I couldn't reverse this out myself and found nothing about it online, yet it shows up far too often to simply ignore. So I'm asking the experts here:
1. The structure that CurrentPrcb->VOID *SchedulerAssist points to, or the meaning of the members [SchedulerAssist+0x00], [SchedulerAssist+0x0C] and [SchedulerAssist+0x14]
2. What the KiRemoveSystemWorkPriorityKick function does.
SchedulerAssist = CurrentPrcb->SchedulerAssist;  // VOID* SchedulerAssist ("scheduler assist"); guessed to point to a structure of unknown type. The value at structure base + 0x14 is presumably some kind of counter: a clock or a priority?
if ( SchedulerAssist )
{
    if ( CurrentPrcb->NestingLevel <= 1u )
    {
        OldValue = *(SchedulerAssist + 5);
        v9 = OldValue == -1;
        result = (OldValue + 1);
        *(SchedulerAssist + 5) = result;  // [KeGetCurrentPrcb()->SchedulerAssist+0x14]++
        if ( v9 )
            result = KiRemoveSystemWorkPriorityKick(CurrentPrcb);  // if OldValue == 0xFFFFFFFF:
                                                                    // remove the system-work priority kick
    }
}
Partial pseudocode of __int64 __fastcall KiRemoveSystemWorkPriorityKick(_KPRCB *CurrentPrcb):
{
    int *SchedulerAssist;             // r9
    _KPRCB *result;                   // rax
    int SchedulerAssistValue;         // r10d
    char *PriorityState;              // rcx
    int charPriorityState;            // ecx
    _KTHREAD_ONLY *NextThread;        // rdx
    _KTHREAD_ONLY *IdleThread;        // r8

    SchedulerAssist = CurrentPrcb->SchedulerAssist;
    result = CurrentPrcb;
    SchedulerAssistValue = *SchedulerAssist;
    if ( (*SchedulerAssist & 0x190000) != 0 )
        return result;  // returns &_KPRCB
    if ( SchedulerAssist[5] )
        return result;
    PriorityState = CurrentPrcb->PriorityState;
    if ( !PriorityState )
        return result;  // when the priority-state pointer == nullptr