64비트 OS에서 서비스 테이블 함수 호출 과정
0: kd> dq KeServiceDescriptorTable
fffff800`01a7c980 fffff800`018abd00 00000000`00000000
fffff800`01a7c990 00000000`00000187 fffff800`018ac93c
fffff800`01a7c9a0 00000000`00000000 00000000`00000000
fffff800`01a7c9b0 00000000`00000000 00000000`00000000
fffff800`01a7c9c0 fffff800`018abd00 00000000`00000000
fffff800`01a7c9d0 00000000`00000187 fffff800`018ac93c
fffff800`01a7c9e0 fffff960`00143100 00000000`00000000
fffff800`01a7c9f0 00000000`00000306 fffff960`00144c3c
64비트 OS에서 윈디버거로 서비스 테이블을 보면 함수 주소가 그대로 보이지 않고
아래와 같이 인코딩된 값(서비스 테이블 시작 주소 기준의 오프셋)으로 저장되어 있다. 항목 하나는 4바이트(DWORD)이므로 dq로 덤프하면 한 줄에 두 항목이 보이고, L187(0x187개의 QWORD)만큼 덤프하면 0x187개 DWORD 테이블의 끝(fffff800`018abd00 + 0x187*4 = fffff800`018ac31c)을 넘어가므로 그 뒤에 심볼이 붙어 나오는 포인터들은 서비스 테이블 바깥의 데이터이다.
0: kd> dqs fffff800`018abd00 L187
fffff800`018abd00 02780a00`03969f00
fffff800`018abd08 02668005`fff69d00
fffff800`018abd10 0289e905`029b2206
fffff800`018abd18 02728700`026aeb01
fffff800`018abd20 023a5e00`023a5c40
fffff800`018abd28 0269a6c0`0241e200
fffff800`018abd30 0249a441`027ad800
fffff800`018abd38 026d6840`024f8f01
fffff800`018abd40 0270d600`0254c002
fffff800`018abd48 0237ebc1`025bc440
fffff800`018abd50 027b2202`0245fa02
fffff800`018abd58 01efd301`02788701
fffff800`018abd60 02938280`03cb7c05
fffff800`018abd68 003ac100`0237dfc3
fffff800`018abd70 02782080`023c2080
fffff800`018abd78 0290c080`0267c001
fffff800`018abd80 0243a000`024a5e02
fffff800`018abd88 02344a00`02782e41
fffff800`018abd90 0299a406`024b5e01
fffff800`018abd98 0299dac0`023a6ac7
fffff800`018abda0 025be800`0239f981
fffff800`018abda8 020d4b05`03640100
fffff800`018abdb0 026e4680`02435901
fffff800`018abdb8 02497b02`02a545c0
fffff800`018abdc0 02781a00`026a8e42
fffff800`018abdc8 0273a700`0266fb07
fffff800`018abdd0 03694e01`0299e240
fffff800`018abdd8 0246e841`028acb06
fffff800`018abde0 0241c703`025eae40
fffff800`018abde8 026fa300`024edec0
fffff800`018abdf0 02301080`025665c1
fffff800`018abdf8 025f6702`023a0d82
fffff800`018abe00 031cdf00`0000de00
fffff800`018abe08 ffcc1200`02306d01
fffff800`018abe10 028c1801`02190040
fffff800`018abe18 024c5683`028da201
fffff800`018abe20 024d1b80`026e5e00
fffff800`018abe28 03508e04`03db5c05
fffff800`018abe30 02923801`03641000
fffff800`018abe38 02973800`02a53281
fffff800`018abe40 03cb7402`02a52d40
fffff800`018abe48 022210c1`028ebf07
fffff800`018abe50 029a3ac0`03cb6c02
fffff800`018abe58 03167600`025ea38c
fffff800`018abe60 02735e00`02799801
fffff800`018abe68 ffbe9040`03633e00
fffff800`018abe70 023d07c2`021f7901
fffff800`018abe78 001831c3`ffc20d40
fffff800`018abe80 ffde7784`020db902
fffff800`018abe88 00ce2807`ffd45c07
fffff800`018abe90 039dc00d`039dcc0c
fffff800`018abe98 039a9200`03824d00
fffff800`018abea0 020c85c2`039a6800
fffff800`018abea8 0224bdc0`0366d800
fffff800`018abeb0 0392fa00`020e0200
fffff800`018abeb8 02528a85`01f238c0
fffff800`018abec0 02383a07`0221a800
fffff800`018abec8 021c0b82`0217c840
fffff800`018abed0 022be100`021a68c0
fffff800`018abed8 021b8ac0`02340800
fffff800`018abee0 0251e280`034a6900
fffff800`018abee8 02514800`023118c0
fffff800`018abef0 023c6f02`02330500
fffff800`018abef8 0218a341`02388402
fffff800`018abf00 034a5200`026ec102
fffff800`018abf08 021bc780`02813e04
fffff800`018abf10 023d4180`01f65d80
fffff800`018abf18 01f43640`02ee8400
fffff800`018abf20 036caf00`036fb000
fffff800`018abf28 038cd300`038ce600
fffff800`018abf30 022ba840`03981100
fffff800`018abf38 03e42e00`020dc300
fffff800`018abf40 03502100`02582644
fffff800`018abf48 038e7204`021c3ec0
fffff800`018abf50 02641c00`03503c00
fffff800`018abf58 03956a00`035c8a00
fffff800`018abf60 021a2a00`036de204
fffff800`018abf68 024ef940`01f674c4
fffff800`018abf70 03ca6600`025ef30a
fffff800`018abf78 021c69c0`036bac01
fffff800`018abf80 03696405`03db6504
fffff800`018abf88 024d3c41`0203c203
fffff800`018abf90 02979787`01fe5f40
fffff800`018abf98 020ed389`0219e000
fffff800`018abfa0 02038842`039c5c06
fffff800`018abfa8 036ba501`02408c07
fffff800`018abfb0 03a3e900`0219f686
fffff800`018abfb8 02132d00`0368ba00
fffff800`018abfc0 03129200`0312e100
fffff800`018abfc8 02280000`02008400
fffff800`018abfd0 03e07100`039b3e00
fffff800`018abfd8 0394aa00`021d0400
fffff800`018abfe0 03a8b600`03a90100
fffff800`018abfe8 036e8301`033b5400
fffff800`018abff0 0210bb02`03a2aa00
fffff800`018abff8 02202440`0387b000
fffff800`018ac000 ffcb9440`020504c0
fffff800`018ac008 02ec1600`02065d80
fffff800`018ac010 00b59900`03963800
fffff800`018ac018 025d5780`03753f00
fffff800`018ac020 01f7b100`02266b00
fffff800`018ac028 03707501`0263f400
fffff800`018ac030 021724c1`03641f02
fffff800`018ac038 0211aa00`02074b03
fffff800`018ac040 0217b640`ffcb2a03
fffff800`018ac048 02523500`02525e00
fffff800`018ac050 03b3bf00`0205ac00
fffff800`018ac058 025dabc0`02eabd00
fffff800`018ac060 03d3fe00`0388f200
fffff800`018ac068 03e61300`03e61600
fffff800`018ac070 021e9f06`03e57b04
fffff800`018ac078 03694500`01f8b7c0
fffff800`018ac080 0364b300`ffb16c00
fffff800`018ac088 02390402`02001600
fffff800`018ac090 039a8f00`03971100
fffff800`018ac098 021e5405`039a6500
fffff800`018ac0a0 02205308`02204c06
fffff800`018ac0a8 033f2c00`036e1501
fffff800`018ac0b0 033f4300`033f0000
fffff800`018ac0b8 0340fe00`036dd900
fffff800`018ac0c0 039b4f08`029aa140
fffff800`018ac0c8 026e5b40`03e08500
fffff800`018ac0d0 0209e380`02075f01
fffff800`018ac0d8 02512e00`033ef700
fffff800`018ac0e0 033f3800`02975f00
fffff800`018ac0e8 020a7082`036ead01
fffff800`018ac0f0 036cba00`022f58c0
fffff800`018ac0f8 036cc500`038cf100
fffff800`018ac100 021604c0`038cfc00
fffff800`018ac108 020dda01`039bce02
fffff800`018ac110 03888900`039b0100
fffff800`018ac118 033b2e00`0207cc00
fffff800`018ac120 003abc00`0312b100
fffff800`018ac128 033b0800`029a4403
fffff800`018ac130 02218a00`03c41f05
fffff800`018ac138 036a2f01`02133001
fffff800`018ac140 03633301`020b9681
fffff800`018ac148 0369c601`0369a001
fffff800`018ac150 00c20801`02067281
fffff800`018ac158 02f99600`025d6180
fffff800`018ac160 024a1701`03690601
fffff800`018ac168 0363e601`03c5c602
fffff800`018ac170 03c55100`03c59500
fffff800`018ac178 03c35105`02ea8c00
fffff800`018ac180 03698b01`0224d701
fffff800`018ac188 039acb00`02516940
fffff800`018ac190 0205e680`03c7cb01
fffff800`018ac198 036fbe02`0000fe00
fffff800`018ac1a0 038d0700`036ca400
fffff800`018ac1a8 0207c340`03753800
fffff800`018ac1b0 03645500`020c1c41
fffff800`018ac1b8 02246d40`03824100
fffff800`018ac1c0 023babc2`001879c0
fffff800`018ac1c8 03c51e00`03638100
fffff800`018ac1d0 03e55f00`039b1200
fffff800`018ac1d8 035c5000`00d59200
fffff800`018ac1e0 029afe40`02ee8400
fffff800`018ac1e8 025c2780`031ece00
fffff800`018ac1f0 03e43d00`ffcb9600
fffff800`018ac1f8 036c0d00`03644e00
fffff800`018ac200 038c8c00`03832600
fffff800`018ac208 03e31d00`03e07a00
fffff800`018ac210 03e2e800`03e30400
fffff800`018ac218 039a6b00`024c9245
fffff800`018ac220 025da1c0`03686d00
fffff800`018ac228 031f8100`0308e800
fffff800`018ac230 031dde00`031ce700
fffff800`018ac238 03c3d600`039a4100
fffff800`018ac240 0363c400`0363b600
fffff800`018ac248 03953200`03683a01
fffff800`018ac250 03bfed00`020bc3c0
fffff800`018ac258 023acb80`02048e40
fffff800`018ac260 036d9400`03950200
fffff800`018ac268 03629e00`ffb7e880
fffff800`018ac270 00720002`0222a941
fffff800`018ac278 0363cc00`0363bd00
fffff800`018ac280 02376740`03cc1100
fffff800`018ac288 03c79a01`039a9500
fffff800`018ac290 01e9bc00`03e7c600
fffff800`018ac298 031f7100`03e61d00
fffff800`018ac2a0 03689100`03282700
fffff800`018ac2a8 03e8c900`01eec041
fffff800`018ac2b0 00c27200`0205ef40
fffff800`018ac2b8 03a89200`038cdb00
fffff800`018ac2c0 036a7800`03734200
fffff800`018ac2c8 02701e82`01fb9900
fffff800`018ac2d0 02965340`01feb500
fffff800`018ac2d8 0321fc00`00b60600
fffff800`018ac2e0 039a1000`02479302
fffff800`018ac2e8 03c6e700`03d3fd00
fffff800`018ac2f0 03c5ff00`03c66900
fffff800`018ac2f8 ffc5af00`021ef101
fffff800`018ac300 036e3c00`03c2aa00
fffff800`018ac308 0017dbc0`02249580
fffff800`018ac310 0363dd00`0363d400
fffff800`018ac318 fffff800`003a64c0
fffff800`018ac320 fffff800`01c42080 nt!NtFreeUserPhysicalPages
fffff800`018ac328 fffff800`01961690 nt!NtFreezeRegistry
fffff800`018ac330 fffff800`01c210f0 nt!NtFreezeTransactions
fffff800`018ac338 fffff800`01b09278 nt!NtGetContextThread
fffff800`018ac340 fffff800`01ad23b0 nt!NtGetCurrentProcessorNumber
fffff800`018ac348 fffff800`01aa3810 nt!NtGetDevicePowerState
fffff800`018ac350 fffff800`01b0fc40 nt!NtGetMUIRegistryInfo
fffff800`018ac358 fffff800`01c1c450 nt!NtGetNextProcess
fffff800`018ac360 fffff800`01c0fef0 nt!NtGetNextThread
fffff800`018ac368 fffff800`01ac2f4c nt!NtGetNlsSectionPtr
fffff800`018ac370 fffff800`01ab31b0 nt!NtGetNotificationResourceManager
fffff800`018ac378 fffff800`01abd7a0 nt!NtGetPlugPlayEvent
fffff800`018ac380 fffff800`01876fa0 nt!NtGetWriteWatch
fffff800`018ac388 fffff800`01ac3864 nt!NtImpersonateAnonymousToken
fffff800`018ac390 fffff800`01afe2e0 nt!NtImpersonateThread
fffff800`018ac398 fffff800`01afe050 nt!NtInitializeNlsFiles
fffff800`018ac3a0 fffff800`01ab17c0 nt!NtInitializeRegistry
fffff800`018ac3a8 fffff800`01c5f8f0 nt!NtInitiatePowerAction
fffff800`018ac3b0 fffff800`01b968d0 nt!NtIsSystemResumeAutomatic
fffff800`018ac3b8 fffff800`01b097bc nt!NtIsUILanguageComitted
fffff800`018ac3c0 fffff800`01c34c20 nt!NtListenPort
fffff800`018ac3c8 fffff800`01c7fce0 nt!NtLoadDriver
fffff800`018ac3d0 fffff800`01c91e60 nt!NtLoadKey
fffff800`018ac3d8 fffff800`01c91e30 nt!NtLoadKey2
fffff800`018ac3e0 fffff800`01c914b0 nt!NtLoadKeyEx
fffff800`018ac3e8 fffff800`01aca6f0 nt!NtLockFile
fffff800`018ac3f0 fffff800`01aa487c nt!NtLockProductActivationKeys
fffff800`018ac3f8 fffff800`01c15150 nt!NtLockRegistryKey
fffff800`018ac400 fffff800`0185d3c0 nt!NtLockVirtualMemory
fffff800`018ac408 fffff800`01c10830 nt!NtMakePermanentObject
fffff800`018ac410 fffff800`01aabe60 nt!NtMakeTemporaryObject
fffff800`018ac418 fffff800`01ae4d40 nt!NtMapCMFModule
fffff800`018ac420 fffff800`01c42e10 nt!NtMapUserPhysicalPages
fffff800`018ac428 fffff800`01c465f0 nt!NtModifyBootEntry
fffff800`018ac430 fffff800`01c46350 nt!NtModifyDriverEntry
fffff800`018ac438 fffff800`01aca240 nt!NtNotifyChangeDirectoryFile
fffff800`018ac440 fffff800`01acc1c0 nt!NtNotifyChangeKey
fffff800`018ac448 fffff800`01acc230 nt!NtNotifyChangeMultipleKeys
fffff800`018ac450 fffff800`01c19e50 nt!NtOpenEnlistment
fffff800`018ac458 fffff800`01beafc0 nt!NtOpenEventPair
fffff800`018ac460 fffff800`01bead00 nt!NtOpenIoCompletion
fffff800`018ac468 fffff800`01beb130 nt!NtOpenJobObject
fffff800`018ac470 fffff800`01c19a90 nt!NtOpenKeyTransacted
fffff800`018ac478 fffff800`01becce0 nt!NtOpenKeyedEvent
fffff800`018ac480 fffff800`01b46714 nt!NtOpenMutant
fffff800`018ac488 fffff800`01c471f0 nt!NtOpenObjectAuditAlarm
fffff800`018ac490 fffff800`01c8c550 nt!NtOpenPrivateNamespace
fffff800`018ac498 fffff800`01b1a2b4 nt!NtOpenProcessToken
fffff800`018ac4a0 fffff800`01ab32f0 nt!NtOpenResourceManager
fffff800`018ac4a8 fffff800`01ab5b38 nt!NtOpenSemaphore
fffff800`018ac4b0 fffff800`01beac70 nt!NtOpenSession
fffff800`018ac4b8 fffff800`01afcfe0 nt!NtOpenSymbolicLinkObject
fffff800`018ac4c0 fffff800`01b432f0 nt!NtOpenThread
fffff800`018ac4c8 fffff800`01beb080 nt!NtOpenTimer
fffff800`018ac4d0 fffff800`01c1a7d0 nt!NtOpenTransaction
fffff800`018ac4d8 fffff800`01ab6408 nt!NtOpenTransactionManager
fffff800`018ac4e0 fffff800`01adb28c nt!NtPlugPlayControl
fffff800`018ac4e8 fffff800`01c188a0 nt!NtPrePrepareComplete
fffff800`018ac4f0 fffff800`01c38c10 nt!NtPrePrepareEnlistment
fffff800`018ac4f8 fffff800`01c18950 nt!NtPrepareComplete
fffff800`018ac500 fffff800`01c38cc0 nt!NtPrepareEnlistment
fffff800`018ac508 fffff800`01ac1d4c nt!NtPrivilegeCheck
fffff800`018ac510 fffff800`01c479e0 nt!NtPrivilegeObjectAuditAlarm
fffff800`018ac518 fffff800`01ab9aa0 nt!NtPrivilegedServiceAuditAlarm
fffff800`018ac520 fffff800`01c46d10 nt!NtPropagationComplete
fffff800`018ac528 fffff800`01c34590 nt!NtPropagationFailed
fffff800`018ac530 fffff800`01ab39c0 nt!NtPulseEvent
fffff800`018ac538 fffff800`01be6fe0 nt!NtQueryBootEntryOrder
fffff800`018ac540 fffff800`01bbe810 nt!NtQueryBootOptions
fffff800`018ac548 fffff800`018e68c0 nt!NtQueryDebugFilterState
fffff800`018ac550 fffff800`01b46140 nt!NtQueryDirectoryObject
fffff800`018ac558 fffff800`01be6d80 nt!NtQueryDriverEntryOrder
fffff800`018ac560 fffff800`01c6fef0 nt!NtQueryEaFile
fffff800`018ac568 fffff800`01acd5a0 nt!NtQueryFullAttributesFile
fffff800`018ac570 fffff800`01abf000 nt!NtQueryInformationAtom
fffff800`018ac578 fffff800`01c15ff0 nt!NtQueryInformationEnlistment
fffff800`018ac580 fffff800`01ab7668 nt!NtQueryInformationJobObject
fffff800`018ac588 fffff800`01c0f030 nt!NtQueryInformationPort
fffff800`018ac590 fffff800`01c15700 nt!NtQueryInformationResourceManager
fffff800`018ac598 fffff800`01c15960 nt!NtQueryInformationTransaction
fffff800`018ac5a0 fffff800`01ab2428 nt!NtQueryInformationTransactionManager
fffff800`018ac5a8 fffff800`0196dd80 nt!NtQueryInformationWorkerFactory
fffff800`018ac5b0 fffff800`01b09318 nt!NtQueryInstallUILanguage
fffff800`018ac5b8 fffff800`01ba5660 nt!NtQueryIntervalProfile
fffff800`018ac5c0 fffff800`01c14d60 nt!NtQueryIoCompletion
fffff800`018ac5c8 fffff800`01af5e70 nt!NtQueryLicenseValue
fffff800`018ac5d0 fffff800`01c71960 nt!NtQueryMultipleValueKey
fffff800`018ac5d8 fffff800`01c0fb60 nt!NtQueryMutant
fffff800`018ac5e0 fffff800`01c71650 nt!NtQueryOpenSubKeys
fffff800`018ac5e8 fffff800`01c71210 nt!NtQueryOpenSubKeysEx
fffff800`018ac5f0 fffff800`01b965c0 nt!NtQueryPortInformationProcess
fffff800`018ac5f8 fffff800`01c6f210 nt!NtQueryQuotaInformationFile
fffff800`018ac600 fffff800`01ad0a70 nt!NtQuerySecurityObject
fffff800`018ac608 fffff800`01c155b0 nt!NtQuerySemaphore
fffff800`018ac610 fffff800`01afd394 nt!NtQuerySymbolicLinkObject
fffff800`018ac618 fffff800`01c469b0 nt!NtQuerySystemEnvironmentValue
fffff800`018ac620 fffff800`01c739b0 nt!NtQuerySystemEnvironmentValueEx
fffff800`018ac628 fffff800`01ab1b68 nt!NtQueryTimerResolution
fffff800`018ac630 fffff800`018acce0 nt!NtRaiseException
fffff800`018ac638 fffff800`01c1b8e0 nt!NtRaiseHardError
fffff800`018ac640 fffff800`01c18740 nt!NtReadOnlyEnlistment
fffff800`018ac648 fffff800`01c38d70 nt!NtRecoverEnlistment
fffff800`018ac650 fffff800`01c21080 nt!NtRecoverResourceManager
fffff800`018ac658 fffff800`01ab3934 nt!NtRecoverTransactionManager
fffff800`018ac660 fffff800`01ab7ec4 nt!NtRegisterProtocolAddressInformation
fffff800`018ac668 fffff800`01c10250 nt!NtRegisterThreadTerminatePort
fffff800`018ac670 fffff800`01c2e110 nt!NtReleaseCMFViewOwnership
fffff800`018ac678 fffff800`01ad03d4 nt!NtReleaseKeyedEvent
fffff800`018ac680 fffff800`018c449c nt!NtReleaseWorkerFactoryWorker
fffff800`018ac688 fffff800`01ae77bc nt!NtRemoveIoCompletionEx
fffff800`018ac690 fffff800`01c0f510 nt!NtRemoveProcessDebug
fffff800`018ac698 fffff800`01c70ee0 nt!NtRenameKey
fffff800`018ac6a0 fffff800`01c46e20 nt!NtRenameTransactionManager
fffff800`018ac6a8 fffff800`01c912f0 nt!NtReplaceKey
fffff800`018ac6b0 fffff800`01981620 nt!NtReplacePartitionUnit
fffff800`018ac6b8 fffff800`01c08200 nt!NtReplyWaitReplyPort
fffff800`018ac6c0 fffff800`01b9a540 nt!NtCancelDeviceWakeupRequest
fffff800`018ac6c8 fffff800`01b46ce4 nt!NtRequestPort
fffff800`018ac6d0 fffff800`01bca9e0 nt!NtRequestWakeupLatency
fffff800`018ac6d8 fffff800`01b07f78 nt!NtResetEvent
fffff800`018ac6e0 fffff800`01877660 nt!NtResetWriteWatch
fffff800`018ac6e8 fffff800`01c900d0 nt!NtRestoreKey
fffff800`018ac6f0 fffff800`01c101e0 nt!NtResumeProcess
fffff800`018ac6f8 fffff800`01c17dd0 nt!NtRollbackComplete
fffff800`018ac700 fffff800`01c2ef60 nt!NtRollbackEnlistment
fffff800`018ac708 fffff800`01c385c0 nt!NtRollbackTransaction
fffff800`018ac710 fffff800`01c8c4a0 nt!NtRollforwardTransactionManager
fffff800`018ac718 fffff800`01c8eed0 nt!NtSaveKey
fffff800`018ac720 fffff800`01c8ed40 nt!NtSaveKeyEx
fffff800`018ac728 fffff800`01c8eb80 nt!NtSaveMergedKeys
fffff800`018ac730 fffff800`01af8624 nt!NtSecureConnectPort
fffff800`018ac738 fffff800`01c463b0 nt!NtSetBootEntryOrder
fffff800`018ac740 fffff800`01c143d0 nt!NtSetBootOptions
fffff800`018ac748 fffff800`01b0971c nt!NtSetContextThread
fffff800`018ac750 fffff800`01bb4b80 nt!NtSetDebugFilterState
fffff800`018ac758 fffff800`01bcb510 nt!NtSetDefaultHardErrorPort
fffff800`018ac760 fffff800`01bc8b70 nt!NtSetDefaultLocale
fffff800`018ac768 fffff800`01bc9ae0 nt!NtSetDefaultUILanguage
fffff800`018ac770 fffff800`01c46110 nt!NtSetDriverEntryOrder
fffff800`018ac778 fffff800`01c6fa60 nt!NtSetEaFile
fffff800`018ac780 fffff800`01c0f860 nt!NtSetHighEventPair
fffff800`018ac788 fffff800`01c0f940 nt!NtSetHighWaitLowEventPair
fffff800`018ac790 fffff800`01c140a0 nt!NtSetInformationDebugObject
fffff800`018ac798 fffff800`01c41020 nt!NtSetInformationEnlistment
fffff800`018ac7a0 fffff800`01ab793c nt!NtSetInformationJobObject
fffff800`018ac7a8 fffff800`01c6bbd0 nt!NtSetInformationKey
fffff800`018ac7b0 fffff800`01ab05e4 nt!NtSetInformationResourceManager
fffff800`018ac7b8 fffff800`01ae69b8 nt!NtSetInformationToken
fffff800`018ac7c0 fffff800`01c40d20 nt!NtSetInformationTransaction
fffff800`018ac7c8 fffff800`01c19640 nt!NtSetInformationTransactionManager
fffff800`018ac7d0 fffff800`01863b88 nt!NtSetInformationWorkerFactory
fffff800`018ac7d8 fffff800`01c0e6e0 nt!NtSetIntervalProfile
fffff800`018ac7e0 fffff800`01ace794 nt!NtSetIoCompletion
fffff800`018ac7e8 fffff800`0191dd00 nt!xHalAllocateMapRegisters
fffff800`018ac7f0 fffff800`01c0f8d0 nt!NtSetLowEventPair
fffff800`018ac7f8 fffff800`01c0f9c0 nt!NtSetLowWaitHighEventPair
fffff800`018ac800 fffff800`01c77e10 nt!NtSetQuotaInformationFile
fffff800`018ac808 fffff800`01ae3374 nt!NtSetSecurityObject
fffff800`018ac810 fffff800`01c46650 nt!NtSetSystemEnvironmentValue
fffff800`018ac818 fffff800`01c736a0 nt!NtSetSystemEnvironmentValueEx
fffff800`018ac820 fffff800`01c93960 nt!NtSetSystemInformation
fffff800`018ac828 fffff800`01a958c0 nt!NtSetSystemPowerState
fffff800`018ac830 fffff800`01c91ed0 nt!NtSetSystemTime
fffff800`018ac838 fffff800`01bcb410 nt!NtSetThreadExecutionState
fffff800`018ac840 fffff800`01bd3f70 nt!NtSetTimerResolution
fffff800`018ac848 fffff800`01c14610 nt!NtSetUuidSeed
fffff800`018ac850 fffff800`01a9a904 nt!NtSetVolumeInformationFile
fffff800`018ac858 fffff800`01c94990 nt!NtShutdownSystem
fffff800`018ac860 fffff800`01ab1bf4 nt!NtShutdownWorkerFactory
fffff800`018ac868 fffff800`0196e420 nt!NtSignalAndWaitForSingleObject
fffff800`018ac870 fffff800`01c38ab0 nt!NtSinglePhaseReject
fffff800`018ac878 fffff800`01c54620 nt!NtStartProfile
fffff800`018ac880 fffff800`01c1f120 nt!NtStopProfile
fffff800`018ac888 fffff800`01c16480 nt!NtSuspendProcess
fffff800`018ac890 fffff800`01aa7690 nt!NtSuspendThread
fffff800`018ac898 fffff800`01b1bee8 nt!NtSystemDebugControl
fffff800`018ac8a0 fffff800`01aaa850 nt!NtTerminateJobObject
fffff800`018ac8a8 fffff800`01b42234 nt!NtTestAlert
fffff800`018ac8b0 fffff800`01961d60 nt!NtThawRegistry
fffff800`018ac8b8 fffff800`01bcdcc0 nt!NtThawTransactions
fffff800`018ac8c0 fffff800`01af3630 nt!NtTraceControl
fffff800`018ac8c8 fffff800`01c45e00 nt!NtTranslateFilePath
fffff800`018ac8d0 fffff800`01c7fcd0 nt!NtUnloadDriver
fffff800`018ac8d8 fffff800`01c72b70 nt!NtUnloadKey
fffff800`018ac8e0 fffff800`01c72390 nt!NtUnloadKey2
fffff800`018ac8e8 fffff800`01c71cf0 nt!NtUnloadKeyEx
fffff800`018ac8f0 fffff800`01acac10 nt!NtUnlockFile
fffff800`018ac8f8 fffff800`018717f0 nt!NtUnlockVirtualMemory
fffff800`018ac900 fffff800`01c6e7a0 nt!NtVdmControl
fffff800`018ac908 fffff800`01c1a0c0 nt!NtWaitForDebugEvent
fffff800`018ac910 fffff800`01ad0658 nt!NtWaitForKeyedEvent
fffff800`018ac918 fffff800`018c3abc nt!NtWaitForWorkViaWorkerFactory
fffff800`018ac920 fffff800`01c0fa40 nt!NtWaitHighEventPair
fffff800`018ac928 fffff800`01c0fad0 nt!NtWaitLowEventPair
fffff800`018ac930 fffff800`018e634c nt!NtWorkerFactoryWorkerReady
그래서 아래와 같이 ZwReadVirtualMemory 함수를 디스어셈블해 보면, 서비스 인덱스(3Ch)를 eax에 넣은 뒤
KiServiceInternal 커널 함수로 점프하고 있다.
0: kd> u nt!ZwReadVirtualMemory L50
nt!ZwReadVirtualMemory:
fffff800`018a3540 488bc4 mov rax,rsp
fffff800`018a3543 fa cli
fffff800`018a3544 4883ec10 sub rsp,10h
fffff800`018a3548 50 push rax
fffff800`018a3549 9c pushfq
fffff800`018a354a 6a10 push 10h
fffff800`018a354c 488d05ed4d0000 lea rax,[nt!KiServiceLinkage (fffff800`018a8340)]
fffff800`018a3553 50 push rax
fffff800`018a3554 b83c000000 mov eax,3Ch
fffff800`018a3559 e922460000 jmp nt!KiServiceInternal (fffff800`018a7b80)
0: kd> u fffff800`018a7b80
nt!KiServiceInternal:
fffff800`018a7b80 4883ec08 sub rsp,8
fffff800`018a7b84 55 push rbp
fffff800`018a7b85 4881ec58010000 sub rsp,158h
fffff800`018a7b8c 488dac2480000000 lea rbp,[rsp+80h]
fffff800`018a7b94 48899dc0000000 mov qword ptr [rbp+0C0h],rbx
fffff800`018a7b9b 4889bdc8000000 mov qword ptr [rbp+0C8h],rdi
fffff800`018a7ba2 4889b5d0000000 mov qword ptr [rbp+0D0h],rsi
fffff800`018a7ba9 fb sti
0: kd> u
nt!KiServiceInternal+0x2a:
fffff800`018a7baa 65488b1c2588010000 mov rbx,qword ptr gs:[188h]
fffff800`018a7bb3 0f0d8bc8010000 prefetchw [rbx+1C8h]
fffff800`018a7bba 0fb6bb53010000 movzx edi,byte ptr [rbx+153h]
fffff800`018a7bc1 40887da8 mov byte ptr [rbp-58h],dil
fffff800`018a7bc5 c6835301000000 mov byte ptr [rbx+153h],0
fffff800`018a7bcc 4c8b93c8010000 mov r10,qword ptr [rbx+1C8h]
fffff800`018a7bd3 4c8995b8000000 mov qword ptr [rbp+0B8h],r10
fffff800`018a7bda 4c8d1ddd000000 lea r11,[nt!KiSystemServiceStart (fffff800`018a7cbe)] << -- 실제 주소 구해오는 부분
nt!KiSystemServiceStart:
fffff800`018a7cbe 4889a3c8010000 mov qword ptr [rbx+1C8h],rsp
fffff800`018a7cc5 8bf8 mov edi,eax
fffff800`018a7cc7 c1ef07 shr edi,7
fffff800`018a7cca 83e720 and edi,20h
fffff800`018a7ccd 25ff0f0000 and eax,0FFFh
nt!KiSystemServiceRepeat:
fffff800`018a7cd2 4c8d15a74c1d00 lea r10,[nt!KeServiceDescriptorTable (fffff800`01a7c980)]
fffff800`018a7cd9 4c8d1de04c1d00 lea r11,[nt!KeServiceDescriptorTableShadow (fffff800`01a7c9c0)]
fffff800`018a7ce0 f783f400000000010000 test dword ptr [rbx+0F4h],100h
fffff800`018a7cea 4d0f45d3 cmovne r10,r11
fffff800`018a7cee 423b441710 cmp eax,dword ptr [rdi+r10+10h]
fffff800`018a7cf3 0f83ad020000 jae nt!KiSystemServiceExit+0x16b (fffff800`018a7fa6)
fffff800`018a7cf9 4e8b1417 mov r10,qword ptr [rdi+r10]
위의 디스어셈블 코드를 보면 rax(eax)에는 ZwReadVirtualMemory의 서비스 인덱스(앞서 mov eax,3Ch로 설정된 값을 and eax,0FFFh로 마스킹한 값)가 들어 있고,
r10에는 서비스 테이블의 시작 주소(KeServiceDescriptorTable 또는 Shadow 테이블 중 cmovne로 선택된 디스크립터의 첫 QWORD)가 들어온다. 그 직전의 cmp eax,dword ptr [rdi+r10+10h] / jae 는 인덱스가 테이블 한계(디스크립터+10h)보다 작은지 확인하는 범위 검사이다.
>>>>
fffff800`018a7cfd 4d631c82 movsxd r11,dword ptr [r10+rax*4] << rax : 인덱스, r10 : 서비스 테이블 시작 주소. 4바이트 항목을 읽어 64비트로 부호 확장
fffff800`018a7d01 498bc3 mov rax,r11 << rax = r11 (읽어 온 항목 값 보존)
fffff800`018a7d04 49c1fb04 sar r11,4 << 산술 우측 시프트 4비트 (부호 유지, 하위 4비트는 주소 계산에서 제외)
fffff800`018a7d08 4d03d3 add r10,r11 << 서비스 테이블 시작 주소 + 오프셋 = 실제 함수 주소
>>>>
실제 ZwReadVirtualMemory 함수의 주소를 계산하는 방법이다.
위의 디스어셈블 코드를 간단하게 C로 옮기면 아래와 같다. 테이블 항목은 부호 있는 32비트 값이고(movsxd), 시프트는 산술 시프트이며(sar), 덧셈은 64비트로 이루어지므로 타입을 그에 맞춰야 한다(32비트 ULONG으로 계산하면 음수 오프셋과 상위 주소 비트가 잘린다).
LONG a = *(PLONG)(서비스 테이블 시작 주소 + 인덱스 * 4);
LONG64 b = (LONG64)a >> 4;
ULONG64 c = (ULONG64)서비스 테이블 시작 주소 + b;
fffff800`018a7d0b 83ff20 cmp edi,20h
fffff800`018a7d0e 7550 jne nt!KiSystemServiceGdiTebAccess+0x49 (fffff800`018a7d60)
fffff800`018a7d10 4c8b9bb0000000 mov r11,qword ptr [rbx+0B0h]
nt!KiSystemServiceCopyStart+0x64:
fffff800`018a7e14 48894710 mov qword ptr [rdi+10h],rax
fffff800`018a7e18 488b4608 mov rax,qword ptr [rsi+8]
fffff800`018a7e1c 48894708 mov qword ptr [rdi+8],rax
nt!KiSystemServiceCopyEnd:
fffff800`018a7e20 f7055ea3120040000000 test dword ptr [nt!PerfGlobalGroupMask+0x8 (fffff800`019d2188)],40h
fffff800`018a7e2a 0f8514020000 jne nt!KiSystemServiceExit+0x209 (fffff800`018a8044)
위에서 계산된 실제 NtReadVirtualMemory 함수의 주소(r10)를 호출한다.
fffff800`018a7e30 41ffd2 call r10
실제 64비트에서는 패치가드가 서비스 테이블을 감시하므로 위의 함수들을 테이블 수정 방식으로 후킹할 수 없지만, 문서화되지 않은(undocumented) API 함수의 주소를 얻어 호출하려면
위와 같이 계산해 주면 된다. 다만 서비스 인덱스(여기서는 3Ch)와 테이블 배치는 OS 버전마다 달라질 수 있으므로 값을 고정해 두지 말고 실행 시점에 확인해야 하며, 위 커널 코드처럼 인덱스가 테이블 한계(디스크립터+10h의 값)보다 작은지 검사한 뒤 사용해야 한다.