Kernel decompilation study notes 6: static analysis of passthru - iniwf - C++博客

Kernel decompilation study notes 6: static analysis of passthru

Source: the disassembly of passthru.sys together with its source code.

1. Imported modules
2. Functions used from each module
3. Function prototypes
4. List of functions in each file

Even with the source code at hand, the disassembly is more concise than the source, and it has the advantage when you want an overview. If you are interested, you can match the assembly up against the code. I have listed the functions called from inside each function.

////////////////////////////////////////////////
1. Three imported modules:

import Module: ntoskrnl.exe, HAL.dll, NDIS.SYS

//////////////////////////////////////////////
2. Functions imported from each module. Once we have the function names we can set breakpoints with bp module!function. Some of these functions are invoked through macros; see the macro definitions in ndis.h for the details.

ntoskrnl.exe:
KeBugCheckEx
KeTickCount
IoGetDeviceProperty
RtlCopyUnicodeString
RtlAppendUnicodeToString
IoCreateDevice
_vsnprintf
MmMapLockedPagesSpecifyCache
IoDeleteDevice
memcpy
IofCompleteRequest
memset
RtlInitUnicodeString
DbgPrint
RtlAssert
RtlUnwind

HAL.dll:
KfReleaseSpinLock
KfAcquireSpinLock

Next comes the important part, the NDIS-specific functions. NDIS.SYS:
NdisIMNotifyPnPEvent
NdisGetReceivedPacket
NdisDprAllocatePacket
NdisDprFreePacket
NdisDeregisterProtocol
NdisIMCancelInitializeDeviceInstance
NdisReEnumerateProtocolBindings
NdisFreeMemory
NdisOpenProtocolConfiguration
NdisReadConfiguration
NdisAllocateMemoryWithTag
NdisInitializeEvent
NdisAllocatePacketPoolEx
NdisPacketPoolUsage
NdisIMDeInitializeDeviceInstance
NdisCloseAdapter
NdisSetEvent
NdisMSetAttributesEx
NdisIMGetDeviceContext
NdisFreePacket
NdisIMCopySendCompletePerPacketInfo
NdisIMCopySendPerPacketInfo
NdisAllocatePacket
NdisIMGetCurrentPacketStack
NdisRequest
NdisMIndicateStatusComplete
NdisMIndicateStatus
NdisReturnPackets
NdisGetPoolFromPacket
NdisWaitEvent
NdisResetEvent
NdisCancelSendPackets
NdisFreePacketPool
NdisTerminateWrapper
NdisIMAssociateMiniport
NdisIMDeregisterLayeredMiniport
NdisRegisterProtocol
NdisMRegisterUnloadHandler
NdisIMRegisterLayeredMiniport
NdisInitializeWrapper
NdisMRegisterDevice
NdisMSleep
NdisMDeregisterDevice
NdisCloseConfiguration
NdisIMInitializeDeviceInstanceEx
NdisOpenAdapter

/////////////////////////////////////
3. Function prototypes (heh):

NDIS_STATUS NdisIMNotifyPnPEvent(IN NDIS_HANDLE MiniportHandle, IN PNET_PNP_EVENT NetPnPEvent);
PNDIS_PACKET NdisGetReceivedPacket(IN NDIS_HANDLE NdisBindingHandle, IN NDIS_HANDLE MacContext);
VOID NdisDprAllocatePacket(OUT PNDIS_STATUS Status, OUT PNDIS_PACKET *Packet, IN NDIS_HANDLE PoolHandle);
VOID NdisDprFreePacket(IN PNDIS_PACKET Packet);
NDIS_STATUS NdisIMCancelInitializeDeviceInstance(IN NDIS_HANDLE DriverHandle, IN PNDIS_STRING DeviceInstance);
VOID NdisReEnumerateProtocolBindings(IN NDIS_HANDLE NdisProtocolHandle);
VOID NdisFreeMemory(IN PVOID VirtualAddress, IN UINT Length, IN UINT MemoryFlags);
VOID NdisOpenProtocolConfiguration(OUT PNDIS_STATUS Status, OUT PNDIS_HANDLE ConfigurationHandle, IN PNDIS_STRING ProtocolSection);
VOID NdisReadConfiguration(OUT PNDIS_STATUS Status, OUT PNDIS_CONFIGURATION_PARAMETER *ParameterValue, IN NDIS_HANDLE ConfigurationHandle, IN PNDIS_STRING Keyword, IN NDIS_PARAMETER_TYPE ParameterType);
NDIS_STATUS NdisAllocateMemoryWithTag(OUT PVOID *VirtualAddress, IN UINT Length, IN ULONG Tag);
VOID NdisInitializeEvent(IN PNDIS_EVENT Event);
VOID NdisAllocatePacketPoolEx(OUT PNDIS_STATUS Status, OUT PNDIS_HANDLE PoolHandle, IN UINT NumberOfDescriptors, IN UINT NumberOfOverflowDescriptors, IN UINT ProtocolReservedLength);
UINT NdisPacketPoolUsage(IN NDIS_HANDLE PoolHandle);
NDIS_STATUS NdisIMDeInitializeDeviceInstance(IN NDIS_HANDLE NdisMiniportHandle);
VOID NdisCloseAdapter(OUT PNDIS_STATUS Status, IN NDIS_HANDLE NdisBindingHandle);
VOID NdisSetEvent(IN PNDIS_EVENT Event);
VOID NdisMSetAttributesEx(IN NDIS_HANDLE MiniportAdapterHandle, IN NDIS_HANDLE MiniportAdapterContext, IN UINT CheckForHangTimeInSeconds OPTIONAL, IN ULONG AttributeFlags, IN NDIS_INTERFACE_TYPE AdapterType);
NDIS_HANDLE NdisIMGetDeviceContext(IN NDIS_HANDLE MiniportAdapterHandle);
VOID NdisFreePacket(IN PNDIS_PACKET Packet);
VOID NdisIMCopySendCompletePerPacketInfo(IN PNDIS_PACKET DstPacket, IN PNDIS_PACKET SrcPacket);
VOID NdisIMCopySendPerPacketInfo(IN PNDIS_PACKET DstPacket, IN PNDIS_PACKET SrcPacket);
VOID NdisAllocatePacket(OUT PNDIS_STATUS Status, OUT PNDIS_PACKET *Packet, IN NDIS_HANDLE PoolHandle);
PNDIS_PACKET_STACK NdisIMGetCurrentPacketStack(IN PNDIS_PACKET Packet, OUT BOOLEAN *StacksRemaining);
VOID NdisRequest(OUT PNDIS_STATUS Status, IN NDIS_HANDLE NdisBindingHandle, IN PNDIS_REQUEST NdisRequest);
VOID NdisMIndicateStatusComplete(IN NDIS_HANDLE MiniportAdapterHandle);
VOID NdisMIndicateStatus(IN NDIS_HANDLE MiniportAdapterHandle, IN NDIS_STATUS GeneralStatus, IN PVOID StatusBuffer, IN UINT StatusBufferSize);
VOID NdisReturnPackets(IN PNDIS_PACKET *PacketsToReturn, IN UINT NumberOfPackets);
NDIS_HANDLE NdisGetPoolFromPacket(IN PNDIS_PACKET Packet);
BOOLEAN NdisWaitEvent(IN PNDIS_EVENT Event, IN UINT MsToWait);
VOID NdisResetEvent(IN PNDIS_EVENT Event);
VOID NdisCancelSendPackets(IN NDIS_HANDLE NdisBindingHandle, IN PVOID CancelId);
VOID NdisFreePacketPool(IN NDIS_HANDLE PoolHandle);
VOID NdisTerminateWrapper(IN NDIS_HANDLE NdisWrapperHandle, IN PVOID SystemSpecific);
VOID NdisIMAssociateMiniport(IN NDIS_HANDLE DriverHandle, IN NDIS_HANDLE ProtocolHandle);
VOID NdisIMDeregisterLayeredMiniport(IN NDIS_HANDLE DriverHandle);
VOID NdisRegisterProtocol(OUT PNDIS_STATUS Status, OUT PNDIS_HANDLE NdisProtocolHandle, IN PNDIS_PROTOCOL_CHARACTERISTICS ProtocolCharacteristics, IN UINT CharacteristicsLength);
VOID NdisMRegisterUnloadHandler(IN NDIS_HANDLE NdisWrapperHandle, IN PDRIVER_UNLOAD UnloadHandler);
NDIS_STATUS NdisIMRegisterLayeredMiniport(IN NDIS_HANDLE NdisWrapperHandle, IN PNDIS_MINIPORT_CHARACTERISTICS MiniportCharacteristics, IN UINT CharacteristicsLength, OUT PNDIS_HANDLE DriverHandle);
NDIS_STATUS NdisMRegisterDevice(IN NDIS_HANDLE NdisWrapperHandle, IN PNDIS_STRING DeviceName, IN PNDIS_STRING SymbolicName, IN PDRIVER_DISPATCH MajorFunctions[], OUT PDEVICE_OBJECT *pDeviceObject, OUT NDIS_HANDLE *NdisDeviceHandle);
VOID NdisMSleep(IN ULONG MicrosecondsToSleep);
NDIS_STATUS NdisMDeregisterDevice(IN NDIS_HANDLE NdisDeviceHandle);
VOID NdisCloseConfiguration(IN NDIS_HANDLE ConfigurationHandle);
NDIS_STATUS NdisIMInitializeDeviceInstanceEx(IN NDIS_HANDLE DriverHandle, IN PNDIS_STRING DriverInstance, IN NDIS_HANDLE DeviceContext OPTIONAL);
VOID NdisOpenAdapter(OUT PNDIS_STATUS Status, OUT PNDIS_STATUS OpenErrorStatus, OUT PNDIS_HANDLE NdisBindingHandle, OUT PUINT SelectedMediumIndex, IN PNDIS_MEDIUM MediumArray, IN UINT MediumArraySize, IN NDIS_HANDLE NdisProtocolHandle, IN NDIS_HANDLE ProtocolBindingContext, IN PNDIS_STRING AdapterName, IN UINT OpenOptions, IN PSTRING AddressingInformation OPTIONAL);

///////////////////////////////////////
4. List of functions in each file. Each function is followed by the functions it calls. The commonly used ones are not listed under each function:
NdisZeroMemory
NdisMoveMemory
NdisFreeMemory
NdisMSleep
NdisInitUnicodeString
NdisAcquireSpinLock
NdisReleaseSpinLock
NdisFreeSpinLock

1. passthru.c:
DriverEntry (roughly uses the following):
    NdisAllocateSpinLock
    NdisMInitializeWrapper
    NdisIMRegisterLayeredMiniport
    NdisRegisterProtocol
    NdisIMAssociateMiniport
    PtRegisterDevice
PtRegisterDevice
    NdisMRegisterDevice
PtDispatch
    IoGetCurrentIrpStackLocation
    IoCompleteRequest
PtDeregisterDevice
PtUnload
    PtUnloadProtocol
    NdisIMDeregisterLayeredMiniport

2. miniport.c:
MPInitialize
    NdisMSetAttributesEx
    PtRegisterDevice
    NdisSetEvent
MPSend
    NdisIMGetCurrentPacketStack
    NdisSend
    NdisAllocatePacket
    NdisFreePacket
MPSendPackets
    NdisMSendComplete
    NdisIMGetCurrentPacketStack
    NdisSend
    NdisAllocatePacket
    NdisGetPacketFlags
    NdisIMCopySendPerPacketInfo
MPQueryInformation
    NdisRequest
    PtRequestComplete
MPQueryPNPCapabilities
MPSetInformation
    MPProcessSetPowerOid
MPProcessSetPowerOid
    NdisMIndicateStatus
    NdisMIndicateStatusComplete
MPReturnPacket
    NdisGetPoolFromPacket
    NdisReturnPackets
    NdisFreePacket
MPTransferData
    IsIMDeviceStateOn
    NdisTransferData
    PtDeregisterDevice
    NdisResetEvent
    PtDereferenceAdapt
MPCancelSendPackets
    NdisCancelSendPackets
MPDevicePnPEvent
MPAdapterShutdown
MPFreeAllPacketPools
    NdisFreePacketPool

3. protocol.c:
PtBindAdapter
    NdisOpenProtocolConfiguration
    NdisReadConfiguration
    NdisAllocateMemoryWithTag
    NdisInitializeEvent
    NdisAllocatePacketPoolEx
    NdisOpenAdapter
    NdisWaitEvent
    PtReferenceAdapt
    NdisInitializeEvent
    NdisIMInitializeDeviceInstanceEx
    PtDereferenceAdapt
    NdisCloseConfiguration
    NdisCloseAdapter
PtOpenAdapterComplete
    NdisSetEvent
PtUnbindAdapter
    PtRequestComplete
    NdisIMCancelInitializeDeviceInstance
    NdisWaitEvent
    NdisIMDeInitializeDeviceInstance
    NdisResetEvent
    NdisCloseAdapter
    NdisWaitEvent
    MPFreeAllPacketPools
PtUnloadProtocol
    NdisDeregisterProtocol
    IoDeleteDevice
PtCloseAdapterComplete
    NdisSetEvent
PtResetComplete
PtRequestComplete
    NdisMQueryInformationComplete
    NdisMSetInformationComplete
PtStatus
    NdisMIndicateStatus
PtStatusComplete
    NdisMIndicateStatusComplete
PtSendComplete
    NdisGetPoolFromPacket
    NdisMSendComplete
    NdisDprFreePacket
PtTransferDataComplete
    NdisMTransferDataComplete
PtReceive
    NdisGetReceivedPacket
    NdisDprAllocatePacket
    NdisMIndicateReceivePacket
    NdisDprFreePacket
    NdisMEthIndicateReceive
    NdisMTrIndicateReceive
    NdisMFddiIndicateReceive
PtReceiveComplete
    KeGetCurrentProcessorNumber
    NdisMTrIndicateReceiveComplete
    NdisMFddiIndicateReceiveComplete
PtReceivePacket
    NdisIMGetCurrentPacketStack
    NdisMIndicateReceivePacket
    NdisDprFreePacket
PtPNPHandler
    PtPnPNetEventSetPower
    PtPnPNetEventReconfigure
    NdisIMNotifyPnPEvent
PtPnPNetEventReconfigure
    NdisReEnumerateProtocolBindings
    NdisIMNotifyPnPEvent
PtPnPNetEventSetPower
    NdisIMNotifyPnPEvent
    PtRequestComplete
    NdisPacketPoolUsage
    NdisRequest
    PtRequestComplete
PtReferenceAdapt
    MPFreeAllPacketPools

posted on 2010-04-18 19:26 iniwf    Categories: Drivers, Disassembly
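Sections 1 and 2 of the notes (imported modules, functions taken from each, and the bp module!function breakpoints they enable) come straight out of the image's import directory. The script below, an added example that is not part of the original post and not passthru code, walks that directory by hand for PE32 and PE32+ images and turns the result into breakpoint commands. The image it parses is constructed inline as a stand-in for a real .sys, using a few of the names the notes list plus one import by ordinal; pass the bytes of a real driver to parse_imports() instead.

```python
# Added example (not from the original post): minimal PE import-table walker that recovers
# the imported modules and the functions taken from each, i.e. sections 1 and 2 of the notes.
# build_sample_image() constructs a stand-in image inline so the script runs offline.
import struct
IMPORT_DIR_INDEX = 1  # IMAGE_DIRECTORY_ENTRY_IMPORT

def _section_table(data, pe_off):  # yields (virtual_addr, virtual_size, raw_ptr, raw_size)
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    for i in range(nsec):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, pe_off + 24 + opt_size + 40 * i + 8)
        yield vaddr, vsize, rptr, rsize

def _rva_to_offset(rva, sections):  # unmapped RVAs are rejected rather than guessed
    for vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + rptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def parse_imports(data):
    """Return {dll_name: [function name or '#ordinal', ...]} for a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    thunk_fmt, dd_off = ("<I", 96) if magic == 0x10B else ("<Q", 112)  # PE32 vs PE32+ layout
    ndirs = struct.unpack_from("<I", data, opt + dd_off - 4)[0]         # NumberOfRvaAndSizes
    imp_rva = struct.unpack_from("<I", data, opt + dd_off + 8 * IMPORT_DIR_INDEX)[0] if ndirs > IMPORT_DIR_INDEX else 0
    if imp_rva == 0:
        return {}                   # image has no import directory
    sections = list(_section_table(data, pe_off))
    ordinal_flag = 1 << (struct.calcsize(thunk_fmt) * 8 - 1)
    result, desc = {}, _rva_to_offset(imp_rva, sections)
    while True:
        ilt_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break                   # an all-zero IMAGE_IMPORT_DESCRIPTOR ends the table
        names, thunk = [], _rva_to_offset(ilt_rva or iat_rva, sections)  # ILT, else the IAT
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                names.append("#%d" % (entry & 0xFFFF))
            else:                   # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the ASCIIZ name
                names.append(_cstring(data, _rva_to_offset(entry, sections) + 2))
            thunk += struct.calcsize(thunk_fmt)
        result[_cstring(data, _rva_to_offset(name_rva, sections))] = names
        desc += 20
    return result

def breakpoint_commands(imports):  # 'bp module!function' lines as the notes suggest (WinDbg calls ntoskrnl 'nt')
    return ["bp %s!%s" % (dll.rsplit(".", 1)[0], fn)
            for dll, fns in imports.items() for fn in fns if not fn.startswith("#")]

def build_sample_image(imports):  # constructed PE32 image whose single section holds only an import table
    sec_rva, sec_raw = 0x1000, 0x200
    body, descs = bytearray(20 * (len(imports) + 1)), []  # descriptor array + zero terminator
    for dll, names in imports.items():
        thunks = []
        for fn in names:
            if fn.startswith("#"):                          # import by ordinal
                thunks.append(0x80000000 | int(fn[1:]))
                continue
            thunks.append(sec_rva + len(body))
            body += b"\0\0" + fn.encode("ascii") + b"\0"
            body += b"\0" * (len(body) % 2)                 # word-align hint/name entries
        name_rva = sec_rva + len(body)
        body += dll.encode("ascii") + b"\0"
        body += b"\0" * (-len(body) % 4)
        ilt_rva, iat_rva = sec_rva + len(body), sec_rva + len(body) + 4 * (len(thunks) + 1)
        body += 2 * b"".join(struct.pack("<I", t) for t in thunks + [0])  # ILT, then identical IAT
        descs.append(struct.pack("<IIIII", ilt_rva, 0, 0, name_rva, iat_rva))
    body[:20 * len(descs)] = b"".join(descs)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIR_INDEX, sec_rva, 20 * (len(descs) + 1))
    hdr += opt + b".idata\0\0" + struct.pack("<IIIIIIHHI", len(body), sec_rva, len(body), sec_raw, 0, 0, 0, 0, 0x40000040)
    return bytes(hdr + b"\0" * (sec_raw - len(hdr)) + body)

# Constructed sample: a few of the imports the notes list for passthru.sys, plus one ordinal import.
SAMPLE_IMPORTS = {"ntoskrnl.exe": ["IoCreateDevice", "IoDeleteDevice", "DbgPrint"],
                  "HAL.dll": ["KfAcquireSpinLock", "KfReleaseSpinLock"],
                  "NDIS.SYS": ["NdisRegisterProtocol", "NdisOpenAdapter", "#7"]}

if __name__ == "__main__":
    print("\n".join(breakpoint_commands(parse_imports(build_sample_image(SAMPLE_IMPORTS)))))
```

The walker follows the ILT (OriginalFirstThunk) rather than the IAT so that it still reads correctly from an on-disk file, where the IAT is unresolved anyway, and it refuses RVAs that no section backs instead of reading past the buffer. Ordinal imports come back as "#n" and are left out of the breakpoint list, since they have no symbol to break on.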