首页
社区
课程
招聘
[原创]Ndis的一些逆向,发现F5真不错
发表于: 2011-9-21 19:21 7195

[原创]Ndis的一些逆向,发现F5真不错

2011-9-21 19:21
7195
对于想研究NDIS protcol以及miniport HOOK的可能会有点用,呵呵

一些备注code
/*
 * 通过搜索NdisIMInitializeDeviceInstanceEx的特征码获取ndisFindMiniportOnGlobalList函数地址
 */
static PVOID search_ndisFindMiniportOnGlobalList()
{
        int i;
        unsigned char* lpbuf;
        SYSTEM_MODULE_INFORMATION ndis_mod_info;
        //
        //search for ndisFindMiniportOnGlobalList from NdisIMInitializeDeviceInstanceEx
        //
        //f99b28a7 ff750c          push    dword ptr [ebp+0Ch]
        //f99b28aa e8b9210000      call    NDIS!ndisFindMiniportOnGlobalList (f99b4a68) 相对跳
        //

        if (!EnumSysModule("ndis.sys", &ndis_mod_info)){
                KdPrint(("!!!!Get NDIS Module Info failed!\n"));
                return NULL;
        }

        lpbuf = HelpGetProcAddress(ndis_mod_info.ImageBase, "NdisIMInitializeDeviceInstanceEx");
         
        KdPrint(("NdisIMInitializeDeviceInstanceEx:%x\n", lpbuf));

        for (i=0; i<100; i++){
                if (lpbuf[i] == 0xff
                        && lpbuf[i+1] == 0x75
                        && lpbuf[i+2] == 0x0c
                        && lpbuf[i+3] == 0xe8){
                        UINT offset;
                        lpbuf = lpbuf + i + 3;
                        offset = *((UINT*)(lpbuf+1));
                        //注意:e8 b9210000 = 5bytes!!! 
                        DbgPrint("ndisFindMiniportOnGlobalList:%x\n", lpbuf + offset + 5);                        
                        return lpbuf + offset + 5;
                }
        }
        return NULL;        
}

直接看我IDA逆向的函数吧:-)
int __stdcall NdisIMInitializeDeviceInstanceEx(_NDIS_M_DRIVER_BLOCK *DriverHandle, PCUNICODE_STRING DriverInstance, int DeviceContext)
{
  _NDIS_MINIPORT_BLOCK *_miniBlock; // eax@1
  _NDIS_MINIPORT_BLOCK *miniBlock; // esi@1
  int flags; // eax@2
  PDEVICE_OBJECT physicDevice; // ST10_4@7
  int Status; // [sp+20h] [bp+10h]@5

  ndisReferencePackage(&unk_1D040);
  KeWaitForSingleObject(&DriverHandle->IMStartRemoveMutex, 0, 0, 0, 0);
  _miniBlock = (_NDIS_MINIPORT_BLOCK *)[B]ndisFindMiniportOnGlobalList[/B](DriverInstance);
  miniBlock = _miniBlock;
  if ( _miniBlock && (flags = _miniBlock->PnPFlags, flags & 0x10000) && !(flags & 0x4010) )
  {
    if ( (unsigned __int8)ndisIsMiniportStarted(miniBlock) )
    {
      Status = 65539;
    }
    else
    {
      Status = ndisIMInitializeDeviceInstance(miniBlock, (PDEVICE_OBJECT)DeviceContext, 0);
      if ( Status )
      {
        physicDevice = (PDEVICE_OBJECT)miniBlock->PhysicalDeviceObject;
        BYTE1(miniBlock->PnPFlags) |= 1u;
        IoInvalidateDeviceState(physicDevice);
      }
    }
  }
  else
  {
    Status = ndisIMQueueDeviceInstance((int)DriverHandle, DriverInstance, DeviceContext);
  }
  KeReleaseMutex(&DriverHandle->IMStartRemoveMutex, 0);
  ndisDereferencePackage(&unk_1D040);
  return Status;
}



注意ndisFindMiniportOnGlobalList是一个非常好的函数:-) enjoy it
ndis.zip

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

上传的附件:
收藏
免费 0
支持
分享
最新回复 (3)
雪    币: 412
活跃值: (30)
能力值: ( LV5,RANK:70 )
在线值:
发帖
回帖
粉丝
2
支持一下吧.
2011-9-21 20:20
0
雪    币: 66
活跃值: (950)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
赞。不错 ..
2011-10-8 13:40
0
雪    币: 12
活跃值: (605)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
4
赞~~~~~~~~
2011-10-10 15:20
0
游客
登录 | 注册 方可回帖
返回
//