This section looks at global and local variables. The program is getting longer, so skip ahead to the disassembly if you like.
A global variable that is defined and initialized at program start lives in the data section, and a static disassembler shows the data section directly. Uninitialized globals are still globals: in this build they land in the same section (the listing below writes au2 to 00010710, inside the section whose Data Offset is 0x700).
Local variables are defined inside a function; the function has to reserve stack space for them in its prologue (something like sub esp,10h) and then reaches them through the frame pointer, e.g. mov eax, dword ptr [ebp-04].
Need to master:
static disassembly tools
where each kind of variable is stored
sub
Basic understanding:
how to read a global variable: 1. find the address it is stored at (the disassembler encodes it as an absolute address inside the instruction, e.g. mov dword ptr [00010710], eax). 2. the relationship between the offset the disassembler shows and the real address in memory once the driver is loaded.
Not required:
after W32Dasm disassembles, if you want to copy text out of it, save the listing as an .alf file first and open that in a text editor.
Program used: bz4
#include <ntddk.h>
ULONG au1,au2;      /* uninitialized globals */
ULONG au3 = 7;      /* initialized globals: stored in the data section */
ULONG au4 = 9;
/* no locals: the arguments are used directly */
ULONG MyAdd1(ULONG u1,ULONG u2)
{
return u1+u2;
}
/* one local: the function must reserve stack space for u3 */
ULONG MyAdd2(ULONG u1,ULONG u2)
{
ULONG u3;
u3 = u1+u2;
return u3;
}
/* four locals: a larger stack frame, four ebp-relative slots */
ULONG MyAdd3(ULONG u1,ULONG u2)
{
ULONG u3,u4,u5,u6;
u3 = u1+u2;
u4 = u3+u1;
u5 = u1;
u6 = u1+u3;
return u3+u4+u5+u6;
}
VOID DriverUnload(PDRIVER_OBJECT driver)
{
DbgPrint("unload…\r\n");
}
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
ULONG x1 = 5;   /* locals of DriverEntry: live in its stack frame */
ULONG x2 = 8;
ULONG x3 ;
#if DBG
_asm int 3      /* break into the debugger in checked builds */
#endif
au1 = MyAdd1(x1,x2); // call our own function; check the result in the disassembly
DbgPrint("au1 Result:%d\n!",au1);
au2 = MyAdd2(x1,x2); // call our own function; check the result in the disassembly
DbgPrint("au2 Result:%d\n!",au2);
x3 = MyAdd3(x1,x2); // call our own function; check the result in the disassembly
DbgPrint("Result:%d\n!",x3);
DbgPrint("au3 Result:%d\n!",au3);
DbgPrint("au4 Result:%d\n!",au4);
driver->DriverUnload = DriverUnload;
return STATUS_SUCCESS;
}
Next we disassemble with W32Dasm and with WinDbg and compare the two. The same sequence runs from ...55F to ...5B1 in both; the instructions correspond one to one and only the base address differs: W32Dasm lists the image at its preferred base 00010000, while WinDbg shows where the driver was actually loaded, f84f7000.
A few things to notice in the listing. Arguments are pushed right to left, so the first push, [ebp-4], is x2 and [ebp-8] is x1; the return value of MyAdd3 goes to [ebp-0C], which is x3. After every call to DbgPrint there is an add esp,8, because DbgPrint is a variadic __cdecl function and the caller pops the arguments; after call MyAdd2 there is no such instruction, because the callee pops its own arguments (stdcall, the DDK's default for x86). And au2 is written with mov dword ptr [00010710], eax and read back from the same absolute address for the DbgPrint: a global is always reached through its fixed address in the data section, while a local is always reached through ebp.
We know Data Offset is the data section, which holds the globals. This program's initialized globals are:
ULONG au3 = 7;
ULONG au4 = 9;
(au1 and au2 live there as well; the listing writes au2 to 00010710.)
Obviously dd 00000700 shows nothing: 0x700 is an offset inside the file, not a kernel address. Once the driver is loaded, the data section sits at f84f7700 (load base f84f7000 plus 0x700), so that is what to dd. We'll check this once it is running.
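The following is an added example, not part of the original notes or of the bz4 driver: a small user-mode C program that does the address bookkeeping described above (W32Dasm address to RVA to file offset, and W32Dasm address to WinDbg runtime address) and then reads a global out of a data-section dump at the translated address. The section table is filled in from the Code Offset/Data Offset values W32Dasm printed, the bases 00010000 and f84f7000 come from the two listings, and the assumption that RVA equals file offset for this image is mine (it matches au2 at 00010710 lying inside Data Offset 0x700, but check it against the real section headers). The data-section bytes are constructed, not a real dump.

```c
/*
 * Added example (not from the bz4 notes or the driver itself): address
 * bookkeeping between W32Dasm's static listing, the PE file and WinDbg's
 * view of the loaded driver, plus reading a global out of a data-section dump.
 *
 * Constants taken from the page: W32Dasm lists bz4 at its preferred image
 * base 00010000 with Code Offset 0x480/size 0x200 and Data Offset 0x700/size
 * 0x80; WinDbg shows the same code at f84f7xxx, so the load base is f84f7000.
 * Assumption (mine): RVA == file offset for this image, consistent with
 * bz4!au2 at 00010710 lying inside the section whose Data Offset is 0x700.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PREFERRED_BASE 0x00010000u  /* image base W32Dasm disassembles at */
#define LOAD_BASE      0xf84f7000u  /* where WinDbg found bz4 loaded      */

struct section {
    const char *name;
    uint32_t file_off;  /* offset of the section inside the .sys file */
    uint32_t rva;       /* offset from the image base once mapped     */
    uint32_t size;
};

/* Section table reconstructed from W32Dasm's summary (assumed RVA == file offset). */
static const struct section sections[] = {
    { "code", 0x480, 0x480, 0x200 },
    { "data", 0x700, 0x700, 0x080 },
};

static const struct section *section_for_rva(uint32_t rva)
{
    for (size_t i = 0; i < sizeof sections / sizeof sections[0]; i++)
        if (rva >= sections[i].rva && rva - sections[i].rva < sections[i].size)
            return &sections[i];
    return NULL;
}

/* W32Dasm address (00010710 for au2) -> address WinDbg shows (f84f7710). */
uint32_t static_to_runtime(uint32_t static_va)
{
    return static_va - PREFERRED_BASE + LOAD_BASE;
}

/* Runtime address from WinDbg (a faulting EIP, say) -> address to look up in W32Dasm. */
uint32_t runtime_to_static(uint32_t runtime_va)
{
    return runtime_va - LOAD_BASE + PREFERRED_BASE;
}

/* RVA -> file offset through the section table; -1 when the RVA is in no
 * section. This is the mirror image of the "dd 00000700 shows nothing"
 * mistake: an offset only means something relative to the right base. */
int64_t rva_to_file_offset(uint32_t rva)
{
    const struct section *s = section_for_rva(rva);
    if (s == NULL)
        return -1;
    return (int64_t)(rva - s->rva + s->file_off);
}

/* Read a ULONG global out of a dump of memory that starts at dump_base (what
 * `dd dump_base` prints). Refuses addresses outside the dump or outside any
 * mapped section, so passing a W32Dasm address by mistake fails instead of
 * returning garbage. x86 is little-endian, so the bytes are assembled by hand. */
int read_global(const uint8_t *dump, size_t dump_len, uint32_t dump_base,
                uint32_t runtime_va, uint32_t *value)
{
    if (dump_len < 4 || runtime_va < dump_base || runtime_va - dump_base > dump_len - 4)
        return 0;
    if (section_for_rva(runtime_to_static(runtime_va) - PREFERRED_BASE) == NULL)
        return 0;
    const uint8_t *p = dump + (runtime_va - dump_base);
    *value = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
             ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 1;
}

/* Constructed stand-in for `dd f84f7700`: 0x80 bytes of data section with
 * au2 = MyAdd2(5, 8) = 13 at f84f7710 (offset 0x10). The other slots stay
 * zero because the page does not show their layout. */
uint8_t data_dump[0x80];

/* Builds the constructed dump and reads the ULONG at runtime_va from it;
 * returns UINT32_MAX when the address cannot be resolved. */
uint32_t lookup_in_dump(uint32_t runtime_va)
{
    uint32_t v;
    memset(data_dump, 0, sizeof data_dump);
    data_dump[0x10] = 13;   /* low byte of au2; the other three bytes are 0 */
    return read_global(data_dump, sizeof data_dump, 0xf84f7700u, runtime_va, &v) ? v : UINT32_MAX;
}

int main(void)
{
    printf("au2: W32Dasm %08x -> WinDbg %08x\n",
           (unsigned)0x00010710u, (unsigned)static_to_runtime(0x00010710u));
    printf("RVA 0x710 -> file offset 0x%llx\n", (long long)rva_to_file_offset(0x710u));
    printf("au2 read from dump at f84f7710: %u\n", (unsigned)lookup_in_dump(0xf84f7710u));
    printf("lookup of W32Dasm address 00010710 in the dump: %s\n",
           lookup_in_dump(0x00010710u) == UINT32_MAX ? "rejected" : "resolved");
    return 0;
}
```

The rejection of 00010710 in read_global is deliberate: it is a valid-looking number, but it is the static listing's address, not where the global sits in kernel memory, and silently reading it from a dump is how wrong values creep into an analysis.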
W32Dasm disassembly:
Code Offset = 00000480, Code Size = 00000200
Data Offset = 00000700, Data Size = 00000080
...............
:0001055F 52 push edx
* Possible StringData Ref from Code Obj ->"au1 Result:%d\n!"
|
:00010560 6850060100 push 00010650
* Reference To: ntoskrnl.DbgPrint, Ord:0030h
|
:00010565 E888000000 Call 000105F2
:0001056A 83C408 add esp, 00000008
:0001056D 8B45FC mov eax, dword ptr [ebp-04]
:00010570 50 push eax
:00010571 8B4DF8 mov ecx, dword ptr [ebp-08]
:00010574 51 push ecx
:00010575 E836FFFFFF call 000104B0
:0001057A A310070100 mov dword ptr [00010710], eax
:0001057F 8B1510070100 mov edx, dword ptr [00010710]
:00010585 52 push edx
:00010586 6840060100 push 00010640
* Reference To: ntoskrnl.DbgPrint, Ord:0030h
|
:0001058B E862000000 Call 000105F2
:00010590 83C408 add esp, 00000008
:00010593 8B45FC mov eax, dword ptr [ebp-04]
:00010596 50 push eax
:00010597 8B4DF8 mov ecx, dword ptr [ebp-08]
:0001059A 51 push ecx
:0001059B E830FFFFFF call 000104D0
:000105A0 8945F4 mov dword ptr [ebp-0C], eax
:000105A3 8B55F4 mov edx, dword ptr [ebp-0C]
:000105A6 52 push edx
* Possible StringData Ref from Code Obj ->"Result:%d\n!"
|
:000105A7 6830060100 push 00010630
* Reference To: ntoskrnl.DbgPrint, Ord:0030h
|
:000105AC E841000000 Call 000105F2
:000105B1 83C408 add esp, 00000008
The same part of the main function in WinDbg, i.e. the calls to our own functions (the first column is the source line number WinDbg reports for each instruction):
57 f84f755f 52 push edx
57 f84f7560 6850764ff8 push offset bz4! ?? ::FNODOBFM::`string' (f84f7650)
57 f84f7565 e888000000 call bz4!DbgPrint (f84f75f2)
57 f84f756a 83c408 add esp,8
59 f84f756d 8b45fc mov eax,dword ptr [ebp-4]
59 f84f7570 50 push eax
59 f84f7571 8b4df8 mov ecx,dword ptr [ebp-8]
59 f84f7574 51 push ecx
59 f84f7575 e836ffffff call bz4!MyAdd2 (f84f74b0)
59 f84f757a a310774ff8 mov dword ptr [bz4!au2 (f84f7710)],eax
61 f84f757f 8b1510774ff8 mov edx,dword ptr [bz4!au2 (f84f7710)]
61 f84f7585 52 push edx
61 f84f7586 6840764ff8 push offset bz4! ?? ::FNODOBFM::`string' (f84f7640)
61 f84f758b e862000000 call bz4!DbgPrint (f84f75f2)
61 f84f7590 83c408 add esp,8
63 f84f7593 8b45fc mov eax,dword ptr [ebp-4]
63 f84f7596 50 push eax
63 f84f7597 8b4df8 mov ecx,dword ptr [ebp-8]