谈谈ntoskrnl alldiv函数
该函数为 ntoskrnl 的导出函数,今天在分析驱动时发现的,但是 WDK、WRK、MSDN 均无说明,因此自己分析了一下:函数代码中数学运算较多,因此直接用穷举法看规律:
/* Brute-force probe of the exported ntoskrnl alldiv routine located at
 * addr + 0x12de0: call it over a small (param1, param2, param3) grid and log
 * every non-zero result so the pattern can be read off the DbgView output. */
typedef LONGLONG (__stdcall *alldiv_fn_t)(LONGLONG, LONG, LONG);
alldiv_fn_t alldiv = (alldiv_fn_t)(addr + 0x12de0);
for (LONGLONG dividend = 1000; dividend < 1010; dividend++) {
    for (LONG p2 = -10; p2 <= 10; p2++) {
        /* p2 == 0 is skipped: a divide-by-zero fault is expected there. */
        if (p2 == 0) {
            continue;
        }
        for (LONG p3 = -10; p3 <= 10; p3++) {
            ULONGLONG ret = alldiv(dividend, p2, p3);
            /* Zero results are dropped to keep the log short. */
            if (ret) {
                DbgPrint("(%I64d,%d,%d)=%I64d\n", dividend, p2, p3, ret);
            }
        }
    }
}
00000001 0.00000000 (1000,-10,-1)=-100
00000002 0.00000363 (1000,-9,-1)=-111
00000003 0.00000643 (1000,-8,-1)=-125
00000004 0.00000922 (1000,-7,-1)=-142
00000005 0.00001201 (1000,-6,-1)=-166
00000006 0.00001453 (1000,-5,-1)=-200
00000007 0.00001704 (1000,-4,-1)=-250
00000008 0.00001983 (1000,-3,-1)=-333
00000009 0.00002235 (1000,-2,-1)=-500
00000010 0.00002514 (1000,-1,-1)=-1000
00000011 0.00002794 (1000,1,0)=1000
00000012 0.00003101 (1000,2,0)=500
00000013 0.00003352 (1000,3,0)=333
00000014 0.00003604 (1000,4,0)=250
00000015 0.00003883 (1000,5,0)=200
00000016 0.00004135 (1000,6,0)=166
00000017 0.00004386 (1000,7,0)=142
00000018 0.00004637 (1000,8,0)=125
00000019 0.00004889 (1000,9,0)=111
00000020 0.00005168 (1000,10,0)=100
00000021 0.00005448 (1001,-10,-1)=-100
00000022 0.00005727 (1001,-9,-1)=-111
00000023 0.00005978 (1001,-8,-1)=-125
00000024 0.00006258 (1001,-7,-1)=-143
00000025 0.00006509 (1001,-6,-1)=-166
00000026 0.00006789 (1001,-5,-1)=-200
00000027 0.00007040 (1001,-4,-1)=-250
00000028 0.00007291 (1001,-3,-1)=-333
00000029 0.00007543 (1001,-2,-1)=-500
00000030 0.00007822 (1001,-1,-1)=-1001
00000031 0.00008102 (1001,1,0)=1001
00000032 0.00008353 (1001,2,0)=500
00000033 0.00008604 (1001,3,0)=333
00000034 0.00008884 (1001,4,0)=250
00000035 0.00009135 (1001,5,0)=200
00000036 0.00009387 (1001,6,0)=166
00000037 0.00009638 (1001,7,0)=143
00000038 0.00009917 (1001,8,0)=125
00000039 0.00010169 (1001,9,0)=111
00000040 0.00010420 (1001,10,0)=100
00000041 0.00010700 (1002,-10,-1)=-100
00000042 0.00010951 (1002,-9,-1)=-111
00000043 0.00011230 (1002,-8,-1)=-125
00000044 0.00011482 (1002,-7,-1)=-143
00000045 0.00011733 (1002,-6,-1)=-167
00000046 0.00011985 (1002,-5,-1)=-200
00000047 0.00012264 (1002,-4,-1)=-250
00000048 0.00012516 (1002,-3,-1)=-334
00000049 0.00012767 (1002,-2,-1)=-501
00000050 0.00013018 (1002,-1,-1)=-1002
00000051 0.00013298 (1002,1,0)=1002
00000052 0.00013549 (1002,2,0)=501
00000053 0.00013829 (1002,3,0)=334
00000054 0.00014080 (1002,4,0)=250
00000055 0.00014331 (1002,5,0)=200
00000056 0.00014583 (1002,6,0)=167
00000057 0.00014834 (1002,7,0)=143
00000058 0.00015114 (1002,8,0)=125
00000059 0.00015365 (1002,9,0)=111
00000060 0.00015617 (1002,10,0)=100
00000061 0.00015896 (1003,-10,-1)=-100
00000062 0.00016147 (1003,-9,-1)=-111
00000063 0.00016399 (1003,-8,-1)=-125
00000064 0.00016678 (1003,-7,-1)=-143
00000065 0.00016930 (1003,-6,-1)=-167
00000066 0.00017181 (1003,-5,-1)=-200
00000067 0.00017460 (1003,-4,-1)=-250
00000068 0.00017712 (1003,-3,-1)=-334
00000069 0.00017963 (1003,-2,-1)=-501
00000070 0.00018215 (1003,-1,-1)=-1003
00000071 0.00018494 (1003,1,0)=1003
00000072 0.00018745 (1003,2,0)=501
00000073 0.00018997 (1003,3,0)=334
00000074 0.00019276 (1003,4,0)=250
00000075 0.00019528 (1003,5,0)=200
00000076 0.00019779 (1003,6,0)=167
00000077 0.00020030 (1003,7,0)=143
00000078 0.00020282 (1003,8,0)=125
00000079 0.00020561 (1003,9,0)=111
00000080 0.00020813 (1003,10,0)=100
00000081 0.00021064 (1004,-10,-1)=-100
00000082 0.00021343 (1004,-9,-1)=-111
00000083 0.00021595 (1004,-8,-1)=-125
00000084 0.00021846 (1004,-7,-1)=-143
00000085 0.00022126 (1004,-6,-1)=-167
00000086 0.00022377 (1004,-5,-1)=-200
00000087 0.00022629 (1004,-4,-1)=-251
00000088 0.00022880 (1004,-3,-1)=-334
00000089 0.00023159 (1004,-2,-1)=-502
00000090 0.00023411 (1004,-1,-1)=-1004
00000091 0.00023662 (1004,1,0)=1004
00000092 0.00023942 (1004,2,0)=502
00000093 0.00024193 (1004,3,0)=334
00000094 0.00024444 (1004,4,0)=251
00000095 0.00024724 (1004,5,0)=200
00000096 0.00024975 (1004,6,0)=167
00000097 0.00025227 (1004,7,0)=143
00000098 0.00025478 (1004,8,0)=125
00000099 0.00025730 (1004,9,0)=111
00000100 0.00026009 (1004,10,0)=100
00000101 0.00026260 (1005,-10,-1)=-100
00000102 0.00026540 (1005,-9,-1)=-111
00000103 0.00026791 (1005,-8,-1)=-125
00000104 0.00027043 (1005,-7,-1)=-143
00000105 0.00027322 (1005,-6,-1)=-167
00000106 0.00027573 (1005,-5,-1)=-201
00000107 0.00027853 (1005,-4,-1)=-251
00000108 0.00028104 (1005,-3,-1)=-335
00000109 0.00028356 (1005,-2,-1)=-502
00000110 0.00028607 (1005,-1,-1)=-1005
00000111 0.00028886 (1005,1,0)=1005
00000112 0.00029138 (1005,2,0)=502
00000113 0.00029417 (1005,3,0)=335
00000114 0.00029669 (1005,4,0)=251
00000115 0.00029920 (1005,5,0)=201
00000116 0.00030171 (1005,6,0)=167
00000117 0.00030451 (1005,7,0)=143
00000118 0.00030702 (1005,8,0)=125
00000119 0.00030954 (1005,9,0)=111
00000120 0.00031205 (1005,10,0)=100
00000121 0.00031484 (1006,-10,-1)=-100
00000122 0.00031736 (1006,-9,-1)=-111
00000123 0.00031987 (1006,-8,-1)=-125
00000124 0.00032267 (1006,-7,-1)=-143
00000125 0.00032518 (1006,-6,-1)=-167
00000126 0.00032770 (1006,-5,-1)=-201
00000127 0.00033021 (1006,-4,-1)=-251
00000128 0.00033300 (1006,-3,-1)=-335
00000129 0.00033552 (1006,-2,-1)=-503
00000130 0.00033803 (1006,-1,-1)=-1006
00000131 0.00034083 (1006,1,0)=1006
00000132 0.00034334 (1006,2,0)=503
00000133 0.00034585 (1006,3,0)=335
00000134 0.00034865 (1006,4,0)=251
00000135 0.00035116 (1006,5,0)=201
00000136 0.00035368 (1006,6,0)=167
00000137 0.00035619 (1006,7,0)=143
00000138 0.00035870 (1006,8,0)=125
00000139 0.00036150 (1006,9,0)=111
00000140 0.00036401 (1006,10,0)=100
00000141 0.00036653 (1007,-10,-1)=-100
00000142 0.00036932 (1007,-9,-1)=-111
00000143 0.00037183 (1007,-8,-1)=-125
00000144 0.00037463 (1007,-7,-1)=-143
00000145 0.00037714 (1007,-6,-1)=-167
00000146 0.00037966 (1007,-5,-1)=-201
00000147 0.00038217 (1007,-4,-1)=-251
00000148 0.00038469 (1007,-3,-1)=-335
00000149 0.00038748 (1007,-2,-1)=-503
00000150 0.00038999 (1007,-1,-1)=-1007
00000151 0.00039251 (1007,1,0)=1007
00000152 0.00039530 (1007,2,0)=503
00000153 0.00039782 (1007,3,0)=335
00000154 0.00040033 (1007,4,0)=251
00000155 0.00040312 (1007,5,0)=201
00000156 0.00040564 (1007,6,0)=167
00000157 0.00040815 (1007,7,0)=143
00000158 0.00041067 (1007,8,0)=125
00000159 0.00041318 (1007,9,0)=111
00000160 0.00041597 (1007,10,0)=100
00000161 0.00041849 (1008,-10,-1)=-100
00000162 0.00042128 (1008,-9,-1)=-112
00000163 0.00042380 (1008,-8,-1)=-126
00000164 0.00042631 (1008,-7,-1)=-144
00000165 0.00042910 (1008,-6,-1)=-168
00000166 0.00043162 (1008,-5,-1)=-201
00000167 0.00043413 (1008,-4,-1)=-252
00000168 0.00043665 (1008,-3,-1)=-336
00000169 0.00043916 (1008,-2,-1)=-504
00000170 0.00044196 (1008,-1,-1)=-1008
00000171 0.00044447 (1008,1,0)=1008
00000172 0.00044726 (1008,2,0)=504
00000173 0.00044978 (1008,3,0)=336
00000174 0.00045229 (1008,4,0)=252
00000175 0.00045481 (1008,5,0)=201
00000176 0.00045732 (1008,6,0)=168
00000177 0.00046011 (1008,7,0)=144
00000178 0.00046263 (1008,8,0)=126
00000179 0.00046514 (1008,9,0)=112
00000180 0.00046766 (1008,10,0)=100
00000181 0.00047045 (1009,-10,-1)=-100
00000182 0.00047297 (1009,-9,-1)=-112
00000183 0.00047576 (1009,-8,-1)=-126
00000184 0.00047827 (1009,-7,-1)=-144
00000185 0.00048079 (1009,-6,-1)=-168
00000186 0.00048358 (1009,-5,-1)=-201
00000187 0.00048610 (1009,-4,-1)=-252
00000188 0.00048861 (1009,-3,-1)=-336
00000189 0.00049112 (1009,-2,-1)=-504
00000190 0.00049392 (1009,-1,-1)=-1009
00000191 0.00049643 (1009,1,0)=1009
00000192 0.00049923 (1009,2,0)=504
00000193 0.00050174 (1009,3,0)=336
00000194 0.00050425 (1009,4,0)=252
00000195 0.00050677 (1009,5,0)=201
00000196 0.00050956 (1009,6,0)=168
00000197 0.00051208 (1009,7,0)=144
00000198 0.00051459 (1009,8,0)=126
00000199 0.00051710 (1009,9,0)=112
00000200 0.00051962 (1009,10,0)=100
可以看出格式为:
LONGLONG __stdcall alldiv(LONGLONG param1,LONG param2,LONG param3)
param1 为 a/b 中的 a,param2 为 a/b 中的 b,param3 为 param2 的符号:param2 为正则为 0,为负则为 -1
参数错误(param3 与 param2 的符号不一致)则结果为 0:这与 param2、param3 分别是第二个 64 位参数(除数)的低 32 位和高 32 位的解释一致,此时除数的绝对值远大于被除数 1000,商自然为 0。
param2 为 0 则可能发生除零异常。
#include <ntddk.h>
/* Kernel routines and globals this file references that it declares by hand.
 * NOTE(review): the DDK declares IoGetDeviceObjectPointer with out-parameters
 * PFILE_OBJECT * and PDEVICE_OBJECT *, and the last parameter of
 * ObReferenceObjectByName as PVOID * (it receives the referenced object);
 * the prototypes below pass those by value — confirm against ntddk.h.
 * Redeclaring a routine ntddk.h already declares with a different signature
 * is a compile error. */
extern "C"
{
/* Exported kernel object-type pointer; not used by the visible code. */
extern POBJECT_TYPE *IoDriverObjectType;
NTSTATUS __stdcall ObReferenceObjectByName(PUNICODE_STRING,ULONG,PACCESS_STATE,ACCESS_MASK,POBJECT_TYPE,KPROCESSOR_MODE,PVOID,PVOID);
NTSTATUS __stdcall IoGetDeviceObjectPointer(PUNICODE_STRING ,ACCESS_MASK,PFILE_OBJECT,PDEVICE_OBJECT);
NTSTATUS __stdcall ObOpenObjectByName(POBJECT_ATTRIBUTES,POBJECT_TYPE,KPROCESSOR_MODE,PACCESS_STATE,ACCESS_MASK,PVOID,PHANDLE);
NTSTATUS __stdcall ObOpenObjectByPointer(PVOID,ULONG,PACCESS_STATE,ACCESS_MASK,POBJECT_TYPE,KPROCESSOR_MODE,PHANDLE);
NTSTATUS __stdcall ObReferenceObjectByPointer(PVOID,ACCESS_MASK,POBJECT_TYPE,KPROCESSOR_MODE);
};
/* DriverUnload callback installed by DriverEntry; the body is empty, so
 * nothing acquired at load time is released here. */
void __stdcall unload(PDRIVER_OBJECT)
{
}
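/* Object-manager paths that DriverEntry's loop iterates over.
 * Element count is sizeof DriverName / sizeof DriverName[0].
 * The original definition lacked the terminating ';', which made the
 * extern "C" block that follows it a syntax error. */
PWCHAR DriverName[] =
{
    L"\\Device\\QMCuber",
    L"\\Device\\QMUDisk",
    L"\\Device\\TSDFStategy",
    L"\\Device\\TAOAccelerator",
    L"\\Device\\TsFltMgr",
    L"\\Device\\TSKSP",
    L"\\Device\\TSSK",
    L"\\Device\\TSSysKit",
    L"\\Device\\{2A9C5798-8D9E-4B8A-96F2-6EC5A5B40195}",
    L"\\Device\\{3EEEDE5F-C832-4126-AA30-0DC8A81FA22E}",
    L"\\Device\\{C881BF08-DA7F-4a47-8462-E111F3A90100}",
    L"\\FileSystem\\Filters\\TFsFltControl",
};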
extern "C"
{
/* Driver entry point: installs the unload routine, then (as drafted) walks the
 * DriverName table. NOTE(review): this function does not compile as written —
 * see the per-line notes below. The intent of the unfinished lines cannot be
 * recovered from this listing, so the code is left as-is and only annotated.
 * pus (the registry path) is never read. */
NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT pdr,PUNICODE_STRING pus)
{
int ret=0; /* assigned here but never read in the visible code */
pdr->DriverUnload=unload;
/* BUG: sizeof(DriverName)/sizeof(DriverName) is always 1, so only the first
 * table entry would ever be visited; the element count is
 * sizeof(DriverName)/sizeof(DriverName[0]). Also, i is int while sizeof
 * yields size_t, a signed/unsigned comparison. */
for(int i=0;i<sizeof(DriverName)/sizeof(DriverName);i++)
{
UNICODE_STRING uStr;
/* BUG: RtlInitUnicodeString takes the address of the destination and one
 * wide string, i.e. RtlInitUnicodeString(&uStr, DriverName[i]); passing the
 * struct by value and the whole array does not compile. */
RtlInitUnicodeString(uStr,DriverName);
/* The next five lines are bare identifiers or an argument-less call, not
 * statements: the object lookup calls were evidently left unfinished. */
ObReferenceObjectByName
IoGetDeviceObjectPointer();
ObOpenObjectByName
ObOpenObjectByPointer
ObReferenceObjectByPointer
}
/* Unconditional breakpoint at the end of DriverEntry: with no kernel debugger
 * attached, an unhandled kernel-mode breakpoint typically bug-checks the system. */
__debugbreak();
return STATUS_SUCCESS;
}
};
可以可以!!