antonioCoco/KiSystemServiceExit Secret

## KiSystemServiceExit
0: kd> uf nt!KiSystemCall64

nt!KiSystemCall64:

.
.
.

nt!KiSystemServiceExit+0x168:
fffff803`7d9d3d88 488945b0        mov     qword ptr [rbp-50h],rax
fffff803`7d9d3d8c e8dfeafeff      call    nt!KiRestoreDebugRegisterState (fffff803`7d9c2870)
fffff803`7d9d3d91 65488b042588010000 mov   rax,qword ptr gs:[188h] ; Get current thread
fffff803`7d9d3d9a 488b80b8000000  mov     rax,qword ptr [rax+0B8h] ; Thread->Process
fffff803`7d9d3da1 488b80d0020000  mov     rax,qword ptr [rax+2D0h] ; Process->Pcb.InstrumentationCallback
fffff803`7d9d3da8 480bc0          or      rax,rax
fffff803`7d9d3dab 7418            je      nt!KiSystemServiceExit+0x1a5 (fffff803`7d9d3dc5) ; Jump to SkipCallback code

nt!KiSystemServiceExit+0x18d:                                           ; callback present code
fffff803`7d9d3dad 6683bdf000000033 cmp     word ptr [rbp+0F0h],33h      ; SegCs
fffff803`7d9d3db5 750e            jne     nt!KiSystemServiceExit+0x1a5 (fffff803`7d9d3dc5) ; Jump to SkipCallback code

nt!KiSystemServiceExit+0x197:
fffff803`7d9d3db7 4c8b95e8000000  mov     r10,qword ptr [rbp+0E8h]  ; Saves old Rip in R10 -> R10 = ReturnAddressLocal
fffff803`7d9d3dbe 488985e8000000  mov     qword ptr [rbp+0E8h],rax  ; ReturnAddressLocal = InstrumentationCallback

nt!KiSystemServiceExit+0x1a5:                                     ; SkipCallback code
fffff803`7d9d3dc5 488b45b0        mov     rax,qword ptr [rbp-50h]

nt!KiSystemServiceExit+0x1a9:
fffff803`7d9d3dc9 488945b0        mov     qword ptr [rbp-50h],rax

.
.
.
	0: kd> uf nt!KiSystemCall64

	nt!KiSystemCall64:

	.
	.
	.

	nt!KiSystemServiceExit+0x168:
	fffff803`7d9d3d88 488945b0 mov qword ptr [rbp-50h],rax
	fffff803`7d9d3d8c e8dfeafeff call nt!KiRestoreDebugRegisterState (fffff803`7d9c2870)
	fffff803`7d9d3d91 65488b042588010000 mov rax,qword ptr gs:[188h] ; Get current thread
	fffff803`7d9d3d9a 488b80b8000000 mov rax,qword ptr [rax+0B8h] ; Thread->Process
	fffff803`7d9d3da1 488b80d0020000 mov rax,qword ptr [rax+2D0h] ; Process->Pcb.InstrumentationCallback
	fffff803`7d9d3da8 480bc0 or rax,rax
	fffff803`7d9d3dab 7418 je nt!KiSystemServiceExit+0x1a5 (fffff803`7d9d3dc5) ; Jump to SkipCallback code

	nt!KiSystemServiceExit+0x18d: ; callback present code
	fffff803`7d9d3dad 6683bdf000000033 cmp word ptr [rbp+0F0h],33h ; SegCs
	fffff803`7d9d3db5 750e jne nt!KiSystemServiceExit+0x1a5 (fffff803`7d9d3dc5) ; Jump to SkipCallback code

	nt!KiSystemServiceExit+0x197:
	fffff803`7d9d3db7 4c8b95e8000000 mov r10,qword ptr [rbp+0E8h] ; Saves old Rip in R10 -> R10 = ReturnAddressLocal
	fffff803`7d9d3dbe 488985e8000000 mov qword ptr [rbp+0E8h],rax ; ReturnAddressLocal = InstrumentationCallback

	nt!KiSystemServiceExit+0x1a5: ; SkipCallback code
	fffff803`7d9d3dc5 488b45b0 mov rax,qword ptr [rbp-50h]

	nt!KiSystemServiceExit+0x1a9:
	fffff803`7d9d3dc9 488945b0 mov qword ptr [rbp-50h],rax

	.
	.
	.