Analysis system call (WIN)

Analyze the location of fast system calls

int main(){    CreateFile(        L"C:\\1.txt",        FILE_ALL_ACCESS,        NULL,        NULL,        CREATE_ALWAYS,        FILE_ATTRIBUTE_NORMAL,        NULL    );    return 0;}

Directly up and down breakpoints in Createfilew


After entering, you can see

After entering, you can see

This sysenter is the periphery of the third ring world, the OD can not continue to analyze.
Pressing F7 on the Sysenter directly returns to the previous layer function.

分析MSR  0x174   0x175  0x176kd> rdmsr 0x174msr[174] = 00000000`00000008     //新的CSkd> rdmsr 0x175msr[175] = 00000000`80792000     //新的ESPkd> rdmsr 0x176msr[176] = 00000000`83e91790     //新的EIP

Analyze the code that stores address points in the MSR 0x176 number

Nt!     kifastcallentry:83e91790 b923000000 mov ecx,23h83e91795 6a30 push 30h83e91797 0fa1 pop FS//fs was modified, pointing to kpcr83e91799 8ED9 mov ds,cx83e9179b 8EC1 mov E s,cx83e9179d 648b0d40000000 mov ecx,dword ptr fs:[40h]83e917a4 8b6104 mov esp,dword ptr [ecx+4]83e917a7 6a23 push 23h83e917a9 push edx83e917aa 9c pushfd83e917ab 6a02 Pus H 283e917ad 83c208 Add edx,883e917b0 9d popfd83e917b1 804c240102 or byte ptr [esp+1            ],283e917b6 6a1b push 1bh83e917b8 ff350403dfff push DWORD ptr ds:[0ffdf0304h]83e917be 6a00 Push 083e917c0 ebp83e917c1 ebx83e917c2 push esi83e91 7C3 edi83e917c4 push 648b1d1c000000 mov ebx,dword ptr fs:[1ch]//Important Get KPCR yourself 83E917CB 6a   3b Push 3BH83E917CD 8bb324010000 mov esi,dword ptr [ebx+124h]//Important Get current execution thread ethread83e917d3 ff33 push DWORD ptr [EBX]83E917D5 C703FFFFFFFF mov dword ptr [ebx],0ffffffffh83e917db 8B6E28 mov Ebp,dword PT R [esi+28h]83e917de 6a01 push 183e917e0 83ec48 Sub Esp,48h83e917e3 81ed9c020000 Sub Ebp,            29ch83e917e9 c6863a01000001 mov byte ptr [esi+13ah],183e917f0 3bec cmp ebp,esp83e917f2 7597 Jne nt! kifastcallentry2+0x49 (83e9178b) 83e917f4 83652c00 and DWORD ptr [Ebp+2ch],083e917f8 F64603DF test byt e ptr [ESI+3],0DFH83E917FC 89ae28010000 mov dword ptr [esi+128h],ebp83e91802 0f8538feffff jne nt! Dr_fastcalldrsave (83e91640) 83e91808 8b5d60 mov ebx,dword ptr [ebp+60h]83e9180b 8b7d68 mov edi,d Word ptr [ebp+68h]83e9180e 89550c mov dword ptr [ebp+0ch],edx83e91811 C74508000ddbba mov dword ptr [ebp+ 8],0badb0d00h83e91818 895D00 mov dword ptr [ebp],ebx83e9181b 897D04 mov dword ptr [EBP+4],EDI83E9181E FB s                                 ti83e9181f 8BF8 mov edi,eax//edi stored in call number 83e91821 c1ef08 shr edi,8 X YYYY YYYY YYYY//                                                                      X YYYY//1 0000 x 0000//If SSDT, X is 0, the whole number is 0//if SHADOWSSDT, X is 1, the whole number is 1683e91824. 83e710 and edi,10h83e91827 8BCF mov ecx,edi83e91829 03bebc000000 add edi,dword ptr [esi     +0BCH]//Important Get service table, automatically adapted to SSDT or shadowssdt83e9182f 8BD8 mov ebx,eax83e91831 25ff0f0000 and            Eax,0fffh                X YYYY YYYY YYYY//0 1111 1111 1111 0 YYYY YYYY yyyy83e91836 3b4708 cmp E Ax,dword ptr [edi+8]83e91839 0f8333fdffff Jae Nt! Kibbtunexpectedrange (83e91572) 83e9183f 83f910 cmp ecx,10h83e91842 751a jne nt! kisystemserviceaccessteb+0x12 (83e9185e) 83e91844 8b8e88000000 mov ecx,dword ptr [esi+88h]83e9184a 33f6 x or esi,esint! kisystemserviceaccessteb:83e9184c 0bb1700f0000 or Esi,dword ptr [ecx+0f70h]83e91852 740a je nt! kisystemserviceaccessteb+0x12 (83e9185e) 83e91854 edx83e91855 push eax83e91856 F F1594dafb83 call DWORD ptr [nt! Kegdiflushuserbatch (83fbda94)]83e9185c eax83e9185d 5a Pop edx83e9185e 64ff05b006        0000 Inc DWORD PTR fs:[6b0h]83e91865 8BF2    MOV Esi,edx//copy of user stack base address to esi83e91867 33c9 xor ecx,ecx83e91869 8b570c                    mov Edx,dword ptr [edi+0ch]//Get here is the parameter size table 83e9186c 8b3f mov edi,dword ptr [edi] Important Get the table of functions in the Service table//This table is called the System service Dispatch table     (SSDT) 83e9186e 8A0C10 mov cl,byte ptr [eax+edx]//Get parameters occupied by bytes 83e91871 8b1487 mov                                Edx,dword ptr [edi+eax*4]//Important Get function address 83e91874 2be1 Sub esp,ecx                                Stack top raised so big, ready to copy Parameters 83e91876 c1e902 shr ecx,283e91879 8BFC mov edi,esp The kernel stack is the destination location edi83e9187b f6457202 test byte ptr [ebp+72h],283e9187f 7506 jne nt!      KISYSTEMSERVICEACCESSTEB+0X3B (83e91887) 83e91881 f6456c01 test byte ptr [ebp+6ch],183e91885 740c JE Nt! Kisystemservicecopyarguments (83e91893) 83e91887 3b3550d8fb83 cmp esi,dword ptr [nt! Mmuserprobeaddress (83fbd850)]83e9188d 0f832e020000 Jae Nt! Kisystemcallexit2+0xa5 (83E91AC1) nt! kisystemservicecopyarguments:83e91893 F3A5 Rep movs dword ptr es:[edi],dword ptr [esi]//copy parameter 83e91895 f6456 C01 test byte ptr [ebp+6ch],183e91899 7416 je nt!          KISYSTEMSERVICECOPYARGUMENTS+0X1E (83E918B1) 83e9189b 648b0d24010000 mov ecx,dword ptr fs:[124h]83e918a2 8b3c24 mov Edi,dword ptr [esp]83e918a5 89993c010000 mov dword ptr [ECX+13CH],EBX83E918AB 89b92c010000 mov DW Ord ptr [ecx+12ch],edi83e918b1 8BDA mov ebx,edx//important 83E918B3 f60588a6f88340 t EST byte ptr [nt!     perfglobalgroupmask+0x8 (83f8a688)],40h83e918ba 0f954512 setne byte ptr [ebp+12h]83e918be 0f8580030000 jne Nt! kiserviceexit2+0x179 (83E91C44) 83e918c4 ffd3 call EBX//important calls to real system functions

The KPCR (Processpor control region) processor controls the domain, where CPU-related information is stored, and each core CPU has one.

FS registers, at the user level, point to TEB, at the kernel level, pointing to KPCR.
Nt!_kpcr

  +0x120 PrcbData         : _KPRCB      +0x000 MinorVersion     : ??      +0x002 MajorVersion     : ??      +0x004 CurrentThread    : ????

So fs:[124] is CurrentThread, the ethread of the currently running thread.
In Ethread's 0XBC location, it stores something called a service table.

kd> dt _KTHREADnt!_KTHREAD   +0x000 Header           : _DISPATCHER_HEADER   +0x010 CycleTime        : Uint8B   ......   +0x0bc ServiceTable     : Ptr32 Void

Analysis system call (WIN)