Analysis of nt!KiEnableFastSyscallReturn and nt!KiRestoreFastSyscallReturnState, and the origin of SharedUserData->SystemCall

Part 1: Where the assembly instructions in SharedUserData->SystemCall come from
VOID
KiEnableFastSyscallReturn(
    VOID
    )

/*++

Routine Description:

    The fast syscall/return feature cannot be used until
    certain processor specific registers have been initialized.
    This routine is called once the registers are known to
    have been set on all processors.

    This routine adjusts the exit path for system calls to
    use the appropriate sequence for the processor, it does
    this by adjusting the offset of a branch.

Arguments:

    None.

Return Value:

    None.

--*/

{
    //
    // Adjust the second byte of the two byte branch instruction.
    // It can never be otherwise, but, make sure we aren't going
    // to adjust it out of range.
    //

    //
    // The following is a workaround for the fact that in resume
    // from hibernate the kernel is read only.   Basically, we
    // won't try to do it again, we also don't undo it when
    // hibernating/suspending.
    //

    if ((KiSystemCallExitAdjusted == KiSystemCallExitAdjust) &&
        KiFastCallCopyDoneOnce) {

        //
        // It's already done, don't try to do it again.
        //

        return;
    }

    if ((KiSystemCallExitAdjust + KiSystemCallExitBranch[1]) < 0x80) {

        //
        // It's good, undo any previous adjustment.
        //

        KiDisableFastSyscallReturn();

        //
        // Adjust the branch.
        //

        KiSystemCallExitAdjusted = (UCHAR)KiSystemCallExitAdjust;
        KiSystemCallExitBranch[1] = (UCHAR) (KiSystemCallExitBranch[1] + KiSystemCallExitAdjusted);

        //
        // Copy the appropriate system entry code into user shared
        // data where it can be executed from user mode.
        //

        RtlCopyMemory(SharedUserData->SystemCall,
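
The listing is cut off at this point. As an added example (not from the original post or the kernel source), this user-mode C model replays the range check and second-byte patch shown above and shows why 0x80 is the limit for a signed 8-bit displacement. The struct, the `model_*` and `branch_target` names, the sample bytes, the behaviour of the undo step and the point where the done-once flag is set are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed user-mode model, not kernel code. A short branch is two bytes:
   an opcode followed by a signed 8-bit displacement (rel8). */
typedef struct {
    uint8_t branch[2];  /* [0] opcode, [1] rel8; stands in for KiSystemCallExitBranch */
    uint8_t adjusted;   /* adjustment currently applied, 0 if none */
    bool    done_once;  /* stands in for KiFastCallCopyDoneOnce */
} exit_model;

/* Where a short branch at address ip lands: next instruction plus signed rel8. */
static uint32_t branch_target(uint32_t ip, uint8_t rel8)
{
    int32_t disp = rel8 < 0x80 ? rel8 : (int32_t)rel8 - 0x100;
    return (uint32_t)((int32_t)ip + 2 + disp);
}

/* Assumed behaviour of the undo step: subtract what was added earlier. */
static void model_disable(exit_model *m)
{
    m->branch[1] = (uint8_t)(m->branch[1] - m->adjusted);
    m->adjusted = 0;
}

/* Same order of checks as the routine above.
   Returns 0 = already done, 1 = patched, -1 = refused (would leave rel8 range). */
static int model_enable(exit_model *m, unsigned adjust)
{
    if (m->adjusted == adjust && m->done_once)
        return 0;
    if (adjust + m->branch[1] >= 0x80)
        return -1;          /* 0x80 and up would decode as a backward branch */
    model_disable(m);
    m->adjusted = (uint8_t)adjust;
    m->branch[1] = (uint8_t)(m->branch[1] + m->adjusted);
    m->done_once = true;    /* assumption: the page's listing ends before this */
    return 1;
}

int main(void)
{
    exit_model m = { { 0x75, 0x06 }, 0, false };  /* constructed bytes */
    int r = model_enable(&m, 0x10);
    printf("result %d, rel8 now %#x\n", r, (unsigned)m.branch[1]);
    printf("rel8 0x7f lands at %#x, 0x80 at %#x\n",
           (unsigned)branch_target(0x1000, 0x7f), (unsigned)branch_target(0x1000, 0x80));
    return 0;
}
```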
           
