Analysis of a piece of reversed code

Recently I was reversing a driver, and one piece of code in it puzzled me at first:

.....

.text:0001AD3C                 push    esi             ; DriverObject

....

.text:0001ADD3 mov eax, offset sub_1A602
.text:0001ADD8 mov [esi+38h], eax
.text:0001ADDB mov [esi+40h], eax
.text:0001ADDE mov dword ptr [esi+70h], offset sub_1AA04

It looks as if it assigns handler functions to certain fields of the DriverObject; the following steps confirmed this:

Open WinDbg and break into kernel-mode debugging:

kd> !devnode 0 1 

...

DevNode 0x821a03a8 for PDO 0x821a04f0
InstancePath is "Root\VMWVMCIHOSTDEV\0000"
ServiceName is "vmci"
State = DeviceNodeStarted (0x308)
Previous State = DeviceNodeEnumerateCompletion (0x30d)

Here only the last entry is listed:

kd> !devobj 0x821a04f0
Device object (821a04f0) is for:
0000003a \Driver\PnpManager DriverObject 821a52a8
Current Irp 00000000 RefCount 0 Type 00000004 Flags 00001040
Dacl e132c224 DevExt 821a05a8 DevObjExt 821a05b0 DevNode 821a03a8
ExtensionFlags (0000000000)
AttachedDevice (Upper) 81d0a030 \Driver\vmci
Device queue is not busy.

kd> dt _driver_object 821a52a8 -b -r
ntdll!_DRIVER_OBJECT
+0x000 Type : 0n4
+0x002 Size : 0n168
+0x004 DeviceObject : 0x821a04f0
+0x008 Flags : 4
+0x00c DriverStart : (null)
+0x010 DriverSize : 0
+0x014 DriverSection : (null)
+0x018 DriverExtension : 0x821a5350
+0x01c DriverName : _UNICODE_STRING "\Driver\PnpManager"
+0x000 Length : 0x24
+0x002 MaximumLength : 0x26
+0x004 Buffer : 0xe102e848 "\Driver\PnpManager"
+0x024 HardwareDatabase : (null)
+0x028 FastIoDispatch : (null)
+0x02c DriverInit : 0x8068afa4
+0x030 DriverStartIo : (null)
+0x034 DriverUnload : (null)
+0x038 MajorFunction :
[00] 0x804f455a
[01] 0x804f455a
[02] 0x804f455a
[03] 0x804f455a
[04] 0x804f455a
[05] 0x804f455a
[06] 0x804f455a
[07] 0x804f455a
[08] 0x804f455a
[09] 0x804f455a
[10] 0x804f455a
[11] 0x804f455a
[12] 0x804f455a
[13] 0x804f455a
[14] 0x804f455a
[15] 0x804f455a
[16] 0x804f455a
[17] 0x804f455a
[18] 0x804f455a
[19] 0x804f455a
[20] 0x804f455a
[21] 0x804f455a
[22] 0x804f73ac
[23] 0x80592d28
[24] 0x804f455a
[25] 0x804f455a
[26] 0x804f455a
[27] 0x805935a2

kd> dd 0x821a52a8+0x38
821a52e0 804f455a 804f455a 804f455a 804f455a
821a52f0 804f455a 804f455a 804f455a 804f455a
821a5300 804f455a 804f455a 804f455a 804f455a
821a5310 804f455a 804f455a 804f455a 804f455a
821a5320 804f455a 804f455a 804f455a 804f455a
821a5330 804f455a 804f455a 804f73ac 80592d28
821a5340 804f455a 804f455a 804f455a 805935a2
821a5350 821a52a8 80614a62 00000000 00260024

As can be seen, MajorFunction begins at +0x38 and each function address occupies 4 bytes, so a store to [esi+XXh] lands on entry (XX - 0x38) / 4: 0x38 gives index 0, 0x40 gives index 2 and 0x70 gives index 14. The highlighted (pink) code therefore decompiles to C as:

DriverObject->MajorFunction[0] = sub_1A602;   /* [esi+38h] */
DriverObject->MajorFunction[2] = sub_1A602;   /* [esi+40h] */
DriverObject->MajorFunction[14] = sub_1AA04;  /* [esi+70h], IRP_MJ_DEVICE_CONTROL (0x0e) */

and in wdm.h:

#define IRP_MJ_CREATE 0x00
#define IRP_MJ_CREATE_NAMED_PIPE 0x01
#define IRP_MJ_CLOSE 0x02
#define IRP_MJ_READ 0x03

Only then did it dawn on me.
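The offset arithmetic above can be mechanised. The following is an added example, not code from the original post: it resolves `[esi+XXh]` offsets against the 32-bit _DRIVER_OBJECT layout printed by `dt` above, rewrites the three stores in the listing as C statements, and picks out the entries of the `dd` dump that differ from the default handler (in the post's table those are [22], [23] and [27], i.e. IRP_MJ_POWER, IRP_MJ_SYSTEM_CONTROL and IRP_MJ_PNP). The function names `field_at`, `decompile_stores`, `parse_dd` and `non_default_handlers` are mine; the IRP_MJ code list is the standard wdm.h one; the listing and dump are copied from the post, and esi is assumed to hold DriverObject, as the listing's own `push esi ; DriverObject` comment says. On an x64 build the pointer size and every offset differ, which the constants make explicit.

```python
import re
from collections import Counter

# Added example, not code from the original post: it mechanises the offset arithmetic the
# post does by hand, against the 32-bit _DRIVER_OBJECT layout that `dt` printed above.
DRIVER_OBJECT_FIELDS = [            # (start offset, field name) for the scalar fields
    (0x00, "Type"), (0x02, "Size"), (0x04, "DeviceObject"), (0x08, "Flags"),
    (0x0c, "DriverStart"), (0x10, "DriverSize"), (0x14, "DriverSection"),
    (0x18, "DriverExtension"), (0x1c, "DriverName"), (0x24, "HardwareDatabase"),
    (0x28, "FastIoDispatch"), (0x2c, "DriverInit"), (0x30, "DriverStartIo"),
    (0x34, "DriverUnload"),
]
MAJOR_FUNCTION_OFFSET = 0x38
POINTER_SIZE = 4                    # x86 build; on x64 pointers are 8 and every offset shifts
IRP_MJ_MAXIMUM_FUNCTION = 0x1b      # so the table has 0x1c = 28 entries, [00]..[27]
DRIVER_OBJECT_SIZE = MAJOR_FUNCTION_OFFSET + (IRP_MJ_MAXIMUM_FUNCTION + 1) * POINTER_SIZE

# Standard wdm.h major function codes; list index == IRP_MJ_* value.
IRP_MJ_NAMES = ["IRP_MJ_" + n for n in (
    "CREATE CREATE_NAMED_PIPE CLOSE READ WRITE QUERY_INFORMATION SET_INFORMATION "
    "QUERY_EA SET_EA FLUSH_BUFFERS QUERY_VOLUME_INFORMATION SET_VOLUME_INFORMATION "
    "DIRECTORY_CONTROL FILE_SYSTEM_CONTROL DEVICE_CONTROL INTERNAL_DEVICE_CONTROL "
    "SHUTDOWN LOCK_CONTROL CLEANUP CREATE_MAILSLOT QUERY_SECURITY SET_SECURITY "
    "POWER SYSTEM_CONTROL DEVICE_CHANGE QUERY_QUOTA SET_QUOTA PNP").split()]

def field_at(offset):
    """Map a byte offset into _DRIVER_OBJECT to (field name, MajorFunction index or None)."""
    if not 0 <= offset < DRIVER_OBJECT_SIZE:
        raise ValueError("offset 0x%x is outside _DRIVER_OBJECT (size 0x%x)" % (offset, DRIVER_OBJECT_SIZE))
    if offset >= MAJOR_FUNCTION_OFFSET:
        index, rem = divmod(offset - MAJOR_FUNCTION_OFFSET, POINTER_SIZE)
        if rem:
            raise ValueError("offset 0x%x is not pointer-aligned inside MajorFunction" % offset)
        return "MajorFunction", index
    start, name = max((s, n) for s, n in DRIVER_OBJECT_FIELDS if s <= offset)
    return (name if start == offset else "%s+0x%x" % (name, offset - start)), None

LOAD_RE = re.compile(r"\bmov\s+eax,\s*offset\s+(\w+)")
STORE_RE = re.compile(r"\bmov\s+(?:dword\s+ptr\s+)?\[esi\+([0-9A-Fa-f]+)h\],\s*"
                      r"(?:offset\s+(\w+)|(eax)\b)")

def decompile_stores(listing):
    """Rewrite the `mov [esi+XXh], ...` stores of an IDA listing as C statements."""
    # esi is assumed to hold DriverObject (the listing's own `push esi ; DriverObject`);
    # `mov eax, offset sym` is tracked so a later store of eax resolves to sym.
    eax, statements = None, []
    for line in listing.splitlines():
        load = LOAD_RE.search(line)
        if load:
            eax = load.group(1)
            continue
        store = STORE_RE.search(line)
        if not store:
            continue
        value = store.group(2) or eax
        if value is None:
            raise ValueError("store of eax before it was loaded: %r" % line.strip())
        name, index = field_at(int(store.group(1), 16))
        lhs = name if index is None else "MajorFunction[%s]" % IRP_MJ_NAMES[index]
        statements.append("DriverObject->%s = %s;" % (lhs, value))
    return statements

DD_LINE_RE = re.compile(r"^\s*[0-9a-fA-F]{8}((?:\s+[0-9a-fA-F]{8})+)\s*$")
def parse_dd(dump, count=IRP_MJ_MAXIMUM_FUNCTION + 1):
    """Collect the dwords of a WinDbg `dd` dump, skipping the address column and the prompt."""
    values = []
    for line in dump.splitlines():
        m = DD_LINE_RE.match(line)
        if m:
            values.extend(int(v, 16) for v in m.group(1).split())
    return values[:count]

def non_default_handlers(table):
    """Entries that differ from the table's most common value, keyed by IRP_MJ name."""
    # A driver that serves a few IRP_MJ codes points the rest at one default routine, so the
    # outliers are the handlers worth reading; the same diff against a known-good copy of the
    # table is how a patched dispatch entry shows up during forensics.
    default = Counter(table).most_common(1)[0][0]
    return {IRP_MJ_NAMES[i]: v for i, v in enumerate(table) if v != default}

# Inputs copied from the post: the DriverEntry stores and the `dd` dump of PnpManager's table.
LISTING = """.text:0001AD3C                 push    esi             ; DriverObject
.text:0001ADD3 mov eax, offset sub_1A602
.text:0001ADD8 mov [esi+38h], eax
.text:0001ADDB mov [esi+40h], eax
.text:0001ADDE mov dword ptr [esi+70h], offset sub_1AA04
"""
DD_DUMP = """kd> dd 0x821a52a8+0x38
821a52e0 804f455a 804f455a 804f455a 804f455a
821a52f0 804f455a 804f455a 804f455a 804f455a
821a5300 804f455a 804f455a 804f455a 804f455a
821a5310 804f455a 804f455a 804f455a 804f455a
821a5320 804f455a 804f455a 804f455a 804f455a
821a5330 804f455a 804f455a 804f73ac 80592d28
821a5340 804f455a 804f455a 804f455a 805935a2
821a5350 821a52a8 80614a62 00000000 00260024
"""

if __name__ == "__main__":
    print("\n".join(decompile_stores(LISTING)))
    for name, addr in sorted(non_default_handlers(parse_dd(DD_DUMP)).items()):
        print("%-22s -> %08x" % (name, addr))
```

`DRIVER_OBJECT_SIZE` comes out as 0xa8, which is exactly the `Size : 0n168` the `dt` output reports, so the table is known to end at +0xa8 and a store past that offset is flagged rather than silently mapped to a nonexistent entry; a misaligned offset inside the table is likewise rejected, since a real dispatch pointer is always written whole.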

posted @ 2013-04-08 22:48  monkeycd  Views(299)  Comments(0)