[OSy] Help with disassembly
Jozef Misutka
misutkajunior at hotmail.com
Fri Apr 8 13:02:20 CEST 2005
Hi,
I have a small problem. I have an assembly listing here; it is some procedure that takes 2 parameters, and at the end of this listing the function
NTSTATUS
IoCallDriver(
IN PDEVICE_OBJECT DeviceObject,
IN OUT PIRP Irp
);
(or its equivalent, at least I think so; the convention in Windows is to export slightly different names that carry additional info about those functions... (SendMessageA, SendMessageW...))
is called, which takes 2 parameters. However I look at it, I cannot find those 2 parameters. In my opinion they are not on the stack: when IP gets there, the stack only holds the register values that were saved at the start of the procedure. Don't pay too much attention to the comments next to the instructions, because some of them may not be correct, especially after address .text:0001FEAA.
.text:0001FE5B sub_1FE5B proc near ; CODE XREF: sub_1FC4E+6Ep
.text:0001FE5B ; sub_1FF66+64p ...
.text:0001FE5B
.text:0001FE5B var_1C = byte ptr -1Ch
.text:0001FE5B var_C = dword ptr -0Ch
.text:0001FE5B var_8 = dword ptr -8
.text:0001FE5B var_4 = dword ptr -4
.text:0001FE5B arg_0 = dword ptr 8
.text:0001FE5B arg_4 = dword ptr 0Ch
.text:0001FE5B
.text:0001FE5B push ebp ; (IN OUT HdeviceExt/status, buf)
.text:0001FE5C mov ebp, esp
.text:0001FE5E sub esp, 1Ch ; 2 ints, 1 struct, 1 bool (byte)?
.text:0001FE61 push ebx
.text:0001FE62 push esi
.text:0001FE63 mov esi, [ebp+arg_0]
.text:0001FE66 push edi
.text:0001FE67 xor edi, edi
.text:0001FE69 push edi
.text:0001FE6A push edi
.text:0001FE6B lea eax, [esi+6Ch]
.text:0001FE6E push edi
.text:0001FE6F push edi
.text:0001FE70 push eax
.text:0001FE71 mov [ebp+var_4], eax
.text:0001FE74 call ds:KeWaitForSingleObject ; (eax,0,0,0,0)
.text:0001FE7A push edi
.text:0001FE7B lea eax, [ebp+var_1C]
.text:0001FE7E push 1
.text:0001FE80 push eax
.text:0001FE81 call ds:KeInitializeEvent ; (,1,0)
.text:0001FE87 mov eax, [esi+90h]
.text:0001FE8D push edi
.text:0001FE8E mov al, [eax+30h]
.text:0001FE91 push eax
.text:0001FE92 call ds:IoAllocateIrp ; (CCHAR,FALSE)
.text:0001FE98 mov ebx, eax
.text:0001FE9A cmp ebx, edi
.text:0001FE9C jnz short loc_1FEAA ; jump if IRP was allocated
.text:0001FE9E mov [ebp+arg_0], 0C0000001h ; STATUS_UNSUCCESSFUL
.text:0001FEA5 jmp loc_1FF4E
.text:0001FEAA ; ---------------------------------------------------------------------------
.text:0001FEAA
.text:0001FEAA loc_1FEAA: ; CODE XREF: sub_1FE5B+41j
.text:0001FEAA mov eax, [ebx+60h] ; ebx = PIRP->_IO_STACK_LOCATION ??? some macro? it shouldn't be used "directly" like this
.text:0001FEAD mov ecx, [ebp+arg_4]
.text:0001FEB0 sub eax, 24h ; ?? if it's on the stack, then those parameters go from the bottom up
.text:0001FEB3 mov byte ptr [eax], 0Fh ; MajorFunction = IRP_MJ_INTERNAL_DEVICE_CONTROL
.text:0001FEB6 mov dword ptr [eax+0Ch], 220003h ; IoControlCode FILE_DEVICE_UNKNOWN (USB), fileanyaccess, IOCTL_INTERNAL_USB_SUBMIT_URB, METHOD_NEITHER
.text:0001FEBD mov [eax+4], ecx ; OutputBufferLength = buf?
.text:0001FEC0 mov eax, [ebx+60h]
.text:0001FEC3 sub eax, 24h
.text:0001FEC6 lea ecx, [ebp+var_1C]
.text:0001FEC9 mov dword ptr [eax+1Ch], offset loc_1FE45
.text:0001FED0 mov [eax+20h], ecx
.text:0001FED3 mov byte ptr [eax+3], 0E0h ; Control = 0E0??? drivers have read only access.....>???
.text:0001FED7 cmp [esi+84h], edi
.text:0001FEDD jz short loc_1FEF2
.text:0001FEDF mov ecx, [esi+90h]
.text:0001FEE5 mov edx, ebx
.text:0001FEE7 call ds:IofCallDriver
.text:0001FEED mov [ebp+arg_0], eax
.text:0001FEF0 jmp short loc_1FEF9
Thanks for any help, jozo
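The decoder below is an added example, not code from the post: it takes the immediates the listing stores relative to the next stack location (`mov byte ptr [eax], 0Fh`, `mov dword ptr [eax+0Ch], 220003h`, `mov byte ptr [eax+3], 0E0h`) and names the IO_STACK_LOCATION fields and wdm.h constants they correspond to. It assumes the 32-bit x86 field offsets of IO_STACK_LOCATION (sizeof 0x24, which is what the `sub eax, 24h` steps back by) and the public CTL_CODE/SL_* constant values.

```python
# Added example, not from the original post: decode the constants the listing
# stores into the next IO_STACK_LOCATION. Field offsets are the 32-bit x86
# layout as assumed here (sizeof == 0x24, hence `sub eax, 24h` to step back
# one location from CurrentStackLocation); constants are public wdm.h values.

SIZEOF_IO_STACK_LOCATION = 0x24
STACK_LOCATION_FIELDS = {                      # assumed x86 offsets
    0x00: "MajorFunction", 0x01: "MinorFunction", 0x02: "Flags", 0x03: "Control",
    0x04: "Parameters.DeviceIoControl.OutputBufferLength",
    0x08: "Parameters.DeviceIoControl.InputBufferLength",
    0x0C: "Parameters.DeviceIoControl.IoControlCode",
    0x10: "Parameters.DeviceIoControl.Type3InputBuffer",
    0x14: "DeviceObject", 0x18: "FileObject",
    0x1C: "CompletionRoutine", 0x20: "Context",
}
IRP_MJ = {0x0E: "IRP_MJ_DEVICE_CONTROL", 0x0F: "IRP_MJ_INTERNAL_DEVICE_CONTROL"}
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
ACCESS = ["FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
          "FILE_READ_ACCESS|FILE_WRITE_ACCESS"]
# IoSetCompletionRoutine ORs these into Control; 0xE0 means all three are set.
SL_FLAGS = {0x20: "SL_INVOKE_ON_CANCEL", 0x40: "SL_INVOKE_ON_SUCCESS", 0x80: "SL_INVOKE_ON_ERROR"}


def decode_ctl_code(code):
    """Undo the CTL_CODE(DeviceType, Function, Method, Access) bit packing."""
    return {"device_type": code >> 16, "access": ACCESS[(code >> 14) & 3],
            "function": (code >> 2) & 0xFFF, "method": METHODS[code & 3]}


def decode_control(byte):
    """Name the SL_* flags set in the Control byte."""
    return [name for bit, name in sorted(SL_FLAGS.items()) if byte & bit]


def annotate_stores(stores):
    """Map (offset, value) stores relative to the next stack location to fields."""
    out = {}
    for off, val in stores:
        field = STACK_LOCATION_FIELDS.get(off, "unknown+%#x" % off)
        if field == "MajorFunction":
            val = IRP_MJ.get(val, val)
        elif field.endswith("IoControlCode"):
            val = decode_ctl_code(val)
        elif field == "Control":
            val = decode_control(val)
        out[field] = val
    return out


# Constructed from the listing: the immediate stores at .text:0001FEB3..0001FED3.
LISTING_STORES = [(0x00, 0x0F), (0x0C, 0x220003), (0x03, 0xE0)]
```

Note that IofCallDriver uses the FASTCALL convention on x86, so its DeviceObject and Irp arguments travel in ecx and edx rather than on the stack; the `mov ecx, [esi+90h]` / `mov edx, ebx` pair right before the call is where the two parameters are set up.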
More information about the NSWI004 mailing list