0:000> g
Breakpoint 0 hit
ntdll!KiUserExceptionDispatch:
00000000`78ef3a30 48b8809e008001000000 mov rax,offset ACTIVE_1!Detour_KiUserExceptionDispatcher (00000001`80009e80)
0:000> dq rsp
00000000`00126410 00000000`001261e0 fffffadf`e1fd26e8
00000000`00126420 00000000`00000030 fffff800`012b92e8
00000000`00126430 00000000`00000000 00000000`00000000
00000000`00126440 00001f80`0010001f 0053002b`002b0033
00000000`00126450 00010206`002b002b 00000000`00000000
00000000`00126460 00000000`00000000 00000000`00000000
00000000`00126470 00000000`00000000 00000000`00000000
00000000`00126480 00000000`00000000 00000000`00000001
0:000> r
rax=0000000000000001 rbx=0000000000000409 rcx=00000000000000c0
rdx=0000000000000002 rsi=0000000000127088 rdi=0000000003c32b60
rip=0000000078ef3a30 rsp=0000000000126410 rbp=0000000000126a10
r8=10263985000000cd r9=00000000001e9228 r10=000003d247c0000e
r11=0000000000000201 r12=00000000001269e0 r13=0000000002991640
r14=0000000000000008 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
ntdll!KiUserExceptionDispatch:
00000000`78ef3a30 48b8809e008001000000 mov rax,offset ACTIVE_1!Detour_KiUserExceptionDispatcher (00000001`80009e80)
0:000> dq rsp
00000000`00126410 00000000`001261e0 fffffadf`e1fd26e8
00000000`00126420 00000000`00000030 fffff800`012b92e8
00000000`00126430 00000000`00000000 00000000`00000000
00000000`00126440 00001f80`0010001f 0053002b`002b0033
00000000`00126450 00010206`002b002b 00000000`00000000
00000000`00126460 00000000`00000000 00000000`00000000
00000000`00126470 00000000`00000000 00000000`00000000
00000000`00126480 00000000`00000000 00000000`00000001
0:000> dq rsp+0x4d0
00000000`001268e0 00000000`c0000005 00000000`00000000
00000000`001268f0 00000000`02991661 00000000`00000002
00000000`00126900 00000000`00000000 00000000`00000409
00000000`00126910 00000000`00000000 fffffa80`0057c0f0
00000000`00126920 00000000`0015020a 00000000`00000000
00000000`00126930 00000000`00000409 00000000`03c32b60
00000000`00126940 00000000`00127088 00000000`001269e0
00000000`00126950 00000000`02991640 00000000`00000008
0:000> dt CONTEXT 00000000`00126410
ACTIVE_1!CONTEXT
+0x000 P1Home : 0x1261e0
+0x008 P2Home : 0xfffffadf`e1fd26e8
+0x010 P3Home : 0x30
+0x018 P4Home : 0xfffff800`012b92e8
+0x020 P5Home : 0
+0x028 P6Home : 0
+0x030 ContextFlags : 0x10001f
+0x034 MxCsr : 0x1f80
+0x038 SegCs : 0x33
+0x03a SegDs : 0x2b
+0x03c SegEs : 0x2b
+0x03e SegFs : 0x53
+0x040 SegGs : 0x2b
+0x042 SegSs : 0x2b
+0x044 EFlags : 0x10206
+0x048 Dr0 : 0
+0x050 Dr1 : 0
+0x058 Dr2 : 0
+0x060 Dr3 : 0
+0x068 Dr6 : 0
+0x070 Dr7 : 0
+0x078 Rax : 1
+0x080 Rcx : 0xc0
+0x088 Rdx : 2
+0x090 Rbx : 0x409
+0x098 Rsp : 0x1269b0
+0x0a0 Rbp : 0x126a10
+0x0a8 Rsi : 0x127088
+0x0b0 Rdi : 0x3c32b60
+0x0b8 R8 : 0x10263985`000000cd
+0x0c0 R9 : 0x1e9228
+0x0c8 R10 : 0x3d2`47c0000e
+0x0d0 R11 : 0x201
+0x0d8 R12 : 0x1269e0
+0x0e0 R13 : 0x2991640
+0x0e8 R14 : 8
+0x0f0 R15 : 0
+0x0f8 Rip : 0x2991661
+0x100 FltSave : _XMM_SAVE_AREA32
+0x100 Header : [2] _M128
+0x120 Legacy : [8] _M128
+0x1a0 Xmm0 : _M128
+0x1b0 Xmm1 : _M128
+0x1c0 Xmm2 : _M128
+0x1d0 Xmm3 : _M128
+0x1e0 Xmm4 : _M128
+0x1f0 Xmm5 : _M128
+0x200 Xmm6 : _M128
+0x210 Xmm7 : _M128
+0x220 Xmm8 : _M128
+0x230 Xmm9 : _M128
+0x240 Xmm10 : _M128
+0x250 Xmm11 : _M128
+0x260 Xmm12 : _M128
+0x270 Xmm13 : _M128
+0x280 Xmm14 : _M128
+0x290 Xmm15 : _M128
+0x300 VectorRegister : [26] _M128
+0x4a0 VectorControl : 0
+0x4a8 DebugControl : 0
+0x4b0 LastBranchToRip : 0
+0x4b8 LastBranchFromRip : 0
+0x4c0 LastExceptionToRip : 0
+0x4c8 LastExceptionFromRip : 0
;-----------------------------------------------------------------------
; KiUserExceptionDispatcher  (ntdll, x64, Microsoft x64 ABI)
; User-mode exception dispatch entry. The dumps above show the stack
; layout at entry: rsp points directly at a CONTEXT (dt CONTEXT rsp) and
; rsp + 4D0h at an EXCEPTION_RECORD (ExceptionCode 0xC0000005 in the
; dq rsp+0x4d0 dump). 4D0h is sizeof(CONTEXT) on x64: the last field,
; LastExceptionFromRip, sits at +0x4c8 and is 8 bytes. Both structures
; live on the stack; nothing is passed in registers.
; NOTE(review): in the live session the first 10 bytes at 78EF3A30 are
; `mov rax, offset ACTIVE_1!Detour_KiUserExceptionDispatcher`, i.e. an
; inline hook installed by the ACTIVE_1 module that overwrites the
; mov/test pair below. The listing here is the unpatched original;
; comparing these bytes with the on-disk ntdll image is how such a
; hook is detected.
;-----------------------------------------------------------------------
0000000078EF3A30 KiUserExceptionDispatcher: ; DATA XREF: .text:off_78F03D48o
.text:0000000078EF3A30 ; .data:RtlpFunctionAddressTableo
.text:0000000078EF3A30 mov rax, cs:Wow64PrepareForException ; rax = global function pointer (NULL unless the WoW64 layer set it)
.text:0000000078EF3A37 test rax, rax
.text:0000000078EF3A3A jz short loc_78EF3A4B ; no callback installed -> go straight to dispatch
.text:0000000078EF3A3C mov rcx, rsp ; rsp and rsp+4D0h are the two arguments; both argument structures live entirely on the stack
.text:0000000078EF3A3F add rcx, 4D0h ; rcx = EXCEPTION_RECORD*
.text:0000000078EF3A46 mov rdx, rsp ; rdx = CONTEXT*
.text:0000000078EF3A49 call rax ; Wow64PrepareForException(ExceptionRecord, Context)
.text:0000000078EF3A4B
.text:0000000078EF3A4B loc_78EF3A4B: ; CODE XREF: .text:0000000078EF3A3Aj
.text:0000000078EF3A4B mov rcx, rsp
.text:0000000078EF3A4E add rcx, 4D0h ; rcx = EXCEPTION_RECORD*
.text:0000000078EF3A55 mov rdx, rsp ; rdx = CONTEXT*
.text:0000000078EF3A58 call RtlDispatchException ; walk the handler chain: RtlDispatchException(ExceptionRecord, Context)
.text:0000000078EF3A5D test al, al ; BOOLEAN result: nonzero = a handler accepted the exception
.text:0000000078EF3A5F jz short loc_78EF3A6D ; not handled -> re-raise to the kernel
.text:0000000078EF3A61 mov rcx, rsp ; rcx = CONTEXT* (possibly modified by the handler)
.text:0000000078EF3A64 xor edx, edx ; second argument = NULL
.text:0000000078EF3A66 call RtlRestoreContext ; RtlRestoreContext(Context, NULL): resume the thread; expected not to return
.text:0000000078EF3A6B jmp short loc_78EF3A82 ; only reached if RtlRestoreContext returns
.text:0000000078EF3A6D ; ---------------------------------------------------------------------------
.text:0000000078EF3A6D
.text:0000000078EF3A6D loc_78EF3A6D: ; CODE XREF: .text:0000000078EF3A5Fj
.text:0000000078EF3A6D mov rcx, rsp
.text:0000000078EF3A70 add rcx, 4D0h ; rcx = EXCEPTION_RECORD*
.text:0000000078EF3A77 mov rdx, rsp ; rdx = CONTEXT*
.text:0000000078EF3A7A xor r8b, r8b ; r8b = FALSE: FirstChance = FALSE (second-chance delivery)
.text:0000000078EF3A7D call ZwRaiseException ; ZwRaiseException(ExceptionRecord, Context, FALSE): hand the unhandled exception back to the kernel
.text:0000000078EF3A82
.text:0000000078EF3A82 loc_78EF3A82: ; CODE XREF: .text:0000000078EF3A6Bj
.text:0000000078EF3A82 mov ecx, eax ; ecx = NTSTATUS returned by the call above
.text:0000000078EF3A84 call RtlRaiseStatus ; RtlRaiseStatus(status): raise the failure as a new exception; should not return
.text:0000000078EF3A89 int 3 ; Trap to Debugger - reached only if RtlRaiseStatus returns
.text:0000000078EF3A8A nop
.text:0000000078EF3A8B nop
.text:0000000078EF3A8B ; ---------------------------------------------------------------------------
.text:0000000078EF3A8C db 6 dup(0CCh) ; int 3 padding up to the 20h-byte alignment of the next export
.text:0000000078EF3A92 align 20h
.text:0000000078EF3AA0 ; Exported entry 73. KiRaiseUserExceptionDispatcher
Breakpoint 0 hit
ntdll!KiUserExceptionDispatch:
00000000`78ef3a30 48b8809e008001000000 mov rax,offset ACTIVE_1!Detour_KiUserExceptionDispatcher (00000001`80009e80)
0:000> dq rsp
00000000`00126410 00000000`001261e0 fffffadf`e1fd26e8
00000000`00126420 00000000`00000030 fffff800`012b92e8
00000000`00126430 00000000`00000000 00000000`00000000
00000000`00126440 00001f80`0010001f 0053002b`002b0033
00000000`00126450 00010206`002b002b 00000000`00000000
00000000`00126460 00000000`00000000 00000000`00000000
00000000`00126470 00000000`00000000 00000000`00000000
00000000`00126480 00000000`00000000 00000000`00000001
0:000> r
rax=0000000000000001 rbx=0000000000000409 rcx=00000000000000c0
rdx=0000000000000002 rsi=0000000000127088 rdi=0000000003c32b60
rip=0000000078ef3a30 rsp=0000000000126410 rbp=0000000000126a10
r8=10263985000000cd r9=00000000001e9228 r10=000003d247c0000e
r11=0000000000000201 r12=00000000001269e0 r13=0000000002991640
r14=0000000000000008 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
ntdll!KiUserExceptionDispatch:
00000000`78ef3a30 48b8809e008001000000 mov rax,offset ACTIVE_1!Detour_KiUserExceptionDispatcher (00000001`80009e80)
0:000> dq rsp
00000000`00126410 00000000`001261e0 fffffadf`e1fd26e8
00000000`00126420 00000000`00000030 fffff800`012b92e8
00000000`00126430 00000000`00000000 00000000`00000000
00000000`00126440 00001f80`0010001f 0053002b`002b0033
00000000`00126450 00010206`002b002b 00000000`00000000
00000000`00126460 00000000`00000000 00000000`00000000
00000000`00126470 00000000`00000000 00000000`00000000
00000000`00126480 00000000`00000000 00000000`00000001
0:000> dq rsp+0x4d0
00000000`001268e0 00000000`c0000005 00000000`00000000
00000000`001268f0 00000000`02991661 00000000`00000002
00000000`00126900 00000000`00000000 00000000`00000409
00000000`00126910 00000000`00000000 fffffa80`0057c0f0
00000000`00126920 00000000`0015020a 00000000`00000000
00000000`00126930 00000000`00000409 00000000`03c32b60
00000000`00126940 00000000`00127088 00000000`001269e0
00000000`00126950 00000000`02991640 00000000`00000008
0:000> dt CONTEXT 00000000`00126410
ACTIVE_1!CONTEXT
+0x000 P1Home : 0x1261e0
+0x008 P2Home : 0xfffffadf`e1fd26e8
+0x010 P3Home : 0x30
+0x018 P4Home : 0xfffff800`012b92e8
+0x020 P5Home : 0
+0x028 P6Home : 0
+0x030 ContextFlags : 0x10001f
+0x034 MxCsr : 0x1f80
+0x038 SegCs : 0x33
+0x03a SegDs : 0x2b
+0x03c SegEs : 0x2b
+0x03e SegFs : 0x53
+0x040 SegGs : 0x2b
+0x042 SegSs : 0x2b
+0x044 EFlags : 0x10206
+0x048 Dr0 : 0
+0x050 Dr1 : 0
+0x058 Dr2 : 0
+0x060 Dr3 : 0
+0x068 Dr6 : 0
+0x070 Dr7 : 0
+0x078 Rax : 1
+0x080 Rcx : 0xc0
+0x088 Rdx : 2
+0x090 Rbx : 0x409
+0x098 Rsp : 0x1269b0
+0x0a0 Rbp : 0x126a10
+0x0a8 Rsi : 0x127088
+0x0b0 Rdi : 0x3c32b60
+0x0b8 R8 : 0x10263985`000000cd
+0x0c0 R9 : 0x1e9228
+0x0c8 R10 : 0x3d2`47c0000e
+0x0d0 R11 : 0x201
+0x0d8 R12 : 0x1269e0
+0x0e0 R13 : 0x2991640
+0x0e8 R14 : 8
+0x0f0 R15 : 0
+0x0f8 Rip : 0x2991661
+0x100 FltSave : _XMM_SAVE_AREA32
+0x100 Header : [2] _M128
+0x120 Legacy : [8] _M128
+0x1a0 Xmm0 : _M128
+0x1b0 Xmm1 : _M128
+0x1c0 Xmm2 : _M128
+0x1d0 Xmm3 : _M128
+0x1e0 Xmm4 : _M128
+0x1f0 Xmm5 : _M128
+0x200 Xmm6 : _M128
+0x210 Xmm7 : _M128
+0x220 Xmm8 : _M128
+0x230 Xmm9 : _M128
+0x240 Xmm10 : _M128
+0x250 Xmm11 : _M128
+0x260 Xmm12 : _M128
+0x270 Xmm13 : _M128
+0x280 Xmm14 : _M128
+0x290 Xmm15 : _M128
+0x300 VectorRegister : [26] _M128
+0x4a0 VectorControl : 0
+0x4a8 DebugControl : 0
+0x4b0 LastBranchToRip : 0
+0x4b8 LastBranchFromRip : 0
+0x4c0 LastExceptionToRip : 0
+0x4c8 LastExceptionFromRip : 0
;-----------------------------------------------------------------------
; KiUserExceptionDispatcher  (ntdll, x64, Microsoft x64 ABI)
; User-mode exception dispatch entry. The dumps above show the stack
; layout at entry: rsp points directly at a CONTEXT (dt CONTEXT rsp) and
; rsp + 4D0h at an EXCEPTION_RECORD (ExceptionCode 0xC0000005 in the
; dq rsp+0x4d0 dump). 4D0h is sizeof(CONTEXT) on x64: the last field,
; LastExceptionFromRip, sits at +0x4c8 and is 8 bytes. Both structures
; live on the stack; nothing is passed in registers.
; NOTE(review): in the live session the first 10 bytes at 78EF3A30 are
; `mov rax, offset ACTIVE_1!Detour_KiUserExceptionDispatcher`, i.e. an
; inline hook installed by the ACTIVE_1 module that overwrites the
; mov/test pair below. The listing here is the unpatched original;
; comparing these bytes with the on-disk ntdll image is how such a
; hook is detected.
;-----------------------------------------------------------------------
0000000078EF3A30 KiUserExceptionDispatcher: ; DATA XREF: .text:off_78F03D48o
.text:0000000078EF3A30 ; .data:RtlpFunctionAddressTableo
.text:0000000078EF3A30 mov rax, cs:Wow64PrepareForException ; rax = global function pointer (NULL unless the WoW64 layer set it)
.text:0000000078EF3A37 test rax, rax
.text:0000000078EF3A3A jz short loc_78EF3A4B ; no callback installed -> go straight to dispatch
.text:0000000078EF3A3C mov rcx, rsp ; rsp and rsp+4D0h are the two arguments; both argument structures live entirely on the stack
.text:0000000078EF3A3F add rcx, 4D0h ; rcx = EXCEPTION_RECORD*
.text:0000000078EF3A46 mov rdx, rsp ; rdx = CONTEXT*
.text:0000000078EF3A49 call rax ; Wow64PrepareForException(ExceptionRecord, Context)
.text:0000000078EF3A4B
.text:0000000078EF3A4B loc_78EF3A4B: ; CODE XREF: .text:0000000078EF3A3Aj
.text:0000000078EF3A4B mov rcx, rsp
.text:0000000078EF3A4E add rcx, 4D0h ; rcx = EXCEPTION_RECORD*
.text:0000000078EF3A55 mov rdx, rsp ; rdx = CONTEXT*
.text:0000000078EF3A58 call RtlDispatchException ; walk the handler chain: RtlDispatchException(ExceptionRecord, Context)
.text:0000000078EF3A5D test al, al ; BOOLEAN result: nonzero = a handler accepted the exception
.text:0000000078EF3A5F jz short loc_78EF3A6D ; not handled -> re-raise to the kernel
.text:0000000078EF3A61 mov rcx, rsp ; rcx = CONTEXT* (possibly modified by the handler)
.text:0000000078EF3A64 xor edx, edx ; second argument = NULL
.text:0000000078EF3A66 call RtlRestoreContext ; RtlRestoreContext(Context, NULL): resume the thread; expected not to return
.text:0000000078EF3A6B jmp short loc_78EF3A82 ; only reached if RtlRestoreContext returns
.text:0000000078EF3A6D ; ---------------------------------------------------------------------------
.text:0000000078EF3A6D
.text:0000000078EF3A6D loc_78EF3A6D: ; CODE XREF: .text:0000000078EF3A5Fj
.text:0000000078EF3A6D mov rcx, rsp
.text:0000000078EF3A70 add rcx, 4D0h ; rcx = EXCEPTION_RECORD*
.text:0000000078EF3A77 mov rdx, rsp ; rdx = CONTEXT*
.text:0000000078EF3A7A xor r8b, r8b ; r8b = FALSE: FirstChance = FALSE (second-chance delivery)
.text:0000000078EF3A7D call ZwRaiseException ; ZwRaiseException(ExceptionRecord, Context, FALSE): hand the unhandled exception back to the kernel
.text:0000000078EF3A82
.text:0000000078EF3A82 loc_78EF3A82: ; CODE XREF: .text:0000000078EF3A6Bj
.text:0000000078EF3A82 mov ecx, eax ; ecx = NTSTATUS returned by the call above
.text:0000000078EF3A84 call RtlRaiseStatus ; RtlRaiseStatus(status): raise the failure as a new exception; should not return
.text:0000000078EF3A89 int 3 ; Trap to Debugger - reached only if RtlRaiseStatus returns
.text:0000000078EF3A8A nop
.text:0000000078EF3A8B nop
.text:0000000078EF3A8B ; ---------------------------------------------------------------------------
.text:0000000078EF3A8C db 6 dup(0CCh) ; int 3 padding up to the 20h-byte alignment of the next export
.text:0000000078EF3A92 align 20h
.text:0000000078EF3AA0 ; Exported entry 73. KiRaiseUserExceptionDispatcher