Views: 4295  Replies: 5
Can you see the source code of a .sys file by decompiling it?
Hello everyone, it has been a long time since I was last here. It's as lively here as ever.
I'd like to ask a question: is it possible to see the source code of a .sys file by decompiling it? If so, which tools would do it? Thanks, everyone!
#1
Posted: 2002-03-04 15:16
At most you'll get assembly...
#2
Posted: 2002-03-04 15:25
yang2000 is right.
I've heard that if you're very familiar with both assembly and drivers, a disassembler might do the job.
#3
Posted: 2002-03-04 17:05
Yes, you can!
The tool to use is IDA 4.15. The method is as follows. Below is the disassembly of a driver I wrote myself; after suitable cleanup you can get C source code back from it.

Driver entry (DriverEntry):

    .text:00010A1C                 public _DriverEntry@8
    .text:00010A1C _DriverEntry@8  proc near
    .text:00010A1C
    .text:00010A1C arg_0           = dword ptr  4
    .text:00010A1C
    .text:00010A1C                 mov     eax, [esp+arg_0]
    .text:00010A20                 mov     ecx, [eax+18h]
    .text:00010A23                 mov     dword ptr [ecx+4], offset _Avalanch_AddDevice@8
    .text:00010A2A                 mov     dword ptr [eax+30h], offset _Avalanch_StartIo@8
    .text:00010A31                 mov     dword ptr [eax+38h], offset _Avalanch_CreateDispatch@8
    .text:00010A38                 mov     dword ptr [eax+40h], offset _Avalanch_CloseDispatch@8
    .text:00010A3F                 mov     dword ptr [eax+44h], offset _Avalanch_Read@8
    .text:00010A46                 mov     dword ptr [eax+48h], offset _Avalanch_Write@8
    .text:00010A4D                 mov     dword ptr [eax+80h], offset _Avalanch_CleanupDispatch@8
    .text:00010A57                 mov     dword ptr [eax+90h], offset _Avalanch_PowerDispatch@8
    .text:00010A61                 mov     dword ptr [eax+94h], offset _Avalanch_SystemControlDispatch@8
    .text:00010A6B                 mov     dword ptr [eax+0A4h], offset _Avalanch_PnpDispatch@8
    .text:00010A75                 xor     eax, eax
    .text:00010A77                 retn    8

Because the program carries debug information, the disassembly is much easier to read than it would be without it!
If your assembly is good enough, you can get approximately the following C code:

    NTSTATUS DriverEntry(
        IN PDRIVER_OBJECT DriverObject,
        IN PUNICODE_STRING pRegistryPath
        )
    {
        DriverObject->DriverExtension->AddDevice = Avalanch_AddDevice;
        DriverObject->DriverStartIo = Avalanch_StartIo;
        DriverObject->MajorFunction[IRP_MJ_CREATE] = Avalanch_CreateDispatch;
        DriverObject->MajorFunction[IRP_MJ_CLOSE] = Avalanch_CloseDispatch;
        DriverObject->MajorFunction[IRP_MJ_READ] = Avalanch_Read;
        DriverObject->MajorFunction[IRP_MJ_WRITE] = Avalanch_Write;
        DriverObject->MajorFunction[IRP_MJ_CLEANUP] = Avalanch_CleanupDispatch;
        DriverObject->MajorFunction[IRP_MJ_POWER] = Avalanch_PowerDispatch;
        DriverObject->MajorFunction[IRP_MJ_SYSTEM_CONTROL] = Avalanch_SystemControlDispatch;
        DriverObject->MajorFunction[IRP_MJ_PNP] = Avalanch_PnpDispatch;
        return STATUS_SUCCESS;
    }

Continue with the disassembly of the following code. Double-click the function _Avalanch_Write@8 to enter its body:

    .text:000119C8                 public _Avalanch_Write@8
    .text:000119C8 _Avalanch_Write@8 proc near             ; DATA XREF: _DriverEntry@8+2Ao
    .text:000119C8
    .text:000119C8 var_4           = dword ptr -4
    .text:000119C8 arg_0           = dword ptr  8
    .text:000119C8 arg_4           = dword ptr  0Ch
    .text:000119C8
    .text:000119C8                 push    ebp
    .text:000119C9                 mov     ebp, esp
    .text:000119CB                 push    ecx
    .text:000119CC                 mov     eax, [ebp+arg_0]
    .text:000119CF                 and     [ebp+var_4], 0
    .text:000119D3                 push    ebx
    .text:000119D4                 push    esi
    .text:000119D5                 mov     ebx, [eax+28h]
    .text:000119D8                 mov     esi, [ebp+arg_4]
    .text:000119DB                 lea     eax, [ebp+var_4]
    .text:000119DE                 push    edi
    .text:000119DF                 mov     edi, [esi+60h]
    .text:000119E2                 push    eax
    .text:000119E3                 push    esi
    .text:000119E4                 push    ebx
    .text:000119E5                 call    _Avalanch_IrpPrologue@12
    .text:000119EA                 test    al, al
    .text:000119EC                 jz      short loc_11A16
    .text:000119EE                 xor     eax, eax
    .text:000119F0                 mov     [ebp+var_4], 0C0000002h
    .text:000119F7                 mov     [esi+1Ch], eax
    .text:000119FA                 cmp     byte ptr [edi], 4
    .text:000119FD                 jnz     short loc_11A0B
    .text:000119FF                 cmp     [edi+4], eax
    .text:00011A02                 jnz     short loc_11A20
    .text:00011A04                 mov     [ebp+var_4], 0C000000Dh
    .text:00011A0B
    .text:00011A0B loc_11A0B:                              ; CODE XREF: _Avalanch_Write@8+35j
    .text:00011A0B                 push    eax
    .text:00011A0C                 push    [ebp+var_4]
    .text:00011A0F                 push    esi
    .text:00011A10                 push    ebx
    .text:00011A11                 call    _Avalanch_CompleteIrpRequest@16
    .text:00011A16
    .text:00011A16 loc_11A16:                              ; CODE XREF: _Avalanch_Write@8+24j
    .text:00011A16                                         ; _Avalanch_Write@8+6Bj
    .text:00011A16                 mov     eax, [ebp+var_4]
    .text:00011A19                 pop     edi
    .text:00011A1A                 pop     esi
    .text:00011A1B                 pop     ebx
    .text:00011A1C                 leave
    .text:00011A1D                 retn    8
    .text:00011A20 ; ---------------------------------------------------------------------------
    .text:00011A20
    .text:00011A20 loc_11A20:                              ; CODE XREF: _Avalanch_Write@8+3Aj
    .text:00011A20                 push    offset _Avalanch_IrpCancelRoutine@8
    .text:00011A25                 push    esi
    .text:00011A26                 push    ebx
    .text:00011A27                 call    _Avalanch_QueueIrp@12
    .text:00011A2C                 mov     [ebp+var_4], 103h
    .text:00011A33                 jmp     short loc_11A16
    .text:00011A33 _Avalanch_Write@8 endp

If your assembly is solid, you can tell that [ebp+arg_0] is a PDEVICE_OBJECT and [ebp+arg_4] is a PIRP. So mov eax, [ebp+arg_0] fetches the PDEVICE_OBJECT, and mov ebx, [eax+28h] fetches DeviceObject->DeviceExtension; mov esi, [ebp+arg_4] fetches the PIRP, and mov edi, [esi+60h] is IoGetCurrentIrpStackLocation(Irp); _Avalanch_IrpPrologue@12 pushes three arguments ................................
Writing it all out in detail is too much trouble!
When analysing disassembly, always refer to the corresponding DDK header files.
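The offset-to-field mapping the post does by hand (on 32-bit x86, 0x38 plus four times the IRP_MJ_* index is the MajorFunction slot, 0x18 is DriverExtension and 0x30 is DriverStartIo) can be scripted. The Python below is an added example, not code from this thread; it hard-codes the DDK's x86 DRIVER_OBJECT and DRIVER_EXTENSION layouts and goes a little beyond the post's listing by naming any MajorFunction slot, not only the ten shown.

```python
import re

# Added example, not code from the thread. x86 (32-bit) offsets are the DDK ntddk.h layouts:
# DRIVER_OBJECT has DriverExtension at 0x18, DriverStartIo at 0x30 and MajorFunction[]
# (28 four-byte pointers) at 0x38; DRIVER_EXTENSION has AddDevice at 0x04.
MAJOR_FUNCTION_BASE, IRP_MJ_MAXIMUM_FUNCTION = 0x38, 0x1B
STRUCTS = {"DriverObject": {0x18: "DriverExtension", 0x30: "DriverStartIo", 0x34: "DriverUnload"},
           "DriverObject->DriverExtension": {0x04: "AddDevice"}}
IRP_MJ_NAMES = {0x00: "IRP_MJ_CREATE", 0x02: "IRP_MJ_CLOSE", 0x03: "IRP_MJ_READ",
                0x04: "IRP_MJ_WRITE", 0x0E: "IRP_MJ_DEVICE_CONTROL", 0x12: "IRP_MJ_CLEANUP",
                0x16: "IRP_MJ_POWER", 0x17: "IRP_MJ_SYSTEM_CONTROL", 0x1B: "IRP_MJ_PNP"}

# IDA prints 0-9 bare and larger immediates with an 'h' suffix, so int(x, 16) fits both.
ARG0 = re.compile(r"mov\s+(\w+),\s*\[esp\+arg_0\]")
LOAD = re.compile(r"mov\s+(\w+),\s*\[(\w+)\+([0-9A-Fa-f]+)h?\]")
STORE = re.compile(r"mov\s+dword ptr \[(\w+)\+([0-9A-Fa-f]+)h?\],\s*offset\s+_(\w+)@\d+")

def field_name(base, offset):
    """Map a byte offset into the struct that 'base' points at to its C field name."""
    if base == "DriverObject" and offset >= MAJOR_FUNCTION_BASE:
        idx, rem = divmod(offset - MAJOR_FUNCTION_BASE, 4)
        if rem == 0 and idx <= IRP_MJ_MAXIMUM_FUNCTION:
            return "MajorFunction[%s]" % IRP_MJ_NAMES.get(idx, "0x%02X" % idx)
    # Unknown offset: keep it visible in the output rather than guess a field.
    return STRUCTS.get(base, {}).get(offset, "field_%X" % offset)

def recover_driver_entry(listing):
    """Turn an IDA listing of an x86 DriverEntry into the C assignments it performs."""
    regs, out = {}, []                     # regs: register -> C expression it currently holds
    for line in listing.splitlines():
        text = line.split(";")[0]          # drop IDA comments and xrefs
        if m := ARG0.search(text):         # DriverEntry's first argument is the DRIVER_OBJECT
            regs[m.group(1)] = "DriverObject"
        elif (m := LOAD.search(text)) and m.group(2) in regs:
            base = regs[m.group(2)]        # e.g. ecx = DriverObject->DriverExtension
            regs[m.group(1)] = base + "->" + field_name(base, int(m.group(3), 16))
        elif (m := STORE.search(text)) and m.group(1) in regs:
            base = regs[m.group(1)]
            out.append("%s->%s = %s;" % (base, field_name(base, int(m.group(2), 16)), m.group(3)))
    return out
# A few lines of the post's DriverEntry listing, kept as IDA prints them.
SAMPLE = """.text:00010A1C                 mov     eax, [esp+arg_0]
.text:00010A20                 mov     ecx, [eax+18h]
.text:00010A23                 mov     dword ptr [ecx+4], offset _Avalanch_AddDevice@8
.text:00010A2A                 mov     dword ptr [eax+30h], offset _Avalanch_StartIo@8
.text:00010A46                 mov     dword ptr [eax+48h], offset _Avalanch_Write@8
.text:00010A6B                 mov     dword ptr [eax+0A4h], offset _Avalanch_PnpDispatch@8"""
if __name__ == "__main__":
    print("\n".join(recover_driver_entry(SAMPLE)))
```

Running it on the full listing from the post reproduces the ten assignments in the C version above; an offset that is not a known field or a 4-byte-aligned MajorFunction slot is emitted as field_XX so it can be checked against the DDK headers by hand.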
#4
Posted: 2002-03-05 19:36
Thanks everyone, I'll give it a try. Points awarded :)
#5
Posted: 2004-06-29 11:58
Decompiling only gives you assembly, and there is no DriverEntry part in it.
[Edited - 6/29/04 by ysoni]