Thanks for the reply! More detail.
lkd> u nt!KiIdleLoop
nt!KiIdleLoop:
fffff800030d1c70 4883ec28 sub rsp,28h
fffff800030d1c74 488364242800 and qword ptr [rsp+28h],0
fffff800030d1c7a 65488b1c2520000000 mov rbx,qword ptr gs:[20h]
fffff800030d1c83 eb25 jmp nt!KiIdleLoop+0x3a (fffff800030d1caa)
fffff800030d1c85 f683dc2100003f test byte ptr [rbx+21DCh],3Fh
fffff800030d1c8c 7518 jne nt!KiIdleLoop+0x36 (fffff800030d1ca6)
fffff800030d1c8e 33c9 xor ecx,ecx
fffff800030d1c90 440f22c1 mov cr8,rcx
*** dumpbin ***
KiIdleLoop:
0000000140076C70: 48 83 EC 28 sub rsp,28h
0000000140076C74: 48 83 64 24 28 00 and qword ptr [rsp+28h],0
0000000140076C7A: 65 48 8B 1C 25 20 mov rbx,qword ptr gs:[20h]
00 00 00
0000000140076C83: EB 25 jmp 0000000140076CAA
0000000140076C85: F6 83 DC 21 00 00 test byte ptr [rbx+21DCh],3Fh
3F
0000000140076C8C: 75 18 jne 0000000140076CA6
0000000140076C8E: 33 C9 xor ecx,ecx
0000000140076C90: 44 0F 22 C1 mov cr8,rcx
lkd> ? nt!KiIdleLoop - nt
Evaluate expression: 486512 = 00000000`00076c70
The following simple program reports that 76C70 is the routine ExfAcquirePushLockExclusive at address 47653d. I don't understand why SymFromAddr wouldn't yield KiIdleLoop.
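// Print the name of a failed dbghelp call together with GetLastError().
static void ReportFailure(const char* api)
{
    std::cout << api << " failed with: " << GetLastError() << "\n\n";
}

// Look up `base + offset` in the module loaded at `base`, print the symbol
// it maps to and the displacement from that symbol, and print which kind of
// symbols dbghelp actually loaded for the module.
// Returns 0 on success, -1 if SymFromAddr fails.
static int ResolveAndPrint(HANDLE process, DWORD64 base, DWORD64 offset)
{
    IMAGEHLP_MODULE64 module = {};
    module.SizeOfStruct = sizeof(module);
    if (SymGetModuleInfo64(process, base, &module))
    {
        // SymPdb: a matching PDB was loaded. SymExport: only the export
        // table is available, so a non-exported routine such as KiIdleLoop
        // cannot be named and SymFromAddr reports the nearest preceding
        // export instead -- consistent with ExfAcquirePushLockExclusive
        // being returned for an address inside KiIdleLoop. Best-effort:
        // a failure here is not fatal, the lookup below still runs.
        std::cout << "SymType: " << module.SymType
                  << (module.SymType == SymPdb ? " (PDB)"
                      : module.SymType == SymExport ? " (exports only)"
                      : "")
                  << "\n";
    }

    // SYMBOL_INFO_PACKAGE provides the variable-length Name storage with
    // correct alignment, replacing the hand-rolled char buffer.
    SYMBOL_INFO_PACKAGE package = {};
    package.si.SizeOfStruct = sizeof(SYMBOL_INFO);
    package.si.MaxNameLen = MAX_SYM_NAME;

    // Displacement is requested so a "nearest symbol" answer is visible as
    // such rather than mistaken for an exact hit.
    DWORD64 displacement = 0;
    if (!SymFromAddr(process, base + offset, &displacement, &package.si))
    {
        ReportFailure("SymFromAddr()");
        return -1;
    }
    std::cout << std::hex
              << "base+0x" << offset << " -> " << package.si.Name
              << "+0x" << displacement << "\n"
              << std::dec;
    return 0;
}

// Resolve an RVA inside ntoskrnl.exe with dbghelp and print the result.
// Returns 0 on success and -1 if any dbghelp call fails.
//
// Changes relative to the original listing:
//  - argv is declared as _TCHAR* argv[]; the CRT passes an array of
//    pointers, not a single pointer.
//  - The image path uses escaped backslashes. The original literal
//    "c:\windows\system32\ntoskrnl.exe" contains the escape sequences \w,
//    \s and \n (the last one a newline), so the path handed to
//    SymLoadModuleEx was not the intended file name.
//  - `goto end` jumped over the initialisation of `symbol`, which C++
//    rejects; cleanup is now reached by structured control flow, and
//    every failure path returns -1 instead of 0.
//  - The resolved name, its displacement and the module's symbol type are
//    printed, which is what shows whether a PDB or only the export table
//    was used for the lookup.
int _tmain(int argc, _TCHAR* argv[])
{
    const HANDLE process = GetCurrentProcess();

    // SYMOPT_DEBUG makes dbghelp emit symbol-search diagnostics, which
    // explain why a PDB was (not) found.
    SymSetOptions(SymGetOptions() | SYMOPT_DEBUG);

    // UserSearchPath == NULL: dbghelp falls back to its default search
    // (e.g. _NT_SYMBOL_PATH). Without a reachable PDB only exports remain.
    if (!SymInitialize(process, NULL, FALSE))
    {
        ReportFailure("SymInitialize()");
        return -1;
    }

    int result = -1;

    // BaseOfDll == 0 lets dbghelp pick the load address; every address
    // passed to SymFromAddr must be relative to the returned `base`.
    const DWORD64 base = SymLoadModuleEx(
        process,
        NULL,
        "c:\\windows\\system32\\ntoskrnl.exe",
        NULL,
        0,
        0,
        NULL,
        0);
    if (base == 0)
    {
        ReportFailure("SymLoadModuleEx()");
    }
    else
    {
        // KiIdleLoop+0x30: "? nt!KiIdleLoop - nt" gives 0x76c70 for the
        // routine start, and the disassembly references KiIdleLoop+0x3a,
        // so this offset lies inside the routine.
        const DWORD64 offset = 0x76ca0;
        result = ResolveAndPrint(process, base, offset);
    }

    SymCleanup(process);
    return result;
}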
ExfAcquirePushLockExclusive:
0000000140070000: 48 89 5C 24 18 mov qword ptr [rsp+18h],rbx
0000000140070005: 48 89 74 24 20 mov qword ptr [rsp+20h],rsi
000000014007000A: 57 push rdi
000000014007000B: 48 83 EC 70 sub rsp,70h
000000014007000F: 33 F6 xor esi,esi
0000000140070011: 48 8B F9 mov rdi,rcx