Wow64cpu!CpuSimulate的一点点分析

最新推荐文章于 2024-03-08 10:37:46 发布
最新推荐文章于 2024-03-08 10:37:46 发布
阅读量2.2k 收藏
点赞数
文章标签: Wow64cpu!CpuSimulate的一点点分析
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/lif1234567890/article/details/80859138
版权 
.text:0000000078B625B0 CpuSimulate     proc near               ; DATA XREF: .text:off_78B63168o
.text:0000000078B625B0                                         ; .pdata:0000000078B650B4o
.text:0000000078B625B0
.text:0000000078B625B0 var_B8          = qword ptr -0B8h
.text:0000000078B625B0 var_B0          = word ptr -0B0h
.text:0000000078B625B0 var_A8          = dword ptr -0A8h
.text:0000000078B625B0 var_A0          = qword ptr -0A0h
.text:0000000078B625B0 var_98          = qword ptr -98h
.text:0000000078B625B0 var_90          = qword ptr -90h
.text:0000000078B625B0 var_88          = qword ptr -88h
.text:0000000078B625B0 var_80          = qword ptr -80h
.text:0000000078B625B0 var_78          = qword ptr -78h
.text:0000000078B625B0 var_70          = qword ptr -70h
.text:0000000078B625B0 var_68          = qword ptr -68h
.text:0000000078B625B0 var_60          = dword ptr -60h
.text:0000000078B625B0 var_58          = dword ptr -58h
.text:0000000078B625B0 var_48          = dword ptr -48h
.text:0000000078B625B0 var_40          = qword ptr -40h
.text:0000000078B625B0 var_38          = qword ptr -38h
.text:0000000078B625B0 var_30          = qword ptr -30h
.text:0000000078B625B0 var_28          = qword ptr -28h
.text:0000000078B625B0 var_20          = qword ptr -20h
.text:0000000078B625B0 var_18          = qword ptr -18h
.text:0000000078B625B0 var_10          = qword ptr -10h
.text:0000000078B625B0 var_8           = qword ptr -8
.text:0000000078B625B0
.text:0000000078B625B0                 sub     rsp, 0B8h
.text:0000000078B625B7                 mov     [rsp+0B8h+var_40], rbp
.text:0000000078B625BC                 mov     [rsp+0B8h+var_38], rdi
.text:0000000078B625C4                 mov     [rsp+0B8h+var_30], rsi
.text:0000000078B625CC                 mov     [rsp+0B8h+var_28], rbx
.text:0000000078B625D4                 mov     [rsp+0B8h+var_20], r12
.text:0000000078B625DC                 mov     [rsp+0B8h+var_18], r13
.text:0000000078B625E4                 mov     [rsp+0B8h+var_10], r14
.text:0000000078B625EC                 mov     [rsp+0B8h+var_8], r15
.text:0000000078B625F4                 lea     r14, [rsp+0B8h+var_48]
.text:0000000078B625F9                 mov     r12, gs:30h
.text:0000000078B62602                 lea     r15, TurboDispatchJumpAddressEnd_78B62450 ; r15=函数表
.text:0000000078B62602                                         ; ecx=index
.text:0000000078B62609                 mov     r13, [r12+1488h] ; r12=TEB
.text:0000000078B62609                                         ; 来自32位程序的TEB,1488h存在某个结构
.text:0000000078B62611
.text:0000000078B62611 GoonSimuloc_78B62611:                   ; CODE XREF: CpuSimulate+1CDj
.text:0000000078B62611                 and     dword ptr [r13+2D0h], 1
.text:0000000078B62619                 jz      loc_78B626CE
.text:0000000078B6261F                 movaps  xmm0, xmmword ptr [r13+170h]
.text:0000000078B62627                 movaps  xmm1, xmmword ptr [r13+180h]
.text:0000000078B6262F                 movaps  xmm2, xmmword ptr [r13+190h]
.text:0000000078B62637                 movaps  xmm3, xmmword ptr [r13+1A0h]
.text:0000000078B6263F                 movaps  xmm4, xmmword ptr [r13+1B0h]
.text:0000000078B62647                 movaps  xmm5, xmmword ptr [r13+1C0h]
.text:0000000078B6264F                 mov     ecx, [r13+0B0h]
.text:0000000078B62656                 mov     edx, [r13+0ACh]
.text:0000000078B6265D                 and     dword ptr [r13+2D0h], 0FFFFFFFEh
.text:0000000078B62665                 mov     edi, [r13+0A0h]
.text:0000000078B6266C                 mov     esi, [r13+0A4h]
.text:0000000078B62673                 mov     ebx, [r13+0A8h]
.text:0000000078B6267A                 mov     ebp, [r13+0B8h]
.text:0000000078B62681                 mov     eax, [r13+0B4h]
.text:0000000078B62688                 mov     [r12+1480h], rsp
.text:0000000078B62690                 mov     [rsp+0B8h+var_B0], 23h
.text:0000000078B62697                 mov     word ptr [rsp+0B8h+var_98], 2Bh
.text:0000000078B6269E                 mov     r8d, [r13+0C4h]
.text:0000000078B626A5                 and     dword ptr [r13+0C4h], 0FFFFFEFFh
.text:0000000078B626B0                 mov     [rsp+0B8h+var_A8], r8d
.text:0000000078B626B5                 mov     r8d, [r13+0C8h]
.text:0000000078B626BC                 mov     [rsp+0B8h+var_A0], r8
.text:0000000078B626C1                 mov     r8d, [r13+0BCh]
.text:0000000078B626C8                 mov     [rsp+0B8h+var_B8], r8
.text:0000000078B626CC                 iretq
.text:0000000078B626CE ; ---------------------------------------------------------------------------
.text:0000000078B626CE
.text:0000000078B626CE loc_78B626CE:                           ; CODE XREF: CpuSimulate+69j
.text:0000000078B626CE                 mov     edi, [r13+0A0h]
.text:0000000078B626D5                 mov     esi, [r13+0A4h]
.text:0000000078B626DC                 mov     ebx, [r13+0A8h]
.text:0000000078B626E3                 mov     ebp, [r13+0B8h]
.text:0000000078B626EA                 mov     eax, [r13+0B4h]
.text:0000000078B626F1                 mov     [r12+1480h], rsp
.text:0000000078B626F9                 mov     dword ptr [r14+4], 23h
.text:0000000078B62701                 mov     r8d, 2Bh
.text:0000000078B62707                 mov     ss, r8d
.text:0000000078B6270A                 mov     esp, [r13+0C8h]
.text:0000000078B62711                 mov     r9d, [r13+0BCh]
.text:0000000078B62718                 mov     [r14], r9d
.text:0000000078B6271B                 jmp     fword ptr [r14]
.text:0000000078B6271E ; ---------------------------------------------------------------------------
.text:0000000078B6271E
.text:0000000078B6271E CpupReturnFromSimulatedCode:            ; DATA XREF: CpuProcessInit+B1o
.text:0000000078B6271E                                         ; CpuResetToConsistentState+B7o ...
.text:0000000078B6271E                 mov     r8d, dword ptr [esp+0B8h+var_B8]
.text:0000000078B62723                 mov     [r13+0BCh], r8d
.text:0000000078B6272A                 mov     [r13+0C8h], esp
.text:0000000078B62731                 mov     rsp, [r12+1480h]
.text:0000000078B62739                 and     qword ptr [r12+1480h], 0
.text:0000000078B62742                 mov     r11d, edx
.text:0000000078B62745 ; Exported entry  25. TurboDispatchJumpAddressStart
.text:0000000078B62745
.text:0000000078B62745                 public TurboDispatchJumpAddressStart
.text:0000000078B62745 TurboDispatchJumpAddressStart:          ; DATA XREF: CpuProcessInit+153o
.text:0000000078B62745                                         ; CpuProcessInit+166o ...
.text:0000000078B62745                 jmp     qword ptr [r15+rcx*8] ; 到64为程序入口
.text:0000000078B62749 ; ---------------------------------------------------------------------------
.text:0000000078B62749 ; Exported entry  24. TurboDispatchJumpAddressEnd
.text:0000000078B62749
.text:0000000078B62749                 public TurboDispatchJumpAddressEnd
.text:0000000078B62749 TurboDispatchJumpAddressEnd:            ; CODE XREF: CpuSimulate+32Cj
.text:0000000078B62749                                         ; CpuSimulate+3E6j
.text:0000000078B62749                                         ; DATA XREF: ...
.text:0000000078B62749                 mov     [r13+0A4h], esi
.text:0000000078B62750                 mov     [r13+0A0h], edi
.text:0000000078B62757                 mov     [r13+0A8h], ebx
.text:0000000078B6275E                 mov     [r13+0B8h], ebp
.text:0000000078B62765                 pushfq
.text:0000000078B62766                 pop     rbx
.text:0000000078B62767                 mov     [r13+0C4h], ebx
.text:0000000078B6276E                 mov     ecx, eax
.text:0000000078B62770                 call    cs:__imp_Wow64SystemServiceEx
.text:0000000078B62776                 mov     [r13+0B4h], eax
.text:0000000078B6277D                 jmp     GoonSimuloc_78B62611
.text:0000000078B6277D ; ---------------------------------------------------------------------------
.text:0000000078B62782 ThunkNone       db 0CCh                 ; DATA XREF: .text:0000000078B62548o
.text:0000000078B62783 ; ---------------------------------------------------------------------------
.text:0000000078B62783
.text:0000000078B62783 ; DWORD __stdcall GetCurrentProcessorNumber()
.text:0000000078B62783 GetCurrentProcessorNumber:              ; DATA XREF: .text:0000000078B62518o
.text:0000000078B62783                 mov     eax, 53h
.text:0000000078B62788                 lsl     eax, eax
.text:0000000078B6278B                 shr     eax, 0Eh
.text:0000000078B6278E                 and     eax, 1Fh
.text:0000000078B62791                 mov     [r12+1480h], rsp
.text:0000000078B62799                 mov     dword ptr [r14+4], 23h
.text:0000000078B627A1                 mov     r8d, 2Bh
.text:0000000078B627A7                 mov     ss, r8d
.text:0000000078B627AA                 mov     esp, [r13+0C8h]
.text:0000000078B627B1                 mov     r9d, [r13+0BCh]
.text:0000000078B627B8                 mov     [r14], r9d
.text:0000000078B627BB                 jmp     fword ptr [r14]
.text:0000000078B627BE ; ---------------------------------------------------------------------------
.text:0000000078B627BE
.text:0000000078B627BE QuerySystemTime:                        ; DATA XREF: .text:0000000078B62510o
.text:0000000078B627BE                 mov     ecx, [r11]
.text:0000000078B627C1                 xor     eax, eax
.text:0000000078B627C3                 mov     edx, 7FFE0000h
.text:0000000078B627C8                 mov     rdx, [rdx+14h]
.text:0000000078B627CC
.text:0000000078B627CC QuerySystemTimeFault:                   ; DATA XREF: .text:0000000078B62400o
.text:0000000078B627CC                 mov     [rcx], rdx
.text:0000000078B627CF
.text:0000000078B627CF QuerySystemTimeResume:                  ; DATA XREF: .text:0000000078B62408o
.text:0000000078B627CF                 mov     [r12+1480h], rsp
.text:0000000078B627D7                 mov     dword ptr [r14+4], 23h
.text:0000000078B627DF                 mov     r8d, 2Bh
.text:0000000078B627E5                 mov     ss, r8d
.text:0000000078B627E8                 mov     esp, [r13+0C8h]
.text:0000000078B627EF                 mov     r9d, [r13+0BCh]
.text:0000000078B627F6                 mov     [r14], r9d
.text:0000000078B627F9                 jmp     fword ptr [r14] ; 跳转到0x23:LOWDWORD([r14])
.text:0000000078B627FC ; ---------------------------------------------------------------------------
.text:0000000078B627FC
.text:0000000078B627FC ; DWORD __stdcall WaitForMultipleObjects(DWORD nCount, const HANDLE *lpHandles, BOOL bWaitAll, DWORD dwMilliseconds)
.text:0000000078B627FC WaitForMultipleObjects:                 ; DATA XREF: .text:0000000078B62538o
.text:0000000078B627FC                 mov     rax, 17h
.text:0000000078B62803
.text:0000000078B62803 WaitForMultipleObjects32:               ; DATA XREF: .text:0000000078B62540o
.text:0000000078B62803                 mov     ecx, [r11+10h]
.text:0000000078B62807                 mov     [rsp+0B8h+var_98], rcx
.text:0000000078B6280C                 mov     r10, [r11]
.text:0000000078B6280F                 mov     edx, [r11+4]
.text:0000000078B62813                 mov     r8d, [r11+8]
.text:0000000078B62817                 mov     r9d, [r11+0Ch]
.text:0000000078B6281B                 mov     [r13+0A4h], esi
.text:0000000078B62822                 mov     [r13+0A0h], edi
.text:0000000078B62829                 mov     [r13+0A8h], ebx
.text:0000000078B62830                 pushfq
.text:0000000078B62831                 pop     rbx
.text:0000000078B62832                 mov     [r13+0C4h], ebx
.text:0000000078B62839                 call    CpupSyscallStub
.text:0000000078B6283E                 mov     edi, [r13+0A0h]
.text:0000000078B62845                 mov     esi, [r13+0A4h]
.text:0000000078B6284C                 mov     ebx, [r13+0A8h]
.text:0000000078B62853                 mov     ebp, [r13+0B8h]
.text:0000000078B6285A                 and     dword ptr [r13+2D0h], 1
.text:0000000078B62862                 jnz     short loc_78B62891
.text:0000000078B62864                 mov     [r12+1480h], rsp
.text:0000000078B6286C                 mov     dword ptr [r14+4], 23h
.text:0000000078B62874                 mov     r8d, 2Bh
.text:0000000078B6287A                 mov     ss, r8d
.text:0000000078B6287D                 mov     esp, [r13+0C8h]
.text:0000000078B62884                 mov     r9d, [r13+0BCh]
.text:0000000078B6288B                 mov     [r14], r9d
.text:0000000078B6288E                 jmp     fword ptr [r14]
.text:0000000078B62891 ; ---------------------------------------------------------------------------
.text:0000000078B62891
.text:0000000078B62891 loc_78B62891:                           ; CODE XREF: CpuSimulate+2B2j
.text:0000000078B62891                 mov     [r12+1480h], rsp
.text:0000000078B62899                 mov     [rsp+0B8h+var_B0], 23h
.text:0000000078B628A0                 mov     word ptr [rsp+0B8h+var_98], 2Bh
.text:0000000078B628A7                 mov     r8d, [r13+0C4h]
.text:0000000078B628AE                 and     dword ptr [r13+0C4h], 0FFFFFEFFh
.text:0000000078B628B9                 mov     [rsp+0B8h+var_A8], r8d
.text:0000000078B628BE                 mov     r8d, [r13+0C8h]
.text:0000000078B628C5                 mov     [rsp+0B8h+var_A0], r8
.text:0000000078B628CA                 mov     r8d, [r13+0BCh]
.text:0000000078B628D1                 mov     [rsp+0B8h+var_B8], r8
.text:0000000078B628D5                 iretq
.text:0000000078B628D7 ; ---------------------------------------------------------------------------
.text:0000000078B628D7
.text:0000000078B628D7 DeviceIoctlFile:                        ; DATA XREF: .text:0000000078B62528o
.text:0000000078B628D7                 cmp     dword ptr [r11+8], 0
.text:0000000078B628DC                 jnz     TurboDispatchJumpAddressEnd
.text:0000000078B628E2                 mov     ecx, [r11+24h]
.text:0000000078B628E6                 mov     [rsp+0B8h+var_70], rcx
.text:0000000078B628EB                 mov     ecx, [r11+20h]
.text:0000000078B628EF                 mov     [rsp+0B8h+var_78], rcx
.text:0000000078B628F4                 mov     ecx, [r11+1Ch]
.text:0000000078B628F8                 mov     [rsp+0B8h+var_80], rcx
.text:0000000078B628FD                 mov     ecx, [r11+18h]
.text:0000000078B62901                 mov     [rsp+0B8h+var_88], rcx
.text:0000000078B62906                 mov     ecx, [r11+14h]
.text:0000000078B6290A                 mov     [rsp+0B8h+var_90], rcx
.text:0000000078B6290F                 mov     ecx, [r11+10h]
.text:0000000078B62913
.text:0000000078B62913 DeviceIoctlFileFault:                   ; DATA XREF: .text:0000000078B62420o
.text:0000000078B62913                 test    ecx, ecx
.text:0000000078B62915                 jz      short loc_78B6292C
.text:0000000078B62917                 mov     rdx, [rcx]
.text:0000000078B6291A                 mov     [rcx], rdx
.text:0000000078B6291D                 lea     rdx, [rsp+0B8h+var_68]
.text:0000000078B62922                 mov     [rdx], rcx
.text:0000000078B62925                 mov     [rsp+0B8h+var_58], ecx
.text:0000000078B62929                 mov     rcx, rdx
.text:0000000078B6292C
.text:0000000078B6292C loc_78B6292C:                           ; CODE XREF: CpuSimulate+365j
.text:0000000078B6292C                 mov     [rsp+0B8h+var_98], rcx
.text:0000000078B62931                 mov     r9d, [r11+0Ch]
.text:0000000078B62935                 xor     r8d, r8d
.text:0000000078B62938                 movsxd  rdx, dword ptr [r11+4]
.text:0000000078B6293C                 movsxd  r10, dword ptr [r11]
.text:0000000078B6293F                 call    CpupSyscallStub
.text:0000000078B62944                 mov     rcx, [rsp+0B8h+var_98]
.text:0000000078B62949                 test    rcx, rcx
.text:0000000078B6294C                 jz      short DeviceIoctlFileResume
.text:0000000078B6294E                 mov     edx, [rsp+0B8h+var_58]
.text:0000000078B62952                 cmp     edx, [rcx]
.text:0000000078B62954                 jz      short DeviceIoctlFileResume
.text:0000000078B62956                 mov     r8d, [rcx]
.text:0000000078B62959                 mov     [rdx], r8d
.text:0000000078B6295C                 mov     r8d, [rcx+8]
.text:0000000078B62960                 mov     [rdx+4], r8d
.text:0000000078B62964
.text:0000000078B62964 DeviceIoctlFileResume:                  ; CODE XREF: CpuSimulate+39Cj
.text:0000000078B62964                                         ; CpuSimulate+3A4j
.text:0000000078B62964                                         ; DATA XREF: ...
.text:0000000078B62964                 mov     [r12+1480h], rsp
.text:0000000078B6296C                 mov     dword ptr [r14+4], 23h
.text:0000000078B62974                 mov     r8d, 2Bh
.text:0000000078B6297A                 mov     ss, r8d
.text:0000000078B6297D                 mov     esp, [r13+0C8h]
.text:0000000078B62984                 mov     r9d, [r13+0BCh]
.text:0000000078B6298B                 mov     [r14], r9d
.text:0000000078B6298E                 jmp     fword ptr [r14]
.text:0000000078B62991 ; ---------------------------------------------------------------------------
.text:0000000078B62991
.text:0000000078B62991 ReadWriteFile:                          ; DATA XREF: .text:0000000078B62520o
.text:0000000078B62991                 cmp     dword ptr [r11+8], 0
.text:0000000078B62996                 jnz     TurboDispatchJumpAddressEnd
.text:0000000078B6299C                 mov     ecx, [r11+20h]
.text:0000000078B629A0                 mov     [rsp+0B8h+var_78], rcx
.text:0000000078B629A5                 mov     ecx, [r11+1Ch]
.text:0000000078B629A9                 mov     [rsp+0B8h+var_80], rcx
.text:0000000078B629AE                 mov     ecx, [r11+18h]
.text:0000000078B629B2                 mov     [rsp+0B8h+var_88], rcx
.text:0000000078B629B7                 mov     ecx, [r11+14h]
.text:0000000078B629BB                 mov     [rsp+0B8h+var_90], rcx
.text:0000000078B629C0                 mov     ecx, [r11+10h]
.text:0000000078B629C4
.text:0000000078B629C4 ReadWriteFileFault:                     ; DATA XREF: .text:0000000078B62410o
.text:0000000078B629C4                 test    ecx, ecx
.text:0000000078B629C6                 jz      short loc_78B629DD
.text:0000000078B629C8                 mov     rdx, [rcx]
.text:0000000078B629CB                 mov     [rcx], rdx
.text:0000000078B629CE                 lea     rdx, [rsp+0B8h+var_70]
.text:0000000078B629D3                 mov     [rdx], rcx
.text:0000000078B629D6                 mov     [rsp+0B8h+var_60], ecx
.text:0000000078B629DA                 mov     rcx, rdx
.text:0000000078B629DD
.text:0000000078B629DD loc_78B629DD:                           ; CODE XREF: CpuSimulate+416j
.text:0000000078B629DD                 mov     [rsp+0B8h+var_98], rcx
.text:0000000078B629E2                 mov     r9d, [r11+0Ch]
.text:0000000078B629E6                 xor     r8d, r8d
.text:0000000078B629E9                 movsxd  rdx, dword ptr [r11+4]
.text:0000000078B629ED                 movsxd  r10, dword ptr [r11]
.text:0000000078B629F0                 call    CpupSyscallStub
.text:0000000078B629F5                 mov     rcx, [rsp+0B8h+var_98]
.text:0000000078B629FA                 test    rcx, rcx
.text:0000000078B629FD                 jz      short ReadWriteFileResume
.text:0000000078B629FF                 mov     edx, [rsp+0B8h+var_60]
.text:0000000078B62A03                 cmp     edx, [rcx]
.text:0000000078B62A05                 jz      short ReadWriteFileResume
.text:0000000078B62A07                 mov     r8d, [rcx]
.text:0000000078B62A0A                 mov     [rdx], r8d
.text:0000000078B62A0D                 mov     r8d, [rcx+8]
.text:0000000078B62A11                 mov     [rdx+4], r8d
.text:0000000078B62A15
.text:0000000078B62A15 ReadWriteFileResume:                    ; CODE XREF: CpuSimulate+44Dj
.text:0000000078B62A15                                         ; CpuSimulate+455j
.text:0000000078B62A15                                         ; DATA XREF: ...
.text:0000000078B62A15                 mov     [r12+1480h], rsp
.text:0000000078B62A1D                 mov     dword ptr [r14+4], 23h
.text:0000000078B62A25                 mov     r8d, 2Bh
.text:0000000078B62A2B                 mov     ss, r8d
.text:0000000078B62A2E                 mov     esp, [r13+0C8h]
.text:0000000078B62A35                 mov     r9d, [r13+0BCh]
.text:0000000078B62A3C                 mov     [r14], r9d
.text:0000000078B62A3F                 jmp     fword ptr [r14]
.text:0000000078B62A42 ; ---------------------------------------------------------------------------
.text:0000000078B62A42
.text:0000000078B62A42 RemoveIoCompletion:                     ; DATA XREF: .text:0000000078B62530o
.text:0000000078B62A42                 mov     ecx, [r11+10h]
.text:0000000078B62A46                 mov     [rsp+0B8h+var_98], rcx
.text:0000000078B62A4B
.text:0000000078B62A4B RemoveIoCompletionFault:                ; DATA XREF: .text:0000000078B62430o
.text:0000000078B62A4B                 mov     ecx, [r11+0Ch]
.text:0000000078B62A4F                 mov     rdx, [rcx]
.text:0000000078B62A52                 mov     [rcx], rdx
.text:0000000078B62A55                 mov     dword ptr [rsp+0B8h+var_80], ecx
.text:0000000078B62A59                 mov     ecx, [r11+8]
.text:0000000078B62A5D                 mov     edx, [rcx]
.text:0000000078B62A5F                 mov     [rcx], edx
.text:0000000078B62A61                 mov     dword ptr [rsp+0B8h+var_78], ecx
.text:0000000078B62A65                 mov     ecx, [r11+4]
.text:0000000078B62A69                 mov     edx, [rcx]
.text:0000000078B62A6B                 mov     [rcx], edx
.text:0000000078B62A6D                 mov     dword ptr [rsp+0B8h+var_80+4], ecx
.text:0000000078B62A71                 lea     r9, [rsp+0B8h+var_90]
.text:0000000078B62A76                 lea     r8, [rsp+0B8h+var_68]
.text:0000000078B62A7B                 lea     rdx, [rsp+0B8h+var_70]
.text:0000000078B62A80                 movsxd  r10, dword ptr [r11]
.text:0000000078B62A83                 call    CpupSyscallStub
.text:0000000078B62A88                 cmp     eax, 102h
.text:0000000078B62A8D                 jz      short RemoveIoCompletionResume
.text:0000000078B62A8F                 cmp     eax, 0C0h
.text:0000000078B62A94                 jz      short RemoveIoCompletionResume
.text:0000000078B62A96                 test    eax, eax
.text:0000000078B62A98                 jl      short RemoveIoCompletionResume
.text:0000000078B62A9A                 lea     rcx, [rsp+0B8h+var_90]
.text:0000000078B62A9F                 mov     edx, dword ptr [rsp+0B8h+var_80]
.text:0000000078B62AA3                 mov     r8d, [rcx]
.text:0000000078B62AA6                 mov     [rdx], r8d
.text:0000000078B62AA9                 mov     r8d, [rcx+8]
.text:0000000078B62AAD                 mov     [rdx+4], r8d
.text:0000000078B62AB1                 mov     ecx, dword ptr [rsp+0B8h+var_78]
.text:0000000078B62AB5                 mov     rdx, [rsp+0B8h+var_68]
.text:0000000078B62ABA                 mov     [rcx], edx
.text:0000000078B62ABC                 mov     ecx, dword ptr [rsp+0B8h+var_80+4]
.text:0000000078B62AC0                 mov     rdx, [rsp+0B8h+var_70]
.text:0000000078B62AC5                 mov     [rcx], edx
.text:0000000078B62AC7
.text:0000000078B62AC7 RemoveIoCompletionResume:               ; CODE XREF: CpuSimulate+4DDj
.text:0000000078B62AC7                                         ; CpuSimulate+4E4j ...
.text:0000000078B62AC7                 mov     [r12+1480h], rsp
.text:0000000078B62ACF                 mov     dword ptr [r14+4], 23h
.text:0000000078B62AD7                 mov     r8d, 2Bh
.text:0000000078B62ADD                 mov     ss, r8d
.text:0000000078B62AE0                 mov     esp, [r13+0C8h]
.text:0000000078B62AE7                 mov     r9d, [r13+0BCh]
.text:0000000078B62AEE                 mov     [r14], r9d
.text:0000000078B62AF1                 jmp     fword ptr [r14]
.text:0000000078B62AF4 ; ---------------------------------------------------------------------------
.text:0000000078B62AF4
.text:0000000078B62AF4 Thunk4ArgSpSpNSpNSpReloadState:         ; DATA XREF: .text:0000000078B624E8o
.text:0000000078B62AF4                 movsxd  r10, dword ptr [r11]
.text:0000000078B62AF7                 movsxd  rdx, dword ptr [r11+4]
.text:0000000078B62AFB                 mov     r8d, [r11+8]
.text:0000000078B62AFF                 mov     r9d, [r11+0Ch]
.text:0000000078B62B03                 mov     [r13+0A4h], esi
.text:0000000078B62B0A                 mov     [r13+0A0h], edi
.text:0000000078B62B11                 mov     [r13+0A8h], ebx
.text:0000000078B62B18                 pushfq
.text:0000000078B62B19                 pop     rbx
.text:0000000078B62B1A                 mov     [r13+0C4h], ebx
.text:0000000078B62B21                 call    CpupSyscallStub
.text:0000000078B62B26                 mov     edi, [r13+0A0h]
.text:0000000078B62B2D                 mov     esi, [r13+0A4h]
.text:0000000078B62B34                 mov     ebx, [r13+0A8h]
.text:0000000078B62B3B                 mov     ebp, [r13+0B8h]
.text:0000000078B62B42                 and     dword ptr [r13+2D0h], 1
.text:0000000078B62B4A                 jnz     short loc_78B62B79
.text:0000000078B62B4C                 mov     [r12+1480h], rsp
.text:0000000078B62B54                 mov     dword ptr [r14+4], 23h
.text:0000000078B62B5C                 mov     r8d, 2Bh
.text:0000000078B62B62                 mov     ss, r8d
.text:0000000078B62B65                 mov     esp, [r13+0C8h]
.text:0000000078B62B6C                 mov     r9d, [r13+0BCh]
.text:0000000078B62B73                 mov     [r14], r9d
.text:0000000078B62B76                 jmp     fword ptr [r14]
.text:0000000078B62B79 ; ---------------------------------------------------------------------------
.text:0000000078B62B79
.text:0000000078B62B79 loc_78B62B79:                           ; CODE XREF: CpuSimulate+59Aj
.text:0000000078B62B79                 mov     [r12+1480h], rsp
.text:0000000078B62B81                 mov     [rsp+0B8h+var_B0], 23h
.text:0000000078B62B88                 mov     word ptr [rsp+0B8h+var_98], 2Bh
.text:0000000078B62B8F                 mov     r8d, [r13+0C4h]
.text:0000000078B62B96                 and     dword ptr [r13+0C4h], 0FFFFFEFFh
.text:0000000078B62BA1                 mov     [rsp+0B8h+var_A8], r8d
.text:0000000078B62BA6                 mov     r8d, [r13+0C8h]
.text:0000000078B62BAD                 mov     [rsp+0B8h+var_A0], r8
.text:0000000078B62BB2                 mov     r8d, [r13+0BCh]
.text:0000000078B62BB9                 mov     [rsp+0B8h+var_B8], r8
.text:0000000078B62BBD                 iretq
.text:0000000078B62BBF ; ---------------------------------------------------------------------------
.text:0000000078B62BBF
.text:0000000078B62BBF Thunk4ArgSpNSpNSpNSpReloadState:        ; DATA XREF: .text:0000000078B624F8o
.text:0000000078B62BBF                 mov     r9d, [r11+0Ch]
.text:0000000078B62BC3
.text:0000000078B62BC3 Thunk3ArgSpNSpNSpReloadState:           ; DATA XREF: .text:0000000078B624B8o
.text:0000000078B62BC3                 movsxd  r10, dword ptr [r11]
.text:0000000078B62BC6                 mov     edx, [r11+4]
.text:0000000078B62BCA                 mov     r8d, [r11+8]
.text:0000000078B62BCE
.text:0000000078B62BCE Thunk0ArgReloadState:                   ; DATA XREF: .text:0000000078B62460o
.text:0000000078B62BCE                 mov     [r13+0A4h], esi
.text:0000000078B62BD5                 mov     [r13+0A0h], edi
.text:0000000078B62BDC                 mov     [r13+0A8h], ebx
.text:0000000078B62BE3                 pushfq
.text:0000000078B62BE4                 pop     rbx
.text:0000000078B62BE5                 mov     [r13+0C4h], ebx
.text:0000000078B62BEC                 call    CpupSyscallStub
.text:0000000078B62BF1                 mov     edi, [r13+0A0h]
.text:0000000078B62BF8                 mov     esi, [r13+0A4h]
.text:0000000078B62BFF                 mov     ebx, [r13+0A8h]
.text:0000000078B62C06                 mov     ebp, [r13+0B8h]
.text:0000000078B62C0D                 and     dword ptr [r13+2D0h], 1
.text:0000000078B62C15                 jnz     short loc_78B62C44
.text:0000000078B62C17                 mov     [r12+1480h], rsp
.text:0000000078B62C1F                 mov     dword ptr [r14+4], 23h
.text:0000000078B62C27                 mov     r8d, 2Bh
.text:0000000078B62C2D                 mov     ss, r8d
.text:0000000078B62C30                 mov     esp, [r13+0C8h]
.text:0000000078B62C37                 mov     r9d, [r13+0BCh]
.text:0000000078B62C3E                 mov     [r14], r9d
.text:0000000078B62C41                 jmp     fword ptr [r14]
.text:0000000078B62C44 ; ---------------------------------------------------------------------------
.text:0000000078B62C44
.text:0000000078B62C44 loc_78B62C44:                           ; CODE XREF: CpuSimulate+665j
.text:0000000078B62C44                 mov     [r12+1480h], rsp
.text:0000000078B62C4C                 mov     [rsp+0B8h+var_B0], 23h
.text:0000000078B62C53                 mov     word ptr [rsp+0B8h+var_98], 2Bh
.text:0000000078B62C5A                 mov     r8d, [r13+0C4h]
.text:0000000078B62C61                 and     dword ptr [r13+0C4h], 0FFFFFEFFh
.text:0000000078B62C6C                 mov     [rsp+0B8h+var_A8], r8d
.text:0000000078B62C71                 mov     r8d, [r13+0C8h]
.text:0000000078B62C78                 mov     [rsp+0B8h+var_A0], r8
.text:0000000078B62C7D                 mov     r8d, [r13+0BCh]
.text:0000000078B62C84                 mov     [rsp+0B8h+var_B8], r8
.text:0000000078B62C88                 iretq
.text:0000000078B62C8A ; ---------------------------------------------------------------------------
.text:0000000078B62C8A
.text:0000000078B62C8A Thunk2ArgNSpNSpReloadState:             ; DATA XREF: .text:0000000078B62480o
.text:0000000078B62C8A                 mov     r10d, [r11]
.text:0000000078B62C8D                 mov     edx, [r11+4]
.text:0000000078B62C91                 mov     [r13+0A4h], esi
.text:0000000078B62C98                 mov     [r13+0A0h], edi
.text:0000000078B62C9F                 mov     [r13+0A8h], ebx
.text:0000000078B62CA6                 pushfq
.text:0000000078B62CA7                 pop     rbx
.text:0000000078B62CA8                 mov     [r13+0C4h], ebx
.text:0000000078B62CAF                 call    CpupSyscallStub
.text:0000000078B62CB4                 mov     edi, [r13+0A0h]
.text:0000000078B62CBB                 mov     esi, [r13+0A4h]
.text:0000000078B62CC2                 mov     ebx, [r13+0A8h]
.text:0000000078B62CC9                 mov     ebp, [r13+0B8h]
.text:0000000078B62CD0                 and     dword ptr [r13+2D0h], 1
.text:0000000078B62CD8                 jnz     short loc_78B62D07
.text:0000000078B62CDA                 mov     [r12+1480h], rsp
.text:0000000078B62CE2                 mov     dword ptr [r14+4], 23h
.text:0000000078B62CEA                 mov     r8d, 2Bh
.text:0000000078B62CF0                 mov     ss, r8d
.text:0000000078B62CF3                 mov     esp, [r13+0C8h]
.text:0000000078B62CFA                 mov     r9d, [r13+0BCh]
.text:0000000078B62D01                 mov     [r14], r9d
.text:0000000078B62D04                 jmp     fword ptr [r14]
.text:0000000078B62D07 ; ---------------------------------------------------------------------------
.text:0000000078B62D07
.text:0000000078B62D07 loc_78B62D07:                           ; CODE XREF: CpuSimulate+728j
.text:0000000078B62D07                 mov     [r12+1480h], rsp
.text:0000000078B62D0F                 mov     [rsp+0B8h+var_B0], 23h
.text:0000000078B62D16                 mov     word ptr [rsp+0B8h+var_98], 2Bh
.text:0000000078B62D1D                 mov     r8d, [r13+0C4h]
.text:0000000078B62D24                 and     dword ptr [r13+0C4h], 0FFFFFEFFh
.text:0000000078B62D2F                 mov     [rsp+0B8h+var_A8], r8d
.text:0000000078B62D34                 mov     r8d, [r13+0C8h]
.text:0000000078B62D3B                 mov     [rsp+0B8h+var_A0], r8
.text:0000000078B62D40                 mov     r8d, [r13+0BCh]
.text:0000000078B62D47                 mov     [rsp+0B8h+var_B8], r8
.text:0000000078B62D4B                 iretq
.text:0000000078B62D4D ; ---------------------------------------------------------------------------
.text:0000000078B62D4D
.text:0000000078B62D4D Thunk4ArgNSpSpNSpNSp:                   ; DATA XREF: .text:0000000078B62500o
.text:0000000078B62D4D                 mov     r9d, [r11+0Ch]
.text:0000000078B62D51
.text:0000000078B62D51 Thunk3ArgNSpSpNSp:                      ; DATA XREF: .text:0000000078B624C8o
.text:0000000078B62D51                 mov     r8d, [r11+8]
.text:0000000078B62D55
.text:0000000078B62D55 Thunk2ArgNSpSp:                         ; DATA XREF: .text:0000000078B62498o
.text:0000000078B62D55                 mov     r10d, [r11]
.text:0000000078B62D58                 movsxd  rdx, dword ptr [r11+4]
.text:0000000078B62D5C                 jmp     short Thunk0Arg
.text:0000000078B62D5E ; ---------------------------------------------------------------------------
.text:0000000078B62D5E
.text:0000000078B62D5E Thunk4ArgSpSpSpNSp:                     ; DATA XREF: .text:0000000078B62508o
.text:0000000078B62D5E                 mov     r9d, [r11+0Ch]
.text:0000000078B62D62
.text:0000000078B62D62 Thunk3ArgSpSpSp:                        ; DATA XREF: .text:0000000078B624A8o
.text:0000000078B62D62                 movsxd  r8, dword ptr [r11+8]
.text:0000000078B62D66
.text:0000000078B62D66 Thunk2ArgSpSp:                          ; DATA XREF: .text:0000000078B62490o
.text:0000000078B62D66                 movsxd  rdx, dword ptr [r11+4]
.text:0000000078B62D6A
.text:0000000078B62D6A Thunk1ArgSp:                            ; DATA XREF: .text:0000000078B62468o
.text:0000000078B62D6A                 movsxd  r10, dword ptr [r11]
.text:0000000078B62D6D                 jmp     short Thunk0Arg
.text:0000000078B62D6F ; ---------------------------------------------------------------------------
.text:0000000078B62D6F
.text:0000000078B62D6F Thunk4ArgNSpNSpNSpNSp:                  ; DATA XREF: .text:0000000078B624D8o
.text:0000000078B62D6F                 mov     r9d, [r11+0Ch]
.text:0000000078B62D73
.text:0000000078B62D73 Thunk3ArgNSpNSpNSp:                     ; DATA XREF: .text:0000000078B624A0o
.text:0000000078B62D73                 mov     r8d, [r11+8]
.text:0000000078B62D77
.text:0000000078B62D77 Thunk2ArgNSpNSp:                        ; DATA XREF: .text:0000000078B62478o
.text:0000000078B62D77                 mov     edx, [r11+4]
.text:0000000078B62D7B
.text:0000000078B62D7B Thunk1ArgNSp:                           ; DATA XREF: .text:0000000078B62470o
.text:0000000078B62D7B                 mov     r10d, [r11]
.text:0000000078B62D7E                 jmp     short Thunk0Arg
.text:0000000078B62D80 ; ---------------------------------------------------------------------------
.text:0000000078B62D80
.text:0000000078B62D80 Thunk3ArgSpNSpSp:                       ; DATA XREF: .text:0000000078B624D0o
.text:0000000078B62D80                 movsxd  r8, dword ptr [r11+8]
.text:0000000078B62D84
.text:0000000078B62D84 Thunk2ArgSpNSp:                         ; DATA XREF: .text:0000000078B62488o
.text:0000000078B62D84                 movsxd  r10, dword ptr [r11]
.text:0000000078B62D87                 mov     edx, [r11+4]
.text:0000000078B62D8B                 jmp     short Thunk0Arg
.text:0000000078B62D8D ; ---------------------------------------------------------------------------
.text:0000000078B62D8D
.text:0000000078B62D8D Thunk3ArgSpNSpNSp:                      ; DATA XREF: .text:0000000078B624B0o
.text:0000000078B62D8D                 movsxd  r10, dword ptr [r11]
.text:0000000078B62D90                 mov     edx, [r11+4]
.text:0000000078B62D94                 mov     r8d, [r11+8]
.text:0000000078B62D98                 jmp     short Thunk0Arg
.text:0000000078B62D9A ; ---------------------------------------------------------------------------
.text:0000000078B62D9A
.text:0000000078B62D9A Thunk4ArgSpSpNSpNSp:                    ; DATA XREF: .text:0000000078B624E0o
.text:0000000078B62D9A                 mov     r9d, [r11+0Ch]
.text:0000000078B62D9E
.text:0000000078B62D9E Thunk3ArgSpSpNSp:                       ; DATA XREF: .text:0000000078B624C0o
.text:0000000078B62D9E                 movsxd  r10, dword ptr [r11]
.text:0000000078B62DA1                 movsxd  rdx, dword ptr [r11+4]
.text:0000000078B62DA5                 mov     r8d, [r11+8]
.text:0000000078B62DA9                 jmp     short Thunk0Arg
.text:0000000078B62DAB ; ---------------------------------------------------------------------------
.text:0000000078B62DAB
.text:0000000078B62DAB Thunk4ArgSpNSpNSpNSp:                   ; DATA XREF: .text:0000000078B624F0o
.text:0000000078B62DAB                 movsxd  r10, dword ptr [r11]
.text:0000000078B62DAE                 mov     edx, [r11+4]
.text:0000000078B62DB2                 mov     r8d, [r11+8]
.text:0000000078B62DB6                 mov     r9d, [r11+0Ch]
.text:0000000078B62DBA
.text:0000000078B62DBA Thunk0Arg:                              ; CODE XREF: CpuSimulate+7ACj
.text:0000000078B62DBA                                         ; CpuSimulate+7BDj ...
.text:0000000078B62DBA                 call    CpupSyscallStub
.text:0000000078B62DBF                 mov     [r12+1480h], rsp
.text:0000000078B62DC7                 mov     dword ptr [r14+4], 23h
.text:0000000078B62DCF                 mov     r8d, 2Bh
.text:0000000078B62DD5                 mov     ss, r8d
.text:0000000078B62DD8                 mov     esp, [r13+0C8h]
.text:0000000078B62DDF                 mov     r9d, [r13+0BCh]
.text:0000000078B62DE6                 mov     [r14], r9d
.text:0000000078B62DE9                 jmp     fword ptr [r14]
.text:0000000078B62DE9 CpuSimulate     endp ; sp-analysis failed
.text:0000000078B62DE9
.text:0000000078B62DE9 ; ---------------------------------------------------------------------------
.text:0000000078B62DEC algn_78B62DEC:                          ; DATA XREF: .pdata:0000000078B650B4o
.text:0000000078B62DEC                 align 20h
.text:0000000078B62E00
.text:0000000078B62E00 ; =============== S U B R O U T I N E =======================================
.text:0000000078B62E00
.text:0000000078B62E00
.text:0000000078B62E00 CpupSyscallStub proc near               ; CODE XREF: CpuSimulate+289p
.text:0000000078B62E00                                         ; CpuSimulate+38Fp ...
.text:0000000078B62E00                 mov     [r13+0B8h], ebp
.text:0000000078B62E07                 syscall
.text:0000000078B62E09                 retn
.text:0000000078B62E09 CpupSyscallStub endp
.text:0000000078B62E09
.text:0000000078B62E09 ; ---------------------------------------------------------------------------
.text:0000000078B62E0A algn_78B62E0A:                          ; DATA XREF: .pdata:0000000078B650C0o
.text:0000000078B62E0A                 align 10h
.text:0000000078B62E10 stru_78B62E10   UNWIND_INFO <1, 0, 0, 0>
.text:0000000078B62E10                                         ; DATA XREF: .pdata:0000000078B6509Co
.text:0000000078B62E14                 align 8
.text:0000000078B62E18 stru_78B62E18   UNWIND_INFO <1, 0, 0, 0>
.text:0000000078B62E18                                         ; DATA XREF: .pdata:0000000078B650A8o
.text:0000000078B62E1C stru_78B62E1C   UNWIND_INFO <19h, 44h, 12h, 0>
.text:0000000078B62E1C                                         ; DATA XREF: .pdata:0000000078B650B4o
.text:0000000078B62E20                 UNWIND_CODE <44h, 0F4h> ; UWOP_SAVE_NONVOL
.text:0000000078B62E22                 dw 16h
.text:0000000078B62E24                 UNWIND_CODE <3Ch, 0E4h> ; UWOP_SAVE_NONVOL
.text:0000000078B62E26                 dw 15h
.text:0000000078B62E28                 UNWIND_CODE <34h, 0D4h> ; UWOP_SAVE_NONVOL
.text:0000000078B62E2A                 dw 14h
.text:0000000078B62E2C                 UNWIND_CODE <2Ch, 0C4h> ; UWOP_SAVE_NONVOL
.text:0000000078B62E2E                 dw 13h
.text:0000000078B62E30                 UNWIND_CODE <24h, 34h>  ; UWOP_SAVE_NONVOL
.text:0000000078B62E32                 dw 12h
.text:0000000078B62E34                 UNWIND_CODE <1Ch, 64h>  ; UWOP_SAVE_NONVOL
.text:0000000078B62E36                 dw 11h
.text:0000000078B62E38                 UNWIND_CODE <14h, 74h>  ; UWOP_SAVE_NONVOL
.text:0000000078B62E3A                 dw 10h
.text:0000000078B62E3C                 UNWIND_CODE <0Ch, 54h>  ; UWOP_SAVE_NONVOL
.text:0000000078B62E3E                 dw 0Fh
.text:0000000078B62E40                 UNWIND_CODE <7, 1>      ; UWOP_ALLOC_LARGE
.text:0000000078B62E42                 dw 17h
.text:0000000078B62E44                 dd rva CpupSimulateHandler
.text:0000000078B62E48                 dd 0
.text:0000000078B62E4C stru_78B62E4C   UNWIND_INFO <1, 0, 0, 0>
.text:0000000078B62E4C                                         ; DATA XREF: .pdata:0000000078B650C0o
.text:0000000078B62E50 stru_78B62E50   UNWIND_INFO <1, 6, 2, 0>
.text:0000000078B62E50                                         ; DATA XREF: .pdata:0000000078B65060o
.text:0000000078B62E50                                         ; .pdata:0000000078B65084o
.text:0000000078B62E54                 UNWIND_CODE <6, 32h>    ; UWOP_ALLOC_SMALL
.text:0000000078B62E56                 UNWIND_CODE <2, 30h>    ; UWOP_PUSH_NONVOL
.text:0000000078B62E58 stru_78B62E58   UNWIND_INFO <1, 8, 4, 0>
.text:0000000078B62E58                                         ; DATA XREF: .pdata:0000000078B6506Co
.text:0000000078B62E5C                 UNWIND_CODE <8, 92h>    ; UWOP_ALLOC_SMALL
.text:0000000078B62E5E                 UNWIND_CODE <4, 70h>    ; UWOP_PUSH_NONVOL
.text:0000000078B62E60                 UNWIND_CODE <3, 60h>    ; UWOP_PUSH_NONVOL
.text:0000000078B62E62                 UNWIND_CODE <2, 30h>    ; UWOP_PUSH_NONVOL
.text:0000000078B62E64 stru_78B62E64   UNWIND_INFO <1, 20h, 0Ch, 0>
.text:0000000078B62E64                                         ; DATA XREF: .pdata:0000000078B65054o
.text:0000000078B62E68                 UNWIND_CODE <20h, 64h>  ; UWOP_SAVE_NONVOL
.text:0000000078B62E6A                 dw 0Dh
.text:0000000078B62E6C                 UNWIND_CODE <20h, 54h>  ; UWOP_SAVE_NONVOL
.text:0000000078B62E6E                 dw 0Ch
.text:0000000078B62E70                 UNWIND_CODE <20h, 34h>  ; UWOP_SAVE_NONVOL
.text:0000000078B62E72                 dw 0Ah
.text:0000000078B62E74                 UNWIND_CODE <20h, 32h>  ; UWOP_ALLOC_SMALL
.text:0000000078B62E76                 UNWIND_CODE <1Ch, 0F0h> ; UWOP_PUSH_NONVOL
.text:0000000078B62E78                 UNWIND_CODE <1Ah, 0E0h> ; UWOP_PUSH_NONVOL
.text:0000000078B62E7A                 UNWIND_CODE <18h, 0D0h> ; UWOP_PUSH_NONVOL
.text:0000000078B62E7C                 UNWIND_CODE <16h, 0C0h> ; UWOP_PUSH_NONVOL
.text:0000000078B62E7E                 UNWIND_CODE <14h, 70h>  ; UWOP_PUSH_NONVOL
.text:0000000078B62E80 stru_78B62E80   UNWIND_INFO <1, 4, 1, 0>
.text:0000000078B62E80                                         ; DATA XREF: .pdata:0000000078B65048o
.text:0000000078B62E80                                         ; .pdata:0000000078B65078o ...
.text:0000000078B62E84                 UNWIND_CODE <4, 42h>    ; UWOP_ALLOC_SMALL
.text:0000000078B62E86                 align 4
.text:0000000078B62E88 stru_78B62E88   UNWIND_INFO <19h, 1Dh, 5, 0>
.text:0000000078B62E88                                         ; DATA XREF: .pdata:ExceptionDiro
.text:0000000078B62E8C                 UNWIND_CODE <0Bh, 1>    ; UWOP_ALLOC_LARGE
.text:0000000078B62E8E                 dw 66h
.text:0000000078B62E90                 UNWIND_CODE <4, 70h>    ; UWOP_PUSH_NONVOL
.text:0000000078B62E92                 UNWIND_CODE <3, 60h>    ; UWOP_PUSH_NONVOL
.text:0000000078B62E94                 UNWIND_CODE <2, 30h>    ; UWOP_PUSH_NONVOL
.text:0000000078B62E96                 align 4
.text:0000000078B62E98                 dd rva __GSHandlerCheck
.text:0000000078B62E9C                 dd 320h
.text:0000000078B62EA0 stru_78B62EA0   UNWIND_INFO <1, 0Fh, 6, 0>
.text:0000000078B62EA0                                         ; DATA XREF: .pdata:0000000078B65024o
.text:0000000078B62EA4                 UNWIND_CODE <0Fh, 64h>  ; UWOP_SAVE_NONVOL
.text:0000000078B62EA6                 dw 7
.text:0000000078B62EA8                 UNWIND_CODE <0Fh, 34h>  ; UWOP_SAVE_NONVOL
.text:0000000078B62EAA                 dw 6
.text:0000000078B62EAC                 UNWIND_CODE <0Fh, 32h>  ; UWOP_ALLOC_SMALL
.text:0000000078B62EAE                 UNWIND_CODE <0Bh, 70h>  ; UWOP_PUSH_NONVOL
.text:0000000078B62EB0 stru_78B62EB0   UNWIND_INFO <1, 14h, 8, 0>
.text:0000000078B62EB0                                         ; DATA XREF: .pdata:0000000078B6500Co
.text:0000000078B62EB4                 UNWIND_CODE <14h, 64h>  ; UWOP_SAVE_NONVOL
.text:0000000078B62EB6                 dw 8
.text:0000000078B62EB8                 UNWIND_CODE <14h, 54h>  ; UWOP_SAVE_NONVOL
.text:0000000078B62EBA                 dw 7
.text:0000000078B62EBC                 UNWIND_CODE <14h, 34h>  ; UWOP_SAVE_NONVOL
.text:0000000078B62EBE                 dw 6
.text:0000000078B62EC0                 UNWIND_CODE <14h, 32h>  ; UWOP_ALLOC_SMALL
.text:0000000078B62EC2                 UNWIND_CODE <10h, 70h>  ; UWOP_PUSH_NONVOL
.text:0000000078B62EC4 stru_78B62EC4   UNWIND_INFO <1, 0Ah, 4, 0>
.text:0000000078B62EC4                                         ; DATA XREF: .pdata:0000000078B6503Co
.text:0000000078B62EC8                 UNWIND_CODE <0Ah, 34h>  ; UWOP_SAVE_NONVOL
.text:0000000078B62ECA                 dw 7
.text:0000000078B62ECC                 UNWIND_CODE <0Ah, 32h>  ; UWOP_ALLOC_SMALL
.text:0000000078B62ECE                 UNWIND_CODE <6, 70h>    ; UWOP_PUSH_NONVOL
.text:0000000078B62ED0 stru_78B62ED0   UNWIND_INFO <1, 4, 1, 0>
.text:0000000078B62ED0                                         ; DATA XREF: .pdata:0000000078B65030o
.text:0000000078B62ED4                 UNWIND_CODE <4, 62h>    ; UWOP_ALLOC_SMALL
.text:0000000078B62ED6                 align 4
.text:0000000078B62ED8 stru_78B62ED8   UNWIND_INFO <1, 0Fh, 2, 0>
.text:0000000078B62ED8                                         ; DATA XREF: .pdata:0000000078B65018o
.text:0000000078B62EDC                 UNWIND_CODE <0Fh, 0B2h> ; UWOP_ALLOC_SMALL
.text:0000000078B62EDE                 UNWIND_CODE <0Bh, 70h>  ; UWOP_PUSH_NONVOL
.text:0000000078B62EE0 __IMPORT_DESCRIPTOR_ntdll dd rva off_78B62F20 ; Import Name Table
.text:0000000078B62EE4                 dd 0FFFFFFFFh           ; Time stamp
.text:0000000078B62EE8                 dd 0FFFFFFFFh           ; Forwarder Chain
.text:0000000078B62EEC                 dd rva aNtdll_dll       ; DLL Name
.text:0000000078B62EF0                 dd rva __imp_NtProtectVirtualMemory ; Import Address Table
.text:0000000078B62EF4 __IMPORT_DESCRIPTOR_wow64 dd rva off_78B62FA0 ; Import Name Table
.text:0000000078B62EF8                 dd 0FFFFFFFFh           ; Time stamp
.text:0000000078B62EFC                 dd 0FFFFFFFFh           ; Forwarder Chain
.text:0000000078B62F00                 dd rva aWow64_dll       ; DLL Name
.text:0000000078B62F04                 dd rva __imp_Wow64SystemServiceEx ; Import Address Table
.text:0000000078B62F08 __NULL_IMPORT_DESCRIPTOR dq 3 dup(0)
.text:0000000078B62F20 ;
.text:0000000078B62F20 ; Import names for ntdll.dll
.text:0000000078B62F20 ;
.text:0000000078B62F20 off_78B62F20    dq rva word_78B62FB8    ; DATA XREF: .text:__IMPORT_DESCRIPTOR_ntdllo
.text:0000000078B62F28                 dq rva word_78B62FD2
.text:0000000078B62F30                 dq rva word_78B62FDC
.text:0000000078B62F38                 dq rva word_78B62FF8
.text:0000000078B62F40                 dq rva word_78B63010
.text:0000000078B62F48                 dq rva word_78B6302A
.text:0000000078B62F50                 dq rva word_78B63044
.text:0000000078B62F58                 dq rva word_78B63058
.text:0000000078B62F60                 dq rva word_78B6307A
.text:0000000078B62F68                 dq rva word_78B63090
.text:0000000078B62F70                 dq rva word_78B630AE
.text:0000000078B62F78                 dq rva word_78B630C2
.text:0000000078B62F80                 dq rva word_78B630DC
.text:0000000078B62F88                 dq rva word_78B6312C
.text:0000000078B62F90                 dq rva word_78B63136
.text:0000000078B62F98                 dq 0
.text:0000000078B62FA0 ;
.text:0000000078B62FA0 ; Import names for wow64.dll
.text:0000000078B62FA0 ;
.text:0000000078B62FA0 off_78B62FA0    dq rva word_78B630FA    ; DATA XREF: .text:__IMPORT_DESCRIPTOR_wow64o
.text:0000000078B62FA8                 dq rva word_78B63112
.text:0000000078B62FB0                 dq 0
.text:0000000078B62FB8 word_78B62FB8   dw 17Ch                 ; DATA XREF: .text:off_78B62F20o
.text:0000000078B62FBA                 db 'NtProtectVirtualMemory',0
.text:0000000078B62FD1                 align 2
.text:0000000078B62FD2 word_78B62FD2   dw 793h                 ; DATA XREF: .text:0000000078B62F28o
.text:0000000078B62FD4                 db 'strncmp',0
.text:0000000078B62FDC word_78B62FDC   dw 191h                 ; DATA XREF: .text:0000000078B62F30o
.text:0000000078B62FDE                 db 'NtQueryInformationThread',0
.text:0000000078B62FF7                 align 8
.text:0000000078B62FF8 word_78B62FF8   dw 234h                 ; DATA XREF: .text:0000000078B62F38o
.text:0000000078B62FFA                 db 'NtWriteVirtualMemory',0
.text:0000000078B6300F                 align 10h
.text:0000000078B63010 word_78B63010   dw 1F4h                 ; DATA XREF: .text:0000000078B62F40o
.text:0000000078B63012                 db 'NtSetInformationThread',0
.text:0000000078B63029                 align 2
.text:0000000078B6302A word_78B6302A   dw 121h                 ; DATA XREF: .text:0000000078B62F48o
.text:0000000078B6302C                 db 'NtFlushInstructionCache',0
.text:0000000078B63044 word_78B63044   dw 394h                 ; DATA XREF: .text:0000000078B62F50o
.text:0000000078B63046                 db 'RtlImageNtHeader',0
.text:0000000078B63057                 align 8
.text:0000000078B63058 word_78B63058   dw 65h                  ; DATA XREF: .text:0000000078B62F58o
.text:0000000078B6305A                 db 'LdrDisableThreadCalloutsForDll',0
.text:0000000078B63079                 align 2
.text:0000000078B6307A word_78B6307A   dw 217h                 ; DATA XREF: .text:0000000078B62F60o
.text:0000000078B6307C                 db 'NtTerminateProcess',0
.text:0000000078B6308F                 align 10h
.text:0000000078B63090 word_78B63090   dw 4C4h                 ; DATA XREF: .text:0000000078B62F68o
.text:0000000078B63092                 db 'RtlUnhandledExceptionFilter',0
.text:0000000078B630AE word_78B630AE   dw 4F1h                 ; DATA XREF: .text:0000000078B62F70o
.text:0000000078B630B0                 db 'RtlVirtualUnwind',0
.text:0000000078B630C1                 align 2
.text:0000000078B630C2 word_78B630C2   dw 402h                 ; DATA XREF: .text:0000000078B62F78o
.text:0000000078B630C4                 db 'RtlLookupFunctionEntry',0
.text:0000000078B630DB                 align 4
.text:0000000078B630DC word_78B630DC   dw 27Bh                 ; DATA XREF: .text:0000000078B62F80o
.text:0000000078B630DE                 db 'RtlCaptureContext',0
.text:0000000078B630F0 aNtdll_dll      db 'ntdll.dll',0        ; DATA XREF: .text:0000000078B62EECo
.text:0000000078B630FA word_78B630FA   dw 17h                  ; DATA XREF: .text:off_78B62FA0o
.text:0000000078B630FC                 db 'Wow64SystemServiceEx',0
.text:0000000078B63111                 align 2
.text:0000000078B63112 word_78B63112   dw 0Bh                  ; DATA XREF: .text:0000000078B62FA8o
.text:0000000078B63114                 db 'Wow64LogPrint',0
.text:0000000078B63122 aWow64_dll      db 'wow64.dll',0        ; DATA XREF: .text:0000000078B62F00o
.text:0000000078B6312C word_78B6312C   dw 77Ch                 ; DATA XREF: .text:0000000078B62F88o
.text:0000000078B6312E                 db 'memcpy',0
.text:0000000078B63135                 align 2
.text:0000000078B63136 word_78B63136   dw 780h                 ; DATA XREF: .text:0000000078B62F90o
.text:0000000078B63138                 db 'memset',0
.text:0000000078B6313F                 align 20h
.text:0000000078B63140 ;
.text:0000000078B63140 ; Export directory for wow64cpu.dll
.text:0000000078B63140 ;
.text:0000000078B63140                 dd 0                    ; Characteristics
.text:0000000078B63144                 dd 4CE7546Eh            ; TimeDateStamp: Sat Nov 20 04:54:06 2010
.text:0000000078B63148                 dw 0                    ; MajorVersion
.text:0000000078B6314A                 dw 0                    ; MinorVersion
.text:0000000078B6314C                 dd rva aWow64cpu_dll    ; Name
.text:0000000078B63150                 dd 1                    ; Base
.text:0000000078B63154                 dd 19h                  ; NumberOfFunctions
.text:0000000078B63158                 dd 19h                  ; NumberOfNames
.text:0000000078B6315C                 dd rva off_78B63168     ; AddressOfFunctions
.text:0000000078B63160                 dd rva off_78B631CC     ; AddressOfNames
.text:0000000078B63164                 dd rva word_78B63230    ; AddressOfNameOrdinals
.text:0000000078B63168 ;
.text:0000000078B63168 ; Export Address Table for wow64cpu.dll
.text:0000000078B63168 ;
.text:0000000078B63168 off_78B63168    dd rva CpuFlushInstructionCache, rva CpuGetContext, rva CpuGetStackPointer
.text:0000000078B63168                                         ; DATA XREF: .text:0000000078B6315Co
.text:0000000078B63168                 dd rva CpuInitializeStartupContext, 4 dup(rva CpuNotifyAffinityChange) ; 到64为程序入口
.text:0000000078B63168                 dd rva CpuNotifyDllUnload, rva CpuNotifyAffinityChange
.text:0000000078B63168                 dd rva CpuProcessDebugEvent, rva CpuProcessInit, rva CpuThreadTerm
.text:0000000078B63168                 dd rva CpuNotifyAffinityChange, rva CpuResetToConsistentState
.text:0000000078B63168                 dd rva CpuSetContext, rva CpuSetInstructionPointer, rva CpuSetStackPointer
.text:0000000078B63168                 dd rva CpuSimulate, rva CpuSuspendLocalThread, rva CpuThreadTerm
.text:0000000078B63168                 dd rva CpuThreadInit, rva CpuThreadTerm, rva TurboDispatchJumpAddressEnd
.text:0000000078B63168                 dd rva TurboDispatchJumpAddressStart
.text:0000000078B631CC ;
.text:0000000078B631CC ; Export Names Table for wow64cpu.dll
.text:0000000078B631CC ;
.text:0000000078B631CC off_78B631CC    dd rva aCpuflushinstru, rva aCpugetcontext, rva aCpugetstackpoi
.text:0000000078B631CC                                         ; DATA XREF: .text:0000000078B63160o
.text:0000000078B631CC                 dd rva aCpuinitializes, rva aCpunotifyaffin, rva aCpunotifyafter ; "CpuFlushInstructionCache"
.text:0000000078B631CC                 dd rva aCpunotifybefor, rva aCpunotifydlllo, rva aCpunotifydllun
.text:0000000078B631CC                 dd rva aCpuprepareford, rva aCpuprocessdebu, rva aCpuprocessinit
.text:0000000078B631CC                 dd rva aCpuprocessterm, rva aCpuresetfloati, rva aCpuresettocons
.text:0000000078B631CC                 dd rva aCpusetcontext, rva aCpusetinstruct, rva aCpusetstackpoi
.text:0000000078B631CC                 dd rva aCpusimulate, rva aCpususpendloca, rva aCpususpendthre
.text:0000000078B631CC                 dd rva aCputhreadinit, rva aCputhreadterm, rva aTurbodispatchj
.text:0000000078B631CC                 dd rva aTurbodispatc_0
.text:0000000078B63230 ;
.text:0000000078B63230 ; Export Ordinals Table for wow64cpu.dll
.text:0000000078B63230 ;
.text:0000000078B63230 word_78B63230   dw 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0Ah, 0Bh, 0Ch, 0Dh, 0Eh
.text:0000000078B63230                                         ; DATA XREF: .text:0000000078B63164o
.text:0000000078B63230                 dw 0Fh, 10h, 11h, 12h, 13h, 14h, 15h, 16h, 17h, 18h
.text:0000000078B63262 aWow64cpu_dll   db 'wow64cpu.dll',0     ; DATA XREF: .text:0000000078B6314Co
.text:0000000078B6326F aCpuflushinstru db 'CpuFlushInstructionCache',0
.text:0000000078B6326F                                         ; DATA XREF: .text:off_78B631CCo
.text:0000000078B63288 aCpugetcontext  db 'CpuGetContext',0    ; DATA XREF: .text:off_78B631CCo
.text:0000000078B63296 aCpugetstackpoi db 'CpuGetStackPointer',0
.text:0000000078B63296                                         ; DATA XREF: .text:off_78B631CCo
.text:0000000078B632A9 aCpuinitializes db 'CpuInitializeStartupContext',0
.text:0000000078B632A9                                         ; DATA XREF: .text:off_78B631CCo
.text:0000000078B632C5 aCpunotifyaffin db 'CpuNotifyAffinityChange',0
.text:0000000078B632C5                                         ; DATA XREF: .text:off_78B631CCo
.text:0000000078B632DD aCpunotifyafter db 'CpuNotifyAfterFork',0
.text:0000000078B632DD                                         ; DATA XREF: .text:off_78B631CCo
.text:0000000078B632F0 aCpunotifybefor db 'CpuNotifyBeforeFork',0
.text:0000000078B632F0                                         ; DATA XREF: .text:off_78B631CCo
.text:0000000078B63304 aCpunotifydlllo db 'CpuNotifyDllLoad',0 ; DATA XREF: .text:off_78B631CCo
.text:0000000078B63315 aCpunotifydllun db 'CpuNotifyDllUnload',0
.text:0000000078B63315                                         ; DATA XREF: .text:off_78B631CCo
.text:0000000078B63328 aCpuprepareford db 'CpuPrepareForDebuggerAttach',0
.text:0000000078B63328                                         ; DATA XREF: .text:off_78B631CCo
.text:0000000078B63344 aCpuprocessdebu db 'CpuProcessDebugEvent',0
.text:0000000078B63344                                         ; DATA XREF: .text:off_78B631CCo
.text:0000000078B63359 aCpuprocessinit db 'CpuProcessInit',0   ; DATA XREF: .text:off_78B631CCo
.text:0000000078B63368 aCpuprocessterm db 'CpuProcessTerm',0   ; DATA XREF: .text:off_78B631CCo
.text:0000000078B63377 aCpuresetfloati db 'CpuResetFloatingPoint',0
.text:0000000078B63377                                         ; DATA XREF: .text:off_78B631CCo
.text:0000000078B6338D aCpuresettocons db 'CpuResetToConsistentState',0
.text:0000000078B6338D                                         ; DATA XREF: .text:off_78B631CCo
.text:0000000078B633A7 aCpusetcontext  db 'CpuSetContext',0    ; DATA XREF: .text:off_78B631CCo
.text:0000000078B633B5 aCpusetinstruct db 'CpuSetInstructionPointer',0
.text:0000000078B633B5                                         ; DATA XREF: .text:off_78B631CCo
.text:0000000078B633CE aCpusetstackpoi db 'CpuSetStackPointer',0
.text:0000000078B633CE                                         ; DATA XREF: .text:off_78B631CCo
.text:0000000078B633E1 aCpusimulate    db 'CpuSimulate',0      ; DATA XREF: .text:off_78B631CCo
.text:0000000078B633ED aCpususpendloca db 'CpuSuspendLocalThread',0
.text:0000000078B633ED                                         ; DATA XREF: .text:off_78B631CCo
.text:0000000078B63403 aCpususpendthre db 'CpuSuspendThread',0 ; DATA XREF: .text:off_78B631CCo
.text:0000000078B63414 aCputhreadinit  db 'CpuThreadInit',0    ; DATA XREF: .text:off_78B631CCo
.text:0000000078B63422 aCputhreadterm  db 'CpuThreadTerm',0    ; DATA XREF: .text:off_78B631CCo
.text:0000000078B63430 aTurbodispatchj db 'TurboDispatchJumpAddressEnd',0
.text:0000000078B63430                                         ; DATA XREF: .text:off_78B631CCo
.text:0000000078B6344C aTurbodispatc_0 db 'TurboDispatchJumpAddressStart',0
.text:0000000078B6344C                                         ; DATA XREF: .text:off_78B631CCo
.text:0000000078B6346A                 align 200h
.text:0000000078B63600                 dq 140h dup(?)
.text:0000000078B63600 _text           ends
.text:0000000078B63600
.data:0000000078B64000 ; Section 2. (virtual address 00004000)

(1)这个函数包含了从32位到64位,以及从64位返回的代码

TurboDispatchJumpAddressEnd_78B62450 包含了一个服务表,通过r15=函数表
.text:0000000078B62602                                         ; ecx=index来使用
这个ecx来自r13,r13来自【r12+1488h】,而r12是TEB(参见wow64ext),因此,32位程序进入64位前通过TEB进行指定服务编号index




TurboDispatchJumpAddressEnd_78B62450 dq offset TurboDispatchJumpAddressEnd
.text:0000000078B62450                                         ; DATA XREF: CpuSimulate+52o
.text:0000000078B62458                 dq offset Thunk0Arg
.text:0000000078B62460                 dq offset Thunk0ArgReloadState
.text:0000000078B62468                 dq offset Thunk1ArgSp
.text:0000000078B62470                 dq offset Thunk1ArgNSp
.text:0000000078B62478                 dq offset Thunk2ArgNSpNSp
.text:0000000078B62480                 dq offset Thunk2ArgNSpNSpReloadState
.text:0000000078B62488                 dq offset Thunk2ArgSpNSp
.text:0000000078B62490                 dq offset Thunk2ArgSpSp
.text:0000000078B62498                 dq offset Thunk2ArgNSpSp
.text:0000000078B624A0                 dq offset Thunk3ArgNSpNSpNSp
.text:0000000078B624A8                 dq offset Thunk3ArgSpSpSp
.text:0000000078B624B0                 dq offset Thunk3ArgSpNSpNSp
.text:0000000078B624B8                 dq offset Thunk3ArgSpNSpNSpReloadState
.text:0000000078B624C0                 dq offset Thunk3ArgSpSpNSp
.text:0000000078B624C8                 dq offset Thunk3ArgNSpSpNSp
.text:0000000078B624D0                 dq offset Thunk3ArgSpNSpSp
.text:0000000078B624D8                 dq offset Thunk4ArgNSpNSpNSpNSp
.text:0000000078B624E0                 dq offset Thunk4ArgSpSpNSpNSp
.text:0000000078B624E8                 dq offset Thunk4ArgSpSpNSpNSpReloadState
.text:0000000078B624F0                 dq offset Thunk4ArgSpNSpNSpNSp
.text:0000000078B624F8                 dq offset Thunk4ArgSpNSpNSpNSpReloadState
.text:0000000078B62500                 dq offset Thunk4ArgNSpSpNSpNSp
.text:0000000078B62508                 dq offset Thunk4ArgSpSpSpNSp
.text:0000000078B62510                 dq offset QuerySystemTime
.text:0000000078B62518                 dq offset GetCurrentProcessorNumber
.text:0000000078B62520                 dq offset ReadWriteFile
.text:0000000078B62528                 dq offset DeviceIoctlFile
.text:0000000078B62530                 dq offset RemoveIoCompletion
.text:0000000078B62538                 dq offset WaitForMultipleObjects
.text:0000000078B62540                 dq offset WaitForMultipleObjects32
.text:0000000078B62548                 dq offset ThunkNone

jmp     qword ptr [r15+rcx*8] ; 到64为程序入口

      mov     dword ptr [r14+4], 23h
.text:0000000078B627A1                 mov     r8d, 2Bh
.text:0000000078B627A7                 mov     ss, r8d
.text:0000000078B627AA                 mov     esp, [r13+0C8h]
.text:0000000078B627B1                 mov     r9d, [r13+0BCh]
.text:0000000078B627B8                 mov     [r14], r9d

.text:0000000078B627BB                 jmp     fword ptr [r14];fword 6字节地址高2字节就是cs此处=23h,正好是32位描述符










nLif
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
32位程序如何在64位系统上运行_WOW64!Hooks:深入考察WOW64子系统运行机制及其Hooking技术(上)...
weixin_33305027的博客
12-01 967
在本文中,我们将为读者详细介绍WOW64子系统运行机制及其Hooking技术。Microsoft公司一直以其向后兼容性而闻名。几年前,当他们推出Windows的64位版本时,他们需要提供与现有32位应用程序的兼容性。为了实现32位和64位应用程序的无缝衔接,WoW(Windows on Windows)系统便应运而生了;在本文中,我们将其称为“WOW64”,它负责将所有Windows A...
wow-32-64 汇编调试器 V2.0
02-23
wow_32_64 汇编调试器 V2.0
Windows WOW64 nativeapi 逆向详解,32程序兼容剖析
qq_31314583的博客
11-19 1301
前言 windows有很多核心的原生api,其中包含sdk声明的和文档未声明的。主要由于ntdll.dll和win32u.dll(服务号0x1000-0x1FFF)导出。 WOW64 (Windows-on-Windows 64-bit)是一个Windows操作系统的子系统,用于模拟32位环境,使得32位执行程序在x64系统正常运行。 而64位系统字长变为64位,因此是无法直接执行32位的可执行代码的。因此x64引入了兼容32位执行程序的wow64 子系...
从o开始的pwn学习之ret2csu
jzc020121的博客
04-09 2888
ret2csu 前置知识 X64寄存器 我们知道,64位寄存器有RAX,RBX,RCX,RDX,RDI,RSI,RBP,RSP,R8,R9,R10,R11,R12,R13,R14,R15,而rdi,rsi,rdx,rcx,r8,r9便用来传递函数的前六个参数,如多于六个,便在放到栈里。 __libc_csu_init 一般的程序都会调用libc中的函数,而此函数便是来将libc初始化的,故此函数几乎是每一个程序所必备的。 gadget 我们在构造ROP链的时候,往往会用到能够给寄存器赋值的gadget,形如
【原】wow64 x86/x64 代码切换过程分析
weixin_30872733的博客
10-12 595
下面以ntdll32!ZwQueryInformationProcess API为例分析 x86代码与x64代码之间的切换过程, 32bit的test程序: step1: ntdll32!ZwQueryInformationProcess:775bfb18 b816000000 mov eax,16h775bfb1d 33c9 xor ecx,...
cpu 的simulation
jason的笔记
12-23 1089
arm_cpu_class_init中会调用arm_cpu_realizefn->qemu_init_vcpu void qemu_init_vcpu(CPUState *cpu) {     cpu->nr_cores = smp_cores;     cpu->nr_threads = smp_threads;     cpu->stopped = true;     if (
wow-32-64 汇编调试器 V1.5
02-23
wow_32_64 汇编调试器 V1.5
WOW64通过PEB获取32/64位进程以及模块信息(附带DEMO)
06-23
使用API NtWow64QueryInformationProcess64 获取进程的64位PEB结构地址。使用API NtWow64ReadVirtualMemory64 读取进程的64位内存地址的数据。通过PEB64结构进行遍历进程的64位模块。对于32位进程,通过 ...
rewolf.wow64ext.v1.0.0.4
03-20
"rewolf.wow64ext.v1.0.0.4" 是一个针对Windows操作系统中的WOW64环境的扩展工具。WOW64全称为Windows-on-Windows 64-bit,是微软在32位版本的Windows系统上运行64位应用程序的一种技术。这个扩展工具主要用于帮助...
android:Wow~Bianmi!
06-21
"android:Wow~Bianmi!"这个标题可能代表了一个让人惊喜的Android项目,它可能是开发者在探索或者实现某些创新功能时的创意表达。下面我们将深入探讨Android开发与Java语言的相关知识点。 1. **Android SDK**: ...
windbg 调试 r3 死循环
wowolook的专栏
08-29 3327
这两天调试一程序,
win7x64新进程画面均无显示一例分析——从内核态到用户态,从x64到wow64,从汇编到托管
u010607621的博客
10-18 748
新进程无画面是因为0号线程被mutex(DictManager_GlobalLocker)卡住。 输入法SOGOUPY用到的mutex(DictManager_GlobalLocker)无法释放是新进程卡住的直接原因。 无法释放是因为本该由进程Imclient里线程fffffa80c895c950释放,但是它也被CriticalSection=7b0138卡住无法释放。 cs=7b0138本该由Imclient里线程574来释放,但是它出了异常,异常代码的执行中也进入Wait了。
Windows WoW64浅析
最新发布
u010551008的博客
03-08 253
在默认情况下,32位组件访问32位视图,64位组件访问64位视图,这为32位和64位组件提供了一个安全的环境,并且将32位应用程序的状态与64位应用程序的状态隔开来。由于X64是X86扩展,从32位代码向64位代码切换并不是那么困难,代码段描述符告诉处理器将代码当作X86代码还是X64代码,32位寄存器其实就是64位寄存器忽略高一半内容,32位模式RAM的4GB的编址和64位模式低4GB一样,因此从X86代码调用到X64代码,所有需要做的就是调用一个X64段选择子即完成了切换。
CPU虚拟化
u012413204的博客
03-19 6297
虚拟化概念 Qemu-KVM虚拟机 – 核心由Qemu和KVM两部分组成,Qemu本身是一个独立的虚拟机 软件,运行在OS的用户态;KVM是Linux的内核模块,利用CPU 硬件虚拟化特性对CPU和内存虚拟化进行加速 – Libvirt是对KVM虚拟机进行管理的工具和应用编程接口 – Virsh是Linux下管理KVM虚拟机的命令行接口,它基于libvirt API 工作 – Virt-manager是一个Linux上的GUI程序,实现对KVM虚拟机的图 形化管理,也是基于libvirt API工作 **
调试wow64进程
xbgprogrammer的专栏
09-29 4649
当使用64位debugger调试wow64进程时,cpu context默认为64位,这是查看wow64进程调用栈时,会发现只有64位调用栈,而没有32位调用栈,例如查看32位notepad进程在64位Windows上的主线程调用栈: fffff880`0382b740 fffff800`03eea992: nt!KiSwapContext+0x7a fffff880`0382b880 ffff
调试运行在Wow64子系统下的程序----x64版windbg调试win32程序
lixiangminghate的专栏
01-29 3785
    大家有没有遇到过这种情况:程序崩溃了,windbg分析线程堆栈时,输出了一堆乱七八糟的调用栈。更烦心的是,这堆调用栈中根本找不到跟自己程序相关的信息。来看一个类似的场景:运行C:\Windows\SysWOW64\calc.exe (win32版的calc.exe),windbg(x64 bit)附加到calc.exe: 0:003&gt; ~*kb 0 Id: 2718.1c...
an exception or a breakpoint comes from wow64.dll.
byytj
09-11 221
Sometimes we get a process dump from x64 Windows and when we load it into WinDbg we get the output telling us that an exception or a breakpoint comes from wow64.dll. For example: Loading Dump File [X...
有没有什么方法快速能找到导致软件崩溃的进程_FireWalker:一种绕过用户空间EDR Hooking的新方法...
weixin_39641697的博客
11-24 357
0X00概述在红队攻击过程中,经常会遇到终端防御与响应(EDR)或终端防御与阻止(EDP)产品,这些产品实现了用户层的挂钩,以判断进程的行为特征并监控潜在的恶意代码。此前,攻击者不断尝试如何绕过EDR/EDP产品,其中包括一位在Outflank的朋友,他们使用直接系统调用的方式来尝试绕过。在本文中,我们将详细描述一种新的通用方法,可以绕过用户层的EDR挂钩。我们所使用的技术包括跟踪可能...
debug 64bit dump of a 32bit process in windows 7 64bit
weixin_34040079的博客
08-14 185
In Windows 7 the TaskMgr provides one easy way to create dump for the applications. You can right click the Application from Applications tab or click the process from Processes tab and click the Crea...
wow64cpu.dll
05-31
Wow64cpu.dll是Windows操作系统中的一个动态链接库文件,它是WOW64(Windows-on-Windows 64)子系统的一部分,用于在64位版本的Windows操作系统上运行32位应用程序。它提供了一些函数和服务,使32位应用程序能够在64...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值