You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

72 lines
8.3 KiB

5 years ago
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>IDA - driver.sys.i64 (driver.sys) C:\Users\xerox\Desktop\amlegit.com\driver.sys.i64</title>
</head>
<body bgcolor="#ffffff">
<span style="white-space: pre; font-family: Consolas; color: blue; background: #ffffff">
<span style="color:gray">__int64 __fastcall ioctl_hook_setup(__int64 DRIVER_OBJECT)
</span><span style="color:navy">{
</span><span style="color:gray">// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-&quot;+&quot; TO EXPAND]
</span><span style="color:#8080ff">device_name </span><span style="color:navy">= (</span><span style="color:gray">const UNICODE_STRING *</span><span style="color:navy">)(</span><span style="color:#8080ff">DRIVER_OBJECT </span><span style="color:navy">+ 0x38);
</span><span style="color:#8080ff">pdriver_object </span><span style="color:navy">= (</span><span style="color:gray">struct _DRIVER_OBJECT *</span><span style="color:navy">)</span><span style="color:#8080ff">DRIVER_OBJECT</span><span style="color:navy">;
</span>debug_with_prefix<span style="color:navy">((</span><span style="color:gray">__int64</span><span style="color:navy">)&quot;</span><span style="color:green">Going to %wZ @ 0x%p\n&quot;</span><span style="color:navy">, </span><span style="color:#8080ff">DRIVER_OBJECT </span><span style="color:navy">+ 0x38, </span><span style="color:#8080ff">DRIVER_OBJECT</span><span style="color:navy">);
if ( !</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">-&gt;DeviceObject )
{
</span><span style="color:#8080ff">register_result </span><span style="color:navy">= </span>register_device<span style="color:navy">(</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">, (</span><span style="color:gray">PDEVICE_OBJECT *</span><span style="color:navy">)&amp;</span>qword_140006180<span style="color:navy">);
if ( (</span><span style="color:#8080ff">register_result &amp; </span><span style="color:navy">0xC0000000) == 0xC0000000 )
{
</span>debug_with_prefix<span style="color:navy">((</span><span style="color:gray">__int64</span><span style="color:navy">)&quot;</span><span style="color:green">Failed to create Device!\n&quot;</span><span style="color:navy">);
return </span><span style="color:#8080ff">register_result</span><span style="color:navy">;
</span><span style="background:#8080ff"></span><span style="color:navy">}
</span><span style="color:#8080ff">v5 </span><span style="color:navy">= 1;
goto LABEL_11;
</span><span style="background:navy"></span><span style="color:navy">}
if ( !</span><span style="color:#ff00ff">ObQueryNameInfo</span><span style="color:navy">() )
{
</span><span style="color:#8080ff">print_string </span><span style="color:navy">= &quot;</span><span style="color:green">Unnamed device. Skipping.\n&quot;</span><span style="color:navy">;
LABEL_7:
</span>debug_with_prefix<span style="color:navy">((</span><span style="color:gray">__int64</span><span style="color:navy">)</span><span style="color:#8080ff">print_string</span><span style="color:navy">);
return 0xC0000002i64; </span><span style="color:green">// STATUS_NOT_IMPLEMENTED
</span><span style="background:navy"></span><span style="color:navy">}
</span><span style="color:#ff00ff">RtlInitUnicodeString</span><span style="color:navy">(&amp;</span><span style="color:#8080ff">gpu_energy_drv_str</span><span style="color:navy">, </span><span style="color:#8080ff">L&quot;</span><span style="color:green">\\Driver\\GpuEnergyDrv&quot;</span><span style="color:navy">);
if ( !</span><span style="color:#ff00ff">RtlEqualUnicodeString</span><span style="color:navy">(&amp;</span><span style="color:#8080ff">gpu_energy_drv_str</span><span style="color:navy">, </span><span style="color:#8080ff">device_name</span><span style="color:navy">, 0) )
{
</span><span style="color:#8080ff">print_string </span><span style="color:navy">= &quot;</span><span style="color:green">Not our target driver. Skipping.\n&quot;</span><span style="color:navy">;
goto LABEL_7;
</span><span style="background:navy"></span><span style="color:navy">}
</span>original_ioctl <span style="color:navy">= </span>install_ioctl_hook<span style="color:navy">((</span><span style="color:gray">__int64</span><span style="color:navy">)</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">, (</span><span style="color:gray">__int64</span><span style="color:navy">)</span>ioctl_inline_hook<span style="color:navy">);
</span><span style="color:#8080ff">v5 </span><span style="color:navy">= 0;
LABEL_11:
</span>byte_140006188 <span style="color:navy">= </span><span style="color:#8080ff">v5</span><span style="color:navy">;
</span>qword_140006180 <span style="color:navy">= (</span><span style="color:gray">__int64</span><span style="color:navy">)</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">-&gt;DeviceObject;
if ( (</span>sub_1400044CC<span style="color:navy">(</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">-&gt;MajorFunction, </span>qword_1400060A0<span style="color:navy">, 28i64) &amp; 0xC0000000) == 0xC0000000 )
{
if ( </span>byte_140006188 <span style="color:navy">== 1 )
</span>sub_140001544<span style="color:navy">(&amp;</span>qword_140006180<span style="color:navy">);
</span>byte_140006188 <span style="color:navy">= 0;
</span><span style="color:#8080ff">result </span><span style="color:navy">= 0xC0000305i64;
</span><span style="background:navy"></span><span style="color:navy">}
else
{
</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">-&gt;MajorFunction[0] = (</span><span style="color:gray">PDRIVER_DISPATCH</span><span style="color:navy">)</span>IRP_MJ_CREATE<span style="color:navy">;
</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">-&gt;MajorFunction[2] = (</span><span style="color:gray">PDRIVER_DISPATCH</span><span style="color:navy">)</span>IRP_MJ_CLOSE<span style="color:navy">;
</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">-&gt;MajorFunction[14] = (</span><span style="color:gray">PDRIVER_DISPATCH</span><span style="color:navy">)</span>IOCTL_HOOK_FUNCTION<span style="color:navy">;
</span>pdriver_obj <span style="color:navy">= (</span><span style="color:gray">__int64</span><span style="color:navy">)</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">;
if ( (</span><span style="color:gray">int</span><span style="color:navy">)</span>sub_140001438<span style="color:navy">(</span>qword_140006180<span style="color:navy">) &lt; 0 )
</span>debug_with_prefix<span style="color:navy">((</span><span style="color:gray">__int64</span><span style="color:navy">)&quot;</span><span style="color:green">Failed to create symlink\n&quot;</span><span style="color:navy">);
if ( </span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">-&gt;DriverUnload )
{
</span>driver_unload_orig <span style="color:navy">= (</span><span style="color:gray">__int64</span><span style="color:navy">)</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">-&gt;DriverUnload;
</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">-&gt;DriverUnload = (</span><span style="color:gray">PDRIVER_UNLOAD</span><span style="color:navy">)</span>new_driver_unload<span style="color:navy">;
</span><span style="background:blue"></span><span style="color:navy">}
</span>debug_with_prefix<span style="color:navy">((</span><span style="color:gray">__int64</span><span style="color:navy">)&quot;</span><span style="color:green">Successfully hooked %wZ @ 0x%p\n&quot;</span><span style="color:navy">, </span><span style="color:#8080ff">device_name</span><span style="color:navy">, </span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">);
</span><span style="color:#8080ff">result </span><span style="color:navy">= 0i64;
</span><span style="background:navy"></span><span style="color:navy">}
return </span><span style="color:#8080ff">result</span><span style="color:navy">;
</span><span style="background:#8080ff"></span><span style="color:navy">}
</span></body></html>