[Notice] rmcoff 2.0 development progress
Posted on: 2009-12-8 11:58  5116
Development of rmcoff 2.0 is nearly finished and has now entered the testing stage; an alpha build for everyone to try should be available soon.
Compared with 1.0, the new version improves both execution speed and the quality of the converted COFF files, and fixes bugs such as cross-unit variable references. Below, a simple driver is used to compare version 1.0 with version 2.0.
unit driver;
 
interface
 
uses nt_status, ntoskrnl;
 
function _DriverEntry(DriverObject:PDriverObject;RegistryPath:PUnicodeString):NTSTATUS; stdcall;
 
implementation
 
procedure DriverUnload(DriverObject:PDriverObject); stdcall;
begin
 DbgPrint('DriverUnload(DriverObject:0x%.8X)',DriverObject);
 DbgPrint('DriverUnload(-)');
end;
 
function _DriverEntry(DriverObject:PDriverObject;RegistryPath:PUnicodeString):NTSTATUS; stdcall;
begin
 DbgPrint('DriverEntry(DriverObject:0x%.8X;RegistryPath:0x%.8X)', DriverObject, RegistryPath);
 
 DriverObject^.DriverUnload:=@DriverUnload;
 
 Result:=STATUS_SUCCESS;
 DbgPrint('DriverEntry(-):0x%.8X', Result);
end;
 
end.


Above is the simplest possible driver, compiled here with Delphi 2010. First, the information dumped from the OMF-format object file that dcc32 produces:
Turbo Dump  Version 6.3.0.0 Copyright (c) 1988-2009 Embarcadero Technologies, Inc.
                    Display of File driver.obj
 
000000 THEADR  driver.pas
00000F COMENT  Purge: No , List: Yes, Class: 0   (000h)
    Translator: Delphi Pascal V21.0
000029 COMENT  Purge: Yes, List: Yes, Class: 251 (0FBh), SubClass: 12 (0Ch)
    Package Module Record, Lead Byte: 01h, Flags: 00004000h
000034 COMENT  Purge: No , List: Yes, Class: 251 (0FBh), SubClass: 10 (0Ah)
    Implements: driver.obj
000046 COMENT  Purge: No , List: Yes, Class: 251 (0FBh), SubClass: 8 (08h)
    Link: ntoskrnl.obj
00005A COMENT  Purge: No , List: Yes, Class: 251 (0FBh), SubClass: 8 (08h)
    Link: nt_status.obj
00006F COMENT  Purge: No , List: Yes, Class: 251 (0FBh), SubClass: 8 (08h)
    Link: SysInit.obj
000082 COMENT  Purge: No , List: Yes, Class: 251 (0FBh), SubClass: 8 (08h)
    Link: System.obj
000094 LNAMES
    Name  1: ''
    Name  2: '_TEXT'
    Name  3: 'CODE'
    Name  4: '_DATA'
    Name  5: 'DATA'
    Name  6: '_BSS'
    Name  7: 'BSS'
    Name  8: '$$BSYMS'
    Name  9: 'DEBSYM'
    Name 10: '$$BTYPES'
    Name 11: 'DEBTYP'
    Name 12: '$$BNAMES'
    Name 13: 'DEBNAM'
    Name 14: '$$BROWSE'
    Name 15: 'DEBSYM'
    Name 16: '$$BROWFILE'
    Name 17: 'DEBSYM'
    Name 18: 'DGROUP'
    Name 19: '_TLS'
    Name 20: 'TLS'
    Name 21: '_INIT_'
    Name 22: 'INITDATA'
    Name 23: '_EXIT_'
    Name 24: 'EXITDATA'
000139 SEGDEF 1 : _TEXT           DWORD PUBLIC  USE32 Class 'CODE'   Length: 0000
000143 SEGDEF 2 : _DATA           DWORD PUBLIC  USE32 Class 'DATA'   Length: 0000
00014D SEGDEF 3 : _BSS            DWORD PUBLIC  USE32 Class 'BSS'    Length: 0004
000157 SEGDEF 4 : _TLS            DWORD PUBLIC  USE32 Class 'TLS'    Length: 0000
000161 SEGDEF 5 : _INIT_          WORD  PUBLIC  USE32 Class 'INITDATA'   Length: 0006
00016B SEGDEF 6 : _EXIT_          WORD  PUBLIC  USE32 Class 'EXITDATA'   Length: 0006
000175 GRPDEF Group: DGROUP
    Segment: _DATA         
    Segment: _BSS          
00017E COMDEF
    Name:  1: 'Driver::_16385'      virtual(_TEXT) Length: 0058 bytes
000194 COMDEF
    Name:  2: '__stdcall _DriverEntry(TDriverObject *, TUnicodeString *)'  virtual(_TEXT) Length: 0088 bytes
0001D0 COMDEF
    Name:  3: '__fastcall Finalization()'  virtual(_TEXT) Length: 0007 bytes
0001EA COMDEF
    Name:  4: '__fastcall initialization()'  virtual(_TEXT) Length: 0008 bytes
000206 EXTDEF 5 : '_DbgPrint'           Type: 0 
000215 LEDATA  Segment: (16385) 'Driver::_16385'Offset: 0000  Length: 0058
    0000: 55 8B EC 8B 45 08 50 68  24 00 00 00 E8 00 00 00   U嬱.E.Ph$.......
    0010: 00 83 C4 08 68 48 00 00  00 E8 00 00 00 00 59 5D   .兡.hH........Y]
    0020: C2 04 00 00 44 72 69 76  65 72 55 6E 6C 6F 61 64   ....DriverUnload
    0030: 28 44 72 69 76 65 72 4F  62 6A 65 63 74 3A 30 78   (DriverObject:0x
    0040: 25 2E 38 58 29 00 00 00  44 72 69 76 65 72 55 6E   %.8X)...DriverUn
    0050: 6C 6F 61 64 28 2D 29 00                            load(-).
000275 FIXU32
    FixUp: 008  Mode: Seg  Loc: Offset32    Frame: TARGET  Target: VEI[1]: Driver::_16385
    FixUp: 00d  Mode: Self Loc: Offset32    Frame: TARGET  Target: EI[5]: _DbgPrint
    FixUp: 015  Mode: Seg  Loc: Offset32    Frame: TARGET  Target: VEI[1]: Driver::_16385
    FixUp: 01a  Mode: Self Loc: Offset32    Frame: TARGET  Target: EI[5]: _DbgPrint
00028B LEDATA  Segment: (16386) '__stdcall _DriverEntry(TDriverObject *, TUnicodeString *)'Offset: 0000  Length: 0088
    0000: 55 8B EC 53 8B 5D 08 8B  45 0C 50 53 68 38 00 00   U嬱S.]..E.PSh8..
    0010: 00 E8 00 00 00 00 83 C4  0C C7 43 34 00 00 00 00   ......兡..C4....
    0020: 33 DB 53 68 70 00 00 00  E8 00 00 00 00 83 C4 08   3.Shp........兡.
    0030: 8B C3 5B 5D C2 08 00 00  44 72 69 76 65 72 45 6E   嬅[]....DriverEn
    0040: 74 72 79 28 44 72 69 76  65 72 4F 62 6A 65 63 74   try(DriverObject
    0050: 3A 30 78 25 2E 38 58 3B  52 65 67 69 73 74 72 79   :0x%.8X;Registry
    0060: 50 61 74 68 3A 30 78 25  2E 38 58 29 00 00 00 00   Path:0x%.8X)....
    0070: 44 72 69 76 65 72 45 6E  74 72 79 28 2D 29 3A 30   DriverEntry(-):0
    0080: 78 25 2E 38 58 00 00 00                            x%.8X...
00031B FIXU32
    FixUp: 00d  Mode: Seg  Loc: Offset32    Frame: TARGET  Target: VEI[2]: __stdcall _DriverEntry(TDriverObject *, TUnicodeString *)
    FixUp: 012  Mode: Self Loc: Offset32    Frame: TARGET  Target: EI[5]: _DbgPrint
    FixUp: 01c  Mode: Seg  Loc: Offset32    Frame: TARGET  Target: VEI[1]: Driver::_16385
    FixUp: 024  Mode: Seg  Loc: Offset32    Frame: TARGET  Target: VEI[2]: __stdcall _DriverEntry(TDriverObject *, TUnicodeString *)
    FixUp: 029  Mode: Self Loc: Offset32    Frame: TARGET  Target: EI[5]: _DbgPrint
000336 LEDATA  Segment: (16387) '__fastcall Finalization()'Offset: 0000  Length: 0007
    0000: FF 05 00 00 00 00 C3                               .......
000345 FIXU32
    FixUp: 002  Mode: Seg  Loc: Offset32    Frame: TARGET  Target: SI[3]: _BSS
00034D LEDATA  Segment: (16388) '__fastcall initialization()'Offset: 0000  Length: 0008
    0000: 83 2D 00 00 00 00 01 C3                            .-......
00035D FIXU32
    FixUp: 002  Mode: Seg  Loc: Offset32    Frame: TARGET  Target: SI[3]: _BSS
000365 LEDATA  Segment: (5) _INIT_         Offset: 0000  Length: 0006
    0000: 00 1E 00 00 00 00                                  ......
000372 FIXU32
    FixUp: 002  Mode: Seg  Loc: Offset32    Frame: TARGET  Target: VEI[4]: __fastcall initialization()
00037B LEDATA  Segment: (6) _EXIT_         Offset: 0000  Length: 0006
    0000: 00 1E 00 00 00 00                                  ......
000388 FIXU32
    FixUp: 002  Mode: Seg  Loc: Offset32    Frame: TARGET  Target: VEI[3]: __fastcall Finalization()
000391 LIDATA
  Segment: _BSS           Offset: 0000
    Repeat     4. times,     1. Blocks
    Repeat     1. times,     1. Bytes
    0000: 00                                                 .
0003A2 MODE32

Below is the dump of the COFF file after conversion with rmcoff 1.0:
Microsoft (R) COFF Binary File Dumper Version 5.12.8078
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.
 
 
Dump of file driver.obj
 
File Type: COFF OBJECT
 
FILE HEADER VALUES
             14C machine (i386)
               6 number of sections
        4B1C7573 time date stamp Mon Dec 07 11:24:35 2009
             25E file pointer to symbol table
              19 number of symbols
               0 size of optional header
             100 characteristics
                   32 bit word machine
 
SECTION HEADER #1
   .text name
       0 physical address
       0 virtual address
      E0 size of raw data
     104 file pointer to raw data
     1F0 file pointer to relocation table
       0 file pointer to line numbers
       9 number of relocations
       0 number of line numbers
60300020 flags
         Code
         4 byte align
         Execute Read
 
RAW DATA #1
  00000000: 55 8B EC 8B 45 08 50 68 24 00 00 00 E8 00 00 00  U...E.Ph$.......
  00000010: 00 83 C4 08 68 48 00 00 00 E8 00 00 00 00 59 5D  ....hH........Y]
  00000020: C2 04 00 00 44 72 69 76 65 72 55 6E 6C 6F 61 64  ....DriverUnload
  00000030: 28 44 72 69 76 65 72 4F 62 6A 65 63 74 3A 30 78  (DriverObject:0x
  00000040: 25 2E 38 58 29 00 00 00 44 72 69 76 65 72 55 6E  %.8X)...DriverUn
  00000050: 6C 6F 61 64 28 2D 29 00 55 8B EC 53 8B 5D 08 8B  load(-).U..S.]..
  00000060: 45 0C 50 53 68 90 00 00 00 E8 00 00 00 00 83 C4  E.PSh...........
  00000070: 0C C7 43 34 00 00 00 00 33 DB 53 68 C8 00 00 00  ..C4....3.Sh....
  00000080: E8 00 00 00 00 83 C4 08 8B C3 5B 5D C2 08 00 00  ..........[]....
  00000090: 44 72 69 76 65 72 45 6E 74 72 79 28 44 72 69 76  DriverEntry(Driv
  000000A0: 65 72 4F 62 6A 65 63 74 3A 30 78 25 2E 38 58 3B  erObject:0x%.8X;
  000000B0: 52 65 67 69 73 74 72 79 50 61 74 68 3A 30 78 25  RegistryPath:0x%
  000000C0: 2E 38 58 29 00 00 00 00 44 72 69 76 65 72 45 6E  .8X)....DriverEn
  000000D0: 74 72 79 28 2D 29 3A 30 78 25 2E 38 58 00 00 00  try(-):0x%.8X...
 
RELOCATIONS #1
                                                Symbol    Symbol
 Offset    Type              Applied To         Index     Name
 --------  ----------------  -----------------  --------  ------
 0000001A  REL32                      00000000        18  _DbgPrint
 00000015  DIR32                      00000048         3  .text
 0000000D  REL32                      00000000        18  _DbgPrint
 00000008  DIR32                      00000024         3  .text
 00000081  REL32                      00000000        18  _DbgPrint
 0000007C  DIR32                      000000C8         3  .text
 00000074  DIR32                      00000000         3  .text
 0000006A  REL32                      00000000        18  _DbgPrint
 00000065  DIR32                      00000090         3  .text
 
SECTION HEADER #2
   .data name
       0 physical address
       0 virtual address
       0 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0300040 flags
         Initialized Data
         4 byte align
         Read Write
 
SECTION HEADER #3
    .bss name
       0 physical address
       0 virtual address
       4 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0300080 flags
         Uninitialized Data
         4 byte align
         Read Write
 
SECTION HEADER #4
    _TLS name
       0 physical address
       0 virtual address
       0 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0300040 flags
         Initialized Data
         4 byte align
         Read Write
 
SECTION HEADER #5
  _INIT_ name
       0 physical address
       0 virtual address
       6 size of raw data
     1E4 file pointer to raw data
     24A file pointer to relocation table
       0 file pointer to line numbers
       1 number of relocations
       0 number of line numbers
C0200040 flags
         Initialized Data
         2 byte align
         Read Write
 
RAW DATA #5
  00000000: 00 1E E7 00 00 00                                ......
 
RELOCATIONS #5
                                                Symbol    Symbol
 Offset    Type              Applied To         Index     Name
 --------  ----------------  -----------------  --------  ------
 00000002  DIR32                      000000E7         3  .text
 
SECTION HEADER #6
  _EXIT_ name
       0 physical address
       0 virtual address
       6 size of raw data
     1EA file pointer to raw data
     254 file pointer to relocation table
       0 file pointer to line numbers
       1 number of relocations
       0 number of line numbers
C0200040 flags
         Initialized Data
         2 byte align
         Read Write
 
RAW DATA #6
  00000000: 00 1E E0 00 00 00                                ......
 
RELOCATIONS #6
                                                Symbol    Symbol
 Offset    Type              Applied To         Index     Name
 --------  ----------------  -----------------  --------  ------
 00000002  DIR32                      000000E0         3  .text
 
COFF SYMBOL TABLE
000 001A23FA ABS    notype       Static       | @comp.id
001 00000001 DEBUG  notype       Filename     | .file
    driver.pas
003 00000000 SECT1  notype       Static       | .text
    Section length   EF, #relocs    B, #linenums    0, checksum        0
005 00000000 SECT2  notype       Static       | .data
    Section length    0, #relocs    0, #linenums    0, checksum        0
007 00000000 SECT3  notype       Static       | .bss
    Section length    4, #relocs    0, #linenums    0, checksum        0
009 00000000 SECT4  notype       Static       | _TLS
    tag index 00000000 size 00000000 lines 00000000 next function 00000000
00B 00000000 SECT5  notype       Static       | _INIT_
    Section length    6, #relocs    1, #linenums    0, checksum        0
00D 00000000 SECT6  notype       Static       | _EXIT_
    tag index 00000000 size 00000000 lines 00000000 next function 00000000
00F 00000000 SECT3  notype       Static       | DGROUP
010 00000000 UNDEF  notype       NoClass      | 
011 00000000 UNDEF  notype       NoClass      | 
012 00000058 SECT1  notype       External     | _DriverEntry
013 00000000 UNDEF  notype       NoClass      | 
014 00000000 SECT1  notype       External     | Driver
015 00000000 UNDEF  notype       NoClass      | 
016 00000000 UNDEF  notype       NoClass      | 
017 00000000 UNDEF  notype       NoClass      | 
018 00000000 UNDEF  notype       External     | _DbgPrint
 
String Table Size = 0x1B bytes
 
  Summary
 
           4 .bss
           0 .data
          E0 .text
           6 _EXIT_
           6 _INIT_
           0 _TLS


Below is the dump of the COFF file converted by rmcoff 2.0:
Microsoft (R) COFF Binary File Dumper Version 5.12.8078
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.
 
 
Dump of file driver.obj
 
File Type: COFF OBJECT
 
FILE HEADER VALUES
             14C machine (i386)
               3 number of sections
        4B1C75B5 time date stamp Mon Dec 07 11:25:41 2009
             1C6 file pointer to symbol table
               4 number of symbols
               0 size of optional header
             100 characteristics
                   32 bit word machine
 
SECTION HEADER #1
   .text name
       0 physical address
       0 virtual address
      E0 size of raw data
      8C file pointer to raw data
     16C file pointer to relocation table
       0 file pointer to line numbers
       9 number of relocations
       0 number of line numbers
60300020 flags
         Code
         4 byte align
         Execute Read
 
RAW DATA #1
  00000000: 55 8B EC 8B 45 08 50 68 24 00 00 00 E8 00 00 00  U...E.Ph$.......
  00000010: 00 83 C4 08 68 48 00 00 00 E8 00 00 00 00 59 5D  ....hH........Y]
  00000020: C2 04 00 00 44 72 69 76 65 72 55 6E 6C 6F 61 64  ....DriverUnload
  00000030: 28 44 72 69 76 65 72 4F 62 6A 65 63 74 3A 30 78  (DriverObject:0x
  00000040: 25 2E 38 58 29 00 00 00 44 72 69 76 65 72 55 6E  %.8X)...DriverUn
  00000050: 6C 6F 61 64 28 2D 29 00 55 8B EC 53 8B 5D 08 8B  load(-).U..S.]..
  00000060: 45 0C 50 53 68 38 00 00 00 E8 00 00 00 00 83 C4  E.PSh8..........
  00000070: 0C C7 43 34 00 00 00 00 33 DB 53 68 70 00 00 00  ..C4....3.Shp...
  00000080: E8 00 00 00 00 83 C4 08 8B C3 5B 5D C2 08 00 00  ..........[]....
  00000090: 44 72 69 76 65 72 45 6E 74 72 79 28 44 72 69 76  DriverEntry(Driv
  000000A0: 65 72 4F 62 6A 65 63 74 3A 30 78 25 2E 38 58 3B  erObject:0x%.8X;
  000000B0: 52 65 67 69 73 74 72 79 50 61 74 68 3A 30 78 25  RegistryPath:0x%
  000000C0: 2E 38 58 29 00 00 00 00 44 72 69 76 65 72 45 6E  .8X)....DriverEn
  000000D0: 74 72 79 28 2D 29 3A 30 78 25 2E 38 58 00 00 00  try(-):0x%.8X...
 
RELOCATIONS #1
                                                Symbol    Symbol
 Offset    Type              Applied To         Index     Name
 --------  ----------------  -----------------  --------  ------
 00000008  DIR32                      00000024         0  Driver::_16385
 0000000D  REL32                      00000000         2  _DbgPrint
 00000015  DIR32                      00000048         0  Driver::_16385
 0000001A  REL32                      00000000         2  _DbgPrint
 00000065  DIR32                      00000038         1  _DriverEntry
 0000006A  REL32                      00000000         2  _DbgPrint
 00000074  DIR32                      00000000         0  Driver::_16385
 0000007C  DIR32                      00000070         1  _DriverEntry
 00000081  REL32                      00000000         2  _DbgPrint
 
SECTION HEADER #2
   .data name
       0 physical address
       0 virtual address
       0 size of raw data
     16C file pointer to raw data
     1C6 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0300040 flags
         Initialized Data
         4 byte align
         Read Write
 
SECTION HEADER #3
    .bss name
       0 physical address
       0 virtual address
       4 size of raw data
       0 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0300080 flags
         Uninitialized Data
         4 byte align
         Read Write
 
COFF SYMBOL TABLE
000 00000000 SECT1  notype       External     | Driver::_16385
001 00000058 SECT1  notype       External     | _DriverEntry
002 00000000 UNDEF  notype       External     | _DbgPrint
003 00000000 SECT3  notype       Static       | .bss
 
String Table Size = 0x2A bytes
 
  Summary
 
           4 .bss
           0 .data
          E0 .text


Comparing the two shows that the COFF object produced by rmcoff 2.0 is closer to the original OMF file, and information such as the symbol table is more accurate. By default, the object file that Delphi generates has six sections: TEXT, DATA, BSS, _TLS, _INIT_ and _EXIT_, and for every unit it adds two functions, Finalization and initialization, which handle unit initialization and the release of resources before exit. The three sections _TLS, _INIT_ and _EXIT_ and the two functions Finalization and initialization are of no use in a driver, so rmcoff 2 removes them during conversion, and the resulting driver file is smaller.
Finally, thanks to all the Delphi fans for your support and encouragement.
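The comparison above comes down to three things a reader can check in any converted object: which sections it contains, whether every relocation points at a real, named symbol, and whether absolute (DIR32) references land inside the section they target. What follows is an added example, not rmcoff's own code and not derived from the dumps in this post: a small Python parser for i386 COFF objects that performs those checks on two sample objects constructed inline (a clean .text/.data layout, and one carrying an _INIT_ section, a dangling symbol index and an unnamed symbol). The record layouts and relocation type values follow the PE/COFF specification; the section flag values are the ones shown in the dumps above; the sample code bytes, symbol names and relocation offsets are constructed for illustration.

```python
import struct

# Record layouts from the PE/COFF specification (little-endian, no padding).
FILE_HEADER = struct.Struct("<HHIIIHH")         # 20 bytes
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # 40 bytes
RELOCATION = struct.Struct("<IIH")               # VirtualAddress, SymbolTableIndex, Type
SYMBOL = struct.Struct("<8sIhHBB")               # Name, Value, SectionNumber, Type, StorageClass, NumberOfAux
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_REL_I386_DIR32, IMAGE_REL_I386_REL32 = 0x0006, 0x0014
IMAGE_SYM_CLASS_EXTERNAL, IMAGE_SYM_CLASS_STATIC = 2, 3
TEXT_FLAGS, DATA_FLAGS = 0x60300020, 0xC0300040  # section flags as shown in the dumps above
DRIVER_USELESS_SECTIONS = {"_TLS", "_INIT_", "_EXIT_"}   # Delphi unit init/finalization support only

def _name(raw, strtab):
    """Resolve an 8-byte COFF name: inline, or a zero prefix plus an offset into the string table."""
    if raw == b"\0" * 8:
        return ""                                   # blank name (DUMPBIN prints these as empty)
    if raw[:4] == b"\0\0\0\0":
        off = struct.unpack_from("<I", raw, 4)[0]
        return strtab[off:strtab.index(b"\0", off)].decode("ascii", "replace")
    return raw.rstrip(b"\0").decode("ascii", "replace")

def parse_coff(data):
    """Parse the header, sections (with relocations) and symbols; symbols are keyed by raw table index."""
    machine, nsec, _, symptr, nsym, optsz, _ = FILE_HEADER.unpack_from(data, 0)
    strtab = data[symptr + nsym * SYMBOL.size:]     # the string table starts with its own 4-byte length
    symbols, i = {}, 0
    while i < nsym:
        raw, value, secnum, _, sclass, naux = SYMBOL.unpack_from(data, symptr + i * SYMBOL.size)
        symbols[i] = {"name": _name(raw, strtab), "value": value, "section": secnum, "class": sclass}
        i += 1 + naux                               # relocation indices count aux records, so skip them here
    sections, off = [], FILE_HEADER.size + optsz
    for _ in range(nsec):
        raw, _, _, size, rawptr, relptr, _, nrel, _, _ = SECTION_HEADER.unpack_from(data, off)
        relocs = [RELOCATION.unpack_from(data, relptr + k * RELOCATION.size) for k in range(nrel)]
        sections.append({"name": _name(raw, strtab), "size": size, "rawptr": rawptr, "relocs": relocs})
        off += SECTION_HEADER.size
    return {"machine": machine, "sections": sections, "symbols": symbols}

def check_driver_object(data):
    """Return (code, detail) findings; an empty list means the object passed every check."""
    obj = parse_coff(data)
    secs, syms, findings = obj["sections"], obj["symbols"], []
    for sec in secs:
        if sec["name"] in DRIVER_USELESS_SECTIONS:
            findings.append(("useless-section", sec["name"]))
        for va, symidx, rtype in sec["relocs"]:
            if va + 4 > sec["size"]:                # the patched dword must lie inside the section
                findings.append(("reloc-outside-section", "%s+%#x" % (sec["name"], va)))
                continue
            sym = syms.get(symidx)
            if sym is None:                         # dangling index, or an index that lands on an aux record
                findings.append(("bad-symbol-index", "%s+%#x -> %d" % (sec["name"], va, symidx)))
                continue
            if rtype == IMAGE_REL_I386_DIR32 and 0 < sym["section"] <= len(secs) and sec["rawptr"]:
                addend = struct.unpack_from("<I", data, sec["rawptr"] + va)[0]
                target = secs[sym["section"] - 1]   # an absolute reference must land inside that section
                if sym["value"] + addend >= target["size"]:
                    findings.append(("reloc-target-past-end", "%s+%#x -> %s+%#x" % (
                        sec["name"], va, target["name"], sym["value"] + addend)))
    findings += [("unnamed-symbol", str(i)) for i, s in syms.items() if not s["name"]]
    return findings

def build_coff(sections, symbols):
    """Assemble an object from (name, raw, flags, [(va, symidx, type)]) and (name, value, secnum, class)."""
    strtab = bytearray(4)                           # length field, filled in at the end

    def enc(name):                                  # names longer than 8 bytes go into the string table
        b = name.encode("ascii")
        if len(b) <= 8:
            return b.ljust(8, b"\0")
        strtab.extend(b + b"\0")
        return b"\0\0\0\0" + struct.pack("<I", len(strtab) - len(b) - 1)

    hdr_end = FILE_HEADER.size + SECTION_HEADER.size * len(sections)
    headers, body = bytearray(), bytearray()
    for name, raw, flags, relocs in sections:
        rawptr = hdr_end + len(body) if raw else 0
        body += raw
        relptr = hdr_end + len(body) if relocs else 0
        body += b"".join(RELOCATION.pack(*r) for r in relocs)
        headers += SECTION_HEADER.pack(enc(name), 0, 0, len(raw), rawptr, relptr, 0, len(relocs), 0, flags)
    symptr = hdr_end + len(body)
    symtab = b"".join(SYMBOL.pack(enc(n), v, s, 0, c, 0) for n, v, s, c in symbols)
    struct.pack_into("<I", strtab, 0, len(strtab))
    header = FILE_HEADER.pack(IMAGE_FILE_MACHINE_I386, len(sections), 0, symptr, len(symbols), 0, 0x100)
    return bytes(header + headers + body + symtab + strtab)

# Constructed sample code (0x20 bytes): push the address of the string at .text+0x18, call _DbgPrint, ret 4.
TEXT = (b"\x55\x8b\xec\x8b\x45\x08\x50\x68" + struct.pack("<I", 0x18)
        + b"\xe8\0\0\0\0\x83\xc4\x04\x5d\xc2\x04\x00" + b"Unload\0\0")
SYMS = [("Driver::_16385", 0, 1, IMAGE_SYM_CLASS_EXTERNAL),              # 0: the routine, .text+0
        ("_DbgPrint", 0, 0, IMAGE_SYM_CLASS_EXTERNAL)]                    # 1: undefined import
TEXT_RELOCS = [(0x08, 0, IMAGE_REL_I386_DIR32), (0x0D, 1, IMAGE_REL_I386_REL32)]

# Clean layout in the spirit of the rmcoff 2.0 dump: .text/.data only, every relocation resolves.
CLEAN_OBJ = build_coff([(".text", TEXT, TEXT_FLAGS, TEXT_RELOCS), (".data", b"", DATA_FLAGS, [])], SYMS)

# Flawed layout (constructed): an _INIT_ section whose DIR32 points past the end of .text,
# a relocation with a dangling symbol index, and an unnamed symbol.
FLAWED_OBJ = build_coff(
    [(".text", TEXT, TEXT_FLAGS, TEXT_RELOCS + [(0x15, 9, IMAGE_REL_I386_REL32)]),
     ("_INIT_", b"\x00\x1e\xe7\x00\x00\x00", DATA_FLAGS, [(2, 2, IMAGE_REL_I386_DIR32)])],
    SYMS + [(".text", 0, 1, IMAGE_SYM_CLASS_STATIC), ("", 0, 0, 0)])
```

Running `check_driver_object(CLEAN_OBJ)` yields no findings, while the flawed object reports the dangling index, the _INIT_ section, a DIR32 whose target (.text+0xe7) lies beyond the 0x20-byte .text, and the blank symbol. The symbol map is keyed by raw table index and skips auxiliary records on purpose: a relocation's SymbolTableIndex counts aux entries too, so an index that points at one is reported as missing rather than silently resolved to the wrong symbol.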

Latest replies (2)
#2
For the OP's contribution, I can only bow in admiration.
2009-12-9 17:16
#3
Support for the OP! Where can I download that GUI version of the converter?
2009-12-14 18:23