
hal!KfLowerIrql函数分析和全局变量数组hal!HalpIRQLtoTPR和hal!_HalpVectorToIRQL和APIC_TPR寄存器的关系

hal!KfLowerIrql函数分析和nt!KeRaiseIrql函数分析

hal!HalpIRQLtoTPR

hal!_HalpVectorToIRQL

ds:[FFFE0080h]

ifdef _APIC_TPR_

APIC_TPR equ dword ptr ds:0FFFE0080h ; local APIC Task Priority Register (TPR), memory-mapped; the KfLowerIrql disassembly below accesses APIC[LU_TPR] at this same address

0: kd> x hal!_HalpVectorToIRQL
804fa21c hal!HalpVectorToIRQL = unsigned char [] ""
804fa21c hal!_HalpVectorToIRQL = 0x00 ''
0: kd> db 804fa21c
804fa21c 00 ff ff 01 02 ff 05 06-07 08 09 0a 1b 1c 1d 1e ................
804fa22c 00 00 00 00 00 00 00 00-08 10 00 00 00 00 00 00 ................
804fa23c 00 00 00 00 00 00 00 00-00 00 80 00 00 00 00 00 ................
804fa24c 00 00 00 00 00 00 00 00-02 00 00 00 02 00 00 00 ................
804fa25c e0 51 4f 80 00 00 00 00-00 00 00 00 00 00 00 00 .QO.............
804fa26c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
804fa27c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
804fa28c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

0: kd> x hal!HalpIRQLtoTPR
804edbb8 hal!HalpIRQLtoTPR = unsigned char [] ""
0: kd> db 804edbb8
804edbb8 00 3d 41 41 51 61 71 81-91 a1 b1 b1 b1 b1 b1 b1 .=AAQaq.........
804edbc8 b1 b1 b1 b1 b1 b1 b1 b1-b1 b1 b1 c1 d1 e1 ef ff ................
804edbd8 0f b6 d1 0f b6 8a b8 db-4e 80 a1 80 00 fe ff 89 ........N.......
804edbe8 0d 80 00 fe ff c1 e8 04-0f b6 80 1c a2 4f 80 c3 .............O..
804edbf8 8b 15 80 00 fe ff c7 05-80 00 fe ff 41 00 00 00 ............A...
804edc08 c1 ea 04 0f b6 82 1c a2-4f 80 c3 90 8b 15 80 00 ........O.......
804edc18 fe ff c7 05 80 00 fe ff-c1 00 00 00 c1 ea 04 0f ................
804edc28 b6 82 1c a2 4f 80 c3 90-33 c0 8a c1 8b 0d 80 00 ....O...3.......

;-----------------------------------------------------------------------
; VOID FASTCALL KfLowerIrql(KIRQL NewIrql)
;
; Lowers the current IRQL by programming the local APIC Task Priority
; Register (APIC[LU_TPR]; the disassembly shows it at ds:[0FFFE0080h]).
;
; In:    cl  = NewIrql (fastcall first argument), a KIRQL byte
; Out:   nothing; eax happens to hold the TPR value read back
; Clobb: eax, ecx, flags
; Tables: _HalpIRQLtoTPR   - KIRQL (0..31)  -> TPR byte (32 entries)
;         _HalpVectorToIRQL - (TPR >> 4)    -> KIRQL
;
; NOTE(review): only the DBG build checks that NewIrql <= current IRQL.
; A free build trusts the caller: a NewIrql above the current level
; programs a *higher* TPR instead of lowering, and a NewIrql > 31 indexes
; past the 32-byte _HalpIRQLtoTPR table (the db dump above shows code
; bytes immediately following it) with no range check.
;-----------------------------------------------------------------------
cPublicFastCall KfLowerIrql ,1
cPublicFpo 0,0

xor eax, eax
mov al, cl ; eax = NewIrql, zero-extended (table index below)

if DBG
;
; Make sure we are not lowering to ABOVE current level
;

mov ecx, dword ptr APIC[LU_TPR] ; (ecx) = Old Priority (current TPR)
shr ecx, 4 ; TPR -> priority class, the _HalpVectorToIRQL index
movzx ecx, _HalpVectorToIRQL[ecx] ; get IRQL for Old Priority

cmp al, cl ; unsigned: NewIrql must be <= current IRQL
jbe short KliDbg
push ecx ; old (current) irql for debugging
push eax ; new irql for debugging
stdCall _KeBugCheck, <IRQL_NOT_LESS_OR_EQUAL>
KliDbg:
endif
xor ecx, ecx ; Avoid a partial stall
mov cl, _HalpIRQLtoTPR[eax] ; get TPR value corresponding to IRQL (no bounds check on eax)
mov dword ptr APIC[LU_TPR], ecx ; program the new task priority

;
; We have to ensure that the requested priority is set before
; we return. The caller is counting on it.
;
mov eax, dword ptr APIC[LU_TPR] ; read back so the TPR write has taken effect before returning

if DBG
cmp ecx, eax ; Verify IRQL read back is same as
je short @f ; set value
int 3 ; checked build only: read-back mismatch traps to the debugger
@@:
endif
fstRET KfLowerIrql
fstENDP KfLowerIrql


参考:c语言版

KIRQL
FORCEINLINE
KeGetCurrentIrql (
VOID
)
/*++
Routine Description:
    Returns the IRQL the processor is currently running at, derived from
    the local APIC Task Priority Register: the upper nibble of the TPR
    (the priority class) is used as an index into HalpVectorToIRQL.
Return Value:
    The current KIRQL.
--*/
{
    ULONG tpr = *APIC_TPR;

    /* tpr / 16 and tpr >> 4 are the same for the unsigned ULONG value. */
    return HalpVectorToIRQL[ tpr >> 4 ];
}

VOID
FORCEINLINE
KfLowerIrql (
IN KIRQL NewIrql
)
/*++
Routine Description:
    Lowers the current IRQL by writing the TPR value that corresponds to
    NewIrql into the local APIC Task Priority Register, then reads the
    register back so the new priority is in effect before returning.
Arguments:
    NewIrql - the IRQL to lower to. Must be <= the current IRQL; this is
        only verified by ASSERT (checked builds) - a free build trusts the
        caller. NOTE(review): NewIrql is also used as an unchecked index
        into HalpIRQLToTPR.
--*/
{
ULONG tprValue;

ASSERT( NewIrql <= KeGetCurrentIrql() ); // lowering to ABOVE the current level is a caller bug (the asm version bugchecks IRQL_NOT_LESS_OR_EQUAL)

tprValue = HalpIRQLToTPR[NewIrql]; // KIRQL -> TPR byte
KeMemoryBarrier(); // barrier on both sides of the TPR update; keep this ordering
*APIC_TPR = tprValue;
*APIC_TPR; // read back so the write has taken effect before returning (a no-op unless APIC_TPR is volatile-qualified - TODO confirm)
KeMemoryBarrier();
}
参考:c语言版

0: kd> p
eax=00000000 ebx=ffdff120 ecx=ffdff907 edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc32 esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
hal!KfLowerIrql+0x2:
804edc32 8ac1 mov al,cl
0: kd> kc
#
00 hal!KfLowerIrql
01 nt!KeInsertQueueDpc
02 USBPORT!USBPORT_InterruptService
03 nt!KiInterruptDispatch
04 hal!WRITE_PORT_UCHAR
05 PCIIDEX!BmArm
06 atapi!IdeReadWrite
07 atapi!IdeSendCommand
08 atapi!AtapiStartIo
09 atapi!IdeStartIoSynchronized
0a nt!KeSynchronizeExecution
0b atapi!IdePortAllocateAccessToken
0c PCIIDEX!BmReceiveScatterGatherList
0d hal!HalBuildScatterGatherList
0e hal!HalGetScatterGatherList
0f PCIIDEX!BmSetup
10 atapi!IdePortStartIo
11 nt!IoStartPacket
12 atapi!IdePortDispatch
13 nt!IofCallDriver
14 CLASSPNP!SubmitTransferPacket
15 CLASSPNP!ServiceTransferRequest
16 CLASSPNP!ClassReadWrite
17 nt!IofCallDriver
18 PartMgr!PmReadWrite
19 nt!IofCallDriver
1a ftdisk!FtDiskReadWrite
1b nt!IofCallDriver
1c volsnap!VolSnapWrite
1d nt!IofCallDriver
1e Ntfs!NtfsSingleAsync
1f Ntfs!NtfsNonCachedIo
20 Ntfs!NtfsCommonWrite
21 Ntfs!NtfsFsdWrite
22 nt!IofCallDriver
23 nt!IoSynchronousPageWrite
24 nt!MiFlushSectionInternal
25 nt!MmFlushSection
26 nt!CcFlushCache
27 Ntfs!NtfsCheckpointVolume
28 Ntfs!NtfsCheckpointAllVolumes
29 nt!ExpWorkerThread
2a nt!PspSystemThreadStartup
2b nt!KiThreadStartup
0: kd> kv 5
# ChildEBP RetAddr Args to Child
00 f78cdcb8 80a36622 89620bb0 898d4608 105ee601 hal!KfLowerIrql+0x2 (FPO: [0,0,0]) [d:\srv03rtm\base\hals\halmps\i386\mpirql.asm @ 319]
01 f78cdcd4 baed5f37 018d4608 898d460c 00000000 nt!KeInsertQueueDpc+0x19e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\dpcobj.c @ 439]
02 f78cdcf0 80b003ed 89620bb0 898d4030 00010007 USBPORT!USBPORT_InterruptService+0x93 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\drivers\wdm\usb\hcd\usbport\int.c @ 106]
03 f78cdcf0 804f4d71 89620bb0 898d4030 00010007 nt!KiInterruptDispatch+0x8d (FPO: [0,2] TrapFrame @ f78cdd14) [d:\srv03rtm\base\ntos\ke\i386\intsup.asm @ 777]
04 f78cdd84 f73a91bb 000010c0 00000001 8948cf14 hal!WRITE_PORT_UCHAR+0x9 (FPO: [2,0,0]) [d:\srv03rtm\base\hals\halx86\i386\xxioacc.asm @ 241]

/* x86 IRQL constants (KIRQL is a byte; the HalpIRQLtoTPR table dumped above
   has exactly 32 entries, one per level 0..31). Levels between
   DISPATCH_LEVEL and PROFILE_LEVEL are not listed here; the trace above
   lowers to 7 on return from an interrupt service routine. */
#define PASSIVE_LEVEL 0 // Passive release level
#define LOW_LEVEL 0 // Lowest interrupt level
#define APC_LEVEL 1 // APC interrupt level
#define DISPATCH_LEVEL 2 // Dispatcher level

#define PROFILE_LEVEL 27 // timer used for profiling.
#define CLOCK1_LEVEL 28 // Interval clock 1 level - Not used on x86
#define CLOCK2_LEVEL 28 // Interval clock 2 level
#define IPI_LEVEL 29 // Interprocessor interrupt level
#define POWER_LEVEL 30 // Power failure level
#define HIGH_LEVEL 31 // Highest interrupt level


KeRaiseIrql(HIGH_LEVEL, &OldIrql); // HIGH_LEVEL(31) 比时钟中断 CLOCK2_LEVEL(28) 的优先级还要高，因此在这段代码里连时钟中断也被屏蔽

BOOLEAN
KeInsertQueueDpc (
IN PRKDPC Dpc,
IN PVOID SystemArgument1,
IN PVOID SystemArgument2
)
{

KeRaiseIrql(HIGH_LEVEL, &OldIrql); OldIrql=eax=00000007


KeLowerIrql(OldIrql); OldIrql=eax=00000007
return Inserted;
}


VOID
KeRaiseIrql (
IN KIRQL NewIrql,
OUT PKIRQL OldIrql
)
/*++
Routine Description:
    Wrapper over KfRaiseIrql: raises the current IRQL to NewIrql and
    returns the previous IRQL through the OldIrql out-parameter.
Arguments:
    NewIrql - the IRQL to raise to.
    OldIrql - receives the IRQL that was current before the call.
--*/
{
    KIRQL previousIrql;

    previousIrql = KfRaiseIrql (NewIrql);
    *OldIrql = previousIrql;
}

KIRQL
FORCEINLINE
KfRaiseIrql (
IN KIRQL NewIrql
)
/*++
Routine Description:
    Raises the current IRQL by writing the TPR value that corresponds to
    NewIrql into the local APIC Task Priority Register.
Arguments:
    NewIrql - the IRQL to raise to. Must be >= the current IRQL; this is
        only verified by ASSERT (checked builds). NOTE(review): NewIrql is
        an unchecked index into HalpIRQLToTPR.
Return Value:
    The IRQL that was current before the call (pass it back to KfLowerIrql).
--*/
{
KIRQL oldIrql;
ULONG tprValue;

oldIrql = KeGetCurrentIrql(); // derived from the TPR before it is changed
ASSERT( NewIrql >= oldIrql ); // raising to BELOW the current level is a caller bug

tprValue = HalpIRQLToTPR[NewIrql]; // KIRQL -> TPR byte

KeMemoryBarrier(); // barrier on both sides of the TPR update; keep this ordering
*APIC_TPR = tprValue;
KeMemoryBarrier(); // unlike KfLowerIrql there is no read-back here

return oldIrql;
}


0: kd> p
eax=00000002 ebx=ffdff120 ecx=ffdff907 edx=00000002 esi=ffdff980 edi=898d4608
eip=80a3661c esp=f78cdcc0 ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KeInsertQueueDpc+0x198:
80a3661c ff150431a080 call dword ptr [nt!_imp_KfLowerIrql (80a03104)] ds:0023:80a03104={hal!KfLowerIrql (804edc30)}
0: kd> t
eax=00000002 ebx=ffdff120 ecx=ffdff907 edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc30 esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
hal!KfLowerIrql:
804edc30 33c0 xor eax,eax
0: kd> p
eax=00000000 ebx=ffdff120 ecx=ffdff907 edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc32 esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
hal!KfLowerIrql+0x2:
804edc32 8ac1 mov al,cl

0: kd> p
eax=00000007 ebx=ffdff120 ecx=ffdff907 edx=00000002 esi=ffdff980 edi=898d4608 OldIrql=eax=00000007
eip=804edc34 esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
hal!KfLowerIrql+0x4:
804edc34 8b0d8000feff mov ecx,dword ptr ds:[0FFFE0080h] ds:0023:fffe0080=000000ff
（注意：下一步单步后 ecx=000000e1，即指令实际从 TPR 读到的值是 e1，而不是调试器预览显示的 ff；分析时以寄存器值为准）
0: kd> p
eax=00000007 ebx=ffdff120 ecx=000000e1 edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc3a esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
hal!KfLowerIrql+0xa:
804edc3a c1e904 shr ecx,4
0: kd> x hal!HalpIRQLtoTPR
804edbb8 hal!HalpIRQLtoTPR = unsigned char [] ""
0: kd> db 804edbb8
804edbb8 00 3d 41 41 51 61 71 81-91 a1 b1 b1 b1 b1 b1 b1 .=AAQaq.........
804edbc8 b1 b1 b1 b1 b1 b1 b1 b1-b1 b1 b1 c1 d1 e1 ef ff ................
804edbd8 0f b6 d1 0f b6 8a b8 db-4e 80 a1 80 00 fe ff 89 ........N.......
804edbe8 0d 80 00 fe ff c1 e8 04-0f b6 80 1c a2 4f 80 c3 .............O..
804edbf8 8b 15 80 00 fe ff c7 05-80 00 fe ff 41 00 00 00 ............A...
804edc08 c1 ea 04 0f b6 82 1c a2-4f 80 c3 90 8b 15 80 00 ........O.......
804edc18 fe ff c7 05 80 00 fe ff-c1 00 00 00 c1 ea 04 0f ................
804edc28 b6 82 1c a2 4f 80 c3 90-33 c0 8a c1 8b 0d 80 00 ....O...3.......
0: kd> p
eax=00000007 ebx=ffdff120 ecx=0000000e edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc3d esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
hal!KfLowerIrql+0xd:
804edc3d 0fb6891ca24f80 movzx ecx,byte ptr hal!_HalpVectorToIRQL (804fa21c)[ecx] ds:0023:804fa22a=1d
0: kd> db 804fa21c
804fa21c 00 ff ff 01 02 ff 05 06-07 08 09 0a 1b 1c 1d 1e ................
804fa22c 00 00 00 00 00 00 00 00-08 10 00 00 00 00 00 00 ................
804fa23c 00 00 00 00 00 00 00 00-00 00 80 00 00 00 00 00 ................
804fa24c 00 00 00 00 00 00 00 00-02 00 00 00 02 00 00 00 ................
804fa25c e0 51 4f 80 00 00 00 00-00 00 00 00 00 00 00 00 .QO.............
804fa26c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
804fa27c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
804fa28c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0: kd> p
eax=00000007 ebx=ffdff120 ecx=0000001d edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc44 esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
hal!KfLowerIrql+0x14:
804edc44 38c8 cmp al,cl
0: kd> p
eax=00000007 ebx=ffdff120 ecx=0000001d edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc46 esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000293
hal!KfLowerIrql+0x16:
804edc46 760a jbe hal!KfLowerIrql+0x22 (804edc52) [br=1]
0: kd> p
eax=00000007 ebx=ffdff120 ecx=0000001d edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc52 esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000293
hal!KfLowerIrql+0x22:
804edc52 33c9 xor ecx,ecx
0: kd> p
eax=00000007 ebx=ffdff120 ecx=00000000 edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc54 esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
hal!KfLowerIrql+0x24:
804edc54 8a88b8db4e80 mov cl,byte ptr hal!HalpIRQLtoTPR (804edbb8)[eax] ds:0023:804edbbf=81
0: kd> db 804edbb8
804edbb8 00 3d 41 41 51 61 71 81-91 a1 b1 b1 b1 b1 b1 b1 .=AAQaq.........
804edbc8 b1 b1 b1 b1 b1 b1 b1 b1-b1 b1 b1 c1 d1 e1 ef ff ................
804edbd8 0f b6 d1 0f b6 8a b8 db-4e 80 a1 80 00 fe ff 89 ........N.......
804edbe8 0d 80 00 fe ff c1 e8 04-0f b6 80 1c a2 4f 80 c3 .............O..
804edbf8 8b 15 80 00 fe ff c7 05-80 00 fe ff 41 00 00 00 ............A...
804edc08 c1 ea 04 0f b6 82 1c a2-4f 80 c3 90 8b 15 80 00 ........O.......
804edc18 fe ff c7 05 80 00 fe ff-c1 00 00 00 c1 ea 04 0f ................
804edc28 b6 82 1c a2 4f 80 c3 90-33 c0 8a c1 8b 0d 80 00 ....O...3.......
0: kd> p
eax=00000007 ebx=ffdff120 ecx=00000081 edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc5a esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
hal!KfLowerIrql+0x2a:
804edc5a 890d8000feff mov dword ptr ds:[0FFFE0080h],ecx ds:0023:fffe0080=000000ff
0: kd> p
eax=00000007 ebx=ffdff120 ecx=00000081 edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc60 esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
hal!KfLowerIrql+0x30:
804edc60 a18000feff mov eax,dword ptr ds:[FFFE0080h] ds:0023:fffe0080=000000ff
0: kd> p
eax=00000081 ebx=ffdff120 ecx=00000081 edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc65 esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
hal!KfLowerIrql+0x35:
804edc65 3bc8 cmp ecx,eax
0: kd> p
eax=00000081 ebx=ffdff120 ecx=00000081 edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc67 esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
hal!KfLowerIrql+0x37:
804edc67 7401 je hal!KfLowerIrql+0x3a (804edc6a) [br=1]
0: kd> p
eax=00000081 ebx=ffdff120 ecx=00000081 edx=00000002 esi=ffdff980 edi=898d4608
eip=804edc6a esp=f78cdcbc ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
hal!KfLowerIrql+0x3a:
804edc6a c3 ret
0: kd> p
eax=00000081 ebx=ffdff120 ecx=00000081 edx=00000002 esi=ffdff980 edi=898d4608
eip=80a36622 esp=f78cdcc0 ebp=f78cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!KeInsertQueueDpc+0x19e:
80a36622 8a450b mov al,byte ptr [ebp+0Bh] ss:0010:f78cdcdf=01

http://www.cnnetsun.cn/news/90228.html
