在安装驱动的过程中弹出如下的提示
使用Spy++发现是Odbcconf.exe
用ProcExp 发现
原来是安装包在调用
RunDll32 setupapi,InstallHinfSection DefaultInstall 132 C:\ProgramFiles\EstSandBox\EstBoxDrv.inf
时候调用了runonce.exe 然后runonce 调用了odbcconf.exe
baidu 一下发现
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup\
Configuring DataAccess Components
指向了C:\WINDOWS\system32\odbcconf.exe/E /F "C:\WINDOWS\system32\odbcconf.tmp
为什么setupapi 的 InstallHinfSection 会执行runonce 呢
使用windbg 运行 RunDll32 setupapi,InstallHinfSection DefaultInstall 132 C:\ProgramFiles\EstSandBox\EstBoxDrv.inf
在 CreateProcessA 和 CreateProcessW下断点
发现断在了
反汇编如下:
LSTATUS __userpurgepSetupInstallStopEx<eax>(char a1<dil>, int a2, char a3, int a4)
{
LSTATUS result; // eax@2
LSTATUS v5; // eax@11
int v6; // esi@18
DWORD v7; // eax@25
DWORD v8; // edi@32
const BYTE *v9; // [sp-10h] [bp-2A8h]@9
char v10; // [sp-8h] [bp-2A0h]@4
struct _STARTUPINFOW StartupInfo; // [sp+4h][bp-294h]@18
MSG Msg; // [sp+48h] [bp-250h]@30
struct _PROCESS_INFORMATIONProcessInformation; // [sp+64h] [bp-234h]@18
HKEY phkResult; // [sp+74h] [bp-224h]@5
int v15; // [sp+78h] [bp-220h]@1
DWORD dwMilliseconds; // [sp+7Ch][bp-21Ch]@23
LSTATUS v17; // [sp+80h] [bp-218h]@1
DWORD cValues; // [sp+84h] [bp-214h]@1
HKEY hKey; // [sp+88h] [bp-210h]@3
WCHAR CommandLine; // [sp+8Ch] [bp-20Ch]@18
v15 = a4;
v17 = 0;
cValues = 0;
if ( GlobalSetupFlags & 4 )
{
result = 0;
}
else
{
result = RegOpenKeyExW(HKEY_LOCAL_MACHINE,&pszPathRunOnce, 0, 0x2000000u, &hKey);
if ( !result )
{
v10 = a1;
if ( !(a3 & 2) )
{
if ( RegOpenKeyExW(hKey,(LPCWSTR)((char *)&loc_760689CD + 1), 0, 0x20019u, &phkResult) )
{
v17 = 0;
}
else
{
RegCloseKey(phkResult);
v17 = RegSetValueExW(hKey,L"Wrapper", 0, 1u, &pszRunOnceExe, 0x10u);
}
v9 = (const BYTE *)(a3 & 1 ?L"grpconv -u" : L"grpconv -o");
v5 = RegSetValueExW(hKey,L"GrpConv", 0, 1u, v9, 0x16u);
if ( v5 )
v17 = v5;
}
if ( !a2 || GlobalSetupFlags & 1 )
{
RegCloseKey(hKey);
}
else
{
if ( RegQueryInfoKeyW(hKey, 0, 0, 0, 0,0, 0, &cValues, 0, 0, 0, 0) )
cValues = 5;
else
cValues += 5;
RegCloseKey(hKey);
memset(&StartupInfo, 0,sizeof(StartupInfo));
ProcessInformation.hProcess = 0;
ProcessInformation.hThread = 0;
ProcessInformation.dwProcessId = 0;
ProcessInformation.dwThreadId = 0;
StartupInfo.cb = 68;
StartupInfo.dwFlags = 1;
StartupInfo.wShowWindow = 1;
lstrcpyW(&CommandLine,L"runonce -r");
v6 = v15;
if ( v15 )
pSetupWriteLogEntry(v15, 48, 0xEED2u,0, cValues);
if ( CreateProcessW(0,&CommandLine, 0, 0, 0, 0, 0, 0, &StartupInfo, &ProcessInformation))
{
if ( cValues > 0x14 || cValues<= 0 )
dwMilliseconds = 2400000;
else
dwMilliseconds = 120000 * cValues;
do
{
while ( 1 )
{
v7 =MsgWaitForMultipleObjectsEx(1u, &ProcessInformation.hProcess,dwMilliseconds, 0x4FFu, 6u);
if ( v7 != 1 )
break;
while ( PeekMessageW(&Msg, 0,0, 0, 1u) )
{
TranslateMessage(&Msg);
DispatchMessageW(&Msg);
}
}
}
while ( v7 == 192 );
if ( v7 == 258 )
pSetupWriteLogEntry(v15, 16,0xEED1u, 0, a1);
CloseHandle(ProcessInformation.hThread);
CloseHandle(ProcessInformation.hProcess);
}
else
{
v8 = GetLastError();
pSetupWriteLogEntry(v6, 536870928,0xEF36u, 0, v10);
pSetupWriteLogError(v6, 16, v8);
}
}
result = v17;
}
}
return result;
}
在
GlobalSetupFlags& 4 不成立的时候就执行它,那么如何让 GlobalSetupFlags = 4 呢?
查找 GlobalSetupFlags 引用 在函数
pSetupModifyGlobalFlags
中有其改动
int __stdcall pSetupModifyGlobalFlags(int a1, int a2)
{
int v2; // ebx@1
int result; // eax@4
v2 = ~GlobalSetupFlagsOverride & a1;
if ( v2 & 0x10 && !(a2 & 0x10) && GlobalSetupFlags & 0x10 )
*(_DWORD *)&Seed = GetSeed();
result = a2 & v2 | GlobalSetupFlags & ~v2;
GlobalSetupFlags = a2 & v2 | GlobalSetupFlags & ~v2;
return result;
}
而事实上
VOID pSetupSetGlobalFlags( _In_ DWORD Value );
Parameters
-
Value [in]
-
The flags used to disable user interface or automatic backup.
Value Meaning -
PSPGF_NONINTERACTIVE
0x004
Set to disable user interface.
-
PSPGF_NO_BACKUP
0x002
Set to disable automatic backup.
System::Call 'setupapi::InstallHinfSection(0,0,t "DefaultUninstall 132 $INSTDIR\EstBoxDrv.inf",0)'
466
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
