x64 hook KiUserExceptionDispatcher 参数

0:000> g
Breakpoint 0 hit
ntdll!KiUserExceptionDispatch:
00000000`78ef3a30 48b8809e008001000000 mov rax,offset ACTIVE_1!Detour_KiUserExceptionDispatcher (00000001`80009e80)
0:000> dq rsp
00000000`00126410  00000000`001261e0 fffffadf`e1fd26e8
00000000`00126420  00000000`00000030 fffff800`012b92e8
00000000`00126430  00000000`00000000 00000000`00000000
00000000`00126440  00001f80`0010001f 0053002b`002b0033
00000000`00126450  00010206`002b002b 00000000`00000000
00000000`00126460  00000000`00000000 00000000`00000000
00000000`00126470  00000000`00000000 00000000`00000000
00000000`00126480  00000000`00000000 00000000`00000001
0:000> r
rax=0000000000000001 rbx=0000000000000409 rcx=00000000000000c0
rdx=0000000000000002 rsi=0000000000127088 rdi=0000000003c32b60
rip=0000000078ef3a30 rsp=0000000000126410 rbp=0000000000126a10
 r8=10263985000000cd  r9=00000000001e9228 r10=000003d247c0000e
r11=0000000000000201 r12=00000000001269e0 r13=0000000002991640
r14=0000000000000008 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
ntdll!KiUserExceptionDispatch:
00000000`78ef3a30 48b8809e008001000000 mov rax,offset ACTIVE_1!Detour_KiUserExceptionDispatcher (00000001`80009e80)
0:000> dq rsp
00000000`00126410  00000000`001261e0 fffffadf`e1fd26e8
00000000`00126420  00000000`00000030 fffff800`012b92e8
00000000`00126430  00000000`00000000 00000000`00000000
00000000`00126440  00001f80`0010001f 0053002b`002b0033
00000000`00126450  00010206`002b002b 00000000`00000000
00000000`00126460  00000000`00000000 00000000`00000000
00000000`00126470  00000000`00000000 00000000`00000000
00000000`00126480  00000000`00000000 00000000`00000001
0:000> dq rsp+0x4d0
00000000`001268e0  00000000`c0000005 00000000`00000000
00000000`001268f0  00000000`02991661 00000000`00000002
00000000`00126900  00000000`00000000 00000000`00000409
00000000`00126910  00000000`00000000 fffffa80`0057c0f0
00000000`00126920  00000000`0015020a 00000000`00000000
00000000`00126930  00000000`00000409 00000000`03c32b60
00000000`00126940  00000000`00127088 00000000`001269e0
00000000`00126950  00000000`02991640 00000000`00000008
0:000> dt CONTEXT 00000000`00126410
ACTIVE_1!CONTEXT
   +0x000 P1Home           : 0x1261e0
   +0x008 P2Home           : 0xfffffadf`e1fd26e8
   +0x010 P3Home           : 0x30
   +0x018 P4Home           : 0xfffff800`012b92e8
   +0x020 P5Home           : 0
   +0x028 P6Home           : 0
   +0x030 ContextFlags     : 0x10001f
   +0x034 MxCsr            : 0x1f80
   +0x038 SegCs            : 0x33
   +0x03a SegDs            : 0x2b
   +0x03c SegEs            : 0x2b
   +0x03e SegFs            : 0x53
   +0x040 SegGs            : 0x2b
   +0x042 SegSs            : 0x2b
   +0x044 EFlags           : 0x10206
   +0x048 Dr0              : 0
   +0x050 Dr1              : 0
   +0x058 Dr2              : 0
   +0x060 Dr3              : 0
   +0x068 Dr6              : 0
   +0x070 Dr7              : 0
   +0x078 Rax              : 1
   +0x080 Rcx              : 0xc0
   +0x088 Rdx              : 2
   +0x090 Rbx              : 0x409
   +0x098 Rsp              : 0x1269b0
   +0x0a0 Rbp              : 0x126a10
   +0x0a8 Rsi              : 0x127088
   +0x0b0 Rdi              : 0x3c32b60
   +0x0b8 R8               : 0x10263985`000000cd
   +0x0c0 R9               : 0x1e9228
   +0x0c8 R10              : 0x3d2`47c0000e
   +0x0d0 R11              : 0x201
   +0x0d8 R12              : 0x1269e0
   +0x0e0 R13              : 0x2991640
   +0x0e8 R14              : 8
   +0x0f0 R15              : 0
   +0x0f8 Rip              : 0x2991661
   +0x100 FltSave          : _XMM_SAVE_AREA32
   +0x100 Header           : [2] _M128
   +0x120 Legacy           : [8] _M128
   +0x1a0 Xmm0             : _M128
   +0x1b0 Xmm1             : _M128
   +0x1c0 Xmm2             : _M128
   +0x1d0 Xmm3             : _M128
   +0x1e0 Xmm4             : _M128
   +0x1f0 Xmm5             : _M128
   +0x200 Xmm6             : _M128
   +0x210 Xmm7             : _M128
   +0x220 Xmm8             : _M128
   +0x230 Xmm9             : _M128
   +0x240 Xmm10            : _M128
   +0x250 Xmm11            : _M128
   +0x260 Xmm12            : _M128
   +0x270 Xmm13            : _M128
   +0x280 Xmm14            : _M128
   +0x290 Xmm15            : _M128
   +0x300 VectorRegister   : [26] _M128
   +0x4a0 VectorControl    : 0
   +0x4a8 DebugControl     : 0
   +0x4b0 LastBranchToRip  : 0
   +0x4b8 LastBranchFromRip : 0
   +0x4c0 LastExceptionToRip : 0
   +0x4c8 LastExceptionFromRip : 0





;-----------------------------------------------------------------------
; ntdll!KiUserExceptionDispatcher (x64) -- user-mode exception dispatch entry.
; Entered by the kernel, not via `call`: no return address is on the stack.
;   rsp        = CONTEXT        (sizeof(CONTEXT) == 4D0h; see `dt CONTEXT rsp` above)
;   rsp + 4D0h = EXCEPTION_RECORD (the `dq rsp+0x4d0` dump shows c0000005 = ExceptionCode,
;                ExceptionAddress == CONTEXT.Rip, NumberParameters == 2)
; Both arguments are built from rsp, so any hook placed here must leave rsp untouched
; until the real dispatcher (or an equivalent) has consumed them.
; Calls (MS x64 ABI, rcx/rdx/r8):
;   RtlDispatchException(rcx = ExceptionRecord, rdx = Context)       -> al != 0: handled
;   RtlRestoreContext  (rcx = Context, rdx = 0)                        resume execution
;   ZwRaiseException   (rcx = ExceptionRecord, rdx = Context, r8b = 0) FirstChance = FALSE
;   RtlRaiseStatus     (ecx = status from ZwRaiseException)           reached only if the
;                                                                      calls above return
; Never returns normally: there is no `ret`; the final `int 3` is the last-resort trap.
; NOTE(review): the debugger transcript above shows the first instruction replaced by
; `mov rax, offset ACTIVE_1!Detour_KiUserExceptionDispatcher` (48 B8 imm64, 10 bytes);
; an inline patch here observes every user-mode exception before RtlDispatchException.
; A defender can detect such a patch by comparing the in-memory prologue against the
; on-disk ntdll image.
;-----------------------------------------------------------------------
0000000078EF3A30 KiUserExceptionDispatcher:              ; DATA XREF: .text:off_78F03D48o
.text:0000000078EF3A30                                         ; .data:RtlpFunctionAddressTableo
.text:0000000078EF3A30                 mov     rax, cs:Wow64PrepareForException ; optional pre-dispatch callback; presumably non-NULL only in WOW64 processes -- confirm
.text:0000000078EF3A37                 test    rax, rax
.text:0000000078EF3A3A                 jz      short loc_78EF3A4B ; no callback: straight to dispatch
.text:0000000078EF3A3C                 mov     rcx, rsp          ; rsp and rsp+4D0h are the two arguments; both structures live entirely on the stack
.text:0000000078EF3A3F                 add     rcx, 4D0h         ; rcx = EXCEPTION_RECORD
.text:0000000078EF3A46                 mov     rdx, rsp          ; rdx = CONTEXT
.text:0000000078EF3A49                 call    rax ; Wow64PrepareForException
.text:0000000078EF3A4B
.text:0000000078EF3A4B loc_78EF3A4B:                           ; CODE XREF: .text:0000000078EF3A3Aj
.text:0000000078EF3A4B                 mov     rcx, rsp
.text:0000000078EF3A4E                 add     rcx, 4D0h         ; rcx = EXCEPTION_RECORD
.text:0000000078EF3A55                 mov     rdx, rsp          ; rdx = CONTEXT
.text:0000000078EF3A58                 call    RtlDispatchException ; walks SEH/VEH handlers; BOOLEAN result in al
.text:0000000078EF3A5D                 test    al, al
.text:0000000078EF3A5F                 jz      short loc_78EF3A6D ; not handled -> raise second chance
.text:0000000078EF3A61                 mov     rcx, rsp          ; rcx = CONTEXT (possibly modified by a handler)
.text:0000000078EF3A64                 xor     edx, edx          ; rdx = NULL (no exception record)
.text:0000000078EF3A66                 call    RtlRestoreContext ; resumes at CONTEXT.Rip; not expected to return
.text:0000000078EF3A6B                 jmp     short loc_78EF3A82 ; only if RtlRestoreContext returned
.text:0000000078EF3A6D ; ---------------------------------------------------------------------------
.text:0000000078EF3A6D
.text:0000000078EF3A6D loc_78EF3A6D:                           ; CODE XREF: .text:0000000078EF3A5Fj
.text:0000000078EF3A6D                 mov     rcx, rsp
.text:0000000078EF3A70                 add     rcx, 4D0h         ; rcx = EXCEPTION_RECORD
.text:0000000078EF3A77                 mov     rdx, rsp          ; rdx = CONTEXT
.text:0000000078EF3A7A                 xor     r8b, r8b          ; r8b = FirstChance = FALSE (second-chance notification)
.text:0000000078EF3A7D                 call    ZwRaiseException  ; returns only on failure; NTSTATUS in eax
.text:0000000078EF3A82
.text:0000000078EF3A82 loc_78EF3A82:                           ; CODE XREF: .text:0000000078EF3A6Bj
.text:0000000078EF3A82                 mov     ecx, eax          ; ecx = status of the failed call
.text:0000000078EF3A84                 call    RtlRaiseStatus    ; raise it as a fresh exception; does not return
.text:0000000078EF3A89                 int     3               ; Trap to Debugger
.text:0000000078EF3A8A                 nop
.text:0000000078EF3A8B                 nop
.text:0000000078EF3A8B ; ---------------------------------------------------------------------------
.text:0000000078EF3A8C                 db 6 dup(0CCh)          ; int 3 padding up to the next 20h-aligned export
.text:0000000078EF3A92                 align 20h
.text:0000000078EF3AA0 ; Exported entry  73. KiRaiseUserExceptionDispatcher

