[Help] Compiled an x64 driver, why are there R3 functions in its import table?
Posted on: 2020-5-23 15:23
Development environment: CB + DDK 7600, configured for x64 driver development.
An empty test driver compiles without errors and loads normally.
But after adding the following code, which executes inline assembly, the build fails:
```c
#include <ntddk.h>

/* Assumed definition of SCFN (not shown in the post): a pointer to the
   four-argument function implemented by the machine code below. */
typedef UINT64 (*SCFN)(UINT64, UINT64, UINT64, UINT64);

VOID test(void)
{
    SCFN scfn;
    UINT64 ret;
    /* x64 machine code equivalent to:
         add rcx,rdx
         add rcx,r8
         add rcx,r9
         mov rax,rcx
         ret  */
    UCHAR strShellCode[14] = "\x48\x03\xCA\x49\x03\xC8\x49\x03\xC9\x48\x8B\xC1\xC3";

    scfn = (SCFN)ExAllocatePool(NonPagedPool, 14);
    if (scfn == NULL)
        return;                        /* pool allocation can fail */
    memcpy(scfn, strShellCode, 14);
    ret = scfn(11, 22, 33, 44);
    DbgPrint("[x64Drv] Inline ASM return: %lld", ret);
    ExFreePool(scfn);
}
```
The error output is:
```text
||=== Build: Release in 1212 (compiler: [DRI_X64]) ===|
MSVCRT.lib(gs_report.obj)||error LNK2019: unresolved external symbol __imp_TerminateProcess referenced in function __report_gsfailure|
MSVCRT.lib(gs_report.obj)||error LNK2019: unresolved external symbol __imp_GetCurrentProcess referenced in function __report_gsfailure|
MSVCRT.lib(gs_report.obj)||error LNK2019: unresolved external symbol __imp_UnhandledExceptionFilter referenced in function __report_gsfailure|
MSVCRT.lib(gs_report.obj)||error LNK2019: unresolved external symbol __imp_SetUnhandledExceptionFilter referenced in function __report_gsfailure|
bin\Release\1212.sys||fatal error LNK1120: 4 unresolved externals|
||=== Build failed: 5 error(s), 0 warning(s) (0 minute(s), 0 second(s)) ===|
```
It is actually complaining about missing R3 functions.
After adding kernel32.lib the build succeeds, but the driver cannot be loaded.
Looking at the driver built with kernel32.lib in IDA:
```text
Address          Ordinal Name                        Library
0000000140002000         UnhandledExceptionFilter    KERNEL32
0000000140002008         GetCurrentProcess           KERNEL32
0000000140002010         TerminateProcess            KERNEL32
0000000140002018         SetUnhandledExceptionFilter KERNEL32
0000000140002028         RtlInitUnicodeString        ntoskrnl
0000000140002030         IofCompleteRequest          ntoskrnl
0000000140002038         IoCreateSymbolicLink        ntoskrnl
0000000140002040         IoIsWdmVersionAvailable     ntoskrnl
0000000140002048         IoDeleteSymbolicLink        ntoskrnl
0000000140002050         RtlVirtualUnwind            ntoskrnl
0000000140002058         RtlLookupFunctionEntry      ntoskrnl
0000000140002060         RtlCaptureContext           ntoskrnl
0000000140002068         IoDeleteDevice              ntoskrnl
0000000140002070         ExAllocatePool              ntoskrnl
0000000140002078         DbgPrint                    ntoskrnl
0000000140002080         IoCreateDevice              ntoskrnl
0000000140002088         ExFreePoolWithTag           ntoskrnl
```
The import table really does contain R3 functions, and that makes loading the driver fail with "The system cannot find the file specified".
What is the cause of this?
Is it an environment configuration problem?
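The check done by hand in IDA above, automated: an added example (not from the original post) that walks a PE image's import directory and reports every library that is not a kernel export library, so a freshly built .sys can be screened for KERNEL32-style imports before anyone tries to load it. The allow-list of kernel libraries is an assumption and deliberately incomplete.

```python
import struct

# Assumed, partial list of libraries a kernel driver may legitimately import from;
# KERNEL32 and every other user-mode DLL cannot be resolved by the kernel loader.
KERNEL_LIBRARIES = {"ntoskrnl.exe", "hal.dll", "wdfldr.sys", "fltmgr.sys",
                    "ndis.sys", "ksecdd.sys", "cng.sys", "bootvid.dll"}

def _sections(data, pe_off, nsec, opt_size):
    start = pe_off + 24 + opt_size          # section table follows the optional header
    secs = []
    for i in range(nsec):                   # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, start + 40 * i + 8)
        secs.append((va, max(vsize, rawsize), rawptr))
    return secs

def _rva_to_offset(secs, rva):
    for va, size, rawptr in secs:
        if va <= rva < va + size:
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def imported_libraries(data):
    """Names of the DLLs in the PE import directory, in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 data-directory offset
    ndirs = struct.unpack_from("<I", data, dd_base - 4)[0]
    imp_rva = struct.unpack_from("<I", data, dd_base + 8)[0] if ndirs > 1 else 0
    if imp_rva == 0:
        return []
    secs = _sections(data, pe_off, nsec, opt_size)
    off, libs = _rva_to_offset(secs, imp_rva), []
    while True:                             # IMAGE_IMPORT_DESCRIPTOR is 20 bytes, Name RVA at +12
        name_rva = struct.unpack_from("<I", data, off + 12)[0]
        if name_rva == 0:                   # all-zero descriptor terminates the table
            return libs
        libs.append(_cstring(data, _rva_to_offset(secs, name_rva)))
        off += 20

def user_mode_imports(data):
    return [lib for lib in imported_libraries(data) if lib.lower() not in KERNEL_LIBRARIES]
```

Run it over the built driver with `user_mode_imports(open("1212.sys", "rb").read())`; an empty list means no user-mode DLL is referenced.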