WinDbg : u
The u (unassemble) command and its variants show the disassembly at a particular memory location or symbol.
kd> u nt!ntWriteFile
nt!NtWriteFile:
82878f2b 6a5c push 5Ch
82878f2d 6880236682 push offset nt! ?? ::FNODOBFM::`string'+0x6800 (82662380)
82878f32 e871ece0ff call nt!_SEH_prolog4 (82687ba8)
82878f37 33f6 xor esi,esi
82878f39 8975dc mov dword ptr [ebp-24h],esi
82878f3c 8975d0 mov dword ptr [ebp-30h],esi
82878f3f 8975a4 mov dword ptr [ebp-5Ch],esi
82878f42 8975a8 mov dword ptr [ebp-58h],esi
This starts unassembling at the address that the symbol nt!ntWriteFile resolves to (symbol matching is case-insensitive by default, which is why the output is labelled nt!NtWriteFile). With no range given, u prints eight instructions, as above. If we want it to dump the entire function, we can use the uf (unassemble function) variant instead; it walks the function's basic blocks and labels each one with its offset from the start of the function.
kd> uF nt!ntWriteFile
nt!NtWriteFile:
82878f2b 6a5c push 5Ch
82878f2d 6880236682 push offset nt! ?? ::FNODOBFM::`string'+0x6800 (82662380)
82878f32 e871ece0ff call nt!_SEH_prolog4 (82687ba8)
82878f37 33f6 xor esi,esi
82878f39 8975dc mov dword ptr [ebp-24h],esi
82878f3c 8975d0 mov dword ptr [ebp-30h],esi
82878f3f 8975a4 mov dword ptr [ebp-5Ch],esi
82878f42 8975a8 mov dword ptr [ebp-58h],esi
82878f45 64a124010000 mov eax,dword ptr fs:[00000124h]
82878f4b 8945bc mov dword ptr [ebp-44h],eax
82878f4e 8a983a010000 mov bl,byte ptr [eax+13Ah]
82878f54 885dd4 mov byte ptr [ebp-2Ch],bl
82878f57 8d4594 lea eax,[ebp-6Ch]
82878f5a 50 push eax
82878f5b 8d45d8 lea eax,[ebp-28h]
82878f5e 50 push eax
82878f5f ff75d4 push dword ptr [ebp-2Ch]
82878f62 ff7508 push dword ptr [ebp+8]
82878f65 e8a7fdffff call nt!ObReferenceFileObjectForWrite (82878d11)
82878f6a 3bc6 cmp eax,esi
82878f6c 0f8ca7060000 jl nt!NtWriteFile+0x6e8 (82879619)
nt!NtWriteFile+0x47:
82878f72 8b7dd8 mov edi,dword ptr [ebp-28h]
82878f75 57 push edi
82878f76 e887cce1ff call nt!IoGetRelatedDeviceObject (82695c02)
82878f7b 894508 mov dword ptr [ebp+8],eax
82878f7e 84db test bl,bl
82878f80 0f846e010000 je nt!NtWriteFile+0x1c8 (828790f4)
nt!NtWriteFile+0x5b:
82878f86 8975cc mov dword ptr [ebp-34h],esi
82878f89 8975fc mov dword ptr [ebp-4],esi
82878f8c 8b4518 mov eax,dword ptr [ebp+18h]
82878f8f 8b0d1c277782 mov ecx,dword ptr [nt!MmUserProbeAddress (8277271c)]
82878f95 3bc1 cmp eax,ecx
82878f97 7202 jb nt!NtWriteFile+0x70 (82878f9b)
nt!NtWriteFile+0x6e:
82878f99 8bc1 mov eax,ecx
nt!NtWriteFile+0x70:
82878f9b 8b08 mov ecx,dword ptr [eax]
82878f9d 8908 mov dword ptr [eax],ecx
82878f9f 8b4804 mov ecx,dword ptr [eax+4]
82878fa2 894804 mov dword ptr [eax+4],ecx
82878fa5 8b5520 mov edx,dword ptr [ebp+20h]
82878fa8 8b0d1c277782 mov ecx,dword ptr [nt!MmUserProbeAddress (8277271c)]
82878fae 3bd6 cmp edx,esi
82878fb0 7417 je nt!NtWriteFile+0x9e (82878fc9)
nt!NtWriteFile+0x87:
82878fb2 8b5d1c mov ebx,dword ptr [ebp+1Ch]
82878fb5 8d041a lea eax,[edx+ebx]
82878fb8 3bc1 cmp eax,ecx
82878fba 7704 ja nt!NtWriteFile+0x95 (82878fc0)
nt!NtWriteFile+0x91:
82878fbc 3bc3 cmp eax,ebx
82878fbe 7309 jae nt!NtWriteFile+0x9e (82878fc9)
nt!NtWriteFile+0x95:
82878fc0 c60100 mov byte ptr [ecx],0
82878fc3 8b0d1c277782 mov ecx,dword ptr [nt!MmUserProbeAddress (8277271c)]
nt!NtWriteFile+0x9e:
82878fc9 39776c cmp dword ptr [edi+6Ch],esi
82878fcc 741d je nt!NtWriteFile+0xc0 (82878feb)
nt!NtWriteFile+0xa3:
82878fce 397510 cmp dword ptr [ebp+10h],esi
82878fd1 7418 je nt!NtWriteFile+0xc0 (82878feb)
nt!NtWriteFile+0xa8:
82878fd3 8bcf mov ecx,edi
82878fd5 e8e97ce0ff call nt!ObfDereferenceObject (82680cc3)
82878fda c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh
nt!NtWriteFile+0xb6:
82878fe1 b80d0000c0 mov eax,0C000000Dh
82878fe6 e92e060000 jmp nt!NtWriteFile+0x6e8 (82879619)
nt!NtWriteFile+0xc0:
82878feb 8b4524 mov eax,dword ptr [ebp+24h]
82878fee 3bc6 cmp eax,esi
82878ff0 7429 je nt!NtWriteFile+0xef (8287901b)
nt!NtWriteFile+0xc7:
82878ff2 a803 test al,3
82878ff4 7406 je nt!NtWriteFile+0xd0 (82878ffc)
nt!NtWriteFile+0xcb:
82878ff6 e8cfdf0100 call nt!ExRaiseDatatypeMisalignment (82896fca)
82878ffb cc int 3
nt!NtWriteFile+0xd0:
82878ffc 3bc1 cmp eax,ecx
82878ffe 7202 jb nt!NtWriteFile+0xd6 (82879002)
nt!NtWriteFile+0xd4:
82879000 8bc1 mov eax,ecx
nt!NtWriteFile+0xd6:
82879002 8a00 mov al,byte ptr [eax]
82879004 8b4524 mov eax,dword ptr [ebp+24h]
82879007 8b08 mov ecx,dword ptr [eax]
82879009 894da4 mov dword ptr [ebp-5Ch],ecx
8287900c 8b4004 mov eax,dword ptr [eax+4]
8287900f 8945a8 mov dword ptr [ebp-58h],eax
82879012 8b7dd8 mov edi,dword ptr [ebp-28h]
82879015 8b0d1c277782 mov ecx,dword ptr [nt!MmUserProbeAddress (8277271c)]
nt!NtWriteFile+0xef:
8287901b f6472c08 test byte ptr [edi+2Ch],8
8287901f 0f8489000000 je nt!NtWriteFile+0x182 (828790ae)
nt!NtWriteFile+0xf9:
82879025 8b4508 mov eax,dword ptr [ebp+8]
82879028 0fb7b0ac000000 movzx esi,word ptr [eax+0ACh]
8287902f 6685f6 test si,si
82879032 7408 je nt!NtWriteFile+0x110 (8287903c)
nt!NtWriteFile+0x108:
82879034 0fb7de movzx ebx,si
82879037 4b dec ebx
82879038 85da test edx,ebx
8287903a 7508 jne nt!NtWriteFile+0x118 (82879044)
nt!NtWriteFile+0x110:
8287903c 8b5d1c mov ebx,dword ptr [ebp+1Ch]
8287903f 85585c test dword ptr [eax+5Ch],ebx
82879042 7425 je nt!NtWriteFile+0x13d (82879069)
nt!NtWriteFile+0x118:
82879044 6685f6 test si,si
82879047 7414 je nt!NtWriteFile+0x131 (8287905d)
nt!NtWriteFile+0x11d:
82879049 0fb7de movzx ebx,si
8287904c 8bc2 mov eax,edx
8287904e 33d2 xor edx,edx
82879050 f7f3 div eax,ebx
82879052 85d2 test edx,edx
82879054 0f8579ffffff jne nt!NtWriteFile+0xa8 (82878fd3)
nt!NtWriteFile+0x12e:
8287905a 8b4508 mov eax,dword ptr [ebp+8]
nt!NtWriteFile+0x131:
8287905d 8b551c mov edx,dword ptr [ebp+1Ch]
82879060 85505c test dword ptr [eax+5Ch],edx
82879063 0f856affffff jne nt!NtWriteFile+0xa8 (82878fd3)
nt!NtWriteFile+0x13d:
82879069 837d2400 cmp dword ptr [ebp+24h],0
8287906d 743f je nt!NtWriteFile+0x182 (828790ae)
nt!NtWriteFile+0x143:
8287906f 837da4ff cmp dword ptr [ebp-5Ch],0FFFFFFFFh
82879073 7506 jne nt!NtWriteFile+0x14f (8287907b)
nt!NtWriteFile+0x149:
82879075 837da8ff cmp dword ptr [ebp-58h],0FFFFFFFFh
82879079 7433 je nt!NtWriteFile+0x182 (828790ae)
nt!NtWriteFile+0x14f:
8287907b 6afe push 0FFFFFFFEh
8287907d 5b pop ebx
8287907e 395da4 cmp dword ptr [ebp-5Ch],ebx
82879081 750c jne nt!NtWriteFile+0x163 (8287908f)
nt!NtWriteFile+0x157:
82879083 837da8ff cmp dword ptr [ebp-58h],0FFFFFFFFh
82879087 7506 jne nt!NtWriteFile+0x163 (8287908f)
nt!NtWriteFile+0x15d:
82879089 f6472c02 test byte ptr [edi+2Ch],2
8287908d 751f jne nt!NtWriteFile+0x182 (828790ae)
nt!NtWriteFile+0x163:
8287908f 6685f6 test si,si
82879092 741a je nt!NtWriteFile+0x182 (828790ae)
nt!NtWriteFile+0x168:
82879094 0fb7c6 movzx eax,si
82879097 48 dec eax
82879098 8b55a4 mov edx,dword ptr [ebp-5Ch]
8287909b 85c2 test edx,eax
8287909d 740f je nt!NtWriteFile+0x182 (828790ae)
nt!NtWriteFile+0x173:
8287909f 8bcf mov ecx,edi
828790a1 e81d7ce0ff call nt!ObfDereferenceObject (82680cc3)
828790a6 895dfc mov dword ptr [ebp-4],ebx
828790a9 e933ffffff jmp nt!NtWriteFile+0xb6 (82878fe1)
nt!NtWriteFile+0x182:
828790ae 8b4528 mov eax,dword ptr [ebp+28h]
828790b1 85c0 test eax,eax
828790b3 740e je nt!NtWriteFile+0x197 (828790c3)
nt!NtWriteFile+0x189:
828790b5 3bc1 cmp eax,ecx
828790b7 7202 jb nt!NtWriteFile+0x18f (828790bb)
nt!NtWriteFile+0x18d:
828790b9 8bc1 mov eax,ecx
nt!NtWriteFile+0x18f:
828790bb 8b00 mov eax,dword ptr [eax]
828790bd 8945d0 mov dword ptr [ebp-30h],eax
828790c0 8b7dd8 mov edi,dword ptr [ebp-28h]
nt!NtWriteFile+0x197:
828790c3 c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh
828790ca 33f6 xor esi,esi
828790cc eb44 jmp nt!NtWriteFile+0x1e6 (82879112)
nt!NtWriteFile+0x1c8:
828790f4 8b4524 mov eax,dword ptr [ebp+24h]
828790f7 3bc6 cmp eax,esi
828790f9 740b je nt!NtWriteFile+0x1da (82879106)
nt!NtWriteFile+0x1cf:
828790fb 8b08 mov ecx,dword ptr [eax]
828790fd 894da4 mov dword ptr [ebp-5Ch],ecx
82879100 8b4004 mov eax,dword ptr [eax+4]
82879103 8945a8 mov dword ptr [ebp-58h],eax
nt!NtWriteFile+0x1da:
82879106 8b4528 mov eax,dword ptr [ebp+28h]
82879109 3bc6 cmp eax,esi
8287910b 7405 je nt!NtWriteFile+0x1e6 (82879112)
nt!NtWriteFile+0x1e1:
8287910d 8b00 mov eax,dword ptr [eax]
8287910f 8945d0 mov dword ptr [ebp-30h],eax
nt!NtWriteFile+0x1e6:
82879112 8b4598 mov eax,dword ptr [ebp-68h]
82879115 2406 and al,6
82879117 3c04 cmp al,4
82879119 7508 jne nt!NtWriteFile+0x1f7 (82879123)
nt!NtWriteFile+0x1ef:
8287911b 834da4ff or dword ptr [ebp-5Ch],0FFFFFFFFh
8287911f 834da8ff or dword ptr [ebp-58h],0FFFFFFFFh
nt!NtWriteFile+0x1f7:
82879123 39750c cmp dword ptr [ebp+0Ch],esi
82879126 7435 je nt!NtWriteFile+0x231 (8287915d)
nt!NtWriteFile+0x1fc:
82879128 56 push esi
82879129 8d45c4 lea eax,[ebp-3Ch]
8287912c 50 push eax
8287912d ff75d4 push dword ptr [ebp-2Ch]
82879130 ff3510207782 push dword ptr [nt!ExEventObjectType (82772010)]
82879136 6a02 push 2
82879138 ff750c push dword ptr [ebp+0Ch]
8287913b e8d41cfbff call nt!ObReferenceObjectByHandle (8282ae14)
82879140 8b4dc4 mov ecx,dword ptr [ebp-3Ch]
82879143 894ddc mov dword ptr [ebp-24h],ecx
82879146 3bc6 cmp eax,esi
82879148 7d10 jge nt!NtWriteFile+0x22e (8287915a)
nt!NtWriteFile+0x21e:
8287914a 8bf0 mov esi,eax
nt!NtWriteFile+0x220:
8287914c 8bcf mov ecx,edi
8287914e e8707be0ff call nt!ObfDereferenceObject (82680cc3)
82879153 8bc6 mov eax,esi
82879155 e9bf040000 jmp nt!NtWriteFile+0x6e8 (82879619)
nt!NtWriteFile+0x22e:
8287915a 897104 mov dword ptr [ecx+4],esi
nt!NtWriteFile+0x231:
8287915d 8b4508 mov eax,dword ptr [ebp+8]
82879160 8b4008 mov eax,dword ptr [eax+8]
82879163 8b5828 mov ebx,dword ptr [eax+28h]
82879166 8d4f2c lea ecx,[edi+2Ch]
82879169 894dc8 mov dword ptr [ebp-38h],ecx
8287916c 8b01 mov eax,dword ptr [ecx]
8287916e a802 test al,2
82879170 0f841c020000 je nt!NtWriteFile+0x466 (82879392)
nt!NtWriteFile+0x24a:
82879176 8d4744 lea eax,[edi+44h]
82879179 33d2 xor edx,edx
8287917b 42 inc edx
8287917c 8710 xchg edx,dword ptr [eax]
8287917e 85d2 test edx,edx
82879180 0f8582000000 jne nt!NtWriteFile+0x2dc (82879208)
nt!NtWriteFile+0x25a:
82879186 8bcf mov ecx,edi
82879188 e86797e0ff call nt!ObfReferenceObject (826828f4)
nt!NtWriteFile+0x261:
8287918d c6452801 mov byte ptr [ebp+28h],1
82879191 33c0 xor eax,eax
82879193 394524 cmp dword ptr [ebp+24h],eax
82879196 7505 jne nt!NtWriteFile+0x271 (8287919d)
nt!NtWriteFile+0x26c:
82879198 3945a4 cmp dword ptr [ebp-5Ch],eax
8287919b 740c je nt!NtWriteFile+0x27d (828791a9)
nt!NtWriteFile+0x271:
8287919d 837da4fe cmp dword ptr [ebp-5Ch],0FFFFFFFEh
828791a1 7512 jne nt!NtWriteFile+0x289 (828791b5)
nt!NtWriteFile+0x277:
828791a3 837da8ff cmp dword ptr [ebp-58h],0FFFFFFFFh
828791a7 750c jne nt!NtWriteFile+0x289 (828791b5)
nt!NtWriteFile+0x27d:
828791a9 8b4f38 mov ecx,dword ptr [edi+38h]
828791ac 894da4 mov dword ptr [ebp-5Ch],ecx
828791af 8b4f3c mov ecx,dword ptr [edi+3Ch]
828791b2 894da8 mov dword ptr [ebp-58h],ecx
nt!NtWriteFile+0x289:
828791b5 394718 cmp dword ptr [edi+18h],eax
828791b8 0f84f9010000 je nt!NtWriteFile+0x486 (828793b7)
nt!NtWriteFile+0x292:
828791be 8b730c mov esi,dword ptr [ebx+0Ch]
828791c1 33db xor ebx,ebx
828791c3 395da8 cmp dword ptr [ebp-58h],ebx
828791c6 7d7a jge nt!NtWriteFile+0x316 (82879242)
nt!NtWriteFile+0x29c:
828791c8 837da8ff cmp dword ptr [ebp-58h],0FFFFFFFFh
828791cc 7506 jne nt!NtWriteFile+0x2a8 (828791d4)
nt!NtWriteFile+0x2a2:
828791ce 837da4ff cmp dword ptr [ebp-5Ch],0FFFFFFFFh
828791d2 746e je nt!NtWriteFile+0x316 (82879242)
nt!NtWriteFile+0x2a8:
828791d4 8b4ddc mov ecx,dword ptr [ebp-24h]
828791d7 3bcb cmp ecx,ebx
828791d9 7405 je nt!NtWriteFile+0x2b4 (828791e0)
nt!NtWriteFile+0x2af:
828791db e8e37ae0ff call nt!ObfDereferenceObject (82680cc3)
nt!NtWriteFile+0x2b4:
828791e0 33c9 xor ecx,ecx
828791e2 8d4744 lea eax,[edi+44h]
828791e5 8708 xchg ecx,dword ptr [eax]
nt!NtWriteFile+0x2bb:
828791e7 395f40 cmp dword ptr [edi+40h],ebx
828791ea 740b je nt!NtWriteFile+0x2cb (828791f7)
nt!NtWriteFile+0x2c0:
828791ec 53 push ebx
828791ed 53 push ebx
828791ee 8d474c lea eax,[edi+4Ch]
828791f1 50 push eax
828791f2 e8ce62e0ff call nt!KeSetEvent (8267f4c5)
nt!NtWriteFile+0x2cb:
828791f7 8bcf mov ecx,edi
nt!NtWriteFile+0x2cd:
828791f9 e8c57ae0ff call nt!ObfDereferenceObject (82680cc3)
nt!NtWriteFile+0x2d2:
828791fe be0d0000c0 mov esi,0C000000Dh
82879203 e944ffffff jmp nt!NtWriteFile+0x220 (8287914c)
nt!NtWriteFile+0x2dc:
82879208 8d45e3 lea eax,[ebp-1Dh]
8287920b 50 push eax
8287920c 8b01 mov eax,dword ptr [ecx]
8287920e c1e802 shr eax,2
82879211 2401 and al,1
82879213 0fb6c0 movzx eax,al
82879216 50 push eax
82879217 ff75d4 push dword ptr [ebp-2Ch]
8287921a 8bc7 mov eax,edi
8287921c e82d76f9ff call nt!IopAcquireFileObjectLock (8281084e)
82879221 8bf0 mov esi,eax
82879223 807de300 cmp byte ptr [ebp-1Dh],0
82879227 0f8460ffffff je nt!NtWriteFile+0x261 (8287918d)
nt!NtWriteFile+0x301:
8287922d 8b4ddc mov ecx,dword ptr [ebp-24h]
82879230 85c9 test ecx,ecx
82879232 0f8414ffffff je nt!NtWriteFile+0x220 (8287914c)
nt!NtWriteFile+0x30c:
82879238 e8867ae0ff call nt!ObfDereferenceObject (82680cc3)
8287923d e90affffff jmp nt!NtWriteFile+0x220 (8287914c)
nt!NtWriteFile+0x316:
82879242 391d489f7482 cmp dword ptr [nt!ViVerifierDriverAddedThunkListHead (82749f48)],ebx
82879248 7504 jne nt!NtWriteFile+0x322 (8287924e)
nt!NtWriteFile+0x31e:
8287924a 33db xor ebx,ebx
8287924c eb07 jmp nt!NtWriteFile+0x329 (82879255)
nt!NtWriteFile+0x322:
8287924e e8b82a0c00 call nt!VfFastIoSnapState (8293bd0b)
82879253 8bd8 mov ebx,eax
nt!NtWriteFile+0x329:
82879255 ff7508 push dword ptr [ebp+8]
82879258 8d459c lea eax,[ebp-64h]
8287925b 50 push eax
8287925c ff751c push dword ptr [ebp+1Ch]
8287925f ff75d0 push dword ptr [ebp-30h]
82879262 6a01 push 1
82879264 ff7520 push dword ptr [ebp+20h]
82879267 8d45a4 lea eax,[ebp-5Ch]
8287926a 50 push eax
8287926b 57 push edi
8287926c ffd6 call esi
8287926e 884527 mov byte ptr [ebp+27h],al
82879271 85db test ebx,ebx
82879273 7407 je nt!NtWriteFile+0x350 (8287927c)
nt!NtWriteFile+0x349:
82879275 56 push esi
82879276 53 push ebx
82879277 e8d32a0c00 call nt!VfFastIoCheckState (8293bd4f)
nt!NtWriteFile+0x350:
8287927c 807d2700 cmp byte ptr [ebp+27h],0
82879280 0f8431010000 je nt!NtWriteFile+0x486 (828793b7)
nt!NtWriteFile+0x35a:
82879286 33f6 xor esi,esi
82879288 39759c cmp dword ptr [ebp-64h],esi
8287928b 0f8526010000 jne nt!NtWriteFile+0x486 (828793b7)
nt!NtWriteFile+0x365:
82879291 33d2 xor edx,edx
82879293 42 inc edx
82879294 3915a4337382 cmp dword ptr [nt!IoCountOperations (827333a4)],edx
8287929a 7527 jne nt!NtWriteFile+0x397 (828792c3)
nt!NtWriteFile+0x370:
8287929c 64a124010000 mov eax,dword ptr fs:[00000124h]
828792a2 8bca mov ecx,edx
828792a4 8b8050010000 mov eax,dword ptr [eax+150h]
828792aa 05b8010000 add eax,1B8h
828792af f00108 lock add dword ptr [eax],ecx
828792b2 7305 jae nt!NtWriteFile+0x38d (828792b9)
nt!NtWriteFile+0x388:
828792b4 f083500400 lock adc dword ptr [eax+4],0
nt!NtWriteFile+0x38d:
828792b9 64ff0520060000 inc dword ptr fs:[620h]
828792c0 8b7dd8 mov edi,dword ptr [ebp-28h]
nt!NtWriteFile+0x397:
828792c3 8b4da0 mov ecx,dword ptr [ebp-60h]
828792c6 3915a4337382 cmp dword ptr [nt!IoCountOperations (827333a4)],edx
828792cc 7536 jne nt!NtWriteFile+0x3d8 (82879304)
nt!NtWriteFile+0x3a2:
828792ce 64a124010000 mov eax,dword ptr fs:[00000124h]
828792d4 8b8050010000 mov eax,dword ptr [eax+150h]
828792da 8b7da0 mov edi,dword ptr [ebp-60h]
828792dd 05d0010000 add eax,1D0h
828792e2 f00138 lock add dword ptr [eax],edi
828792e5 7305 jae nt!NtWriteFile+0x3c0 (828792ec)
nt!NtWriteFile+0x3bb:
828792e7 f083500400 lock adc dword ptr [eax+4],0
nt!NtWriteFile+0x3c0:
828792ec 64a120000000 mov eax,dword ptr fs:[00000020h]
828792f2 0510050000 add eax,510h
828792f7 f00108 lock add dword ptr [eax],ecx
828792fa 7305 jae nt!NtWriteFile+0x3d5 (82879301)
nt!NtWriteFile+0x3d0:
828792fc f083500400 lock adc dword ptr [eax+4],0
nt!NtWriteFile+0x3d5:
82879301 8b7dd8 mov edi,dword ptr [ebp-28h]
nt!NtWriteFile+0x3d8:
82879304 8955fc mov dword ptr [ebp-4],edx
82879307 8b4518 mov eax,dword ptr [ebp+18h]
8287930a 8b4d9c mov ecx,dword ptr [ebp-64h]
8287930d 8908 mov dword ptr [eax],ecx
8287930f 8b4da0 mov ecx,dword ptr [ebp-60h]
82879312 894804 mov dword ptr [eax+4],ecx
82879315 c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh
8287931c eb27 jmp nt!NtWriteFile+0x419 (82879345)
nt!NtWriteFile+0x419:
82879345 39750c cmp dword ptr [ebp+0Ch],esi
82879348 741b je nt!NtWriteFile+0x439 (82879365)
nt!NtWriteFile+0x41e:
8287934a f7472c00000008 test dword ptr [edi+2Ch],8000000h
82879351 750a jne nt!NtWriteFile+0x431 (8287935d)
nt!NtWriteFile+0x427:
82879353 56 push esi
82879354 56 push esi
82879355 ff75dc push dword ptr [ebp-24h]
82879358 e86861e0ff call nt!KeSetEvent (8267f4c5)
nt!NtWriteFile+0x431:
8287935d 8b4ddc mov ecx,dword ptr [ebp-24h]
82879360 e85e79e0ff call nt!ObfDereferenceObject (82680cc3)
nt!NtWriteFile+0x439:
82879365 33c0 xor eax,eax
82879367 8d4f44 lea ecx,[edi+44h]
8287936a 8701 xchg eax,dword ptr [ecx]
8287936c 397740 cmp dword ptr [edi+40h],esi
8287936f 740b je nt!NtWriteFile+0x450 (8287937c)
nt!NtWriteFile+0x445:
82879371 56 push esi
82879372 56 push esi
82879373 8d474c lea eax,[edi+4Ch]
82879376 50 push eax
82879377 e84961e0ff call nt!KeSetEvent (8267f4c5)
nt!NtWriteFile+0x450:
8287937c 8bcf mov ecx,edi
8287937e e84079e0ff call nt!ObfDereferenceObject (82680cc3)
82879383 8bcf mov ecx,edi
82879385 e83979e0ff call nt!ObfDereferenceObject (82680cc3)
8287938a 8b459c mov eax,dword ptr [ebp-64h]
8287938d e987020000 jmp nt!NtWriteFile+0x6e8 (82879619)
nt!NtWriteFile+0x466:
82879392 397524 cmp dword ptr [ebp+24h],esi
82879395 751c jne nt!NtWriteFile+0x482 (828793b3)
nt!NtWriteFile+0x46b:
82879397 a980020000 test eax,280h
8287939c 7515 jne nt!NtWriteFile+0x482 (828793b3)
nt!NtWriteFile+0x472:
8287939e 8b4ddc mov ecx,dword ptr [ebp-24h]
828793a1 3bce cmp ecx,esi
828793a3 0f8550feffff jne nt!NtWriteFile+0x2cd (828791f9)
nt!NtWriteFile+0x47d:
828793a9 e950feffff jmp nt!NtWriteFile+0x2d2 (828791fe)
nt!NtWriteFile+0x482:
828793b3 c6452800 mov byte ptr [ebp+28h],0
nt!NtWriteFile+0x486:
828793b7 33db xor ebx,ebx
828793b9 395da8 cmp dword ptr [ebp-58h],ebx
828793bc 7d2e jge nt!NtWriteFile+0x4bb (828793ec)
nt!NtWriteFile+0x48d:
828793be 837da8ff cmp dword ptr [ebp-58h],0FFFFFFFFh
828793c2 7506 jne nt!NtWriteFile+0x499 (828793ca)
nt!NtWriteFile+0x493:
828793c4 837da4ff cmp dword ptr [ebp-5Ch],0FFFFFFFFh
828793c8 7422 je nt!NtWriteFile+0x4bb (828793ec)
nt!NtWriteFile+0x499:
828793ca 8b4ddc mov ecx,dword ptr [ebp-24h]
828793cd 3bcb cmp ecx,ebx
828793cf 7405 je nt!NtWriteFile+0x4a5 (828793d6)
nt!NtWriteFile+0x4a0:
828793d1 e8ed78e0ff call nt!ObfDereferenceObject (82680cc3)
nt!NtWriteFile+0x4a5:
828793d6 807d2800 cmp byte ptr [ebp+28h],0
828793da 0f841efeffff je nt!NtWriteFile+0x2d2 (828791fe)
nt!NtWriteFile+0x4af:
828793e0 33c0 xor eax,eax
828793e2 8d4f44 lea ecx,[edi+44h]
828793e5 8701 xchg eax,dword ptr [ecx]
828793e7 e9fbfdffff jmp nt!NtWriteFile+0x2bb (828791e7)
nt!NtWriteFile+0x4bb:
828793ec 895f60 mov dword ptr [edi+60h],ebx
828793ef 807d2800 cmp byte ptr [ebp+28h],0
828793f3 0f94c0 sete al
828793f6 0fb6c0 movzx eax,al
828793f9 50 push eax
828793fa 8b4508 mov eax,dword ptr [ebp+8]
828793fd 0fb64030 movzx eax,byte ptr [eax+30h]
82879401 50 push eax
82879402 e8ce30e2ff call nt!IoAllocateIrp (8269c4d5)
82879407 8bf0 mov esi,eax
82879409 897524 mov dword ptr [ebp+24h],esi
8287940c 3bf3 cmp esi,ebx
8287940e 7514 jne nt!NtWriteFile+0x4f3 (82879424)
nt!NtWriteFile+0x4df:
82879410 8b4ddc mov ecx,dword ptr [ebp-24h]
82879413 8bf7 mov esi,edi
82879415 e8fa530400 call nt!IopAllocateIrpCleanup (828be814)
8287941a b89a0000c0 mov eax,0C000009Ah
8287941f e9f5010000 jmp nt!NtWriteFile+0x6e8 (82879619)
nt!NtWriteFile+0x4f3:
82879424 897e64 mov dword ptr [esi+64h],edi
82879427 8b45bc mov eax,dword ptr [ebp-44h]
8287942a 894650 mov dword ptr [esi+50h],eax
8287942d 33c9 xor ecx,ecx
8287942f 894e54 mov dword ptr [esi+54h],ecx
82879432 8a45d4 mov al,byte ptr [ebp-2Ch]
82879435 884620 mov byte ptr [esi+20h],al
82879438 884e21 mov byte ptr [esi+21h],cl
8287943b 884e24 mov byte ptr [esi+24h],cl
8287943e 894e38 mov dword ptr [esi+38h],ecx
82879441 8b45dc mov eax,dword ptr [ebp-24h]
82879444 89462c mov dword ptr [esi+2Ch],eax
82879447 8b4518 mov eax,dword ptr [ebp+18h]
8287944a 894628 mov dword ptr [esi+28h],eax
8287944d 8b4510 mov eax,dword ptr [ebp+10h]
82879450 894630 mov dword ptr [esi+30h],eax
82879453 8b4514 mov eax,dword ptr [ebp+14h]
82879456 894634 mov dword ptr [esi+34h],eax
82879459 8b5e60 mov ebx,dword ptr [esi+60h]
8287945c 83eb24 sub ebx,24h
8287945f c70304000000 mov dword ptr [ebx],4
82879465 897b18 mov dword ptr [ebx+18h],edi
82879468 6a10 push 10h
8287946a 5a pop edx
8287946b 8b45c8 mov eax,dword ptr [ebp-38h]
8287946e 8410 test byte ptr [eax],dl
82879470 7404 je nt!NtWriteFile+0x545 (82879476)
nt!NtWriteFile+0x541:
82879472 c6430204 mov byte ptr [ebx+2],4
nt!NtWriteFile+0x545:
82879476 894e0c mov dword ptr [esi+0Ch],ecx
82879479 894e04 mov dword ptr [esi+4],ecx
8287947c 8b4508 mov eax,dword ptr [ebp+8]
8287947f 8b401c mov eax,dword ptr [eax+1Ch]
82879482 a804 test al,4
82879484 0f84ae000000 je nt!NtWriteFile+0x607 (82879538)
nt!NtWriteFile+0x559:
8287948a 394d20 cmp dword ptr [ebp+20h],ecx
8287948d 0f849d000000 je nt!NtWriteFile+0x5ff (82879530)
nt!NtWriteFile+0x562:
82879493 c745fc02000000 mov dword ptr [ebp-4],2
8287949a 390d489f7482 cmp dword ptr [nt!ViVerifierDriverAddedThunkListHead (82749f48)],ecx
828794a0 7511 jne nt!NtWriteFile+0x582 (828794b3)
nt!NtWriteFile+0x571:
828794a2 68496f2020 push 20206F49h
828794a7 ff7520 push dword ptr [ebp+20h]
828794aa 6a04 push 4
828794ac e8ee66e3ff call nt!ExAllocatePoolWithQuotaTag (826afb9f)
828794b1 eb2f jmp nt!NtWriteFile+0x5b1 (828794e2)
nt!NtWriteFile+0x582:
828794b3 0fb605802b7582 movzx eax,byte ptr [nt!MmVerifierData (82752b80)]
828794ba 23c2 and eax,edx
828794bc 83c840 or eax,40h
828794bf d1e8 shr eax,1
828794c1 50 push eax
828794c2 68496f2020 push 20206F49h
828794c7 ff7520 push dword ptr [ebp+20h]
828794ca 6a04 push 4
828794cc e84610e3ff call nt!ExAllocatePoolWithTagPriority (826aa517)
828794d1 85c0 test eax,eax
828794d3 750a jne nt!NtWriteFile+0x5ae (828794df)
nt!NtWriteFile+0x5a4:
828794d5 689a0000c0 push 0C000009Ah
828794da e815a2dcff call nt!RtlRaiseStatus (826436f4)
nt!NtWriteFile+0x5ae:
828794df 8b7dd8 mov edi,dword ptr [ebp-28h]
nt!NtWriteFile+0x5b1:
828794e2 89460c mov dword ptr [esi+0Ch],eax
828794e5 ff7520 push dword ptr [ebp+20h]
828794e8 ff751c push dword ptr [ebp+1Ch]
828794eb 50 push eax
828794ec e8cf82dcff call nt!memcpy (826417c0)
828794f1 83c40c add esp,0Ch
828794f4 c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh
828794fb c7460830000000 mov dword ptr [esi+8],30h
82879502 e9cd000000 jmp nt!NtWriteFile+0x6a3 (828795d4)
nt!NtWriteFile+0x5ff:
82879530 895608 mov dword ptr [esi+8],edx
82879533 e99c000000 jmp nt!NtWriteFile+0x6a3 (828795d4)
nt!NtWriteFile+0x607:
82879538 894e08 mov dword ptr [esi+8],ecx
8287953b 84c2 test dl,al
8287953d 0f848b000000 je nt!NtWriteFile+0x69d (828795ce)
nt!NtWriteFile+0x612:
82879543 394d20 cmp dword ptr [ebp+20h],ecx
82879546 0f8488000000 je nt!NtWriteFile+0x6a3 (828795d4)
nt!NtWriteFile+0x61b:
8287954c c745fc03000000 mov dword ptr [ebp-4],3
82879553 56 push esi
82879554 6a01 push 1
82879556 6a00 push 0
82879558 ff7520 push dword ptr [ebp+20h]
8287955b ff751c push dword ptr [ebp+1Ch]
8287955e e8923fe2ff call nt!IoAllocateMdl (8269d4f5)
82879563 8945b4 mov dword ptr [ebp-4Ch],eax
82879566 85c0 test eax,eax
82879568 0f8467ffffff je nt!NtWriteFile+0x5a4 (828794d5)
nt!NtWriteFile+0x63d:
8287956e 0fb63b movzx edi,byte ptr [ebx]
82879571 6a00 push 0
82879573 ff75d4 push dword ptr [ebp-2Ch]
82879576 50 push eax
82879577 e86374dfff call nt!MmProbeAndLockPages (826709df)
8287957c a188257782 mov eax,dword ptr [nt!MmTrackLockedPages (82772588)]
82879581 a801 test al,1
82879583 7414 je nt!NtWriteFile+0x668 (82879599)
nt!NtWriteFile+0x654:
82879585 8b4508 mov eax,dword ptr [ebp+8]
82879588 8b4808 mov ecx,dword ptr [eax+8]
8287958b 8b7cb938 mov edi,dword ptr [ecx+edi*4+38h]
8287958f 50 push eax
82879590 57 push edi
82879591 8b7db4 mov edi,dword ptr [ebp-4Ch]
82879594 e8148fdfff call nt!MmUpdateMdlTracker (826724ad)
nt!NtWriteFile+0x668:
82879599 c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh
828795a0 8b7dd8 mov edi,dword ptr [ebp-28h]
828795a3 eb2f jmp nt!NtWriteFile+0x6a3 (828795d4)
nt!NtWriteFile+0x69d:
828795ce 8b451c mov eax,dword ptr [ebp+1Ch]
828795d1 89463c mov dword ptr [esi+3Ch],eax
nt!NtWriteFile+0x6a3:
828795d4 8b45c8 mov eax,dword ptr [ebp-38h]
828795d7 f60008 test byte ptr [eax],8
828795da 7409 je nt!NtWriteFile+0x6b4 (828795e5)
nt!NtWriteFile+0x6ab:
828795dc 814e08010a0000 or dword ptr [esi+8],0A01h
828795e3 eb07 jmp nt!NtWriteFile+0x6bb (828795ec)
nt!NtWriteFile+0x6b4:
828795e5 814e08000a0000 or dword ptr [esi+8],0A00h
nt!NtWriteFile+0x6bb:
828795ec 8b4520 mov eax,dword ptr [ebp+20h]
828795ef 894304 mov dword ptr [ebx+4],eax
828795f2 8b45d0 mov eax,dword ptr [ebp-30h]
828795f5 894308 mov dword ptr [ebx+8],eax
828795f8 8b45a4 mov eax,dword ptr [ebp-5Ch]
828795fb 89430c mov dword ptr [ebx+0Ch],eax
828795fe 8b45a8 mov eax,dword ptr [ebp-58h]
82879601 894310 mov dword ptr [ebx+10h],eax
82879604 6a01 push 1
82879606 ff7528 push dword ptr [ebp+28h]
82879609 ff75d4 push dword ptr [ebp-2Ch]
8287960c 6a01 push 1
8287960e 57 push edi
8287960f ff7508 push dword ptr [ebp+8]
82879612 8bc6 mov eax,esi
82879614 e88ea1fbff call nt!IopSynchronousServiceTail (828337a7)
nt!NtWriteFile+0x6e8:
82879619 e8cfe5e0ff call nt!_SEH_epilog4 (82687bed)
8287961e c22400 ret 24h
Sometimes we want to go backwards from a symbol or address and unassemble. The ub (unassemble backward) variant does that: it disassembles the instructions that end at the given address, so the address itself is not part of the output.
kd> uB 82878f42
nt!ObReferenceFileObjectForWrite+0x219:
82878f2a 90 nop
nt!NtWriteFile:
82878f2b 6a5c push 5Ch
82878f2d 6880236682 push offset nt! ?? ::FNODOBFM::`string'+0x6800 (82662380)
82878f32 e871ece0ff call nt!_SEH_prolog4 (82687ba8)
82878f37 33f6 xor esi,esi
82878f39 8975dc mov dword ptr [ebp-24h],esi
82878f3c 8975d0 mov dword ptr [ebp-30h],esi
82878f3f 8975a4 mov dword ptr [ebp-5Ch],esi
Note: I used a known address inside NtWriteFile, taken from the previous output, for the sake of example. As we see, while going backwards the unassemble command also disassembled the last line of the previous function, nt!ObReferenceFileObjectForWrite (here a single nop sitting just before the first byte of NtWriteFile). Backward disassembly on x86 is a heuristic: instructions are variable-length, so there is no unique way to walk backwards from an address, and the debugger has to pick a starting point it believes is an instruction boundary. Treat ub output as a best guess and confirm it against a forward disassembly (u or uf from the function start) before relying on it.
If we want a specific number of instructions before the address to be unassembled, we can add the L length specifier; for u and its variants the unit is instructions, so L5 asks for five instructions, not five bytes.
kd> uB 82878f42 L5
nt!NtWriteFile+0x7:
82878f32 e871ece0ff call nt!_SEH_prolog4 (82687ba8)
82878f37 33f6 xor esi,esi
82878f39 8975dc mov dword ptr [ebp-24h],esi
82878f3c 8975d0 mov dword ptr [ebp-30h],esi
82878f3f 8975a4 mov dword ptr [ebp-5Ch],esi
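The listings above are plain text, and before trusting a pasted listing a practitioner usually wants to check two things: that consecutive addresses are byte-contiguous (address plus opcode length equals the next address, which a u or ub listing must satisfy and a uf listing only satisfies within a basic block), and whether a backward walk has strayed into a neighbouring function, as the ub output above did. The Python below is an added example, not code from the original page or from WinDbg itself: it parses u/ub/uf output into records, runs those two checks, and reproduces the `uB 82878f42 L5` slice from the parsed uf output. The helper names (parse_listing, check_contiguous, crosses_function, instructions_before) are this example's own, and the sample listings are copied from the kd> output shown above.

```python
"""Parse WinDbg u/ub/uf listings into records and sanity-check them.

Added example, not code from the original page. The sample listings are copied
from the kd> output on the page; the helper names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List

# Instruction line: <address> <opcode bytes> <mnemonic [operands]>.  64-bit targets
# print addresses as ffff8000`12345678, hence the optional second half.
_INSN_RE = re.compile(r"^([0-9a-fA-F]{8}(?:`[0-9a-fA-F]{8})?)\s+([0-9a-fA-F]+)\s+(\S.*)$")
_LABEL_RE = re.compile(r"^(\S+):$")   # e.g. "nt!NtWriteFile+0x47:"
_PROMPT_RE = re.compile(r"^\S*>")      # e.g. "kd> uB 82878f42" or "0:000> u"


@dataclass
class Insn:
    addr: int
    opcode: bytes
    text: str      # mnemonic and operands exactly as WinDbg printed them
    symbol: str    # nearest preceding label in the listing ("" if none)


def parse_listing(listing: str) -> List[Insn]:
    """Turn pasted u/ub/uf output into Insn records; prompts and blank lines are skipped."""
    insns: List[Insn] = []
    symbol = ""
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or _PROMPT_RE.match(line):
            continue
        if (m := _INSN_RE.match(line)):
            addr = int(m.group(1).replace("`", ""), 16)
            insns.append(Insn(addr, bytes.fromhex(m.group(2)), m.group(3), symbol))
        elif (m := _LABEL_RE.match(line)):
            symbol = m.group(1)
    return insns


def check_contiguous(insns: List[Insn]) -> List[int]:
    """Addresses after which addr + len(opcode) != next addr.  Plain u/ub output must be
    gap-free; uf output is ordered by basic block and legitimately skips bytes."""
    return [cur.addr for cur, nxt in zip(insns, insns[1:])
            if cur.addr + len(cur.opcode) != nxt.addr]


def crosses_function(insns: List[Insn]) -> bool:
    """True when the listing spans more than one function (labels compared without
    their +0x... offset), as the page's ub output did."""
    return len({i.symbol.split("+")[0] for i in insns}) > 1


def instructions_before(insns: List[Insn], addr: int, count: int) -> List[Insn]:
    """Mimic `ub <addr> L<count>`: the `count` instructions ending just before `addr`.
    Refuses an addr that is not an instruction boundary in the listing; on a
    variable-length ISA such as x86 that is exactly where a backward walk has no
    unique answer and the debugger has to guess."""
    idx = next((i for i, insn in enumerate(insns) if insn.addr == addr), None)
    if idx is None:
        raise ValueError(f"{addr:#010x} is not an instruction boundary in this listing")
    return insns[max(0, idx - count):idx]

# Sample input: the `uB 82878f42` output from the page, trailing lines trimmed.
UB_LISTING = """\
kd> uB 82878f42
nt!ObReferenceFileObjectForWrite+0x219:
82878f2a 90 nop
nt!NtWriteFile:
82878f2b 6a5c push 5Ch
82878f2d 6880236682 push offset nt! ?? ::FNODOBFM::`string'+0x6800 (82662380)
82878f32 e871ece0ff call nt!_SEH_prolog4 (82687ba8)
82878f37 33f6 xor esi,esi
"""

# Sample input: an excerpt of the `uF nt!ntWriteFile` output from the page, keeping the
# first basic block and the tail of two later ones so that block gaps are visible.
UF_EXCERPT = """\
nt!NtWriteFile:
82878f2b 6a5c push 5Ch
82878f2d 6880236682 push offset nt! ?? ::FNODOBFM::`string'+0x6800 (82662380)
82878f32 e871ece0ff call nt!_SEH_prolog4 (82687ba8)
82878f37 33f6 xor esi,esi
82878f39 8975dc mov dword ptr [ebp-24h],esi
82878f3c 8975d0 mov dword ptr [ebp-30h],esi
82878f3f 8975a4 mov dword ptr [ebp-5Ch],esi
82878f42 8975a8 mov dword ptr [ebp-58h],esi
nt!NtWriteFile+0x3d8:
82879315 c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh
8287931c eb27 jmp nt!NtWriteFile+0x419 (82879345)
nt!NtWriteFile+0x419:
82879345 39750c cmp dword ptr [ebp+0Ch],esi
"""

if __name__ == "__main__":
    uf = parse_listing(UF_EXCERPT)
    print("ub crossed into another function:", crosses_function(parse_listing(UB_LISTING)))
    print("uf block boundaries after:", [hex(a) for a in check_contiguous(uf)])
    for insn in instructions_before(uf, 0x82878f42, 5):   # same slice as `uB 82878f42 L5`
        print(f"{insn.addr:08x} {insn.opcode.hex()} {insn.text}")
```

Run it directly to see the checks applied to the page's own listings. Asking instructions_before for an address that is not an instruction boundary in the listing (for example 82878f40, which lands inside the xor at 82878f3f) raises a ValueError instead of returning a mis-aligned slice; that is the failure mode to keep in mind whenever a backward disassembly is started from an address you have not confirmed.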
82879103 8945a8 mov dword ptr [ebp-58h],eax
nt!NtWriteFile+0x1da:
82879106 8b4528 mov eax,dword ptr [ebp+28h]
82879109 3bc6 cmp eax,esi
8287910b 7405 je nt!NtWriteFile+0x1e6 (82879112)
nt!NtWriteFile+0x1e1:
8287910d 8b00 mov eax,dword ptr [eax]
8287910f 8945d0 mov dword ptr [ebp-30h],eax
nt!NtWriteFile+0x1e6:
82879112 8b4598 mov eax,dword ptr [ebp-68h]
82879115 2406 and al,6
82879117 3c04 cmp al,4
82879119 7508 jne nt!NtWriteFile+0x1f7 (82879123)
nt!NtWriteFile+0x1ef:
8287911b 834da4ff or dword ptr [ebp-5Ch],0FFFFFFFFh
8287911f 834da8ff or dword ptr [ebp-58h],0FFFFFFFFh
nt!NtWriteFile+0x1f7:
82879123 39750c cmp dword ptr [ebp+0Ch],esi
82879126 7435 je nt!NtWriteFile+0x231 (8287915d)
nt!NtWriteFile+0x1fc:
82879128 56 push esi
82879129 8d45c4 lea eax,[ebp-3Ch]
8287912c 50 push eax
8287912d ff75d4 push dword ptr [ebp-2Ch]
82879130 ff3510207782 push dword ptr [nt!ExEventObjectType (82772010)]
82879136 6a02 push 2
82879138 ff750c push dword ptr [ebp+0Ch]
8287913b e8d41cfbff call nt!ObReferenceObjectByHandle (8282ae14)
82879140 8b4dc4 mov ecx,dword ptr [ebp-3Ch]
82879143 894ddc mov dword ptr [ebp-24h],ecx
82879146 3bc6 cmp eax,esi
82879148 7d10 jge nt!NtWriteFile+0x22e (8287915a)
nt!NtWriteFile+0x21e:
8287914a 8bf0 mov esi,eax
nt!NtWriteFile+0x220:
8287914c 8bcf mov ecx,edi
8287914e e8707be0ff call nt!ObfDereferenceObject (82680cc3)
82879153 8bc6 mov eax,esi
82879155 e9bf040000 jmp nt!NtWriteFile+0x6e8 (82879619)
nt!NtWriteFile+0x22e:
8287915a 897104 mov dword ptr [ecx+4],esi
nt!NtWriteFile+0x231:
8287915d 8b4508 mov eax,dword ptr [ebp+8]
82879160 8b4008 mov eax,dword ptr [eax+8]
82879163 8b5828 mov ebx,dword ptr [eax+28h]
82879166 8d4f2c lea ecx,[edi+2Ch]
82879169 894dc8 mov dword ptr [ebp-38h],ecx
8287916c 8b01 mov eax,dword ptr [ecx]
8287916e a802 test al,2
82879170 0f841c020000 je nt!NtWriteFile+0x466 (82879392)
nt!NtWriteFile+0x24a:
82879176 8d4744 lea eax,[edi+44h]
82879179 33d2 xor edx,edx
8287917b 42 inc edx
8287917c 8710 xchg edx,dword ptr [eax]
8287917e 85d2 test edx,edx
82879180 0f8582000000 jne nt!NtWriteFile+0x2dc (82879208)
nt!NtWriteFile+0x25a:
82879186 8bcf mov ecx,edi
82879188 e86797e0ff call nt!ObfReferenceObject (826828f4)
nt!NtWriteFile+0x261:
8287918d c6452801 mov byte ptr [ebp+28h],1
82879191 33c0 xor eax,eax
82879193 394524 cmp dword ptr [ebp+24h],eax
82879196 7505 jne nt!NtWriteFile+0x271 (8287919d)
nt!NtWriteFile+0x26c:
82879198 3945a4 cmp dword ptr [ebp-5Ch],eax
8287919b 740c je nt!NtWriteFile+0x27d (828791a9)
nt!NtWriteFile+0x271:
8287919d 837da4fe cmp dword ptr [ebp-5Ch],0FFFFFFFEh
828791a1 7512 jne nt!NtWriteFile+0x289 (828791b5)
nt!NtWriteFile+0x277:
828791a3 837da8ff cmp dword ptr [ebp-58h],0FFFFFFFFh
828791a7 750c jne nt!NtWriteFile+0x289 (828791b5)
nt!NtWriteFile+0x27d:
828791a9 8b4f38 mov ecx,dword ptr [edi+38h]
828791ac 894da4 mov dword ptr [ebp-5Ch],ecx
828791af 8b4f3c mov ecx,dword ptr [edi+3Ch]
828791b2 894da8 mov dword ptr [ebp-58h],ecx
nt!NtWriteFile+0x289:
828791b5 394718 cmp dword ptr [edi+18h],eax
828791b8 0f84f9010000 je nt!NtWriteFile+0x486 (828793b7)
nt!NtWriteFile+0x292:
828791be 8b730c mov esi,dword ptr [ebx+0Ch]
828791c1 33db xor ebx,ebx
828791c3 395da8 cmp dword ptr [ebp-58h],ebx
828791c6 7d7a jge nt!NtWriteFile+0x316 (82879242)
nt!NtWriteFile+0x29c:
828791c8 837da8ff cmp dword ptr [ebp-58h],0FFFFFFFFh
828791cc 7506 jne nt!NtWriteFile+0x2a8 (828791d4)
nt!NtWriteFile+0x2a2:
828791ce 837da4ff cmp dword ptr [ebp-5Ch],0FFFFFFFFh
828791d2 746e je nt!NtWriteFile+0x316 (82879242)
nt!NtWriteFile+0x2a8:
828791d4 8b4ddc mov ecx,dword ptr [ebp-24h]
828791d7 3bcb cmp ecx,ebx
828791d9 7405 je nt!NtWriteFile+0x2b4 (828791e0)
nt!NtWriteFile+0x2af:
828791db e8e37ae0ff call nt!ObfDereferenceObject (82680cc3)
nt!NtWriteFile+0x2b4:
828791e0 33c9 xor ecx,ecx
828791e2 8d4744 lea eax,[edi+44h]
828791e5 8708 xchg ecx,dword ptr [eax]
nt!NtWriteFile+0x2bb:
828791e7 395f40 cmp dword ptr [edi+40h],ebx
828791ea 740b je nt!NtWriteFile+0x2cb (828791f7)
nt!NtWriteFile+0x2c0:
828791ec 53 push ebx
828791ed 53 push ebx
828791ee 8d474c lea eax,[edi+4Ch]
828791f1 50 push eax
828791f2 e8ce62e0ff call nt!KeSetEvent (8267f4c5)
nt!NtWriteFile+0x2cb:
828791f7 8bcf mov ecx,edi
nt!NtWriteFile+0x2cd:
828791f9 e8c57ae0ff call nt!ObfDereferenceObject (82680cc3)
nt!NtWriteFile+0x2d2:
828791fe be0d0000c0 mov esi,0C000000Dh
82879203 e944ffffff jmp nt!NtWriteFile+0x220 (8287914c)
nt!NtWriteFile+0x2dc:
82879208 8d45e3 lea eax,[ebp-1Dh]
8287920b 50 push eax
8287920c 8b01 mov eax,dword ptr [ecx]
8287920e c1e802 shr eax,2
82879211 2401 and al,1
82879213 0fb6c0 movzx eax,al
82879216 50 push eax
82879217 ff75d4 push dword ptr [ebp-2Ch]
8287921a 8bc7 mov eax,edi
8287921c e82d76f9ff call nt!IopAcquireFileObjectLock (8281084e)
82879221 8bf0 mov esi,eax
82879223 807de300 cmp byte ptr [ebp-1Dh],0
82879227 0f8460ffffff je nt!NtWriteFile+0x261 (8287918d)
nt!NtWriteFile+0x301:
8287922d 8b4ddc mov ecx,dword ptr [ebp-24h]
82879230 85c9 test ecx,ecx
82879232 0f8414ffffff je nt!NtWriteFile+0x220 (8287914c)
nt!NtWriteFile+0x30c:
82879238 e8867ae0ff call nt!ObfDereferenceObject (82680cc3)
8287923d e90affffff jmp nt!NtWriteFile+0x220 (8287914c)
nt!NtWriteFile+0x316:
82879242 391d489f7482 cmp dword ptr [nt!ViVerifierDriverAddedThunkListHead (82749f48)],ebx
82879248 7504 jne nt!NtWriteFile+0x322 (8287924e)
nt!NtWriteFile+0x31e:
8287924a 33db xor ebx,ebx
8287924c eb07 jmp nt!NtWriteFile+0x329 (82879255)
nt!NtWriteFile+0x322:
8287924e e8b82a0c00 call nt!VfFastIoSnapState (8293bd0b)
82879253 8bd8 mov ebx,eax
nt!NtWriteFile+0x329:
82879255 ff7508 push dword ptr [ebp+8]
82879258 8d459c lea eax,[ebp-64h]
8287925b 50 push eax
8287925c ff751c push dword ptr [ebp+1Ch]
8287925f ff75d0 push dword ptr [ebp-30h]
82879262 6a01 push 1
82879264 ff7520 push dword ptr [ebp+20h]
82879267 8d45a4 lea eax,[ebp-5Ch]
8287926a 50 push eax
8287926b 57 push edi
8287926c ffd6 call esi
8287926e 884527 mov byte ptr [ebp+27h],al
82879271 85db test ebx,ebx
82879273 7407 je nt!NtWriteFile+0x350 (8287927c)
nt!NtWriteFile+0x349:
82879275 56 push esi
82879276 53 push ebx
82879277 e8d32a0c00 call nt!VfFastIoCheckState (8293bd4f)
nt!NtWriteFile+0x350:
8287927c 807d2700 cmp byte ptr [ebp+27h],0
82879280 0f8431010000 je nt!NtWriteFile+0x486 (828793b7)
nt!NtWriteFile+0x35a:
82879286 33f6 xor esi,esi
82879288 39759c cmp dword ptr [ebp-64h],esi
8287928b 0f8526010000 jne nt!NtWriteFile+0x486 (828793b7)
nt!NtWriteFile+0x365:
82879291 33d2 xor edx,edx
82879293 42 inc edx
82879294 3915a4337382 cmp dword ptr [nt!IoCountOperations (827333a4)],edx
8287929a 7527 jne nt!NtWriteFile+0x397 (828792c3)
nt!NtWriteFile+0x370:
8287929c 64a124010000 mov eax,dword ptr fs:[00000124h]
828792a2 8bca mov ecx,edx
828792a4 8b8050010000 mov eax,dword ptr [eax+150h]
828792aa 05b8010000 add eax,1B8h
828792af f00108 lock add dword ptr [eax],ecx
828792b2 7305 jae nt!NtWriteFile+0x38d (828792b9)
nt!NtWriteFile+0x388:
828792b4 f083500400 lock adc dword ptr [eax+4],0
nt!NtWriteFile+0x38d:
828792b9 64ff0520060000 inc dword ptr fs:[620h]
828792c0 8b7dd8 mov edi,dword ptr [ebp-28h]
nt!NtWriteFile+0x397:
828792c3 8b4da0 mov ecx,dword ptr [ebp-60h]
828792c6 3915a4337382 cmp dword ptr [nt!IoCountOperations (827333a4)],edx
828792cc 7536 jne nt!NtWriteFile+0x3d8 (82879304)
nt!NtWriteFile+0x3a2:
828792ce 64a124010000 mov eax,dword ptr fs:[00000124h]
828792d4 8b8050010000 mov eax,dword ptr [eax+150h]
828792da 8b7da0 mov edi,dword ptr [ebp-60h]
828792dd 05d0010000 add eax,1D0h
828792e2 f00138 lock add dword ptr [eax],edi
828792e5 7305 jae nt!NtWriteFile+0x3c0 (828792ec)
nt!NtWriteFile+0x3bb:
828792e7 f083500400 lock adc dword ptr [eax+4],0
nt!NtWriteFile+0x3c0:
828792ec 64a120000000 mov eax,dword ptr fs:[00000020h]
828792f2 0510050000 add eax,510h
828792f7 f00108 lock add dword ptr [eax],ecx
828792fa 7305 jae nt!NtWriteFile+0x3d5 (82879301)
nt!NtWriteFile+0x3d0:
828792fc f083500400 lock adc dword ptr [eax+4],0
nt!NtWriteFile+0x3d5:
82879301 8b7dd8 mov edi,dword ptr [ebp-28h]
nt!NtWriteFile+0x3d8:
82879304 8955fc mov dword ptr [ebp-4],edx
82879307 8b4518 mov eax,dword ptr [ebp+18h]
8287930a 8b4d9c mov ecx,dword ptr [ebp-64h]
8287930d 8908 mov dword ptr [eax],ecx
8287930f 8b4da0 mov ecx,dword ptr [ebp-60h]
82879312 894804 mov dword ptr [eax+4],ecx
82879315 c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh
8287931c eb27 jmp nt!NtWriteFile+0x419 (82879345)
nt!NtWriteFile+0x419:
82879345 39750c cmp dword ptr [ebp+0Ch],esi
82879348 741b je nt!NtWriteFile+0x439 (82879365)
nt!NtWriteFile+0x41e:
8287934a f7472c00000008 test dword ptr [edi+2Ch],8000000h
82879351 750a jne nt!NtWriteFile+0x431 (8287935d)
nt!NtWriteFile+0x427:
82879353 56 push esi
82879354 56 push esi
82879355 ff75dc push dword ptr [ebp-24h]
82879358 e86861e0ff call nt!KeSetEvent (8267f4c5)
nt!NtWriteFile+0x431:
8287935d 8b4ddc mov ecx,dword ptr [ebp-24h]
82879360 e85e79e0ff call nt!ObfDereferenceObject (82680cc3)
nt!NtWriteFile+0x439:
82879365 33c0 xor eax,eax
82879367 8d4f44 lea ecx,[edi+44h]
8287936a 8701 xchg eax,dword ptr [ecx]
8287936c 397740 cmp dword ptr [edi+40h],esi
8287936f 740b je nt!NtWriteFile+0x450 (8287937c)
nt!NtWriteFile+0x445:
82879371 56 push esi
82879372 56 push esi
82879373 8d474c lea eax,[edi+4Ch]
82879376 50 push eax
82879377 e84961e0ff call nt!KeSetEvent (8267f4c5)
nt!NtWriteFile+0x450:
8287937c 8bcf mov ecx,edi
8287937e e84079e0ff call nt!ObfDereferenceObject (82680cc3)
82879383 8bcf mov ecx,edi
82879385 e83979e0ff call nt!ObfDereferenceObject (82680cc3)
8287938a 8b459c mov eax,dword ptr [ebp-64h]
8287938d e987020000 jmp nt!NtWriteFile+0x6e8 (82879619)
nt!NtWriteFile+0x466:
82879392 397524 cmp dword ptr [ebp+24h],esi
82879395 751c jne nt!NtWriteFile+0x482 (828793b3)
nt!NtWriteFile+0x46b:
82879397 a980020000 test eax,280h
8287939c 7515 jne nt!NtWriteFile+0x482 (828793b3)
nt!NtWriteFile+0x472:
8287939e 8b4ddc mov ecx,dword ptr [ebp-24h]
828793a1 3bce cmp ecx,esi
828793a3 0f8550feffff jne nt!NtWriteFile+0x2cd (828791f9)
nt!NtWriteFile+0x47d:
828793a9 e950feffff jmp nt!NtWriteFile+0x2d2 (828791fe)
nt!NtWriteFile+0x482:
828793b3 c6452800 mov byte ptr [ebp+28h],0
nt!NtWriteFile+0x486:
828793b7 33db xor ebx,ebx
828793b9 395da8 cmp dword ptr [ebp-58h],ebx
828793bc 7d2e jge nt!NtWriteFile+0x4bb (828793ec)
nt!NtWriteFile+0x48d:
828793be 837da8ff cmp dword ptr [ebp-58h],0FFFFFFFFh
828793c2 7506 jne nt!NtWriteFile+0x499 (828793ca)
nt!NtWriteFile+0x493:
828793c4 837da4ff cmp dword ptr [ebp-5Ch],0FFFFFFFFh
828793c8 7422 je nt!NtWriteFile+0x4bb (828793ec)
nt!NtWriteFile+0x499:
828793ca 8b4ddc mov ecx,dword ptr [ebp-24h]
828793cd 3bcb cmp ecx,ebx
828793cf 7405 je nt!NtWriteFile+0x4a5 (828793d6)
nt!NtWriteFile+0x4a0:
828793d1 e8ed78e0ff call nt!ObfDereferenceObject (82680cc3)
nt!NtWriteFile+0x4a5:
828793d6 807d2800 cmp byte ptr [ebp+28h],0
828793da 0f841efeffff je nt!NtWriteFile+0x2d2 (828791fe)
nt!NtWriteFile+0x4af:
828793e0 33c0 xor eax,eax
828793e2 8d4f44 lea ecx,[edi+44h]
828793e5 8701 xchg eax,dword ptr [ecx]
828793e7 e9fbfdffff jmp nt!NtWriteFile+0x2bb (828791e7)
nt!NtWriteFile+0x4bb:
828793ec 895f60 mov dword ptr [edi+60h],ebx
828793ef 807d2800 cmp byte ptr [ebp+28h],0
828793f3 0f94c0 sete al
828793f6 0fb6c0 movzx eax,al
828793f9 50 push eax
828793fa 8b4508 mov eax,dword ptr [ebp+8]
828793fd 0fb64030 movzx eax,byte ptr [eax+30h]
82879401 50 push eax
82879402 e8ce30e2ff call nt!IoAllocateIrp (8269c4d5)
82879407 8bf0 mov esi,eax
82879409 897524 mov dword ptr [ebp+24h],esi
8287940c 3bf3 cmp esi,ebx
8287940e 7514 jne nt!NtWriteFile+0x4f3 (82879424)
nt!NtWriteFile+0x4df:
82879410 8b4ddc mov ecx,dword ptr [ebp-24h]
82879413 8bf7 mov esi,edi
82879415 e8fa530400 call nt!IopAllocateIrpCleanup (828be814)
8287941a b89a0000c0 mov eax,0C000009Ah
8287941f e9f5010000 jmp nt!NtWriteFile+0x6e8 (82879619)
nt!NtWriteFile+0x4f3:
82879424 897e64 mov dword ptr [esi+64h],edi
82879427 8b45bc mov eax,dword ptr [ebp-44h]
8287942a 894650 mov dword ptr [esi+50h],eax
8287942d 33c9 xor ecx,ecx
8287942f 894e54 mov dword ptr [esi+54h],ecx
82879432 8a45d4 mov al,byte ptr [ebp-2Ch]
82879435 884620 mov byte ptr [esi+20h],al
82879438 884e21 mov byte ptr [esi+21h],cl
8287943b 884e24 mov byte ptr [esi+24h],cl
8287943e 894e38 mov dword ptr [esi+38h],ecx
82879441 8b45dc mov eax,dword ptr [ebp-24h]
82879444 89462c mov dword ptr [esi+2Ch],eax
82879447 8b4518 mov eax,dword ptr [ebp+18h]
8287944a 894628 mov dword ptr [esi+28h],eax
8287944d 8b4510 mov eax,dword ptr [ebp+10h]
82879450 894630 mov dword ptr [esi+30h],eax
82879453 8b4514 mov eax,dword ptr [ebp+14h]
82879456 894634 mov dword ptr [esi+34h],eax
82879459 8b5e60 mov ebx,dword ptr [esi+60h]
8287945c 83eb24 sub ebx,24h
8287945f c70304000000 mov dword ptr [ebx],4
82879465 897b18 mov dword ptr [ebx+18h],edi
82879468 6a10 push 10h
8287946a 5a pop edx
8287946b 8b45c8 mov eax,dword ptr [ebp-38h]
8287946e 8410 test byte ptr [eax],dl
82879470 7404 je nt!NtWriteFile+0x545 (82879476)
nt!NtWriteFile+0x541:
82879472 c6430204 mov byte ptr [ebx+2],4
nt!NtWriteFile+0x545:
82879476 894e0c mov dword ptr [esi+0Ch],ecx
82879479 894e04 mov dword ptr [esi+4],ecx
8287947c 8b4508 mov eax,dword ptr [ebp+8]
8287947f 8b401c mov eax,dword ptr [eax+1Ch]
82879482 a804 test al,4
82879484 0f84ae000000 je nt!NtWriteFile+0x607 (82879538)
nt!NtWriteFile+0x559:
8287948a 394d20 cmp dword ptr [ebp+20h],ecx
8287948d 0f849d000000 je nt!NtWriteFile+0x5ff (82879530)
nt!NtWriteFile+0x562:
82879493 c745fc02000000 mov dword ptr [ebp-4],2
8287949a 390d489f7482 cmp dword ptr [nt!ViVerifierDriverAddedThunkListHead (82749f48)],ecx
828794a0 7511 jne nt!NtWriteFile+0x582 (828794b3)
nt!NtWriteFile+0x571:
828794a2 68496f2020 push 20206F49h
828794a7 ff7520 push dword ptr [ebp+20h]
828794aa 6a04 push 4
828794ac e8ee66e3ff call nt!ExAllocatePoolWithQuotaTag (826afb9f)
828794b1 eb2f jmp nt!NtWriteFile+0x5b1 (828794e2)
nt!NtWriteFile+0x582:
828794b3 0fb605802b7582 movzx eax,byte ptr [nt!MmVerifierData (82752b80)]
828794ba 23c2 and eax,edx
828794bc 83c840 or eax,40h
828794bf d1e8 shr eax,1
828794c1 50 push eax
828794c2 68496f2020 push 20206F49h
828794c7 ff7520 push dword ptr [ebp+20h]
828794ca 6a04 push 4
828794cc e84610e3ff call nt!ExAllocatePoolWithTagPriority (826aa517)
828794d1 85c0 test eax,eax
828794d3 750a jne nt!NtWriteFile+0x5ae (828794df)
nt!NtWriteFile+0x5a4:
828794d5 689a0000c0 push 0C000009Ah
828794da e815a2dcff call nt!RtlRaiseStatus (826436f4)
nt!NtWriteFile+0x5ae:
828794df 8b7dd8 mov edi,dword ptr [ebp-28h]
nt!NtWriteFile+0x5b1:
828794e2 89460c mov dword ptr [esi+0Ch],eax
828794e5 ff7520 push dword ptr [ebp+20h]
828794e8 ff751c push dword ptr [ebp+1Ch]
828794eb 50 push eax
828794ec e8cf82dcff call nt!memcpy (826417c0)
828794f1 83c40c add esp,0Ch
828794f4 c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh
828794fb c7460830000000 mov dword ptr [esi+8],30h
82879502 e9cd000000 jmp nt!NtWriteFile+0x6a3 (828795d4)
nt!NtWriteFile+0x5ff:
82879530 895608 mov dword ptr [esi+8],edx
82879533 e99c000000 jmp nt!NtWriteFile+0x6a3 (828795d4)
nt!NtWriteFile+0x607:
82879538 894e08 mov dword ptr [esi+8],ecx
8287953b 84c2 test dl,al
8287953d 0f848b000000 je nt!NtWriteFile+0x69d (828795ce)
nt!NtWriteFile+0x612:
82879543 394d20 cmp dword ptr [ebp+20h],ecx
82879546 0f8488000000 je nt!NtWriteFile+0x6a3 (828795d4)
nt!NtWriteFile+0x61b:
8287954c c745fc03000000 mov dword ptr [ebp-4],3
82879553 56 push esi
82879554 6a01 push 1
82879556 6a00 push 0
82879558 ff7520 push dword ptr [ebp+20h]
8287955b ff751c push dword ptr [ebp+1Ch]
8287955e e8923fe2ff call nt!IoAllocateMdl (8269d4f5)
82879563 8945b4 mov dword ptr [ebp-4Ch],eax
82879566 85c0 test eax,eax
82879568 0f8467ffffff je nt!NtWriteFile+0x5a4 (828794d5)
nt!NtWriteFile+0x63d:
8287956e 0fb63b movzx edi,byte ptr [ebx]
82879571 6a00 push 0
82879573 ff75d4 push dword ptr [ebp-2Ch]
82879576 50 push eax
82879577 e86374dfff call nt!MmProbeAndLockPages (826709df)
8287957c a188257782 mov eax,dword ptr [nt!MmTrackLockedPages (82772588)]
82879581 a801 test al,1
82879583 7414 je nt!NtWriteFile+0x668 (82879599)
nt!NtWriteFile+0x654:
82879585 8b4508 mov eax,dword ptr [ebp+8]
82879588 8b4808 mov ecx,dword ptr [eax+8]
8287958b 8b7cb938 mov edi,dword ptr [ecx+edi*4+38h]
8287958f 50 push eax
82879590 57 push edi
82879591 8b7db4 mov edi,dword ptr [ebp-4Ch]
82879594 e8148fdfff call nt!MmUpdateMdlTracker (826724ad)
nt!NtWriteFile+0x668:
82879599 c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh
828795a0 8b7dd8 mov edi,dword ptr [ebp-28h]
828795a3 eb2f jmp nt!NtWriteFile+0x6a3 (828795d4)
nt!NtWriteFile+0x69d:
828795ce 8b451c mov eax,dword ptr [ebp+1Ch]
828795d1 89463c mov dword ptr [esi+3Ch],eax
nt!NtWriteFile+0x6a3:
828795d4 8b45c8 mov eax,dword ptr [ebp-38h]
828795d7 f60008 test byte ptr [eax],8
828795da 7409 je nt!NtWriteFile+0x6b4 (828795e5)
nt!NtWriteFile+0x6ab:
828795dc 814e08010a0000 or dword ptr [esi+8],0A01h
828795e3 eb07 jmp nt!NtWriteFile+0x6bb (828795ec)
nt!NtWriteFile+0x6b4:
828795e5 814e08000a0000 or dword ptr [esi+8],0A00h
nt!NtWriteFile+0x6bb:
828795ec 8b4520 mov eax,dword ptr [ebp+20h]
828795ef 894304 mov dword ptr [ebx+4],eax
828795f2 8b45d0 mov eax,dword ptr [ebp-30h]
828795f5 894308 mov dword ptr [ebx+8],eax
828795f8 8b45a4 mov eax,dword ptr [ebp-5Ch]
828795fb 89430c mov dword ptr [ebx+0Ch],eax
828795fe 8b45a8 mov eax,dword ptr [ebp-58h]
82879601 894310 mov dword ptr [ebx+10h],eax
82879604 6a01 push 1
82879606 ff7528 push dword ptr [ebp+28h]
82879609 ff75d4 push dword ptr [ebp-2Ch]
8287960c 6a01 push 1
8287960e 57 push edi
8287960f ff7508 push dword ptr [ebp+8]
82879612 8bc6 mov eax,esi
82879614 e88ea1fbff call nt!IopSynchronousServiceTail (828337a7)
nt!NtWriteFile+0x6e8:
82879619 e8cfe5e0ff call nt!_SEH_epilog4 (82687bed)
8287961e c22400 ret 24h
Sometimes we want to go backwards from a symbol or memory location and unassemble. The B flag (uB) gives you that output: it shows the instructions that precede the given address.
kd> uB 82878f42
nt!ObReferenceFileObjectForWrite+0x219:
82878f2a 90 nop
nt!NtWriteFile:
82878f2b 6a5c push 5Ch
82878f2d 6880236682 push offset nt! ?? ::FNODOBFM::`string'+0x6800 (82662380)
82878f32 e871ece0ff call nt!_SEH_prolog4 (82687ba8)
82878f37 33f6 xor esi,esi
82878f39 8975dc mov dword ptr [ebp-24h],esi
82878f3c 8975d0 mov dword ptr [ebp-30h],esi
82878f3f 8975a4 mov dword ptr [ebp-5Ch],esi
Note: I used a known address inside the NtWriteFile function, taken from the previous output, for the sake of example. As we can see, while going backwards the unassemble command also disassembled the last line of the previous function, nt!ObReferenceFileObjectForWrite.
If we want a specific number of instructions (one per output line) before the address to be unassembled, we can use the L flag.
kd> uB 82878f42 L5
nt!NtWriteFile+0x7:
82878f32 e871ece0ff call nt!_SEH_prolog4 (82687ba8)
82878f37 33f6 xor esi,esi
82878f39 8975dc mov dword ptr [ebp-24h],esi
82878f3c 8975d0 mov dword ptr [ebp-30h],esi
82878f3f 8975a4 mov dword ptr [ebp-5Ch],esi
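As an added example (not from the original post), the following Python script parses a few lines of the u listing shown above and reproduces what uB takes as its range: it checks that each instruction starts where the previous one ended, counts back from 82878f42 the way uB 82878f42 L5 does, and shows that L5 means five instructions (16 bytes here), not five bytes. The sample lines are copied from the post's own output; the function names are my own.

```python
"""Parse WinDbg `u` output and emulate the range handling of `uB addr Ln`.

Added example, not part of the original post. It works on the listing lines
copied from the post above; parse_listing, check_contiguous,
instructions_before and bytes_spanned are helper names chosen here.
"""
import re

# Lines copied from the `uB 82878f42` listing above (the post's own output).
SAMPLE_LISTING = """\
nt!ObReferenceFileObjectForWrite+0x219:
82878f2a 90 nop
nt!NtWriteFile:
82878f2b 6a5c push 5Ch
82878f2d 6880236682 push offset nt! ?? ::FNODOBFM::`string'+0x6800 (82662380)
82878f32 e871ece0ff call nt!_SEH_prolog4 (82687ba8)
82878f37 33f6 xor esi,esi
82878f39 8975dc mov dword ptr [ebp-24h],esi
82878f3c 8975d0 mov dword ptr [ebp-30h],esi
82878f3f 8975a4 mov dword ptr [ebp-5Ch],esi
82878f42 8975a8 mov dword ptr [ebp-58h],esi
"""

# An instruction line: 8-hex-digit address, opcode bytes, disassembly text.
INSN_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]+) (.*)$")
# A symbol label line such as "nt!NtWriteFile:" or "nt!NtWriteFile+0x47:".
LABEL_RE = re.compile(r"^(\S+):$")


def parse_listing(text):
    """Return a list of (address, opcode_bytes, text, nearest_label) tuples."""
    insns = []
    current_label = None
    for line in text.splitlines():
        m = LABEL_RE.match(line)
        if m:
            current_label = m.group(1)
            continue
        m = INSN_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        opcodes = bytes.fromhex(m.group(2))
        insns.append((addr, opcodes, m.group(3), current_label))
    return insns


def check_contiguous(insns):
    """True if every instruction starts exactly where the previous one ends.

    This is the invariant the debugger relies on: x86 instructions have
    variable length, so a backward listing is only meaningful when the
    boundaries line up with a forward decode from a known symbol.
    """
    for (a1, b1, _, _), (a2, _, _, _) in zip(insns, insns[1:]):
        if a1 + len(b1) != a2:
            return False
    return True


def instructions_before(insns, addr, count=8):
    """Emulate `uB addr Lcount`: the `count` instructions ending at `addr`.

    WinDbg's default range without L is eight instructions, matching the
    eight lines the plain `uB 82878f42` listing above shows.
    """
    idx = next(i for i, (a, *_) in enumerate(insns) if a == addr)
    return insns[max(0, idx - count):idx]


def bytes_spanned(insns):
    """Total opcode bytes covered by a list of parsed instructions."""
    return sum(len(opcodes) for _, opcodes, _, _ in insns)


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    print("contiguous:", check_contiguous(parsed))
    before = instructions_before(parsed, 0x82878F42, 5)
    for addr, opcodes, text, label in before:
        print(f"{addr:08x} {opcodes.hex():<12} {text}   <- {label}")
    print("L5 covers", bytes_spanned(before), "bytes")
    # The first parsed line is the padding nop that WinDbg attributes to the
    # preceding symbol, exactly as the post's `uB 82878f42` output shows.
    print("first line belongs to:", parsed[0][3])
```

Running it reproduces the five addresses of the uB 82878f42 L5 listing (82878f32 through 82878f3f) and reports that they cover 16 bytes, which is why the L value should be read as an instruction count. The contiguity check is the property to verify whenever a backward listing looks odd: if the byte lengths do not chain to the next address, the decode started on a wrong boundary.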