Analysis of undocumented Windows function NhGetInterfaceNameFromDeviceGuid

The function NhGetInterfaceNameFromDeviceGuid is exported by the DLL IPHLPAPI. It obtains the name of a device interface from the corresponding GUID: for example, the network interface card with GUID "94C913BF-EFA9-419B-8506-BB88B0F3B34F" has the device interface name "local connection". However, Microsoft does not document it. By dynamic debugging with OllyDbg, I worked out how to use this function, and I'd like to share it here.


First, the function prototype and an explanation of its parameters:

DWORD __stdcall NhGetInterfaceNameFromDeviceGuid(GUID* guid, // device GUID
                    char* buf,            // buffer that receives the device interface name
                    DWORD* buflen,        // length of the buffer, in bytes
                    DWORD unknown1/*=0*/, // unknown, pass 0
                    DWORD unknown2/*=1*/); // unknown, pass 1



Example:

#include <windows.h>
#include <tchar.h>

typedef DWORD (__stdcall *type_NhGetInterfaceNameFromDeviceGuid)(GUID* guid, char* buf, DWORD* buflen, DWORD unknown1/*=0*/, DWORD unknown2/*=1*/);

        HMODULE hDll = LoadLibrary(_T("Iphlpapi.dll"));
        if(hDll == NULL)
            return; // Iphlpapi.dll could not be loaded
        type_NhGetInterfaceNameFromDeviceGuid NhGetInterfaceNameFromDeviceGuid =
            (type_NhGetInterfaceNameFromDeviceGuid)GetProcAddress(hDll,"NhGetInterfaceNameFromDeviceGuid");
        if(NhGetInterfaceNameFromDeviceGuid == NULL)
        {
            // the export is not present in this version of Iphlpapi.dll
            FreeLibrary(hDll);
            return;
        }
        GUID guid;
        GUIDFormString("94C913BF-EFA9-419B-8506-BB88B0F3B34F",guid); // defined below
        TCHAR buf[100] = {0};
        DWORD len = sizeof(buf); // buffer size in bytes
        DWORD ret = NhGetInterfaceNameFromDeviceGuid(&guid, (char*)buf, &len, 0, 1);
        if(ret == 0)
        {
            // success, the string "local connection" is stored in buf.
        }
        FreeLibrary(hDll);

Code of function GUIDFormString:

#include <stdio.h>

// Parse "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" into a GUID.
// sscanf stores a full int for a plain %x conversion, so the one-byte
// Data4 fields are read into temporaries; Data1 is unsigned long and
// Data2/Data3 are unsigned short, hence the l and h length modifiers.
bool GUIDFormString(const char* pszGuid, GUID &guid)
{
	unsigned int temp[8] = {0};
	int n = sscanf(pszGuid,"%08lx-%04hx-%04hx-%02x%02x-%02x%02x%02x%02x%02x%02x",
		&guid.Data1,&guid.Data2,&guid.Data3,
		&temp[0],&temp[1],&temp[2],&temp[3],&temp[4],&temp[5],&temp[6],&temp[7]);
	for(int i = 0; i < 8; i++)
		guid.Data4[i] = (unsigned char)temp[i];
	return n == 11; // false if the string was not a well-formed GUID
}
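The sscanf-based parser above accepts malformed input silently, which matters because a GUID that is off by one character is simply passed on to the undocumented call and fails there. As an added example (not code from the original post), here is a strict, portable parser with a round-trip formatter; the MY_GUID struct is an assumption that mirrors the Windows GUID layout so the code also builds outside Windows.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Defined locally so the example compiles outside Windows; on Windows the
 * GUID type from <guiddef.h> has the same layout. */
typedef struct {
    uint32_t Data1;
    uint16_t Data2, Data3;
    uint8_t  Data4[8];
} MY_GUID;
/* Value of one hex digit, or -1 if the character is not a hex digit. */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}
/* Parse "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" (braces optional). Returns 1 on
 * success; 0 on wrong length, stray character or misplaced hyphen (*g untouched). */
int guid_from_string(const char *s, MY_GUID *g) {
    size_t n = strlen(s);
    uint8_t b[16];
    if (n == 38 && s[0] == '{' && s[37] == '}') { s++; n = 36; }
    if (n != 36) return 0;
    for (size_t i = 0, k = 0; i < 36; i++) {
        if (i == 8 || i == 13 || i == 18 || i == 23) {
            if (s[i] != '-') return 0;
            continue;
        }
        int hi = hexval(s[i]), lo = hexval(s[i + 1]);
        if (hi < 0 || lo < 0) return 0;
        b[k++] = (uint8_t)(hi << 4 | lo);
        i++; /* consumed two characters */
    }
    /* Data1..Data3 are integers in host byte order; Data4 stays raw bytes. */
    g->Data1 = (uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | (uint32_t)b[2] << 8 | b[3];
    g->Data2 = (uint16_t)(b[4] << 8 | b[5]);
    g->Data3 = (uint16_t)(b[6] << 8 | b[7]);
    memcpy(g->Data4, b + 8, 8);
    return 1;
}
/* Canonical upper-case text form; out must hold at least 37 bytes. */
void guid_to_string(const MY_GUID *g, char *out) {
    snprintf(out, 37, "%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X",
             (unsigned)g->Data1, (unsigned)g->Data2, (unsigned)g->Data3,
             g->Data4[0], g->Data4[1], g->Data4[2], g->Data4[3],
             g->Data4[4], g->Data4[5], g->Data4[6], g->Data4[7]);
}
```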


Analysis process:

Load taskmgr.exe in OllyDbg and set a breakpoint on NhGetInterfaceNameFromDeviceGuid. Press F9 to run; execution breaks at the call to <jmp.&IPHLPAPI.NhGetInterfaceNameFromDeviceGuid>. The assembly code is as follows:

0082166D  /$  8BFF          mov     edi, edi
0082166F  |.  55            push    ebp
00821670  |.  8BEC          mov     ebp, esp
00821672  |.  81EC 0C020000 sub     esp, 20C
00821678  |.  A1 8CE08200   mov     eax, dword ptr [82E08C]
0082167D  |.  33C5          xor     eax, ebp
0082167F  |.  8945 FC       mov     dword ptr [ebp-4], eax
00821682  |.  8B45 08       mov     eax, dword ptr [ebp+8]
00821685  |.  56            push    esi
00821686  |.  8B75 0C       mov     esi, dword ptr [ebp+C]
00821689  |.  85C0          test    eax, eax
0082168B  |.  75 07         jnz     short 00821694
0082168D  |.  B8 57000780   mov     eax, 80070057
00821692  |.  EB 44         jmp     short 008216D8
00821694  |>  33C9          xor     ecx, ecx                                           ;  clear ecx
00821696  |.  6A 01         push    1                                                  ;  fifth argument, always 1
00821698  |.  51            push    ecx                                                ;  fourth argument, always 0
00821699  |.  66:894D F8    mov     word ptr [ebp-8], cx
0082169D  |.  8D8D F4FDFFFF lea     ecx, dword ptr [ebp-20C]                           ;  third argument, address of a local variable
008216A3  |.  51            push    ecx
008216A4  |.  8D8D F8FDFFFF lea     ecx, dword ptr [ebp-208]                           ;  second argument, address of a local variable
008216AA  |.  51            push    ecx
008216AB  |.  50            push    eax                                                ;  first argument; the memory eax points to turns out to be a GUID variable
008216AC  |.  C785 F4FDFFFF>mov     dword ptr [ebp-20C], 200                           ;  set the local variable behind the third argument to 0x200
008216B6  |.  E8 3D9C0000   call    <jmp.&IPHLPAPI.NhGetInterfaceNameFromDeviceGuid>   ;  call the function
008216BB  |.  85C0          test    eax, eax                                           ;  check the return value; 0 means success
008216BD  |.  75 14         jnz     short 008216D3
008216BF  |.  8D85 F8FDFFFF lea     eax, dword ptr [ebp-208]                           ;  inspecting memory confirms the buffer passed as the second argument now holds the interface name the function retrieved
008216C5  |.  50            push    eax
008216C6  |.  FF75 10       push    dword ptr [ebp+10]
008216C9  |.  56            push    esi
008216CA  |.  E8 4C03FFFF   call    00811A1B
008216CF  |.  33C0          xor     eax, eax
008216D1  |.  EB 05         jmp     short 008216D8
008216D3  |>  B8 05400080   mov     eax, 80004005
008216D8  |>  8B4D FC       mov     ecx, dword ptr [ebp-4]
008216DB  |.  33CD          xor     ecx, ebp
008216DD  |.  5E            pop     esi
008216DE  |.  E8 96FFFEFF   call    00811679
008216E3  |.  C9            leave
008216E4  \.  C2 0C00       retn    0C
