[Tigzy]

I need help again...

This is the entry point of my driver:

Code: Select all

INIT:0002B88B                 public GsDriverEntry
INIT:0002B88B GsDriverEntry   proc near
INIT:0002B88B                 mov     edi, edi
INIT:0002B88D                 push    ebp
INIT:0002B88E                 mov     ebp, esp
INIT:0002B890                 call    __security_init_cookie
INIT:0002B895                 pop     ebp
INIT:0002B896                 jmp     DriverEntry
INIT:0002B896 GsDriverEntry   endp

The last line is jmp DriverEntry with OPCODE : E9 EB FE FF FF
In IDA, it jumps to :

Code: Select all

INIT:0002B786 DriverEntry     proc near               ; CODE XREF: GsDriverEntry+Bj
INIT:0002B786
INIT:0002B786 var_24          = dword ptr -24h
INIT:0002B786 var_14          = dword ptr -14h
INIT:0002B786 var_C           = dword ptr -0Ch
INIT:0002B786 var_4           = dword ptr -4
INIT:0002B786 arg_0           = dword ptr  8
INIT:0002B786
INIT:0002B786                 mov     edi, edi
INIT:0002B788                 push    ebp
INIT:0002B789                 mov     ebp, esp
INIT:0002B78B                 sub     esp, 14h
INIT:0002B78E                 push    ebx
INIT:0002B78F                 push    esi
...

I tried to know how with an offset of 0xFFFFFEEB I could jump
from INIT:0002B896 to INIT:0002B786
But I'm not able to...

0xFFFFFEEB = -115h = -227d
and 0002B896 - 115 = 0002B781, not 0002B786

So I'm confused on how I can jump here...

[rkhunter]

FYI: you can setup IDA for displaying opcodes, go to Optins->General->Number of opcode bytes.

0x0002B896 + 5 (jmp len) - 0x115 (+ 0xFFFFFEEB) = 0x2B786

[Tigzy]

ok, so the jump begin at the next opcode, thanks :)

[Tigzy]

There is no windows API to load a PE in the virtual memory?
I need to parse by hand and so on?

[rkhunter]

So you want make it (loads disk port-driver) at user mode? What your end purpose?

[Tigzy]

I want to load it, cause I suspect some parts of the code to modify itself.
I got a big difference between IDA opcodes and raw opcodes on the disk:

Capture.PNG (76.99 KiB) Viewed 251 times

My final aim is to get original major functions adresses to be able either to restore them in the kernel or to use them to bypass some filters (don't know if an MJ_DEVICE_IO adress can be use directly to send some DeviceIOControl to atapi.sys

[rkhunter]

For search original dispatch handlers you can scan INIT-section, for example, on corresponding opcodes and offsets. It's more simple that using disasm from DriverEntry.