Thursday, July 5, 2012

rdbss registered devices

The exported function rdbss!RxRegisterMinirdr contains the following code:

    mov esi, offset mutex                       ; unnamed FAST_MUTEX that guards the list
    mov ecx, esi
    call ds:__imp_@ExAcquireFastMutexUnsafe@4   ; ExAcquireFastMutexUnsafe(&mutex)
    mov eax, [ebp+DeviceObject]
    mov ecx, dword_23B50                        ; likely minidrd_list.Blink, i.e. the current tail
    add eax, 0D4h                               ; LIST_ENTRY inside the device object at offset 0xD4
    mov dword ptr [eax], offset minidrd_list    ; entry.Flink = &minidrd_list
    mov [eax+4], ecx                            ; entry.Blink = old tail
    mov [ecx], eax                              ; old tail->Flink = entry
    inc minidrd_cnt                             ; number of registered minirdrs

The freshly created device object is inserted into an unnamed LIST_ENTRY list (minidrd_list) through the LIST_ENTRY at offset 0xD4 of the device object, after an unnamed fast mutex has been acquired. All of this data (the list head, the mutex, the counter and the offset) can be recovered by static analysis, which is enough to enumerate the registered devices.
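The same walk done over a memory image, as an added example that is not the author's tool: it simulates a 32-bit memory snapshot in a byte buffer, links three constructed device objects the way RxRegisterMinirdr does (LIST_ENTRY at 0xD4, tail insertion), then follows Flink from the head and recovers each device object with the page's 0xD4 offset. The DriverObject field at offset 8 of DEVICE_OBJECT (x86) and all addresses are assumptions/constructed values; the walk rejects null, out-of-range or looping links, which is what you want when reading a possibly corrupted dump.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed 32-bit "memory image": addresses are offsets into this buffer. */
#define IMG_SIZE   0x1000
static uint8_t img[IMG_SIZE];

#define LIST_OFF   0xD4    /* LIST_ENTRY offset inside the registered device object (from the page) */
#define DRVOBJ_OFF 0x08    /* DEVICE_OBJECT.DriverObject on x86 (assumed from the public layout) */
#define HEAD_ADDR  0x0010  /* constructed address of minidrd_list (the list head) */

static uint32_t rd32(uint32_t addr) { uint32_t v; memcpy(&v, img + addr, 4); return v; }
static void     wr32(uint32_t addr, uint32_t v) { memcpy(img + addr, &v, 4); }

/* Build the head plus n fake device objects, linked at the tail exactly as the
 * disassembly does: Flink = &head, Blink = old tail, old tail->Flink = entry. */
static void build_image(const uint32_t *devs, const uint32_t *drvs, int n) {
    memset(img, 0, sizeof img);
    uint32_t prev = HEAD_ADDR;                 /* empty list: tail is the head itself */
    for (int i = 0; i < n; i++) {
        uint32_t e = devs[i] + LIST_OFF;
        wr32(devs[i] + DRVOBJ_OFF, drvs[i]);   /* fake DriverObject pointer */
        wr32(e, HEAD_ADDR);                    /* entry.Flink = &minidrd_list */
        wr32(e + 4, prev);                     /* entry.Blink = old tail      */
        wr32(prev, e);                         /* old tail->Flink = entry     */
        prev = e;
    }
    wr32(HEAD_ADDR + 4, prev);                 /* head.Blink = new tail */
}

/* Follow Flink from the head; each entry minus 0xD4 is the device object
 * (CONTAINING_RECORD by hand). Returns the count, or -1 on a bad link. */
static int walk_minirdr_list(uint32_t head, uint32_t *out_dev, uint32_t *out_drv, int max) {
    int n = 0;
    for (uint32_t e = rd32(head); e != head; e = rd32(e)) {
        if (n >= max) return -1;                               /* loop or oversized list */
        if (e == 0 || e < LIST_OFF || e + 8 > IMG_SIZE) return -1;  /* corrupt pointer */
        uint32_t dev = e - LIST_OFF;
        out_dev[n] = dev;
        out_drv[n] = rd32(dev + DRVOBJ_OFF);
        n++;
    }
    return n;
}
```

In a real dump the same loop would read through the debugger or dump API instead of `img`, and the count returned should match the recovered `minidrd_cnt` value.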

Sample on w7 32bit:

    rbdss registered devs count: 3
     [0] DevObj 85248020 DrvObj 8524F458 - \SystemRoot\system32\drivers\csc.sys
     [1] DevObj 851D3A68 DrvObj 85C3D740 - \SystemRoot\system32\DRIVERS\mrxsmb.sys
     [2] DevObj 851D2A68 DrvObj 85C3D740 - \SystemRoot\system32\DRIVERS\mrxsmb.sys
