Windows Kernel Scenario Analysis: the KeRaiseIrql() and KeLowerIrql() functions

1. The KeRaiseIrql() function

KeRaiseIrql() simply calls the HAL module's KfRaiseIrql() function and stores the original IRQL that it returns through the second parameter of KeRaiseIrql(). Written out as C code (reconstructed from the disassembly, so the helper names are descriptive rather than exact):
```c
VOID KeRaiseIrql(KIRQL NewIrql, PKIRQL OldIrql)
{
    KIRQL Irql = KfRaiseIrql(NewIrql);
    *OldIrql = Irql;
}

KIRQL KfRaiseIrql(KIRQL Irql)
{
    KIRQL OldIrql = GetCurrentKPcr()->Irql;      // read the current IRQL from _KPCR.Irql (fs:[24])

    if (HalpEnableIrqlAudit != 0)
    {
        eflags = GetCurrentEflags();             // save EFLAGS
        DisableInterrupt();                      // disable interrupts
        HalpValidatePendingInterrupts();
        if (HalpEnableIrqlAudit == 0
            || OldIrql >= DPC_LEVEL
            || OldIrql >= ((USHORT *)GetCurrentKPcr()->HalReserved)[1]   // fs:[96h]
            || HalpAssertFailedOnce != 0)
        {
            if (eflags.IF == 0)
                EnableInterrupt();               // re-enable interrupts
        }
    }

    if (HalpEnableIrqlAudit == 0 || OldIrql <= Irql)
    {
        // nothing to do, fall through
    }
    else
    {
        HalpAssertFailedOnce = 1;
        DbgBreakPoint();                         // break into the debugger
    }

    GetCurrentKPcr()->Irql = Irql;               // set the new IRQL
    return OldIrql;                              // return the old IRQL
}
```
The KfRaiseIrql() function raises the IRQL without hitting the DbgBreakPoint() audit check when either of the following conditions holds:

1. HalpEnableIrqlAudit is 0 (HalpEnableIrqlAudit is a global variable within the HAL module, but I don't know what it means).
2. NewIrql >= OldIrql (i.e. the IRQL being raised to must be greater than or equal to the current value).

2. The KeLowerIrql() function
```c
#define KeLowerIrql(a) KfLowerIrql(a)

VOID FASTCALL KfLowerIrql(KIRQL NewIrql)
{
    if (NewIrql > KeGetPcr()->Irql)
    {
        KeBugCheck(0);
        for (;;);
    }
    HalpLowerIrql(NewIrql);
}

VOID HalpLowerIrql(KIRQL NewIrql)   // main function
{
    if (NewIrql >= PROFILE_LEVEL)
    {
        // the target level is at or above PROFILE_LEVEL: set the current IRQL directly
        KeGetPcr()->Irql = NewIrql;
        return;
    }

    HalpExecuteIrqs(NewIrql);

    if (NewIrql >= DISPATCH_LEVEL)
    {
        // the target level is at or above DISPATCH_LEVEL: set the current IRQL directly
        KeGetPcr()->Irql = NewIrql;
        return;
    }

    // NewIrql is below DISPATCH_LEVEL: first drop the current IRQL to DISPATCH_LEVEL,
    // then scan the DPC queue and, if it is not empty, trigger the DPC software interrupt
    KeGetPcr()->Irql = DISPATCH_LEVEL;
    if (((PKIPCR)KeGetPcr())->HalReserved[HAL_DPC_REQUEST])
    {
        // DPC request queue is non-empty
        ((PKIPCR)KeGetPcr())->HalReserved[HAL_DPC_REQUEST] = FALSE;
        KiDispatchInterrupt();
    }

    // the target level is below DISPATCH_LEVEL: drop the current IRQL to APC_LEVEL,
    // then scan the APC queue and, if it is not empty, trigger the APC software interrupt
    KeGetPcr()->Irql = APC_LEVEL;
    if (NewIrql == APC_LEVEL)
    {
        return;
    }

    // NewIrql is below APC_LEVEL
    if (KeGetCurrentThread() != NULL && KeGetCurrentThread()->ApcState.KernelApcPending)
    {
        KiDeliverApc(KernelMode, NULL, NULL);
    }
    KeGetPcr()->Irql = PASSIVE_LEVEL;
}
```
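To make the two paths above concrete, here is an added user-mode model of the raise/lower ordering they describe (not kernel code and not from the original post): the PCR, DPC flag and APC flag are constructed stand-ins, HalpExecuteIrqs() and the audit's interrupt handling are not modelled, and the bugcheck and DbgBreakPoint() are replaced by counters so a mismatched raise or lower can be asserted on.

```c
/* User-mode model of KfRaiseIrql/HalpLowerIrql ordering; constructed for illustration. */
#include <stdbool.h>
#include <stdio.h>

typedef unsigned char KIRQL;
enum { PASSIVE_LEVEL = 0, APC_LEVEL = 1, DISPATCH_LEVEL = 2, PROFILE_LEVEL = 27 };

/* Constructed stand-in for the per-processor/per-thread state the HAL consults. */
static struct {
    KIRQL Irql;
    bool  DpcRequest;        /* models HalReserved[HAL_DPC_REQUEST]            */
    bool  KernelApcPending;  /* models KeGetCurrentThread()->ApcState.KernelApcPending */
    int   DpcsRun, ApcsRun, BugChecks, AuditBreaks;
} Pcr;

static void ResetPcr(KIRQL irql, bool dpc, bool apc) {
    Pcr.Irql = irql; Pcr.DpcRequest = dpc; Pcr.KernelApcPending = apc;
    Pcr.DpcsRun = Pcr.ApcsRun = Pcr.BugChecks = Pcr.AuditBreaks = 0;
}

/* KfRaiseIrql: with the audit enabled, a "raise" to a lower level trips DbgBreakPoint(),
   but the new IRQL is still written and the old one returned. */
static KIRQL ModelRaiseIrql(KIRQL NewIrql) {
    KIRQL OldIrql = Pcr.Irql;
    if (OldIrql > NewIrql) Pcr.AuditBreaks++;         /* DbgBreakPoint() in the real HAL */
    Pcr.Irql = NewIrql;
    return OldIrql;
}

/* KfLowerIrql + HalpLowerIrql: refuse to "lower" upward, then step down through
   DISPATCH_LEVEL (drain DPCs) and APC_LEVEL (deliver kernel APCs). */
static void ModelLowerIrql(KIRQL NewIrql) {
    if (NewIrql > Pcr.Irql) { Pcr.BugChecks++; return; }        /* KeBugCheck(0)        */
    if (NewIrql >= PROFILE_LEVEL || NewIrql >= DISPATCH_LEVEL) { Pcr.Irql = NewIrql; return; }
    Pcr.Irql = DISPATCH_LEVEL;
    if (Pcr.DpcRequest) { Pcr.DpcRequest = false; Pcr.DpcsRun++; }   /* KiDispatchInterrupt */
    Pcr.Irql = APC_LEVEL;
    if (NewIrql == APC_LEVEL) return;
    if (Pcr.KernelApcPending) { Pcr.KernelApcPending = false; Pcr.ApcsRun++; }  /* KiDeliverApc */
    Pcr.Irql = PASSIVE_LEVEL;
}

int main(void) {
    ResetPcr(DISPATCH_LEVEL, true, true);
    ModelLowerIrql(PASSIVE_LEVEL);                    /* drains the DPC, then the APC */
    printf("irql=%u dpcs=%d apcs=%d\n", Pcr.Irql, Pcr.DpcsRun, Pcr.ApcsRun);
    return 0;
}
```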