I'm just a newbie here, trying my hand at writing a note for once. The content is as in the title.
Locating method: starting at the entry point DriverEntry, scan forward for the byte patterns 0xC7 ? 0x58 and 0x89 ? 0x58 (the ? is the ModR/M byte; 0x58 is the offset of MajorFunction[IRP_MJ_SET_EA] inside DRIVER_OBJECT, i.e. 0x38 + 8*4).
Once a match is found, correct the result using the information in the relocation table.
Er, that's roughly it.
Code:
proc __GetFsd
    locals
        @hMem rd 1
    endl
    ; expand %WinDir% and map ntfs.sys with imagehlp!ImageLoad (a file mapping, not the loaded driver)
    i ExpandEnvironmentStrings,'%WinDir%\system32\drivers\ntfs.sys',esi=strBuffer,strBuffer.size
    i ImageLoad,esi,ebx=0
    push eax                        ; keep the LOADED_IMAGE* for ImageUnload below
    mov esi,[eax+4*2]               ; LOADED_IMAGE.MappedAddress
    mov [@hMem],esi
    mov eax,[esi+0x3C]              ; e_lfanew
    add esi,[esi+eax+0x28]          ; + OptionalHeader.AddressOfEntryPoint -> DriverEntry
.reloop:
    lodsb
    cmp al,0xC7                     ; mov dword [reg+disp8],imm32
    je @F
    cmp al,0x89                     ; mov [reg+disp8],reg
    jne .reloop
@@:
    cmp byte[esi+1],0x58            ; IRP_MJ_SET_EA: MajorFunction[8] = 0x38 + 8*4
    jne .reloop
    lea ebx,[esi+2]                 ; address of the imm32 operand
    mov esi,[@hMem]
    sub ebx,esi                     ; -> offset of the imm32 inside the mapped image
    mov eax,[esi+0x3C]
    add esi,[esi+eax+0xA0]          ; + DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress
    ; walk the relocation blocks until the block whose 4K page contains ebx
    ; (test before advancing, otherwise the first block is never examined)
@@:
    mov ecx,ebx
    sub ecx,[esi]                   ; ebx - block.VirtualAddress
    cmp ecx,0x1000
    jb @F                           ; inside this page
    add esi,[esi+4]                 ; next block: + SizeOfBlock
    jmp @B
@@:
    lodsd                           ; skip VirtualAddress
    lodsd                           ; skip SizeOfBlock
    mov edx,ebx
    and edx,0x0FFF                  ; page offset we are looking for
@@:
    lodsw                           ; relocation entry: type:4 | offset:12 (entries are sorted)
    and eax,0x0FFF
    cmp edx,eax
    ja @B                           ; entry below the target: keep scanning
    je @F                           ; exact match
    mov dx,word[esi-4]              ; passed it: fall back to the previous entry's offset
    and dx,0x0FFF
@@:
    and ebx,0xFFFFF000
    add ebx,edx                     ; relocated slot within the page
    add ebx,[@hMem]
    mov ebx,[ebx]                   ; ebx = stored imm32 (handler address at the preferred ImageBase)
    i ImageUnload,                  ; the argument is the LOADED_IMAGE* pushed above
    int3                            ; debug break left in to inspect ebx
endp
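The same two steps (pattern scan from the entry point, then correction via the base-relocation table) in Python, as an added example that is not part of the post above and not the poster's code. It works on a constructed flat image where RVA equals buffer offset, so there is no section translation; PREFERRED_BASE, ENTRY_RVA, RELOC_RVA, RELOC_SIZE and HANDLER_RVA are hypothetical values chosen for the example, and the relocation table deliberately puts the interesting page in its first block so that the block walk has to check the first block rather than skip it.

```python
import struct

# Constructed example image (not ntfs.sys): a flat buffer in which RVA == offset.
IMAGE_REL_BASED_HIGHLOW = 3
IRP_MJ_SET_EA_DISP = 0x58    # DRIVER_OBJECT.MajorFunction starts at 0x38; IRP_MJ_SET_EA is index 8
PREFERRED_BASE = 0x10000     # hypothetical OptionalHeader.ImageBase
ENTRY_RVA = 0x1000           # hypothetical AddressOfEntryPoint (DriverEntry)
RELOC_RVA = 0x2000           # hypothetical DataDirectory[BASERELOC].VirtualAddress
RELOC_SIZE = 24              # hypothetical DataDirectory[BASERELOC].Size (two 12-byte blocks)
HANDLER_RVA = 0x1234         # hypothetical RVA of the IRP_MJ_SET_EA dispatch routine


def build_image():
    """Constructed image: a tiny DriverEntry plus a two-block .reloc table."""
    image = bytearray(0x2100)
    code = (
        b"\x55\x8b\xec"                  # push ebp / mov ebp,esp
        b"\x8b\x5d\x08"                  # mov ebx,[ebp+8]            ; DRIVER_OBJECT*
        b"\xc7\x43\x58"                  # mov dword [ebx+0x58],imm32 ; the C7 ? 58 pattern
        + struct.pack("<I", PREFERRED_BASE + HANDLER_RVA)   # imm32 = handler VA at preferred base
        + b"\x33\xc0\x5d\xc2\x08\x00"    # xor eax,eax / pop ebp / ret 8
    )
    image[ENTRY_RVA:ENTRY_RVA + len(code)] = code
    # Block 1 covers page 0x1000 and relocates the imm32 at RVA 0x1009 (HIGHLOW, offset 0x009).
    # Block 2 covers page 0x3000. The trailing 0 entry is ABSOLUTE padding.
    reloc = struct.pack("<IIHH", 0x1000, 12, (IMAGE_REL_BASED_HIGHLOW << 12) | 0x009, 0)
    reloc += struct.pack("<IIHH", 0x3000, 12, (IMAGE_REL_BASED_HIGHLOW << 12) | 0x010, 0)
    image[RELOC_RVA:RELOC_RVA + len(reloc)] = reloc
    return bytes(image)


def scan_for_set_ea_store(image, start_rva, limit=0x1000):
    """Naive byte scan from DriverEntry for C7 ?? 58 or 89 ?? 58, as in the post.
    Returns the RVA right after the disp8 byte (where the imm32 sits for the C7 form)."""
    for rva in range(start_rva, min(start_rva + limit, len(image) - 2)):
        if image[rva] in (0xC7, 0x89) and image[rva + 2] == IRP_MJ_SET_EA_DISP:
            return rva + 3
    return None


def find_relocation(image, reloc_rva, reloc_size, target_rva):
    """Find the relocation slot for target_rva: the exact HIGHLOW entry if present,
    otherwise the nearest preceding entry in the same page (the post's fallback).
    Returns None when no block covers the page."""
    pos, end = reloc_rva, reloc_rva + reloc_size
    while pos + 8 <= end:
        page, size = struct.unpack_from("<II", image, pos)
        if size < 8:                       # malformed block; stop rather than loop forever
            break
        if page <= target_rva < page + 0x1000:
            best = None
            for off in range(pos + 8, min(pos + size, end), 2):
                entry, = struct.unpack_from("<H", image, off)
                kind, offset = entry >> 12, entry & 0xFFF
                if kind != IMAGE_REL_BASED_HIGHLOW:
                    continue               # skip ABSOLUTE padding and other types
                if page + offset == target_rva:
                    return target_rva
                if page + offset < target_rva:
                    best = page + offset   # entries are sorted, so this is the nearest preceding one
            return best
        pos += size                        # advance only after the block has been tested
    return None


def locate_set_ea_handler(image, entry_rva, reloc_rva, reloc_size, preferred_base):
    """Combine both steps and return the handler's RVA (stored VA minus preferred base)."""
    imm_rva = scan_for_set_ea_store(image, entry_rva)
    if imm_rva is None:
        return None
    slot = find_relocation(image, reloc_rva, reloc_size, imm_rva)
    if slot is None:
        return None
    stored_va, = struct.unpack_from("<I", image, slot)
    return stored_va - preferred_base


if __name__ == "__main__":
    img = build_image()
    print(hex(locate_set_ea_handler(img, ENTRY_RVA, RELOC_RVA, RELOC_SIZE, PREFERRED_BASE)))
```

The relocation lookup is what turns a raw byte-pattern hit into something trustworthy: a stored imm32 that the loader will relocate is, by construction, an absolute address, so a HIGHLOW entry at exactly that offset confirms the match, and the same check is the one a driver integrity tool would use to validate which slot it reads back.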