DriverEntry
第一个调用的函数:
// DriverEntry of the "own_s" driver (the name is taken from the log strings below).
// This is Hex-Rays output: the _SEH_prolog4/_SEH_epilog4 pair, ms_exc and the
// unassigned int locals are compiler-generated __try scaffolding, not driver logic.
//
// Parameters: DriverObject / RegistryPath as passed by the I/O manager.
// Returns: whatever _SEH_epilog4 leaves in eax; the actual NTSTATUS cannot be
//          recovered from this listing (see the note at the return).
NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
// v3..v7 and v10 are never assigned anywhere in this function; they only show up
// as "arguments" of the epilog call, which is a decompiler artifact.
int v3; // ST10_4@4
int v4; // ST14_4@4
int v5; // ST18_4@4
int v6; // ST1C_4@4
int v7; // [sp-14h] [bp-34h]@4
LSA_UNICODE_STRING DestinationString; // [sp+0h] [bp-20h]@2
CPPEH_RECORD ms_exc; // [sp+8h] [bp-18h]@4
int v10; // [sp+20h] [bp+0h]@4
// Called before anything else. The (truncated) listing of sub_14985 further down
// compares dword_12D34 against 0 and -1153374642 (0xBB40E64E, the MSVC default
// /GS cookie value) and reseeds it from its own address XOR KeTickCount.LowPart,
// so it looks like the compiler's security-cookie initializer rather than
// driver code — confirm against the full disassembly.
sub_14985();
// SEH frame setup (scope table at unk_12C88); the epilog call at the return is
// its counterpart.
_SEH_prolog4(&unk_12C88, 16);
// Return value discarded in this listing.
KeGetCurrentIrql();
// DriverObject is cached in a global; the identical store is repeated below.
dword_148F8 = (int)DriverObject;
// Both tests are pointer-equality checks between DriverObject, RegistryPath and a
// stack local. For a normal DriverEntry invocation neither can hold, so the
// FltUnloadFilter call with the fixed junk filter name appears unreachable
// (dead or decoy code) — verify in the disassembly before drawing conclusions.
if ( (PUNICODE_STRING)DriverObject == RegistryPath )
{
if ( (PDRIVER_OBJECT)&DestinationString == DriverObject )
{
RtlInitUnicodeString(&DestinationString, L"asdfkasdjfaksfkaskdfsa");
FltUnloadFilter(&DestinationString);
}
}
// sub_1070C is not shown; given the 0x804 size argument and the 0x800-byte clear
// that follows, it is presumably an allocation wrapper. Its result is stored in
// the global Buffer and passed to memset without a NULL check.
Buffer = (PVOID)sub_1070C(0x804u, 0);
memset(Buffer, 0, 0x800u);
// Pool allocation (pool type 0 = NonPagedPool) of Length + 10 bytes for a
// NUL-terminated copy of the registry path. ExAllocatePool may return NULL and
// nothing below checks for that, so the memcpy and the terminator write would
// fault on allocation failure. The allocation is also untagged (default tag),
// which makes it hard to attribute to this driver in pool-tag statistics.
P = ExAllocatePool(0, RegistryPath->Length + 10);
// Length and MaximumLength of the registry path are preserved in two globals.
word_148EC = RegistryPath->Length;
word_148EE = RegistryPath->MaximumLength;
memcpy(P, RegistryPath->Buffer, RegistryPath->Length);
// Writes a 16-bit 0 at byte offset Length rounded down to even: the UTF-16
// terminator. It stays within the Length + 10 bytes allocated above.
*((_WORD *)P + ((unsigned int)RegistryPath->Length >> 1)) = 0;
// Redundant: the same value was stored into dword_148F8 above.
dword_148F8 = (int)DriverObject;
// Unload routine; sub_12140 is not part of this listing.
DriverObject->DriverUnload = (PDRIVER_UNLOAD)sub_12140;
// sub_12220 is not shown; the string arguments read like debug/log output.
sub_12220("\r\n***** own_s **** \r\n");
// Presumably Hex-Rays' rendering of entering the __try block (try level 0) that
// wraps the main body.
ms_exc.disabled = 0;
// Main body of the driver; not in this listing.
sub_12016();
sub_12220("***** end of own_s\r\n");
// Decompiler artifact: the "arguments" are raw frame slots (the unassigned locals
// above, the DestinationString bytes and the SEH record). The value actually
// returned to the I/O manager is whatever eax holds after the __try block.
return _SEH_epilog4(
v7,
v3,
v4,
v5,
v6,
*(_DWORD *)&DestinationString,
DestinationString.Buffer,
ms_exc.old_esp,
ms_exc.exc_ptr,
ms_exc.prev_er,
ms_exc.handler,
ms_exc.msEH_ptr,
-2,
v10);
}
//------------sub_14985-------------
int __cdecl sub_14985()
{
ULONG v0; // eax@1
int result; // eax@5
v0 = dword_12D34;
if ( !dword_12D34 || dword_12D34 == -1153374642 )
{
v0 = (unsigned int)&dword_12D34 ^ KeTickCount.LowPart;
dword_12D34 = (unsigned int)&dword_12D34 ^ KeTickCount.LowPart;
if ( &dword_12D34 == (int *)KeTickCount.LowPart )
{
v0 = -1153374642;
dword_12D34 = -1153374642;
}
}
//求指导