Windows 7 x86 中内核模块 nt(即 ntkrpamp 模块)里以下函数的实现:
偏移 机器码 指令
; ---------------------------------------------------------------------------
; nt!memset - fill a buffer with a single byte value (32-bit x86).
; In:    [esp+4]   = destination pointer
;        [esp+8]   = fill value (only the low byte is read)
;        [esp+0Ch] = byte count (compared as unsigned)
; Out:   eax = destination pointer as passed in
; Uses:  ecx, edx, flags as scratch; edi is pushed and popped around the body.
;        Both exits are a plain `ret`, so the arguments stay on the stack for
;        the caller to remove.
; Shape: 0 bytes -> short exit; fewer than 4 bytes -> byte loop only; otherwise byte
;        stores up to a 4-byte boundary, `rep stos` of whole dwords, then
;        byte stores for the remainder.
; NOTE(review): no validation of the pointer or the count is visible in this
;        routine; it writes exactly `count` bytes starting at the destination.
;        The caller must guarantee the buffer is at least that large, and
;        kernel code passing a pointer or length that originated in user mode
;        has to validate both before getting here.
; NOTE(review): `rep stos` moves edi upward only when the direction flag is
;        clear; no `cld` is executed here, so the routine presumably relies
;        on the calling convention for DF=0 - confirm.
; ---------------------------------------------------------------------------
nt!memset:
83c8ce40 8b54240c mov edx,dword ptr [esp+0Ch]    ; edx = count
83c8ce44 8b4c2404 mov ecx,dword ptr [esp+4]    ; ecx = destination
83c8ce48 85d2 test edx,edx    ; count == 0 ?
83c8ce4a 744f je nt!memset+0x5b (83c8ce9b)    ; yes: nothing to write, take the short exit
83c8ce4c 33c0 xor eax,eax    ; clear eax so only al carries the fill value
83c8ce4e 8a442408 mov al,byte ptr [esp+8]    ; al = low byte of the fill argument
83c8ce52 57 push edi    ; save edi; stack arguments are now 4 bytes further from esp
83c8ce53 8bf9 mov edi,ecx    ; edi = write cursor
83c8ce55 83fa04 cmp edx,4    ; fewer than 4 bytes to write?
83c8ce58 7231 jb nt!memset+0x4b (83c8ce8b)    ; yes (unsigned): byte loop only, edx is 1..3 here
83c8ce5a f7d9 neg ecx
83c8ce5c 83e103 and ecx,3    ; ecx = (-destination) & 3 = bytes needed to reach a 4-byte boundary
83c8ce5f 740c je nt!memset+0x2d (83c8ce6d)    ; already aligned: skip the head loop
83c8ce61 2bd1 sub edx,ecx    ; count -= head bytes (count >= 4 and head <= 3, so no underflow)
; Head loop: store single bytes until edi is 4-byte aligned.
83c8ce63 8807 mov byte ptr [edi],al
83c8ce65 83c701 add edi,1
83c8ce68 83e901 sub ecx,1
83c8ce6b 75f6 jne nt!memset+0x23 (83c8ce63)
; Replicate the fill byte into all four bytes of eax (upper bytes of eax were zeroed above).
83c8ce6d 8bc8 mov ecx,eax
83c8ce6f c1e008 shl eax,8
83c8ce72 03c1 add eax,ecx    ; eax = fill byte in the low two bytes
83c8ce74 8bc8 mov ecx,eax
83c8ce76 c1e010 shl eax,10h
83c8ce79 03c1 add eax,ecx    ; eax = fill byte in all four bytes
83c8ce7b 8bca mov ecx,edx    ; ecx = remaining byte count
83c8ce7d 83e203 and edx,3    ; edx = remaining & 3 = tail bytes after the dword stores
83c8ce80 c1e902 shr ecx,2    ; ecx = remaining / 4 = dword count; ZF set when it is zero
83c8ce83 7406 je nt!memset+0x4b (83c8ce8b)    ; no whole dword left: remaining is 1..3, so edx != 0 for the tail loop
83c8ce85 f3ab rep stos dword ptr es:[edi]    ; store ecx dwords of eax at es:[edi]
83c8ce87 85d2 test edx,edx    ; any tail bytes?
83c8ce89 740a je nt!memset+0x55 (83c8ce95)    ; none: done
; Tail loop: do-while over edx bytes; every path into it arrives with edx != 0.
83c8ce8b 8807 mov byte ptr [edi],al
83c8ce8d 83c701 add edi,1
83c8ce90 83ea01 sub edx,1
83c8ce93 75f6 jne nt!memset+0x4b (83c8ce8b)
83c8ce95 8b442408 mov eax,dword ptr [esp+8]    ; return value = destination; it sits at [esp+8] because edi is still pushed
83c8ce99 5f pop edi    ; restore edi
83c8ce9a c3 ret
; Short exit for count == 0: edi was never pushed, so the destination is still at [esp+4].
83c8ce9b 8b442404 mov eax,dword ptr [esp+4]
83c8ce9f c3 ret
; ---------------------------------------------------------------------------
; nt!strcpy - entry stub only: saves edi, loads the first stack argument into
; edi and jumps into code that lives inside nt!strcat.
; In:    after `push edi`, [esp+8] is the first stack argument (the
;        destination pointer in the standard C strcpy signature).
; NOTE(review): the copy loop itself (nt!strcat+0x65) is outside this
;        listing. Nothing visible here takes or checks a destination size,
;        which matches the C strcpy contract: the caller must guarantee the
;        destination can hold the source string including its terminator.
;        Call sites copying strings of unchecked length deserve review.
; ---------------------------------------------------------------------------
nt!strcpy:
83c8cea0 57 push edi    ; save edi; presumably restored by the shared exit path in nt!strcat - not visible here
83c8cea1 8b7c2408 mov edi,dword ptr [esp+8]    ; edi = first argument (offset is +8 because of the push)
83c8cea5 eb6e jmp nt!strcat+0x65 (83c8cf15)    ; continue in code shared with nt!strcat
; The two instructions below leave esp and edi unchanged and follow an
; unconditional jmp; they occupy the 9 bytes up to 83c8ceb0, presumably as
; padding so that nt!strcat starts on a 16-byte boundary.
83c8cea7 8da42400000000 lea esp,[esp]
83c8ceae 8bff mov edi,edi
nt!strcat:
83c8ceb0 8b4c2404 mov ecx,dword ptr [esp+4]
83c8ceb4 57 push edi
83c8ceb5 f7c103000000 test ecx,3
83c8cebb 7413 je nt!strcat+0x20 (83c8ced0)
83c8cebd 8a01 mov al,byte ptr [ecx]
83c8cebf 83c101 add ecx,1
83c8cec2 84c0 test al,al
83c8cec4 743d je nt!strcat+0x53 (83c8cf03)
83c8cec6 f7c103000000 test ecx,3
83c8cecc 75ef jne nt!strcat+0xd (83c8cebd)
83c8cece 8bff mov edi,edi
83c8ced0 8b01 mov eax,dword ptr [ecx]
83c8ced2 bafffefe7e mov edx,7EFEFEFFh
83c8ced7 03d0 add edx,eax
83c8ced9 83f0ff xor