[IDA] Analyzing the Windows CE Event Log Service (Part 1)
Source: Internet  Published: 阿里布达年代txt百度云  Editor: 程序博客网  Time: 2024/04/27 17:04
When the author first started using the Windows CE event log service, circumstances made it impossible to obtain technical support from Microsoft, so the only option was to analyze eventlog.dll with IDA Pro.
The author felt that the registry settings related to the event log service might be useful to embedded systems software engineers, so the analysis concentrates on the functions and methods StartAllLoggers, InitFormattersAndOutputters, CLogEventLog::Initialize and CLogHandle::AssociateEventLog.
The StartAllLoggers function
The exported function EventLogStart of eventlog.dll calls EventLogWorkerThread at .text:10001B3A; EventLogWorkerThread then calls this function at .text:100030FA.
.text:10002CC8 ; int __cdecl StartAllLoggers(void)
.text:10002CC8 ?StartAllLoggers@@YAHXZ proc near ; CODE XREF: EventLogWorkerThread(void *)+15
.text:10002CC8
.text:10002CC8 szName = word ptr -218h
.text:10002CC8 pReg = dword ptr -10h
.text:10002CC8
.text:10002CC8 push ebp
.text:10002CC9 mov ebp, esp
.text:10002CCB sub esp, 218h
.text:10002CD1 push ebx
.text:10002CD2 push esi
.text:10002CD3 push edi
.text:10002CD4 push offset ??_C@_1EE@DKEDOPGO@?$AAS?$AAY?$AAS?$AAT?$AAE?$AAM?$AA?2?$AAC?$AAu?$AAr?$AAr?$AAe?$AAn?$AAt?$AAC?$AAo?$AAn?$AAt?$AAr?$AAo@ ; "SYSTEM\\CurrentControlSet\\EventLog"
.text:10002CD9 push HKEY_LOCAL_MACHINE
.text:10002CDE lea ecx, [ebp+pReg]
.text:10002CE1 call ??0CReg@@QAE@PAUHKEY__@@PBG@Z ; CReg::CReg(HKEY__ *,ushort const *)
.text:10002CE6 xor ebx, ebx
.text:10002CE8 cmp [ebp+pReg], ebx
.text:10002CEB jz loc_10002E7A
.text:10002CF1 push g_pvAllocData ; pvData
.text:10002CF7 push 20
.text:10002CF9 pop esi
.text:10002CFA push esi ; iSize
.text:10002CFB call g_funcAlloc
.text:10002D01 cmp eax, ebx
.text:10002D03 pop ecx
.text:10002D04 pop ecx
.text:10002D05 jz short loc_10002D1D
.text:10002D07 push esi
.text:10002D08 push offset ?DeleteEntry@CLogEventLog@@SAXPAX@Z ; CLogEventLog::DeleteEntry(void *)
.text:10002D0D push 52
.text:10002D0F mov ecx, eax
.text:10002D11 call ??0SVSLinkManager@@QAE@KP6AXPAX@ZK@Z ; SVSLinkManager::SVSLinkManager(ulong,void (*)(void *),ulong)
.text:10002D16 mov ?g_pEventLogList@@3PAVSVSLinkManager@@A, eax ; SVSLinkManager * g_pEventLogList
.text:10002D1B jmp short loc_10002D23
.text:10002D1D ; ---------------------------------------------------------------------------
.text:10002D1D
.text:10002D1D loc_10002D1D: ; CODE XREF: StartAllLoggers(void)+3D
.text:10002D1D mov ?g_pEventLogList@@3PAVSVSLinkManager@@A, ebx ; SVSLinkManager * g_pEventLogList
.text:10002D23
.text:10002D23 loc_10002D23: ; CODE XREF: StartAllLoggers(void)+53
.text:10002D23 push g_pvAllocData ; pvData
.text:10002D29 push esi ; iSize
.text:10002D2A call g_funcAlloc
.text:10002D30 cmp eax, ebx
.text:10002D32 pop ecx
.text:10002D33 pop ecx
.text:10002D34 jz short loc_10002D47
.text:10002D36 push esi
.text:10002D37 push offset ?DeleteEntry@CLogHandle@@SAXPAX@Z ; CLogHandle::DeleteEntry(void *)
.text:10002D3C push 32
.text:10002D3E mov ecx, eax
.text:10002D40 call ??0SVSLinkManager@@QAE@KP6AXPAX@ZK@Z ; SVSLinkManager::SVSLinkManager(ulong,void (*)(void *),ulong)
.text:10002D45 jmp short loc_10002D49
.text:10002D47 ; ---------------------------------------------------------------------------
.text:10002D47
.text:10002D47 loc_10002D47: ; CODE XREF: StartAllLoggers(void)+6C
.text:10002D47 xor eax, eax
.text:10002D49
.text:10002D49 loc_10002D49: ; CODE XREF: StartAllLoggers(void)+7D
.text:10002D49 cmp eax, ebx
.text:10002D4B mov ?g_pLogHandleList@@3PAVSVSLinkManager@@A, eax ; SVSLinkManager * g_pLogHandleList
.text:10002D50 jz loc_10002E7A
.text:10002D56 cmp ?g_pEventLogList@@3PAVSVSLinkManager@@A, ebx ; SVSLinkManager * g_pEventLogList
.text:10002D5C jz loc_10002E7A
.text:10002D62 call ?InitFormattersAndOutputters@@YAHXZ ; InitFormattersAndOutputters(void)
.text:10002D67 test eax, eax
.text:10002D69 jz loc_10002E7A
.text:10002D6F mov edi, 103h
.text:10002D74 jmp short loc_10002DF4
.text:10002D76 ; ---------------------------------------------------------------------------
.text:10002D76
.text:10002D76 loc_10002D76: ; CODE XREF: StartAllLoggers(void)+13E
.text:10002D76 lea eax, [ebp+szName]
.text:10002D7C push offset ??_C@_1BG@COBCHLCA@?$AAF?$AAo?$AAr?$AAm?$AAa?$AAt?$AAt?$AAe?$AAr?$AAs?$AA?$AA@ ; "Formatters"
.text:10002D81 push eax ; wchar_t *
.text:10002D82 call wcscmp
.text:10002D87 test eax, eax
.text:10002D89 pop ecx
.text:10002D8A pop ecx
.text:10002D8B jz short loc_10002DF4
.text:10002D8D lea eax, [ebp+szName]
.text:10002D93 push offset ??_C@_1BG@KJKFEBMO@?$AAO?$AAu?$AAt?$AAp?$AAu?$AAt?$AAt?$AAe?$AAr?$AAs?$AA?$AA@ ; "Outputters"
.text:10002D98 push eax ; wchar_t *
.text:10002D99 call wcscmp
.text:10002D9E test eax, eax
.text:10002DA0 pop ecx
.text:10002DA1 pop ecx
.text:10002DA2 jz short loc_10002DF4
.text:10002DA4 mov ecx, ?g_pEventLogList@@3PAVSVSLinkManager@@A ; SVSLinkManager * g_pEventLogList
.text:10002DAA call ?AllocEntry@SVSLinkManager@@QAEPAXXZ ; SVSLinkManager::AllocEntry(void)
.text:10002DAF mov esi, eax
.text:10002DB1 cmp esi, ebx
.text:10002DB3 jz loc_10002E7A
.text:10002DB9 lea eax, [ebp+szName]
.text:10002DBF push eax
.text:10002DC0 lea eax, [ebp+pReg]
.text:10002DC3 push eax
.text:10002DC4 mov ecx, esi
.text:10002DC6 call ?Initialize@CLogEventLog@@QAEHPAVCReg@@PBG@Z ; CLogEventLog::Initialize(CReg *,ushort const *)
.text:10002DCB test eax, eax
.text:10002DCD jnz short loc_10002DDD
.text:10002DCF mov ecx, ?g_pEventLogList@@3PAVSVSLinkManager@@A ; SVSLinkManager * g_pEventLogList
.text:10002DD5 push esi
.text:10002DD6 call ?RemoveEntry@SVSLinkManager@@QAEHPAX@Z ; SVSLinkManager::RemoveEntry(void *)
.text:10002DDB jmp short loc_10002DF4
.text:10002DDD ; ---------------------------------------------------------------------------
.text:10002DDD
.text:10002DDD loc_10002DDD: ; CODE XREF: StartAllLoggers(void)+105
.text:10002DDD lea eax, [ebp+szName]
.text:10002DE3 push eax ; wchar_t *
.text:10002DE4 call ?IsDefaultLog@@YAHPBG@Z ; IsDefaultLog(ushort const *)
.text:10002DE9 test eax, eax
.text:10002DEB pop ecx
.text:10002DEC jz short loc_10002DF4
.text:10002DEE mov ?g_pDefaultEventLog@@3PAVCLogEventLog@@A, esi ; CLogEventLog * g_pDefaultEventLog
.text:10002DF4
.text:10002DF4 loc_10002DF4: ; CODE XREF: StartAllLoggers(void)+AC
.text:10002DF4 ; StartAllLoggers(void)+C3...
.text:10002DF4 lea eax, [ebp+szName]
.text:10002DFA push edi ; cbName
.text:10002DFB lea ecx, [ebp+pReg]
.text:10002DFE push eax ; lpName
.text:10002DFF call ?EnumKey@CReg@@QAEHPAGK@Z ; CReg::EnumKey(ushort *,ulong)
.text:10002E04 test eax, eax
.text:10002E06 jnz loc_10002D76
.text:10002E0C mov eax, ?g_pEventLogList@@3PAVSVSLinkManager@@A ; SVSLinkManager * g_pEventLogList
.text:10002E11 cmp [eax], ebx
.text:10002E13 jz short loc_10002E7A
.text:10002E15 cmp ?g_pDefaultEventLog@@3PAVCLogEventLog@@A, ebx ; CLogEventLog * g_pDefaultEventLog
.text:10002E1B jz short loc_10002E7A
.text:10002E1D call ?GetHandleToEventLog@@YAHXZ ; GetHandleToEventLog(void)
.text:10002E22 test eax, eax
.text:10002E24 jz short loc_10002E7A
.text:10002E26
.text:10002E26 loc_10002E26: ; CODE XREF: StartAllLoggers(void)+191
.text:10002E26 mov eax, ?g_pLogHandleList@@3PAVSVSLinkManager@@A ; SVSLinkManager * g_pLogHandleList
.text:10002E2B mov edx, [eax]
.text:10002E2D lea ecx, [eax+8]
.text:10002E30 mov [ecx], edx
.text:10002E32 cmp edx, ebx
.text:10002E34 jz short loc_10002E5B
.text:10002E36 mov esi, [eax]
.text:10002E38 add esi, 4
.text:10002E3B jmp short loc_10002E6C
.text:10002E3D ; ---------------------------------------------------------------------------
.text:10002E3D
.text:10002E3D loc_10002E3D: ; CODE XREF: StartAllLoggers(void)+1A6
.text:10002E3D cmp [esi+10h], ebx
.text:10002E40 jnz short loc_10002E5F
.text:10002E42 mov ecx, esi
.text:10002E44 call ?AssociateEventLog@CLogHandle@@QAEHXZ ; CLogHandle::AssociateEventLog(void)
.text:10002E49 test eax, eax
.text:10002E4B jnz short loc_10002E5F
.text:10002E4D mov ecx, ?g_pLogHandleList@@3PAVSVSLinkManager@@A ; SVSLinkManager * g_pLogHandleList
.text:10002E53 push esi
.text:10002E54 call ?RemoveEntry@SVSLinkManager@@QAEHPAX@Z ; SVSLinkManager::RemoveEntry(void *)
.text:10002E59 jmp short loc_10002E26
.text:10002E5B ; ---------------------------------------------------------------------------
.text:10002E5B
.text:10002E5B loc_10002E5B: ; CODE XREF: StartAllLoggers(void)+16C
.text:10002E5B xor esi, esi
.text:10002E5D jmp short loc_10002E6C
.text:10002E5F ; ---------------------------------------------------------------------------
.text:10002E5F
.text:10002E5F loc_10002E5F: ; CODE XREF: StartAllLoggers(void)+178
.text:10002E5F ; StartAllLoggers(void)+183
.text:10002E5F mov ecx, ?g_pLogHandleList@@3PAVSVSLinkManager@@A ; SVSLinkManager * g_pLogHandleList
.text:10002E65 call ?GetNext@SVSLinkManager@@QAEPAXXZ ; SVSLinkManager::GetNext(void)
.text:10002E6A mov esi, eax
.text:10002E6C
.text:10002E6C loc_10002E6C: ; CODE XREF: StartAllLoggers(void)+173
.text:10002E6C ; StartAllLoggers(void)+195
.text:10002E6C cmp esi, ebx
.text:10002E6E jnz short loc_10002E3D
.text:10002E70 call ?PrintInitialMessagesToEventLog@@YAHXZ ; PrintInitialMessagesToEventLog(void)
.text:10002E75 xor esi, esi
.text:10002E77 inc esi
.text:10002E78 jmp short loc_10002E7C
.text:10002E7A ; ---------------------------------------------------------------------------
.text:10002E7A
.text:10002E7A loc_10002E7A: ; CODE XREF: StartAllLoggers(void)+23
.text:10002E7A ; StartAllLoggers(void)+88 ...
.text:10002E7A xor esi, esi
.text:10002E7C
.text:10002E7C loc_10002E7C: ; CODE XREF: StartAllLoggers(void)+1B0
.text:10002E7C lea ecx, [ebp+pReg]
.text:10002E7F call ??1CReg@@QAE@XZ ; CReg::~CReg(void)
.text:10002E84 pop edi
.text:10002E85 mov eax, esi
.text:10002E87 pop esi
.text:10002E88 pop ebx
.text:10002E89 leave
.text:10002E8A retn
.text:10002E8A ?StartAllLoggers@@YAHXZ endp
Code annotations:
- Addresses .text:10002CD4 - 10002CEB: construct the registry reader class CReg, used to read the values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\EventLog.
- Addresses .text:10002CF1 - 10002D1D: initialize the event log list, SVSLinkManager * g_pEventLogList.
- Addresses .text:10002D23 - 10002D50: initialize the log handle list, SVSLinkManager * g_pLogHandleList.
- Addresses .text:10002D62 - 10002D69: initialize the formatters and outputters.
- Addresses .text:10002D76 - 10002E06: loop that enumerates and initializes each event log, where:
  - .text:10002D76 - 10002DA2 skips the Formatters and Outputters keys;
  - .text:10002DA4 - 10002DDB initializes an event log and adds it to the event log list g_pEventLogList;
  - .text:10002DDD - 10002DEE checks whether the log currently being enumerated is the default log (the System log) and, if so, stores it in the default-log variable g_pDefaultEventLog.
- Address .text:10002E1D: the GetHandleToEventLog function associates the event source EventLog with the System event log.
- Addresses .text:10002E26 - 10002E6E: loop that enumerates the event sources and associates each with its event log.
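To make the control flow of the listing explicit, the enumeration loop (loc_10002D76 through the checks at 10002E1B) is restated below as a C model. This is an added example, not code from eventlog.dll: CReg, SVSLinkManager, CLogEventLog::Initialize and IsDefaultLog are replaced by in-memory stand-ins (assumptions), and the subkey names are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define NAME_CCH 260   /* szName: 0x218 - 0x10 = 0x208 bytes = 260 WCHARs; EnumKey gets cbName = 103h */
#define MAX_LOGS 8     /* capacity of the stand-in for g_pEventLogList (assumption) */

/* Stand-in for one CLogEventLog entry of g_pEventLogList (52 bytes in the DLL). */
typedef struct { wchar_t name[NAME_CCH]; } LogEntry;

static LogEntry  g_logs[MAX_LOGS];   /* stand-in for g_pEventLogList    */
static int       g_nlogs;
static LogEntry *g_default;          /* stand-in for g_pDefaultEventLog */

/* Stand-in for CLogEventLog::Initialize(CReg *, const wchar_t *). The real method reads
 * the log's subkey; here a key initializes unless it is the constructed name "Broken". */
static int log_initialize(LogEntry *e, const wchar_t *key) {
    wcsncpy(e->name, key, NAME_CCH - 1);
    e->name[NAME_CCH - 1] = L'\0';
    return wcscmp(key, L"Broken") != 0;
}

/* Stand-in for IsDefaultLog: the annotations identify the default log as "System". */
static int is_default_log(const wchar_t *key) { return wcscmp(key, L"System") == 0; }

/* The loop at loc_10002D76 .. 10002E06, with `keys` standing in for what CReg::EnumKey
 * yields under HKLM\SYSTEM\CurrentControlSet\EventLog. Returns the number of logs kept,
 * or -1 on the paths that jump to loc_10002E7A (the failure exit). */
int start_all_loggers(const wchar_t *const *keys, int nkeys) {
    g_nlogs = 0;
    g_default = NULL;
    for (int i = 0; i < nkeys; i++) {
        const wchar_t *key = keys[i];
        /* 10002D76-10002DA2: Formatters and Outputters are configuration, not logs. */
        if (wcscmp(key, L"Formatters") == 0 || wcscmp(key, L"Outputters") == 0)
            continue;
        if (g_nlogs == MAX_LOGS)          /* AllocEntry returned NULL: give up */
            return -1;
        LogEntry *e = &g_logs[g_nlogs++];
        if (!log_initialize(e, key)) {    /* 10002DCB-10002DDB: RemoveEntry, keep enumerating */
            g_nlogs--;
            continue;
        }
        if (is_default_log(key))          /* 10002DDD-10002DEE */
            g_default = e;
    }
    /* 10002E0C-10002E1B: no logs at all, or no System log, fails the whole start-up. */
    if (g_nlogs == 0 || g_default == NULL)
        return -1;
    return g_nlogs;
}

/* Constructed subkey list: two configuration keys, two good logs, one that fails Initialize. */
int demo_logs_kept(void) {
    const wchar_t *keys[] = { L"Formatters", L"Outputters", L"System", L"Broken", L"Application" };
    return start_all_loggers(keys, 5);                         /* 2 */
}

/* Same idea without a "System" key: the service refuses to start. */
int demo_without_default(void) {
    const wchar_t *keys[] = { L"Formatters", L"Application" };
    return start_all_loggers(keys, 2);                         /* -1 */
}

int main(void) {
    printf("logs kept: %d, without System: %d\n", demo_logs_kept(), demo_without_default());
    return 0;
}
```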