среда, 21 января 2015 г.

interrupts in w10 build 9879 64bit

it seems that Microsoft completely removed KiInterruptTemplate in this version of windows and interrutps now stored in KPRCB (like in w8.1)
Lets see on function KiConnectInterrupt

 mov    rax, gs:20h ; load KPCR.CurrentPrcb
 mov    r10, [rax+rdi*8+2E00h] ; KPRCB.InterruptObject
 test   r10, r10
 jnz    short loc_1401006FC
 cmp    [rbx+_KINTERRUPT.SynchronizeIrql], r10b
 jz     loc_1401918E5

loc_1401006A1: 
 mov    r14b, 1
 mov    [rbx+_KINTERRUPT.Connected], r14b
loc_1401006A8:
 mov    rax, gs:20h
 mov    [rax+rdi*8+2E00h], rbx ; store this interrupt in
KPRCB.InterruptObject[rdi]
From this code it's obvious that KINTERRUPTS now stored in KPRCB.InterruptObject

sample of wincheck output from this w10 build:
KInterrupt 35 (FFFFF800F484E000):
 Size F0 type 16
 Flink 0000000000000000
 Blink 0000000000000000
 ServiceRoutine  FFFFF800F4828790 \SystemRoot\system32\hal.dll
 DispatchAddress FFFFF800F499CCF0 
KInterrupt 50 (FFFFD001A9D5FC00):
 Size F0 type 16
 Flink FFFFD001A9D5F708
 Blink FFFFD001A9D5F708
 ServiceRoutine  FFFFF80140293390 \SystemRoot\System32\drivers\storport.sys
 DispatchAddress FFFFF800F499C1C0 
KInterrupt 50 (FFFFD001A9D5F700):
 Size F0 type 16
 Flink FFFFD001A9D5FC08
 Blink FFFFD001A9D5FC08
 ServiceRoutine  FFFFF80141F728C0 \SystemRoot\System32\drivers\HDAudBus.sys
 DispatchAddress FFFFF800F499C8E0 
KInterrupt 60 (FFFFD001A9D5FD00):
 Size F0 type 16
 Flink 0000000000000000
 Blink 0000000000000000
 ServiceRoutine  FFFFF8014020E140 \SystemRoot\System32\drivers\ataport.SYS
 DispatchAddress FFFFF800F499C8E0 
KInterrupt 70 (FFFFD001A9D5FE00):
 Size F0 type 16
 Flink 0000000000000000
 Blink 0000000000000000
 ServiceRoutine  FFFFF8014020E140 \SystemRoot\System32\drivers\ataport.SYS
 DispatchAddress FFFFF800F499C8E0 
KInterrupt 90 (FFFFD001A9D5F900):
 Size F0 type 16
 Flink 0000000000000000
 Blink 0000000000000000
 ServiceRoutine  FFFFF801414E7AD0 \SystemRoot\System32\drivers\i8042prt.sys
 DispatchAddress FFFFF800F499C8E0 
KInterrupt 91 (FFFFD001A9D5F800):
 Size F0 type 16
 Flink 0000000000000000
 Blink 0000000000000000
 ServiceRoutine  FFFFF80140658710 \SystemRoot\system32\drivers\ndis.sys
 DispatchAddress FFFFF800F499C8E0 
KInterrupt A0 (FFFFD001A9D5FA00):
 Size F0 type 16
 Flink 0000000000000000
 Blink 0000000000000000
 ServiceRoutine  FFFFF801414E5F10 \SystemRoot\System32\drivers\i8042prt.sys
 DispatchAddress FFFFF800F499C8E0 
KInterrupt A1 (FFFFD001A9D5F600):
 Size F0 type 16
 Flink 0000000000000000
 Blink 0000000000000000
 ServiceRoutine  FFFFF80141A03680 \SystemRoot\System32\drivers\USBPORT.SYS
 DispatchAddress FFFFF800F499C8E0 
KInterrupt B0 (FFFFD001A9D5FF00):
 Size F0 type 16
 Flink 0000000000000000
 Blink 0000000000000000
 ServiceRoutine  FFFFF8013FE8E710 \SystemRoot\System32\drivers\ACPI.sys
 DispatchAddress FFFFF800F499C8E0 
KInterrupt B1 (FFFFD001A9D5FB00):
 Size F0 type 16
 Flink 0000000000000000
 Blink 0000000000000000
 ServiceRoutine  FFFFF801417612A0 \SystemRoot\system32\DRIVERS\VBoxGuest.sys
 DispatchAddress FFFFF800F499C8E0 
KInterrupt CE (FFFFF800F484E870):
 Size F0 type 16
 Flink 0000000000000000
 Blink 0000000000000000
 ServiceRoutine  FFFFF800F482DE98 \SystemRoot\system32\hal.dll
 DispatchAddress FFFFF800F499CCF0 
KInterrupt D1 (FFFFF800F484E780):
 Size F0 type 16
 Flink 0000000000000000
 Blink 0000000000000000
 ServiceRoutine  FFFFF800F4803BA0 \SystemRoot\system32\hal.dll
 DispatchAddress FFFFF800F499CEE0 
KInterrupt D2 (FFFFF800F484E690):
 Size F0 type 16
 Flink 0000000000000000
 Blink 0000000000000000
 ServiceRoutine  FFFFF800F48049A0 \SystemRoot\system32\hal.dll
 DispatchAddress FFFFF800F499CEE0 
KInterrupt D7 (FFFFF800F484E4B0):
 Size F0 type 16
 Flink 0000000000000000
 Blink 0000000000000000
 ServiceRoutine  FFFFF800F48287B4 \SystemRoot\system32\hal.dll
 DispatchAddress FFFFF800F499CCF0 
KInterrupt D8 (FFFFF800F484E2D0):
 Size F0 type 16
 Flink 0000000000000000
 Blink 0000000000000000
 ServiceRoutine  FFFFF800F4828818 \SystemRoot\system32\hal.dll
 DispatchAddress FFFFF800F499CCF0 
KInterrupt DF (FFFFF800F484E1E0):
 Size F0 type 16
 Flink 0000000000000000
 Blink 0000000000000000
 ServiceRoutine  FFFFF800F48287F8 \SystemRoot\system32\hal.dll
 DispatchAddress FFFFF800F499D2B0 
KInterrupt E2 (FFFFF800F484E3C0):
 Size F0 type 16
 Flink 0000000000000000
 Blink 0000000000000000
 ServiceRoutine  FFFFF800F480A2E8 \SystemRoot\system32\hal.dll
 DispatchAddress FFFFF800F499CCF0 
KInterrupt E3 (FFFFF800F484E0F0):
 Size F0 type 16
 Flink 0000000000000000
 Blink 0000000000000000
 ServiceRoutine  FFFFF800F48287A0 \SystemRoot\system32\hal.dll
 DispatchAddress FFFFF800F499CCF0 
KInterrupt FE (FFFFF800F484E5A0):
 Size F0 type 16
 Flink 0000000000000000
 Blink 0000000000000000
 ServiceRoutine  FFFFF800F4826570 \SystemRoot\system32\hal.dll
 DispatchAddress FFFFF800F499CEE0 

Автор: redp на 15:41
Ярлыки: , , ,

Комментариев нет:

Отправить комментарий

Подписаться на: Комментарии к сообщению (Atom)