首页
社区
课程
招聘
[求助]关于函数长度
发表于: 2010-3-4 19:40 5745

[求助]关于函数长度

2010-3-4 19:40
5745
nt!NtOpenProcess:
80573d76 68c4000000      push    0C4h
80573d7b 6810b44e80      push    offset nt!ObReferenceObjectByPointer+0x127 (804eb410)
80573d80 e8b6f6f6ff      call    nt!CIsqrt+0x2da (804e343b)
80573d85 33f6            xor     esi,esi
80573d87 8975d4          mov     dword ptr [ebp-2Ch],esi
80573d8a 33c0            xor     eax,eax
80573d8c 8d7dd8          lea     edi,[ebp-28h]
80573d8f ab              stos    dword ptr es:[edi]
80573d90 64a124010000    mov     eax,dword ptr fs:[00000124h]
80573d96 8a8040010000    mov     al,byte ptr [eax+140h]
80573d9c 8845cc          mov     byte ptr [ebp-34h],al
80573d9f 84c0            test    al,al
80573da1 0f84d8870600    je      nt!ObSetSecurityDescriptorInfo+0x115 (805dc57f)
80573da7 8975fc          mov     dword ptr [ebp-4],esi
80573daa a1b4005680      mov     eax,dword ptr [nt!MmUserProbeAddress (805600b4)]
80573daf 8b4d08          mov     ecx,dword ptr [ebp+8]
80573db2 3bc8            cmp     ecx,eax
80573db4 0f8384490800    jae     nt!IoCheckFunctionAccess+0x1759d (805f873e)
80573dba 8b01            mov     eax,dword ptr [ecx]
80573dbc 8901            mov     dword ptr [ecx],eax
80573dbe 8b5d10          mov     ebx,dword ptr [ebp+10h]
80573dc1 f6c303          test    bl,3
80573dc4 0f857b490800    jne     nt!IoCheckFunctionAccess+0x175a4 (805f8745)
80573dca a1b4005680      mov     eax,dword ptr [nt!MmUserProbeAddress (805600b4)]
80573dcf 3bd8            cmp     ebx,eax
80573dd1 0f8378490800    jae     nt!IoCheckFunctionAccess+0x175ae (805f874f)
80573dd7 397308          cmp     dword ptr [ebx+8],esi
80573dda 0f9545e6        setne   byte ptr [ebp-1Ah]
80573dde 8b4b0c          mov     ecx,dword ptr [ebx+0Ch]
80573de1 894dc8          mov     dword ptr [ebp-38h],ecx
80573de4 8b4d14          mov     ecx,dword ptr [ebp+14h]
80573de7 3bce            cmp     ecx,esi
80573de9 0f84ebe70200    je      nt!ObMakeTemporaryObject+0x4a8 (805a25da)
80573def f6c103          test    cl,3
80573df2 0f8563490800    jne     nt!IoCheckFunctionAccess+0x175ba (805f875b)
80573df8 3bc8            cmp     ecx,eax
80573dfa 0f836d490800    jae     nt!IoCheckFunctionAccess+0x175cc (805f876d)
80573e00 8b01            mov     eax,dword ptr [ecx]
80573e02 8945d4          mov     dword ptr [ebp-2Ch],eax
80573e05 8b4104          mov     eax,dword ptr [ecx+4]
80573e08 8945d8          mov     dword ptr [ebp-28h],eax
80573e0b c645e701        mov     byte ptr [ebp-19h],1
80573e0f 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh
80573e13 807de600        cmp     byte ptr [ebp-1Ah],0
80573e17 0f8577490800    jne     nt!IoCheckFunctionAccess+0x175f3 (805f8794)
80573e1d a158185680      mov     eax,dword ptr [nt!PsProcessType (80561858)]
80573e22 83c068          add     eax,68h
80573e25 50              push    eax
80573e26 ff750c          push    dword ptr [ebp+0Ch]
80573e29 8d852cffffff    lea     eax,[ebp-0D4h]
80573e2f 50              push    eax
80573e30 8d8548ffffff    lea     eax,[ebp-0B8h]
80573e36 50              push    eax
80573e37 e88507ffff      call    nt!SeCreateAccessState (805645c1)
80573e3c 3bc6            cmp     eax,esi
80573e3e 0f8cac000000    jl      nt!NtOpenProcess+0x17a (80573ef0)
80573e44 ff75cc          push    dword ptr [ebp-34h]
80573e47 ff357ce66880    push    dword ptr [nt!SeSystemDefaultDacl+0x9c (8068e67c)]
80573e4d ff3578e66880    push    dword ptr [nt!SeSystemDefaultDacl+0x98 (8068e678)]
80573e53 e8b4feffff      call    nt!SeSinglePrivilegeCheck (80573d0c)
80573e58 84c0            test    al,al
80573e5a 0f85c57d0100    jne     nt!RtlNtStatusToDosError+0x7b (8058bc25)
80573e60 807de600        cmp     byte ptr [ebp-1Ah],0
80573e64 0f8548490800    jne     nt!IoCheckFunctionAccess+0x17611 (805f87b2)
80573e6a 807de700        cmp     byte ptr [ebp-19h],0
80573e6e 0f8478e70200    je      nt!ObMakeTemporaryObject+0x4ba (805a25ec)
80573e74 8975d0          mov     dword ptr [ebp-30h],esi
80573e77 3975d8          cmp     dword ptr [ebp-28h],esi
80573e7a 0f8588c90100    jne     nt!NtAdjustPrivilegesToken+0xc07 (80590808)
80573e80 8d45dc          lea     eax,[ebp-24h]
80573e83 50              push    eax
80573e84 ff75d4          push    dword ptr [ebp-2Ch]
80573e87 e871000000      call    nt!PsLookupProcessByProcessId (80573efd)
80573e8c 8bf8            mov     edi,eax
80573e8e 3bfe            cmp     edi,esi
80573e90 0f8c33e70200    jl      nt!ObMakeTemporaryObject+0x497 (805a25c9)
80573e96 8d45e0          lea     eax,[ebp-20h]
80573e99 50              push    eax
80573e9a ff75cc          push    dword ptr [ebp-34h]
80573e9d ff3558185680    push    dword ptr [nt!PsProcessType (80561858)]
80573ea3 56              push    esi
80573ea4 8d8548ffffff    lea     eax,[ebp-0B8h]
80573eaa 50              push    eax
80573eab ff75c8          push    dword ptr [ebp-38h]
80573eae ff75dc          push    dword ptr [ebp-24h]
80573eb1 e87c8dffff      call    nt!ObOpenObjectByPointer (8056cc32)
80573eb6 8bf8            mov     edi,eax
80573eb8 8d8548ffffff    lea     eax,[ebp-0B8h]
80573ebe 50              push    eax
80573ebf e85a07ffff      call    nt!SeDeleteAccessState (8056461e)
80573ec4 8b4dd0          mov     ecx,dword ptr [ebp-30h]
80573ec7 3bce            cmp     ecx,esi
80573ec9 0f854fc90100    jne     nt!NtAdjustPrivilegesToken+0xc1d (8059081e)
80573ecf 8b4ddc          mov     ecx,dword ptr [ebp-24h]
80573ed2 e87961f6ff      call    nt!ObfDereferenceObject (804da050)
80573ed7 3bfe            cmp     edi,esi
80573ed9 7c13            jl      nt!NtOpenProcess+0x178 (80573eee)
80573edb c745fc02000000  mov     dword ptr [ebp-4],2
80573ee2 8b45e0          mov     eax,dword ptr [ebp-20h]
80573ee5 8b4d08          mov     ecx,dword ptr [ebp+8]
80573ee8 8901            mov     dword ptr [ecx],eax
80573eea 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh
80573eee 8bc7            mov     eax,edi
80573ef0 e881f5f6ff      call    nt!CIsqrt+0x315 (804e3476)
80573ef5 c21000          ret     10h
80573ef8 90              nop
80573ef9 90              nop
80573efa 90              nop
80573efb 90              nop
80573efc 90              nop


此为函数ntopenprocess,我想知道如何计算出这个函数的长度,别人计算的长度是0x184,我有用80573efc-80573d76+1但是得到的却是0x187,而用80573ef5-80573d76+3却等于0x182, b+`qGJrej  
请问0x184是如何得来的? ;w7s>(ITZ  
而那篇ntopenprocess长度的文章是: vRh)o1u)  
http://bbs.pediy.com/showthread.php?t=85491&highlight=DNF+Inline+%E7%BB%95%E8%BF%87+Hook

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 0
支持
分享
最新回复 (3)
雪    币: 230
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
最后几个 nop 可以忽略……
2010-3-8 10:23
0
雪    币: 25
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
省略也是182阿 不是184
2010-3-8 17:27
0
雪    币: 581
活跃值: (149)
能力值: ( LV12,RANK:600 )
在线值:
发帖
回帖
粉丝
4
如果有PDB。。那就可以获得具体长度。。没有的话只能靠某些特征了。
2010-3-8 18:37
0
游客
登录 | 注册 方可回帖
返回
//