mov edi, _gWfpGlobal
xor edx, edx
lea ecx, [edi+2B8h]
lea esp, [esp+0Ch+var_C]
loc_32314:
cmp dword ptr [ecx], 0
jnz short loc_32397
mov eax, [ebp+callback]
lea ecx, [edx+edx*2] ; * 3
mov [edi+ecx*4+2B8h], eax ; * 12
movzx ecx, [ebp+arg_4]
mov eax, _gWfpGlobal
lea edx, [edx+edx*2]
add edx, edx
add edx, edx
mov [edx+eax+2B4h], ecx
mov ecx, [ebp+arg_0]
mov eax, _gWfpGlobal
mov [edx+eax+2B0h], ecx
...
inc edx
add ecx, 0Ch
cmp edx, 5
jb loc_32314
Here gWfpGlobal holds, starting at offset 0x2B0, an array of five entries (`cmp edx, 5` / `jb`), each 0xC bytes on x86 (the author gives 0x10 on x64). The loop walks the callback slots at 0x2B8 + 0xC*i and takes the first one that is zero (`cmp dword ptr [ecx], 0` / `jnz`); into that entry it writes arg_0 at +0x2B0, arg_4 (a single byte, zero-extended) at +0x2B4 and the callback pointer at +0x2B8, so each entry has the layout {arg_0, arg_4, callback} with the callback pointer as its last field. Both the address of gWfpGlobal and these offsets can be recovered by static analysis of netio.sys; note that they are specific to the build being analysed (the output below comes from a single build), so any tool that enumerates these callback slots should re-derive them per binary rather than hard-code them.
Sample output from a Windows 8 Release Preview system (only the populated slots are shown):
netio!gWfpGlobal.LayerEventNotify:
[0] 8683AD2D \SystemRoot\System32\drivers\tcpip.sys
[1] 869EB005 \SystemRoot\system32\DRIVERS\wfplwfs.sys
[2] 8B33A84D \SystemRoot\system32\drivers\HTTP.sys