自己实现PCHunter的一个功能:超级暴力重启者

发表于 2015-8-25 16:28:46

用过ARK的人都会知道PCHunter这么个玩意,个人认为这款ARK是相当不错的,今天我们就来实现PCHunter的其中一个功能:暴力重启。
网上看到有人提出的一个强制重启的方法,是通过调用KeBugCheck来实现重启,一行代码如下:
KeBugCheck(POWER_FAILURE_SIMULATE);

看着觉得不太对劲啊,还BugCheck……虽然测试了的确没蓝屏,总感觉怪怪的,于是就在WinDbg里查看一番KeBugCheck的具体实现:
; WinDbg disassembly (32-bit x86 kernel, Intel syntax) of nt!KeBugCheck.
; This is debugger output, not assembler source: column 1 is the address,
; column 2 the opcode bytes.
; Observed contract: the single stdcall argument [ebp+8] (the bug-check code)
; is forwarded to nt!KeBugCheck2 together with five zero arguments, i.e.
; KeBugCheck2(Code, 0, 0, 0, 0, 0). Nothing else happens here; all decisions
; (including the compare against 0E5h) live in KeBugCheck2, listed below.
; Clobbers: eax, plus whatever KeBugCheck2 clobbers (not visible here).
nt!KeBugCheck:
80826d8e 8bff            mov     edi,edi                 ; 2-byte no-op (hot-patch point)
80826d90 55              push    ebp                     ; standard frame setup
80826d91 8bec            mov     ebp,esp                 ; [ebp+8] = first (only) argument
80826d93 33c0            xor     eax,eax                 ; eax = 0
80826d95 50              push    eax                     ; five zero arguments, pushed
80826d96 50              push    eax                     ; right-to-left: these become
80826d97 50              push    eax                     ; parameters 2..6 of KeBugCheck2
80826d98 50              push    eax
80826d99 50              push    eax
80826d9a ff7508          push    dword ptr [ebp+8]       ; parameter 1 = bug-check code
80826d9d e8bcf6ffff      call    nt!KeBugCheck2 (8082645e)
80826da2 5d              pop     ebp                     ; no esp clean-up after the call: presumably the callee pops its arguments (stdcall) or never returns -- not visible here
80826da3 c20400          ret     4                       ; stdcall: pop our one 4-byte argument

可以看到它只是把其余五个参数置零后调用了KeBugCheck2函数(相当于 KeBugCheck2(Code, 0, 0, 0, 0, 0)),真正的逻辑都在KeBugCheck2里,接着看它的反汇编:
nt!KeBugCheck2:
8082645e 8bff            mov     edi,edi
80826460 55              push    ebp
80826461 8bec            mov     ebp,esp
80826463 81ec80030000    sub     esp,380h
80826469 a124e18880      mov     eax,dword ptr [nt!__security_cookie (8088e124)]
8082646e 8945fc          mov     dword ptr [ebp-4],eax
80826471 8b450c          mov     eax,dword ptr [ebp+0Ch]
80826474 648b0d24010000  mov     ecx,dword ptr fs:[124h]
8082647b 898594fcffff    mov     dword ptr [ebp-36Ch],eax
80826481 8b4514          mov     eax,dword ptr [ebp+14h]
80826484 8985a4fcffff    mov     dword ptr [ebp-35Ch],eax
8082648a 8b4518          mov     eax,dword ptr [ebp+18h]
8082648d 898584fcffff    mov     dword ptr [ebp-37Ch],eax
80826493 8b451c          mov     eax,dword ptr [ebp+1Ch]
80826496 53              push    ebx
80826497 8b5d10          mov     ebx,dword ptr [ebp+10h]
8082649a 8985a8fcffff    mov     dword ptr [ebp-358h],eax
808264a0 33c0            xor     eax,eax
808264a2 817d08e5000000  cmp     dword ptr [ebp+8],0E5h
808264a9 56              push    esi
808264aa 57              push    edi
808264ab 899d80fcffff    mov     dword ptr [ebp-380h],ebx
808264b1 888588fcffff    mov     byte ptr [ebp-378h],al
808264b7 8885adfcffff    mov     byte ptr [ebp-353h],al
808264bd 898598fcffff    mov     dword ptr [ebp-368h],eax
808264c3 898590fcffff    mov     dword ptr [ebp-370h],eax
808264c9 8985a0fcffff    mov     dword ptr [ebp-360h],eax
808264cf 898d8cfcffff    mov     dword ptr [ebp-374h],ecx
808264d5 8885affcffff    mov     byte ptr [ebp-351h],al
808264db a310f68980      mov     dword ptr [nt!KiBugCheckDriver (8089f610)],eax
808264e0 c605c86d898001  mov     byte ptr [nt!KeBugCheckActive (80896dc8)],1
808264e7 750d            jne     nt!KeBugCheck2+0x98 (808264f6)

nt!KeBugCheck2+0x8b:
808264e9 e8bef8ffff      call    nt!KiScanBugCheckCallbackList (80825dac)
808264ee 6a03            push    3
808264f0 ff15f8108080    call    dword ptr [nt!_imp__HalReturnToFirmware (808010f8)]

nt!KeBugCheck2+0x98:
808264f6 648b3520000000  mov     esi,dword ptr fs:[20h]
808264fd ff15f0108080    call    dword ptr [nt!_imp__KeGetCurrentIrql (808010f0)]
80826503 33c9            xor     ecx,ecx
80826505 888645050000    mov     byte ptr [esi+545h],al
8082650b b8c46d8980      mov     eax,offset nt!KiHardwareTrigger (80896dc4)
80826510 41              inc     ecx
80826511 f00fc108        lock xadd dword ptr [eax],ecx
80826515 64a120000000    mov     eax,dword ptr fs:[00000020h]
8082651b 83c01c          add     eax,1Ch
8082651e 50              push    eax
8082651f e8cc250600      call    nt!RtlCaptureContext (80888af0)
80826524 64a120000000    mov     eax,dword ptr fs:[00000020h]
8082652a 83c01c          add     eax,1Ch
8082652d 50              push    eax
8082652e e8cd810000      call    nt!KiSaveProcessorControlState (8082e700)
80826533 648b3520000000  mov     esi,dword ptr fs:[20h]
8082653a a150cb8980      mov     eax,dword ptr [nt!ExpWdHandler (8089cb50)]
8082653f 83c61c          add     esi,1Ch
80826542 85c0            test    eax,eax
80826544 b9b3000000      mov     ecx,0B3h
80826549 8dbdb0fcffff    lea     edi,[ebp-350h]
8082654f f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
80826551 740e            je      nt!KeBugCheck2+0x103 (80826561)

nt!KeBugCheck2+0xf5:
80826553 6a01            push    1
80826555 6a00            push    0
80826557 ff3554cb8980    push    dword ptr [nt!ExpWdHandlerContext (8089cb54)]
8082655d 6a03            push    3
8082655f ffd0            call    eax

nt!KeBugCheck2+0x103:
80826561 8b7508          mov     esi,dword ptr [ebp+8]
80826564 83fe7f          cmp     esi,7Fh
80826567 6a1e            push    1Eh
80826569 b8c5000000      mov     eax,0C5h
8082656e 59              pop     ecx
8082656f 0f87c0000000    ja      nt!KeBugCheck2+0x1d7 (80826635)

nt!KeBugCheck2+0x117:
80826575 0f841b010000    je      nt!KeBugCheck2+0x238 (80826696)

nt!KeBugCheck2+0x11d:
8082657b 8bc6            mov     eax,esi
8082657d 2bc1            sub     eax,ecx
8082657f 7434            je      nt!KeBugCheck2+0x157 (808265b5)

nt!KeBugCheck2+0x123:
80826581 83e805          sub     eax,5
80826584 0f840c010000    je      nt!KeBugCheck2+0x238 (80826696)

nt!KeBugCheck2+0x12c:
8082658a 48              dec     eax
8082658b 0f8498000000    je      nt!KeBugCheck2+0x1cb (80826629)

nt!KeBugCheck2+0x133:
80826591 83e80a          sub     eax,0Ah
80826594 0f84fc000000    je      nt!KeBugCheck2+0x238 (80826696)

nt!KeBugCheck2+0x13c:
8082659a 83e811          sub     eax,11h
8082659d 0f84f3000000    je      nt!KeBugCheck2+0x238 (80826696)

nt!KeBugCheck2+0x145:
808265a3 83e83c          sub     eax,3Ch
808265a6 0f84ea000000    je      nt!KeBugCheck2+0x238 (80826696)

nt!KeBugCheck2+0x14e:
808265ac 83e803          sub     eax,3
808265af 0f85b8000000    jne     nt!KeBugCheck2+0x20f (8082666d)

nt!KeBugCheck2+0x157:
808265b5 898d9cfcffff    mov     dword ptr [ebp-364h],ecx

nt!KeBugCheck2+0x15d:
808265bb 8bbd94fcffff    mov     edi,dword ptr [ebp-36Ch]
808265c1 8b95a4fcffff    mov     edx,dword ptr [ebp-35Ch]
808265c7 8b8d84fcffff    mov     ecx,dword ptr [ebp-37Ch]
808265cd b8be000000      mov     eax,0BEh
808265d2 3bf0            cmp     esi,eax
808265d4 893520f68980    mov     dword ptr [nt!KiBugCheckData (8089f620)],esi
808265da 893d24f68980    mov     dword ptr [nt!KiBugCheckData+0x4 (8089f624)],edi
808265e0 891d28f68980    mov     dword ptr [nt!KiBugCheckData+0x8 (8089f628)],ebx
808265e6 89152cf68980    mov     dword ptr [nt!KiBugCheckData+0xc (8089f62c)],edx
808265ec 890d30f68980    mov     dword ptr [nt!KiBugCheckData+0x10 (8089f630)],ecx
808265f2 0f87c3020000    ja      nt!KeBugCheck2+0x45d (808268bb)

nt!KeBugCheck2+0x19a:
808265f8 0f84d5020000    je      nt!KeBugCheck2+0x475 (808268d3)

nt!KeBugCheck2+0x1a0:
808265fe 8bc6            mov     eax,esi
80826600 83e80a          sub     eax,0Ah
80826603 0f84d7010000    je      nt!KeBugCheck2+0x382 (808267e0)

nt!KeBugCheck2+0x1ab:
80826609 83e842          sub     eax,42h
8082660c 0f8491010000    je      nt!KeBugCheck2+0x345 (808267a3)

nt!KeBugCheck2+0x1b4:
80826612 83e804          sub     eax,4
80826615 0f8486000000    je      nt!KeBugCheck2+0x243 (808266a1)

nt!KeBugCheck2+0x1bd:
8082661b 83e83e          sub     eax,3Eh
8082661e 0f84af020000    je      nt!KeBugCheck2+0x475 (808268d3)

nt!KeBugCheck2+0x1c6:
80826624 e9ef020000      jmp     nt!KeBugCheck2+0x4ba (80826918)

nt!KeBugCheck2+0x1cb:
80826629 c7859cfcffff23000000 mov dword ptr [ebp-364h],23h
80826633 eb86            jmp     nt!KeBugCheck2+0x15d (808265bb)

nt!KeBugCheck2+0x1d7:
80826635 81fe8e000000    cmp     esi,8Eh
8082663b 0f8474ffffff    je      nt!KeBugCheck2+0x157 (808265b5)

nt!KeBugCheck2+0x1e3:
80826641 81fea5000000    cmp     esi,0A5h
80826647 744d            je      nt!KeBugCheck2+0x238 (80826696)

nt!KeBugCheck2+0x1eb:
80826649 3bf0            cmp     esi,eax
8082664b 7449            je      nt!KeBugCheck2+0x238 (80826696)

nt!KeBugCheck2+0x1ef:
8082664d 81fed0000000    cmp     esi,0D0h
80826653 7436            je      nt!KeBugCheck2+0x22d (8082668b)

nt!KeBugCheck2+0x1f7:
80826655 81fee0000000    cmp     esi,0E0h
8082665b 7439            je      nt!KeBugCheck2+0x238 (80826696)

nt!KeBugCheck2+0x1ff:
8082665d 81feea000000    cmp     esi,0EAh
80826663 7431            je      nt!KeBugCheck2+0x238 (80826696)

nt!KeBugCheck2+0x207:
80826665 81fed10200c0    cmp     esi,0C00002D1h
8082666b 740f            je      nt!KeBugCheck2+0x21e (8082667c)

nt!KeBugCheck2+0x20f:
8082666d c7859cfcffff82000040 mov dword ptr [ebp-364h],40000082h
80826677 e93fffffff      jmp     nt!KeBugCheck2+0x15d (808265bb)

nt!KeBugCheck2+0x21e:
8082667c c7859cfcffffc3000000 mov dword ptr [ebp-364h],0C3h
80826686 e930ffffff      jmp     nt!KeBugCheck2+0x15d (808265bb)

nt!KeBugCheck2+0x22d:
8082668b 89859cfcffff    mov     dword ptr [ebp-364h],eax
80826691 e925ffffff      jmp     nt!KeBugCheck2+0x15d (808265bb)

nt!KeBugCheck2+0x238:
80826696 89b59cfcffff    mov     dword ptr [ebp-364h],esi
8082669c e91affffff      jmp     nt!KeBugCheck2+0x15d (808265bb)

nt!KeBugCheck2+0x243:
808266a1 83a5a4fcffff00  and     dword ptr [ebp-35Ch],0
808266a8 83bda8fcffff00  cmp     dword ptr [ebp-358h],0
808266af 750a            jne     nt!KeBugCheck2+0x25d (808266bb)

nt!KeBugCheck2+0x253:
808266b1 85d2            test    edx,edx
808266b3 743f            je      nt!KeBugCheck2+0x296 (808266f4)

nt!KeBugCheck2+0x257:
808266b5 8995a8fcffff    mov     dword ptr [ebp-358h],edx

nt!KeBugCheck2+0x25d:
808266bb 8b85a8fcffff    mov     eax,dword ptr [ebp-358h]
808266c1 8b7068          mov     esi,dword ptr [eax+68h]
808266c4 8d85aefcffff    lea     eax,[ebp-352h]
808266ca 50              push    eax
808266cb 6a00            push    0
808266cd 8d85a4fcffff    lea     eax,[ebp-35Ch]
808266d3 50              push    eax
808266d4 56              push    esi
808266d5 89b5a0fcffff    mov     dword ptr [ebp-360h],esi
808266db 89352cf68980    mov     dword ptr [nt!KiBugCheckData+0xc (8089f62c)],esi
808266e1 e8d0f4ffff      call    nt!KiPcToFileHeader (80825bb6)
808266e6 8a9daefcffff    mov     bl,byte ptr [ebp-352h]
808266ec 8985a4fcffff    mov     dword ptr [ebp-35Ch],eax
808266f2 eb08            jmp     nt!KeBugCheck2+0x29e (808266fc)

nt!KeBugCheck2+0x296:
808266f4 8bb5a0fcffff    mov     esi,dword ptr [ebp-360h]
808266fa b301            mov     bl,1

nt!KeBugCheck2+0x29e:
808266fc 8bbd94fcffff    mov     edi,dword ptr [ebp-36Ch]
80826702 57              push    edi
80826703 e88e310300      call    nt!MmIsSpecialPoolAddress (80859896)
80826708 83f801          cmp     eax,1
8082670b 7534            jne     nt!KeBugCheck2+0x2e3 (80826741)

nt!KeBugCheck2+0x2af:
8082670d 57              push    edi
8082670e e8ab310300      call    nt!MmIsSpecialPoolAddressFree (808598be)
80826713 fecb            dec     bl
80826715 83f801          cmp     eax,1
80826718 750f            jne     nt!KeBugCheck2+0x2cb (80826729)

nt!KeBugCheck2+0x2bc:
8082671a f6db            neg     bl
8082671c 1bdb            sbb     ebx,ebx
8082671e 83e309          and     ebx,9
80826721 81c3cc000000    add     ebx,0CCh
80826727 eb0d            jmp     nt!KeBugCheck2+0x2d8 (80826736)

nt!KeBugCheck2+0x2cb:
80826729 f6db            neg     bl
8082672b 1bdb            sbb     ebx,ebx
8082672d 83e309          and     ebx,9
80826730 81c3cd000000    add     ebx,0CDh

nt!KeBugCheck2+0x2d8:
80826736 891d20f68980    mov     dword ptr [nt!KiBugCheckData (8089f620)],ebx
8082673c e9d7010000      jmp     nt!KeBugCheck2+0x4ba (80826918)

nt!KeBugCheck2+0x2e3:
80826741 3bf7            cmp     esi,edi
80826743 752f            jne     nt!KeBugCheck2+0x316 (80826774)

nt!KeBugCheck2+0x2e7:
80826745 57              push    edi
80826746 e865150300      call    nt!MmIsSessionAddress (80857cb0)
8082674b 83f801          cmp     eax,1
8082674e 7524            jne     nt!KeBugCheck2+0x316 (80826774)

nt!KeBugCheck2+0x2f2:
80826750 8b858cfcffff    mov     eax,dword ptr [ebp-374h]
80826756 8b4074          mov     eax,dword ptr [eax+74h]
80826759 85c0            test    eax,eax
8082675b 7408            je      nt!KeBugCheck2+0x307 (80826765)

nt!KeBugCheck2+0x2ff:
8082675d 3b05e4588980    cmp     eax,dword ptr [nt!MmSystemRangeStart (808958e4)]
80826763 720f            jb      nt!KeBugCheck2+0x316 (80826774)

nt!KeBugCheck2+0x307:
80826765 c70520f68980cf000000 mov dword ptr [nt!KiBugCheckData (8089f620)],0CFh
8082676f e9a4010000      jmp     nt!KeBugCheck2+0x4ba (80826918)

nt!KeBugCheck2+0x316:
80826774 83bda4fcffff00  cmp     dword ptr [ebp-35Ch],0
8082677b 0f8597010000    jne     nt!KeBugCheck2+0x4ba (80826918)

nt!KeBugCheck2+0x323:
80826781 57              push    edi
80826782 e83fe30100      call    nt!MmLocateUnloadedDriver (80844ac6)
80826787 85c0            test    eax,eax
80826789 a310f68980      mov     dword ptr [nt!KiBugCheckDriver (8089f610)],eax
8082678e 0f84a3010000    je      nt!KeBugCheck2+0x4d9 (80826937)

nt!KeBugCheck2+0x336:
80826794 c70520f68980ce000000 mov dword ptr [nt!KiBugCheckData (8089f620)],0CEh
8082679e e975010000      jmp     nt!KeBugCheck2+0x4ba (80826918)

nt!KeBugCheck2+0x345:
808267a3 893d20f68980    mov     dword ptr [nt!KiBugCheckData (8089f620)],edi
808267a9 8b03            mov     eax,dword ptr [ebx]
808267ab a324f68980      mov     dword ptr [nt!KiBugCheckData+0x4 (8089f624)],eax
808267b0 8b4304          mov     eax,dword ptr [ebx+4]
808267b3 a328f68980      mov     dword ptr [nt!KiBugCheckData+0x8 (8089f628)],eax
808267b8 8b4308          mov     eax,dword ptr [ebx+8]
808267bb a32cf68980      mov     dword ptr [nt!KiBugCheckData+0xc (8089f62c)],eax
808267c0 8b430c          mov     eax,dword ptr [ebx+0Ch]
808267c3 c68588fcffff01  mov     byte ptr [ebp-378h],1
808267ca 899598fcffff    mov     dword ptr [ebp-368h],edx
808267d0 898d90fcffff    mov     dword ptr [ebp-370h],ecx
808267d6 a330f68980      mov     dword ptr [nt!KiBugCheckData+0x10 (8089f630)],eax
808267db e938010000      jmp     nt!KeBugCheck2+0x4ba (80826918)

nt!KeBugCheck2+0x382:
808267e0 3b0d0c008a80    cmp     ecx,dword ptr [nt!ExPoolCodeStart (808a000c)]
808267e6 7217            jb      nt!KeBugCheck2+0x3a1 (808267ff)

nt!KeBugCheck2+0x38a:
808267e8 3b0d08008a80    cmp     ecx,dword ptr [nt!ExPoolCodeEnd (808a0008)]
808267ee 730f            jae     nt!KeBugCheck2+0x3a1 (808267ff)

nt!KeBugCheck2+0x392:
808267f0 c70520f68980c5000000 mov dword ptr [nt!KiBugCheckData (8089f620)],0C5h
808267fa e9b3000000      jmp     nt!KeBugCheck2+0x454 (808268b2)

nt!KeBugCheck2+0x3a1:
808267ff 3b0d04008a80    cmp     ecx,dword ptr [nt!MmPoolCodeStart (808a0004)]
80826805 7217            jb      nt!KeBugCheck2+0x3c0 (8082681e)

nt!KeBugCheck2+0x3a9:
80826807 3b0d00008a80    cmp     ecx,dword ptr [nt!MmPoolCodeEnd (808a0000)]
8082680d 730f            jae     nt!KeBugCheck2+0x3c0 (8082681e)

nt!KeBugCheck2+0x3b1:
8082680f c70520f68980d0000000 mov dword ptr [nt!KiBugCheckData (8089f620)],0D0h
80826819 e994000000      jmp     nt!KeBugCheck2+0x454 (808268b2)

nt!KeBugCheck2+0x3c0:
8082681e 3b0dfcff8980    cmp     ecx,dword ptr [nt!MmPteCodeStart (8089fffc)]
80826824 7214            jb      nt!KeBugCheck2+0x3dc (8082683a)

nt!KeBugCheck2+0x3c8:
80826826 3b0df8ff8980    cmp     ecx,dword ptr [nt!MmPteCodeEnd (8089fff8)]
8082682c 730c            jae     nt!KeBugCheck2+0x3dc (8082683a)

nt!KeBugCheck2+0x3d0:
8082682e c70520f68980db000000 mov dword ptr [nt!KiBugCheckData (8089f620)],0DBh
80826838 eb78            jmp     nt!KeBugCheck2+0x454 (808268b2)

nt!KeBugCheck2+0x3dc:
8082683a 8d85aefcffff    lea     eax,[ebp-352h]
80826840 50              push    eax
80826841 6a00            push    0
80826843 8d85a4fcffff    lea     eax,[ebp-35Ch]
80826849 50              push    eax
8082684a 51              push    ecx
8082684b e866f3ffff      call    nt!KiPcToFileHeader (80825bb6)
80826850 80bdaefcffff01  cmp     byte ptr [ebp-352h],1
80826857 754f            jne     nt!KeBugCheck2+0x44a (808268a8)

nt!KeBugCheck2+0x3fb:
80826859 8d85aefcffff    lea     eax,[ebp-352h]
8082685f 50              push    eax
80826860 6a01            push    1
80826862 8d85a4fcffff    lea     eax,[ebp-35Ch]
80826868 50              push    eax
80826869 57              push    edi
8082686a e847f3ffff      call    nt!KiPcToFileHeader (80825bb6)
8082686f 85c0            test    eax,eax
80826871 741a            je      nt!KeBugCheck2+0x42f (8082688d)

nt!KeBugCheck2+0x415:
80826873 8b85a4fcffff    mov     eax,dword ptr [ebp-35Ch]
80826879 83c02c          add     eax,2Ch
8082687c a310f68980      mov     dword ptr [nt!KiBugCheckDriver (8089f610)],eax
80826881 c70520f68980d3000000 mov dword ptr [nt!KiBugCheckData (8089f620)],0D3h
8082688b eb25            jmp     nt!KeBugCheck2+0x454 (808268b2)

nt!KeBugCheck2+0x42f:
8082688d 57              push    edi
8082688e e833e20100      call    nt!MmLocateUnloadedDriver (80844ac6)
80826893 85c0            test    eax,eax
80826895 a310f68980      mov     dword ptr [nt!KiBugCheckDriver (8089f610)],eax
8082689a 7416            je      nt!KeBugCheck2+0x454 (808268b2)

nt!KeBugCheck2+0x43e:
8082689c c70520f68980d4000000 mov dword ptr [nt!KiBugCheckData (8089f620)],0D4h
808268a6 eb0a            jmp     nt!KeBugCheck2+0x454 (808268b2)

nt!KeBugCheck2+0x44a:
808268a8 c70520f68980d1000000 mov dword ptr [nt!KiBugCheckData (8089f620)],0D1h

nt!KeBugCheck2+0x454:
808268b2 83a5a0fcffff00  and     dword ptr [ebp-360h],0
808268b9 eb5d            jmp     nt!KeBugCheck2+0x4ba (80826918)

nt!KeBugCheck2+0x45d:
808268bb 8bc6            mov     eax,esi
808268bd 2dcb000000      sub     eax,0CBh
808268c2 744e            je      nt!KeBugCheck2+0x4b4 (80826912)

nt!KeBugCheck2+0x466:
808268c4 83e80d          sub     eax,0Dh
808268c7 743e            je      nt!KeBugCheck2+0x4a9 (80826907)

nt!KeBugCheck2+0x46b:
808268c9 83e812          sub     eax,12h
808268cc 7431            je      nt!KeBugCheck2+0x4a1 (808268ff)

nt!KeBugCheck2+0x470:
808268ce 83e812          sub     eax,12h
808268d1 7545            jne     nt!KeBugCheck2+0x4ba (80826918)

nt!KeBugCheck2+0x475:
808268d3 83bda8fcffff00  cmp     dword ptr [ebp-358h],0
808268da 750a            jne     nt!KeBugCheck2+0x488 (808268e6)

nt!KeBugCheck2+0x47e:
808268dc 85d2            test    edx,edx
808268de 7438            je      nt!KeBugCheck2+0x4ba (80826918)

nt!KeBugCheck2+0x482:
808268e0 8995a8fcffff    mov     dword ptr [ebp-358h],edx

nt!KeBugCheck2+0x488:
808268e6 81fe8e000000    cmp     esi,8Eh
808268ec 742a            je      nt!KeBugCheck2+0x4ba (80826918)

nt!KeBugCheck2+0x490:
808268ee 8b85a8fcffff    mov     eax,dword ptr [ebp-358h]
808268f4 8b4068          mov     eax,dword ptr [eax+68h]
808268f7 8985a0fcffff    mov     dword ptr [ebp-360h],eax
808268fd eb19            jmp     nt!KeBugCheck2+0x4ba (80826918)

nt!KeBugCheck2+0x4a1:
808268ff 891510f68980    mov     dword ptr [nt!KiBugCheckDriver (8089f610)],edx
80826905 eb11            jmp     nt!KeBugCheck2+0x4ba (80826918)

nt!KeBugCheck2+0x4a9:
80826907 83c72c          add     edi,2Ch
8082690a 893d10f68980    mov     dword ptr [nt!KiBugCheckDriver (8089f610)],edi
80826910 eb06            jmp     nt!KeBugCheck2+0x4ba (80826918)

nt!KeBugCheck2+0x4b4:
80826912 89bda0fcffff    mov     dword ptr [ebp-360h],edi

nt!KeBugCheck2+0x4ba:
80826918 a110f68980      mov     eax,dword ptr [nt!KiBugCheckDriver (8089f610)]
8082691d 85c0            test    eax,eax
8082691f 7416            je      nt!KeBugCheck2+0x4d9 (80826937)

nt!KeBugCheck2+0x4c3:
80826921 6880000000      push    80h
80826926 8d8d7cffffff    lea     ecx,[ebp-84h]
8082692c 51              push    ecx
8082692d 50              push    eax
8082692e e8adf1ffff      call    nt!KeBugCheckUnicodeToAnsi (80825ae0)
80826933 33f6            xor     esi,esi
80826935 eb24            jmp     nt!KeBugCheck2+0x4fd (8082695b)

nt!KeBugCheck2+0x4d9:
80826937 33f6            xor     esi,esi
80826939 39b5a0fcffff    cmp     dword ptr [ebp-360h],esi
8082693f 741a            je      nt!KeBugCheck2+0x4fd (8082695b)

nt!KeBugCheck2+0x4e3:
80826941 68e05a8280      push    offset nt!KeBugCheckUnicodeToAnsi (80825ae0)
80826946 6a01            push    1
80826948 8d85a0fcffff    lea     eax,[ebp-360h]
8082694e 50              push    eax
8082694f 8d857cffffff    lea     eax,[ebp-84h]
80826955 50              push    eax
80826956 e805f7ffff      call    nt!KiDumpParameterImages (80826060)

nt!KeBugCheck2+0x4fd:
8082695b 803da8e8888000  cmp     byte ptr [nt!KdPitchDebugger (8088e8a8)],0
80826962 7511            jne     nt!KeBugCheck2+0x517 (80826975)

nt!KeBugCheck2+0x506:
80826964 8d85b0fcffff    lea     eax,[ebp-350h]
8082696a a308e48880      mov     dword ptr [nt!KdDebuggerDataBlock+0x28 (8088e408)],eax
8082696f 89350ce48880    mov     dword ptr [nt!KdDebuggerDataBlock+0x2c (8088e40c)],esi

nt!KeBugCheck2+0x517:
80826975 b8ec498980      mov     eax,offset nt!KeBugCheckCount (808949ec)
8082697a 83c9ff          or      ecx,0FFFFFFFFh
8082697d f00fc108        lock xadd dword ptr [eax],ecx
80826981 0f85a8000000    jne     nt!KeBugCheck2+0x5d1 (80826a2f)

nt!KeBugCheck2+0x529:
80826987 817d08e2000000  cmp     dword ptr [ebp+8],0E2h
8082698e c685adfcffff01  mov     byte ptr [ebp-353h],1
80826995 0f8494000000    je      nt!KeBugCheck2+0x5d1 (80826a2f)

nt!KeBugCheck2+0x53d:
8082699b 803dd0ec898000  cmp     byte ptr [nt!KdDebuggerEnabled (8089ecd0)],0
808269a2 0f8487000000    je      nt!KeBugCheck2+0x5d1 (80826a2f)

nt!KeBugCheck2+0x54a:
808269a8 ff3530f68980    push    dword ptr [nt!KiBugCheckData+0x10 (8089f630)]
808269ae ff352cf68980    push    dword ptr [nt!KiBugCheckData+0xc (8089f62c)]
808269b4 ff3528f68980    push    dword ptr [nt!KiBugCheckData+0x8 (8089f628)]
808269ba ff3524f68980    push    dword ptr [nt!KiBugCheckData+0x4 (8089f624)]
808269c0 ff3520f68980    push    dword ptr [nt!KiBugCheckData (8089f620)]
808269c6 68ee638280      push    offset nt!KiDisplayBlueScreen+0x1ba (808263ee)
808269cb e8b0670400      call    nt!DbgPrint (8086d180)
808269d0 83c418          add     esp,18h
808269d3 803dd1ec898000  cmp     byte ptr [nt!KdDebuggerNotPresent (8089ecd1)],0
808269da 7553            jne     nt!KeBugCheck2+0x5d1 (80826a2f)

nt!KeBugCheck2+0x57e:
808269dc 393510f68980    cmp     dword ptr [nt!KiBugCheckDriver (8089f610)],esi
808269e2 7413            je      nt!KeBugCheck2+0x599 (808269f7)

nt!KeBugCheck2+0x586:
808269e4 8d857cffffff    lea     eax,[ebp-84h]
808269ea 50              push    eax
808269eb 683e648280      push    offset nt!KiDisplayBlueScreen+0x20a (8082643e)
808269f0 e88b670400      call    nt!DbgPrint (8086d180)
808269f5 59              pop     ecx
808269f6 59              pop     ecx

nt!KeBugCheck2+0x599:
808269f7 80bd88fcffff00  cmp     byte ptr [ebp-378h],0
808269fe 7428            je      nt!KeBugCheck2+0x5ca (80826a28)

nt!KeBugCheck2+0x5a2:
80826a00 39b598fcffff    cmp     dword ptr [ebp-368h],esi
80826a06 740c            je      nt!KeBugCheck2+0x5b6 (80826a14)

nt!KeBugCheck2+0x5aa:
80826a08 ffb598fcffff    push    dword ptr [ebp-368h]
80826a0e e86d670400      call    nt!DbgPrint (8086d180)
80826a13 59              pop     ecx

nt!KeBugCheck2+0x5b6:
80826a14 39b590fcffff    cmp     dword ptr [ebp-370h],esi
80826a1a 740c            je      nt!KeBugCheck2+0x5ca (80826a28)

nt!KeBugCheck2+0x5be:
80826a1c ffb590fcffff    push    dword ptr [ebp-370h]
80826a22 e859670400      call    nt!DbgPrint (8086d180)
80826a27 59              pop     ecx

nt!KeBugCheck2+0x5ca:
80826a28 6a03            push    3
80826a2a e8f3f0ffff      call    nt!KiBugCheckDebugBreak (80825b22)

nt!KeBugCheck2+0x5d1:
80826a2f e8907c0000      call    nt!KeDisableInterrupts (8082e6c4)
80826a34 b11f            mov     cl,1Fh
80826a36 ff15fc108080    call    dword ptr [nt!_imp_KfRaiseIrql (808010fc)]
80826a3c 80bdadfcffff00  cmp     byte ptr [ebp-353h],0
80826a43 0f84d0020000    je      nt!KeBugCheck2+0x8bb (80826d19)

nt!KeBugCheck2+0x5eb:
80826a49 8d857cffffff    lea     eax,[ebp-84h]
80826a4f 50              push    eax
80826a50 ffb590fcffff    push    dword ptr [ebp-370h]
80826a56 ffb598fcffff    push    dword ptr [ebp-368h]
80826a5c ffb588fcffff    push    dword ptr [ebp-378h]
80826a62 ffb59cfcffff    push    dword ptr [ebp-364h]
80826a68 e8c7f7ffff      call    nt!KiDisplayBlueScreen (80826234)
80826a6d e8b6f4ffff      call    nt!KiInvokeBugCheckEntryCallbacks (80825f28)
80826a72 803dd0ec898000  cmp     byte ptr [nt!KdDebuggerEnabled (8089ecd0)],0
80826a79 7511            jne     nt!KeBugCheck2+0x62e (80826a8c)

nt!KeBugCheck2+0x61d:
80826a7b 803da8e8888000  cmp     byte ptr [nt!KdPitchDebugger (8088e8a8)],0
80826a82 7508            jne     nt!KeBugCheck2+0x62e (80826a8c)

nt!KeBugCheck2+0x626:
80826a84 56              push    esi
80826a85 e888d1ffff      call    nt!KdEnableDebuggerWithLock (80823c12)
80826a8a eb0a            jmp     nt!KeBugCheck2+0x638 (80826a96)

nt!KeBugCheck2+0x62e:
80826a8c 6856648280      push    offset nt!KiDisplayBlueScreen+0x222 (80826456)
80826a91 e8e444ffff      call    nt!InbvDisplayString (8081af7a)

nt!KeBugCheck2+0x638:
80826a96 648b3d20000000  mov     edi,dword ptr fs:[20h]
80826a9d bbb3000000      mov     ebx,0B3h
80826aa2 83c71c          add     edi,1Ch
80826aa5 8bcb            mov     ecx,ebx
80826aa7 8db5b0fcffff    lea     esi,[ebp-350h]
80826aad f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
80826aaf e83078ffff      call    nt!IoIsTriageDumpEnabled (8081e2e4)
80826ab4 84c0            test    al,al
80826ab6 0f8424020000    je      nt!KeBugCheck2+0x882 (80826ce0)

nt!KeBugCheck2+0x65e:
80826abc 83bda8fcffff00  cmp     dword ptr [ebp-358h],0
80826ac3 7423            je      nt!KeBugCheck2+0x68a (80826ae8)

nt!KeBugCheck2+0x667:
80826ac5 8d85b0fcffff    lea     eax,[ebp-350h]
80826acb 50              push    eax
80826acc 6a00            push    0
80826ace ffb5a8fcffff    push    dword ptr [ebp-358h]
80826ad4 c785b0fcffff07000100 mov dword ptr [ebp-350h],10007h
80826ade e891450000      call    nt!KeContextFromKframes (8082b074)
80826ae3 e949010000      jmp     nt!KeBugCheck2+0x7d3 (80826c31)

nt!KeBugCheck2+0x68a:
80826ae8 8b4508          mov     eax,dword ptr [ebp+8]
80826aeb 83e87e          sub     eax,7Eh
80826aee 0f8429010000    je      nt!KeBugCheck2+0x7bf (80826c1d)

nt!KeBugCheck2+0x696:
80826af4 48              dec     eax
80826af5 7450            je      nt!KeBugCheck2+0x6e9 (80826b47)

nt!KeBugCheck2+0x699:
80826af7 83e86b          sub     eax,6Bh
80826afa 0f8538010000    jne     nt!KeBugCheck2+0x7da (80826c38)

nt!KeBugCheck2+0x6a2:
80826b00 8b8594fcffff    mov     eax,dword ptr [ebp-36Ch]
80826b06 80784c02        cmp     byte ptr [eax+4Ch],2
80826b0a 89858cfcffff    mov     dword ptr [ebp-374h],eax
80826b10 7513            jne     nt!KeBugCheck2+0x6c7 (80826b25)

nt!KeBugCheck2+0x6b4:
80826b12 0fb64040        movzx   eax,byte ptr [eax+40h]
80826b16 8b348500f38980  mov     esi,dword ptr nt!KiProcessorBlock (8089f300)[eax*4]
80826b1d 83c61c          add     esi,1Ch
80826b20 e902010000      jmp     nt!KeBugCheck2+0x7c9 (80826c27)

nt!KeBugCheck2+0x6c7:
80826b25 8b4020          mov     eax,dword ptr [eax+20h]
80826b28 8d480c          lea     ecx,[eax+0Ch]
80826b2b 898d74fdffff    mov     dword ptr [ebp-28Ch],ecx
80826b31 8b09            mov     ecx,dword ptr [ecx]
80826b33 898d64fdffff    mov     dword ptr [ebp-29Ch],ecx
80826b39 8b4008          mov     eax,dword ptr [eax+8]
80826b3c 898568fdffff    mov     dword ptr [ebp-298h],eax
80826b42 e9ea000000      jmp     nt!KeBugCheck2+0x7d3 (80826c31)

nt!KeBugCheck2+0x6e9:
80826b47 83bd94fcffff08  cmp     dword ptr [ebp-36Ch],8
80826b4e 0f85e4000000    jne     nt!KeBugCheck2+0x7da (80826c38)

nt!KeBugCheck2+0x6f6:
80826b54 8b8580fcffff    mov     eax,dword ptr [ebp-380h]
80826b5a 85c0            test    eax,eax
80826b5c 0f84cf000000    je      nt!KeBugCheck2+0x7d3 (80826c31)

nt!KeBugCheck2+0x704:
80826b62 8b4824          mov     ecx,dword ptr [eax+24h]
80826b65 f7c100000200    test    ecx,20000h
80826b6b 740c            je      nt!KeBugCheck2+0x71b (80826b79)

nt!KeBugCheck2+0x70f:
80826b6d 0fb75050        movzx   edx,word ptr [eax+50h]

nt!KeBugCheck2+0x713:
80826b71 899578fdffff    mov     dword ptr [ebp-288h],edx
80826b77 eb19            jmp     nt!KeBugCheck2+0x734 (80826b92)

nt!KeBugCheck2+0x71b:
80826b79 f6404c01        test    byte ptr [eax+4Ch],1
80826b7d 7409            je      nt!KeBugCheck2+0x72a (80826b88)

nt!KeBugCheck2+0x721:
80826b7f 0fb75050        movzx   edx,word ptr [eax+50h]
80826b83 83ca03          or      edx,3
80826b86 ebe9            jmp     nt!KeBugCheck2+0x713 (80826b71)

nt!KeBugCheck2+0x72a:
80826b88 c78578fdffff10000000 mov dword ptr [ebp-288h],10h

nt!KeBugCheck2+0x734:
80826b92 0fb7505c        movzx   edx,word ptr [eax+5Ch]
80826b96 89953cfdffff    mov     dword ptr [ebp-2C4h],edx
80826b9c 0fb75058        movzx   edx,word ptr [eax+58h]
80826ba0 899540fdffff    mov     dword ptr [ebp-2C0h],edx
80826ba6 0fb75048        movzx   edx,word ptr [eax+48h]
80826baa 899544fdffff    mov     dword ptr [ebp-2BCh],edx
80826bb0 0fb75054        movzx   edx,word ptr [eax+54h]
80826bb4 899548fdffff    mov     dword ptr [ebp-2B8h],edx
80826bba 0fb7504c        movzx   edx,word ptr [eax+4Ch]
80826bbe 89956cfdffff    mov     dword ptr [ebp-294h],edx
80826bc4 8b5038          mov     edx,dword ptr [eax+38h]
80826bc7 899574fdffff    mov     dword ptr [ebp-28Ch],edx
80826bcd 8b5020          mov     edx,dword ptr [eax+20h]
80826bd0 899568fdffff    mov     dword ptr [ebp-298h],edx
80826bd6 8b503c          mov     edx,dword ptr [eax+3Ch]
80826bd9 899564fdffff    mov     dword ptr [ebp-29Ch],edx
80826bdf 8b5028          mov     edx,dword ptr [eax+28h]
80826be2 899560fdffff    mov     dword ptr [ebp-2A0h],edx
80826be8 8b5034          mov     edx,dword ptr [eax+34h]
80826beb 899554fdffff    mov     dword ptr [ebp-2ACh],edx
80826bf1 8b502c          mov     edx,dword ptr [eax+2Ch]
80826bf4 89955cfdffff    mov     dword ptr [ebp-2A4h],edx
80826bfa 8b5030          mov     edx,dword ptr [eax+30h]
80826bfd 899558fdffff    mov     dword ptr [ebp-2A8h],edx
80826c03 8b5044          mov     edx,dword ptr [eax+44h]
80826c06 8b4040          mov     eax,dword ptr [eax+40h]
80826c09 89954cfdffff    mov     dword ptr [ebp-2B4h],edx
80826c0f 898550fdffff    mov     dword ptr [ebp-2B0h],eax
80826c15 898d70fdffff    mov     dword ptr [ebp-290h],ecx
80826c1b eb14            jmp     nt!KeBugCheck2+0x7d3 (80826c31)

nt!KeBugCheck2+0x7bf:
80826c1d 8bb584fcffff    mov     esi,dword ptr [ebp-37Ch]
80826c23 85f6            test    esi,esi
80826c25 7411            je      nt!KeBugCheck2+0x7da (80826c38)

nt!KeBugCheck2+0x7c9:
80826c27 8dbdb0fcffff    lea     edi,[ebp-350h]
80826c2d 8bcb            mov     ecx,ebx
80826c2f f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

nt!KeBugCheck2+0x7d3:
80826c31 800d23f6898010  or      byte ptr [nt!KiBugCheckData+0x3 (8089f623)],10h

nt!KeBugCheck2+0x7da:
80826c38 a124f68980      mov     eax,dword ptr [nt!KiBugCheckData+0x4 (8089f624)]
80826c3d bf00100000      mov     edi,1000h
80826c42 be00f0ffff      mov     esi,0FFFFF000h
80826c47 57              push    edi
80826c48 23c6            and     eax,esi
80826c4a 50              push    eax
80826c4b e8b475ffff      call    nt!IoAddTriageDumpDataBlock (8081e204)
80826c50 a128f68980      mov     eax,dword ptr [nt!KiBugCheckData+0x8 (8089f628)]
80826c55 57              push    edi
80826c56 23c6            and     eax,esi
80826c58 50              push    eax
80826c59 e8a675ffff      call    nt!IoAddTriageDumpDataBlock (8081e204)
80826c5e a12cf68980      mov     eax,dword ptr [nt!KiBugCheckData+0xc (8089f62c)]
80826c63 57              push    edi
80826c64 23c6            and     eax,esi
80826c66 50              push    eax
80826c67 e89875ffff      call    nt!IoAddTriageDumpDataBlock (8081e204)
80826c6c a130f68980      mov     eax,dword ptr [nt!KiBugCheckData+0x10 (8089f630)]
80826c71 57              push    edi
80826c72 23c6            and     eax,esi
80826c74 50              push    eax
80826c75 e88a75ffff      call    nt!IoAddTriageDumpDataBlock (8081e204)
80826c7a a120f68980      mov     eax,dword ptr [nt!KiBugCheckData (8089f620)]
80826c7f 25ffffffef      and     eax,0EFFFFFFFh
80826c84 3dcd000000      cmp     eax,0CDh
80826c89 741d            je      nt!KeBugCheck2+0x84a (80826ca8)

nt!KeBugCheck2+0x82d:
80826c8b 3dd6000000      cmp     eax,0D6h
80826c90 7416            je      nt!KeBugCheck2+0x84a (80826ca8)

nt!KeBugCheck2+0x834:
80826c92 3dd1000000      cmp     eax,0D1h
80826c97 7522            jne     nt!KeBugCheck2+0x85d (80826cbb)

nt!KeBugCheck2+0x83b:
80826c99 ff3524f68980    push    dword ptr [nt!KiBugCheckData+0x4 (8089f624)]
80826c9f e8f22b0300      call    nt!MmIsSpecialPoolAddress (80859896)
80826ca4 85c0            test    eax,eax
80826ca6 7413            je      nt!KeBugCheck2+0x85d (80826cbb)

nt!KeBugCheck2+0x84a:
80826ca8 a124f68980      mov     eax,dword ptr [nt!KiBugCheckData+0x4 (8089f624)]
80826cad 0500f0ffff      add     eax,0FFFFF000h
80826cb2 23c6            and     eax,esi
80826cb4 57              push    edi
80826cb5 50              push    eax
80826cb6 e84975ffff      call    nt!IoAddTriageDumpDataBlock (8081e204)

nt!KeBugCheck2+0x85d:
80826cbb 64a120000000    mov     eax,dword ptr fs:[00000020h]
80826cc1 80b85a09000000  cmp     byte ptr [eax+95Ah],0
80826cc8 7416            je      nt!KeBugCheck2+0x882 (80826ce0)

nt!KeBugCheck2+0x86c:
80826cca 64a120000000    mov     eax,dword ptr fs:[00000020h]
80826cd0 0fb6805a090000  movzx   eax,byte ptr [eax+95Ah]
80826cd7 57              push    edi
80826cd8 23c6            and     eax,esi
80826cda 50              push    eax
80826cdb e82475ffff      call    nt!IoAddTriageDumpDataBlock (8081e204)

nt!KeBugCheck2+0x882:
80826ce0 8d85affcffff    lea     eax,[ebp-351h]
80826ce6 50              push    eax
80826ce7 ffb58cfcffff    push    dword ptr [ebp-374h]
80826ced 8d85b0fcffff    lea     eax,[ebp-350h]
80826cf3 50              push    eax
80826cf4 ff3530f68980    push    dword ptr [nt!KiBugCheckData+0x10 (8089f630)]
80826cfa ff352cf68980    push    dword ptr [nt!KiBugCheckData+0xc (8089f62c)]
80826d00 ff3528f68980    push    dword ptr [nt!KiBugCheckData+0x8 (8089f628)]
80826d06 ff3524f68980    push    dword ptr [nt!KiBugCheckData+0x4 (8089f624)]
80826d0c ff3520f68980    push    dword ptr [nt!KiBugCheckData (8089f620)]
80826d12 e87191ffff      call    nt!IoWriteCrashDump (8081fe88)
80826d17 eb1f            jmp     nt!KeBugCheck2+0x8da (80826d38)

nt!KeBugCheck2+0x8bb:
80826d19 ff0534f68980    inc     dword ptr [nt!KeBugCheckOwnerRecursionCount (8089f634)]
80826d1f 833d34f6898001  cmp     dword ptr [nt!KeBugCheckOwnerRecursionCount (8089f634)],1
80826d26 7410            je      nt!KeBugCheck2+0x8da (80826d38)

nt!KeBugCheck2+0x8ca:
80826d28 833d34f6898002  cmp     dword ptr [nt!KeBugCheckOwnerRecursionCount (8089f634)],2
80826d2f 7554            jne     nt!KeBugCheck2+0x927 (80826d85)

nt!KeBugCheck2+0x8d3:
80826d31 6a04            push    4
80826d33 e8eaedffff      call    nt!KiBugCheckDebugBreak (80825b22)

nt!KeBugCheck2+0x8da:
80826d38 e86ff0ffff      call    nt!KiScanBugCheckCallbackList (80825dac)
80826d3d a150cb8980      mov     eax,dword ptr [nt!ExpWdHandler (8089cb50)]
80826d42 33f6            xor     esi,esi
80826d44 3bc6            cmp     eax,esi
80826d46 740d            je      nt!KeBugCheck2+0x8f7 (80826d55)

nt!KeBugCheck2+0x8ea:
80826d48 6a01            push    1
80826d4a 56              push    esi
80826d4b ff3554cb8980    push    dword ptr [nt!ExpWdHandlerContext (8089cb54)]
80826d51 6a04            push    4
80826d53 ffd0            call    eax

nt!KeBugCheck2+0x8f7:
80826d55 80bdaffcffff00  cmp     byte ptr [ebp-351h],0
80826d5c 7411            je      nt!KeBugCheck2+0x911 (80826d6f)

nt!KeBugCheck2+0x900:
80826d5e 56              push    esi
80826d5f 6aff            push    0FFFFFFFFh
80826d61 56              push    esi
80826d62 e877630400      call    nt!DbgUnLoadImageSymbols (8086d0de)
80826d67 6a03            push    3
80826d69 ff15f8108080    call    dword ptr [nt!_imp__HalReturnToFirmware (808010f8)]

nt!KeBugCheck2+0x911:
80826d6f 6a04            push    4
80826d71 e8acedffff      call    nt!KiBugCheckDebugBreak (80825b22)
80826d76 8b4dfc          mov     ecx,dword ptr [ebp-4]
80826d79 5f              pop     edi
80826d7a 5e              pop     esi
80826d7b 5b              pop     ebx
80826d7c e8ef9d0500      call    nt!__security_check_cookie (80880b70)
80826d81 c9              leave
80826d82 c21800          ret     18h

nt!KeBugCheck2+0x927:
80826d85 f390            pause
80826d87 ebfc            jmp     nt!KeBugCheck2+0x927 (80826d85)

大家注意下开头的代码:
nt!KeBugCheck2:
8082645e 8bff            mov     edi,edi
80826460 55              push    ebp
80826461 8bec            mov     ebp,esp
80826463 81ec80030000    sub     esp,380h
80826469 a124e18880      mov     eax,dword ptr [nt!__security_cookie (8088e124)]
8082646e 8945fc          mov     dword ptr [ebp-4],eax
80826471 8b450c          mov     eax,dword ptr [ebp+0Ch]
80826474 648b0d24010000  mov     ecx,dword ptr fs:[124h]
8082647b 898594fcffff    mov     dword ptr [ebp-36Ch],eax
80826481 8b4514          mov     eax,dword ptr [ebp+14h]
80826484 8985a4fcffff    mov     dword ptr [ebp-35Ch],eax
8082648a 8b4518          mov     eax,dword ptr [ebp+18h]
8082648d 898584fcffff    mov     dword ptr [ebp-37Ch],eax
80826493 8b451c          mov     eax,dword ptr [ebp+1Ch]
80826496 53              push    ebx
80826497 8b5d10          mov     ebx,dword ptr [ebp+10h]
8082649a 8985a8fcffff    mov     dword ptr [ebp-358h],eax
808264a0 33c0            xor     eax,eax
808264a2 817d08e5000000  cmp     dword ptr [ebp+8],0E5h
808264a9 56              push    esi
808264aa 57              push    edi
808264ab 899d80fcffff    mov     dword ptr [ebp-380h],ebx
808264b1 888588fcffff    mov     byte ptr [ebp-378h],al
808264b7 8885adfcffff    mov     byte ptr [ebp-353h],al
808264bd 898598fcffff    mov     dword ptr [ebp-368h],eax
808264c3 898590fcffff    mov     dword ptr [ebp-370h],eax
808264c9 8985a0fcffff    mov     dword ptr [ebp-360h],eax
808264cf 898d8cfcffff    mov     dword ptr [ebp-374h],ecx
808264d5 8885affcffff    mov     byte ptr [ebp-351h],al
808264db a310f68980      mov     dword ptr [nt!KiBugCheckDriver (8089f610)],eax
808264e0 c605c86d898001  mov     byte ptr [nt!KeBugCheckActive (80896dc8)],1
808264e7 750d            jne     nt!KeBugCheck2+0x98 (808264f6)

nt!KeBugCheck2+0x8b:
808264e9 e8bef8ffff      call    nt!KiScanBugCheckCallbackList (80825dac)
808264ee 6a03            push    3
808264f0 ff15f8108080    call    dword ptr [nt!_imp__HalReturnToFirmware (808010f8)]

808264a2 处的这句 cmp dword ptr [ebp+8],0E5h,是在检查第一个参数(BugCheckCode)是否等于 0xE5;翻阅 WDK 中的 bugcodes.h 后发现这么一句:
#define POWER_FAILURE_SIMULATE  0xE5

这就说明当 BugCheckCode 为 0xE5 时,KeBugCheck2 会跳到 +0x8B 处执行。
这里先调用了 KiScanBugCheckCallbackList(作用笔者暂不清楚),然后把 3 压入栈,再通过导入表调用 nt!_imp__HalReturnToFirmware。这一句才是重点!结合下面的枚举可以看到,压栈的 3 正好对应 HalRebootRoutine。
根据网上对 HalReturnToFirmware 的描述,这个函数直接调用 BIOS 例程实现断电重启,不经过正常的关机流程,应该算是相当暴力的手法了。先看看它的原型:
NTKERNELAPI void HalReturnToFirmware(IN FIRMWARE_REENTRY FirmwareReentry);

其中FIRMWARE_REENTRY是一个枚举类型:
typedef enum _FIRMWARE_REENTRY
{ 
	HalHaltRoutine, 
	HalPowerDownRoutine, 
	HalRestartRoutine, 
	HalRebootRoutine, 
	HalInteractiveModeRoutine, 
	HalMaximumRoutine 
}FIRMWARE_REENTRY, *PFIRMWARE_REENTRY;

我们只要传入 HalRebootRoutine(也就是上面反汇编里压栈的 3)就能实现重启,所以重启只需要一句代码:
HalReturnToFirmware(HalRebootRoutine);

经测试,该方法通用于各版本 Windows,无论是 32 位还是 64 位系统都可用。
超级暴力重启者源码(x86&x64).zip (213.33 KB, 下载次数: 6, 售价: 3 个宅币)
发表于 2015-8-27 02:39:15 | 显示全部楼层
厉害额,学了个习的

0

主题

18

帖子

51

积分

用户组: 小·技术宅

UID
2933
精华
0
威望
2 点
宅币
29 个
贡献
0 次
宅之契约
0 份
在线时间
2 小时
注册时间
2017-10-9
发表于 2017-10-11 23:03:59 | 显示全部楼层
牛逼{:4_98:}
发表于 2017-11-5 18:28:33 | 显示全部楼层
牛逼得不得了。破坏性爆表。

本版积分规则

QQ|申请友链||Archiver|手机版|小黑屋|技术宅的结界 ( 滇ICP备16008837号 )|网站地图  

GMT+8, 2020-7-11 18:13 , Processed in 0.101702 second(s), 31 queries , Gzip On.

Powered by Discuz! X3.4

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表