-
-
[旧帖] IoSetSystemPartition函数在驱动文件的Function Name框内和系统默认的不一样 0.00雪花
-
发表于: 2011-2-1 06:08
-
.这个是驱动的
tvm:0101880A ; NTSTATUS __stdcall IoSetSystemPartition(PUNICODE_STRING VolumeNameString)
.tvm:0101880A _IoSetSystemPartition@4 proc near
.tvm:0101880A
.tvm:0101880A VolumeNameString= dword ptr 4
.tvm:0101880A
.tvm:0101880A mov eax, ds:0A8F11DA4h
.tvm:0101880F test eax, eax
.tvm:01018811 mov ecx, 0BB40h
.tvm:01018816 jz short loc_101881C
.tvm:01018818 cmp eax, ecx
.tvm:0101881A jnz short loc_101883F
.tvm:0101881C
.tvm:0101881C loc_101881C: ; CODE XREF: IoSetSystemPartition(x)+Cj
.tvm:0101881C mov edx, ds:0A8F0F05Ch
.tvm:01018822 mov eax, 0A8F11DA4h
.tvm:01018827 shr eax, 8
.tvm:0101882A xor eax, [edx]
.tvm:0101882C and eax, 0FFFFh
.tvm:01018831 mov ds:0A8F11DA4h, eax
.tvm:01018836 jnz short loc_101883F
.tvm:01018838 mov eax, ecx
.tvm:0101883A mov ds:0A8F11DA4h, eax
.tvm:0101883F
.tvm:0101883F loc_101883F: ; CODE XREF: IoSetSystemPartition(x)+10j
.tvm:0101883F ; IoSetSystemPartition(x)+2Cj
.tvm:0101883F not eax
.tvm:01018841 mov ds:0A8F11DA0h, eax
.tvm:01018846 pop ebp
.tvm:01018847 jmp near ptr unk_10106BA
.tvm:01018847 _IoSetSystemPartition@4 endp ; sp-analysis failed
这个是系统的
.text:0041880A ; NTSTATUS __stdcall IoSetSystemPartition(PUNICODE_STRING VolumeNameString)
.text:0041880A public _IoSetSystemPartition@4
.text:0041880A _IoSetSystemPartition@4 proc near ; DATA XREF: .edata:off_58B528o
.text:0041880A
.text:0041880A DestinationString= LSA_UNICODE_STRING ptr -3Ch
.text:0041880A KeyHandle = dword ptr -34h
.text:0041880A Handle = dword ptr -30h
.text:0041880A ValueName = LSA_UNICODE_STRING ptr -2Ch
.text:0041880A var_24 = word ptr -24h
.text:0041880A var_22 = word ptr -22h
.text:0041880A var_20 = word ptr -20h
.text:0041880A var_1E = word ptr -1Eh
.text:0041880A var_1C = word ptr -1Ch
.text:0041880A var_1A = word ptr -1Ah
.text:0041880A var_18 = word ptr -18h
.text:0041880A var_16 = word ptr -16h
.text:0041880A var_14 = word ptr -14h
.text:0041880A var_12 = word ptr -12h
.text:0041880A var_10 = word ptr -10h
.text:0041880A var_E = word ptr -0Eh
.text:0041880A var_C = word ptr -0Ch
.text:0041880A var_A = word ptr -0Ah
.text:0041880A var_8 = word ptr -8
.text:0041880A var_6 = word ptr -6
.text:0041880A var_4 = dword ptr -4
.text:0041880A VolumeNameString= dword ptr 8
.text:0041880A
.text:0041880A mov edi, edi
.text:0041880C push ebp
.text:0041880D mov ebp, esp
.text:0041880F sub esp, 3Ch
.text:00418812 mov eax, ___security_cookie
.text:00418817 push ebx
.text:00418818 push esi
.text:00418819 mov esi, [ebp+VolumeNameString]
.text:0041881C push edi
.text:0041881D mov [ebp+var_4], eax
.text:00418820 push offset SourceString ; SourceString
.text:00418825 lea eax, [ebp+DestinationString]
.text:00418828 push eax ; DestinationString
.text:00418829 call _RtlInitUnicodeString@8 ; RtlInitUnicodeString(x,x)
.text:0041882E mov edi, 0F003Fh
.text:00418833 push edi ; DesiredAccess
.text:00418834 lea eax, [ebp+DestinationString]
.text:00418837 push eax ; int
.text:00418838 xor ebx, ebx
.text:0041883A push ebx ; int
.text:0041883B lea eax, [ebp+Handle]
.text:0041883E push eax ; KeyHandle
.text:0041883F call _IopOpenRegistryKeyEx@16 ; IopOpenRegistryKeyEx(x,x,x,x)
.text:00418844 cmp eax, ebx
.text:00418846 jl loc_41892A
.text:0041884C push ebx ; int
.text:0041884D push ebx ; CreateOptions
.text:0041884E lea eax, [ebp+var_24]
.text:00418851 mov [ebp+ValueName.Buffer], eax
.text:00418854 push edi ; DesiredAccess
.text:00418855 lea eax, [ebp+ValueName]
.text:00418858 push eax ; int
.text:00418859 push [ebp+Handle] ; int
.text:0041885C lea eax, [ebp+KeyHandle]
.text:0041885F push eax ; int
.text:00418860 mov [ebp+var_24], 53h
.text:00418866 mov [ebp+var_22], 65h
.text:0041886C mov [ebp+var_20], 74h
.text:00418872 mov [ebp+var_1E], 75h
.text:00418878 mov [ebp+var_1C], 70h
.text:0041887E mov [ebp+var_1A], bx
.text:00418882 mov [ebp+ValueName.MaximumLength], 0Ch
.text:00418888 mov [ebp+ValueName.Length], 0Ah
.text:0041888E call _IopCreateRegistryKeyEx@24 ; IopCreateRegistryKeyEx(x,x,x,x,x,x)
.text:00418893 push [ebp+Handle] ; Handle
.text:00418896 mov edi, eax
.text:00418898 call _NtClose@4 ; NtClose(x)
.text:0041889D cmp edi, ebx
.text:0041889F jge short loc_4188A8
.text:004188A1 mov eax, edi
.text:004188A3 jmp loc_41892A
.text:004188A8 ; ---------------------------------------------------------------------------
.text:004188A8
.text:004188A8 loc_4188A8: ; CODE XREF: IoSetSystemPartition(x)+95j
.text:004188A8 movzx eax, word ptr [esi]
.text:004188AB inc eax
.text:004188AC inc eax
.text:004188AD push eax ; DataSize
.text:004188AE push dword ptr [esi+4] ; Data
.text:004188B1 lea eax, [ebp+ValueName]
.text:004188B4 push 1 ; Type
.text:004188B6 push ebx ; TitleIndex
.text:004188B7 push eax ; ValueName
.text:004188B8 push [ebp+KeyHandle] ; KeyHandle
.text:004188BB mov [ebp+var_24], 53h
.text:004188C1 mov [ebp+var_22], 79h
.text:004188C7 mov [ebp+var_20], 73h
.text:004188CD mov [ebp+var_1E], 74h
.text:004188D3 mov [ebp+var_1C], 65h
.text:004188D9 mov [ebp+var_1A], 6Dh
.text:004188DF mov [ebp+var_18], 50h
.text:004188E5 mov [ebp+var_16], 61h
.text:004188EB mov [ebp+var_14], 72h
.text:004188F1 mov [ebp+var_12], 74h
.text:004188F7 mov [ebp+var_10], 69h
.text:004188FD mov [ebp+var_E], 74h
.text:00418903 mov [ebp+var_C], 69h
.text:00418909 mov [ebp+var_A], 6Fh
.text:0041890F mov [ebp+var_8], 6Eh
.text:00418915 mov [ebp+var_6], bx
.text:00418919 mov [ebp+ValueName.MaximumLength], 20h
.text:0041891F mov [ebp+ValueName.Length], 1Eh
.text:00418925 call _ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
.text:0041892A
.text:0041892A loc_41892A: ; CODE XREF: IoSetSystemPartition(x)+3Cj
.text:0041892A ; IoSetSystemPartition(x)+99j
.text:0041892A mov ecx, [ebp+var_4]
.text:0041892D pop edi
.text:0041892E pop esi
.text:0041892F pop ebx
.text:00418930 call @xHalReferenceHandler@4 ; xHalReferenceHandler(x)
.text:00418935 leave
.text:00418936 retn 4
.text:00418936 _IoSetSystemPartition@4 endp
.text:00418936
为啥不一样
这张图是某某驱动的
请问某某驱动的
Function Name 里面的函数有的是跟系统的ntkrpamp.exe里的Function Name 名字一样
但是函数内容确不一样 请问他有啥区别
是加密了 但是功能一样 还是 HOOK了这个函数
tvm:0101880A ; NTSTATUS __stdcall IoSetSystemPartition(PUNICODE_STRING VolumeNameString)
.tvm:0101880A _IoSetSystemPartition@4 proc near
.tvm:0101880A
.tvm:0101880A VolumeNameString= dword ptr 4
.tvm:0101880A
.tvm:0101880A mov eax, ds:0A8F11DA4h
.tvm:0101880F test eax, eax
.tvm:01018811 mov ecx, 0BB40h
.tvm:01018816 jz short loc_101881C
.tvm:01018818 cmp eax, ecx
.tvm:0101881A jnz short loc_101883F
.tvm:0101881C
.tvm:0101881C loc_101881C: ; CODE XREF: IoSetSystemPartition(x)+Cj
.tvm:0101881C mov edx, ds:0A8F0F05Ch
.tvm:01018822 mov eax, 0A8F11DA4h
.tvm:01018827 shr eax, 8
.tvm:0101882A xor eax, [edx]
.tvm:0101882C and eax, 0FFFFh
.tvm:01018831 mov ds:0A8F11DA4h, eax
.tvm:01018836 jnz short loc_101883F
.tvm:01018838 mov eax, ecx
.tvm:0101883A mov ds:0A8F11DA4h, eax
.tvm:0101883F
.tvm:0101883F loc_101883F: ; CODE XREF: IoSetSystemPartition(x)+10j
.tvm:0101883F ; IoSetSystemPartition(x)+2Cj
.tvm:0101883F not eax
.tvm:01018841 mov ds:0A8F11DA0h, eax
.tvm:01018846 pop ebp
.tvm:01018847 jmp near ptr unk_10106BA
.tvm:01018847 _IoSetSystemPartition@4 endp ; sp-analysis failed
这个是系统的
.text:0041880A ; NTSTATUS __stdcall IoSetSystemPartition(PUNICODE_STRING VolumeNameString)
.text:0041880A public _IoSetSystemPartition@4
.text:0041880A _IoSetSystemPartition@4 proc near ; DATA XREF: .edata:off_58B528o
.text:0041880A
.text:0041880A DestinationString= LSA_UNICODE_STRING ptr -3Ch
.text:0041880A KeyHandle = dword ptr -34h
.text:0041880A Handle = dword ptr -30h
.text:0041880A ValueName = LSA_UNICODE_STRING ptr -2Ch
.text:0041880A var_24 = word ptr -24h
.text:0041880A var_22 = word ptr -22h
.text:0041880A var_20 = word ptr -20h
.text:0041880A var_1E = word ptr -1Eh
.text:0041880A var_1C = word ptr -1Ch
.text:0041880A var_1A = word ptr -1Ah
.text:0041880A var_18 = word ptr -18h
.text:0041880A var_16 = word ptr -16h
.text:0041880A var_14 = word ptr -14h
.text:0041880A var_12 = word ptr -12h
.text:0041880A var_10 = word ptr -10h
.text:0041880A var_E = word ptr -0Eh
.text:0041880A var_C = word ptr -0Ch
.text:0041880A var_A = word ptr -0Ah
.text:0041880A var_8 = word ptr -8
.text:0041880A var_6 = word ptr -6
.text:0041880A var_4 = dword ptr -4
.text:0041880A VolumeNameString= dword ptr 8
.text:0041880A
.text:0041880A mov edi, edi
.text:0041880C push ebp
.text:0041880D mov ebp, esp
.text:0041880F sub esp, 3Ch
.text:00418812 mov eax, ___security_cookie
.text:00418817 push ebx
.text:00418818 push esi
.text:00418819 mov esi, [ebp+VolumeNameString]
.text:0041881C push edi
.text:0041881D mov [ebp+var_4], eax
.text:00418820 push offset SourceString ; SourceString
.text:00418825 lea eax, [ebp+DestinationString]
.text:00418828 push eax ; DestinationString
.text:00418829 call _RtlInitUnicodeString@8 ; RtlInitUnicodeString(x,x)
.text:0041882E mov edi, 0F003Fh
.text:00418833 push edi ; DesiredAccess
.text:00418834 lea eax, [ebp+DestinationString]
.text:00418837 push eax ; int
.text:00418838 xor ebx, ebx
.text:0041883A push ebx ; int
.text:0041883B lea eax, [ebp+Handle]
.text:0041883E push eax ; KeyHandle
.text:0041883F call _IopOpenRegistryKeyEx@16 ; IopOpenRegistryKeyEx(x,x,x,x)
.text:00418844 cmp eax, ebx
.text:00418846 jl loc_41892A
.text:0041884C push ebx ; int
.text:0041884D push ebx ; CreateOptions
.text:0041884E lea eax, [ebp+var_24]
.text:00418851 mov [ebp+ValueName.Buffer], eax
.text:00418854 push edi ; DesiredAccess
.text:00418855 lea eax, [ebp+ValueName]
.text:00418858 push eax ; int
.text:00418859 push [ebp+Handle] ; int
.text:0041885C lea eax, [ebp+KeyHandle]
.text:0041885F push eax ; int
.text:00418860 mov [ebp+var_24], 53h
.text:00418866 mov [ebp+var_22], 65h
.text:0041886C mov [ebp+var_20], 74h
.text:00418872 mov [ebp+var_1E], 75h
.text:00418878 mov [ebp+var_1C], 70h
.text:0041887E mov [ebp+var_1A], bx
.text:00418882 mov [ebp+ValueName.MaximumLength], 0Ch
.text:00418888 mov [ebp+ValueName.Length], 0Ah
.text:0041888E call _IopCreateRegistryKeyEx@24 ; IopCreateRegistryKeyEx(x,x,x,x,x,x)
.text:00418893 push [ebp+Handle] ; Handle
.text:00418896 mov edi, eax
.text:00418898 call _NtClose@4 ; NtClose(x)
.text:0041889D cmp edi, ebx
.text:0041889F jge short loc_4188A8
.text:004188A1 mov eax, edi
.text:004188A3 jmp loc_41892A
.text:004188A8 ; ---------------------------------------------------------------------------
.text:004188A8
.text:004188A8 loc_4188A8: ; CODE XREF: IoSetSystemPartition(x)+95j
.text:004188A8 movzx eax, word ptr [esi]
.text:004188AB inc eax
.text:004188AC inc eax
.text:004188AD push eax ; DataSize
.text:004188AE push dword ptr [esi+4] ; Data
.text:004188B1 lea eax, [ebp+ValueName]
.text:004188B4 push 1 ; Type
.text:004188B6 push ebx ; TitleIndex
.text:004188B7 push eax ; ValueName
.text:004188B8 push [ebp+KeyHandle] ; KeyHandle
.text:004188BB mov [ebp+var_24], 53h
.text:004188C1 mov [ebp+var_22], 79h
.text:004188C7 mov [ebp+var_20], 73h
.text:004188CD mov [ebp+var_1E], 74h
.text:004188D3 mov [ebp+var_1C], 65h
.text:004188D9 mov [ebp+var_1A], 6Dh
.text:004188DF mov [ebp+var_18], 50h
.text:004188E5 mov [ebp+var_16], 61h
.text:004188EB mov [ebp+var_14], 72h
.text:004188F1 mov [ebp+var_12], 74h
.text:004188F7 mov [ebp+var_10], 69h
.text:004188FD mov [ebp+var_E], 74h
.text:00418903 mov [ebp+var_C], 69h
.text:00418909 mov [ebp+var_A], 6Fh
.text:0041890F mov [ebp+var_8], 6Eh
.text:00418915 mov [ebp+var_6], bx
.text:00418919 mov [ebp+ValueName.MaximumLength], 20h
.text:0041891F mov [ebp+ValueName.Length], 1Eh
.text:00418925 call _ZwSetValueKey@24 ; ZwSetValueKey(x,x,x,x,x,x)
.text:0041892A
.text:0041892A loc_41892A: ; CODE XREF: IoSetSystemPartition(x)+3Cj
.text:0041892A ; IoSetSystemPartition(x)+99j
.text:0041892A mov ecx, [ebp+var_4]
.text:0041892D pop edi
.text:0041892E pop esi
.text:0041892F pop ebx
.text:00418930 call @xHalReferenceHandler@4 ; xHalReferenceHandler(x)
.text:00418935 leave
.text:00418936 retn 4
.text:00418936 _IoSetSystemPartition@4 endp
.text:00418936
为啥不一样
这张图是某某驱动的
请问某某驱动的
Function Name 里面的函数有的是跟系统的ntkrpamp.exe里的Function Name 名字一样
但是函数内容确不一样 请问他有啥区别
是加密了 但是功能一样 还是 HOOK了这个函数
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
