Does someone recognize the program that assembles this?
; Reset TF via KiCallbackReturn.
;
;
;
comment '
XPFN_PROC():
[Esp]:
IP_TO_PFN_GATE
[XPFN_PROC_ARG]
[LOCALS/REGS]
[Ebp]:
rEBP
IP_TO_KiUserCallbackDispatcher
pInputBuffer
InputLength
[GATE_ARGS/XPFN_PROC]
; VOID
; KiUserCallbackDispatcher (
; IN ULONG ApiNumber,
; IN PVOID InputBuffer,
; IN ULONG InputLength
; )
;
; NTSTATUS
; NtCallbackReturn (
; IN PVOID OutputBuffer OPTIONAL,
; IN ULONG OutputLength,
; IN NTSTATUS Status
; )
1. The stack and the RGP must be restored.
2. To restore the stack, find the dispatcher frame (KiUserCallbackDispatcher()), extract rEbp from it and adjust rEsp by InputLength.
3. The offsets of Ebx/Esi/Edi in the PFN_GATE frame are fixed.
4. From PFN_GATE, control returns not to the dispatcher but to the service (XyCallbackReturn: KiCallbackReturn/NtCallbackReturn).
5. If the RGP offsets in the PFN_GATE frame are not fixed, stack routing must be performed to a modified PFN_GATE (a stub for XyCallbackReturn()).
6. If NL of XPFN_PROC > 1, stack routing must be performed from XPFN_PROC to PFN_GATE.
7. For routing, NL must be known, or determined dynamically by backtracing to the dispatcher frame.
8. The dispatcher frame is identified by the return address into the dispatcher.
9. The return address into the dispatcher can be determined dynamically by invoking a callback.
* Recursive calls from XyCallbackReturn() are not permitted.
* Always STATUS_SUCCESS.
Frame = CONTEXT.rEbp
Frame:PSTACK_FRAME
Do
if Frame.Next.Ip ~ [KiUserCallbackDispatcher()]
> Route
fi
Frame = Frame.Next
Loop
End
Route:
; NL(XPFN_PROC) = NL(Ki) + 1
Ip = Frame.Ip
Do
if OPCODE(Ip) = "Retn 4"
End
fi
if OPCODE(Ip) = "Call near rel" ; !~ ClientThreadSetup().
X = D[Ip + 1] + Ip + 5 ; XyCallbackReturn() ?
if X ~ [User32.dll]
if D[X + 2] = 0x2BCD0424 ; bytes 24 04 CD 2B: tail of "lea edx,[esp+4]" followed by "int 2Bh"
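The frame walk (Frame = Ebp, step to Frame.Next until Frame.Next.Ip lies inside the dispatcher) and the Route scan (stop at "retn 4", resolve "call near rel" to X = D[Ip+1] + Ip + 5 and test D[X+2] against 0x2BCD0424) from the snippet above, written out as an added C example. This is not the poster's code and not any real tool's output: it runs over a constructed 32-bit stack image and code image, so every address, the dispatcher range and the byte patterns are constructed here. It also bounds the walk and validates each saved EBP, which the snippet's Do/Loop does not; on a corrupted chain an unguarded walk reads outside the stack or never terminates.

```c
/* Added example (not the poster's code): the EBP-chain walk and the
 * "call near rel" target check from the pseudocode above, run over a
 * constructed stack image and code image so it executes on any host.
 * All addresses, ranges and byte patterns below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STACK_BASE 0x0012F000u   /* constructed "address" of the stack image */
#define STACK_SIZE 0x100u
#define MAX_FRAMES 64            /* the snippet's Do/Loop has no bound; this one does */
#define CODE_BASE  0x77D10000u   /* constructed "address" of the code image */
#define DISP_LO    0x7C900000u   /* constructed [KiUserCallbackDispatcher()] range */
#define DISP_HI    0x7C900100u

static uint8_t g_stack[STACK_SIZE];
static uint8_t g_code[64];

/* Little-endian dword access, spelled out so the example is endian-safe. */
static uint32_t ld32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void st32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
/* A frame is usable only if both its dwords lie inside the image and it is aligned. */
static int in_stack(uint32_t a)
{
    return a >= STACK_BASE && a + 8 <= STACK_BASE + STACK_SIZE && (a & 3) == 0;
}

/* Frame = Ebp; step to Frame.Next until Frame.Next.Ip falls in [lo, hi).
 * Returns how many frames were stepped (0 = ebp itself) and stores that frame;
 * -1 if the chain leaves the image, stops climbing or exceeds MAX_FRAMES. */
static int find_dispatcher_frame(uint32_t ebp, uint32_t lo, uint32_t hi, uint32_t *frame_out)
{
    uint32_t frame = ebp;
    for (int depth = 0; depth < MAX_FRAMES; depth++) {
        if (!in_stack(frame)) return -1;
        uint32_t next = ld32(g_stack + (frame - STACK_BASE));       /* saved EBP */
        if (!in_stack(next) || next <= frame) return -1;            /* must move toward the stack base */
        uint32_t next_ip = ld32(g_stack + (next - STACK_BASE) + 4); /* Frame.Next.Ip */
        if (next_ip >= lo && next_ip < hi) { *frame_out = frame; return depth; }
        frame = next;
    }
    return -1;
}

/* Route: "retn imm16" (C2) ends the scan; on "call rel32" (E8) the target is
 * X = D[Ip+1] + Ip + 5, accepted when it lies in [mod_lo, mod_hi) and
 * D[X+2] == 0x2BCD0424. The snippet is cut off before its advance step;
 * stepping one byte over anything else is this example's assumption. */
static uint32_t route_find_target(const uint8_t *code, uint32_t base, size_t len,
                                  uint32_t ip, uint32_t mod_lo, uint32_t mod_hi)
{
    while (ip >= base && ip < base + len) {
        size_t off = ip - base;
        if (code[off] == 0xC2) return 0;
        if (code[off] == 0xE8 && off + 5 <= len) {
            uint32_t x = ip + 5 + ld32(code + off + 1);   /* wraps like 32-bit rel32 arithmetic */
            if (x >= mod_lo && x + 6 <= mod_hi && x >= base && (size_t)(x - base) + 6 <= len &&
                ld32(code + (x - base) + 2) == 0x2BCD0424u)
                return x;
            ip += 5;
            continue;
        }
        ip += 1;
    }
    return 0;
}

/* Constructed scenario: code image = "call <stub>; retn 4" at +0, a stub whose
 * bytes 2..5 are 24 04 CD 2B at +0x20. Stack image = a local frame at +0x10,
 * the XPFN_PROC frame at +0x40 returning into the code image, and the gate
 * frame at +0x80 returning into the dispatcher range. */
static void build_scenario(void)
{
    static const uint8_t stub[6] = { 0x8D, 0x54, 0x24, 0x04, 0xCD, 0x2B };
    memset(g_code, 0x90, sizeof g_code);
    g_code[0] = 0xE8; st32(g_code + 1, 0x20u - 5u);          /* call CODE_BASE+0x20 */
    g_code[5] = 0xC2; g_code[6] = 0x04; g_code[7] = 0x00;    /* retn 4 */
    memcpy(g_code + 0x20, stub, sizeof stub);
    memset(g_stack, 0, sizeof g_stack);
    st32(g_stack + 0x10, STACK_BASE + 0x40); st32(g_stack + 0x14, CODE_BASE + 0x30);
    st32(g_stack + 0x40, STACK_BASE + 0x80); st32(g_stack + 0x44, CODE_BASE + 0x00);
    st32(g_stack + 0x80, STACK_BASE + 0xC0); st32(g_stack + 0x84, DISP_LO + 0x40);
}

/* End to end: locate the frame below the dispatcher, take Ip = Frame.Ip and
 * run the route scan from there. Returns the resolved target or 0 on failure. */
static uint32_t demo(void)
{
    uint32_t frame;
    build_scenario();
    if (find_dispatcher_frame(STACK_BASE + 0x10, DISP_LO, DISP_HI, &frame) < 0) return 0;
    uint32_t ip = ld32(g_stack + (frame - STACK_BASE) + 4);
    return route_find_target(g_code, CODE_BASE, sizeof g_code, ip, CODE_BASE, CODE_BASE + sizeof g_code);
}

int main(void)
{
    printf("resolved target: 0x%08X\n", demo());   /* 0x77D10020 for the constructed images */
    return 0;
}
```

The two checks that the snippet lacks, `in_stack()` and `next <= frame`, are what make the walk safe to run on an arbitrary chain: a saved EBP that points outside the stack, is misaligned, or points back down the stack is treated as a broken chain and the walk returns -1 instead of following it.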
Nothing I recognize - that doesn't mean much - lol
Maybe a debug script or plug-in or something?
From what dubious site did you get this script?