C++博客-iniwf-随笔分类-反汇编

内核反编译学习笔记6 passthru静态分析

iniwf — Sun, 18 Apr 2010 11:26:00 GMT

内核反编译学习笔记6

passthru静态分析

来源：passthru.sys反汇编和源代码

一，导入的模块
二，模块要使用的函数
三，函数原型
四，文件中函数列表

有源代码，反汇编比源代码更简洁，特别是总揽方面，有优势。
有兴趣的话，可以把汇编和代码对应。我已经把函数内调用函数都罗列了。

////////////////////////////////////////////////

一，导入三个模块：
import Module:ntoskrnl.exe
HAL.dll
NDIS.SYS

//////////////////////////////////////////////

二，每个模块导出函数：
我们有函数名，就可以bp 模块！函数下断了。
有的函数是被宏调用的，具体可以查看ndis.h中宏的定义。

ntoskrnl.exe:
KeBugCheckEx
KeTickCount
IoGetDeviceProperty
RtlCopyUnicodeString
RtlAppendUnicodeToString
IoCreateDevice
_vsnprint f
MmMapLockedPagesSpecifyCache
IoDeleteDevice
memcpy
IofCompleteRequest
memset
RtlInitUnicodeString
DbgPring
RtlAssert
RtlUnwind

HAL.dll:
KfReleaseSpinLock
KfAcquireSpinLock

接下来是重点了，ndis专用函数
NDIS.SYS:

NdisIMNotifyPnPEvent
NdisGetReceivedPacket
NdisDprAllocatePacket
NdisDprFreePacket
NdisDeregisterProtocol
NdisIMCancelInitializeDeviceInstance
NdisReEnumerateProtocolBindings
NdisFreeMemory
NdisOpenProtocolConfiguration
NdisReadConfiguration
NdisAllocateMemoryWithTag
NdisInitializeEvent
NdisAllocatePacketPoolEx
NdisPacketPoolUsage
NdisIMDeInitializeDeviceInstance
NdisCloseAdapter
NdisSetEvent
NdisMSetAttributesEx
NdisIMGetDeviceContext
NdisFreePacket
NdisIMCopySendCompletePerPacketInfo
NdisIMCopySendPerPacketInfo
NdisAllocatePacket
NdisIMGetCurrentPacketStack
NdisRequest
NdisMIndicateStatusComplete
NdisMIndicateStatus
NdisReturnPackets
NdisGetPoolFromPacket
NdisWaitEvent
NdisResetEvent
NdisCancelSendPackets
NdisFreePacketPool
NdisTerminateWrapper
NdisIMAssociateMiniport
NdisIMDeregisterLayeredMiniport
NdisRegisterProtocol
NdisMRegisterUnloadHandler
NdisIMRegisterLayeredMiniport
NdisInitializeWrapper
NdisMRegisterDevice
NdisMSleep
NdisMDeregisterDevice
NdisCloseConfiguration
NdisIMInitializeDeviceInstanceEx
NdisOpenAdapter

/////////////////////////////////////
三，函数原型：呵呵

NDIS_STATUS NdisIMNotifyPnPEvent( IN NDIS_HANDLE MiniportHandle, IN PNET_PNP_EVENT NetPnPEvent );

PNDIS_PACKET NdisGetReceivedPacket( IN PNDIS_HANDLE NdisBindingHandle, IN PNDIS_HANDLE MacContext );

VOID NdisDprAllocatePacket( OUT PNDIS_STATUS Status, OUT PNDIS_PACKET *Packet, IN NDIS_HANDLE PoolHandle );

VOID NdisDprFreePacket( IN PNDIS_PACKET Packet );

NDIS_STATUS NdisIMCancelInitializeDeviceInstance( IN NDIS_HANDLE DriverHandle, IN PNDIS_STRING DeviceInstance );

VOID NdisReEnumerateProtocolBindings( IN NDIS_HANDLE NdisProtocolHandle );

VOID NdisFreeMemory( IN PVOID VirtualAddress, IN UINT Length, IN UINT MemoryFlags );

VOID NdisOpenProtocolConfiguration( OUT PNDIS_STATUS Status, OUT PNDIS_HANDLE ConfigurationHandle, IN PNDIS_STRING ProtocolSection );

VOID NdisReadConfiguration( OUT PNDIS_STATUS Status, OUT PNDIS_CONFIGURATION_PARAMETER *ParameterValue, IN NDIS_HANDLE ConfigurationHandle, IN PNDIS_STRING Keyword, IN NDIS_PARAMETER_TYPE ParameterType );

NDIS_STATUS NdisAllocateMemoryWithTag( OUT PVOID *VirtualAddress, IN UINT Length, IN ULONG Tag );

VOID NdisInitializeEvent( IN PNDIS_EVENT Event );

VOID NdisAllocatePacketPoolEx( OUT PNDIS_STATUS Status, OUT PNDIS_HANDLE PoolHandle, IN UINT NumberOfDescriptors, IN UINT NumberOfOverflowDescriptors, IN UINT ProtocolReservedLength );

UINT NdisPacketPoolUsage( IN NDIS_HANDLE PoolHandle );

NDIS_STATUS NdisIMDeInitializeDeviceInstance( IN NDIS_HANDLE NdisMiniportHandle );

VOID NdisCloseAdapter( OUT PNDIS_STATUS Status, IN NDIS_HANDLE NdisBindingHandle );

VOID NdisSetEvent( IN PNDIS_EVENT Event );

VOID NdisMSetAttributesEx( IN NDIS_HANDLE MiniportAdapterHandle, IN NDIS_HANDLE MiniportAdapterContext, IN UINT CheckForHangTimeInSeconds OPTIONAL, IN ULONG AttributeFlags, IN NDIS_INTERFACE_TYPE AdapterType );

NDIS_HANDLE NdisIMGetDeviceContext( IN NDIS_HANDLE MiniportAdapterHandle );

VOID NdisFreePacket( IN PNDIS_PACKET Packet );

VOID NdisIMCopySendCompletePerPacketInfo( IN PNDIS_PACKET DstPacket, IN PNDIS_PACKET SrcPacket );

VOID NdisIMCopySendPerPacketInfo( IN PNDIS_PACKET DstPacket, IN PNDIS_PACKET SrcPacket );

VOID NdisAllocatePacket( OUT PNDIS_STATUS Status, OUT PNDIS_PACKET *Packet, IN NDIS_HANDLE PoolHandle );

PNDIS_PACKET_STACK NdisIMGetCurrentPacketStack( IN PNDIS_PACKET Packet OUT BOOLEAN *StacksRemaining );

VOID NdisRequest( OUT PNDIS_STATUS Status, IN NDIS_HANDLE NdisBindingHandle, IN PNDIS_REQUEST NdisRequest );

VOID NdisMIndicateStatusComplete( IN NDIS_HANDLE MiniportAdapterHandle );

VOID NdisMIndicateStatus( IN NDIS_HANDLE MiniportAdapterHandle, IN NDIS_STATUS GeneralStatus, IN PVOID StatusBuffer, IN UINT StatusBufferSize );

VOID NdisReturnPackets( IN PNDIS_PACKET *PacketsToReturn, IN UINT NumberOfPackets );

NDIS_Handle NdisGetPoolFromPacket( IN PNDIS_PACKET Packet );

BOOLEAN NdisWaitEvent( IN PNDIS_EVENT Event, IN UINT MsToWait );

VOID NdisResetEvent( IN PNDIS_EVENT Event );

VOID NdisCancelSendPackets( IN NDIS_HANDLE NdisBindingHandle IN PVOID CancelId );

VOID NdisFreePacketPool( IN NDIS_HANDLE PoolHandle );

VOID NdisTerminateWrapper( IN NDIS_HANDLE NdisWrapperHandle, IN PVOID SystemSpecific );

VOID NdisIMAssociateMiniport( IN NDIS_HANDLE DriverHandle, IN NDIS_HANDLE ProtocolHandle );

VOID NdisIMDeregisterLayeredMiniport( IN NDIS_HANDLE DriverHandle );

VOID NdisRegisterProtocol( OUT PNDIS_STATUS Status, OUT PNDIS_HANDLE NdisProtocolHandle, IN PNDIS_PROTOCOL_CHARACTERISTICS ProtocolCharacteristics, IN UINT CharacteristicsLength );

VOID NdisMRegisterUnloadHandler( IN NDIS_HANDLE NdisWrapperHandle, IN PDRIVER_UNLOAD UnloadHandler );

NDIS_STATUS NdisIMRegisterLayeredMiniport( IN NDIS_HANDLE NdisWrapperHandle, IN PNDIS_MINIPORT_CHARACTERISTICS MiniportCharacteristics, IN UINT CharacteristicsLength, OUT PNDIS_HANDLE DriverHandle );

NDIS_STATUS NdisMRegisterDevice( IN NDIS_HANDLE NdisWrapperHandle, IN PNDIS_STRING DeviceName, IN PNDIS_STRING SymbolicName, IN PDRIVER_DISPATCH MajorFunctions[], OUT PDEVICE_OBJECT *pDeviceObject, OUT NDIS_HANDLE *NdisDeviceHandle );

VOID NdisMSleep( IN ULONG MicrosecondsToSleep );

NDIS_STATUS NdisMDeregisterDevice( IN NDIS_HANDLE NdisDeviceHandle );

VOID NdisCloseConfiguration( IN NDIS_HANDLE ConfigurationHandle );

NDIS_STATUS NdisIMInitializeDeviceInstanceEx( IN NDIS_HANDLE DriverHandle, IN PNDIS_STRING DriverInstance, IN NDIS_HANDLE DeviceContext OPTIONAL );

VOID NdisOpenAdapter( OUT PNDIS_STATUS Status, OUT PNDIS_STATUS OpenErrorStatus, OUT PNDIS_HANDLE NdisBindingHandle, OUT PUINT SelectedMediumIndex, IN PNDIS_MEDIUM MediumArray, IN UINT MediumArraySize, IN NDIS_HANDLE NdisProtocolHandle, IN NDIS_HANDLE ProtocolBindingContext, IN PNDIS_STRING AdapterName, IN UINT OpenOptions, IN PSTRING AddressingInformation OPTIONAL, );

///////////////////////////////////////

四，文件中函数列表
常用的就不在函数内罗列了
NdisZeroMemory
NdisMoveMemory
NdisFreeMemory
NdisMSleep
NdisInitUnicodeString
NdisAcquireSpinLock
NdisReleaseSpinLock
NdisFreeSpinLock

1，passthru.c:
   DriverEntry
     其中大概用了下面这些：
     NdisAllocateSpinLock
     NdisMInitializeWrapper
     NdisIMRegisterLayeredMiniport
     NdisRegisterProtocol
     NdisIMAssociateMiniport

PtRegisterDevice

     NdisMRegisterDevice

   PtDispatch
     IoGetCurrentIrpStackLocation
     IoCompleteRequest

   PtDeregisterDevice

   PtUnload
     PtUnloadProtocol
     NdisIMDeregisterLayeredMiniport

2，miniport.c
   MPInitialize
     NdisMSetAttributesEx
     PtRegisterDevice
     NdisSetEvent

   MPSend
     NdisIMGetCurrentPacketStack
     NdisSend
     NdisAllocatePacket
     NdisFreePacket

   MPSendPackets
     NdisMSendComplete
     NdisIMGetCurrentPacketStack
     NdisSend
     NdisAllocatePacket
     NdisGetPacketFlags
     NdisIMCopySendPerPacketInfo

   MPQueryInformation
     NdisRequest
     PtRequestComplete

   MPQueryPNPCapabilities

   MPSetInformation
     MPProcessSetPowerOid

   MPProcessSetPowerOid
     NdisMIndicateStatus
     NdisMIndicateStatusComplete

   MPReturnPacket
     NdisGetPoolFromPacket
     NdisReturnPackets
     NdisFreePacket

   MPTransferData
     IsIMDeviceStateOn
     NdisTransferData
     PtDeregisterDevice
     NdisResetEvent
     PtDereferenceAdapt

   MPCancelSendPackets
     NdisCancelSendPackets

   MPDevicePnPEvent

   MPAdapterShutdown

   MPFreeAllPacketPools
     NdisFreePacketPool

3，protocol.c
   PtBindAdapter
     NdisOpenProtocolConfiguration
     NdisReadConfiguration
     NdisAllocateMemoryWithTag
     NdisInitializeEvent
     NdisAllocatePacketPoolEx
     NdisOpenAdapter
     NdisWaitEvent
     PtReferenceAdapt
     NdisInitializeEvent
     NdisIMInitializeDeviceInstanceEx
     PtDereferenceAdapt
     NdisCloseConfiguration
     NdisCloseAdapter

   PtOpenAdapterComplete
     NdisSetEvent

   PtUnbindAdapter
     PtRequestComplete
     NdisIMCancelInitializeDeviceInstance
     NdisWaitEvent
     NdisIMDeInitializeDeviceInstance
     NdisResetEvent
     NdisCloseAdapter
     NdisWaitEvent
     MPFreeAllPacketPools

   PtUnloadProtocol
     NdisDeregisterProtocol
     IoDeleteDevice

   PtCloseAdapterComplete
     NdisSetEvent

   PtResetComplete

   PtRequestComplete
     NdisMQueryInformationComplete
     NdisMSetInformationComplete

   PtStatus
     NdisMIndicateStatus

   PtStatusComplete
     NdisMIndicateStatusComplete

   PtSendComplete
     NdisGetPoolFromPacket
     NdisMSendComplete
     NdisDprFreePacket

   PtTransferDataComplete
     NdisMTransferDataComplete

   PtReceive
     NdisGetReceivedPacket
     NdisDprAllocatePacket
     NdisMIndicateReceivePacket
     NdisDprFreePacket
     NdisMEthIndicateReceive
     NdisMTrIndicateReceive
     NdisMFddiIndicateReceive


   PtReceiveComplete
     KeGetCurrentProcessorNumber
     NdisMTrIndicateReceiveComplete
     NdisMFddiIndicateReceiveComplete


   PtReceivePacket
     NdisIMGetCurrentPacketStack
     NdisMIndicateReceivePacket
     NdisDprFreePacket

   PtPNPHandler
     PtPnPNetEventSetPower
     PtPnPNetEventReconfigure
     NdisIMNotifyPnPEvent

   PtPnPNetEventReconfigure
     NdisReEnumerateProtocolBindings
     NdisIMNotifyPnPEvent

   PtPnPNetEventSetPower
     NdisIMNotifyPnPEvent
     PtRequestComplete
     NdisPacketPoolUsage
     NdisRequest
     PtRequestComplete


   PtReferenceAdapt
     MPFreeAllPacketPools

iniwf 2010-04-18 19:26 发表评论

内核反编译学习笔记5

iniwf — Sun, 18 Apr 2010 11:25:00 GMT

其实这是以前内容的复习，另外再通过dt 数据来获取结构和偏移量，手工在windbg中查看信息

程序：bz6

以前的驱动程序简直毫无驱动的样子，现在用个稍微健全的例子：

NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
NTSTATUS status;

#if DBG
_asm int 3
#endif

driver->DriverUnload = DriverUnload;

status = CreateDevice(driver);

Dump(driver);

return status;
}

CreateDevice(driver)是自定义函数，用来真正建立一个驱动设备。返回一个status，猜猜看，我们能不能在eax中读取返回值。

反汇编先：
kd> uf bz6!driverentry
bz6!DriverEntry [d:\mydriver\bz6\bz6.c @ 110]:
110 f8428680 8bff            mov     edi,edi
110 f8428682 55              push    ebp
110 f8428683 8bec            mov     ebp,esp
110 f8428685 51              push    ecx
114 f8428686 cc              int     3
121 f8428687 8b4508          mov     eax,dword ptr [ebp+8]
121 f842868a c74034d08442f8 mov     dword ptr [eax+34h],offset bz6!DriverUnload (f84284d0)
123 f8428691 8b4d08          mov     ecx,dword ptr [ebp+8]
123 f8428694 51              push    ecx
123 f8428695 e876fdffff      call    bz6!CreateDevice (f8428410)
123 f842869a 8945fc          mov     dword ptr [ebp-4],eax
125 f842869d 8b5508          mov     edx,dword ptr [ebp+8]
125 f84286a0 52              push    edx
125 f84286a1 e8aafeffff      call    bz6!Dump (f8428550)
127 f84286a6 8b45fc          mov     eax,dword ptr [ebp-4]
128 f84286a9 8be5            mov     esp,ebp
128 f84286ab 5d              pop     ebp
128 f84286ac c20800          ret     8

我们在源程序或Disassembly窗口在调用处F9下断，按g运行：

kd> g
Breakpoint 0 hit
bz6!DriverEntry+0x15:
f8428695 e876fdffff call bz6!CreateDevice (f8428410)
kd> d eax
81e64f38 04 00 a8 00 00 00 00 00-02 00 00 00 00 80 42 f8 ..............B.
81e64f48 00 0c 00 00 b8 f3 d5 81-e0 4f e6 81 16 00 16 00

没错，返回值是04。

Dump(driver)是显示driver和device的一个函数，里面有个循环。
我们看看非玩具状态（呵呵，以前的函数毫无实用价值）下反汇编以后是什么样子。

void Dump(IN PDRIVER_OBJECT pDriverObject)
{
ULONG i=1;
PDEVICE_OBJECT pDevice = pDriverObject->DeviceObject;
KdPrint(("----------------------------------------------\n"));
KdPrint(("Begin Dump...\n"));
KdPrint(("Driver Address:0X%08X\n",pDriverObject));
KdPrint(("Driver name:%wZ\n",&pDriverObject->DriverName));
KdPrint(("Driver HardwareDatabase:%wZ\n",pDriverObject->HardwareDatabase));
KdPrint(("Driver first device:0X%08X\n",pDriverObject->DeviceObject));

for (;pDevice!=NULL;pDevice = pDevice->NextDevice)
{
  KdPrint(("The %d device\n",i++));
  KdPrint(("Device AttachedDevice:0X%08X\n",pDevice->AttachedDevice));
  KdPrint(("Device NextDevice:0X%08X\n",pDevice->NextDevice));
  KdPrint(("Device StackSize:%d\n",pDevice->StackSize));
  KdPrint(("Device's DriverObject:0X%08X\n",pDevice->DriverObject));
}

KdPrint(("Dump over!\n"));
KdPrint(("----------------------------------------------\n"));
}

////////////////////////////////////
反汇编：
kd> uf bz6!dump
bz6!Dump [d:\mydriver\bz6\bz6.c @ 82]:
   82 f8428550 8bff            mov     edi,edi
   82 f8428552 55              push    ebp
   82 f8428553 8bec            mov     ebp,esp
   82 f8428555 83ec0c          sub     esp,0Ch
   83 f8428558 c745f801000000 mov     dword ptr [ebp-8],1
   84 f842855f 8b4508          mov     eax,dword ptr [ebp+8]
   84 f8428562 8b4804          mov     ecx,dword ptr [eax+4]
   84 f8428565 894dfc          mov     dword ptr [ebp-4],ecx
   85 f8428568 68608842f8      push    offset bz6! ?? ::FNODOBFM::`string' (f8428860)
   85 f842856d e842010000      call    bz6!DbgPrint (f84286b4)
   85 f8428572 83c404          add     esp,4
   86 f8428575 68508842f8      push    offset bz6! ?? ::FNODOBFM::`string' (f8428850)
   86 f842857a e835010000      call    bz6!DbgPrint (f84286b4)
   86 f842857f 83c404          add     esp,4
   87 f8428582 8b5508          mov     edx,dword ptr [ebp+8]
   87 f8428585 52              push    edx
   87 f8428586 68308842f8      push    offset bz6! ?? ::FNODOBFM::`string' (f8428830)
   87 f842858b e824010000      call    bz6!DbgPrint (f84286b4)
   87 f8428590 83c408          add     esp,8
   88 f8428593 8b4508          mov     eax,dword ptr [ebp+8]
   88 f8428596 83c01c          add     eax,1Ch
   88 f8428599 50              push    eax
   88 f842859a 68108842f8      push    offset bz6! ?? ::FNODOBFM::`string' (f8428810)
   88 f842859f e810010000      call    bz6!DbgPrint (f84286b4)
   88 f84285a4 83c408          add     esp,8
   89 f84285a7 8b4d08          mov     ecx,dword ptr [ebp+8]
   89 f84285aa 8b5124          mov     edx,dword ptr [ecx+24h]
   89 f84285ad 52              push    edx
   89 f84285ae 68f08742f8      push    offset bz6! ?? ::FNODOBFM::`string' (f84287f0)
   89 f84285b3 e8fc000000      call    bz6!DbgPrint (f84286b4)
   89 f84285b8 83c408          add     esp,8
   90 f84285bb 8b4508          mov     eax,dword ptr [ebp+8]
   90 f84285be 8b4804          mov     ecx,dword ptr [eax+4]
   90 f84285c1 51              push    ecx
   90 f84285c2 68d08742f8      push    offset bz6! ?? ::FNODOBFM::`string' (f84287d0)
   90 f84285c7 e8e8000000      call    bz6!DbgPrint (f84286b4)
   90 f84285cc 83c408          add     esp,8
   90 f84285cf eb09            jmp     bz6!Dump+0x8a (f84285da)

bz6!Dump+0x81 [d:\mydriver\bz6\bz6.c @ 94]:
   94 f84285d1 8b55fc          mov     edx,dword ptr [ebp-4]
   94 f84285d4 8b420c          mov     eax,dword ptr [edx+0Ch]
   94 f84285d7 8945fc          mov     dword ptr [ebp-4],eax

bz6!Dump+0x8a [d:\mydriver\bz6\bz6.c @ 94]:
94 f84285da 837dfc00 cmp dword ptr [ebp-4],0
94 f84285de 7476 je bz6!Dump+0x106 (f8428656)

bz6!Dump+0x90 [d:\mydriver\bz6\bz6.c @ 96]:
   96 f84285e0 8b4df8          mov     ecx,dword ptr [ebp-8]
   96 f84285e3 894df4          mov     dword ptr [ebp-0Ch],ecx
   96 f84285e6 8b55f4          mov     edx,dword ptr [ebp-0Ch]
   96 f84285e9 52              push    edx
   96 f84285ea 68c08742f8      push    offset bz6! ?? ::FNODOBFM::`string' (f84287c0)
   96 f84285ef e8c0000000      call    bz6!DbgPrint (f84286b4)
   96 f84285f4 83c408          add     esp,8
   96 f84285f7 8b45f8          mov     eax,dword ptr [ebp-8]
   96 f84285fa 83c001          add     eax,1
   96 f84285fd 8945f8          mov     dword ptr [ebp-8],eax
   97 f8428600 8b4dfc          mov     ecx,dword ptr [ebp-4]
   97 f8428603 8b5110          mov     edx,dword ptr [ecx+10h]
   97 f8428606 52              push    edx
   97 f8428607 68a08742f8      push    offset bz6! ?? ::FNODOBFM::`string' (f84287a0)
   97 f842860c e8a3000000      call    bz6!DbgPrint (f84286b4)
   97 f8428611 83c408          add     esp,8
   98 f8428614 8b45fc          mov     eax,dword ptr [ebp-4]
   98 f8428617 8b480c          mov     ecx,dword ptr [eax+0Ch]
   98 f842861a 51              push    ecx
   98 f842861b 68808742f8      push    offset bz6! ?? ::FNODOBFM::`string' (f8428780)
   98 f8428620 e88f000000      call    bz6!DbgPrint (f84286b4)
   98 f8428625 83c408          add     esp,8
   99 f8428628 8b55fc          mov     edx,dword ptr [ebp-4]
   99 f842862b 0fbe4230        movsx   eax,byte ptr [edx+30h]
   99 f842862f 50              push    eax
   99 f8428630 68608742f8      push    offset bz6! ?? ::FNODOBFM::`string' (f8428760)
   99 f8428635 e87a000000      call    bz6!DbgPrint (f84286b4)
   99 f842863a 83c408          add     esp,8
100 f842863d 8b4dfc          mov     ecx,dword ptr [ebp-4]
100 f8428640 8b5108          mov     edx,dword ptr [ecx+8]
100 f8428643 52              push    edx
100 f8428644 68408742f8      push    offset bz6! ?? ::FNODOBFM::`string' (f8428740)
100 f8428649 e866000000      call    bz6!DbgPrint (f84286b4)
100 f842864e 83c408          add     esp,8
101 f8428651 e97bffffff      jmp     bz6!Dump+0x81 (f84285d1)

bz6!Dump+0x106 [d:\mydriver\bz6\bz6.c @ 103]:
103 f8428656 68308742f8      push    offset bz6! ?? ::FNODOBFM::`string' (f8428730)
103 f842865b e854000000      call    bz6!DbgPrint (f84286b4)
103 f8428660 83c404          add     esp,4
104 f8428663 68608842f8      push    offset bz6! ?? ::FNODOBFM::`string' (f8428860)
104 f8428668 e847000000      call    bz6!DbgPrint (f84286b4)
104 f842866d 83c404          add     esp,4
105 f8428670 8be5            mov     esp,ebp
105 f8428672 5d              pop     ebp
105 f8428673 c20400          ret     4

/////////////
我们简单数下源程序中的KdPrint，再比较call，6个call以后开始循环：
   94 f84285da 837dfc00        cmp     dword ptr [ebp-4],0
   94 f84285de 7476            je      bz6!Dump+0x106 (f8428656)
   ........


//////
开始手工看数据啦~~~

   我们可以dt _driver_object来看数据结构

   kd> dt _driver_object
ntdll!_DRIVER_OBJECT
   +0x000 Type             : Int2B
   +0x002 Size             : Int2B
   +0x004 DeviceObject     : Ptr32 _DEVICE_OBJECT
   +0x008 Flags            : Uint4B
   +0x00c DriverStart      : Ptr32 Void
   +0x010 DriverSize       : Uint4B
   +0x014 DriverSection    : Ptr32 Void
   +0x018 DriverExtension : Ptr32 _DRIVER_EXTENSION
   +0x01c DriverName       : _UNICODE_STRING
   +0x024 HardwareDatabase : Ptr32 _UNICODE_STRING
   +0x028 FastIoDispatch   : Ptr32 _FAST_IO_DISPATCH
   +0x02c DriverInit       : Ptr32     long
   +0x030 DriverStartIo    : Ptr32     void
   +0x034 DriverUnload     : Ptr32     void
   +0x038 MajorFunction    : [28] Ptr32     long

显然是driver_object+10会得到DriverSize，那我们手工查看一下。

从反汇编窗口其实已经在代码后有提示了。
我们dd ebp+8可以获得driver_object的地址，在这个地址上+10（dd driver_object地址+10就可以了，当然也可以直接dd 算好的地址）：
kd> dd 81e64f38+10
81e64f48 00000c00 81d5f3b8 81e64fe0 00160016

我们还可以进循环，看device_object的具体情况，先看下结构：

kd> dt _device_object
ntdll!_DEVICE_OBJECT
   +0x000 Type             : Int2B
   +0x002 Size             : Uint2B
   +0x004 ReferenceCount   : Int4B
   +0x008 DriverObject     : Ptr32 _DRIVER_OBJECT
   +0x00c NextDevice       : Ptr32 _DEVICE_OBJECT
   +0x010 AttachedDevice   : Ptr32 _DEVICE_OBJECT
   +0x014 CurrentIrp       : Ptr32 _IRP
   +0x018 Timer            : Ptr32 _IO_TIMER
   +0x01c Flags            : Uint4B
   +0x020 Characteristics : Uint4B
   +0x024 Vpb              : Ptr32 _VPB
   +0x028 DeviceExtension : Ptr32 Void
   +0x02c DeviceType       : Uint4B
   +0x030 StackSize        : Char
   +0x034 Queue            : __unnamed
   +0x05c AlignmentRequirement : Uint4B
   +0x060 DeviceQueue      : _KDEVICE_QUEUE
   +0x074 Dpc              : _KDPC
   +0x094 ActiveThreadCount : Uint4B
   +0x098 SecurityDescriptor : Ptr32 Void
   +0x09c DeviceLock       : _KEVENT
   +0x0ac SectorSize       : Uint2B
   +0x0ae Spare1           : Uint2B
   +0x0b0 DeviceObjectExtension : Ptr32 _DEVOBJ_EXTENSION
   +0x0b4 Reserved         : Ptr32 Void

在循环中下断，进去看数据：
kd> dd 81d23b28
81d23b28 00cc0003 00000000 81e64f38 00000000

对照看看：
+0x000 Type : Int2B 00cc0003中的03
+0x002 Size : Uint2B 00cc0003中的cc

一般来说，如果内存中涉及堆栈，那么堆中放数据，栈中放数据指针......反正就这么慢慢看吧。

iniwf 2010-04-18 19:25 发表评论

内核反编译学习笔记4

iniwf — Sun, 18 Apr 2010 11:24:00 GMT

内核驱动反编译笔记4
if else啦

需要掌握：
if else在程序反汇编中的状态，用16进制编辑器修改程序

cmp 比较
jbe 小于等于
jmp 无条件转移
shl 数值左移：左移一位（shl ecx,1）等于乘2，左移2位等于乘4
add 加

需要了解：
jg,jl,jgl 大于，小于，大于等于
PUSH 入栈同时esp-4
POP 出栈同时esp+4
用16进制编辑器修改程序

命令(16进制代码)
JA/JNBE (77)　
JAE/JNB (73)
JB/JNAE (72)
JBE/JNA (76)
JG/JNLE (7F)
JGE/JNL (7D)
JL/JNGE (7C)
JLE/JNG (7E)

无需了解
call与ret对esp的影响
右移shr

正确的来说左移和右移操作是操作数乘于（或除于）2的平方（（SHL）n * 2 ^ 2、（SHR）n / 2 ^ 2)。
即操作数每向左或右移动一次都乘于或除于2一次。

文件校验和

/////////////

ULONG MyAdd1(ULONG u1,ULONG u2)
{
ULONG u3;
if (u1>u2)
  u3=u1*2;
else
  u3=u2*4;

  return u3+100;

}

使用：
MyAdd1(5,8)
////////////

kd> uf bz5!myadd1
bz5!MyAdd1 [d:\mydriver\bz5\bz5.c @ 7]:
    7 f8513490 8bff            mov     edi,edi
    7 f8513492 55              push    ebp
    7 f8513493 8bec            mov     ebp,esp
    7 f8513495 51              push    ecx
    //这里开始
    9 f8513496 8b4508          mov     eax,dword ptr [ebp+8]       ;5
    9 f8513499 3b450c          cmp     eax,dword ptr [ebp+0Ch]     ;将5与8比较
    9 f851349c 760a            jbe     bz5!MyAdd1+0x18 (f85134a8) ;小于等于就跳转到f85134a8运行

bz5!MyAdd1+0xe [d:\mydriver\bz5\bz5.c @ 10]:
   10 f851349e 8b4d08          mov     ecx,dword ptr [ebp+8]
   10 f85134a1 d1e1            shl     ecx,1
   10 f85134a3 894dfc          mov     dword ptr [ebp-4],ecx
   11 f85134a6 eb09            jmp     bz5!MyAdd1+0x21 (f85134b1)

bz5!MyAdd1+0x18 [d:\mydriver\bz5\bz5.c @ 12]:
   12 f85134a8 8b550c          mov     edx,dword ptr [ebp+0Ch]    ;8
   12 f85134ab c1e202          shl     edx,2                      ;8*4
   12 f85134ae 8955fc          mov     dword ptr [ebp-4],edx      ;32

bz5!MyAdd1+0x21 [d:\mydriver\bz5\bz5.c @ 14]:
   14 f85134b1 8b45fc          mov     eax,dword ptr [ebp-4]      ;32
   14 f85134b4 83c064          add     eax,64h                    ;32+100 准备返回
   //赋值给eax作为返回值结束
   16 f85134b7 8be5            mov     esp,ebp
   16 f85134b9 5d              pop     ebp
   16 f85134ba c20800          ret     8

最后运行结果：
kd> g
x3 Result:132
!
当我把
if (u1>u2)
改为
if (u1

反汇编以后：
    9 f8567499 3b450c          cmp     eax,dword ptr [ebp+0Ch]
    9 f856749c 730a            jae     bz5!MyAdd1+0x18 (f85674a8)

运行结果:
kd> g
x3 Result:110
!

内核反编译学习笔记4(下)附windbg常用命令

那么我们能否把原来的730a改为7f0a这样的手段，修改驱动的判断呢？

当然可以，我们可以用ultraedit等编辑器，打开bz5.sys，搜索"3b450c"，下面的73改为自己需要的：
命令(16进制代码)
JA/JNBE (77)　
JAE/JNB (73)
JB/JNAE (72)
JBE/JNA (76)
JG/JNLE (7F)
JGE/JNL (7D)
JL/JNGE (7C)
JLE/JNG (7E)

比如7F，保存，然后注册运行。没错，你会发现不能运行。

////////////////////////
解决方法：重新计算校验和并保存。
用loadPe就可以了，里面有校验和，旁边有个问号，重新计算以后别忘了保存，再确定，然后，阿弥陀佛。

1.基本调试控制
运行程序(Run): 快捷键:F5 命令:g
单步步入(Step In)：快捷键:F8 命令:p
单步步过(Step Over): 快捷键:F10
运行到光标所在行：快捷键:F7
执行到返回：gu
执行到指定地址：g [Address]
重新运行调试程序: 快捷键:Ctrl+Shift+F5(这个对驱动一般用不到)

2.断点
断点之于调试当然是非常重要的
常用命令：
bp [Address]or[Symbol] 在指定地址下断
可以使用地址或符号，如
    bp 80561259(Windbg默认使用16进制)
    bp MyDriver!GetKernelPath
    bp MyDriver!GetKernelPath+0x12
bp [Address] /p eprocess 仅当当前进程为eprocess时才中断
这个很常用，比如你bp nt!NtTerminateProcess,但是只想在某一进程触发此断点时才断下来，那就加上这个参数吧，因为内核中的代码是各个进程共用的，所以此命令很实用
bp [Address] /t ethread 仅当当前线程为ethread时才中断，用法跟/p参数类似
bu [Address]or[Symbol] 下一个未解析的断点(就是说这个断点需要延迟解析)
这个也很常用，比如我们的驱动名为MyDriver.sys,那么在驱动加载之前下断bu MyDriver!DriverEntry，
然后加载这个驱动时就可以断在驱动入口，并且这个是不需要调试符号支持的
bl 列出所有断点,L=List
bc[id] 清除断点，c=Clear,id是bl查看时的断点编号
bd[id] 禁用断点，d=Disable,id即断点编号
be[id] 启用断点，e=Enable,id为断点编号

3.查看和修改数据
调试中不可避免的要查看和修改数据
查看内存：
db/dw/dd/dq [Address] 字节/字/双字/四字方式查看数据
da/du [Address] ASCII字符串/Unicode字符串方式查看指定地址
其它常用的如查看结构
dt nt!_EPROCESS
dt nt!_EPROCESS 89330da0 (把0x89330da0作为对象指针)
修改内存：
eb/ew/ed/eq/ef/ep Address [Values]
字节/字/双字/四字/浮点数/指针/
ea/eu/eza/ezu Address [Values]
ASCII字符串/Unicode字符串/以NULL结尾的ASCII字符串/以NULL结尾的Unicode字符串
搜索内存：
s -[b/w/d/q/a/u] Range Target
搜索字节/字/双字/四字/ASCII字符串/Unicode字符串

4.寄存器
在用Windbg调试时可以Alt+4直接调出寄存器窗口，然后拖放到合适的位置就可以。
要修改呢就直接双击相应的项就可以了。
把命令的方式也说一下，比较简单：
r 显示所有寄存器的值
r eax 显示eax的值
r eax=1 修改eax的值为1

5.辅助命令
!process 显示当前进程信息
!process 0 0 显示当前所有进程(会有僵尸进程)
!process 1f4 显示pid为1f4的进程信息，后面也可以跟eprocess的值
!thread 显示当前线程信息
!thread
!process 1f4 显示tid为768的线程信息，后面也可以跟ethread的值
栈相关:
k 显示调用栈
kb 显示ebp和前3个参数
kp 以函数调用形式显示栈

iniwf 2010-04-18 19:24 发表评论

内核反编译学习笔记3

iniwf — Sun, 18 Apr 2010 11:22:00 GMT

本节主要看全局变量和局部变量，程序越来越长，可以跳开查看。

全局变量在程序开始定义赋值的话，存放在Data块，Data块可以通过静态反汇编获得。
局部变量定义在函数内部，使用的时候需要类似sub esp,10h，开辟空间存放

需要掌握：
静态反汇编工具
变量存放地点
sub

简单了解：
读取全局变量的方法：1，获取全局变量存放地址。2，偏移量与实际内存地址关系。

不需了解：
w32asm反汇编以后，需要复制其中内容的，先保存为alf文件，再用文本读取程序打开。

所用程序：bz4

#include

ULONG au1,au2;
ULONG au3 = 7;
ULONG au4 = 9;

ULONG MyAdd1(ULONG u1,ULONG u2)
{
return u1+u2;

}

ULONG MyAdd2(ULONG u1,ULONG u2)
{
   ULONG u3;
   u3 = u1+u2;
   return u3;

}

ULONG MyAdd3(ULONG u1,ULONG u2)
{
   ULONG u3,u4,u5,u6;
   u3 = u1+u2;
   u4 = u3+u1;
   u5 = u1;
   u6 = u1+u3;
   return u3+u4+u5+u6;

}

VOID DriverUnload(PDRIVER_OBJECT driver)
{

DbgPrint("unload…\r\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
ULONG x1 = 5;
ULONG x2 = 8;
ULONG x3 ;

#if DBG
_asm int 3
#endif

au1 = MyAdd1(x1,x2); //使用自定义函数，反汇编看看结果

DbgPrint("au1 Result:%d\n!",au1);

au2 = MyAdd2(x1,x2); //使用自定义函数，反汇编看看结果

DbgPrint("au2 Result:%d\n!",au2);

x3 = MyAdd3(x1,x2); //使用自定义函数，反汇编看看结果

DbgPrint("Result:%d\n!",x3);

DbgPrint("au3 Result:%d\n!",au3);
DbgPrint("au4 Result:%d\n!",au4);

driver->DriverUnload = DriverUnload;
return STATUS_SUCCESS;
}

接下来要用w32asm和windbg反汇编，看其中对应关系，都是从55F到5B1，显然一一对应，只是前面地址有偏移。
我们知道，Data Offset是Data数据段，存放的是全局变量。本程序全局变量是：
ULONG au3 = 7;
ULONG au4 = 9;
显然我们dd 00000700是看不到数据的，要dd f84f7700，等我们运行起来的时候，看看是不是

w32asm反汇编：

Code Offset = 00000480, Code Size = 00000200
Data Offset = 00000700, Data Size = 00000080
...............

:0001055F 52 push edx

* Possible StringData Ref from Code Obj ->"au1 Result:%d
!"
|
:00010560 6850060100 push 00010650

* Reference To: ntoskrnl.DbgPrint, Ord:0030h
                                  |
:00010565 E888000000              Call 000105F2
:0001056A 83C408                  add esp, 00000008
:0001056D 8B45FC                  mov eax, dword ptr [ebp-04]
:00010570 50                      push eax
:00010571 8B4DF8                  mov ecx, dword ptr [ebp-08]
:00010574 51                      push ecx
:00010575 E836FFFFFF              call 000104B0
:0001057A A310070100              mov dword ptr [00010710], eax
:0001057F 8B1510070100            mov edx, dword ptr [00010710]
:00010585 52                      push edx
:00010586 6840060100              push 00010640

* Reference To: ntoskrnl.DbgPrint, Ord:0030h
                                  |
:0001058B E862000000              Call 000105F2
:00010590 83C408                  add esp, 00000008
:00010593 8B45FC                  mov eax, dword ptr [ebp-04]
:00010596 50                      push eax
:00010597 8B4DF8                  mov ecx, dword ptr [ebp-08]
:0001059A 51                      push ecx
:0001059B E830FFFFFF              call 000104D0
:000105A0 8945F4                  mov dword ptr [ebp-0C], eax
:000105A3 8B55F4                  mov edx, dword ptr [ebp-0C]
:000105A6 52                      push edx

* Possible StringData Ref from Code Obj ->"Result:%d
!"
|
:000105A7 6830060100 push 00010630

* Reference To: ntoskrnl.DbgPrint, Ord:0030h
                                  |
:000105AC E841000000              Call 000105F2
:000105B1 83C408                  add esp, 00000008

主函数中主要反汇编代码，也就是调用几个自定义函数的部分：

   57 f84f755f 52              push    edx
   57 f84f7560 6850764ff8      push    offset bz4! ?? ::FNODOBFM::`string' (f84f7650)
   57 f84f7565 e888000000      call    bz4!DbgPrint (f84f75f2)
   57 f84f756a 83c408          add     esp,8
   59 f84f756d 8b45fc          mov     eax,dword ptr [ebp-4]
   59 f84f7570 50              push    eax
   59 f84f7571 8b4df8          mov     ecx,dword ptr [ebp-8]
   59 f84f7574 51              push    ecx
   59 f84f7575 e836ffffff      call    bz4!MyAdd2 (f84f74b0)
   59 f84f757a a310774ff8      mov     dword ptr [bz4!au2 (f84f7710)],eax
   61 f84f757f 8b1510774ff8    mov     edx,dword ptr [bz4!au2 (f84f7710)]
   61 f84f7585 52              push    edx
   61 f84f7586 6840764ff8      push    offset bz4! ?? ::FNODOBFM::`string' (f84f7640)
   61 f84f758b e862000000      call    bz4!DbgPrint (f84f75f2)
   61 f84f7590 83c408          add     esp,8
   63 f84f7593 8b45fc          mov     eax,dword ptr [ebp-4]
   63 f84f7596 50              push    eax
   63 f84f7597 8b4df8          mov     ecx,dword ptr [ebp-8]
   63 f84f759a 51              push    ecx
   63 f84f759b e830ffffff      call    bz4!MyAdd3 (f84f74d0)
   63 f84f75a0 8945f4          mov     dword ptr [ebp-0Ch],eax
   65 f84f75a3 8b55f4          mov     edx,dword ptr [ebp-0Ch]
   65 f84f75a6 52              push    edx
   65 f84f75a7 6830764ff8      push    offset bz4! ?? ::FNODOBFM::`string' (f84f7630)
   65 f84f75ac e841000000      call    bz4!DbgPrint (f84f75f2)
   65 f84f75b1 83c408          add     esp,8

三个自定义函数

kd> uf bz4!myadd1
bz4!MyAdd1 [d:\mydriver\bz4\bz4.c @ 9]:
    9 f84f7490 8bff            mov     edi,edi
    9 f84f7492 55              push    ebp
    9 f84f7493 8bec            mov     ebp,esp
   10 f84f7495 8b4508          mov     eax,dword ptr [ebp+8]
   10 f84f7498 03450c          add     eax,dword ptr [ebp+0Ch]
   12 f84f749b 5d              pop     ebp
   12 f84f749c c20800          ret     8
kd> uf bz4!myadd2
bz4!MyAdd2 [d:\mydriver\bz4\bz4.c @ 15]:
   15 f84f74b0 8bff            mov     edi,edi
   15 f84f74b2 55              push    ebp
   15 f84f74b3 8bec            mov     ebp,esp
   15 f84f74b5 51              push    ecx
   17 f84f74b6 8b4508          mov     eax,dword ptr [ebp+8]
   17 f84f74b9 03450c          add     eax,dword ptr [ebp+0Ch]
   17 f84f74bc 8945fc          mov     dword ptr [ebp-4],eax
   18 f84f74bf 8b45fc          mov     eax,dword ptr [ebp-4]
   21 f84f74c2 8be5            mov     esp,ebp
   21 f84f74c4 5d              pop     ebp
   21 f84f74c5 c20800          ret     8
kd> uf bz4!myadd3
bz4!MyAdd3 [d:\mydriver\bz4\bz4.c @ 24]:
   24 f84f74d0 8bff            mov     edi,edi
   24 f84f74d2 55              push    ebp
   24 f84f74d3 8bec            mov     ebp,esp
   24 f84f74d5 83ec10          sub     esp,10h
   26 f84f74d8 8b4508          mov     eax,dword ptr [ebp+8]
   26 f84f74db 03450c          add     eax,dword ptr [ebp+0Ch]
   26 f84f74de 8945f8          mov     dword ptr [ebp-8],eax
   27 f84f74e1 8b4df8          mov     ecx,dword ptr [ebp-8]
   27 f84f74e4 034d08          add     ecx,dword ptr [ebp+8]
   27 f84f74e7 894dfc          mov     dword ptr [ebp-4],ecx
   28 f84f74ea 8b5508          mov     edx,dword ptr [ebp+8]
   28 f84f74ed 8955f0          mov     dword ptr [ebp-10h],edx
   29 f84f74f0 8b4508          mov     eax,dword ptr [ebp+8]
   29 f84f74f3 0345f8          add     eax,dword ptr [ebp-8]
   29 f84f74f6 8945f4          mov     dword ptr [ebp-0Ch],eax
   30 f84f74f9 8b45f8          mov     eax,dword ptr [ebp-8]
   30 f84f74fc 0345fc          add     eax,dword ptr [ebp-4]
   30 f84f74ff 0345f0          add     eax,dword ptr [ebp-10h]
   30 f84f7502 0345f4          add     eax,dword ptr [ebp-0Ch]
   33 f84f7505 8be5            mov     esp,ebp
   33 f84f7507 5d              pop     ebp
   33 f84f7508 c20800          ret     8

///////////////////////////////////////////

//终于等到分析了
先看下全局变量：
ULONG au3 = 7;
ULONG au4 = 9;

看程序中Data存放的:

kd> dd f84f7700
f84f7700 00000007 00000009 f84de439 07b21bc6

没错，以后要查看全局变量的值，先反汇编，获得Data的偏移量，dd 地址就可以看见了。

/////////////////////

kd> uf bz4!myadd3
bz4!MyAdd3 [d:\mydriver\bz4\bz4.c @ 24]:
.......
   24 f84f74d5 83ec10          sub     esp,10h
.......
   局部变量开辟空间。


好了，简单赋值，调用就玩到这里，接下来是.....

iniwf 2010-04-18 19:22 发表评论

内核反编译学习笔记2

iniwf — Sun, 18 Apr 2010 11:02:00 GMT

内核反编译学习笔记2（上）

本节任务：通过具有不同数量参数的函数调用，看其中区别
所用程序bz3
需要掌握：
windbg命令：
uf 反汇编
dd 查看内容

调用的时候：
mov     给参数赋值
push   eax 供函数使用的参数
被调用函数内部
push    ebp         保存ebp，用来保存调用前运行的代码地址
mov     ebp,esp     将esp赋值给ebp，现在有新的ebp指针了,指向栈顶

pop ebp 恢复ebp，取得地址，准备跳到那地址的代码，继续运行程序

需要了解
JMP 无条件跳转，去运行跳转后地址的代码
ret 8 返回，注意,调用前每push一个参数，esp就-4，两个参数就-8，ret的时候，需要+8返回

无需了解：
call=push+JMP
ret = pop+JMP 将在后面继续说明

//先贴代码，仔细看其实很简单

VOID MyP0()
{
DbgPrint("no arg...\r\n");
}

VOID MyP1(ULONG u1)
{
DbgPrint("One arg:%d\n!",u1);
}

VOID MyP2(ULONG u1,ULONG u2)
{
   ULONG u3;
   u3 = u1+u2;
   DbgPrint("two arg:%d\n!",u3);

}

VOID DriverUnload(PDRIVER_OBJECT driver)
{

DbgPrint("unload…\r\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
ULONG x1 = 5;
ULONG x2 = 8;

#if DBG
_asm int 3
#endif

MyP0();
MyP1(x1);
MyP2(x1,x2);

driver->DriverUnload = DriverUnload;
return STATUS_SUCCESS;
}

//////代码结束

以下分别为Entry主函数和3个自定义函数的反汇编。
汇编完了先放那，具体解析在下面。

kd> uf bz3!driverentry
bz3!DriverEntry [d:\mydriver\bz3\bz3.c @ 31]:
   31 f8451520 8bff            mov     edi,edi
   31 f8451522 55              push    ebp
   31 f8451523 8bec            mov     ebp,esp
   31 f8451525 83ec08          sub     esp,8
   32 f8451528 c745f805000000 mov     dword ptr [ebp-8],5
   33 f845152f c745fc08000000 mov     dword ptr [ebp-4],8
   38 f8451536 cc              int     3
   41 f8451537 e854ffffff      call    bz3!MyP0 (f8451490)
   42 f845153c 8b45f8          mov     eax,dword ptr [ebp-8]
   42 f845153f 50              push    eax
   42 f8451540 e86bffffff      call    bz3!MyP1 (f84514b0)
   43 f8451545 8b4dfc          mov     ecx,dword ptr [ebp-4]
   43 f8451548 51              push    ecx
   43 f8451549 8b55f8          mov     edx,dword ptr [ebp-8]
   43 f845154c 52              push    edx
   43 f845154d e87effffff      call    bz3!MyP2 (f84514d0)
   47 f8451552 8b4508          mov     eax,dword ptr [ebp+8]
   47 f8451555 c74034001545f8 mov     dword ptr [eax+34h],offset bz3!DriverUnload (f8451500)
   48 f845155c 33c0            xor     eax,eax
   49 f845155e 8be5            mov     esp,ebp
   49 f8451560 5d              pop     ebp
   49 f8451561 c20800          ret     8

内核反编译学习笔记2（下）

三个自定义：
kd> uf bz3!myp0
bz3!MyP0 [d:\mydriver\bz3\bz3.c @ 5]:
    5 f8451490 8bff            mov     edi,edi
    5 f8451492 55              push    ebp
    5 f8451493 8bec            mov     ebp,esp
    6 f8451495 68701545f8      push    offset bz3! ?? ::FNODOBFM::`string' (f8451570)
    6 f845149a e8cb000000      call    bz3!DbgPrint (f845156a)
    6 f845149f 83c404          add     esp,4
    7 f84514a2 5d              pop     ebp
    7 f84514a3 c3              ret
kd> uf bz3!myp1
bz3!MyP1 [d:\mydriver\bz3\bz3.c @ 10]:
   10 f84514b0 8bff            mov     edi,edi
   10 f84514b2 55              push    ebp
   10 f84514b3 8bec            mov     ebp,esp
   11 f84514b5 8b4508          mov     eax,dword ptr [ebp+8]
   11 f84514b8 50              push    eax
   11 f84514b9 68801545f8      push    offset bz3! ?? ::FNODOBFM::`string' (f8451580)
   11 f84514be e8a7000000      call    bz3!DbgPrint (f845156a)
   11 f84514c3 83c408          add     esp,8
   12 f84514c6 5d              pop     ebp
   12 f84514c7 c20400          ret     4
kd> uf bz3!myp2
bz3!MyP2 [d:\mydriver\bz3\bz3.c @ 15]:
   15 f84514d0 8bff            mov     edi,edi
   15 f84514d2 55              push    ebp
   15 f84514d3 8bec            mov     ebp,esp
   15 f84514d5 51              push    ecx
   17 f84514d6 8b4508          mov     eax,dword ptr [ebp+8]
   17 f84514d9 03450c          add     eax,dword ptr [ebp+0Ch]
   17 f84514dc 8945fc          mov     dword ptr [ebp-4],eax
   18 f84514df 8b4dfc          mov     ecx,dword ptr [ebp-4]
   18 f84514e2 51              push    ecx
   18 f84514e3 68901545f8      push    offset bz3! ?? ::FNODOBFM::`string' (f8451590)
   18 f84514e8 e87d000000      call    bz3!DbgPrint (f845156a)
   18 f84514ed 83c408          add     esp,8
   20 f84514f0 8be5            mov     esp,ebp
   20 f84514f2 5d              pop     ebp
   20 f84514f3 c20800          ret     8


   正式开始我们的任务
   ////////////
   以下为Entry中调用函数的反汇编代码

         call    bz3!MyP0 (f8451490)     ;无参数

         mov     eax,dword ptr [ebp-8]   ;1个参数
         push    eax
         call    bz3!MyP1 (f84514b0)

         mov     ecx,dword ptr [ebp-4]   ;2个参数
         push    ecx
         mov     edx,dword ptr [ebp-8]
         push    edx
         call    bz3!MyP2 (f84514d0)

   显然我们可以得出结论：
   在调用函数的时候，无参数，直接call，
   有参数，有几个要push几个，把eax等寄存器内的数据入栈:push exx
   eax,edx等寄存器内的数据哪里来的呢？通过mov，从存放地点移动过来赋值。


//接下来我们进入函数内部，要动态追踪下面代码。以后每次看见这样代码，明白道理，就直接忽略：
push    ebp         保存ebp
mov     ebp,esp     保存esp

pop     ebp         获得ebp
ret     8           返回，注意，后面为什么是8

我们先看一下Entry调用MyP0处的地址：
   38 f8451536 cc              int     3
   41 f8451537 e854ffffff      call    bz3!MyP0 (f8451490)
   42 f845153c 8b45f8          mov     eax,dword ptr [ebp-8]

   显然调用MyP0后，要运行f845153c的代码。然后我们到函数内部看
     push    ebp         中ebp的内容，是不是f845153c

进入windbg:
//////////////////////////
kd> t
bz3!DriverEntry+0x17:
f8451537 e854ffffff      call    bz3!MyP0 (f8451490)
kd> t
bz3!MyP0:
f8451490 8bff            mov     edi,edi
kd> p
bz3!MyP0+0x5:
f8451495 68701545f8      push    offset bz3! ?? ::FNODOBFM::`string' (f8451570)
kd> dd ebp
f8282c6c f8282c7c f845153c 00000005 00000008
//////////////////
呵呵，没错，f845153c,5,8,都是要用的。
下面两个地址也应该出现在下面两个函数的ebp中,不然程序返回后不知道继续运行哪里的代码。
f8451545 f8451552

顺便看下类似下面命令是什么意思
mov     eax,dword ptr [ebp+8]

我们要知道 ebp+8，要先看下ebp:

kd> dd ebp
f8282c64： f8282c7c f8451552 00000005 00000008

可以看到，ebp+4就是f8451552，返回后继续运行的地址，ebp+8当然是5了,ebp+12(哦，要16进制:ebp+c)是8。
那我们直接看下dd ebp+8：
kd> dd ebp+8
f8282c6c: 00000005 00000008 00000005 00000008
kd> dd ebp+c
f8282c70： 00000008 00000005 00000008 f8282d4c

应该没疑问了。

//////////////
以后看汇编代码的时候，可以忽略：
push    ebp         保存返回地址
mov     ebp,esp     设置新的ebp指针，指向栈顶
中间是具体实现
pop     ebp         获得返回地址
ret     8           返回

只看这些代码中间的代码就可以了，以后直接贴这些代码中间的实现。

iniwf 2010-04-18 19:02 发表评论

内核驱动反编译笔记1

iniwf — Sun, 18 Apr 2010 10:53:00 GMT

摘要: 转自：http://blog.sina.com.cn/s/blog_541329b40100eyrt.html 内核驱动反编译笔记1 所用程序:bz1,bz2内核驱动反编译后，看看是什么样子，函数调用，全局局部变量，各种循环，数组，数据结构，各种算法都什么样子。没什么捷径，一个个编写了反编译比对吧。比对么，先要有个最简单的程序来做标本，所以以下有一个最原始最简单的程序，和一个添加了自定... 阅读全文

iniwf 2010-04-18 18:53 发表评论