逆向一个sys,对其中的一个函数的疑惑
下面是sys中的一个函数。俺在其中的一个循环那里卡住了,分析了半天看不明白,就差这里没逆出来了。
函数的思路如下:
此sys hook了
ZwLoadDriver。在
fake_ZwLoadDriver中处理了很多东西,比如防止IS驱动的加载等.
然后调用了下面这个函数
MyFindValue. 它的参数就一个
FullPath. 为它传递的是其他驱动在注册表中
的
ImagePath里面的内容.也就是sys的全路径.
而这个函数就是按照 FullPath打开文件.映射4KB的内容到自己进程空间.然后遍历里面的节表和引入表.
然后后面俺就有些糊涂了,不知道它到底要干么~~~
.text:00010E8E
; int __stdcall MyFindValue(PCWSTR FullPath)
.text:00010E8E MyFindValue
proc near
; CODE XREF: fake_ZwLoadDriver+18Ap
.text:00010E8E
.text:00010E8E ObjectAttributes= OBJECT_ATTRIBUTES
ptr -7Ch
.text:00010E8E IoStatusBlock = _IO_STATUS_BLOCK
ptr -64h
.text:00010E8E p_wcFullPath = LSA_UNICODE_STRING
ptr -5Ch
.text:00010E8E var_54 =
dword ptr -54h
.text:00010E8E Ntheader_adr =
dword ptr -50h
.text:00010E8E var_4C =
dword ptr -4Ch
.text:00010E8E var_48 =
dword ptr -48h
.text:00010E8E var_44 =
dword ptr -44h
.text:00010E8E var_40 =
dword ptr -40h
.text:00010E8E SectionTableAddress=
dword ptr -3Ch
.text:00010E8E ViewSize =
dword ptr -38h
.text:00010E8E FileHandle =
dword ptr -34h
.text:00010E8E SectionHandle =
dword ptr -30h
.text:00010E8E var_2C =
dword ptr -2Ch
.text:00010E8E BaseAddress =
dword ptr -28h
.text:00010E8E count =
dword ptr -24h
.text:00010E8E var_20 =
dword ptr -20h
.text:00010E8E var_19 =
byte ptr -19h
.text:00010E8E ms_exc = CPPEH_RECORD
ptr -18h
.text:00010E8E FullPath =
dword ptr 8
.text:00010E8E
.text:00010E8E
push 6Ch
.text:00010E90
push offset stru_12F80
.text:00010E95
call __SEH_prolog
.text:00010E9A
xor ebx,
ebx
.text:00010E9C
mov [
ebp+BaseAddress],
ebx
.text:00010E9F
mov [
ebp+var_19],
bl
.text:00010EA2
mov [
ebp+ViewSize],
ebx ; 初始化3个局部变量
.text:00010EA2
;
.text:00010EA5
push [
ebp+FullPath]
; SourceString
.text:00010EA8
lea eax, [
ebp+p_wcFullPath]
.text:00010EAB
push eax ; DestinationString
.text:00010EAC
call ds:RtlInitUnicodeString
.text:00010EB2
mov [
ebp+ObjectAttributes.Length], 18h
.text:00010EB9
mov [
ebp+ObjectAttributes.RootDirectory],
ebx
.text:00010EBC
mov [
ebp+ObjectAttributes.Attributes], 240h
.text:00010EC3
lea eax, [
ebp+p_wcFullPath]
.text:00010EC6
mov [
ebp+ObjectAttributes.ObjectName],
eax
.text:00010EC9
mov [
ebp+ObjectAttributes.SecurityDescriptor],
ebx
.text:00010ECC
mov [
ebp+ObjectAttributes.SecurityQualityOfService],
ebx
.text:00010ECF
push 20h
; OpenOptions
.text:00010ED1
push 1
; ShareAccess
.text:00010ED3
lea eax, [
ebp+IoStatusBlock]
.text:00010ED6
push eax ; IoStatusBlock
.text:00010ED7
lea eax, [
ebp+ObjectAttributes]
.text:00010EDA
push eax ; ObjectAttributes
.text:00010EDB
push 100020h
; DesiredAccess
.text:00010EE0
lea eax, [
ebp+FileHandle]
.text:00010EE3
push eax ; FileHandle
.text:00010EE4
call ds:
ZwOpenFile
.text:00010EEA
test eax,
eax
.text:00010EEC
jl Failed
.text:00010EF2
mov [
ebp+ObjectAttributes.ObjectName],
ebx
.text:00010EF5
push [
ebp+FileHandle]
; FileHandle
.text:00010EF8
push 1000000h
; Attributes
.text:00010EFD
push 10h
; Protect
.text:00010EFF
push ebx ; SectionSize
.text:00010F00
lea eax, [
ebp+ObjectAttributes]
.text:00010F03
push eax ; ObjectAttributes
.text:00010F04
push 0F001Fh
; DesiredAccess
.text:00010F09
lea eax, [
ebp+SectionHandle]
.text:00010F0C
push eax ; SectionHandle
.text:00010F0D
call ds:
ZwCreateSection
.text:00010F13
test eax,
eax
.text:00010F15
jl loc_1106E
.text:00010F1B
push 4
; Protect
.text:00010F1D
push 100000h
; AllocationType
.text:00010F22
push 1
; InheritDisposition
.text:00010F24
lea eax, [
ebp+ViewSize]
.text:00010F27
push eax ; ViewSize
.text:00010F28
push ebx ; SectionOffset
.text:00010F29
push 1000h
; CommitSize
.text:00010F2E
push ebx ; ZeroBits
.text:00010F2F
lea eax, [
ebp+BaseAddress]
.text:00010F32
push eax ; BaseAddress
.text:00010F33
push 0FFFFFFFFh
; ProcessHandle
.text:00010F35
push [
ebp+SectionHandle]
; SectionHandle
.text:00010F38
call ds:
ZwMapViewOfSection ; 从这个文件的开始处,映射4KB大小的内容
.text:00010F38
; 自身进程空间中指定的位置处
.text:00010F3E
cmp eax,
ebx
.text:00010F40
jl FailedToMap
.text:00010F46
mov eax, [
ebp+BaseAddress]
.text:00010F49
cmp eax,
ebx
.text:00010F4B
jz FailedToMap
.text:00010F51
mov [
ebp+ms_exc.disabled],
ebx
.text:00010F54
mov edx, [
eax+3Ch]
.text:00010F57
add edx,
eax ; edx = NT_HEADER
.text:00010F59
mov [
ebp+Ntheader_adr],
edx
.text:00010F5C
cmp dword ptr [
edx], 4550h
.text:00010F62
jnz NotPE
.text:00010F68
lea eax, [
edx+0F8h]
.text:00010F6E
mov [
ebp+SectionTableAddress],
eax ; eax 到了节表了
.text:00010F71
xor esi,
esi
.text:00010F73
.text:00010F73 while_section:
; CODE XREF: MyFindValue+1C7j
.text:00010F73
mov [
ebp+count],
esi ; esi递增
.text:00010F76
movzx eax,
word ptr [
edx+6]
; NumberOfSection 节数
.text:00010F7A
cmp esi,
eax ; 若节表遍历完了,就结束
.text:00010F7C
jnb NotPE
;
.text:00010F7C
;
.text:00010F82
lea eax, [
esi+
esi*4]
.text:00010F85
mov ecx, [
ebp+SectionTableAddress]
.text:00010F88
lea eax, [
ecx+
eax*8]
; eax保存的是每个节表的RVA
.text:00010F8B
mov ecx, [
edx+80h]
; ecx = 引入表的RVA
.text:00010F91
mov edi, [
eax+0Ch]
; edi = +0x00c VirtualAddress; 相对于ImageBase的RVA
.text:00010F91
;
.text:00010F94
cmp ecx,
edi
.text:00010F96
jb Next_section
.text:00010F9C
mov ebx, [
eax+8]
; ebx保存的是该节对齐前的长度
.text:00010F9F
add ebx,
edi ; ebx保存该节结束的RVA
.text:00010FA1
cmp ecx,
ebx
.text:00010FA3
jnb Next_section
.text:00010FA9
mov esi, [
eax+14h]
; +0x014 PointerToRawData 节基于文件的偏移量
.text:00010FAC
sub esi,
edi
.text:00010FAE
add esi, [
ebp+BaseAddress]
;下面这些就有点儿糊涂了. 麻烦帮忙分析下啊=。-!
.text:00010FB1
mov [
ebp+var_54],
esi
.text:00010FB4
lea edi, [
ecx+
esi]
.text:00010FB7
mov [
ebp+var_4C],
edi
.text:00010FBA
and [
ebp+count], 0
.text:00010FBE
.text:00010FBE loc_10FBE:
; CODE XREF: MyFindValue+1B2j
.text:00010FBE
cmp dword ptr [
edi+0Ch], 0
.text:00010FC2
jz NotPE
.text:00010FC8
push edi ; VirtualAddress
.text:00010FC9
call ds:MmIsAddressValid
.text:00010FCF
test al,
al
.text:00010FD1
jz short loc_11037
.text:00010FD3
mov eax, [
edi]
.text:00010FD5
test eax,
eax
.text:00010FD7
jnz short loc_10FDC
.text:00010FD9
mov eax, [
edi+10h]
.text:00010FDC
.text:00010FDC loc_10FDC:
; CODE XREF: MyFindValue+149j
.text:00010FDC
add eax,
esi
.text:00010FDE
mov [
ebp+var_20],
eax
.text:00010FE1
mov ebx, [
edi+10h]
.text:00010FE4
add ebx,
esi
.text:00010FE6
mov [
ebp+var_48],
ebx
.text:00010FE9
and [
ebp+var_2C], 0
.text:00010FED
.text:00010FED loc_10FED:
; CODE XREF: MyFindValue+1C4j
.text:00010FED
mov eax, [
ebp+var_20]
.text:00010FF0
mov eax, [
eax]
.text:00010FF2
test eax,
eax
.text:00010FF4
jz short loc_11037
.text:00010FF6
js short loc_11045
.text:00010FF8
add eax,
esi
.text:00010FFA
mov [
ebp+var_40],
eax
.text:00010FFD
push eax ; VirtualAddress
.text:00010FFE
call ds:MmIsAddressValid
.text:00011004
test al,
al
.text:00011006
jz short loc_11045
.text:00011008
mov eax, [
ebp+var_40]
.text:0001100B
add eax, 2
.text:0001100E
mov [
ebp+var_44],
eax
.text:00011011
push eax ; VirtualAddress
.text:00011012
call ds:MmIsAddressValid
.text:00011018
test al,
al
.text:0001101A
jz short loc_11045
.text:0001101C
push 18h
; size_t
.text:0001101E
push offset aKeservicedes_0
; "KeServiceDescriptorTable"
.text:00011023
push [
ebp+var_44]
; char *
.text:00011026
call ds:
strncmp
.text:0001102C
add esp, 0Ch
.text:0001102F
test eax,
eax
.text:00011031
jnz short loc_11045
.text:00011033
mov [
ebp+var_19], 1
.text:00011037
.text:00011037 loc_11037:
; CODE XREF: MyFindValue+143j
.text:00011037
; MyFindValue+166j
.text:00011037
add edi, 14h
.text:0001103A
mov [
ebp+var_4C],
edi
.text:0001103D
inc [
ebp+count]
.text:00011040
jmp loc_10FBE
.text:00011045
; ---------------------------------------------------------------------------
.text:00011045
.text:00011045 loc_11045:
; CODE XREF: MyFindValue+168j
.text:00011045
; MyFindValue+178j ...
.text:00011045
add [
ebp+var_20], 4
.text:00011049
inc [
ebp+var_2C]
.text:0001104C
add ebx, 4
.text:0001104F
mov [
ebp+var_48],
ebx
.text:00011052
jmp short loc_10FED
.text:00011054
; ---------------------------------------------------------------------------
.text:00011054
.text:00011054 Next_section:
; CODE XREF: MyFindValue+108j
.text:00011054
; MyFindValue+115j
.text:00011054
inc esi
.text:00011055
jmp while_section
; esi递增
.text:0001105A
; ---------------------------------------------------------------------------
.text:0001105A
.text:0001105A loc_1105A:
; DATA XREF: .rdata:stru_12F80o
.text:0001105A
xor eax,
eax
.text:0001105C
inc eax
.text:0001105D
retn
.text:0001105E
; ---------------------------------------------------------------------------
.text:0001105E
.text:0001105E loc_1105E:
; DATA XREF: .rdata:stru_12F80o
.text:0001105E
mov esp, [
ebp+ms_exc.old_esp]
.text:00011061
.text:00011061 NotPE:
; CODE XREF: MyFindValue+D4j
.text:00011061
; MyFindValue+EEj ...
.text:00011061
or [
ebp+ms_exc.disabled], 0FFFFFFFFh
.text:00011065
.text:00011065 FailedToMap:
; CODE XREF: MyFindValue+B2j
.text:00011065
; MyFindValue+BDj
.text:00011065
push [
ebp+SectionHandle]
; Handle
.text:00011068
call ds:ZwClose
.text:0001106E
.text:0001106E loc_1106E:
; CODE XREF: MyFindValue+87j
.text:0001106E
push [
ebp+FileHandle]
; Handle
.text:00011071
call ds:ZwClose
.text:00011077
.text:00011077 Failed:
; CODE XREF: MyFindValue+5Ej
.text:00011077
mov al, [
ebp+var_19]
.text:0001107A
call __SEH_epilog
.text:0001107F
retn 4
.text:0001107F MyFindValue
endp
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)