Who can give me a demo code OR tell me the idea?
A forum for reverse engineering, OS internals and malware analysis
Can you be a little more specific? What fsd you looking?
Ring0 - the source of inspiration
EP_X0FF wrote:Can you be a little more specific? What fsd you looking?How to get dispatch function original address of NTFS.SYS or FASTFAT.SYS?
EP_X0FF wrote:Can you be a little more specific? What fsd you looking?Take the example of NTFS.SYS, I know:
Driver->MajorFunction[IRP_MJ_CREATE]=NtfsFsdCreate
But, how to get original address of NtfsFsdCreate?
myid wrote:Extract it from DriverEntry, what is the problem?EP_X0FF wrote:Can you be a little more specific? What fsd you looking?Take the example of NTFS.SYS, I know:
Driver->MajorFunction[IRP_MJ_CREATE]=NtfsFsdCreate
But, how to get original address of NtfsFsdCreate?
Code: Select all
INIT:0009547E mov dword ptr [esi+7Ch], offset _NtfsFsdLockControl@8 ; NtfsFsdLockControl(x,x)
INIT:00095485 mov dword ptr [esi+68h], offset _NtfsFsdDirectoryControl@8 ; NtfsFsdDirectoryControl(x,x)
INIT:0009548C mov dword ptr [esi+50h], offset _NtfsFsdSetInformation@8 ; NtfsFsdSetInformation(x,x)
INIT:00095493 mov dword ptr [esi+38h], offset _NtfsFsdCreate@8 ; NtfsFsdCreate(x,x)
INIT:0009549A mov dword ptr [esi+40h], offset _NtfsFsdClose@8 ; NtfsFsdClose(x,x)
INIT:000954A1 mov dword ptr [esi+44h], offset _NtfsFsdRead@8 ; NtfsFsdRead(x,x)
INIT:000954A8 mov dword ptr [esi+48h], offset _NtfsFsdWrite@8 ; NtfsFsdWrite(x,x)
INIT:000954AF mov dword ptr [esi+5Ch], offset _NtfsFsdFlushBuffers@8 ; NtfsFsdFlushBuffers(x,x)
INIT:000954B6 mov dword ptr [esi+6Ch], offset _NtfsFsdFileSystemControl@8 ; NtfsFsdFileSystemControl(x,x)
INIT:000954BD mov dword ptr [esi+80h], offset _NtfsFsdCleanup@8 ; NtfsFsdCleanup(x,x)
INIT:000954C7 mov dword ptr [esi+78h], offset _NtfsFsdShutdown@8 ; NtfsFsdShutdown(x,x)
INIT:000954CE mov dword ptr [esi+0A4h], offset _NtfsFsdPnp@8 ; NtfsFsdPnp(x,x)
INIT:000954D8 mov dword ptr [esi+28h], offset _NtfsFastIoDispatch
INIT:000954DF mov eax, offset _NtfsFsdDispatchWait@8 ; NtfsFsdDispatchWait(x,x)Ring0 - the source of inspiration
EP_X0FF wrote:Thanks. But, how to use WINDBG to disasm DriverEntry of NTFS.SYS?myid wrote:Extract it from DriverEntry, what is the problem?EP_X0FF wrote:Can you be a little more specific? What fsd you looking?Take the example of NTFS.SYS, I know:
Driver->MajorFunction[IRP_MJ_CREATE]=NtfsFsdCreate
But, how to get original address of NtfsFsdCreate?
Code: Select allINIT:0009547E mov dword ptr [esi+7Ch], offset _NtfsFsdLockControl@8 ; NtfsFsdLockControl(x,x) INIT:00095485 mov dword ptr [esi+68h], offset _NtfsFsdDirectoryControl@8 ; NtfsFsdDirectoryControl(x,x) INIT:0009548C mov dword ptr [esi+50h], offset _NtfsFsdSetInformation@8 ; NtfsFsdSetInformation(x,x) INIT:00095493 mov dword ptr [esi+38h], offset _NtfsFsdCreate@8 ; NtfsFsdCreate(x,x) INIT:0009549A mov dword ptr [esi+40h], offset _NtfsFsdClose@8 ; NtfsFsdClose(x,x) INIT:000954A1 mov dword ptr [esi+44h], offset _NtfsFsdRead@8 ; NtfsFsdRead(x,x) INIT:000954A8 mov dword ptr [esi+48h], offset _NtfsFsdWrite@8 ; NtfsFsdWrite(x,x) INIT:000954AF mov dword ptr [esi+5Ch], offset _NtfsFsdFlushBuffers@8 ; NtfsFsdFlushBuffers(x,x) INIT:000954B6 mov dword ptr [esi+6Ch], offset _NtfsFsdFileSystemControl@8 ; NtfsFsdFileSystemControl(x,x) INIT:000954BD mov dword ptr [esi+80h], offset _NtfsFsdCleanup@8 ; NtfsFsdCleanup(x,x) INIT:000954C7 mov dword ptr [esi+78h], offset _NtfsFsdShutdown@8 ; NtfsFsdShutdown(x,x) INIT:000954CE mov dword ptr [esi+0A4h], offset _NtfsFsdPnp@8 ; NtfsFsdPnp(x,x) INIT:000954D8 mov dword ptr [esi+28h], offset _NtfsFastIoDispatch INIT:000954DF mov eax, offset _NtfsFsdDispatchWait@8 ; NtfsFsdDispatchWait(x,x)
I mean how to get address of DriverEntry of NTFS.SYS by WINDBG.
Code: Select all
lkd> !object \FileSystem\ntfs
Object: 81fc9e20 Type: (81fb2ad0) Driver
ObjectHeader: 81fc9e08 (old version)
HandleCount: 0 PointerCount: 5
Directory Object: e1023368 Name: Ntfs
lkd> dt _DRIVER_OBJECT 81fc9e20 -b
ntdll!_DRIVER_OBJECT
+0x000 Type : 0n4
+0x002 Size : 0n168
+0x004 DeviceObject : 0x81e5d770
+0x008 Flags : 0x92
+0x00c DriverStart : 0xf83cf000
+0x010 DriverSize : 0x8c600
+0x014 DriverSection : 0x81feda08
+0x018 DriverExtension : 0x81fc9ec8
+0x01c DriverName : _UNICODE_STRING "\FileSystem\Ntfs"
+0x000 Length : 0x20
+0x002 MaximumLength : 0x20
+0x004 Buffer : 0xe101ce80 "\FileSystem\Ntfs"
+0x024 HardwareDatabase : 0x8068fa90
+0x028 FastIoDispatch : 0xf83ee9a0
+0x02c DriverInit : 0xf8454384
+0x030 DriverStartIo : (null)
+0x034 DriverUnload : (null)
+0x038 MajorFunction :
[00] 0xf83f4e01
[01] 0x804fa87e
[02] 0xf83f42ea
[03] 0xf83d1f2f
[04] 0xf83d0b4b
[05] 0xf83f54b9
[06] 0xf83d2abb
[07] 0xf83f54b9
[08] 0xf83f54b9
[09] 0xf840f0e5
[10] 0xf83f5604
[11] 0xf83f5604
[12] 0xf83f71bd
[13] 0xf83f9958
[14] 0xf83f5604
[15] 0x804fa87e
[16] 0xf83e37f2
[17] 0xf8448ce9
[18] 0xf83f4cb8
[19] 0x804fa87e
[20] 0xf83f5604
[21] 0xf83f5604
[22] 0x804fa87e
[23] 0x804fa87e
[24] 0x804fa87e
[25] 0xf83f54b9
[26] 0xf83f54b9
[27] 0xf8411a0e
lkd> lkd> u Ntfs!DriverEntry l60
Ntfs!DriverEntry:
f84543c8 8bff mov edi,edi
f84543ca 55 push ebp
f84543cb 8bec mov ebp,esp
f84543cd 81ecc8000000 sub esp,0C8h
f84543d3 a1d8e73ef8 mov eax,dword ptr [Ntfs!__security_cookie (f83ee7d8)]
f84543d8 53 push ebx
f84543d9 56 push esi
f84543da 8b7508 mov esi,dword ptr [ebp+8]
f84543dd 57 push edi
f84543de 684e746630 push 3066744Eh
f84543e3 bf00000100 mov edi,10000h
f84543e8 57 push edi
f84543e9 33db xor ebx,ebx
f84543eb 53 push ebx
f84543ec 8945fc mov dword ptr [ebp-4],eax
f84543ef c705d0f03ef80068c461 mov dword ptr [Ntfs!NtfsLastAccess (f83ef0d0)],61C46800h
f84543f9 c705d4f03ef808000000 mov dword ptr [Ntfs!NtfsLastAccess+0x4 (f83ef0d4)],8
f8454403 ff1514703ef8 call dword ptr [Ntfs!_imp__ExAllocatePoolWithTag (f83e7014)]
f8454409 3bc3 cmp eax,ebx
f845440b a36ce83ef8 mov dword ptr [Ntfs!NtfsReserved1 (f83ee86c)],eax
f8454410 0f84400e0000 je Ntfs!DriverEntry+0x9d (f8455256)
f8454416 684e746630 push 3066744Eh
f845441b 57 push edi
f845441c 53 push ebx
f845441d ff1514703ef8 call dword ptr [Ntfs!_imp__ExAllocatePoolWithTag (f83e7014)]
f8454423 3bc3 cmp eax,ebx
f8454425 a370e83ef8 mov dword ptr [Ntfs!NtfsReserved2 (f83ee870)],eax
f845442a 0f84ff0d0000 je Ntfs!DriverEntry+0x60 (f845522f)
f8454430 684e746630 push 3066744Eh
f8454435 57 push edi
f8454436 53 push ebx
f8454437 ff1514703ef8 call dword ptr [Ntfs!_imp__ExAllocatePoolWithTag (f83e7014)]
f845443d 3bc3 cmp eax,ebx
f845443f a378e83ef8 mov dword ptr [Ntfs!NtfsReserved3 (f83ee878)],eax
f8454444 0f84f40d0000 je Ntfs!DriverEntry+0x85 (f845523e)
f845444a 68884a45f8 push offset Ntfs!EFSAesDec <PERF> (Ntfs+0x85a88) (f8454a88)
f845444f 8d8538ffffff lea eax,[ebp-0C8h]
f8454455 50 push eax
f8454456 ff15d06b3ef8 call dword ptr [Ntfs!_imp__RtlInitUnicodeString (f83e6bd0)]
f845445c 8d8540ffffff lea eax,[ebp-0C0h]
f8454462 50 push eax
f8454463 53 push ebx
f8454464 53 push ebx
f8454465 6a08 push 8
f8454467 8d8538ffffff lea eax,[ebp-0C8h]
f845446d 50 push eax
f845446e 53 push ebx
f845446f 56 push esi
f8454470 ff154c6e3ef8 call dword ptr [Ntfs!_imp__IoCreateDevice (f83e6e4c)]
f8454476 3bc3 cmp eax,ebx
f8454478 0f8cfb050000 jl Ntfs!DriverEntry+0x854 (f8454a79)
f845447e c7467ce98c44f8 mov dword ptr [esi+7Ch],offset Ntfs!NtfsFsdLockControl (f8448ce9)
f8454485 c74668bd713ff8 mov dword ptr [esi+68h],offset Ntfs!NtfsFsdDirectoryControl (f83f71bd)
f845448c c74650bb2a3df8 mov dword ptr [esi+50h],offset Ntfs!NtfsFsdSetInformation (f83d2abb)
f8454493 c74638014e3ff8 mov dword ptr [esi+38h],offset Ntfs!NtfsFsdCreate (f83f4e01)
f845449a c74640ea423ff8 mov dword ptr [esi+40h],offset Ntfs!NtfsFsdClose (f83f42ea)
f84544a1 c746442f1f3df8 mov dword ptr [esi+44h],offset Ntfs!NtfsFsdRead (f83d1f2f)
f84544a8 c746484b0b3df8 mov dword ptr [esi+48h],offset Ntfs!NtfsFsdWrite (f83d0b4b)
f84544af c7465ce5f040f8 mov dword ptr [esi+5Ch],offset Ntfs!NtfsFsdFlushBuffers (f840f0e5)
f84544b6 c7466c58993ff8 mov dword ptr [esi+6Ch],offset Ntfs!NtfsFsdFileSystemControl (f83f9958)
f84544bd c78680000000b84c3ff8 mov dword ptr [esi+80h],offset Ntfs!NtfsFsdCleanup (f83f4cb8)
f84544c7 c74678f2373ef8 mov dword ptr [esi+78h],offset Ntfs!NtfsFsdShutdown (f83e37f2)
f84544ce c786a40000000e1a41f8 mov dword ptr [esi+0A4h],offset Ntfs!NtfsFsdPnp (f8411a0e)
f84544d8 c74628a0e93ef8 mov dword ptr [esi+28h],offset Ntfs!NtfsFastIoDispatch (f83ee9a0)
f84544df b8b9543ff8 mov eax,offset Ntfs!NtfsFsdDispatchWait (f83f54b9)
Ring0 - the source of inspiration
EP_X0FF wrote:Thanks a lot.Code: Select alllkd> !object \FileSystem\ntfs Object: 81fc9e20 Type: (81fb2ad0) Driver ObjectHeader: 81fc9e08 (old version) HandleCount: 0 PointerCount: 5 Directory Object: e1023368 Name: Ntfs lkd> dt _DRIVER_OBJECT 81fc9e20 -b ntdll!_DRIVER_OBJECT +0x000 Type : 0n4 +0x002 Size : 0n168 +0x004 DeviceObject : 0x81e5d770 +0x008 Flags : 0x92 +0x00c DriverStart : 0xf83cf000 +0x010 DriverSize : 0x8c600 +0x014 DriverSection : 0x81feda08 +0x018 DriverExtension : 0x81fc9ec8 +0x01c DriverName : _UNICODE_STRING "\FileSystem\Ntfs" +0x000 Length : 0x20 +0x002 MaximumLength : 0x20 +0x004 Buffer : 0xe101ce80 "\FileSystem\Ntfs" +0x024 HardwareDatabase : 0x8068fa90 +0x028 FastIoDispatch : 0xf83ee9a0 +0x02c DriverInit : 0xf8454384 +0x030 DriverStartIo : (null) +0x034 DriverUnload : (null) +0x038 MajorFunction : [00] 0xf83f4e01 [01] 0x804fa87e [02] 0xf83f42ea [03] 0xf83d1f2f [04] 0xf83d0b4b [05] 0xf83f54b9 [06] 0xf83d2abb [07] 0xf83f54b9 [08] 0xf83f54b9 [09] 0xf840f0e5 [10] 0xf83f5604 [11] 0xf83f5604 [12] 0xf83f71bd [13] 0xf83f9958 [14] 0xf83f5604 [15] 0x804fa87e [16] 0xf83e37f2 [17] 0xf8448ce9 [18] 0xf83f4cb8 [19] 0x804fa87e [20] 0xf83f5604 [21] 0xf83f5604 [22] 0x804fa87e [23] 0x804fa87e [24] 0x804fa87e [25] 0xf83f54b9 [26] 0xf83f54b9 [27] 0xf8411a0e lkd> lkd> u Ntfs!DriverEntry l60 Ntfs!DriverEntry: f84543c8 8bff mov edi,edi f84543ca 55 push ebp f84543cb 8bec mov ebp,esp f84543cd 81ecc8000000 sub esp,0C8h f84543d3 a1d8e73ef8 mov eax,dword ptr [Ntfs!__security_cookie (f83ee7d8)] f84543d8 53 push ebx f84543d9 56 push esi f84543da 8b7508 mov esi,dword ptr [ebp+8] f84543dd 57 push edi f84543de 684e746630 push 3066744Eh f84543e3 bf00000100 mov edi,10000h f84543e8 57 push edi f84543e9 33db xor ebx,ebx f84543eb 53 push ebx f84543ec 8945fc mov dword ptr [ebp-4],eax f84543ef c705d0f03ef80068c461 mov dword ptr [Ntfs!NtfsLastAccess (f83ef0d0)],61C46800h f84543f9 c705d4f03ef808000000 mov dword ptr [Ntfs!NtfsLastAccess+0x4 (f83ef0d4)],8 f8454403 ff1514703ef8 call dword ptr [Ntfs!_imp__ExAllocatePoolWithTag (f83e7014)] f8454409 3bc3 cmp eax,ebx f845440b a36ce83ef8 mov dword ptr [Ntfs!NtfsReserved1 (f83ee86c)],eax f8454410 0f84400e0000 je Ntfs!DriverEntry+0x9d (f8455256) f8454416 684e746630 push 3066744Eh f845441b 57 push edi f845441c 53 push ebx f845441d ff1514703ef8 call dword ptr [Ntfs!_imp__ExAllocatePoolWithTag (f83e7014)] f8454423 3bc3 cmp eax,ebx f8454425 a370e83ef8 mov dword ptr [Ntfs!NtfsReserved2 (f83ee870)],eax f845442a 0f84ff0d0000 je Ntfs!DriverEntry+0x60 (f845522f) f8454430 684e746630 push 3066744Eh f8454435 57 push edi f8454436 53 push ebx f8454437 ff1514703ef8 call dword ptr [Ntfs!_imp__ExAllocatePoolWithTag (f83e7014)] f845443d 3bc3 cmp eax,ebx f845443f a378e83ef8 mov dword ptr [Ntfs!NtfsReserved3 (f83ee878)],eax f8454444 0f84f40d0000 je Ntfs!DriverEntry+0x85 (f845523e) f845444a 68884a45f8 push offset Ntfs!EFSAesDec <PERF> (Ntfs+0x85a88) (f8454a88) f845444f 8d8538ffffff lea eax,[ebp-0C8h] f8454455 50 push eax f8454456 ff15d06b3ef8 call dword ptr [Ntfs!_imp__RtlInitUnicodeString (f83e6bd0)] f845445c 8d8540ffffff lea eax,[ebp-0C0h] f8454462 50 push eax f8454463 53 push ebx f8454464 53 push ebx f8454465 6a08 push 8 f8454467 8d8538ffffff lea eax,[ebp-0C8h] f845446d 50 push eax f845446e 53 push ebx f845446f 56 push esi f8454470 ff154c6e3ef8 call dword ptr [Ntfs!_imp__IoCreateDevice (f83e6e4c)] f8454476 3bc3 cmp eax,ebx f8454478 0f8cfb050000 jl Ntfs!DriverEntry+0x854 (f8454a79) f845447e c7467ce98c44f8 mov dword ptr [esi+7Ch],offset Ntfs!NtfsFsdLockControl (f8448ce9) f8454485 c74668bd713ff8 mov dword ptr [esi+68h],offset Ntfs!NtfsFsdDirectoryControl (f83f71bd) f845448c c74650bb2a3df8 mov dword ptr [esi+50h],offset Ntfs!NtfsFsdSetInformation (f83d2abb) f8454493 c74638014e3ff8 mov dword ptr [esi+38h],offset Ntfs!NtfsFsdCreate (f83f4e01) f845449a c74640ea423ff8 mov dword ptr [esi+40h],offset Ntfs!NtfsFsdClose (f83f42ea) f84544a1 c746442f1f3df8 mov dword ptr [esi+44h],offset Ntfs!NtfsFsdRead (f83d1f2f) f84544a8 c746484b0b3df8 mov dword ptr [esi+48h],offset Ntfs!NtfsFsdWrite (f83d0b4b) f84544af c7465ce5f040f8 mov dword ptr [esi+5Ch],offset Ntfs!NtfsFsdFlushBuffers (f840f0e5) f84544b6 c7466c58993ff8 mov dword ptr [esi+6Ch],offset Ntfs!NtfsFsdFileSystemControl (f83f9958) f84544bd c78680000000b84c3ff8 mov dword ptr [esi+80h],offset Ntfs!NtfsFsdCleanup (f83f4cb8) f84544c7 c74678f2373ef8 mov dword ptr [esi+78h],offset Ntfs!NtfsFsdShutdown (f83e37f2) f84544ce c786a40000000e1a41f8 mov dword ptr [esi+0A4h],offset Ntfs!NtfsFsdPnp (f8411a0e) f84544d8 c74628a0e93ef8 mov dword ptr [esi+28h],offset Ntfs!NtfsFastIoDispatch (f83ee9a0) f84544df b8b9543ff8 mov eax,offset Ntfs!NtfsFsdDispatchWait (f83f54b9)