понедельник, 16 июля 2012 г.


In windows 8 there is some another undocumented function to set callback inside netio.sys. Check it in disasm:

    mov edi, _gWfpGlobal
    xor edx, edx
    lea ecx, [edi+2B8h]
    lea esp, [esp+0Ch+var_C]
    cmp dword ptr [ecx], 0
    jnz short loc_32397
    mov eax, [ebp+callback]
    lea ecx, [edx+edx*2] ; * 3
    mov [edi+ecx*4+2B8h], eax ; * 12
    movzx ecx, [ebp+arg_4]
    mov eax, _gWfpGlobal
    lea edx, [edx+edx*2]
    add edx, edx
    add edx, edx
    mov [edx+eax+2B4h], ecx
    mov ecx, [ebp+arg_0]
    mov eax, _gWfpGlobal
    mov [edx+eax+2B0h], ecx

    inc edx
    add ecx, 0Ch
    cmp edx, 5
    jb  loc_32314

We can see here that gWfpGlobal contains at offset 0x2B8 5 elements with size 0xC (0x10 on x64) where stored pointer to callback function. Both gWfpGlobal and offset can be obtained with static analysis

Sample output from w8 release preview:
 [0] 8683AD2D \SystemRoot\System32\drivers\tcpip.sys
 [1] 869EB005 \SystemRoot\system32\DRIVERS\wfplwfs.sys
 [2] 8B33A84D \SystemRoot\system32\drivers\HTTP.sys

Комментариев нет:

Отправить комментарий