[求助]Sentinel 驱动模拟应该如何修改呢-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[求助]Sentinel 驱动模拟应该如何修改呢

发表于: 2011-2-23 18:56 5595

[求助]Sentinel 驱动模拟应该如何修改呢

lixiangren 活跃值

2011-2-23 18:56

5595

;===================================================================================

; code by laomms 2007.4.25

;===================================================================================

.386

.model flat, stdcall

option casemap:none

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

include w2k\ntstatus.inc

include w2k\ntddk.inc

include w2k\ntoskrnl.inc

includelib d:\masm32\lib\w2k\ntoskrnl.lib

include Strings.mac

include Sentinel.Inc

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

.data

datfile       dw '\','?','?','\','c',':','\','s','u','p','e','r','p','r','o','.','d','a','t',0,0

hFile dd 0

Buffer1  dw 0

Buffer2       dw 0

Buffer3       dw 0

Buffer4       dw 0

Buffer5       dw 64 dup(0)

Buffer6       dw 0

  db 128 dup(0)

Buffer7       dd 0

  db 24 dup(0)

Buffer8       db 4 dup(0)

Buffer9       dd 0

  db 512 dup(0)



Buffer  dd 0

data1       dd 0

data2       dd 0

data3       dd 0

data4       dd 0

  db 16 dup(0)

data5       db 4 dup(0)

data6       dd 0

data7       dd 0

  db 256 dup(0)



data8       dd 0

.const

CCOUNTED_UNICODE_STRING "\\Device\\RNBODEV0",DONGLE_DEVICE_NAME,4

CCOUNTED_UNICODE_STRING "\\Device\\RNBODEV1",DeviceString,4

CCOUNTED_UNICODE_STRING                "\\DosDevices\\RNBODRV0",SymbolicLinkName,4

CCOUNTED_UNICODE_STRING                "\\DosDevices\\RNBODRV1",DestinationString,4

CCOUNTED_UNICODE_STRING                "\\??\\c:\\superpro.dat", DataFileName, 4



;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

.code

DriverEntry proc pDriverObject:PDRIVER_OBJECT,RegistryPath:PUNICODE_STRING

LOCAL deviceNameUnicodeString,deviceLinkUnicodeString:UNICODE_STRING

LOCAL status:NTSTATUS

LOCAL pDeviceObject:PVOID

   mov status,STATUS_DEVICE_CONFIGURATION_ERROR

   invoke IoCreateDevice, pDriverObject, 0, addr DONGLE_DEVICE_NAME, FILE_DEVICE_UNKNOWN, \

                                          0, FALSE, addr pDeviceObject



   .if eax == STATUS_SUCCESS

         invoke IoCreateSymbolicLink, addr SymbolicLinkName, addr DONGLE_DEVICE_NAME

         .if eax == STATUS_SUCCESS

            mov eax, pDriverObject

            assume eax:PTR DRIVER_OBJECT

            mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)], offset DispatchCreateClose

            mov [eax].MajorFunction[IRP_MJ_CLEANUP*(sizeof PVOID)], offset DispatchCreateClose

            mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)], offset DispatchCreateClose

            mov [eax].MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)], offset DispatchControl

            mov [eax].DriverUnload, offset DriverUnload

            assume eax:nothing

            mov status, STATUS_SUCCESS

            jmp @f

         .else

            invoke IoDeleteDevice, pDeviceObject

            jmp @exit

         .endif

   .endif



   invoke IoCreateDevice, pDriverObject, 0, addr DeviceString, FILE_DEVICE_UNKNOWN, \

                                          0, FALSE, addr pDeviceObject



   .if eax == STATUS_SUCCESS

         invoke IoCreateSymbolicLink, addr DestinationString, addr DeviceString

         .if eax == STATUS_SUCCESS

            mov eax, pDriverObject

            assume eax:PTR DRIVER_OBJECT

            mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)], offset DispatchCreateClose

            mov [eax].MajorFunction[IRP_MJ_CLEANUP*(sizeof PVOID)], offset DispatchCreateClose

            mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)], offset DispatchCreateClose

            mov [eax].MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)], offset DispatchControl

            mov [eax].DriverUnload, offset DriverUnload

            assume eax:nothing

            mov status, STATUS_SUCCESS

            jmp @f

         .else

            invoke IoDeleteDevice, pDeviceObject

            jmp @exit

         .endif

   .endif



@@:

            call MyCreateFile

  cmp hFile, esi

  jz @xor

  push 10h  ; Length

  push esi  ; int

  push offset Buffer ; Buffer

  call MyReadFile

  mov eax, Buffer

  push 10h

  test eax, eax

  pop esi

  jz @@3

  shl eax, 4

  push eax  ; Length

  push esi  ; int

  push offset data5 ; Buffer

  call MyReadFile

  mov eax, Buffer

  xor ebx, ebx

  xor edx, edx

  lea esi, [eax+1]

  shl esi, 4

  test eax, eax

  jbe @@4

  mov edi, pDriverObject

@@1:

  test edx, edx

  jnz @@2

  mov edi, data6

@@2:

  mov ecx, edx

  shl ecx, 4

  add ebx, data7[ecx]

  sub data6[ecx], edi

  inc edx

  cmp edx, eax

  jb @@1

  jmp @@4

@@3:

  mov ebx, pDriverObject

@@4:

  mov edi, 80h

  mov Buffer7, esi

  push edi  ; Length

  push esi  ; int

  push Buffer1 ; Buffer

  call MyReadFile

  add esi, edi

  push edi  ; Length

  push esi  ; int

  push offset Buffer6 ; Buffer

  call MyReadFile

  test ebx, ebx

  jbe @xor

  mov eax, ebx

  add esi, edi

  shl eax, 3

  push eax  ; Length

  push esi  ; int

  push offset Buffer8 ; Buffer

  call MyReadFile

@xor:

  xor eax, eax

@exit:



  pop edi

  pop esi

  pop ebx

  leave

  retn 8

DriverEntry endp

DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP

   mov eax, pIrp

   assume eax:ptr _IRP

   mov [eax].IoStatus.Status, STATUS_SUCCESS

   and [eax].IoStatus.Information, 0

   assume eax:nothing

   fastcall IofCompleteRequest, pIrp, IO_NO_INCREMENT

   mov eax, STATUS_SUCCESS

   ret

DispatchCreateClose endp

DriverUnload proc pDriverObject:PDRIVER_OBJECT

   invoke IoDeleteSymbolicLink, addr SymbolicLinkName

   invoke IoDeleteSymbolicLink, addr DestinationString

   mov eax, pDriverObject

   invoke IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject

   ret

DriverUnload endp

DispatchControl proc near  ; DATA XREF: start+B3o

var_418  = dword ptr -418h

var_412  = word ptr -412h

var_408  = dword ptr -408h

var_404  = dword ptr -404h

var_400  = dword ptr -400h

var_3F8  = dword ptr -3F8h

var_3E8  = byte ptr -3E8h

var_3E4  = word ptr -3E4h

var_3E2  = word ptr -3E2h

var_3E0  = word ptr -3E0h

var_3DE  = word ptr -3DEh

var_3DC  = dword ptr -3DCh

var_1C  = dword ptr -1Ch

var_18  = dword ptr -18h

var_14  = dword ptr -14h

var_10  = dword ptr -10h

var_C  = dword ptr -0Ch

var_8  = dword ptr -8

var_1  = byte ptr -1

pIrp  = dword ptr  0Ch

  push ebp

  mov ebp, esp

  sub esp, 418h

  mov eax, [ebp+pIrp]

  push ebx

  push esi

  mov edx, 100h

  mov ebx, [eax+3Ch]

  push edi

  mov ecx, edx

  mov esi, ebx

  lea edi, [ebp+var_418]

  mov [ebp+var_14], ebx

  rep movsd

  cmp [ebp+var_408], 80003h

  jnz @@1

  and [ebp+var_412], 0

  mov ecx, edx

  lea esi, [ebp+var_418]

  mov edi, ebx

  rep movsd

  and dword ptr [eax+18h], 0

  mov dword ptr [eax+1Ch], 400h

  xor dl, dl

  mov ecx, eax

  jmp @@exit

@@1:

  mov esi, [ebp+var_404]

  mov edi, [ebp+var_400]

  mov [ebp+var_10], esi

  xor ebx, ebx

  mov [ebp+var_18], esi

  mov [ebp+var_1], 1

@@2:

  movsx eax, [ebp+var_1]

  dec eax

  push eax

  push esi

  call func1

  cmp eax, edi

  jz @@3

  inc [ebp+var_1]

  cmp [ebp+var_1], 3

  jl @@2

  jmp @@4

@@3:

  mov esi, ebx

  mov [ebp+var_404], esi

@@4:

  cmp [ebp+var_1], 3

  jnz @@7

  mov eax, [ebp+var_1C]

  push eax

  mov data8, eax

  call func4

  lea eax, [ebp+var_C]

  mov [ebp+var_8], esi

  push eax

  lea eax, [ebp+var_8]

  push eax

  mov [ebp+var_C], edi

  call func6

  xor ebx, ebx

  cmp [ebp+var_8], ebx

  jnz @@6

  cmp [ebp+var_C], ebx

  jnz @@6

  push 7Ch

  mov [ebp+var_404], ebx

  mov [ebp+var_400], ebx

  lea esi, [ebp+var_3F8]

  pop edi

@@5:

  mov eax, [esi-4]

  mov [ebp+var_8], eax

  mov eax, [esi]

  mov [ebp+var_C], eax

  lea eax, [ebp+var_C]

  push eax

  lea eax, [ebp+var_8]

  push eax

  call func5

  mov eax, [ebp+var_8]

  mov [esi-4], eax

  mov eax, [ebp+var_C]

  mov [esi], eax

  add esi, 8

  dec edi

  jnz @@5

  jmp @@11

@@6:

  mov [ebp+var_412], bx

  jmp @@34

@@7:

  push 1

  lea esi, [ebp+var_400]

  pop edi

@@8:

  lea eax, [edi-3]

  push 4

  cdq

  pop ecx

  idiv ecx

  movsx eax, [ebp+var_1]

  test edx, edx

  jz @@9

  dec eax

  push eax

  push [ebp+var_10]

  call func1

  jmp @@10

@@9:

  dec eax

  push eax

  push [ebp+var_10]

  call func2

@@10:

  mov ecx, [esi]

  xor eax, ecx

  inc edi

  mov [esi], eax

  add esi, 4

  cmp edi, 0FAh

  mov [ebp+var_10], ecx

  jle @@8

  xor ebx, ebx

@@11:

  movzx eax, [ebp+var_3E8]

  cmp eax, 0Bh

  jg @@15

  jz @@14

  dec eax

  jz @13

  dec eax

  dec eax

  jz @@27

  sub eax, 5

  jz @12

  dec eax

  jz @@27

  dec eax

  jnz @@28

  cmp [ebp+var_3E4], 40h

  mov [ebp+var_412], 3

  jnb @@28

  movzx eax, [ebp+var_3E4]

  mov ax, Buffer1[eax*2]

  mov [ebp+var_3E2], ax

  jmp @@27

@12:

  mov ax, Buffer2

  mov [ebp+var_412], 3

  cmp [ebp+var_3DE], ax

  jnz @@28

  mov [ebp+var_3E4], ax

  jmp @@27

@13:

  mov [ebp+var_3E4], 3207h

  mov [ebp+var_3E2], 508h

  jmp @@27

@@14:

  cmp [ebp+var_3E4], 40h

  mov [ebp+var_412], 3

  jnb @@28

  movzx eax, [ebp+var_3E4]

  shl eax, 1

  mov cx, Buffer1[eax]

  mov ax, Buffer6[eax]

  mov [ebp+var_3E2], cx

  mov [ebp+var_3E0], ax

  jmp @@27

@@15:

  sub eax, 0Ch

  jz @@25

  dec eax

  jz @@23

  dec eax

  jz @@22

  dec eax

  jz @@21

  dec eax

  jnz @@28

  mov ecx, Buffer

  xor eax, eax

  cmp ecx, ebx

  jbe @@17

  movzx esi, [ebp+var_3E4]

  mov edx, offset data5

@@16:

  cmp [edx], esi

  jz @@17

  inc eax

  add edx, 10h

  cmp eax, ecx

  jb @@16

@@17:

  cmp eax, ecx

  jnz @@18

  mov [ebp+var_412], 3

  jmp @@28

@@18:

  shl eax, 4

  xor edx, edx

  mov ecx, data6[eax]

  mov eax, data7[eax]

  cmp eax, ebx

  jbe @@27

  lea esi, Buffer8[ecx*4]

@@19:

  mov edi, [esi]

  cmp edi, [ebp+var_3DC]

  jz @@20

  inc edx

  add esi, 8

  cmp edx, eax

  jb @@19

  jmp @@27

@@20:

  lea eax, [ecx+edx*2]

  mov eax, Buffer9[eax*4]

  mov [ebp+var_3DC], eax

  jmp @@27

@@21:

  cmp [ebp+var_3E4], 40h

  mov [ebp+var_412], 3

  jnb @@28

  movzx eax, [ebp+var_3E4]

  cmp Buffer6[eax*2], 3

  jnz @@28

  jmp @@27

@@22:

  cmp [ebp+var_3E4], 40h

  mov [ebp+var_412], 3

  jnb @@28

  mov ax, [ebp+var_3DE]

  cmp ax, Buffer3

  jnz @@28

  mov ax, word ptr [ebp+var_3DC]

  cmp ax, Buffer4

  jnz @@28

  mov ax, word ptr [ebp+var_3DC+2]

  cmp ax, Buffer5

  jmp @@24

@@23:

  cmp [ebp+var_3E4], 40h

  mov [ebp+var_412], 3

  jnb @@28

  mov ax, [ebp+var_3DE]

  cmp ax, Buffer3

@@24:

  jnz @@28

  movzx eax, [ebp+var_3E4]

  mov cx, [ebp+var_3E2]

  mov Buffer1[eax*2], cx

  jmp @@26

@@25:

  cmp [ebp+var_3E4], 40h

  mov [ebp+var_412], 3

  jnb @@28

  mov ax, [ebp+var_3DE]

  cmp ax, Buffer3

  jnz @@28

  movzx eax, [ebp+var_3E4]

  dec Buffer1[eax*2]

  lea eax, Buffer1[eax*2]

@@26:

  call MyCreateFile

  cmp hFile, ebx

  jz @@27

  push 80h  ; Length

  push Buffer7 ; int

  push Buffer1 ; Buffer

  call MyWriteFile

  call MyCloseFile

@@27: ;

  mov [ebp+var_412], bx

@@28:

  cmp [ebp+var_1], 1

  jl @@32

  cmp [ebp+var_1], 2

  jg @@32

  mov ecx, [ebp+var_18]

  push 1

  xor ecx, [ebp+var_404]

  pop edi

  lea esi, [ebp+var_400]

  mov [ebp+var_404], ecx

@@29:

  lea eax, [edi-3]

  push 4

  cdq

  pop ebx

  idiv ebx

  movsx eax, [ebp+var_1]

  test edx, edx

  jz @@30

  dec eax

  push eax

  push ecx

  call func1

  jmp @@31

@@30:

  dec eax

  push eax

  push ecx

  call func2

@@31:

  xor [esi], eax

  mov ecx, [esi]

  inc edi

  add esi, 4

  cmp edi, 0FAh

  jle @@29

  xor ebx, ebx

  jmp @@34

@@32:

  mov eax, [ebp+var_1C]

  push eax

  mov data8, eax

  call func4

  push 7Dh

  lea esi, [ebp+var_400]

  pop edi

@@33:

  mov eax, [esi-4]

  mov [ebp+var_8], eax

  mov eax, [esi]

  mov [ebp+var_C], eax

  lea eax, [ebp+var_C]

  push eax

  lea eax, [ebp+var_8]

  push eax

  call func5

  mov eax, [ebp+var_8]

  mov [esi-4], eax

  mov eax, [ebp+var_C]

  mov [esi], eax

  add esi, 8

  dec edi

  jnz @@33

@@34:

  mov edi, [ebp+var_14]

  mov ecx, 100h

  lea esi, [ebp+var_418]

  xor dl, dl  ; PriorityBoost

  rep movsd

  mov ecx, [ebp+pIrp] ; Irp

  mov [ecx+18h], ebx

  mov dword ptr [ecx+1Ch], 400h

@@exit:

  call ds:IofCompleteRequest

  pop edi

  pop esi

  xor eax, eax

  pop ebx

  leave

  retn 8

DispatchControl endp

func1 proc near

var_10  = dword ptr -10h

var_C  = dword ptr -0Ch

var_8  = word ptr -8

var_6  = word ptr -6

var_4  = word ptr -4

var_2  = word ptr -2

arg_0  = dword ptr  8

arg_4  = dword ptr  0Ch

  push ebp

  mov ebp, esp

  sub esp, 10h

  mov edx, [ebp+arg_0]

  push ebx

  mov ebx, [ebp+arg_4]

  mov eax, edx

  shr eax, 1Fh

  lea ecx, [edx+edx]

  push esi

  or eax, ecx

  mov ecx, edx

  shr ecx, 10h

  mov [ebp+var_4], 2B8Dh

  mov [ebp+var_2], 2E75h

  mov si, [ebp+ebx*2+var_4]

  xor ecx, eax

  imul esi, ecx

  mov ecx, 0FFFFh

  push edi

  mov [ebp+var_8], 27C5h

  mov [ebp+var_6], 294Ch

  mov di, [ebp+ebx*2+var_8]

  and esi, ecx

  shr eax, 10h

  add edi, esi

  xor eax, edx

  imul edi, eax

  and edi, ecx

  mov [ebp+var_10], 27C52B8Dh

  mov [ebp+var_C], 294C2E75h

  jnz @@1

  test esi, esi

  jnz @@1

  mov eax, [ebp+ebx*4+var_10]

  jmp @exit

@@1:

  test ebx, ebx

  push 10h

  push 2

  jnz @@2

  call func3

  imul eax, edi

  add eax, esi

  jmp @exit

@@2:

  call func3

  imul eax, esi

  add eax, edi

@exit:

  pop edi

  pop esi

  pop ebx

  leave

  retn 8

func1 endp

func2 proc near

var_1C  = dword ptr -1Ch

var_18  = dword ptr -18h

var_14  = dword ptr -14h

var_10  = dword ptr -10h

var_C  = dword ptr -0Ch

var_8  = dword ptr -8

var_4  = dword ptr -4

arg_0  = dword ptr  8

arg_4  = dword ptr  0Ch

  push ebp

  mov ebp, esp

  sub esp, 1Ch

  mov ecx, [ebp+arg_0]

  mov eax, [ebp+arg_4]

  and [ebp+var_4], 0

  mov edx, ecx

  push ebx

  add eax, eax

  push esi

  push edi

  shr edx, 10h

  mov word ptr [ebp+var_8], 2F51h

  mov word ptr [ebp+var_8+2], 3105h

  mov di, word ptr [ebp+eax+var_8]

  inc edx

  imul edi, edx

  mov esi, 0FFFFh

  mov word ptr [ebp+var_C], 4A0Fh

  mov word ptr [ebp+var_C+2], 3FE6h

  mov bx, word ptr [ebp+eax+var_C]

  and edi, esi

  inc ecx

  imul ebx, ecx

  and ebx, esi

  and [ebp+var_8], 0

  mov [ebp+var_1C], 0FFFFFE1Dh

  mov [ebp+var_18], 0E9F19FDFh

@@1:

  mov [ebp+var_10], 8

@1:

  push 0Ah

  push 2

  call func3

  imul eax, edi

  and eax, esi

  push 0Ch

  push 2

  mov [ebp+arg_0], eax

  call func3

  imul eax, edi

  and eax, esi

  push 0Dh

  xor [ebp+arg_0], eax

  push 2

  call func3

  imul eax, edi

  xor eax, [ebp+arg_0]

  push 0Fh

  push 2

  and eax, 8000h

  mov [ebp+arg_0], eax

  call func3

  imul eax, edi

  and eax, esi

  xor [ebp+arg_0], eax

  shr edi, 1

  and edi, esi

  xor [ebp+arg_0], edi

  mov eax, [ebp+arg_0]

  not eax

  and eax, 1

  mov [ebp+var_C], eax

  jz @2

  push 0Eh

  push 2

  call func3

  imul eax, ebx

  mov ecx, ebx

  shl ecx, 2

  xor ecx, ebx

  shl ecx, 1

  xor ecx, ebx

  and cx, 0C000h

  xor eax, ecx

  shl eax, 1

  and eax, esi

  shr ebx, 1

  or ebx, eax

@2:

  mov ecx, [ebp+var_C]

  mov eax, ebx

  and eax, 1

  mov edi, [ebp+arg_0]

  xor ecx, eax

  mov eax, [ebp+var_4]

  shl ecx, 1

  shl eax, 2

  or ecx, eax

  and ecx, esi

  or ecx, [ebp+var_C]

  dec [ebp+var_10]

  mov [ebp+var_4], ecx

  jnz @1

  cmp [ebp+var_8], 0

  jnz @3

  mov eax, ecx

  mov [ebp+var_14], eax

  jmp @4

@3:

  mov ebx, [ebp+var_4]

@4:

  inc [ebp+var_8]

  cmp [ebp+var_8], 2

  jl @@1

  mov esi, [ebp+arg_4]

  push 10h

  test esi, esi

  push 2

  jnz @@2

  call func3

  imul eax, [ebp+var_14]

  add eax, ebx

  jmp @@3

@@2:

  call func3

  imul eax, ebx

  add eax, [ebp+var_14]

@@3:

  test eax, eax

  jnz @exit

  mov eax, [ebp+esi*4+var_1C]

@exit:

  pop edi

  pop esi

  pop ebx

  leave

  retn 8

func2  endp

func4 proc near

arg_0  = dword ptr  10h

  push ebx

  push ebp

  push esi

  mov esi, [esp+arg_0]

  push edi

  push 1

  push esi

  call func2

  mov edi, eax

  push 1

  shl esi, 2

  xor esi, edi

  push esi

  call func1

  shl esi, 2

  xor esi, edi

  push 0

  push esi

  mov ebx, eax

  call func2

  mov ebp, eax

  mov eax, esi

  shl eax, 2

  xor eax, edi

  push 0

  push eax

  call func1

  mov data1, edi

  pop edi

  mov data3, ebp

  pop esi

  mov data2, ebx

  pop ebp

  mov data4, eax

  pop ebx

  retn 4

func4       endp

func5 proc near

var_8  = dword ptr -8

var_4  = dword ptr -4

arg_0  = dword ptr  8

arg_4  = dword ptr  0Ch

  push ebp

  mov ebp, esp

  push ecx

  push ecx

  mov eax, [ebp+arg_0]

  push ebx

  push esi

  push edi

  mov eax, [eax]

  xor ebx, ebx

  mov [ebp+var_4], eax

  mov eax, [ebp+arg_4]

  mov [ebp+var_8], 20h

  mov edi, [eax]

@@1:

  push 4

  push 2

  sub ebx, 61C88647h

  call func3

  imul eax, edi

  mov ecx, data1

  mov esi, edi

  shr esi, 5

  add esi, data2

  add ecx, eax

  lea eax, [ebx+edi]

  push 4

  xor esi, ecx

  push 2

  xor esi, eax

  add esi, [ebp+var_4]

  call func3

  imul eax, esi

  mov edx, data3

  mov ecx, esi

  shr ecx, 5

  add ecx, data4

  add edx, eax

  lea eax, [esi+ebx]

  mov [ebp+var_4], esi

  xor ecx, edx

  xor ecx, eax

  add edi, ecx

  dec [ebp+var_8]

  jnz @@1

  mov eax, [ebp+arg_0]

  mov [eax], esi

  mov eax, [ebp+arg_4]

  mov [eax], edi

  pop edi

  pop esi

  pop ebx

  leave

  retn 8

func5 endp

func6 proc near

var_4  = dword ptr -4

arg_0  = dword ptr  8

arg_4  = dword ptr  0Ch

  push ebp

  mov ebp, esp

  push ecx

  mov eax, [ebp+arg_0]

  push ebx

  push esi

  push edi

  mov ebx, [eax]

  mov eax, [ebp+arg_4]

  mov edi, 0C6EF3720h

  mov [ebp+var_4], 20h

  mov esi, [eax]

@@:

  push 4

  push 2

  call func3

  imul eax, ebx

  mov edx, ebx

  add edi, 61C88647h

  shr edx, 5

  add edx, data4

  lea ecx, [edi+ebx-61C88647h]

  push 4

  push 2

  xor ecx, edx

  mov edx, data3

  add edx, eax

  xor ecx, edx

  sub esi, ecx

  call func3

  imul eax, esi

  mov edx, esi

  lea ecx, [esi+edi-61C88647h]

  shr edx, 5

  add edx, data2

  xor ecx, edx

  mov edx, data1

  add edx, eax

  xor ecx, edx

  sub ebx, ecx

  dec [ebp+var_4]

  jnz @b

  mov eax, [ebp+arg_0]

  pop edi

  mov [eax], ebx

  mov eax, [ebp+arg_4]

  mov [eax], esi

  pop esi

  pop ebx

  leave

  retn 8

func6 endp

func3       proc near

  mov ecx, [esp+4]

  mov eax, [esp+8]

  cmp ecx, 1

  jbe @exit

  dec ecx

@@:

  imul eax, [esp+arg_0]

  dec ecx

  jnz @b

@exit:

  ret

func3 endp

MyCreateFile proc

local oa:OBJECT_ATTRIBUTES

local iosb:IO_STATUS_BLOCK

            InitializeObjectAttributes addr oa, addr DataFileName, OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, NULL, NULL

            invoke ZwCreateFile, addr hFile, SYNCHRONIZE, addr oa, addr iosb, 0, FILE_ATTRIBUTE_NORMAL, \

                                 0, FILE_CREATE, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0

            .if eax == STATUS_SUCCESS

                     mov hFile, eax

                     invoke ZwClose, hFile

            .else

                     jmp @exit

            .endif

@exit:

            ret



MyCreateFile endp

MyReadFile proc

local oa:OBJECT_ATTRIBUTES

local iosb:IO_STATUS_BLOCK

local p:PVOID

local cb:DWORD

local fsi:FILE_STANDARD_INFORMATION

invoke DbgPrint, $CTA0("\nFileWorks: Opening file for reading\n")

InitializeObjectAttributes addr oa, addr DataFileName, OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, NULL, NULL

invoke ZwOpenFile, addr hFile, FILE_READ_DATA + SYNCHRONIZE, addr oa, addr iosb, \

            FILE_SHARE_READ + FILE_SHARE_WRITE + FILE_SHARE_DELETE, FILE_SYNCHRONOUS_IO_NONALERT

.if eax == STATUS_SUCCESS

      invoke DbgPrint, $CTA0("File openeded\n")

      invoke ZwQueryInformationFile, hFile, addr iosb, addr fsi, sizeof fsi, FileStandardInformation

      .if eax == STATUS_SUCCESS

         mov eax, fsi.EndOfFile.LowPart

         inc eax

         mov cb, eax

         invoke ExAllocatePool, PagedPool, cb

         .if eax != NULL

            mov p, eax

            invoke RtlZeroMemory, p, cb

            invoke ZwReadFile, hFile, 0, NULL, NULL, addr iosb, p, cb, 0, NULL

            .if eax == STATUS_SUCCESS

                  invoke DbgPrint, $CTA0("File content: \=%s\=\n"), p

            .else

                  invoke DbgPrint, $CTA0("Can't read from the file. Status: %08X\n"), eax

            .endif

            invoke ExFreePool, p

         .else

            invoke DbgPrint, $CTA0("Can't allocate memory. Status: %08X\n"), eax

         .endif

      .else

         invoke DbgPrint, $CTA0("Can't query file size. Status: %08X\n"), eax

      .endif

      invoke ZwClose, hFile

.else

      invoke DbgPrint, $CTA0("Can't open file. Status: %08X\n"), eax

.endif

ret

MyReadFile endp

MyWriteFile proc

local oa:OBJECT_ATTRIBUTES

local iosb:IO_STATUS_BLOCK

invoke DbgPrint, $CTA0("\ Opening file for writing\n")

InitializeObjectAttributes addr oa, addr DataFileName, OBJ_CASE_INSENSITIVE + OBJ_KERNEL_HANDLE, NULL, NULL

invoke ZwCreateFile, addr hFile, FILE_WRITE_DATA + SYNCHRONIZE, addr oa, addr iosb, \

                     0, 0, FILE_SHARE_READ, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0

.if eax == STATUS_SUCCESS

      invoke DbgPrint, $CTA0("File openeded\n")

      CTA0 "Data can be written to an open file", g_szData, 4

      invoke ZwWriteFile, hFile, 0, NULL, NULL, addr iosb, addr g_szData, sizeof g_szData - 1, NULL, NULL

      .if eax == STATUS_SUCCESS

         invoke DbgPrint, $CTA0(" File was written\n")

      .else

         invoke DbgPrint, $CTA0("Can't write to the file. Status: %08X\n"), eax

      .endif

      invoke ZwClose, hFile

.else

      invoke DbgPrint, $CTA0("Can't open file. Status: %08X\n"), eax

.endif

ret

MyWriteFile endp

MyCloseFile proc near

            invoke ZwClose,hFile

            xor eax, eax

            ret



MyCloseFile endp

end DriverEntry

请教各位高手，上面的汇编应该如何按DUMP的数据进行修改呢。请高手指点。谢谢！

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！

#调试逆向

收藏・0

免费・0

支持

最新回复 (1)
easyweng 雪币： 168 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 11 回帖 35 粉丝 0 关注私信	easyweng 2 楼这个是模拟sentinel驱动吗？ 2011-8-25 16:58 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

lixiangren

发帖

187

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (1)
easyweng 雪币： 168 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 11 回帖 35 粉丝 0 关注私信	easyweng 2 楼这个是模拟sentinel驱动吗？ 2011-8-25 16:58 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复