{Article unfinished} Reason: giving the judging panel a week to publish it themselves; I am posting the appendix of the analysis first. {/Article unfinished}

+------------+
[ Appendix ]
+------------+
During initialization, the ring-3 part of IceSword (v1.22) talks to its driver 46 times (the last control code, A8730100, is polled in a loop to fetch a variable). Below is the reverse-engineering of those 46 exchanges, grunt work included.
This article is concerned with the 32nd and 33rd control codes:
(32) A8730114 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x045, METHOD_BUFFERED, FILE_ANY_ACCESS )
(33) A8730118 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x046, METHOD_BUFFERED, FILE_ANY_ACCESS )
Because IceSword encrypts the data it exchanges with the driver, every buffer shown below is the decrypted result.
#define FILE_DEVICE_ICESWORD 0x0000A873
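An added example, not IceSword's or the author's code: a small C decoder for the raw IoControlCode values printed in this trace, built on the bit layout of the wdm.h CTL_CODE macro (DeviceType<<16 | Access<<14 | Function<<2 | Method). It rebuilds the CTL_CODE( ... ) form used in this appendix and also makes visible that 0xA873C822 carries METHOD_OUT_DIRECT with read+write access rather than METHOD_BUFFERED / FILE_ANY_ACCESS.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Device type used by the IceSword driver, taken from the appendix. */
#define FILE_DEVICE_ICESWORD 0x0000A873

/* Same bit layout as the wdm.h macro:
 * DeviceType<<16 | Access<<14 | Function<<2 | Method */
#define CTL_CODE(DeviceType, Function, Method, Access)                   \
    (((uint32_t)(DeviceType) << 16) | ((uint32_t)(Access) << 14) |       \
     ((uint32_t)(Function) << 2) | (uint32_t)(Method))

#define METHOD_BUFFERED   0
#define METHOD_IN_DIRECT  1
#define METHOD_OUT_DIRECT 2
#define METHOD_NEITHER    3
#define FILE_ANY_ACCESS   0
#define FILE_READ_ACCESS  1
#define FILE_WRITE_ACCESS 2

typedef struct {
    uint16_t device_type; /* bits 31..16 */
    uint8_t  access;      /* bits 15..14: FILE_*_ACCESS the caller needs */
    uint16_t function;    /* bits 13..2: 0x800 and up are vendor-private */
    uint8_t  method;      /* bits 1..0: METHOD_* (how buffers reach the driver) */
} ioctl_fields;

/* Split a raw IoControlCode (as printed by the debugger) into its fields. */
ioctl_fields ioctl_decode(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3);
    f.function    = (uint16_t)((code >> 2) & 0xFFF);
    f.method      = (uint8_t)(code & 0x3);
    return f;
}

/* 1 if the code is addressed to the IceSword device type, else 0. */
int ioctl_is_icesword(uint32_t code)
{
    return ioctl_decode(code).device_type == FILE_DEVICE_ICESWORD;
}

static const char *method_name(uint8_t m)
{
    static const char *const names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                         "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[m & 0x3];
}

static const char *access_name(uint8_t a)
{
    static const char *const names[] = { "FILE_ANY_ACCESS", "FILE_READ_ACCESS",
        "FILE_WRITE_ACCESS", "FILE_READ_ACCESS | FILE_WRITE_ACCESS" };
    return names[a & 0x3];
}

/* Render a raw code in the CTL_CODE( ... ) form this appendix uses.
 * Returns a pointer to a static buffer (not reentrant). */
const char *ioctl_describe(uint32_t code)
{
    static char out[112];
    char dev[24];
    ioctl_fields f = ioctl_decode(code);

    if (f.device_type == FILE_DEVICE_ICESWORD)
        snprintf(dev, sizeof dev, "FILE_DEVICE_ICESWORD");
    else
        snprintf(dev, sizeof dev, "0x%04X", f.device_type);

    snprintf(out, sizeof out, "CTL_CODE( %s, 0x%03X, %s, %s )",
             dev, f.function, method_name(f.method), access_name(f.access));
    return out;
}

int main(void)
{
    /* Codes copied from the trace: calls (32), (33), (13) and (46). */
    const uint32_t seen[] = { 0xA8730114u, 0xA8730118u, 0xA873C822u, 0xA8730100u };
    size_t i;
    for (i = 0; i < sizeof seen / sizeof seen[0]; i++)
        printf("%08X : %s\n", seen[i], ioctl_describe(seen[i]));
    /* Round trip: the macro rebuilds the value the debugger showed for call (32). */
    printf("CTL_CODE(ICESWORD, 0x045, BUFFERED, ANY) = %08X\n",
           CTL_CODE(FILE_DEVICE_ICESWORD, 0x045, METHOD_BUFFERED, FILE_ANY_ACCESS));
    return 0;
}
```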
-----------------------------------------------------------------------------------------
(01) A8730038 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x00E, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 2
+0x004 InputBufferLength : 0
+0x008 IoControlCode : 0xA8730038
[OUT BUFFER]
1: kd> dw 818d6398 L1
818d6398 0A28 ; fetch the nt!NtBuildNumber variable
-----------------------------------------------------------------------------------------
(02) A8730074 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x01D, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x18
+0x004 InputBufferLength : 0x3C
+0x008 IoControlCode : 0xA8730074
[IN BUFFER]
1: kd> db 819bce28 L3C
819bce28 4f 43 45 53 00 00 00 80-01 00 00 00 03 00 00 00 OCES............
819bce38 80 00 00 00 43 3a 5c 57-49 4e 44 4f 57 53 5c 73 ....C:\WINDOWS\s
819bce48 79 73 74 65 6d 33 32 5c-64 72 69 76 65 72 73 5c ystem32\drivers\
819bce58 6e 74 66 73 2e 73 79 73-00 4f 57 53 ntfs.sys.OWS
-----------------------------------------------------------------------------------------
(03) A8730084 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x021, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x10
+0x004 InputBufferLength : 0x10
+0x008 IoControlCode : 0xA8730084
[OUT BUFFER]
1: kd> dd 816c5548 L4
816c5548 0000008c bb02b71e 0008c480 00000000 ; get ntfs.sys file size, etc.
-----------------------------------------------------------------------------------------
(04) A8730078 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x01E, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x8c48c
+0x004 InputBufferLength : 0x8c48c
+0x008 IoControlCode : 0xA8730078
[OUT BUFFER]
0: kd> db 81373000+c
8137300c 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
8137301c b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
8137302c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8137303c 00 00 00 00 00 00 00 00-00 00 00 00 e0 00 00 00 ................
8137304c 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
8137305c 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
8137306c 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
........
-----------------------------------------------------------------------------------------
(05) A8730178 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x05E, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0
+0x004 InputBufferLength : 4
+0x008 IoControlCode : 0xA8730178
[IN BUFFER]
0: kd> dd 818da7a0 L1
818da7a0 00017b10 ; offset of Ntfs!_imp__MmFlushImageSection found by the ring-3 search ( IAT Hook )
-----------------------------------------------------------------------------------------
(06) A8730074 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x01D, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x18
+0x004 InputBufferLength : 0x3F
+0x008 IoControlCode : 0xA8730074
[IN BUFFER]
1: kd> db 8181fbc8 L3F
8181fbc8 8c 00 00 00 00 00 00 80-01 00 00 00 03 00 00 00 ................
8181fbd8 80 00 00 00 43 3a 5c 57-49 4e 44 4f 57 53 5c 73 ....C:\WINDOWS\s
8181fbe8 79 73 74 65 6d 33 32 5c-64 72 69 76 65 72 73 5c ystem32\drivers\
8181fbf8 66 61 73 74 66 61 74 2e-73 79 73 00 00 00 00 fastfat.sys....
-----------------------------------------------------------------------------------------
(07) A8730084 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x021, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x10
+0x004 InputBufferLength : 0x10
+0x008 IoControlCode : 0xA8730084
[OUT BUFFER]
1: kd> dd 816c5548 L4
816c5548 0000008c e60fa556 00023000 00000000 ; get fastfat.sys file size, etc.
-----------------------------------------------------------------------------------------
(08) A8730078 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x01E, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x2300c
+0x004 InputBufferLength : 0x2300c
+0x008 IoControlCode : 0xA8730078
[OUT BUFFER]
1: kd> db 814af000+c
814af00c 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
814af01c b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
814af02c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
814af03c 00 00 00 00 00 00 00 00-00 00 00 00 e0 00 00 00 ................
814af04c 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
814af05c 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
814af06c 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
........
-----------------------------------------------------------------------------------------
(09) A873017C : CTL_CODE( FILE_DEVICE_ICESWORD, 0x05F, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0
+0x004 InputBufferLength : 4
+0x008 IoControlCode : 0xA873017C
[IN BUFFER]
0: kd> dd 818d6dc0 L1
818d6dc0 00002748 ; offset of Fastfat!_imp__MmFlushImageSection found by the ring-3 search ( IAT Hook )
-----------------------------------------------------------------------------------------
(10) A8730074 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x01D, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x18
+0x004 InputBufferLength : 0x40
+0x008 IoControlCode : 0xA8730074
[IN BUFFER]
1: kd> db 8181fbc8 L40
8181fbc8 8c 00 00 00 00 00 00 80-01 00 00 00 03 00 00 00 ................
8181fbd8 80 00 00 00 43 3a 5c 57-49 4e 44 4f 57 53 5c 73 ....C:\WINDOWS\s
8181fbe8 79 73 74 65 6d 33 32 5c-64 72 69 76 65 72 73 5c ystem32\drivers\
8181fbf8 63 6c 61 73 73 70 6e 70-2e 73 79 73 00 00 00 00 classpnp.sys....
-----------------------------------------------------------------------------------------
(11) A8730084 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x021, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x10
+0x004 InputBufferLength : 0x10
+0x008 IoControlCode : 0xA8730084
[OUT BUFFER]
1: kd> dd 816c5548 L4
816c5548 0000008c b815b443 0000c200 00000000 ; get classpnp.sys file size, etc.
-----------------------------------------------------------------------------------------
(12) A8730078 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x01E, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0xc20c
+0x004 InputBufferLength : 0xc20c
+0x008 IoControlCode : 0xA8730078
[OUT BUFFER]
0: kd> db 81506000+c
8150600c 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
8150601c b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
8150602c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8150603c 00 00 00 00 00 00 00 00-00 00 00 00 d8 00 00 00 ................
8150604c 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
8150605c 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
8150606c 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
........
-----------------------------------------------------------------------------------------
(13) A873C822 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x208, METHOD_OUT_DIRECT, FILE_READ_ACCESS | FILE_WRITE_ACCESS )
+0x000 OutputBufferLength : 0
+0x004 InputBufferLength : 8
+0x008 IoControlCode : 0xA873C822
[IN BUFFER]
1: kd> dd 818d76f0 L2
818d76f0 0000000e 0000144d ; offset of CLASSPNP!ClassDeviceControlDispatch found by the ring-3 search
-----------------------------------------------------------------------------------------
(14) A873C822 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x208, METHOD_OUT_DIRECT, FILE_READ_ACCESS | FILE_WRITE_ACCESS )
+0x000 OutputBufferLength : 0
+0x004 InputBufferLength : 8
+0x008 IoControlCode : 0xA873C822
[IN BUFFER]
1: kd> dd 818d76f0 L2
818d76f0 00000003 00000d9b ; offset of CLASSPNP!ClassReadWrite found by the ring-3 search
-----------------------------------------------------------------------------------------
(15) A8730074 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x01D, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x18
+0x004 InputBufferLength : 0x40
+0x008 IoControlCode : 0xA8730074
[IN BUFFER]
1: kd> db 8181fbc8 L3C
8181fbc8 8c 00 00 00 00 00 00 80-01 00 00 00 03 00 00 00 ................
8181fbd8 80 00 00 00 43 3a 5c 57-49 4e 44 4f 57 53 5c 73 ....C:\WINDOWS\s
8181fbe8 79 73 74 65 6d 33 32 5c-64 72 69 76 65 72 73 5c ystem32\drivers\
8181fbf8 43 6c 61 73 73 70 6e 70-2e 73 79 73 00 00 00 00 Classpnp.sys....
-----------------------------------------------------------------------------------------
(16) A8730084 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x021, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x10
+0x004 InputBufferLength : 0x10
+0x008 IoControlCode : 0xA8730084
[OUT BUFFER]
1: kd> dd 816c5548 L4
816c5548 0000008c b815b443 0000c200 00000000 ; get Classpnp.sys file size, etc.
-----------------------------------------------------------------------------------------
(17) A8730078 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x01E, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0xc20c
+0x004 InputBufferLength : 0xc20c
+0x008 IoControlCode : 0xA8730078
[OUT BUFFER]
0: kd> db 81908000+c
8190800c 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
8190801c b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
8190802c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8190803c 00 00 00 00 00 00 00 00-00 00 00 00 d8 00 00 00 ................
8190804c 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
8190805c 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
8190806c 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
........
-----------------------------------------------------------------------------------------
(18) A8730074 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x01D, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x18
+0x004 InputBufferLength : 0x3C
+0x008 IoControlCode : 0xA8730074
[IN BUFFER]
1: kd> db 818c8e58 L3C
818c8e58 8c 00 00 00 00 00 00 80-01 00 00 00 03 00 00 00 ................
818c8e68 80 00 00 00 43 3a 5c 57-49 4e 44 4f 57 53 5c 73 ....C:\WINDOWS\s
818c8e78 79 73 74 65 6d 33 32 5c-64 72 69 76 65 72 73 5c ystem32\drivers\
818c8e88 4e 74 66 73 2e 73 79 73-00 c2 00 00 Ntfs.sys....
-----------------------------------------------------------------------------------------
(19) A8730084 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x021, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x10
+0x004 InputBufferLength : 0x10
+0x008 IoControlCode : 0xA8730084
[OUT BUFFER]
1: kd> dd 816c5548 L4
816c5548 0000008c bb02b71e 0008c480 00000000 ; get Ntfs.sys file size, etc.
-----------------------------------------------------------------------------------------
(20) A8730078 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x01E, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x8c48c
+0x004 InputBufferLength : 0x8c48c
+0x008 IoControlCode : 0xA8730078
[OUT BUFFER]
0: kd> db 815bf000+c
815bf00c 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
815bf01c b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
815bf02c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
815bf03c 00 00 00 00 00 00 00 00-00 00 00 00 e0 00 00 00 ................
815bf04c 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
815bf05c 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
815bf06c 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
........
-----------------------------------------------------------------------------------------
(21) A8730074 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x01D, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x18
+0x004 InputBufferLength : 0x3F
+0x008 IoControlCode : 0xA8730074
[IN BUFFER]
0: kd> db 817bd310 L3F
817bd310 8c 00 00 00 00 00 00 80-01 00 00 00 03 00 00 00 ................
817bd320 80 00 00 00 43 3a 5c 57-49 4e 44 4f 57 53 5c 73 ....C:\WINDOWS\s
817bd330 79 73 74 65 6d 33 32 5c-64 72 69 76 65 72 73 5c ystem32\drivers\
817bd340 46 61 73 74 66 61 74 2e-73 79 73 00 00 00 00 Fastfat.sys....
-----------------------------------------------------------------------------------------
(22) A8730084 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x021, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x10
+0x004 InputBufferLength : 0x10
+0x008 IoControlCode : 0xA8730084
[OUT BUFFER]
1: kd> dd 816c5548 L4
816c5548 0000008c e60fa556 00023000 00000000 ; get Fastfat.sys file size, etc.
-----------------------------------------------------------------------------------------
(23) A8730078 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x01E, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x2300c
+0x004 InputBufferLength : 0x2300c
+0x008 IoControlCode : 0xA8730078
[OUT BUFFER]
1: kd> db 813dc000+c
813dc00c 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
813dc01c b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
813dc02c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
813dc03c 00 00 00 00 00 00 00 00-00 00 00 00 e0 00 00 00 ................
813dc04c 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
813dc05c 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
813dc06c 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
........
-----------------------------------------------------------------------------------------
(24) A873013C : CTL_CODE( FILE_DEVICE_ICESWORD, 0x04F, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x280
+0x004 InputBufferLength : 0
+0x008 IoControlCode : 0xA873013C
[OUT BUFFER]
0: kd> ln poi(81914008+00)
(805d2170) nt!NtTerminateProcess
0: kd> ln poi(81914008+14)
(805d236a) nt!NtTerminateThread
0: kd> ln poi(81914008+28)
(805cac46) nt!NtOpenProcess
0: kd> ln poi(81914008+3C)
(805caed2) nt!NtOpenThread
0: kd> ln poi(81914008+50)
(805d0966) nt!NtCreateProcessEx
0: kd> ln poi(81914008+64)
(805d0804) nt!NtCreateThread
0: kd> ln poi(81914008+78)
(804fac1c) nt!KeBugCheckEx
; get the IceSword driver's hook points and the first 0x10 bytes of each inline hook ( Win-XP )
-----------------------------------------------------------------------------------------
(25) A8730108 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x042, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x44
+0x004 InputBufferLength : 0
+0x008 IoControlCode : 0xA8730108
[OUT BUFFER]
0: kd> db 817f5258 L44
817f5258 5c 53 79 73 74 65 6d 52-6f 6f 74 5c 73 79 73 74 \SystemRoot\syst
817f5268 65 6d 33 32 5c 4e 54 4b-52 4e 4c 50 41 2e 45 58 em32\NTKRNLPA.EX
817f5278 45 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 E...............
817f5288 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
817f5298 00 80 4d 80 ..M.
; get the kernel image path and base address
-----------------------------------------------------------------------------------------
(26) A8730074 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x01D, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x18
+0x004 InputBufferLength : 0x38
+0x008 IoControlCode : 0xA8730074
[IN BUFFER]
0: kd> db 817aaae8 L38
817aaae8 80 00 00 00 00 00 00 80-01 00 00 00 03 00 00 00 ................
817aaaf8 80 00 00 00 43 3a 5c 57-49 4e 44 4f 57 53 5c 73 ....C:\WINDOWS\s
817aab08 79 73 74 65 6d 33 32 5c-4e 54 4b 52 4e 4c 50 41 ystem32\NTKRNLPA
817aab18 2e 45 58 45 00 57 53 5c .EXE.WS\
-----------------------------------------------------------------------------------------
(27) A8730084 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x021, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x10
+0x004 InputBufferLength : 0x10
+0x008 IoControlCode : 0xA8730084
[OUT BUFFER]
1: kd> dd 81738ef0 L4
81738ef0 0000008c a2a7a4f9 001ebe00 00000000 ; get NTKRNLPA.EXE file size, etc.
-----------------------------------------------------------------------------------------
(28) A8730078 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x01E, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x1ebe0c
+0x004 InputBufferLength : 0x1ebe0c
+0x008 IoControlCode : 0xA8730078
[OUT BUFFER]
0: kd> db 81214000+c
8121400c 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
8121401c b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
8121402c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8121403c 00 00 00 00 00 00 00 00-00 00 00 00 e0 00 00 00 ................
8121404c 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
8121405c 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
8121406c 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
........
-----------------------------------------------------------------------------------------
(29) A873006C : CTL_CODE( FILE_DEVICE_ICESWORD, 0x01B, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x1000
+0x004 InputBufferLength : 0
+0x008 IoControlCode : 0xA873006C
[OUT BUFFER]
1: kd> dd 8164b000 8164b000+000008e4
8164b000 805a4054 805f02d8 805f3b0e 805f030a
8164b010 805f3b48 805f0340 805f3b8c 805f3bd0
8164b020 80614adc 8061581e 805eb67a 805eb2d2
........
; get the SSDT routine addresses * 2
-----------------------------------------------------------------------------------------
(30) A873011C : CTL_CODE( FILE_DEVICE_ICESWORD, 0x047, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 4
+0x004 InputBufferLength : 0
+0x008 IoControlCode : 0xA873011C
[OUT BUFFER]
1: kd> ln poi(818c6078)
(80616ea8) nt!NtSystemDebugControl
; get the address of the nt!NtSystemDebugControl routine
-----------------------------------------------------------------------------------------
(31) A8730120 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x048, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0
+0x004 InputBufferLength : 4
+0x008 IoControlCode : 0xA8730120
[IN BUFFER]
1: kd> ln poi(818c6078)
(8066a888) nt!KdpCopyMemoryChunks
; address of the nt!KdpCopyMemoryChunks routine found by the ring-3 search
-----------------------------------------------------------------------------------------
(32) A8730114 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x045, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 4
+0x004 InputBufferLength : 0
+0x008 IoControlCode : 0xA8730114
[OUT BUFFER]
1: kd> ln poi(818c6078)
(80544498) nt!KiTrap0E
; get the address of the nt!KiTrap0E routine
-----------------------------------------------------------------------------------------
(33) A8730118 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x046, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0
+0x004 InputBufferLength : 8
+0x008 IoControlCode : 0xA8730118
[IN BUFFER]
1: kd> ln poi(818c6078+0)
(80561ba0) nt!MmSystemLockOwner
1: kd> ln poi(818c6078+4)
(80561bc0) nt!MmSystemWsLock
; addresses of the nt!MmSystemLockOwner and nt!MmSystemWsLock variables found by the ring-3 search ( only valid on Win-XP )
-----------------------------------------------------------------------------------------
(34) A8730124 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x049, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x20
+0x004 InputBufferLength : 0
+0x008 IoControlCode : 0xA8730124
[OUT BUFFER]
1: kd> dd 81782410 81782410+20-1
81782410 00000000 80623888 80623af2 80624702
81782420 80621102 80621708 806234d8 806236a8
; get the addresses of the routines nt!NtEnumerateKey \
nt!NtEnumerateValueKey \
nt!NtQueryKey \
nt!NtQueryValueKey \
nt!NtSetValueKey \
nt!NtDeleteKey \
nt!NtDeleteValueKey
-----------------------------------------------------------------------------------------
(35) A8730128 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x04A, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0
+0x004 InputBufferLength : 0x20
+0x008 IoControlCode : 0xA8730128
[IN BUFFER]
1: kd> dd 81782410 81782410+20-1
81782410 8067c3b0 806304a8 80630580 806306f6
81782420 80630882 80631dc8 80634f1a 806302ce
; found by the ring-3 search: addresses of nt!CmpKeyObjectType \
nt!CmEnumerateKey \
nt!CmEnumerateValueKey \
nt!CmQueryKey \
nt!CmQueryValueKey \
nt!CmSetValueKey \
nt!CmDeleteKey \
nt!CmDeleteValueKey
-----------------------------------------------------------------------------------------
(36) A8730074 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x01D, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x18
+0x004 InputBufferLength : 0x38
+0x008 IoControlCode : 0xA8730074
[IN BUFFER]
0: kd> db 8184a870 L38
8184a870 8c 00 00 00 00 00 00 80-01 00 00 00 03 00 00 00 ................
8184a880 80 00 00 00 43 3a 5c 57-49 4e 44 4f 57 53 5c 73 ....C:\WINDOWS\s
8184a890 79 73 74 65 6d 33 32 5c-4e 54 4b 52 4e 4c 50 41 ystem32\NTKRNLPA
8184a8a0 2e 45 58 45 00 93 28 94 .EXE..(.
-----------------------------------------------------------------------------------------
(37) A8730084 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x021, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x10
+0x004 InputBufferLength : 0x10
+0x008 IoControlCode : 0xA8730084
[OUT BUFFER]
0: kd> dd 817416d0 L4
817416d0 0000008c a2a7a4f9 001ebe00 00000000 ; get NTKRNLPA.EXE file size, etc.
-----------------------------------------------------------------------------------------
(38) A8730078 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x01E, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x1ebe0c
+0x004 InputBufferLength : 0x1ebe0c
+0x008 IoControlCode : 0xA8730078
[OUT BUFFER]
0: kd> db 81214000+c
8121400c 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
8121401c b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
8121402c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
8121403c 00 00 00 00 00 00 00 00-00 00 00 00 e0 00 00 00 ................
8121404c 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
8121405c 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
8121406c 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
........
-----------------------------------------------------------------------------------------
(39) A873010C : CTL_CODE( FILE_DEVICE_ICESWORD, 0x043, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0
+0x004 InputBufferLength : 0xe0
+0x008 IoControlCode : 0xA873010C
[IN BUFFER]
0: kd> dd 81870a68 81870a68+e0-1
81870a68 0007d784 0001a340 00017f48 00017b20
81870a78 00002708 0000680c 8b55ff8b 10ec83ec
81870a88 f18b5653 89234e8a 568af855 fedb3322
81870a98 57ca3ac2 0ff45d89 00029a8f 3e836600
81870aa8 90850f06 8b000002 c1fe607e 478dca3a
81870ab8 234e8824 0f604689 0000ab8f 03c78300
81870ac8 e280178a 185e3901 88ff5588 178a2156
81870ad8 c2f6077c eb107540 78d28404 245e380a
81870ae8 c2f64474 883f7420 5f88fe5f 891f88ff
81870af8 5f89015f 095f8905 890d5f89 468a155f
81870b08 38c0fe22 04752346 06ebc033 8b60468b
81870b18 77ff1440 ff50561d 163d1957 75c00000
81870b28 5b5e5f2a 5d38c3c9 3a0974ff 047f224e
81870b38 01034880 88fe5f88 1f88ff5f 89015f89
0: kd> ln 804d8000+0007d784
(80555784) nt!pIofCompleteRequest
0: kd> ln 804d8000+0001a340
(804f2340) nt!IopfCompleteRequest
0: kd> ln 804d8000+00017f48
(804eff48) nt!IofCompleteRequest
0: kd> ln f73ce000+00017b20
(f73e5b20) Ntfs!_imp_IofCompleteRequest
0: kd> ln f73ce000+00002708
(f50ee708) Fastfat!Fastfat!_imp_IofCompleteRequest
0: kd> ln f7698000+0000680c
(f769e80c) CLASSPNP!_imp_IofCompleteRequest
-----------------------------------------------------------------------------------------
(40) A873016C : CTL_CODE( FILE_DEVICE_ICESWORD, 0x05B, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 8
+0x004 InputBufferLength : 0
+0x008 IoControlCode : 0xA873016C
; get the initialization flags ( file system, etc. )
-----------------------------------------------------------------------------------------
(41) A8730058 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x016, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x20
+0x004 InputBufferLength : 0x64
+0x008 IoControlCode : 0xA8730058
[IN BUFFER]
1: kd> db 817a1320 L64
817a1320 00 00 00 00 08 00 00 00-00 00 00 00 00 00 00 00 ................
817a1330 00 00 00 00 00 00 00 00-5c 00 52 00 65 00 67 00 ........\.R.e.g.
817a1340 69 00 73 00 74 00 72 00-79 00 5c 00 4d 00 61 00 i.s.t.r.y.\.M.a.
817a1350 63 00 68 00 69 00 6e 00-65 00 5c 00 53 00 4f 00 c.h.i.n.e.\.S.O.
817a1360 46 00 54 00 57 00 41 00-52 00 45 00 5c 00 43 00 F.T.W.A.R.E.\.C.
817a1370 6c 00 61 00 73 00 73 00-65 00 73 00 00 00 00 00 l.a.s.s.e.s.....
817a1380 00 00 00 00 ....
-----------------------------------------------------------------------------------------
(42) A8730058 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x016, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x20
+0x004 InputBufferLength : 0x96
+0x008 IoControlCode : 0xA8730058
[IN BUFFER]
1: kd> db 817d3e30 L96
817d3e30 00 00 00 00 08 00 00 00-00 00 00 00 00 00 00 00 ................
817d3e40 00 00 00 00 00 00 00 00-5c 00 52 00 45 00 47 00 ........\.R.E.G.
817d3e50 49 00 53 00 54 00 52 00-59 00 5c 00 55 00 53 00 I.S.T.R.Y.\.U.S.
817d3e60 45 00 52 00 5c 00 53 00-2d 00 31 00 2d 00 35 00 E.R.\.S.-.1.-.5.
817d3e70 2d 00 32 00 31 00 2d 00-35 00 38 00 33 00 39 00 -.2.1.-.5.8.3.9.
817d3e80 30 00 37 00 32 00 35 00-32 00 2d 00 32 00 36 00 0.7.2.5.2.-.2.6.
817d3e90 31 00 39 00 30 00 33 00-37 00 39 00 33 00 2d 00 1.9.0.3.7.9.3.-.
817d3ea0 31 00 31 00 37 00 37 00-32 00 33 00 38 00 39 00 1.1.7.7.2.3.8.9.
817d3eb0 31 00 35 00 2d 00 31 00-30 00 30 00 33 00 00 00 1.5.-.1.0.0.3...
817d3ec0 7d 83 be 27 00 00 }..'..
-----------------------------------------------------------------------------------------
(43) A8730058 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x016, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x20
+0x004 InputBufferLength : 0x42
+0x008 IoControlCode : 0xA8730058
[IN BUFFER]
1: kd> db 81895430 L42
81895430 0f 94 2d 91 08 00 00 00-6b 38 51 3b 60 05 e4 d2 ..-.....k8Q;`...
81895440 4c 83 87 27 00 00 00 00-5c 00 52 00 65 00 67 00 L..'....\.R.e.g.
81895450 69 00 73 00 74 00 72 00-79 00 5c 00 4d 00 61 00 i.s.t.r.y.\.M.a.
81895460 63 00 68 00 69 00 6e 00-65 00 00 00 e5 be 49 a3 c.h.i.n.e.....I.
81895470 42 17 B.
-----------------------------------------------------------------------------------------
(44) A8730058 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x016, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x20
+0x004 InputBufferLength : 0x3c
+0x008 IoControlCode : 0xA8730058
[IN BUFFER]
0: kd> db 818e2c18 L3c
818e2c18 10 08 00 80 08 00 00 00-6b 38 51 3b 60 05 e4 d2 ........k8Q;`...
818e2c28 4c 83 87 27 00 00 00 00-5c 00 52 00 65 00 67 00 L..'....\.R.e.g.
818e2c38 69 00 73 00 74 00 72 00-79 00 5c 00 55 00 73 00 i.s.t.r.y.\.U.s.
818e2c48 65 00 72 00 00 00 15 c8-3c 38 7c 3b e.r.....<8|;
-----------------------------------------------------------------------------------------
(45) A8730058 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x016, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 0x20
+0x004 InputBufferLength : 0xa8
+0x008 IoControlCode : 0xA8730058
[IN BUFFER]
1: kd> db 81828e18 La8
81828e18 00 00 00 00 08 00 00 00-d0 08 00 00 a1 00 00 00 ................
81828e28 80 08 00 80 00 00 00 00-5c 00 52 00 65 00 67 00 ........\.R.e.g.
81828e38 69 00 73 00 74 00 72 00-79 00 5c 00 4d 00 61 00 i.s.t.r.y.\.M.a.
81828e48 63 00 68 00 69 00 6e 00-65 00 5c 00 53 00 59 00 c.h.i.n.e.\.S.Y.
81828e58 53 00 54 00 45 00 4d 00-5c 00 43 00 75 00 72 00 S.T.E.M.\.C.u.r.
81828e68 72 00 65 00 6e 00 74 00-43 00 6f 00 6e 00 74 00 r.e.n.t.C.o.n.t.
81828e78 72 00 6f 00 6c 00 53 00-65 00 74 00 5c 00 48 00 r.o.l.S.e.t.\.H.
81828e88 61 00 72 00 64 00 77 00-61 00 72 00 65 00 20 00 a.r.d.w.a.r.e. .
81828e98 50 00 72 00 6f 00 66 00-69 00 6c 00 65 00 73 00 P.r.o.f.i.l.e.s.
81828ea8 5c 00 43 00 75 00 72 00-72 00 65 00 6e 00 74 00 \.C.u.r.r.e.n.t.
81828eb8 00 00 a4 b6 30 c4 00 00 ....0...
-----------------------------------------------------------------------------------------
(46) A8730100 : CTL_CODE( FILE_DEVICE_ICESWORD, 0x040, METHOD_BUFFERED, FILE_ANY_ACCESS )
+0x000 OutputBufferLength : 4
+0x004 InputBufferLength : 0
+0x008 IoControlCode : 0xA8730100
; polls the flag byte_3A770 in a loop ^_^
WANGYU aka. keenjoy95