//-----------------------------------------------------------------------------
// ExpLookupHandleTableEntry (32-bit, reconstructed from the IDA listing below)
//
// Translates a handle value into a pointer to its HANDLE_TABLE_ENTRY by walking
// the one-, two- or three-level table encoded in HandleTable->TableCode.
//
// Params:  HandleTable - the handle table to search
//          Handle      - handle value; its two low tag bits are ignored
// Returns: pointer to the entry, or NULL when the masked handle value is not
//          below HandleTable->NextHandleNeedingPool.
// Notes:   - The low 2 bits of TableCode give the depth (0, 1 or 2); the
//            remaining bits are the address of the top-level table.
//          - Pointer levels hold 4-byte pointers; the lowest level holds
//            HANDLE_TABLE_ENTRYs indexed by 9 bits (0x1FF, 512 per table).
//          - The returned entry is not validated here; callers have to check
//            it before trusting its contents.
//          - The shift/mask constants match the 32-bit listing below; they
//            are not to be reused for a 64-bit kernel without re-checking.
//-----------------------------------------------------------------------------
PHANDLE_TABLE_ENTRY NTAPI ExpLookupHandleTableEntry( PHANDLE_TABLE HandleTable, HANDLE Handle )
{
    // Strip the two low tag bits; everything below works on the integer value.
    const ULONG ulHandle = (ULONG)Handle & 0xFFFFFFFC;

    // Out of range: the table has not grown this far yet (unsigned compare).
    if( ulHandle >= HandleTable->NextHandleNeedingPool )
        return NULL;

    // Handle >> 2 is the flat entry index spread across the table levels.
    const ULONG ulIndex = ulHandle >> 2;

    // TableCode packs the depth (low 2 bits) and the top-level table address.
    const ULONG ulTableCode = (ULONG)HandleTable->TableCode;
    const ULONG ulLevel     = ulTableCode & 0x3;
    PHANDLE_TABLE_ENTRY pTopTable = (PHANDLE_TABLE_ENTRY)( ulTableCode & 0xFFFFFFFC );

    switch( ulLevel )
    {
    case 0:
        // Single flat table: index directly.
        return pTopTable + ulIndex;

    case 1:
    {
        // Two levels: a table of pointers, then 512-entry leaf tables.
        PHANDLE_TABLE_ENTRY* pPtrTable = (PHANDLE_TABLE_ENTRY*)pTopTable;
        PHANDLE_TABLE_ENTRY  pLeaf     = pPtrTable[ ulIndex >> 9 ];
        return pLeaf + ( ulIndex & 0x1FF );
    }

    default:
    {
        // Three levels: bits 19 and up pick the mid table, bits 9..18 the leaf,
        // bits 0..8 the entry within the leaf.
        PHANDLE_TABLE_ENTRY** pTopPtrs = (PHANDLE_TABLE_ENTRY**)pTopTable;
        PHANDLE_TABLE_ENTRY*  pMid     = pTopPtrs[ ulIndex >> 19 ];
        PHANDLE_TABLE_ENTRY   pLeaf    = pMid[ ( ulIndex & 0x7FFFF ) >> 9 ];
        return pLeaf + ( ulIndex & 0x1FF );
    }
    }
}
同时相对应的IDA汇编代码如下:
; __stdcall ExpLookupHandleTableEntry(x,x)
;-----------------------------------------------------------------------
; PHANDLE_TABLE_ENTRY __stdcall ExpLookupHandleTableEntry(HandleTable, Handle)
; ABI:   x86 (32-bit) __stdcall: both args on the stack, callee pops 8 bytes
; In:    [ebp+8] = HandleTable, [ebp+0Ch] = Handle
; Out:   eax = pointer to the HANDLE_TABLE_ENTRY, or 0 when Handle is not
;        below the dword at HandleTable+38h (read as NextHandleNeedingPool
;        in the C++ above)
; Regs:  eax = ulIndex (Handle >> 2), later the result; ecx = HandleTable,
;        then depth, then the current sub-table; edx = Handle, then scratch;
;        esi = top-level table base (TableCode & ~3), saved/restored because
;        it is callee-saved
; Table: low 2 bits of TableCode (+0) = depth (0, 1 or 2); pointer levels
;        are indexed with *4 (4-byte pointers), the lowest level with *8
;        (8-byte entries) using 9 index bits (1FFh)
;-----------------------------------------------------------------------
_ExpLookupHandleTableEntry@8 proc near ; CODE XREF: ExpMoveFreeHandles(x)+87p
; ExpAllocateHandleTableEntry(x,x)+119p ...
HandleTable = dword ptr 8
Handle = dword ptr 0Ch
mov edi, edi                    ; 2-byte no-op (MSVC hot-patch prologue slot)
push ebp
mov ebp, esp
and [ebp+Handle], 0FFFFFFFCh    ; Handle &= ~3: clear the two low tag bits
mov eax, [ebp+Handle]
mov ecx, [ebp+HandleTable]
mov edx, [ebp+Handle]           ; edx = masked Handle (compared below)
shr eax, 2                      ; eax = ulIndex = Handle >> 2
cmp edx, [ecx+38h]              ; Handle < HandleTable->NextHandleNeedingPool ?
jb short Label1___________      ; unsigned compare (jb): in range -> walk the table
xor eax, eax                    ; out of range: return NULL
jmp short Label5___________
; ---------------------------------------------------------------------------
Label1___________: ; CODE XREF: ExpLookupHandleTableEntry(x,x)+18j
push esi                        ; esi is callee-saved; preserve it
mov esi, [ecx]                  ; esi = HandleTable->TableCode (offset 0)
mov ecx, esi
and ecx, 3                      ; ecx = TableCode & 3 = table depth (ulLevel)
and esi, 0FFFFFFFCh             ; esi = TableCode & ~3 = top-level table base
sub ecx, 0                      ; ulLevel == 0 ?
jz short Label2___________      ;   -> single flat table
dec ecx                         ; ulLevel - 1 (ZF set if ulLevel == 1)
mov ecx, eax                    ; ecx = ulIndex (mov leaves the flags intact)
jz short Label3___________      ; ulLevel == 1 -> two-level table
; --- ulLevel == 2: three-level table; this is the marked section the question is about ---
shr ecx, 13h                    ; marked location: ecx = ulLevel1Index = ulIndex >> 19
mov edx, ecx                    ; edx = ulLevel1Index
mov ecx, [esi+ecx*4]            ; ecx = pLevel1Table[ulLevel1Index] (4-byte pointers)
shl edx, 13h                    ; edx = ulLevel1Index << 19
sub eax, edx                    ; eax = ulIndex minus its level-1 bits, i.e. the low 19 bits
mov edx, eax
shr edx, 9                      ; edx = ulLevel2Index = (low 19 bits) >> 9
mov ecx, [ecx+edx*4]            ; ecx = pLevel2Table[ulLevel2Index] -> leaf table
Label6___________: ; CODE XREF: ExpLookupHandleTableEntry(x,x)+58j
                                ; common tail for depths 1 and 2: ecx = leaf table
and eax, 1FFh                   ; eax = index within the leaf (low 9 bits)
lea eax, [ecx+eax*8]            ; eax = &leaf[eax] (8-byte entries)
jmp short Label4___________
; ---------------------------------------------------------------------------
Label3___________: ; CODE XREF: ExpLookupHandleTableEntry(x,x)+31j
shr ecx, 9                      ; ecx = ulIndex >> 9
mov ecx, [esi+ecx*4]            ; ecx = pLevel1Table[ulIndex >> 9] -> leaf table
jmp short Label6___________
; ---------------------------------------------------------------------------
Label2___________: ; CODE XREF: ExpLookupHandleTableEntry(x,x)+2Cj
lea eax, [esi+eax*8]            ; depth 0: eax = &pTableCode[ulIndex] (8-byte entries)
Label4___________: ; CODE XREF: ExpLookupHandleTableEntry(x,x)+50j
pop esi                         ; restore callee-saved esi
Label5___________: ; CODE XREF: ExpLookupHandleTableEntry(x,x)+1Cj
pop ebp
retn 8                          ; __stdcall: callee pops the two dword arguments
_ExpLookupHandleTableEntry@8 endp
逆向几乎没什么经验;请高手帮忙看看,对应于汇编代码中“标记处”的代码我逆向的对不对?