понедельник, 27 апреля 2015 г.

tcpip6!ADDRESS_OBJECT

An attempt to recover the offsets of the ADDRESS_OBJECT fields in tcpip6.sys.
Code from the CopyAO_TCPConn function:
  ; CopyAO_TCPConn (32-bit excerpt): edx = ADDRESS_OBJECT, [ebp+arg_8] = output record,
  ; [ebp+arg_4] = caller-supplied output length (compared against 0xC8).
  ; Only the TCP path is shown; both jump targets not in this excerpt lie outside it.
  cmp   byte ptr [edx+3Ah], 6       ; protocol - 0x3a; 6 == IPPROTO_TCP (note: a single byte is tested)
  jnz   loc_12425                   ; not TCP -> elsewhere
  mov   ecx, [ebp+arg_8]            ; ecx = output record
  mov   eax, 0C8h                   ; 0xC8 = size of the full output record (stored at [ecx] below)
  cmp   [ebp+arg_4], eax
  jb    short loc_1235C             ; unsigned compare: output buffer shorter than 0xC8
  mov   dword ptr [ecx+34h], 2      ; full-size layout: dword at +0x34 = 2 (meaning not recoverable here)
  jmp   short loc_12363

loc_1235C:

  mov   dword ptr [ecx+30h], 2      ; short layout: the same value lands at +0x30 instead
loc_12363:

  cmp   [ebp+arg_4], eax            ; re-test the length; the copy below only happens for the full-size record
  push  esi                         ; esi/edi are callee-saved on x86 and are clobbered by movsd
  push  edi
  lea   esi, [edx+24h]              ; local_ip - 0x24, size 16 bytes (IPv6 address); lea/push keep the flags
  jb    short loc_123EC             ; short buffer -> skip the copy (flags still from the cmp above)
  mov   [ecx], eax                  ; out->size = 0xC8
  lea   edi, [ecx+4]                ; out+4 receives the address
  movsd                             ; 4 x movsd = 16 bytes: copy the IPv6 address to out+4..out+0x13
  movsd
  movsd
  movsd
  mov   eax, [edx+34h]              ; dword immediately after the address (0x34) -> out+0x14; scope id? -- TODO confirm
  mov   [ecx+14h], eax
  movzx eax, word ptr [edx+38h]     ; local_port - 0x38 (16-bit, zero-extended; the vtype below declares it big-endian)


Code from the TdiOpenAddress function:
  ; TdiOpenAddress (32-bit excerpt): ebx = the ADDRESS_OBJECT being initialised
  call  _PsGetCurrentProcessId
  mov   [ebx+0C8h], eax   ; pid - 0xc8 (32-bit store, so a 4-byte field)
  lea   eax, [ebx+0D8h]   ; CreateTime - 0xd8; KeQuerySystemTime writes an 8-byte LARGE_INTEGER here,
                          ; so the object is at least 0xE0 bytes
  push  eax               ; __stdcall: one argument, callee cleans up (@4)

  call  ds:__imp__KeQuerySystemTime@4

So the _ADDRESS6_OBJECT structure looks like:
'_ADDRESS6_OBJECT' : [ 0x68, {
# NOTE(review): the declared size 0x68 is smaller than the Pid (0xc8) and CreateTime (0xd8)
# offsets below; the TdiOpenAddress stores above imply the object is at least 0xe0 bytes
# (8-byte CreateTime at 0xd8). Anything that uses this size to bound or step over objects
# will be wrong -- verify the real size before relying on it.
'Next' : [ 0x0, ['pointer', ['_ADDRESS6_OBJECT']]],          # not derived from the listings above -- confirm
'LocalIpAddress' : [ 0x24, ['Ip6Address']],                   # 16 bytes, copied by 4 x movsd
'LocalPort' : [ 0x38, ['unsigned be short']],                 # read as a 16-bit word (movzx word ptr)
# NOTE(review): CopyAO_TCPConn tests only the byte at 0x3a (cmp byte ptr [edx+3Ah], 6);
# an unsigned short also reads 0x3b -- confirm that byte is padding, or compare the low byte only.
'Protocol' : [ 0x3a, ['unsigned short']],
'Pid' : [ 0xc8, ['unsigned long']],                           # 4-byte field (32-bit store in TdiOpenAddress)
'CreateTime' : [ 0xd8, ['WinTimeStamp', dict(is_utc = True)]], # 8 bytes, written by KeQuerySystemTime
}],
For the 64-bit tcpip6.sys:

Code from the CopyAO_TCPConn function:
  ; CopyAO_TCPConn (64-bit excerpt): rcx = ADDRESS_OBJECT, edx = output length, r8 = output record
  ; (Microsoft x64 ABI: first three integer args in rcx, rdx, r8). TCP path only.
  cmp   byte ptr [rcx+5Eh], 6    ; protocol - 0x5e; 6 == IPPROTO_TCP (a single byte is tested)
  jnz   loc_12F3A                ; not TCP -> elsewhere (target outside this excerpt)
  cmp   edx, 0C8h                ; 0xC8 = size of the full output record, same constant as the 32-bit build
  jb    short loc_12E76          ; unsigned compare: output buffer shorter than 0xC8
  mov   dword ptr [r8+34h], 2    ; full-size layout (meaning of the value not recoverable here)
  jmp   short loc_12E7E

loc_12E76:

  mov   dword ptr [r8+30h], 2    ; short layout: same value at +0x30 instead
loc_12E7E:

  cmp   edx, 0C8h                ; re-test the length; the copy below only happens for the full-size record
  jb    short loc_12EEB          ; short buffer -> skip the copy (target outside this excerpt)
  mov   dword ptr [r8], 0C8h     ; out->size = 0xC8
  mov   rax, [rcx+48h]           ; local_ip - 0x48: 16-byte IPv6 address copied as two qwords
  mov   [r8+4], rax              ; out+4..out+0x13 (qword stores at a 4-byte-aligned offset)
  mov   rax, [rcx+50h]
  mov   [r8+0Ch], rax
  mov   eax, [rcx+58h]           ; dword immediately after the address (0x58) -> out+0x14; scope id? -- TODO confirm
  mov   [r8+14h], eax
  movzx eax, word ptr [rcx+5Ch]  ; local_port - 0x5c (16-bit, zero-extended)
  mov   [r8+18h], eax            ; stored as a dword at out+0x18


Code from the TdiOpenAddress function:
  ; TdiOpenAddress (64-bit excerpt): rdi = the ADDRESS_OBJECT being initialised
  call  cs:__imp_PsGetCurrentProcessId
  mov   [rdi+154h], eax   ; pid - 0x154 (32-bit store, so a 4-byte field)
  mov   rax, [rsp+0C8h+var_68]
  mov   [rdi+170h], rax   ; 8-byte field at 0x170 filled from a stack local; purpose not recoverable here
  mov   rax, ds:0FFFFF78000000014h  ; KUSER_SHARED_DATA.SystemTime: fixed kernel mapping 0xFFFFF78000000000 + 0x14,
                                    ; read inline instead of calling KeQuerySystemTime as the 32-bit build does
  mov   [rdi+168h], rax   ; CreateTime - 0x168 (8 bytes), so the object is at least 0x178 bytes


So for x64:
'_ADDRESS6_OBJECT' : [ None, {                                # size unknown; the stores above imply at least 0x178 bytes
'Next' : [ 0x0, ['pointer', ['_ADDRESS6_OBJECT']]],          # not derived from the listings above -- confirm
'LocalIpAddress' : [ 0x48, ['Ip6Address']],                   # 16 bytes, copied as two qwords (0x48, 0x50)
'LocalPort' : [ 0x5c, ['unsigned be short']],                 # read as a 16-bit word (movzx word ptr)
# NOTE(review): CopyAO_TCPConn tests only the byte at 0x5e (cmp byte ptr [rcx+5Eh], 6);
# an unsigned short also reads 0x5f -- confirm that byte is padding, or compare the low byte only.
'Protocol' : [ 0x5e, ['unsigned short']],
'Pid' : [ 0x154, ['unsigned long']],                          # 4-byte field (32-bit store in TdiOpenAddress)
'CreateTime' : [ 0x168, ['WinTimeStamp', dict(is_utc = True)]], # 8 bytes, copied from KUSER_SHARED_DATA.SystemTime
}],
