枚举并删除系统上CmRegisterCallback回调

DemonGan

发布日期: 2019-03-27 13:02:47 浏览量: 877

背景

我们学习内核 Rootkit 编程,那么肯定会接触到各种无 HOOK 回调函数的设置,这些回调函数都是官方为我们做好的接口,我们直接调用就好。这些回调使用方便,运行在底层,功能强大,而且非常稳定。很多杀软、游戏保护等就是设置这些回调,实现对计算机的监控的。

既然可以设置回调,自然也可以删除回调。如果是自己程序设置的回调,当然可以很容易删除。但是,我们要做的是枚举系统上存在的回调,不管是不是自己程序创建的,然后对这些回调进行删除,使其失效。

本文要介绍的是枚举并删除系统上 CmRegisterCallback 回调,支持 32 位和 64 位、Win7 到 Win10 全平台系统。现在,我把实现的过程和原理整理成文档,分享给大家。

实现原理

我们注册的注册表回调,会存储在一个表头为 CallbackListHead 的双向链表里,它存储着系统里所有 CmRegisterCallback 注册表回调函数地址和 Cookie 的信息。

经过使用 WinDbg 逆向,总结得出 CallbackListHead 双向链表指向的数据结构为:

  // CM_NOTIFY_ENTRY: one node of the CallbackListHead list, as reverse-engineered
  // by the author with WinDbg (see 实现原理). It is not a public WDK type; the
  // layout is build-specific and should be re-checked on any new kernel before
  // its fields are trusted.
  typedef struct _CM_NOTIFY_ENTRY
  {
      LIST_ENTRY ListEntryHead;   // links to the neighbouring entries. The list head
                                  // (nt!CallbackListHead) is only a bare LIST_ENTRY --
                                  // in the appendix the x86 head at ...f797f0 is
                                  // directly followed by ContextListLock at ...f797f8 --
                                  // so the head itself must not be read as a CM_NOTIFY_ENTRY.
      ULONG UnKnown1;             // not identified on this page
      ULONG UnKnown2;             // not identified on this page
      LARGE_INTEGER Cookie;       // value handed back by CmRegisterCallback. In the appendix
                                  // CmUnRegisterCallback compares its Cookie argument at
                                  // +0x10 (x86) / +0x18 (x64), which matches this layout.
      PVOID Context;              // meaning not described on this page
      PVOID Function;             // registered callback routine
  }CM_NOTIFY_ENTRY, *PCM_NOTIFY_ENTRY;

其中,ListEntryHead 中存储着下一个或者上一个 CM_NOTIFY_ENTRY 结构体指针的信息,我们通过遍历这个双向链表,就可以枚举出 CmRegisterCallback 注册表回调函数地址和 Cookie 的信息。需要注意的是,表头 CallbackListHead 本身只是一个 LIST_ENTRY(附录中它紧接着就是 ContextListLock),并不是完整的 CM_NOTIFY_ENTRY 结构体,遍历时应从表头的 Flink 开始。

CallbackListHead 表头地址的获取

CallbackListHead 表头,可以从内核导出函数 CmUnRegisterCallback 中获取。 我们借助 WinDbg 帮助我们逆向 CmUnRegisterCallback 内核函数,下面是 Win10 64 位系统上 CmUnRegisterCallback 函数的逆向代码:

  1. nt!CmUnRegisterCallback+0x44:
  2. fffff800`24b17dc8 4533c0 xor r8d,r8d
  3. fffff800`24b17dcb 488d542438 lea rdx,[rsp+38h]
  4. fffff800`24b17dd0 488d0d39f5dbff lea rcx,[nt!CallbackListHead (fffff800`248d7310)]

由上面的代码可知,我们可以在内核函数 CmUnRegisterCallback 中扫描内存特征码:在 32 位系统下,特征码之后直接就是 CallbackListHead 表头的绝对地址;在 64 位系统下,特征码之后是 CallbackListHead 相对于下一条指令的 32 位偏移,需要根据偏移计算出地址。但是,特征码在不同系统上也会不同,下面是我使用 WinDbg 逆向各个版本系统上的函数,总结的特征码:

|        | Win7   | Win8.1 | Win10  |
|--------|--------|--------|--------|
| 32 位  | BF     | BE     | B9     |
| 64 位  | 488D54 | 488D0D | 488D0D |

上述中,Win7 64 位的逆向信息如下:

  1. nt!CmUnRegisterCallback+0xc6:
  2. fffff800`042b7856 4533c0 xor r8d,r8d
  3. fffff800`042b7859 488d542420 lea rdx,[rsp+20h]
  4. fffff800`042b785e 488d0d6b69dcff lea rcx,[nt!CallbackListHead (fffff800`0407e1d0)]

Win7 64 位下我们选用的特征码是 488D54,因为 488D0D 在 CallbackListHead 的引用出现之前就已经多次出现(见上面的逆向代码),为了保证特征码唯一,所以选取 488D54 来定位。

总的来说,我们直接通过扫描 CmUnRegisterCallback 函数内存,就可获取 CallbackListHead 表头地址了。其中,特征码的确定就变得至关重要。

删除回调

我们可以通过上述介绍的方法,枚举系统中的回调函数。那么,要删除回调函数可以有 3 种方式:

  • 可以直接调用 CmUnRegisterCallback 函数,传入回调 Cookie,即可删除回调

  • 修改 CallbackListHead 双向链表中的数据,使其指向我们自己定义的空回调函数地址。这样,当触发回调函数的时候,执行的是我们自己的空回调函数

  • 修改回调函数的前几字节内存数据,写入直接返回指令 RET,不进行任何操作

编码实现

遍历回调

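  // 遍历回调
  // Walks the CallbackListHead list and prints the routine address and Cookie
  // of every CmRegisterCallback registration. Read-only; nothing is unlinked.
  //
  // Returns FALSE when the list head cannot be located or is not readable,
  // TRUE once the walk has finished (including for an empty list).
  //
  // Review notes:
  //  * The walk starts at head->Flink, not at the head. nt!CallbackListHead is
  //    a bare LIST_ENTRY (in the appendix the x86 head at ...f797f0 is followed
  //    directly by ContextListLock at ...f797f8), so reading it as a
  //    CM_NOTIFY_ENTRY -- as the original did -- picks up unrelated globals as
  //    Cookie/Function and may print a bogus first entry.
  //  * No lock is taken. CmUnRegisterCallback unlinks under CallbackListLock
  //    (see the appendix), so a concurrent unregister can race with this loop;
  //    MmIsAddressValid only says a page is mapped, not that the node is live.
  //  * The loop is capped so a damaged Flink chain cannot spin forever.
  BOOLEAN EnumCallback()
  {
      PVOID pCallbackListHeadAddress = NULL;
      PLIST_ENTRY pListHead = NULL;
      PLIST_ENTRY pLink = NULL;
      ULONG ulVisited = 0;
      const ULONG ulMaxVisited = 4096;   // safety cap chosen here, not a kernel limit

      // 获取 CallbackListHead 链表地址
      pCallbackListHeadAddress = GetCallbackListHead();
      if (NULL == pCallbackListHeadAddress)
      {
          DbgPrint("GetCallbackListHead Error!\n");
          return FALSE;
      }
      DbgPrint("pCallbackListHeadAddress=0x%p\n", pCallbackListHeadAddress);

      pListHead = (PLIST_ENTRY)pCallbackListHeadAddress;
      if (FALSE == MmIsAddressValid(pListHead))
      {
          DbgPrint("CallbackListHead is not readable!\n");
          return FALSE;
      }

      // 开始遍历双向链表: 从第一个真正的节点开始, 回到表头时结束
      for (pLink = pListHead->Flink;
           pLink != pListHead && ulVisited < ulMaxVisited;
           pLink = pLink->Flink, ulVisited++)
      {
          PCM_NOTIFY_ENTRY pNotifyEntry = (PCM_NOTIFY_ENTRY)pLink;

          // 判断 pNotifyEntry 地址是否有效 (首尾都检查, 避免结构体跨页时读到未映射页)
          if (FALSE == MmIsAddressValid(pNotifyEntry) ||
              FALSE == MmIsAddressValid((PUCHAR)pNotifyEntry + sizeof(*pNotifyEntry) - 1))
          {
              break;
          }
          // 判断 回调函数 地址是否有效
          if (MmIsAddressValid(pNotifyEntry->Function))
          {
              // 显示
              DbgPrint("CallbackFunction=0x%p, Cookie=0x%I64X\n", pNotifyEntry->Function, pNotifyEntry->Cookie.QuadPart);
          }
      }
      if (ulVisited >= ulMaxVisited)
      {
          DbgPrint("EnumCallback: stopped after %lu entries, list may be damaged\n", ulVisited);
      }
      return TRUE;
  }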

移除回调

  // 移除回调
  // Unregisters the registration identified by Cookie through the documented
  // CmUnRegisterCallback API. A failure is reported via ShowError; the status
  // from CmUnRegisterCallback is returned to the caller unchanged either way.
  NTSTATUS RemoveCallback(LARGE_INTEGER Cookie)
  {
      NTSTATUS status;

      status = CmUnRegisterCallback(Cookie);
      if (NT_SUCCESS(status))
      {
          return status;
      }
      // Failure path: log it, then hand the same status back.
      ShowError("CmUnRegisterCallback", status);
      return status;
  }

获取 CallbackListHead 链表地址

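  // 获取 CallbackListHead 链表地址
  // Picks the per-OS byte pattern that precedes the CallbackListHead reference
  // inside CmUnRegisterCallback (see the table in the prose) and resolves the
  // address through SearchCallbackListHead.
  //
  // Returns the address of nt!CallbackListHead, or NULL when RtlGetVersion
  // fails, the running OS has no pattern on file, or the scan fails.
  //
  // Fixes relative to the original:
  //  * dwOSVersionInfoSize is filled in and the RtlGetVersion status is checked
  //    (the API requires the size field and can fail).
  //  * A version with no pattern (the original's empty Win8 branch, Vista,
  //    anything newer than the listed builds) now returns NULL instead of
  //    calling SearchCallbackListHead with a 0-byte pattern, which matched the
  //    very first byte of CmUnRegisterCallback and produced a bogus pointer.
  //
  // lSpecialOffset is the distance from the end of the matched pattern to the
  // operand that encodes CallbackListHead. It is 0 for every pattern except
  // Win7 x64, where 488D54 is the start of "lea rdx,[rsp+20h]" and the disp32
  // of "lea rcx,[CallbackListHead]" begins 5 bytes later (see the appendix).
  // The patterns are per-build values from the author's WinDbg sessions;
  // re-verify them on any kernel build not listed in the prose.
  PVOID GetCallbackListHead()
  {
      RTL_OSVERSIONINFOW osInfo = { 0 };
      UCHAR pSpecialData[50] = { 0 };
      ULONG ulSpecialDataSize = 0;
      LONG lSpecialOffset = 0;
      NTSTATUS status = STATUS_SUCCESS;

      // 获取系统版本信息, 判断系统版本 (RtlGetVersion 要求先填好 dwOSVersionInfoSize)
      osInfo.dwOSVersionInfoSize = sizeof(osInfo);
      status = RtlGetVersion(&osInfo);
      if (!NT_SUCCESS(status))
      {
          ShowError("RtlGetVersion", status);
          return NULL;
      }

      if (6 == osInfo.dwMajorVersion && 1 == osInfo.dwMinorVersion)
      {
          // Win7
  #ifdef _WIN64
          // 64 位: 488D54 (lea rdx,[rsp+20h]), 5 字节之后是 lea rcx 的 disp32
          pSpecialData[0] = 0x48;
          pSpecialData[1] = 0x8D;
          pSpecialData[2] = 0x54;
          ulSpecialDataSize = 3;
          lSpecialOffset = 5;
  #else
          // 32 位: BF (mov edi,imm32), 紧接着就是 CallbackListHead 的绝对地址
          pSpecialData[0] = 0xBF;
          ulSpecialDataSize = 1;
  #endif
      }
      else if (6 == osInfo.dwMajorVersion && 2 == osInfo.dwMinorVersion)
      {
          // Win8: 本文没有给出特征码, ulSpecialDataSize 保持 0, 下面直接返回 NULL
      }
      else if (6 == osInfo.dwMajorVersion && 3 == osInfo.dwMinorVersion)
      {
          // Win8.1
  #ifdef _WIN64
          // 64 位: 488D0D (lea rcx,[rip+disp32]), 紧接着就是 disp32
          pSpecialData[0] = 0x48;
          pSpecialData[1] = 0x8D;
          pSpecialData[2] = 0x0D;
          ulSpecialDataSize = 3;
  #else
          // 32 位: BE (mov esi,imm32)
          pSpecialData[0] = 0xBE;
          ulSpecialDataSize = 1;
  #endif
      }
      else if (10 == osInfo.dwMajorVersion)
      {
          // Win10
  #ifdef _WIN64
          // 64 位: 488D0D (lea rcx,[rip+disp32]), 紧接着就是 disp32
          pSpecialData[0] = 0x48;
          pSpecialData[1] = 0x8D;
          pSpecialData[2] = 0x0D;
          ulSpecialDataSize = 3;
  #else
          // 32 位: B9 (mov ecx,imm32)
          pSpecialData[0] = 0xB9;
          ulSpecialDataSize = 1;
  #endif
      }

      // 没有特征码的系统版本: 明确失败, 而不是用空特征码去扫描
      if (0 == ulSpecialDataSize)
      {
          DbgPrint("GetCallbackListHead: no pattern for OS version %lu.%lu\n",
                   osInfo.dwMajorVersion, osInfo.dwMinorVersion);
          return NULL;
      }
      // 根据特征码获取地址
      return SearchCallbackListHead(pSpecialData, ulSpecialDataSize, lSpecialOffset);
  }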

根据特征码获取 CallbackListHead 链表地址

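  // 根据特征码获取 CallbackListHead 链表地址
  // Locates CmUnRegisterCallback, scans its first 0xFF bytes for pSpecialData
  // and decodes the CallbackListHead operand that follows the match:
  //   x64: at match + lSpecialOffset sits the disp32 of "lea rcx,[rip+disp32]",
  //        so the target is (address just after the disp32) + disp32.
  //   x86: at match + lSpecialOffset sits the absolute imm32 of "mov reg,offset".
  //
  // Returns NULL when the routine cannot be resolved, the pattern is empty or
  // the offset negative, or the pattern does not occur in the window. The
  // original accepted an empty pattern (which SearchMemory then matched at
  // offset 0), and its comment named PspSetCreateProcessNotifyRoutine,
  // apparently a copy-paste leftover from a different scanner.
  //
  // The 0xFF window and the patterns are per-build values from the author's
  // WinDbg sessions (the reference sits at +0x44 on Win10 x64, +0xc6 on Win7
  // x64 and +0x8f on Win7 x86 in the appendix). A first match that is not the
  // CallbackListHead reference yields a wrong pointer, so re-verify on any
  // kernel build not listed.
  PVOID SearchCallbackListHead(PUCHAR pSpecialData, ULONG ulSpecialDataSize, LONG lSpecialOffset)
  {
      UNICODE_STRING ustrFuncName;
      PVOID pAddress = NULL;
      PVOID pCmUnRegisterCallback = NULL;
      PVOID pCallbackListHead = NULL;
      PUCHAR pOperand = NULL;

      if (NULL == pSpecialData || 0 == ulSpecialDataSize || lSpecialOffset < 0)
      {
          ShowError("SearchCallbackListHead: bad pattern", 0);
          return NULL;
      }

      // 先获取 CmUnRegisterCallback 函数地址
      RtlInitUnicodeString(&ustrFuncName, L"CmUnRegisterCallback");
      pCmUnRegisterCallback = MmGetSystemRoutineAddress(&ustrFuncName);
      if (NULL == pCmUnRegisterCallback)
      {
          ShowError("MmGetSystemRoutineAddress", 0);
          return pCallbackListHead;
      }
      // 然后, 在函数开头 0xFF 字节内查找特征码, 定位对 CallbackListHead 的引用
      pAddress = SearchMemory(pCmUnRegisterCallback,
          (PVOID)((PUCHAR)pCmUnRegisterCallback + 0xFF),
          pSpecialData, ulSpecialDataSize);
      if (NULL == pAddress)
      {
          ShowError("SearchMemory", 0);
          return pCallbackListHead;
      }
      // 获取地址: 操作数位于特征码之后 lSpecialOffset 字节处
      pOperand = (PUCHAR)pAddress + lSpecialOffset;
  #ifdef _WIN64
      {
          // 64 位先获取偏移, 再计算地址 (RIP 相对: 基准是 disp32 之后的下一条指令)
          LONG lOffset = *(PLONG)pOperand;
          pCallbackListHead = (PVOID)(pOperand + sizeof(LONG) + lOffset);
      }
  #else
      // 32 位直接获取地址 (imm32 就是绝对地址)
      pCallbackListHead = *(PVOID *)pOperand;
  #endif
      return pCallbackListHead;
  }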

指定内存区域的特征码扫描

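  // 指定内存区域的特征码扫描
  // Finds the first occurrence of the ulMemoryDataSize-byte pattern pMemoryData
  // inside [pStartAddress, pEndAddress) and returns the address immediately
  // after the match (callers read the instruction operand from there).
  //
  // Returns NULL when there is no match, when any pointer is NULL, when the
  // range is empty or inverted, or when the pattern is empty. The original
  // compared up to ulMemoryDataSize-1 bytes past pEndAddress and reported an
  // empty pattern as a match at pStartAddress; both are fixed by only trying
  // start positions where the whole pattern fits inside the range.
  //
  // The range is read without any validity check, so the caller must pass
  // resident memory (here: the body of an exported kernel routine).
  PVOID SearchMemory(PVOID pStartAddress, PVOID pEndAddress, PUCHAR pMemoryData, ULONG ulMemoryDataSize)
  {
      PUCHAR pCursor = (PUCHAR)pStartAddress;
      PUCHAR pEnd = (PUCHAR)pEndAddress;
      PUCHAR pLastStart = NULL;

      if (NULL == pCursor || NULL == pEnd || NULL == pMemoryData || 0 == ulMemoryDataSize)
      {
          return NULL;
      }
      if (pEnd <= pCursor || (SIZE_T)(pEnd - pCursor) < (SIZE_T)ulMemoryDataSize)
      {
          return NULL;
      }
      // 最后一个可能的起始位置: 从这里开始的整个特征码仍然落在区间内
      pLastStart = pEnd - ulMemoryDataSize;

      // 扫描内存
      for (; pCursor <= pLastStart; pCursor++)
      {
          ULONG m = 0;
          // 判断特征码
          while (m < ulMemoryDataSize && pCursor[m] == pMemoryData[m])
          {
              m++;
          }
          // 判断是否找到符合特征码的地址
          if (m == ulMemoryDataSize)
          {
              // 找到特征码位置, 获取紧接着特征码的下一地址
              return (PVOID)(pCursor + ulMemoryDataSize);
          }
      }
      return NULL;
  }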

程序测试

在 Win7 32 位系统下,驱动程序正常执行:

在 Win8.1 32 位系统下,驱动程序正常执行:

在 Win10 32 位系统下,驱动程序正常执行:

在 Win7 64 位系统下,驱动程序正常执行:

在 Win8.1 64 位系统下,驱动程序正常执行:

在 Win10 64 位系统下,驱动程序正常执行:

总结

要理解清楚获取 CallbackListHead 表头地址的流程,其中,不同系统的内存特征码是不同的,要注意区分。大家也不用记忆这些特征码,如果需要用到,可以随时使用 WinDbg 来进行逆向查看就好。

删除回调常用就有 3 种方式,自己根据需要选择一种使用即可。

参考

参考自《Windows黑客编程技术详解》一书

附录

Win7 32 位 CmUnRegisterCallback

  1. lkd> uf CmUnRegisterCallback
  2. nt!CmUnRegisterCallback:
  3. 840b0791 6a38 push 38h
  4. 840b0793 683082e683 push offset nt! ?? ::FNODOBFM::`string'+0x57a0 (83e68230)
  5. 840b0798 e8ebe5ddff call nt!_SEH_prolog4 (83e8ed88)
  6. 840b079d c745d80d0000c0 mov dword ptr [ebp-28h],0C000000Dh
  7. 840b07a4 33f6 xor esi,esi
  8. 840b07a6 8975b8 mov dword ptr [ebp-48h],esi
  9. 840b07a9 33c0 xor eax,eax
  10. 840b07ab 8d7dbc lea edi,[ebp-44h]
  11. 840b07ae ab stos dword ptr es:[edi]
  12. 840b07af ab stos dword ptr es:[edi]
  13. 840b07b0 c645e201 mov byte ptr [ebp-1Eh],1
  14. 840b07b4 b101 mov cl,1
  15. 840b07b6 ff155c01e183 call dword ptr [nt!_imp_KfRaiseIrql (83e1015c)]
  16. 840b07bc 8ad8 mov bl,al
  17. 840b07be b80098f783 mov eax,offset nt!CallbackUnregisterLock (83f79800)
  18. 840b07c3 8bc8 mov ecx,eax
  19. 840b07c5 f00fba3100 lock btr dword ptr [ecx],0
  20. 840b07ca 7209 jb nt!CmUnRegisterCallback+0x44 (840b07d5)
  21. nt!CmUnRegisterCallback+0x3b:
  22. 840b07cc 8bf0 mov esi,eax
  23. 840b07ce e850f0d8ff call nt!KiAcquireFastMutex (83e3f823)
  24. 840b07d3 33f6 xor esi,esi
  25. nt!CmUnRegisterCallback+0x44:
  26. 840b07d5 64a124010000 mov eax,dword ptr fs:[00000124h]
  27. 840b07db a30498f783 mov dword ptr [nt!CallbackUnregisterLock+0x4 (83f79804)],eax
  28. 840b07e0 0fb6c3 movzx eax,bl
  29. 840b07e3 a31c98f783 mov dword ptr [nt!CallbackUnregisterLock+0x1c (83f7981c)],eax
  30. 840b07e8 c745c49cffffff mov dword ptr [ebp-3Ch],0FFFFFF9Ch
  31. 840b07ef 834dc8ff or dword ptr [ebp-38h],0FFFFFFFFh
  32. 840b07f3 8975d4 mov dword ptr [ebp-2Ch],esi
  33. 840b07f6 64a124010000 mov eax,dword ptr fs:[00000124h]
  34. 840b07fc 66ff8884000000 dec word ptr [eax+84h]
  35. 840b0803 bbfc97f783 mov ebx,offset nt!CallbackListLock (83f797fc)
  36. 840b0808 8bc3 mov eax,ebx
  37. 840b080a f00fba2800 lock bts dword ptr [eax],0
  38. 840b080f 7307 jae nt!CmUnRegisterCallback+0x87 (840b0818)
  39. nt!CmUnRegisterCallback+0x80:
  40. 840b0811 8bcb mov ecx,ebx
  41. 840b0813 e8b612dfff call nt!ExfAcquirePushLockExclusive (83ea1ace)
  42. nt!CmUnRegisterCallback+0x87:
  43. 840b0818 c645e301 mov byte ptr [ebp-1Dh],1
  44. 840b081c 56 push esi
  45. 840b081d 8d4dd4 lea ecx,[ebp-2Ch]
  46. 840b0820 bff097f783 mov edi,offset nt!CallbackListHead (83f797f0)
  47. 840b0825 8bc7 mov eax,edi
  48. 840b0827 e8221cf3ff call nt!CmListGetNextElement (83fe244e)
  49. 840b082c 8bd0 mov edx,eax
  50. 840b082e 8955dc mov dword ptr [ebp-24h],edx
  51. 840b0831 3bd6 cmp edx,esi
  52. 840b0833 750a jne nt!CmUnRegisterCallback+0xad (840b083f)
  53. nt!CmUnRegisterCallback+0xa4:
  54. 840b0835 e9c1000000 jmp nt!CmUnRegisterCallback+0x163 (840b08fb)
  55. nt!CmUnRegisterCallback+0xaa:
  56. 840b083c 8b55dc mov edx,dword ptr [ebp-24h]
  57. nt!CmUnRegisterCallback+0xad:
  58. 840b083f 8b4210 mov eax,dword ptr [edx+10h]
  59. 840b0842 3b4508 cmp eax,dword ptr [ebp+8]
  60. 840b0845 7508 jne nt!CmUnRegisterCallback+0xbd (840b084f)
  61. nt!CmUnRegisterCallback+0xb5:
  62. 840b0847 8b4214 mov eax,dword ptr [edx+14h]
  63. 840b084a 3b450c cmp eax,dword ptr [ebp+0Ch]
  64. 840b084d 741d je nt!CmUnRegisterCallback+0xd4 (840b086c)
  65. nt!CmUnRegisterCallback+0xbd:
  66. 840b084f 56 push esi
  67. 840b0850 8d4dd4 lea ecx,[ebp-2Ch]
  68. 840b0853 8bc7 mov eax,edi
  69. 840b0855 e8f41bf3ff call nt!CmListGetNextElement (83fe244e)
  70. 840b085a 8945dc mov dword ptr [ebp-24h],eax
  71. 840b085d 3bc6 cmp eax,esi
  72. 840b085f 0f8496000000 je nt!CmUnRegisterCallback+0x163 (840b08fb)
  73. nt!CmUnRegisterCallback+0xd3:
  74. 840b0865 ebd5 jmp nt!CmUnRegisterCallback+0xaa (840b083c)
  75. nt!CmUnRegisterCallback+0xd4:
  76. 840b086c 8b02 mov eax,dword ptr [edx]
  77. 840b086e 8b4a04 mov ecx,dword ptr [edx+4]
  78. 840b0871 8901 mov dword ptr [ecx],eax
  79. 840b0873 894804 mov dword ptr [eax+4],ecx
  80. 840b0876 8b4208 mov eax,dword ptr [edx+8]
  81. 840b0879 eb79 jmp nt!CmUnRegisterCallback+0x15c (840b08f4)
  82. nt!CmUnRegisterCallback+0xe3:
  83. 840b087b 807de300 cmp byte ptr [ebp-1Dh],0
  84. 840b087f 7462 je nt!CmUnRegisterCallback+0x14b (840b08e3)
  85. nt!CmUnRegisterCallback+0xe9:
  86. 840b0881 8b0dfc97f783 mov ecx,dword ptr [nt!CallbackListLock (83f797fc)]
  87. 840b0887 8bc1 mov eax,ecx
  88. 840b0889 83e0f0 and eax,0FFFFFFF0h
  89. 840b088c 83f810 cmp eax,10h
  90. 840b088f 7605 jbe nt!CmUnRegisterCallback+0xfe (840b0896)
  91. nt!CmUnRegisterCallback+0xf9:
  92. 840b0891 8d41f0 lea eax,[ecx-10h]
  93. 840b0894 eb02 jmp nt!CmUnRegisterCallback+0x100 (840b0898)
  94. nt!CmUnRegisterCallback+0xfe:
  95. 840b0896 33c0 xor eax,eax
  96. nt!CmUnRegisterCallback+0x100:
  97. 840b0898 f6c102 test cl,2
  98. 840b089b 750e jne nt!CmUnRegisterCallback+0x113 (840b08ab)
  99. nt!CmUnRegisterCallback+0x105:
  100. 840b089d 8bd0 mov edx,eax
  101. 840b089f 8bfb mov edi,ebx
  102. 840b08a1 8bc1 mov eax,ecx
  103. 840b08a3 f00fb117 lock cmpxchg dword ptr [edi],edx
  104. 840b08a7 3bc1 cmp eax,ecx
  105. 840b08a9 7407 je nt!CmUnRegisterCallback+0x11a (840b08b2)
  106. nt!CmUnRegisterCallback+0x113:
  107. 840b08ab 8bcb mov ecx,ebx
  108. 840b08ad e8de2fe1ff call nt!ExfReleasePushLock (83ec3890)
  109. nt!CmUnRegisterCallback+0x11a:
  110. 840b08b2 648b0d24010000 mov ecx,dword ptr fs:[124h]
  111. 840b08b9 8d8184000000 lea eax,[ecx+84h]
  112. 840b08bf 66ff00 inc word ptr [eax]
  113. 840b08c2 0fb700 movzx eax,word ptr [eax]
  114. 840b08c5 663bc6 cmp ax,si
  115. 840b08c8 7515 jne nt!CmUnRegisterCallback+0x147 (840b08df)
  116. nt!CmUnRegisterCallback+0x132:
  117. 840b08ca 8d4140 lea eax,[ecx+40h]
  118. 840b08cd 3900 cmp dword ptr [eax],eax
  119. 840b08cf 740e je nt!CmUnRegisterCallback+0x147 (840b08df)
  120. nt!CmUnRegisterCallback+0x139:
  121. 840b08d1 6639b186000000 cmp word ptr [ecx+86h],si
  122. 840b08d8 7505 jne nt!CmUnRegisterCallback+0x147 (840b08df)
  123. nt!CmUnRegisterCallback+0x142:
  124. 840b08da e8a663d8ff call nt!KiCheckForKernelApcDelivery (83e36c85)
  125. nt!CmUnRegisterCallback+0x147:
  126. 840b08df c645e300 mov byte ptr [ebp-1Dh],0
  127. nt!CmUnRegisterCallback+0x14b:
  128. 840b08e3 8d45c4 lea eax,[ebp-3Ch]
  129. 840b08e6 50 push eax
  130. 840b08e7 56 push esi
  131. 840b08e8 56 push esi
  132. 840b08e9 e831b8ddff call nt!KeDelayExecutionThread (83e8c11f)
  133. 840b08ee 8b45dc mov eax,dword ptr [ebp-24h]
  134. 840b08f1 8b4008 mov eax,dword ptr [eax+8]
  135. nt!CmUnRegisterCallback+0x15c:
  136. 840b08f4 85c0 test eax,eax
  137. 840b08f6 7583 jne nt!CmUnRegisterCallback+0xe3 (840b087b)
  138. nt!CmUnRegisterCallback+0x160:
  139. 840b08f8 8975d8 mov dword ptr [ebp-28h],esi
  140. nt!CmUnRegisterCallback+0x163:
  141. 840b08fb 89350498f783 mov dword ptr [nt!CallbackUnregisterLock+0x4 (83f79804)],esi
  142. 840b0901 8a1d1c98f783 mov bl,byte ptr [nt!CallbackUnregisterLock+0x1c (83f7981c)]
  143. 840b0907 33c9 xor ecx,ecx
  144. 840b0909 41 inc ecx
  145. 840b090a ba0098f783 mov edx,offset nt!CallbackUnregisterLock (83f79800)
  146. 840b090f 8bc2 mov eax,edx
  147. 840b0911 f00fc108 lock xadd dword ptr [eax],ecx
  148. 840b0915 85c9 test ecx,ecx
  149. 840b0917 7423 je nt!CmUnRegisterCallback+0x1a4 (840b093c)
  150. nt!CmUnRegisterCallback+0x181:
  151. 840b0919 f6c102 test cl,2
  152. 840b091c 751e jne nt!CmUnRegisterCallback+0x1a4 (840b093c)
  153. nt!CmUnRegisterCallback+0x186:
  154. 840b091e 41 inc ecx
  155. 840b091f 8d41fe lea eax,[ecx-2]
  156. 840b0922 8bf0 mov esi,eax
  157. 840b0924 8bc1 mov eax,ecx
  158. 840b0926 f00fb132 lock cmpxchg dword ptr [edx],esi
  159. 840b092a 3bc1 cmp eax,ecx
  160. 840b092c 750e jne nt!CmUnRegisterCallback+0x1a4 (840b093c)
  161. nt!CmUnRegisterCallback+0x196:
  162. 840b092e 6a00 push 0
  163. 840b0930 6a01 push 1
  164. 840b0932 680c98f783 push offset nt!CallbackUnregisterLock+0xc (83f7980c)
  165. 840b0937 e8d959ddff call nt!KeSetEvent (83e86315)
  166. nt!CmUnRegisterCallback+0x1a4:
  167. 840b093c 8acb mov cl,bl
  168. 840b093e ff155801e183 call dword ptr [nt!_imp_KfLowerIrql (83e10158)]
  169. 840b0944 807de301 cmp byte ptr [ebp-1Dh],1
  170. 840b0948 7565 jne nt!CmUnRegisterCallback+0x217 (840b09af)
  171. nt!CmUnRegisterCallback+0x1b2:
  172. 840b094a 8b0dfc97f783 mov ecx,dword ptr [nt!CallbackListLock (83f797fc)]
  173. 840b0950 8bc1 mov eax,ecx
  174. 840b0952 83e0f0 and eax,0FFFFFFF0h
  175. 840b0955 83f810 cmp eax,10h
  176. 840b0958 7605 jbe nt!CmUnRegisterCallback+0x1c7 (840b095f)
  177. nt!CmUnRegisterCallback+0x1c2:
  178. 840b095a 8d41f0 lea eax,[ecx-10h]
  179. 840b095d eb02 jmp nt!CmUnRegisterCallback+0x1c9 (840b0961)
  180. nt!CmUnRegisterCallback+0x1c7:
  181. 840b095f 33c0 xor eax,eax
  182. nt!CmUnRegisterCallback+0x1c9:
  183. 840b0961 f6c102 test cl,2
  184. 840b0964 7511 jne nt!CmUnRegisterCallback+0x1df (840b0977)
  185. nt!CmUnRegisterCallback+0x1ce:
  186. 840b0966 8bd0 mov edx,eax
  187. 840b0968 befc97f783 mov esi,offset nt!CallbackListLock (83f797fc)
  188. 840b096d 8bc1 mov eax,ecx
  189. 840b096f f00fb116 lock cmpxchg dword ptr [esi],edx
  190. 840b0973 3bc1 cmp eax,ecx
  191. 840b0975 740a je nt!CmUnRegisterCallback+0x1e9 (840b0981)
  192. nt!CmUnRegisterCallback+0x1df:
  193. 840b0977 b9fc97f783 mov ecx,offset nt!CallbackListLock (83f797fc)
  194. 840b097c e80f2fe1ff call nt!ExfReleasePushLock (83ec3890)
  195. nt!CmUnRegisterCallback+0x1e9:
  196. 840b0981 648b0d24010000 mov ecx,dword ptr fs:[124h]
  197. 840b0988 8d8184000000 lea eax,[ecx+84h]
  198. 840b098e 66ff00 inc word ptr [eax]
  199. 840b0991 0fb700 movzx eax,word ptr [eax]
  200. 840b0994 6685c0 test ax,ax
  201. 840b0997 7516 jne nt!CmUnRegisterCallback+0x217 (840b09af)
  202. nt!CmUnRegisterCallback+0x201:
  203. 840b0999 8d4140 lea eax,[ecx+40h]
  204. 840b099c 3900 cmp dword ptr [eax],eax
  205. 840b099e 740f je nt!CmUnRegisterCallback+0x217 (840b09af)
  206. nt!CmUnRegisterCallback+0x208:
  207. 840b09a0 6683b98600000000 cmp word ptr [ecx+86h],0
  208. 840b09a8 7505 jne nt!CmUnRegisterCallback+0x217 (840b09af)
  209. nt!CmUnRegisterCallback+0x212:
  210. 840b09aa e8d662d8ff call nt!KiCheckForKernelApcDelivery (83e36c85)
  211. nt!CmUnRegisterCallback+0x217:
  212. 840b09af 8b45d8 mov eax,dword ptr [ebp-28h]
  213. 840b09b2 85c0 test eax,eax
  214. 840b09b4 0f8c8a010000 jl nt!CmUnRegisterCallback+0x3ac (840b0b44)
  215. nt!CmUnRegisterCallback+0x222:
  216. 840b09ba 8d45cc lea eax,[ebp-34h]
  217. 840b09bd 8945d0 mov dword ptr [ebp-30h],eax
  218. 840b09c0 8945cc mov dword ptr [ebp-34h],eax
  219. 840b09c3 64a124010000 mov eax,dword ptr fs:[00000124h]
  220. 840b09c9 66ff8884000000 dec word ptr [eax+84h]
  221. 840b09d0 bbf897f783 mov ebx,offset nt!ContextListLock (83f797f8)
  222. 840b09d5 8bc3 mov eax,ebx
  223. 840b09d7 f00fba2800 lock bts dword ptr [eax],0
  224. 840b09dc 7307 jae nt!CmUnRegisterCallback+0x24d (840b09e5)
  225. nt!CmUnRegisterCallback+0x246:
  226. 840b09de 8bcb mov ecx,ebx
  227. 840b09e0 e8e910dfff call nt!ExfAcquirePushLockExclusive (83ea1ace)
  228. nt!CmUnRegisterCallback+0x24d:
  229. 840b09e5 8b7ddc mov edi,dword ptr [ebp-24h]
  230. 840b09e8 83c728 add edi,28h
  231. 840b09eb 8b37 mov esi,dword ptr [edi]
  232. 840b09ed 3bf7 cmp esi,edi
  233. 840b09ef 7444 je nt!CmUnRegisterCallback+0x29d (840b0a35)
  234. nt!CmUnRegisterCallback+0x259:
  235. 840b09f1 8b1e mov ebx,dword ptr [esi]
  236. 840b09f3 8b5614 mov edx,dword ptr [esi+14h]
  237. 840b09f6 e83839dfff call nt!ObReferenceObjectSafe (83ea4333)
  238. 840b09fb 84c0 test al,al
  239. 840b09fd 7427 je nt!CmUnRegisterCallback+0x28e (840b0a26)
  240. nt!CmUnRegisterCallback+0x267:
  241. 840b09ff 8b06 mov eax,dword ptr [esi]
  242. 840b0a01 8b4e04 mov ecx,dword ptr [esi+4]
  243. 840b0a04 8901 mov dword ptr [ecx],eax
  244. 840b0a06 894804 mov dword ptr [eax+4],ecx
  245. 840b0a09 8b46f8 mov eax,dword ptr [esi-8]
  246. 840b0a0c 8b4efc mov ecx,dword ptr [esi-4]
  247. 840b0a0f 8901 mov dword ptr [ecx],eax
  248. 840b0a11 894804 mov dword ptr [eax+4],ecx
  249. 840b0a14 8b45d0 mov eax,dword ptr [ebp-30h]
  250. 840b0a17 8d4dcc lea ecx,[ebp-34h]
  251. 840b0a1a 890e mov dword ptr [esi],ecx
  252. 840b0a1c 894604 mov dword ptr [esi+4],eax
  253. 840b0a1f 8930 mov dword ptr [eax],esi
  254. 840b0a21 8975d0 mov dword ptr [ebp-30h],esi
  255. 840b0a24 eb04 jmp nt!CmUnRegisterCallback+0x292 (840b0a2a)
  256. nt!CmUnRegisterCallback+0x28e:
  257. 840b0a26 c645e200 mov byte ptr [ebp-1Eh],0
  258. nt!CmUnRegisterCallback+0x292:
  259. 840b0a2a 8bf3 mov esi,ebx
  260. 840b0a2c 3bdf cmp ebx,edi
  261. 840b0a2e 75c1 jne nt!CmUnRegisterCallback+0x259 (840b09f1)
  262. nt!CmUnRegisterCallback+0x298:
  263. 840b0a30 bbf897f783 mov ebx,offset nt!ContextListLock (83f797f8)
  264. nt!CmUnRegisterCallback+0x29d:
  265. 840b0a35 8b0df897f783 mov ecx,dword ptr [nt!ContextListLock (83f797f8)]
  266. 840b0a3b 8bc1 mov eax,ecx
  267. 840b0a3d 83e0f0 and eax,0FFFFFFF0h
  268. 840b0a40 83f810 cmp eax,10h
  269. 840b0a43 7605 jbe nt!CmUnRegisterCallback+0x2b2 (840b0a4a)
  270. nt!CmUnRegisterCallback+0x2ad:
  271. 840b0a45 8d41f0 lea eax,[ecx-10h]
  272. 840b0a48 eb02 jmp nt!CmUnRegisterCallback+0x2b4 (840b0a4c)
  273. nt!CmUnRegisterCallback+0x2b2:
  274. 840b0a4a 33c0 xor eax,eax
  275. nt!CmUnRegisterCallback+0x2b4:
  276. 840b0a4c f6c102 test cl,2
  277. 840b0a4f 750e jne nt!CmUnRegisterCallback+0x2c7 (840b0a5f)
  278. nt!CmUnRegisterCallback+0x2b9:
  279. 840b0a51 8bd0 mov edx,eax
  280. 840b0a53 8bf3 mov esi,ebx
  281. 840b0a55 8bc1 mov eax,ecx
  282. 840b0a57 f00fb116 lock cmpxchg dword ptr [esi],edx
  283. 840b0a5b 3bc1 cmp eax,ecx
  284. 840b0a5d 7407 je nt!CmUnRegisterCallback+0x2ce (840b0a66)
  285. nt!CmUnRegisterCallback+0x2c7:
  286. 840b0a5f 8bcb mov ecx,ebx
  287. 840b0a61 e82a2ee1ff call nt!ExfReleasePushLock (83ec3890)
  288. nt!CmUnRegisterCallback+0x2ce:
  289. 840b0a66 648b0d24010000 mov ecx,dword ptr fs:[124h]
  290. 840b0a6d 8d8184000000 lea eax,[ecx+84h]
  291. 840b0a73 66ff00 inc word ptr [eax]
  292. 840b0a76 0fb700 movzx eax,word ptr [eax]
  293. 840b0a79 6685c0 test ax,ax
  294. 840b0a7c 7516 jne nt!CmUnRegisterCallback+0x2fc (840b0a94)
  295. nt!CmUnRegisterCallback+0x2e6:
  296. 840b0a7e 8d4140 lea eax,[ecx+40h]
  297. 840b0a81 3900 cmp dword ptr [eax],eax
  298. 840b0a83 740f je nt!CmUnRegisterCallback+0x2fc (840b0a94)
  299. nt!CmUnRegisterCallback+0x2ed:
  300. 840b0a85 6683b98600000000 cmp word ptr [ecx+86h],0
  301. 840b0a8d 7505 jne nt!CmUnRegisterCallback+0x2fc (840b0a94)
  302. nt!CmUnRegisterCallback+0x2f7:
  303. 840b0a8f e8f161d8ff call nt!KiCheckForKernelApcDelivery (83e36c85)
  304. nt!CmUnRegisterCallback+0x2fc:
  305. 840b0a94 8d4dcc lea ecx,[ebp-34h]
  306. 840b0a97 8b45cc mov eax,dword ptr [ebp-34h]
  307. 840b0a9a 3bc1 cmp eax,ecx
  308. 840b0a9c 7461 je nt!CmUnRegisterCallback+0x367 (840b0aff)
  309. nt!CmUnRegisterCallback+0x306:
  310. 840b0a9e 8bc8 mov ecx,eax
  311. 840b0aa0 8b00 mov eax,dword ptr [eax]
  312. 840b0aa2 8945cc mov dword ptr [ebp-34h],eax
  313. 840b0aa5 8d55cc lea edx,[ebp-34h]
  314. 840b0aa8 895004 mov dword ptr [eax+4],edx
  315. 840b0aab 8d71f8 lea esi,[ecx-8]
  316. 840b0aae 8975d4 mov dword ptr [ebp-2Ch],esi
  317. 840b0ab1 8b461c mov eax,dword ptr [esi+1Ch]
  318. 840b0ab4 8945b8 mov dword ptr [ebp-48h],eax
  319. 840b0ab7 8b4620 mov eax,dword ptr [esi+20h]
  320. 840b0aba 8945bc mov dword ptr [ebp-44h],eax
  321. 840b0abd 8365fc00 and dword ptr [ebp-4],0
  322. 840b0ac1 8d45b8 lea eax,[ebp-48h]
  323. 840b0ac4 50 push eax
  324. 840b0ac5 6a28 push 28h
  325. 840b0ac7 8b45dc mov eax,dword ptr [ebp-24h]
  326. 840b0aca ff7018 push dword ptr [eax+18h]
  327. 840b0acd ff501c call dword ptr [eax+1Ch]
  328. 840b0ad0 c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh
  329. 840b0ad7 eb11 jmp nt!CmUnRegisterCallback+0x352 (840b0aea)
  330. nt!CmUnRegisterCallback+0x352:
  331. 840b0aea 8b4e1c mov ecx,dword ptr [esi+1Ch]
  332. 840b0aed e8d171ddff call nt!ObfDereferenceObject (83e87cc3)
  333. 840b0af2 68434d6363 push 63634D43h
  334. 840b0af7 56 push esi
  335. 840b0af8 e8bd0fe8ff call nt!ExFreePoolWithTag (83f31aba)
  336. 840b0afd eb95 jmp nt!CmUnRegisterCallback+0x2fc (840b0a94)
  337. nt!CmUnRegisterCallback+0x367:
  338. 840b0aff 8b7ddc mov edi,dword ptr [ebp-24h]
  339. 840b0b02 807de200 cmp byte ptr [ebp-1Eh],0
  340. 840b0b06 7516 jne nt!CmUnRegisterCallback+0x386 (840b0b1e)
  341. nt!CmUnRegisterCallback+0x370:
  342. 840b0b08 8d7728 lea esi,[edi+28h]
  343. 840b0b0b eb0d jmp nt!CmUnRegisterCallback+0x382 (840b0b1a)
  344. nt!CmUnRegisterCallback+0x375:
  345. 840b0b0d 8d45c4 lea eax,[ebp-3Ch]
  346. 840b0b10 50 push eax
  347. 840b0b11 6a00 push 0
  348. 840b0b13 6a00 push 0
  349. 840b0b15 e805b6ddff call nt!KeDelayExecutionThread (83e8c11f)
  350. nt!CmUnRegisterCallback+0x382:
  351. 840b0b1a 3936 cmp dword ptr [esi],esi
  352. 840b0b1c 75ef jne nt!CmUnRegisterCallback+0x375 (840b0b0d)
  353. nt!CmUnRegisterCallback+0x386:
  354. 840b0b1e b8b08bf483 mov eax,offset nt!CmpCallBackCount (83f48bb0)
  355. 840b0b23 83c9ff or ecx,0FFFFFFFFh
  356. 840b0b26 f00fc108 lock xadd dword ptr [eax],ecx
  357. 840b0b2a 8b4724 mov eax,dword ptr [edi+24h]
  358. 840b0b2d 85c0 test eax,eax
  359. 840b0b2f 7408 je nt!CmUnRegisterCallback+0x3a1 (840b0b39)
  360. nt!CmUnRegisterCallback+0x399:
  361. 840b0b31 6a00 push 0
  362. 840b0b33 50 push eax
  363. 840b0b34 e8810fe8ff call nt!ExFreePoolWithTag (83f31aba)
  364. nt!CmUnRegisterCallback+0x3a1:
  365. 840b0b39 6a00 push 0
  366. 840b0b3b 57 push edi
  367. 840b0b3c e8790fe8ff call nt!ExFreePoolWithTag (83f31aba)
  368. 840b0b41 8b45d8 mov eax,dword ptr [ebp-28h]
  369. nt!CmUnRegisterCallback+0x3ac:
  370. 840b0b44 e884e2ddff call nt!_SEH_epilog4 (83e8edcd)
  371. 840b0b49 c20800 ret 8

Win7 64 位 CmUnRegisterCallback

  1. lkd> uf CmUnRegisterCallback
  2. nt!CmUnRegisterCallback:
  3. fffff800`042b7790 48894c2408 mov qword ptr [rsp+8],rcx
  4. fffff800`042b7795 53 push rbx
  5. fffff800`042b7796 56 push rsi
  6. fffff800`042b7797 57 push rdi
  7. fffff800`042b7798 4154 push r12
  8. fffff800`042b779a 4155 push r13
  9. fffff800`042b779c 4156 push r14
  10. fffff800`042b779e 4157 push r15
  11. fffff800`042b77a0 4883ec60 sub rsp,60h
  12. fffff800`042b77a4 41bc0d0000c0 mov r12d,0C000000Dh
  13. fffff800`042b77aa 4489a424b0000000 mov dword ptr [rsp+0B0h],r12d
  14. fffff800`042b77b2 33db xor ebx,ebx
  15. fffff800`042b77b4 48895c2448 mov qword ptr [rsp+48h],rbx
  16. fffff800`042b77b9 33c0 xor eax,eax
  17. fffff800`042b77bb 4889442450 mov qword ptr [rsp+50h],rax
  18. fffff800`042b77c0 4889442458 mov qword ptr [rsp+58h],rax
  19. fffff800`042b77c5 448d6b01 lea r13d,[rbx+1]
  20. fffff800`042b77c9 458afd mov r15b,r13b
  21. fffff800`042b77cc 4488ac24a8000000 mov byte ptr [rsp+0A8h],r13b
  22. fffff800`042b77d4 440f20c7 mov rdi,cr8
  23. fffff800`042b77d8 450f22c5 mov cr8,r13
  24. fffff800`042b77dc f00fba351b6adcff00 lock btr dword ptr [nt!CallbackUnregisterLock (fffff800`0407e200)],0
  25. fffff800`042b77e5 720c jb nt!CmUnRegisterCallback+0x63 (fffff800`042b77f3)
  26. nt!CmUnRegisterCallback+0x57:
  27. fffff800`042b77e7 488d0d126adcff lea rcx,[nt!CallbackUnregisterLock (fffff800`0407e200)]
  28. fffff800`042b77ee e85db7b9ff call nt!KiAcquireFastMutex (fffff800`03e52f50)
  29. nt!CmUnRegisterCallback+0x63:
  30. fffff800`042b77f3 65488b042588010000 mov rax,qword ptr gs:[188h]
  31. fffff800`042b77fc 488905056adcff mov qword ptr [nt!CallbackUnregisterLock+0x8 (fffff800`0407e208)],rax
  32. fffff800`042b7803 400fb6c7 movzx eax,dil
  33. fffff800`042b7807 8905236adcff mov dword ptr [nt!CallbackUnregisterLock+0x30 (fffff800`0407e230)],eax
  34. fffff800`042b780d 48c78424b80000009cffffff mov qword ptr [rsp+0B8h],0FFFFFFFFFFFFFF9Ch
  35. fffff800`042b7819 48895c2420 mov qword ptr [rsp+20h],rbx
  36. fffff800`042b781e 65488b042588010000 mov rax,qword ptr gs:[188h]
  37. fffff800`042b7827 4183ceff or r14d,0FFFFFFFFh
  38. fffff800`042b782b 664401b0c4010000 add word ptr [rax+1C4h],r14w
  39. fffff800`042b7833 f0480fba2dab69dcff00 lock bts qword ptr [nt!CallbackListLock (fffff800`0407e1e8)],0
  40. fffff800`042b783d 730c jae nt!CmUnRegisterCallback+0xbb (fffff800`042b784b)
  41. nt!CmUnRegisterCallback+0xaf:
  42. fffff800`042b783f 488d0da269dcff lea rcx,[nt!CallbackListLock (fffff800`0407e1e8)]
  43. fffff800`042b7846 e875aabbff call nt!ExfAcquirePushLockExclusive (fffff800`03e722c0)
  44. nt!CmUnRegisterCallback+0xbb:
  45. fffff800`042b784b 418af5 mov sil,r13b
  46. fffff800`042b784e 4c8b9424a0000000 mov r10,qword ptr [rsp+0A0h]
  47. nt!CmUnRegisterCallback+0xc6:
  48. fffff800`042b7856 4533c0 xor r8d,r8d
  49. fffff800`042b7859 488d542420 lea rdx,[rsp+20h]
  50. fffff800`042b785e 488d0d6b69dcff lea rcx,[nt!CallbackListHead (fffff800`0407e1d0)]
  51. fffff800`042b7865 e8a261e5ff call nt!CmListGetNextElement (fffff800`0410da0c)
  52. fffff800`042b786a 488bf8 mov rdi,rax
  53. fffff800`042b786d 4889442428 mov qword ptr [rsp+28h],rax
  54. fffff800`042b7872 483bc3 cmp rax,rbx
  55. fffff800`042b7875 0f84b8000000 je nt!CmUnRegisterCallback+0x1a3 (fffff800`042b7933)
  56. nt!CmUnRegisterCallback+0xeb:
  57. fffff800`042b787b 4c395018 cmp qword ptr [rax+18h],r10
  58. fffff800`042b787f 75d5 jne nt!CmUnRegisterCallback+0xc6 (fffff800`042b7856)
  59. nt!CmUnRegisterCallback+0xf1:
  60. fffff800`042b7881 488b08 mov rcx,qword ptr [rax]
  61. fffff800`042b7884 488b4008 mov rax,qword ptr [rax+8]
  62. fffff800`042b7888 488908 mov qword ptr [rax],rcx
  63. fffff800`042b788b 48894108 mov qword ptr [rcx+8],rax
  64. fffff800`042b788f 8b4710 mov eax,dword ptr [rdi+10h]
  65. fffff800`042b7892 3bc3 cmp eax,ebx
  66. fffff800`042b7894 0f848f000000 je nt!CmUnRegisterCallback+0x199 (fffff800`042b7929)
  67. nt!CmUnRegisterCallback+0x10a:
  68. fffff800`042b789a 403af3 cmp sil,bl
  69. fffff800`042b789d 746c je nt!CmUnRegisterCallback+0x17b (fffff800`042b790b)
  70. nt!CmUnRegisterCallback+0x10f:
  71. fffff800`042b789f 0f0d0d4269dcff prefetchw [nt!CallbackListLock (fffff800`0407e1e8)]
  72. fffff800`042b78a6 488b053b69dcff mov rax,qword ptr [nt!CallbackListLock (fffff800`0407e1e8)]
  73. fffff800`042b78ad 488bc8 mov rcx,rax
  74. fffff800`042b78b0 4883e1f0 and rcx,0FFFFFFFFFFFFFFF0h
  75. fffff800`042b78b4 4883f910 cmp rcx,10h
  76. fffff800`042b78b8 7606 jbe nt!CmUnRegisterCallback+0x130 (fffff800`042b78c0)
  77. nt!CmUnRegisterCallback+0x12a:
  78. fffff800`042b78ba 488d48f0 lea rcx,[rax-10h]
  79. fffff800`042b78be eb03 jmp nt!CmUnRegisterCallback+0x133 (fffff800`042b78c3)
  80. nt!CmUnRegisterCallback+0x130:
  81. fffff800`042b78c0 488bcb mov rcx,rbx
  82. nt!CmUnRegisterCallback+0x133:
  83. fffff800`042b78c3 a802 test al,2
  84. fffff800`042b78c5 750b jne nt!CmUnRegisterCallback+0x142 (fffff800`042b78d2)
  85. nt!CmUnRegisterCallback+0x137:
  86. fffff800`042b78c7 f0480fb10d1869dcff lock cmpxchg qword ptr [nt!CallbackListLock (fffff800`0407e1e8)],rcx
  87. fffff800`042b78d0 740c je nt!CmUnRegisterCallback+0x14e (fffff800`042b78de)
  88. nt!CmUnRegisterCallback+0x142:
  89. fffff800`042b78d2 488d0d0f69dcff lea rcx,[nt!CallbackListLock (fffff800`0407e1e8)]
  90. fffff800`042b78d9 e89283b8ff call nt!ExfReleasePushLock (fffff800`03e3fc70)
  91. nt!CmUnRegisterCallback+0x14e:
  92. fffff800`042b78de 65488b0c2588010000 mov rcx,qword ptr gs:[188h]
  93. fffff800`042b78e7 664401a9c4010000 add word ptr [rcx+1C4h],r13w
  94. fffff800`042b78ef 7517 jne nt!CmUnRegisterCallback+0x178 (fffff800`042b7908)
  95. nt!CmUnRegisterCallback+0x161:
  96. fffff800`042b78f1 488d4150 lea rax,[rcx+50h]
  97. fffff800`042b78f5 483900 cmp qword ptr [rax],rax
  98. fffff800`042b78f8 740e je nt!CmUnRegisterCallback+0x178 (fffff800`042b7908)
  99. nt!CmUnRegisterCallback+0x16a:
  100. fffff800`042b78fa 663999c6010000 cmp word ptr [rcx+1C6h],bx
  101. fffff800`042b7901 7505 jne nt!CmUnRegisterCallback+0x178 (fffff800`042b7908)
  102. nt!CmUnRegisterCallback+0x173:
  103. fffff800`042b7903 e8a85eb7ff call nt!KiCheckForKernelApcDelivery (fffff800`03e2d7b0)
  104. nt!CmUnRegisterCallback+0x178:
  105. fffff800`042b7908 408af3 mov sil,bl
  106. nt!CmUnRegisterCallback+0x17b:
  107. fffff800`042b790b 4c8d8424b8000000 lea r8,[rsp+0B8h]
  108. fffff800`042b7913 33d2 xor edx,edx
  109. fffff800`042b7915 33c9 xor ecx,ecx
  110. fffff800`042b7917 e800f7bcff call nt!KeDelayExecutionThread (fffff800`03e8701c)
  111. fffff800`042b791c 448b5f10 mov r11d,dword ptr [rdi+10h]
  112. fffff800`042b7920 443bdb cmp r11d,ebx
  113. fffff800`042b7923 0f8571ffffff jne nt!CmUnRegisterCallback+0x10a (fffff800`042b789a)
  114. nt!CmUnRegisterCallback+0x199:
  115. fffff800`042b7929 448be3 mov r12d,ebx
  116. fffff800`042b792c 899c24b0000000 mov dword ptr [rsp+0B0h],ebx
  117. nt!CmUnRegisterCallback+0x1a3:
  118. fffff800`042b7933 48891dce68dcff mov qword ptr [nt!CallbackUnregisterLock+0x8 (fffff800`0407e208)],rbx
  119. fffff800`042b793a 448a2def68dcff mov r13b,byte ptr [nt!CallbackUnregisterLock+0x30 (fffff800`0407e230)]
  120. fffff800`042b7941 ba01000000 mov edx,1
  121. fffff800`042b7946 8bc2 mov eax,edx
  122. fffff800`042b7948 f00fc105b068dcff lock xadd dword ptr [nt!CallbackUnregisterLock (fffff800`0407e200)],eax
  123. fffff800`042b7950 3bc3 cmp eax,ebx
  124. fffff800`042b7952 7427 je nt!CmUnRegisterCallback+0x1eb (fffff800`042b797b)
  125. nt!CmUnRegisterCallback+0x1c4:
  126. fffff800`042b7954 a802 test al,2
  127. fffff800`042b7956 7523 jne nt!CmUnRegisterCallback+0x1eb (fffff800`042b797b)
  128. nt!CmUnRegisterCallback+0x1c8:
  129. fffff800`042b7958 03c2 add eax,edx
  130. fffff800`042b795a 8d48fe lea ecx,[rax-2]
  131. fffff800`042b795d f00fb10d9b68dcff lock cmpxchg dword ptr [nt!CallbackUnregisterLock (fffff800`0407e200)],ecx
  132. fffff800`042b7965 7514 jne nt!CmUnRegisterCallback+0x1eb (fffff800`042b797b)
  133. nt!CmUnRegisterCallback+0x1d7:
  134. fffff800`042b7967 4533c0 xor r8d,r8d
  135. fffff800`042b796a 488d0da768dcff lea rcx,[nt!CallbackUnregisterLock+0x18 (fffff800`0407e218)]
  136. fffff800`042b7971 e88accbcff call nt!KeSetEvent (fffff800`03e84600)
  137. fffff800`042b7976 ba01000000 mov edx,1
  138. nt!CmUnRegisterCallback+0x1eb:
  139. fffff800`042b797b 410fb6c5 movzx eax,r13b
  140. fffff800`042b797f 440f22c0 mov cr8,rax
  141. fffff800`042b7983 403af2 cmp sil,dl
  142. fffff800`042b7986 756d jne nt!CmUnRegisterCallback+0x265 (fffff800`042b79f5)
  143. nt!CmUnRegisterCallback+0x1f8:
  144. fffff800`042b7988 0f0d0d5968dcff prefetchw [nt!CallbackListLock (fffff800`0407e1e8)]
  145. fffff800`042b798f 488b055268dcff mov rax,qword ptr [nt!CallbackListLock (fffff800`0407e1e8)]
  146. fffff800`042b7996 488bc8 mov rcx,rax
  147. fffff800`042b7999 4883e1f0 and rcx,0FFFFFFFFFFFFFFF0h
  148. fffff800`042b799d 4883f910 cmp rcx,10h
  149. fffff800`042b79a1 7606 jbe nt!CmUnRegisterCallback+0x219 (fffff800`042b79a9)
  150. nt!CmUnRegisterCallback+0x213:
  151. fffff800`042b79a3 488d48f0 lea rcx,[rax-10h]
  152. fffff800`042b79a7 eb03 jmp nt!CmUnRegisterCallback+0x21c (fffff800`042b79ac)
  153. nt!CmUnRegisterCallback+0x219:
  154. fffff800`042b79a9 488bcb mov rcx,rbx
  155. nt!CmUnRegisterCallback+0x21c:
  156. fffff800`042b79ac a802 test al,2
  157. fffff800`042b79ae 750b jne nt!CmUnRegisterCallback+0x22b (fffff800`042b79bb)
  158. nt!CmUnRegisterCallback+0x220:
  159. fffff800`042b79b0 f0480fb10d2f68dcff lock cmpxchg qword ptr [nt!CallbackListLock (fffff800`0407e1e8)],rcx
  160. fffff800`042b79b9 740c je nt!CmUnRegisterCallback+0x237 (fffff800`042b79c7)
  161. nt!CmUnRegisterCallback+0x22b:
  162. fffff800`042b79bb 488d0d2668dcff lea rcx,[nt!CallbackListLock (fffff800`0407e1e8)]
  163. fffff800`042b79c2 e8a982b8ff call nt!ExfReleasePushLock (fffff800`03e3fc70)
  164. nt!CmUnRegisterCallback+0x237:
  165. fffff800`042b79c7 65488b142588010000 mov rdx,qword ptr gs:[188h]
  166. fffff800`042b79d0 b801000000 mov eax,1
  167. fffff800`042b79d5 660182c4010000 add word ptr [rdx+1C4h],ax
  168. fffff800`042b79dc 7517 jne nt!CmUnRegisterCallback+0x265 (fffff800`042b79f5)
  169. nt!CmUnRegisterCallback+0x24e:
  170. fffff800`042b79de 488d4a50 lea rcx,[rdx+50h]
  171. fffff800`042b79e2 483909 cmp qword ptr [rcx],rcx
  172. fffff800`042b79e5 740e je nt!CmUnRegisterCallback+0x265 (fffff800`042b79f5)
  173. nt!CmUnRegisterCallback+0x257:
  174. fffff800`042b79e7 66399ac6010000 cmp word ptr [rdx+1C6h],bx
  175. fffff800`042b79ee 7505 jne nt!CmUnRegisterCallback+0x265 (fffff800`042b79f5)
  176. nt!CmUnRegisterCallback+0x260:
  177. fffff800`042b79f0 e8bb5db7ff call nt!KiCheckForKernelApcDelivery (fffff800`03e2d7b0)
  178. nt!CmUnRegisterCallback+0x265:
  179. fffff800`042b79f5 443be3 cmp r12d,ebx
  180. fffff800`042b79f8 7d08 jge nt!CmUnRegisterCallback+0x272 (fffff800`042b7a02)
  181. nt!CmUnRegisterCallback+0x26a:
  182. fffff800`042b79fa 418bc4 mov eax,r12d
  183. fffff800`042b79fd e9e5010000 jmp nt!CmUnRegisterCallback+0x457 (fffff800`042b7be7)
  184. nt!CmUnRegisterCallback+0x272:
  185. fffff800`042b7a02 488d442438 lea rax,[rsp+38h]
  186. fffff800`042b7a07 4889442440 mov qword ptr [rsp+40h],rax
  187. fffff800`042b7a0c 488d442438 lea rax,[rsp+38h]
  188. fffff800`042b7a11 4889442438 mov qword ptr [rsp+38h],rax
  189. fffff800`042b7a16 65488b042588010000 mov rax,qword ptr gs:[188h]
  190. fffff800`042b7a1f 664401b0c4010000 add word ptr [rax+1C4h],r14w
  191. fffff800`042b7a27 f0480fba2daf67dcff00 lock bts qword ptr [nt!ContextListLock (fffff800`0407e1e0)],0
  192. fffff800`042b7a31 730c jae nt!CmUnRegisterCallback+0x2af (fffff800`042b7a3f)
  193. nt!CmUnRegisterCallback+0x2a3:
  194. fffff800`042b7a33 488d0da667dcff lea rcx,[nt!ContextListLock (fffff800`0407e1e0)]
  195. fffff800`042b7a3a e881a8bbff call nt!ExfAcquirePushLockExclusive (fffff800`03e722c0)
  196. nt!CmUnRegisterCallback+0x2af:
  197. fffff800`042b7a3f 4c8d6f40 lea r13,[rdi+40h]
  198. fffff800`042b7a43 498b7500 mov rsi,qword ptr [r13]
  199. fffff800`042b7a47 493bf5 cmp rsi,r13
  200. fffff800`042b7a4a 745f je nt!CmUnRegisterCallback+0x31b (fffff800`042b7aab)
  201. nt!CmUnRegisterCallback+0x2bc:
  202. fffff800`042b7a4c 4c8b36 mov r14,qword ptr [rsi]
  203. fffff800`042b7a4f 488b4e20 mov rcx,qword ptr [rsi+20h]
  204. fffff800`042b7a53 e8a851beff call nt!ObReferenceObjectSafe (fffff800`03e9cc00)
  205. fffff800`042b7a58 3ac3 cmp al,bl
  206. fffff800`042b7a5a 7438 je nt!CmUnRegisterCallback+0x304 (fffff800`042b7a94)
  207. nt!CmUnRegisterCallback+0x2cc:
  208. fffff800`042b7a5c 488b0e mov rcx,qword ptr [rsi]
  209. fffff800`042b7a5f 488b4608 mov rax,qword ptr [rsi+8]
  210. fffff800`042b7a63 488908 mov qword ptr [rax],rcx
  211. fffff800`042b7a66 48894108 mov qword ptr [rcx+8],rax
  212. fffff800`042b7a6a 488b4ef0 mov rcx,qword ptr [rsi-10h]
  213. fffff800`042b7a6e 488b46f8 mov rax,qword ptr [rsi-8]
  214. fffff800`042b7a72 488908 mov qword ptr [rax],rcx
  215. fffff800`042b7a75 48894108 mov qword ptr [rcx+8],rax
  216. fffff800`042b7a79 488b442440 mov rax,qword ptr [rsp+40h]
  217. fffff800`042b7a7e 488d4c2438 lea rcx,[rsp+38h]
  218. fffff800`042b7a83 48890e mov qword ptr [rsi],rcx
  219. fffff800`042b7a86 48894608 mov qword ptr [rsi+8],rax
  220. fffff800`042b7a8a 488930 mov qword ptr [rax],rsi
  221. fffff800`042b7a8d 4889742440 mov qword ptr [rsp+40h],rsi
  222. fffff800`042b7a92 eb03 jmp nt!CmUnRegisterCallback+0x307 (fffff800`042b7a97)
  223. nt!CmUnRegisterCallback+0x304:
  224. fffff800`042b7a94 448afb mov r15b,bl
  225. nt!CmUnRegisterCallback+0x307:
  226. fffff800`042b7a97 498bf6 mov rsi,r14
  227. fffff800`042b7a9a 4d3bf5 cmp r14,r13
  228. fffff800`042b7a9d 75ad jne nt!CmUnRegisterCallback+0x2bc (fffff800`042b7a4c)
  229. nt!CmUnRegisterCallback+0x30f:
  230. fffff800`042b7a9f 4488bc24a8000000 mov byte ptr [rsp+0A8h],r15b
  231. fffff800`042b7aa7 4183ceff or r14d,0FFFFFFFFh
  232. nt!CmUnRegisterCallback+0x31b:
  233. fffff800`042b7aab 0f0d0d2e67dcff prefetchw [nt!ContextListLock (fffff800`0407e1e0)]
  234. fffff800`042b7ab2 488b052767dcff mov rax,qword ptr [nt!ContextListLock (fffff800`0407e1e0)]
  235. fffff800`042b7ab9 488bc8 mov rcx,rax
  236. fffff800`042b7abc 4883e1f0 and rcx,0FFFFFFFFFFFFFFF0h
  237. fffff800`042b7ac0 4883f910 cmp rcx,10h
  238. fffff800`042b7ac4 7606 jbe nt!CmUnRegisterCallback+0x33c (fffff800`042b7acc)
  239. nt!CmUnRegisterCallback+0x336:
  240. fffff800`042b7ac6 488d48f0 lea rcx,[rax-10h]
  241. fffff800`042b7aca eb03 jmp nt!CmUnRegisterCallback+0x33f (fffff800`042b7acf)
  242. nt!CmUnRegisterCallback+0x33c:
  243. fffff800`042b7acc 488bcb mov rcx,rbx
  244. nt!CmUnRegisterCallback+0x33f:
  245. fffff800`042b7acf a802 test al,2
  246. fffff800`042b7ad1 750b jne nt!CmUnRegisterCallback+0x34e (fffff800`042b7ade)
  247. nt!CmUnRegisterCallback+0x343:
  248. fffff800`042b7ad3 f0480fb10d0467dcff lock cmpxchg qword ptr [nt!ContextListLock (fffff800`0407e1e0)],rcx
  249. fffff800`042b7adc 740c je nt!CmUnRegisterCallback+0x35a (fffff800`042b7aea)
  250. nt!CmUnRegisterCallback+0x34e:
  251. fffff800`042b7ade 488d0dfb66dcff lea rcx,[nt!ContextListLock (fffff800`0407e1e0)]
  252. fffff800`042b7ae5 e88681b8ff call nt!ExfReleasePushLock (fffff800`03e3fc70)
  253. nt!CmUnRegisterCallback+0x35a:
  254. fffff800`042b7aea 65488b0c2588010000 mov rcx,qword ptr gs:[188h]
  255. fffff800`042b7af3 b801000000 mov eax,1
  256. fffff800`042b7af8 660181c4010000 add word ptr [rcx+1C4h],ax
  257. fffff800`042b7aff 7517 jne nt!CmUnRegisterCallback+0x388 (fffff800`042b7b18)
  258. nt!CmUnRegisterCallback+0x371:
  259. fffff800`042b7b01 488d4150 lea rax,[rcx+50h]
  260. fffff800`042b7b05 483900 cmp qword ptr [rax],rax
  261. fffff800`042b7b08 740e je nt!CmUnRegisterCallback+0x388 (fffff800`042b7b18)
  262. nt!CmUnRegisterCallback+0x37a:
  263. fffff800`042b7b0a 663999c6010000 cmp word ptr [rcx+1C6h],bx
  264. fffff800`042b7b11 7505 jne nt!CmUnRegisterCallback+0x388 (fffff800`042b7b18)
  265. nt!CmUnRegisterCallback+0x383:
  266. fffff800`042b7b13 e8985cb7ff call nt!KiCheckForKernelApcDelivery (fffff800`03e2d7b0)
  267. nt!CmUnRegisterCallback+0x388:
  268. fffff800`042b7b18 488d442438 lea rax,[rsp+38h]
  269. fffff800`042b7b1d 488b742438 mov rsi,qword ptr [rsp+38h]
  270. fffff800`042b7b22 483bf0 cmp rsi,rax
  271. fffff800`042b7b25 747a je nt!CmUnRegisterCallback+0x411 (fffff800`042b7ba1)
  272. nt!CmUnRegisterCallback+0x397:
  273. fffff800`042b7b27 488b06 mov rax,qword ptr [rsi]
  274. fffff800`042b7b2a 4889442438 mov qword ptr [rsp+38h],rax
  275. fffff800`042b7b2f 488d4c2438 lea rcx,[rsp+38h]
  276. fffff800`042b7b34 48894808 mov qword ptr [rax+8],rcx
  277. fffff800`042b7b38 4883c6f0 add rsi,0FFFFFFFFFFFFFFF0h
  278. fffff800`042b7b3c 4889742430 mov qword ptr [rsp+30h],rsi
  279. fffff800`042b7b41 488b4630 mov rax,qword ptr [rsi+30h]
  280. fffff800`042b7b45 4889442448 mov qword ptr [rsp+48h],rax
  281. fffff800`042b7b4a 488b4638 mov rax,qword ptr [rsi+38h]
  282. fffff800`042b7b4e 4889442450 mov qword ptr [rsp+50h],rax
  283. fffff800`042b7b53 4c8d442448 lea r8,[rsp+48h]
  284. fffff800`042b7b58 ba28000000 mov edx,28h
  285. fffff800`042b7b5d 488b4f20 mov rcx,qword ptr [rdi+20h]
  286. fffff800`042b7b61 ff5728 call qword ptr [rdi+28h]
  287. fffff800`042b7b64 eb20 jmp nt!CmUnRegisterCallback+0x3f6 (fffff800`042b7b86)
  288. nt!CmUnRegisterCallback+0x3f6:
  289. fffff800`042b7b86 488b4e30 mov rcx,qword ptr [rsi+30h]
  290. fffff800`042b7b8a e8b128bdff call nt!ObfDereferenceObject (fffff800`03e8a440)
  291. fffff800`042b7b8f ba434d6363 mov edx,63634D43h
  292. fffff800`042b7b94 488bce mov rcx,rsi
  293. fffff800`042b7b97 e8f441cfff call nt!ExFreePoolWithTag (fffff800`03fabd90)
  294. fffff800`042b7b9c e977ffffff jmp nt!CmUnRegisterCallback+0x388 (fffff800`042b7b18)
  295. nt!CmUnRegisterCallback+0x411:
  296. fffff800`042b7ba1 443afb cmp r15b,bl
  297. fffff800`042b7ba4 751c jne nt!CmUnRegisterCallback+0x432 (fffff800`042b7bc2)
  298. nt!CmUnRegisterCallback+0x416:
  299. fffff800`042b7ba6 488d7740 lea rsi,[rdi+40h]
  300. nt!CmUnRegisterCallback+0x41a:
  301. fffff800`042b7baa 483936 cmp qword ptr [rsi],rsi
  302. fffff800`042b7bad 7413 je nt!CmUnRegisterCallback+0x432 (fffff800`042b7bc2)
  303. nt!CmUnRegisterCallback+0x41f:
  304. fffff800`042b7baf 4c8d8424b8000000 lea r8,[rsp+0B8h]
  305. fffff800`042b7bb7 33d2 xor edx,edx
  306. fffff800`042b7bb9 33c9 xor ecx,ecx
  307. fffff800`042b7bbb e85cf4bcff call nt!KeDelayExecutionThread (fffff800`03e8701c)
  308. fffff800`042b7bc0 ebe8 jmp nt!CmUnRegisterCallback+0x41a (fffff800`042b7baa)
  309. nt!CmUnRegisterCallback+0x432:
  310. fffff800`042b7bc2 f0440135ca12d5ff lock add dword ptr [nt!CmpCallBackCount (fffff800`04008e94)],r14d
  311. fffff800`042b7bca 488b4f38 mov rcx,qword ptr [rdi+38h]
  312. fffff800`042b7bce 483bcb cmp rcx,rbx
  313. fffff800`042b7bd1 7407 je nt!CmUnRegisterCallback+0x44a (fffff800`042b7bda)
  314. nt!CmUnRegisterCallback+0x443:
  315. fffff800`042b7bd3 33d2 xor edx,edx
  316. fffff800`042b7bd5 e8b641cfff call nt!ExFreePoolWithTag (fffff800`03fabd90)
  317. nt!CmUnRegisterCallback+0x44a:
  318. fffff800`042b7bda 33d2 xor edx,edx
  319. fffff800`042b7bdc 488bcf mov rcx,rdi
  320. fffff800`042b7bdf e8ac41cfff call nt!ExFreePoolWithTag (fffff800`03fabd90)
  321. fffff800`042b7be4 418bc4 mov eax,r12d
  322. nt!CmUnRegisterCallback+0x457:
  323. fffff800`042b7be7 4883c460 add rsp,60h
  324. fffff800`042b7beb 415f pop r15
  325. fffff800`042b7bed 415e pop r14
  326. fffff800`042b7bef 415d pop r13
  327. fffff800`042b7bf1 415c pop r12
  328. fffff800`042b7bf3 5f pop rdi
  329. fffff800`042b7bf4 5e pop rsi
  330. fffff800`042b7bf5 5b pop rbx
  331. fffff800`042b7bf6 c3 ret

Win8.1 32 位系统上 CmUnRegisterCallback 函数的逆向代码

  1. lkd> uf CmUnRegisterCallback
  2. nt!CmUnRegisterCallback:
  3. 8118a854 6a38 push 38h
  4. 8118a856 68a84afe80 push offset nt!RtlpSparseBitmapCtxPrepareRanges+0x6429 (80fe4aa8)
  5. 8118a85b e8183dd9ff call nt!_SEH_prolog4 (80f1e578)
  6. 8118a860 c745d80d0000c0 mov dword ptr [ebp-28h],0C000000Dh
  7. 8118a867 33db xor ebx,ebx
  8. 8118a869 895db8 mov dword ptr [ebp-48h],ebx
  9. 8118a86c 895dbc mov dword ptr [ebp-44h],ebx
  10. 8118a86f 895dc0 mov dword ptr [ebp-40h],ebx
  11. 8118a872 895dd0 mov dword ptr [ebp-30h],ebx
  12. 8118a875 e8a4020000 call nt!CmpLockCallbackListExclusive (8118ab1e)
  13. 8118a87a be00fb0081 mov esi,offset nt!CallbackListHead (8100fb00)
  14. nt!CmUnRegisterCallback+0x2b:
  15. 8118a87f 53 push ebx
  16. 8118a880 8d55d0 lea edx,[ebp-30h]
  17. 8118a883 8bce mov ecx,esi
  18. 8118a885 e81458f4ff call nt!CmListGetNextElement (810d009e)
  19. 8118a88a 8bf8 mov edi,eax
  20. 8118a88c 85ff test edi,edi
  21. 8118a88e 897dd4 mov dword ptr [ebp-2Ch],edi
  22. 8118a891 0f8409010000 je nt!CmUnRegisterCallback+0x14c (8118a9a0)
  23. nt!CmUnRegisterCallback+0x43:
  24. 8118a897 ba00000080 mov edx,80000000h
  25. 8118a89c 8b4f10 mov ecx,dword ptr [edi+10h]
  26. 8118a89f 3b4d08 cmp ecx,dword ptr [ebp+8]
  27. 8118a8a2 75db jne nt!CmUnRegisterCallback+0x2b (8118a87f)
  28. nt!CmUnRegisterCallback+0x50:
  29. 8118a8a4 8b4714 mov eax,dword ptr [edi+14h]
  30. 8118a8a7 3b450c cmp eax,dword ptr [ebp+0Ch]
  31. 8118a8aa 75d3 jne nt!CmUnRegisterCallback+0x2b (8118a87f)
  32. nt!CmUnRegisterCallback+0x58:
  33. 8118a8ac 8b4708 mov eax,dword ptr [edi+8]
  34. 8118a8af 8945dc mov dword ptr [ebp-24h],eax
  35. 8118a8b2 3bc3 cmp eax,ebx
  36. 8118a8b4 0f8591000000 jne nt!CmUnRegisterCallback+0xf7 (8118a94b)
  37. nt!CmUnRegisterCallback+0x66:
  38. 8118a8ba 8b0f mov ecx,dword ptr [edi]
  39. 8118a8bc 8b4704 mov eax,dword ptr [edi+4]
  40. 8118a8bf 397904 cmp dword ptr [ecx+4],edi
  41. 8118a8c2 0f85e6000000 jne nt!CmUnRegisterCallback+0x15a (8118a9ae)
  42. nt!CmUnRegisterCallback+0x74:
  43. 8118a8c8 3938 cmp dword ptr [eax],edi
  44. 8118a8ca 0f85de000000 jne nt!CmUnRegisterCallback+0x15a (8118a9ae)
  45. nt!CmUnRegisterCallback+0x7c:
  46. 8118a8d0 8908 mov dword ptr [eax],ecx
  47. 8118a8d2 894104 mov dword ptr [ecx+4],eax
  48. 8118a8d5 e8467befff call nt!CmpUnlockCallbackList (81082420)
  49. 8118a8da 895dd8 mov dword ptr [ebp-28h],ebx
  50. nt!CmUnRegisterCallback+0x89:
  51. 8118a8dd 8d45c4 lea eax,[ebp-3Ch]
  52. 8118a8e0 8945c8 mov dword ptr [ebp-38h],eax
  53. 8118a8e3 8945c4 mov dword ptr [ebp-3Ch],eax
  54. 8118a8e6 885de3 mov byte ptr [ebp-1Dh],bl
  55. 8118a8e9 e8f0020000 call nt!CmpLockContextListExclusive (8118abde)
  56. 8118a8ee 8d4728 lea eax,[edi+28h]
  57. 8118a8f1 8b30 mov esi,dword ptr [eax]
  58. 8118a8f3 3bf0 cmp esi,eax
  59. 8118a8f5 0f85c8d40800 jne nt! ?? ::NNGAKEGL::`string'+0x79759 (81217dc3)
  60. nt!CmUnRegisterCallback+0xa7:
  61. 8118a8fb e86e020000 call nt!CmpUnlockContextList (8118ab6e)
  62. nt!CmUnRegisterCallback+0xac:
  63. 8118a900 8d4dc4 lea ecx,[ebp-3Ch]
  64. 8118a903 8b45c4 mov eax,dword ptr [ebp-3Ch]
  65. 8118a906 3bc1 cmp eax,ecx
  66. 8118a908 0f853fd50800 jne nt! ?? ::NNGAKEGL::`string'+0x797e3 (81217e4d)
  67. nt!CmUnRegisterCallback+0xba:
  68. 8118a90e 807de300 cmp byte ptr [ebp-1Dh],0
  69. 8118a912 0f85aad50800 jne nt! ?? ::NNGAKEGL::`string'+0x79858 (81217ec2)
  70. nt!CmUnRegisterCallback+0xc4:
  71. 8118a918 b9787eff80 mov ecx,offset nt!CmpCallBackCount (80ff7e78)
  72. 8118a91d 83c8ff or eax,0FFFFFFFFh
  73. 8118a920 f00fc101 lock xadd dword ptr [ecx],eax
  74. 8118a924 48 dec eax
  75. 8118a925 0f84d8d50800 je nt! ?? ::NNGAKEGL::`string'+0x79899 (81217f03)
  76. nt!CmUnRegisterCallback+0xd7:
  77. 8118a92b 8b4724 mov eax,dword ptr [edi+24h]
  78. 8118a92e 85c0 test eax,eax
  79. 8118a930 7407 je nt!CmUnRegisterCallback+0xe5 (8118a939)
  80. nt!CmUnRegisterCallback+0xde:
  81. 8118a932 53 push ebx
  82. 8118a933 50 push eax
  83. 8118a934 e8d7e6e5ff call nt!ExFreePoolWithTag (80fe9010)
  84. nt!CmUnRegisterCallback+0xe5:
  85. 8118a939 53 push ebx
  86. 8118a93a 57 push edi
  87. 8118a93b e8d0e6e5ff call nt!ExFreePoolWithTag (80fe9010)
  88. nt!CmUnRegisterCallback+0xec:
  89. 8118a940 8b45d8 mov eax,dword ptr [ebp-28h]
  90. 8118a943 e8753cd9ff call nt!_SEH_epilog4 (80f1e5bd)
  91. 8118a948 c20800 ret 8
  92. nt!CmUnRegisterCallback+0xf7:
  93. 8118a94b 8555dc test dword ptr [ebp-24h],edx
  94. 8118a94e 0f852bffffff jne nt!CmUnRegisterCallback+0x2b (8118a87f)
  95. nt!CmUnRegisterCallback+0x100:
  96. 8118a954 8d7708 lea esi,[edi+8]
  97. 8118a957 f00916 lock or dword ptr [esi],edx
  98. 8118a95a e8c17aefff call nt!CmpUnlockCallbackList (81082420)
  99. 8118a95f eb13 jmp nt!CmUnRegisterCallback+0x120 (8118a974)
  100. nt!CmUnRegisterCallback+0x10d:
  101. 8118a961 53 push ebx
  102. 8118a962 6a04 push 4
  103. 8118a964 8d45dc lea eax,[ebp-24h]
  104. 8118a967 50 push eax
  105. 8118a968 8bd6 mov edx,esi
  106. 8118a96a b908fb0081 mov ecx,offset nt!CallbackListDeleteEvent (8100fb08)
  107. 8118a96f e8e626caff call nt!ExBlockOnAddressPushLock (80e2d05a)
  108. nt!CmUnRegisterCallback+0x120:
  109. 8118a974 8b06 mov eax,dword ptr [esi]
  110. 8118a976 8945dc mov dword ptr [ebp-24h],eax
  111. 8118a979 3d00000080 cmp eax,80000000h
  112. 8118a97e 75e1 jne nt!CmUnRegisterCallback+0x10d (8118a961)
  113. nt!CmUnRegisterCallback+0x12c:
  114. 8118a980 e899010000 call nt!CmpLockCallbackListExclusive (8118ab1e)
  115. 8118a985 8b0f mov ecx,dword ptr [edi]
  116. 8118a987 8b4704 mov eax,dword ptr [edi+4]
  117. 8118a98a 397904 cmp dword ptr [ecx+4],edi
  118. 8118a98d 751f jne nt!CmUnRegisterCallback+0x15a (8118a9ae)
  119. nt!CmUnRegisterCallback+0x13b:
  120. 8118a98f 3938 cmp dword ptr [eax],edi
  121. 8118a991 751b jne nt!CmUnRegisterCallback+0x15a (8118a9ae)
  122. nt!CmUnRegisterCallback+0x13f:
  123. 8118a993 8908 mov dword ptr [eax],ecx
  124. 8118a995 894104 mov dword ptr [ecx+4],eax
  125. 8118a998 e8837aefff call nt!CmpUnlockCallbackList (81082420)
  126. 8118a99d 895dd8 mov dword ptr [ebp-28h],ebx
  127. nt!CmUnRegisterCallback+0x14c:
  128. 8118a9a0 395dd8 cmp dword ptr [ebp-28h],ebx
  129. 8118a9a3 0f8d34ffffff jge nt!CmUnRegisterCallback+0x89 (8118a8dd)
  130. nt!CmUnRegisterCallback+0x155:
  131. 8118a9a9 e90bd40800 jmp nt! ?? ::NNGAKEGL::`string'+0x7974f (81217db9)
  132. nt!CmUnRegisterCallback+0x15a:
  133. 8118a9ae 6a03 push 3
  134. 8118a9b0 59 pop ecx
  135. 8118a9b1 cd29 int 29h
  136. 8118a9b3 cc int 3
  137. 8118a9b4 cc int 3
  138. 8118a9b5 cc int 3
  139. 8118a9b6 cc int 3
  140. 8118a9b7 cc int 3
  141. 8118a9b8 8bff mov edi,edi
  142. 8118a9ba 55 push ebp
  143. 8118a9bb 8bec mov ebp,esp
  144. 8118a9bd 53 push ebx
  145. 8118a9be 56 push esi
  146. 8118a9bf 57 push edi
  147. 8118a9c0 68434d6362 push 62634D43h
  148. 8118a9c5 6a30 push 30h
  149. 8118a9c7 6a01 push 1
  150. 8118a9c9 8bfa mov edi,edx
  151. 8118a9cb 8bd9 mov ebx,ecx
  152. 8118a9cd e8feefe5ff call nt!ExAllocatePoolWithTag (80fe99d0)
  153. 8118a9d2 8bf0 mov esi,eax
  154. 8118a9d4 85f6 test esi,esi
  155. 8118a9d6 0f8449d50800 je nt! ?? ::NNGAKEGL::`string'+0x798bb (81217f25)
  156. nt!CmpRegisterCallbackInternal+0x24:
  157. 8118a9dc 897604 mov dword ptr [esi+4],esi
  158. 8118a9df 8d4628 lea eax,[esi+28h]
  159. 8118a9e2 8936 mov dword ptr [esi],esi
  160. 8118a9e4 894004 mov dword ptr [eax+4],eax
  161. 8118a9e7 8900 mov dword ptr [eax],eax
  162. 8118a9e9 897e18 mov dword ptr [esi+18h],edi
  163. 8118a9ec 8b7d08 mov edi,dword ptr [ebp+8]
  164. 8118a9ef c7460800000000 mov dword ptr [esi+8],0
  165. 8118a9f6 895e1c mov dword ptr [esi+1Ch],ebx
  166. 8118a9f9 68434d6361 push 61634D43h
  167. 8118a9fe 0fb707 movzx eax,word ptr [edi]
  168. 8118aa01 66894622 mov word ptr [esi+22h],ax
  169. 8118aa05 66894620 mov word ptr [esi+20h],ax
  170. 8118aa09 0fb707 movzx eax,word ptr [edi]
  171. 8118aa0c 50 push eax
  172. 8118aa0d 6a01 push 1
  173. 8118aa0f e8bcefe5ff call nt!ExAllocatePoolWithTag (80fe99d0)
  174. 8118aa14 8bc8 mov ecx,eax
  175. 8118aa16 894e24 mov dword ptr [esi+24h],ecx
  176. 8118aa19 85c9 test ecx,ecx
  177. 8118aa1b 743b je nt!CmpRegisterCallbackInternal+0xa0 (8118aa58)
  178. nt!CmpRegisterCallbackInternal+0x65:
  179. 8118aa1d 0fb707 movzx eax,word ptr [edi]
  180. 8118aa20 50 push eax
  181. 8118aa21 ff7704 push dword ptr [edi+4]
  182. 8118aa24 51 push ecx
  183. 8118aa25 e82678d8ff call nt!memcpy (80f12250)
  184. 8118aa2a 8a550c mov dl,byte ptr [ebp+0Ch]
  185. 8118aa2d 83c40c add esp,0Ch
  186. 8118aa30 8bce mov ecx,esi
  187. 8118aa32 e831000000 call nt!CmpInsertCallbackInListByAltitude (8118aa68)
  188. 8118aa37 8b5510 mov edx,dword ptr [ebp+10h]
  189. 8118aa3a 8bf8 mov edi,eax
  190. 8118aa3c 8b4e10 mov ecx,dword ptr [esi+10h]
  191. 8118aa3f 890a mov dword ptr [edx],ecx
  192. 8118aa41 8b4e14 mov ecx,dword ptr [esi+14h]
  193. 8118aa44 894a04 mov dword ptr [edx+4],ecx
  194. 8118aa47 85ff test edi,edi
  195. 8118aa49 0f88e0d40800 js nt! ?? ::NNGAKEGL::`string'+0x798c5 (81217f2f)
  196. nt!CmpRegisterCallbackInternal+0x97:
  197. 8118aa4f 8bc7 mov eax,edi
  198. nt!CmpRegisterCallbackInternal+0x99:
  199. 8118aa51 5f pop edi
  200. 8118aa52 5e pop esi
  201. 8118aa53 5b pop ebx
  202. 8118aa54 5d pop ebp
  203. 8118aa55 c20c00 ret 0Ch
  204. nt!CmpRegisterCallbackInternal+0xa0:
  205. 8118aa58 bf9a0000c0 mov edi,0C000009Ah
  206. 8118aa5d e9cdd40800 jmp nt! ?? ::NNGAKEGL::`string'+0x798c5 (81217f2f)
  207. nt! ?? ::NNGAKEGL::`string'+0x7974f:
  208. 81217db9 e862a6e6ff call nt!CmpUnlockCallbackList (81082420)
  209. 81217dbe e97d2bf7ff jmp nt!CmUnRegisterCallback+0xec (8118a940)
  210. nt! ?? ::NNGAKEGL::`string'+0x79759:
  211. 81217dc3 8b06 mov eax,dword ptr [esi]
  212. 81217dc5 8945dc mov dword ptr [ebp-24h],eax
  213. 81217dc8 8b4e14 mov ecx,dword ptr [esi+14h]
  214. 81217dcb e83219c2ff call nt!ObReferenceObjectSafe (80e39702)
  215. 81217dd0 84c0 test al,al
  216. 81217dd2 7462 je nt! ?? ::NNGAKEGL::`string'+0x797cc (81217e36)
  217. nt! ?? ::NNGAKEGL::`string'+0x7976a:
  218. 81217dd4 8d46f8 lea eax,[esi-8]
  219. 81217dd7 8d4808 lea ecx,[eax+8]
  220. 81217dda 8b11 mov edx,dword ptr [ecx]
  221. 81217ddc 8955d0 mov dword ptr [ebp-30h],edx
  222. 81217ddf 8b5104 mov edx,dword ptr [ecx+4]
  223. 81217de2 8b7dd0 mov edi,dword ptr [ebp-30h]
  224. 81217de5 394f04 cmp dword ptr [edi+4],ecx
  225. 81217de8 8b7dd4 mov edi,dword ptr [ebp-2Ch]
  226. 81217deb 0f85bd2bf7ff jne nt!CmUnRegisterCallback+0x15a (8118a9ae)
  227. nt! ?? ::NNGAKEGL::`string'+0x79787:
  228. 81217df1 390a cmp dword ptr [edx],ecx
  229. 81217df3 0f85b52bf7ff jne nt!CmUnRegisterCallback+0x15a (8118a9ae)
  230. nt! ?? ::NNGAKEGL::`string'+0x7978f:
  231. 81217df9 8b4dd0 mov ecx,dword ptr [ebp-30h]
  232. 81217dfc 890a mov dword ptr [edx],ecx
  233. 81217dfe 895104 mov dword ptr [ecx+4],edx
  234. 81217e01 8b10 mov edx,dword ptr [eax]
  235. 81217e03 8b4804 mov ecx,dword ptr [eax+4]
  236. 81217e06 394204 cmp dword ptr [edx+4],eax
  237. 81217e09 0f859f2bf7ff jne nt!CmUnRegisterCallback+0x15a (8118a9ae)
  238. nt! ?? ::NNGAKEGL::`string'+0x797a5:
  239. 81217e0f 3901 cmp dword ptr [ecx],eax
  240. 81217e11 0f85972bf7ff jne nt!CmUnRegisterCallback+0x15a (8118a9ae)
  241. nt! ?? ::NNGAKEGL::`string'+0x797ad:
  242. 81217e17 8911 mov dword ptr [ecx],edx
  243. 81217e19 894a04 mov dword ptr [edx+4],ecx
  244. 81217e1c 8b45c8 mov eax,dword ptr [ebp-38h]
  245. 81217e1f 8d4dc4 lea ecx,[ebp-3Ch]
  246. 81217e22 890e mov dword ptr [esi],ecx
  247. 81217e24 894604 mov dword ptr [esi+4],eax
  248. 81217e27 3908 cmp dword ptr [eax],ecx
  249. 81217e29 0f857f2bf7ff jne nt!CmUnRegisterCallback+0x15a (8118a9ae)
  250. nt! ?? ::NNGAKEGL::`string'+0x797c5:
  251. 81217e2f 8930 mov dword ptr [eax],esi
  252. 81217e31 8975c8 mov dword ptr [ebp-38h],esi
  253. 81217e34 eb04 jmp nt! ?? ::NNGAKEGL::`string'+0x797d0 (81217e3a)
  254. nt! ?? ::NNGAKEGL::`string'+0x797cc:
  255. 81217e36 c645e301 mov byte ptr [ebp-1Dh],1
  256. nt! ?? ::NNGAKEGL::`string'+0x797d0:
  257. 81217e3a 8b75dc mov esi,dword ptr [ebp-24h]
  258. 81217e3d 8d4728 lea eax,[edi+28h]
  259. 81217e40 3bf0 cmp esi,eax
  260. 81217e42 0f857bffffff jne nt! ?? ::NNGAKEGL::`string'+0x79759 (81217dc3)
  261. nt! ?? ::NNGAKEGL::`string'+0x797de:
  262. 81217e48 e9ae2af7ff jmp nt!CmUnRegisterCallback+0xa7 (8118a8fb)
  263. nt! ?? ::NNGAKEGL::`string'+0x797e3:
  264. 81217e4d 8b08 mov ecx,dword ptr [eax]
  265. 81217e4f 8d55c4 lea edx,[ebp-3Ch]
  266. 81217e52 395004 cmp dword ptr [eax+4],edx
  267. 81217e55 0f85532bf7ff jne nt!CmUnRegisterCallback+0x15a (8118a9ae)
  268. nt! ?? ::NNGAKEGL::`string'+0x797f1:
  269. 81217e5b 394104 cmp dword ptr [ecx+4],eax
  270. 81217e5e 0f854a2bf7ff jne nt!CmUnRegisterCallback+0x15a (8118a9ae)
  271. nt! ?? ::NNGAKEGL::`string'+0x797fa:
  272. 81217e64 894dc4 mov dword ptr [ebp-3Ch],ecx
  273. 81217e67 895104 mov dword ptr [ecx+4],edx
  274. 81217e6a 8d70f8 lea esi,[eax-8]
  275. 81217e6d 8975d0 mov dword ptr [ebp-30h],esi
  276. 81217e70 8b461c mov eax,dword ptr [esi+1Ch]
  277. 81217e73 8945b8 mov dword ptr [ebp-48h],eax
  278. 81217e76 8b4620 mov eax,dword ptr [esi+20h]
  279. 81217e79 8945bc mov dword ptr [ebp-44h],eax
  280. 81217e7c 895dfc mov dword ptr [ebp-4],ebx
  281. 81217e7f 8d45b8 lea eax,[ebp-48h]
  282. 81217e82 50 push eax
  283. 81217e83 6a28 push 28h
  284. 81217e85 ff7718 push dword ptr [edi+18h]
  285. 81217e88 ff571c call dword ptr [edi+1Ch]
  286. 81217e8b c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh
  287. 81217e92 eb13 jmp nt! ?? ::NNGAKEGL::`string'+0x7983d (81217ea7)
  288. nt! ?? ::NNGAKEGL::`string'+0x7983d:
  289. 81217ea7 8b75d0 mov esi,dword ptr [ebp-30h]
  290. 81217eaa 8b4e1c mov ecx,dword ptr [esi+1Ch]
  291. 81217ead e89ec3c3ff call nt!ObfDereferenceObject (80e54250)
  292. 81217eb2 68434d6363 push 63634D43h
  293. 81217eb7 56 push esi
  294. 81217eb8 e85311ddff call nt!ExFreePoolWithTag (80fe9010)
  295. 81217ebd e93e2af7ff jmp nt!CmUnRegisterCallback+0xac (8118a900)
  296. nt! ?? ::NNGAKEGL::`string'+0x79858:
  297. 81217ec2 8d4728 lea eax,[edi+28h]
  298. 81217ec5 8945d0 mov dword ptr [ebp-30h],eax
  299. 81217ec8 8bf8 mov edi,eax
  300. nt! ?? ::NNGAKEGL::`string'+0x79860:
  301. 81217eca e80f2df7ff call nt!CmpLockContextListExclusive (8118abde)
  302. 81217ecf 8b37 mov esi,dword ptr [edi]
  303. 81217ed1 8975cc mov dword ptr [ebp-34h],esi
  304. 81217ed4 e8952cf7ff call nt!CmpUnlockContextList (8118ab6e)
  305. 81217ed9 3bf7 cmp esi,edi
  306. 81217edb 7415 je nt! ?? ::NNGAKEGL::`string'+0x79888 (81217ef2)
  307. nt! ?? ::NNGAKEGL::`string'+0x79873:
  308. 81217edd 53 push ebx
  309. 81217ede 6a04 push 4
  310. 81217ee0 8d45cc lea eax,[ebp-34h]
  311. 81217ee3 50 push eax
  312. 81217ee4 8bd7 mov edx,edi
  313. 81217ee6 b908fb0081 mov ecx,offset nt!CallbackListDeleteEvent (8100fb08)
  314. 81217eeb e86a51c1ff call nt!ExBlockOnAddressPushLock (80e2d05a)
  315. 81217ef0 eb03 jmp nt! ?? ::NNGAKEGL::`string'+0x7988b (81217ef5)
  316. nt! ?? ::NNGAKEGL::`string'+0x79888:
  317. 81217ef2 885de3 mov byte ptr [ebp-1Dh],bl
  318. nt! ?? ::NNGAKEGL::`string'+0x7988b:
  319. 81217ef5 807de300 cmp byte ptr [ebp-1Dh],0
  320. 81217ef9 75cf jne nt! ?? ::NNGAKEGL::`string'+0x79860 (81217eca)
  321. nt! ?? ::NNGAKEGL::`string'+0x79891:
  322. 81217efb 8b7dd4 mov edi,dword ptr [ebp-2Ch]
  323. 81217efe e9152af7ff jmp nt!CmUnRegisterCallback+0xc4 (8118a918)
  324. nt! ?? ::NNGAKEGL::`string'+0x79899:
  325. 81217f03 b918fb0081 mov ecx,offset nt!CmpCallbackContextSList (8100fb18)
  326. 81217f08 e803c1d0ff call nt!ExInterlockedFlushSList (80f24010)
  327. 81217f0d 8bf0 mov esi,eax
  328. 81217f0f eb0b jmp nt! ?? ::NNGAKEGL::`string'+0x798b2 (81217f1c)
  329. nt! ?? ::NNGAKEGL::`string'+0x798a7:
  330. 81217f11 8bce mov ecx,esi
  331. 81217f13 8b36 mov esi,dword ptr [esi]
  332. 81217f15 53 push ebx
  333. 81217f16 51 push ecx
  334. 81217f17 e8f410ddff call nt!ExFreePoolWithTag (80fe9010)
  335. nt! ?? ::NNGAKEGL::`string'+0x798b2:
  336. 81217f1c 85f6 test esi,esi
  337. 81217f1e 75f1 jne nt! ?? ::NNGAKEGL::`string'+0x798a7 (81217f11)
  338. nt! ?? ::NNGAKEGL::`string'+0x798b6:
  339. 81217f20 e9062af7ff jmp nt!CmUnRegisterCallback+0xd7 (8118a92b)
  340. nt! ?? ::NNGAKEGL::`string'+0x798bb:
  341. 81217f25 b89a0000c0 mov eax,0C000009Ah
  342. 81217f2a e9222bf7ff jmp nt!CmpRegisterCallbackInternal+0x99 (8118aa51)
  343. nt! ?? ::NNGAKEGL::`string'+0x798c5:
  344. 81217f2f 8b4624 mov eax,dword ptr [esi+24h]
  345. 81217f32 85c0 test eax,eax
  346. 81217f34 7408 je nt! ?? ::NNGAKEGL::`string'+0x798d4 (81217f3e)
  347. nt! ?? ::NNGAKEGL::`string'+0x798cc:
  348. 81217f36 6a00 push 0
  349. 81217f38 50 push eax
  350. 81217f39 e8d210ddff call nt!ExFreePoolWithTag (80fe9010)
  351. nt! ?? ::NNGAKEGL::`string'+0x798d4:
  352. 81217f3e 6a00 push 0
  353. 81217f40 56 push esi
  354. 81217f41 e8ca10ddff call nt!ExFreePoolWithTag (80fe9010)
  355. 81217f46 e9042bf7ff jmp nt!CmpRegisterCallbackInternal+0x97 (8118aa4f)

Win8.1 64 位系统上 CmUnRegisterCallback 函数的逆向代码

  1. lkd> uf CmUnRegisterCallback
  2. nt!CmUnRegisterCallback:
  3. fffff803`10797d84 48894c2408 mov qword ptr [rsp+8],rcx
  4. fffff803`10797d89 4c8bdc mov r11,rsp
  5. fffff803`10797d8c 53 push rbx
  6. fffff803`10797d8d 56 push rsi
  7. fffff803`10797d8e 57 push rdi
  8. fffff803`10797d8f 4154 push r12
  9. fffff803`10797d91 4155 push r13
  10. fffff803`10797d93 4156 push r14
  11. fffff803`10797d95 4157 push r15
  12. fffff803`10797d97 4881ec80000000 sub rsp,80h
  13. fffff803`10797d9e be0d0000c0 mov esi,0C000000Dh
  14. fffff803`10797da3 89b424d8000000 mov dword ptr [rsp+0D8h],esi
  15. fffff803`10797daa 498363a800 and qword ptr [r11-58h],0
  16. fffff803`10797daf 33c0 xor eax,eax
  17. fffff803`10797db1 498943b0 mov qword ptr [r11-50h],rax
  18. fffff803`10797db5 498943b8 mov qword ptr [r11-48h],rax
  19. fffff803`10797db9 49214380 and qword ptr [r11-80h],rax
  20. fffff803`10797dbd e856030000 call nt!CmpLockCallbackListExclusive (fffff803`10798118)
  21. fffff803`10797dc2 41be00000080 mov r14d,80000000h
  22. nt!CmUnRegisterCallback+0x44:
  23. fffff803`10797dc8 4533c0 xor r8d,r8d
  24. fffff803`10797dcb 488d542438 lea rdx,[rsp+38h]
  25. fffff803`10797dd0 488d0d39f5dbff lea rcx,[nt!CallbackListHead (fffff803`10557310)]
  26. fffff803`10797dd7 e85469f1ff call nt!CmListGetNextElement (fffff803`106ae730)
  27. fffff803`10797ddc 488bf8 mov rdi,rax
  28. fffff803`10797ddf 4889442440 mov qword ptr [rsp+40h],rax
  29. fffff803`10797de4 4885c0 test rax,rax
  30. fffff803`10797de7 0f845e010000 je nt!CmUnRegisterCallback+0x1c7 (fffff803`10797f4b)
  31. nt!CmUnRegisterCallback+0x69:
  32. fffff803`10797ded 488b8424c0000000 mov rax,qword ptr [rsp+0C0h]
  33. fffff803`10797df5 48394718 cmp qword ptr [rdi+18h],rax
  34. fffff803`10797df9 75cd jne nt!CmUnRegisterCallback+0x44 (fffff803`10797dc8)
  35. nt!CmUnRegisterCallback+0x77:
  36. fffff803`10797dfb 8b4710 mov eax,dword ptr [rdi+10h]
  37. fffff803`10797dfe 898424d0000000 mov dword ptr [rsp+0D0h],eax
  38. fffff803`10797e05 85c0 test eax,eax
  39. fffff803`10797e07 0f85c6000000 jne nt!CmUnRegisterCallback+0x14f (fffff803`10797ed3)
  40. nt!CmUnRegisterCallback+0x89:
  41. fffff803`10797e0d 488b0f mov rcx,qword ptr [rdi]
  42. fffff803`10797e10 488b4708 mov rax,qword ptr [rdi+8]
  43. fffff803`10797e14 48397908 cmp qword ptr [rcx+8],rdi
  44. fffff803`10797e18 0f8598bc0900 jne nt! ?? ::NNGAKEGL::`string'+0x84eb6 (fffff803`10833ab6)
  45. nt!CmUnRegisterCallback+0x9a:
  46. fffff803`10797e1e 483938 cmp qword ptr [rax],rdi
  47. fffff803`10797e21 0f858fbc0900 jne nt! ?? ::NNGAKEGL::`string'+0x84eb6 (fffff803`10833ab6)
  48. nt!CmUnRegisterCallback+0xa3:
  49. fffff803`10797e27 488908 mov qword ptr [rax],rcx
  50. fffff803`10797e2a 48894108 mov qword ptr [rcx+8],rax
  51. fffff803`10797e2e e8116afcff call nt!CmpUnlockCallbackList (fffff803`1075e844)
  52. fffff803`10797e33 33f6 xor esi,esi
  53. fffff803`10797e35 89b424d8000000 mov dword ptr [rsp+0D8h],esi
  54. nt!CmUnRegisterCallback+0xb8:
  55. fffff803`10797e3c 488d442450 lea rax,[rsp+50h]
  56. fffff803`10797e41 4889442458 mov qword ptr [rsp+58h],rax
  57. fffff803`10797e46 488d442450 lea rax,[rsp+50h]
  58. fffff803`10797e4b 4889442450 mov qword ptr [rsp+50h],rax
  59. fffff803`10797e50 4532f6 xor r14b,r14b
  60. fffff803`10797e53 4488b424c8000000 mov byte ptr [rsp+0C8h],r14b
  61. fffff803`10797e5b e894030000 call nt!CmpLockContextListExclusive (fffff803`107981f4)
  62. fffff803`10797e60 4c8d6740 lea r12,[rdi+40h]
  63. fffff803`10797e64 498b1c24 mov rbx,qword ptr [r12]
  64. nt!CmUnRegisterCallback+0xe4:
  65. fffff803`10797e68 48895c2430 mov qword ptr [rsp+30h],rbx
  66. fffff803`10797e6d 493bdc cmp rbx,r12
  67. fffff803`10797e70 0f8547bc0900 jne nt! ?? ::NNGAKEGL::`string'+0x84ebd (fffff803`10833abd)
  68. nt!CmUnRegisterCallback+0xf2:
  69. fffff803`10797e76 e8f1020000 call nt!CmpUnlockContextList (fffff803`1079816c)
  70. nt!CmUnRegisterCallback+0xf7:
  71. fffff803`10797e7b 488d4c2450 lea rcx,[rsp+50h]
  72. fffff803`10797e80 488b442450 mov rax,qword ptr [rsp+50h]
  73. fffff803`10797e85 483bc1 cmp rax,rcx
  74. fffff803`10797e88 0f85c6bc0900 jne nt! ?? ::NNGAKEGL::`string'+0x84f54 (fffff803`10833b54)
  75. nt!CmUnRegisterCallback+0x10a:
  76. fffff803`10797e8e 4584f6 test r14b,r14b
  77. fffff803`10797e91 0f8549bd0900 jne nt! ?? ::NNGAKEGL::`string'+0x84fe0 (fffff803`10833be0)
  78. nt!CmUnRegisterCallback+0x113:
  79. fffff803`10797e97 f0ff0deebfd8ff lock dec dword ptr [nt!CmpCallBackCount (fffff803`10523e8c)]
  80. fffff803`10797e9e 0f8485bd0900 je nt! ?? ::NNGAKEGL::`string'+0x85029 (fffff803`10833c29)
  81. nt!CmUnRegisterCallback+0x120:
  82. fffff803`10797ea4 488b4f38 mov rcx,qword ptr [rdi+38h]
  83. fffff803`10797ea8 4885c9 test rcx,rcx
  84. fffff803`10797eab 7407 je nt!CmUnRegisterCallback+0x130 (fffff803`10797eb4)
  85. nt!CmUnRegisterCallback+0x129:
  86. fffff803`10797ead 33d2 xor edx,edx
  87. fffff803`10797eaf e86cdfd7ff call nt!ExFreePoolWithTag (fffff803`10515e20)
  88. nt!CmUnRegisterCallback+0x130:
  89. fffff803`10797eb4 33d2 xor edx,edx
  90. fffff803`10797eb6 488bcf mov rcx,rdi
  91. fffff803`10797eb9 e862dfd7ff call nt!ExFreePoolWithTag (fffff803`10515e20)
  92. nt!CmUnRegisterCallback+0x13a:
  93. fffff803`10797ebe 8bc6 mov eax,esi
  94. fffff803`10797ec0 4881c480000000 add rsp,80h
  95. fffff803`10797ec7 415f pop r15
  96. fffff803`10797ec9 415e pop r14
  97. fffff803`10797ecb 415d pop r13
  98. fffff803`10797ecd 415c pop r12
  99. fffff803`10797ecf 5f pop rdi
  100. fffff803`10797ed0 5e pop rsi
  101. fffff803`10797ed1 5b pop rbx
  102. fffff803`10797ed2 c3 ret
  103. nt!CmUnRegisterCallback+0x14f:
  104. fffff803`10797ed3 4185c6 test r14d,eax
  105. fffff803`10797ed6 0f85ecfeffff jne nt!CmUnRegisterCallback+0x44 (fffff803`10797dc8)
  106. nt!CmUnRegisterCallback+0x158:
  107. fffff803`10797edc 488d5f10 lea rbx,[rdi+10h]
  108. fffff803`10797ee0 f0810b00000080 lock or dword ptr [rbx],80000000h
  109. fffff803`10797ee7 e85869fcff call nt!CmpUnlockCallbackList (fffff803`1075e844)
  110. nt!CmUnRegisterCallback+0x168:
  111. fffff803`10797eec 8b03 mov eax,dword ptr [rbx]
  112. fffff803`10797eee 898424d0000000 mov dword ptr [rsp+0D0h],eax
  113. fffff803`10797ef5 413bc6 cmp eax,r14d
  114. fffff803`10797ef8 7425 je nt!CmUnRegisterCallback+0x19b (fffff803`10797f1f)
  115. nt!CmUnRegisterCallback+0x176:
  116. fffff803`10797efa 488364242000 and qword ptr [rsp+20h],0
  117. fffff803`10797f00 41b904000000 mov r9d,4
  118. fffff803`10797f06 4c8d8424d0000000 lea r8,[rsp+0D0h]
  119. fffff803`10797f0e 488bd3 mov rdx,rbx
  120. fffff803`10797f11 488d0d08f4dbff lea rcx,[nt!CallbackListDeleteEvent (fffff803`10557320)]
  121. fffff803`10797f18 e88313baff call nt!ExBlockOnAddressPushLock (fffff803`103392a0)
  122. fffff803`10797f1d ebcd jmp nt!CmUnRegisterCallback+0x168 (fffff803`10797eec)
  123. nt!CmUnRegisterCallback+0x19b:
  124. fffff803`10797f1f e8f4010000 call nt!CmpLockCallbackListExclusive (fffff803`10798118)
  125. fffff803`10797f24 488b0f mov rcx,qword ptr [rdi]
  126. fffff803`10797f27 488b4708 mov rax,qword ptr [rdi+8]
  127. fffff803`10797f2b 48397908 cmp qword ptr [rcx+8],rdi
  128. fffff803`10797f2f 7524 jne nt!CmUnRegisterCallback+0x1d1 (fffff803`10797f55)
  129. nt!CmUnRegisterCallback+0x1ad:
  130. fffff803`10797f31 483938 cmp qword ptr [rax],rdi
  131. fffff803`10797f34 751f jne nt!CmUnRegisterCallback+0x1d1 (fffff803`10797f55)
  132. nt!CmUnRegisterCallback+0x1b2:
  133. fffff803`10797f36 488908 mov qword ptr [rax],rcx
  134. fffff803`10797f39 48894108 mov qword ptr [rcx+8],rax
  135. fffff803`10797f3d e80269fcff call nt!CmpUnlockCallbackList (fffff803`1075e844)
  136. fffff803`10797f42 33f6 xor esi,esi
  137. fffff803`10797f44 89b424d8000000 mov dword ptr [rsp+0D8h],esi
  138. nt!CmUnRegisterCallback+0x1c7:
  139. fffff803`10797f4b 85f6 test esi,esi
  140. fffff803`10797f4d 0f89e9feffff jns nt!CmUnRegisterCallback+0xb8 (fffff803`10797e3c)
  141. nt!CmUnRegisterCallback+0x1cf:
  142. fffff803`10797f53 eb07 jmp nt!CmUnRegisterCallback+0x1d8 (fffff803`10797f5c)
  143. nt!CmUnRegisterCallback+0x1d1:
  144. fffff803`10797f55 b903000000 mov ecx,3
  145. fffff803`10797f5a cd29 int 29h
  146. nt!CmUnRegisterCallback+0x1d8:
  147. fffff803`10797f5c e8e368fcff call nt!CmpUnlockCallbackList (fffff803`1075e844)
  148. fffff803`10797f61 e958ffffff jmp nt!CmUnRegisterCallback+0x13a (fffff803`10797ebe)
  149. nt! ?? ::NNGAKEGL::`string'+0x84eb6:
  150. fffff803`10833ab6 b903000000 mov ecx,3
  151. fffff803`10833abb cd29 int 29h
  152. nt! ?? ::NNGAKEGL::`string'+0x84ebd:
  153. fffff803`10833abd 4c8b2b mov r13,qword ptr [rbx]
  154. fffff803`10833ac0 4c8d7bf0 lea r15,[rbx-10h]
  155. fffff803`10833ac4 498b4f30 mov rcx,qword ptr [r15+30h]
  156. fffff803`10833ac8 e8c712abff call nt!ObReferenceObjectSafe (fffff803`102e4d94)
  157. fffff803`10833acd 84c0 test al,al
  158. fffff803`10833acf 745b je nt! ?? ::NNGAKEGL::`string'+0x84f2c (fffff803`10833b2c)
  159. nt! ?? ::NNGAKEGL::`string'+0x84ed1:
  160. fffff803`10833ad1 498d4710 lea rax,[r15+10h]
  161. fffff803`10833ad5 488b10 mov rdx,qword ptr [rax]
  162. fffff803`10833ad8 488b4808 mov rcx,qword ptr [rax+8]
  163. fffff803`10833adc 48394208 cmp qword ptr [rdx+8],rax
  164. fffff803`10833ae0 756b jne nt! ?? ::NNGAKEGL::`string'+0x84f4d (fffff803`10833b4d)
  165. nt! ?? ::NNGAKEGL::`string'+0x84ee2:
  166. fffff803`10833ae2 483901 cmp qword ptr [rcx],rax
  167. fffff803`10833ae5 7566 jne nt! ?? ::NNGAKEGL::`string'+0x84f4d (fffff803`10833b4d)
  168. nt! ?? ::NNGAKEGL::`string'+0x84ee7:
  169. fffff803`10833ae7 488911 mov qword ptr [rcx],rdx
  170. fffff803`10833aea 48894a08 mov qword ptr [rdx+8],rcx
  171. fffff803`10833aee 498b0f mov rcx,qword ptr [r15]
  172. fffff803`10833af1 498b4708 mov rax,qword ptr [r15+8]
  173. fffff803`10833af5 4c397908 cmp qword ptr [rcx+8],r15
  174. fffff803`10833af9 754b jne nt! ?? ::NNGAKEGL::`string'+0x84f46 (fffff803`10833b46)
  175. nt! ?? ::NNGAKEGL::`string'+0x84efb:
  176. fffff803`10833afb 4c3938 cmp qword ptr [rax],r15
  177. fffff803`10833afe 7546 jne nt! ?? ::NNGAKEGL::`string'+0x84f46 (fffff803`10833b46)
  178. nt! ?? ::NNGAKEGL::`string'+0x84f00:
  179. fffff803`10833b00 488908 mov qword ptr [rax],rcx
  180. fffff803`10833b03 48894108 mov qword ptr [rcx+8],rax
  181. fffff803`10833b07 488b442458 mov rax,qword ptr [rsp+58h]
  182. fffff803`10833b0c 488d4c2450 lea rcx,[rsp+50h]
  183. fffff803`10833b11 48890b mov qword ptr [rbx],rcx
  184. fffff803`10833b14 48894308 mov qword ptr [rbx+8],rax
  185. fffff803`10833b18 488d4c2450 lea rcx,[rsp+50h]
  186. fffff803`10833b1d 483908 cmp qword ptr [rax],rcx
  187. fffff803`10833b20 751d jne nt! ?? ::NNGAKEGL::`string'+0x84f3f (fffff803`10833b3f)
  188. nt! ?? ::NNGAKEGL::`string'+0x84f22:
  189. fffff803`10833b22 488918 mov qword ptr [rax],rbx
  190. fffff803`10833b25 48895c2458 mov qword ptr [rsp+58h],rbx
  191. fffff803`10833b2a eb0b jmp nt! ?? ::NNGAKEGL::`string'+0x84f37 (fffff803`10833b37)
  192. nt! ?? ::NNGAKEGL::`string'+0x84f2c:
  193. fffff803`10833b2c 41b601 mov r14b,1
  194. fffff803`10833b2f 4488b424c8000000 mov byte ptr [rsp+0C8h],r14b
  195. nt! ?? ::NNGAKEGL::`string'+0x84f37:
  196. fffff803`10833b37 498bdd mov rbx,r13
  197. fffff803`10833b3a e92943f6ff jmp nt!CmUnRegisterCallback+0xe4 (fffff803`10797e68)
  198. nt! ?? ::NNGAKEGL::`string'+0x84f3f:
  199. fffff803`10833b3f b903000000 mov ecx,3
  200. fffff803`10833b44 cd29 int 29h
  201. nt! ?? ::NNGAKEGL::`string'+0x84f46:
  202. fffff803`10833b46 b903000000 mov ecx,3
  203. fffff803`10833b4b cd29 int 29h
  204. nt! ?? ::NNGAKEGL::`string'+0x84f4d:
  205. fffff803`10833b4d b903000000 mov ecx,3
  206. fffff803`10833b52 cd29 int 29h
  207. nt! ?? ::NNGAKEGL::`string'+0x84f54:
  208. fffff803`10833b54 488b08 mov rcx,qword ptr [rax]
  209. fffff803`10833b57 488d542450 lea rdx,[rsp+50h]
  210. fffff803`10833b5c 48395008 cmp qword ptr [rax+8],rdx
  211. fffff803`10833b60 7577 jne nt! ?? ::NNGAKEGL::`string'+0x84fd9 (fffff803`10833bd9)
  212. nt! ?? ::NNGAKEGL::`string'+0x84f62:
  213. fffff803`10833b62 48394108 cmp qword ptr [rcx+8],rax
  214. fffff803`10833b66 7571 jne nt! ?? ::NNGAKEGL::`string'+0x84fd9 (fffff803`10833bd9)
  215. nt! ?? ::NNGAKEGL::`string'+0x84f68:
  216. fffff803`10833b68 48894c2450 mov qword ptr [rsp+50h],rcx
  217. fffff803`10833b6d 488d542450 lea rdx,[rsp+50h]
  218. fffff803`10833b72 48895108 mov qword ptr [rcx+8],rdx
  219. fffff803`10833b76 488d58f0 lea rbx,[rax-10h]
  220. fffff803`10833b7a 48895c2448 mov qword ptr [rsp+48h],rbx
  221. fffff803`10833b7f 488b4330 mov rax,qword ptr [rbx+30h]
  222. fffff803`10833b83 4889442460 mov qword ptr [rsp+60h],rax
  223. fffff803`10833b88 488b4338 mov rax,qword ptr [rbx+38h]
  224. fffff803`10833b8c 4889442468 mov qword ptr [rsp+68h],rax
  225. fffff803`10833b91 4c8d442460 lea r8,[rsp+60h]
  226. fffff803`10833b96 ba28000000 mov edx,28h
  227. fffff803`10833b9b 488b4f20 mov rcx,qword ptr [rdi+20h]
  228. fffff803`10833b9f ff5728 call qword ptr [rdi+28h]
  229. fffff803`10833ba2 eb19 jmp nt! ?? ::NNGAKEGL::`string'+0x84fbd (fffff803`10833bbd)
  230. nt! ?? ::NNGAKEGL::`string'+0x84fbd:
  231. fffff803`10833bbd 488b4b30 mov rcx,qword ptr [rbx+30h]
  232. fffff803`10833bc1 e80a64abff call nt!ObfDereferenceObject (fffff803`102e9fd0)
  233. fffff803`10833bc6 ba434d6363 mov edx,63634D43h
  234. fffff803`10833bcb 488bcb mov rcx,rbx
  235. fffff803`10833bce e84d22ceff call nt!ExFreePoolWithTag (fffff803`10515e20)
  236. fffff803`10833bd3 90 nop
  237. fffff803`10833bd4 e9a242f6ff jmp nt!CmUnRegisterCallback+0xf7 (fffff803`10797e7b)
  238. nt! ?? ::NNGAKEGL::`string'+0x84fd9:
  239. fffff803`10833bd9 b903000000 mov ecx,3
  240. fffff803`10833bde cd29 int 29h
  241. nt! ?? ::NNGAKEGL::`string'+0x84fe0:
  242. fffff803`10833be0 e80f46f6ff call nt!CmpLockContextListExclusive (fffff803`107981f4)
  243. fffff803`10833be5 4c8d7f40 lea r15,[rdi+40h]
  244. fffff803`10833be9 498b1f mov rbx,qword ptr [r15]
  245. fffff803`10833bec 48895c2430 mov qword ptr [rsp+30h],rbx
  246. fffff803`10833bf1 e87645f6ff call nt!CmpUnlockContextList (fffff803`1079816c)
  247. fffff803`10833bf6 493bdf cmp rbx,r15
  248. fffff803`10833bf9 7426 je nt! ?? ::NNGAKEGL::`string'+0x85021 (fffff803`10833c21)
  249. nt! ?? ::NNGAKEGL::`string'+0x84ffb:
  250. fffff803`10833bfb 488364242000 and qword ptr [rsp+20h],0
  251. fffff803`10833c01 41b908000000 mov r9d,8
  252. fffff803`10833c07 4c8d442430 lea r8,[rsp+30h]
  253. fffff803`10833c0c 498bd7 mov rdx,r15
  254. fffff803`10833c0f 488d0d0a37d2ff lea rcx,[nt!CallbackListDeleteEvent (fffff803`10557320)]
  255. fffff803`10833c16 e88556b0ff call nt!ExBlockOnAddressPushLock (fffff803`103392a0)
  256. fffff803`10833c1b 90 nop
  257. fffff803`10833c1c e96d42f6ff jmp nt!CmUnRegisterCallback+0x10a (fffff803`10797e8e)
  258. nt! ?? ::NNGAKEGL::`string'+0x85021:
  259. fffff803`10833c21 4532f6 xor r14b,r14b
  260. fffff803`10833c24 e96542f6ff jmp nt!CmUnRegisterCallback+0x10a (fffff803`10797e8e)
  261. nt! ?? ::NNGAKEGL::`string'+0x85029:
  262. fffff803`10833c29 488d0dd057d2ff lea rcx,[nt!CmpCallbackContextSList (fffff803`10559400)]
  263. fffff803`10833c30 e85b51baff call nt!ExpInterlockedFlushSList (fffff803`103d8d90)
  264. fffff803`10833c35 488bd8 mov rbx,rax
  265. nt! ?? ::NNGAKEGL::`string'+0x85038:
  266. fffff803`10833c38 4885db test rbx,rbx
  267. fffff803`10833c3b 0f846342f6ff je nt!CmUnRegisterCallback+0x120 (fffff803`10797ea4)
  268. nt! ?? ::NNGAKEGL::`string'+0x85041:
  269. fffff803`10833c41 488bcb mov rcx,rbx
  270. fffff803`10833c44 488b1b mov rbx,qword ptr [rbx]
  271. fffff803`10833c47 33d2 xor edx,edx
  272. fffff803`10833c49 e8d221ceff call nt!ExFreePoolWithTag (fffff803`10515e20)
  273. fffff803`10833c4e ebe8 jmp nt! ?? ::NNGAKEGL::`string'+0x85038 (fffff803`10833c38)

Win10 32 位 CmUnRegisterCallback

（审阅注：下面列表中 `b9a017cb81 mov ecx,offset nt!CallbackListHead (81cb17a0)` 是函数内第一条以 B9 开头的指令，其后 4 字节（小端）即表头绝对地址，与特征码表中 Win10 32 位的 B9 一致。但同一函数里随后还有多条 B9 指令，加载的是 nt!CmpCallbackListLock (81cb1798) 和 nt!CallbackListDeleteEvent (81cb17a8)，三者地址仅相差几个字节；单字节特征码很容易误命中，扫描必须从函数起始处开始、命中第一次即停止，并对取出的地址做有效性校验（是否落在 ntoskrnl 映像内、链表 Flink/Blink 是否自洽），否则会把锁或事件对象当成链表头来遍历。另外注意 32 位下 Cookie 以两个 DWORD 分别在 +0x10/+0x14 比较，标志字段在 +0x8，与 64 位布局的偏移不同。）

  1. kd> uf CmUnRegisterCallback
  2. nt!CmUnRegisterCallback:
  3. 81ee7c8f 6a38 push 38h
  4. 81ee7c91 6880eac881 push offset nt!RtlpSparseBitmapCtxUpdateBits+0x6a49 (81c8ea80)
  5. 81ee7c96 e8154bcbff call nt!_SEH_prolog4 (81b9c7b0)
  6. 81ee7c9b 33db xor ebx,ebx
  7. 81ee7c9d 895dbc mov dword ptr [ebp-44h],ebx
  8. 81ee7ca0 895dc0 mov dword ptr [ebp-40h],ebx
  9. 81ee7ca3 895dc4 mov dword ptr [ebp-3Ch],ebx
  10. 81ee7ca6 895dd0 mov dword ptr [ebp-30h],ebx
  11. 81ee7ca9 64a124010000 mov eax,dword ptr fs:[00000124h]
  12. 81ee7caf 66ff883c010000 dec word ptr [eax+13Ch]
  13. 81ee7cb6 53 push ebx
  14. 81ee7cb7 33d2 xor edx,edx
  15. 81ee7cb9 bf9817cb81 mov edi,offset nt!CmpCallbackListLock (81cb1798)
  16. 81ee7cbe 8bcf mov ecx,edi
  17. 81ee7cc0 e85b8dc4ff call nt!KeAbPreAcquire (81b30a20)
  18. 81ee7cc5 8bf0 mov esi,eax
  19. 81ee7cc7 f00fba2f00 lock bts dword ptr [edi],0
  20. 81ee7ccc 730a jae nt!CmUnRegisterCallback+0x49 (81ee7cd8)
  21. nt!CmUnRegisterCallback+0x3f:
  22. 81ee7cce 57 push edi
  23. 81ee7ccf 8bd6 mov edx,esi
  24. 81ee7cd1 8bcf mov ecx,edi
  25. 81ee7cd3 e82877bbff call nt!ExfAcquirePushLockExclusiveEx (81a9f400)
  26. nt!CmUnRegisterCallback+0x49:
  27. 81ee7cd8 85f6 test esi,esi
  28. 81ee7cda 7407 je nt!CmUnRegisterCallback+0x54 (81ee7ce3)
  29. nt!CmUnRegisterCallback+0x4d:
  30. 81ee7cdc 8b4610 mov eax,dword ptr [esi+10h]
  31. 81ee7cdf 804e0e01 or byte ptr [esi+0Eh],1
  32. nt!CmUnRegisterCallback+0x54:
  33. 81ee7ce3 53 push ebx
  34. 81ee7ce4 8d55d0 lea edx,[ebp-30h]
  35. 81ee7ce7 b9a017cb81 mov ecx,offset nt!CallbackListHead (81cb17a0)
  36. 81ee7cec e853cae8ff call nt!CmListGetNextElement (81d74744)
  37. 81ee7cf1 8bf0 mov esi,eax
  38. 81ee7cf3 8975dc mov dword ptr [ebp-24h],esi
  39. 81ee7cf6 85f6 test esi,esi
  40. 81ee7cf8 0f8496040000 je nt!CmUnRegisterCallback+0x505 (81ee8194)
  41. nt!CmUnRegisterCallback+0x6f:
  42. 81ee7cfe 8b4e10 mov ecx,dword ptr [esi+10h]
  43. 81ee7d01 3b4d08 cmp ecx,dword ptr [ebp+8]
  44. 81ee7d04 75dd jne nt!CmUnRegisterCallback+0x54 (81ee7ce3)
  45. nt!CmUnRegisterCallback+0x77:
  46. 81ee7d06 8b4e14 mov ecx,dword ptr [esi+14h]
  47. 81ee7d09 3b4d0c cmp ecx,dword ptr [ebp+0Ch]
  48. 81ee7d0c 75d5 jne nt!CmUnRegisterCallback+0x54 (81ee7ce3)
  49. nt!CmUnRegisterCallback+0x7f:
  50. 81ee7d0e 8b4608 mov eax,dword ptr [esi+8]
  51. 81ee7d11 8945e0 mov dword ptr [ebp-20h],eax
  52. 81ee7d14 3bc3 cmp eax,ebx
  53. 81ee7d16 0f8412010000 je nt!CmUnRegisterCallback+0x19f (81ee7e2e)
  54. nt!CmUnRegisterCallback+0x8d:
  55. 81ee7d1c b800000080 mov eax,80000000h
  56. 81ee7d21 8545e0 test dword ptr [ebp-20h],eax
  57. 81ee7d24 75bd jne nt!CmUnRegisterCallback+0x54 (81ee7ce3)
  58. nt!CmUnRegisterCallback+0x97:
  59. 81ee7d26 8d7e08 lea edi,[esi+8]
  60. 81ee7d29 f00907 lock or dword ptr [edi],eax
  61. 81ee7d2c 8b0d9817cb81 mov ecx,dword ptr [nt!CmpCallbackListLock (81cb1798)]
  62. 81ee7d32 8bc1 mov eax,ecx
  63. 81ee7d34 83e0f0 and eax,0FFFFFFF0h
  64. 81ee7d37 83f810 cmp eax,10h
  65. 81ee7d3a 8d51f0 lea edx,[ecx-10h]
  66. 81ee7d3d 7702 ja nt!CmUnRegisterCallback+0xb2 (81ee7d41)
  67. nt!CmUnRegisterCallback+0xb0:
  68. 81ee7d3f 8bd3 mov edx,ebx
  69. nt!CmUnRegisterCallback+0xb2:
  70. 81ee7d41 f6c102 test cl,2
  71. 81ee7d44 7512 jne nt!CmUnRegisterCallback+0xc9 (81ee7d58)
  72. nt!CmUnRegisterCallback+0xb7:
  73. 81ee7d46 8bc1 mov eax,ecx
  74. 81ee7d48 be9817cb81 mov esi,offset nt!CmpCallbackListLock (81cb1798)
  75. 81ee7d4d f00fb116 lock cmpxchg dword ptr [esi],edx
  76. 81ee7d51 3bc1 cmp eax,ecx
  77. 81ee7d53 8b75dc mov esi,dword ptr [ebp-24h]
  78. 81ee7d56 740a je nt!CmUnRegisterCallback+0xd3 (81ee7d62)
  79. nt!CmUnRegisterCallback+0xc9:
  80. 81ee7d58 b99817cb81 mov ecx,offset nt!CmpCallbackListLock (81cb1798)
  81. 81ee7d5d e81e87bbff call nt!ExfReleasePushLock (81aa0480)
  82. nt!CmUnRegisterCallback+0xd3:
  83. 81ee7d62 b99817cb81 mov ecx,offset nt!CmpCallbackListLock (81cb1798)
  84. 81ee7d67 e8f488c4ff call nt!KeAbPostRelease (81b30660)
  85. 81ee7d6c 648b0d24010000 mov ecx,dword ptr fs:[124h]
  86. 81ee7d73 0fbf813c010000 movsx eax,word ptr [ecx+13Ch]
  87. 81ee7d7a 40 inc eax
  88. 81ee7d7b 6689813c010000 mov word ptr [ecx+13Ch],ax
  89. 81ee7d82 6685c0 test ax,ax
  90. 81ee7d85 752a jne nt!CmUnRegisterCallback+0x122 (81ee7db1)
  91. nt!CmUnRegisterCallback+0xf8:
  92. 81ee7d87 8d4170 lea eax,[ecx+70h]
  93. 81ee7d8a 3900 cmp dword ptr [eax],eax
  94. 81ee7d8c 7423 je nt!CmUnRegisterCallback+0x122 (81ee7db1)
  95. nt!CmUnRegisterCallback+0xff:
  96. 81ee7d8e 6639993e010000 cmp word ptr [ecx+13Eh],bx
  97. 81ee7d95 751a jne nt!CmUnRegisterCallback+0x122 (81ee7db1)
  98. nt!CmUnRegisterCallback+0x108:
  99. 81ee7d97 e8707abbff call nt!KiCheckForKernelApcDelivery (81a9f80c)
  100. 81ee7d9c eb13 jmp nt!CmUnRegisterCallback+0x122 (81ee7db1)
  101. nt!CmUnRegisterCallback+0x10f:
  102. 81ee7d9e 53 push ebx
  103. 81ee7d9f 6a04 push 4
  104. 81ee7da1 8d45e0 lea eax,[ebp-20h]
  105. 81ee7da4 50 push eax
  106. 81ee7da5 8bd7 mov edx,edi
  107. 81ee7da7 b9a817cb81 mov ecx,offset nt!CallbackListDeleteEvent (81cb17a8)
  108. 81ee7dac e8c715c1ff call nt!ExBlockOnAddressPushLock (81af9378)
  109. nt!CmUnRegisterCallback+0x122:
  110. 81ee7db1 8b07 mov eax,dword ptr [edi]
  111. 81ee7db3 8945e0 mov dword ptr [ebp-20h],eax
  112. 81ee7db6 3d00000080 cmp eax,80000000h
  113. 81ee7dbb 75e1 jne nt!CmUnRegisterCallback+0x10f (81ee7d9e)
  114. nt!CmUnRegisterCallback+0x12e:
  115. 81ee7dbd 64a124010000 mov eax,dword ptr fs:[00000124h]
  116. 81ee7dc3 66ff883c010000 dec word ptr [eax+13Ch]
  117. 81ee7dca 53 push ebx
  118. 81ee7dcb 33d2 xor edx,edx
  119. 81ee7dcd b99817cb81 mov ecx,offset nt!CmpCallbackListLock (81cb1798)
  120. 81ee7dd2 e8498cc4ff call nt!KeAbPreAcquire (81b30a20)
  121. 81ee7dd7 8bf8 mov edi,eax
  122. 81ee7dd9 b89817cb81 mov eax,offset nt!CmpCallbackListLock (81cb1798)
  123. 81ee7dde f00fba2800 lock bts dword ptr [eax],0
  124. 81ee7de3 730a jae nt!CmUnRegisterCallback+0x160 (81ee7def)
  125. nt!CmUnRegisterCallback+0x156:
  126. 81ee7de5 50 push eax
  127. 81ee7de6 8bd7 mov edx,edi
  128. 81ee7de8 8bc8 mov ecx,eax
  129. 81ee7dea e81176bbff call nt!ExfAcquirePushLockExclusiveEx (81a9f400)
  130. nt!CmUnRegisterCallback+0x160:
  131. 81ee7def 85ff test edi,edi
  132. 81ee7df1 7407 je nt!CmUnRegisterCallback+0x16b (81ee7dfa)
  133. nt!CmUnRegisterCallback+0x164:
  134. 81ee7df3 8b4710 mov eax,dword ptr [edi+10h]
  135. 81ee7df6 804f0e01 or byte ptr [edi+0Eh],1
  136. nt!CmUnRegisterCallback+0x16b:
  137. 81ee7dfa 8b0e mov ecx,dword ptr [esi]
  138. 81ee7dfc 8b4604 mov eax,dword ptr [esi+4]
  139. 81ee7dff 397104 cmp dword ptr [ecx+4],esi
  140. 81ee7e02 7525 jne nt!CmUnRegisterCallback+0x19a (81ee7e29)
  141. nt!CmUnRegisterCallback+0x175:
  142. 81ee7e04 3930 cmp dword ptr [eax],esi
  143. 81ee7e06 7521 jne nt!CmUnRegisterCallback+0x19a (81ee7e29)
  144. nt!CmUnRegisterCallback+0x179:
  145. 81ee7e08 8908 mov dword ptr [eax],ecx
  146. 81ee7e0a 894104 mov dword ptr [ecx+4],eax
  147. 81ee7e0d 8b0d9817cb81 mov ecx,dword ptr [nt!CmpCallbackListLock (81cb1798)]
  148. 81ee7e13 8bc1 mov eax,ecx
  149. 81ee7e15 83e0f0 and eax,0FFFFFFF0h
  150. 81ee7e18 83f810 cmp eax,10h
  151. 81ee7e1b 8d51f0 lea edx,[ecx-10h]
  152. 81ee7e1e 7702 ja nt!CmUnRegisterCallback+0x193 (81ee7e22)
  153. nt!CmUnRegisterCallback+0x191:
  154. 81ee7e20 8bd3 mov edx,ebx
  155. nt!CmUnRegisterCallback+0x193:
  156. 81ee7e22 bf9817cb81 mov edi,offset nt!CmpCallbackListLock (81cb1798)
  157. 81ee7e27 eb2d jmp nt!CmUnRegisterCallback+0x1c7 (81ee7e56)
  158. nt!CmUnRegisterCallback+0x19a:
  159. 81ee7e29 6a03 push 3
  160. 81ee7e2b 59 pop ecx
  161. 81ee7e2c cd29 int 29h
  162. nt!CmUnRegisterCallback+0x19f:
  163. 81ee7e2e 8b0e mov ecx,dword ptr [esi]
  164. 81ee7e30 8b4604 mov eax,dword ptr [esi+4]
  165. 81ee7e33 397104 cmp dword ptr [ecx+4],esi
  166. 81ee7e36 75f1 jne nt!CmUnRegisterCallback+0x19a (81ee7e29)
  167. nt!CmUnRegisterCallback+0x1a9:
  168. 81ee7e38 3930 cmp dword ptr [eax],esi
  169. 81ee7e3a 75ed jne nt!CmUnRegisterCallback+0x19a (81ee7e29)
  170. nt!CmUnRegisterCallback+0x1ad:
  171. 81ee7e3c 8908 mov dword ptr [eax],ecx
  172. 81ee7e3e 894104 mov dword ptr [ecx+4],eax
  173. 81ee7e41 8b0d9817cb81 mov ecx,dword ptr [nt!CmpCallbackListLock (81cb1798)]
  174. 81ee7e47 8bc1 mov eax,ecx
  175. 81ee7e49 83e0f0 and eax,0FFFFFFF0h
  176. 81ee7e4c 83f810 cmp eax,10h
  177. 81ee7e4f 8d51f0 lea edx,[ecx-10h]
  178. 81ee7e52 7702 ja nt!CmUnRegisterCallback+0x1c7 (81ee7e56)
  179. nt!CmUnRegisterCallback+0x1c5:
  180. 81ee7e54 8bd3 mov edx,ebx
  181. nt!CmUnRegisterCallback+0x1c7:
  182. 81ee7e56 f6c102 test cl,2
  183. 81ee7e59 750a jne nt!CmUnRegisterCallback+0x1d6 (81ee7e65)
  184. nt!CmUnRegisterCallback+0x1cc:
  185. 81ee7e5b 8bc1 mov eax,ecx
  186. 81ee7e5d f00fb117 lock cmpxchg dword ptr [edi],edx
  187. 81ee7e61 3bc1 cmp eax,ecx
  188. 81ee7e63 7407 je nt!CmUnRegisterCallback+0x1dd (81ee7e6c)
  189. nt!CmUnRegisterCallback+0x1d6:
  190. 81ee7e65 8bcf mov ecx,edi
  191. 81ee7e67 e81486bbff call nt!ExfReleasePushLock (81aa0480)
  192. nt!CmUnRegisterCallback+0x1dd:
  193. 81ee7e6c 8bcf mov ecx,edi
  194. 81ee7e6e e8ed87c4ff call nt!KeAbPostRelease (81b30660)
  195. 81ee7e73 648b0d24010000 mov ecx,dword ptr fs:[124h]
  196. 81ee7e7a 0fbf813c010000 movsx eax,word ptr [ecx+13Ch]
  197. 81ee7e81 40 inc eax
  198. 81ee7e82 6685c0 test ax,ax
  199. 81ee7e85 6689813c010000 mov word ptr [ecx+13Ch],ax
  200. 81ee7e8c 7515 jne nt!CmUnRegisterCallback+0x214 (81ee7ea3)
  201. nt!CmUnRegisterCallback+0x1ff:
  202. 81ee7e8e 8d4170 lea eax,[ecx+70h]
  203. 81ee7e91 3900 cmp dword ptr [eax],eax
  204. 81ee7e93 740e je nt!CmUnRegisterCallback+0x214 (81ee7ea3)
  205. nt!CmUnRegisterCallback+0x206:
  206. 81ee7e95 6639993e010000 cmp word ptr [ecx+13Eh],bx
  207. 81ee7e9c 7505 jne nt!CmUnRegisterCallback+0x214 (81ee7ea3)
  208. nt!CmUnRegisterCallback+0x20f:
  209. 81ee7e9e e86979bbff call nt!KiCheckForKernelApcDelivery (81a9f80c)
  210. nt!CmUnRegisterCallback+0x214:
  211. 81ee7ea3 895dd4 mov dword ptr [ebp-2Ch],ebx
  212. 81ee7ea6 8d45c8 lea eax,[ebp-38h]
  213. 81ee7ea9 8945cc mov dword ptr [ebp-34h],eax
  214. 81ee7eac 8945c8 mov dword ptr [ebp-38h],eax
  215. 81ee7eaf 885de7 mov byte ptr [ebp-19h],bl
  216. 81ee7eb2 64a124010000 mov eax,dword ptr fs:[00000124h]
  217. 81ee7eb8 66ff883c010000 dec word ptr [eax+13Ch]
  218. 81ee7ebf 53 push ebx
  219. 81ee7ec0 33d2 xor edx,edx
  220. 81ee7ec2 bf9c17cb81 mov edi,offset nt!CmpContextListLock (81cb179c)
  221. 81ee7ec7 8bcf mov ecx,edi
  222. 81ee7ec9 e8528bc4ff call nt!KeAbPreAcquire (81b30a20)
  223. 81ee7ece 8bc8 mov ecx,eax
  224. 81ee7ed0 894dd0 mov dword ptr [ebp-30h],ecx
  225. 81ee7ed3 f00fba2f00 lock bts dword ptr [edi],0
  226. 81ee7ed8 730d jae nt!CmUnRegisterCallback+0x258 (81ee7ee7)
  227. nt!CmUnRegisterCallback+0x24b:
  228. 81ee7eda 57 push edi
  229. 81ee7edb 8bd1 mov edx,ecx
  230. 81ee7edd 8bcf mov ecx,edi
  231. 81ee7edf e81c75bbff call nt!ExfAcquirePushLockExclusiveEx (81a9f400)
  232. 81ee7ee4 8b4dd0 mov ecx,dword ptr [ebp-30h]
  233. nt!CmUnRegisterCallback+0x258:
  234. 81ee7ee7 85c9 test ecx,ecx
  235. 81ee7ee9 7407 je nt!CmUnRegisterCallback+0x263 (81ee7ef2)
  236. nt!CmUnRegisterCallback+0x25c:
  237. 81ee7eeb 8b4110 mov eax,dword ptr [ecx+10h]
  238. 81ee7eee 80490e01 or byte ptr [ecx+0Eh],1
  239. nt!CmUnRegisterCallback+0x263:
  240. 81ee7ef2 8d4628 lea eax,[esi+28h]
  241. 81ee7ef5 8b38 mov edi,dword ptr [eax]
  242. 81ee7ef7 3bf8 cmp edi,eax
  243. 81ee7ef9 0f8485000000 je nt!CmUnRegisterCallback+0x2f5 (81ee7f84)
  244. nt!CmUnRegisterCallback+0x270:
  245. 81ee7eff 8b07 mov eax,dword ptr [edi]
  246. 81ee7f01 8945d0 mov dword ptr [ebp-30h],eax
  247. 81ee7f04 8b4f14 mov ecx,dword ptr [edi+14h]
  248. 81ee7f07 e85430c4ff call nt!ObReferenceObjectSafe (81b2af60)
  249. 81ee7f0c 84c0 test al,al
  250. 81ee7f0e 7462 je nt!CmUnRegisterCallback+0x2e3 (81ee7f72)
  251. nt!CmUnRegisterCallback+0x281:
  252. 81ee7f10 8d47f8 lea eax,[edi-8]
  253. 81ee7f13 8d4808 lea ecx,[eax+8]
  254. 81ee7f16 8b11 mov edx,dword ptr [ecx]
  255. 81ee7f18 8955e0 mov dword ptr [ebp-20h],edx
  256. 81ee7f1b 8b5104 mov edx,dword ptr [ecx+4]
  257. 81ee7f1e 8b75e0 mov esi,dword ptr [ebp-20h]
  258. 81ee7f21 394e04 cmp dword ptr [esi+4],ecx
  259. 81ee7f24 8b75dc mov esi,dword ptr [ebp-24h]
  260. 81ee7f27 0f85fcfeffff jne nt!CmUnRegisterCallback+0x19a (81ee7e29)
  261. nt!CmUnRegisterCallback+0x29e:
  262. 81ee7f2d 390a cmp dword ptr [edx],ecx
  263. 81ee7f2f 0f85f4feffff jne nt!CmUnRegisterCallback+0x19a (81ee7e29)
  264. nt!CmUnRegisterCallback+0x2a6:
  265. 81ee7f35 8b4de0 mov ecx,dword ptr [ebp-20h]
  266. 81ee7f38 890a mov dword ptr [edx],ecx
  267. 81ee7f3a 895104 mov dword ptr [ecx+4],edx
  268. 81ee7f3d 8b10 mov edx,dword ptr [eax]
  269. 81ee7f3f 8b4804 mov ecx,dword ptr [eax+4]
  270. 81ee7f42 394204 cmp dword ptr [edx+4],eax
  271. 81ee7f45 0f85defeffff jne nt!CmUnRegisterCallback+0x19a (81ee7e29)
  272. nt!CmUnRegisterCallback+0x2bc:
  273. 81ee7f4b 3901 cmp dword ptr [ecx],eax
  274. 81ee7f4d 0f85d6feffff jne nt!CmUnRegisterCallback+0x19a (81ee7e29)
  275. nt!CmUnRegisterCallback+0x2c4:
  276. 81ee7f53 8911 mov dword ptr [ecx],edx
  277. 81ee7f55 894a04 mov dword ptr [edx+4],ecx
  278. 81ee7f58 8b45cc mov eax,dword ptr [ebp-34h]
  279. 81ee7f5b 8d4dc8 lea ecx,[ebp-38h]
  280. 81ee7f5e 890f mov dword ptr [edi],ecx
  281. 81ee7f60 894704 mov dword ptr [edi+4],eax
  282. 81ee7f63 3908 cmp dword ptr [eax],ecx
  283. 81ee7f65 0f85befeffff jne nt!CmUnRegisterCallback+0x19a (81ee7e29)
  284. nt!CmUnRegisterCallback+0x2dc:
  285. 81ee7f6b 8938 mov dword ptr [eax],edi
  286. 81ee7f6d 897dcc mov dword ptr [ebp-34h],edi
  287. 81ee7f70 eb04 jmp nt!CmUnRegisterCallback+0x2e7 (81ee7f76)
  288. nt!CmUnRegisterCallback+0x2e3:
  289. 81ee7f72 c645e701 mov byte ptr [ebp-19h],1
  290. nt!CmUnRegisterCallback+0x2e7:
  291. 81ee7f76 8b7dd0 mov edi,dword ptr [ebp-30h]
  292. 81ee7f79 8d4628 lea eax,[esi+28h]
  293. 81ee7f7c 3bf8 cmp edi,eax
  294. 81ee7f7e 0f857bffffff jne nt!CmUnRegisterCallback+0x270 (81ee7eff)
  295. nt!CmUnRegisterCallback+0x2f5:
  296. 81ee7f84 8b0d9c17cb81 mov ecx,dword ptr [nt!CmpContextListLock (81cb179c)]
  297. 81ee7f8a 8bc1 mov eax,ecx
  298. 81ee7f8c 83e0f0 and eax,0FFFFFFF0h
  299. 81ee7f8f 83f810 cmp eax,10h
  300. 81ee7f92 8d51f0 lea edx,[ecx-10h]
  301. 81ee7f95 7702 ja nt!CmUnRegisterCallback+0x30a (81ee7f99)
  302. nt!CmUnRegisterCallback+0x308:
  303. 81ee7f97 8bd3 mov edx,ebx
  304. nt!CmUnRegisterCallback+0x30a:
  305. 81ee7f99 bf9c17cb81 mov edi,offset nt!CmpContextListLock (81cb179c)
  306. 81ee7f9e f6c102 test cl,2
  307. 81ee7fa1 750a jne nt!CmUnRegisterCallback+0x31e (81ee7fad)
  308. nt!CmUnRegisterCallback+0x314:
  309. 81ee7fa3 8bc1 mov eax,ecx
  310. 81ee7fa5 f00fb117 lock cmpxchg dword ptr [edi],edx
  311. 81ee7fa9 3bc1 cmp eax,ecx
  312. 81ee7fab 7407 je nt!CmUnRegisterCallback+0x325 (81ee7fb4)
  313. nt!CmUnRegisterCallback+0x31e:
  314. 81ee7fad 8bcf mov ecx,edi
  315. 81ee7faf e8cc84bbff call nt!ExfReleasePushLock (81aa0480)
  316. nt!CmUnRegisterCallback+0x325:
  317. 81ee7fb4 8bcf mov ecx,edi
  318. 81ee7fb6 e8a586c4ff call nt!KeAbPostRelease (81b30660)
  319. 81ee7fbb 648b0d24010000 mov ecx,dword ptr fs:[124h]
  320. 81ee7fc2 0fbf813c010000 movsx eax,word ptr [ecx+13Ch]
  321. 81ee7fc9 40 inc eax
  322. 81ee7fca 6689813c010000 mov word ptr [ecx+13Ch],ax
  323. 81ee7fd1 6685c0 test ax,ax
  324. 81ee7fd4 7515 jne nt!CmUnRegisterCallback+0x35c (81ee7feb)
  325. nt!CmUnRegisterCallback+0x347:
  326. 81ee7fd6 8d4170 lea eax,[ecx+70h]
  327. 81ee7fd9 3900 cmp dword ptr [eax],eax
  328. 81ee7fdb 740e je nt!CmUnRegisterCallback+0x35c (81ee7feb)
  329. nt!CmUnRegisterCallback+0x34e:
  330. 81ee7fdd 6639993e010000 cmp word ptr [ecx+13Eh],bx
  331. 81ee7fe4 7505 jne nt!CmUnRegisterCallback+0x35c (81ee7feb)
  332. nt!CmUnRegisterCallback+0x357:
  333. 81ee7fe6 e82178bbff call nt!KiCheckForKernelApcDelivery (81a9f80c)
  334. nt!CmUnRegisterCallback+0x35c:
  335. 81ee7feb 8d4dc8 lea ecx,[ebp-38h]
  336. 81ee7fee 8b45c8 mov eax,dword ptr [ebp-38h]
  337. 81ee7ff1 3bc1 cmp eax,ecx
  338. 81ee7ff3 747c je nt!CmUnRegisterCallback+0x3e2 (81ee8071)
  339. nt!CmUnRegisterCallback+0x366:
  340. 81ee7ff5 8b08 mov ecx,dword ptr [eax]
  341. 81ee7ff7 8d55c8 lea edx,[ebp-38h]
  342. 81ee7ffa 395004 cmp dword ptr [eax+4],edx
  343. 81ee7ffd 0f8526feffff jne nt!CmUnRegisterCallback+0x19a (81ee7e29)
  344. nt!CmUnRegisterCallback+0x374:
  345. 81ee8003 394104 cmp dword ptr [ecx+4],eax
  346. 81ee8006 0f851dfeffff jne nt!CmUnRegisterCallback+0x19a (81ee7e29)
  347. nt!CmUnRegisterCallback+0x37d:
  348. 81ee800c 894dc8 mov dword ptr [ebp-38h],ecx
  349. 81ee800f 895104 mov dword ptr [ecx+4],edx
  350. 81ee8012 8d48f8 lea ecx,[eax-8]
  351. 81ee8015 894de0 mov dword ptr [ebp-20h],ecx
  352. 81ee8018 8b411c mov eax,dword ptr [ecx+1Ch]
  353. 81ee801b 8945bc mov dword ptr [ebp-44h],eax
  354. 81ee801e 8b4120 mov eax,dword ptr [ecx+20h]
  355. 81ee8021 8945c0 mov dword ptr [ebp-40h],eax
  356. 81ee8024 895dfc mov dword ptr [ebp-4],ebx
  357. 81ee8027 8d45bc lea eax,[ebp-44h]
  358. 81ee802a 50 push eax
  359. 81ee802b 6a28 push 28h
  360. 81ee802d ff7618 push dword ptr [esi+18h]
  361. 81ee8030 ff561c call dword ptr [esi+1Ch]
  362. 81ee8033 c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh
  363. 81ee803a eb18 jmp nt!CmUnRegisterCallback+0x3c5 (81ee8054)
  364. nt!CmUnRegisterCallback+0x3c5:
  365. 81ee8054 8b4de0 mov ecx,dword ptr [ebp-20h]
  366. 81ee8057 8b491c mov ecx,dword ptr [ecx+1Ch]
  367. 81ee805a e8713bc4ff call nt!ObfDereferenceObject (81b2bbd0)
  368. 81ee805f 68434d6363 push 63634D43h
  369. 81ee8064 ff75e0 push dword ptr [ebp-20h]
  370. 81ee8067 e8b49fdaff call nt!ExFreePoolWithTag (81c92020)
  371. 81ee806c e97affffff jmp nt!CmUnRegisterCallback+0x35c (81ee7feb)
  372. nt!CmUnRegisterCallback+0x3e2:
  373. 81ee8071 807de700 cmp byte ptr [ebp-19h],0
  374. 81ee8075 0f84d4000000 je nt!CmUnRegisterCallback+0x4c0 (81ee814f)
  375. nt!CmUnRegisterCallback+0x3ec:
  376. 81ee807b 8d4628 lea eax,[esi+28h]
  377. 81ee807e 8945d0 mov dword ptr [ebp-30h],eax
  378. 81ee8081 8bf0 mov esi,eax
  379. nt!CmUnRegisterCallback+0x3f4:
  380. 81ee8083 64a124010000 mov eax,dword ptr fs:[00000124h]
  381. 81ee8089 66ff883c010000 dec word ptr [eax+13Ch]
  382. 81ee8090 53 push ebx
  383. 81ee8091 33d2 xor edx,edx
  384. 81ee8093 8bcf mov ecx,edi
  385. 81ee8095 e88689c4ff call nt!KeAbPreAcquire (81b30a20)
  386. 81ee809a 8bc8 mov ecx,eax
  387. 81ee809c 894dd0 mov dword ptr [ebp-30h],ecx
  388. 81ee809f f00fba2f00 lock bts dword ptr [edi],0
  389. 81ee80a4 730d jae nt!CmUnRegisterCallback+0x424 (81ee80b3)
  390. nt!CmUnRegisterCallback+0x417:
  391. 81ee80a6 57 push edi
  392. 81ee80a7 8bd1 mov edx,ecx
  393. 81ee80a9 8bcf mov ecx,edi
  394. 81ee80ab e85073bbff call nt!ExfAcquirePushLockExclusiveEx (81a9f400)
  395. 81ee80b0 8b4dd0 mov ecx,dword ptr [ebp-30h]
  396. nt!CmUnRegisterCallback+0x424:
  397. 81ee80b3 85c9 test ecx,ecx
  398. 81ee80b5 7407 je nt!CmUnRegisterCallback+0x42f (81ee80be)
  399. nt!CmUnRegisterCallback+0x428:
  400. 81ee80b7 8b4110 mov eax,dword ptr [ecx+10h]
  401. 81ee80ba 80490e01 or byte ptr [ecx+0Eh],1
  402. nt!CmUnRegisterCallback+0x42f:
  403. 81ee80be 8b06 mov eax,dword ptr [esi]
  404. 81ee80c0 8945d8 mov dword ptr [ebp-28h],eax
  405. 81ee80c3 8b0d9c17cb81 mov ecx,dword ptr [nt!CmpContextListLock (81cb179c)]
  406. 81ee80c9 8bc1 mov eax,ecx
  407. 81ee80cb 83e0f0 and eax,0FFFFFFF0h
  408. 81ee80ce 83f810 cmp eax,10h
  409. 81ee80d1 8d51f0 lea edx,[ecx-10h]
  410. 81ee80d4 7702 ja nt!CmUnRegisterCallback+0x449 (81ee80d8)
  411. nt!CmUnRegisterCallback+0x447:
  412. 81ee80d6 8bd3 mov edx,ebx
  413. nt!CmUnRegisterCallback+0x449:
  414. 81ee80d8 f6c102 test cl,2
  415. 81ee80db 750a jne nt!CmUnRegisterCallback+0x458 (81ee80e7)
  416. nt!CmUnRegisterCallback+0x44e:
  417. 81ee80dd 8bc1 mov eax,ecx
  418. 81ee80df f00fb117 lock cmpxchg dword ptr [edi],edx
  419. 81ee80e3 3bc1 cmp eax,ecx
  420. 81ee80e5 7407 je nt!CmUnRegisterCallback+0x45f (81ee80ee)
  421. nt!CmUnRegisterCallback+0x458:
  422. 81ee80e7 8bcf mov ecx,edi
  423. 81ee80e9 e89283bbff call nt!ExfReleasePushLock (81aa0480)
  424. nt!CmUnRegisterCallback+0x45f:
  425. 81ee80ee 8bcf mov ecx,edi
  426. 81ee80f0 e86b85c4ff call nt!KeAbPostRelease (81b30660)
  427. 81ee80f5 648b0d24010000 mov ecx,dword ptr fs:[124h]
  428. 81ee80fc 0fbf813c010000 movsx eax,word ptr [ecx+13Ch]
  429. 81ee8103 40 inc eax
  430. 81ee8104 6689813c010000 mov word ptr [ecx+13Ch],ax
  431. 81ee810b 6685c0 test ax,ax
  432. 81ee810e 7515 jne nt!CmUnRegisterCallback+0x496 (81ee8125)
  433. nt!CmUnRegisterCallback+0x481:
  434. 81ee8110 8d4170 lea eax,[ecx+70h]
  435. 81ee8113 3900 cmp dword ptr [eax],eax
  436. 81ee8115 740e je nt!CmUnRegisterCallback+0x496 (81ee8125)
  437. nt!CmUnRegisterCallback+0x488:
  438. 81ee8117 6639993e010000 cmp word ptr [ecx+13Eh],bx
  439. 81ee811e 7505 jne nt!CmUnRegisterCallback+0x496 (81ee8125)
  440. nt!CmUnRegisterCallback+0x491:
  441. 81ee8120 e8e776bbff call nt!KiCheckForKernelApcDelivery (81a9f80c)
  442. nt!CmUnRegisterCallback+0x496:
  443. 81ee8125 3975d8 cmp dword ptr [ebp-28h],esi
  444. 81ee8128 7415 je nt!CmUnRegisterCallback+0x4b0 (81ee813f)
  445. nt!CmUnRegisterCallback+0x49b:
  446. 81ee812a 53 push ebx
  447. 81ee812b 6a04 push 4
  448. 81ee812d 8d45d8 lea eax,[ebp-28h]
  449. 81ee8130 50 push eax
  450. 81ee8131 8bd6 mov edx,esi
  451. 81ee8133 b9a817cb81 mov ecx,offset nt!CallbackListDeleteEvent (81cb17a8)
  452. 81ee8138 e83b12c1ff call nt!ExBlockOnAddressPushLock (81af9378)
  453. 81ee813d eb03 jmp nt!CmUnRegisterCallback+0x4b3 (81ee8142)
  454. nt!CmUnRegisterCallback+0x4b0:
  455. 81ee813f 885de7 mov byte ptr [ebp-19h],bl
  456. nt!CmUnRegisterCallback+0x4b3:
  457. 81ee8142 807de700 cmp byte ptr [ebp-19h],0
  458. 81ee8146 0f8537ffffff jne nt!CmUnRegisterCallback+0x3f4 (81ee8083)
  459. nt!CmUnRegisterCallback+0x4bd:
  460. 81ee814c 8b75dc mov esi,dword ptr [ebp-24h]
  461. nt!CmUnRegisterCallback+0x4c0:
  462. 81ee814f 83c8ff or eax,0FFFFFFFFh
  463. 81ee8152 f00fc105b87ecb81 lock xadd dword ptr [nt!CmpCallBackCount (81cb7eb8)],eax
  464. 81ee815a 48 dec eax
  465. 81ee815b 751d jne nt!CmUnRegisterCallback+0x4eb (81ee817a)
  466. nt!CmUnRegisterCallback+0x4ce:
  467. 81ee815d b9b817cb81 mov ecx,offset nt!CmpCallbackContextSList (81cb17b8)
  468. 81ee8162 e809a5cbff call nt!ExInterlockedFlushSList (81ba2670)
  469. 81ee8167 8bf8 mov edi,eax
  470. 81ee8169 eb0b jmp nt!CmUnRegisterCallback+0x4e7 (81ee8176)
  471. nt!CmUnRegisterCallback+0x4dc:
  472. 81ee816b 8bcf mov ecx,edi
  473. 81ee816d 8b3f mov edi,dword ptr [edi]
  474. 81ee816f 53 push ebx
  475. 81ee8170 51 push ecx
  476. 81ee8171 e8aa9edaff call nt!ExFreePoolWithTag (81c92020)
  477. nt!CmUnRegisterCallback+0x4e7:
  478. 81ee8176 85ff test edi,edi
  479. 81ee8178 75f1 jne nt!CmUnRegisterCallback+0x4dc (81ee816b)
  480. nt!CmUnRegisterCallback+0x4eb:
  481. 81ee817a 8b4624 mov eax,dword ptr [esi+24h]
  482. 81ee817d 85c0 test eax,eax
  483. 81ee817f 7407 je nt!CmUnRegisterCallback+0x4f9 (81ee8188)
  484. nt!CmUnRegisterCallback+0x4f2:
  485. 81ee8181 53 push ebx
  486. 81ee8182 50 push eax
  487. 81ee8183 e8989edaff call nt!ExFreePoolWithTag (81c92020)
  488. nt!CmUnRegisterCallback+0x4f9:
  489. 81ee8188 53 push ebx
  490. 81ee8189 56 push esi
  491. 81ee818a e8919edaff call nt!ExFreePoolWithTag (81c92020)
  492. 81ee818f 8b45d4 mov eax,dword ptr [ebp-2Ch]
  493. 81ee8192 eb67 jmp nt!CmUnRegisterCallback+0x56c (81ee81fb)
  494. nt!CmUnRegisterCallback+0x505:
  495. 81ee8194 8b0d9817cb81 mov ecx,dword ptr [nt!CmpCallbackListLock (81cb1798)]
  496. 81ee819a 8bc1 mov eax,ecx
  497. 81ee819c 83e0f0 and eax,0FFFFFFF0h
  498. 81ee819f 83f810 cmp eax,10h
  499. 81ee81a2 8d51f0 lea edx,[ecx-10h]
  500. 81ee81a5 7702 ja nt!CmUnRegisterCallback+0x51a (81ee81a9)
  501. nt!CmUnRegisterCallback+0x518:
  502. 81ee81a7 8bd3 mov edx,ebx
  503. nt!CmUnRegisterCallback+0x51a:
  504. 81ee81a9 f6c102 test cl,2
  505. 81ee81ac 750a jne nt!CmUnRegisterCallback+0x529 (81ee81b8)
  506. nt!CmUnRegisterCallback+0x51f:
  507. 81ee81ae 8bc1 mov eax,ecx
  508. 81ee81b0 f00fb117 lock cmpxchg dword ptr [edi],edx
  509. 81ee81b4 3bc1 cmp eax,ecx
  510. 81ee81b6 7407 je nt!CmUnRegisterCallback+0x530 (81ee81bf)
  511. nt!CmUnRegisterCallback+0x529:
  512. 81ee81b8 8bcf mov ecx,edi
  513. 81ee81ba e8c182bbff call nt!ExfReleasePushLock (81aa0480)
  514. nt!CmUnRegisterCallback+0x530:
  515. 81ee81bf 8bcf mov ecx,edi
  516. 81ee81c1 e89a84c4ff call nt!KeAbPostRelease (81b30660)
  517. 81ee81c6 648b0d24010000 mov ecx,dword ptr fs:[124h]
  518. 81ee81cd 0fbf813c010000 movsx eax,word ptr [ecx+13Ch]
  519. 81ee81d4 40 inc eax
  520. 81ee81d5 6689813c010000 mov word ptr [ecx+13Ch],ax
  521. 81ee81dc 6685c0 test ax,ax
  522. 81ee81df 7515 jne nt!CmUnRegisterCallback+0x567 (81ee81f6)
  523. nt!CmUnRegisterCallback+0x552:
  524. 81ee81e1 8d4170 lea eax,[ecx+70h]
  525. 81ee81e4 3900 cmp dword ptr [eax],eax
  526. 81ee81e6 740e je nt!CmUnRegisterCallback+0x567 (81ee81f6)
  527. nt!CmUnRegisterCallback+0x559:
  528. 81ee81e8 6639993e010000 cmp word ptr [ecx+13Eh],bx
  529. 81ee81ef 7505 jne nt!CmUnRegisterCallback+0x567 (81ee81f6)
  530. nt!CmUnRegisterCallback+0x562:
  531. 81ee81f1 e81676bbff call nt!KiCheckForKernelApcDelivery (81a9f80c)
  532. nt!CmUnRegisterCallback+0x567:
  533. 81ee81f6 b80d0000c0 mov eax,0C000000Dh
  534. nt!CmUnRegisterCallback+0x56c:
  535. 81ee81fb e8f545cbff call nt!_SEH_epilog4 (81b9c7f5)
  536. 81ee8200 c20800 ret 8

Win10 64 位 CmUnRegisterCallback（`kd> uf` 反汇编；基址随 KASLR 变化，只有相对偏移有意义）。注意特征码在同一函数内并不唯一：下面第 23 行的 `lea rcx,[nt!CallbackListHead]` 是 48 8D 0D 的首个命中，而第 56、209、221 行的 48 8D 0D 引用的是 CallbackListDeleteEvent / CmpCallbackContextSList；上面 32 位列表中的 B9（`mov ecx,offset`）在第 451、467 行同样指向其他全局变量。因此扫描必须取函数内的首个命中，并在使用前校验得到的地址确实落在 ntoskrnl 数据段内且满足 LIST_ENTRY 的 Flink/Blink 互指关系，否则在不同补丁版本上会误删其他链表。

  1. kd> uf CmUnRegisterCallback
  2. nt!CmUnRegisterCallback:
  3. fffff800`a0a5b718 4c8bdc mov r11,rsp
  4. fffff800`a0a5b71b 49894b08 mov qword ptr [r11+8],rcx
  5. fffff800`a0a5b71f 53 push rbx
  6. fffff800`a0a5b720 56 push rsi
  7. fffff800`a0a5b721 57 push rdi
  8. fffff800`a0a5b722 4154 push r12
  9. fffff800`a0a5b724 4155 push r13
  10. fffff800`a0a5b726 4156 push r14
  11. fffff800`a0a5b728 4157 push r15
  12. fffff800`a0a5b72a 4881ec80000000 sub rsp,80h
  13. fffff800`a0a5b731 498363a800 and qword ptr [r11-58h],0
  14. fffff800`a0a5b736 33c0 xor eax,eax
  15. fffff800`a0a5b738 498943b0 mov qword ptr [r11-50h],rax
  16. fffff800`a0a5b73c 498943b8 mov qword ptr [r11-48h],rax
  17. fffff800`a0a5b740 49214380 and qword ptr [r11-80h],rax
  18. fffff800`a0a5b744 e8a318f6ff call nt!CmpLockCallbackListExclusive (fffff800`a09bcfec)
  19. fffff800`a0a5b749 be00000080 mov esi,80000000h
  20. nt!CmUnRegisterCallback+0x36:
  21. fffff800`a0a5b74e 4533c0 xor r8d,r8d
  22. fffff800`a0a5b751 488d542438 lea rdx,[rsp+38h]
  23. fffff800`a0a5b756 488d0d83cfd1ff lea rcx,[nt!CallbackListHead (fffff800`a07786e0)]
  24. fffff800`a0a5b75d e8ba6aefff call nt!CmListGetNextElement (fffff800`a095221c)
  25. fffff800`a0a5b762 488bf8 mov rdi,rax
  26. fffff800`a0a5b765 4889442440 mov qword ptr [rsp+40h],rax
  27. fffff800`a0a5b76a 4885c0 test rax,rax
  28. fffff800`a0a5b76d 0f84c8020000 je nt!CmUnRegisterCallback+0x323 (fffff800`a0a5ba3b)
  29. nt!CmUnRegisterCallback+0x5b:
  30. fffff800`a0a5b773 488b8c24c0000000 mov rcx,qword ptr [rsp+0C0h]
  31. fffff800`a0a5b77b 48394818 cmp qword ptr [rax+18h],rcx
  32. fffff800`a0a5b77f 75cd jne nt!CmUnRegisterCallback+0x36 (fffff800`a0a5b74e)
  33. nt!CmUnRegisterCallback+0x69:
  34. fffff800`a0a5b781 8b4810 mov ecx,dword ptr [rax+10h]
  35. fffff800`a0a5b784 898c24d0000000 mov dword ptr [rsp+0D0h],ecx
  36. fffff800`a0a5b78b 8bc1 mov eax,ecx
  37. fffff800`a0a5b78d 85c0 test eax,eax
  38. fffff800`a0a5b78f 7464 je nt!CmUnRegisterCallback+0xdd (fffff800`a0a5b7f5)
  39. nt!CmUnRegisterCallback+0x79:
  40. fffff800`a0a5b791 85c6 test esi,eax
  41. fffff800`a0a5b793 75b9 jne nt!CmUnRegisterCallback+0x36 (fffff800`a0a5b74e)
  42. nt!CmUnRegisterCallback+0x7d:
  43. fffff800`a0a5b795 488d5f10 lea rbx,[rdi+10h]
  44. fffff800`a0a5b799 f0810b00000080 lock or dword ptr [rbx],80000000h
  45. fffff800`a0a5b7a0 e80b92ebff call nt!CmpUnlockCallbackList (fffff800`a09149b0)
  46. nt!CmUnRegisterCallback+0x8d:
  47. fffff800`a0a5b7a5 8b03 mov eax,dword ptr [rbx]
  48. fffff800`a0a5b7a7 898424d0000000 mov dword ptr [rsp+0D0h],eax
  49. fffff800`a0a5b7ae 3bc6 cmp eax,esi
  50. fffff800`a0a5b7b0 7425 je nt!CmUnRegisterCallback+0xbf (fffff800`a0a5b7d7)
  51. nt!CmUnRegisterCallback+0x9a:
  52. fffff800`a0a5b7b2 488364242000 and qword ptr [rsp+20h],0
  53. fffff800`a0a5b7b8 41b904000000 mov r9d,4
  54. fffff800`a0a5b7be 4c8d8424d0000000 lea r8,[rsp+0D0h]
  55. fffff800`a0a5b7c6 488bd3 mov rdx,rbx
  56. fffff800`a0a5b7c9 488d0d20cfd1ff lea rcx,[nt!CallbackListDeleteEvent (fffff800`a07786f0)]
  57. fffff800`a0a5b7d0 e8934fb1ff call nt!ExBlockOnAddressPushLock (fffff800`a0570768)
  58. fffff800`a0a5b7d5 ebce jmp nt!CmUnRegisterCallback+0x8d (fffff800`a0a5b7a5)
  59. nt!CmUnRegisterCallback+0xbf:
  60. fffff800`a0a5b7d7 e81018f6ff call nt!CmpLockCallbackListExclusive (fffff800`a09bcfec)
  61. fffff800`a0a5b7dc 488b0f mov rcx,qword ptr [rdi]
  62. fffff800`a0a5b7df 488b4708 mov rax,qword ptr [rdi+8]
  63. fffff800`a0a5b7e3 48397908 cmp qword ptr [rcx+8],rdi
  64. fffff800`a0a5b7e7 7505 jne nt!CmUnRegisterCallback+0xd6 (fffff800`a0a5b7ee)
  65. nt!CmUnRegisterCallback+0xd1:
  66. fffff800`a0a5b7e9 483938 cmp qword ptr [rax],rdi
  67. fffff800`a0a5b7ec 7421 je nt!CmUnRegisterCallback+0xf7 (fffff800`a0a5b80f)
  68. nt!CmUnRegisterCallback+0xd6:
  69. fffff800`a0a5b7ee b903000000 mov ecx,3
  70. fffff800`a0a5b7f3 cd29 int 29h
  71. nt!CmUnRegisterCallback+0xdd:
  72. fffff800`a0a5b7f5 488b0f mov rcx,qword ptr [rdi]
  73. fffff800`a0a5b7f8 488b4708 mov rax,qword ptr [rdi+8]
  74. fffff800`a0a5b7fc 48397908 cmp qword ptr [rcx+8],rdi
  75. fffff800`a0a5b800 0f852e020000 jne nt!CmUnRegisterCallback+0x31c (fffff800`a0a5ba34)
  76. nt!CmUnRegisterCallback+0xee:
  77. fffff800`a0a5b806 483938 cmp qword ptr [rax],rdi
  78. fffff800`a0a5b809 0f8525020000 jne nt!CmUnRegisterCallback+0x31c (fffff800`a0a5ba34)
  79. nt!CmUnRegisterCallback+0xf7:
  80. fffff800`a0a5b80f 488908 mov qword ptr [rax],rcx
  81. fffff800`a0a5b812 48894108 mov qword ptr [rcx+8],rax
  82. fffff800`a0a5b816 e89591ebff call nt!CmpUnlockCallbackList (fffff800`a09149b0)
  83. fffff800`a0a5b81b 4533ff xor r15d,r15d
  84. fffff800`a0a5b81e 4489bc24d8000000 mov dword ptr [rsp+0D8h],r15d
  85. fffff800`a0a5b826 488d442450 lea rax,[rsp+50h]
  86. fffff800`a0a5b82b 4889442458 mov qword ptr [rsp+58h],rax
  87. fffff800`a0a5b830 488d442450 lea rax,[rsp+50h]
  88. fffff800`a0a5b835 4889442450 mov qword ptr [rsp+50h],rax
  89. fffff800`a0a5b83a 4032f6 xor sil,sil
  90. fffff800`a0a5b83d 4088b424c8000000 mov byte ptr [rsp+0C8h],sil
  91. fffff800`a0a5b845 e86a900000 call nt!CmpLockContextListExclusive (fffff800`a0a648b4)
  92. fffff800`a0a5b84a 4c8d6740 lea r12,[rdi+40h]
  93. fffff800`a0a5b84e 498b1c24 mov rbx,qword ptr [r12]
  94. nt!CmUnRegisterCallback+0x13a:
  95. fffff800`a0a5b852 48895c2430 mov qword ptr [rsp+30h],rbx
  96. fffff800`a0a5b857 493bdc cmp rbx,r12
  97. fffff800`a0a5b85a 0f8497000000 je nt!CmUnRegisterCallback+0x1df (fffff800`a0a5b8f7)
  98. nt!CmUnRegisterCallback+0x148:
  99. fffff800`a0a5b860 4c8b2b mov r13,qword ptr [rbx]
  100. fffff800`a0a5b863 4c8d73f0 lea r14,[rbx-10h]
  101. fffff800`a0a5b867 498b4e30 mov rcx,qword ptr [r14+30h]
  102. fffff800`a0a5b86b e85017aeff call nt!ObReferenceObjectSafe (fffff800`a053cfc0)
  103. fffff800`a0a5b870 84c0 test al,al
  104. fffff800`a0a5b872 745b je nt!CmUnRegisterCallback+0x1b7 (fffff800`a0a5b8cf)
  105. nt!CmUnRegisterCallback+0x15c:
  106. fffff800`a0a5b874 498d4610 lea rax,[r14+10h]
  107. fffff800`a0a5b878 488b10 mov rdx,qword ptr [rax]
  108. fffff800`a0a5b87b 488b4808 mov rcx,qword ptr [rax+8]
  109. fffff800`a0a5b87f 48394208 cmp qword ptr [rdx+8],rax
  110. fffff800`a0a5b883 756b jne nt!CmUnRegisterCallback+0x1d8 (fffff800`a0a5b8f0)
  111. nt!CmUnRegisterCallback+0x16d:
  112. fffff800`a0a5b885 483901 cmp qword ptr [rcx],rax
  113. fffff800`a0a5b888 7566 jne nt!CmUnRegisterCallback+0x1d8 (fffff800`a0a5b8f0)
  114. nt!CmUnRegisterCallback+0x172:
  115. fffff800`a0a5b88a 488911 mov qword ptr [rcx],rdx
  116. fffff800`a0a5b88d 48894a08 mov qword ptr [rdx+8],rcx
  117. fffff800`a0a5b891 498b0e mov rcx,qword ptr [r14]
  118. fffff800`a0a5b894 498b4608 mov rax,qword ptr [r14+8]
  119. fffff800`a0a5b898 4c397108 cmp qword ptr [rcx+8],r14
  120. fffff800`a0a5b89c 754b jne nt!CmUnRegisterCallback+0x1d1 (fffff800`a0a5b8e9)
  121. nt!CmUnRegisterCallback+0x186:
  122. fffff800`a0a5b89e 4c3930 cmp qword ptr [rax],r14
  123. fffff800`a0a5b8a1 7546 jne nt!CmUnRegisterCallback+0x1d1 (fffff800`a0a5b8e9)
  124. nt!CmUnRegisterCallback+0x18b:
  125. fffff800`a0a5b8a3 488908 mov qword ptr [rax],rcx
  126. fffff800`a0a5b8a6 48894108 mov qword ptr [rcx+8],rax
  127. fffff800`a0a5b8aa 488b442458 mov rax,qword ptr [rsp+58h]
  128. fffff800`a0a5b8af 488d4c2450 lea rcx,[rsp+50h]
  129. fffff800`a0a5b8b4 48890b mov qword ptr [rbx],rcx
  130. fffff800`a0a5b8b7 48894308 mov qword ptr [rbx+8],rax
  131. fffff800`a0a5b8bb 488d4c2450 lea rcx,[rsp+50h]
  132. fffff800`a0a5b8c0 483908 cmp qword ptr [rax],rcx
  133. fffff800`a0a5b8c3 751d jne nt!CmUnRegisterCallback+0x1ca (fffff800`a0a5b8e2)
  134. nt!CmUnRegisterCallback+0x1ad:
  135. fffff800`a0a5b8c5 488918 mov qword ptr [rax],rbx
  136. fffff800`a0a5b8c8 48895c2458 mov qword ptr [rsp+58h],rbx
  137. fffff800`a0a5b8cd eb0b jmp nt!CmUnRegisterCallback+0x1c2 (fffff800`a0a5b8da)
  138. nt!CmUnRegisterCallback+0x1b7:
  139. fffff800`a0a5b8cf 40b601 mov sil,1
  140. fffff800`a0a5b8d2 4088b424c8000000 mov byte ptr [rsp+0C8h],sil
  141. nt!CmUnRegisterCallback+0x1c2:
  142. fffff800`a0a5b8da 498bdd mov rbx,r13
  143. fffff800`a0a5b8dd e970ffffff jmp nt!CmUnRegisterCallback+0x13a (fffff800`a0a5b852)
  144. nt!CmUnRegisterCallback+0x1ca:
  145. fffff800`a0a5b8e2 b903000000 mov ecx,3
  146. fffff800`a0a5b8e7 cd29 int 29h
  147. nt!CmUnRegisterCallback+0x1d1:
  148. fffff800`a0a5b8e9 b903000000 mov ecx,3
  149. fffff800`a0a5b8ee cd29 int 29h
  150. nt!CmUnRegisterCallback+0x1d8:
  151. fffff800`a0a5b8f0 b903000000 mov ecx,3
  152. fffff800`a0a5b8f5 cd29 int 29h
  153. nt!CmUnRegisterCallback+0x1df:
  154. fffff800`a0a5b8f7 e8d0910000 call nt!CmpUnlockContextList (fffff800`a0a64acc)
  155. nt!CmUnRegisterCallback+0x1e4:
  156. fffff800`a0a5b8fc 488d4c2450 lea rcx,[rsp+50h]
  157. fffff800`a0a5b901 488b442450 mov rax,qword ptr [rsp+50h]
  158. fffff800`a0a5b906 483bc1 cmp rax,rcx
  159. fffff800`a0a5b909 0f848c000000 je nt!CmUnRegisterCallback+0x283 (fffff800`a0a5b99b)
  160. nt!CmUnRegisterCallback+0x1f7:
  161. fffff800`a0a5b90f 488b08 mov rcx,qword ptr [rax]
  162. fffff800`a0a5b912 488d542450 lea rdx,[rsp+50h]
  163. fffff800`a0a5b917 48395008 cmp qword ptr [rax+8],rdx
  164. fffff800`a0a5b91b 7577 jne nt!CmUnRegisterCallback+0x27c (fffff800`a0a5b994)
  165. nt!CmUnRegisterCallback+0x205:
  166. fffff800`a0a5b91d 48394108 cmp qword ptr [rcx+8],rax
  167. fffff800`a0a5b921 7571 jne nt!CmUnRegisterCallback+0x27c (fffff800`a0a5b994)
  168. nt!CmUnRegisterCallback+0x20b:
  169. fffff800`a0a5b923 48894c2450 mov qword ptr [rsp+50h],rcx
  170. fffff800`a0a5b928 488d542450 lea rdx,[rsp+50h]
  171. fffff800`a0a5b92d 48895108 mov qword ptr [rcx+8],rdx
  172. fffff800`a0a5b931 488d58f0 lea rbx,[rax-10h]
  173. fffff800`a0a5b935 48895c2448 mov qword ptr [rsp+48h],rbx
  174. fffff800`a0a5b93a 488b4330 mov rax,qword ptr [rbx+30h]
  175. fffff800`a0a5b93e 4889442460 mov qword ptr [rsp+60h],rax
  176. fffff800`a0a5b943 488b4338 mov rax,qword ptr [rbx+38h]
  177. fffff800`a0a5b947 4889442468 mov qword ptr [rsp+68h],rax
  178. fffff800`a0a5b94c 4c8d442460 lea r8,[rsp+60h]
  179. fffff800`a0a5b951 ba28000000 mov edx,28h
  180. fffff800`a0a5b956 488b4f20 mov rcx,qword ptr [rdi+20h]
  181. fffff800`a0a5b95a ff5728 call qword ptr [rdi+28h]
  182. fffff800`a0a5b95d eb1a jmp nt!CmUnRegisterCallback+0x261 (fffff800`a0a5b979)
  183. nt!CmUnRegisterCallback+0x261:
  184. fffff800`a0a5b979 488b4b30 mov rcx,qword ptr [rbx+30h]
  185. fffff800`a0a5b97d e87e2da7ff call nt!ObfDereferenceObject (fffff800`a04ce700)
  186. fffff800`a0a5b982 ba434d6363 mov edx,63634D43h
  187. fffff800`a0a5b987 488bcb mov rcx,rbx
  188. fffff800`a0a5b98a e87126c5ff call nt!ExFreePoolWithTag (fffff800`a06ae000)
  189. fffff800`a0a5b98f e968ffffff jmp nt!CmUnRegisterCallback+0x1e4 (fffff800`a0a5b8fc)
  190. nt!CmUnRegisterCallback+0x27c:
  191. fffff800`a0a5b994 b903000000 mov ecx,3
  192. fffff800`a0a5b999 cd29 int 29h
  193. nt!CmUnRegisterCallback+0x283:
  194. fffff800`a0a5b99b 4084f6 test sil,sil
  195. fffff800`a0a5b99e 7442 je nt!CmUnRegisterCallback+0x2ca (fffff800`a0a5b9e2)
  196. nt!CmUnRegisterCallback+0x288:
  197. fffff800`a0a5b9a0 e80f8f0000 call nt!CmpLockContextListExclusive (fffff800`a0a648b4)
  198. fffff800`a0a5b9a5 4c8d7740 lea r14,[rdi+40h]
  199. fffff800`a0a5b9a9 498b1e mov rbx,qword ptr [r14]
  200. fffff800`a0a5b9ac 48895c2430 mov qword ptr [rsp+30h],rbx
  201. fffff800`a0a5b9b1 e816910000 call nt!CmpUnlockContextList (fffff800`a0a64acc)
  202. fffff800`a0a5b9b6 493bde cmp rbx,r14
  203. fffff800`a0a5b9b9 7422 je nt!CmUnRegisterCallback+0x2c5 (fffff800`a0a5b9dd)
  204. nt!CmUnRegisterCallback+0x2a3:
  205. fffff800`a0a5b9bb 488364242000 and qword ptr [rsp+20h],0
  206. fffff800`a0a5b9c1 41b908000000 mov r9d,8
  207. fffff800`a0a5b9c7 4c8d442430 lea r8,[rsp+30h]
  208. fffff800`a0a5b9cc 498bd6 mov rdx,r14
  209. fffff800`a0a5b9cf 488d0d1acdd1ff lea rcx,[nt!CallbackListDeleteEvent (fffff800`a07786f0)]
  210. fffff800`a0a5b9d6 e88d4db1ff call nt!ExBlockOnAddressPushLock (fffff800`a0570768)
  211. fffff800`a0a5b9db ebbe jmp nt!CmUnRegisterCallback+0x283 (fffff800`a0a5b99b)
  212. nt!CmUnRegisterCallback+0x2c5:
  213. fffff800`a0a5b9dd 4032f6 xor sil,sil
  214. fffff800`a0a5b9e0 ebb9 jmp nt!CmUnRegisterCallback+0x283 (fffff800`a0a5b99b)
  215. nt!CmUnRegisterCallback+0x2ca:
  216. fffff800`a0a5b9e2 83c8ff or eax,0FFFFFFFFh
  217. fffff800`a0a5b9e5 f00fc105732ad2ff lock xadd dword ptr [nt!CmpCallBackCount (fffff800`a077e460)],eax
  218. fffff800`a0a5b9ed 83f801 cmp eax,1
  219. fffff800`a0a5b9f0 7523 jne nt!CmUnRegisterCallback+0x2fd (fffff800`a0a5ba15)
  220. nt!CmUnRegisterCallback+0x2da:
  221. fffff800`a0a5b9f2 488d0d0766d2ff lea rcx,[nt!CmpCallbackContextSList (fffff800`a0782000)]
  222. fffff800`a0a5b9f9 e8d29db6ff call nt!ExpInterlockedFlushSList (fffff800`a05c57d0)
  223. fffff800`a0a5b9fe 488bd8 mov rbx,rax
  224. nt!CmUnRegisterCallback+0x2e9:
  225. fffff800`a0a5ba01 4885db test rbx,rbx
  226. fffff800`a0a5ba04 740f je nt!CmUnRegisterCallback+0x2fd (fffff800`a0a5ba15)
  227. nt!CmUnRegisterCallback+0x2ee:
  228. fffff800`a0a5ba06 488bcb mov rcx,rbx
  229. fffff800`a0a5ba09 488b1b mov rbx,qword ptr [rbx]
  230. fffff800`a0a5ba0c 33d2 xor edx,edx
  231. fffff800`a0a5ba0e e8ed25c5ff call nt!ExFreePoolWithTag (fffff800`a06ae000)
  232. fffff800`a0a5ba13 ebec jmp nt!CmUnRegisterCallback+0x2e9 (fffff800`a0a5ba01)
  233. nt!CmUnRegisterCallback+0x2fd:
  234. fffff800`a0a5ba15 488b4f38 mov rcx,qword ptr [rdi+38h]
  235. fffff800`a0a5ba19 4885c9 test rcx,rcx
  236. fffff800`a0a5ba1c 7407 je nt!CmUnRegisterCallback+0x30d (fffff800`a0a5ba25)
  237. nt!CmUnRegisterCallback+0x306:
  238. fffff800`a0a5ba1e 33d2 xor edx,edx
  239. fffff800`a0a5ba20 e8db25c5ff call nt!ExFreePoolWithTag (fffff800`a06ae000)
  240. nt!CmUnRegisterCallback+0x30d:
  241. fffff800`a0a5ba25 33d2 xor edx,edx
  242. fffff800`a0a5ba27 488bcf mov rcx,rdi
  243. fffff800`a0a5ba2a e8d125c5ff call nt!ExFreePoolWithTag (fffff800`a06ae000)
  244. fffff800`a0a5ba2f 418bc7 mov eax,r15d
  245. fffff800`a0a5ba32 eb11 jmp nt!CmUnRegisterCallback+0x32d (fffff800`a0a5ba45)
  246. nt!CmUnRegisterCallback+0x31c:
  247. fffff800`a0a5ba34 b903000000 mov ecx,3
  248. fffff800`a0a5ba39 cd29 int 29h
  249. nt!CmUnRegisterCallback+0x323:
  250. fffff800`a0a5ba3b e8708febff call nt!CmpUnlockCallbackList (fffff800`a09149b0)
  251. fffff800`a0a5ba40 b80d0000c0 mov eax,0C000000Dh
  252. nt!CmUnRegisterCallback+0x32d:
  253. fffff800`a0a5ba45 4881c480000000 add rsp,80h
  254. fffff800`a0a5ba4c 415f pop r15
  255. fffff800`a0a5ba4e 415e pop r14
  256. fffff800`a0a5ba50 415d pop r13
  257. fffff800`a0a5ba52 415c pop r12
  258. fffff800`a0a5ba54 5f pop rdi
  259. fffff800`a0a5ba55 5e pop rsi
  260. fffff800`a0a5ba56 5b pop rbx
  261. fffff800`a0a5ba57 c3 ret
上传的附件：CmRegisterCallback_Enum_Remove_Test.7z（10.92kb）
