Lets see
xp/w2k3/vista
From exported function IoPnPDeliverServicePowerNotification:
lea eax, [esp+38h+Object]
push eax ; Object
call _KeWaitForSingleObject@20 cmp [esp+28h+var_20], ebx
jge short loc_64963A
lea eax, [esp+28h+var_18]
push eax
push [esp+2Ch+var_1C]
mov eax, _IopRootDeviceNode
push dword ptr [eax+0B8h]
push [ebp+arg_0]
call _PnpSetPowerVetoEvent@24
KeWaitForSingleObject called only one time in whole code graph of this function
w7/w8
Don`t contain function IoPnPDeliverServicePowerNotification in exports anymore. So we need to use other exported function IoTranslateBusAddress:
mov edi, edi
push ebp
mov ebp, esp
and esp, 0FFFFFFF8h
sub esp, 34h
push ebx
push esi
push edi
call ds:__imp__KeGetCurrentIrql@0 test al, al
jbe short loc_4D9BCC
loc_4D9BB7: mov ecx, [ebp+arg_8]
mov eax, [ebp+arg_14]
mov [eax], ecx
mov ecx, [ebp+arg_C]
loc_4D9BC2: mov [eax+4], ecx
mov al, 1
jmp loc_4D9D54
loc_4D9BCC: xor edi, edi
cmp _IopRootDeviceNode, edi
jz short loc_4D9BB7
This requires to build graph on jmps after KeGetCurrentIrql call and analyse it's edges.
On w8 pattern the same but instruction to compare value of IopRootDeviceNode looks like
cmp _IopRootDeviceNode, 0
Комментариев нет:
Отправить комментарий