/*
 * KeQueryTickCount(CurrentCount)
 *
 * Copies the tick count into *CurrentCount as two separate member reads
 * (High1Time, then LowPart) and takes no lock.
 *
 * CurrentCount - pointer to a structure with LowPart/HighPart members
 *                (the caller on this page passes the address of a LARGE_INTEGER).
 *
 * Consistency check: the high half is read first (High1Time), then LowPart,
 * then the second copy of the high half (High2Time). If the two high halves
 * differ, the snapshot is discarded and the loop retries after a spin-wait
 * hint. Presumably this guards against the value being updated in the middle
 * of the read; the updater's write order is not shown here -- TODO confirm.
 *
 * NOTE(review): PKSYSTEM_TIME is used as a pointer type, so `volatile` here
 * qualifies the local pointer variable _TickCount, not the structure it points
 * to. The check depends on the three loads being issued in source order, so
 * verify the generated code when the compiler or optimisation level changes.
 *
 * The macro expands to a braced block and uses `_asm { ... }`, so it is only
 * usable with a compiler that accepts that inline-assembly form.
 */
#define KeQueryTickCount(CurrentCount ) { \
volatile PKSYSTEM_TIME _TickCount = *((PKSYSTEM_TIME *)(&KeTickCount)); /* pointer value read out of KeTickCount */ \
while (TRUE) { \
(CurrentCount)->HighPart = _TickCount->High1Time; /* first copy of the high half */ \
(CurrentCount)->LowPart = _TickCount->LowPart; /* low half, read between the two high copies */ \
if ((CurrentCount)->HighPart == _TickCount->High2Time) break; /* both high copies agree: accept the snapshot */ \
_asm { rep nop } /* rep nop is the PAUSE encoding: spin-wait hint before retrying */ \
} \
}
以下是 C 语言代码:
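/* Destination for the tick count read by the macro. */
LARGE_INTEGER testNumber;

/*
 * The two `_asm nop` statements are markers that bracket the macro expansion
 * so it is easy to locate in the disassembly.
 * Each statement is kept on its own line: in MSVC inline assembly a ';' starts
 * a comment that runs to the end of the line, so anything written after
 * `_asm nop;` on the same physical line would not be compiled.
 */
_asm nop;
KeQueryTickCount(&testNumber);
_asm nop;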
下面是编译后的汇编代码:
; Compiled form of the KeQueryTickCount(&testNumber) expansion, bracketed by the two marker nops.
; Locals: var_18 = _TickCount (pointer), var_10 = testNumber.LowPart, var_C = testNumber.HighPart.
; Offsets used through the pointer, matched against the macro's statement order:
;   +0 LowPart, +4 High1Time, +8 High2Time.
; The loads are issued in the order High1Time, LowPart, High2Time, and the pointer is
; re-read from var_18 before each one (the macro declares the pointer local volatile).
; NOTE(review): looks like an unoptimised build (constant TRUE is materialised and tested) -- confirm.
.text:000104C9 nop ; first `_asm nop` marker
.text:000104CA mov eax, ds:KeTickCount ; eax = value stored at KeTickCount, used as the PKSYSTEM_TIME
.text:000104CF mov [ebp+var_18], eax ; _TickCount = that pointer
.text:000104D2
.text:000104D2 loc_104D2: ; CODE XREF: DriverEntry+3Bj
.text:000104D2 mov ecx, 1 ; while (TRUE): the constant is loaded ...
.text:000104D7 test ecx, ecx ; ... and tested each iteration
.text:000104D9 jz short loc_104FD ; never taken, ecx is always 1 here
.text:000104DB mov edx, [ebp+var_18] ; reload _TickCount
.text:000104DE mov eax, [edx+4] ; eax = _TickCount->High1Time
.text:000104E1 mov [ebp+var_C], eax ; testNumber.HighPart = High1Time
.text:000104E4 mov ecx, [ebp+var_18] ; reload _TickCount
.text:000104E7 mov edx, [ecx] ; edx = _TickCount->LowPart
.text:000104E9 mov [ebp+var_10], edx//var_10 is testNumber (LowPart here; HighPart is var_C)
.text:000104EC mov eax, [ebp+var_18] ; reload _TickCount
.text:000104EF mov ecx, [ebp+var_C] ; ecx = HighPart just stored
.text:000104F2 cmp ecx, [eax+8] ; compare with _TickCount->High2Time
.text:000104F5 jnz short loc_104F9 ; high copies differ: spin and retry
.text:000104F7 jmp short loc_104FD ; high copies agree: break out of the loop
.text:000104F9 ; ---------------------------------------------------------------------------
.text:000104F9
.text:000104F9 loc_104F9: ; CODE XREF: DriverEntry+35j
.text:000104F9 pause ; the macro's `rep nop`, shown by the disassembler as pause
.text:000104FB jmp short loc_104D2 ; back to the top of the loop
.text:000104FD ; ---------------------------------------------------------------------------
.text:000104FD
.text:000104FD loc_104FD: ; CODE XREF: DriverEntry+19j
.text:000104FD ; DriverEntry+37j
.text:000104FD nop ; second `_asm nop` marker