Take, for example, FwpsTcpIpDispatchTableAndGlobalsSet0 in the disassembly:
; FwpsTcpIpDispatchTableAndGlobalsSet0 (fwpkclnt, x86-32) -- entry excerpt only;
; the function continues past `rep movsd` and the rest is not shown here.
; In:     [ebp+arg_0] = pointer to the caller-supplied dispatch table (copy source)
;         [ebp+arg_4] = second argument; loaded into eax but not used in this excerpt
; Effect: copies 0x2A (42) dwords from arg_0 into the global TcpIpDispatchTable.
; NOTE(review): the table holds kernel function pointers taken from the caller;
; an integrity check would expect every slot to resolve into a loaded driver
; image (tcpip.sys / NETIO.SYS in the dump below) -- a slot pointing elsewhere
; is the thing to alert on.
mov edi, edi                     ; 2-byte no-op at entry (the usual Windows hot-patch point)
push ebp
mov ebp, esp                     ; standard ebp frame
mov eax, [ebp+arg_4]             ; eax = arg_4 (not referenced again within this excerpt)
push esi                         ; save callee-saved esi/edi before using them for the copy
mov esi, [ebp+arg_0]             ; esi = source: arg_0, the caller's dispatch table
push edi
mov edi, TcpIpDispatchTable      ; edi = destination: module global (name assigned by the author)
push 2Ah
pop ecx                          ; ecx = 0x2A = 42 dwords; matches entries [0]..[41] in the dump
rep movsd                        ; memcpy(TcpIpDispatchTable, arg_0, 42 * 4)
Here we can see that the data at arg_0 is copied into a variable, which I named TcpIpDispatchTable. It can easily be located by static analysis. FwpsL2DispatchTableAndGlobalsSet0 looks identical.
Sample output from the Windows 8 Release Preview:
fwpkclnt!TcpIpDispatchTable:
[0] 86824654 \SystemRoot\System32\drivers\tcpip.sys
[1] 868B85C7 \SystemRoot\System32\drivers\tcpip.sys
[2] 868ED594 \SystemRoot\System32\drivers\tcpip.sys
[3] 868ED5E9 \SystemRoot\System32\drivers\tcpip.sys
[4] 868ED743 \SystemRoot\System32\drivers\tcpip.sys
[5] 86831090 \SystemRoot\System32\drivers\tcpip.sys
[6] 86903C54 \SystemRoot\System32\drivers\tcpip.sys
[7] 868EDD32 \SystemRoot\System32\drivers\tcpip.sys
[8] 868EE9B6 \SystemRoot\System32\drivers\tcpip.sys
[9] 868EF41B \SystemRoot\System32\drivers\tcpip.sys
[10] 868DE75D \SystemRoot\System32\drivers\tcpip.sys
[11] 868DE8B7 \SystemRoot\System32\drivers\tcpip.sys
[12] 868D9828 \SystemRoot\System32\drivers\tcpip.sys
[13] 868D9873 \SystemRoot\System32\drivers\tcpip.sys
[14] 868D98B1 \SystemRoot\System32\drivers\tcpip.sys
[15] 868D9966 \SystemRoot\System32\drivers\tcpip.sys
[16] 868D9A99 \SystemRoot\System32\drivers\tcpip.sys
[17] 868B5362 \SystemRoot\System32\drivers\tcpip.sys
[18] 8171D309 \SystemRoot\system32\drivers\NETIO.SYS
[19] 8171D254 \SystemRoot\system32\drivers\NETIO.SYS
[20] 8171D18F \SystemRoot\system32\drivers\NETIO.SYS
[21] 8171D17F \SystemRoot\system32\drivers\NETIO.SYS
[22] 8171D12F \SystemRoot\system32\drivers\NETIO.SYS
[23] 868DD545 \SystemRoot\System32\drivers\tcpip.sys
[24] 868DB6C7 \SystemRoot\System32\drivers\tcpip.sys
[25] 868D9B6F \SystemRoot\System32\drivers\tcpip.sys
[26] 868D9C20 \SystemRoot\System32\drivers\tcpip.sys
[27] 868D9C3A \SystemRoot\System32\drivers\tcpip.sys
[28] 868A7AAE \SystemRoot\System32\drivers\tcpip.sys
[29] 868EFDEF \SystemRoot\System32\drivers\tcpip.sys
[30] 868DD573 \SystemRoot\System32\drivers\tcpip.sys
[31] 868DB469 \SystemRoot\System32\drivers\tcpip.sys
[32] 868DB4CA \SystemRoot\System32\drivers\tcpip.sys
[33] 868DB55A \SystemRoot\System32\drivers\tcpip.sys
[34] 868DB5B5 \SystemRoot\System32\drivers\tcpip.sys
[35] 868DB5EC \SystemRoot\System32\drivers\tcpip.sys
[36] 8684E9EC \SystemRoot\System32\drivers\tcpip.sys
[37] 868DB623 \SystemRoot\System32\drivers\tcpip.sys
[38] 868DB664 \SystemRoot\System32\drivers\tcpip.sys
[39] 868DB6A3 \SystemRoot\System32\drivers\tcpip.sys
[40] 868DB6C7 \SystemRoot\System32\drivers\tcpip.sys
[41] 868D7756 \SystemRoot\System32\drivers\tcpip.sys
fwpkclnt!L2DispatchTable:
[0] 869E821E \SystemRoot\system32\DRIVERS\wfplwfs.sys
[1] 869E54C5 \SystemRoot\system32\DRIVERS\wfplwfs.sys
[2] 869E83EA \SystemRoot\system32\DRIVERS\wfplwfs.sys
[3] 869E84D6 \SystemRoot\system32\DRIVERS\wfplwfs.sys
[4] 869E8634 \SystemRoot\system32\DRIVERS\wfplwfs.sys
[5] 869E858F \SystemRoot\system32\DRIVERS\wfplwfs.sys
[6] 869E8569 \SystemRoot\system32\DRIVERS\wfplwfs.sys