News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests
NB: Posting URL's See here: Posted URL Change

Main Menu

What assembler uses this ?

Started by Magnum, January 21, 2013, 01:56:46 AM

Previous topic - Next topic

Magnum

Does someone recognize the program that assembles this ?



; Ñáðîñ TF ïîñðåäñòâîì KiCallbackReturn.
;
;
;
comment '
XPFN_PROC():
[Esp]:
IP_TO_PFN_GATE
[XPFN_PROC_ARG]
[LOCALS/REGS]
[Ebp]:
rEBP
IP_TO_KiUserCallbackDispatcher
pInputBuffer
InputLength
[GATE_ARGS/XPFN_PROC]

; VOID
; KiUserCallbackDispatcher (
;    IN ULONG ApiNumber,
;    IN PVOID InputBuffer,
;    IN ULONG InputLength
;    )
;
; NTSTATUS
; NtCallbackReturn (
;    IN PVOID OutputBuffer OPTIONAL,
;    IN ULONG OutputLength,
;    IN NTSTATUS Status
;    )

1. Íåîáõîäèìî âîññòàíîâèòü ñòåê è RGP.
2. Äëÿ âîññòàíîâëåíèÿ ñòåêà íåîáõîäèìî íàéòè ôðåéì äèñïåò÷åðà(KiUserCallbackDispatcher()), èçâëå÷ü èç íåãî rEbp è ñêîððåêòèðîâàòü rEsp íà InputLength.
3. Ñìåùåíèÿ Ebx/Esi/Edi â ôðåéìå PFN_GATE ôèêñèðîâàíû.
4. Èç PFN_GATE óïðàâëåíèå âîçâðàùàåòñÿ íå â äèñïåò÷åð, à â ñåðâèñ(XyCallbackReturn: KiCallbackReturn/NtCallbackReturn).
5. Åñëè ñìåùåíèå RGP â ôðåéìå PFN_GATE íå ôèêñèðîâàíû, òî íåîáõîäèìî âûïîëíèòü ñòåêîâóþ ìàðøðóòèçàöèþ íà èçìåí¸ííûé PFN_GATE(çàãëóøêà íà XyCallbackReturn()).
6. Åñëè NL XPFN_PROC > 1, òî íåîáõîäèìî âûïîëíèòü ñòåêîâóþ ìàðøðóòèçàöèþ èç XPFN_PROC â PFN_GATE.
7. Äëÿ ìàðøðóòèçàöèè íåîáõîäèìî çíàòü NL, ëèáî îïðåäåëèòü åãî äèíàìè÷åñêè, âûïîëíèâ áåêòðåéñ äî ôðåéìà äèñïåò÷åðà.
8. Èäåíòèôèêàöèÿ ôðåéìà äèñïåò÷åðà âûïîëíÿåòñÿ ïî àäðåñó âîçâðàòà â äèñïåò÷åð.
9. Àäðåñ âîçâðàòà â äèñïåò÷åð ìîæåò áûòü îïðåäåë¸í äèíàìè÷åñêè, âûçîâîì êîëáåêà.
*  Ðåêóðñèâíûå âûçîâû èç XyCallbackReturn() íå äîïóñòèìû.
*  Âñåãäà STATUS_SUCCESS.

Frame = CONTEXT.rEbp
Frame:PSTACK_FRAME
Do
if Frame.Next.Ip ~ [KiUserCallbackDispatcher()]
> Route
fi
Frame = Frame.Next
Loop
End

Route:
; NL(XPFN_PROC) = NL(Ki) + 1
Ip = Frame.Ip
Do
if OPCODE(Ip) = "Retn 4"
End
fi
if OPCODE(Ip) = "Call near rel" ; !~ ClientThreadSetup().
X = D[Ip + 1] + Ip + 5 ; XyCallbackReturn() ?
if X ~ [User32.dll]
if D[X + 2] = 0x2BCD0424

Take care,
                   Andy

Ubuntu-mate-18.04-desktop-amd64

http://www.goodnewsnetwork.org

dedndave

nothing i recognize - that doesn't mean much - lol
maybe a debug script or plug-in or something ?

qWord

from what dubious site did you get this script?
MREAL macros - when you need floating point arithmetic while assembling!