Since RtlRestoreContext used to restore context saved by RtlCaptureContext
maybe it is better to post capture function code ?
nt!RtlCaptureContext:
pushfq
mov qword ptr[rcx + 78h], rax
mov qword ptr[rcx + 80h], rcx
mov qword ptr[rcx + 88h], rdx
mov qword ptr[rcx + 0B8h], r8
mov qword ptr[rcx + 0C0h], r9
mov qword ptr[rcx + 0C8h], r10
mov qword ptr[rcx + 0D0h], r11
movaps xmmword ptr[rcx + 1A0h], xmm0
movaps xmmword ptr[rcx + 1B0h], xmm1
movaps xmmword ptr[rcx + 1C0h], xmm2
movaps xmmword ptr[rcx + 1D0h], xmm3
movaps xmmword ptr[rcx + 1E0h], xmm4
movaps xmmword ptr[rcx + 1F0h], xmm5
mov word ptr[rcx + 38h], cs
mov word ptr[rcx + 3Ah], ds
mov word ptr[rcx + 3Ch], es
mov word ptr[rcx + 42h], ss
mov word ptr[rcx + 3Eh], fs
mov word ptr[rcx + 40h], gs
mov qword ptr[rcx + 90h], rbx
mov qword ptr[rcx + 0A0h], rbp
mov qword ptr[rcx + 0A8h], rsi
mov qword ptr[rcx + 0B0h], rdi
mov qword ptr[rcx + 0D8h], r12
mov qword ptr[rcx + 0E0h], r13
mov qword ptr[rcx + 0E8h], r14
mov qword ptr[rcx + 0F0h], r15
fnstcw word ptr[rcx + 100h]
mov dword ptr[rcx + 102h], 0
movaps xmmword ptr[rcx + 200h], xmm6
movaps xmmword ptr[rcx + 210h], xmm7
movaps xmmword ptr[rcx + 220h], xmm8
movaps xmmword ptr[rcx + 230h], xmm9
movaps xmmword ptr[rcx + 240h], xmm10
movaps xmmword ptr[rcx + 250h], xmm11
movaps xmmword ptr[rcx + 260h], xmm12
movaps xmmword ptr[rcx + 270h], xmm13
movaps xmmword ptr[rcx + 280h], xmm14
movaps xmmword ptr[rcx + 290h], xmm15
stmxcsr dword ptr[rcx + 118h]
stmxcsr dword ptr[rcx + 34h]
lea rax, [rsp + 10h]
mov qword ptr[rcx + 98h], rax
mov rax, qword ptr[rsp + 8]
mov qword ptr[rcx + 0F8h], rax
mov eax, dword ptr[rsp]
mov dword ptr[rcx + 44h], eax
mov dword ptr[rcx + 30h], 10000Fh
add rsp, 8
ret
input argument for capture function is pointer to _CONTEXT structure
nt!_CONTEXT
+0x000 P1Home : Uint8B
+0x008 P2Home : Uint8B
+0x010 P3Home : Uint8B
+0x018 P4Home : Uint8B
+0x020 P5Home : Uint8B
+0x028 P6Home : Uint8B
+0x030 ContextFlags : Uint4B
+0x034 MxCsr : Uint4B
+0x038 SegCs : Uint2B
+0x03a SegDs : Uint2B
+0x03c SegEs : Uint2B
+0x03e SegFs : Uint2B
+0x040 SegGs : Uint2B
+0x042 SegSs : Uint2B
+0x044 EFlags : Uint4B
+0x048 Dr0 : Uint8B
+0x050 Dr1 : Uint8B
+0x058 Dr2 : Uint8B
+0x060 Dr3 : Uint8B
+0x068 Dr6 : Uint8B
+0x070 Dr7 : Uint8B
+0x078 Rax : Uint8B
+0x080 Rcx : Uint8B
+0x088 Rdx : Uint8B
+0x090 Rbx : Uint8B
+0x098 Rsp : Uint8B
+0x0a0 Rbp : Uint8B
+0x0a8 Rsi : Uint8B
+0x0b0 Rdi : Uint8B
+0x0b8 R8 : Uint8B
+0x0c0 R9 : Uint8B
+0x0c8 R10 : Uint8B
+0x0d0 R11 : Uint8B
+0x0d8 R12 : Uint8B
+0x0e0 R13 : Uint8B
+0x0e8 R14 : Uint8B
+0x0f0 R15 : Uint8B
+0x0f8 Rip : Uint8B
+0x100 FltSave : _XSAVE_FORMAT
+0x100 Header : [2] _M128A
+0x120 Legacy : [8] _M128A
+0x1a0 Xmm0 : _M128A
+0x1b0 Xmm1 : _M128A
+0x1c0 Xmm2 : _M128A
+0x1d0 Xmm3 : _M128A
+0x1e0 Xmm4 : _M128A
+0x1f0 Xmm5 : _M128A
+0x200 Xmm6 : _M128A
+0x210 Xmm7 : _M128A
+0x220 Xmm8 : _M128A
+0x230 Xmm9 : _M128A
+0x240 Xmm10 : _M128A
+0x250 Xmm11 : _M128A
+0x260 Xmm12 : _M128A
+0x270 Xmm13 : _M128A
+0x280 Xmm14 : _M128A
+0x290 Xmm15 : _M128A
+0x300 VectorRegister : [26] _M128A
+0x4a0 VectorControl : Uint8B
+0x4a8 DebugControl : Uint8B
+0x4b0 LastBranchToRip : Uint8B
+0x4b8 LastBranchFromRip : Uint8B
+0x4c0 LastExceptionToRip : Uint8B
+0x4c8 LastExceptionFromRip : Uint8B
On Thu, Mar 22, 2018 at 7:54 AM, xxxxx@hotmail.com <
xxxxx@lists.osr.com> wrote:
> This is the part that saves register state.
Well, this part saves just a PART of what has to be saved,and the original
code shows a part of what gets restored. Certainly, they don’t match. What
I want to do is to analyse how the entire stack frame gets saved and
restored.
It is obvious that RCX in the returning part acts as a frame pointer. It
would be a great idea to see where it actually comes from- I don’t see it
in your original code. I also wonder whether RBP and RSI get saved once
again somewhere in the frame or whether they stay where they are, i.e. just
above interrupt frame (which, BTW, could also get duplicated - after all, a
single byte above RAX gets zeroed for some reason, and this thing just
cannot be related to the register state alone). Your code does not show
this part either
Concerning your actual question, it is obvious that interrupts get
disabled in order to preserve the stack frame consistency. What I am trying
to understand is WHY this consistency would be violated if interrupt
occurs, and it is, apparently, somehow related to RCX register and its
interactions with RBP. Therefore, I would certainly prefer to see as much
code as you can provide
Anton Bassov
NTDEV is sponsored by OSR
Visit the list online at: http:> showlists.cfm?list=ntdev>
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at <
> http://www.osronline.com/page.cfm?name=ListServer>
></http:></http:>