From: matt_sykes on 10 Sep 2010 08:35

On 10 Sep, 14:19, matt_sykes <zzeb...(a)hotmail.com> wrote:
> Here is the exception:
> fffff880`06159500 483b5020 cmp rdx,qword ptr [rax+20h] ds:002b:00000000`00000020=????????????????
>
> This is the line that cycles through the linked list in a while loop:
> fffff880`06159506 488b00 mov rax,qword ptr [rax]
>
> This is the list:
>
> kd> dl fffffa801ac24f70 100 1
> fffffa80`1ac24f70 fffffa80`1aa8f010 <--- this is the start address
> fffffa80`1aa8f010 fffffa80`1aff6350
> fffffa80`1aff6350 fffffa80`1acec740
> fffffa80`1acec740 fffffa80`1b372cf0
> fffffa80`1b372cf0 fffffa80`1b546190
> fffffa80`1b546190 fffffa80`1b55baf0
> fffffa80`1b55baf0 fffffa80`1b551660
> fffffa80`1b551660 fffffa80`1ac24f70
>
> The list is got from rcx (first param) + 0xa0:
>
> add rcx,0A0h
>
> and the value put into rax:
>
> mov rax,qword ptr [rcx]
>
> kd> dt trusted!_TRACKED_PROCESS FFFFFA801AC24ED0
> +0x000 List : _LIST_ENTRY [ 0xfffffa80`18df0a50 - 0xfffffa80`1adea5c0 ]
> +0x010 Flags : 1
> +0x018 ParentId : 0x00000000`00000450
> +0x020 ProcessId : 0x00000000`00000a7c
> +0x028 ProcessImageNameLength : 0x9a
> +0x030 ProcessImageName : 0xfffff8a0`02203c30 -> 0x5c
> +0x038 FileLock : _ERESOURCE
> +0x0a0 Files : _LIST_ENTRY [ 0xfffffa80`1aa8f010 - 0xfffffa80`1b551660 ] <--- 0xfffffa80`1aa8f010 is a valid address in the linked list at offset 0xa0 from rcx (the first param).
>
> I don't see how rax can end up zero, it seems utterly impossible.
>
> Here is the assembly for the loop and function initialisation:
>
> fffff880`061594e0 4533d2 xor r10d,r10d
> fffff880`061594e3 4885c9 test rcx,rcx
> fffff880`061594e6 41b90d0000c0 mov r9d,0C000000Dh
> fffff880`061594ec 7428 je Trusted!TrustLookupFileObject+0x36 (fffff880`06159516)
> fffff880`061594ee 4881c1a0000000 add rcx,0A0h
> fffff880`061594f5 41b90f0000c0 mov r9d,0C000000Fh
> fffff880`061594fb 488b01 mov rax,qword ptr [rcx]
> fffff880`061594fe eb09 jmp Trusted!TrustLookupFileObject+0x29 (fffff880`06159509)
> fffff880`06159500 483b5020 cmp rdx,qword ptr [rax+20h]
> fffff880`06159504 740a je Trusted!TrustLookupFileObject+0x30 (fffff880`06159510)
> fffff880`06159506 488b00 mov rax,qword ptr [rax]
> fffff880`06159509 483bc8 cmp rcx,rax
> fffff880`0615950c 75f2 jne Trusted!TrustLookupFileObject+0x20 (fffff880`06159500)

Why is it that when you formulate the question correctly the answer seems to come on its own? :) Still, that's what discussion is for!

So, this is due to a simultaneous access of the linked list which of course needs controlling by a lock.
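The lookup loop in the disassembly, rebuilt in user-mode C with the lock it was missing. This is an added example, not the poster's driver code: the TRACKED_FILE layout (Links at +0, FileObject at +0x20, matching the cmp rdx,[rax+20h]), the two-field TRACKED_PROCESS, the FAKE_LOCK standing in for the ERESOURCE FileLock, and the 0x1000-series file-object values are all assumptions constructed for the demo. RemoveTrackedFile zero-fills the node after unlinking to model the freed-and-reused pool memory a concurrent walker would read; StaleNextPointer shows what that walker's next rax would be.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NTSTATUS values loaded into r9d in the disassembly (real Windows values). */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000D)
#define STATUS_NO_SUCH_FILE      ((NTSTATUS)0xC000000F)

/* Same shape as the kernel's _LIST_ENTRY: a circular doubly linked list. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Stand-in for the ERESOURCE FileLock (hypothetical); the asserts catch any
   path that touches the list without holding it. */
typedef struct { int held; } FAKE_LOCK;
static void LockAcquire(FAKE_LOCK *l) { assert(!l->held); l->held = 1; }
static void LockRelease(FAKE_LOCK *l) { assert(l->held);  l->held = 0; }

typedef struct {                 /* hypothetical per-file record */
    LIST_ENTRY Links;            /* +0x00: linked into TRACKED_PROCESS.Files */
    uint64_t   Reserved[2];      /* +0x10: padding so FileObject lands at +0x20 */
    void      *FileObject;       /* +0x20: what cmp rdx,[rax+20h] compares */
} TRACKED_FILE;
_Static_assert(offsetof(TRACKED_FILE, FileObject) == 0x20, "layout mirrors dump");

typedef struct {                 /* subset of _TRACKED_PROCESS */
    FAKE_LOCK  FileLock;         /* stands in for the ERESOURCE at +0x38 */
    LIST_ENTRY Files;            /* stands in for the list head at +0xa0 */
} TRACKED_PROCESS;

static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
static void RemoveEntryList(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink;
}

/* The traversal from the disassembly, now under the lock. */
NTSTATUS LookupFileObject(TRACKED_PROCESS *p, void *fileObject, TRACKED_FILE **found)
{
    if (p == NULL) return STATUS_INVALID_PARAMETER;   /* test rcx,rcx / 0C000000Dh */
    NTSTATUS status = STATUS_NO_SUCH_FILE;             /* default: 0C000000Fh */
    LockAcquire(&p->FileLock);
    for (LIST_ENTRY *e = p->Files.Flink; e != &p->Files; e = e->Flink) {
        TRACKED_FILE *f = CONTAINING_RECORD(e, TRACKED_FILE, Links);
        if (f->FileObject == fileObject) { *found = f; status = STATUS_SUCCESS; break; }
    }
    LockRelease(&p->FileLock);
    return status;
}

size_t CountTrackedFiles(TRACKED_PROCESS *p)
{
    size_t n = 0;
    LockAcquire(&p->FileLock);
    for (LIST_ENTRY *e = p->Files.Flink; e != &p->Files; e = e->Flink) n++;
    LockRelease(&p->FileLock);
    return n;
}

/* Removal takes the same lock, so no walker can be mid-traversal while the
   node is unlinked. The memset models the freed node being reused as zeros. */
void RemoveTrackedFile(TRACKED_PROCESS *p, TRACKED_FILE *f)
{
    LockAcquire(&p->FileLock);
    RemoveEntryList(&f->Links);
    LockRelease(&p->FileLock);
    memset(f, 0, sizeof *f);
}

/* What an unlocked walker that had already loaded f into rax would fetch
   as its next rax: mov rax,[rax] on a freed node. */
LIST_ENTRY *StaleNextPointer(TRACKED_FILE *f) { return f->Links.Flink; }

static TRACKED_FILE    g_files[4];   /* constructed sample nodes */
static TRACKED_PROCESS g_proc;

TRACKED_PROCESS *BuildSampleProcess(void)
{
    memset(&g_proc, 0, sizeof g_proc);
    InitializeListHead(&g_proc.Files);
    for (size_t i = 0; i < 4; i++) {
        memset(&g_files[i], 0, sizeof g_files[i]);
        g_files[i].FileObject = (void *)(uintptr_t)(0x1000 + 0x100 * i); /* made-up */
        InsertTailList(&g_proc.Files, &g_files[i].Links);
    }
    return &g_proc;
}

int main(void)
{
    TRACKED_PROCESS *p = BuildSampleProcess();
    TRACKED_FILE *f = NULL;
    NTSTATUS s = LookupFileObject(p, (void *)(uintptr_t)0x1200, &f);
    printf("lookup 0x1200: status 0x%08x, node index %td\n", (unsigned)s, f - g_files);
    RemoveTrackedFile(p, f);
    printf("after removal: %zu files, stale Flink = %p\n",
           CountTrackedFiles(p), (void *)StaleNextPointer(f));
    return 0;
}
```

In the real driver the FAKE_LOCK calls map onto ExAcquireResourceSharedLite for readers like the lookup, ExAcquireResourceExclusiveLite for the removal path, and ExReleaseResourceLite on the way out, all inside KeEnterCriticalRegion/KeLeaveCriticalRegion; the point is that the lookup and every insert/remove on Files take the same lock, not just one side.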