;===================================================================================
; code by laomms 2007.4.25
;===================================================================================
.386 ; 32-bit code: every offset in this file (IRP, IO_STACK_LOCATION, frames) is the x86 layout
.model flat, stdcall ; stdcall is the default for proc/invoke; the hand-built procs below honour it with retn 8
option casemap:none ; identifiers are case-sensitive (matches the w2k include files)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include w2k\ntstatus.inc
include w2k\ntddk.inc
include w2k\ntoskrnl.inc
includelib d:\masm32\lib\w2k\ntoskrnl.lib
include Strings.mac
include dog.inc
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data
; Writable driver state. Nothing here is protected by a lock: DispatchControl
; writes most of it on every accepted request.
;   dogdate       byte image; DispatchControl's DogData1 copies request bytes
;                 into it and DogData2 copies bytes out of it into the reply,
;                 both at an offset/length taken from the request
;   DogSeed1/2    copied into the reply at DispatchControl's @sub9
;   NewPassword   stored by fuc1, read by fuc2
;   dogid         compared against the request payload at Getdogid
;   sz0..DogResult  written by DispatchControl; not read in the code shown here
dogdate db 00,00,00,00,00,00,00,00,00,00
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
db 4Ah,31h,30h,00,00,00,00,00,00,31h,30h,00,00,32h,31h,2Eh,30h,33h,2Eh,32h,30h,30h,35h,00,30h,31h,00,32h,30h,35h,00,0C0h,0EEh,0D3h,0C2h
;Flag:MH Addr:0D Bytes:55 PWD:0001563E Result: 4A31300000000000003130000032312E30332E323030350030310032303500C0EED3C2
;Flag:MH Addr:0D Bytes:55 PWD:0001563E Result: 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
db 67h,72h,61h,64h,65h,2Eh,6Dh,64h,62h ;grade.mdb
;006 DT:1 Read FuncID:02 Ret:0000 Flag:MH Addr:62 Bytes:09 PWD:0001563E Result: 67726164652E6D6462
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
db 6Ah,6Fh,62h ;job
;008 DT:1 Read FuncID:02 Ret:0000 Flag:MH Addr:6B Bytes:03 PWD:0001563E Result: 6A6F62
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
db 65h,78h,67h ;exg
;009 DT:1 Read FuncID:02 Ret:0000 Flag:MH Addr:6E Bytes:03 PWD:0001563E Result: 657867
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
db 66h,78h,6Ah,68h,2Eh,6Dh,64h,62h ;fxjh.mdb
;00A DT:1 Read FuncID:02 Ret:0000 Flag:MH Addr:71 Bytes:08 PWD:0001563E Result: 66786A682E6D6462
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
db 1Dh,36h,0F3h,41h
;005 DT:1 Read FuncID:02 Ret:0000 Flag:MH Addr:C4 Bytes:04 PWD:0001563E Result: 1D36F341,DogPassword=490140481
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
DogSeed1 dd 2FFDAFD2h ;84F553E2h
DogSeed2 dd 0C17AB618h ;3C2127C8h
db 00,00,00,00
NewPassword dd 0 ; dword at request offset 8, saved by fuc1 for fuc2
sz0 db 0 ; decoded request bytes 0..2 (DispatchControl)
sz1 db 0
sz2 db 0
str1 dd 0 ; decoded request dword at +4
str2 dd 0 ; decoded request dword at +110h
buffer1 dw 0 ; decoded request byte at +0Ch (used as dogdate offset)
buffer2 dw 0 ; decoded request byte at +0Eh (used as byte count)
db 0
db 0
DogResult dw 0 ; only ever cleared (DispatchControl @8 / @sub9)
dogid db '883929',0 ;D7CD9
.const
; NOTE(review): the label and string literal of both declarations below were
; lost in extraction. The code references them as DONGLE_DEVICE_NAME
; (DriverEntry) and SymbolicLinkName (DriverEntry, DriverUnload).
CCOUNTED_UNICODE_STRING " ; device name
CCOUNTED_UNICODE_STRING " ; symbolic link
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
DriverEntry proc pDriverObject:PDRIVER_OBJECT,RegistryPath:PUNICODE_STRING
;-----------------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING RegistryPath)
; Driver entry point. Creates one device named DONGLE_DEVICE_NAME and its
; symbolic link SymbolicLinkName, then installs DispatchCreateClose for
; create/cleanup/close, DispatchControl for device control and DriverUnload.
; Returns STATUS_SUCCESS, or STATUS_DEVICE_CONFIGURATION_ERROR when either
; IoCreateDevice or IoCreateSymbolicLink fails (the device is deleted again
; in the latter case). RegistryPath is not used.
; NOTE(review): the device is created with the default security (no
; descriptor is supplied), so the default DACL decides who may open it --
; confirm that matches the intended access policy.
;-----------------------------------------------------------------------------
LOCAL deviceNameUnicodeString,deviceLinkUnicodeString:UNICODE_STRING ; declared but unused
LOCAL status:NTSTATUS
LOCAL pDeviceObject:PVOID
mov status, STATUS_DEVICE_CONFIGURATION_ERROR ; pessimistic default, overwritten only on full success
; create the virtual device
invoke IoCreateDevice, pDriverObject, 0, addr DONGLE_DEVICE_NAME, FILE_DEVICE_UNKNOWN, \
0, FALSE, addr pDeviceObject
cmp eax, STATUS_SUCCESS
jne @@done ; no device: report the error
; create the symbolic link
invoke IoCreateSymbolicLink, addr SymbolicLinkName, addr DONGLE_DEVICE_NAME
cmp eax, STATUS_SUCCESS
jne @@undo_device ; link failed: tear the device down again
; install the dispatch table and the unload routine
mov edx, pDriverObject
assume edx:PTR DRIVER_OBJECT
mov [edx].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)], offset DispatchCreateClose
mov [edx].MajorFunction[IRP_MJ_CLEANUP*(sizeof PVOID)], offset DispatchCreateClose
mov [edx].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)], offset DispatchCreateClose
mov [edx].MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)], offset DispatchControl
mov [edx].DriverUnload, offset DriverUnload
assume edx:nothing
mov status, STATUS_SUCCESS
jmp @@done
@@undo_device:
invoke IoDeleteDevice, pDeviceObject
@@done:
mov eax, status
ret
DriverEntry endp
DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
;-----------------------------------------------------------------------------
; NTSTATUS DispatchCreateClose(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
; Handler for IRP_MJ_CREATE / IRP_MJ_CLEANUP / IRP_MJ_CLOSE: completes the
; IRP with STATUS_SUCCESS and zero bytes transferred, no priority boost.
; pDeviceObject is not used. Always returns STATUS_SUCCESS.
;-----------------------------------------------------------------------------
mov ecx, pIrp
assume ecx:ptr _IRP
mov [ecx].IoStatus.Status, STATUS_SUCCESS
mov [ecx].IoStatus.Information, 0 ; nothing transferred
assume ecx:nothing
fastcall IofCompleteRequest, pIrp, IO_NO_INCREMENT ; ecx/edx are loaded by the macro
mov eax, STATUS_SUCCESS
ret
DispatchCreateClose endp
DriverUnload proc pDriverObject:PDRIVER_OBJECT
;-----------------------------------------------------------------------------
; void DriverUnload(PDRIVER_OBJECT pDriverObject)
; Undoes DriverEntry: removes the symbolic link first, then deletes the
; driver's (single) device object found through pDriverObject->DeviceObject.
;-----------------------------------------------------------------------------
invoke IoDeleteSymbolicLink, addr SymbolicLinkName
mov ecx, pDriverObject
assume ecx:PTR DRIVER_OBJECT
invoke IoDeleteDevice, [ecx].DeviceObject
assume ecx:nothing
ret
DriverUnload endp
DispatchControl proc
;-----------------------------------------------------------------------------
; NTSTATUS DispatchControl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
; IRP_MJ_DEVICE_CONTROL handler with a hand-built stdcall frame (retn 8).
; Accepts IOCTL 860021B0h or 860021B4h (low two bits 0 = METHOD_BUFFERED, so
; AssociatedIrp.SystemBuffer carries the request and receives the reply) when
; Parameters.DeviceIoControl.InputBufferLength == 115h. The request is copied
; to var_340, decoded into var_120 by fuc1, a 107h-byte reply is built in
; var_228, encoded by fuc2 back into var_340 and copied to SystemBuffer.
; Every path completes the IRP with IoStatus.Status = 0 and
; IoStatus.Information = 107h and returns 0.
; Preserves ebx/esi/edi/ebp (ebx is pushed only on the accepted path, after
; both rejecting jumps). pDeviceObject ([ebp+8]) is not used.
; NOTE(review): OutputBufferLength ([eax+4]) is never compared with 107h, and a
; rejected request still reports success with Information = 107h -- confirm
; this is what the caller expects.
; NOTE(review): DogData1/DogData2 index dogdate with an offset and a length
; taken from the decoded request (0..0FFh each) without bounding them to the
; size of dogdate; DogData1 writes into the image, DogData2 reads from it.
;-----------------------------------------------------------------------------
var_340 = dword ptr -340h ; 115h-byte request copy (-340h .. -22Ch)
var_228 = dword ptr -228h ; 107h-byte reply image (author's name: dwBytesReturned)
var_221 = dword ptr -221h ; reply + 7: first payload dword
var_21D = dword ptr -21Dh ; reply + 0Bh: second payload dword
var_120 = dword ptr -120h ; 115h-byte decoded request, written by fuc1
var_11C = dword ptr -11Ch ; decoded + 4
var_114 = byte ptr -114h ; decoded + 0Ch
var_112 = byte ptr -112h ; decoded + 0Eh
var_110 = dword ptr -110h ; decoded + 10h: payload
var_10A = byte ptr -10Ah ; decoded + 16h
var_10 = dword ptr -10h ; decoded + 110h
var_8 = dword ptr -8 ; dogid comparison result (written, not read here)
var_4 = dword ptr -4 ; saved SystemBuffer pointer
pIrp = dword ptr 0Ch ; second stdcall argument
push ebp
mov ebp, esp
sub esp, 340h
and byte ptr [ebp+var_228], 0 ; reply[0] = 0 (author's note: and dwBytesReturned, 0)
push esi ; callee-saved
push edi ; callee-saved
push 41h
pop ecx ; 41h dwords
xor eax, eax
lea edi, [ebp+var_228+1]
rep stosd ; reply[1..104h] = 0 (store eax at es:edi)
stosw ; reply[105h..106h] = 0: two more bytes, 107h zeroed in total
mov edi, [ebp+pIrp] ; edi = pIrp (held until @@CompleteIrp)
mov eax, [edi+60h] ; eax = current IO_STACK_LOCATION (author: IoGetCurrentIrpStackLocation)
mov esi, [edi+0Ch] ; esi = pIrp->AssociatedIrp.SystemBuffer
mov [ebp+var_4], esi ; kept for the reply copy at the end
mov ecx, [eax+0Ch] ; ecx = Parameters.DeviceIoControl.IoControlCode
cmp ecx, 860021B0h ; first accepted control code
jz IOCTLSTART
cmp ecx, 860021B4h ; second accepted control code; anything else is rejected
jnz @@CompleteIrp
IOCTLSTART:
cmp dword ptr [eax+8], 115h ; Parameters.DeviceIoControl.InputBufferLength must be 115h (OutputBufferLength at +4 is not checked)
jnz @@CompleteIrp
push ebx ; callee-saved; bl holds the command byte from here on
push 45h
pop ecx ; 45h dwords
lea edi, [ebp+var_340] ; destination of the request copy
rep movsd ; var_340[0..113h] = SystemBuffer[0..113h]
lea eax, [ebp+var_120]
push eax ; fuc1 arg_4 = decoded buffer (dst)
lea eax, [ebp+var_340]
push eax ; fuc1 arg_0 = request copy (src)
movsb ; var_340[114h] = SystemBuffer[114h]; the pushes do not touch esi/edi
call fuc1 ; decode var_340 -> var_120, also stores NewPassword
mov al, byte ptr [ebp+var_120]
mov edx, [ebp+var_10]
mov bl, byte ptr [ebp+var_120+2] ; bl = command byte (live until pop ebx)
mov sz0, al ; decoded[0]
mov al, byte ptr [ebp+var_120+1]
mov str2, edx ; decoded dword at +110h
movzx cx, [ebp+var_112] ; cx = decoded byte at +0Eh (byte count for DogData1/2)
mov sz1, al ; decoded[1]
mov eax, [ebp+var_11C]
mov str1, eax ; decoded dword at +4
mov sz2, bl ; decoded[2]
movzx ax, [ebp+var_114] ; ax = decoded byte at +0Ch (dogdate offset for DogData1/2)
nop
movzx edx, bl ; edx = command byte, 0..0FFh
cmp edx, 40h
mov buffer1, ax ; globals, written per request without locking; mov keeps the flags
mov buffer2, cx
jg @8 ; command > 40h: empty reply
jz Getdogid ; command == 40h (author's label: serial number)
cmp edx, 7 ; (author's label for 7: DisableShare)
jg @7 ; 8..3Fh
jz @8 ; 7: empty reply
dec edx ; (author's label: EnableShare)
jz @8 ; command == 1: empty reply
dec edx ; (author's label: GetCurrentNo)
jz DogData1 ; command == 2
dec edx ; (author's label: DogConvert)
jz DogData2 ; command == 3
dec edx ; (author's label: WriteDog)
jz Getdogid ; command == 4
jmp @8 ; 0, 5, 6: empty reply
DogData1:
movzx edi, ax ; offset into dogdate, 0..0FFh, from the decoded request
movzx ecx, cx ; byte count, 0..0FFh, from the decoded request
lea esi, [ebp+var_110] ; source: decoded payload
add edi, offset dogdate ; author: 200-byte data. NOTE(review): edi+ecx is not checked against the end of dogdate
@send:
mov eax, ecx ; eax = byte count
shr ecx, 2
rep movsd ; whole dwords
mov ecx, eax
and ecx, 3
rep movsb ; remaining 0..3 bytes
jmp @8
DogData2:
movzx esi, ax ; offset into dogdate, 0..0FFh, from the decoded request
movzx ecx, cx ; byte count, 0..0FFh, from the decoded request
add esi, offset dogdate ; author: 200-byte data. NOTE(review): same unbounded index as DogData1, copied into the reply
lea edi, [ebp+var_221] ; destination: reply payload
jmp @send
@7:
sub edx, 8
jz @8 ; command == 8: empty reply
sub edx, 3
jz @sub3 ; command == 0Bh
sub edx, 9
jz @sub9 ; command == 14h
dec edx ; result unused: no branch consumes it
jmp @8 ; anything else in 8..3Fh: empty reply
@sub9:
mov eax, DogSeed1
and DogResult, 0
mov [ebp+var_221], eax ; reply payload = DogSeed1, DogSeed2
mov eax, DogSeed2
mov [ebp+var_21D], eax
jmp @status ; DogResult already cleared, skip @8
@sub3:
mov [ebp+var_221], 1103369Ah ;285423258
jmp @8
Getdogid:
and [ebp+var_10A], 0 ; terminate the payload after 6 bytes for the compare
push 7
mov edi, offset dogid ; "883929"
lea esi, [ebp+var_110] ; decoded payload
pop ecx ; 7 bytes including the terminator
xor eax, eax
repe cmpsb
jz @number ; equal: eax = 0
sbb eax, eax ; eax = -CF
sbb eax, 0FFFFFFFFh ; eax = +1 or -1 (strcmp-style sign)
@number:
mov [ebp+var_8], eax ; stored, but not read anywhere in this procedure
mov [ebp+var_221], 1BEB060h ;29274208
@8:
and DogResult, 0
@status:
mov al, byte ptr [ebp+var_120]
;mov [esi].IoStatus.Status,STATUS_SUCCESS
and word ptr [ebp+var_228+3], 0 ; reply[3..4] = 0
;and [esi].IoStatus.Information,0
mov byte ptr [ebp+var_228], al ; reply[0] = decoded[0]
mov al, byte ptr [ebp+var_120+1]
mov byte ptr [ebp+var_228+1], al ; reply[1] = decoded[1]
lea eax, [ebp+var_340]
push eax ; fuc2 arg_4 = destination (the request copy is reused)
lea eax, [ebp+var_228]
push eax ; fuc2 arg_0 = reply image (src)
mov byte ptr [ebp+var_228+2], bl ; reply[2] = command byte
call fuc2 ; encode var_228 -> var_340
mov edi, [ebp+var_4] ; edi = SystemBuffer
push 41h
pop ecx
lea esi, [ebp+var_340]
rep movsd ; SystemBuffer[0..103h]
movsw ; [104h..105h]
movsb ; [106h]: 107h bytes in total, matching Information below
mov edi, [ebp+pIrp] ; edi = pIrp again
pop ebx
@@CompleteIrp:
and dword ptr [edi+18h], 0 ; pIrp->IoStatus.Status = STATUS_SUCCESS, also for rejected requests
xor dl, dl ; PriorityBoost = IO_NO_INCREMENT
mov ecx, edi ; Irp
mov dword ptr [edi+1Ch], 107h ; pIrp->IoStatus.Information = 107h, also for rejected requests
call ds:IofCompleteRequest ; fastcall IofCompleteRequest(Irp, PriorityBoost)
pop edi
xor eax, eax ; return STATUS_SUCCESS
pop esi
leave
retn 8
DispatchControl endp
fuc1 proc near
;-----------------------------------------------------------------------------
; void fuc1(const void *src, void *dst)   stdcall, hand-built frame, retn 8
; dst[0..114h] = src[0..114h], then with key = [src+8] + 646C6F47h:
;   word at dst+0Ch, word at dst+0Eh  ^= key & 0FFFFh
;   40h dwords at dst+10h .. dst+10Fh ^= key
;   dword at dst+110h                 ^= key
;   byte at dst+114h                  ^= key & 0FFh
; Side effect: NewPassword = [src+8] (the raw dword, before the add); fuc2
; reads it. Preserves ebx/esi/edi/ebp; clobbers eax, ecx, edx, flags. The
; arg_0 stack slot is reused as scratch for the key.
;-----------------------------------------------------------------------------
arg_0 = dword ptr 8 ; src; overwritten with the key below
arg_4 = dword ptr 0Ch ; dst
push ebp
mov ebp, esp
push ebx
push esi
mov esi, [ebp+arg_0] ; esi = src
mov ecx, 10000h ; divisor used to isolate the low 16 bits of the key
mov ebx, [ebp+arg_4] ; ebx = dst
push edi
mov eax, [esi+8]
push 45h ; dword count for the copy
mov NewPassword, eax ; global, rewritten on every call
mov eax, [esi+8]
add eax, 646C6F47h ;1684827975 (the bytes spell "Gold")
mov edi, ebx
mov [ebp+arg_0], eax ; park the key in the arg slot
movzx eax, ax
cdq
idiv ecx ; edx = key & 0FFFFh (eax becomes 0)
pop ecx ; ecx = 45h
rep movsd ; dst[0..113h] = src[0..113h]
mov ecx, [ebp+arg_0] ; ecx = key
push 40h ; dword count for the xor loop
movzx eax, cl
movsb ; dst[114h] = src[114h]
mov esi, 100h
xor [ebx+110h], ecx
xor [ebx+0Ch], dx
xor [ebx+0Eh], dx
cdq
idiv esi ; edx = key & 0FFh
pop eax ; eax = 40h
xor [ebx+114h], dl
add ebx, 10h ; loop starts at dst+10h
@@:
xor [ebx], ecx
add ebx, 4
dec eax
jnz @b ; 40h dwords: dst+10h .. dst+10Fh
pop edi
pop esi
pop ebx
pop ebp
retn 8
fuc1 endp
fuc2 proc near
;-----------------------------------------------------------------------------
; void fuc2(const void *src, void *dst)   stdcall, frameless, retn 8
; dst[0..106h] = src[0..106h], then the 40h dwords at dst+7 .. dst+106h are
; XORed with key = NewPassword + 646C6F47h (NewPassword as stored by fuc1).
; dst[0..6] are copied unchanged. Preserves esi/edi; clobbers eax, ecx, edx,
; flags.
;-----------------------------------------------------------------------------
arg_0 = dword ptr 4 ; src (offsets relative to esp at entry)
arg_4 = dword ptr 8 ; dst
mov eax, NewPassword
push esi
mov esi, [esp+4+arg_0] ; esi = src (one push so far)
push edi
lea edx, [eax+646C6F47h] ;1684827975 -> edx = key
mov eax, [esp+8+arg_4] ; eax = dst (two pushes so far)
push 41h ; dword count for the copy
mov edi, eax
pop ecx ; ecx = 41h
add eax, 7 ; xor loop starts at dst+7
rep movsd ; dst[0..103h] = src[0..103h]
movsw ; dst[104h..105h]
push 40h ; dword count for the xor loop
movsb ; dst[106h]
pop ecx ; ecx = 40h
pop edi
pop esi
@@:
xor [eax], edx
add eax, 4
dec ecx
jnz @b ; 40h dwords: dst+7 .. dst+106h
retn 8
fuc2 endp
end DriverEntry ; module end; DriverEntry is the image entry point