前言:
有不少的minifilter驱动是可以用IDA静态分析的,但是如何分析呢?
做过minifilter驱动的都知道FltRegisterFilter的第二个参数是关键。
如果分析呢?也就是如何定义这个参数的类型呢?
思路有三:
1.导入头文件,这个最省事,但是也容易出错。
2.那就自己写个头文件,然后导入,这也不少费事,但成功率比较高,还通用。
3.那就是自己在IDA中手动定义/添加结构,这个比较复杂,不通用,别的工程还得重复这样做。
其实还有一种办法,就是本文的,比较省事,但是不通用。
前提是你知道这些数据结构。
怎么做呢?
这就有用一个实例演示下。
怎么演示呢?
实际分析的SYS是没有符号的而且是经过优化的发行版。
这里以一个调试版,且有符号的和一个发行版且没有符号文件的对比做演示。
选用的工程是WDK的ctx工程,之所以选择这个,是因为它比较全,有上下文的处理。
下面正式开始:
--------------------------------------------------------------------------------------------------
首先找到驱动入口的FltRegisterFilter函数,点击第二个参数,进去是这样的:
.data:00000001400030A0 unk_1400030A0 db 70h ; p ; DATA XREF: sub_140006000+62↓o
.data:00000001400030A1 db 0
.data:00000001400030A2 db 3
.data:00000001400030A3 db 2
.data:00000001400030A4 db 0
.data:00000001400030A5 db 0
.data:00000001400030A6 db 0
.data:00000001400030A7 db 0
.data:00000001400030A8 dq offset unk_1400020F0
.data:00000001400030B0 dq offset unk_140003000
.data:00000001400030B8 dq offset sub_140005458
.data:00000001400030C0 dq offset sub_1400054F0
.data:00000001400030C8 dq offset sub_1400055E4
.data:00000001400030D0 dq offset nullsub_2
.data:00000001400030D8 dq offset sub_1400055EC
.data:00000001400030E0 db 0
.data:00000001400030E1 db 0
.data:00000001400030E2 db 0
.data:00000001400030E3 db 0
.data:00000001400030E4 db 0
.data:00000001400030E5 db 0
.data:00000001400030E6 db 0
.data:00000001400030E7 db 0
.data:00000001400030E8 db 0
.data:00000001400030E9 db 0
.data:00000001400030EA db 0
.data:00000001400030EB db 0
.data:00000001400030EC db 0
.data:00000001400030ED db 0
.data:00000001400030EE db 0
.data:00000001400030EF db 0
.data:00000001400030F0 db 0
.data:00000001400030F1 db 0
.data:00000001400030F2 db 0
.data:00000001400030F3 db 0
.data:00000001400030F4 db 0
.data:00000001400030F5 db 0
.data:00000001400030F6 db 0
.data:00000001400030F7 db 0
.data:00000001400030F8 db 0
.data:00000001400030F9 db 0
.data:00000001400030FA db 0
.data:00000001400030FB db 0
.data:00000001400030FC db 0
.data:00000001400030FD db 0
.data:00000001400030FE db 0
.data:00000001400030FF db 0
.data:0000000140003100 db 0
.data:0000000140003101 db 0
.data:0000000140003102 db 0
.data:0000000140003103 db 0
.data:0000000140003104 db 0
.data:0000000140003105 db 0
.data:0000000140003106 db 0
.data:0000000140003107 db 0
.data:0000000140003108 db 0
.data:0000000140003109 db 0
.data:000000014000310A db 0
.data:000000014000310B db 0
.data:000000014000310C db 0
.data:000000014000310D db 0
.data:000000014000310E db 0
.data:000000014000310F db 0
但是,你在debug版本且带有符号文件的情况下,你会看到变量的名字,点击这个变量,你会看到这个全局的数据结构变量的解释。
这就是差别啊!
无奈我们没有符号文件且不是调试版本,假定如此,所以我们只能苦逼继续。
此时,我们可以根据工程找到FLT_REGISTRATION的定义,根据这个定义,我们可以重新定义/修改上面的数据如下:
.data:00000001400030A0 word_1400030A0 dw 70h ; DATA XREF: sub_140006000+62↓o
.data:00000001400030A0 ; Size
.data:00000001400030A2 dw 203h ; Version 这个可以决定这个数据结构的大小,这个数据结构后面有几个扩展选项。
.data:00000001400030A4 dd 0 ; Flags 这个也有几个选项,不言了,你细看,深入探索。
.data:00000001400030A8 dq offset ContextRegistration ; 这里直接给这几个函数或成员改名。
.data:00000001400030B0 dq offset OperationRegistration
.data:00000001400030B8 dq offset FilterUnloadCallback
.data:00000001400030C0 dq offset InstanceSetupCallback
.data:00000001400030C8 dq offset InstanceQueryTeardownCallback
.data:00000001400030D0 dq offset InstanceTeardownStartCallback
.data:00000001400030D8 dq offset InstanceTeardownCompleteCallback
.data:00000001400030E0 dq 0 ; 这几个直接改变成员的类型/大小。
.data:00000001400030E8 dq 0
.data:00000001400030F0 dq 0
.data:00000001400030F8 dq 0
.data:0000000140003100 dq 0
.data:0000000140003108 dq 0
注意:
技巧:
1.点击一个数据,不停的按d直到切换到你选中的数据。
2.按;可以天机注释。
3.还可以给word_1400030A0这个变量改个名字,如:Registration 。
--------------------------------------------------------------------------------------------------
双击ContextRegistration,进入,得到如下界面:
.rdata:00000001400020F0 ContextRegistration db 2 ; DATA XREF: .data:00000001400030A8↓o
.rdata:00000001400020F1 db 0
.rdata:00000001400020F2 db 0
.rdata:00000001400020F3 db 0
.rdata:00000001400020F4 db 0
.rdata:00000001400020F5 db 0
.rdata:00000001400020F6 db 0
.rdata:00000001400020F7 db 0
.rdata:00000001400020F8 dq offset sub_140005478
.rdata:0000000140002100 db 20h
.rdata:0000000140002101 db 0
.rdata:0000000140002102 db 0
.rdata:0000000140002103 db 0
.rdata:0000000140002104 db 0
.rdata:0000000140002105 db 0
.rdata:0000000140002106 db 0
.rdata:0000000140002107 db 0
.rdata:0000000140002108 db 43h ; C
.rdata:0000000140002109 db 78h ; x
.rdata:000000014000210A db 49h ; I
.rdata:000000014000210B db 63h ; c
.rdata:000000014000210C db 0
.rdata:000000014000210D db 0
.rdata:000000014000210E db 0
.rdata:000000014000210F db 0
.rdata:0000000140002110 db 0
.rdata:0000000140002111 db 0
.rdata:0000000140002112 db 0
.rdata:0000000140002113 db 0
.rdata:0000000140002114 db 0
.rdata:0000000140002115 db 0
.rdata:0000000140002116 db 0
.rdata:0000000140002117 db 0
.rdata:0000000140002118 db 0
.rdata:0000000140002119 db 0
.rdata:000000014000211A db 0
.rdata:000000014000211B db 0
.rdata:000000014000211C db 0
.rdata:000000014000211D db 0
.rdata:000000014000211E db 0
.rdata:000000014000211F db 0
.rdata:0000000140002120 db 0
.rdata:0000000140002121 db 0
.rdata:0000000140002122 db 0
.rdata:0000000140002123 db 0
.rdata:0000000140002124 db 0
.rdata:0000000140002125 db 0
.rdata:0000000140002126 db 0
.rdata:0000000140002127 db 0
.rdata:0000000140002128 db 4
.rdata:0000000140002129 db 0
.rdata:000000014000212A db 0
.rdata:000000014000212B db 0
.rdata:000000014000212C db 0
.rdata:000000014000212D db 0
.rdata:000000014000212E db 0
.rdata:000000014000212F db 0
.rdata:0000000140002130 dq offset sub_140005478
.rdata:0000000140002138 db 10h
.rdata:0000000140002139 db 0
.rdata:000000014000213A db 0
.rdata:000000014000213B db 0
.rdata:000000014000213C db 0
.rdata:000000014000213D db 0
.rdata:000000014000213E db 0
.rdata:000000014000213F db 0
.rdata:0000000140002140 db 43h ; C
.rdata:0000000140002141 db 78h ; x
.rdata:0000000140002142 db 46h ; F
.rdata:0000000140002143 db 63h ; c
.rdata:0000000140002144 db 0
.rdata:0000000140002145 db 0
.rdata:0000000140002146 db 0
.rdata:0000000140002147 db 0
.rdata:0000000140002148 db 0
.rdata:0000000140002149 db 0
.rdata:000000014000214A db 0
.rdata:000000014000214B db 0
.rdata:000000014000214C db 0
.rdata:000000014000214D db 0
.rdata:000000014000214E db 0
.rdata:000000014000214F db 0
.rdata:0000000140002150 db 0
.rdata:0000000140002151 db 0
.rdata:0000000140002152 db 0
.rdata:0000000140002153 db 0
.rdata:0000000140002154 db 0
.rdata:0000000140002155 db 0
.rdata:0000000140002156 db 0
.rdata:0000000140002157 db 0
.rdata:0000000140002158 db 0
.rdata:0000000140002159 db 0
.rdata:000000014000215A db 0
.rdata:000000014000215B db 0
.rdata:000000014000215C db 0
.rdata:000000014000215D db 0
.rdata:000000014000215E db 0
.rdata:000000014000215F db 0
.rdata:0000000140002160 db 8
.rdata:0000000140002161 db 0
.rdata:0000000140002162 db 0
.rdata:0000000140002163 db 0
.rdata:0000000140002164 db 0
.rdata:0000000140002165 db 0
.rdata:0000000140002166 db 0
.rdata:0000000140002167 db 0
.rdata:0000000140002168 dq offset sub_140005478
.rdata:0000000140002170 db 28h ; (
.rdata:0000000140002171 db 0
.rdata:0000000140002172 db 0
.rdata:0000000140002173 db 0
.rdata:0000000140002174 db 0
.rdata:0000000140002175 db 0
.rdata:0000000140002176 db 0
.rdata:0000000140002177 db 0
.rdata:0000000140002178 db 43h ; C
.rdata:0000000140002179 db 78h ; x
.rdata:000000014000217A db 53h ; S
.rdata:000000014000217B db 63h ; c
.rdata:000000014000217C db 0
.rdata:000000014000217D db 0
.rdata:000000014000217E db 0
.rdata:000000014000217F db 0
.rdata:0000000140002180 db 0
.rdata:0000000140002181 db 0
.rdata:0000000140002182 db 0
.rdata:0000000140002183 db 0
.rdata:0000000140002184 db 0
.rdata:0000000140002185 db 0
.rdata:0000000140002186 db 0
.rdata:0000000140002187 db 0
.rdata:0000000140002188 db 0
.rdata:0000000140002189 db 0
.rdata:000000014000218A db 0
.rdata:000000014000218B db 0
.rdata:000000014000218C db 0
.rdata:000000014000218D db 0
.rdata:000000014000218E db 0
.rdata:000000014000218F db 0
.rdata:0000000140002190 db 0
.rdata:0000000140002191 db 0
.rdata:0000000140002192 db 0
.rdata:0000000140002193 db 0
.rdata:0000000140002194 db 0
.rdata:0000000140002195 db 0
.rdata:0000000140002196 db 0
.rdata:0000000140002197 db 0
.rdata:0000000140002198 db 10h
.rdata:0000000140002199 db 0
.rdata:000000014000219A db 0
.rdata:000000014000219B db 0
.rdata:000000014000219C db 0
.rdata:000000014000219D db 0
.rdata:000000014000219E db 0
.rdata:000000014000219F db 0
.rdata:00000001400021A0 dq offset sub_140005478
.rdata:00000001400021A8 db 18h
.rdata:00000001400021A9 db 0
.rdata:00000001400021AA db 0
.rdata:00000001400021AB db 0
.rdata:00000001400021AC db 0
.rdata:00000001400021AD db 0
.rdata:00000001400021AE db 0
.rdata:00000001400021AF db 0
.rdata:00000001400021B0 db 43h ; C
.rdata:00000001400021B1 db 78h ; x
.rdata:00000001400021B2 db 48h ; H
.rdata:00000001400021B3 db 63h ; c
.rdata:00000001400021B4 db 0
.rdata:00000001400021B5 db 0
.rdata:00000001400021B6 db 0
.rdata:00000001400021B7 db 0
.rdata:00000001400021B8 db 0
.rdata:00000001400021B9 db 0
.rdata:00000001400021BA db 0
.rdata:00000001400021BB db 0
.rdata:00000001400021BC db 0
.rdata:00000001400021BD db 0
.rdata:00000001400021BE db 0
.rdata:00000001400021BF db 0
.rdata:00000001400021C0 db 0
.rdata:00000001400021C1 db 0
.rdata:00000001400021C2 db 0
.rdata:00000001400021C3 db 0
.rdata:00000001400021C4 db 0
.rdata:00000001400021C5 db 0
.rdata:00000001400021C6 db 0
.rdata:00000001400021C7 db 0
.rdata:00000001400021C8 db 0
.rdata:00000001400021C9 db 0
.rdata:00000001400021CA db 0
.rdata:00000001400021CB db 0
.rdata:00000001400021CC db 0
.rdata:00000001400021CD db 0
.rdata:00000001400021CE db 0
.rdata:00000001400021CF db 0
.rdata:00000001400021D0 db 0FFh
.rdata:00000001400021D1 db 0FFh
.rdata:00000001400021D2 db 0
.rdata:00000001400021D3 db 0
.rdata:00000001400021D4 db 0
.rdata:00000001400021D5 db 0
.rdata:00000001400021D6 db 0
.rdata:00000001400021D7 db 0
.rdata:00000001400021D8 db 0
.rdata:00000001400021D9 db 0
.rdata:00000001400021DA db 0
.rdata:00000001400021DB db 0
.rdata:00000001400021DC db 0
.rdata:00000001400021DD db 0
.rdata:00000001400021DE db 0
.rdata:00000001400021DF db 0
.rdata:00000001400021E0 db 0
.rdata:00000001400021E1 db 0
.rdata:00000001400021E2 db 0
.rdata:00000001400021E3 db 0
.rdata:00000001400021E4 db 0
.rdata:00000001400021E5 db 0
.rdata:00000001400021E6 db 0
.rdata:00000001400021E7 db 0
.rdata:00000001400021E8 db 0
.rdata:00000001400021E9 db 0
.rdata:00000001400021EA db 0
.rdata:00000001400021EB db 0
.rdata:00000001400021EC db 0
.rdata:00000001400021ED db 0
.rdata:00000001400021EE db 0
.rdata:00000001400021EF db 0
.rdata:00000001400021F0 db 0
.rdata:00000001400021F1 db 0
.rdata:00000001400021F2 db 0
.rdata:00000001400021F3 db 0
.rdata:00000001400021F4 db 0
.rdata:00000001400021F5 db 0
.rdata:00000001400021F6 db 0
.rdata:00000001400021F7 db 0
.rdata:00000001400021F8 db 0
.rdata:00000001400021F9 db 0
.rdata:00000001400021FA db 0
.rdata:00000001400021FB db 0
.rdata:00000001400021FC db 0
.rdata:00000001400021FD db 0
.rdata:00000001400021FE db 0
.rdata:00000001400021FF db 0
.rdata:0000000140002200 db 0
.rdata:0000000140002201 db 0
.rdata:0000000140002202 db 0
.rdata:0000000140002203 db 0
.rdata:0000000140002204 db 0
.rdata:0000000140002205 db 0
.rdata:0000000140002206 db 0
.rdata:0000000140002207 db 0
.rdata:0000000140002208 db 0
.rdata:0000000140002209 db 0
.rdata:000000014000220A db 0
.rdata:000000014000220B db 0
.rdata:000000014000220C db 0
.rdata:000000014000220D db 0
.rdata:000000014000220E db 0
.rdata:000000014000220F db 0
熟悉minifilter编程的人都知道,这是一个FLT_CONTEXT_REGISTRATION的数组,数组的最后一个成员是FLT_CONTEXT_END。
这个结构有8个成员,而实际经常使用的有5个。认真和有留意的人是会发现的。
经过整理和分析后,可以变为下面的样子:
.rdata:00000001400020F0 ContextRegistration dw 2 ; DATA XREF: .data:00000001400030A8↓o
.rdata:00000001400020F0 ; ContextType == FLT_INSTANCE_CONTEXT
.rdata:00000001400020F2 dw 0 ; Flags
.rdata:00000001400020F4 db 0 ; 数据结构成员的内存地址的对齐/填充。
.rdata:00000001400020F5 db 0
.rdata:00000001400020F6 db 0
.rdata:00000001400020F7 db 0
.rdata:00000001400020F8 dq offset ContextCleanupCallback
.rdata:0000000140002100 dq 20h ; Size
.rdata:0000000140002108 dd 'cIxC' ; PoolTag
.rdata:000000014000210C db 0 ; 数据结构成员的内存地址的对齐/填充。
.rdata:000000014000210D db 0
.rdata:000000014000210E db 0
.rdata:000000014000210F db 0
.rdata:0000000140002110 dq 0 ; ContextAllocateCallback
.rdata:0000000140002118 dq 0 ; ContextFreeCallback
.rdata:0000000140002120 dq 0 ; Reserved1
.rdata:0000000140002128 dw 4 ; ContextType == FLT_FILE_CONTEXT
.rdata:000000014000212A dw 0
.rdata:000000014000212C db 0
.rdata:000000014000212D db 0
.rdata:000000014000212E db 0
.rdata:000000014000212F db 0
.rdata:0000000140002130 dq offset ContextCleanupCallback
.rdata:0000000140002138 dq 10h
.rdata:0000000140002140 dd 'cFxC'
.rdata:0000000140002144 db 0
.rdata:0000000140002145 db 0
.rdata:0000000140002146 db 0
.rdata:0000000140002147 db 0
.rdata:0000000140002148 dq 0
.rdata:0000000140002150 dq 0
.rdata:0000000140002158 dq 0
.rdata:0000000140002160 dw 8 ; ContextType == FLT_STREAM_CONTEXT
.rdata:0000000140002162 dw 0
.rdata:0000000140002164 db 0
.rdata:0000000140002165 db 0
.rdata:0000000140002166 db 0
.rdata:0000000140002167 db 0
.rdata:0000000140002168 dq offset ContextCleanupCallback
.rdata:0000000140002170 dq 28h
.rdata:0000000140002178 dd 'cSxC'
.rdata:000000014000217C db 0
.rdata:000000014000217D db 0
.rdata:000000014000217E db 0
.rdata:000000014000217F db 0
.rdata:0000000140002180 dq 0
.rdata:0000000140002188 dq 0
.rdata:0000000140002190 dq 0
.rdata:0000000140002198 dw 10h ; ContextType == FLT_STREAMHANDLE_CONTEXT
.rdata:000000014000219A dw 0
.rdata:000000014000219C db 0
.rdata:000000014000219D db 0
.rdata:000000014000219E db 0
.rdata:000000014000219F db 0
.rdata:00000001400021A0 dq offset ContextCleanupCallback
.rdata:00000001400021A8 dq 18h
.rdata:00000001400021B0 dd 'cHxC'
.rdata:00000001400021B4 db 0
.rdata:00000001400021B5 db 0
.rdata:00000001400021B6 db 0
.rdata:00000001400021B7 db 0
.rdata:00000001400021B8 dq 0
.rdata:00000001400021C0 dq 0
.rdata:00000001400021C8 dq 0
.rdata:00000001400021D0 dw 0FFFFh ; 结束标记:FLT_CONTEXT_END
.rdata:00000001400021D2 dw 0
.rdata:00000001400021D4 db 0
.rdata:00000001400021D5 db 0
.rdata:00000001400021D6 db 0
.rdata:00000001400021D7 db 0
.rdata:00000001400021D8 dq 0
.rdata:00000001400021E0 dq 0
.rdata:00000001400021E8 dd 0
.rdata:00000001400021EC db 0
.rdata:00000001400021ED db 0
.rdata:00000001400021EE db 0
.rdata:00000001400021EF db 0
.rdata:00000001400021F0 dq 0
.rdata:00000001400021F8 dq 0
.rdata:0000000140002200 dq 0
.rdata:0000000140002208 db 0 ; 结束,后面是多余的,对齐。
.rdata:0000000140002209 db 0
.rdata:000000014000220A db 0
.rdata:000000014000220B db 0
.rdata:000000014000220C db 0
.rdata:000000014000220D db 0
.rdata:000000014000220E db 0
.rdata:000000014000220F db 0
--------------------------------------------------------------------------------------------------
双击OperationRegistration,进入如下界面:
.data:0000000140003000 OperationRegistration db 0 ; DATA XREF: .data:00000001400030B0↓o
.data:0000000140003001 db 0
.data:0000000140003002 db 0
.data:0000000140003003 db 0
.data:0000000140003004 db 1
.data:0000000140003005 db 0
.data:0000000140003006 db 0
.data:0000000140003007 db 0
.data:0000000140003008 dq offset InstanceQueryTeardownCallback
.data:0000000140003010 dq offset sub_140005614
.data:0000000140003018 align 20h
.data:0000000140003020 db 12h
.data:0000000140003021 db 0
.data:0000000140003022 db 0
.data:0000000140003023 db 0
.data:0000000140003024 db 1
.data:0000000140003025 db 0
.data:0000000140003026 db 0
.data:0000000140003027 db 0
.data:0000000140003028 dq offset sub_140005940
.data:0000000140003030 align 20h
.data:0000000140003040 db 2
.data:0000000140003041 db 0
.data:0000000140003042 db 0
.data:0000000140003043 db 0
.data:0000000140003044 db 1
.data:0000000140003045 db 0
.data:0000000140003046 db 0
.data:0000000140003047 db 0
.data:0000000140003048 dq offset sub_1400059B4
.data:0000000140003050 align 20h
.data:0000000140003060 db 6
.data:0000000140003061 db 0
.data:0000000140003062 db 0
.data:0000000140003063 db 0
.data:0000000140003064 db 1
.data:0000000140003065 db 0
.data:0000000140003066 db 0
.data:0000000140003067 db 0
.data:0000000140003068 dq offset sub_140005A28
.data:0000000140003070 dq offset sub_1400057A8
.data:0000000140003078 align 20h
.data:0000000140003080 db 80h ; €
.data:0000000140003081 db 0
.data:0000000140003082 db 0
.data:0000000140003083 db 0
.data:0000000140003084 db 0
.data:0000000140003085 db 0
.data:0000000140003086 db 0
.data:0000000140003087 db 0
.data:0000000140003088 db 0
.data:0000000140003089 db 0
.data:000000014000308A db 0
.data:000000014000308B db 0
.data:000000014000308C db 0
.data:000000014000308D db 0
.data:000000014000308E db 0
.data:000000014000308F db 0
.data:0000000140003090 db 0
.data:0000000140003091 db 0
.data:0000000140003092 db 0
.data:0000000140003093 db 0
.data:0000000140003094 db 0
.data:0000000140003095 db 0
.data:0000000140003096 db 0
.data:0000000140003097 db 0
.data:0000000140003098 db 0
.data:0000000140003099 db 0
.data:000000014000309A db 0
.data:000000014000309B db 0
.data:000000014000309C db 0
.data:000000014000309D db 0
.data:000000014000309E db 0
.data:000000014000309F db 0
熟悉minifilter编程的人都知道,这是一个FLT_OPERATION_REGISTRATION的数组,最后一项是IRP_MJ_OPERATION_END。
经过整理和分析后,可以变为下面的样子:
.data:0000000140003000 OperationRegistration db 0 ; DATA XREF: .data:00000001400030B0↓o
.data:0000000140003000 ; MajorFunction == IRP_MJ_CREATE
.data:0000000140003001 dd 1000000h ; Flags
.data:0000000140003005 db 0 ; 数据结构成员的内存地址的对齐/填充。
.data:0000000140003006 db 0
.data:0000000140003007 db 0
.data:0000000140003008 dq offset PreCreate
.data:0000000140003010 dq offset PostCreate
.data:0000000140003018 align 20h
.data:0000000140003020 db 12h ; MajorFunction == IRP_MJ_CLEANUP
.data:0000000140003021 dd 1000000h
.data:0000000140003025 db 0
.data:0000000140003026 db 0
.data:0000000140003027 db 0
.data:0000000140003028 dq offset PreCleanUp
.data:0000000140003030 align 20h ; 这个隐藏了两个成员。
.data:0000000140003040 db 2 ; MajorFunction == IRP_MJ_CLOSE
.data:0000000140003041 dd 1000000h
.data:0000000140003045 db 0
.data:0000000140003046 db 0
.data:0000000140003047 db 0
.data:0000000140003048 dq offset PreClose
.data:0000000140003050 align 20h
.data:0000000140003060 db 6 ; MajorFunction == IRP_MJ_SET_INFORMATION
.data:0000000140003061 dd 1000000h
.data:0000000140003065 db 0
.data:0000000140003066 db 0
.data:0000000140003067 db 0
.data:0000000140003068 dq offset PreSetInfo
.data:0000000140003070 dq offset PostSetInfo
.data:0000000140003078 align 20h
.data:0000000140003080 db 80h ; € ; 结束标记:IRP_MJ_OPERATION_END
.data:0000000140003081 dd 0
.data:0000000140003085 db 0
.data:0000000140003086 db 0
.data:0000000140003087 db 0
.data:0000000140003088 dq 0
.data:0000000140003090 dq 0
.data:0000000140003098 dq 0
--------------------------------------------------------------------------------------------------
至此,可以告一个段落。
下一步就是根据这里分析出的函数,定义这些函数的类型,甚至是参数的个数(如IDA分析x64程序),特别是参数的类型。
因为发行版经常没有符号文件,有好些系统经常用的数据结构IDA没有解析出,如文件过滤驱动的minifilter和网络过滤驱动的WFP。
made by correy
made at 15:40 2018/4/28
http://correy.webs.com
有不少的minifilter驱动是可以用IDA静态分析的,但是如何分析呢?
做过minifilter驱动的都知道FltRegisterFilter的第二个参数是关键。
如果分析呢?也就是如何定义这个参数的类型呢?
思路有三:
1.导入头文件,这个最省事,但是也容易出错。
2.那就自己写个头文件,然后导入,这也不少费事,但成功率比较高,还通用。
3.那就是自己在IDA中手动定义/添加结构,这个比较复杂,不通用,别的工程还得重复这样做。
其实还有一种办法,就是本文的,比较省事,但是不通用。
前提是你知道这些数据结构。
怎么做呢?
这就有用一个实例演示下。
怎么演示呢?
实际分析的SYS是没有符号的而且是经过优化的发行版。
这里以一个调试版,且有符号的和一个发行版且没有符号文件的对比做演示。
选用的工程是WDK的ctx工程,之所以选择这个,是因为它比较全,有上下文的处理。
下面正式开始:
--------------------------------------------------------------------------------------------------
首先找到驱动入口的FltRegisterFilter函数,点击第二个参数,进去是这样的:
.data:00000001400030A0 unk_1400030A0 db 70h ; p ; DATA XREF: sub_140006000+62↓o
.data:00000001400030A1 db 0
.data:00000001400030A2 db 3
.data:00000001400030A3 db 2
.data:00000001400030A4 db 0
.data:00000001400030A5 db 0
.data:00000001400030A6 db 0
.data:00000001400030A7 db 0
.data:00000001400030A8 dq offset unk_1400020F0
.data:00000001400030B0 dq offset unk_140003000
.data:00000001400030B8 dq offset sub_140005458
.data:00000001400030C0 dq offset sub_1400054F0
.data:00000001400030C8 dq offset sub_1400055E4
.data:00000001400030D0 dq offset nullsub_2
.data:00000001400030D8 dq offset sub_1400055EC
.data:00000001400030E0 db 0
.data:00000001400030E1 db 0
.data:00000001400030E2 db 0
.data:00000001400030E3 db 0
.data:00000001400030E4 db 0
.data:00000001400030E5 db 0
.data:00000001400030E6 db 0
.data:00000001400030E7 db 0
.data:00000001400030E8 db 0
.data:00000001400030E9 db 0
.data:00000001400030EA db 0
.data:00000001400030EB db 0
.data:00000001400030EC db 0
.data:00000001400030ED db 0
.data:00000001400030EE db 0
.data:00000001400030EF db 0
.data:00000001400030F0 db 0
.data:00000001400030F1 db 0
.data:00000001400030F2 db 0
.data:00000001400030F3 db 0
.data:00000001400030F4 db 0
.data:00000001400030F5 db 0
.data:00000001400030F6 db 0
.data:00000001400030F7 db 0
.data:00000001400030F8 db 0
.data:00000001400030F9 db 0
.data:00000001400030FA db 0
.data:00000001400030FB db 0
.data:00000001400030FC db 0
.data:00000001400030FD db 0
.data:00000001400030FE db 0
.data:00000001400030FF db 0
.data:0000000140003100 db 0
.data:0000000140003101 db 0
.data:0000000140003102 db 0
.data:0000000140003103 db 0
.data:0000000140003104 db 0
.data:0000000140003105 db 0
.data:0000000140003106 db 0
.data:0000000140003107 db 0
.data:0000000140003108 db 0
.data:0000000140003109 db 0
.data:000000014000310A db 0
.data:000000014000310B db 0
.data:000000014000310C db 0
.data:000000014000310D db 0
.data:000000014000310E db 0
.data:000000014000310F db 0
但是,你在debug版本且带有符号文件的情况下,你会看到变量的名字,点击这个变量,你会看到这个全局的数据结构变量的解释。
这就是差别啊!
无奈我们没有符号文件且不是调试版本,假定如此,所以我们只能苦逼继续。
此时,我们可以根据工程找到FLT_REGISTRATION的定义,根据这个定义,我们可以重新定义/修改上面的数据如下:
.data:00000001400030A0 word_1400030A0 dw 70h ; DATA XREF: sub_140006000+62↓o
.data:00000001400030A0 ; Size
.data:00000001400030A2 dw 203h ; Version 这个可以决定这个数据结构的大小,这个数据结构后面有几个扩展选项。
.data:00000001400030A4 dd 0 ; Flags 这个也有几个选项,不言了,你细看,深入探索。
.data:00000001400030A8 dq offset ContextRegistration ; 这里直接给这几个函数或成员改名。
.data:00000001400030B0 dq offset OperationRegistration
.data:00000001400030B8 dq offset FilterUnloadCallback
.data:00000001400030C0 dq offset InstanceSetupCallback
.data:00000001400030C8 dq offset InstanceQueryTeardownCallback
.data:00000001400030D0 dq offset InstanceTeardownStartCallback
.data:00000001400030D8 dq offset InstanceTeardownCompleteCallback
.data:00000001400030E0 dq 0 ; 这几个直接改变成员的类型/大小。
.data:00000001400030E8 dq 0
.data:00000001400030F0 dq 0
.data:00000001400030F8 dq 0
.data:0000000140003100 dq 0
.data:0000000140003108 dq 0
注意:
技巧:
1.点击一个数据,不停的按d直到切换到你选中的数据。
2.按;可以天机注释。
3.还可以给word_1400030A0这个变量改个名字,如:Registration 。
--------------------------------------------------------------------------------------------------
双击ContextRegistration,进入,得到如下界面:
.rdata:00000001400020F0 ContextRegistration db 2 ; DATA XREF: .data:00000001400030A8↓o
.rdata:00000001400020F1 db 0
.rdata:00000001400020F2 db 0
.rdata:00000001400020F3 db 0
.rdata:00000001400020F4 db 0
.rdata:00000001400020F5 db 0
.rdata:00000001400020F6 db 0
.rdata:00000001400020F7 db 0
.rdata:00000001400020F8 dq offset sub_140005478
.rdata:0000000140002100 db 20h
.rdata:0000000140002101 db 0
.rdata:0000000140002102 db 0
.rdata:0000000140002103 db 0
.rdata:0000000140002104 db 0
.rdata:0000000140002105 db 0
.rdata:0000000140002106 db 0
.rdata:0000000140002107 db 0
.rdata:0000000140002108 db 43h ; C
.rdata:0000000140002109 db 78h ; x
.rdata:000000014000210A db 49h ; I
.rdata:000000014000210B db 63h ; c
.rdata:000000014000210C db 0
.rdata:000000014000210D db 0
.rdata:000000014000210E db 0
.rdata:000000014000210F db 0
.rdata:0000000140002110 db 0
.rdata:0000000140002111 db 0
.rdata:0000000140002112 db 0
.rdata:0000000140002113 db 0
.rdata:0000000140002114 db 0
.rdata:0000000140002115 db 0
.rdata:0000000140002116 db 0
.rdata:0000000140002117 db 0
.rdata:0000000140002118 db 0
.rdata:0000000140002119 db 0
.rdata:000000014000211A db 0
.rdata:000000014000211B db 0
.rdata:000000014000211C db 0
.rdata:000000014000211D db 0
.rdata:000000014000211E db 0
.rdata:000000014000211F db 0
.rdata:0000000140002120 db 0
.rdata:0000000140002121 db 0
.rdata:0000000140002122 db 0
.rdata:0000000140002123 db 0
.rdata:0000000140002124 db 0
.rdata:0000000140002125 db 0
.rdata:0000000140002126 db 0
.rdata:0000000140002127 db 0
.rdata:0000000140002128 db 4
.rdata:0000000140002129 db 0
.rdata:000000014000212A db 0
.rdata:000000014000212B db 0
.rdata:000000014000212C db 0
.rdata:000000014000212D db 0
.rdata:000000014000212E db 0
.rdata:000000014000212F db 0
.rdata:0000000140002130 dq offset sub_140005478
.rdata:0000000140002138 db 10h
.rdata:0000000140002139 db 0
.rdata:000000014000213A db 0
.rdata:000000014000213B db 0
.rdata:000000014000213C db 0
.rdata:000000014000213D db 0
.rdata:000000014000213E db 0
.rdata:000000014000213F db 0
.rdata:0000000140002140 db 43h ; C
.rdata:0000000140002141 db 78h ; x
.rdata:0000000140002142 db 46h ; F
.rdata:0000000140002143 db 63h ; c
.rdata:0000000140002144 db 0
.rdata:0000000140002145 db 0
.rdata:0000000140002146 db 0
.rdata:0000000140002147 db 0
.rdata:0000000140002148 db 0
.rdata:0000000140002149 db 0
.rdata:000000014000214A db 0
.rdata:000000014000214B db 0
.rdata:000000014000214C db 0
.rdata:000000014000214D db 0
.rdata:000000014000214E db 0
.rdata:000000014000214F db 0
.rdata:0000000140002150 db 0
.rdata:0000000140002151 db 0
.rdata:0000000140002152 db 0
.rdata:0000000140002153 db 0
.rdata:0000000140002154 db 0
.rdata:0000000140002155 db 0
.rdata:0000000140002156 db 0
.rdata:0000000140002157 db 0
.rdata:0000000140002158 db 0
.rdata:0000000140002159 db 0
.rdata:000000014000215A db 0
.rdata:000000014000215B db 0
.rdata:000000014000215C db 0
.rdata:000000014000215D db 0
.rdata:000000014000215E db 0
.rdata:000000014000215F db 0
.rdata:0000000140002160 db 8
.rdata:0000000140002161 db 0
.rdata:0000000140002162 db 0
.rdata:0000000140002163 db 0
.rdata:0000000140002164 db 0
.rdata:0000000140002165 db 0
.rdata:0000000140002166 db 0
.rdata:0000000140002167 db 0
.rdata:0000000140002168 dq offset sub_140005478
.rdata:0000000140002170 db 28h ; (
.rdata:0000000140002171 db 0
.rdata:0000000140002172 db 0
.rdata:0000000140002173 db 0
.rdata:0000000140002174 db 0
.rdata:0000000140002175 db 0
.rdata:0000000140002176 db 0
.rdata:0000000140002177 db 0
.rdata:0000000140002178 db 43h ; C
.rdata:0000000140002179 db 78h ; x
.rdata:000000014000217A db 53h ; S
.rdata:000000014000217B db 63h ; c
.rdata:000000014000217C db 0
.rdata:000000014000217D db 0
.rdata:000000014000217E db 0
.rdata:000000014000217F db 0
.rdata:0000000140002180 db 0
.rdata:0000000140002181 db 0
.rdata:0000000140002182 db 0
.rdata:0000000140002183 db 0
.rdata:0000000140002184 db 0
.rdata:0000000140002185 db 0
.rdata:0000000140002186 db 0
.rdata:0000000140002187 db 0
.rdata:0000000140002188 db 0
.rdata:0000000140002189 db 0
.rdata:000000014000218A db 0
.rdata:000000014000218B db 0
.rdata:000000014000218C db 0
.rdata:000000014000218D db 0
.rdata:000000014000218E db 0
.rdata:000000014000218F db 0
.rdata:0000000140002190 db 0
.rdata:0000000140002191 db 0
.rdata:0000000140002192 db 0
.rdata:0000000140002193 db 0
.rdata:0000000140002194 db 0
.rdata:0000000140002195 db 0
.rdata:0000000140002196 db 0
.rdata:0000000140002197 db 0
.rdata:0000000140002198 db 10h
.rdata:0000000140002199 db 0
.rdata:000000014000219A db 0
.rdata:000000014000219B db 0
.rdata:000000014000219C db 0
.rdata:000000014000219D db 0
.rdata:000000014000219E db 0
.rdata:000000014000219F db 0
.rdata:00000001400021A0 dq offset sub_140005478
.rdata:00000001400021A8 db 18h
.rdata:00000001400021A9 db 0
.rdata:00000001400021AA db 0
.rdata:00000001400021AB db 0
.rdata:00000001400021AC db 0
.rdata:00000001400021AD db 0
.rdata:00000001400021AE db 0
.rdata:00000001400021AF db 0
.rdata:00000001400021B0 db 43h ; C
.rdata:00000001400021B1 db 78h ; x
.rdata:00000001400021B2 db 48h ; H
.rdata:00000001400021B3 db 63h ; c
.rdata:00000001400021B4 db 0
.rdata:00000001400021B5 db 0
.rdata:00000001400021B6 db 0
.rdata:00000001400021B7 db 0
.rdata:00000001400021B8 db 0
.rdata:00000001400021B9 db 0
.rdata:00000001400021BA db 0
.rdata:00000001400021BB db 0
.rdata:00000001400021BC db 0
.rdata:00000001400021BD db 0
.rdata:00000001400021BE db 0
.rdata:00000001400021BF db 0
.rdata:00000001400021C0 db 0
.rdata:00000001400021C1 db 0
.rdata:00000001400021C2 db 0
.rdata:00000001400021C3 db 0
.rdata:00000001400021C4 db 0
.rdata:00000001400021C5 db 0
.rdata:00000001400021C6 db 0
.rdata:00000001400021C7 db 0
.rdata:00000001400021C8 db 0
.rdata:00000001400021C9 db 0
.rdata:00000001400021CA db 0
.rdata:00000001400021CB db 0
.rdata:00000001400021CC db 0
.rdata:00000001400021CD db 0
.rdata:00000001400021CE db 0
.rdata:00000001400021CF db 0
.rdata:00000001400021D0 db 0FFh
.rdata:00000001400021D1 db 0FFh
.rdata:00000001400021D2 db 0
.rdata:00000001400021D3 db 0
.rdata:00000001400021D4 db 0
.rdata:00000001400021D5 db 0
.rdata:00000001400021D6 db 0
.rdata:00000001400021D7 db 0
.rdata:00000001400021D8 db 0
.rdata:00000001400021D9 db 0
.rdata:00000001400021DA db 0
.rdata:00000001400021DB db 0
.rdata:00000001400021DC db 0
.rdata:00000001400021DD db 0
.rdata:00000001400021DE db 0
.rdata:00000001400021DF db 0
.rdata:00000001400021E0 db 0
.rdata:00000001400021E1 db 0
.rdata:00000001400021E2 db 0
.rdata:00000001400021E3 db 0
.rdata:00000001400021E4 db 0
.rdata:00000001400021E5 db 0
.rdata:00000001400021E6 db 0
.rdata:00000001400021E7 db 0
.rdata:00000001400021E8 db 0
.rdata:00000001400021E9 db 0
.rdata:00000001400021EA db 0
.rdata:00000001400021EB db 0
.rdata:00000001400021EC db 0
.rdata:00000001400021ED db 0
.rdata:00000001400021EE db 0
.rdata:00000001400021EF db 0
.rdata:00000001400021F0 db 0
.rdata:00000001400021F1 db 0
.rdata:00000001400021F2 db 0
.rdata:00000001400021F3 db 0
.rdata:00000001400021F4 db 0
.rdata:00000001400021F5 db 0
.rdata:00000001400021F6 db 0
.rdata:00000001400021F7 db 0
.rdata:00000001400021F8 db 0
.rdata:00000001400021F9 db 0
.rdata:00000001400021FA db 0
.rdata:00000001400021FB db 0
.rdata:00000001400021FC db 0
.rdata:00000001400021FD db 0
.rdata:00000001400021FE db 0
.rdata:00000001400021FF db 0
.rdata:0000000140002200 db 0
.rdata:0000000140002201 db 0
.rdata:0000000140002202 db 0
.rdata:0000000140002203 db 0
.rdata:0000000140002204 db 0
.rdata:0000000140002205 db 0
.rdata:0000000140002206 db 0
.rdata:0000000140002207 db 0
.rdata:0000000140002208 db 0
.rdata:0000000140002209 db 0
.rdata:000000014000220A db 0
.rdata:000000014000220B db 0
.rdata:000000014000220C db 0
.rdata:000000014000220D db 0
.rdata:000000014000220E db 0
.rdata:000000014000220F db 0
熟悉minifilter编程的人都知道,这是一个FLT_CONTEXT_REGISTRATION的数组,数组的最后一个成员是FLT_CONTEXT_END。
这个结构有8个成员,而实际经常使用的有5个。认真和有留意的人是会发现的。
经过整理和分析后,可以变为下面的样子:
.rdata:00000001400020F0 ContextRegistration dw 2 ; DATA XREF: .data:00000001400030A8↓o
.rdata:00000001400020F0 ; ContextType == FLT_INSTANCE_CONTEXT
.rdata:00000001400020F2 dw 0 ; Flags
.rdata:00000001400020F4 db 0 ; 数据结构成员的内存地址的对齐/填充。
.rdata:00000001400020F5 db 0
.rdata:00000001400020F6 db 0
.rdata:00000001400020F7 db 0
.rdata:00000001400020F8 dq offset ContextCleanupCallback
.rdata:0000000140002100 dq 20h ; Size
.rdata:0000000140002108 dd 'cIxC' ; PoolTag
.rdata:000000014000210C db 0 ; 数据结构成员的内存地址的对齐/填充。
.rdata:000000014000210D db 0
.rdata:000000014000210E db 0
.rdata:000000014000210F db 0
.rdata:0000000140002110 dq 0 ; ContextAllocateCallback
.rdata:0000000140002118 dq 0 ; ContextFreeCallback
.rdata:0000000140002120 dq 0 ; Reserved1
.rdata:0000000140002128 dw 4 ; ContextType == FLT_FILE_CONTEXT
.rdata:000000014000212A dw 0
.rdata:000000014000212C db 0
.rdata:000000014000212D db 0
.rdata:000000014000212E db 0
.rdata:000000014000212F db 0
.rdata:0000000140002130 dq offset ContextCleanupCallback
.rdata:0000000140002138 dq 10h
.rdata:0000000140002140 dd 'cFxC'
.rdata:0000000140002144 db 0
.rdata:0000000140002145 db 0
.rdata:0000000140002146 db 0
.rdata:0000000140002147 db 0
.rdata:0000000140002148 dq 0
.rdata:0000000140002150 dq 0
.rdata:0000000140002158 dq 0
.rdata:0000000140002160 dw 8 ; ContextType == FLT_STREAM_CONTEXT
.rdata:0000000140002162 dw 0
.rdata:0000000140002164 db 0
.rdata:0000000140002165 db 0
.rdata:0000000140002166 db 0
.rdata:0000000140002167 db 0
.rdata:0000000140002168 dq offset ContextCleanupCallback
.rdata:0000000140002170 dq 28h
.rdata:0000000140002178 dd 'cSxC'
.rdata:000000014000217C db 0
.rdata:000000014000217D db 0
.rdata:000000014000217E db 0
.rdata:000000014000217F db 0
.rdata:0000000140002180 dq 0
.rdata:0000000140002188 dq 0
.rdata:0000000140002190 dq 0
.rdata:0000000140002198 dw 10h ; ContextType == FLT_STREAMHANDLE_CONTEXT
.rdata:000000014000219A dw 0
.rdata:000000014000219C db 0
.rdata:000000014000219D db 0
.rdata:000000014000219E db 0
.rdata:000000014000219F db 0
.rdata:00000001400021A0 dq offset ContextCleanupCallback
.rdata:00000001400021A8 dq 18h
.rdata:00000001400021B0 dd 'cHxC'
.rdata:00000001400021B4 db 0
.rdata:00000001400021B5 db 0
.rdata:00000001400021B6 db 0
.rdata:00000001400021B7 db 0
.rdata:00000001400021B8 dq 0
.rdata:00000001400021C0 dq 0
.rdata:00000001400021C8 dq 0
.rdata:00000001400021D0 dw 0FFFFh ; 结束标记:FLT_CONTEXT_END
.rdata:00000001400021D2 dw 0
.rdata:00000001400021D4 db 0
.rdata:00000001400021D5 db 0
.rdata:00000001400021D6 db 0
.rdata:00000001400021D7 db 0
.rdata:00000001400021D8 dq 0
.rdata:00000001400021E0 dq 0
.rdata:00000001400021E8 dd 0
.rdata:00000001400021EC db 0
.rdata:00000001400021ED db 0
.rdata:00000001400021EE db 0
.rdata:00000001400021EF db 0
.rdata:00000001400021F0 dq 0
.rdata:00000001400021F8 dq 0
.rdata:0000000140002200 dq 0
.rdata:0000000140002208 db 0 ; 结束,后面是多余的,对齐。
.rdata:0000000140002209 db 0
.rdata:000000014000220A db 0
.rdata:000000014000220B db 0
.rdata:000000014000220C db 0
.rdata:000000014000220D db 0
.rdata:000000014000220E db 0
.rdata:000000014000220F db 0
--------------------------------------------------------------------------------------------------
双击OperationRegistration,进入如下界面:
.data:0000000140003000 OperationRegistration db 0 ; DATA XREF: .data:00000001400030B0↓o
.data:0000000140003001 db 0
.data:0000000140003002 db 0
.data:0000000140003003 db 0
.data:0000000140003004 db 1
.data:0000000140003005 db 0
.data:0000000140003006 db 0
.data:0000000140003007 db 0
.data:0000000140003008 dq offset InstanceQueryTeardownCallback
.data:0000000140003010 dq offset sub_140005614
.data:0000000140003018 align 20h
.data:0000000140003020 db 12h
.data:0000000140003021 db 0
.data:0000000140003022 db 0
.data:0000000140003023 db 0
.data:0000000140003024 db 1
.data:0000000140003025 db 0
.data:0000000140003026 db 0
.data:0000000140003027 db 0
.data:0000000140003028 dq offset sub_140005940
.data:0000000140003030 align 20h
.data:0000000140003040 db 2
.data:0000000140003041 db 0
.data:0000000140003042 db 0
.data:0000000140003043 db 0
.data:0000000140003044 db 1
.data:0000000140003045 db 0
.data:0000000140003046 db 0
.data:0000000140003047 db 0
.data:0000000140003048 dq offset sub_1400059B4
.data:0000000140003050 align 20h
.data:0000000140003060 db 6
.data:0000000140003061 db 0
.data:0000000140003062 db 0
.data:0000000140003063 db 0
.data:0000000140003064 db 1
.data:0000000140003065 db 0
.data:0000000140003066 db 0
.data:0000000140003067 db 0
.data:0000000140003068 dq offset sub_140005A28
.data:0000000140003070 dq offset sub_1400057A8
.data:0000000140003078 align 20h
.data:0000000140003080 db 80h ; €
.data:0000000140003081 db 0
.data:0000000140003082 db 0
.data:0000000140003083 db 0
.data:0000000140003084 db 0
.data:0000000140003085 db 0
.data:0000000140003086 db 0
.data:0000000140003087 db 0
.data:0000000140003088 db 0
.data:0000000140003089 db 0
.data:000000014000308A db 0
.data:000000014000308B db 0
.data:000000014000308C db 0
.data:000000014000308D db 0
.data:000000014000308E db 0
.data:000000014000308F db 0
.data:0000000140003090 db 0
.data:0000000140003091 db 0
.data:0000000140003092 db 0
.data:0000000140003093 db 0
.data:0000000140003094 db 0
.data:0000000140003095 db 0
.data:0000000140003096 db 0
.data:0000000140003097 db 0
.data:0000000140003098 db 0
.data:0000000140003099 db 0
.data:000000014000309A db 0
.data:000000014000309B db 0
.data:000000014000309C db 0
.data:000000014000309D db 0
.data:000000014000309E db 0
.data:000000014000309F db 0
熟悉minifilter编程的人都知道,这是一个FLT_OPERATION_REGISTRATION的数组,最后一项是IRP_MJ_OPERATION_END。
经过整理和分析后,可以变为下面的样子:
.data:0000000140003000 OperationRegistration db 0 ; DATA XREF: .data:00000001400030B0↓o
.data:0000000140003000 ; MajorFunction == IRP_MJ_CREATE
.data:0000000140003001 dd 1000000h ; Flags
.data:0000000140003005 db 0 ; 数据结构成员的内存地址的对齐/填充。
.data:0000000140003006 db 0
.data:0000000140003007 db 0
.data:0000000140003008 dq offset PreCreate
.data:0000000140003010 dq offset PostCreate
.data:0000000140003018 align 20h
.data:0000000140003020 db 12h ; MajorFunction == IRP_MJ_CLEANUP
.data:0000000140003021 dd 1000000h
.data:0000000140003025 db 0
.data:0000000140003026 db 0
.data:0000000140003027 db 0
.data:0000000140003028 dq offset PreCleanUp
.data:0000000140003030 align 20h ; 这个隐藏了两个成员。
.data:0000000140003040 db 2 ; MajorFunction == IRP_MJ_CLOSE
.data:0000000140003041 dd 1000000h
.data:0000000140003045 db 0
.data:0000000140003046 db 0
.data:0000000140003047 db 0
.data:0000000140003048 dq offset PreClose
.data:0000000140003050 align 20h
.data:0000000140003060 db 6 ; MajorFunction == IRP_MJ_SET_INFORMATION
.data:0000000140003061 dd 1000000h
.data:0000000140003065 db 0
.data:0000000140003066 db 0
.data:0000000140003067 db 0
.data:0000000140003068 dq offset PreSetInfo
.data:0000000140003070 dq offset PostSetInfo
.data:0000000140003078 align 20h
.data:0000000140003080 db 80h ; € ; 结束标记:IRP_MJ_OPERATION_END
.data:0000000140003081 dd 0
.data:0000000140003085 db 0
.data:0000000140003086 db 0
.data:0000000140003087 db 0
.data:0000000140003088 dq 0
.data:0000000140003090 dq 0
.data:0000000140003098 dq 0
--------------------------------------------------------------------------------------------------
至此,可以告一个段落。
下一步就是根据这里分析出的函数,定义这些函数的类型,甚至是参数的个数(如IDA分析x64程序),特别是参数的类型。
因为发行版经常没有符号文件,有好些系统经常用的数据结构IDA没有解析出,如文件过滤驱动的minifilter和网络过滤驱动的WFP。
made by correy
made at 15:40 2018/4/28
http://correy.webs.com
