Views: 3111   Replies: 3
Could an expert take a look at this driver's entry-point assembly?
INIT:00013605
INIT:00013605                 public start
INIT:00013605 start           proc near
INIT:00013605
INIT:00013605 ; FUNCTION CHUNK AT .text:00011830 SIZE 000000DC BYTES
INIT:00013605
INIT:00013605                 mov     eax, dword_13580
INIT:0001360A                 test    eax, eax
INIT:0001360C                 mov     ecx, 0BB40E64Eh
INIT:00013611                 jz      short loc_13617
INIT:00013613                 cmp     eax, ecx
INIT:00013615                 jnz     short loc_13630
INIT:00013617
INIT:00013617 loc_13617:                              ; CODE XREF: start+Cj
INIT:00013617                 mov     eax, ds:KeTickCount
INIT:0001361C                 mov     eax, [eax]
INIT:0001361E                 xor     eax, offset dword_13580
INIT:00013623                 mov     dword_13580, eax
INIT:00013628                 jnz     short loc_13630
INIT:0001362A                 mov     dword_13580, ecx
INIT:00013630
INIT:00013630 loc_13630:                              ; CODE XREF: start+10j
INIT:00013630                                         ; start+23j
INIT:00013630                 jmp     loc_11830
INIT:00013630 start           endp
Reply #1
Posted: 2009-03-19 11:08
This is the code that sets up the security cookie (/GS); the final jmp goes to the DriverEntry you wrote.
The number 0BB40E64Eh is quite conspicuous: 3141592654.
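To make the stub's control flow concrete, here is a C model of the INIT:00013605 code as an added example (not code from the thread or from the driver being discussed). It mirrors the listing instruction by instruction: dword_13580 is the driver's /GS cookie, the value read through ds:KeTickCount is the entropy source, and `offset dword_13580` is the cookie variable's own address. The function and parameter names, and the sample values in main, are ours.

```c
#include <stdint.h>
#include <stdio.h>

/* The default /GS cookie value loaded into ecx at INIT:0001360C. */
#define DEFAULT_SECURITY_COOKIE 0xBB40E64Eu

/*
 * C model of the stub at INIT:00013605 (added example; names are ours):
 *   cookie      - current value of dword_13580, the driver's __security_cookie
 *   tick_count  - the value read through ds:KeTickCount
 *   cookie_addr - "offset dword_13580", the address of the cookie variable
 * Returns the value the stub leaves in dword_13580 before "jmp loc_11830"
 * hands control to the real DriverEntry.
 */
uint32_t init_security_cookie(uint32_t cookie, uint32_t tick_count,
                              uint32_t cookie_addr)
{
    /* test eax,eax / jz loc_13617 ; cmp eax,ecx / jnz loc_13630:
       only a zero or still-default cookie is (re)initialised; any other
       value is left untouched and control goes straight to DriverEntry. */
    if (cookie != 0 && cookie != DEFAULT_SECURITY_COOKIE)
        return cookie;

    /* loc_13617: mov eax,[KeTickCount] ; xor eax, offset dword_13580 ;
       mov dword_13580, eax */
    uint32_t fresh = tick_count ^ cookie_addr;

    /* "jnz short loc_13630" tests the flags left by the xor (mov does not
       touch them): a cookie of zero is rejected and the stub falls back to
       the default value with "mov dword_13580, ecx". */
    if (fresh == 0)
        fresh = DEFAULT_SECURITY_COOKIE;
    return fresh;
}

int main(void)
{
    /* Constructed inputs: a tick count, and the listing's offset 13580h
       used as the cookie's address. */
    uint32_t tick = 0x0005A3C1u, addr = 0x00013580u;
    printf("unset cookie   -> %08X\n", (unsigned)init_security_cookie(0, tick, addr));
    printf("default cookie -> %08X\n",
           (unsigned)init_security_cookie(DEFAULT_SECURITY_COOKIE, tick, addr));
    printf("live cookie    -> %08X\n",
           (unsigned)init_security_cookie(0x12345678u, tick, addr));
    printf("xor gives zero -> %08X\n", (unsigned)init_security_cookie(0, addr, addr));
    return 0;
}
```

The fourth case is the one that explains the otherwise odd-looking `jnz` right after a `mov`: when the tick count happens to equal the cookie's address the xor yields zero, and the stub deliberately refuses to use zero as a cookie.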
Reply #2
Posted: 2009-03-19 14:32
Thanks!
.text:00011830 loc_11830:                              ; CODE XREF: start:loc_13630j
.text:00011830                 mov     edi, edi
.text:00011832                 push    ebp
.text:00011833                 mov     ebp, esp
.text:00011835                 sub     esp, 14h
.text:00011838                 push    ebx
.text:00011839                 mov     ebx, ds:RtlInitUnicodeString
.text:0001183F                 push    offset aDevice  ;
.text:00011844                 lea     eax, [ebp-0Ch]
.text:00011847                 push    eax
.text:00011848                 call    ebx ; RtlInitUnicodeString
.text:0001184A                 lea     eax, [ebp-4]
.text:0001184D                 push    eax
.text:0001184E                 push    0
.text:00011850                 push    0
.text:00011852                 push    22h
.text:00011854                 lea     eax, [ebp-0Ch]
.text:00011857                 push    eax
.text:00011858                 push    8Ch
.text:0001185D                 push    dword ptr [ebp+8]
.text:00011860                 call    ds:IoCreateDevice
.text:00011866                 test    eax, eax
.text:00011868                 jnz     loc_11907
.text:0001186E                 mov     eax, [ebp-4]
.text:00011871                 push    esi
.text:00011872                 mov     esi, [eax+28h]
.text:00011875                 push    edi
.text:00011876                 push    23h
.text:00011878                 pop     ecx
.text:00011879                 xor     eax, eax
.text:0001187B                 mov     edi, esi
.text:0001187D                 rep stosd
.text:0001187F                 mov     edi, ds:KeInitializeMutex
.text:00011885                 lea     eax, [esi+58h]
.text:00011888                 mov     [esi+5Ch], eax
.text:0001188B                 mov     [eax], eax
.text:0001188D                 push    0
.text:0001188F                 lea     eax, [esi+38h]
.text:00011892                 push    eax
.text:00011893                 call    edi ; KeInitializeMutex
.text:00011895                 push    0
.text:00011897                 lea     eax, [esi+60h]
.text:0001189A                 push    eax
.text:0001189B                 call    edi ; KeInitializeMutex
.text:0001189D                 lea     eax, [esi+80h]
.text:000118A3                 mov     [esi+84h], eax
.text:000118A9                 mov     [eax], eax
.text:000118AB                 mov     eax, esi
.text:000118AD                 call    sub_10BF2
.text:000118B2                 mov     esi, eax
.text:000118B4                 test    esi, esi
.text:000118B6                 jge     short loc_118C5
.text:000118B8
.text:000118B8 loc_118B8:                              ; CODE XREF: start-1D23j
.text:000118B8                 push    dword ptr [ebp-4]
.text:000118BB                 call    ds:IoDeleteDevice
.text:000118C1                 mov     eax, esi
.text:000118C3                 jmp     short loc_11905
.text:000118C5 ; ---------------------------------------------------------------------------
.text:000118C5
.text:000118C5 loc_118C5:                              ; CODE XREF: start-1D4Fj
.text:000118C5                 push    offset aDosdevices
.text:000118CA                 lea     eax, [ebp-14h]
.text:000118CD                 push    eax
.text:000118CE                 call    ebx ; RtlInitUnicodeString
.text:000118D0                 lea     eax, [ebp-0Ch]
.text:000118D3                 push    eax
.text:000118D4                 lea     eax, [ebp-14h]
.text:000118D7                 push    eax
.text:000118D8                 call    ds:IoCreateSymbolicLink
.text:000118DE                 mov     esi, eax
.text:000118E0                 test    esi, esi
.text:000118E2                 jnz     short loc_118B8
.text:000118E4                 mov     eax, [ebp+8]
.text:000118E7                 mov     dword ptr [eax+34h], offset loc_10FA0
.text:000118EE                 mov     dword ptr [eax+38h], offset loc_10D14
.text:000118F5                 mov     dword ptr [eax+40h], offset loc_11242
.text:000118FC                 mov     dword ptr [eax+70h], offset loc_112F6
.text:00011903                 xor     eax, eax
.text:00011905
.text:00011905 loc_11905:                              ; CODE XREF: start-1D42j
.text:00011905                 pop     edi
.text:00011906                 pop     esi
.text:00011907
.text:00011907 loc_11907:                              ; CODE XREF: start-1D9Dj
.text:00011907                 pop     ebx
.text:00011908                 leave
.text:00011909                 retn    8
.text:00011909 ; END OF FUNCTION CHUNK FOR start

The code above is the driver's initialization code. I can more or less follow the ordinary parts, such as creating the device. How can I tell which functions are the dispatch callbacks?

.text:000118E7                 mov     dword ptr [eax+34h], offset loc_10FA0
.text:000118EE                 mov     dword ptr [eax+38h], offset loc_10D14
.text:000118F5                 mov     dword ptr [eax+40h], offset loc_11242
.text:000118FC                 mov     dword ptr [eax+70h], offset loc_112F6

I guess these four are the dispatch callbacks?
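Because eax holds the DriverObject argument ([ebp+8]) at .text:000118E4, the four stores that follow can be read off against the DRIVER_OBJECT layout. The decoder below is an added example (not code from the thread or the driver under discussion); it assumes the standard 32-bit DRIVER_OBJECT layout, with DriverStartIo at 0x30, DriverUnload at 0x34 and the MajorFunction array of 4-byte pointers starting at 0x38, and the SDK's IRP_MJ_* names. Function and type names are ours; the four (offset, target) pairs in main are copied from the listing.

```c
#include <stdio.h>
#include <string.h>

/* Assumed 32-bit (x86) DRIVER_OBJECT field offsets and the IRP_MJ_* range. */
#define DRVOBJ_DRIVER_START_IO   0x30
#define DRVOBJ_DRIVER_UNLOAD     0x34
#define DRVOBJ_MAJOR_FUNCTION    0x38
#define IRP_MJ_MAXIMUM_FUNCTION  0x1B
#define PTR_SIZE                 4

/* IRP major function codes 0x00..0x1B, indexed by MajorFunction slot. */
static const char *const irp_mj_names[IRP_MJ_MAXIMUM_FUNCTION + 1] = {
    "IRP_MJ_CREATE", "IRP_MJ_CREATE_NAMED_PIPE", "IRP_MJ_CLOSE", "IRP_MJ_READ",
    "IRP_MJ_WRITE", "IRP_MJ_QUERY_INFORMATION", "IRP_MJ_SET_INFORMATION",
    "IRP_MJ_QUERY_EA", "IRP_MJ_SET_EA", "IRP_MJ_FLUSH_BUFFERS",
    "IRP_MJ_QUERY_VOLUME_INFORMATION", "IRP_MJ_SET_VOLUME_INFORMATION",
    "IRP_MJ_DIRECTORY_CONTROL", "IRP_MJ_FILE_SYSTEM_CONTROL",
    "IRP_MJ_DEVICE_CONTROL", "IRP_MJ_INTERNAL_DEVICE_CONTROL", "IRP_MJ_SHUTDOWN",
    "IRP_MJ_LOCK_CONTROL", "IRP_MJ_CLEANUP", "IRP_MJ_CREATE_MAILSLOT",
    "IRP_MJ_QUERY_SECURITY", "IRP_MJ_SET_SECURITY", "IRP_MJ_POWER",
    "IRP_MJ_SYSTEM_CONTROL", "IRP_MJ_DEVICE_CHANGE", "IRP_MJ_QUERY_QUOTA",
    "IRP_MJ_SET_QUOTA", "IRP_MJ_PNP",
};

/* Classify a "mov dword ptr [eax+off], offset func" store, eax = DriverObject.
   Writes a label into name and returns the IRP major code (0..0x1B) for a
   dispatch slot, -1 for DriverUnload, -2 for DriverStartIo, and -3 for an
   offset that is not a routine pointer at all (misaligned or past the array). */
int describe_driver_object_store(unsigned off, char *name, size_t n)
{
    if (off == DRVOBJ_DRIVER_UNLOAD) {
        snprintf(name, n, "DriverUnload");
        return -1;
    }
    if (off == DRVOBJ_DRIVER_START_IO) {
        snprintf(name, n, "DriverStartIo");
        return -2;
    }
    if (off >= DRVOBJ_MAJOR_FUNCTION && (off - DRVOBJ_MAJOR_FUNCTION) % PTR_SIZE == 0) {
        unsigned idx = (off - DRVOBJ_MAJOR_FUNCTION) / PTR_SIZE;
        if (idx <= IRP_MJ_MAXIMUM_FUNCTION) {
            snprintf(name, n, "MajorFunction[%s]", irp_mj_names[idx]);
            return (int)idx;
        }
    }
    snprintf(name, n, "offset 0x%02X (not a routine slot)", off);
    return -3;
}

struct store { unsigned off; const char *target; };

int main(void)
{
    /* The four stores from the listing at .text:000118E7 .. .text:000118FC. */
    static const struct store stores[] = {
        { 0x34, "loc_10FA0" }, { 0x38, "loc_10D14" },
        { 0x40, "loc_11242" }, { 0x70, "loc_112F6" },
    };
    char name[64];
    for (size_t i = 0; i < sizeof stores / sizeof stores[0]; i++) {
        describe_driver_object_store(stores[i].off, name, sizeof name);
        printf("[eax+%02Xh] = %-10s -> %s\n", stores[i].off, stores[i].target, name);
    }
    return 0;
}
```

Under that layout, loc_10D14 is the IRP_MJ_CREATE handler, loc_11242 the IRP_MJ_CLOSE handler and loc_112F6 the IRP_MJ_DEVICE_CONTROL (IOCTL) handler, which is the routine that takes user-controlled input and therefore the first one to audit; loc_10FA0 at 0x34 is DriverUnload, not a dispatch routine. The same reading-by-offset works for the IoCreateDevice call earlier in the chunk: the pushes are the arguments in reverse, so 8Ch is the device-extension size (matching the 23h dwords zeroed by `rep stosd` through DEVICE_OBJECT.DeviceExtension at [eax+28h]) and 22h is FILE_DEVICE_UNKNOWN.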
Reply #3
Posted: 2009-03-20 17:00
Look at how many parameters the entry function has. For example, main has 3 parameters, so look for 3 pushes followed by a call; step into that call and that is the OEP.