<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>IDA - driver.sys.i64 (driver.sys) C:\Users\xerox\Desktop\amlegit.com\driver.sys.i64</title>
</head>
<body bgcolor="#ffffff">
<span style="white-space: pre; font-family: Consolas; color: blue; background: #ffffff">
<span style="color:gray">__int64 __fastcall ioctl_hook_setup(__int64 DRIVER_OBJECT)<!--
  Hex-Rays pseudo-code (IDA HTML export) of a kernel-mode routine that hooks the dispatch
  table of a different, already-loaded driver.  DRIVER_OBJECT is the victim _DRIVER_OBJECT,
  passed as a plain integer because the decompiler lost the pointer type.
  Flow, as visible below: compare the victim's DriverName against \Driver\GpuEnergyDrv
  (a driver that ships with Windows), create a device object for it if it has none, save
  the original MajorFunction[] table, then point MajorFunction[0]/[2]/[14] and DriverUnload
  at functions inside this image.  Returns 0 on success, otherwise an error NTSTATUS.
  Defender note: MajorFunction[] or DriverUnload entries of a loaded driver that resolve
  outside that driver's own image range are the observable artefact of this technique;
  the debug strings below ("Going to", "Successfully hooked") are also usable indicators.
-->
</span><span style="color:navy">{
</span><span style="color:gray">// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

</span><span style="color:#8080ff">device_name </span><span style="color:navy">= (</span><span style="color:gray">const UNICODE_STRING *</span><span style="color:navy">)(</span><span style="color:#8080ff">DRIVER_OBJECT </span><span style="color:navy">+ 0x38);<!-- +0x38 is the DriverName UNICODE_STRING of _DRIVER_OBJECT on x64; consistent with the %wZ use below -->
</span><span style="color:#8080ff">pdriver_object </span><span style="color:navy">= (</span><span style="color:gray">struct _DRIVER_OBJECT *</span><span style="color:navy">)</span><span style="color:#8080ff">DRIVER_OBJECT</span><span style="color:navy">;
</span>debug_with_prefix<span style="color:navy">((</span><span style="color:gray">__int64</span><span style="color:navy">)"</span><span style="color:green">Going to %wZ @ 0x%p\n"</span><span style="color:navy">, </span><span style="color:#8080ff">DRIVER_OBJECT </span><span style="color:navy">+ 0x38, </span><span style="color:#8080ff">DRIVER_OBJECT</span><span style="color:navy">);<!-- debug_with_prefix: presumably a DbgPrint-style logger; the format string is cast to __int64 by the decompiler -->
if ( !</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">->DeviceObject )<!-- victim has no device object yet: create one and remember (v5 = 1) that this code owns it -->
{
</span><span style="color:#8080ff">register_result </span><span style="color:navy">= </span>register_device<span style="color:navy">(</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">, (</span><span style="color:gray">PDEVICE_OBJECT *</span><span style="color:navy">)&</span>qword_140006180<span style="color:navy">);<!-- new device pointer is written to global qword_140006180; register_device body is not in this listing -->
if ( (</span><span style="color:#8080ff">register_result & </span><span style="color:navy">0xC0000000) == 0xC0000000 )<!-- NTSTATUS severity test: both top bits set == STATUS_SEVERITY_ERROR (same as NT_ERROR()) -->
{
</span>debug_with_prefix<span style="color:navy">((</span><span style="color:gray">__int64</span><span style="color:navy">)"</span><span style="color:green">Failed to create Device!\n"</span><span style="color:navy">);
return </span><span style="color:#8080ff">register_result</span><span style="color:navy">;
</span><span style="background:#8080ff"></span><span style="color:navy">}
</span><span style="color:#8080ff">v5 </span><span style="color:navy">= 1;
goto LABEL_11;<!-- skips the name check: a driver without a device object is hooked unconditionally -->
</span><span style="background:navy"></span><span style="color:navy">}
if ( !</span><span style="color:#ff00ff">ObQueryNameInfo</span><span style="color:navy">() )<!-- argument dropped by the decompiler; only a NULL result (no name information) is acted on -->
{
</span><span style="color:#8080ff">print_string </span><span style="color:navy">= "</span><span style="color:green">Unnamed device. Skipping.\n"</span><span style="color:navy">;
LABEL_7:<!-- shared "skip this driver" exit for the two rejection cases -->
</span>debug_with_prefix<span style="color:navy">((</span><span style="color:gray">__int64</span><span style="color:navy">)</span><span style="color:#8080ff">print_string</span><span style="color:navy">);
return 0xC0000002i64; </span><span style="color:green">// STATUS_NOT_IMPLEMENTED
</span><span style="background:navy"></span><span style="color:navy">}
</span><span style="color:#ff00ff">RtlInitUnicodeString</span><span style="color:navy">(&</span><span style="color:#8080ff">gpu_energy_drv_str</span><span style="color:navy">, </span><span style="color:#8080ff">L"</span><span style="color:green">\\Driver\\GpuEnergyDrv"</span><span style="color:navy">);<!-- the single targeted driver name -->
if ( !</span><span style="color:#ff00ff">RtlEqualUnicodeString</span><span style="color:navy">(&</span><span style="color:#8080ff">gpu_energy_drv_str</span><span style="color:navy">, </span><span style="color:#8080ff">device_name</span><span style="color:navy">, 0) )<!-- third argument 0: case-sensitive comparison -->
{
</span><span style="color:#8080ff">print_string </span><span style="color:navy">= "</span><span style="color:green">Not our target driver. Skipping.\n"</span><span style="color:navy">;
goto LABEL_7;
</span><span style="background:navy"></span><span style="color:navy">}
</span>original_ioctl <span style="color:navy">= </span>install_ioctl_hook<span style="color:navy">((</span><span style="color:gray">__int64</span><span style="color:navy">)</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">, (</span><span style="color:gray">__int64</span><span style="color:navy">)</span>ioctl_inline_hook<span style="color:navy">);<!-- judging by the name, returns the handler it displaced; body not in this listing -->
</span><span style="color:#8080ff">v5 </span><span style="color:navy">= 0;
LABEL_11:
</span>byte_140006188 <span style="color:navy">= </span><span style="color:#8080ff">v5</span><span style="color:navy">;<!-- global flag: 1 when the device object was created above (used for rollback below) -->
</span>qword_140006180 <span style="color:navy">= (</span><span style="color:gray">__int64</span><span style="color:navy">)</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">->DeviceObject;<!-- global copy of the victim's DeviceObject; overwrites whatever register_device stored there -->
if ( (</span>sub_1400044CC<span style="color:navy">(</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">->MajorFunction, </span>qword_1400060A0<span style="color:navy">, 28i64) & 0xC0000000) == 0xC0000000 )<!-- 28 == IRP_MJ_MAXIMUM_FUNCTION + 1; presumably saves the whole original dispatch table into qword_1400060A0 before patching (confirm); on failure the table is left untouched -->
{
if ( </span>byte_140006188 <span style="color:navy">== 1 )<!-- roll back only the device object this code created itself -->
</span>sub_140001544<span style="color:navy">(&</span>qword_140006180<span style="color:navy">);<!-- presumably deletes the device; confirm against its body -->
</span>byte_140006188 <span style="color:navy">= 0;
</span><span style="color:#8080ff">result </span><span style="color:navy">= 0xC0000305i64;<!-- error NTSTATUS returned when the original table could not be saved -->
</span><span style="background:navy"></span><span style="color:navy">}
else
{
</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">->MajorFunction[0] = (</span><span style="color:gray">PDRIVER_DISPATCH</span><span style="color:navy">)</span>IRP_MJ_CREATE<span style="color:navy">;<!-- indices 0 / 2 / 14 are IRP_MJ_CREATE / IRP_MJ_CLOSE / IRP_MJ_DEVICE_CONTROL; the right-hand names are handler functions in this image that IDA has labelled with the constant names -->
</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">->MajorFunction[2] = (</span><span style="color:gray">PDRIVER_DISPATCH</span><span style="color:navy">)</span>IRP_MJ_CLOSE<span style="color:navy">;
</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">->MajorFunction[14] = (</span><span style="color:gray">PDRIVER_DISPATCH</span><span style="color:navy">)</span>IOCTL_HOOK_FUNCTION<span style="color:navy">;
</span>pdriver_obj <span style="color:navy">= (</span><span style="color:gray">__int64</span><span style="color:navy">)</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">;<!-- appears to be a global copy of the victim driver object pointer -->
if ( (</span><span style="color:gray">int</span><span style="color:navy">)</span>sub_140001438<span style="color:navy">(</span>qword_140006180<span style="color:navy">) < 0 )<!-- symlink failure is logged only; execution continues and the hook stays installed -->
</span>debug_with_prefix<span style="color:navy">((</span><span style="color:gray">__int64</span><span style="color:navy">)"</span><span style="color:green">Failed to create symlink\n"</span><span style="color:navy">);
if ( </span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">->DriverUnload )<!-- the victim's unload routine is intercepted as well; the original is kept in driver_unload_orig -->
{
</span>driver_unload_orig <span style="color:navy">= (</span><span style="color:gray">__int64</span><span style="color:navy">)</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">->DriverUnload;
</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">->DriverUnload = (</span><span style="color:gray">PDRIVER_UNLOAD</span><span style="color:navy">)</span>new_driver_unload<span style="color:navy">;
</span><span style="background:blue"></span><span style="color:navy">}
</span>debug_with_prefix<span style="color:navy">((</span><span style="color:gray">__int64</span><span style="color:navy">)"</span><span style="color:green">Successfully hooked %wZ @ 0x%p\n"</span><span style="color:navy">, </span><span style="color:#8080ff">device_name</span><span style="color:navy">, </span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">);
</span><span style="color:#8080ff">result </span><span style="color:navy">= 0i64;<!-- STATUS_SUCCESS -->
</span><span style="background:navy"></span><span style="color:navy">}
return </span><span style="color:#8080ff">result</span><span style="color:navy">;
</span><span style="background:#8080ff"></span><span style="color:navy">}
</span></body></html>