在IDA(Hex-Rays)中,把下面WinDbg `dt` 列出的fltmgr结构(_FLT_REGISTRATION、_FLT_FILTER、_FLT_OPERATION_REGISTRATION)导入并给局部变量改名之后,x86版fltmgr.sys的FltRegisterFilter可以反编译成这样:
/*
 * Hex-Rays decompilation of fltmgr!FltRegisterFilter (32-bit build), after the
 * fltmgr structures dumped with WinDbg further down (_FLT_REGISTRATION,
 * _FLT_FILTER, _FLT_OPERATION_REGISTRATION) were imported into IDA and the
 * locals renamed. The "// eax@2" style annotations are IDA's register/stack
 * slot notes. The hard-coded sizes agree with those x86 layouts:
 *   0x120 (288) == sizeof(_FLT_FILTER)                (PortLock at +0x11c, 4 bytes)
 *   20          == sizeof(_FLT_OPERATION_REGISTRATION) (Reserved1 at +0x10, 4 bytes)
 *
 * One pool block is allocated for everything; its layout is
 *   +0x000              _FLT_FILTER header (zeroed by memset)
 *   +0x120              copy of the caller's OperationRegistration array,
 *                       20 * count bytes, terminator entry included
 *   +0x120 + 20*count   Name.Buffer, ServiceKeyName.Length bytes
 * so the operation table and the name live and die with the filter object.
 *
 * Driver       - the minifilter's DRIVER_OBJECT; its ServiceKeyName becomes the
 *                filter name and its DriverUnload is hooked or cleared below.
 * Registration - caller-supplied _FLT_REGISTRATION (Version must be 0x02xx).
 * RetFilter    - receives the new _FLT_FILTER on success, NULL on any failure.
 * Returns 0 (STATUS_SUCCESS) or a failure NTSTATUS; the names given at each
 * return site are the ntstatus.h definitions of the literal values.
 */
NTSTATUS __stdcall FltRegisterFilter(PDRIVER_OBJECT Driver, _FLT_REGISTRATION *Registration, _FLT_FILTER **RetFilter)
{
NTSTATUS result; // eax@2
_FLT_REGISTRATION *v4; // esi@3
int v5; // eax@10
_FLT_OPERATION_REGISTRATION *v6; // ecx@10
_FLT_FILTER *Ret_Filter; // ebx@14
_LIST_ENTRY *InstanceList_rList; // ST2C_4@16
_FLT_MUTEX_LIST_HEAD *ActiveOpens; // ST28_4@16
_LIST_ENTRY *ActiveOpens_mList; // ST24_4@16
_FLT_MUTEX_LIST_HEAD *PortList; // ST20_4@16
_LIST_ENTRY *PortList_mList; // ST1C_4@16
_FLT_OPERATION_REGISTRATION *i; // eax@19
char MajorFunction; // cl@20
int temp; // ST44_4@28
unsigned int OperationRegistration_length; // [sp+30h] [bp-24h]@14
_FLT_OPERATION_REGISTRATION *v17; // [sp+34h] [bp-20h]@16
NTSTATUS result_2; // [sp+38h] [bp-1Ch]@17
*RetFilter = 0; // cleared first so every failure path leaves *RetFilter == NULL
// Bit 0 of this fltmgr global gates registration; presumably "filter manager
// initialised" — TODO confirm. Without it registration is refused outright.
if ( !(g_dword_XXX & 1) )
return 0xC01C0007; // STATUS_FLT_NOT_INITIALIZED (see ntstatus.h)
v4 = Registration;
// Only the 0x02xx family of FLT_REGISTRATION_VERSION is accepted (high byte == 2);
// anything else jumps into the else branch at the bottom -> STATUS_INVALID_PARAMETER.
if ( (Registration->Version & 0xFF00) != 512 )
goto LABEL_46;
result = FltpRestoreFltMgrsPageableState();
if ( result < 0 )
return result;
// Callback dependency check: NormalizeNameComponentCallback requires
// GenerateFileNameCallback, and NormalizeContextCleanupCallback requires
// NormalizeNameComponentCallback. A violation -> STATUS_INVALID_PARAMETER.
if ( (Registration->GenerateFileNameCallback || !Registration->NormalizeNameComponentCallback)
&& (Registration->NormalizeNameComponentCallback || !Registration->NormalizeContextCleanupCallback) )
{
// Count OperationRegistration entries up to and including the terminator
// (MajorFunction == 0x80 == IRP_MJ_OPERATION_END; -128 as a signed char).
// There is no upper bound: a caller that omits the terminator makes this loop
// walk off the end of its array — kernel-mode callers are trusted here.
v5 = 0;
v6 = Registration->OperationRegistration;
if ( v6 )
{
while ( 1 )
{
++v5;
if ( v6->MajorFunction == -128 )
break;
++v6;
}
}
OperationRegistration_length = 20 * v5; // bytes of the table copy, terminator included (sizeof == 20 on x86)
// Single allocation: header + operation table + name buffer. Pool type 0 is
// NonPagedPool; tag 0x6C664D46 reads 'FMfl'. The size arithmetic is unchecked.
Ret_Filter = (_FLT_FILTER *)ExAllocatePoolWithTag(
0,
20 * v5 + Driver->DriverExtension->ServiceKeyName.Length + 288,
0x6C664D46u);
if ( Ret_Filter )
{
memset(Ret_Filter, 0, 0x120u); // only the header is zeroed; the tail is fully written by qmemcpy / RtlCopyUnicodeString below
Ret_Filter->FilterUnload = Registration->FilterUnloadCallback;
Ret_Filter->InstanceSetup = Registration->InstanceSetupCallback;
Ret_Filter->InstanceQueryTeardown = Registration->InstanceQueryTeardownCallback;
Ret_Filter->InstanceTeardownStart = Registration->InstanceTeardownStartCallback;
Ret_Filter->InstanceTeardownComplete = Registration->InstanceTeardownCompleteCallback;
Ret_Filter->GenerateFileName = Registration->GenerateFileNameCallback;
Ret_Filter->NormalizeNameComponent = Registration->NormalizeNameComponentCallback;
Ret_Filter->NormalizeContextCleanup = Registration->NormalizeContextCleanupCallback;
v17 = (_FLT_OPERATION_REGISTRATION *)&Ret_Filter[1]; // next free byte after the header: operation table first, then the name
// Base object setup; the meaning of flag 0x2000000 is not visible here — TODO confirm.
Ret_Filter->Base.Flags = 0x2000000;
Ret_Filter->Base.PointerCount = 1;
FltpExInitializeRundownProtection(&Ret_Filter->Base.RundownRef);
Ret_Filter->Base.PrimaryLink.Flink = 0;
FltObjectReference((int)Ret_Filter); // takes a reference on the new object
Ret_Filter->DriverObject = Driver;
// InstanceList: ERESOURCE + empty list + count
Ret_Filter->InstanceList.rCount = 0;
ExInitializeResourceLite(&Ret_Filter->InstanceList.rLock);
InstanceList_rList = &Ret_Filter->InstanceList.rList;
InstanceList_rList->Blink = InstanceList_rList;
InstanceList_rList->Flink = InstanceList_rList;
// ActiveOpens: FAST_MUTEX initialised inline (Count == 1 means unowned, no owner,
// no contention, synchronisation event) — looks like ExInitializeFastMutex
// expanded by the compiler — plus an empty list and zero count.
ActiveOpens = &Ret_Filter->ActiveOpens;
ActiveOpens->mCount = 0;
ActiveOpens->mLock.Count = 1;
ActiveOpens->mLock.Owner = 0;
ActiveOpens->mLock.Contention = 0;
KeInitializeEvent(&Ret_Filter->ActiveOpens.mLock.Event, SynchronizationEvent, 0);
ActiveOpens_mList = &Ret_Filter->ActiveOpens.mList;
ActiveOpens_mList->Blink = ActiveOpens_mList;
ActiveOpens_mList->Flink = ActiveOpens_mList;
// PortList: same shape as ActiveOpens.
PortList = &Ret_Filter->PortList;
PortList->mCount = 0;
PortList->mLock.Count = 1;
PortList->mLock.Owner = 0;
PortList->mLock.Contention = 0;
KeInitializeEvent(&Ret_Filter->PortList.mLock.Event, SynchronizationEvent, 0);
PortList_mList = &Ret_Filter->PortList.mList;
PortList_mList->Blink = PortList_mList;
PortList_mList->Flink = PortList_mList;
Ret_Filter->PortLock.Value = 0; // push lock, unlocked
// Context registration is processed first (if supplied); a failure skips
// straight to the cleanup block below with result_2 < 0.
if ( !Registration->ContextRegistration
|| (result_2 = FltpProcessContextRegistration((int)Ret_Filter, &Registration->ContextRegistration->ContextType),
result_2 >= 0) )
{
if ( Registration->OperationRegistration )
{
// Copy the whole operation table (terminator included) right after the
// header and advance v17 past it; the scan below relies on that terminator.
Ret_Filter->Operations = v17;
v17 = (_FLT_OPERATION_REGISTRATION *)((char *)v17 + OperationRegistration_length);
qmemcpy(&Ret_Filter[1], Registration->OperationRegistration, OperationRegistration_length);
// IRP_MJ_VOLUME_MOUNT (-19 / 0xED) entries are hoisted into Pre/PostVolumeMount;
// IRP_MJ_SHUTDOWN (0x10, cf. [10] in the !drvobj dispatch table further down)
// has its post-callback discarded. The "!= -20" (IRP_MJ_VOLUME_DISMOUNT, 0xEC)
// test is redundant as decompiled: that value simply does nothing.
for ( i = Ret_Filter->Operations; ; ++i )
{
MajorFunction = i->MajorFunction;
if ( i->MajorFunction == -128 )
break;
if ( MajorFunction == -19 )
{
Ret_Filter->PreVolumeMount = i->PreOperation;
Ret_Filter->PostVolumeMount = i->PostOperation;
}
else if ( MajorFunction != -20 && MajorFunction == 16 )
{
i->PostOperation = 0;
}
}
v4 = Registration; // redundant reload of the parameter (decompiler artefact)
}
// Filter name = the driver's ServiceKeyName, copied into the tail of the block.
// MaximumLength equals the source Length, so no room is reserved for a
// terminator: treat Name as a counted string, never as NUL-terminated.
Ret_Filter->Name.Buffer = (unsigned __int16 *)v17;
Ret_Filter->Name.Length = 0;
Ret_Filter->Name.MaximumLength = Driver->DriverExtension->ServiceKeyName.Length;
temp = (int)(&v17->MajorFunction + Driver->DriverExtension->ServiceKeyName.Length); // dead temporary (address just past the name buffer), never used
RtlCopyUnicodeString(
(PUNICODE_STRING)&Ret_Filter->Name,
(PCUNICODE_STRING)&Driver->DriverExtension->ServiceKeyName);
// Remaining initialisation chain: verifier extension, default altitude,
// frame lookup by altitude, link into the frame. Each failure falls through
// to the cleanup block with result_2 < 0.
result_2 = FltpInitializeFilterVerifier(Ret_Filter);
if ( result_2 >= 0 )
{
result_2 = FltpGetInstanceAltitude(Ret_Filter, 0, 0, (PUNICODE_STRING)&Ret_Filter->DefaultAltitude);
if ( result_2 >= 0 )
{
result_2 = FltpFindFrameForFilter(Ret_Filter, &Ret_Filter->DefaultAltitude);
if ( result_2 >= 0 )
{
result_2 = FltpLinkFilterIntoFrame(Ret_Filter);
if ( result_2 >= 0 )
{
// Hook DriverUnload; the original pointer is kept in OldDriverUnload.
// A filter with no FilterUnloadCallback, or with Flags bit 0 set
// (FLTFL_REGISTRATION_DO_NOT_SUPPORT_SERVICE_STOP), gets DriverUnload
// cleared and therefore cannot be unloaded at all; otherwise unload is
// routed through FltpMiniFilterDriverUnload. (The !drvobj dump below shows
// DriverUnload: 00000000 for ahsh although its FilterUnload is set, which
// would mean bit 0 was passed — not verifiable from this listing.)
Ret_Filter->OldDriverUnload = Driver->DriverUnload;
if ( !v4->FilterUnloadCallback || v4->Flags & 1 )
{
Driver->DriverUnload = 0;
// NOTE(review): `DriverObject` is not declared anywhere in this listing; this
// looks like a duplicate of the line above left over from renaming the
// parameter — confirm against the raw decompilation.
DriverObject->DriverUnload = 0;
}
else
{
Driver->DriverUnload = (void (__stdcall *)(_DRIVER_OBJECT *))FltpMiniFilterDriverUnload;
}
// Set bit 0x20 of the fltmgr global; its meaning is not visible here
// (presumably "at least one minifilter registered") — TODO confirm.
if ( !(g_dword_XXX & 0x20) )
g_dword_XXX |= 0x20u;
*RetFilter = Ret_Filter; // success: hand the filter back
}
}
}
}
}
// Any failure after the allocation: tear down in reverse order, then free the
// whole block (header, operation table and name together). Note the free
// passes tag 0 rather than the 'FMfl' tag used at allocation.
if ( result_2 < 0 )
{
ExDeleteResourceLite(&Ret_Filter->InstanceList.rLock);
FltpCleanupContextRegistration(Ret_Filter);
FltpCleanupFilterVerifier(Ret_Filter);
FltpFreeUnicodeString(&Ret_Filter->DefaultAltitude);
ExFreePoolWithTag(Ret_Filter, 0);
}
result = result_2;
}
else
{
result = 0xC000009A; // STATUS_INSUFFICIENT_RESOURCES (see ntstatus.h): pool allocation failed
}
}
else
{
LABEL_46:
result = 0xC000000D; // STATUS_INVALID_PARAMETER (see ntstatus.h): bad Version or inconsistent name callbacks
}
return result;
}
这主要是导入/创建几个结构,修改下变量的名字和类型就可以了。
再次认识到:程序就是数据和指令的含义。
WINDBG辅助分析如下:
0: kd> dt fltmgr!_FLT_REGISTRATION
+0x000 Size : Uint2B
+0x002 Version : Uint2B
+0x004 Flags : Uint4B
+0x008 ContextRegistration : Ptr32 _FLT_CONTEXT_REGISTRATION
+0x00c OperationRegistration : Ptr32 _FLT_OPERATION_REGISTRATION
+0x010 FilterUnloadCallback : Ptr32 long
+0x014 InstanceSetupCallback : Ptr32 long
+0x018 InstanceQueryTeardownCallback : Ptr32 long
+0x01c InstanceTeardownStartCallback : Ptr32 void
+0x020 InstanceTeardownCompleteCallback : Ptr32 void
+0x024 GenerateFileNameCallback : Ptr32 long
+0x028 NormalizeNameComponentCallback : Ptr32 long
+0x02c NormalizeContextCleanupCallback : Ptr32 void
1: kd> dd gFilterHandle
ba08b558 81f84390
1: kd> dt _FLT_FILTER 81f84390
fltMgr!_FLT_FILTER
+0x000 Base : _FLT_OBJECT
+0x014 Frame : 0x81c62000 _FLTP_FRAME
+0x018 Name : _UNICODE_STRING "ahsh"
+0x020 DefaultAltitude : _UNICODE_STRING "370030"
+0x028 Flags : 0 (No matching name)
+0x02c DriverObject : 0x81d9ff38 _DRIVER_OBJECT
+0x030 InstanceList : _FLT_RESOURCE_LIST_HEAD
+0x074 VerifierExtension : 0x81f855e8 _FLT_VERIFIER_EXTENSION
+0x078 FilterUnload : 0xba08b810 long ahsh!FltUnload+0
+0x07c InstanceSetup : 0xba607790 long fltMgr!FltvInstanceSetup+0
+0x080 InstanceQueryTeardown : 0xba6077b4 long fltMgr!FltvInstanceQueryTeardown+0
+0x084 InstanceTeardownStart : (null)
+0x088 InstanceTeardownComplete : (null)
+0x08c SupportedContextsListHead : (null)
+0x090 SupportedContexts : [6] (null)
+0x0a8 PreVolumeMount : (null)
+0x0ac PostVolumeMount : (null)
+0x0b0 GenerateFileName : 0xba072800 long ahsh!GenerateFileName+0
+0x0b4 NormalizeNameComponent : 0xba072c30 long ahsh!NormalizeNameComponent+0
+0x0b8 NormalizeContextCleanup : (null)
+0x0bc Operations : 0x81f844b0 _FLT_OPERATION_REGISTRATION
+0x0c0 OldDriverUnload : (null)
+0x0c4 ActiveOpens : _FLT_MUTEX_LIST_HEAD
+0x0f0 PortList : _FLT_MUTEX_LIST_HEAD
+0x11c PortLock : _EX_PUSH_LOCK
0: kd> !drvobj \filesystem\ahsh 7
Driver object (81ff6750) is for:
\FileSystem\ahsh
Driver Extension List: (id , addr)
Device Object list:
DriverEntry: ba0c1e80 ahsh!GsDriverEntry
DriverStartIo: 00000000
DriverUnload: 00000000
AddDevice: 00000000
Dispatch routines:
[00] IRP_MJ_CREATE 804f55ce nt!IopInvalidDeviceRequest
[01] IRP_MJ_CREATE_NAMED_PIPE 804f55ce nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE 804f55ce nt!IopInvalidDeviceRequest
[03] IRP_MJ_READ 804f55ce nt!IopInvalidDeviceRequest
[04] IRP_MJ_WRITE 804f55ce nt!IopInvalidDeviceRequest
[05] IRP_MJ_QUERY_INFORMATION 804f55ce nt!IopInvalidDeviceRequest
[06] IRP_MJ_SET_INFORMATION 804f55ce nt!IopInvalidDeviceRequest
[07] IRP_MJ_QUERY_EA 804f55ce nt!IopInvalidDeviceRequest
[08] IRP_MJ_SET_EA 804f55ce nt!IopInvalidDeviceRequest
[09] IRP_MJ_FLUSH_BUFFERS 804f55ce nt!IopInvalidDeviceRequest
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION 804f55ce nt!IopInvalidDeviceRequest
[0b] IRP_MJ_SET_VOLUME_INFORMATION 804f55ce nt!IopInvalidDeviceRequest
[0c] IRP_MJ_DIRECTORY_CONTROL 804f55ce nt!IopInvalidDeviceRequest
[0d] IRP_MJ_FILE_SYSTEM_CONTROL 804f55ce nt!IopInvalidDeviceRequest
[0e] IRP_MJ_DEVICE_CONTROL 804f55ce nt!IopInvalidDeviceRequest
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL 804f55ce nt!IopInvalidDeviceRequest
[10] IRP_MJ_SHUTDOWN 804f55ce nt!IopInvalidDeviceRequest
[11] IRP_MJ_LOCK_CONTROL 804f55ce nt!IopInvalidDeviceRequest
[12] IRP_MJ_CLEANUP 804f55ce nt!IopInvalidDeviceRequest
[13] IRP_MJ_CREATE_MAILSLOT 804f55ce nt!IopInvalidDeviceRequest
[14] IRP_MJ_QUERY_SECURITY 804f55ce nt!IopInvalidDeviceRequest
[15] IRP_MJ_SET_SECURITY 804f55ce nt!IopInvalidDeviceRequest
[16] IRP_MJ_POWER 804f55ce nt!IopInvalidDeviceRequest
[17] IRP_MJ_SYSTEM_CONTROL 804f55ce nt!IopInvalidDeviceRequest
[18] IRP_MJ_DEVICE_CHANGE 804f55ce nt!IopInvalidDeviceRequest
[19] IRP_MJ_QUERY_QUOTA 804f55ce nt!IopInvalidDeviceRequest
[1a] IRP_MJ_SET_QUOTA 804f55ce nt!IopInvalidDeviceRequest
[1b] IRP_MJ_PNP 804f55ce nt!IopInvalidDeviceRequest
0: kd> dt _FLT_FILTER 81f84390 -b
fltMgr!_FLT_FILTER
+0x000 Base : _FLT_OBJECT
+0x000 Flags : 0xb000b (No matching name)
+0x004 PointerCount : 0x200028
+0x008 RundownRef : _EX_RUNDOWN_REF
+0x000 Count : 0x200048
+0x000 Ptr : 0x00200048
+0x00c PrimaryLink : _LIST_ENTRY [ 0x10018 - 0x108 ]
+0x000 Flink : 0x00010018
+0x004 Blink : 0x00000108
+0x014 Frame : 0x00000002
+0x018 Name : _UNICODE_STRING ""
+0x000 Length : 0xb47
+0x002 MaximumLength : 0
+0x004 Buffer : (null)
+0x020 DefaultAltitude : _UNICODE_STRING ""
+0x000 Length : 0xb47
+0x002 MaximumLength : 0xc
+0x004 Buffer : (null)
+0x028 Flags : 0x79d0000 (No matching name)
+0x02c DriverObject : (null)
+0x030 InstanceList : _FLT_RESOURCE_LIST_HEAD
+0x000 rLock : _ERESOURCE
+0x000 SystemResourcesList : _LIST_ENTRY [ 0x7997a78 - 0x0 ]
+0x000 Flink : 0x07997a78
+0x004 Blink : (null)
+0x008 OwnerTable : 0x07997a78
+0x00c ActiveCount : 0n0
+0x00e Flag : 0
+0x010 SharedWaiters : 0x008d0000
+0x014 ExclusiveWaiters : (null)
+0x018 OwnerThreads :
[00] _OWNER_ENTRY
+0x000 OwnerThread : 0x79d0000
+0x004 OwnerCount : 0n0
+0x004 TableSize : 0
[01]
+0x000 OwnerThread : 0x7997a10
+0x004 OwnerCount : 0n0
+0x004 TableSize : 0
+0x028 ContentionCount : 0x7997a78
+0x02c NumberOfSharedWaiters : 0
+0x02e NumberOfExclusiveWaiters : 0
+0x030 Address : 0x008d0000
+0x030 CreatorBackTraceIndex : 0x8d0000
+0x034 SpinLock : 0
+0x038 rList : _LIST_ENTRY [ 0x7c2e8c7f - 0x67260000 ]
+0x000 Flink : 0x7c2e8c7f
+0x004 Blink : 0x67260000
+0x040 rCount : 0x7c2e8c6c
+0x074 VerifierExtension : (null)
+0x078 FilterUnload : (null)
+0x07c InstanceSetup : (null)
+0x080 InstanceQueryTeardown : 0x00000028
+0x084 InstanceTeardownStart : (null)
+0x088 InstanceTeardownComplete : 0x00000001
+0x08c SupportedContextsListHead : 0x00000018
+0x090 SupportedContexts :
[00] (null)
[01] (null)
[02] 0x0001001b
[03] 0x00000028
[04] 0x00080028
[05] 0x00000018
+0x0a8 PreVolumeMount : (null)
+0x0ac PostVolumeMount : (null)
+0x0b0 GenerateFileName : (null)
+0x0b4 NormalizeNameComponent : (null)
+0x0b8 NormalizeContextCleanup : 0x07997a78
+0x0bc Operations : (null)
+0x0c0 OldDriverUnload : 0x7c2e8c8a
+0x0c4 ActiveOpens : _FLT_MUTEX_LIST_HEAD
+0x000 mLock : _FAST_MUTEX
+0x000 Count : 0n0
+0x004 Owner : (null)
+0x008 Contention : 0
+0x00c Event : _KEVENT
+0x000 Header : _DISPATCHER_HEADER
+0x000 Type : 0 ''
+0x001 Absolute : 0 ''
+0x002 Size : 0 ''
+0x003 Inserted : 0 ''
+0x004 SignalState : 0n0
+0x008 WaitListHead : _LIST_ENTRY [ 0x68 - 0x0 ]
+0x000 Flink : 0x00000068
+0x004 Blink : (null)
+0x01c OldIrql : 1
+0x020 mList : _LIST_ENTRY [ 0x18 - 0x0 ]
+0x000 Flink : 0x00000018
+0x004 Blink : (null)
+0x028 mCount : 0
+0x028 mInvalid : 0y0
+0x0f0 PortList : _FLT_MUTEX_LIST_HEAD
+0x000 mLock : _FAST_MUTEX
+0x000 Count : 0n720907
+0x004 Owner : 0x00200028
+0x008 Contention : 0x200048
+0x00c Event : _KEVENT
+0x000 Header : _DISPATCHER_HEADER
+0x000 Type : 0x18 ''
+0x001 Absolute : 0 ''
+0x002 Size : 0x1 ''
+0x003 Inserted : 0 ''
+0x004 SignalState : 0n264
+0x008 WaitListHead : _LIST_ENTRY [ 0x2 - 0xb47 ]
+0x000 Flink : 0x00000002
+0x004 Blink : 0x00000b47
+0x01c OldIrql : 0
+0x020 mList : _LIST_ENTRY [ 0xc0b47 - 0x0 ]
+0x000 Flink : 0x000c0b47
+0x004 Blink : (null)
+0x028 mCount : 0x79d0000
+0x028 mInvalid : 0y0
+0x11c PortLock : _EX_PUSH_LOCK
+0x000 Waiting : 0y0
+0x000 Exclusive : 0y0
+0x000 Shared : 0y000000000000000000000000000000 (0)
+0x000 Value : 0
+0x000 Ptr : (null)
0: kd> dt 0x81f844b0 _FLT_OPERATION_REGISTRATION
ahsh!_FLT_OPERATION_REGISTRATION
+0x000 MajorFunction : 0x78 'x'
+0x004 Flags : 0
+0x008 PreOperation : 0x07997ae0 _FLT_PREOP_CALLBACK_STATUS +7997ae0
+0x00c PostOperation : (null)
+0x010 Reserved1 : 0x008d0000 Void