Kernel Disassembly Study Notes 3
This section mainly looks at global and local variables. The program is getting longer, so feel free to skip ahead while reading.
If a global variable is defined and assigned at program start, it is stored in the Data section, and the Data section can be located by static disassembly.
Local variables are defined inside a function; before they are used, space has to be opened up for them with something like sub esp,10h.
Need to master:
Static disassembly tools
Where variables are stored
sub
Basic understanding:
How to read a global variable: 1. get the address where the global is stored; 2. the relation between the file offset and the actual memory address.
Not needed:
After disassembling with w32asm, if you need to copy its contents, first save as an .alf file, then open it with a text reader.
Program used: bz4
#include <ntddk.h>

ULONG au1, au2;        /* uninitialized globals */
ULONG au3 = 7;         /* initialized globals: these land in the Data section */
ULONG au4 = 9;

ULONG MyAdd1(ULONG u1, ULONG u2)
{
    return u1 + u2;
}

ULONG MyAdd2(ULONG u1, ULONG u2)
{
    ULONG u3;              /* one local: the compiler pushes ecx to make room */
    u3 = u1 + u2;
    return u3;
}

ULONG MyAdd3(ULONG u1, ULONG u2)
{
    ULONG u3, u4, u5, u6;  /* four locals: the compiler does sub esp,10h */
    u3 = u1 + u2;
    u4 = u3 + u1;
    u5 = u1;
    u6 = u1 + u3;
    return u3 + u4 + u5 + u6;
}

VOID DriverUnload(PDRIVER_OBJECT driver)
{
    DbgPrint("unload...\r\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
    ULONG x1 = 5;
    ULONG x2 = 8;
    ULONG x3;
#if DBG
    _asm int 3
#endif
    au1 = MyAdd1(x1, x2);  /* call the custom function, then look at the result in the disassembly */
    DbgPrint("au1 Result:%d\n!", au1);
    au2 = MyAdd2(x1, x2);  /* call the custom function, then look at the result in the disassembly */
    DbgPrint("au2 Result:%d\n!", au2);
    x3 = MyAdd3(x1, x2);   /* call the custom function, then look at the result in the disassembly */
    DbgPrint("Result:%d\n!", x3);
    DbgPrint("au3 Result:%d\n!", au3);
    DbgPrint("au4 Result:%d\n!", au4);
    driver->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}
Next we disassemble with w32asm and windbg and compare the two listings. Both run from 55F to 5B1, so they clearly correspond one to one; only the leading part of the address is shifted.
We know that Data Offset is the Data section, which holds the global variables. This program's globals are:
ULONG au3 = 7;
ULONG au4 = 9;
Obviously dd 00000700 will show no data; we have to dd f84f7700. Once the driver is running, let's check whether that is the case.
w32asm disassembly:
Code Offset = 00000480, Code Size = 00000200
Data Offset = 00000700, Data Size = 00000080
...............
:0001055F 52 push edx
* Possible StringData Ref from Code Obj ->"au1 Result:%d
!"
|
:00010560 6850060100 push 00010650
* Reference To: ntoskrnl.DbgPrint, Ord:0030h
|
:00010565 E888000000 Call 000105F2
:0001056A 83C408 add esp, 00000008
:0001056D 8B45FC mov eax, dword ptr [ebp-04]
:00010570 50 push eax
:00010571 8B4DF8 mov ecx, dword ptr [ebp-08]
:00010574 51 push ecx
:00010575 E836FFFFFF call 000104B0
:0001057A A310070100 mov dword ptr [00010710], eax
:0001057F 8B1510070100 mov edx, dword ptr [00010710]
:00010585 52 push edx
:00010586 6840060100 push 00010640
* Reference To: ntoskrnl.DbgPrint, Ord:0030h
|
:0001058B E862000000 Call 000105F2
:00010590 83C408 add esp, 00000008
:00010593 8B45FC mov eax, dword ptr [ebp-04]
:00010596 50 push eax
:00010597 8B4DF8 mov ecx, dword ptr [ebp-08]
:0001059A 51 push ecx
:0001059B E830FFFFFF call 000104D0
:000105A0 8945F4 mov dword ptr [ebp-0C], eax
:000105A3 8B55F4 mov edx, dword ptr [ebp-0C]
:000105A6 52 push edx
* Possible StringData Ref from Code Obj ->"Result:%d
!"
|
:000105A7 6830060100 push 00010630
* Reference To: ntoskrnl.DbgPrint, Ord:0030h
|
:000105AC E841000000 Call 000105F2
:000105B1 83C408 add esp, 00000008
The main part of the entry function's disassembly, namely the section that calls the custom functions:
57 f84f755f 52 push edx
57 f84f7560 6850764ff8 push offset bz4! ?? ::FNODOBFM::`string' (f84f7650)
57 f84f7565 e888000000 call bz4!DbgPrint (f84f75f2)
57 f84f756a 83c408 add esp,8
59 f84f756d 8b45fc mov eax,dword ptr [ebp-4]
59 f84f7570 50 push eax
59 f84f7571 8b4df8 mov ecx,dword ptr [ebp-8]
59 f84f7574 51 push ecx
59 f84f7575 e836ffffff call bz4!MyAdd2 (f84f74b0)
59 f84f757a a310774ff8 mov dword ptr [bz4!au2 (f84f7710)],eax
61 f84f757f 8b1510774ff8 mov edx,dword ptr [bz4!au2 (f84f7710)]
61 f84f7585 52 push edx
61 f84f7586 6840764ff8 push offset bz4! ?? ::FNODOBFM::`string' (f84f7640)
61 f84f758b e862000000 call bz4!DbgPrint (f84f75f2)
61 f84f7590 83c408 add esp,8
63 f84f7593 8b45fc mov eax,dword ptr [ebp-4]
63 f84f7596 50 push eax
63 f84f7597 8b4df8 mov ecx,dword ptr [ebp-8]
63 f84f759a 51 push ecx
63 f84f759b e830ffffff call bz4!MyAdd3 (f84f74d0)
63 f84f75a0 8945f4 mov dword ptr [ebp-0Ch],eax
65 f84f75a3 8b55f4 mov edx,dword ptr [ebp-0Ch]
65 f84f75a6 52 push edx
65 f84f75a7 6830764ff8 push offset bz4! ?? ::FNODOBFM::`string' (f84f7630)
65 f84f75ac e841000000 call bz4!DbgPrint (f84f75f2)
65 f84f75b1 83c408 add esp,8
The three custom functions
kd> uf bz4!myadd1
bz4!MyAdd1 [d:\mydriver\bz4\bz4.c @ 9]:
9 f84f7490 8bff mov edi,edi
9 f84f7492 55 push ebp
9 f84f7493 8bec mov ebp,esp
10 f84f7495 8b4508 mov eax,dword ptr [ebp+8]
10 f84f7498 03450c add eax,dword ptr [ebp+0Ch]
12 f84f749b 5d pop ebp
12 f84f749c c20800 ret 8
kd> uf bz4!myadd2
bz4!MyAdd2 [d:\mydriver\bz4\bz4.c @ 15]:
15 f84f74b0 8bff mov edi,edi
15 f84f74b2 55 push ebp
15 f84f74b3 8bec mov ebp,esp
15 f84f74b5 51 push ecx
17 f84f74b6 8b4508 mov eax,dword ptr [ebp+8]
17 f84f74b9 03450c add eax,dword ptr [ebp+0Ch]
17 f84f74bc 8945fc mov dword ptr [ebp-4],eax
18 f84f74bf 8b45fc mov eax,dword ptr [ebp-4]
21 f84f74c2 8be5 mov esp,ebp
21 f84f74c4 5d pop ebp
21 f84f74c5 c20800 ret 8
kd> uf bz4!myadd3
bz4!MyAdd3 [d:\mydriver\bz4\bz4.c @ 24]:
24 f84f74d0 8bff mov edi,edi
24 f84f74d2 55 push ebp
24 f84f74d3 8bec mov ebp,esp
24 f84f74d5 83ec10 sub esp,10h
26 f84f74d8 8b4508 mov eax,dword ptr [ebp+8]
26 f84f74db 03450c add eax,dword ptr [ebp+0Ch]
26 f84f74de 8945f8 mov dword ptr [ebp-8],eax
27 f84f74e1 8b4df8 mov ecx,dword ptr [ebp-8]
27 f84f74e4 034d08 add ecx,dword ptr [ebp+8]
27 f84f74e7 894dfc mov dword ptr [ebp-4],ecx
28 f84f74ea 8b5508 mov edx,dword ptr [ebp+8]
28 f84f74ed 8955f0 mov dword ptr [ebp-10h],edx
29 f84f74f0 8b4508 mov eax,dword ptr [ebp+8]
29 f84f74f3 0345f8 add eax,dword ptr [ebp-8]
29 f84f74f6 8945f4 mov dword ptr [ebp-0Ch],eax
30 f84f74f9 8b45f8 mov eax,dword ptr [ebp-8]
30 f84f74fc 0345fc add eax,dword ptr [ebp-4]
30 f84f74ff 0345f0 add eax,dword ptr [ebp-10h]
30 f84f7502 0345f4 add eax,dword ptr [ebp-0Ch]
33 f84f7505 8be5 mov esp,ebp
33 f84f7507 5d pop ebp
33 f84f7508 c20800 ret 8
///////////////////////////////////////////
// Finally, time for the analysis
First look at the global variables:
ULONG au3 = 7;
ULONG au4 = 9;
What the program's Data section holds:
kd> dd f84f7700
f84f7700 00000007 00000009 f84de439 07b21bc6
Correct. From now on, to view a global variable's value, first disassemble the driver, get the Data offset, then dd that address and the values are visible.
/////////////////////
kd> uf bz4!myadd3
bz4!MyAdd3 [d:\mydriver\bz4\bz4.c @ 24]:
.......
24 f84f74d5 83ec10 sub esp,10h
.......
This opens up the space for the local variables.
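The two relations this note walks through, the w32asm address versus the windbg address (same offset, different image base, which is why au2's [00010710] becomes f84f7710) and the sub esp,10h frame of MyAdd3 versus its [ebp-N] slots, can be checked mechanically over the listings. The script below is an added example, not part of the original notes; the listing lines it parses are copied from the page, the preferred base 0x00010000 is assumed from the w32asm addresses, and the loaded base 0xF84F7000 from windbg.

```python
import re

# Constructed sample: a few lines in the format of the page's listings.
# w32asm prints addresses relative to the preferred image base (0x00010000);
# windbg prints the addresses at which bz4 was actually loaded.
W32ASM_LINES = """
:0001057A A310070100 mov dword ptr [00010710], eax
:0001059B E830FFFFFF call 000104D0
"""
WINDBG_LINES = """
59 f84f757a a310774ff8 mov dword ptr [bz4!au2 (f84f7710)],eax
63 f84f759b e830ffffff call bz4!MyAdd3 (f84f74d0)
24 f84f74d5 83ec10 sub esp,10h
26 f84f74de 8945f8 mov dword ptr [ebp-8],eax
27 f84f74e7 894dfc mov dword ptr [ebp-4],ecx
28 f84f74ed 8955f0 mov dword ptr [ebp-10h],edx
29 f84f74f6 8945f4 mov dword ptr [ebp-0Ch],eax
"""

PREFERRED_BASE = 0x00010000   # assumed: base w32asm uses for the image
LOADED_BASE = 0xF84F7000      # assumed: base windbg reported for bz4

def rebase(static_addr, preferred=PREFERRED_BASE, loaded=LOADED_BASE):
    """Static address -> runtime address: keep the offset, swap the base."""
    return static_addr - preferred + loaded

def w32asm_addrs(text):
    return [int(a, 16) for a in re.findall(r"^:([0-9A-F]{8})", text, re.M)]

def windbg_addrs(text):
    return [int(a, 16) for a in re.findall(r"^\s*\d+\s+([0-9a-f]{8})", text, re.M)]

def static_globals(text):
    """Absolute memory operands such as [00010710] in the w32asm listing."""
    return [int(a, 16) for a in re.findall(r"\[([0-9A-F]{8})\]", text)]

def frame_layout(text):
    """Frame size from 'sub esp,NNh' plus the [ebp-N] slots the function writes."""
    m = re.search(r"sub esp,([0-9a-fA-F]+)h?", text)
    size = int(m.group(1), 16) if m else 0
    slots = sorted({int(s, 16) for s in re.findall(r"\[ebp-([0-9a-fA-F]+)h?\]", text)})
    return size, slots

if __name__ == "__main__":
    print("Data section at runtime: %#x" % rebase(0x00010700))      # matches dd f84f7700
    print("global [00010710] -> %#x" % rebase(static_globals(W32ASM_LINES)[0]))
    size, slots = frame_layout(WINDBG_LINES)
    print("frame %d bytes, %d ULONG slots at ebp-%s" % (size, size // 4, slots))
```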
OK, that's it for simple assignment and function calls; next up is.....