Displaying the IDT Information of Each CPU
Published: 2019-06-27


correy · 2015/02/06 10:25

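0x00 Introduction


I remember reading protected-mode tutorials in 2008 and struggling with all the bit fields and other complicated structures. Later I entered this line of work and wrote drivers for a few years. Only then did I gain some understanding of these CPU fundamentals.

The IDT, the Interrupt Descriptor Table, is such a basic thing that one really has to know it. There is already plenty of material on IDT hooking, but that is not what this post is about (it is not recommended on 64-bit Windows, unless...); the aim here is detecting IDT hooks and moving on toward processor virtualization.

Enough small talk, on to the topic. The reason I had not done this earlier is that I could not find authoritative, workable material, specifically the structure definitions.

0x01 start


The basic principles of protected mode are not covered here; the reader is assumed to know them already.

Now to the main topic. Where to start? The IDT is located through the IDTR register.

First analyze it by hand in WinDbg, then implement it in code.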

```
0: kd> r idtr
idtr=8003f400
```

How big is this IDT?

```
0: kd> r idtl
idtl=000007ff
```

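The size is simply this value plus one, i.e. 0x800 bytes.

The address and the size are known; the key question is the structure. What does the IDT look like?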

```
0: kd> dt _KIDTENTRY
ntdll!_KIDTENTRY
   +0x000 Offset           : Uint2B
   +0x002 Selector         : Uint2B
   +0x004 Access           : Uint2B
   +0x006 ExtendedOffset   : Uint2B
```

That is all.

The IDT is simply an array of this structure.

Now look at the first element.

```
0: kd> dt _KIDTENTRY 8003f400
ntdll!_KIDTENTRY
   +0x000 Offset           : 0x3360
   +0x002 Selector         : 8
   +0x004 Access           : 0x8e00
   +0x006 ExtendedOffset   : 0x8054
```

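For the exact meaning of this structure, see the Intel manuals or related material.

Taking ExtendedOffset as the high 16 bits and Offset as the low 16 bits, the computed handler address is 0x80543360.

One way to verify it: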

```
0: kd> u 0x80543360
nt!KiTrap00:
80543360 6a00            push    0
80543362 66c74424020000  mov     word ptr [esp+2],0
80543369 55              push    ebp
8054336a 53              push    ebx
8054336b 56              push    esi
8054336c 57              push    edi
8054336d 0fa0            push    fs
8054336f bb30000000      mov     ebx,30h
```

See? The result is correct.

Another way:

```
0: kd> !idt -a
```

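Note: the parameter is required; otherwise the interrupts that live in NTOS*.EXE are not shown.

This completes the sample analysis of one CPU's IDT on x86.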
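The address calculation and gate fields from the walkthrough above, as an added example that is not part of the original post: a user-mode C program that decodes gates with the `_KIDTENTRY` layout, derives the entry count from the IDTR limit, and flags interrupt/trap handlers lying outside a list of expected module ranges, which is the comparison an IDT-hook check performs. Entry 0 is the gate dumped at 8003f400; the other entries, the module ranges and all function names are constructed for illustration.

```c
/* Added example, not the original author's code: decode x86 IDT gates
 * and flag handlers that fall outside the expected module ranges. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same 8-byte layout as nt!_KIDTENTRY in the dt output above. */
typedef struct {
    uint16_t Offset;         /* handler address, bits 0..15 */
    uint16_t Selector;       /* code segment, or TSS for a task gate */
    uint16_t Access;         /* bit 15 P, bits 13..14 DPL, bits 8..12 type */
    uint16_t ExtendedOffset; /* handler address, bits 16..31 */
} IdtEntry32;

typedef enum { GATE_ABSENT, GATE_TASK, GATE_INTERRUPT, GATE_TRAP, GATE_OTHER } GateKind;

/* Half-open range [start, end) of code allowed to own a vector. */
typedef struct { uint32_t start, end; const char *name; } CodeRange;

/* The IDTR limit is the offset of the last byte: size = limit + 1. */
size_t idt_entry_count(uint16_t limit, size_t entry_size)
{
    return ((size_t)limit + 1) / entry_size;
}

uint32_t idt32_handler(const IdtEntry32 *e)
{
    return ((uint32_t)e->ExtendedOffset << 16) | e->Offset;
}

/* x64 gates split the address in three parts. Widen before shifting:
 * a 16-bit value promoted to int is sign-extended if bit 15 is set. */
uint64_t idt64_handler(uint16_t low, uint16_t middle, uint32_t high)
{
    return ((uint64_t)high << 32) | ((uint64_t)middle << 16) | low;
}

int idt32_dpl(const IdtEntry32 *e) { return (e->Access >> 13) & 3; }

GateKind idt32_kind(const IdtEntry32 *e)
{
    if (!(e->Access & 0x8000)) return GATE_ABSENT;
    switch ((e->Access >> 8) & 0x1f) {
    case 0x05: return GATE_TASK;      /* dispatches through a TSS selector */
    case 0x0e: return GATE_INTERRUPT; /* 32-bit interrupt gate */
    case 0x0f: return GATE_TRAP;      /* 32-bit trap gate */
    default:   return GATE_OTHER;
    }
}

const CodeRange *find_range(uint32_t addr, const CodeRange *r, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= r[i].start && addr < r[i].end) return &r[i];
    return NULL;
}

/* Records vectors whose interrupt/trap handler is in no expected range.
 * Returns the number found (only the first `cap` are stored). */
size_t idt32_audit(const IdtEntry32 *idt, size_t count,
                   const CodeRange *ranges, size_t nranges,
                   uint8_t *suspects, size_t cap)
{
    size_t found = 0;
    for (size_t v = 0; v < count; v++) {
        GateKind k = idt32_kind(&idt[v]);
        if (k != GATE_INTERRUPT && k != GATE_TRAP) continue;
        if (find_range(idt32_handler(&idt[v]), ranges, nranges)) continue;
        if (found < cap) suspects[found] = (uint8_t)v;
        found++;
    }
    return found;
}

/* Entry 0 is the gate dumped at 8003f400 above; 1..4 are constructed. */
static const IdtEntry32 sample_idt[] = {
    { 0x3360, 0x0008, 0x8e00, 0x8054 },
    { 0x113e, 0x0058, 0x8500, 0x0000 }, /* task gate */
    { 0x38f0, 0x0008, 0xee00, 0x8054 }, /* interrupt gate, DPL 3 */
    { 0x0000, 0x0008, 0x0000, 0x0000 }, /* unused vector */
    { 0xc010, 0x0008, 0x8e00, 0xf8b2 }, /* handler outside all ranges */
};
/* Hypothetical module ranges; a real check reads the loaded-module list. */
static const CodeRange sample_ranges[] = {
    { 0x804d7000u, 0x806e4000u, "nt" },
    { 0x806e4000u, 0x80704000u, "hal" },
};

int main(void)
{
    uint8_t s[8];
    size_t n = sizeof sample_idt / sizeof sample_idt[0];
    size_t bad = idt32_audit(sample_idt, n, sample_ranges, 2, s, 8);
    printf("vector 00 handler=%08x entries=%zu\n",
           (unsigned)idt32_handler(&sample_idt[0]), idt_entry_count(0x7ff, 8));
    for (size_t i = 0; i < bad && i < 8; i++)
        printf("vector %02x: handler outside expected ranges\n", (unsigned)s[i]);
    return 0;
}
```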

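The remaining CPUs and x64 are analyzed in a similar way; see the attachment for the details.

This can also serve as homework for the reader. Finishing it means you have understood this post.

Some brief notes on the coding:

1. First, multiple CPUs.


Early Windows versions can use the kernel-exported variable KeNumberProcessors.

On newer versions, look for functions in the KeGet* or KeQuery* families.

2. Binding to a CPU (more precisely, binding the thread). See: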

KeSetSystemAffinityThread

KeRevertToUserAffinityThread

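3. Because these are low-level operations, most of them are implemented in assembly. Fortunately Microsoft provides:

__sidt, see: http://msdn.microsoft.com/zh-cn/library/aa983358%28v=vs.120%29.aspx

Another approach is KeGetPcr().

On x86 you can implement this yourself; it too is just a wrapper around an assembly instruction.

On x64 it can be called directly.

4. If you want to hook, see the following two links: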

_disable https://msdn.microsoft.com/zh-cn/library/y14401ab(v=vs.90).aspx

_enable https://msdn.microsoft.com/zh-cn/library/ad820yz3(v=vs.90).aspx

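5. The actual coding and handling are up to you.

One more note: on 32-bit, the IDTR contents (as stored by SIDT) can be described with this structure: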

```c
// Special Registers for i386
typedef struct _X86_DESCRIPTOR {
    USHORT  Pad;
    USHORT  Limit;
    ULONG   Base;
} X86_DESCRIPTOR, *PX86_DESCRIPTOR;
```

The same layout in the debugger (note: this structure does not exist on 64-bit):

```
kd> dt _DESCRIPTOR
nt!_DESCRIPTOR
   +0x000 Pad              : Uint2B
   +0x002 Limit            : Uint2B
   +0x004 Base             : Uint4B
```

On 64-bit, the IDTR contents can be described with this structure:

```c
// Special Registers for AMD64.
typedef struct _AMD64_DESCRIPTOR {
    USHORT  Pad[3];
    USHORT  Limit;
    ULONG64 Base;
} AMD64_DESCRIPTOR, *PAMD64_DESCRIPTOR;
```

The same layout in the debugger (note: the environment here is a 64-bit system):

```
1: kd> dt _AMD64_DESCRIPTOR
test!_AMD64_DESCRIPTOR
   +0x000 Pad              : [3] Uint2B
   +0x006 Limit            : Uint2B
   +0x008 Base             : Uint8B
```

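Enough talk: here is the rough code. Note: the structures above are taken from WRK. This was written in a hurry; please point out any shortcomings.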


```c
/*
Purpose: display the IDT information of every CPU.
Note: the structures below are taken from WRK.
References:
http://uninformed.org/index.cgi?v=8&a=2&p=8
http://resources.infosecinstitute.com/hooking-idt/

made by correy.
made at 2015.01.05.
*/

#include <ntddk.h>   /* kernel-mode definitions (KdPrint, KAFFINITY, ...) */
#include <intrin.h>  /* __sidt */

typedef VOID (*PKINTERRUPT_ROUTINE) (VOID);

struct _KINTERRUPT;

// begin_ntddk begin_wdm begin_ntifs begin_ntosp

typedef BOOLEAN (*PKSERVICE_ROUTINE) (
    IN struct _KINTERRUPT *Interrupt,
    IN PVOID ServiceContext
    );

#define NORMAL_DISPATCH_LENGTH 106                  // ntddk wdm
#define DISPATCH_LENGTH NORMAL_DISPATCH_LENGTH      // ntddk wdm

// Interrupt object
typedef struct _KINTERRUPT {
    CSHORT Type;
    CSHORT Size;
    LIST_ENTRY InterruptListEntry;
    PKSERVICE_ROUTINE ServiceRoutine;
    PVOID ServiceContext;
    KSPIN_LOCK SpinLock;
    ULONG TickCount;
    PKSPIN_LOCK ActualLock;
    PKINTERRUPT_ROUTINE DispatchAddress;
    ULONG Vector;
    KIRQL Irql;
    KIRQL SynchronizeIrql;
    BOOLEAN FloatingSave;
    BOOLEAN Connected;
    CCHAR Number;
    BOOLEAN ShareVector;
    KINTERRUPT_MODE Mode;
    ULONG ServiceCount;
    ULONG DispatchCount;

#if defined(_AMD64_)
    PKTRAP_FRAME TrapFrame;
    PVOID Reserved;
    ULONG DispatchCode[DISPATCH_LENGTH];
#else
    ULONG DispatchCode[DISPATCH_LENGTH];
#endif
} KINTERRUPT;

#if defined(_WIN64)

// Special Registers for AMD64.
typedef struct _AMD64_DESCRIPTOR {
    USHORT  Pad[3];
    USHORT  Limit;
    ULONG64 Base;
} AMD64_DESCRIPTOR, *PAMD64_DESCRIPTOR;

// Define Interrupt Descriptor Table (IDT) entry structure and constants.
typedef union _KIDTENTRY64 {
    struct {
        USHORT OffsetLow;
        USHORT Selector;
        USHORT IstIndex : 3;
        USHORT Reserved0 : 5;
        USHORT Type : 5;
        USHORT Dpl : 2;
        USHORT Present : 1;
        USHORT OffsetMiddle;
        ULONG OffsetHigh;
        ULONG Reserved1;
    };
    ULONG64 Alignment;
} KIDTENTRY64, *PKIDTENTRY64;

typedef union _KIDT_HANDLER_ADDRESS {
    struct {
        USHORT OffsetLow;
        USHORT OffsetMiddle;
        ULONG OffsetHigh;
    };
    ULONG64 Address;
} KIDT_HANDLER_ADDRESS, *PKIDT_HANDLER_ADDRESS;

#define KiGetIdtFromVector(Vector)                  \
    &KeGetPcr()->IdtBase[HalVectorToIDTEntry(Vector)]

#define KeGetIdtHandlerAddress(Vector,Addr) {       \
    KIDT_HANDLER_ADDRESS Handler;                   \
    PKIDTENTRY64 Idt;                               \
                                                    \
    Idt = KiGetIdtFromVector(Vector);               \
    Handler.OffsetLow = Idt->OffsetLow;             \
    Handler.OffsetMiddle = Idt->OffsetMiddle;       \
    Handler.OffsetHigh = Idt->OffsetHigh;           \
    *(Addr) = (PVOID)(Handler.Address);             \
}

#define KeSetIdtHandlerAddress(Vector,Addr) {       \
    KIDT_HANDLER_ADDRESS Handler;                   \
    PKIDTENTRY64 Idt;                               \
                                                    \
    Idt = KiGetIdtFromVector(Vector);               \
    Handler.Address = (ULONG64)(Addr);              \
    Idt->OffsetLow = Handler.OffsetLow;             \
    Idt->OffsetMiddle = Handler.OffsetMiddle;       \
    Idt->OffsetHigh = Handler.OffsetHigh;           \
}

#else

// Special Registers for i386
typedef struct _X86_DESCRIPTOR {
    USHORT  Pad;
    USHORT  Limit;
    ULONG   Base;
} X86_DESCRIPTOR, *PX86_DESCRIPTOR;

// Entry of Interrupt Descriptor Table (IDTENTRY)
typedef struct _KIDTENTRY {
    USHORT Offset;
    USHORT Selector;
    USHORT Access;
    USHORT ExtendedOffset;
} KIDTENTRY;

typedef KIDTENTRY *PKIDTENTRY;

// begin_nthal
//
// Macro to set address of a trap/interrupt handler to IDT
//
#define KiSetHandlerAddressToIDT(Vector, HandlerAddress) {\
    UCHAR IDTEntry = HalVectorToIDTEntry(Vector); \
    ULONG Ha = (ULONG)HandlerAddress; \
    KeGetPcr()->IDT[IDTEntry].ExtendedOffset = HIGHWORD(Ha); \
    KeGetPcr()->IDT[IDTEntry].Offset = LOWWORD(Ha); \
}

//
// Macro to return address of a trap/interrupt handler in IDT
//
#define KiReturnHandlerAddressFromIDT(Vector) \
    MAKEULONG(KiPcr()->IDT[HalVectorToIDTEntry(Vector)].ExtendedOffset, KiPcr()->IDT[HalVectorToIDTEntry(Vector)].Offset)

#endif


DRIVER_UNLOAD DriverUnload;
VOID DriverUnload(__in PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
}


#if defined(_WIN64)

void show_idt(int i) /* i may be 0. */
{
    AMD64_DESCRIPTOR idtr = {0};
    int index = 0;
    int maximun = 0;
    PKIDTENTRY64 pkidte = 0;
    ULONG64 ISR = 0;

    // The affinity argument is a bit mask: bit i selects CPU i.
    KeSetSystemAffinityThread((KAFFINITY)1 << i);
    // SIDT stores the 2-byte limit followed by the 8-byte base,
    // so point it at Limit. KeGetPcr() can be used here as well!
    __sidt(&idtr.Limit);
    KeRevertToUserAffinityThread();

    pkidte = (PKIDTENTRY64)idtr.Base;

    // idtr.Limit == 0xfff; the table is Limit + 1 bytes, so this is also 256.
    maximun = (int)((idtr.Limit + 1) / sizeof(KIDTENTRY64));

    for ( ; index < maximun; index++)
    {
        PKIDTENTRY64 pkidte_t = &pkidte[index];

        // Widen before shifting so OffsetMiddle is not sign-extended as an int.
        ISR = ((ULONG64)pkidte_t->OffsetHigh << 32) |
              ((ULONG64)pkidte_t->OffsetMiddle << 16) |
              pkidte_t->OffsetLow;

        // Message: "CPU %d, interrupt 0x%02x, handler address: 0x%p"
        if (pkidte_t->IstIndex == 0) {
            KdPrint(("第%d号CPU的第0x%02x中断的地址:0x%p\n", i, index, (PVOID)ISR));
        } else {
            // The stack (IST) information could be retrieved here as well.
            KdPrint(("第%d号CPU的第0x%02x中断的地址:0x%p\n", i, index, (PVOID)ISR));
        }
    }
}

#else

void show_idt(int i) /* i may be 0. */
{
    X86_DESCRIPTOR idtr = {0}; // Receives the contents of the IDTR.
    int index = 0;
    int maximun = 0;
    PKIDTENTRY pkidte;
    ULONG ISR = 0;

    // The affinity argument is a bit mask: bit i selects CPU i.
    KeSetSystemAffinityThread((KAFFINITY)1 << i);
    // http://msdn.microsoft.com/zh-cn/library/aa983358%28v=vs.120%29.aspx
    // Another approach is to implement KeGetPcr() yourself.
    __sidt(&idtr.Limit); // SIDT stores the 2-byte limit followed by the 4-byte base.
    KeRevertToUserAffinityThread();

    pkidte = (PKIDTENTRY)(ULONG_PTR)idtr.Base;

    // The table is Limit + 1 bytes. Limit is normally 2047 == 0x7ff,
    // so maximun is normally 256.
    maximun = (int)((idtr.Limit + 1) / sizeof(KIDTENTRY));

    for ( ; index < maximun; index++)
    {
        PKIDTENTRY pkidte_t = &pkidte[index];

        if (pkidte_t->ExtendedOffset)
        {
            ISR = ((ULONG)pkidte_t->ExtendedOffset << 16) | pkidte_t->Offset;
            // Message: "CPU %d, interrupt 0x%02x, handler address: 0x%p"
            KdPrint(("第%d号CPU的第0x%02x中断的地址:0x%p\n", i, index, (PVOID)(ULONG_PTR)ISR));
        }
        else
        {   // Note: handling of the pkidte_t->ExtendedOffset == 0 case.
            if (pkidte_t->Selector == 8)
            {
                // Message: "CPU %d, interrupt 0x%02x is not used."
                KdPrint(("第%d号CPU的第0x%02x中断没有使用。Offset:0x%x,Access:0x%x.\n", i, index, pkidte_t->Offset, pkidte_t->Access));
            }
            else
            {
                // Message: "CPU %d, interrupt 0x%02x, Task Selector ..."
                KdPrint(("第%d号CPU的第0x%02x中断的Task Selector:0x%x, Offset:0x%x, Access:0x%x。\n", i, index, pkidte_t->Selector, pkidte_t->Offset, pkidte_t->Access));
            }
        }
    }
}

#endif


DRIVER_INITIALIZE DriverEntry;
#pragma alloc_text(INIT, DriverEntry) // Place DriverEntry in the discardable INIT section.
NTSTATUS DriverEntry(__in struct _DRIVER_OBJECT * DriverObject, __in PUNICODE_STRING RegistryPath)
{
    int i = 0;

    UNREFERENCED_PARAMETER(RegistryPath);

    KdBreakPoint();

    DriverObject->DriverUnload = DriverUnload;

    for ( ; i < KeNumberProcessors; i++) // KeQueryMaximumProcessorCount()
    {
        show_idt(i);
    }

    return STATUS_SUCCESS;
}
```

nt!KiUnexpectedInterrupt1542d65dee6000000cb:   805422de nt!KiUnexpectedInterrupt1552d65dee6000000cc:   805422e8 nt!KiUnexpectedInterrupt1562d65dee6000000cd:   805422f2 nt!KiUnexpectedInterrupt1572d65dee6000000ce:   805422fc nt!KiUnexpectedInterrupt1582d65dee6000000cf:   80542306 nt!KiUnexpectedInterrupt1592d65dee6000000d0:   80542310 nt!KiUnexpectedInterrupt1602d65dee6000000d1:   806e72a0 hal!HalpClockInterruptPn2d65dee6000000d2:   80542324 nt!KiUnexpectedInterrupt1622d65dee6000000d3:   8054232e nt!KiUnexpectedInterrupt1632d65dee6000000d4:   80542338 nt!KiUnexpectedInterrupt1642d65dee6000000d5:   80542342 nt!KiUnexpectedInterrupt1652d65dee6000000d6:   8054234c nt!KiUnexpectedInterrupt1662d65dee6000000d7:   80542356 nt!KiUnexpectedInterrupt1672d65dee6000000d8:   80542360 nt!KiUnexpectedInterrupt1682d65dee6000000d9:   8054236a nt!KiUnexpectedInterrupt1692d65dee6000000da:   80542374 nt!KiUnexpectedInterrupt1702d65dee6000000db:   8054237e nt!KiUnexpectedInterrupt1712d65dee6000000dc:   80542388 nt!KiUnexpectedInterrupt1722d65dee6000000dd:   80542392 nt!KiUnexpectedInterrupt1732d65dee6000000de:   8054239c nt!KiUnexpectedInterrupt1742d65dee6000000df:   805423a6 nt!KiUnexpectedInterrupt1752d65dee6000000e0:   805423b0 nt!KiUnexpectedInterrupt1762d65dee6000000e1:   806e8048 hal!HalpIpiHandler2d65dee6000000e2:   805423c4 nt!KiUnexpectedInterrupt1782d65dee6000000e3:   806e7dac hal!HalpLocalApicErrorService2d65dee6000000e4:   805423d8 nt!KiUnexpectedInterrupt1802d65dee6000000e5:   805423e2 nt!KiUnexpectedInterrupt1812d65dee6000000e6:   805423ec nt!KiUnexpectedInterrupt1822d65dee6000000e7:   805423f6 nt!KiUnexpectedInterrupt1832d65dee6000000e8:   80542400 nt!KiUnexpectedInterrupt1842d65dee6000000e9:   8054240a nt!KiUnexpectedInterrupt1852d65dee6000000ea:   80542414 nt!KiUnexpectedInterrupt1862d65dee6000000eb:   8054241e nt!KiUnexpectedInterrupt1872d65dee6000000ec:   80542428 nt!KiUnexpectedInterrupt1882d65dee6000000ed:   80542432 nt!KiUnexpectedInterrupt1892d65dee6000000ee:   
80542439 nt!KiUnexpectedInterrupt1902d65dee6000000ef:   80542440 nt!KiUnexpectedInterrupt1912d65dee6000000f0:   80542447 nt!KiUnexpectedInterrupt1922d65dee6000000f1:   8054244e nt!KiUnexpectedInterrupt1932d65dee6000000f2:   80542455 nt!KiUnexpectedInterrupt1942d65dee6000000f3:   8054245c nt!KiUnexpectedInterrupt1952d65dee6000000f4:   80542463 nt!KiUnexpectedInterrupt1962d65dee6000000f5:   8054246a nt!KiUnexpectedInterrupt1972d65dee6000000f6:   80542471 nt!KiUnexpectedInterrupt1982d65dee6000000f7:   80542478 nt!KiUnexpectedInterrupt1992d65dee6000000f8:   8054247f nt!KiUnexpectedInterrupt2002d65dee6000000f9:   80542486 nt!KiUnexpectedInterrupt2012d65dee6000000fa:   8054248d nt!KiUnexpectedInterrupt2022d65dee6000000fb:   80542494 nt!KiUnexpectedInterrupt2032d65dee6000000fc:   8054249b nt!KiUnexpectedInterrupt2042d65dee6000000fd:   806e85a8 hal!HalpProfileInterrupt2d65dee6000000fe:   806e8748 hal!HalpPerfInterrupt2d65dee6000000ff:   805424b0 nt!KiUnexpectedInterrupt207kd> r idtridtr=8003f400kd> !idt 8003f400Dumping IDT: 8003f400fbf4ec7d8003f400:   Task Selector = 0x6F4Ckd> dt _KIDTENTRYnt!_KIDTENTRY   +0x000 Offset           : Uint2B   +0x002 Selector         : Uint2B   +0x004 Access           : Uint2B   +0x006 ExtendedOffset   : Uint2Bkd> dt _X86_DESCRIPTORSymbol _X86_DESCRIPTOR not found.kd> dt _DESCRIPTOR 注意:64位下没有这个结构。nt!_DESCRIPTOR   +0x000 Pad              : Uint2B   +0x002 Limit            : Uint2B   +0x004 Base             : Uint4B0: kd> dt nt!_KINTERRUPT 8208e398   +0x000 Type             : 0n22   +0x002 Size             : 0n484   +0x004 InterruptListEntry : _LIST_ENTRY [ 0x8208e39c - 0x8208e39c ]   +0x00c ServiceRoutine   : 0xba63e67e     unsigned char  atapi!IdePortInterrupt+0   +0x010 ServiceContext   : 0x81fa4030 Void   +0x014 SpinLock         : 0   +0x018 TickCount        : 0xffffffff   +0x01c ActualLock       : 0x8208e5fc  -> 0   +0x020 DispatchAddress  : 0x80546780     void  nt!KiInterruptDispatch+0   +0x024 Vector           : 0x162   +0x028 Irql        
     : 0x5 ''   +0x029 SynchronizeIrql  : 0x5 ''   +0x02a FloatingSave     : 0 ''   +0x02b Connected        : 0x1 ''   +0x02c Number           : 0 ''   +0x02d ShareVector      : 0 ''   +0x030 Mode             : 1 ( Latched )   +0x034 ServiceCount     : 0   +0x038 DispatchCount    : 0xffffffff   +0x03c DispatchCode     : [106] 0x565355541: kd> dt _AMD64_DESCRIPTOR 注意:运行环境是64位系统。test!_AMD64_DESCRIPTOR   +0x000 Pad              : [3] Uint2B   +0x006 Limit            : Uint2B   +0x008 Base             : Uint8B1: kd> dt _KIDTENTRY64 注意:运行环境是64位系统。nt!_KIDTENTRY64   +0x000 OffsetLow        : Uint2B   +0x002 Selector         : Uint2B   +0x004 IstIndex         : Pos 0, 3 Bits   +0x004 Reserved0        : Pos 3, 5 Bits   +0x004 Type             : Pos 8, 5 Bits   +0x004 Dpl              : Pos 13, 2 Bits   +0x004 Present          : Pos 15, 1 Bit   +0x006 OffsetMiddle     : Uint2B   +0x008 OffsetHigh       : Uint4B   +0x00c Reserved1        : Uint4B   +0x000 Alignment        : Uint8B*/复制代码
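The dump above contains two kinds of legitimate handler: addresses inside nt/hal, and device vectors that point 0x3c bytes into a KINTERRUPT object (its DispatchCode field, e.g. 8208e63c for KINTERRUPT 8208e600). The following classifier for x86 gates is an added example, not the author's driver code, and it treats anything outside both groups as worth a closer look. The module ranges, the Access words of vectors 02 and 62, and the outlier entry are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86 gate layout as shown by `dt _KIDTENTRY` on the page. */
typedef struct { uint16_t Offset, Selector, Access, ExtendedOffset; } KIDTENTRY;
typedef struct { uint32_t start, end; } Range;             /* [start, end) */
enum { IDT_EMPTY, IDT_TASK_GATE, IDT_IN_IMAGE, IDT_KINTERRUPT, IDT_SUSPECT };

#define DISPATCH_CODE_OFFSET 0x3c  /* _KINTERRUPT.DispatchCode in the dt output */

/* Handler = ExtendedOffset:Offset, the calculation done by hand on the page. */
uint32_t idt_handler(const KIDTENTRY *e) {
    return ((uint32_t)e->ExtendedOffset << 16) | e->Offset;
}

static int in_any(uint32_t a, const Range *r, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a >= r[i].start && a < r[i].end) return 1;
    return 0;
}

/* images: trusted module ranges; kints: KINTERRUPT objects the caller has
   already validated. Both are hypothetical inputs of this example. */
int idt_classify(const KIDTENTRY *e, const Range *images, size_t ni,
                 const uint32_t *kints, size_t nk) {
    if (!(e->Access & 0x8000)) return IDT_EMPTY;            /* P bit clear */
    if (((e->Access >> 8) & 0x1f) == 0x05) return IDT_TASK_GATE; /* no offset */
    uint32_t h = idt_handler(e);
    if (in_any(h, images, ni)) return IDT_IN_IMAGE;
    for (size_t i = 0; i < nk; i++)                         /* device interrupt stub */
        if (h == kints[i] + DISPATCH_CODE_OFFSET) return IDT_KINTERRUPT;
    return IDT_SUSPECT;
}

/* Constructed ranges that merely cover the nt!/hal! addresses in the dump. */
static const Range IMAGES[] = { {0x804d0000, 0x806e0000}, {0x806e0000, 0x80700000} };
static const uint32_t KINTS[] = { 0x8208e600 };             /* KINTERRUPT of vector 62 */
static const KIDTENTRY V00 = {0x3360, 0x08, 0x8e00, 0x8054}; /* values from the page */
static const KIDTENTRY V02 = {0x0000, 0x58, 0x8500, 0x0000}; /* Access constructed */
static const KIDTENTRY V20 = {0x0000, 0x00, 0x0000, 0x0000}; /* empty slot */
static const KIDTENTRY V62 = {0xe63c, 0x08, 0x8e00, 0x8208}; /* Access constructed */
static const KIDTENTRY ODD = {0x1000, 0x08, 0x8e00, 0xf7a0}; /* constructed outlier */

int main(void) {
    const KIDTENTRY *t[] = { &V00, &V02, &V20, &V62, &ODD };
    for (size_t i = 0; i < 5; i++)
        printf("%08x -> %d\n", (unsigned)idt_handler(t[i]),
               idt_classify(t[i], IMAGES, 2, KINTS, 1));
    return 0;
}
```

In a real check the image ranges come from the loaded-module list, and each candidate KINTERRUPT should be validated (for example against the Type and Size fields shown in the dt output) before it is trusted.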

Reposted from: http://rgldl.baihongyu.com/
