临近期末要考试,目前只逆了一个函数,BOOL CryptCATAdminAcquireContext(HCATADMIN *phCatAdmin,GUID *pgSubsystem,DWORD dwFlags),待有时间后再一一逆完。没什么技术含量,高手飘过。
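/*
 * Re-implementation of CryptCATAdminAcquireContext as reconstructed by the
 * author from the system binary. The context layout and constants below
 * mirror what the author recovered; field names of the form _NN are
 * placeholders for members whose purpose was not identified.
 */

/*
 * Layout table for guid2wstr: each entry is either the byte offset inside the
 * GUID whose two hex digits are emitted next, or 0x2d ('-') for a separator.
 * The first three groups are listed in reverse byte order (3,2,1,0 / 5,4 / 7,6).
 */
BYTE guidtowstr[] = {0x3,0x2,0x1,0x0,0x2d,0x5,0x4,0x2d,0x7,0x6,0x2d,0x8,0x9,0x2d,0xa,0xb,0xc,0xd,0xe,0xf};

/* Upper-case hexadecimal digits, indexed by nibble value. */
WCHAR UnicodeNumber[] = L"0123456789ABCDEF";

//FIX ME:THE PATH BELOW SHOULD BE PRODUCED ACCORDING TO YOUR OWN MACHINE!
//(e.g. derived from GetSystemDirectoryW instead of being hard-coded)
WCHAR OrigPath[] = L"C:\\WINDOWS\\system32\\CatRoot\\";
WCHAR OrigPath2[] = L"C:\\WINDOWS\\system32\\CatRoot2\\";
WCHAR Slash[] = L"\\";

typedef struct _CAT_CONTEXT
{
    int cbSize;
    BOOL UseDefaultGUID;
    PWCHAR pwGUID;              /* LocalAlloc'ed "{...}" string of the subsystem GUID */
    PWCHAR pwDirectoryPath;     /* LocalAlloc'ed <OrigPath>\<GUID>\ */
    PWCHAR pwDirectoryPath2;    /* LocalAlloc'ed <OrigPath2>\<GUID>\ */
    int _20;
    PVOID list1;                /* list1..list3 are cleared together by LIST_Initialize */
    PVOID list2;
    PVOID list3;
    int _36;
    CRITICAL_SECTION CriticalSection;
    int _64;
    int _68;
    HANDLE hWakeEventHandle;
    HANDLE hCleanWaitObject;    /* stays NULL while the wait registration is disabled */
    int _80;
    int _84;
}CAT_CONTEXT,*PCAT_CONTEXT;

BOOL CryptCATAdminAcquireContext(HCATADMIN *phCatAdmin,GUID *pgSubsystem,DWORD dwFlags);
BOOL CryptCATAdminAcquireContext_Internal(HCATADMIN *phCatAdmin,GUID *pgSubsystem,DWORD dwFlags,int arg);
VOID LIST_Initialize(PVOID pBegin);
BOOL guid2wstr(GUID *guid,PWCHAR pwguid);
PWCHAR _CatAdminCreatePath(PWCHAR OrigPath,PWCHAR pwGUID,BOOL UseDefaultGUID);
BOOL _CatAdminRecursiveCreateDirectory(PWCHAR pwDirectoryPath,LPSECURITY_ATTRIBUTES lpSecurityAttributes);
VOID CALLBACK _CatAdminWaitOrTimerCallback(PVOID lpParameter,BOOLEAN TimerOrWaitFired);

/*
 * Public entry point: forwards to the internal worker with arg == 0.
 */
BOOL CryptCATAdminAcquireContext(HCATADMIN *phCatAdmin,GUID *pgSubsystem,DWORD dwFlags)
{
    return CryptCATAdminAcquireContext_Internal(phCatAdmin,pgSubsystem,dwFlags,0);
}

/*
 * Allocates and fills a CAT_CONTEXT, makes sure both catalog directories for
 * the chosen subsystem GUID exist, and hands the context back as the handle.
 *
 * phCatAdmin  - receives the context on success; set to NULL on failure.
 * pgSubsystem - subsystem GUID, or NULL to use the built-in default GUID.
 * dwFlags,arg - not used by this reconstruction.
 *
 * Returns TRUE on success. On failure returns FALSE, releases everything that
 * was allocated and leaves the last-error value of the failing call in place.
 */
BOOL CryptCATAdminAcquireContext_Internal(HCATADMIN *phCatAdmin,GUID *pgSubsystem,DWORD dwFlags,int arg)
{
    WCHAR wGUID[0x100];
    GUID DefaultGUID = {0x127d0a1d,0x4ef2,0x11d1,{0x86,0x8,0x0,0xc0,0x4f,0xc2,0x95,0xee}};
    GUID *pGUIDToUse = &DefaultGUID;
    PCAT_CONTEXT pCatContext;
    BOOL UseDefaultGUID = TRUE;
    BOOL CriticalSectionReady = FALSE;
    DWORD LastError;

    (void)dwFlags;
    (void)arg;

    /* The output pointer is written unconditionally below, so reject NULL first. */
    if(phCatAdmin == NULL)
    {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }
    *phCatAdmin = NULL;

    /*
     * Size the allocation from the structure itself. The literal 0x54 used
     * before is smaller than CAT_CONTEXT as declared in this file, so writes
     * to the trailing members could land outside the heap block.
     * LMEM_ZEROINIT already clears the block; no extra memset is needed.
     */
    pCatContext = (PCAT_CONTEXT)LocalAlloc(LMEM_ZEROINIT,sizeof(*pCatContext));
    if(pCatContext == NULL)
    {
        return FALSE;
    }

    /* NOTE(review): 0x54 is presumably the size stored by the original binary; kept as recovered. */
    pCatContext->cbSize = 0x54;
    LIST_Initialize(&(pCatContext->list1));

    if(pgSubsystem == NULL)
    {
        pCatContext->UseDefaultGUID = UseDefaultGUID;
    }
    else
    {
        UseDefaultGUID = FALSE;
        pGUIDToUse = pgSubsystem;
    }

    if(!guid2wstr(pGUIDToUse,wGUID))
    {
        SetLastError(ERROR_INVALID_PARAMETER);
        goto fail;
    }

    InitializeCriticalSection(&(pCatContext->CriticalSection));
    CriticalSectionReady = TRUE;
    pCatContext->_64 = UseDefaultGUID;
    pCatContext->_68 = 0;

    pCatContext->pwGUID = (PWCHAR)LocalAlloc(LMEM_ZEROINIT,sizeof(WCHAR) * (lstrlenW(wGUID) + 1));
    if(pCatContext->pwGUID == NULL)
    {
        goto fail;
    }
    wcscpy(pCatContext->pwGUID,wGUID);

    pCatContext->pwDirectoryPath = _CatAdminCreatePath(OrigPath,wGUID,TRUE);
    if(pCatContext->pwDirectoryPath == NULL)
    {
        goto fail;
    }

    pCatContext->pwDirectoryPath2 = _CatAdminCreatePath(OrigPath2,wGUID,TRUE);
    if(pCatContext->pwDirectoryPath2 == NULL)
    {
        goto fail;
    }

    /*
     * NULL security attributes: a directory created here gets the default
     * security descriptor, i.e. its ACL is inherited from the parent directory.
     */
    if(!_CatAdminRecursiveCreateDirectory(pCatContext->pwDirectoryPath,NULL))
    {
        goto fail;
    }
    if(!_CatAdminRecursiveCreateDirectory(pCatContext->pwDirectoryPath2,NULL))
    {
        goto fail;
    }

    pCatContext->hWakeEventHandle = CreateEvent(NULL,FALSE,FALSE,NULL);
    if(pCatContext->hWakeEventHandle == NULL)
    {
        goto fail;
    }

    //FIX ME:WHEN 0 RETURNED!
    //The wait registration is still disabled in this reconstruction:
    //if(RegisterWaitForSingleObject(&(pCatContext->hCleanWaitObject),pCatContext->hWakeEventHandle,(WAITORTIMERCALLBACK)_CatAdminWaitOrTimerCallback,pCatContext,INFINITE,WT_EXECUTEDEFAULT))
    //{
    *phCatAdmin = (HCATADMIN)pCatContext;
    //}
    return TRUE;

fail:
    /* Keep the error of the failing call; the cleanup calls may overwrite it. */
    LastError = GetLastError();
    if(CriticalSectionReady)
    {
        DeleteCriticalSection(&(pCatContext->CriticalSection));
    }
    if(pCatContext->pwDirectoryPath2)
    {
        LocalFree(pCatContext->pwDirectoryPath2);
    }
    if(pCatContext->pwDirectoryPath)
    {
        LocalFree(pCatContext->pwDirectoryPath);
    }
    if(pCatContext->pwGUID)
    {
        LocalFree(pCatContext->pwGUID);
    }
    LocalFree(pCatContext);
    SetLastError(LastError);
    return FALSE;
}

/*
 * Clears three consecutive pointer-sized slots starting at pBegin. The only
 * caller in this file passes the address of list1, which is followed by
 * list2 and list3. Pointer-sized stores give the same result as the former
 * DWORD stores at offsets 0/4/8 on 32-bit and also cover 64-bit builds.
 */
VOID LIST_Initialize(PVOID pBegin)
{
    PVOID *slots = (PVOID *)pBegin;

    if(slots == NULL)
    {
        return;
    }
    slots[0] = NULL;
    slots[1] = NULL;
    slots[2] = NULL;
}

/*
 * Formats a GUID as "{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" in upper-case hex.
 *
 * guid   - GUID to format.
 * pwguid - destination; must have room for 39 WCHARs
 *          (32 digits + 4 dashes + 2 braces + terminator).
 *
 * Returns TRUE on success, FALSE if either pointer is NULL.
 */
BOOL guid2wstr(GUID *guid,PWCHAR pwguid)
{
    const BYTE *raw;
    BYTE value;
    int i;

    if(guid == NULL || pwguid == NULL)
    {
        return FALSE;
    }

    raw = (const BYTE *)guid;
    *pwguid++ = L'{';
    for(i = 0;i < (int)sizeof(guidtowstr);i++)
    {
        if(guidtowstr[i] == '-')
        {
            *pwguid++ = L'-';
        }
        else
        {
            /* High nibble first, then low nibble. */
            value = raw[guidtowstr[i]];
            *pwguid++ = UnicodeNumber[value >> 4];
            *pwguid++ = UnicodeNumber[value & 0xf];
        }
    }
    *pwguid++ = L'}';
    *pwguid = 0;
    return TRUE;
}

/*
 * Builds "<OrigPath>\<pwGUID>" in a new LocalAlloc'ed buffer. A separator is
 * inserted only when OrigPath does not already end with one. Despite its
 * name, UseDefaultGUID only decides whether a trailing backslash is appended.
 *
 * Returns the new string (the caller releases it with LocalFree), or NULL when
 * an argument is NULL, OrigPath is empty, or the allocation fails.
 */
PWCHAR _CatAdminCreatePath(PWCHAR OrigPath,PWCHAR pwGUID,BOOL UseDefaultGUID)
{
    PWCHAR pwFinalPath;
    int origLength;
    int length;

    if(OrigPath == NULL || pwGUID == NULL || OrigPath[0] == 0)
    {
        /* An empty base path would make the last-character test read before the buffer. */
        SetLastError(ERROR_INVALID_PARAMETER);
        return NULL;
    }

    origLength = lstrlenW(OrigPath);

    /* base + optional separator + GUID + terminator, plus the optional trailing separator */
    length = origLength + lstrlenW(pwGUID) + 2;
    if(UseDefaultGUID)
    {
        length += 1;
    }

    pwFinalPath = (PWCHAR)LocalAlloc(LMEM_ZEROINIT,sizeof(WCHAR) * length);
    if(pwFinalPath == NULL)
    {
        return NULL;
    }

    wcscpy(pwFinalPath,OrigPath);
    if(OrigPath[origLength - 1] != L'\\')
    {
        wcscat(pwFinalPath,Slash);
    }
    wcscat(pwFinalPath,pwGUID);
    if(UseDefaultGUID)
    {
        wcscat(pwFinalPath,Slash);
    }
    return pwFinalPath;
}

/*
 * Makes sure pwDirectoryPath exists as a directory. The recursion only strips
 * trailing backslashes; missing parent directories are NOT created, so the
 * parent must already exist.
 *
 * lpSecurityAttributes is passed through to CreateDirectoryW; with NULL the
 * new directory inherits its ACL from the parent.
 *
 * Returns TRUE if the directory already exists or was created, FALSE
 * otherwise (including when the path exists but is not a directory).
 */
BOOL _CatAdminRecursiveCreateDirectory(PWCHAR pwDirectoryPath,LPSECURITY_ATTRIBUTES lpSecurityAttributes)
{
    PWCHAR pwPath = NULL;
    BOOL ret = FALSE;       /* was uninitialised on several paths */
    DWORD attributes;
    DWORD error;
    int length;

    if(pwDirectoryPath == NULL || pwDirectoryPath[0] == 0)
    {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }

    length = lstrlenW(pwDirectoryPath);
    if(pwDirectoryPath[length - 1] == L'\\')
    {
        /* Copy everything except the trailing backslash and retry with that. */
        pwPath = (PWCHAR)LocalAlloc(LMEM_ZEROINIT,sizeof(WCHAR) * length);
        if(pwPath == NULL)
        {
            return FALSE;
        }
        memcpy((PVOID)pwPath,(PVOID)pwDirectoryPath,sizeof(WCHAR) * (length - 1));
        pwPath[length - 1] = 0;
        ret = _CatAdminRecursiveCreateDirectory(pwPath,lpSecurityAttributes);

        /* Do not let the free disturb the error reported by the recursive call. */
        error = GetLastError();
        LocalFree(pwPath);
        SetLastError(error);
        return ret;
    }

    //FIX ME:CHECK WHETHER IT'S WINNT FIRST!
    attributes = GetFileAttributesW(pwDirectoryPath);
    if(attributes != 0xffffffff) //INVALID_FILE_ATTRIBUTES
    {
        /*
         * NOTE(review): a junction or other directory reparse point also
         * carries FILE_ATTRIBUTE_DIRECTORY, so this accepts it as well.
         */
        if(attributes & FILE_ATTRIBUTE_DIRECTORY)
        {
            ret = TRUE;
        }
        else
        {
            /* Something that is not a directory already occupies the name. */
            SetLastError(ERROR_ALREADY_EXISTS);
        }
        return ret;
    }

    /* Read the error once; a second GetLastError call is not guaranteed to match. */
    error = GetLastError();
    if(error == ERROR_PATH_NOT_FOUND || error == ERROR_FILE_NOT_FOUND)
    {
        //FIX ME:CHECK WHETHER IT'S WINNT FIRST!
        if(CreateDirectoryW(pwDirectoryPath,lpSecurityAttributes))
        {
            SetFileAttributesW(pwDirectoryPath,FILE_ATTRIBUTE_NORMAL);
            ret = TRUE;
        }
        else if(GetLastError() == ERROR_ALREADY_EXISTS)
        {
            /* Created by someone else between the query and the create: accept only a directory. */
            attributes = GetFileAttributesW(pwDirectoryPath);
            if(attributes != 0xffffffff && (attributes & FILE_ATTRIBUTE_DIRECTORY))
            {
                ret = TRUE;
            }
        }
    }
    /* Any other error from GetFileAttributesW is reported as failure. */
    return ret;
}

/*
 * Wait callback for the (currently disabled) RegisterWaitForSingleObject
 * call; intentionally empty in this reconstruction.
 */
VOID CALLBACK _CatAdminWaitOrTimerCallback(PVOID lpParameter,BOOLEAN TimerOrWaitFired)
{
    (void)lpParameter;
    (void)TimerOrWaitFired;
}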