逆向:Ucoresys.sys (一)
刚开始练习逆向,才疏学浅,大牛见之,请提点提点... ...
; Dispatch routine at 0x119A6 (__stdcall, RETN 8): [EBP+8] = PDEVICE_OBJECT, [EBP+C] = PIRP.
; Register / stack-slot roles once the prologue has run:
;   EBX = DeviceObject->DeviceExtension, EDI = Irp, ESI = current IO_STACK_LOCATION,
;   [EBP+8] is reused as the NTSTATUS that is returned, [EBP+C] is reused as the
;   IoStatus.Information out-parameter of the IOCTL helper at 0x11528.
; Struct offsets below are the 32-bit x86 layouts of DEVICE_OBJECT, IRP and IO_STACK_LOCATION.
::000119A6:: 55 PUSH EBP                                 ; standard frame
::000119A7:: 8BEC MOV EBP, ESP
::000119A9:: 8B45 08 MOV EAX, DWORD PTR [EBP+8]          ; EAX = DeviceObject
::000119AC:: 53 PUSH EBX
::000119AD:: 8B58 28 MOV EBX, DWORD PTR [EAX+28]         ; EBX = DeviceObject->DeviceExtension
::000119B0:: 56 PUSH ESI
::000119B1:: 33C9 XOR ECX, ECX                           ; ECX = 0, reused for every zero store below
::000119B3:: 57 PUSH EDI
::000119B4:: 8B7D 0C MOV EDI, DWORD PTR [EBP+C]          ; EDI = Irp
::000119B7:: 8B77 60 MOV ESI, DWORD PTR [EDI+60]         ; ESI = Irp->Tail.Overlay.CurrentStackLocation (IoGetCurrentIrpStackLocation inlined)
::000119BA:: 894F 18 MOV DWORD PTR [EDI+18], ECX         ; Irp->IoStatus.Status = 0
::000119BD:: 894F 1C MOV DWORD PTR [EDI+1C], ECX         ; Irp->IoStatus.Information = 0 (not "Pointer")
::000119C0:: 0FB606 MOVZX EAX, BYTE PTR [ESI]            ; EAX = IrpSp->MajorFunction
::000119C3:: 2BC1 SUB EAX, ECX                           ; EAX -= 0: only sets ZF for the JE below
::000119C5:: 894D 08 MOV DWORD PTR [EBP+8], ECX          ; status slot = STATUS_SUCCESS (DeviceObject is no longer needed)
::000119C8:: 74 59 JE SHORT 00011A23 /:JMPDOWN           ; 0 = IRP_MJ_CREATE
::000119CA:: 48 DEC EAX
::000119CB:: 48 DEC EAX
::000119CC:: 74 4E JE SHORT 00011A1C /:JMPDOWN           ; 2 = IRP_MJ_CLOSE
::000119CE:: 48 DEC EAX
::000119CF:: 74 44 JE SHORT 00011A15 /:JMPDOWN           ; 3 = IRP_MJ_READ
::000119D1:: 48 DEC EAX
::000119D2:: 74 3A JE SHORT 00011A0E /:JMPDOWN           ; 4 = IRP_MJ_WRITE
::000119D4:: 83E8 0A SUB EAX, A
::000119D7:: 75 55 JNZ SHORT 00011A2E /:JMPDOWN          ; 4 + 0xA = 0xE = IRP_MJ_DEVICE_CONTROL; any other code completes with STATUS_SUCCESS
::000119D9:: 68 FE180100 PUSH 118FE /->: GenericDrv.SYS: IRP_MJ_DEVICE_CONTROL/x0A   ; the trailing /x0A of every format string is a '\n'
::000119DE:: E8 DD010000 CALL 00011BC0 /:JMPDOWN >>>: NTOSKRNL.EXE:DbgPrint        ; DbgPrint is cdecl: the caller pops the argument
::000119E3:: 8B56 04 MOV EDX, DWORD PTR [ESI+4]          ; EDX = Parameters.DeviceIoControl.OutputBufferLength
::000119E6:: 8B47 0C MOV EAX, DWORD PTR [EDI+C]          ; EAX = Irp->AssociatedIrp.SystemBuffer
::000119E9:: 8365 0C 00 AND DWORD PTR [EBP+C], 0         ; information = 0; the Irp slot becomes the helper's out-parameter (Irp stays in EDI)
::000119ED:: 59 POP ECX                                  ; drop DbgPrint's argument
::000119EE:: 8B4E 08 MOV ECX, DWORD PTR [ESI+8]          ; ECX = Parameters.DeviceIoControl.InputBufferLength
::000119F1:: 8B76 0C MOV ESI, DWORD PTR [ESI+C]          ; ESI = Parameters.DeviceIoControl.IoControlCode
::000119F4:: 53 PUSH EBX                                 ; arg7: DeviceExtension
::000119F5:: 8D5D 0C LEA EBX, DWORD PTR [EBP+C]
::000119F8:: 53 PUSH EBX                                 ; arg6: &information
::000119F9:: 52 PUSH EDX                                 ; arg5: OutputBufferLength
::000119FA:: 50 PUSH EAX                                 ; arg4: SystemBuffer again (the same buffer serves as output)
::000119FB:: 51 PUSH ECX                                 ; arg3: InputBufferLength
::000119FC:: 50 PUSH EAX                                 ; arg2: SystemBuffer (input)
::000119FD:: 56 PUSH ESI                                 ; arg1: IoControlCode
::000119FE:: E8 25FBFFFF CALL 00011528 /:JMPUP           ; IOCTL handler, body not in this listing; code and both lengths are caller-supplied, so it must validate them
::00011A03:: 8945 08 MOV DWORD PTR [EBP+8], EAX          ; status = handler's return value
::00011A06:: 8B45 0C MOV EAX, DWORD PTR [EBP+C]
::00011A09:: 8947 1C MOV DWORD PTR [EDI+1C], EAX         ; Irp->IoStatus.Information = information
::00011A0C:: EB 20 JMP SHORT 00011A2E /:JMPDOWN          ; skip the shared trace tail; no fall-through into the other cases
::00011A0E:: 68 26190100 PUSH 11926 /:BYJMP JmpBy:000119D2, /->: GenericDrv.SYS: IRP_MJ_WRITE/x0A   ; IRP_MJ_WRITE: trace only
::00011A13:: EB 13 JMP SHORT 00011A28 /:JMPDOWN
::00011A15:: 68 46190100 PUSH 11946 /:BYJMP JmpBy:000119CF, /->: GenericDrv.SYS: IRP_MJ_READ/x0A    ; IRP_MJ_READ: trace only
::00011A1A:: EB 0C JMP SHORT 00011A28 /:JMPDOWN
::00011A1C:: 68 66190100 PUSH 11966 /:BYJMP JmpBy:000119CC, /->: GenericDrv.SYS: IRP_MJ_CLOSE/x0A   ; IRP_MJ_CLOSE: trace only
::00011A21:: EB 05 JMP SHORT 00011A28 /:JMPDOWN
::00011A23:: 68 86190100 PUSH 11986 /:BYJMP JmpBy:000119C8, /->: GenericDrv.SYS: IRP_MJ_CREATE/x0A  ; IRP_MJ_CREATE: trace only
::00011A28:: E8 93010000 CALL 00011BC0 /:JMPDOWN/:BYJMP JmpBy:00011A13,00011A1A,00011A21, >>>: NTOSKRNL.EXE:DbgPrint   ; shared DbgPrint for the four trace-only cases
::00011A2D:: 59 POP ECX                                  ; cdecl cleanup
::00011A2E:: 8B45 08 MOV EAX, DWORD PTR [EBP+8] /:BYJMP JmpBy:000119D7,00011A0C,   ; EAX = status (0 unless the IOCTL path ran)
::00011A31:: 32D2 XOR DL, DL                             ; PriorityBoost = IO_NO_INCREMENT
::00011A33:: 8BCF MOV ECX, EDI                           ; Irp; IofCompleteRequest is __fastcall (ECX, DL)
::00011A35:: 8947 18 MOV DWORD PTR [EDI+18], EAX         ; Irp->IoStatus.Status = status
::00011A38:: FF15 E0020100 CALL NEAR DWORD PTR [102E0] >>>: NTOSKRNL.EXE:IofCompleteRequest   ; IofCompleteRequest(Irp, 0); Irp must not be touched afterwards
::00011A3E:: 8B45 08 MOV EAX, DWORD PTR [EBP+8]          ; return the saved status, not the Irp
::00011A41:: 5F POP EDI
::00011A42:: 5E POP ESI
::00011A43:: 5B POP EBX
::00011A44:: 5D POP EBP
::00011A45:: C2 0800 RETN 8                              ; __stdcall, two DWORD arguments
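/*
 * IOCTL handler at 0x11528 (its body is not part of this post). The argument
 * order is read from the seven PUSHes before the CALL (stdcall: first argument
 * pushed last). It receives the IOCTL code and both buffer lengths exactly as
 * the user-mode caller supplied them, so any validation of those values has
 * to happen inside this function.
 */
NTSTATUS __stdcall fun1(
    ULONG     IoControlCode,          /* [ESI+C] */
    PVOID     InputBuffer,            /* pIrp->AssociatedIrp.SystemBuffer */
    ULONG     InputBufferLength,      /* [ESI+8] */
    PVOID     OutputBuffer,           /* the same SystemBuffer */
    ULONG     OutputBufferLength,     /* [ESI+4] */
    ULONG_PTR *Information,           /* receives pIrp->IoStatus.Information */
    PVOID     DeviceExtension);

/*
 * Dispatch routine at 0x119A6. Despite the name, the binary routes five major
 * functions through it: CREATE, CLOSE, READ and WRITE only emit a trace line,
 * DEVICE_CONTROL is forwarded to fun1.
 *
 * DeviceObj - device object; only DeviceExtension ([EAX+28]) is read.
 * pIrp      - the request. It is always completed here with IO_NO_INCREMENT,
 *             so it must not be touched after IofCompleteRequest.
 * Returns the value also written to pIrp->IoStatus.Status: fun1's result for
 * IRP_MJ_DEVICE_CONTROL, STATUS_SUCCESS for every other major function,
 * including codes the switch does not list (the binary does not answer those
 * with STATUS_INVALID_DEVICE_REQUEST).
 */
NTSTATUS DisplayDispatchWrite(PDEVICE_OBJECT DeviceObj, PIRP pIrp)
{
    PVOID              deviceExtension = DeviceObj->DeviceExtension;        /* EBX */
    PIO_STACK_LOCATION irpSp           = IoGetCurrentIrpStackLocation(pIrp); /* ESI = [EDI+60] */
    NTSTATUS           status          = STATUS_SUCCESS;  /* the binary reuses [EBP+8] for this */
    ULONG_PTR          information     = 0;               /* the binary reuses [EBP+C] for this */

    pIrp->IoStatus.Status      = STATUS_SUCCESS;   /* [EDI+18] */
    pIrp->IoStatus.Information = 0;                /* [EDI+1C]; IO_STATUS_BLOCK has no "Pointer" field */

    /* Every format string in the binary ends in 0x0A, hence the "\n". */
    switch (irpSp->MajorFunction) {                /* MOVZX EAX, BYTE PTR [ESI] */
    case IRP_MJ_CREATE:
        DbgPrint("GenericDrv.SYS: IRP_MJ_CREATE\n");
        break;
    case IRP_MJ_CLOSE:
        DbgPrint("GenericDrv.SYS: IRP_MJ_CLOSE\n");
        break;
    case IRP_MJ_READ:
        DbgPrint("GenericDrv.SYS: IRP_MJ_READ\n");
        break;
    case IRP_MJ_WRITE:
        DbgPrint("GenericDrv.SYS: IRP_MJ_WRITE\n");
        break;
    case IRP_MJ_DEVICE_CONTROL:
        DbgPrint("GenericDrv.SYS: IRP_MJ_DEVICE_CONTROL\n");
        /* One SystemBuffer is passed as both input and output, as with
         * METHOD_BUFFERED; the code and lengths are user-controlled. */
        status = fun1(                             /* CALL 0x11528 */
            irpSp->Parameters.DeviceIoControl.IoControlCode,
            pIrp->AssociatedIrp.SystemBuffer,
            irpSp->Parameters.DeviceIoControl.InputBufferLength,
            pIrp->AssociatedIrp.SystemBuffer,
            irpSp->Parameters.DeviceIoControl.OutputBufferLength,
            &information,
            deviceExtension);
        pIrp->IoStatus.Information = information;  /* [EDI+1C] = [EBP+C] */
        break;   /* JMP 0x11A2E: the binary does NOT fall through into default */
    default:
        /* JNZ 0x11A2E with [EBP+8] still 0: unknown codes complete with STATUS_SUCCESS */
        break;
    }

    pIrp->IoStatus.Status = status;                /* [EDI+18] */
    IofCompleteRequest(pIrp, IO_NO_INCREMENT);     /* XOR DL,DL ; MOV ECX,EDI */
    return status;                                 /* EAX = [EBP+8] */
}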