;==============================================================================
;
; 作者:一塊三毛錢
; 郵箱:zhongts@163.com
; 日期:2005.4.30
;
; 查找 SoftICE 的內部函數
;
;==============================================================================
include img.inc
HeapReAlloc proto C:VARARG
.const
;-------------------------------------------------------------------
; Byte signatures that _si_Init searches for in NTICE's code section
; with _InString.  A 0 byte is a wildcard (see _InString); it is used
; for the immediates / displacements that differ between builds, and
; the real values are read back out of the matched code.  The lengths
; passed to _InString in _si_Init (27, 42, 43) must equal the byte
; count of each table below.
;-------------------------------------------------------------------
; _LoadKDE call site.  _si_Init takes the rel32 of "call _LoadKDE"
; (bytes 12..15) and turns it into the absolute address of _LoadKDE.
LoadKDE_Signs db 8Bh, 46h, 17h, ;mov eax, [esi+17h]
0A3h, 0, 0, 0, 0, ;mov dword_19AC00, eax
0FFh, 76h, 17h, ;push dword ptr [esi+17h]
0E8h, 0, 0, 0, 0, ;call _LoadKDE
83h, 4Eh, 23h, 2h, ;or dword ptr [esi+23h], 2
5Fh, ;pop edi
33h, 0C0h, ;xor eax,eax
5Eh, ;pop esi
0C2h, 8h, 0 ;ret 0008
; Loop that prints the extension-command table.  Byte 7 is the imm32
; of "mov edi, offset bang_funcs_array"; bytes 38..41 are the disp32
; of "cmp ebx, KDEFuncNum".  The table is stepped by esi = 10Ch (268)
; bytes per entry, and the print call pushes [edi-4] as well as edi.
BangFuncsArray_Ds32_Signs db 0Fh, 86h, 0, 0, 0, 0, ;jbe loc_9C692
0BFh, 0, 0, 0, 0, ;mov edi, offset bang_funcs_array
0BEh, 0, 0, 0, 0, ;mov esi, 10Ch
;loc_9C390:
db 0FFh, 0, 0, ;push dword ptr [edi-4]
57h, ;push edi
68h, 0, 0, 0, 0, ;push offset asc_9C148 ; "%-20s %08x"
0E8h, 0, 0, 0, 0, ;call pPrintErrorMessage2
83h, 0, 0, ;add esp, 0Ch
43h, ;inc ebx
3h, 0FEh, ;add edi, esi
3Bh, 1Dh, 0, 0, 0, 0 ;cmp ebx, KDEFuncNum
; Command handler that evaluates an expression.  The rel32 of
; "call pExpression2Integer" (bytes 13..16) is what _si_Init resolves.
Expression2Integer_Signs db 0BEh, 0, 0, 0, 0, ;mov esi, offset si_CommandLine
0E8h, 0, 0, 0, 0, ;call pSkipWord
72h, 12h, ;jb short loc_44037
0E8h, 0, 0, 0, 0, ;call pExpression2Integer
72h, 10h, ;jb short loc_4403C
0BEh, 0, 0, 0, 0, ;mov esi, offset loc_44044
0E8h, 0, 0, 0, 0, ;call c_PHYS_
0C3h, ;retn
;loc_44037:
db 0B8h, 0, 0, 0, 0, ;mov eax, offset aParametersRequ ; "Parameters required"
;loc_4403C:
db 8Bh,0F0h, ;mov esi, eax
0E8h, 0, 0, 0, 0, ;call pSayESI
0C3h ;retn
.data
; Addresses inside NTICE.sys, all filled in by _si_Init (0 until then).
_si_LoadKDE pFuncProto1 0 ;NTICE's _LoadKDE: loads our command-extension module; the argument is the module's address in memory
_si_Expression2Integer pFuncProto1 0 ;NTICE's expression evaluator (expression -> integer)
si_pKDEFuncNum dd 0 ;-> NTICE's count of extension commands
si_pBangFuncsArray dd 0 ;-> NTICE's extension-command table; each 268-byte entry starts with the handler address (see _si_ClearBangFuncsArray)
.code
;===================================================================
;
; 在一串字符里面查找子字符串,子字符串中的 0h 代表不確定的內容
;
; 返回值: 如果找到返回偏移量,如果沒有找到返回 0
;
;===================================================================
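_InString proc lpszStr:DWORD, dwStrLen:DWORD, lpszSubStr:DWORD, dwSubStrLen:DWORD
;-------------------------------------------------------------------
; DWORD _InString(lpszStr, dwStrLen, lpszSubStr, dwSubStrLen)
;
; Search the dwStrLen bytes at lpszStr for the dwSubStrLen-byte pattern
; at lpszSubStr.  A 0 byte in the pattern (other than its first byte,
; which is the anchor and must match exactly) matches any byte.
;
; Out:  eax = offset of the first match; 0 when there is no match, so a
;       match at offset 0 is indistinguishable from "not found" (the
;       callers in this file treat 0 as "not found").
; Clobb: flags only; all other registers are preserved via pushad.
;
; Fix: the last candidate offset (dwStrLen - dwSubStrLen) used to be
; skipped, so a pattern ending on the last byte was never found; an empty
; pattern now returns 0 instead of scanning past the buffer.
;-------------------------------------------------------------------
    LOCAL dwPos:DWORD

    pushad
    mov     eax, dwSubStrLen
    test    eax, eax
    jz      exit_0                  ; empty pattern: nothing to anchor on
    mov     ecx, dwStrLen
    cmp     ecx, eax
    jb      exit_0                  ; buffer shorter than the pattern
    sub     ecx, eax
    mov     dwStrLen, ecx           ; dwStrLen = highest start offset to try (inclusive)
    mov     esi, lpszStr
    mov     edi, lpszSubStr
    xor     edx, edx                ; edx = candidate start offset
Loop1:
    cmp     edx, dwStrLen
    ja      exit_0                  ; every start offset has been tried
    xor     ecx, ecx                ; ecx = pattern bytes matched so far
    mov     al, byte ptr [edi]
    cmp     al, byte ptr [esi+edx]
    jz      Loop2                   ; anchor byte matches
    inc     edx
    jmp     Loop1
Loop2:
    ; Invariant: pattern[0..ecx] matched buffer[edx-ecx..edx]; edx never
    ; exceeds dwStrLen + dwSubStrLen - 1, i.e. stays inside the buffer.
    inc     ecx
    inc     edx
    cmp     ecx, dwSubStrLen
    jz      exit_1                  ; whole pattern matched
    mov     al, byte ptr [edi+ecx]
    cmp     al, byte ptr [esi+edx]
    jz      Loop2
    test    al, al
    jz      Loop2                   ; 0 in the pattern is a wildcard
    sub     edx, ecx
    inc     edx                     ; mismatch: resume at start offset + 1
    jmp     Loop1
exit_1:
    sub     edx, ecx                ; edx = start offset of the match
    mov     dwPos, edx
    popad
    mov     eax, dwPos
    ret
exit_0:
    popad
    xor     eax, eax
    ret
_InString endp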
;===================================================================
;
; 在 NTICE.sys 的代碼段里面查找一些有用的內部函數和結構
;
;===================================================================
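_si_Init proc uses ebx
;-------------------------------------------------------------------
; BOOL _si_Init(void)
;
; Locate NTICE.sys in memory and resolve the internal functions and
; structures this module needs by matching the byte signatures in .const
; against NTICE's code section.
;
; Out:  eax = 1 on success, 0 if any step fails.  On failure the globals
;       resolved by the earlier steps are left filled in.
; Clobb: ecx, edx (invoke), flags.
;
; Fixes: BaseOfCode is an RVA relative to the image base, not to the NT
; headers, so the scanned range used to be shifted by e_lfanew bytes;
; the import thunk and the PE signature are now verified before being
; dereferenced.
;-------------------------------------------------------------------
    LOCAL _IceBase:DWORD, _IceCodeBase:DWORD, _IceCodeSize:DWORD

    ; Step 1: find NTICE's image base.  `offset HeapReAlloc` is the import
    ; thunk `jmp dword ptr [IAT slot]` (FF 25 disp32); the IAT slot holds
    ; an address inside NTICE.sys, from which we walk back one page at a
    ; time to the 'MZ' DOS header.
    mov     eax, offset HeapReAlloc
    cmp     word ptr [eax], 25FFh           ; FF 25 = jmp dword ptr [...]; anything else is not a thunk
    jnz     exit_0
    mov     eax, dword ptr [eax+2]          ; eax -> IAT slot
    mov     eax, dword ptr [eax]            ; eax = HeapReAlloc inside NTICE
    and     eax, 0FFFFF000h                 ; page-align
    .while TRUE
        cmp     word ptr [eax], 'ZM'
        .break .if ZERO?
        sub     eax, 4096                   ; NOTE(review): unbounded walk; faults if it leaves mapped memory
    .endw
    mov     _IceBase, eax
    invoke  DbgPrint, $CTA0("NTice MZ-header found at %08X\n"), eax

    ; Step 2: code-section bounds from the PE headers.
    mov     eax, _IceBase
    assume  eax : ptr IMAGE_DOS_HEADER
    mov     ebx, [eax].e_lfanew
    add     eax, ebx
    assume  eax : ptr IMAGE_NT_HEADERS
    cmp     dword ptr [eax], 4550h          ; 'PE\0\0': reject an 'MZ' page that is not a PE image
    jnz     exit_0
    mov     ebx, [eax].OptionalHeader.BaseOfCode
    add     ebx, _IceBase                   ; RVA -> VA (relative to the image base)
    mov     _IceCodeBase, ebx
    mov     ebx, [eax].OptionalHeader.SizeOfCode
    mov     _IceCodeSize, ebx
    assume  eax : nothing

    ; Step 3: _LoadKDE.  The "call _LoadKDE" E8 is at signature offset 11,
    ; its rel32 at 12; target = rel32 + address of the following instruction.
    invoke  _InString, _IceCodeBase, _IceCodeSize, addr LoadKDE_Signs, 27   ; 27 = size of LoadKDE_Signs
    test    eax, eax
    jz      exit_0                          ; 0 = not found (a hit at offset 0 is also rejected)
    add     eax, _IceCodeBase
    add     eax, 12                         ; eax -> rel32
    add     eax, dword ptr [eax]
    add     eax, 4                          ; + size of rel32 = next instruction
    mov     _si_LoadKDE, eax
    invoke  DbgPrint, $CTA0("_si_LoadKDE found at %08X\n"), eax

    ; Step 4: extension-command table.  Offset 7 is the imm32 of
    ; "mov edi, offset bang_funcs_array"; the print loop reads [edi-4], so
    ; each 268-byte entry is taken to start 4 bytes before that address.
    ; Offset 38 is the disp32 of "cmp ebx, KDEFuncNum".
    invoke  _InString, _IceCodeBase, _IceCodeSize, addr BangFuncsArray_Ds32_Signs, 42   ; 42 = size of BangFuncsArray_Ds32_Signs
    test    eax, eax
    jz      exit_0
    add     eax, _IceCodeBase
    mov     ebx, dword ptr [eax+38]
    mov     si_pKDEFuncNum, ebx
    mov     ebx, dword ptr [eax+7]
    sub     ebx, 4
    mov     si_pBangFuncsArray, ebx

    ; Step 5: pExpression2Integer.  Its E8 is at signature offset 12,
    ; rel32 at 13.
    invoke  _InString, _IceCodeBase, _IceCodeSize, addr Expression2Integer_Signs, 43   ; 43 = size of Expression2Integer_Signs
    test    eax, eax
    jz      exit_0
    add     eax, _IceCodeBase
    add     eax, 13                         ; eax -> rel32
    add     eax, dword ptr [eax]
    add     eax, 4
    mov     _si_Expression2Integer, eax
    invoke  DbgPrint, $CTA0("_si_Expression2Integer found at %08X\n"), eax
    mov     eax, 1
    ret
exit_0:
    xor     eax, eax
    ret
_si_Init endp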
;===================================================================
;
; 清除添加的命令
;
;===================================================================
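_si_ClearBangFuncsArray proc uses ebx ecx edx esi edi
;-------------------------------------------------------------------
; void _si_ClearBangFuncsArray(void)
;
; Remove from NTICE's extension-command table every entry whose handler
; address lies in this module's own code section, compacting the table
; in place and writing the new count back through si_pKDEFuncNum.
;
; In:   si_pKDEFuncNum, si_pBangFuncsArray as set by _si_Init.
; Out:  nothing meaningful in eax.
; Clobb: flags (other registers preserved via `uses`).
;
; Fixes: does nothing if _si_Init never located the table (both pointers
; still 0); BaseOfCode is an RVA relative to the image base, not to the
; NT headers, so the "ours" range used to be shifted by e_lfanew bytes.
;-------------------------------------------------------------------
BANG_FUNC_ENTRY_SIZE equ 268               ; bytes per command entry (esi = 10Ch in NTICE's loop)

    LOCAL _ZtsICEBase:DWORD, _ZtsICECodeBase:DWORD, _ZtsICECodeEnd:DWORD

    cmp     si_pKDEFuncNum, 0
    jz      done                            ; table never located: nothing to clean up
    cmp     si_pBangFuncsArray, 0
    jz      done

    ; Our own image base: walk back from _si_Init to the 'MZ' header.
    lea     eax, _si_Init
    and     eax, 0FFFFF000h
    .while TRUE
        cmp     word ptr [eax], 'ZM'
        .break .if ZERO?
        sub     eax, 4096
    .endw
    mov     _ZtsICEBase, eax
    assume  eax : ptr IMAGE_DOS_HEADER
    mov     ebx, [eax].e_lfanew
    add     eax, ebx
    assume  eax : ptr IMAGE_NT_HEADERS
    mov     ebx, [eax].OptionalHeader.BaseOfCode
    add     ebx, _ZtsICEBase                ; RVA -> VA (relative to the image base)
    mov     _ZtsICECodeBase, ebx
    mov     eax, [eax].OptionalHeader.SizeOfCode
    add     eax, ebx
    mov     _ZtsICECodeEnd, eax             ; one past the last code byte
    assume  eax : nothing

    ; Compact the table: drop every entry whose handler is in our code.
    xor     eax, eax                        ; eax = index of the entry under examination
    mov     ebx, si_pKDEFuncNum
    mov     ebx, dword ptr [ebx]            ; ebx = current entry count
    mov     edx, si_pBangFuncsArray         ; edx -> entry[eax]; first dword = handler address
    cld                                     ; rep movsd must move forwards (destination below source)
    .while eax < ebx
        mov     ecx, [edx]
        .if ecx >= _ZtsICECodeBase && ecx < _ZtsICECodeEnd
            ; Ours: slide the following entries down one slot and re-examine this slot.
            dec     ebx
            mov     edi, edx
            lea     esi, [edx + BANG_FUNC_ENTRY_SIZE]
            mov     ecx, ebx
            sub     ecx, eax                ; entries after this one
            imul    ecx, BANG_FUNC_ENTRY_SIZE/4 ; dwords to move
            rep     movsd
        .else
            inc     eax
            add     edx, BANG_FUNC_ENTRY_SIZE
        .endif
    .endw
    mov     eax, si_pKDEFuncNum
    mov     dword ptr [eax], ebx            ; publish the new count
done:
    ret
_si_ClearBangFuncsArray endp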