;SbieDrv.sys of Sandboxie x86 v4.0.8
<00993580>
@OEP2: ;start of sub_33580 -- its first 8 bytes are overwritten by the 5-byte call below plus 3 NOPs
call @inject ;detour: @inject runs first and later re-enters the displaced prologue at @OEP2+5
db 90 90 90 ;3 x NOP padding so the patch covers exactly the 8 displaced bytes
;original code (falls through from the NOPs when re-entered from @inject)
push ebx
push esi
push 65
pop esi ;esi = 0x65
push 5C
pop eax ;eax = 0x5C -- eax is written before it is read, which is why @inject may scratch it
push 69
pop ebx ;ebx = 0x69
push 73
pop edx ;edx = 0x73
;call Table_KeQuerySystemTime somewhere later
;return
<00995C6A>
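@inject:
;EAX is unbound! (the displaced prologue at @OEP2 writes eax before reading it)
;On entry: [ESP] = return address into @OEP2+5, [ESP+4] = sub_33580's own return address, above that its arguments
call @setQST ;point the import slot at @myQST and remember the real pointer
add ESP, 4 ;discard the @OEP2+5 return address pushed by `call @inject`
pop [@tmp1+1] ;take sub_33580's real return address and plant it as the immediate of the `push` at @tmp1
call [ESP-8] ;re-enter the original body: the slot that held @OEP2+5 now lies 8 bytes below ESP; the call pushes its return where the original return address used to be
call @restoreQST ;restore the import slot and disarm the patch (EAX is preserved inside)
@tmp1:
push DADADADA ;DADADADA is a placeholder, overwritten at run time by the `pop [@tmp1+1]` above
ret ;return to sub_33580's caller with EAX intact
@realQST: db DA DA DA DA ;4-byte placeholder: receives the original KeQuerySystemTime pointer in @setQST
@pQST: db 2C E1 03 00 ; point to KeQuerySystemTime (little-endian 0x0003E12C; how this is fixed up to the live load address is not shown here -- see the note in @setQST)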
@setQST:
;Redirect the KeQuerySystemTime import slot to @myQST, saving the real pointer in @realQST.
;Clobbers EAX (acceptable here, see "EAX is unbound" at @inject).
mov EAX, [@pQST] ;EAX = address of the import slot
push [EAX]
pop [@realQST] ;@realQST = original slot contents (the real KeQuerySystemTime address)
push @myQST
pop [EAX] ;slot = @myQST ;blue-screen explanation #3 ;SbieDrv.sys+25ca1
;[EAX] was 0xa55ba12c = 0xa559c000 (the image base at that time) + 1e12c (RVA)
;this RVA is the KeQuerySystemTime pointer in the import table, and the IAT belongs to section .rdata
ret
@restoreQST:
;Undo @setQST and disarm the patch. Called from @inject after the original body has returned,
;so EAX (the original body's result) is saved around the pointer reload.
push EAX
mov EAX, [@pQST] ;EAX = address of the import slot
push [@realQST]
pop [EAX] ;slot = original KeQuerySystemTime pointer again
mov word [@OEP2], 06EB ;bytes EB 06 = `jmp short +6`, stepping over the rest of the 5-byte call and the 3 NOPs; skip injection should sub_33580 be called again
pop EAX
ret
@myQST:
;Replacement for KeQuerySystemTime: calls the real routine, then moves the reported time forward.
pop [@tmp2+1] ;move the caller's return address into the `push` immediate at @tmp2; [ESP] is presumably now the caller's argument
call [@realQST] ;the real KeQuerySystemTime
add dword [EAX+4], 001B0000 ;add 0x1B0000 to the high dword of the 64-bit time; in 100 ns units that is around 24 years
;NOTE(review): this relies on EAX still pointing at the caller's LARGE_INTEGER after the call returns; nothing on this page establishes that -- confirm
@tmp2:
push DADADADA ;DADADADA is a placeholder, overwritten at run time by the `pop [@tmp2+1]` above
ret ;return to the original caller of KeQuerySystemTime