在逆向的时候发现有KeTickCount,它其实是应该调用KeQueryTickCount时产生的。
KeQueryTickCount其实是个宏
#define KeQueryTickCount(CurrentCount ) { \
volatile PKSYSTEM_TIME _TickCount = *((PKSYSTEM_TIME *)(&KeTickCount)); \
while (TRUE) { \
(CurrentCount)->HighPart = _TickCount->High1Time; \
(CurrentCount)->LowPart = _TickCount->LowPart; \
if ((CurrentCount)->HighPart == _TickCount->High2Time) break; \
_asm { rep nop } \
} \
}