[讨论][讨论][讨论]分析某个过机器码的驱动文件2
发表于: 2023-11-5 13:36 9234


第一个call没法用,第二个硬盘序列号可以修改,第三个硬件厂商信息,及ID型号能找到存储地址但是没法修改,第四个未知信息(我查了好久也不知道什么意思)可以修改。第三,第四call也差不多是先寻找内核模块,再特征码搜索函数或者全局变量(模块里面的全局变量和函数),然后用全局变量,函数经各种操作找到存储机器信息地址,最后用统一的随机字符串写入算法修改。

```#include <ntifs.h>
extern "C" int _fltused;
#include<ntddk.h>
#include<VARARGS.H>
#include<emmintrin.h>
#include<stdarg.h>
#include<stdio.h>
#include<varargs.h>
 
extern "C" extern POBJECT_TYPE* IoDriverObjectType;
// Record layout for SystemProcessInformation (NextEntryOffset chains the records).
// Kept for completeness only: no routine in this listing queries that class —
// the only class passed to ZwQuerySystemInformation below is SystemModuleInformation
// (see sub_140001480).
typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;      // byte offset to the next record; 0 on the last one
    ULONG NumberOfThreads;
    LARGE_INTEGER SpareLi1;
    LARGE_INTEGER SpareLi2;
    LARGE_INTEGER SpareLi3;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ImageName;     // process image name
    KPRIORITY BasePriority;
    HANDLE UniqueProcessId;               // process ID
    HANDLE InheritedFromUniqueProcessId;   // parent process ID
    ULONG HandleCount;
    ULONG SessionId;       // session ID
    ULONG_PTR PageDirectoryBase;
    SIZE_T PeakVirtualSize;
    SIZE_T VirtualSize;
    ULONG PageFaultCount;
    SIZE_T PeakWorkingSetSize;
    SIZE_T WorkingSetSize;
    SIZE_T QuotaPeakPagedPoolUsage;
    SIZE_T QuotaPagedPoolUsage;
    SIZE_T QuotaPeakNonPagedPoolUsage;
    SIZE_T QuotaNonPagedPoolUsage;
    SIZE_T PagefileUsage;
    SIZE_T PeakPagefileUsage;
    SIZE_T PrivatePageCount;
    LARGE_INTEGER ReadOperationCount;
    LARGE_INTEGER WriteOperationCount;
    LARGE_INTEGER OtherOperationCount;
    LARGE_INTEGER ReadTransferCount;
    LARGE_INTEGER WriteTransferCount;
    LARGE_INTEGER OtherTransferCount;
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;
// SYSTEM_INFORMATION_CLASS values for ZwQuerySystemInformation (undocumented API;
// numbering as commonly published). The only member used in this listing is
// SystemModuleInformation (0xb), in sub_140001480.
typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation = 0x0,
    SystemProcessorInformation = 0x1,
    SystemPerformanceInformation = 0x2,
    SystemTimeOfDayInformation = 0x3,
    SystemPathInformation = 0x4,
    SystemProcessInformation = 0x5,
    SystemCallCountInformation = 0x6,
    SystemDeviceInformation = 0x7,
    SystemProcessorPerformanceInformation = 0x8,
    SystemFlagsInformation = 0x9,
    SystemCallTimeInformation = 0xa,
    SystemModuleInformation = 0xb,
    SystemLocksInformation = 0xc,
    SystemStackTraceInformation = 0xd,
    SystemPagedPoolInformation = 0xe,
    SystemNonPagedPoolInformation = 0xf,
    SystemHandleInformation = 0x10,
    SystemObjectInformation = 0x11,
    SystemPageFileInformation = 0x12,
    SystemVdmInstemulInformation = 0x13,
    SystemVdmBopInformation = 0x14,
    SystemFileCacheInformation = 0x15,
    SystemPoolTagInformation = 0x16,
    SystemInterruptInformation = 0x17,
    SystemDpcBehaviorInformation = 0x18,
    SystemFullMemoryInformation = 0x19,
    SystemLoadGdiDriverInformation = 0x1a,
    SystemUnloadGdiDriverInformation = 0x1b,
    SystemTimeAdjustmentInformation = 0x1c,
    SystemSummaryMemoryInformation = 0x1d,
    SystemMirrorMemoryInformation = 0x1e,
    SystemPerformanceTraceInformation = 0x1f,
    SystemObsolete0 = 0x20,
    SystemExceptionInformation = 0x21,
    SystemCrashDumpStateInformation = 0x22,
    SystemKernelDebuggerInformation = 0x23,
    SystemContextSwitchInformation = 0x24,
    SystemRegistryQuotaInformation = 0x25,
    SystemExtendServiceTableInformation = 0x26,
    SystemPrioritySeperation = 0x27,
    SystemVerifierAddDriverInformation = 0x28,
    SystemVerifierRemoveDriverInformation = 0x29,
    SystemProcessorIdleInformation = 0x2a,
    SystemLegacyDriverInformation = 0x2b,
    SystemCurrentTimeZoneInformation = 0x2c,
    SystemLookasideInformation = 0x2d,
    SystemTimeSlipNotification = 0x2e,
    SystemSessionCreate = 0x2f,
    SystemSessionDetach = 0x30,
    SystemSessionInformation = 0x31,
    SystemRangeStartInformation = 0x32,
    SystemVerifierInformation = 0x33,
    SystemVerifierThunkExtend = 0x34,
    SystemSessionProcessInformation = 0x35,
    SystemLoadGdiDriverInSystemSpace = 0x36,
    SystemNumaProcessorMap = 0x37,
    SystemPrefetcherInformation = 0x38,
    SystemExtendedProcessInformation = 0x39,
    SystemRecommendedSharedDataAlignment = 0x3a,
    SystemComPlusPackage = 0x3b,
    SystemNumaAvailableMemory = 0x3c,
    SystemProcessorPowerInformation = 0x3d,
    SystemEmulationBasicInformation = 0x3e,
    SystemEmulationProcessorInformation = 0x3f,
    SystemExtendedHandleInformation = 0x40,
    SystemLostDelayedWriteInformation = 0x41,
    SystemBigPoolInformation = 0x42,
    SystemSessionPoolTagInformation = 0x43,
    SystemSessionMappedViewInformation = 0x44,
    SystemHotpatchInformation = 0x45,
    SystemObjectSecurityMode = 0x46,
    SystemWatchdogTimerHandler = 0x47,
    SystemWatchdogTimerInformation = 0x48,
    SystemLogicalProcessorInformation = 0x49,
    SystemWow64SharedInformationObsolete = 0x4a,
    SystemRegisterFirmwareTableInformationHandler = 0x4b,
    SystemFirmwareTableInformation = 0x4c,
    SystemModuleInformationEx = 0x4d,
    SystemVerifierTriageInformation = 0x4e,
    SystemSuperfetchInformation = 0x4f,
    SystemMemoryListInformation = 0x50,
    SystemFileCacheInformationEx = 0x51,
    SystemThreadPriorityClientIdInformation = 0x52,
    SystemProcessorIdleCycleTimeInformation = 0x53,
    SystemVerifierCancellationInformation = 0x54,
    SystemProcessorPowerInformationEx = 0x55,
    SystemRefTraceInformation = 0x56,
    SystemSpecialPoolInformation = 0x57,
    SystemProcessIdInformation = 0x58,
    SystemErrorPortInformation = 0x59,
    SystemBootEnvironmentInformation = 0x5a,
    SystemHypervisorInformation = 0x5b,
    SystemVerifierInformationEx = 0x5c,
    SystemTimeZoneInformation = 0x5d,
    SystemImageFileExecutionOptionsInformation = 0x5e,
    SystemCoverageInformation = 0x5f,
    SystemPrefetchPatchInformation = 0x60,
    SystemVerifierFaultsInformation = 0x61,
    SystemSystemPartitionInformation = 0x62,
    SystemSystemDiskInformation = 0x63,
    SystemProcessorPerformanceDistribution = 0x64,
    SystemNumaProximityNodeInformation = 0x65,
    SystemDynamicTimeZoneInformation = 0x66,
    SystemCodeIntegrityInformation = 0x67,
    SystemProcessorMicrocodeUpdateInformation = 0x68,
    SystemProcessorBrandString = 0x69,
    SystemVirtualAddressInformation = 0x6a,
    SystemLogicalProcessorAndGroupInformation = 0x6b,
    SystemProcessorCycleTimeInformation = 0x6c,
    SystemStoreInformation = 0x6d,
    SystemRegistryAppendString = 0x6e,
    SystemAitSamplingValue = 0x6f,
    SystemVhdBootInformation = 0x70,
    SystemCpuQuotaInformation = 0x71,
    SystemNativeBasicInformation = 0x72,
    SystemErrorPortTimeouts = 0x73,
    SystemLowPriorityIoInformation = 0x74,
    SystemBootEntropyInformation = 0x75,
    SystemVerifierCountersInformation = 0x76,
    SystemPagedPoolInformationEx = 0x77,
    SystemSystemPtesInformationEx = 0x78,
    SystemNodeDistanceInformation = 0x79,
    SystemAcpiAuditInformation = 0x7a,
    SystemBasicPerformanceInformation = 0x7b,
    SystemQueryPerformanceCounterInformation = 0x7c,
    SystemSessionBigPoolInformation = 0x7d,
    SystemBootGraphicsInformation = 0x7e,
    SystemScrubPhysicalMemoryInformation = 0x7f,
    SystemBadPageInformation = 0x80,
    SystemProcessorProfileControlArea = 0x81,
    SystemCombinePhysicalMemoryInformation = 0x82,
    SystemEntropyInterruptTimingInformation = 0x83,
    SystemConsoleInformation = 0x84,
    SystemPlatformBinaryInformation = 0x85,
    SystemThrottleNotificationInformation = 0x86,
    SystemHypervisorProcessorCountInformation = 0x87,
    SystemDeviceDataInformation = 0x88,
    SystemDeviceDataEnumerationInformation = 0x89,
    SystemMemoryTopologyInformation = 0x8a,
    SystemMemoryChannelInformation = 0x8b,
    SystemBootLogoInformation = 0x8c,
    SystemProcessorPerformanceInformationEx = 0x8d,
    SystemSpare0 = 0x8e,
    SystemSecureBootPolicyInformation = 0x8f,
    SystemPageFileInformationEx = 0x90,
    SystemSecureBootInformation = 0x91,
    SystemEntropyInterruptTimingRawInformation = 0x92,
    SystemPortableWorkspaceEfiLauncherInformation = 0x93,
    SystemFullProcessInformation = 0x94,
    SystemKernelDebuggerInformationEx = 0x95,
    SystemBootMetadataInformation = 0x96,
    SystemSoftRebootInformation = 0x97,
    SystemElamCertificateInformation = 0x98,
    SystemOfflineDumpConfigInformation = 0x99,
    SystemProcessorFeaturesInformation = 0x9a,
    SystemRegistryReconciliationInformation = 0x9b,
    MaxSystemInfoClass = 0x9c,
} SYSTEM_INFORMATION_CLASS;
// Prototype of ZwQuerySystemInformation. The real address is looked up by name in
// DriverEntry through MmGetSystemRoutineAddress and stored in the global below.
extern "C" typedef NTSTATUS(*PZwQuerySystemInformation)(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID                    SystemInformation,
    ULONG                    SystemInformationLength,
    PULONG                   ReturnLength
    );
 
// Assumed signature of the storport routine that second() locates by byte pattern
// (one pointer-sized argument, __fastcall). Nothing on this page confirms the real
// prototype, and the parameter name is a decompiler artefact; sub_14000158C calls
// through this type.
extern "C"  typedef void(__fastcall* hhh)(
    __int64               ReturnLength
    );
 
 
// Filled in by DriverEntry; sub_140001480 calls through it without re-checking for NULL.
PZwQuerySystemInformation ZwQuerySystemInformation = NULL;
 
 
 
// Declared but not called anywhere in this listing.
 extern "C" NTKERNELAPI
NTSTATUS
ObReferenceObjectByName(
    IN PUNICODE_STRING ObjectName,
    IN ULONG Attributes,
    IN PACCESS_STATE PassedAccessState OPTIONAL,
    IN ACCESS_MASK DesiredAccess OPTIONAL,
    IN POBJECT_TYPE ObjectType,
    IN KPROCESSOR_MODE AccessMode,
    IN OUT PVOID ParseContext OPTIONAL,
    OUT PVOID* Object
);
 
 
// Decompiler (IDA-style) type aliases so the decompiled bodies below compile as
// written. Note that LODWORD expands to a cast-and-dereference prefix, not to a
// value macro, and that _WORD is a signed short here.
#define  _QWORD ULONG64
#define  _DWORD unsigned int
#define LODWORD  *(unsigned int*)
#define _WORD  short int
#define _BYTE  unsigned char
 // Masked byte compare. Returns 1 when the bytes at a1 match pattern a2 under mask
 // a3, 0 otherwise: a '?' (63) in the mask accepts any byte, every other mask
 // character requires equality. An empty mask also yields 1. Reads strlen(a3)
 // bytes from a1 with no bounds check of its own; the caller (sub_140001344) must
 // keep a1 inside the searched range.
 char __fastcall sub_1400016A8(__int64 a1, _BYTE* a2, __int64 a3)
 {
     __int64 v3; // r9 -- length of the mask string
     __int64 v4; // r10 -- a1 expressed relative to the pattern cursor
     _BYTE* v5; // rcx -- pattern cursor
     __int64 v6; // r8 -- a3 expressed relative to the pattern cursor
 
     v3 = -1i64;
     do
         ++v3;
     while (*(_BYTE*)(a3 + v3));// inline strlen(a3)
     if (!v3)
         return 1;
     v4 = a1 - (_QWORD)a2;
     v5 = a2;
     v6 = a3 - (_QWORD)a2;
     // v5[v4] is the candidate byte at a1, *v5 the pattern byte, v5[v6] the mask byte
     while (v5[v4] == *v5 || v5[v6] == 63)   // 63 == '?'
     {
         //v5[v4]=a1=baseaddress  (v5[v4] is the byte at a1 + index)
         if (++v5 - a2 >= v3)
             return 1;
     }
     return 0;
 }
 
 // Finds a loaded kernel module whose path contains SubStr (e.g. "storport.sys")
 // using ZwQuerySystemInformation(SystemModuleInformation). On a match writes the
 // module base to *a2 and its size to *a3. Returns 1 whenever the second query
 // succeeded — also when no module matched, in which case *a2 / *a3 are left
 // untouched — and 0 on a failed size probe, a failed allocation or a failed query.
 // Callers therefore have to check the output values, not only the return.
 char __fastcall sub_140001480(char* SubStr, _QWORD* a2, _DWORD* a3)
 {
     char v3; // bl -- return value
     char* PoolWithTag; // rax
     char* v8; // rdi -- module list buffer
     unsigned __int64 v9; // rbp -- entry index
     const char* v10; // rsi -- entry cursor
     SIZE_T NumberOfBytes = 0; // [rsp+68h] [rbp+20h] BYREF
 
     v3 = 0;
     //*(unsigned int*)(NumberOfBytes) = 0;
     // Size probe: NumberOfBytes doubles as the (zero-length) buffer and as the ReturnLength output.
     ZwQuerySystemInformation(SystemModuleInformation, &NumberOfBytes, 0, (PULONG)&NumberOfBytes);
     if (!(_DWORD)NumberOfBytes)   // only the low 32 bits are written by the probe
         return 0;
     PoolWithTag = (char*)ExAllocatePoolWithTag(NonPagedPool, (unsigned int)NumberOfBytes, 0x5574696Cu);   // tag "litU" (little-endian ASCII)
     v8 = PoolWithTag;
     if (!PoolWithTag)
         return 0;
     if (ZwQuerySystemInformation(SystemModuleInformation, PoolWithTag, NumberOfBytes, 0i64) >= 0)
     {
         v9 = 0i64;
         // NOTE(review): the buffer is walked with hard-coded layout assumptions — first
         // QWORD = module count, 296-byte entries, path at +48, base at +24, size at +32.
         // TODO confirm against the OS's module-information structure for the target build.
         if (*(_QWORD*)v8)
         {
             v10 = v8;
             while (!strstr(v10 + 48, SubStr))   // assumes the path at +48 is NUL-terminated
             {
                 ++v9;
                 v10 += 296;
                 if (v9 >= *(_QWORD*)v8)
                     goto LABEL_10;   // no match: still reports success
             }
             *a2 = *((_QWORD*)v10 + 3);   // image base (offset 24)
             *a3 = *((_DWORD*)v10 + 8);   // image size (offset 32)
         }
     LABEL_10:
         v3 = 1;
     }
     ExFreePoolWithTag(v8, 0x5574696Cu);
     return v3;
 }
 
 // Linear scan of the range [a1, a1 + a2) for pattern a3 under mask a4 (matching
 // done by sub_1400016A8). Returns the first matching address, or 0 when nothing
 // matches or the mask is exactly as long as the range.
 // NOTE(review): v9 = a2 - strlen(a4) is an unsigned int; when the mask is longer
 // than the range the subtraction wraps to a huge count and the scan reads past
 // a1 + a2 — only the equal-length case is caught.
 __int64 __fastcall sub_140001344(__int64 a1, unsigned int a2, __int64 a3, __int64 a4)
 {
     __int64 v7; // rax -- strlen(a4)
     unsigned int v8; // ebx -- current offset
     unsigned int v9; // edi -- number of candidate offsets
 
     v7 = -1i64;
     do
         ++v7;
     while (*(_BYTE*)(v7 + a4));   // inline strlen(a4)
     v8 = 0;
     v9 = a2 - v7;
     if (a2 == (_DWORD)v7)
         return 0i64;
     while (!(unsigned __int8)sub_1400016A8(a1 + v8, (_BYTE*)a3, a4))
     {
         if (++v8 >= v9)
             return 0i64;
     }
     return a1 + v8;
 }
 
// Byte pattern (0x00 at the positions meant to be wildcards). Not referenced by any
// routine in this listing — second() searches with qword_140002410 instead.
unsigned char qword_140002210[] = {
    0x48 ,0x89 ,0x5C ,0x24 ,0x00 ,
    0x48 ,0x89 ,0x74  ,0x24 ,0x00 ,0x57 ,0x48 ,0x81 ,0xEC ,0x00 ,0x00,
    0x00 ,0x00 ,0x48 ,0x8B ,0x05 ,
 
    0x00 ,0x00 ,0x00  ,0x00 ,0x48 ,0x33 ,0xC4 ,0x48 ,0x89 ,0x84 ,0x24,
0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8B ,0x59 ,0x60  ,0x48 ,0x8B ,0xF1 ,0x40 ,
0x8A ,0xFA ,0x8B ,0x4B,
0x10 ,0x0
};
 
// Pattern-searches the code sections of an in-memory PE image at a1 for pattern
// a2 under mask a3. Checks the "MZ" (0x5A4D) and "PE\0\0" (0x4550) signatures,
// then walks the 40-byte section headers and scans every section whose name
// contains ".text" or starts with "PAGE". Returns the match address or 0.
// The return type is spelled `_int64` (single underscore); presumably `__int64`
// was intended.
_int64 __fastcall sub_1400013C0(__int64 a1, __int64 a2, __int64 a3)
{
 
     
    __int64 v6; // rbx -- IMAGE_NT_HEADERS
    __int64 v7; // r12 -- first IMAGE_SECTION_HEADER
    unsigned __int16 v8; // si -- section index
    __int64 v9; // rbp -- current section header
    __int64 result; // rax
 
    if (*(_WORD*)a1 != 23117)   // 0x5A4D "MZ"
        return 0i64;
    v6 = a1 + *(int*)(a1 + 60);   // e_lfanew
    if (*(_DWORD*)v6 != 17744)   // 0x4550 "PE\0\0"
        return 0i64;
 
    // PE validity checked above; section table = NT headers + 24 + SizeOfOptionalHeader (+20)
    v7 = *(unsigned __int16*)(v6 + 20) + v6 + 24;
    v8 = 0;
    if (!*(_WORD*)(v6 + 6))   // NumberOfSections
        return 0i64;
    while (1)
    {
        v9 = v7 + 40i64 * v8;
        // strstr on the 8-byte section name assumes a NUL inside it; 1162297680 == "PAGE" little-endian
        if (strstr((const char*)v9, ".text") || *(_DWORD*)v9 == 1162297680)//PAGE
        {
            result = sub_140001344(a1 + *(unsigned int*)(v9 + 12), *(unsigned int*)(v9 + 8), a2, a3);
            // code section found: a1 + VirtualAddress (+12); +8 is the section's VirtualSize
            if (result)
                break;
        }
        if (++v8 >= *(_WORD*)(v6 + 6))
            return 0i64;
    }
    return result;
}
 
 
 
 
 
 
 
 
 
 
 
// MSVC references _fltused whenever floating-point code (the __m128 use below) is
// present; a kernel build has no CRT to supply it, so the symbol is defined here
// (declared extern at the top of the file).
int _fltused;
 
// Thin wrapper so the decompiled body in sub_140001000 can call vsnwprintf under
// its original name; forwards unchanged to _vsnwprintf.
int __cdecl vsnwprintf(wchar_t* Dest, size_t Count, const wchar_t* Format, va_list Args)
{
    return _vsnwprintf(Dest, Count, Format, Args);
}
// Bounded wide-string printf resembling RtlStringCbPrintfW: a2 is the size of Dest
// in *bytes* (a2 >> 1 wide characters, one of them reserved for the terminator).
// Returns 0 on success; -1073741811 (0xC000000D, the value of
// STATUS_INVALID_PARAMETER) when the character count is 0 or above 0x7FFFFFFF,
// clearing Dest[0] when there is room; and -2147483643 (0x80000005, the value of
// STATUS_BUFFER_OVERFLOW) when the output was truncated, with Dest terminated at
// the last slot. In the in-range case the terminator comes from _vsnwprintf
// itself. The 64-bit return is the zero-extended 32-bit status.
__int64 sub_140001000(wchar_t* Dest, unsigned __int64 a2, const wchar_t* a3, ...)
{
    unsigned __int64 v3; // rdx -- capacity in wide characters
    int v5; // esi -- status
    unsigned __int64 v6; // rbx -- capacity minus the terminator slot
    int v7 = 0; // eax -- characters written
    va_list Args; // [rsp+68h] [rbp+20h] BYREF
 
    va_start(Args, a3);
    v3 = a2 >> 1;
    v5 = 0;
    if (v3 - 1 > 0x7FFFFFFE)                    // length check: v3 == 0 wraps here, so it is rejected along with v3 > 0x7FFFFFFF
        v5 = -1073741811;
    if (v5 < 0)
    {
        if (v3)
            *Dest = 0;
    }
    else
    {
        v6 = v3 - 1;
        v5 = 0;
        v7 = vsnwprintf(Dest, v3 - 1, a3, Args);
        if (v7 < 0 || v7 > v6)   // error or truncation: terminate and report overflow
        {
            Dest[v6] = 0;
            return (unsigned int)-2147483643;
        }
        else if (v7 == v6)   // exactly filled: add the terminator ourselves
        {
            Dest[v6] = 0;
        }
    }
    return (unsigned int)v5;
}
// Decompiled memset-style fill: writes a3 bytes of value a2 starting at a1 and
// returns a1. Sizes below 8 are filled byte by byte, 8..0x4E bytes with 8-byte
// stores of the replicated value, 0x4F and above with 16-byte stores.
// NOTE(review): the vector broadcast of the replicated value (commented out below)
// was replaced by an all-zero __m128, so the >= 0x4F path always writes zeros
// regardless of a2. The only caller in this listing, second(), passes a2 == 0 and
// a3 == 0x24 and therefore takes the 8-byte-store path.
__m128* __fastcall sub_140001E00(__m128* a1, unsigned __int8 a2, unsigned __int64 a3)
{
    __m128* result; // rax
    unsigned __int64  v4; // rdx -- a2 replicated into 8 bytes
    unsigned __int64 v5; // r9 -- offset of the current 8-byte store
    char* v6; // rcx -- a1 rounded down to a whole number of 8-byte words
    unsigned __int64 v7; // r8 -- leftover bytes (< 8)
    __m128 v8; // xmm0 -- 16-byte fill value
    char* v9; // r8 -- one past the end of the range
    __m128* v10; // rcx -- first 16-byte-aligned slot after the head store
    unsigned __int64 v11; // r8 -- bytes from v10 to the end
    unsigned __int64 v12; // r9 -- number of 128-byte chunks
    unsigned __int64 i; // r9 -- remaining whole 16-byte slots
    __int64 v14; // r8 -- leftover bytes (< 16)
 
    result = a1;
    if (a3 < 8)
    {
        for (; a3; --a3)   // byte fill, last byte first
            a1->m128_i8[a3 - 1] = a2;
    }
    else
    {
        v4 = 0x101010101010101i64 * a2;   // replicate the byte into all 8 lanes
        if (a3 >= 0x4F)
        {
            //v8 = _mm_movelh_ps((__m128)v4, (__m128)v4);
            __m128  bjj = { 0 };   // see NOTE above: zeros instead of the replicated value
            v8 = bjj;
            *a1 = v8;   // unaligned head store
            v9 = (char*)a1 + a3;
            v10 = (__m128*)((unsigned __int64)&a1[1] & 0xFFFFFFFFFFFFFFF0ui64);   // align up to 16
            v11 = v9 - (char*)v10;
            v12 = v11 >> 7;
            if (v11 >> 7)
            {
                do
                {   // eight 16-byte stores per 128-byte chunk
                    *v10 = v8;
                    v10[1] = v8;
                    v10 += 8;
                    v10[-6] = v8;
                    v10[-5] = v8;
                    --v12;
                    v10[-4] = v8;
                    v10[-3] = v8;
                    v10[-2] = v8;
                    v10[-1] = v8;
                } while (v12);
                v11 &= 0x7Fu;
            }
            for (i = v11 >> 4; i; --i)   // remaining whole 16-byte slots
                *v10++ = v8;
            v14 = v11 & 0xF;
            if (v14)
                *(__m128*)((char*)v10 + v14 - 16) = v8;   // final overlapping store ending exactly at v9
        }
        else
        {
            v5 = a3 & 0x78;   // offset just past the last whole 8-byte word
            v6 = (char*)a1 + (a3 & 0xFFFFFFFFFFFFFFF8ui64);
            do
            {
                // 8-byte stores from the last whole word back to the first.
                // &m128_u64[-1] forms a pointer 8 bytes before a1, which is formally
                // out of bounds even though v5 >= 8 brings the store back inside.
                *(unsigned __int64*)((char*)&result->m128_u64[-1] + v5) = v4;
                v5 -= 8i64;
            } while (v5);                             // the leftover bytes are written again below, overlapping the last word
            v7 = a3 & 7;
            if (v7)
                *(_QWORD*)&v6[v7 - 8] = v4;
        }
    }
    return result;
}
// Overwrites a1 in place with characters drawn from a fixed alphanumeric table via
// RtlRandomEx: a2 bytes when a2 != 0, otherwise strlen(a1) bytes. Returns a1, or 0
// when a2 == 0 and the string at a1 is empty. Nothing checks that a1 is writable.
__int64 __fastcall sub_14000199C(__int64 a1, int a2)
{
    __int64 v2; // rdi -- write index
    __int64 v3 = 0; // rbx -- byte count
    char v6[64]; // [rsp+20h] [rbp-48h] BYREF -- stack copy of the character table
    ULONG Seed; // [rsp+78h] [rbp+10h] BYREF
    v3 = a2;
    v2 = 0i64;
 
    if (!a2)
    {
        v3 = -1i64;   // inline strlen(a1)
        do
            ++v3;
        while (*(_BYTE*)(a1 + v3));
        if (!(_DWORD)v3)
            return 0i64;
    }
    strcpy(v6, "QWERTYUIOPASDFGHJKLZXCVBNMzxcvbnmasdfghjklqwertyuiop0123456789");
    Seed = KeQueryTimeIncrement();   // RNG seed
    if ((int)v3 > 0)
    {
        do
        {
            *(_BYTE*)(v2 + a1) = v6[RtlRandomEx(&Seed) % 0x3F];
            ++v2;
        } while (v2 < (int)v3);
    }
    return a1;
}
// Set by sub_14000158C to the storport routine address found by pattern search in
// second(), and called from there with a device extension as its only argument.
hhh a888 = 0;
// Walks the device list that starts at DEVICE_OBJECT a1 (NextDevice at +16) and,
// for every disk device (DeviceType at +72 == 7, FILE_DEVICE_DISK) that has a
// device extension (+64): randomizes the length-prefixed serial-number string the
// extension points to (length WORD at +112, pointer at +120), clears the DWORD at
// +1992 and calls the pattern-located routine a2 with the extension. Returns 0 when
// either argument is NULL, 1 otherwise.
// +16/+64/+72 match the public x64 DEVICE_OBJECT layout; +112/+120/+1992 are
// storport-private, undocumented and build-specific, so a layout mismatch writes
// into unrelated kernel memory rather than failing cleanly.
char __fastcall sub_14000158C(__int64 a1, ULONG64 a2)
{
 
 
 
    a888 = (hhh)a2;   // stored before the NULL check below, so a NULL a2 is kept as well
 
 
    __int64 v4; // rdi -- rcx holds the device base address, rdx the address found by pattern search
    unsigned __int16 v5; // si -- serial-number length
    __int64* v6; // rbx -- &NextDevice
 
    if (!a1 || !a2)
        return 0;
    while (1)
    {
        v6 = (__int64*)(a1 + 16);
        if (!*(_QWORD*)(a1 + 16))   // end of the device list
            break;
        if (*(_DWORD*)(a1 + 72) == 7)   // DeviceType == FILE_DEVICE_DISK
        {
            v4 = *(_QWORD*)(a1 + 64);   // DeviceExtension
            if (v4)
            {
                v5 = *(_WORD*)(v4 + 112);   // serial-number length (storport-private)
                if (v5)
                {
                    //sub_1400016EC("old disk serial number : %s \n", *(const char**)(v4 + 120));
                    sub_14000199C(*(_QWORD*)(v4 + 120), v5);   // overwrite the serial string in place
                    DbgPrintEx(77, 0, "硬件序列号所在地址为%p\n", *(_QWORD*)(v4 + 120));   // "address of the hardware serial number"
                    //memcpy((void*)*(_QWORD*)(v4 + 120),)
                    //sub_1400016EC("new disk serial number : %s \n", *(const char**)(v4 + 120));
                    *(_DWORD*)(v4 + 1992) = 0;   // meaning of this field is not established on this page
                    a888(v4);   // indirect call at a pattern-derived address with a guessed prototype (see typedef hhh)
                }
                else
                {
                    //sub_1400016EC("serial_number length is null \n");
                }
            }
            else
            {
                //sub_1400016EC("DeviceExtension buffer is null \n");
            }
        }
        a1 = *v6;
    }
 
 
    return 1;
}
// 12-byte pattern that second() searches for in storport.sys; used with the mask
// "xxxx?xxxxxxx", so byte 4 (0x00 here) is a wildcard.
unsigned char qword_140002410[] = { 0x48 ,0x89 ,0x5C ,0x24 ,
0x00 ,0x55 ,0x56 ,0x57 ,0x48 ,0x83,0xEC,0x50 };
// Second patch stage (disk serial number). Locates storport.sys with
// sub_140001480, pattern-searches it for a routine address, then opens the RaidPort
// device by name with IoGetDeviceObjectPointer and runs sub_14000158C over the
// owning driver's whole device list. Returns 0 when the module or the pattern is
// not found, 1 otherwise; failures of individual IoGetDeviceObjectPointer calls
// are ignored.
// Note: FileObject and DeviceObject are first reused as scratch outputs for the
// module base and size (type-punned through the casts) before they hold real
// object pointers.
int second() {
 
 
 
    __int64 v0; // rax -- pattern match address
    __int64 v1; // rdi -- same, passed on to sub_14000158C
    int i; // ebx
    struct _UNICODE_STRING DestinationString; // [rsp+20h] [rbp-40h] BYREF
    __m128 SourceString[3]; // [rsp+30h] [rbp-30h] BYREF -- 48-byte wide-string buffer
    PDEVICE_OBJECT DeviceObject = 0; // [rsp+70h] [rbp+10h] BYREF
    PFILE_OBJECT FileObject; // [rsp+78h] [rbp+18h] BYREF
 
    FileObject = 0i64;
 
    if (!sub_140001480("storport.sys", (ULONG64*)&FileObject, (_DWORD*)&DeviceObject))
        return 0;
    DbgPrintEx(77, 0, "FileObjectis%p\n", FileObject);   // 77 == DPFLTR_IHVDRIVER_ID; here still the module base
    DbgPrintEx(77, 0, "DeviceObject%p\n", DeviceObject);   // here still the module size
 
    v0 = sub_1400013C0((__int64)FileObject, (__int64)qword_140002410, (__int64)"xxxx?xxxxxxx");
    v1 = v0;
    if (!v0)
        return 0;
    DbgPrintEx(77, 0, "v0%p\n", v0);
 
 
 
    for (i = 0; i < 5; ++i)
    {
        sub_140001E00(SourceString, 0, 0x24ui64);   // zero the first 0x24 bytes of the 48-byte buffer
        sub_140001000((wchar_t*)SourceString, 0x24, L"\\Device\\RaidPort%d", 0);   // size is in bytes
        DbgPrintEx(77, 0, "SourceString%ws\n", (wchar_t*)SourceString);
        RtlInitUnicodeString(&DestinationString, (PCWSTR)SourceString);
         
        FileObject = 0i64;
        DeviceObject = 0i64;
        if (IoGetDeviceObjectPointer(&DestinationString, 1u, &FileObject, &DeviceObject) >= 0)   // DesiredAccess 1 (FILE_READ_DATA)
        {
            // start at the driver's first device so every device of that driver is visited, not only the one opened
            sub_14000158C((__int64)DeviceObject->DriverObject->DeviceObject, (ULONG64)v1);
            ObfDereferenceObject(FileObject);   // releases the reference taken by IoGetDeviceObjectPointer
        }
    }
 
    return 1;
 
 
 
}
 
 
 
 
// Returns the a2-th (1-based) string of the string area that follows a
// SMBIOS-style structure at a1 (judging by the end-of-table check in
// sub_140001650): the formatted area's length is byte a1[1] and the NUL-separated
// strings start right after it. Returns 0 when a1 is NULL, a2 is 0, or the string
// area starts with a NUL. No upper bound is applied, so an index larger than the
// number of strings keeps stepping over NUL-terminated runs past the structure's
// double-NUL end.
LONGLONG __fastcall sub_140001558( char* a1, char a2)
{
    _BYTE* result; // rax -- current string
    __int64 v3; // rcx -- strlen of the current string
 
    if (!a1)
        return 0i64;
    if (!a2)
        return 0i64;
    result = (_BYTE*)(a1 + *(unsigned __int8*)(a1 + 1));   // start of the string area
    if (!*result)
        return 0i64;
    while (--a2)   // advance a2 - 1 strings
    {
        v3 = -1i64;
        do
            ++v3;
        while (result[v3]);   // inline strlen
        result += v3 + 1;   // skip the string and its NUL
    }
    return (LONGLONG)result;
}
 
// Rewrites identifying strings of one SMBIOS-style structure at a1 in place. The
// strings are selected through the index bytes stored in the formatted area:
//   type 0:       indices at bytes 4, 5, 8   (the first two are rewritten)
//   type 1 and 2: indices at bytes 4, 5, 7, 6 (all four rewritten)
//   type 3:       indices at bytes 4, 6, 7   (all three rewritten)
// Any other type, a NULL a1 or a zero length byte leaves the structure alone.
// Each selected string is first filled with random characters (sub_14000199C,
// length taken from strlen) and then its first 10 bytes are zeroed with memset
// regardless of the string's real length — a string shorter than 10 bytes is
// overwritten past its terminator into the following string or structure.
// v11 is unused: the decompiled call that used it is commented out at the end.
void __fastcall sub_140001728(char* a1)
{
    __int64 a2=0;   // string index being looked up
    char v3; // al -- structure type
    __int64 v4; // rax
    __int64 v5; // rdx
    __int64 v6=0; // rbx -- type 0: string at index byte 4
    __int64 v7; // rax
    __int64 v8; // rdx
    __int64 v9; // rdi -- type 0: string at index byte 5
    __int64 v10; // rsi -- type 0: string at index byte 8 (looked up, not rewritten)
    const CHAR* v11; // rcx
    __int64 v12; // rax
    __int64 v13; // rdx
    __int64 v14; // rbx -- type 1/2: string at index byte 4
    __int64 v15; // rax
    __int64 v16; // rdx
    __int64 v17; // rdi -- type 1/2: string at index byte 5
    __int64 v18; // rax
    __int64 v19; // rdx
    __int64 v20; // rsi -- type 1/2: string at index byte 7
    __int64 v21; // rbp -- type 1/2: string at index byte 6
    __int64 v22; // rcx -- string rewritten by the shared tail below
    __int64 v23; // rax
    __int64 v24; // rdx
    __int64 v25; // rbx -- type 3: string at index byte 4
    __int64 v26; // rax
    __int64 v27; // rdx
    __int64 v28; // rsi -- type 3: string at index byte 6
    __int64 v29; // rdi -- type 3: string at index byte 7
 
 
 
 
 
 
 
 
 
 
 
    if (a1 && a1[1])
    {
        v3 = *a1;
        if (*a1)
        {
            if (v3 == 1 || v3 == 2)
            {
                (a2) = a1[4];
                v12 = sub_140001558(a1, a2);
                v13 = a1[5];
                v14 = v12;
                v15 = sub_140001558(a1, v13);
                (v16) = a1[7];
                v17 = v15;
                v18 = sub_140001558(a1, v16);
                (v19) = a1[6];
                v20 = v18;
                v21 = sub_140001558(a1, v19);
                //sub_1400016EC("old manufacturer : %s \n");
                sub_14000199C(v14, 0);
             
                 
 
 
                sub_14000199C(v17, 0);
             
                sub_14000199C(v20, 0);
                DbgPrintEx(77, 0, "v14%p\n", v14);
                memset((void*)v14, 0, 10);   // fixed 10 bytes, independent of the string length
                DbgPrintEx(77, 0, "v17%p\n", v17);
                memset((void*)v17, 0, 10);
                DbgPrintEx(77, 0, "v20%p\n", v20);
                memset((void*)v20, 0, 10);
 
                v22 = v21;
            }
            else
            {
                if (v3 != 3)
                    return;
                a2 = a1[4];
                v23 = sub_140001558(a1, a2);
                v24 = a1[6];
                v25 = v23;
                v26 = sub_140001558(a1, v24);
                (v27) = a1[7];
                v28 = v26;
                v29 = sub_140001558(a1, v27);
             
                sub_14000199C(v25, 0);
                 
                sub_14000199C(v29, 0);
                DbgPrintEx(77, 0, "v25%p\n", v25);
                memset((void*)v25, 0, 10);
                DbgPrintEx(77, 0, "v29%p\n", v29);
                memset((void*)v29, 0, 10);
                 
                v22 = v28;
            }
            // shared tail for types 1, 2 and 3
            sub_14000199C(v22, 0);
            DbgPrintEx(77, 0, "v22%p\n", v22);
            memset((void*)v22, 0, 10);
             
        }
        else
        {
            // type 0
            a2 = a1[4];
            v4 = sub_140001558(a1, a2);
            (v5) = a1[5];
            v6 = v4;
            v7 = sub_140001558(a1, v5);
            (v8) = a1[8];
            v9 = v7;
            v10 = sub_140001558(a1, v8);
             
            sub_14000199C(v6, 0);
            DbgPrintEx(77, 0, "v6%p\n", v6);
            memset((void*)v6, 0, 10);
            sub_14000199C(v9, 0);
            DbgPrintEx(77, 0, "v9%p\n", v9);
            memset((void*)v9, 0, 10);
        }
        //sub_1400016EC(v11);
    }
 
 
     
 
         
     
}
// 14-byte pattern searched for in ntoskrnl.exe by Third() with the mask
// "xxx????xxxx?xx": bytes 3..6 (a 32-bit displacement) and byte 11 are wildcards.
// Third() resolves the displacement at +3 relative to the end of the 7-byte
// instruction to obtain the address of a PHYSICAL_ADDRESS global.
unsigned char byte_140002100[] = {
 
    0x48 ,0x8B ,0x0D ,0x00 ,
    0x00 ,0x00 ,0x00 ,0x48 , 0x85 ,0xC9 ,
    0x74 ,0x00 ,0x8B ,0x15
};
 
// 24-byte pattern searched for in ntoskrnl.exe by Third() with the mask
// "xx????xxxxxxxxxx????xxxx"; Third() reads the displacement at +2 to locate a
// DWORD length global.
// NOTE(review): a ',' is missing between 0x8B (end of the first row) and 0xD0
// (start of the second), so this initializer does not compile as written.
unsigned char byte_140002150[] = {
 
    0x8B ,0x1D ,0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8B
    0xD0 ,0x44 ,0x8B ,0xC3 ,0x48 ,0x8B ,0xCD ,0xE8,
    0x00 ,0x00 ,0x00 ,0x00 ,0x8B ,0xD3 ,
    0x48 ,0x8B 
};
//8B 1D 00 00 00 00 48 8B  D0 44 8B C3 48 8B CD E8
//00 00 00 00 8B D3 48 8B  00 CC CC CC CC CC CC CC
 
// Iterates the SMBIOS-style structure table at a1 (a2 bytes long) and passes each
// structure to sub_140001728. Stops at the end-of-table structure (type 127,
// length 4). A structure's end is found by skipping the formatted area (length
// byte [1]) and then the string area up to its double-NUL terminator.
// NOTE(review): a2 is only checked at the end of each outer iteration and the
// inner double-NUL scan has no bound, so a malformed table is read past a1 + a2.
// The return value is always 0: the inner loop exits only when the OR of the two
// bytes is 0, and the end-of-table break keeps the previous (zero) result. Third()
// ignores it.
char __fastcall sub_140001650(_BYTE* a1, int a2)
{
    _BYTE* v2; // rbx -- current structure
    unsigned __int64 v3; // rdi -- end of the table
    _BYTE* v4; // rbx -- scan cursor through the string area
    _BYTE* i; // rdx
    char result=0; // al
 
    v2 = a1;
    v3 = (unsigned __int64)&a1[a2];               // v3=a1+a2
    do
    {
        if (*v2 == 127 && v2[1] == 4)   // end-of-table structure
            break;
        sub_140001728((char*)v2);
        v4 = &v2[(unsigned __int8)v2[1]];   // skip the formatted area
        for (i = v4 + 1; ; ++i)   // unbounded scan for the double NUL
        {
            result = *v4 | *i;
            if (!result)
                break;
            v4 = i;
        }
        v2 = v4 + 2;   // first byte after the double NUL
    } while ((unsigned __int64)v2 < v3);
    return result;
}
//
// Third patch stage (firmware table strings). Finds ntoskrnl.exe, resolves two
// RIP-relative globals from byte patterns — a PHYSICAL_ADDRESS (v2) and a DWORD
// length (v4) — maps that physical range with MmMapIoSpace, runs sub_140001650
// over the mapping and unmaps it. Returns 0 on any lookup failure, 1 otherwise.
// NOTE(review): the return value of sub_140001480 is ignored and v9 is not
// checked, so when no module matched v0 is 0 and sub_1400013C0 dereferences it.
// The `if (!v2)` test is vacuous: v2 is v1 plus an offset and v1 was just checked.
// Writes made through the MmNonCached mapping modify the table in place; the
// kernel's own pointer to it is left unchanged.
char Third()
{
    __int64 v0; // rbx -- ntoskrnl.exe base (0 if the lookup failed)
    __int64 v1; // rax -- first pattern match
    PHYSICAL_ADDRESS* v2; // rdi -- resolved PHYSICAL_ADDRESS global
    __int64 v3; // rax -- second pattern match
    unsigned int v4; // ebx -- resolved length
    PVOID v5; // rax
    void* v6; // rdi -- virtual mapping
    int v8; // [rsp+30h] [rbp+8h] BYREF -- module size (unused)
    __int64 v9; // [rsp+38h] [rbp+10h] BYREF -- module base
 
    v9 = 0i64;
    v8 = 0;
    sub_140001480("ntoskrnl.exe", (ULONG64*)&v9, (_DWORD*)&v8);   // return value and v9 unchecked
     
    v0 = v9;
 
    v1 = sub_1400013C0(v0, (__int64)byte_140002100, (__int64)"xxx????xxxx?xx");
    if (!v1)
        return 0;
    v2 = (PHYSICAL_ADDRESS*)(v1 + *(int*)(v1 + 3) + 7i64);   // disp32 at v1+3, relative to the instruction end at v1+7
    if (!v2)   // vacuous, see NOTE above
        return 0;
     
    v3 = sub_1400013C0(v0, (__int64)byte_140002150, (__int64)"xx????xxxxxxxxxx????xxxx");
    if (!v3)
        return 0;
    v4 = *(_DWORD*)(*(int*)(v3 + 2) + v3 + 6);   // disp32 at v3+2, instruction end at v3+6; the global is a DWORD length
    if (!v4)
        return 0;
    DbgPrintEx(77, 0, "v1 + *(int*)(v1 + 3) + 7i64%p\n", v1 + *(int*)(v1 + 3) + 7);
 
    DbgPrintEx(77, 0, "%p\n", v1);
    //DbgPrintEx(77, 0, "v2&p\n", v2);
 
    v5 = MmMapIoSpace(*v2, v4, MmNonCached);   // physical -> virtual for the v4-byte table
    v6 = v5;
    if (!v5)
        return 0;
    sub_140001650((unsigned char*)v5, v4);
    MmUnmapIoSpace(v6, v4);
    return 1;
}
 
 
 
 
 
 
 
 
 
 
 
 
// Fourth patch stage (the post says the meaning of these fields is unknown).
// Finds ndis.sys, resolves a RIP-relative global (v3) from the first pattern and
// a 32-bit displacement (v2) from the second, then walks a linked list (next
// pointer at +8) starting at the value of that global; for every element whose
// pointer at +v2 is non-NULL it randomizes two length-prefixed byte fields at
// +1126 (length WORD at +1124) and +1160 (length WORD at +1158). Returns 0 on any
// lookup failure, 1 otherwise.
// Notes: SpinLock is initialized and never used; the pattern arrays are function
// locals here, unlike the other stages; the second debug label reads "v5 + 1126"
// but prints v5 + 1160.
char Thourd() {
 
    DbgPrintEx(77, 0, "进来了\n");   // "entered"
 
        __int64 v0; // rbx -- first pattern match
        __int64 v1; // rdi -- second pattern match
        unsigned int v2; // edi -- displacement read from the second match
        __int64 v3; // rbx -- current list element
        __int64 v4; // rsi -- v2 widened
        __int64 v5; // rdi -- element's pointer at +v2
        ULONG64 baseaddress = 0;
        ULONG64 size = 0;
        KSPIN_LOCK SpinLock;
        KeInitializeSpinLock(&SpinLock);   // unused
        sub_140001480(("ndis.sys"), &baseaddress,(unsigned int*) &size);
         
            DbgPrintEx(77, 0, "baseaddress%p\n", baseaddress);
            DbgPrintEx(77, 0, "size%p\n", size);
             
            if (baseaddress == 0) {
 
                return 0;
            }
 
             
        //40 8A F0 48 8B 05 00 CC  CC CC CC CC CC CC CC CC
        unsigned char qword_1400024D0[] = {
 
            0x40 ,0x8A ,0xF0 ,0x48 ,0x8B ,0x05
        };
 
        v0 = sub_1400013C0(baseaddress, (LONGLONG)qword_1400024D0, (LONGLONG)"xxxxxx");
        DbgPrintEx(77, 0, "v0%p\n", v0);
 
 
        if (!v0)
            return 0;
        unsigned char qword_140002530[] = {
 
            0x48 ,0x85 ,0x00 ,0x0F ,0x84 ,
            0x00 ,0x00 ,0x00  ,0x00 ,0x00 ,0x8B ,0x00 ,0x00 ,
            0x00 ,0x00 ,0x00,
            0x33 ,00
        };
 
        v1 = sub_1400013C0(baseaddress,(LONGLONG)qword_140002530, (LONGLONG)"xx?xx?????x???xxx");
        DbgPrintEx(77, 0, "v1%p\n", v1);
        if (!v1)
            return 0;
         
        v2 = *(_DWORD*)(v1 + 12);   // 32-bit displacement inside the second match
        if (!v2)
            return 0;
         
        v3 = *(_QWORD*)(*(int*)(v0 + 6) + v0 + 10);   // disp32 at v0+6, instruction end at v0+10; read the global's value
 
 
        DbgPrintEx(77, 0, "*(int*)(v0 + 6) + v0 + 10%p\n", *(int*)(v0 + 6) + v0 + 10);
        //*(int*)(v0 + 6) + v0 + 10
        DbgPrintEx(77, 0, "v3%p\n", v3);
        if (v3)
        {
            v4 = v2;
            do
            {
                v5 = *(_QWORD*)(v4 + v3);   // element field at +v2
                if (v5)
                {
                    sub_14000199C(v5 + 1126, *(unsigned __int16*)(v5 + 1124));
                    DbgPrintEx(77, 0, "v5 + 1126%p\n", v5 + 1126);
 
 
                    sub_14000199C(v5 + 1160, *(unsigned __int16*)(v5 + 1158));
                    DbgPrintEx(77, 0, "v5 + 1126%p\n", v5 + 1160);   // label says 1126, value is v5 + 1160
                }
                v3 = *(_QWORD*)(v3 + 8);   // next element
            } while (v3);
        }
        return 1;
     
}
 
 
 
 
 
 
 
 
 
 
 
 
 
// Entry point. Resolves ZwQuerySystemInformation by name, runs the three patch
// stages once inside __try/__except(1) (1 == EXCEPTION_EXECUTE_HANDLER) and
// always returns STATUS_UNSUCCESSFUL, so the load is reported as failed and the
// image is unmapped right after DriverEntry — the in-memory modifications made by
// the stages remain. Driver_Reg is unused; no device, dispatch or unload routine
// is set up.
// NOTE(review): kernel-mode SEH does not cover faults on invalid kernel addresses
// (those bugcheck), so the handler only catches exceptions raised explicitly or
// faults on probe-able user addresses — TODO confirm for the target build.
extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING Driver_Reg)
{
 
    UNICODE_STRING temp = { 0 };
    RtlInitUnicodeString(&temp, L"ZwQuerySystemInformation");
     
 
    ZwQuerySystemInformation = (PZwQuerySystemInformation)MmGetSystemRoutineAddress(&temp);
 
    if (ZwQuerySystemInformation ==0)
    {
        DbgPrintEx(77, 0, "ZwQuerySystemInformation");
        return STATUS_UNSUCCESSFUL;
    }
    DbgPrintEx(77, 0, "成功");   // "success"
    __try {
 
 
 
 
        //first();   (first stage not included; the post says it could not be made to work)
        second();
        Third();
        Thourd();
    }
 
    __except (1) {
 
 
        DbgPrintEx(77, 0, "异常");   // "exception"
    }
 
     
 
    //PsCreateSystemThread(&SystemHandle, THREAD_ALL_ACCESS, NULL, NULL, NULL, (PKSTART_ROUTINE)DriverEntry666, NULL);
    return STATUS_UNSUCCESSFUL;
}
```#include <ntifs.h>
extern "C" int _fltused;
#include<ntddk.h>
#include<VARARGS.H>
#include<emmintrin.h>
#include<stdarg.h>
#include<stdio.h>
#include<varargs.h>
 
extern "C" extern POBJECT_TYPE* IoDriverObjectType;
/*
 * Local redeclaration of SYSTEM_PROCESS_INFORMATION, the record returned for
 * the SystemProcessInformation (0x5) class.  Presumably redeclared because the
 * WDK headers included above do not expose it.  Not referenced by any code
 * visible in this excerpt (only SystemModuleInformation is queried below), so
 * the layout has not been cross-checked against a live system here.
 */
typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;      // offset to the next record; 0 marks the last one
    ULONG NumberOfThreads;
    LARGE_INTEGER SpareLi1;
    LARGE_INTEGER SpareLi2;
    LARGE_INTEGER SpareLi3;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ImageName;     // process image name
    KPRIORITY BasePriority;
    HANDLE UniqueProcessId;               // process id
    HANDLE InheritedFromUniqueProcessId;   // parent process id
    ULONG HandleCount;
    ULONG SessionId;       // session id
    ULONG_PTR PageDirectoryBase;
    SIZE_T PeakVirtualSize;
    SIZE_T VirtualSize;
    ULONG PageFaultCount;
    SIZE_T PeakWorkingSetSize;
    SIZE_T WorkingSetSize;
    SIZE_T QuotaPeakPagedPoolUsage;
    SIZE_T QuotaPagedPoolUsage;
    SIZE_T QuotaPeakNonPagedPoolUsage;
    SIZE_T QuotaNonPagedPoolUsage;
    SIZE_T PagefileUsage;
    SIZE_T PeakPagefileUsage;
    SIZE_T PrivatePageCount;
    LARGE_INTEGER ReadOperationCount;
    LARGE_INTEGER WriteOperationCount;
    LARGE_INTEGER OtherOperationCount;
    LARGE_INTEGER ReadTransferCount;
    LARGE_INTEGER WriteTransferCount;
    LARGE_INTEGER OtherTransferCount;
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;
/*
 * Information classes accepted by ZwQuerySystemInformation.  Only
 * SystemModuleInformation (0xb) is used by the code in this excerpt
 * (sub_140001480).  The tail of the list and MaxSystemInfoClass reflect the
 * Windows version this table was copied from; newer builds add classes.
 */
typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation = 0x0,
    SystemProcessorInformation = 0x1,
    SystemPerformanceInformation = 0x2,
    SystemTimeOfDayInformation = 0x3,
    SystemPathInformation = 0x4,
    SystemProcessInformation = 0x5,
    SystemCallCountInformation = 0x6,
    SystemDeviceInformation = 0x7,
    SystemProcessorPerformanceInformation = 0x8,
    SystemFlagsInformation = 0x9,
    SystemCallTimeInformation = 0xa,
    SystemModuleInformation = 0xb,   // loaded kernel-module list; queried in sub_140001480
    SystemLocksInformation = 0xc,
    SystemStackTraceInformation = 0xd,
    SystemPagedPoolInformation = 0xe,
    SystemNonPagedPoolInformation = 0xf,
    SystemHandleInformation = 0x10,
    SystemObjectInformation = 0x11,
    SystemPageFileInformation = 0x12,
    SystemVdmInstemulInformation = 0x13,
    SystemVdmBopInformation = 0x14,
    SystemFileCacheInformation = 0x15,
    SystemPoolTagInformation = 0x16,
    SystemInterruptInformation = 0x17,
    SystemDpcBehaviorInformation = 0x18,
    SystemFullMemoryInformation = 0x19,
    SystemLoadGdiDriverInformation = 0x1a,
    SystemUnloadGdiDriverInformation = 0x1b,
    SystemTimeAdjustmentInformation = 0x1c,
    SystemSummaryMemoryInformation = 0x1d,
    SystemMirrorMemoryInformation = 0x1e,
    SystemPerformanceTraceInformation = 0x1f,
    SystemObsolete0 = 0x20,
    SystemExceptionInformation = 0x21,
    SystemCrashDumpStateInformation = 0x22,
    SystemKernelDebuggerInformation = 0x23,
    SystemContextSwitchInformation = 0x24,
    SystemRegistryQuotaInformation = 0x25,
    SystemExtendServiceTableInformation = 0x26,
    SystemPrioritySeperation = 0x27,
    SystemVerifierAddDriverInformation = 0x28,
    SystemVerifierRemoveDriverInformation = 0x29,
    SystemProcessorIdleInformation = 0x2a,
    SystemLegacyDriverInformation = 0x2b,
    SystemCurrentTimeZoneInformation = 0x2c,
    SystemLookasideInformation = 0x2d,
    SystemTimeSlipNotification = 0x2e,
    SystemSessionCreate = 0x2f,
    SystemSessionDetach = 0x30,
    SystemSessionInformation = 0x31,
    SystemRangeStartInformation = 0x32,
    SystemVerifierInformation = 0x33,
    SystemVerifierThunkExtend = 0x34,
    SystemSessionProcessInformation = 0x35,
    SystemLoadGdiDriverInSystemSpace = 0x36,
    SystemNumaProcessorMap = 0x37,
    SystemPrefetcherInformation = 0x38,
    SystemExtendedProcessInformation = 0x39,
    SystemRecommendedSharedDataAlignment = 0x3a,
    SystemComPlusPackage = 0x3b,
    SystemNumaAvailableMemory = 0x3c,
    SystemProcessorPowerInformation = 0x3d,
    SystemEmulationBasicInformation = 0x3e,
    SystemEmulationProcessorInformation = 0x3f,
    SystemExtendedHandleInformation = 0x40,
    SystemLostDelayedWriteInformation = 0x41,
    SystemBigPoolInformation = 0x42,
    SystemSessionPoolTagInformation = 0x43,
    SystemSessionMappedViewInformation = 0x44,
    SystemHotpatchInformation = 0x45,
    SystemObjectSecurityMode = 0x46,
    SystemWatchdogTimerHandler = 0x47,
    SystemWatchdogTimerInformation = 0x48,
    SystemLogicalProcessorInformation = 0x49,
    SystemWow64SharedInformationObsolete = 0x4a,
    SystemRegisterFirmwareTableInformationHandler = 0x4b,
    SystemFirmwareTableInformation = 0x4c,
    SystemModuleInformationEx = 0x4d,
    SystemVerifierTriageInformation = 0x4e,
    SystemSuperfetchInformation = 0x4f,
    SystemMemoryListInformation = 0x50,
    SystemFileCacheInformationEx = 0x51,
    SystemThreadPriorityClientIdInformation = 0x52,
    SystemProcessorIdleCycleTimeInformation = 0x53,
    SystemVerifierCancellationInformation = 0x54,
    SystemProcessorPowerInformationEx = 0x55,
    SystemRefTraceInformation = 0x56,
    SystemSpecialPoolInformation = 0x57,
    SystemProcessIdInformation = 0x58,
    SystemErrorPortInformation = 0x59,
    SystemBootEnvironmentInformation = 0x5a,
    SystemHypervisorInformation = 0x5b,
    SystemVerifierInformationEx = 0x5c,
    SystemTimeZoneInformation = 0x5d,
    SystemImageFileExecutionOptionsInformation = 0x5e,
    SystemCoverageInformation = 0x5f,
    SystemPrefetchPatchInformation = 0x60,
    SystemVerifierFaultsInformation = 0x61,
    SystemSystemPartitionInformation = 0x62,
    SystemSystemDiskInformation = 0x63,
    SystemProcessorPerformanceDistribution = 0x64,
    SystemNumaProximityNodeInformation = 0x65,
    SystemDynamicTimeZoneInformation = 0x66,
    SystemCodeIntegrityInformation = 0x67,
    SystemProcessorMicrocodeUpdateInformation = 0x68,
    SystemProcessorBrandString = 0x69,
    SystemVirtualAddressInformation = 0x6a,
    SystemLogicalProcessorAndGroupInformation = 0x6b,
    SystemProcessorCycleTimeInformation = 0x6c,
    SystemStoreInformation = 0x6d,
    SystemRegistryAppendString = 0x6e,
    SystemAitSamplingValue = 0x6f,
    SystemVhdBootInformation = 0x70,
    SystemCpuQuotaInformation = 0x71,
    SystemNativeBasicInformation = 0x72,
    SystemErrorPortTimeouts = 0x73,
    SystemLowPriorityIoInformation = 0x74,
    SystemBootEntropyInformation = 0x75,
    SystemVerifierCountersInformation = 0x76,
    SystemPagedPoolInformationEx = 0x77,
    SystemSystemPtesInformationEx = 0x78,
    SystemNodeDistanceInformation = 0x79,
    SystemAcpiAuditInformation = 0x7a,
    SystemBasicPerformanceInformation = 0x7b,
    SystemQueryPerformanceCounterInformation = 0x7c,
    SystemSessionBigPoolInformation = 0x7d,
    SystemBootGraphicsInformation = 0x7e,
    SystemScrubPhysicalMemoryInformation = 0x7f,
    SystemBadPageInformation = 0x80,
    SystemProcessorProfileControlArea = 0x81,
    SystemCombinePhysicalMemoryInformation = 0x82,
    SystemEntropyInterruptTimingInformation = 0x83,
    SystemConsoleInformation = 0x84,
    SystemPlatformBinaryInformation = 0x85,
    SystemThrottleNotificationInformation = 0x86,
    SystemHypervisorProcessorCountInformation = 0x87,
    SystemDeviceDataInformation = 0x88,
    SystemDeviceDataEnumerationInformation = 0x89,
    SystemMemoryTopologyInformation = 0x8a,
    SystemMemoryChannelInformation = 0x8b,
    SystemBootLogoInformation = 0x8c,
    SystemProcessorPerformanceInformationEx = 0x8d,
    SystemSpare0 = 0x8e,
    SystemSecureBootPolicyInformation = 0x8f,
    SystemPageFileInformationEx = 0x90,
    SystemSecureBootInformation = 0x91,
    SystemEntropyInterruptTimingRawInformation = 0x92,
    SystemPortableWorkspaceEfiLauncherInformation = 0x93,
    SystemFullProcessInformation = 0x94,
    SystemKernelDebuggerInformationEx = 0x95,
    SystemBootMetadataInformation = 0x96,
    SystemSoftRebootInformation = 0x97,
    SystemElamCertificateInformation = 0x98,
    SystemOfflineDumpConfigInformation = 0x99,
    SystemProcessorFeaturesInformation = 0x9a,
    SystemRegistryReconciliationInformation = 0x9b,
    MaxSystemInfoClass = 0x9c,
} SYSTEM_INFORMATION_CLASS;
/* Function-pointer type matching the ZwQuerySystemInformation export. */
extern "C" typedef NTSTATUS(*PZwQuerySystemInformation)(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID                    SystemInformation,
    ULONG                    SystemInformationLength,
    PULONG                   ReturnLength
    );
 
/* Function-pointer type taking a single __int64; not used by any code visible here. */
extern "C"  typedef void(__fastcall* hhh)(
    __int64               ReturnLength
    );
 
 
/*
 * Resolved in DriverEntry via MmGetSystemRoutineAddress rather than linked as
 * an import.  Stays NULL if the lookup fails, in which case DriverEntry bails
 * out before anything dereferences it.  sub_140001480 calls through it.
 */
PZwQuerySystemInformation ZwQuerySystemInformation = NULL;
 
 
 
 /*
  * Prototype for ObReferenceObjectByName, which the kernel exports but the
  * public headers do not declare.  Typically paired with IoDriverObjectType
  * (declared near the top of the file) to look up a driver object by name;
  * it is not called by any code visible in this excerpt.
  */
 extern "C" NTKERNELAPI
NTSTATUS
ObReferenceObjectByName(
    IN PUNICODE_STRING ObjectName,
    IN ULONG Attributes,
    IN PACCESS_STATE PassedAccessState OPTIONAL,
    IN ACCESS_MASK DesiredAccess OPTIONAL,
    IN POBJECT_TYPE ObjectType,
    IN KPROCESSOR_MODE AccessMode,
    IN OUT PVOID ParseContext OPTIONAL,
    OUT PVOID* Object
);
 
 
/*
 * Substitutes for the IDA pseudo-types used by the decompiled routines below.
 * NOTE(review): these do not all match IDA's definitions -- IDA's _WORD is
 * unsigned 16-bit, while here it is a signed short, and LODWORD here is a
 * bare cast prefix rather than IDA's LODWORD(x) macro.  The signed _WORD is
 * harmless for the values compared in this file (0x5A4D and section counts),
 * but keep it in mind when reading comparisons that involve *(_WORD*).
 */
#define  _QWORD ULONG64
#define  _DWORD unsigned int
#define LODWORD  *(unsigned int*)
#define _WORD  short int
#define _BYTE  unsigned char
 /*
  * Masked byte comparison (decompiled).
  *
  * a1  address of the candidate bytes being examined
  * a2  the reference byte pattern
  * a3  NUL-terminated mask string; a '?' (63) at position i means "any byte";
  *     every other mask character requires a1[i] == a2[i]
  *
  * Returns 1 when every position up to strlen(a3) matches (or when the mask
  * is empty), 0 on the first mismatch at a non-'?' position.
  *
  * No bounds checking is done on a1; the caller (sub_140001344) is
  * responsible for keeping a1 + strlen(a3) inside the scanned region.
  * The pointer arithmetic between unrelated objects is a decompiler artifact
  * and is left as-is so the listing matches the analysed binary.
  */
 char __fastcall sub_1400016A8(__int64 a1, _BYTE* a2, __int64 a3)
 {
     __int64 v3; // r9
     __int64 v4; // r10
     _BYTE* v5; // rcx
     __int64 v6; // r8
 
     v3 = -1i64;
     do
         ++v3;
     while (*(_BYTE*)(a3 + v3));// v3 = strlen(a3), the number of positions to compare
     if (!v3)
         return 1;
     v4 = a1 - (_QWORD)a2;   // so that v5[v4] reads the candidate byte at the same index
     v5 = a2;
     v6 = a3 - (_QWORD)a2;   // so that v5[v6] reads the mask character at the same index
     while (v5[v4] == *v5 || v5[v6] == 63)
     {
         // v5[v4] is a1[i], *v5 is a2[i], v5[v6] is a3[i]
         if (++v5 - a2 >= v3)
             return 1;
     }
     return 0;
 }
 
 /*
  * Locate a loaded kernel module by a substring of its path (decompiled).
  *
  * SubStr  substring matched with strstr() against each module's path
  * a2      out: 8-byte field at offset 24 of the buffer (first entry + 16)
  * a3      out: 4-byte field at offset 32 of the buffer (first entry + 24)
  *
  * The buffer comes from ZwQuerySystemInformation(SystemModuleInformation);
  * the walk (count at offset 0, entries of 296 bytes, path at entry + 40) is
  * consistent with RTL_PROCESS_MODULES / RTL_PROCESS_MODULE_INFORMATION on
  * x64, which would make *a2 the image base and *a3 the image size -- confirm
  * against the target build before relying on that.
  *
  * Returns 1 whenever the second query succeeds, 0 when the size query returns
  * 0, the pool allocation fails, or the second query fails.
  *
  * NOTE(review): a return of 1 does not mean a match was found.  When no
  * path contains SubStr the loop exits to LABEL_10 without writing *a2/*a3,
  * so callers must pre-initialise both outputs and check them.  Because
  * strstr() is a substring test, a short SubStr can also match an unrelated
  * module whose path happens to contain it; the first such entry wins.
  *
  * The pool tag 0x5574696C stored as bytes is 'l','i','t','U', which is how
  * it shows up in pool-tag tools.  The required size is queried first and
  * reused for the second call; if the module list grows in between, the
  * second call fails and the function returns 0.
  */
 char __fastcall sub_140001480(char* SubStr, _QWORD* a2, _DWORD* a3)
 {
     char v3; // bl
     char* PoolWithTag; // rax
     char* v8; // rdi
     unsigned __int64 v9; // rbp
     const char* v10; // rsi
     SIZE_T NumberOfBytes = 0; // [rsp+68h] [rbp+20h] BYREF
 
     v3 = 0;
     //*(unsigned int*)(NumberOfBytes) = 0;
     // Size probe: the same variable is passed as the (zero-length) buffer and
     // as the ReturnLength output.
     ZwQuerySystemInformation(SystemModuleInformation, &NumberOfBytes, 0, (PULONG)&NumberOfBytes);
     if (!(_DWORD)NumberOfBytes)
         return 0;
     // Only the low 32 bits of the requested size are used for the allocation.
     PoolWithTag = (char*)ExAllocatePoolWithTag(NonPagedPool, (unsigned int)NumberOfBytes, 0x5574696Cu);
     v8 = PoolWithTag;
     if (!PoolWithTag)
         return 0;
     if (ZwQuerySystemInformation(SystemModuleInformation, PoolWithTag, NumberOfBytes, 0i64) >= 0)
     {
         v9 = 0i64;
         if (*(_QWORD*)v8)   // 8-byte read of the module count (ULONG + padding)
         {
             v10 = v8;
             // v10 + 48 = first entry's path field; each entry is 296 bytes.
             while (!strstr(v10 + 48, SubStr))
             {
                 ++v9;
                 v10 += 296;
                 if (v9 >= *(_QWORD*)v8)
                     goto LABEL_10;   // no match: outputs left untouched, still returns 1
             }
             *a2 = *((_QWORD*)v10 + 3);
             *a3 = *((_DWORD*)v10 + 8);
         }
     }
     LABEL_10:
         v3 = 1;
     }
     ExFreePoolWithTag(v8, 0x5574696Cu);
     return v3;
 }
 
 /*
  * Linear scan of a memory region for a masked byte pattern (decompiled).
  *
  * a1  start address of the region
  * a2  region length in bytes
  * a3  reference byte pattern (passed through to sub_1400016A8)
  * a4  NUL-terminated mask string; its length is the pattern length
  *
  * Tries offsets 0 .. a2 - strlen(a4) - 1 and returns the first address at
  * which sub_1400016A8 reports a match, or 0 if none (or if a2 equals the
  * pattern length exactly, see below).
  *
  * NOTE(review): v9 = a2 - strlen(a4) is computed in unsigned 32-bit
  * arithmetic and only the a2 == strlen(a4) case is rejected.  If a2 is
  * smaller than the pattern length, v9 wraps to a large value and the loop
  * keeps reading past the end of the region until it matches or faults.
  * The a2 == strlen(a4) case is also rejected even though a single
  * comparison at offset 0 would fit -- an off-by-one in the original binary,
  * kept here verbatim.
  */
 __int64 __fastcall sub_140001344(__int64 a1, unsigned int a2, __int64 a3, __int64 a4)
 {
     __int64 v7; // rax
     unsigned int v8; // ebx
     unsigned int v9; // edi
 
     v7 = -1i64;
     do
         ++v7;
     while (*(_BYTE*)(v7 + a4));   // v7 = strlen(a4)
     v8 = 0;
     v9 = a2 - v7;                 // number of candidate offsets (unsigned; wraps if a2 < v7)
     if (a2 == (_DWORD)v7)
         return 0i64;
     while (!(unsigned __int8)sub_1400016A8(a1 + v8, (_BYTE*)a3, a4))
     {
         if (++v8 >= v9)
             return 0i64;
     }
     return a1 + v8;
 }
 
/*
 * Byte pattern copied from the analysed binary's data section.  It is the
 * "reference bytes" side of a masked search (see sub_1400016A8 /
 * sub_1400013C0); the mask string that accompanies it is not visible in this
 * excerpt.  Zero bytes here presumably sit at the positions the mask marks
 * with '?' -- confirm against the call site.
 */
unsigned char qword_140002210[] = {
    0x48 ,0x89 ,0x5C ,0x24 ,0x00 ,
    0x48 ,0x89 ,0x74  ,0x24 ,0x00 ,0x57 ,0x48 ,0x81 ,0xEC ,0x00 ,0x00,
    0x00 ,0x00 ,0x48 ,0x8B ,0x05 ,
 
    0x00 ,0x00 ,0x00  ,0x00 ,0x48 ,0x33 ,0xC4 ,0x48 ,0x89 ,0x84 ,0x24,
0x00 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8B ,0x59 ,0x60  ,0x48 ,0x8B ,0xF1 ,0x40 ,
0x8A ,0xFA ,0x8B ,0x4B,
0x10 ,0x0
};
 
/*
 * Search the code sections of a mapped PE image for a masked pattern
 * (decompiled).
 *
 * a1  image base (must point at an "MZ" header)
 * a2  reference byte pattern, forwarded to sub_140001344
 * a3  mask string, forwarded to sub_140001344
 *
 * Validates the DOS signature (23117 == 0x5A4D, "MZ") and the NT signature
 * (17744 == 0x4550, "PE\0\0"), then walks the 40-byte section headers.  For
 * every section whose name contains ".text" or starts with the four bytes
 * "PAGE" (1162297680 == 0x45474150) it scans the section's memory range
 * (base + VirtualAddress at +12, length VirtualSize at +8, per the PE
 * section-header layout) and returns the first hit.
 *
 * Returns the matching address, or 0 when the headers are invalid, the image
 * has no sections, or nothing matched.
 *
 * NOTE(review): the return type is spelled `_int64` (one underscore) while the
 * rest of the file uses `__int64`; check that the compiler really treats it
 * as the same type.  strstr() is run on the 8-byte Name field, which is not
 * NUL-terminated when the name uses all 8 characters, so the search can read
 * into the following fields of the header.
 */
_int64 __fastcall sub_1400013C0(__int64 a1, __int64 a2, __int64 a3)
{
 
     
    __int64 v6; // rbx
    __int64 v7; // r12
    unsigned __int16 v8; // si
    __int64 v9; // rbp
    __int64 result; // rax
 
    if (*(_WORD*)a1 != 23117)          // "MZ"
        return 0i64;
    v6 = a1 + *(int*)(a1 + 60);        // e_lfanew -> IMAGE_NT_HEADERS
    if (*(_DWORD*)v6 != 17744)         // "PE\0\0"
        return 0i64;
 
    // PE headers look valid.
    // v6 + 20 = SizeOfOptionalHeader, v6 + 24 = start of the optional header,
    // so v7 is the first IMAGE_SECTION_HEADER.
    v7 = *(unsigned __int16*)(v6 + 20) + v6 + 24;
    v8 = 0;
    if (!*(_WORD*)(v6 + 6))            // NumberOfSections
        return 0i64;
    while (1)
    {
        v9 = v7 + 40i64 * v8;          // section header v8 (40 bytes each)
        if (strstr((const char*)v9, ".text") || *(_DWORD*)v9 == 1162297680)//PAGE
        {
            result = sub_140001344(a1 + *(unsigned int*)(v9 + 12), *(unsigned int*)(v9 + 8), a2, a3);
            // code section found: +12 is VirtualAddress, +8 is VirtualSize
            if (result)
                break;
        }
        if (++v8 >= *(_WORD*)(v6 + 6))
            return 0i64;
    }
    return result;
}
 
 
 
 
 
 
 
 
 
 
 
// Definition of _fltused, which the MSVC CRT normally supplies when floating
// point / SSE types (__m128 below) are used; kernel drivers do not link the
// CRT, so it has to be provided here.  Declared extern "C" near the top.
int _fltused;
 
/*
 * Thin wrapper around the CRT's _vsnwprintf so the decompiled code below can
 * call it under the name the disassembly used.
 *
 * Dest    destination wide-character buffer
 * Count   maximum number of characters to write
 * Format  printf-style format string
 * Args    argument list already initialised with va_start
 *
 * Returns whatever _vsnwprintf returns (character count, or a negative value
 * on error/truncation, per that function's contract).
 */
int __cdecl vsnwprintf(wchar_t* Dest, size_t Count, const wchar_t* Format, va_list Args)
{
    int written = _vsnwprintf(Dest, Count, Format, Args);
    return written;
}
/*
 * Bounded wide-string formatter (decompiled).  Behaves like a
 * byte-count-based safe-string printf: a2 is the destination size in BYTES,
 * so the character capacity is a2 >> 1.
 *
 * Dest  destination buffer
 * a2    size of Dest in bytes
 * a3    format string, followed by its arguments
 *
 * Returns 0 on success; 0xC000000D (-1073741811, STATUS_INVALID_PARAMETER)
 * when the character capacity is 0 or exceeds 0x7FFFFFFF; 0x80000005
 * (-2147483643, STATUS_BUFFER_OVERFLOW) when the formatted text did not fit.
 * In both error cases Dest is left NUL-terminated (empty, or truncated at
 * capacity - 1).  Both codes are returned zero-extended through
 * (unsigned int).
 *
 * NOTE(review): va_end is never called for Args; harmless with the MSVC x64
 * va_list implementation but worth noting if the code is ever ported.
 */
__int64 sub_140001000(wchar_t* Dest, unsigned __int64 a2, const wchar_t* a3, ...)
{
    unsigned __int64 v3; // rdx
    int v5; // esi
    unsigned __int64 v6; // rbx
    int v7 = 0; // eax
    va_list Args; // [rsp+68h] [rbp+20h] BYREF
 
    va_start(Args, a3);
    v3 = a2 >> 1;                               // capacity in wide characters
    v5 = 0;
    if (v3 - 1 > 0x7FFFFFFE)                    // rejects v3 == 0 (wraps) and v3 > 0x7FFFFFFF
        v5 = -1073741811;                       // STATUS_INVALID_PARAMETER
    if (v5 < 0)
    {
        if (v3)
            *Dest = 0;                          // leave an empty string if there is room
    }
    else
    {
        v6 = v3 - 1;                            // characters available before the terminator
        v5 = 0;
        v7 = vsnwprintf(Dest, v3 - 1, a3, Args);
        if (v7 < 0 || v7 > v6)
        {
            // error or would-not-fit: terminate at the last slot and report overflow
            Dest[v6] = 0;
            return (unsigned int)-2147483643;   // STATUS_BUFFER_OVERFLOW
        }
        else if (v7 == v6)
        {
            Dest[v6] = 0;                       // exactly filled: add the terminator
        }
    }
    return (unsigned int)v5;
}
/*
 * memset-style fill (decompiled CRT routine).  Writes a3 copies of the byte
 * a2 starting at a1 and returns a1.
 *
 * Three size tiers:
 *   a3 < 8       byte-by-byte loop
 *   8 .. 0x4E    8-byte stores of the replicated byte, walking backwards,
 *                plus one overlapping 8-byte store for any remainder
 *   a3 >= 0x4F   16-byte stores: one unaligned store at a1, then an aligned
 *                128-byte unrolled loop, a 16-byte loop, and an overlapping
 *                16-byte store for the tail
 *
 * NOTE(review): in the >= 0x4F branch the decompiled broadcast
 * (_mm_movelh_ps, see the commented line) was replaced by a zero-initialised
 * __m128, so every 16-byte store in that branch writes zeros regardless of
 * a2.  For fills of 79 bytes or more this routine therefore behaves like
 * memset(a1, 0, a3), not memset(a1, a2, a3).  It is only invisible if all
 * callers pass a2 == 0 -- check the call sites (not shown in this excerpt).
 */
__m128* __fastcall sub_140001E00(__m128* a1, unsigned __int8 a2, unsigned __int64 a3)
{
    __m128* result; // rax
    unsigned __int64  v4; // rdx
    unsigned __int64 v5; // r9
    char* v6; // rcx
    unsigned __int64 v7; // r8
    __m128 v8; // xmm0
    char* v9; // r8
    __m128* v10; // rcx
    unsigned __int64 v11; // r8
    unsigned __int64 v12; // r9
    unsigned __int64 i; // r9
    __int64 v14; // r8
 
    result = a1;
    if (a3 < 8)
    {
        // Tiny fill: one byte at a time, from the end down.
        for (; a3; --a3)
            a1->m128_i8[a3 - 1] = a2;
    }
    else
    {
        v4 = 0x101010101010101i64 * a2;         // a2 replicated into all 8 bytes
        if (a3 >= 0x4F)
        {
            //v8 = _mm_movelh_ps((__m128)v4, (__m128)v4);
            // Replacement for the line above: v8 is all zeros, NOT the replicated a2.
            __m128  bjj = { 0 };
            v8 = bjj;
            *a1 = v8;                           // unaligned head store
            v9 = (char*)a1 + a3;                // one past the end
            v10 = (__m128*)((unsigned __int64)&a1[1] & 0xFFFFFFFFFFFFFFF0ui64);   // first 16-aligned slot after the head
            v11 = v9 - (char*)v10;              // bytes left from the aligned slot
            v12 = v11 >> 7;                     // number of 128-byte chunks
            if (v11 >> 7)
            {
                do
                {
                    *v10 = v8;
                    v10[1] = v8;
                    v10 += 8;
                    v10[-6] = v8;
                    v10[-5] = v8;
                    --v12;
                    v10[-4] = v8;
                    v10[-3] = v8;
                    v10[-2] = v8;
                    v10[-1] = v8;
                } while (v12);
                v11 &= 0x7Fu;                   // remainder after the 128-byte chunks
            }
            for (i = v11 >> 4; i; --i)
                *v10++ = v8;                    // remaining whole 16-byte slots
            v14 = v11 & 0xF;
            if (v14)
                *(__m128*)((char*)v10 + v14 - 16) = v8;   // tail: overlapping store ending at v9
        }
        else
        {
            v5 = a3 & 0x78;                     // whole 8-byte chunks, as a byte count
            v6 = (char*)a1 + (a3 & 0xFFFFFFFFFFFFFFF8ui64);
            do
            {
                // &m128_u64[-1] is a1 - 8, so this writes a1 + v5 - 8 down to a1 + 0
                *(unsigned __int64*)((char*)&result->m128_u64[-1] + v5) = v4;
                v5 -= 8i64;
            } while (v5);                             // remaining bytes are handled by the overlapping store below
            v7 = a3 & 7;
            if (v7)
                *(_QWORD*)&v6[v7 - 8] = v4;     // last 8 bytes of the region
        }
    }
    return result;
}
__int64 __fastcall sub_14000199C(__int64 a1, int a2)
{
    __int64 v2; // rdi
    __int64 v3 = 0; // rbx
    char v6[64]; // [rsp+20h] [rbp-48h] BYREF
    ULONG Seed; // [rsp+78h] [rbp+10h] BYREF
    v3 = a2;
    v2 = 0i64;
 
    if (!a2)
    {

//