Hello

Question

Hello

hyglvy opened this issue 9 years ago · 3 comments

When I see you code by KiSystemServiceRepeat_Emulate PROC

; RAX = [IN ] syscall index
; RAX = [OUT] number of parameters
; R10 = [OUT] function address
; R11 = [I/O] trashed

lea         r11, offset SyscallPointerTable
mov         r10, qword ptr [r11 + rax * 8h]

lea         r11, offset SyscallParamTable
movzx       rax, byte ptr [r11 + rax]   ; RAX = paramter count

mov         r11, qword ptr [NtKernelBase]
add         r11, 280H                ; <------------------ FIXME
jmp         r11                         ; R11 = and/jz KiSystemServiceCopyEnd

KiSystemServiceRepeat_Emulate ENDP
I have some questions to ask you,Could you help me?
The System Code is
nt!KiSystemServiceRepeat:
fffff80003e8dcb2 4c8d15878c2300 lea r10,[nt!KeServiceDescriptorTable (fffff800040c6940)]
fffff80003e8dcb9 4c8d1dc08c2300 lea r11,[nt!KeServiceDescriptorTableShadow (fffff800040c6980)]
fffff80003e8dcc0 f7830001000080000000 test dword ptr [rbx+100h],80h fffff80003e8dcca 4d0f45d3 cmovne r10,r11
fffff80003e8dcce 423b441710 cmp eax,dword ptr [rdi+r10+10h] fffff80003e8dcd3 0f83e9020000 jae nt!KiSystemServiceExit+0x1a7 (fffff80003e8dfc2) fffff80003e8dcd9 4e8b1417 mov r10,qword ptr [rdi+r10]
fffff800`03e8dcdd 4d631c82 movsxd r11,dword ptr [r10+rax*4]
; RAX = [IN ] syscall index
; RAX = [OUT] number of parameters
; R10 = [OUT] function address
; R11 = [I/O] trashed
I expect you to answer my questions thank you.

Answer 1 · 2015-11-07T21:49:30.000Z

It's not very clear what you are asking.....do you need to know the new value for 0x280?

0x000000014015C3E0 - 0x0000000140000000 = 0x15C3E0

so the fixed version is.......

    mov         r11, qword ptr [NtKernelBase]
    add         r11, 15C3E0h
    jmp         r11                         ; R11 = and/jz KiSystemServiceCopyEnd

Answer 2 · 2015-11-11T17:26:21.000Z

Thanks, ti's windows x64 not win8 x64.I fix your code readmsr(MSR_LSTAR)+0x280=KiSystemServiceCopyEnd..I don't not why asm code write
lea r11, offset SyscallPointerTable
mov r10, qword ptr [r11 + rax * 8h]
lea r11, offset SyscallParamTable
movzx rax, byte ptr [r11 + rax] ; RAX = paramter count

Answer 3 · 2015-11-11T17:31:20.000Z

When I change code value
VmExecControl |= CPU_BASED_RDTSC_EXITING;
VmExecControl |= CPU_BASED_ACTIVATE_MSR_BITMAP;
VmExecControl |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS
to
CPU_BASED_ACTIVATE_MSR_BITMAP | CPU_BASED_ACTIVATE_IO_BITMA |CPU_BASED_MOV_DR_EXITING
The computer will Computer crash。