Thread: IDA Structure Definitions

  1. #1 Super Moderator

    IDA Structure Definitions

    SPLIT THREAD

    way off topic

    Hey K, can't find the ROM file, isn't it? There are trillions of datasheets in Google but not a bin file for NEC V40, isn't it?

    Anyway, I ended up downloading ROMs and bins of BBC / Microbee / Atari / Zilog / Z80 / and whatnot due to this thread.

    BTW, way more off topic, but on IDA:

    I thought let me try IDA (nothing fancy, the free 5.0 one) on a driver which seemed to crash on me so I could learn a trick or two,
    but I can't seem to fathom the mighty yeti. Can you see the pic below and tell me how to make it legible?
    No, I can understand the opcodes/mnemonic crap; I want IDA to tell me "hey b,
    this is DRIVER_OBJECT,
    now ebx takes the Driver_Object->MajorFunction[IRP_MJ_DEVICE_CONTROL] and shoots it down to
    KiTrap01 and plays hell with interrupt 1 single stepping on its own" kind of thing,
    not stare back at me with mov ebx,[eax+70].

    [attachment: idarename.JPG]

    And the crashing handler:

    Code:
    .text:00010A5C ; ---------------------------------------------------------------------------
    .text:00010A5C
    .text:00010A5C loc_10A5C:                              ; DATA XREF: start-91Fo
    .text:00010A5C                 mov     edi, edi
    .text:00010A5E                 push    ebp
    .text:00010A5F                 mov     ebp, esp
    .text:00010A61                 push    ebx
    .text:00010A62                 push    esi
    .text:00010A63                 push    edi
    .text:00010A64                 xor     esi, esi
    .text:00010A66                 xor     eax, eax
    .text:00010A68                 push    edx
    .text:00010A69                 sidt    fword ptr [esp-2]
    .text:00010A6E                 pop     edx
    .text:00010A6F                 add     edx, 0Ch        ; kiIntTrap01 ?
    .text:00010A72                 mov     ebx, [edx]
    .text:00010A74                 mov     bx, [edx-4]
    .text:00010A78                 mov     ebx, dword_10EB0
    .text:00010A7E                 cmp     ebx, 0
    .text:00010A81                 jnz     short loc_10A8E
    .text:00010A83                 mov     bx, [edx+2]
    .text:00010A87                 ror     ebx, 10h
    .text:00010A8A                 mov     bx, [edx-4]
    .text:00010A8E
    .text:00010A8E loc_10A8E:                              ; CODE XREF: .text:00010A81j
    .text:00010A8E                 mov     dword_10EB0, ebx
    .text:00010A94                 mov     edi, offset word_109AA
    .text:00010A99                 mov     [edx-4], di
    .text:00010A9D                 ror     edi, 10h
    .text:00010AA0                 mov     [edx+2], di     ; seems to crash here ?
    .text:00010AA4                 mov     ecx, [ebp+0Ch]
    .text:00010AA7                 mov     edi, [ecx+60h]
    .text:00010AAA                 mov     edx, [edi+0Ch]
    .text:00010AAD                 cmp     edx, 0C07FE000h ; ioctlcode
    .text:00010AB3                 jz      loc_10C8D
    .text:00010AB9                 cmp     edx, 0C07FE004h
    .text:00010AB9                                         ; CALL    NEAR DWORD PTR DS:[EAX]          ; getproc(Devictl)
    .text:00010AB9                                         ; PUSH    0                                ; ioOverLapped
    .text:00010AB9                                         ; MOV     DWORD PTR SS:[EBP+354], 0
    .text:00010AB9                                         ; MOV     EBX, EBP
    .text:00010AB9                                         ; ADD     EBX, 354
    .text:00010AB9                                         ; PUSH    EBX                              ; LpBytesRet
    .text:00010AB9                                         ; PUSH    4                                ; OutBuffSize
    .text:00010AB9                                         ; MOV     EBX, EBP
    .text:00010AB9                                         ; ADD     EBX, 348
    .text:00010AB9                                         ; PUSH    EBX                              ; OutBuff
    .text:00010AB9                                         ; PUSH    20                               ; InBuffSize
    .text:00010AB9                                         ; MOV     EBX, EBP
    .text:00010AB9                                         ; ADD     EBX, 9E4
    .text:00010AB9                                         ; PUSH    EBX                              ; inBuff
    .text:00010AB9                                         ; MOV     EBX, C07FE000
    .text:00010AB9                                         ; PUSH    EBX                              ; ioCtlCode
    .text:00010AB9                                         ; PUSH    DWORD PTR SS:[EBP+A08]           ; hdevice
    .text:00010AB9                                         ; CALL    NEAR EAX                         ; devictl()
    .text:00010AB9                                         ;
    .text:00010AB9                                         ;
    .text:00010ABF                 jz      loc_10C2C
    .text:00010AC5                 cmp     edx, 0C07FE018h
    .text:00010ACB                 jz      loc_10BC2
    .text:00010AD1                 cmp     edx, 0C07FE020h
    .text:00010AD7                 jz      loc_10B5F
    .text:00010ADD                 cmp     edx, 0C07FE024h
    .text:00010AE3                 jz      short loc_10AEF
    .text:00010AE5                 mov     esi, 0C000000Dh
    .text:00010AEA                 jmp     loc_10D10
    .text:00010AEF ; ---------------------------------------------------------------------------
    .text:00010AEF
    .text:00010AEF loc_10AEF:                              ; CODE XREF: .text:00010AE3j
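
    Added example, not from the thread or from either poster: the five constants the dispatch routine above compares against (on 32-bit Windows, [ecx+60h] is Irp->Tail.Overlay.CurrentStackLocation and [edi+0Ch] is IoStack->Parameters.DeviceIoControl.IoControlCode) are packed by the DDK's CTL_CODE macro. The C below unpacks them into device type, function number, transfer method and access, rebuilds them with the same arithmetic, and flags METHOD_NEITHER codes, whose handlers get raw user-mode pointers and are the first ones to read when auditing a driver. The METHOD_* and FILE_*_ACCESS values are the standard DDK constants; the code list in main() is copied from the listing.

```c
/* Added example, not from the thread: split a Windows IOCTL code into the
 * CTL_CODE fields.  Layout from the DDK macro:
 *   CTL_CODE(DeviceType, Function, Method, Access) =
 *     (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { METHOD_BUFFERED = 0, METHOD_IN_DIRECT = 1, METHOD_OUT_DIRECT = 2, METHOD_NEITHER = 3 };
enum { FILE_ANY_ACCESS = 0, FILE_READ_ACCESS = 1, FILE_WRITE_ACCESS = 2 };

struct ioctl_fields {
    uint16_t device_type;   /* bits 31..16 */
    uint8_t  access;        /* bits 15..14 */
    uint16_t function;      /* bits 13..2  */
    uint8_t  method;        /* bits 1..0   */
};

struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3u);
    f.function    = (uint16_t)((code >> 2) & 0xFFFu);
    f.method      = (uint8_t)(code & 0x3u);
    return f;
}

/* Inverse of decode_ioctl(): the same arithmetic as the DDK's CTL_CODE macro. */
uint32_t ctl_code(uint16_t device_type, uint16_t function, uint8_t method, uint8_t access)
{
    return ((uint32_t)device_type << 16) | ((uint32_t)(access & 3u) << 14)
         | ((uint32_t)(function & 0xFFFu) << 2) | (uint32_t)(method & 3u);
}

const char *method_name(uint8_t method)
{
    static const char *const names[] = {
        "METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"
    };
    return names[method & 3u];
}

const char *access_name(uint8_t access)
{
    static const char *const names[] = {
        "FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
        "FILE_READ_ACCESS|FILE_WRITE_ACCESS"
    };
    return names[access & 3u];
}

/* METHOD_NEITHER handlers receive raw user-mode pointers (Type3InputBuffer,
 * Irp->UserBuffer) that the driver must probe itself, so they are the first
 * handlers to audit in a dispatch routine. */
int needs_pointer_probe(uint32_t code)
{
    return decode_ioctl(code).method == METHOD_NEITHER;
}

int main(void)
{
    /* The five constants compared in the dispatch listing above. */
    static const uint32_t codes[] = {
        0xC07FE000u, 0xC07FE004u, 0xC07FE018u, 0xC07FE020u, 0xC07FE024u
    };
    size_t i;
    for (i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        struct ioctl_fields f = decode_ioctl(codes[i]);
        printf("%08X: DeviceType=0x%04X Function=0x%03X %s %s%s\n",
               (unsigned)codes[i], f.device_type, f.function,
               method_name(f.method), access_name(f.access),
               needs_pointer_probe(codes[i]) ? "  <- probe user pointers" : "");
    }
    return 0;
}
```

    All five codes decode to device type 0xC07F, functions 0x800 to 0x809, METHOD_BUFFERED with read and write access, which agrees with the user-mode DeviceIoControl call in the comments (0x20-byte input, 4-byte output, both copied through the system buffer).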

  2. #2 Kayaker (Teach, Not Flame)
    I was looking for a rom file split over segments too, to see if one could derive the segment sections just from the code itself, which I'm sure isn't the easiest thing to do.

    A wee bit off topic yes, sorry for the thread hijacking, but to answer the question, what I do is create a custom DRIVER_OBJECT header file where the IRP MajorFunction definition is a structure within itself, so IDA can easily recognize what [eax+70h] stands for. IDA has its own standard DRIVER_OBJECT structure definition, but that won't get you the individual IRP defs.

    Here is the header file I use, modified from wdm.h, loaded into IDA with Load File/Parse C header file, then added in the Structures window and now recognized as a Standard Structure (generally added to the very end of the list).

    Code:
    typedef struct _myDRIVER_DISPATCH {
    
    // Define the major function codes for IRPs.
     
    ULONG IRP_MJ_CREATE                   ; // 0x00
    ULONG IRP_MJ_CREATE_NAMED_PIPE        ; // 0x01
    ULONG IRP_MJ_CLOSE                    ; // 0x02
    ULONG IRP_MJ_READ                     ; // 0x03
    ULONG IRP_MJ_WRITE                    ; // 0x04
    ULONG IRP_MJ_QUERY_INFORMATION        ; // 0x05
    ULONG IRP_MJ_SET_INFORMATION          ; // 0x06
    ULONG IRP_MJ_QUERY_EA                 ; // 0x07
    ULONG IRP_MJ_SET_EA                   ; // 0x08
    ULONG IRP_MJ_FLUSH_BUFFERS            ; // 0x09
    ULONG IRP_MJ_QUERY_VOLUME_INFORMATION ; // 0x0a
    ULONG IRP_MJ_SET_VOLUME_INFORMATION   ; // 0x0b
    ULONG IRP_MJ_DIRECTORY_CONTROL        ; // 0x0c
    ULONG IRP_MJ_FILE_SYSTEM_CONTROL      ; // 0x0d
    ULONG IRP_MJ_DEVICE_CONTROL           ; // 0x0e
    ULONG IRP_MJ_INTERNAL_DEVICE_CONTROL  ; // 0x0f
    ULONG IRP_MJ_SHUTDOWN                 ; // 0x10
    ULONG IRP_MJ_LOCK_CONTROL             ; // 0x11
    ULONG IRP_MJ_CLEANUP                  ; // 0x12
    ULONG IRP_MJ_CREATE_MAILSLOT          ; // 0x13
    ULONG IRP_MJ_QUERY_SECURITY           ; // 0x14
    ULONG IRP_MJ_SET_SECURITY             ; // 0x15
    ULONG IRP_MJ_POWER                    ; // 0x16
    ULONG IRP_MJ_SYSTEM_CONTROL           ; // 0x17
    ULONG IRP_MJ_DEVICE_CHANGE            ; // 0x18
    ULONG IRP_MJ_QUERY_QUOTA              ; // 0x19
    ULONG IRP_MJ_SET_QUOTA                ; // 0x1a
    ULONG IRP_MJ_PNP                      ; // 0x1b
    // ULONG IRP_MJ_PNP_POWER                IRP_MJ_PNP      // Obsolete....
    // ULONG IRP_MJ_MAXIMUM_FUNCTION           0x1b
        
    } myDRIVER_DISPATCH, *PmyDRIVER_DISPATCH;
    
    
    typedef struct _myDRIVER_OBJECT {
        CSHORT Type;
        CSHORT Size;
        PDEVICE_OBJECT DeviceObject;
        ULONG Flags;
        PVOID DriverStart;
        ULONG DriverSize;
        PVOID DriverSection;
        PDRIVER_EXTENSION DriverExtension;
        UNICODE_STRING DriverName;
        PUNICODE_STRING HardwareDatabase;
        PFAST_IO_DISPATCH FastIoDispatch;
        PDRIVER_INITIALIZE DriverInit;
        PDRIVER_STARTIO DriverStartIo;
        PDRIVER_UNLOAD DriverUnload;
    
        // PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
        myDRIVER_DISPATCH MajorFunction;
    
    } myDRIVER_OBJECT;
    typedef struct _myDRIVER_OBJECT *PmyDRIVER_OBJECT;

    Using beep.sys as an example, this

    Code:
    .text:00011389                 mov     eax, [ebp+DriverObject]
    .text:0001138C                 mov     dword ptr [eax+30h], offset sub_11248
    .text:00011393                 mov     dword ptr [eax+34h], offset sub_112C6
    .text:0001139A                 mov     dword ptr [eax+38h], offset sub_111AC
    .text:000113A1                 mov     dword ptr [eax+40h], offset sub_111FE
    .text:000113A8                 mov     dword ptr [eax+70h], offset sub_11116
    .text:000113AF                 mov     dword ptr [eax+80h], offset sub_11060
    becomes this.

    Code:
    .text:00011389                 mov     eax, [ebp+DriverObject]
    .text:0001138C                 mov     [eax+DRIVER_OBJECT.DriverStartIo], offset sub_11248
    .text:00011393                 mov     [eax+DRIVER_OBJECT.DriverUnload], offset sub_112C6
    .text:0001139A                 mov     [eax+myDRIVER_OBJECT.MajorFunction.IRP_MJ_CREATE], offset sub_111AC
    .text:000113A1                 mov     [eax+myDRIVER_OBJECT.MajorFunction.IRP_MJ_CLOSE], offset sub_111FE
    .text:000113A8                 mov     [eax+myDRIVER_OBJECT.MajorFunction.IRP_MJ_DEVICE_CONTROL], offset sub_11116
    .text:000113AF                 mov     [eax+myDRIVER_OBJECT.MajorFunction.IRP_MJ_CLEANUP], offset sub_11060
    I use a similar custom C header file for IRP and IO_STACK_LOCATION structure definitions as I had mentioned in this thread. This would be the next step to sleuthing IRP_MJ_DEVICE_CONTROL. In your case you easily found the IOCTL_CODE without it, but further structure definitions can also point out the usermode buffers which can clarify the full disassembly if that's what you're going for.

    http://www.woodmann.com/forum/showthread.php?14561-Had-to-say-(Driver-Debugging-Basics)&p=91470#post91470

  3. #3 Super Moderator
    I think the lady thinks that I want to buy her a sip of orange juice.

    Didn't you say that paste was what you use (explicitly implying I ought not meddle with it?)

    The beautiful inebriated lady refuses to dance and wants to drink nine more errors:

    Code:
    The initial autoanalysis has been finished.
    Command "LoadHeaderFile" failed              
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,5: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,6: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,7: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,8: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,9: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,10: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,11: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,12: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,13: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,14: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,15: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,16: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,17: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,18: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,19: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,20: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,21: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,22: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,23: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,24: Syntax error near: ULONG
    Total 20 errors      <---------------- need to setup compiler <------opt->compil->vc++->done
    Plan  FLIRT signature: Microsoft VisualC 2-8/net runtime
    autoload.cfg: vc32rtf.sig autoloads vc6win.til
    Using FLIRT signature: Microsoft VisualC 2-8/net runtime
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,40: Syntax error near: CSHORT  <--- ? need USHORT works 
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,41: Syntax error near: CSHORT
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,42: Syntax error near: PDEVICE_OBJECT     <--- ? need PULONG, works for all below
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,47: Syntax error near: PDRIVER_EXTENSION
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,50: Syntax error near: PFAST_IO_DISPATCH
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,51: Syntax error near: PDRIVER_INITIALIZE
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,52: Syntax error near: PDRIVER_STARTIO
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,53: Syntax error near: PDRIVER_UNLOAD
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,58: Syntax error near: }
    Total 9 errors
    
    
    
    C:\Documents and Settings\Admin\My Documents\Driver>fc origdrvobjstrct.h drvobjstrct.h
    Comparing files origdrvobjstrct.h and DRVOBJSTRCT.H
    ***** origdrvobjstrct.h
    typedef struct _myDRIVER_OBJECT {
        CSHORT Type;
        CSHORT Size;
        PDEVICE_OBJECT DeviceObject;
        ULONG Flags;
    ***** DRVOBJSTRCT.H
    typedef struct _myDRIVER_OBJECT {
        USHORT Type;
        USHORT Size;
        PULONG DeviceObject;
        ULONG Flags;
    *****
    
    ***** origdrvobjstrct.h
        PVOID DriverSection;
        PDRIVER_EXTENSION DriverExtension;
        UNICODE_STRING DriverName;
    ***** DRVOBJSTRCT.H
        PVOID DriverSection;
        PULONG DriverExtension;
        UNICODE_STRING DriverName;
    *****
    
    ***** origdrvobjstrct.h
        PUNICODE_STRING HardwareDatabase;
        PFAST_IO_DISPATCH FastIoDispatch;
        PDRIVER_INITIALIZE DriverInit;
        PDRIVER_STARTIO DriverStartIo;
        PDRIVER_UNLOAD DriverUnload;
    
    ***** DRVOBJSTRCT.H
        PUNICODE_STRING HardwareDatabase;
        PULONG FastIoDispatch;
        PULONG DriverInit;
        PULONG DriverStartIo;
        PULONG DriverUnload;
    
    *****
    
    ***** origdrvobjstrct.h
    
    typedef struct DEVICE_OBJECT *PDEVICE_OBJECT;
    ***** DRVOBJSTRCT.H
    *****
    
    C:\Documents and Settings\Admin\My Documents\Driver\drvobjstrct.h: successfully compiled

    BTW, maybe we should cut/paste this into a separate thread, what do you say?

  4. #4 Kayaker (Teach, Not Flame)
    She has a limp, you built her a crutch, good on ya. The more expensive ladies don't limp

  5. #5 Super Moderator
    I can live with her holding the PULONG crutch, at least I can cut the long into a short,
    but what about CSHORT? How can I u@#$%^s shorts?

    Also, after I select one +70, won't 68, 6c etc. get the other IoCtl defs? (I mean, do I have to find 28 places and set each of them with XXX.YYY[zzz]?)

    Also, if mov [ebx+70], 0xXXXXXXX, this dword which is a handler does have a standard function definition like

    RetWhatever DoSomething ( Do1 this , Do2 that ,DoNot What) ;

    so is automatic propagation possible?

    Like mov [ebx+70],0xXXXXXXXX becomes

    mov [ebx+Driver_object->MajorFunction[IRP_MJ_DEVICE_CONTROL]] , _DispatchXXX ( PDEVICE_OBJECT DeviceObject, PIRP Irp)


    and at

    XXXXXXXX

    it becomes a function, its arg_0 transformed into *devobj and arg_1 transformed to *irp.

    And

    you also posted IDA has its own definition of DRIVER_OBJECT; how to load it?

    And thanks for splitting the thread.

  6. #6 Kayaker (Teach, Not Flame)
    IDA Free doesn't have a Type Library (*.til) for ntddk.h, thus no driver defs or useful function type propagation. As for some of the other stuff to fancy up the disassembly, there's a lot you can do with IDC scripts as well.

    Try this format instead for the header file.

    Code:
    struct UNICODE_STRING
    {
      __int16 Length;
      __int16 MaximumLength;
      void *Buffer;
    };
    
    struct DRIVER_OBJECT
    {
      __int16 Type;
      __int16 Size;
      void *DeviceObject;
      int Flags;
      void *DriverStart;
      int DriverSize;
      void *DriverSection;
      void *DriverExtension;
      UNICODE_STRING DriverName;
      void *HardwareDatabase;
      void *FastIoDispatch;
      void *DriverInit;
      void *DriverStartIo;
      void *DriverUnload;
      void *MajorFunction[28];
    };
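
    Added example, not from the thread or from either poster: the 32-bit DRIVER_OBJECT layout of the header above, written in C with fixed-width types so that offsetof() gives the x86 offsets even when built on a 64-bit host, together with a resolver that turns a displacement seen in the disassembly ([eax+70h]) into the field IDA shows once the structure is applied (post #2), and an irp_mj_index() helper for the "28 places" question in post #5. The IRP_MJ names and numbering are the standard wdm.h values; the size check (0xA8 bytes) is the x86 sizeof(DRIVER_OBJECT). On x64 every pointer field is 8 bytes, so none of these offsets carry over.

```c
/* Added example, not from the thread: x86 DRIVER_OBJECT layout plus an
 * offset-to-field resolver for displacements found in a disassembly. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t PTR32;                     /* any pointer on 32-bit Windows */

struct UNICODE_STRING32 {
    uint16_t Length;
    uint16_t MaximumLength;
    PTR32    Buffer;
};

struct DRIVER_OBJECT32 {
    int16_t  Type;
    int16_t  Size;
    PTR32    DeviceObject;
    uint32_t Flags;
    PTR32    DriverStart;
    uint32_t DriverSize;
    PTR32    DriverSection;
    PTR32    DriverExtension;
    struct UNICODE_STRING32 DriverName;
    PTR32    HardwareDatabase;
    PTR32    FastIoDispatch;
    PTR32    DriverInit;
    PTR32    DriverStartIo;
    PTR32    DriverUnload;
    PTR32    MajorFunction[28];              /* IRP_MJ_MAXIMUM_FUNCTION + 1 */
};

/* Compile-time check that no padding crept in: sizeof(DRIVER_OBJECT) is 0xA8 on x86. */
typedef char driver_object32_size_check[sizeof(struct DRIVER_OBJECT32) == 0xA8 ? 1 : -1];

static const char *const irp_mj_names[28] = {
    "IRP_MJ_CREATE", "IRP_MJ_CREATE_NAMED_PIPE", "IRP_MJ_CLOSE", "IRP_MJ_READ",
    "IRP_MJ_WRITE", "IRP_MJ_QUERY_INFORMATION", "IRP_MJ_SET_INFORMATION", "IRP_MJ_QUERY_EA",
    "IRP_MJ_SET_EA", "IRP_MJ_FLUSH_BUFFERS", "IRP_MJ_QUERY_VOLUME_INFORMATION",
    "IRP_MJ_SET_VOLUME_INFORMATION", "IRP_MJ_DIRECTORY_CONTROL", "IRP_MJ_FILE_SYSTEM_CONTROL",
    "IRP_MJ_DEVICE_CONTROL", "IRP_MJ_INTERNAL_DEVICE_CONTROL", "IRP_MJ_SHUTDOWN",
    "IRP_MJ_LOCK_CONTROL", "IRP_MJ_CLEANUP", "IRP_MJ_CREATE_MAILSLOT", "IRP_MJ_QUERY_SECURITY",
    "IRP_MJ_SET_SECURITY", "IRP_MJ_POWER", "IRP_MJ_SYSTEM_CONTROL", "IRP_MJ_DEVICE_CHANGE",
    "IRP_MJ_QUERY_QUOTA", "IRP_MJ_SET_QUOTA", "IRP_MJ_PNP",
};

#define FIELD(name) { #name, offsetof(struct DRIVER_OBJECT32, name), \
                      sizeof(((struct DRIVER_OBJECT32 *)0)->name) }
static const struct { const char *name; size_t off, size; } scalar_fields[] = {
    FIELD(Type), FIELD(Size), FIELD(DeviceObject), FIELD(Flags), FIELD(DriverStart),
    FIELD(DriverSize), FIELD(DriverSection), FIELD(DriverExtension), FIELD(DriverName),
    FIELD(HardwareDatabase), FIELD(FastIoDispatch), FIELD(DriverInit), FIELD(DriverStartIo),
    FIELD(DriverUnload),
};

/* MajorFunction[] slot a displacement starts, or -1 if it is not a slot start. */
int irp_mj_index(uint32_t off)
{
    uint32_t base = (uint32_t)offsetof(struct DRIVER_OBJECT32, MajorFunction);
    if (off < base || off >= sizeof(struct DRIVER_OBJECT32) || (off - base) % sizeof(PTR32))
        return -1;
    return (int)((off - base) / sizeof(PTR32));
}

/* Write the symbolic name for a displacement into out (as IDA would show it
 * once the structure is applied); returns -1 when it lies outside the struct. */
int describe_offset(uint32_t off, char *out, size_t n)
{
    uint32_t base = (uint32_t)offsetof(struct DRIVER_OBJECT32, MajorFunction);
    size_t i;
    if (off >= base && off < sizeof(struct DRIVER_OBJECT32)) {
        unsigned idx = (off - base) / sizeof(PTR32), rem = (off - base) % sizeof(PTR32);
        if (rem)
            return snprintf(out, n, "MajorFunction[%s]+%u", irp_mj_names[idx], rem);
        return snprintf(out, n, "MajorFunction[%s]", irp_mj_names[idx]);
    }
    for (i = 0; i < sizeof scalar_fields / sizeof scalar_fields[0]; i++) {
        size_t f_off = scalar_fields[i].off, f_end = f_off + scalar_fields[i].size;
        if (off >= f_off && off < f_end) {
            if (off == f_off)
                return snprintf(out, n, "%s", scalar_fields[i].name);
            return snprintf(out, n, "%s+%u", scalar_fields[i].name, (unsigned)(off - f_off));
        }
    }
    return -1;
}

/* True when the displacement resolves to exactly `expected`. */
int offset_is(uint32_t off, const char *expected)
{
    char buf[64];
    return describe_offset(off, buf, sizeof buf) > 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* The six stores DriverEntry of beep.sys makes, from the listing in post #2. */
    static const uint32_t stores[] = { 0x30, 0x34, 0x38, 0x40, 0x70, 0x80 };
    size_t i;
    for (i = 0; i < sizeof stores / sizeof stores[0]; i++) {
        char buf[64];
        describe_offset(stores[i], buf, sizeof buf);
        printf("[eax+%02Xh] -> DRIVER_OBJECT.%s\n", (unsigned)stores[i], buf);
    }
    return 0;
}
```

    Running it reproduces the annotated beep.sys listing from post #2: 30h and 34h are DriverStartIo and DriverUnload, 38h, 40h, 70h and 80h are MajorFunction[IRP_MJ_CREATE], [IRP_MJ_CLOSE], [IRP_MJ_DEVICE_CONTROL] and [IRP_MJ_CLEANUP]. The same arithmetic is what IDA does once the structure is applied, which is why one struct definition covers all 28 slots and there is nothing to set by hand per offset.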

  7. #7 Super Moderator
    Quote Originally Posted by Kayaker:
    IDA Free doesn't have a Type Library (*.til) for ntddk.h
    Well, it seems too much is left out of Free 5.

    I compile a driver and disassemble it, and it seems 5 can't even understand the arguments even with full typeinfo:

    VOID
    ProcCreateMon(
    IN HANDLE ParentId,
    IN HANDLE ProcessId,
    IN BOOLEAN Create
    )

    It disassembles it as XXXX(HANDLE,HANDLE,BOOL)
    and leaves the arg_0 and arg_4 as they are,

    and only if I set the function type and add the args like handle parid, handle pid, bool create

    does it rename the arg_0 and arg_4.

    Too much manual work required to make a noob understand.

  8. #8 Kayaker (Teach, Not Flame)
    ......? Rrrrrrubber biscuit?
    Parse the rest of that typeinfo, brother


    IDA doesn't define args that aren't used in the function. Granted, that's always annoyed me a bit too, especially where the number of arguments are known, as in that defined callback, but that's just the way it is. Nor does it automatically add the arg names to the function string unless you specify them, just the data types.

    Even without a type library, IDA free will parse that example correctly with the following header file definition.

    Code:
    typedef int HANDLE;
    typedef int BOOLEAN;
    typedef int NTSTATUS;
    
    typedef void __stdcall(*PCREATE_PROCESS_NOTIFY_ROUTINE)(HANDLE ParentId,HANDLE ProcessId,BOOLEAN Create);
    
    NTSTATUS __stdcall PsSetCreateProcessNotifyRoutine(PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine, BOOLEAN Remove);

  9. #9 Super Moderator
    Wanna see what d'ya get for nuttin'?

    Code:
    CPU Disasm
    Command                                                                 Source
    MOV     EDI, EDI                                                        ; {
    PUSH    EBP
    MOV     EBP, ESP
    SUB     ESP, 8
    MOV     DWORD PTR SS:[LOCAL.2], 0                                       ; PEPROCESS eproc =NULL;
    MOVZX   EAX, BYTE PTR SS:[Create]                                       ; if(Create){
    TEST    EAX, EAX
    JZ      SHORT proccreatemon1.000104AE
    LEA     ECX, [LOCAL.2]                                                  ; PsLookupProcessByProcessId(ProcessId,&eproc);
    PUSH    ECX
    MOV     EDX, DWORD PTR SS:[ProcessId]
    PUSH    EDX
    CALL    NEAR DWORD PTR DS:[<&ntoskrnl_exe.PsLookupProcessByProcessId>]
    MOV     EAX, DWORD PTR SS:[LOCAL.2]                                     ; foo = (PCHAR)eproc+0x174;
    ADD     EAX, 174
    MOV     DWORD PTR SS:[LOCAL.1], EAX
    MOV     ECX, DWORD PTR SS:[LOCAL.1]                                     ; DbgPrint("PID %X Process Name %s\n",ProcessId,foo);
    PUSH    ECX
    MOV     EDX, DWORD PTR SS:[ProcessId]
    PUSH    EDX
    PUSH    proccreatemon1.000104C0
    CALL    proccreatemon1.DbgPrint
    ADD     ESP, 0C
    MOV     ECX, DWORD PTR SS:[LOCAL.2]                                     ; ObDereferenceObject(eproc);
    CALL    NEAR DWORD PTR DS:[<&ntoskrnl_exe.ObfDereferenceObject>]
    MOV     ESP, EBP                                                        ; }
    POP     EBP
    RETN    0C
    bow bow ooohhh ooohhh ooohhh

    Code:
    .text:00010460 ProcCreateMon   proc near               ; DATA XREF: DriverUnload+7o
    .text:00010460                                         ; DriverEntry+11o
    .text:00010460
    .text:00010460 var_8           = dword ptr -8
    .text:00010460 var_4           = dword ptr -4
    .text:00010460 arg_4           = dword ptr  0Ch
    .text:00010460 arg_8           = byte ptr  10h
    .text:00010460
    .text:00010460                 mov     edi, edi
    .text:00010462                 push    ebp
    .text:00010463                 mov     ebp, esp
    .text:00010465                 sub     esp, 8
    .text:00010468                 mov     [ebp+var_8], 0
    .text:0001046F                 movzx   eax, [ebp+arg_8]
    .text:00010473                 test    eax, eax
    .text:00010475                 jz      short loc_104AE
    .text:00010477                 lea     ecx, [ebp+var_8]
    .text:0001047A                 push    ecx
    .text:0001047B                 mov     edx, [ebp+arg_4]
    .text:0001047E                 push    edx
    .text:0001047F                 call    ds:__imp__PsLookupProcessByProcessId@8 ; PsLookupProcessByProcessId(x,x)
    .text:00010485                 mov     eax, [ebp+var_8]
    .text:00010488                 add     eax, 174h
    .text:0001048D                 mov     [ebp+var_4], eax
    .text:00010490                 mov     ecx, [ebp+var_4]
    .text:00010493                 push    ecx
    .text:00010494                 mov     edx, [ebp+arg_4]
    .text:00010497                 push    edx
    .text:00010498                 push    offset ??_C@_0BI@HPAHKJOK@PID?5?$CFX?5Process?5Name?5?$CFs?6?$AA@FNODOBFM@ ; "PID %X Process Name %s\n"
    .text:0001049D                 call    _DbgPrint
    .text:000104A2                 add     esp, 0Ch
    .text:000104A5                 mov     ecx, [ebp+var_8]
    .text:000104A8                 call    ds:__imp_@ObfDereferenceObject@4 ; ObfDereferenceObject(x)
    .text:000104AE
    .text:000104AE loc_104AE:                              ; CODE XREF: ProcCreateMon+15j
    .text:000104AE                 mov     esp, ebp
    .text:000104B0                 pop     ebp
    .text:000104B1                 retn    0Ch
    .text:000104B1 ProcCreateMon   endp
    rubber biscuits cost more time than real biscuits

    Code:
    .text:00010460 ; int __stdcall ProcCreateMon(HANDLE parid,HANDLE pid,BOOL Create)
    .text:00010460 ProcCreateMon   proc near               ; DATA XREF: DriverUnload+7o
    .text:00010460                                         ; DriverEntry+11o
    .text:00010460
    .text:00010460 var_8           = dword ptr -8
    .text:00010460 var_4           = dword ptr -4
    .text:00010460 parid           = dword ptr  8
    .text:00010460 pid             = dword ptr  0Ch
    .text:00010460 Create          = dword ptr  10h
    .text:00010460
    .text:00010460                 mov     edi, edi
    .text:00010462                 push    ebp
    .text:00010463                 mov     ebp, esp
    .text:00010465                 sub     esp, 8
    .text:00010468                 mov     [ebp+var_8], 0
    .text:0001046F                 movzx   eax, byte ptr [ebp+Create]
