-
-
[求助]逆向一个sys,对其中的一个函数的疑惑[已解决]
-
发表于: 2008-2-29 13:26
-
逆向一个sys,对其中的一个函数的疑惑
下面是sys中的一个函数。俺在其中的一个循环那里卡住了,分析了半天看不明白,就差这里没逆出来了。
函数的思路如下:
此sys hook了 ZwLoadDriver。在fake_ZwLoadDriver中处理了很多东西,比如防止IS驱动的加载等.
然后调用了下面这个函数MyFindValue. 它的参数就一个 FullPath. 为它传递的是其他驱动在注册表中
的ImagePath里面的内容.也就是sys的全路径.
而这个函数就是按照 FullPath打开文件.映射4KB的内容到自己进程空间.然后遍历里面的节表和引入表.
然后后面俺就有些糊涂了,不知道它到底要干么~~~
.text:00010E8E ; int __stdcall MyFindValue(PCWSTR FullPath)
.text:00010E8E MyFindValue proc near ; CODE XREF: fake_ZwLoadDriver+18Ap
.text:00010E8E
.text:00010E8E ObjectAttributes= OBJECT_ATTRIBUTES ptr -7Ch
.text:00010E8E IoStatusBlock = _IO_STATUS_BLOCK ptr -64h
.text:00010E8E p_wcFullPath = LSA_UNICODE_STRING ptr -5Ch
.text:00010E8E var_54 = dword ptr -54h
.text:00010E8E Ntheader_adr = dword ptr -50h
.text:00010E8E var_4C = dword ptr -4Ch
.text:00010E8E var_48 = dword ptr -48h
.text:00010E8E var_44 = dword ptr -44h
.text:00010E8E var_40 = dword ptr -40h
.text:00010E8E SectionTableAddress= dword ptr -3Ch
.text:00010E8E ViewSize = dword ptr -38h
.text:00010E8E FileHandle = dword ptr -34h
.text:00010E8E SectionHandle = dword ptr -30h
.text:00010E8E var_2C = dword ptr -2Ch
.text:00010E8E BaseAddress = dword ptr -28h
.text:00010E8E count = dword ptr -24h
.text:00010E8E var_20 = dword ptr -20h
.text:00010E8E var_19 = byte ptr -19h
.text:00010E8E ms_exc = CPPEH_RECORD ptr -18h
.text:00010E8E FullPath = dword ptr 8
.text:00010E8E
.text:00010E8E push 6Ch
.text:00010E90 push offset stru_12F80
.text:00010E95 call __SEH_prolog
.text:00010E9A xor ebx, ebx
.text:00010E9C mov [ebp+BaseAddress], ebx
.text:00010E9F mov [ebp+var_19], bl
.text:00010EA2 mov [ebp+ViewSize], ebx ; 初始化3个局部变量
.text:00010EA2 ;
.text:00010EA5 push [ebp+FullPath] ; SourceString
.text:00010EA8 lea eax, [ebp+p_wcFullPath]
.text:00010EAB push eax ; DestinationString
.text:00010EAC call ds:RtlInitUnicodeString
.text:00010EB2 mov [ebp+ObjectAttributes.Length], 18h
.text:00010EB9 mov [ebp+ObjectAttributes.RootDirectory], ebx
.text:00010EBC mov [ebp+ObjectAttributes.Attributes], 240h
.text:00010EC3 lea eax, [ebp+p_wcFullPath]
.text:00010EC6 mov [ebp+ObjectAttributes.ObjectName], eax
.text:00010EC9 mov [ebp+ObjectAttributes.SecurityDescriptor], ebx
.text:00010ECC mov [ebp+ObjectAttributes.SecurityQualityOfService], ebx
.text:00010ECF push 20h ; OpenOptions
.text:00010ED1 push 1 ; ShareAccess
.text:00010ED3 lea eax, [ebp+IoStatusBlock]
.text:00010ED6 push eax ; IoStatusBlock
.text:00010ED7 lea eax, [ebp+ObjectAttributes]
.text:00010EDA push eax ; ObjectAttributes
.text:00010EDB push 100020h ; DesiredAccess
.text:00010EE0 lea eax, [ebp+FileHandle]
.text:00010EE3 push eax ; FileHandle
.text:00010EE4 call ds:ZwOpenFile
.text:00010EEA test eax, eax
.text:00010EEC jl Failed
.text:00010EF2 mov [ebp+ObjectAttributes.ObjectName], ebx
.text:00010EF5 push [ebp+FileHandle] ; FileHandle
.text:00010EF8 push 1000000h ; Attributes
.text:00010EFD push 10h ; Protect
.text:00010EFF push ebx ; SectionSize
.text:00010F00 lea eax, [ebp+ObjectAttributes]
.text:00010F03 push eax ; ObjectAttributes
.text:00010F04 push 0F001Fh ; DesiredAccess
.text:00010F09 lea eax, [ebp+SectionHandle]
.text:00010F0C push eax ; SectionHandle
.text:00010F0D call ds:ZwCreateSection
.text:00010F13 test eax, eax
.text:00010F15 jl loc_1106E
.text:00010F1B push 4 ; Protect
.text:00010F1D push 100000h ; AllocationType
.text:00010F22 push 1 ; InheritDisposition
.text:00010F24 lea eax, [ebp+ViewSize]
.text:00010F27 push eax ; ViewSize
.text:00010F28 push ebx ; SectionOffset
.text:00010F29 push 1000h ; CommitSize
.text:00010F2E push ebx ; ZeroBits
.text:00010F2F lea eax, [ebp+BaseAddress]
.text:00010F32 push eax ; BaseAddress
.text:00010F33 push 0FFFFFFFFh ; ProcessHandle
.text:00010F35 push [ebp+SectionHandle] ; SectionHandle
.text:00010F38 call ds:ZwMapViewOfSection ; 从这个文件的开始处,映射4KB大小的内容
.text:00010F38 ; 自身进程空间中指定的位置处
.text:00010F3E cmp eax, ebx
.text:00010F40 jl FailedToMap
.text:00010F46 mov eax, [ebp+BaseAddress]
.text:00010F49 cmp eax, ebx
.text:00010F4B jz FailedToMap
.text:00010F51 mov [ebp+ms_exc.disabled], ebx
.text:00010F54 mov edx, [eax+3Ch]
.text:00010F57 add edx, eax ; edx = NT_HEADER
.text:00010F59 mov [ebp+Ntheader_adr], edx
.text:00010F5C cmp dword ptr [edx], 4550h
.text:00010F62 jnz NotPE
.text:00010F68 lea eax, [edx+0F8h]
.text:00010F6E mov [ebp+SectionTableAddress], eax ; eax 到了节表了
.text:00010F71 xor esi, esi
.text:00010F73
.text:00010F73 while_section: ; CODE XREF: MyFindValue+1C7j
.text:00010F73 mov [ebp+count], esi ; esi递增
.text:00010F76 movzx eax, word ptr [edx+6] ; NumberOfSection 节数
.text:00010F7A cmp esi, eax ; 若节表遍历完了,就结束
.text:00010F7C jnb NotPE ;
.text:00010F7C ;
.text:00010F82 lea eax, [esi+esi*4]
.text:00010F85 mov ecx, [ebp+SectionTableAddress]
.text:00010F88 lea eax, [ecx+eax*8] ; eax保存的是每个节表的RVA
.text:00010F8B mov ecx, [edx+80h] ; ecx = 引入表的RVA
.text:00010F91 mov edi, [eax+0Ch] ; edi = +0x00c VirtualAddress; 相对于ImageBase的RVA
.text:00010F91 ;
.text:00010F94 cmp ecx, edi
.text:00010F96 jb Next_section
.text:00010F9C mov ebx, [eax+8] ; ebx保存的是该节对齐前的长度
.text:00010F9F add ebx, edi ; ebx保存该节结束的RVA
.text:00010FA1 cmp ecx, ebx
.text:00010FA3 jnb Next_section
.text:00010FA9 mov esi, [eax+14h] ; +0x014 PointerToRawData 节基于文件的偏移量
.text:00010FAC sub esi, edi
.text:00010FAE add esi, [ebp+BaseAddress] ;下面这些就有点儿糊涂了. 麻烦帮忙分析下啊=。-!
.text:00010FB1 mov [ebp+var_54], esi
.text:00010FB4 lea edi, [ecx+esi]
.text:00010FB7 mov [ebp+var_4C], edi
.text:00010FBA and [ebp+count], 0
.text:00010FBE
.text:00010FBE loc_10FBE: ; CODE XREF: MyFindValue+1B2j
.text:00010FBE cmp dword ptr [edi+0Ch], 0
.text:00010FC2 jz NotPE
.text:00010FC8 push edi ; VirtualAddress
.text:00010FC9 call ds:MmIsAddressValid
.text:00010FCF test al, al
.text:00010FD1 jz short loc_11037
.text:00010FD3 mov eax, [edi]
.text:00010FD5 test eax, eax
.text:00010FD7 jnz short loc_10FDC
.text:00010FD9 mov eax, [edi+10h]
.text:00010FDC
.text:00010FDC loc_10FDC: ; CODE XREF: MyFindValue+149j
.text:00010FDC add eax, esi
.text:00010FDE mov [ebp+var_20], eax
.text:00010FE1 mov ebx, [edi+10h]
.text:00010FE4 add ebx, esi
.text:00010FE6 mov [ebp+var_48], ebx
.text:00010FE9 and [ebp+var_2C], 0
.text:00010FED
.text:00010FED loc_10FED: ; CODE XREF: MyFindValue+1C4j
.text:00010FED mov eax, [ebp+var_20]
.text:00010FF0 mov eax, [eax]
.text:00010FF2 test eax, eax
.text:00010FF4 jz short loc_11037
.text:00010FF6 js short loc_11045
.text:00010FF8 add eax, esi
.text:00010FFA mov [ebp+var_40], eax
.text:00010FFD push eax ; VirtualAddress
.text:00010FFE call ds:MmIsAddressValid
.text:00011004 test al, al
.text:00011006 jz short loc_11045
.text:00011008 mov eax, [ebp+var_40]
.text:0001100B add eax, 2
.text:0001100E mov [ebp+var_44], eax
.text:00011011 push eax ; VirtualAddress
.text:00011012 call ds:MmIsAddressValid
.text:00011018 test al, al
.text:0001101A jz short loc_11045
.text:0001101C push 18h ; size_t
.text:0001101E push offset aKeservicedes_0 ; "KeServiceDescriptorTable"
.text:00011023 push [ebp+var_44] ; char *
.text:00011026 call ds:strncmp
.text:0001102C add esp, 0Ch
.text:0001102F test eax, eax
.text:00011031 jnz short loc_11045
.text:00011033 mov [ebp+var_19], 1
.text:00011037
.text:00011037 loc_11037: ; CODE XREF: MyFindValue+143j
.text:00011037 ; MyFindValue+166j
.text:00011037 add edi, 14h
.text:0001103A mov [ebp+var_4C], edi
.text:0001103D inc [ebp+count]
.text:00011040 jmp loc_10FBE
.text:00011045 ; ---------------------------------------------------------------------------
.text:00011045
.text:00011045 loc_11045: ; CODE XREF: MyFindValue+168j
.text:00011045 ; MyFindValue+178j ...
.text:00011045 add [ebp+var_20], 4
.text:00011049 inc [ebp+var_2C]
.text:0001104C add ebx, 4
.text:0001104F mov [ebp+var_48], ebx
.text:00011052 jmp short loc_10FED
.text:00011054 ; ---------------------------------------------------------------------------
.text:00011054
.text:00011054 Next_section: ; CODE XREF: MyFindValue+108j
.text:00011054 ; MyFindValue+115j
.text:00011054 inc esi
.text:00011055 jmp while_section ; esi递增
.text:0001105A ; ---------------------------------------------------------------------------
.text:0001105A
.text:0001105A loc_1105A: ; DATA XREF: .rdata:stru_12F80o
.text:0001105A xor eax, eax
.text:0001105C inc eax
.text:0001105D retn
.text:0001105E ; ---------------------------------------------------------------------------
.text:0001105E
.text:0001105E loc_1105E: ; DATA XREF: .rdata:stru_12F80o
.text:0001105E mov esp, [ebp+ms_exc.old_esp]
.text:00011061
.text:00011061 NotPE: ; CODE XREF: MyFindValue+D4j
.text:00011061 ; MyFindValue+EEj ...
.text:00011061 or [ebp+ms_exc.disabled], 0FFFFFFFFh
.text:00011065
.text:00011065 FailedToMap: ; CODE XREF: MyFindValue+B2j
.text:00011065 ; MyFindValue+BDj
.text:00011065 push [ebp+SectionHandle] ; Handle
.text:00011068 call ds:ZwClose
.text:0001106E
.text:0001106E loc_1106E: ; CODE XREF: MyFindValue+87j
.text:0001106E push [ebp+FileHandle] ; Handle
.text:00011071 call ds:ZwClose
.text:00011077
.text:00011077 Failed: ; CODE XREF: MyFindValue+5Ej
.text:00011077 mov al, [ebp+var_19]
.text:0001107A call __SEH_epilog
.text:0001107F retn 4
.text:0001107F MyFindValue endp
下面是sys中的一个函数。俺在其中的一个循环那里卡住了,分析了半天看不明白,就差这里没逆出来了。
函数的思路如下:
此sys hook了 ZwLoadDriver。在fake_ZwLoadDriver中处理了很多东西,比如防止IS驱动的加载等.
然后调用了下面这个函数MyFindValue. 它的参数就一个 FullPath. 为它传递的是其他驱动在注册表中
的ImagePath里面的内容.也就是sys的全路径.
而这个函数就是按照 FullPath打开文件.映射4KB的内容到自己进程空间.然后遍历里面的节表和引入表.
然后后面俺就有些糊涂了,不知道它到底要干么~~~
.text:00010E8E ; int __stdcall MyFindValue(PCWSTR FullPath)
.text:00010E8E MyFindValue proc near ; CODE XREF: fake_ZwLoadDriver+18Ap
.text:00010E8E
.text:00010E8E ObjectAttributes= OBJECT_ATTRIBUTES ptr -7Ch
.text:00010E8E IoStatusBlock = _IO_STATUS_BLOCK ptr -64h
.text:00010E8E p_wcFullPath = LSA_UNICODE_STRING ptr -5Ch
.text:00010E8E var_54 = dword ptr -54h
.text:00010E8E Ntheader_adr = dword ptr -50h
.text:00010E8E var_4C = dword ptr -4Ch
.text:00010E8E var_48 = dword ptr -48h
.text:00010E8E var_44 = dword ptr -44h
.text:00010E8E var_40 = dword ptr -40h
.text:00010E8E SectionTableAddress= dword ptr -3Ch
.text:00010E8E ViewSize = dword ptr -38h
.text:00010E8E FileHandle = dword ptr -34h
.text:00010E8E SectionHandle = dword ptr -30h
.text:00010E8E var_2C = dword ptr -2Ch
.text:00010E8E BaseAddress = dword ptr -28h
.text:00010E8E count = dword ptr -24h
.text:00010E8E var_20 = dword ptr -20h
.text:00010E8E var_19 = byte ptr -19h
.text:00010E8E ms_exc = CPPEH_RECORD ptr -18h
.text:00010E8E FullPath = dword ptr 8
.text:00010E8E
.text:00010E8E push 6Ch
.text:00010E90 push offset stru_12F80
.text:00010E95 call __SEH_prolog
.text:00010E9A xor ebx, ebx
.text:00010E9C mov [ebp+BaseAddress], ebx
.text:00010E9F mov [ebp+var_19], bl
.text:00010EA2 mov [ebp+ViewSize], ebx ; 初始化3个局部变量
.text:00010EA2 ;
.text:00010EA5 push [ebp+FullPath] ; SourceString
.text:00010EA8 lea eax, [ebp+p_wcFullPath]
.text:00010EAB push eax ; DestinationString
.text:00010EAC call ds:RtlInitUnicodeString
.text:00010EB2 mov [ebp+ObjectAttributes.Length], 18h
.text:00010EB9 mov [ebp+ObjectAttributes.RootDirectory], ebx
.text:00010EBC mov [ebp+ObjectAttributes.Attributes], 240h
.text:00010EC3 lea eax, [ebp+p_wcFullPath]
.text:00010EC6 mov [ebp+ObjectAttributes.ObjectName], eax
.text:00010EC9 mov [ebp+ObjectAttributes.SecurityDescriptor], ebx
.text:00010ECC mov [ebp+ObjectAttributes.SecurityQualityOfService], ebx
.text:00010ECF push 20h ; OpenOptions
.text:00010ED1 push 1 ; ShareAccess
.text:00010ED3 lea eax, [ebp+IoStatusBlock]
.text:00010ED6 push eax ; IoStatusBlock
.text:00010ED7 lea eax, [ebp+ObjectAttributes]
.text:00010EDA push eax ; ObjectAttributes
.text:00010EDB push 100020h ; DesiredAccess
.text:00010EE0 lea eax, [ebp+FileHandle]
.text:00010EE3 push eax ; FileHandle
.text:00010EE4 call ds:ZwOpenFile
.text:00010EEA test eax, eax
.text:00010EEC jl Failed
.text:00010EF2 mov [ebp+ObjectAttributes.ObjectName], ebx
.text:00010EF5 push [ebp+FileHandle] ; FileHandle
.text:00010EF8 push 1000000h ; Attributes
.text:00010EFD push 10h ; Protect
.text:00010EFF push ebx ; SectionSize
.text:00010F00 lea eax, [ebp+ObjectAttributes]
.text:00010F03 push eax ; ObjectAttributes
.text:00010F04 push 0F001Fh ; DesiredAccess
.text:00010F09 lea eax, [ebp+SectionHandle]
.text:00010F0C push eax ; SectionHandle
.text:00010F0D call ds:ZwCreateSection
.text:00010F13 test eax, eax
.text:00010F15 jl loc_1106E
.text:00010F1B push 4 ; Protect
.text:00010F1D push 100000h ; AllocationType
.text:00010F22 push 1 ; InheritDisposition
.text:00010F24 lea eax, [ebp+ViewSize]
.text:00010F27 push eax ; ViewSize
.text:00010F28 push ebx ; SectionOffset
.text:00010F29 push 1000h ; CommitSize
.text:00010F2E push ebx ; ZeroBits
.text:00010F2F lea eax, [ebp+BaseAddress]
.text:00010F32 push eax ; BaseAddress
.text:00010F33 push 0FFFFFFFFh ; ProcessHandle
.text:00010F35 push [ebp+SectionHandle] ; SectionHandle
.text:00010F38 call ds:ZwMapViewOfSection ; 从这个文件的开始处,映射4KB大小的内容
.text:00010F38 ; 自身进程空间中指定的位置处
.text:00010F3E cmp eax, ebx
.text:00010F40 jl FailedToMap
.text:00010F46 mov eax, [ebp+BaseAddress]
.text:00010F49 cmp eax, ebx
.text:00010F4B jz FailedToMap
.text:00010F51 mov [ebp+ms_exc.disabled], ebx
.text:00010F54 mov edx, [eax+3Ch]
.text:00010F57 add edx, eax ; edx = NT_HEADER
.text:00010F59 mov [ebp+Ntheader_adr], edx
.text:00010F5C cmp dword ptr [edx], 4550h
.text:00010F62 jnz NotPE
.text:00010F68 lea eax, [edx+0F8h]
.text:00010F6E mov [ebp+SectionTableAddress], eax ; eax 到了节表了
.text:00010F71 xor esi, esi
.text:00010F73
.text:00010F73 while_section: ; CODE XREF: MyFindValue+1C7j
.text:00010F73 mov [ebp+count], esi ; esi递增
.text:00010F76 movzx eax, word ptr [edx+6] ; NumberOfSection 节数
.text:00010F7A cmp esi, eax ; 若节表遍历完了,就结束
.text:00010F7C jnb NotPE ;
.text:00010F7C ;
.text:00010F82 lea eax, [esi+esi*4]
.text:00010F85 mov ecx, [ebp+SectionTableAddress]
.text:00010F88 lea eax, [ecx+eax*8] ; eax保存的是每个节表的RVA
.text:00010F8B mov ecx, [edx+80h] ; ecx = 引入表的RVA
.text:00010F91 mov edi, [eax+0Ch] ; edi = +0x00c VirtualAddress; 相对于ImageBase的RVA
.text:00010F91 ;
.text:00010F94 cmp ecx, edi
.text:00010F96 jb Next_section
.text:00010F9C mov ebx, [eax+8] ; ebx保存的是该节对齐前的长度
.text:00010F9F add ebx, edi ; ebx保存该节结束的RVA
.text:00010FA1 cmp ecx, ebx
.text:00010FA3 jnb Next_section
.text:00010FA9 mov esi, [eax+14h] ; +0x014 PointerToRawData 节基于文件的偏移量
.text:00010FAC sub esi, edi
.text:00010FAE add esi, [ebp+BaseAddress] ;下面这些就有点儿糊涂了. 麻烦帮忙分析下啊=。-!
.text:00010FB1 mov [ebp+var_54], esi
.text:00010FB4 lea edi, [ecx+esi]
.text:00010FB7 mov [ebp+var_4C], edi
.text:00010FBA and [ebp+count], 0
.text:00010FBE
.text:00010FBE loc_10FBE: ; CODE XREF: MyFindValue+1B2j
.text:00010FBE cmp dword ptr [edi+0Ch], 0
.text:00010FC2 jz NotPE
.text:00010FC8 push edi ; VirtualAddress
.text:00010FC9 call ds:MmIsAddressValid
.text:00010FCF test al, al
.text:00010FD1 jz short loc_11037
.text:00010FD3 mov eax, [edi]
.text:00010FD5 test eax, eax
.text:00010FD7 jnz short loc_10FDC
.text:00010FD9 mov eax, [edi+10h]
.text:00010FDC
.text:00010FDC loc_10FDC: ; CODE XREF: MyFindValue+149j
.text:00010FDC add eax, esi
.text:00010FDE mov [ebp+var_20], eax
.text:00010FE1 mov ebx, [edi+10h]
.text:00010FE4 add ebx, esi
.text:00010FE6 mov [ebp+var_48], ebx
.text:00010FE9 and [ebp+var_2C], 0
.text:00010FED
.text:00010FED loc_10FED: ; CODE XREF: MyFindValue+1C4j
.text:00010FED mov eax, [ebp+var_20]
.text:00010FF0 mov eax, [eax]
.text:00010FF2 test eax, eax
.text:00010FF4 jz short loc_11037
.text:00010FF6 js short loc_11045
.text:00010FF8 add eax, esi
.text:00010FFA mov [ebp+var_40], eax
.text:00010FFD push eax ; VirtualAddress
.text:00010FFE call ds:MmIsAddressValid
.text:00011004 test al, al
.text:00011006 jz short loc_11045
.text:00011008 mov eax, [ebp+var_40]
.text:0001100B add eax, 2
.text:0001100E mov [ebp+var_44], eax
.text:00011011 push eax ; VirtualAddress
.text:00011012 call ds:MmIsAddressValid
.text:00011018 test al, al
.text:0001101A jz short loc_11045
.text:0001101C push 18h ; size_t
.text:0001101E push offset aKeservicedes_0 ; "KeServiceDescriptorTable"
.text:00011023 push [ebp+var_44] ; char *
.text:00011026 call ds:strncmp
.text:0001102C add esp, 0Ch
.text:0001102F test eax, eax
.text:00011031 jnz short loc_11045
.text:00011033 mov [ebp+var_19], 1
.text:00011037
.text:00011037 loc_11037: ; CODE XREF: MyFindValue+143j
.text:00011037 ; MyFindValue+166j
.text:00011037 add edi, 14h
.text:0001103A mov [ebp+var_4C], edi
.text:0001103D inc [ebp+count]
.text:00011040 jmp loc_10FBE
.text:00011045 ; ---------------------------------------------------------------------------
.text:00011045
.text:00011045 loc_11045: ; CODE XREF: MyFindValue+168j
.text:00011045 ; MyFindValue+178j ...
.text:00011045 add [ebp+var_20], 4
.text:00011049 inc [ebp+var_2C]
.text:0001104C add ebx, 4
.text:0001104F mov [ebp+var_48], ebx
.text:00011052 jmp short loc_10FED
.text:00011054 ; ---------------------------------------------------------------------------
.text:00011054
.text:00011054 Next_section: ; CODE XREF: MyFindValue+108j
.text:00011054 ; MyFindValue+115j
.text:00011054 inc esi
.text:00011055 jmp while_section ; esi递增
.text:0001105A ; ---------------------------------------------------------------------------
.text:0001105A
.text:0001105A loc_1105A: ; DATA XREF: .rdata:stru_12F80o
.text:0001105A xor eax, eax
.text:0001105C inc eax
.text:0001105D retn
.text:0001105E ; ---------------------------------------------------------------------------
.text:0001105E
.text:0001105E loc_1105E: ; DATA XREF: .rdata:stru_12F80o
.text:0001105E mov esp, [ebp+ms_exc.old_esp]
.text:00011061
.text:00011061 NotPE: ; CODE XREF: MyFindValue+D4j
.text:00011061 ; MyFindValue+EEj ...
.text:00011061 or [ebp+ms_exc.disabled], 0FFFFFFFFh
.text:00011065
.text:00011065 FailedToMap: ; CODE XREF: MyFindValue+B2j
.text:00011065 ; MyFindValue+BDj
.text:00011065 push [ebp+SectionHandle] ; Handle
.text:00011068 call ds:ZwClose
.text:0001106E
.text:0001106E loc_1106E: ; CODE XREF: MyFindValue+87j
.text:0001106E push [ebp+FileHandle] ; Handle
.text:00011071 call ds:ZwClose
.text:00011077
.text:00011077 Failed: ; CODE XREF: MyFindValue+5Ej
.text:00011077 mov al, [ebp+var_19]
.text:0001107A call __SEH_epilog
.text:0001107F retn 4
.text:0001107F MyFindValue endp
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
也就是说,nvmini.sys把所有含有KeServiceDescriptorTable的sys都当成嫌疑犯.不让其加载.
嘿嘿,明白了.  感谢forgot牛~~ |
|
|
不错,
|
|
|
|
|
|
|
|
|
不流行F5 了?
又见腰好的人,火星人。
|
