soffensive blog
Posts Tags Categories About
soffensive blog

Contents

Practical Reverse Engineering Exercise Solutions: KiInitializeTSS

 included in practical reverse engineering
   389 words   2 minutes 
Contents

Another exercise for us is the decompilation of the KiInitializeTSS function:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

nt!KiInitializeTSS:
82847359 8bff            mov     edi,edi
8284735b 55              push    ebp
8284735c 8bec            mov     ebp,esp
8284735e 8b4508          mov     eax,dword ptr [ebp+8]
82847361 b9ac200000      mov     ecx,20ACh
82847366 66894866        mov     word ptr [eax+66h],cx
8284736a 33c9            xor     ecx,ecx
8284736c 6a10            push    10h
8284736e 66894864        mov     word ptr [eax+64h],cx
82847372 66894860        mov     word ptr [eax+60h],cx
82847376 59              pop     ecx
82847377 66894808        mov     word ptr [eax+8],cx
8284737b 5d              pop     ebp
8284737c c20400          ret     4

We obtain the function prototype: (source)

1
2
3
4
5

VOID
NTAPI
KiInitializeTSS(IN PKTSS Tss)
{
}

Structure of _KTSS:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

kd> dt nt!_ktss
   +0x000 Backlink         : Uint2B
   +0x002 Reserved0        : Uint2B
   +0x004 Esp0             : Uint4B
   +0x008 Ss0              : Uint2B
   +0x00a Reserved1        : Uint2B
   +0x00c NotUsed1         : [4] Uint4B
   +0x01c CR3              : Uint4B
   +0x020 Eip              : Uint4B
   +0x024 EFlags           : Uint4B
   +0x028 Eax              : Uint4B
   +0x02c Ecx              : Uint4B
   +0x030 Edx              : Uint4B
   +0x034 Ebx              : Uint4B
   +0x038 Esp              : Uint4B
   +0x03c Ebp              : Uint4B
   +0x040 Esi              : Uint4B
   +0x044 Edi              : Uint4B
   +0x048 Es               : Uint2B
   +0x04a Reserved2        : Uint2B
   +0x04c Cs               : Uint2B
   +0x04e Reserved3        : Uint2B
   +0x050 Ss               : Uint2B
   +0x052 Reserved4        : Uint2B
   +0x054 Ds               : Uint2B
   +0x056 Reserved5        : Uint2B
   +0x058 Fs               : Uint2B
   +0x05a Reserved6        : Uint2B
   +0x05c Gs               : Uint2B
   +0x05e Reserved7        : Uint2B
   +0x060 LDT              : Uint2B
   +0x062 Reserved8        : Uint2B
   +0x064 Flags            : Uint2B
   +0x066 IoMapBase        : Uint2B
   +0x068 IoMaps           : [1] _KiIoAccessMap
   +0x208c IntDirectionMap  : [32] UChar

Translaction to C:

1
2
3
4
5
6
7
8

VOID NTAPI iInitializeTSS(IN PKTSS Tss)
{
    Tss->IoMapBase = 0x20AC;
    Tss->Flags = 0;
    Tss->LDT = 0;
    Tss->Ss0 = 0x10;
}

Although we are technically done with the decompilation, it is worthwhile to note the meaning of the hexadecimal values. 

While hexadecimal 0x10 is 16 in decimal notation, 0x20AC is 8364.

We can obtain the size of the data structure _KTSS in WinDbg with the following command. The size coincides with the value assigned to IoMapBase:

1
2

kd> ?? sizeof(_KTSS)
unsigned int 0x20ac
Updated on 2017-07-16
 Practical Reverse Engineeringx64x86
Back | Home