靜態分析KiSystemService


KiSystemService 是執行 INT 2EH 之後被調用的內核入口。
在 Windows 2000 下，所有 native API 都經由 INT 2EH 進入內核；在 XP 下，GDC 函數進入內核時仍調用 INT 2EH，
其他 native API 則經由 KiFastCall 進入內核。

;-----------------------------------------------------------------------
; _KiSystemService — INT 2Eh system-service entry (x86, IDA listing).
; Builds a KTRAP_FRAME on the kernel stack, derives PreviousMode from the
; caller's CS, links the new frame into the current KTHREAD, and then
; checks DebugActive before continuing to service dispatch (the dispatch
; chunk at loc_46579D is listed separately below).
; Register roles in this fragment:
;   esi = current KTHREAD (read from KPCR.PrcbData.CurrentThread)
;   ebp = base of the KTRAP_FRAME being built
;   edx = caller-supplied argument pointer (NOT validated in this fragment)
;-----------------------------------------------------------------------
.text:00465651 _KiSystemService proc near              ; CODE XREF: ZwAcceptConnectPort(x,x,x,x,x,x)+Cp

.text:00465651                                         ; ZwAccessCheck(x,x,x,x,x,x,x,x)+Cp ...

.text:00465651

.text:00465651 arg_0           = dword ptr  4          ; saved CS slot (the RPL test on CS below uses it)

.text:00465651

.text:00465651                 push    0               ; error-code slot, so the frame matches a fault frame layout

.text:00465653                 push    ebp             ; save caller registers into the trap frame

.text:00465654                 push    ebx

.text:00465655                 push    esi

.text:00465656                 push    edi

.text:00465657                 push    fs

.text:00465659                 mov     ebx, 30h        ; selector 30h = KPCR

.text:0046565E                 db      66h             ; operand-size prefix for the 16-bit segment move

.text:0046565E                 mov     fs, bx          ; fs := 30h, so fs:[0] now addresses the KPCR

.text:00465661                 push    dword ptr ds:0FFDFF000h ; save fs:[0] (KPCR.NtTib.ExceptionList)

.text:00465667                 mov     dword ptr ds:0FFDFF000h, 0FFFFFFFFh

                                                        ; ExceptionList := -1 (empty SEH chain for this frame)

.text:00465671                 mov     esi, ds:0FFDFF124h

                                                        ; esi := _KPCR.PrcbData.CurrentThread (KTHREAD)

.text:00465677                 push    dword ptr [esi+140h] ; save the old KTHREAD.PreviousMode

.text:0046567D                 sub     esp, 48h        ; reserve the remainder of the KTRAP_FRAME

.text:00465680                 mov     ebx, [esp+68h+arg_0] ; arg_0 = 4 (see above): ebx := CS saved by the CPU

.text:00465684                 and     ebx, 1          ; low RPL bit of CS: 1 for a user-mode caller, 0 for kernel

.text:00465687                 mov     [esi+140h], bl  ; KTHREAD.PreviousMode := 1 (user) / 0 (kernel);
                                                        ; downstream pointer probing is keyed on this value

.text:0046568D                 mov     ebp, esp        ; ebp := this KTRAP_FRAME

.text:0046568F                 mov     ebx, [esi+134h] ; ebx := KTHREAD.TrapFrame (the previous frame, if any)

.text:00465695                 mov     [ebp+3Ch], ebx  ; stash the previous TrapFrame pointer in the frame's Edx slot;
                                                        ; it is restored at loc_46580A before KiServiceExit

.text:00465698                 mov     [esi+134h], ebp ; KTHREAD.TrapFrame := this frame (kernel context now active)

.text:0046569E                 cld                     ; DF = 0: required for the rep movsd argument copy later

.text:0046569F                 mov     ebx, [ebp+60h]  ; ebx := frame.Ebp (caller's EBP)

.text:004656A2                 mov     edi, [ebp+68h]  ; edi := frame.Eip (return address after INT 2Eh)

.text:004656A5                 mov     [ebp+0Ch], edx  ; KTRAP_FRAME.DbgArgPointer := caller's argument pointer

.text:004656A8                 mov     dword ptr [ebp+8], 0BADB0D00h ; KTRAP_FRAME.DbgArgMark (debugger marker)

.text:004656AF                 mov     [ebp+0], ebx    ; KTRAP_FRAME.DbgEbp := caller's EBP

.text:004656B2                 mov     [ebp+4], edi    ; KTRAP_FRAME.DbgEip := return address

.text:004656B5                 test    byte ptr [esi+2Ch], 0FFh ; KTHREAD.DebugActive != 0 ?

.text:004656B9                 jnz     Dr_kss_a        ; yes: save caller DRs / load kernel DRs (listed next)

;-----------------------------------------------------------------------
; Dr_kss_a — debug-register save path of KiSystemService, entered only
; when KTHREAD.DebugActive is set.  For a V86 or user-mode caller it
; saves DR0-DR3/DR6/DR7 into the KTRAP_FRAME, clears DR7, and loads the
; kernel's own values from KPRCB (KernelDr0..KernelDr7).  Kernel-mode
; callers skip the whole block.  Rejoins KiSystemService at loc_4656BF,
; which is outside this listing.
; In:  ebp = KTRAP_FRAME.  Clobbers: ebx, ecx, edi, flags.
;-----------------------------------------------------------------------
.text:0046554C Dr_kss_a        proc near               ; CODE XREF: _KiSystemService+68j

.text:0046554C

.text:0046554C ; FUNCTION CHUNK AT .text:004656BF SIZE 00000006 BYTES

.text:0046554C

.text:0046554C                 test    dword ptr [ebp+70h], 20000h ; frame.EFlags & VM (V86 mode)?

.text:00465553                 jnz     short loc_465562 ; V86 caller: always save/swap DRs

.text:00465555                 test    dword ptr [ebp+6Ch], 1 ; frame.SegCs RPL bit: user-mode caller?

.text:0046555C                 jz      loc_4656BF      ; kernel-mode caller: nothing to swap, rejoin

.text:00465562

.text:00465562 loc_465562:                             ; CODE XREF: Dr_kss_a+7j

.text:00465562                 mov     ebx, dr0        ; capture the caller's debug registers

.text:00465565                 mov     ecx, dr1

.text:00465568                 mov     edi, dr2

.text:0046556B                 mov     [ebp+18h], ebx  ; KTRAP_FRAME.Dr0

.text:0046556E                 mov     [ebp+1Ch], ecx  ; KTRAP_FRAME.Dr1

.text:00465571                 mov     [ebp+20h], edi  ; KTRAP_FRAME.Dr2

.text:00465574                 mov     ebx, dr3

.text:00465577                 mov     ecx, dr6

.text:0046557A                 mov     edi, dr7

.text:0046557D                 mov     [ebp+24h], ebx  ; KTRAP_FRAME.Dr3

.text:00465580                 mov     [ebp+28h], ecx  ; KTRAP_FRAME.Dr6

.text:00465583                 xor     ebx, ebx

.text:00465585                 mov     [ebp+2Ch], edi  ; KTRAP_FRAME.Dr7

.text:00465588                 mov     dr7, ebx        ; DR7 := 0 first, so no caller breakpoint stays armed
                                                        ; while DR0-DR6 are being reloaded below

.text:0046558B                 mov     edi, large fs:20h ; edi := KPCR.Prcb

.text:00465592                 mov     ebx, [edi+2F8h] ; KPRCB ... KSPECIAL_REGISTERS.KernelDr0

.text:00465598                 mov     ecx, [edi+2FCh] ; KernelDr1

.text:0046559E                 mov     dr0, ebx

.text:004655A1                 mov     dr1, ecx

.text:004655A4                 mov     ebx, [edi+300h] ; KernelDr2

.text:004655AA                 mov     ecx, [edi+304h] ; KernelDr3

.text:004655B0                 mov     dr2, ebx

.text:004655B3                 mov     dr3, ecx

.text:004655B6                 mov     ebx, [edi+308h] ; KernelDr6

.text:004655BC                 mov     ecx, [edi+30Ch] ; KernelDr7

.text:004655C2                 mov     dr6, ebx

.text:004655C5                 mov     dr7, ecx        ; kernel DR7 loaded last, re-arming kernel breakpoints

.text:004655C8                 jmp     loc_4656BF      ; back into KiSystemService (chunk not in this listing)

;-----------------------------------------------------------------------
; loc_46579D — service-number decode, bounds check, argument copy and
; dispatch.  Shared by the INT 2Eh and fast-call paths (see the XREFs).
; In:  eax = system service number
;      edx = caller's argument pointer (points at the caller's stack)
;      esi = current KTHREAD
;      ebp = KTRAP_FRAME
; Bits 12-13 of the service number (after shr 8 / and 30h) select one
; 16-byte descriptor in KTHREAD.ServiceTable; bits 0-11 index into it.
; Descriptor layout used here: +0 Base, +8 Limit, +0Ch ArgumentTable.
;-----------------------------------------------------------------------
.text:0046579D loc_46579D:                             ; CODE XREF: _KiBBTUnexpectedRange+18j

.text:0046579D                                         ; Dr_kss_a+174j

.text:0046579D                 mov     edi, eax        ; edi := service number

.text:0046579F                 shr     edi, 8          ; keep the high byte

.text:004657A2                 and     edi, 30h        ; isolate bits 12-13 of the service number

.text:004657A2                                         ; -> 00h, 10h, 20h or 30h = byte offset of the
.text:004657A2                                         ;    16-byte descriptor to use (00h = native table,
.text:004657A2                                         ;    10h = win32k table, per the test at 4657BD)

.text:004657A5                 mov     ecx, edi        ; ecx keeps the table selector for the win32k test

.text:004657A7                 add     edi, [esi+0E0h] ; edi := &KTHREAD.ServiceTable[selector]
.text:004657A7                                         ; (KeServiceDescriptorTableShadow for GUI threads,
.text:004657A7                                         ;  presumably; not visible here)

.text:004657AD                 mov     ebx, eax

.text:004657AF                 and     eax, 0FFFh      ; eax := index within the selected table

.text:004657B4                 cmp     eax, [edi+8]    ; index < descriptor.Limit (ServiceLimit)?

.text:004657B7                 jnb     _KiBBTUnexpectedRange ; unsigned compare: any index >= Limit fails closed

.text:004657BD                 cmp     ecx, 10h        ; win32k table selected?

.text:004657C0                 jnz     short loc_4657DC ; native (ntoskrnl) table: skip the GDI batch flush

.text:004657C2                 mov     ecx, ds:0FFDFF018h ; ecx := KPCR.PcTeb, the caller's TEB (user-mode memory)

.text:004657C8                 xor     ebx, ebx

.text:004657CA

.text:004657CA loc_4657CA:                             ; DATA XREF: Dr_kite_a+1BFo

.text:004657CA                 or      ebx, [ecx+0F70h] ; TEB.GdiBatchCount; user-writable, only tested for zero here

.text:004657D0                 jz      short loc_4657DC ; no batched GDI calls: nothing to flush

.text:004657D2                 push    edx             ; preserve arg pointer and service number across the call

.text:004657D3                 push    eax

.text:004657D4                 call    ds:_KeGdiFlushUserBatch

.text:004657DA                 pop     eax

.text:004657DB                 pop     edx

.text:004657DC

.text:004657DC loc_4657DC:                             ; CODE XREF: Dr_FastCallDrSave+1F0j

.text:004657DC                                         ; Dr_FastCallDrSave+200j

.text:004657DC                 inc     dword ptr ds:0FFDFF638h ; KeSystemCalls: per-processor system-call counter
                                                        ; (judging by the symbol; incremented once per service)

.text:004657E2                 mov     esi, edx        ; esi := source = caller's argument pointer

.text:004657E4                 mov     ebx, [edi+0Ch]  ; ebx := descriptor.ArgumentTable (byte per service)

.text:004657E7                 xor     ecx, ecx

.text:004657E9                 mov     cl, [eax+ebx]   ; ecx := argument size in bytes for this service

.text:004657EC                 mov     edi, [edi]       ; edi := descriptor.Base (service function table)

.text:004657EE                 mov     ebx, [edi+eax*4] ; ebx := address of the service routine

.text:004657F1                 sub     esp, ecx        ; reserve the argument area on the kernel stack

.text:004657F3                 shr     ecx, 2          ; size in dwords

.text:004657F6                 mov     edi, esp        ; edi := destination = kernel-stack argument area

.text:004657F8                 cmp     esi, ds:_MmUserProbeAddress ; argument pointer inside the user range?

.text:004657FE                 jnb     loc_4659AC      ; no: off-listing path (presumably rejects a user-mode
                                                        ; caller that passed a kernel-range pointer)

.text:00465804

.text:00465804 loc_465804:                             ; CODE XREF: Dr_FastCallDrSave+3E0j

.text:00465804                                         ; DATA XREF: Dr_kite_a+1B5o

.text:00465804                 rep movsd               ; copy ecx dwords from the caller's stack; the argument
                                                        ; VALUES (e.g. embedded pointers) are not validated here,
                                                        ; and fault handling for this copy is not in this listing

.text:00465806                 call    ebx             ; invoke the service routine with the copied arguments

.text:00465808

.text:00465808 loc_465808:                             ; CODE XREF: Dr_FastCallDrSave+3EBj

.text:00465808                                         ; DATA XREF: Dr_kite_a+1D5o ...

.text:00465808                 mov     esp, ebp        ; discard the argument area; esp := KTRAP_FRAME

.text:0046580A

.text:0046580A loc_46580A:                             ; CODE XREF: _KiBBTUnexpectedRange+38j

.text:0046580A                                         ; _KiBBTUnexpectedRange+43j

.text:0046580A                 mov     ecx, ds:0FFDFF124h ; ecx := current KTHREAD

.text:00465810                 mov     edx, [ebp+3Ch]  ; previous TrapFrame pointer saved at entry

.text:00465813                 mov     [ecx+134h], edx ; KTHREAD.TrapFrame := previous frame, then on to KiServiceExit


