The function NhGetInterfaceNameFromDeviceGuid is exported by IPHLPAPI.DLL. It returns the device interface name that corresponds to a given GUID: for example, the network interface card GUID "94C913BF-EFA9-419B-8506-BB88B0F3B34F" maps to the interface name "local connection". However, Microsoft does not document this function. By debugging dynamically with OllyDbg I worked out how it is called, and I'd like to share that here.

First, the function prototype and what each parameter means:
DWORD __stdcall NhGetInterfaceNameFromDeviceGuid(
    GUID  *guid,              // device GUID
    char  *buf,               // buffer that receives the device interface name
    DWORD *buflen,            // length of the buffer in bytes
    DWORD  unknown1 /*=0*/,   // unknown, pass 0
    DWORD  unknown2 /*=1*/);  // unknown, pass 1
Example:

#include <windows.h>
#include <tchar.h>
#include <stdio.h>

void GUIDFormString(const char *pszGuid, GUID &guid); // defined below

// No SDK header declares this export, so declare the type ourselves and resolve it at run time.
typedef DWORD (__stdcall *type_NhGetInterfaceNameFromDeviceGuid)(GUID *guid, char *buf, DWORD *buflen,
                                                                 DWORD unknown1 /*=0*/, DWORD unknown2 /*=1*/);

int main()
{
    HMODULE hDll = LoadLibrary(_T("Iphlpapi.dll"));
    if (hDll == NULL) return 1;
    type_NhGetInterfaceNameFromDeviceGuid NhGetInterfaceNameFromDeviceGuid =
        (type_NhGetInterfaceNameFromDeviceGuid)GetProcAddress(hDll, "NhGetInterfaceNameFromDeviceGuid");
    if (NhGetInterfaceNameFromDeviceGuid == NULL) { FreeLibrary(hDll); return 1; } // export not present
    GUID guid;
    GUIDFormString("94C913BF-EFA9-419B-8506-BB88B0F3B34F", guid);
    TCHAR buf[100] = {0};
    DWORD len = sizeof(buf);   // in: buffer size in bytes
    DWORD ret = NhGetInterfaceNameFromDeviceGuid(&guid, (char *)buf, &len, 0, 1);
    if (ret == 0) {
        // success: the string "local connection" is stored in buf.
        _tprintf(_T("%s\n"), buf);
    }
    FreeLibrary(hDll);
    return 0;
}
The helper GUIDFormString used above:

#include <windows.h>
#include <stdio.h>
#include <string.h>

void GUIDFormString(const char *pszGuid, GUID &guid)
{
    // %x always stores an unsigned int, so never point it at the 16-bit Data2/Data3
    // or the 8-bit Data4 fields directly: parse into temporaries, then narrow.
    unsigned int d1, d2, d3, d4[8];
    int n = sscanf(pszGuid, "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
                   &d1, &d2, &d3, &d4[0], &d4[1], &d4[2], &d4[3], &d4[4], &d4[5], &d4[6], &d4[7]);
    if (n != 11) {                      // malformed string: leave a null GUID rather than garbage
        memset(&guid, 0, sizeof(guid));
        return;
    }
    guid.Data1 = d1;
    guid.Data2 = (unsigned short)d2;
    guid.Data3 = (unsigned short)d3;
    for (int i = 0; i < 8; i++)
        guid.Data4[i] = (unsigned char)d4[i];
}
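As an added example (not code from the original post), here is a portable, fully checked version of the same GUID-string parsing together with its inverse, so a round trip can confirm how the text maps onto the struct's bytes. It defines its own GUID struct with fixed-width types so it builds outside Windows (the layout matches the SDK's GUID), rejects malformed input instead of partially filling the struct, and also accepts the braced form seen in the registry. The function names (guid_from_string, guid_to_string, guid_roundtrip_ok, guid_selfcheck) and the malformed sample strings are my own.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Same layout as the Windows SDK GUID; defined here so the example builds anywhere. */
typedef struct {
    uint32_t Data1;
    uint16_t Data2;
    uint16_t Data3;
    uint8_t  Data4[8];
} GUID;

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Read n hex digits starting at s into *out. Returns 0 on a non-hex character. */
static int read_hex(const char *s, int n, uint32_t *out)
{
    uint32_t v = 0;
    for (int i = 0; i < n; i++) {
        int d = hexval(s[i]);
        if (d < 0) return 0;
        v = (v << 4) | (uint32_t)d;
    }
    *out = v;
    return 1;
}

/* Parse "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", optionally wrapped in braces.
 * Every character is checked, so the result is either a fully valid GUID or 0.
 * Each field is read into a uint32_t and then narrowed to its real width. */
int guid_from_string(const char *s, GUID *g)
{
    size_t len = strlen(s);
    if (len == 38 && s[0] == '{' && s[37] == '}') { s++; len = 36; }
    if (len != 36 || s[8] != '-' || s[13] != '-' || s[18] != '-' || s[23] != '-') return 0;

    uint32_t v;
    if (!read_hex(s, 8, &v)) return 0;
    g->Data1 = v;
    if (!read_hex(s + 9, 4, &v)) return 0;
    g->Data2 = (uint16_t)v;
    if (!read_hex(s + 14, 4, &v)) return 0;
    g->Data3 = (uint16_t)v;
    /* Data4 is stored byte by byte in text order: two bytes from the 4th group, six from the 5th. */
    static const int off[8] = {19, 21, 24, 26, 28, 30, 32, 34};
    for (int i = 0; i < 8; i++) {
        if (!read_hex(s + off[i], 2, &v)) return 0;
        g->Data4[i] = (uint8_t)v;
    }
    return 1;
}

/* Inverse of guid_from_string; out needs at least 37 bytes. Returns 0 if it does not fit. */
int guid_to_string(const GUID *g, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X",
                     (unsigned)g->Data1, (unsigned)g->Data2, (unsigned)g->Data3,
                     (unsigned)g->Data4[0], (unsigned)g->Data4[1], (unsigned)g->Data4[2],
                     (unsigned)g->Data4[3], (unsigned)g->Data4[4], (unsigned)g->Data4[5],
                     (unsigned)g->Data4[6], (unsigned)g->Data4[7]);
    return n == 36 && (size_t)n < outlen;
}

/* Parses s, formats it back and compares the text (braces stripped; input is expected in
 * uppercase, as the formatter emits). Returns 1 on a clean round trip, 0 if s is rejected. */
int guid_roundtrip_ok(const char *s)
{
    GUID g;
    char back[37];
    if (!guid_from_string(s, &g) || !guid_to_string(&g, back, sizeof back)) return 0;
    if (s[0] == '{') s++;
    return strncmp(s, back, 36) == 0;
}

/* Checks the field values for the GUID used in the post. Returns 1 if all match. */
int guid_selfcheck(void)
{
    GUID g;
    if (!guid_from_string("94C913BF-EFA9-419B-8506-BB88B0F3B34F", &g)) return 0;
    return g.Data1 == 0x94C913BFu && g.Data2 == 0xEFA9 && g.Data3 == 0x419B &&
           g.Data4[0] == 0x85 && g.Data4[1] == 0x06 && g.Data4[2] == 0xBB && g.Data4[7] == 0x4F;
}

int main(void)
{
    const char *inputs[] = {
        "94C913BF-EFA9-419B-8506-BB88B0F3B34F",   /* the GUID from the post */
        "{94C913BF-EFA9-419B-8506-BB88B0F3B34F}", /* registry-style braces */
        "94C913BF-EFA9-419B-8506-BB88B0F3B34",    /* constructed: one digit short */
        "94C913BF-EFA9-419B-8506-BB88B0F3B34G",   /* constructed: non-hex digit */
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-40s -> %s\n", inputs[i], guid_roundtrip_ok(inputs[i]) ? "ok" : "rejected");
    return guid_selfcheck() ? 0 : 1;
}
```

The parser refuses anything that is not exactly a GUID, so a caller passing it to a function like NhGetInterfaceNameFromDeviceGuid never hands over a half-filled struct; the round trip is the quickest way to prove the Data4 byte order is right before trusting the parser on real input.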
Analysis process:
Load taskmgr.exe in OllyDbg and set a breakpoint on NhGetInterfaceNameFromDeviceGuid. Press F9 to run; it breaks when the caller reaches <JMP.&IPHLPAPI.NhGetInterfaceNameFromDeviceGuid>. In the listing below, the five pushes before the call give the argument order (the last value pushed is the first argument), the constants 1 and 0 are the fifth and fourth arguments, and the value 200h is written into the local that becomes the third argument. The assembly code is as follows:
0082166D /$ 8BFF           mov edi, edi
0082166F |. 55             push ebp
00821670 |. 8BEC           mov ebp, esp
00821672 |. 81EC 0C020000  sub esp, 20C
00821678 |. A1 8CE08200    mov eax, dword ptr [82E08C]
0082167D |. 33C5           xor eax, ebp
0082167F |. 8945 FC        mov dword ptr [ebp-4], eax
00821682 |. 8B45 08        mov eax, dword ptr [ebp+8]
00821685 |. 56             push esi
00821686 |. 8B75 0C        mov esi, dword ptr [ebp+C]
00821689 |. 85C0           test eax, eax
0082168B |. 75 07          jnz short 00821694
0082168D |. B8 57000780    mov eax, 80070057
00821692 |. EB 44          jmp short 008216D8
00821694 |> 33C9           xor ecx, ecx                                         ; zero ecx
00821696 |. 6A 01          push 1                                               ; fifth argument, always 1
00821698 |. 51             push ecx                                             ; fourth argument, always 0
00821699 |. 66:894D F8     mov word ptr [ebp-8], cx
0082169D |. 8D8D F4FDFFFF  lea ecx, dword ptr [ebp-20C]                         ; third argument: address of a local variable
008216A3 |. 51             push ecx
008216A4 |. 8D8D F8FDFFFF  lea ecx, dword ptr [ebp-208]                         ; second argument: address of a local variable
008216AA |. 51             push ecx
008216AB |. 50             push eax                                             ; first argument: inspecting the memory eax points to shows it is the address of a GUID variable
008216AC |. C785 F4FDFFFF> mov dword ptr [ebp-20C], 200                         ; set the local used as the third argument to 200h
008216B6 |. E8 3D9C0000    call <jmp.&IPHLPAPI.NhGetInterfaceNameFromDeviceGuid> ; call the function
008216BB |. 85C0           test eax, eax                                        ; check the return value; 0 means success
008216BD |. 75 14          jnz short 008216D3
008216BF |. 8D85 F8FDFFFF  lea eax, dword ptr [ebp-208]                         ; inspecting this memory confirms the second argument's buffer now holds the interface name the function returned
008216C5 |. 50             push eax
008216C6 |. FF75 10        push dword ptr [ebp+10]
008216C9 |. 56             push esi
008216CA |. E8 4C03FFFF    call 00811A1B
008216CF |. 33C0           xor eax, eax
008216D1 |. EB 05          jmp short 008216D8
008216D3 |> B8 05400080    mov eax, 80004005
008216D8 |> 8B4D FC        mov ecx, dword ptr [ebp-4]
008216DB |. 33CD           xor ecx, ebp
008216DD |. 5E             pop esi
008216DE |. E8 96FFFEFF    call 00811679
008216E3 |. C9             leave
008216E4 \. C2 0C00        retn 0C