[原创] Windows 线程恢复流程逆向分析（nt!KiReadyThread，x86 内核反汇编注释）

; nt!KiReadyThread -- annotated WinDbg disassembly (x86, 32-bit kernel, Intel syntax)
;
; What the visible code does: it takes one KTHREAD (arrives in ecx, fastcall
; style, copied to esi), saves and clears the thread's Preempted flag, stamps
; WaitTime with KeTickCount, then runs a chain of checks -- process state,
; kernel-stack residency, idle processors within the affinity mask, whether the
; ideal processor is allowed, whether the target Prcb already has a NextThread,
; and whether the ready thread out-ranks the processor's current thread.  When
; none of those branches fire, the thread is marked Ready, linked at the tail of
; the per-priority list KiDispatcherReadyListHead[Priority], and its priority bit
; is OR'd into KiReadySummary.
;
; Frame and registers: `push ebp / mov ebp,esp` then two `push ecx` reserve an
; 8-byte local area; [ebp-1] parks the saved Preempted byte until +0x307.
; ebx/esi/edi are saved and restored (callee-saved); eax/ecx/edx are clobbered.
;
; Reading notes (reviewer):
;  * This is a NON-CONTIGUOUS excerpt in execution order, not address order.
;    Only the blocks at +0x12a, +0x2f, +0x3c, +0x64, +0x66, +0x74, +0xb4, +0x2d1,
;    +0x307, +0x329, +0x336 and +0x340 are shown; the branch targets +0x134,
;    +0x17d, +0x1aa, +0x7f, +0xcc, +0x2dc and +0x31b are NOT, so register
;    contents on entry to a block (e.g. ecx at +0xb4, edx at +0x336) are inferred.
;  * The `+` in every displacement was lost when the listing was pasted: read
;    `[esi 128h]` as `[esi+128h]`, `nt!kireadythread 0x12a` as
;    `nt!KiReadyThread+0x12a`, and `sym (addr)[ecx*4]` as `[ecx*4+addr]`.
;    Symbol names were also lower-cased (KiReadyThread, KeTickCount,
;    KiProcessorBlock, KiIdleSummary, KiDispatcherReadyListHead, KiReadySummary).
;  * The absolute addresses printed beside the branch targets (804dd6c2,
;    804e8755, 8051992b, 804e6ea0, 804dd641) are mutually inconsistent -- they
;    span far more than one ~0x350-byte function -- so trust the +offset, not
;    the address; they were likely captured from different sessions.
;  * Every structure offset used here (KTHREAD.State=0x2d, Priority=0x33,
;    ApcState.Process=0x44, WaitListEntry=0x60, WaitTime=0x68, SoftAffinity=0x120,
;    Affinity=0x124, Preempted=0x128, KernelStackResident=0x12a,
;    NextProcessor=0x12b, IdealProcessor=0x1ba; KPROCESS.State=0x65;
;    KPRCB.CurrentThread=0x4, NextThread=0x8) and every global address belongs to
;    ONE specific 32-bit kernel build.  Tooling that inspects or walks this
;    scheduler state (ready lists, KiReadySummary, Prcb->NextThread) must resolve
;    them from symbols for the running build; hard-coding them is how such tools
;    corrupt or misread a different kernel.
;  * KTHREAD_STATE values seen below: 1 = Ready, 3 = Standby.  The original
;    annotation's "ProcessInSwap(3)" mixes up the thread-state and process-state
;    enums.
nt!kireadythread:
 mov     edi,edi                                ; 2-byte hot-patch nop (standard Windows prologue)
 push    ebp
 mov     ebp,esp
 push    ecx                                    ; reserve 8 bytes of locals; the pushed value
 push    ecx                                    ;   is irrelevant, only [ebp-1] is used
 push    ebx                                    ; save callee-saved ebx
 push    esi                                    ; save callee-saved esi
 mov     esi,ecx                                ; esi = Thread (fastcall arg in ecx)
 lea     ecx,[esi 128h]                         ; ecx = &Thread->Preempted (+0x128)
 mov     al,byte ptr [ecx]                      ; al = Thread->Preempted
 mov     byte ptr [ecx],0                       ; Thread->Preempted = 0 (flag is consumed here)
 mov     ecx,dword ptr [nt!ketickcount (8055b000)] ; ecx = first dword of KeTickCount
 push    edi                                    ; save callee-saved edi
 mov     edi,dword ptr [esi 44h]                ; edi = Thread->ApcState.Process (+0x44)
                                                ;   (original note said esi -- it is edi)
 mov     byte ptr [ebp-1],al                    ; [ebp-1] = saved Preempted flag, re-read at +0x307
 movsx   eax,byte ptr [esi 33h]                 ; eax = (int)Thread->Priority (+0x33, signed CHAR)
 mov     dword ptr [esi 68h],ecx                ; Thread->WaitTime (+0x68) = tick count

nt!kireadythread 0x12a:                         ; out-of-line block; falls back to +0x2f when Process->State == 0
 cmp     byte ptr [edi 65h],0                   ; Process->State (+0x65) == 0 ?  (0 is presumably
 jne     nt!kireadythread 0x134                 ;   ProcessInMemory) -> non-zero: not-shown path

nt!kireadythread 0x2f:
 cmp     byte ptr [esi 12ah],0                  ; Thread->KernelStackResident (+0x12a) ?
 je      nt!kireadythread 0x17d                 ; stack swapped out -> not-shown path

nt!kireadythread 0x3c:
 movzx   ecx,byte ptr [esi 1bah]                ; ecx = Thread->IdealProcessor (+0x1ba), zero-extended
 mov     edi,dword ptr [esi 124h]               ; edi = Thread->Affinity (+0x124)
 mov     byte ptr [esi 2dh],3                   ; Thread->State = Standby (3) -- tentative; reset to
                                                ;   Ready at +0x307 if no idle CPU takes the thread
 mov     edx,dword ptr nt!kiprocessorblock (805633c0)[ecx*4] ; edx = KiProcessorBlock[IdealProcessor] (PKPRCB)
 mov     ebx,dword ptr [edx 4d0h]               ; ebx = dword at Prcb+0x4d0 (original note: MultiThreadProcessorSet,
                                                ;   not verifiable here; ebx is overwritten at +0x74 before any visible use)
 mov     edx,dword ptr [esi 120h]               ; edx = Thread->SoftAffinity (+0x120)
 and     edx,edi                                ; edx = SoftAffinity & Affinity
 je      nt!kireadythread 0x66 (804dd6c2)       ; empty intersection -> keep the full Affinity mask
                                                ;   (original note "affinity == softaffinity" is wrong)

nt!kireadythread 0x64:
 mov     edi,edx                                ; edi = Affinity & SoftAffinity: narrow the candidate CPU set

nt!kireadythread 0x66:
 mov     edx,dword ptr [nt!kiidlesummary (8055ae80)] ; edx = KiIdleSummary -- a dword bitmask (by its name, one bit
                                                ;   per idle processor), not a "list array" as the original note says
 and     edx,edi                                ; edx = idle processors that are also in the candidate mask
 jne     nt!kireadythread 0x1aa (804e8755)      ; an allowed CPU is idle -> not-shown path (hand-off to that CPU)

nt!kireadythread 0x74:
 xor     edx,edx                                ; edx = 0
 inc     edx                                    ; edx = 1 (also the value +0x336 appears to shift, see there)
 mov     ebx,edx                                ; ebx = 1
 shl     ebx,cl                                 ; ebx = 1 << IdealProcessor (cl unchanged since +0x3c)
 test    edi,ebx                                ; is the ideal processor inside the candidate mask?
 je      nt!kireadythread 0x7f (8051992b)       ; no -> not-shown path (presumably picks another CPU)

nt!kireadythread 0xb4:                          ; code between +0x7a and here is not shown; on entry cl is
                                                ;   presumably the processor chosen for the thread
 mov     byte ptr [esi 12bh],cl                 ; Thread->NextProcessor (+0x12b) = cl
 mov     ebx,dword ptr nt!kiprocessorblock (805633c0)[ecx*4] ; ebx = KiProcessorBlock[cl] (PKPRCB of target CPU)
 mov     edi,dword ptr [ebx 8]                  ; edi = Prcb->NextThread (+0x8)
 test    edi,edi                                ; already a thread queued on that CPU?
 jne     nt!kireadythread 0xcc (804e6ea0)       ; yes -> not-shown path

nt!kireadythread 0x2d1:
 mov     ecx,dword ptr [ebx 4]                  ; ecx = Prcb->CurrentThread (+0x4)
 movsx   edi,byte ptr [ecx 33h]                 ; edi = (int)CurrentThread->Priority
 cmp     eax,edi                                ; ready thread's priority vs the running thread's (signed)
 jg      nt!kireadythread 0x2dc                 ; ready thread out-ranks it -> not-shown path (presumably preemption)

nt!kireadythread 0x307:                         ; no CPU to hand the thread to: queue it on the ready list
 mov     byte ptr [esi 2dh],1                   ; Thread->State = Ready (1), undoing the Standby set at +0x3c
 add     esi,60h                                ; esi = &Thread->WaitListEntry (+0x60); esi is no longer the KTHREAD base
 cmp     byte ptr [ebp-1],0                     ; saved Preempted flag set?  (flags survive the lea below)
 lea     ecx,nt!kidispatcherreadylisthead (80563da0)[eax*8] ; ecx = &KiDispatcherReadyListHead[Priority]
                                                ;   (LIST_ENTRY is 8 bytes, hence eax*8; lea preserves flags)
 jne     nt!kireadythread 0x31b (804dd641)      ; Preempted -> not-shown path (presumably inserts at the head)

nt!kireadythread 0x329:                         ; InsertTailList(Head = ecx, Entry = esi), open-coded
 mov     dword ptr [esi],ecx                    ; Entry->Flink = Head
 mov     edi,dword ptr [ecx 4]                  ; edi = Head->Blink (current last entry)
 mov     dword ptr [esi 4],edi                  ; Entry->Blink = Head->Blink
 mov     dword ptr [edi],esi                    ; old last entry ->Flink = Entry
 mov     dword ptr [ecx 4],esi                  ; Head->Blink = Entry

nt!kireadythread 0x336:
 mov     ecx,eax                                ; cl = Priority
 shl     edx,cl                                 ; edx <<= Priority; edx is presumably still the 1 from +0x74
                                                ;   (intervening blocks not shown), giving 1 << Priority
 or      dword ptr [nt!kireadysummary (8055ae88)],edx ; KiReadySummary |= priority bit
                                                ;   (original note "edx = cpu" is wrong: this is the priority mask)

nt!kireadythread 0x340:                         ; common epilogue
 pop     edi
 pop     esi
 pop     ebx
 leave                                          ; drops the 8-byte local area, restores ebp
 ret                                            ; nothing to pop: the only argument came in ecx

原文链接:https://bbs.kanxue.com/thread-277150.htm

网络摘文,本文作者:15h,如若转载,请注明出处:https://www.15cov.cn/2023/08/27/原创-windows线程恢复流程逆向分析/
