(以下反汇编代码均来自 Windows 下 WinDbg 的输出;结构体布局来自 dt 命令,偏移仅对该次调试的内核版本有效)
KeInitializeDpc,如下:
nt!KeInitializeDpc:
840a2d25 8bff mov edi,edi
840a2d27 55 push ebp
840a2d28 8bec mov ebp,esp
840a2d2a 8b4508 mov eax,dword ptr [ebp+8]
840a2d2d 33c9 xor ecx,ecx
840a2d2f 83601c00 and dword ptr [eax+1Ch],0
840a2d33 c60013 mov byte ptr [eax],13h
840a2d36 c6400101 mov byte ptr [eax+1],1
840a2d3a 66894802 mov word ptr [eax+2],cx
840a2d3e 8b4d0c mov ecx,dword ptr [ebp+0Ch]
840a2d41 89480c mov dword ptr [eax+0Ch],ecx
840a2d44 8b4d10 mov ecx,dword ptr [ebp+10h]
840a2d47 894810 mov dword ptr [eax+10h],ecx
840a2d4a 5d pop ebp
840a2d4b c20c00 ret 0Ch
lkd> dt nt!_kdpc //dpc结构体
+0x000 Type : UChar
+0x001 Importance : UChar
+0x002 Number : Uint2B
+0x004 DpcListEntry : _LIST_ENTRY
+0x00c DeferredRoutine : Ptr32 void
+0x010 DeferredContext : Ptr32 Void
+0x014 SystemArgument1 : Ptr32 Void
+0x018 SystemArgument2 : Ptr32 Void
+0x01c DpcData : Ptr32 Void
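/*
 * KeInitializeDpc -- C reconstruction of the nt!KeInitializeDpc listing above.
 *
 * Dpc             : the _KDPC object to initialize.
 * DeferredRoutine : stored at _KDPC+0x0C (mov [eax+0Ch],ecx).
 * DeferredContext : stored at _KDPC+0x10 (mov [eax+10h],ecx); it is the value
 *                   later handed to DeferredRoutine as its DeferredContext.
 *
 * Only the first four bytes (Type/Importance/Number), DpcData (+0x1C) and the
 * two routine/context pointers are written. DpcListEntry (+0x04) and
 * SystemArgument1/2 (+0x14/+0x18) are left untouched by this routine.
 *
 * Fix against the earlier reconstruction: the closing ')' of the parameter
 * list had been swallowed by a trailing '//' comment, so the prototype did
 * not parse.
 */
VOID KeInitializeDpc(
    IN PRKDPC Dpc,
    IN PKDEFERRED_ROUTINE DeferredRoutine,
    IN PVOID DeferredContext)
{
    Dpc->DpcData = 0;        /* and dword ptr [eax+1Ch],0 */
    Dpc->Type = 0x13;        /* mov byte ptr [eax],13h -- presumably DpcObject (19); confirm */
    Dpc->Importance = 1;     /* mov byte ptr [eax+1],1 -- presumably MediumImportance; confirm */
    Dpc->Number = 0;         /* mov word ptr [eax+2],cx with cx == 0 (xor ecx,ecx) */
    Dpc->DeferredRoutine = DeferredRoutine;
    Dpc->DeferredContext = DeferredContext;
}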
/*
 * CustomDpc -- the DeferredRoutine that KeInitializeDpc records at _KDPC+0x0C.
 *
 * Dpc             : the _KDPC object being delivered.
 * DeferredContext : the value KeInitializeDpc saved at _KDPC+0x10.
 * SystemArgument1 : _KDPC+0x14 -- not written by KeInitializeDpc.
 * SystemArgument2 : _KDPC+0x18 -- not written by KeInitializeDpc.
 *                   NOTE(review): presumably filled in when the DPC is queued
 *                   (KeInsertQueueDpc) -- confirm before relying on them.
 */
KDEFERRED_ROUTINE CustomDpc;
VOID
CustomDpc(
__in struct _KDPC *Dpc,
__in_opt PVOID DeferredContext,
__in_opt PVOID SystemArgument1,
__in_opt PVOID SystemArgument2
)
{...}// body omitted in the article: the deferred work goes here
KeInitializeApc如下:
nt!KeInitializeApc:
84104df3 8bff mov edi,edi
84104df5 55 push ebp
84104df6 8bec mov ebp,esp
84104df8 8b4508 mov eax,dword ptr [ebp+8]
84104dfb 8b5510 mov edx,dword ptr [ebp+10h]
84104dfe 8b4d0c mov ecx,dword ptr [ebp+0Ch]
84104e01 c60012 mov byte ptr [eax],12h
84104e04 c6400230 mov byte ptr [eax+2],30h
84104e08 83fa02 cmp edx,2
84104e0b 7506 jne nt!KeInitializeApc+0x20 (84104e13)
nt!KeInitializeApc+0x1a:
84104e0d 8a9134010000 mov dl,byte ptr [ecx+134h]
nt!KeInitializeApc+0x20:
84104e13 894808 mov dword ptr [eax+8],ecx
84104e16 8b4d14 mov ecx,dword ptr [ebp+14h]
84104e19 894814 mov dword ptr [eax+14h],ecx
84104e1c 8b4d18 mov ecx,dword ptr [ebp+18h]
84104e1f 88502c mov byte ptr [eax+2Ch],dl
84104e22 894818 mov dword ptr [eax+18h],ecx
84104e25 8b4d1c mov ecx,dword ptr [ebp+1Ch]
84104e28 33d2 xor edx,edx
84104e2a 89481c mov dword ptr [eax+1Ch],ecx
84104e2d 3bca cmp ecx,edx
84104e2f 740e je nt!KeInitializeApc+0x4c (84104e3f)
nt!KeInitializeApc+0x3e:
84104e31 8a4d20 mov cl,byte ptr [ebp+20h]
84104e34 88482d mov byte ptr [eax+2Dh],cl
84104e37 8b4d24 mov ecx,dword ptr [ebp+24h]
84104e3a 894820 mov dword ptr [eax+20h],ecx
84104e3d eb06 jmp nt!KeInitializeApc+0x52 (84104e45)
nt!KeInitializeApc+0x4c:
84104e3f 88502d mov byte ptr [eax+2Dh],dl
84104e42 895020 mov dword ptr [eax+20h],edx
nt!KeInitializeApc+0x52:
84104e45 88502e mov byte ptr [eax+2Eh],dl
84104e48 5d pop ebp
84104e49 c22000 ret 20h
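/*
 * KeInitializeApc -- C reconstruction of the nt!KeInitializeApc listing above.
 *
 * Apc            : the _KAPC object to initialize.
 * Thread         : target thread, stored at _KAPC+0x08.
 * Index          : APC environment selector. The value 2 makes the routine
 *                  read a byte from Thread+0x134 instead (mov dl,[ecx+134h]);
 *                  the earlier reconstruction names that field ApcStateIndex
 *                  -- confirm with `dt nt!_KTHREAD`.
 * KernelRoutine  : stored at +0x14.
 * RundownRoutine : stored at +0x18.
 * NormalRoutine  : stored at +0x1C. Whether it is NULL decides the next step.
 * Mode, Context  : written to +0x2D / +0x20 ONLY when NormalRoutine is non-NULL
 *                  (path at +0x3e); otherwise both are zeroed (path at +0x4c).
 *
 * Fixes against the earlier reconstruction:
 *  - `cmp ecx,edx` / `je` jumps to the zeroing path when NormalRoutine == 0,
 *    so the test is `if (NormalRoutine)`, not `if (!NormalRoutine)`.
 *  - The two paths are mutually exclusive (`jmp` over the zeroing path); the
 *    old code fell through and always overwrote ApcMode/NormalContext with 0,
 *    which would make every APC look like a kernel-mode, context-less one.
 *  - Inserted (+0x2E) is cleared once, on both paths (+0x52).
 *  - Field name typo: RoudownRoutine -> RundownRoutine.
 */
void KeInitializeApc(PRKAPC Apc, PRKTHREAD Thread, CHAR Index,
                     PVOID KernelRoutine, PVOID RundownRoutine, PVOID NormalRoutine,
                     CHAR Mode, PVOID Context)
{
    Apc->Type = 0x12;                     /* mov byte ptr [eax],12h */
    Apc->Size = sizeof(KAPC);             /* mov byte ptr [eax+2],30h -- 0x30 on this build */

    /* cmp edx,2 / jne: only Index == 2 consults the thread */
    if (Index == 2) {
        Index = Thread->ApcStateIndex;    /* mov dl,byte ptr [ecx+134h] */
    }

    Apc->Thread = Thread;                 /* mov [eax+08h],ecx */
    Apc->KernelRoutine = KernelRoutine;   /* mov [eax+14h],ecx */
    Apc->ApcStateIndex = Index;           /* mov [eax+2Ch],dl */
    Apc->RundownRoutine = RundownRoutine; /* mov [eax+18h],ecx */
    Apc->NormalRoutine = NormalRoutine;   /* mov [eax+1Ch],ecx */

    if (NormalRoutine != NULL) {
        Apc->ApcMode = Mode;              /* mov [eax+2Dh],cl  (cl = [ebp+20h]) */
        Apc->NormalContext = Context;     /* mov [eax+20h],ecx (ecx = [ebp+24h]) */
    } else {
        Apc->ApcMode = 0;                 /* mov [eax+2Dh],dl  (dl = 0) */
        Apc->NormalContext = NULL;        /* mov [eax+20h],edx (edx = 0) */
    }
    Apc->Inserted = 0;                    /* mov [eax+2Eh],dl -- common to both paths */
}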
还原的正确性不敢保证:)。尤其要注意 KeInitializeApc 末尾对 NormalRoutine 的处理:汇编中 `cmp ecx,edx` / `je` 在 NormalRoutine 为 0 时才跳到清零路径,非 0 时才写入 Mode 与 Context,两条路径互斥,Inserted 在两条路径之后统一清零——阅读时请以汇编为准。我觉得这个工作很有意义:可以训练逻辑能力,简单的代码优化,还可以理解内核的实现过程。
初始化DPC与APC
本文介绍了Windows内核中延迟过程调用(DPC)及异步过程调用(APC)的初始化过程。通过WinDbg反汇编代码详细展示了KeInitializeDpc与KeInitializeApc函数的具体实现细节,帮助读者理解DPC和APC结构体的内部组织。




