今天在看一驱动的时候发现了一段比较有用的代码,主要功能就是用来确定ImageFileName成员在EPROCESS结构中的偏移的,如下 :
FindNameOffset proc near ; CODE XREF: sub_10966+1Dp
.text:000107F0 push ebx
.text:000107F1 push esi ; size_t
.text:000107F2 push edi ; char *
.text:000107F3 call ds:IoGetCurrentProcess
.text:000107F9 mov ebx, eax ; EPROCESS
.text:000107FB xor edi, edi
.text:000107FD mov esi, offset aRxrsdl ; "System"
.text:00010802
.text:00010802 loc_10802: ; CODE XREF: FindNameOffset+32j
.text:00010802 push esi ; char * = "System"
.text:00010803 call strlen
.text:00010808 push eax ; size_t = 6
.text:00010809 lea eax, [edi+ebx]
.text:0001080C push eax ; char *
.text:0001080D push esi ; char *
.text:0001080E call ds:strncmp
.text:00010814 add esp, 10h
.text:00010817 test eax, eax
.text:00010819 jz short loc_1082A ; 找到
.text:0001081B inc edi
.text:0001081C cmp edi, 3000h
.text:00010822 jl short loc_10802 ; 未找到
.text:00010824 xor eax, eax
.text:00010826
.text:00010826 loc_10826: ; CODE XREF: FindNameOffset+3Cj
.text:00010826 pop edi
.text:00010827 pop esi
.text:00010828 pop ebx
.text:00010829 retn
.text:0001082A ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪? .text:0001082A
.text:0001082A loc_1082A: ; CODE XREF: FindNameOffset+29j
.text:0001082A mov eax, edi
.text:0001082C jmp short loc_10826
.text:0001082C FindNameOffset endp
之所以说它有用,是因为我平时在写的时候会switch case来区分操作系统的版本,然而用这段代码就可以省掉这些了。由于这段代码比较简单,就顺手用C还原了一下:
DWORD FindImageNameOffset()
{
char aRxrsdl[] = "System";
UINT unIndex = 0, unNameLength;
PVOID pEprocess = IoGetCurrentProcess();
unNameLength = strlen(aRxrsdl);
for (; unIndex < 0x3000; ++unIndex)
{
if (!strncmp(aRxrsdl, pEprocess[unIndex], unNameLength )
return unIndex;
}
return 0;
}
这段代码没有经过测试,不过应该是正确的!
4033
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
