; Excerpt (function start/end not in view): links a new DEVICE_OBJECT into rdbss's
; mini-redirector list. The Flink/Blink stores below match the InsertTailList pattern;
; the closing minidrd_list.Blink = entry store and the mutex release are outside this excerpt.
mov esi, offset mutex                          ; esi = &mutex (unnamed fast mutex guarding minidrd_list)
mov ecx, esi                                   ; __fastcall: FastMutex argument in ecx
call ds:__imp_@ExAcquireFastMutexUnsafe@4      ; "Unsafe" variant: documented contract requires caller at APC_LEVEL / in a critical region
mov eax, [ebp+DeviceObject]                    ; eax = freshly created DEVICE_OBJECT*
mov ecx, dword_23B50                           ; ecx = current tail; presumably minidrd_list.Blink (minidrd_list+4) — TODO confirm
add eax, 0D4h                                  ; eax = LIST_ENTRY embedded at DeviceObject+0xD4 (the entry being inserted)
mov dword ptr [eax], offset minidrd_list       ; entry->Flink = &minidrd_list
mov [eax+4], ecx                               ; entry->Blink = old tail
mov [ecx], eax                                 ; oldTail->Flink = entry
inc minidrd_cnt                                ; registered mini-redirector count, bumped while the mutex is held
The freshly created device object is inserted into an unnamed global list, `minidrd_list`, through a LIST_ENTRY located at offset 0xD4 from the device object (the Flink/Blink stores above are consistent with InsertTailList; the final `minidrd_list.Blink` update is not shown). The insertion is serialized by an unnamed fast mutex acquired with `ExAcquireFastMutexUnsafe`, and the counter `minidrd_cnt` is incremented afterwards. The list head, the mutex, the counter and the 0xD4 offset can all be recovered by static analysis of rdbss.sys. Caveat: these are unexported, version-specific internals — re-derive them per build rather than hard-coding them — and a tool that walks this list without taking the same fast mutex races against mini-redirector registration/unregistration.
Sample output on Windows 7 32-bit:
rdbss registered devs count: 3
[0] DevObj 85248020 DrvObj 8524F458 - \SystemRoot\system32\drivers\csc.sys
[1] DevObj 851D3A68 DrvObj 85C3D740 - \SystemRoot\system32\DRIVERS\mrxsmb.sys
[2] DevObj 851D2A68 DrvObj 85C3D740 - \SystemRoot\system32\DRIVERS\mrxsmb.sys