
hal!KfLowerIrql函数分析和全局变量数组hal!HalpIRQLtoTPR和hal!_HalpVectorToIRQL和APIC_TPR寄存器的关系


hal!KfLowerIrql函数分析和nt!KeRaiseIrql函数分析

hal!HalpIRQLtoTPR

hal!_HalpVectorToIRQL

ds:[FFFE0080h]

ifdef _APIC_TPR_

APIC_TPR equ dword ptr ds:0FFFE0080h

0: kd> x hal!_HalpVectorToIRQL
804fa21c hal!HalpVectorToIRQL = unsigned char [] ""
804fa21c hal!_HalpVectorToIRQL = 0x00 ''
0: kd> db 804fa21c
804fa21c 00 ff ff 01 02 ff 05 06-07 08 09 0a 1b 1c 1d 1e ................
804fa22c 00 00 00 00 00 00 00 00-08 10 00 00 00 00 00 00 ................
804fa23c 00 00 00 00 00 00 00 00-00 00 80 00 00 00 00 00 ................
804fa24c 00 00 00 00 00 00 00 00-02 00 00 00 02 00 00 00 ................
804fa25c e0 51 4f 80 00 00 00 00-00 00 00 00 00 00 00 00 .QO.............
804fa26c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
804fa27c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
804fa28c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

0: kd> x hal!HalpIRQLtoTPR
804edbb8 hal!HalpIRQLtoTPR = unsigned char [] ""
0: kd> db 804edbb8
804edbb8 00 3d 41 41 51 61 71 81-91 a1 b1 b1 b1 b1 b1 b1 .=AAQaq.........
804edbc8 b1 b1 b1 b1 b1 b1 b1 b1-b1 b1 b1 c1 d1 e1 ef ff ................
804edbd8 0f b6 d1 0f b6 8a b8 db-4e 80 a1 80 00 fe ff 89 ........N.......
804edbe8 0d 80 00 fe ff c1 e8 04-0f b6 80 1c a2 4f 80 c3 .............O..
804edbf8 8b 15 80 00 fe ff c7 05-80 00 fe ff 41 00 00 00 ............A...
804edc08 c1 ea 04 0f b6 82 1c a2-4f 80 c3 90 8b 15 80 00 ........O.......
804edc18 fe ff c7 05 80 00 fe ff-c1 00 00 00 c1 ea 04 0f ................
804edc28 b6 82 1c a2 4f 80 c3 90-33 c0 8a c1 8b 0d 80 00 ....O...3.......

;-----------------------------------------------------------------------
; VOID FASTCALL KfLowerIrql(KIRQL NewIrql)
; ABI:   x86 __fastcall (cPublicFastCall, one argument)
; In:    cl  = NewIrql (KIRQL is an unsigned char; valid levels are
;              0..31, see the *_LEVEL defines on this page)
; Out:   none.  On return eax holds the TPR value read back and ecx
;        the TPR value written; both are scratch under __fastcall.
; Clobb: eax, ecx, flags
; Stack: none - cPublicFpo 0,0 (the kv trace shows FPO: [0,0,0])
;
; Maps the requested IRQL to a local-APIC task-priority value through
; _HalpIRQLtoTPR, writes it to the APIC TPR, and reads the register
; back so the new priority is in effect before returning.  The C
; reference version of KfLowerIrql further down this page performs
; the same sequence.
;
; NOTE(review): there is no range check on NewIrql in either build.
; The lookup below indexes _HalpIRQLtoTPR with the zero-extended byte
; in eax, so a value above HIGH_LEVEL (31) would read whatever follows
; the 32-byte table - in the db dump of hal!HalpIRQLtoTPR on this page
; the bytes after offset 32 look like instruction bytes, not table
; entries.  Callers are trusted to pass a valid level.
;-----------------------------------------------------------------------
cPublicFastCall KfLowerIrql ,1
cPublicFpo 0,0

xor eax, eax ; clear the full register: eax is used as a byte index below
mov al, cl ; eax = NewIrql, zero-extended

if DBG
;
; Make sure we are not lowering to ABOVE current level
; (same check as ASSERT( NewIrql <= KeGetCurrentIrql() ) in the C
; version).  The kd trace on this page shows this block present in the
; traced build (hal!KfLowerIrql+0x14: cmp al,cl).
;

mov ecx, dword ptr APIC[LU_TPR] ; (ecx) = current TPR value (original comment said ebx; the code uses ecx)
shr ecx, 4 ; high nibble of the TPR selects the _HalpVectorToIRQL entry
movzx ecx, _HalpVectorToIRQL[ecx] ; (ecx) = current IRQL

cmp al, cl ; unsigned compare; NewIrql <= current IRQL is the valid case
jbe short KliDbg
push ecx ; current (old) irql for debugging - ecx came from _HalpVectorToIRQL
push eax ; requested (new) irql for debugging - eax came from cl
stdCall _KeBugCheck, <IRQL_NOT_LESS_OR_EQUAL>
KliDbg:
endif
xor ecx, ecx ; Avoid a partial stall
mov cl, _HalpIRQLtoTPR[eax] ; get TPR value corresponding to IRQL
mov dword ptr APIC[LU_TPR], ecx ; program the new task priority

;
; We have to ensure that the requested priority is set before
; we return. The caller is counting on it.  Reading the register back
; serves that purpose here; the C version does the same with a
; discarded *APIC_TPR read between two KeMemoryBarrier() calls.
;
mov eax, dword ptr APIC[LU_TPR]

if DBG
cmp ecx, eax ; Verify IRQL read back is same as
je short @f ; set value
int 3 ; mismatch between written and read-back TPR: break into the debugger
@@:
endif
fstRET KfLowerIrql
fstENDP KfLowerIrql


参考:c语言版

/*
 * KeGetCurrentIrql - derive the current IRQL from the local-APIC
 * task-priority register: the high nibble of the TPR indexes
 * HalpVectorToIRQL, which yields the IRQL.
 *
 * Returns the current IRQL as a KIRQL.
 */
KIRQL
FORCEINLINE
KeGetCurrentIrql (
VOID
)
{
ULONG tpr = *APIC_TPR; /* single MMIO read of the TPR */

/* tpr >> 4 is the same index as tpr / 16 for an unsigned value */
return HalpVectorToIRQL[ tpr >> 4 ];
}

/*
 * KfLowerIrql - lower the current IRQL to NewIrql by programming the
 * local-APIC task-priority register.  C counterpart of the MASM
 * listing above.
 *
 * NewIrql - target level, expected to be <= the current IRQL.  The
 *           ASSERT enforces that only in checked builds, and nothing
 *           range-checks NewIrql before it indexes HalpIRQLToTPR, so
 *           the caller is trusted to pass a valid level.
 *
 * Returns nothing.  The discarded read of *APIC_TPR after the write
 * makes sure the new priority has taken effect before returning; the
 * assembly version reads the register back into eax for the same reason.
 */
VOID
FORCEINLINE
KfLowerIrql (
IN KIRQL NewIrql
)
{
ULONG tprValue;

ASSERT( NewIrql <= KeGetCurrentIrql() ); /* lowering must never raise */

tprValue = HalpIRQLToTPR[NewIrql]; /* IRQL -> TPR byte */
KeMemoryBarrier(); /* barrier around the MMIO write */
*APIC_TPR = tprValue;
*APIC_TPR; /* read back: the write must be in effect before we return */
KeMemoryBarrier();
}
参考:c语言版

0: kd> p
eax=00000000 ebx=ffdff120 ecx=ffdff907 edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc32 esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
hal!KfLowerIrql+0x2:
804edc32 8ac1 mov al,cl
0: kd> kc
#
00 hal!KfLowerIrql
01 nt!KeInsertQueueDpc
02 USBPORT!USBPORT_InterruptService
03 nt!KiInterruptDispatch
04 hal!WRITE_PORT_UCHAR
05 PCIIDEX!BmArm
06 atapi!IdeReadWrite
07 atapi!IdeSendCommand
08 atapi!AtapiStartIo
09 atapi!IdeStartIoSynchronized
0a nt!KeSynchronizeExecution
0b atapi!IdePortAllocateAccessToken
0c PCIIDEX!BmReceiveScatterGatherList
0d hal!HalBuildScatterGatherList
0e hal!HalGetScatterGatherList
0f PCIIDEX!BmSetup
10 atapi!IdePortStartIo
11 nt!IoStartPacket
12 atapi!IdePortDispatch
13 nt!IofCallDriver
14 CLASSPNP!SubmitTransferPacket
15 CLASSPNP!ServiceTransferRequest
16 CLASSPNP!ClassReadWrite
17 nt!IofCallDriver
18 PartMgr!PmReadWrite
19 nt!IofCallDriver
1a ftdisk!FtDiskReadWrite
1b nt!IofCallDriver
1c volsnap!VolSnapWrite
1d nt!IofCallDriver
1e Ntfs!NtfsSingleAsync
1f Ntfs!NtfsNonCachedIo
20 Ntfs!NtfsCommonWrite
21 Ntfs!NtfsFsdWrite
22 nt!IofCallDriver
23 nt!IoSynchronousPageWrite
24 nt!MiFlushSectionInternal
25 nt!MmFlushSection
26 nt!CcFlushCache
27 Ntfs!NtfsCheckpointVolume
28 Ntfs!NtfsCheckpointAllVolumes
29 nt!ExpWorkerThread
2a nt!PspSystemThreadStartup
2b nt!KiThreadStartup
0: kd> kv 5
# ChildEBP RetAddr Args to Child
00 f78cdcb8 80a36622 89620bb0 898d4608 105ee601 hal!KfLowerIrql+0x2 (FPO: [0,0,0]) [d:\srv03rtm\base\hals\halmps\i386\mpirql.asm @ 319]
01 f78cdcd4 baed5f37 018d4608 898d460c 00000000 nt!KeInsertQueueDpc+0x19e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\dpcobj.c @ 439]
02 f78cdcf0 80b003ed 89620bb0 898d4030 00010007 USBPORT!USBPORT_InterruptService+0x93 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\usb\hcd\usbport\int.c @ 106]
03 f78cdcf0 804f4d71 89620bb0 898d4030 00010007 nt!KiInterruptDispatch+0x8d (FPO: [0,2] TrapFrame @ f78cdd14) [d:\srv03rtm\base\ntos\ke\i386\intsup.asm @ 777]
04 f78cdd84 f73a91bb 000010c0 00000001 8948cf14 hal!WRITE_PORT_UCHAR+0x9 (FPO: [2,0,0]) [d:\srv03rtm\base\hals\halx86\i386\xxioacc.asm @ 241]

// x86 IRQL values used throughout this page.  Each IRQL is an index into
// hal!HalpIRQLtoTPR; the db dump of that table above gives, for example,
// DISPATCH_LEVEL (2) -> TPR 0x41, PROFILE_LEVEL (27) -> 0xc1,
// IPI_LEVEL (29) -> 0xe1 and HIGH_LEVEL (31) -> 0xff, which is the TPR
// value the kd trace shows before KeInsertQueueDpc lowers the level.
#define PASSIVE_LEVEL 0 // Passive release level
#define LOW_LEVEL 0 // Lowest interrupt level
#define APC_LEVEL 1 // APC interrupt level
#define DISPATCH_LEVEL 2 // Dispatcher level

#define PROFILE_LEVEL 27 // timer used for profiling.
#define CLOCK1_LEVEL 28 // Interval clock 1 level - Not used on x86
#define CLOCK2_LEVEL 28 // Interval clock 2 level
#define IPI_LEVEL 29 // Interprocessor interrupt level
#define POWER_LEVEL 30 // Power failure level
#define HIGH_LEVEL 31 // Highest interrupt level


KeRaiseIrql(HIGH_LEVEL, &OldIrql); 比时钟中断的优先级还要高!!!

/*
 * KeInsertQueueDpc - excerpt, abridged on this page: only the
 * raise/lower pair around the queue update is kept.  The declarations
 * of OldIrql and Inserted and the queue manipulation between the two
 * calls are omitted by the author, so this fragment is not compilable
 * as shown.  The trailing "OldIrql=eax=00000007" annotations are the
 * author's notes from the kd trace below, where the caller's IRQL was 7.
 */
BOOLEAN
KeInsertQueueDpc (
IN PRKDPC Dpc,
IN PVOID SystemArgument1,
IN PVOID SystemArgument2
)
{

/* Raise to HIGH_LEVEL (31 -> TPR 0xff per the HalpIRQLtoTPR dump above),
   presumably so the queue update cannot be interrupted - confirm against
   the full source. */
KeRaiseIrql(HIGH_LEVEL, &OldIrql); OldIrql=eax=00000007


/* Restore the caller's level; the kd trace below steps from this call
   into hal!KfLowerIrql via nt!_imp_KfLowerIrql. */
KeLowerIrql(OldIrql); OldIrql=eax=00000007
return Inserted;
}


/*
 * KeRaiseIrql - raise the current IRQL to NewIrql and hand the previous
 * level back through OldIrql.  Thin wrapper: KfRaiseIrql does the work
 * and returns the previous IRQL, which is stored through the out-pointer.
 */
VOID
KeRaiseIrql (
IN KIRQL NewIrql,
OUT PKIRQL OldIrql
)
{
KIRQL previous;

previous = KfRaiseIrql (NewIrql);
*OldIrql = previous;
}

/*
 * KfRaiseIrql - raise the current IRQL to NewIrql by programming the
 * local-APIC task-priority register, returning the level that was in
 * effect before the call.
 *
 * NewIrql - target level, expected to be >= the current IRQL.  As in
 *           KfLowerIrql the ASSERT is the only check and applies to
 *           checked builds only; NewIrql is not range-checked before it
 *           indexes HalpIRQLToTPR.
 *
 * Returns the previous IRQL, read via KeGetCurrentIrql() before the
 * TPR is changed.  Unlike KfLowerIrql there is no read-back after the
 * write, only the trailing barrier.
 */
KIRQL
FORCEINLINE
KfRaiseIrql (
IN KIRQL NewIrql
)
{
KIRQL oldIrql;
ULONG tprValue;

oldIrql = KeGetCurrentIrql(); /* capture the level to return */
ASSERT( NewIrql >= oldIrql ); /* raising must never lower */

tprValue = HalpIRQLToTPR[NewIrql]; /* IRQL -> TPR byte */

KeMemoryBarrier(); /* barrier around the MMIO write */
*APIC_TPR = tprValue;
KeMemoryBarrier();

return oldIrql;
}


0: kd> p
eax=00000002 ebx=ffdff120 ecx=ffdff907 edx=00000002 esi=ffdff980 edi=898d4608
eip=80a3661c esp=f78cdcc0 ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KeInsertQueueDpc+0x198:
80a3661c ff150431a080 call dword ptr [nt!_imp_KfLowerIrql (80a03104)] ds:0023:80a03104={hal!KfLowerIrql (804edc30)}
0: kd> t
eax=00000002 ebx=ffdff120 ecx=ffdff907 edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc30 esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
hal!KfLowerIrql:
804edc30 33c0 xor eax,eax
0: kd> p
eax=00000000 ebx=ffdff120 ecx=ffdff907 edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc32 esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
hal!KfLowerIrql+0x2:
804edc32 8ac1 mov al,cl

0: kd> p
eax=00000007 ebx=ffdff120 ecx=ffdff907 edx=00000002 esi=ffdff980 edi=898d4608 OldIrql=eax=00000007
eip=804edc34 esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
hal!KfLowerIrql+0x4:
804edc34 8b0d8000feff mov ecx,dword ptr ds:[0FFFE0080h] ds:0023:fffe0080=000000ff
0: kd> p
eax=00000007 ebx=ffdff120 ecx=000000e1 edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc3a esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
hal!KfLowerIrql+0xa:
804edc3a c1e904 shr ecx,4
0: kd> x hal!HalpIRQLtoTPR
804edbb8 hal!HalpIRQLtoTPR = unsigned char [] ""
0: kd> db 804edbb8
804edbb8 00 3d 41 41 51 61 71 81-91 a1 b1 b1 b1 b1 b1 b1 .=AAQaq.........
804edbc8 b1 b1 b1 b1 b1 b1 b1 b1-b1 b1 b1 c1 d1 e1 ef ff ................
804edbd8 0f b6 d1 0f b6 8a b8 db-4e 80 a1 80 00 fe ff 89 ........N.......
804edbe8 0d 80 00 fe ff c1 e8 04-0f b6 80 1c a2 4f 80 c3 .............O..
804edbf8 8b 15 80 00 fe ff c7 05-80 00 fe ff 41 00 00 00 ............A...
804edc08 c1 ea 04 0f b6 82 1c a2-4f 80 c3 90 8b 15 80 00 ........O.......
804edc18 fe ff c7 05 80 00 fe ff-c1 00 00 00 c1 ea 04 0f ................
804edc28 b6 82 1c a2 4f 80 c3 90-33 c0 8a c1 8b 0d 80 00 ....O...3.......
0: kd> p
eax=00000007 ebx=ffdff120 ecx=0000000e edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc3d esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
hal!KfLowerIrql+0xd:
804edc3d 0fb6891ca24f80 movzx ecx,byte ptr hal!_HalpVectorToIRQL (804fa21c)[ecx] ds:0023:804fa22a=1d
0: kd> db 804fa21c
804fa21c 00 ff ff 01 02 ff 05 06-07 08 09 0a 1b 1c 1d 1e ................
804fa22c 00 00 00 00 00 00 00 00-08 10 00 00 00 00 00 00 ................
804fa23c 00 00 00 00 00 00 00 00-00 00 80 00 00 00 00 00 ................
804fa24c 00 00 00 00 00 00 00 00-02 00 00 00 02 00 00 00 ................
804fa25c e0 51 4f 80 00 00 00 00-00 00 00 00 00 00 00 00 .QO.............
804fa26c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
804fa27c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
804fa28c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0: kd> p
eax=00000007 ebx=ffdff120 ecx=0000001d edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc44 esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
hal!KfLowerIrql+0x14:
804edc44 38c8 cmp al,cl
0: kd> p
eax=00000007 ebx=ffdff120 ecx=0000001d edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc46 esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000293
hal!KfLowerIrql+0x16:
804edc46 760a jbe hal!KfLowerIrql+0x22 (804edc52) [br=1]
0: kd> p
eax=00000007 ebx=ffdff120 ecx=0000001d edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc52 esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000293
hal!KfLowerIrql+0x22:
804edc52 33c9 xor ecx,ecx
0: kd> p
eax=00000007 ebx=ffdff120 ecx=00000000 edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc54 esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
hal!KfLowerIrql+0x24:
804edc54 8a88b8db4e80 mov cl,byte ptr hal!HalpIRQLtoTPR (804edbb8)[eax] ds:0023:804edbbf=81
0: kd> db 804edbb8
804edbb8 00 3d 41 41 51 61 71 81-91 a1 b1 b1 b1 b1 b1 b1 .=AAQaq.........
804edbc8 b1 b1 b1 b1 b1 b1 b1 b1-b1 b1 b1 c1 d1 e1 ef ff ................
804edbd8 0f b6 d1 0f b6 8a b8 db-4e 80 a1 80 00 fe ff 89 ........N.......
804edbe8 0d 80 00 fe ff c1 e8 04-0f b6 80 1c a2 4f 80 c3 .............O..
804edbf8 8b 15 80 00 fe ff c7 05-80 00 fe ff 41 00 00 00 ............A...
804edc08 c1 ea 04 0f b6 82 1c a2-4f 80 c3 90 8b 15 80 00 ........O.......
804edc18 fe ff c7 05 80 00 fe ff-c1 00 00 00 c1 ea 04 0f ................
804edc28 b6 82 1c a2 4f 80 c3 90-33 c0 8a c1 8b 0d 80 00 ....O...3.......
0: kd> p
eax=00000007 ebx=ffdff120 ecx=00000081 edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc5a esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
hal!KfLowerIrql+0x2a:
804edc5a 890d8000feff mov dword ptr ds:[0FFFE0080h],ecx ds:0023:fffe0080=000000ff
0: kd> p
eax=00000007 ebx=ffdff120 ecx=00000081 edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc60 esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
hal!KfLowerIrql+0x30:
804edc60 a18000feff mov eax,dword ptr ds:[FFFE0080h] ds:0023:fffe0080=000000ff
0: kd> p
eax=00000081 ebx=ffdff120 ecx=00000081 edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc65 esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
hal!KfLowerIrql+0x35:
804edc65 3bc8 cmp ecx,eax
0: kd> p
eax=00000081 ebx=ffdff120 ecx=00000081 edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc67 esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
hal!KfLowerIrql+0x37:
804edc67 7401 je hal!KfLowerIrql+0x3a (804edc6a) [br=1]
0: kd> p
eax=00000081 ebx=ffdff120 ecx=00000081 edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc6a esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
hal!KfLowerIrql+0x3a:
804edc6a c3 ret
0: kd> p
eax=00000081 ebx=ffdff120 ecx=00000081 edx=00000002 esi=ffdff980 edi=898d4608
eip=80a36622 esp=f78cdcc0 ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KeInsertQueueDpc+0x19e:
80a36622 8a450b mov al,byte ptr [ebp+0Bh] ss:0010:f78cdcdf=01
