本帖最后由 易语言灬魅影 于 2021-9-29 23:20 编辑
{本人不是什么大佬,会用代码的自己研究,不会的别来问我,我只管发布出来}{麻烦给个好评}
/*
 * sub_140001530 -- Hex-Rays pseudocode. The debug strings below name the
 * routine "LeiLeiResolveImageRefs" and tag its output "LoadDriver".
 *
 * Walks the import directory of the PE image at a1 and writes a resolved
 * address into each import thunk slot. In other words it performs import
 * binding by hand on an in-memory image instead of relying on the OS loader.
 *
 * a1  Base of the image. Every RVA read from the image is added directly to
 *     a1, so the image is treated as already laid out "as image".
 * a2  Selects how the value returned by sub_140001D50 is turned into a module
 *     base: non-zero reads a pointer at offset 48 of that value, zero uses the
 *     value itself.
 *
 * Returns 0 when there is no import directory or every import was resolved,
 * and 0xC0000225 (STATUS_NOT_FOUND) when a module or an import is not found.
 *
 * NOTE(review): every offset used to index a1 comes from the image itself and
 * none is validated. Size is filled in by RtlImageDirectoryEntryToData but is
 * never read, and the RVAs are held in signed ints. A malformed image
 * therefore drives out-of-bounds reads and writes relative to a1.
 *
 * NOTE(review, triage): the two format strings and "LeiLeiResolveImageRefs"
 * are literals in this listing, which makes them usable static-match strings
 * when identifying builds of this loader.
 */
__int64 __fastcall sub_140001530(char *a1, char a2)
{
__int64 *v3; // [rsp+30h] [rbp-128h]
PIMAGE_NT_HEADERS v4; // [rsp+38h] [rbp-120h]
int *v5; // [rsp+40h] [rbp-118h]
int v6; // [rsp+48h] [rbp-110h]
int v7; // [rsp+4Ch] [rbp-10Ch]
__int64 v8; // [rsp+50h] [rbp-108h]
int v9; // [rsp+58h] [rbp-100h]
__int64 v10; // [rsp+60h] [rbp-F8h] BYREF
char *v11; // [rsp+68h] [rbp-F0h]
ULONG Size; // [rsp+70h] [rbp-E8h] BYREF
unsigned __int64 v13; // [rsp+78h] [rbp-E0h]
struct _UNICODE_STRING UnicodeString; // [rsp+80h] [rbp-D8h] BYREF
__int64 v16; // [rsp+98h] [rbp-C0h]
unsigned __int64 v17; // [rsp+A0h] [rbp-B8h]
unsigned __int64 v18; // [rsp+A8h] [rbp-B0h]
__int64 v19; // [rsp+B0h] [rbp-A8h]
__int64 v20; // [rsp+B8h] [rbp-A0h]
unsigned __int64 v21; // [rsp+C0h] [rbp-98h]
unsigned __int64 v22; // [rsp+C8h] [rbp-90h]
__int64 v23; // [rsp+D0h] [rbp-88h]
__int64 v24; // [rsp+D8h] [rbp-80h]
__int64 v25; // [rsp+E0h] [rbp-78h]
__int64 v26; // [rsp+E8h] [rbp-70h]
__int64 v27; // [rsp+F0h] [rbp-68h]
struct _UNICODE_STRING v28; // [rsp+F8h] [rbp-60h] BYREF
struct _STRING DestinationString; // [rsp+108h] [rbp-50h] BYREF
char v30[16]; // [rsp+120h] [rbp-38h] BYREF
char v31[40]; // [rsp+130h] [rbp-28h] BYREF
// v7 is the running status; 0 means success so far.
v7 = 0;
Size = 0;
// NOTE(review): v4 is dereferenced below (v4->OptionalHeader.Magic) without a NULL check.
v4 = RtlImageNtHeader(a1);
// Arguments: MappedAsImage = 1, DirectoryEntry = 1 (the import directory).
// v5 is then indexed as five 32-bit fields per entry, matching IMAGE_IMPORT_DESCRIPTOR:
// v5[0] = OriginalFirstThunk, v5[3] = Name, v5[4] = FirstThunk.
v5 = (int *)RtlImageDirectoryEntryToData(a1, 1u, 1u, &Size);
if ( !v5 )
return 0i64;
// One pass per import descriptor; stops at a descriptor with a zero Name RVA or after a failure.
while ( v5[3] && v7 >= 0 )
{
// Read thunks from OriginalFirstThunk when present, otherwise from FirstThunk.
if ( *v5 )
v9 = *v5;
else
v9 = v5[4];
v3 = (__int64 *)&a1[v9];
memset(&UnicodeString, 0, sizeof(UnicodeString));
memset(&v28, 0, sizeof(v28));
memset(&DestinationString, 0, sizeof(DestinationString));
// v6 is the byte offset of the current slot within the FirstThunk array.
v6 = 0;
v13 = 0i64;
memset(&v10, 0, sizeof(v10));
// Imported module name: ANSI string at a1 + Name RVA, converted to an allocated UNICODE_STRING.
// NOTE(review): the NTSTATUS of RtlAnsiStringToUnicodeString is ignored.
RtlInitAnsiString(&DestinationString, &a1[v5[3]]);
RtlAnsiStringToUnicodeString(&UnicodeString, &DestinationString, 1u);
// sub_140001C10 is not shown; presumably it derives a second string (v28) from the module
// name, since v28 is later released with RtlFreeUnicodeString -- TODO confirm.
sub_140001C10(&v28, &UnicodeString);
// sub_140001D50 is not shown; presumably it looks up an already-loaded module by name
// and returns 0 when none is found -- TODO confirm.
v10 = sub_140001D50(&UnicodeString, 0i64);
if ( !v10 )
{
RtlFreeUnicodeString(&UnicodeString);
RtlFreeUnicodeString(&v28);
// 3221226021 == 0xC0000225 (STATUS_NOT_FOUND).
return 3221226021i64;
}
// 523 == 0x20B, the PE32+ optional-header magic: thunks are 8 bytes wide, otherwise 4.
// The thunk array ends at a zero entry.
while ( v4->OptionalHeader.Magic == 523 ? *v3 : *(unsigned int *)v3 )
{
if ( v4->OptionalHeader.Magic == 523 )
v16 = *v3;
else
v16 = *(unsigned int *)v3;
// v11 treats the thunk value as an RVA to a hint/name record (2-byte hint, then the name).
v11 = &a1[v16];
if ( v4->OptionalHeader.Magic == 523 )
v18 = *v3;
else
v18 = *(unsigned int *)v3;
// v17 is the import-by-ordinal flag: the top bit of the thunk for its width.
if ( v4->OptionalHeader.Magic == 523 )
v17 = 0x8000000000000000ui64;
else
v17 = 0x80000000i64;
// Flag clear and a non-empty name: import by name. Otherwise: import by ordinal.
if ( v18 < v17 && v11[2] )
{
v13 = (unsigned __int64)(v11 + 2);
}
else
{
if ( v4->OptionalHeader.Magic == 523 )
v19 = *v3;
else
v19 = *(unsigned int *)v3;
// The ordinal is the low 16 bits of the thunk.
v13 = (unsigned __int16)v19;
}
// NOTE(review): offset 48 looks like a base-address field in a loader data-table
// entry -- confirm against what sub_140001D50 actually returns.
if ( a2 )
v20 = *(_QWORD *)(v10 + 48);
else
v20 = v10;
// sub_140001EA0 is not shown; presumably an export lookup taking a module base and
// a name-pointer-or-ordinal, returning 0 on failure -- TODO confirm.
v8 = sub_140001EA0(v20, v13, 0i64, &v28);
if ( !v8 )
{
// Failure path: repeat the by-name / by-ordinal test only to pick the log format.
if ( v4->OptionalHeader.Magic == 523 )
v22 = *v3;
else
v22 = *(unsigned int *)v3;
if ( v4->OptionalHeader.Magic == 523 )
v21 = 0x8000000000000000ui64;
else
v21 = 0x80000000i64;
if ( v22 < v21 && v11[2] )
{
// 16-byte copy of UnicodeString supplied for the %wZ argument.
qmemcpy(v30, &UnicodeString, sizeof(v30));
DbgPrintEx(
0x4Du,
0,
"LoadDriver: %s: Failed to resolve import '%wZ' : '%s'\n",
"LeiLeiResolveImageRefs",
v30,
v11 + 2);
}
else
{
if ( v4->OptionalHeader.Magic == 523 )
v23 = *v3;
else
v23 = *(unsigned int *)v3;
qmemcpy(v31, &UnicodeString, 0x10ui64);
DbgPrintEx(
0x4Du,
0,
"LoadDriver: %s: Failed to resolve import '%wZ' : '%d'\n",
"LeiLeiResolveImageRefs",
v31,
(unsigned __int16)v23);
}
// -1073741275 == 0xC0000225 (STATUS_NOT_FOUND); also ends the outer loop via v7 >= 0.
v7 = -1073741275;
break;
}
// Store the resolved address: into the FirstThunk slot at offset v6 when FirstThunk is
// non-zero, 8 bytes wide for PE32+ and 4 bytes otherwise.
// NOTE(review): when FirstThunk is zero the store goes to a1 + (thunk value) instead.
// With FirstThunk == 0 and OriginalFirstThunk == 0 the thunk pointer v3 was itself
// taken from a1 + 0, so this fallback looks unintended -- confirm.
if ( v4->OptionalHeader.Magic == 523 )
{
if ( v5[4] )
{
*(_QWORD *)&a1[v5[4] + v6] = v8;
}
else
{
if ( v4->OptionalHeader.Magic == 523 )
v24 = *v3;
else
v24 = *(unsigned int *)v3;
*(_QWORD *)&a1[v24] = v8;
}
}
else if ( v5[4] )
{
*(_DWORD *)&a1[v5[4] + v6] = v8;
}
else
{
if ( v4->OptionalHeader.Magic == 523 )
v25 = *v3;
else
v25 = *(unsigned int *)v3;
*(_DWORD *)&a1[v25] = v8;
}
// Advance the read pointer and the write offset by one thunk (8 or 4 bytes).
if ( v4->OptionalHeader.Magic == 523 )
v26 = 8i64;
else
v26 = 4i64;
v3 = (__int64 *)((char *)v3 + v26);
if ( v4->OptionalHeader.Magic == 523 )
v27 = 8i64;
else
v27 = 4i64;
v6 += v27;
}
RtlFreeUnicodeString(&UnicodeString);
RtlFreeUnicodeString(&v28);
// Next descriptor: 5 ints == 20 bytes.
v5 += 5;
}
return (unsigned int)v7;
}