Author Topic: What assembler uses this ?  (Read 4036 times)

Magnum

  • Member
  • *****
  • Posts: 2390
What assembler uses this ?
« on: January 21, 2013, 01:56:46 AM »
Does someone recognize the program that assembles this ?


Code: [Select]
; Ñáðîñ TF ïîñðåäñòâîì KiCallbackReturn.
;
;
;
comment '
XPFN_PROC():
[Esp]:
IP_TO_PFN_GATE
[XPFN_PROC_ARG]
[LOCALS/REGS]
[Ebp]:
rEBP
IP_TO_KiUserCallbackDispatcher
pInputBuffer
InputLength
[GATE_ARGS/XPFN_PROC]

; VOID
; KiUserCallbackDispatcher (
;    IN ULONG ApiNumber,
;    IN PVOID InputBuffer,
;    IN ULONG InputLength
;    )
;
; NTSTATUS
; NtCallbackReturn (
;    IN PVOID OutputBuffer OPTIONAL,
;    IN ULONG OutputLength,
;    IN NTSTATUS Status
;    )

1. Íåîáõîäèìî âîññòàíîâèòü ñòåê è RGP.
2. Äëÿ âîññòàíîâëåíèÿ ñòåêà íåîáõîäèìî íàéòè ôðåéì äèñïåò÷åðà(KiUserCallbackDispatcher()), èçâëå÷ü èç íåãî rEbp è ñêîððåêòèðîâàòü rEsp íà InputLength.
3. Ñìåùåíèÿ Ebx/Esi/Edi â ôðåéìå PFN_GATE ôèêñèðîâàíû.
4. Èç PFN_GATE óïðàâëåíèå âîçâðàùàåòñÿ íå â äèñïåò÷åð, à â ñåðâèñ(XyCallbackReturn: KiCallbackReturn/NtCallbackReturn).
5. Åñëè ñìåùåíèå RGP â ôðåéìå PFN_GATE íå ôèêñèðîâàíû, òî íåîáõîäèìî âûïîëíèòü ñòåêîâóþ ìàðøðóòèçàöèþ íà èçìåí¸ííûé PFN_GATE(çàãëóøêà íà XyCallbackReturn()).
6. Åñëè NL XPFN_PROC > 1, òî íåîáõîäèìî âûïîëíèòü ñòåêîâóþ ìàðøðóòèçàöèþ èç XPFN_PROC â PFN_GATE.
7. Äëÿ ìàðøðóòèçàöèè íåîáõîäèìî çíàòü NL, ëèáî îïðåäåëèòü åãî äèíàìè÷åñêè, âûïîëíèâ áåêòðåéñ äî ôðåéìà äèñïåò÷åðà.
8. Èäåíòèôèêàöèÿ ôðåéìà äèñïåò÷åðà âûïîëíÿåòñÿ ïî àäðåñó âîçâðàòà â äèñïåò÷åð.
9. Àäðåñ âîçâðàòà â äèñïåò÷åð ìîæåò áûòü îïðåäåë¸í äèíàìè÷åñêè, âûçîâîì êîëáåêà.
*  Ðåêóðñèâíûå âûçîâû èç XyCallbackReturn() íå äîïóñòèìû.
*  Âñåãäà STATUS_SUCCESS.
 
Frame = CONTEXT.rEbp
Frame:PSTACK_FRAME
Do
if Frame.Next.Ip ~ [KiUserCallbackDispatcher()]
> Route
fi
Frame = Frame.Next
Loop
End

Route:
; NL(XPFN_PROC) = NL(Ki) + 1
Ip = Frame.Ip
Do
if OPCODE(Ip) = "Retn 4"
End
fi
if OPCODE(Ip) = "Call near rel" ; !~ ClientThreadSetup().
X = D[Ip + 1] + Ip + 5 ; XyCallbackReturn() ?
if X ~ [User32.dll]
if D[X + 2] = 0x2BCD0424

Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

dedndave

  • Member
  • *****
  • Posts: 8828
  • Still using Abacus 2.0
    • DednDave
Re: What assembler uses this ?
« Reply #1 on: January 21, 2013, 04:43:21 AM »
nothing i recognize - that doesn't mean much - lol
maybe a debug script or plug-in or something ?

qWord

  • Member
  • *****
  • Posts: 1475
  • The base type of a type is the type itself
    • SmplMath macros
Re: What assembler uses this ?
« Reply #2 on: January 21, 2013, 05:49:38 AM »
from what dubious site did you get this script?
MREAL macros - when you need floating point arithmetic while assembling!