-
-
[求助]Sentinel 驱动模拟应该如何修改呢
-
发表于: 2011-2-23 18:56 5596
-
;===================================================================================
; code by laomms 2007.4.25
;===================================================================================
.386
.model flat, stdcall
option casemap:none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include w2k\ntstatus.inc
include w2k\ntddk.inc
include w2k\ntoskrnl.inc
includelib d:\masm32\lib\w2k\ntoskrnl.lib
include Strings.mac
include Sentinel.Inc
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data
datfile dw '\','?','?','\','c',':','\','s','u','p','e','r','p','r','o','.','d','a','t',0,0
hFile dd 0
Buffer1 dw 0
Buffer2 dw 0
Buffer3 dw 0
Buffer4 dw 0
Buffer5 dw 64 dup(0)
Buffer6 dw 0
db 128 dup(0)
Buffer7 dd 0
db 24 dup(0)
Buffer8 db 4 dup(0)
Buffer9 dd 0
db 512 dup(0)
Buffer dd 0
data1 dd 0
data2 dd 0
data3 dd 0
data4 dd 0
db 16 dup(0)
data5 db 4 dup(0)
data6 dd 0
data7 dd 0
db 256 dup(0)
data8 dd 0
.const
CCOUNTED_UNICODE_STRING "\\Device\\RNBODEV0",DONGLE_DEVICE_NAME,4
CCOUNTED_UNICODE_STRING "\\Device\\RNBODEV1",DeviceString,4
CCOUNTED_UNICODE_STRING "\\DosDevices\\RNBODRV0",SymbolicLinkName,4
CCOUNTED_UNICODE_STRING "\\DosDevices\\RNBODRV1",DestinationString,4
CCOUNTED_UNICODE_STRING "\\??\\c:\\superpro.dat", DataFileName, 4
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
DriverEntry proc pDriverObject:PDRIVER_OBJECT,RegistryPath:PUNICODE_STRING
LOCAL deviceNameUnicodeString,deviceLinkUnicodeString:UNICODE_STRING
LOCAL status:NTSTATUS
LOCAL pDeviceObject:PVOID
mov status,STATUS_DEVICE_CONFIGURATION_ERROR
invoke IoCreateDevice, pDriverObject, 0, addr DONGLE_DEVICE_NAME, FILE_DEVICE_UNKNOWN, \
0, FALSE, addr pDeviceObject
.if eax == STATUS_SUCCESS
invoke IoCreateSymbolicLink, addr SymbolicLinkName, addr DONGLE_DEVICE_NAME
.if eax == STATUS_SUCCESS
mov eax, pDriverObject
assume eax:PTR DRIVER_OBJECT
mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)], offset DispatchCreateClose
mov [eax].MajorFunction[IRP_MJ_CLEANUP*(sizeof PVOID)], offset DispatchCreateClose
mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)], offset DispatchCreateClose
mov [eax].MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)], offset DispatchControl
mov [eax].DriverUnload, offset DriverUnload
assume eax:nothing
mov status, STATUS_SUCCESS
jmp @f
.else
invoke IoDeleteDevice, pDeviceObject
jmp @exit
.endif
.endif
invoke IoCreateDevice, pDriverObject, 0, addr DeviceString, FILE_DEVICE_UNKNOWN, \
0, FALSE, addr pDeviceObject
.if eax == STATUS_SUCCESS
invoke IoCreateSymbolicLink, addr DestinationString, addr DeviceString
.if eax == STATUS_SUCCESS
mov eax, pDriverObject
assume eax:PTR DRIVER_OBJECT
mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)], offset DispatchCreateClose
mov [eax].MajorFunction[IRP_MJ_CLEANUP*(sizeof PVOID)], offset DispatchCreateClose
mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)], offset DispatchCreateClose
mov [eax].MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)], offset DispatchControl
mov [eax].DriverUnload, offset DriverUnload
assume eax:nothing
mov status, STATUS_SUCCESS
jmp @f
.else
invoke IoDeleteDevice, pDeviceObject
jmp @exit
.endif
.endif
@@:
call MyCreateFile
cmp hFile, esi
jz @xor
push 10h ; Length
push esi ; int
push offset Buffer ; Buffer
call MyReadFile
mov eax, Buffer
push 10h
test eax, eax
pop esi
jz @@3
shl eax, 4
push eax ; Length
push esi ; int
push offset data5 ; Buffer
call MyReadFile
mov eax, Buffer
xor ebx, ebx
xor edx, edx
lea esi, [eax+1]
shl esi, 4
test eax, eax
jbe @@4
mov edi, pDriverObject
@@1:
test edx, edx
jnz @@2
mov edi, data6
@@2:
mov ecx, edx
shl ecx, 4
add ebx, data7[ecx]
sub data6[ecx], edi
inc edx
cmp edx, eax
jb @@1
jmp @@4
@@3:
mov ebx, pDriverObject
@@4:
mov edi, 80h
mov Buffer7, esi
push edi ; Length
push esi ; int
push Buffer1 ; Buffer
call MyReadFile
add esi, edi
push edi ; Length
push esi ; int
push offset Buffer6 ; Buffer
call MyReadFile
test ebx, ebx
jbe @xor
mov eax, ebx
add esi, edi
shl eax, 3
push eax ; Length
push esi ; int
push offset Buffer8 ; Buffer
call MyReadFile
@xor:
xor eax, eax
@exit:
pop edi
pop esi
pop ebx
leave
retn 8
DriverEntry endp
DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
mov eax, pIrp
assume eax:ptr _IRP
mov [eax].IoStatus.Status, STATUS_SUCCESS
and [eax].IoStatus.Information, 0
assume eax:nothing
fastcall IofCompleteRequest, pIrp, IO_NO_INCREMENT
mov eax, STATUS_SUCCESS
ret
DispatchCreateClose endp
DriverUnload proc pDriverObject:PDRIVER_OBJECT
invoke IoDeleteSymbolicLink, addr SymbolicLinkName
invoke IoDeleteSymbolicLink, addr DestinationString
mov eax, pDriverObject
invoke IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject
ret
DriverUnload endp
DispatchControl proc near ; DATA XREF: start+B3o
var_418 = dword ptr -418h
var_412 = word ptr -412h
var_408 = dword ptr -408h
var_404 = dword ptr -404h
var_400 = dword ptr -400h
var_3F8 = dword ptr -3F8h
var_3E8 = byte ptr -3E8h
var_3E4 = word ptr -3E4h
var_3E2 = word ptr -3E2h
var_3E0 = word ptr -3E0h
var_3DE = word ptr -3DEh
var_3DC = dword ptr -3DCh
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_1 = byte ptr -1
pIrp = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 418h
mov eax, [ebp+pIrp]
push ebx
push esi
mov edx, 100h
mov ebx, [eax+3Ch]
push edi
mov ecx, edx
mov esi, ebx
lea edi, [ebp+var_418]
mov [ebp+var_14], ebx
rep movsd
cmp [ebp+var_408], 80003h
jnz @@1
and [ebp+var_412], 0
mov ecx, edx
lea esi, [ebp+var_418]
mov edi, ebx
rep movsd
and dword ptr [eax+18h], 0
mov dword ptr [eax+1Ch], 400h
xor dl, dl
mov ecx, eax
jmp @@exit
@@1:
mov esi, [ebp+var_404]
mov edi, [ebp+var_400]
mov [ebp+var_10], esi
xor ebx, ebx
mov [ebp+var_18], esi
mov [ebp+var_1], 1
@@2:
movsx eax, [ebp+var_1]
dec eax
push eax
push esi
call func1
cmp eax, edi
jz @@3
inc [ebp+var_1]
cmp [ebp+var_1], 3
jl @@2
jmp @@4
@@3:
mov esi, ebx
mov [ebp+var_404], esi
@@4:
cmp [ebp+var_1], 3
jnz @@7
mov eax, [ebp+var_1C]
push eax
mov data8, eax
call func4
lea eax, [ebp+var_C]
mov [ebp+var_8], esi
push eax
lea eax, [ebp+var_8]
push eax
mov [ebp+var_C], edi
call func6
xor ebx, ebx
cmp [ebp+var_8], ebx
jnz @@6
cmp [ebp+var_C], ebx
jnz @@6
push 7Ch
mov [ebp+var_404], ebx
mov [ebp+var_400], ebx
lea esi, [ebp+var_3F8]
pop edi
@@5:
mov eax, [esi-4]
mov [ebp+var_8], eax
mov eax, [esi]
mov [ebp+var_C], eax
lea eax, [ebp+var_C]
push eax
lea eax, [ebp+var_8]
push eax
call func5
mov eax, [ebp+var_8]
mov [esi-4], eax
mov eax, [ebp+var_C]
mov [esi], eax
add esi, 8
dec edi
jnz @@5
jmp @@11
@@6:
mov [ebp+var_412], bx
jmp @@34
@@7:
push 1
lea esi, [ebp+var_400]
pop edi
@@8:
lea eax, [edi-3]
push 4
cdq
pop ecx
idiv ecx
movsx eax, [ebp+var_1]
test edx, edx
jz @@9
dec eax
push eax
push [ebp+var_10]
call func1
jmp @@10
@@9:
dec eax
push eax
push [ebp+var_10]
call func2
@@10:
mov ecx, [esi]
xor eax, ecx
inc edi
mov [esi], eax
add esi, 4
cmp edi, 0FAh
mov [ebp+var_10], ecx
jle @@8
xor ebx, ebx
@@11:
movzx eax, [ebp+var_3E8]
cmp eax, 0Bh
jg @@15
jz @@14
dec eax
jz @13
dec eax
dec eax
jz @@27
sub eax, 5
jz @12
dec eax
jz @@27
dec eax
jnz @@28
cmp [ebp+var_3E4], 40h
mov [ebp+var_412], 3
jnb @@28
movzx eax, [ebp+var_3E4]
mov ax, Buffer1[eax*2]
mov [ebp+var_3E2], ax
jmp @@27
@12:
mov ax, Buffer2
mov [ebp+var_412], 3
cmp [ebp+var_3DE], ax
jnz @@28
mov [ebp+var_3E4], ax
jmp @@27
@13:
mov [ebp+var_3E4], 3207h
mov [ebp+var_3E2], 508h
jmp @@27
@@14:
cmp [ebp+var_3E4], 40h
mov [ebp+var_412], 3
jnb @@28
movzx eax, [ebp+var_3E4]
shl eax, 1
mov cx, Buffer1[eax]
mov ax, Buffer6[eax]
mov [ebp+var_3E2], cx
mov [ebp+var_3E0], ax
jmp @@27
@@15:
sub eax, 0Ch
jz @@25
dec eax
jz @@23
dec eax
jz @@22
dec eax
jz @@21
dec eax
jnz @@28
mov ecx, Buffer
xor eax, eax
cmp ecx, ebx
jbe @@17
movzx esi, [ebp+var_3E4]
mov edx, offset data5
@@16:
cmp [edx], esi
jz @@17
inc eax
add edx, 10h
cmp eax, ecx
jb @@16
@@17:
cmp eax, ecx
jnz @@18
mov [ebp+var_412], 3
jmp @@28
@@18:
shl eax, 4
xor edx, edx
mov ecx, data6[eax]
mov eax, data7[eax]
cmp eax, ebx
jbe @@27
lea esi, Buffer8[ecx*4]
@@19:
mov edi, [esi]
cmp edi, [ebp+var_3DC]
jz @@20
inc edx
add esi, 8
cmp edx, eax
jb @@19
jmp @@27
@@20:
lea eax, [ecx+edx*2]
mov eax, Buffer9[eax*4]
mov [ebp+var_3DC], eax
jmp @@27
@@21:
cmp [ebp+var_3E4], 40h
mov [ebp+var_412], 3
jnb @@28
movzx eax, [ebp+var_3E4]
cmp Buffer6[eax*2], 3
jnz @@28
jmp @@27
@@22:
cmp [ebp+var_3E4], 40h
mov [ebp+var_412], 3
jnb @@28
mov ax, [ebp+var_3DE]
cmp ax, Buffer3
jnz @@28
mov ax, word ptr [ebp+var_3DC]
cmp ax, Buffer4
jnz @@28
mov ax, word ptr [ebp+var_3DC+2]
cmp ax, Buffer5
jmp @@24
@@23:
cmp [ebp+var_3E4], 40h
mov [ebp+var_412], 3
jnb @@28
mov ax, [ebp+var_3DE]
cmp ax, Buffer3
@@24:
jnz @@28
movzx eax, [ebp+var_3E4]
mov cx, [ebp+var_3E2]
mov Buffer1[eax*2], cx
jmp @@26
@@25:
cmp [ebp+var_3E4], 40h
mov [ebp+var_412], 3
jnb @@28
mov ax, [ebp+var_3DE]
cmp ax, Buffer3
jnz @@28
movzx eax, [ebp+var_3E4]
dec Buffer1[eax*2]
lea eax, Buffer1[eax*2]
@@26:
call MyCreateFile
cmp hFile, ebx
jz @@27
push 80h ; Length
push Buffer7 ; int
push Buffer1 ; Buffer
call MyWriteFile
call MyCloseFile
@@27: ;
mov [ebp+var_412], bx
@@28:
cmp [ebp+var_1], 1
jl @@32
cmp [ebp+var_1], 2
jg @@32
mov ecx, [ebp+var_18]
push 1
xor ecx, [ebp+var_404]
pop edi
lea esi, [ebp+var_400]
mov [ebp+var_404], ecx
@@29:
lea eax, [edi-3]
push 4
cdq
pop ebx
idiv ebx
movsx eax, [ebp+var_1]
test edx, edx
jz @@30
dec eax
push eax
push ecx
call func1
jmp @@31
@@30:
dec eax
push eax
push ecx
call func2
@@31:
xor [esi], eax
mov ecx, [esi]
inc edi
add esi, 4
cmp edi, 0FAh
jle @@29
xor ebx, ebx
jmp @@34
@@32:
mov eax, [ebp+var_1C]
push eax
mov data8, eax
call func4
push 7Dh
lea esi, [ebp+var_400]
pop edi
@@33:
mov eax, [esi-4]
mov [ebp+var_8], eax
mov eax, [esi]
mov [ebp+var_C], eax
lea eax, [ebp+var_C]
push eax
lea eax, [ebp+var_8]
push eax
call func5
mov eax, [ebp+var_8]
mov [esi-4], eax
mov eax, [ebp+var_C]
mov [esi], eax
add esi, 8
dec edi
jnz @@33
@@34:
mov edi, [ebp+var_14]
mov ecx, 100h
lea esi, [ebp+var_418]
xor dl, dl ; PriorityBoost
rep movsd
mov ecx, [ebp+pIrp] ; Irp
mov [ecx+18h], ebx
mov dword ptr [ecx+1Ch], 400h
@@exit:
call ds:IofCompleteRequest
pop edi
pop esi
xor eax, eax
pop ebx
leave
retn 8
DispatchControl endp
func1 proc near
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = word ptr -8
var_6 = word ptr -6
var_4 = word ptr -4
var_2 = word ptr -2
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 10h
mov edx, [ebp+arg_0]
push ebx
mov ebx, [ebp+arg_4]
mov eax, edx
shr eax, 1Fh
lea ecx, [edx+edx]
push esi
or eax, ecx
mov ecx, edx
shr ecx, 10h
mov [ebp+var_4], 2B8Dh
mov [ebp+var_2], 2E75h
mov si, [ebp+ebx*2+var_4]
xor ecx, eax
imul esi, ecx
mov ecx, 0FFFFh
push edi
mov [ebp+var_8], 27C5h
mov [ebp+var_6], 294Ch
mov di, [ebp+ebx*2+var_8]
and esi, ecx
shr eax, 10h
add edi, esi
xor eax, edx
imul edi, eax
and edi, ecx
mov [ebp+var_10], 27C52B8Dh
mov [ebp+var_C], 294C2E75h
jnz @@1
test esi, esi
jnz @@1
mov eax, [ebp+ebx*4+var_10]
jmp @exit
@@1:
test ebx, ebx
push 10h
push 2
jnz @@2
call func3
imul eax, edi
add eax, esi
jmp @exit
@@2:
call func3
imul eax, esi
add eax, edi
@exit:
pop edi
pop esi
pop ebx
leave
retn 8
func1 endp
func2 proc near
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 1Ch
mov ecx, [ebp+arg_0]
mov eax, [ebp+arg_4]
and [ebp+var_4], 0
mov edx, ecx
push ebx
add eax, eax
push esi
push edi
shr edx, 10h
mov word ptr [ebp+var_8], 2F51h
mov word ptr [ebp+var_8+2], 3105h
mov di, word ptr [ebp+eax+var_8]
inc edx
imul edi, edx
mov esi, 0FFFFh
mov word ptr [ebp+var_C], 4A0Fh
mov word ptr [ebp+var_C+2], 3FE6h
mov bx, word ptr [ebp+eax+var_C]
and edi, esi
inc ecx
imul ebx, ecx
and ebx, esi
and [ebp+var_8], 0
mov [ebp+var_1C], 0FFFFFE1Dh
mov [ebp+var_18], 0E9F19FDFh
@@1:
mov [ebp+var_10], 8
@1:
push 0Ah
push 2
call func3
imul eax, edi
and eax, esi
push 0Ch
push 2
mov [ebp+arg_0], eax
call func3
imul eax, edi
and eax, esi
push 0Dh
xor [ebp+arg_0], eax
push 2
call func3
imul eax, edi
xor eax, [ebp+arg_0]
push 0Fh
push 2
and eax, 8000h
mov [ebp+arg_0], eax
call func3
imul eax, edi
and eax, esi
xor [ebp+arg_0], eax
shr edi, 1
and edi, esi
xor [ebp+arg_0], edi
mov eax, [ebp+arg_0]
not eax
and eax, 1
mov [ebp+var_C], eax
jz @2
push 0Eh
push 2
call func3
imul eax, ebx
mov ecx, ebx
shl ecx, 2
xor ecx, ebx
shl ecx, 1
xor ecx, ebx
and cx, 0C000h
xor eax, ecx
shl eax, 1
and eax, esi
shr ebx, 1
or ebx, eax
@2:
mov ecx, [ebp+var_C]
mov eax, ebx
and eax, 1
mov edi, [ebp+arg_0]
xor ecx, eax
mov eax, [ebp+var_4]
shl ecx, 1
shl eax, 2
or ecx, eax
and ecx, esi
or ecx, [ebp+var_C]
dec [ebp+var_10]
mov [ebp+var_4], ecx
jnz @1
cmp [ebp+var_8], 0
jnz @3
mov eax, ecx
mov [ebp+var_14], eax
jmp @4
@3:
mov ebx, [ebp+var_4]
@4:
inc [ebp+var_8]
cmp [ebp+var_8], 2
jl @@1
mov esi, [ebp+arg_4]
push 10h
test esi, esi
push 2
jnz @@2
call func3
imul eax, [ebp+var_14]
add eax, ebx
jmp @@3
@@2:
call func3
imul eax, ebx
add eax, [ebp+var_14]
@@3:
test eax, eax
jnz @exit
mov eax, [ebp+esi*4+var_1C]
@exit:
pop edi
pop esi
pop ebx
leave
retn 8
func2 endp
func4 proc near
arg_0 = dword ptr 10h
push ebx
push ebp
push esi
mov esi, [esp+arg_0]
push edi
push 1
push esi
call func2
mov edi, eax
push 1
shl esi, 2
xor esi, edi
push esi
call func1
shl esi, 2
xor esi, edi
push 0
push esi
mov ebx, eax
call func2
mov ebp, eax
mov eax, esi
shl eax, 2
xor eax, edi
push 0
push eax
call func1
mov data1, edi
pop edi
mov data3, ebp
pop esi
mov data2, ebx
pop ebp
mov data4, eax
pop ebx
retn 4
func4 endp
func5 proc near
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push ecx
mov eax, [ebp+arg_0]
push ebx
push esi
push edi
mov eax, [eax]
xor ebx, ebx
mov [ebp+var_4], eax
mov eax, [ebp+arg_4]
mov [ebp+var_8], 20h
mov edi, [eax]
@@1:
push 4
push 2
sub ebx, 61C88647h
call func3
imul eax, edi
mov ecx, data1
mov esi, edi
shr esi, 5
add esi, data2
add ecx, eax
lea eax, [ebx+edi]
push 4
xor esi, ecx
push 2
xor esi, eax
add esi, [ebp+var_4]
call func3
imul eax, esi
mov edx, data3
mov ecx, esi
shr ecx, 5
add ecx, data4
add edx, eax
lea eax, [esi+ebx]
mov [ebp+var_4], esi
xor ecx, edx
xor ecx, eax
add edi, ecx
dec [ebp+var_8]
jnz @@1
mov eax, [ebp+arg_0]
mov [eax], esi
mov eax, [ebp+arg_4]
mov [eax], edi
pop edi
pop esi
pop ebx
leave
retn 8
func5 endp
func6 proc near
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_0]
push ebx
push esi
push edi
mov ebx, [eax]
mov eax, [ebp+arg_4]
mov edi, 0C6EF3720h
mov [ebp+var_4], 20h
mov esi, [eax]
@@:
push 4
push 2
call func3
imul eax, ebx
mov edx, ebx
add edi, 61C88647h
shr edx, 5
add edx, data4
lea ecx, [edi+ebx-61C88647h]
push 4
push 2
xor ecx, edx
mov edx, data3
add edx, eax
xor ecx, edx
sub esi, ecx
call func3
imul eax, esi
mov edx, esi
lea ecx, [esi+edi-61C88647h]
shr edx, 5
add edx, data2
xor ecx, edx
mov edx, data1
add edx, eax
xor ecx, edx
sub ebx, ecx
dec [ebp+var_4]
jnz @b
mov eax, [ebp+arg_0]
pop edi
mov [eax], ebx
mov eax, [ebp+arg_4]
mov [eax], esi
pop esi
pop ebx
leave
retn 8
func6 endp
func3 proc near
mov ecx, [esp+4]
mov eax, [esp+8]
cmp ecx, 1
jbe @exit
dec ecx
@@:
imul eax, [esp+arg_0]
dec ecx
jnz @b
@exit:
ret
func3 endp
MyCreateFile proc
local oa:OBJECT_ATTRIBUTES
local iosb:IO_STATUS_BLOCK
InitializeObjectAttributes addr oa, addr DataFileName, OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, NULL, NULL
invoke ZwCreateFile, addr hFile, SYNCHRONIZE, addr oa, addr iosb, 0, FILE_ATTRIBUTE_NORMAL, \
0, FILE_CREATE, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0
.if eax == STATUS_SUCCESS
mov hFile, eax
invoke ZwClose, hFile
.else
jmp @exit
.endif
@exit:
ret
MyCreateFile endp
MyReadFile proc
local oa:OBJECT_ATTRIBUTES
local iosb:IO_STATUS_BLOCK
local p:PVOID
local cb:DWORD
local fsi:FILE_STANDARD_INFORMATION
invoke DbgPrint, $CTA0("\nFileWorks: Opening file for reading\n")
InitializeObjectAttributes addr oa, addr DataFileName, OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, NULL, NULL
invoke ZwOpenFile, addr hFile, FILE_READ_DATA + SYNCHRONIZE, addr oa, addr iosb, \
FILE_SHARE_READ + FILE_SHARE_WRITE + FILE_SHARE_DELETE, FILE_SYNCHRONOUS_IO_NONALERT
.if eax == STATUS_SUCCESS
invoke DbgPrint, $CTA0("File openeded\n")
invoke ZwQueryInformationFile, hFile, addr iosb, addr fsi, sizeof fsi, FileStandardInformation
.if eax == STATUS_SUCCESS
mov eax, fsi.EndOfFile.LowPart
inc eax
mov cb, eax
invoke ExAllocatePool, PagedPool, cb
.if eax != NULL
mov p, eax
invoke RtlZeroMemory, p, cb
invoke ZwReadFile, hFile, 0, NULL, NULL, addr iosb, p, cb, 0, NULL
.if eax == STATUS_SUCCESS
invoke DbgPrint, $CTA0("File content: \=%s\=\n"), p
.else
invoke DbgPrint, $CTA0("Can't read from the file. Status: %08X\n"), eax
.endif
invoke ExFreePool, p
.else
invoke DbgPrint, $CTA0("Can't allocate memory. Status: %08X\n"), eax
.endif
.else
invoke DbgPrint, $CTA0("Can't query file size. Status: %08X\n"), eax
.endif
invoke ZwClose, hFile
.else
invoke DbgPrint, $CTA0("Can't open file. Status: %08X\n"), eax
.endif
ret
MyReadFile endp
MyWriteFile proc
local oa:OBJECT_ATTRIBUTES
local iosb:IO_STATUS_BLOCK
invoke DbgPrint, $CTA0("\ Opening file for writing\n")
InitializeObjectAttributes addr oa, addr DataFileName, OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, NULL, NULL
invoke ZwCreateFile, addr hFile, FILE_WRITE_DATA + SYNCHRONIZE, addr oa, addr iosb, \
0, 0, FILE_SHARE_READ, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0
.if eax == STATUS_SUCCESS
invoke DbgPrint, $CTA0("File openeded\n")
CTA0 "Data can be written to an open file", g_szData, 4
invoke ZwWriteFile, hFile, 0, NULL, NULL, addr iosb, addr g_szData, sizeof g_szData - 1, NULL, NULL
.if eax == STATUS_SUCCESS
invoke DbgPrint, $CTA0(" File was written\n")
.else
invoke DbgPrint, $CTA0("Can't write to the file. Status: %08X\n"), eax
.endif
invoke ZwClose, hFile
.else
invoke DbgPrint, $CTA0("Can't open file. Status: %08X\n"), eax
.endif
ret
MyWriteFile endp
MyCloseFile proc near
invoke ZwClose,hFile
xor eax, eax
ret
MyCloseFile endp
end DriverEntry
请教各位高手,上面的汇编应该如何按DUMP的数据进行修改呢。请高手指点。谢谢!
; code by laomms 2007.4.25
;===================================================================================
.386
.model flat, stdcall
option casemap:none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include w2k\ntstatus.inc
include w2k\ntddk.inc
include w2k\ntoskrnl.inc
includelib d:\masm32\lib\w2k\ntoskrnl.lib
include Strings.mac
include Sentinel.Inc
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data
datfile dw '\','?','?','\','c',':','\','s','u','p','e','r','p','r','o','.','d','a','t',0,0
hFile dd 0
Buffer1 dw 0
Buffer2 dw 0
Buffer3 dw 0
Buffer4 dw 0
Buffer5 dw 64 dup(0)
Buffer6 dw 0
db 128 dup(0)
Buffer7 dd 0
db 24 dup(0)
Buffer8 db 4 dup(0)
Buffer9 dd 0
db 512 dup(0)
Buffer dd 0
data1 dd 0
data2 dd 0
data3 dd 0
data4 dd 0
db 16 dup(0)
data5 db 4 dup(0)
data6 dd 0
data7 dd 0
db 256 dup(0)
data8 dd 0
.const
CCOUNTED_UNICODE_STRING "\\Device\\RNBODEV0",DONGLE_DEVICE_NAME,4
CCOUNTED_UNICODE_STRING "\\Device\\RNBODEV1",DeviceString,4
CCOUNTED_UNICODE_STRING "\\DosDevices\\RNBODRV0",SymbolicLinkName,4
CCOUNTED_UNICODE_STRING "\\DosDevices\\RNBODRV1",DestinationString,4
CCOUNTED_UNICODE_STRING "\\??\\c:\\superpro.dat", DataFileName, 4
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
DriverEntry proc pDriverObject:PDRIVER_OBJECT,RegistryPath:PUNICODE_STRING
LOCAL deviceNameUnicodeString,deviceLinkUnicodeString:UNICODE_STRING
LOCAL status:NTSTATUS
LOCAL pDeviceObject:PVOID
mov status,STATUS_DEVICE_CONFIGURATION_ERROR
invoke IoCreateDevice, pDriverObject, 0, addr DONGLE_DEVICE_NAME, FILE_DEVICE_UNKNOWN, \
0, FALSE, addr pDeviceObject
.if eax == STATUS_SUCCESS
invoke IoCreateSymbolicLink, addr SymbolicLinkName, addr DONGLE_DEVICE_NAME
.if eax == STATUS_SUCCESS
mov eax, pDriverObject
assume eax:PTR DRIVER_OBJECT
mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)], offset DispatchCreateClose
mov [eax].MajorFunction[IRP_MJ_CLEANUP*(sizeof PVOID)], offset DispatchCreateClose
mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)], offset DispatchCreateClose
mov [eax].MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)], offset DispatchControl
mov [eax].DriverUnload, offset DriverUnload
assume eax:nothing
mov status, STATUS_SUCCESS
jmp @f
.else
invoke IoDeleteDevice, pDeviceObject
jmp @exit
.endif
.endif
invoke IoCreateDevice, pDriverObject, 0, addr DeviceString, FILE_DEVICE_UNKNOWN, \
0, FALSE, addr pDeviceObject
.if eax == STATUS_SUCCESS
invoke IoCreateSymbolicLink, addr DestinationString, addr DeviceString
.if eax == STATUS_SUCCESS
mov eax, pDriverObject
assume eax:PTR DRIVER_OBJECT
mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)], offset DispatchCreateClose
mov [eax].MajorFunction[IRP_MJ_CLEANUP*(sizeof PVOID)], offset DispatchCreateClose
mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)], offset DispatchCreateClose
mov [eax].MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)], offset DispatchControl
mov [eax].DriverUnload, offset DriverUnload
assume eax:nothing
mov status, STATUS_SUCCESS
jmp @f
.else
invoke IoDeleteDevice, pDeviceObject
jmp @exit
.endif
.endif
@@:
call MyCreateFile
cmp hFile, esi
jz @xor
push 10h ; Length
push esi ; int
push offset Buffer ; Buffer
call MyReadFile
mov eax, Buffer
push 10h
test eax, eax
pop esi
jz @@3
shl eax, 4
push eax ; Length
push esi ; int
push offset data5 ; Buffer
call MyReadFile
mov eax, Buffer
xor ebx, ebx
xor edx, edx
lea esi, [eax+1]
shl esi, 4
test eax, eax
jbe @@4
mov edi, pDriverObject
@@1:
test edx, edx
jnz @@2
mov edi, data6
@@2:
mov ecx, edx
shl ecx, 4
add ebx, data7[ecx]
sub data6[ecx], edi
inc edx
cmp edx, eax
jb @@1
jmp @@4
@@3:
mov ebx, pDriverObject
@@4:
mov edi, 80h
mov Buffer7, esi
push edi ; Length
push esi ; int
push Buffer1 ; Buffer
call MyReadFile
add esi, edi
push edi ; Length
push esi ; int
push offset Buffer6 ; Buffer
call MyReadFile
test ebx, ebx
jbe @xor
mov eax, ebx
add esi, edi
shl eax, 3
push eax ; Length
push esi ; int
push offset Buffer8 ; Buffer
call MyReadFile
@xor:
xor eax, eax
@exit:
pop edi
pop esi
pop ebx
leave
retn 8
DriverEntry endp
DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
mov eax, pIrp
assume eax:ptr _IRP
mov [eax].IoStatus.Status, STATUS_SUCCESS
and [eax].IoStatus.Information, 0
assume eax:nothing
fastcall IofCompleteRequest, pIrp, IO_NO_INCREMENT
mov eax, STATUS_SUCCESS
ret
DispatchCreateClose endp
DriverUnload proc pDriverObject:PDRIVER_OBJECT
invoke IoDeleteSymbolicLink, addr SymbolicLinkName
invoke IoDeleteSymbolicLink, addr DestinationString
mov eax, pDriverObject
invoke IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject
ret
DriverUnload endp
DispatchControl proc near ; DATA XREF: start+B3o
var_418 = dword ptr -418h
var_412 = word ptr -412h
var_408 = dword ptr -408h
var_404 = dword ptr -404h
var_400 = dword ptr -400h
var_3F8 = dword ptr -3F8h
var_3E8 = byte ptr -3E8h
var_3E4 = word ptr -3E4h
var_3E2 = word ptr -3E2h
var_3E0 = word ptr -3E0h
var_3DE = word ptr -3DEh
var_3DC = dword ptr -3DCh
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_1 = byte ptr -1
pIrp = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 418h
mov eax, [ebp+pIrp]
push ebx
push esi
mov edx, 100h
mov ebx, [eax+3Ch]
push edi
mov ecx, edx
mov esi, ebx
lea edi, [ebp+var_418]
mov [ebp+var_14], ebx
rep movsd
cmp [ebp+var_408], 80003h
jnz @@1
and [ebp+var_412], 0
mov ecx, edx
lea esi, [ebp+var_418]
mov edi, ebx
rep movsd
and dword ptr [eax+18h], 0
mov dword ptr [eax+1Ch], 400h
xor dl, dl
mov ecx, eax
jmp @@exit
@@1:
mov esi, [ebp+var_404]
mov edi, [ebp+var_400]
mov [ebp+var_10], esi
xor ebx, ebx
mov [ebp+var_18], esi
mov [ebp+var_1], 1
@@2:
movsx eax, [ebp+var_1]
dec eax
push eax
push esi
call func1
cmp eax, edi
jz @@3
inc [ebp+var_1]
cmp [ebp+var_1], 3
jl @@2
jmp @@4
@@3:
mov esi, ebx
mov [ebp+var_404], esi
@@4:
cmp [ebp+var_1], 3
jnz @@7
mov eax, [ebp+var_1C]
push eax
mov data8, eax
call func4
lea eax, [ebp+var_C]
mov [ebp+var_8], esi
push eax
lea eax, [ebp+var_8]
push eax
mov [ebp+var_C], edi
call func6
xor ebx, ebx
cmp [ebp+var_8], ebx
jnz @@6
cmp [ebp+var_C], ebx
jnz @@6
push 7Ch
mov [ebp+var_404], ebx
mov [ebp+var_400], ebx
lea esi, [ebp+var_3F8]
pop edi
@@5:
mov eax, [esi-4]
mov [ebp+var_8], eax
mov eax, [esi]
mov [ebp+var_C], eax
lea eax, [ebp+var_C]
push eax
lea eax, [ebp+var_8]
push eax
call func5
mov eax, [ebp+var_8]
mov [esi-4], eax
mov eax, [ebp+var_C]
mov [esi], eax
add esi, 8
dec edi
jnz @@5
jmp @@11
@@6:
mov [ebp+var_412], bx
jmp @@34
@@7:
push 1
lea esi, [ebp+var_400]
pop edi
@@8:
lea eax, [edi-3]
push 4
cdq
pop ecx
idiv ecx
movsx eax, [ebp+var_1]
test edx, edx
jz @@9
dec eax
push eax
push [ebp+var_10]
call func1
jmp @@10
@@9:
dec eax
push eax
push [ebp+var_10]
call func2
@@10:
mov ecx, [esi]
xor eax, ecx
inc edi
mov [esi], eax
add esi, 4
cmp edi, 0FAh
mov [ebp+var_10], ecx
jle @@8
xor ebx, ebx
@@11:
movzx eax, [ebp+var_3E8]
cmp eax, 0Bh
jg @@15
jz @@14
dec eax
jz @13
dec eax
dec eax
jz @@27
sub eax, 5
jz @12
dec eax
jz @@27
dec eax
jnz @@28
cmp [ebp+var_3E4], 40h
mov [ebp+var_412], 3
jnb @@28
movzx eax, [ebp+var_3E4]
mov ax, Buffer1[eax*2]
mov [ebp+var_3E2], ax
jmp @@27
@12:
mov ax, Buffer2
mov [ebp+var_412], 3
cmp [ebp+var_3DE], ax
jnz @@28
mov [ebp+var_3E4], ax
jmp @@27
@13:
mov [ebp+var_3E4], 3207h
mov [ebp+var_3E2], 508h
jmp @@27
@@14:
cmp [ebp+var_3E4], 40h
mov [ebp+var_412], 3
jnb @@28
movzx eax, [ebp+var_3E4]
shl eax, 1
mov cx, Buffer1[eax]
mov ax, Buffer6[eax]
mov [ebp+var_3E2], cx
mov [ebp+var_3E0], ax
jmp @@27
@@15:
sub eax, 0Ch
jz @@25
dec eax
jz @@23
dec eax
jz @@22
dec eax
jz @@21
dec eax
jnz @@28
mov ecx, Buffer
xor eax, eax
cmp ecx, ebx
jbe @@17
movzx esi, [ebp+var_3E4]
mov edx, offset data5
@@16:
cmp [edx], esi
jz @@17
inc eax
add edx, 10h
cmp eax, ecx
jb @@16
@@17:
cmp eax, ecx
jnz @@18
mov [ebp+var_412], 3
jmp @@28
@@18:
shl eax, 4
xor edx, edx
mov ecx, data6[eax]
mov eax, data7[eax]
cmp eax, ebx
jbe @@27
lea esi, Buffer8[ecx*4]
@@19:
mov edi, [esi]
cmp edi, [ebp+var_3DC]
jz @@20
inc edx
add esi, 8
cmp edx, eax
jb @@19
jmp @@27
@@20:
lea eax, [ecx+edx*2]
mov eax, Buffer9[eax*4]
mov [ebp+var_3DC], eax
jmp @@27
@@21:
cmp [ebp+var_3E4], 40h
mov [ebp+var_412], 3
jnb @@28
movzx eax, [ebp+var_3E4]
cmp Buffer6[eax*2], 3
jnz @@28
jmp @@27
@@22:
cmp [ebp+var_3E4], 40h
mov [ebp+var_412], 3
jnb @@28
mov ax, [ebp+var_3DE]
cmp ax, Buffer3
jnz @@28
mov ax, word ptr [ebp+var_3DC]
cmp ax, Buffer4
jnz @@28
mov ax, word ptr [ebp+var_3DC+2]
cmp ax, Buffer5
jmp @@24
@@23:
cmp [ebp+var_3E4], 40h
mov [ebp+var_412], 3
jnb @@28
mov ax, [ebp+var_3DE]
cmp ax, Buffer3
@@24:
jnz @@28
movzx eax, [ebp+var_3E4]
mov cx, [ebp+var_3E2]
mov Buffer1[eax*2], cx
jmp @@26
@@25:
cmp [ebp+var_3E4], 40h
mov [ebp+var_412], 3
jnb @@28
mov ax, [ebp+var_3DE]
cmp ax, Buffer3
jnz @@28
movzx eax, [ebp+var_3E4]
dec Buffer1[eax*2]
lea eax, Buffer1[eax*2]
@@26:
call MyCreateFile
cmp hFile, ebx
jz @@27
push 80h ; Length
push Buffer7 ; int
push Buffer1 ; Buffer
call MyWriteFile
call MyCloseFile
@@27: ;
mov [ebp+var_412], bx
@@28:
cmp [ebp+var_1], 1
jl @@32
cmp [ebp+var_1], 2
jg @@32
mov ecx, [ebp+var_18]
push 1
xor ecx, [ebp+var_404]
pop edi
lea esi, [ebp+var_400]
mov [ebp+var_404], ecx
@@29:
lea eax, [edi-3]
push 4
cdq
pop ebx
idiv ebx
movsx eax, [ebp+var_1]
test edx, edx
jz @@30
dec eax
push eax
push ecx
call func1
jmp @@31
@@30:
dec eax
push eax
push ecx
call func2
@@31:
xor [esi], eax
mov ecx, [esi]
inc edi
add esi, 4
cmp edi, 0FAh
jle @@29
xor ebx, ebx
jmp @@34
@@32:
mov eax, [ebp+var_1C]
push eax
mov data8, eax
call func4
push 7Dh
lea esi, [ebp+var_400]
pop edi
@@33:
mov eax, [esi-4]
mov [ebp+var_8], eax
mov eax, [esi]
mov [ebp+var_C], eax
lea eax, [ebp+var_C]
push eax
lea eax, [ebp+var_8]
push eax
call func5
mov eax, [ebp+var_8]
mov [esi-4], eax
mov eax, [ebp+var_C]
mov [esi], eax
add esi, 8
dec edi
jnz @@33
@@34:
mov edi, [ebp+var_14]
mov ecx, 100h
lea esi, [ebp+var_418]
xor dl, dl ; PriorityBoost
rep movsd
mov ecx, [ebp+pIrp] ; Irp
mov [ecx+18h], ebx
mov dword ptr [ecx+1Ch], 400h
@@exit:
call ds:IofCompleteRequest
pop edi
pop esi
xor eax, eax
pop ebx
leave
retn 8
DispatchControl endp
func1 proc near
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = word ptr -8
var_6 = word ptr -6
var_4 = word ptr -4
var_2 = word ptr -2
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 10h
mov edx, [ebp+arg_0]
push ebx
mov ebx, [ebp+arg_4]
mov eax, edx
shr eax, 1Fh
lea ecx, [edx+edx]
push esi
or eax, ecx
mov ecx, edx
shr ecx, 10h
mov [ebp+var_4], 2B8Dh
mov [ebp+var_2], 2E75h
mov si, [ebp+ebx*2+var_4]
xor ecx, eax
imul esi, ecx
mov ecx, 0FFFFh
push edi
mov [ebp+var_8], 27C5h
mov [ebp+var_6], 294Ch
mov di, [ebp+ebx*2+var_8]
and esi, ecx
shr eax, 10h
add edi, esi
xor eax, edx
imul edi, eax
and edi, ecx
mov [ebp+var_10], 27C52B8Dh
mov [ebp+var_C], 294C2E75h
jnz @@1
test esi, esi
jnz @@1
mov eax, [ebp+ebx*4+var_10]
jmp @exit
@@1:
test ebx, ebx
push 10h
push 2
jnz @@2
call func3
imul eax, edi
add eax, esi
jmp @exit
@@2:
call func3
imul eax, esi
add eax, edi
@exit:
pop edi
pop esi
pop ebx
leave
retn 8
func1 endp
func2 proc near
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 1Ch
mov ecx, [ebp+arg_0]
mov eax, [ebp+arg_4]
and [ebp+var_4], 0
mov edx, ecx
push ebx
add eax, eax
push esi
push edi
shr edx, 10h
mov word ptr [ebp+var_8], 2F51h
mov word ptr [ebp+var_8+2], 3105h
mov di, word ptr [ebp+eax+var_8]
inc edx
imul edi, edx
mov esi, 0FFFFh
mov word ptr [ebp+var_C], 4A0Fh
mov word ptr [ebp+var_C+2], 3FE6h
mov bx, word ptr [ebp+eax+var_C]
and edi, esi
inc ecx
imul ebx, ecx
and ebx, esi
and [ebp+var_8], 0
mov [ebp+var_1C], 0FFFFFE1Dh
mov [ebp+var_18], 0E9F19FDFh
@@1:
mov [ebp+var_10], 8
@1:
push 0Ah
push 2
call func3
imul eax, edi
and eax, esi
push 0Ch
push 2
mov [ebp+arg_0], eax
call func3
imul eax, edi
and eax, esi
push 0Dh
xor [ebp+arg_0], eax
push 2
call func3
imul eax, edi
xor eax, [ebp+arg_0]
push 0Fh
push 2
and eax, 8000h
mov [ebp+arg_0], eax
call func3
imul eax, edi
and eax, esi
xor [ebp+arg_0], eax
shr edi, 1
and edi, esi
xor [ebp+arg_0], edi
mov eax, [ebp+arg_0]
not eax
and eax, 1
mov [ebp+var_C], eax
jz @2
push 0Eh
push 2
call func3
imul eax, ebx
mov ecx, ebx
shl ecx, 2
xor ecx, ebx
shl ecx, 1
xor ecx, ebx
and cx, 0C000h
xor eax, ecx
shl eax, 1
and eax, esi
shr ebx, 1
or ebx, eax
@2:
mov ecx, [ebp+var_C]
mov eax, ebx
and eax, 1
mov edi, [ebp+arg_0]
xor ecx, eax
mov eax, [ebp+var_4]
shl ecx, 1
shl eax, 2
or ecx, eax
and ecx, esi
or ecx, [ebp+var_C]
dec [ebp+var_10]
mov [ebp+var_4], ecx
jnz @1
cmp [ebp+var_8], 0
jnz @3
mov eax, ecx
mov [ebp+var_14], eax
jmp @4
@3:
mov ebx, [ebp+var_4]
@4:
inc [ebp+var_8]
cmp [ebp+var_8], 2
jl @@1
mov esi, [ebp+arg_4]
push 10h
test esi, esi
push 2
jnz @@2
call func3
imul eax, [ebp+var_14]
add eax, ebx
jmp @@3
@@2:
call func3
imul eax, ebx
add eax, [ebp+var_14]
@@3:
test eax, eax
jnz @exit
mov eax, [ebp+esi*4+var_1C]
@exit:
pop edi
pop esi
pop ebx
leave
retn 8
func2 endp
func4 proc near
arg_0 = dword ptr 10h
push ebx
push ebp
push esi
mov esi, [esp+arg_0]
push edi
push 1
push esi
call func2
mov edi, eax
push 1
shl esi, 2
xor esi, edi
push esi
call func1
shl esi, 2
xor esi, edi
push 0
push esi
mov ebx, eax
call func2
mov ebp, eax
mov eax, esi
shl eax, 2
xor eax, edi
push 0
push eax
call func1
mov data1, edi
pop edi
mov data3, ebp
pop esi
mov data2, ebx
pop ebp
mov data4, eax
pop ebx
retn 4
func4 endp
func5 proc near
var_8 = dword ptr -8
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
push ecx
mov eax, [ebp+arg_0]
push ebx
push esi
push edi
mov eax, [eax]
xor ebx, ebx
mov [ebp+var_4], eax
mov eax, [ebp+arg_4]
mov [ebp+var_8], 20h
mov edi, [eax]
@@1:
push 4
push 2
sub ebx, 61C88647h
call func3
imul eax, edi
mov ecx, data1
mov esi, edi
shr esi, 5
add esi, data2
add ecx, eax
lea eax, [ebx+edi]
push 4
xor esi, ecx
push 2
xor esi, eax
add esi, [ebp+var_4]
call func3
imul eax, esi
mov edx, data3
mov ecx, esi
shr ecx, 5
add ecx, data4
add edx, eax
lea eax, [esi+ebx]
mov [ebp+var_4], esi
xor ecx, edx
xor ecx, eax
add edi, ecx
dec [ebp+var_8]
jnz @@1
mov eax, [ebp+arg_0]
mov [eax], esi
mov eax, [ebp+arg_4]
mov [eax], edi
pop edi
pop esi
pop ebx
leave
retn 8
func5 endp
func6 proc near
var_4 = dword ptr -4
arg_0 = dword ptr 8
arg_4 = dword ptr 0Ch
push ebp
mov ebp, esp
push ecx
mov eax, [ebp+arg_0]
push ebx
push esi
push edi
mov ebx, [eax]
mov eax, [ebp+arg_4]
mov edi, 0C6EF3720h
mov [ebp+var_4], 20h
mov esi, [eax]
@@:
push 4
push 2
call func3
imul eax, ebx
mov edx, ebx
add edi, 61C88647h
shr edx, 5
add edx, data4
lea ecx, [edi+ebx-61C88647h]
push 4
push 2
xor ecx, edx
mov edx, data3
add edx, eax
xor ecx, edx
sub esi, ecx
call func3
imul eax, esi
mov edx, esi
lea ecx, [esi+edi-61C88647h]
shr edx, 5
add edx, data2
xor ecx, edx
mov edx, data1
add edx, eax
xor ecx, edx
sub ebx, ecx
dec [ebp+var_4]
jnz @b
mov eax, [ebp+arg_0]
pop edi
mov [eax], ebx
mov eax, [ebp+arg_4]
mov [eax], esi
pop esi
pop ebx
leave
retn 8
func6 endp
func3 proc near
mov ecx, [esp+4]
mov eax, [esp+8]
cmp ecx, 1
jbe @exit
dec ecx
@@:
imul eax, [esp+arg_0]
dec ecx
jnz @b
@exit:
ret
func3 endp
MyCreateFile proc
local oa:OBJECT_ATTRIBUTES
local iosb:IO_STATUS_BLOCK
InitializeObjectAttributes addr oa, addr DataFileName, OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, NULL, NULL
invoke ZwCreateFile, addr hFile, SYNCHRONIZE, addr oa, addr iosb, 0, FILE_ATTRIBUTE_NORMAL, \
0, FILE_CREATE, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0
.if eax == STATUS_SUCCESS
mov hFile, eax
invoke ZwClose, hFile
.else
jmp @exit
.endif
@exit:
ret
MyCreateFile endp
MyReadFile proc
local oa:OBJECT_ATTRIBUTES
local iosb:IO_STATUS_BLOCK
local p:PVOID
local cb:DWORD
local fsi:FILE_STANDARD_INFORMATION
invoke DbgPrint, $CTA0("\nFileWorks: Opening file for reading\n")
InitializeObjectAttributes addr oa, addr DataFileName, OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, NULL, NULL
invoke ZwOpenFile, addr hFile, FILE_READ_DATA + SYNCHRONIZE, addr oa, addr iosb, \
FILE_SHARE_READ + FILE_SHARE_WRITE + FILE_SHARE_DELETE, FILE_SYNCHRONOUS_IO_NONALERT
.if eax == STATUS_SUCCESS
invoke DbgPrint, $CTA0("File openeded\n")
invoke ZwQueryInformationFile, hFile, addr iosb, addr fsi, sizeof fsi, FileStandardInformation
.if eax == STATUS_SUCCESS
mov eax, fsi.EndOfFile.LowPart
inc eax
mov cb, eax
invoke ExAllocatePool, PagedPool, cb
.if eax != NULL
mov p, eax
invoke RtlZeroMemory, p, cb
invoke ZwReadFile, hFile, 0, NULL, NULL, addr iosb, p, cb, 0, NULL
.if eax == STATUS_SUCCESS
invoke DbgPrint, $CTA0("File content: \=%s\=\n"), p
.else
invoke DbgPrint, $CTA0("Can't read from the file. Status: %08X\n"), eax
.endif
invoke ExFreePool, p
.else
invoke DbgPrint, $CTA0("Can't allocate memory. Status: %08X\n"), eax
.endif
.else
invoke DbgPrint, $CTA0("Can't query file size. Status: %08X\n"), eax
.endif
invoke ZwClose, hFile
.else
invoke DbgPrint, $CTA0("Can't open file. Status: %08X\n"), eax
.endif
ret
MyReadFile endp
MyWriteFile proc
local oa:OBJECT_ATTRIBUTES
local iosb:IO_STATUS_BLOCK
invoke DbgPrint, $CTA0("\ Opening file for writing\n")
InitializeObjectAttributes addr oa, addr DataFileName, OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, NULL, NULL
invoke ZwCreateFile, addr hFile, FILE_WRITE_DATA + SYNCHRONIZE, addr oa, addr iosb, \
0, 0, FILE_SHARE_READ, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0
.if eax == STATUS_SUCCESS
invoke DbgPrint, $CTA0("File openeded\n")
CTA0 "Data can be written to an open file", g_szData, 4
invoke ZwWriteFile, hFile, 0, NULL, NULL, addr iosb, addr g_szData, sizeof g_szData - 1, NULL, NULL
.if eax == STATUS_SUCCESS
invoke DbgPrint, $CTA0(" File was written\n")
.else
invoke DbgPrint, $CTA0("Can't write to the file. Status: %08X\n"), eax
.endif
invoke ZwClose, hFile
.else
invoke DbgPrint, $CTA0("Can't open file. Status: %08X\n"), eax
.endif
ret
MyWriteFile endp
MyCloseFile proc near
invoke ZwClose,hFile
xor eax, eax
ret
MyCloseFile endp
end DriverEntry
请教各位高手,上面的汇编应该如何按DUMP的数据进行修改呢。请高手指点。谢谢!
赞赏
他的文章
看原图
赞赏
雪币:
留言: