对AntiRK的逆向

元始天尊 · 发表于 2015-9-3 21:37:30

欢迎访问技术宅的结界，请注册或者登录吧。

您需要登录才可以下载或查看，没有账号？立即注册→加入我们

×

简单的分析了，所以很多地方比较草，有兴趣的可以细化：

函数标记如下：
wsprintfW                   .text 00010CD6 0000005A 00000004 0000000D R . . . B T .
nop8                         .text 00013500 00000003                R . . . . . .
nop7                         .text 000134B8 00000012                R . . . . . .
nop6                         .text 000134E4 00000017 00000004 00000008 R . . . . . .
nop5                         .text 000134CA 0000001A 00000010 00000000 R . . . B . .
nop4                         .text 000134A1 00000017 00000010 00000000 R . . . . . .
nop3                         .text 0001343F 00000046 00000000 00000010 R . . . . . .
nop2                         .text 000133BC 00000083 00000020 0000000C R . . . . . .
nop                         .text 00013200 00000154 00000024 0000000C R . . . B . .
memset                      .text 0001210C 00000006                R . . . . T .
memcpy                      .text 00012100 00000006                R . . . . T .
md5_encrypt9                .text 0001399A 00000022 00000004 00000008 R . . . . . .
md5_encrypt8                .text 00012F79 00000081 0000001C 00000008 R . . . B T .
md5_encrypt7                .text 00012ECA 000000AA 00000010 0000000C R . . . B . .
md5_encrypt6                .text 000127BE 0000002F 00000004 00000004 R . . . B . .
md5_encrypt5                .text 00013598 00000058 0000000C 0000000C R . . . . . .
md5_encrypt4                .text 000135F5 000000F7 00000014 00000010 R . . . B . .
md5_encrypt3                .text 000136F1 0000004A 00000010 0000000C R . . . B . .
md5_encrypt25                .text 000127F2 00000031                R . . . . . .
md5_encrypt24                .text 00012828 0000069D 00000058 00000004 R . . . B . .
md5_encrypt23                .text 0001386C 0000005A 00000018 00000008 R . . . B . .
md5_encrypt22                .text 000138CB 00000022 00000000 00000008 R . . . . . .
md5_encrypt21                .text 00013809 0000005E 00000000 00000008 R . . . . . .
md5_encrypt20                .text 00013D75 0000008F 00000018 00000008 R . . . B . .
md5_encrypt2                .text 00012117 0000004A 00000068 0000000C R . . . B . .
md5_encrypt19                .text 000138F2 0000004B 00000004 00000008 R . . . . . .
md5_encrypt18                .text 00013E09 00000085 0000001C 00000008 R . . . B . .
md5_encrypt17                .text 00013C4B 0000009B 00000014 00000010 R . . . B . .
md5_encrypt16                .text 00013740 00000056 00000008 00000008 R . . . . . .
md5_encrypt15                .text 0001395A 00000010 00000000 00000004 R . . . . . .
md5_encrypt14                .text 0001396F 00000026 00000004 00000008 R . . . . . .
md5_encrypt13                .text 000139C1 00000285 00000048 00000010 R . . . B . .
md5_encrypt12                .text 00013CEB 00000085 00000014 0000000C R . . . B . .
md5_encrypt11                .text 00013942 00000013                R . . . . . .
md5_encrypt10                .text 0001379B 00000069 00000010 00000008 R . . . B . .
md5_encrypt1                .text 00013513 00000080 00000010 00000010 R . . . B . .
init_security_cookie       INIT  00015B85 00000034                R . . . . . .
freebuf                      .text 00011B36 0000001D 00000004 00000004 R . . . B T .
_aullshr                   .text 00013EA0 00000006                R . . . . . .
_aulldiv                   .text 00013EAC 00000006                R . . . . . .
_allshl                      .text 00013E94 00000006                R . . . . . .
_allmul                      .text 00013EB8 00000006                R . . . . . .
__security_check_cookie(x) .text 000120B4 0000003A                R . L . . . .
__SEH_prolog4_GS             .text 0001319C 00000048 00000000 00000008 R . L . . . .
__SEH_prolog4                .text 0001335C 00000045 00000000 00000008 R . L . . . .
__SEH_epilog4_GS             .text 000131E4 0000000F                R . L . . . .
__SEH_epilog4                .text 000133A1 00000014                R . L . . . .
UnRegisterShutdown          .text 0001088C 0000002C 00000004 00000004 R . . . B T .
UnInitPowerCallback          .text 00010C12 00000038                R . . . . . .
UnInitCmFunc                .text 00011FC4 0000002A                R . . . . . .
UnInit                      .text 000110C4 00000022 00000004 00000004 R . . . B T .
TranVerseDeleteReg          .text 00011888 000001E1 00000044 0000000C R . . . B T .
ShutdownDispatch             .text 0001078C 0000001F 00000004 00000008 R . . . B T .
ShowDenyServices             .text 00010EF4 00000015                R . . . . . .
ShowDenyFiles                .text 00010632 00000015                R . . . . . .
ShowDemandServices          .text 00010666 00000015                R . . . . . .
SetServices                .text 000110B2 0000000D 00000000 00000004 R . . . . T .
SetRegVal                   .text 00011CE2 00000145 0000003C 00000014 R . . . B T .
SetDenyService             .text 0001064C 00000015                R . . . . . .
SetDemandServices          .text 00010F0E 00000015                R . . . . . .
SetDeleteFiles             .text 0001144C 00000015                R . . . . . .
RtlUnwind                   .text 00013508 00000006 00000000 00000000 R . . . . . .
ResetDenyServices          .text 00010EDA 00000015                R . . . . . .
ReadFile                   .text 000122F9 00000114 00000050 00000014 R . . . B T .
PowerCallbackFunction       .text 0001162E 00000059 00000004 0000000C R . . . B T .
IsSameDir                   .text 00012412 000001DF 00000054 00000004 R . . . B T .
IsDirCorrect                .text 00010AFE 000000DD 00000020 00000004 R . . . B T .
IsAbsolutePath             .text 00010BE0 0000002C 00000004 00000004 R . . . B T .
InitShutdown                .text 00010854 00000033 00000008 00000004 R . . . B T .
InitServiceList             .text 00011246 00000201 0000003C 00000000 R . . . B . .
InitReg                      .text 0001168C 0000008C 00000014 00000000 R . . . B . .
InitPowerCallback          .text 0001171E 000000A9 0000002C 00000000 R . . . B . .
InitInitialRoutine          .text 00011804 00000021 00000004 00000004 R . . . B T .
InitCmFuncs                .text 00012034 0000007B 00000008 00000008 R . . . B T .
Init                         .text 0001182A 00000058 00000008 0000000C R . . . B T .
GetSectionBaseAddress       .text 00012FFF 0000006A 00000004 00000000 R . . . . . .
GetRegValue                .text 000121E5 0000010F 00000040 00000010 R . . . B T .
GetRegServicePath          .text 00010D36 0000019F 00000250 00000000 R . . . B . .
GetObjectName                .text 00011B58 000000C7 00000224 0000000C R . . . B T .
GetNtProcAddress             .text 00011FF4 0000003B 00000010 00000004 R . . . B T .
GetFileObjectFromProcess    .text 0001306E 0000008E 0000000C 00000008 R . . . B T .
GetFileNameFromProcess       .text 00013101 00000095 00000014 00000004 R . . . B T .
GetAntiRKRegVal             .text 00011E2C 0000011D 00000040 0000000C R . . . B T .
FindService                .text 000110EC 00000154 00000018 00000004 R . . . B T .
FindRegDirDepth_0          .text 00010AAC 0000004C 00000008 00000010 R . . . B T .
ExecFunc                   .text 00010A08 0000009F 0000000C 0000000C R . . . B T .
DriverReinitializationRoutine .text 000117CC 00000033 00000008 0000000C R . . . B T .
DriverEntry_0                .text 000107B0 0000009E 00000008 00000008 R . . . B T .
DriverEntry                INIT  00015BBE 00000010 00000004 00000008 R . . . B T .
DoDeleteFile                .text 00011F4E 00000071 0000002C 00000004 R . . . B T .
DeviceIoControlDispatch    .text 000106F4 00000092 0000000C 00000008 R . . . B T .
DeleteService1             .text 00010966 0000009D 00000010 0000000C R . . . B T .
DeleteService                .text 00011C24 000000B9 0000003C 00000004 R . . . B T .
DelRegKey                   .text 00011A6E 000000C3 0000003C 00000008 R . . . B T .
DbgPrint                   .text 000120F4 00000006                R . . . . T .
CreateDeviceAndSymbol       .text 00010486 000000AA 00000020 0000000C R . . . B T .
CreateCloseDispatch          .text 00010680 0000006E 0000000C 00000008 R . . . B T .
CompleteRequest             .text 00010536 0000002D 00000004 0000000C R . . . B T .
CmCallBackFunc             .text 00011466 000001B9 00000450 0000000C R . . . B T .
ClearList                   .text 00010C50 00000080 0000000C 00000000 R . . . . . .
CheckRegKeyValid             .text 00010FD8 000000D5 0000022C 00000008 R . . . B T .
CheckPrcoessValid          .text 000125F6 000001C3 000000CC 00000008 R . . . B T .
CheckNtImageValid          .text 00012166 0000007A 00000030 00000004 R . . . B T .
CallbackService             .text 000108BE 000000A3 00000010 0000000C R . . . B T .
CallbackDelete             .text 00010F28 000000AA 0000000C 0000000C R . . . B T .
CallBackShowInfo             .text 00010568 000000C5 00000004 0000000C R . . . B T .

char __stdcall UnRegisterShutdown(PDEVICE_OBJECT DeviceObject)
{
char result; // al@1
result = 0;
if ( DeviceObject )
{
if ( IsRegisterShutdown == 1 )
{
IoUnregisterShutdownNotification(DeviceObject);
IsRegisterShutdown = 0;
}
result = 1;
}
return result;
}
char UnInitPowerCallback()
{
if ( CallbackObject )
{
ObfDereferenceObject((PVOID)CallbackObject);
CallbackObject = 0;
}
if ( CallbackRegistration )
{
ExUnregisterCallback(CallbackRegistration);
CallbackRegistration = 0;
}
IsPowerCallbackInit = 0;
return 1;
}
char UnInitCmFunc()
{
if ( IsCmFuncInit == 1 && CmUnRegisterCallback )
CmUnRegisterCallback(Cookie.LowPart, Cookie.HighPart);
IsCmFuncInit = 0;
return 1;
}
char __stdcall sub_110C4(PDEVICE_OBJECT DeviceObject)
{
UnRegisterShutdown(DeviceObject);
UnInitPowerCallback();
UnInitCmFunc();
ClearList();
return 1;
}
int __stdcall TranVerseDeleteReg(PUNICODE_STRING KeyName, int Depth, HANDLE RootHandle)
{
LSA_UNICODE_STRING *ValueName; // edi@1
struct _KEY_BASIC_INFORMATION *v4; // eax@6
WCHAR *v5; // eax@7
unsigned int v6; // edi@8
unsigned int v7; // edi@8
NTSTATUS v8; // eax@12
OBJECT_ATTRIBUTES ObjectAttributes; // [sp+Ch] [bp-34h]@4
UNICODE_STRING v11; // [sp+24h] [bp-1Ch]@1
unsigned __int32 LowLimit; // [sp+2Ch] [bp-14h]@3
int v13; // [sp+30h] [bp-10h]@1
ULONG ResultLength; // [sp+34h] [bp-Ch]@1
HANDLE KeyHandle; // [sp+38h] [bp-8h]@1
PKEY_BASIC_INFORMATION KeyInformation; // [sp+3Ch] [bp-4h]@1
v11.Length = 0;
*(_DWORD *)&v11.MaximumLength = 0;
HIWORD(v11.Buffer) = 0;
ValueName = KeyName;
v13 = -1073741823;
KeyHandle = 0;
KeyInformation = 0;
ResultLength = 0;
if ( KeyName )
{
if ( (KeyName->Length & 0xFFFEu) < 0x208 )
{
IoGetStackLimits(&LowLimit, (PULONG_PTR)&KeyName);
if ( (unsigned int)((char *)&KeyName - LowLimit) >= 0xE00 )
{
ObjectAttributes.RootDirectory = RootHandle;
ObjectAttributes.Length = 24;
ObjectAttributes.Attributes = 832;
ObjectAttributes.ObjectName = ValueName;
ObjectAttributes.SecurityDescriptor = 0;
ObjectAttributes.SecurityQualityOfService = 0;
if ( ZwOpenKey(&KeyHandle, 0xF003Fu, &ObjectAttributes) >= 0
|| (ObjectAttributes.RootDirectory = RootHandle,
ObjectAttributes.Length = 24,
ObjectAttributes.Attributes = 576,
ObjectAttributes.ObjectName = ValueName,
ObjectAttributes.SecurityDescriptor = 0,
ObjectAttributes.SecurityQualityOfService = 0,
ZwOpenKey(&KeyHandle, 0xF003Fu, &ObjectAttributes) >= 0) )
{
v4 = (struct _KEY_BASIC_INFORMATION *)ExAllocatePoolWithTag(0, 0x300u, 0x5441524Bu);
KeyInformation = v4;
if ( v4 )
{
memset(v4, 0, 0x300u);
v5 = (WCHAR *)ExAllocatePoolWithTag(0, 0x300u, 0x5441524Bu);
v11.Buffer = v5;
if ( !v5 )
goto LABEL_17;
memset(v5, 0, 0x300u);
v6 = ValueName->Length;
v11.MaximumLength = 768;
v7 = v6 >> 1;
while ( 1 )
{
v8 = ZwEnumerateKey(KeyHandle, 0, 0, KeyInformation, 0x300u, &ResultLength);
if ( v8 == 0x8000001A )
break;
if ( v8 >= 0 && (KeyInformation->NameLength >> 1) + v7 + 2 <= 0x300 )
{
wcsncpy(v11.Buffer, KeyInformation->Name, KeyInformation->NameLength >> 1);
v11.Length = LOWORD(KeyInformation->NameLength);
if ( TranVerseDeleteReg(&v11, Depth + 1, KeyHandle) >= 0 )
continue;
}
goto LABEL_15;
}
if ( ZwDeleteKey(KeyHandle) >= 0 )
v13 = 0;
}
}
}
}
}
LABEL_15:
if ( v11.Buffer )
{
ExFreePoolWithTag(v11.Buffer, 'TARK');
v11.Buffer = 0;
}
LABEL_17:
if ( KeyInformation )
ExFreePoolWithTag(KeyInformation, 'TARK');
if ( KeyHandle )
ZwClose(KeyHandle);
return v13;
}
int __stdcall ShutdownDispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
SetServices(DeviceObject);
CompleteRequest(Irp, 0, 0);
return 0;
}
char ShowDenyServices()
{
return ExecFunc('DKs', L"DenyServices", (FARPROC)CallbackService);
}
char ShowDenyFiles()
{
return ExecFunc('DFs', L"DenyFiles", (FARPROC)CallBackShowInfo);
}
char ShowDemandServices()
{
return ExecFunc('DemK', L"DemandServices", (FARPROC)CallBackShowInfo);
}
// 0 引导 1 系统 2 自动 3 手动 4 禁用
int __stdcall SetServices(PDEVICE_OBJECT DeviceObject)
{
int result; // eax@1
ShowDenyServices();
LOBYTE(result) = SetDemandServices();
return result;
}
char __stdcall SetRegVal(WCHAR *serviceName, PCWSTR SourceString, PVOID Data, ULONG DataSize, ULONG Type)
{
WCHAR *v5; // eax@1
WCHAR v6; // cx@4
int v7; // eax@5
unsigned int v8; // esi@6
PVOID v9; // eax@6
wchar_t *v10; // edi@6
OBJECT_ATTRIBUTES ObjectAttributes; // [sp+8h] [bp-30h]@1
UNICODE_STRING ValueName; // [sp+20h] [bp-18h]@1
UNICODE_STRING DestinationString; // [sp+28h] [bp-10h]@1
HANDLE KeyHandle; // [sp+30h] [bp-8h]@1
char v16; // [sp+37h] [bp-1h]@1
DestinationString.Length = 0;
*(_DWORD *)&DestinationString.MaximumLength = 0;
HIWORD(DestinationString.Buffer) = 0;
ValueName.Length = 0;
*(_DWORD *)&ValueName.MaximumLength = 0;
HIWORD(ValueName.Buffer) = 0;
ObjectAttributes.Length = 0;
ObjectAttributes.RootDirectory = 0;
ObjectAttributes.ObjectName = 0;
ObjectAttributes.Attributes = 0;
ObjectAttributes.SecurityDescriptor = 0;
ObjectAttributes.SecurityQualityOfService = 0;
v5 = serviceName;
v16 = 0;
KeyHandle = 0;
if ( serviceName && SourceString && Data )
{
do
{
v6 = *v5;
++v5;
}
while ( v6 );
v7 = v5 - (serviceName + 1);
if ( v7 )
{
v8 = 2 * v7 + 520;
v9 = ExAllocatePoolWithTag(0, v8, 0x5441524Bu);
v10 = (wchar_t *)v9;
if ( v9 )
{
memset(v9, 0, v8);
wsprintfW(v10, v8 >> 1, L"%s\\%s", L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\services", serviceName);
RtlInitUnicodeString(&DestinationString, v10);
ObjectAttributes.ObjectName = &DestinationString;
ObjectAttributes.Length = 24;
ObjectAttributes.RootDirectory = 0;
ObjectAttributes.Attributes = 576;
ObjectAttributes.SecurityDescriptor = 0;
ObjectAttributes.SecurityQualityOfService = 0;
ZwOpenKey(&KeyHandle, 3u, &ObjectAttributes);
if ( KeyHandle )
{
RtlInitUnicodeString(&ValueName, SourceString);
if ( ZwSetValueKey(KeyHandle, &ValueName, 0, Type, Data, DataSize) >= 0 )
v16 = 1;
}
ExFreePoolWithTag(v10, 0x5441524Bu);
}
if ( KeyHandle )
{
if ( v16 == 1 )
ZwFlushKey(KeyHandle);
ZwClose(KeyHandle);
}
}
}
return v16;
}
char SetDenyService()
{
return ExecFunc('DKs', L"DenyServices", (FARPROC)CallBackShowInfo);
}
char setDemandServices()
{
return ExecFunc('DemK', L"DemandServices", (FARPROC)CallbackService);
}
char SetDeleteFiles()
{
return ExecFunc('DFs', L"DenyFiles", (FARPROC)CallbackDelete);
}
char ResetDenyServices()
{
return ExecFunc('DKs', L"DenyServices", (FARPROC)DeleteService1);
}
BOOL __stdcall ReadFile(int a1, int lpBuffer)
{
PVOID v2; // eax@4
int FileInformation; // [sp+8h] [bp-44h]@1
int v5; // [sp+Ch] [bp-40h]@1
SIZE_T NumberOfBytes; // [sp+10h] [bp-3Ch]@1
int v7; // [sp+14h] [bp-38h]@1
int v8; // [sp+18h] [bp-34h]@1
int v9; // [sp+1Ch] [bp-30h]@1
OBJECT_ATTRIBUTES ObjectAttributes; // [sp+20h] [bp-2Ch]@1
struct _IO_STATUS_BLOCK IoStatusBlock; // [sp+38h] [bp-14h]@1
int v12; // [sp+40h] [bp-Ch]@1
PVOID P; // [sp+44h] [bp-8h]@1
HANDLE FileHandle; // [sp+48h] [bp-4h]@1
FileInformation = 0;
IoStatusBlock.Status = 0;
IoStatusBlock.Information = 0;
v5 = 0;
NumberOfBytes = 0;
v7 = 0;
v8 = 0;
v9 = 0;
ObjectAttributes.ObjectName = (PUNICODE_STRING)a1;
v12 = 0;
P = 0;
FileHandle = 0;
*(_DWORD *)lpBuffer = 0;
ObjectAttributes.Length = 24;
ObjectAttributes.RootDirectory = 0;
ObjectAttributes.Attributes = 576;
ObjectAttributes.SecurityDescriptor = 0;
ObjectAttributes.SecurityQualityOfService = 0;
if ( IoCreateFile(
&FileHandle,
0x80100000,
&ObjectAttributes,
&IoStatusBlock,
0,
0x80u,
1u,
1u,
0x60u,
0,
0,
0,
0,
0x100u) >= 0
&& ZwQueryInformationFile(FileHandle, &IoStatusBlock, &FileInformation, 0x18u, FileStandardInformation) >= 0
&& NumberOfBytes < 0xA00000 )
{
v2 = ExAllocatePoolWithTag(0, NumberOfBytes, 0x21545645u);
P = v2;
if ( v2 )
{
if ( ZwReadFile(FileHandle, 0, 0, 0, &IoStatusBlock, v2, NumberOfBytes, 0, 0) >= 0 )
{
*(_DWORD *)lpBuffer = NumberOfBytes;
v12 = 1;
}
}
}
if ( FileHandle )
{
ZwClose(FileHandle);
FileHandle = 0;
}
if ( !v12 && P )
{
ExFreePoolWithTag(P, 0);
P = 0;
}
return (BOOL)P;
}
void __stdcall PowerCallbackFunction(PVOID CallbackContext, PVOID Argument1, PVOID Argument2)
{
char v3; // bl@5
char v4; // al@5
signed __int32 v5; // eax@7
if ( PowerCallbackEnable && Argument1 == (PVOID)3 )// PO_CB_SYSTEM_STATE_LOCK
{
if ( Argument2 )
{
if ( Argument2 != (PVOID)1 )
return;
v5 = 0;
goto LABEL_10;
}
if ( !KeGetCurrentIrql() )
{
v3 = InitCmFuncs((FARPROC)CmCallBackFunc, 0);
v4 = InitServiceList();
if ( v3 )
{
if ( v4 )
{
v5 = 1;
LABEL_10:
_InterlockedExchange((volatile signed __int32 *)&dword_14814, v5);
return;
}
}
}
}
}
int __stdcall IsSameDir(PCUNICODE_STRING String2)
{
POBJECT_NAME_INFORMATION v1; // edi@1
const WCHAR *v2; // eax@1
PVOID v3; // eax@6
PWSTR v4; // ecx@8
unsigned __int16 v5; // ax@11
OBJECT_ATTRIBUTES ObjectAttributes; // [sp+Ch] [bp-44h]@1
struct _OBJECT_HANDLE_INFORMATION HandleInformation; // [sp+24h] [bp-2Ch]@1
struct _IO_STATUS_BLOCK IoStatusBlock; // [sp+2Ch] [bp-24h]@1
UNICODE_STRING DestinationString; // [sp+34h] [bp-1Ch]@1
int v11; // [sp+3Ch] [bp-14h]@1
PVOID Object; // [sp+40h] [bp-10h]@1
int v13; // [sp+44h] [bp-Ch]@1
PCWSTR SourceString; // [sp+48h] [bp-8h]@1
HANDLE FileHandle; // [sp+4Ch] [bp-4h]@1
DestinationString.Length = 0;
*(_DWORD *)&DestinationString.MaximumLength = 0;
HIWORD(DestinationString.Buffer) = 0;
ObjectAttributes.Length = 0;
ObjectAttributes.RootDirectory = 0;
ObjectAttributes.ObjectName = 0;
ObjectAttributes.Attributes = 0;
ObjectAttributes.SecurityDescriptor = 0;
ObjectAttributes.SecurityQualityOfService = 0;
IoStatusBlock.Status = 0;
IoStatusBlock.Information = 0;
HandleInformation.HandleAttributes = 0;
HandleInformation.GrantedAccess = 0;
v11 = 0;
v13 = 0;
FileHandle = 0;
Object = 0;
v1 = 0;
v2 = (const WCHAR *)ExAllocatePoolWithTag(0, 522u, 0x70617468u);
SourceString = v2;
if ( v2 )
{
memset((void *)v2, 0, 522u);
v13 = 520;
if ( GetRegValue(
L"\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\TSKSP",
L"ImagePath",
(void *)SourceString,
(int)&v13) >= 0 )
{
v13 = wcslen(SourceString);
if ( (unsigned int)v13 < 0x104 )
{
RtlInitUnicodeString(&DestinationString, SourceString);
ObjectAttributes.ObjectName = &DestinationString;
ObjectAttributes.Length = 24;
ObjectAttributes.RootDirectory = 0;
ObjectAttributes.Attributes = 576;
ObjectAttributes.SecurityDescriptor = 0;
ObjectAttributes.SecurityQualityOfService = 0;
if ( IoCreateFile(
&FileHandle,
0x100080u,
&ObjectAttributes,
&IoStatusBlock,
0,
0x80u,
1u,
1u,
0x60u,
0,
0,
0,
0,
0x100u) >= 0
&& ObReferenceObjectByHandle(FileHandle, 0, 0, 0, &Object, &HandleInformation) >= 0 )
{
v3 = ExAllocatePoolWithTag(0, 0x400u, 0x21545645u);
v1 = (POBJECT_NAME_INFORMATION)v3;
if ( v3 )
{
memset(v3, 0, 0x400u);
if ( ObQueryNameString(Object, v1, 1024, &v13) >= 0 )
{
v4 = v1->Name.Buffer;
if ( v4 )
{
if ( v1->Name.Length > 0u )
{
do
{
if ( v4[((unsigned int)v1->Name.Length >> 1) - 1] == 92 )
break;
v5 = v1->Name.Length - 2;
v1->Name.Length = v5;
}
while ( v5 > 0u );
}
if ( RtlPrefixUnicodeString(&v1->Name, String2, 1u) )
v11 = 1;
}
}
}
}
}
}
}
if ( Object )
{
ObfDereferenceObject(Object);
Object = 0;
}
if ( FileHandle )
{
ZwClose(FileHandle);
FileHandle = 0;
}
if ( v1 )
ExFreePoolWithTag(v1, 0);
if ( SourceString )
ExFreePoolWithTag((PVOID)SourceString, 0);
return v11;
}
char __stdcall IsDirDepth1(PUNICODE_STRING CurKeyPath)
{
WCHAR *v1; // ecx@3
WCHAR *v2; // ecx@6
UNICODE_STRING DestinationString; // [sp+8h] [bp-14h]@1
UNICODE_STRING String1; // [sp+10h] [bp-Ch]@1
char v6; // [sp+1Bh] [bp-1h]@1
String1.Length = 0;
*(_DWORD *)&String1.MaximumLength = 0;
HIWORD(String1.Buffer) = 0;
DestinationString.Length = 0;
*(_DWORD *)&DestinationString.MaximumLength = 0;
v6 = 0;
HIWORD(DestinationString.Buffer) = 0;
if ( CurKeyPath )
{
if ( (RtlInitUnicodeString(&DestinationString, L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\services"),
CurKeyPath->Length > DestinationString.Length)
&& (*(_DWORD *)&String1.Length = *(_DWORD *)&CurKeyPath->Length,
v1 = CurKeyPath->Buffer,
String1.Length = DestinationString.Length,
String1.Buffer = v1,
RtlEqualUnicodeString(&String1, &DestinationString, 1u) == 1)
&& FindRegDirDepth_0(
CurKeyPath,
'\\',
(unsigned int)DestinationString.Length >> 1,
(unsigned int)CurKeyPath->Length >> 1) == 1
|| CurKeyPath->Length > URegServicePath.Length
&& (*(_DWORD *)&String1.Length = *(_DWORD *)&CurKeyPath->Length,
v2 = CurKeyPath->Buffer,
String1.Length = URegServicePath.Length,
String1.Buffer = v2,
RtlEqualUnicodeString(&String1, &URegServicePath, 1u) == 1)
&& FindRegDirDepth_0(
CurKeyPath,
'\\',
(unsigned int)URegServicePath.Length >> 1,
(unsigned int)CurKeyPath->Length >> 1) == 1 )
v6 = 1;
}
return v6;
}
char __stdcall IfBeginwithSlash(PUNICODE_STRING *a1)
{
char result; // al@1
PUNICODE_STRING v2; // ecx@2
PWSTR v3; // edx@3
result = 0;
if ( a1 )
{
v2 = *a1;
if ( *a1 )
{
v3 = v2->Buffer;
if ( v3 )
{
if ( v2->Length )
{
if ( *v3 == '\\' )
result = 1;
}
}
}
}
return result;
}
char __stdcall InitShutdown(PDEVICE_OBJECT DeviceObject)
{
char v1; // bl@1
v1 = 0;
if ( DeviceObject )
{
if ( IsRegisterShutdown == 1 )
return 1;
if ( !IoRegisterShutdownNotification(DeviceObject) )
{
IsRegisterShutdown = 1;
return 1;
}
}
return v1;
}
char InitServiceList()
{
char v0; // bl@1
PVOID v1; // eax@6
PKEY_BASIC_INFORMATION keyinfo; // ebx@6
NTSTATUS v3; // eax@7
PVOID v4; // eax@11
PVOID v5; // esi@11
PVOID v6; // eax@12
int v7; // eax@13
NTSTATUS v8; // eax@15
ULONG i; // [sp-14h] [bp-4Ch]@2
KEY_INFORMATION_CLASS v11; // [sp-10h] [bp-48h]@2
SIZE_T *v12; // [sp-Ch] [bp-44h]@2
ULONG v13; // [sp-8h] [bp-40h]@2
SIZE_T *v14; // [sp-4h] [bp-3Ch]@2
OBJECT_ATTRIBUTES ObjectAttributes; // [sp+Ch] [bp-2Ch]@1
UNICODE_STRING DestinationString; // [sp+24h] [bp-14h]@1
ULONG Index; // [sp+2Ch] [bp-Ch]@1
HANDLE KeyHandle; // [sp+30h] [bp-8h]@1
SIZE_T NumberOfBytes; // [sp+34h] [bp-4h]@2
DestinationString.Length = 0;
*(_DWORD *)&DestinationString.MaximumLength = 0;
HIWORD(DestinationString.Buffer) = 0;
v0 = 0;
KeyHandle = 0;
Index = 0;
ClearList();
RtlInitUnicodeString(&DestinationString, L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\services");
ObjectAttributes.ObjectName = &DestinationString;
ObjectAttributes.Length = 24;
ObjectAttributes.RootDirectory = 0;
ObjectAttributes.Attributes = 576;
ObjectAttributes.SecurityDescriptor = 0;
ObjectAttributes.SecurityQualityOfService = 0;
ZwOpenKey(&KeyHandle, 0x20019u, &ObjectAttributes);
if ( KeyHandle )
{
v14 = &NumberOfBytes;
v13 = 0;
v12 = &NumberOfBytes;
v11 = 0;
for ( i = 0; ; i = Index )
{
NumberOfBytes = 0;
v8 = ZwEnumerateKey(KeyHandle, i, v11, v12, v13, v14);
if ( v8 == -2147483622 || v8 != -2147483643 && v8 != -1073741789 )
break;
if ( !NumberOfBytes )
break;
v1 = ExAllocatePoolWithTag(0, NumberOfBytes, 'TARK');
keyinfo = (PKEY_BASIC_INFORMATION)v1;
if ( !v1 )
break;
memset(v1, 0, NumberOfBytes);
v3 = ZwEnumerateKey(KeyHandle, Index, 0, keyinfo, NumberOfBytes, &NumberOfBytes);
if ( v3 == -2147483622 || v3 < 0 )
{
ExFreePoolWithTag(keyinfo, 'TARK');
break;
}
++Index;
if ( keyinfo->NameLength < 520 )
{
v4 = ExAllocatePoolWithTag(0, 0xCu, 'TARK');
v5 = v4;
if ( !v4 )
{
ExFreePoolWithTag(keyinfo, 'TARK');
break;
}
*(_DWORD *)v4 = 0;
*((_DWORD *)v4 + 1) = 0;
*((_DWORD *)v4 + 2) = 0;
v6 = ExAllocatePoolWithTag(0, keyinfo->NameLength + 2, 'TARK');
*((_DWORD *)v5 + 2) = v6;
if ( !v6 )
{
ExFreePoolWithTag(keyinfo, 'TARK');
ExFreePoolWithTag(v5, 'TARK');
break;
}
memset(v6, 0, keyinfo->NameLength + 2);
memcpy(*((void **)v5 + 2), keyinfo->Name, keyinfo->NameLength);
KeWaitForSingleObject(&ServiceNameListLock, 0, 0, 0, 0);
v7 = (int)*(&ServiceList + 1);
*(_DWORD *)v5 = &ServiceList;
*((_DWORD *)v5 + 1) = v7;
*(_DWORD *)v7 = v5;
*(&ServiceList + 1) = v5;
KeSetEvent(&ServiceNameListLock, 1, 0);
ExFreePoolWithTag(keyinfo, 'TARK');
}
else
{
ExFreePoolWithTag(keyinfo, 'TARK');
}
v14 = &NumberOfBytes;
v13 = 0;
v12 = &NumberOfBytes;
v11 = 0;
}
v0 = 1;
if ( KeyHandle )
ZwClose(KeyHandle);
}
return v0;
}
char __stdcall InitReg(int a1, int a2)
{
int Data; // [sp+Ch] [bp-4h]@1
Data = 0;
ResetDenyServices();
SetDeleteFiles();
SetDemandServices();
if ( !DelRegKey(L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\services\\AntiRK", L"DenyServices") )
SetRegVal(L"AntiRK", L"DenyServices", &Data, 0, 3u);
if ( !DelRegKey(L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\services\\AntiRK", L"DenyFiles") )
SetRegVal(L"AntiRK", L"DenyFiles", &Data, 0, 3u);
if ( !DelRegKey(L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\services\\AntiRK", L"DemandServices") )
SetRegVal(L"AntiRK", L"DemandServices", &Data, 0, 3u);
return 1;
}
char InitPowerCallback()
{
OBJECT_ATTRIBUTES ObjectAttributes; // [sp+8h] [bp-20h]@1
UNICODE_STRING DestinationString; // [sp+20h] [bp-8h]@1
ObjectAttributes.Length = 0;
ObjectAttributes.RootDirectory = 0;
ObjectAttributes.ObjectName = 0;
ObjectAttributes.Attributes = 0;
ObjectAttributes.SecurityDescriptor = 0;
ObjectAttributes.SecurityQualityOfService = 0;
DestinationString.Length = 0;
*(_DWORD *)&DestinationString.MaximumLength = 0;
HIWORD(DestinationString.Buffer) = 0;
if ( IsPowerCallbackInit != 1 )
{
if ( !KeGetCurrentIrql()
&& (RtlInitUnicodeString(&DestinationString, L"\\Callback\\PowerState"),
ObjectAttributes.ObjectName = &DestinationString,
ObjectAttributes.Length = 24,
ObjectAttributes.RootDirectory = 0,
ObjectAttributes.Attributes = 576,
ObjectAttributes.SecurityDescriptor = 0,
ObjectAttributes.SecurityQualityOfService = 0,
ExCreateCallback(&CallbackObject, &ObjectAttributes, 0, 1u),
CallbackObject)
&& (CallbackRegistration = ExRegisterCallback(CallbackObject, PowerCallbackFunction, 0)) != 0 )
IsPowerCallbackInit = 1;
else
UnInitPowerCallback();
}
return 1;
}
char __stdcall InitInitialRoutine(PDRIVER_OBJECT DriverObject)
{
char result; // al@1
result = 0;
if ( DriverObject )
{
IoRegisterBootDriverReinitialization(DriverObject, DriverReinitializationRoutine, 0);
result = 1;
}
return result;
}
char __stdcall InitCmFuncs(FARPROC Function, PVOID Context)
{
char v2; // bl@1
v2 = 0;
if ( Function )
{
if ( IsCmFuncInit == 1 )
return 1;
if ( CmRegisterCallback
|| (CmRegisterCallback = (int (__stdcall *)(_DWORD, _DWORD, _DWORD))GetNtProcAddress(L"CmRegisterCallback")) != 0 )
{
if ( CmUnRegisterCallback
|| (CmUnRegisterCallback = (int (__stdcall *)(_DWORD, _DWORD))GetNtProcAddress(L"CmUnRegisterCallback")) != 0 )
{
if ( KeGetCurrentIrql() <= 1u && CmRegisterCallback(Function, Context, &Cookie) >= 0 )
{
IsCmFuncInit = 1;
return 1;
}
}
}
}
return v2;
}
int __stdcall Init(PDRIVER_OBJECT DriverObject, PDEVICE_OBJECT DeviceObject, PUNICODE_STRING RegistryPath)
{
char v3; // bl@1
int result; // eax@2
*(&ServiceList + 1) = &ServiceList;
ServiceList = &ServiceList;
KeInitializeEvent(&ServiceNameListLock, SynchronizationEvent, 1u);
GetRegServicePath();
v3 = InitInitialRoutine(DriverObject);
if ( v3 && (v3 = InitShutdown(DeviceObject)) != 0 )
v3 = 1;
else
UnInit(DeviceObject);
LOBYTE(result) = v3;
return result;
}
signed int GetSectionObjectAddress()
{
signed int v0; // ebx@1
PVOID v1; // eax@3
PVOID v2; // esi@3
unsigned int v3; // esi@7
v0 = 0;
if ( SectionObjectOffset )
{
v0 = 1;
}
else
{
v1 = MmGetSystemRoutineAddress(&stru_14754);
v2 = v1;
if ( v1 )
{
if ( MmIsAddressValid(v1) )
{
if ( MmIsAddressValid((char *)v2 + 14) )
{
if ( RtlCompareMemory(&loc_14748, v2, 0xAu) == 10 )
{
v3 = *(_DWORD *)((char *)v2 + 10);
if ( v3 >= 0x114 )
{
SectionObjectOffset = v3 - 4;
v0 = 1;
}
}
}
}
}
}
return v0;
}
NTSTATUS __stdcall sub_121E5(PCWSTR a1, PCWSTR SourceString, void *a3, int a4)
{
PVOID v4; // edi@1
ULONG v5; // eax@3
OBJECT_ATTRIBUTES ObjectAttributes; // [sp+Ch] [bp-30h]@1
UNICODE_STRING v8; // [sp+24h] [bp-18h]@1
UNICODE_STRING DestinationString; // [sp+2Ch] [bp-10h]@1
ULONG ResultLength; // [sp+34h] [bp-8h]@1
HANDLE KeyHandle; // [sp+38h] [bp-4h]@1
NTSTATUS SourceStringa; // [sp+48h] [bp+Ch]@1
KeyHandle = 0;
v4 = 0;
ResultLength = 0;
RtlInitUnicodeString(&DestinationString, SourceString);
RtlInitUnicodeString(&v8, a1);
ObjectAttributes.ObjectName = &v8;
ObjectAttributes.Length = 24;
ObjectAttributes.RootDirectory = 0;
ObjectAttributes.Attributes = 576;
ObjectAttributes.SecurityDescriptor = 0;
ObjectAttributes.SecurityQualityOfService = 0;
SourceStringa = ZwOpenKey(&KeyHandle, 0x20019u, &ObjectAttributes);
if ( SourceStringa >= 0 )
{
SourceStringa = ZwQueryValueKey(KeyHandle, &DestinationString, KeyValuePartialInformation, 0, 0, &ResultLength);
if ( SourceStringa == -1073741789 )
{
v5 = ResultLength;
if ( !a3 || *(_DWORD *)a4 < ResultLength )
goto LABEL_8;
v4 = ExAllocatePoolWithTag(0, ResultLength, 0x214B4954u);
if ( v4 )
{
SourceStringa = ZwQueryValueKey(
KeyHandle,
&DestinationString,
KeyValuePartialInformation,
v4,
ResultLength,
&ResultLength);
if ( SourceStringa >= 0 )
{
memcpy(a3, (char *)v4 + 12, *((_DWORD *)v4 + 2));
v5 = *((_DWORD *)v4 + 2);
LABEL_8:
*(_DWORD *)a4 = v5;
goto LABEL_9;
}
}
}
}
LABEL_9:
if ( KeyHandle )
{
ZwClose(KeyHandle);
KeyHandle = 0;
}
if ( v4 )
ExFreePoolWithTag(v4, 0);
return SourceStringa;
}
char GetRegServicePath()
{
OBJECT_ATTRIBUTES ObjectAttributes; // [sp+Ch] [bp-240h]@1
UNICODE_STRING ValueName; // [sp+24h] [bp-228h]@1
ULONG ResultLength; // [sp+2Ch] [bp-220h]@1
UNICODE_STRING DestinationString; // [sp+30h] [bp-21Ch]@1
HANDLE KeyHandle; // [sp+38h] [bp-214h]@1
char v6; // [sp+3Fh] [bp-20Dh]@1
KEY_VALUE_PARTIAL_INFORMATION KeyValueInformation; // [sp+40h] [bp-20Ch]@1
DestinationString.Length = 0;
*(_DWORD *)&DestinationString.MaximumLength = 0;
HIWORD(DestinationString.Buffer) = 0;
ValueName.Length = 0;
*(_DWORD *)&ValueName.MaximumLength = 0;
HIWORD(ValueName.Buffer) = 0;
LOWORD(KeyValueInformation.TitleIndex) = 0;
v6 = 0;
KeyHandle = 0;
memset((char *)&KeyValueInformation.TitleIndex + 2, 0, 518u);
ResultLength = 0;
RtlInitUnicodeString(&DestinationString, L"\\Registry\\Machine\\SYSTEM\\Select");
ObjectAttributes.ObjectName = &DestinationString;
ObjectAttributes.Length = 24;
ObjectAttributes.RootDirectory = 0;
ObjectAttributes.Attributes = 576;
ObjectAttributes.SecurityDescriptor = 0;
ObjectAttributes.SecurityQualityOfService = 0;
ZwOpenKey(&KeyHandle, 0x20019u, &ObjectAttributes);
if ( !KeyHandle )
goto LABEL_12;
RtlInitUnicodeString(&ValueName, L"Current");
if ( ZwQueryValueKey(KeyHandle, &ValueName, KeyValuePartialInformation, &KeyValueInformation, 520u, &ResultLength) >= 0
&& KeyValueInformation.DataLength == 4 )
{
wsprintfW(
(wchar_t *)RegServicePath,
259,
L"\\Registry\\Machine\\SYSTEM\\ControlSet%03u\\services",
*(_DWORD *)&KeyValueInformation.Data[0]);
RtlInitUnicodeString(&URegServicePath, RegServicePath);
v6 = 1;
}
if ( KeyHandle )
{
ZwClose(KeyHandle);
KeyHandle = 0;
}
if ( !v6 )
LABEL_12:
RtlInitUnicodeString(&URegServicePath, L"\\Registry\\Machine\\SYSTEM\\ControlSet001\\services");
return v6;
}
char __stdcall sub_11B58(int a1, void *a2, int a3)
{
int v3; // edi@6
int v5; // [sp+Ch] [bp-214h]@1
char v6; // [sp+13h] [bp-20Dh]@1
unsigned __int16 v7; // [sp+14h] [bp-20Ch]@1
void *v8; // [sp+18h] [bp-208h]@5
v6 = 0;
LOBYTE(v7) = 0;
memset((char *)&v7 + 1, 0, 0x207u);
v5 = 0;
if ( a1 )
{
if ( a2 )
{
if ( a3 )
{
memset(a2, 0, *(_DWORD *)a3);
if ( ObQueryNameString(a1, &v7, 520, &v5) >= 0 )
{
if ( v8 )
{
v3 = v7;
if ( (unsigned int)v7 < *(_DWORD *)a3 )
{
memcpy(a2, v8, v7);
*(_DWORD *)a3 = v3;
v6 = 1;
}
}
}
}
}
}
return v6;
}
PVOID __stdcall GetNtProcAddress(PCWSTR SourceString)
{
PVOID v1; // ecx@1
UNICODE_STRING DestinationString; // [sp+4h] [bp-8h]@1
DestinationString.Length = 0;
*(_DWORD *)&DestinationString.MaximumLength = 0;
v1 = 0;
HIWORD(DestinationString.Buffer) = 0;
if ( SourceString )
{
RtlInitUnicodeString(&DestinationString, SourceString);
v1 = MmGetSystemRoutineAddress(&DestinationString);
}
return v1;
}
int __stdcall GetFileObjectFromProcess(PEPROCESS Process, PVOID *pFilePointer)
{
int v2; // ebx@1
int v3; // eax@3
int v4; // eax@9
int v5; // eax@10
void *v6; // esi@10
v2 = 0xC0000001;
if ( pFilePointer )
{
if ( MajorVersion <= 5 )
{
if ( (MinorVersion == 1 || MinorVersion == 2) && GetSectionObjectAddress() == 1 )
{
v4 = *(_DWORD *)((char *)Process + SectionObjectOffset);
if ( v4 )
{
v5 = **(_DWORD **)(v4 + 20);
v6 = *(void **)(v5 + 36);
if ( v6 )
{
ObfReferenceObject(*(PVOID *)(v5 + 36));
*pFilePointer = v6;
v2 = 0;
}
}
}
}
else
{
v3 = PsReferenceProcessFilePointer;
if ( PsReferenceProcessFilePointer
|| (v3 = (int)MmGetSystemRoutineAddress(&UPsReferenceProcessFilePointer),
(PsReferenceProcessFilePointer = v3) != 0) )
v2 = ((int (__stdcall *)(PEPROCESS, PVOID *))v3)(Process, pFilePointer);
}
}
return v2;
}
POBJECT_NAME_INFORMATION __stdcall sub_13101(LPVOID Process)
{
POBJECT_NAME_INFORMATION v1; // edi@1
struct _OBJECT_NAME_INFORMATION *v2; // eax@5
int v4; // [sp+8h] [bp-8h]@1
PVOID Object; // [sp+Ch] [bp-4h]@1
v1 = 0;
v4 = 0;
Object = 0;
if ( MajorVersion != 5 || MinorVersion )
{
if ( GetFileObjectFromProcess((PEPROCESS)Process, &Object) >= 0 )
{
if ( !Object )
return v1;
v2 = (struct _OBJECT_NAME_INFORMATION *)ExAllocatePoolWithTag(0, 0x400u, '!TVE');
v1 = v2;
if ( v2 )
{
memset(v2, 0, 0x400u);
if ( ObQueryNameString(Object, v1, 1024, &v4) < 0 || !v1->Name.Buffer )
{
ExFreePoolWithTag(v1, 0);
v1 = 0;
}
}
}
if ( Object )
ObfDereferenceObject(Object);
}
return v1;
}
void *__stdcall GetAntiRKRegVal(PCWSTR KeyPath, PCWSTR ValueName, PDWORD plen)
{
PVOID v3; // eax@6
void *infobuf; // edi@6
OBJECT_ATTRIBUTES ObjectAttributes; // [sp+Ch] [bp-30h]@1
UNICODE_STRING DestinationString; // [sp+24h] [bp-18h]@1
UNICODE_STRING ValueNamea; // [sp+2Ch] [bp-10h]@1
HANDLE KeyHandle; // [sp+34h] [bp-8h]@1
SIZE_T infolen; // [sp+38h] [bp-4h]@1
DestinationString.Length = 0;
*(_DWORD *)&DestinationString.MaximumLength = 0;
HIWORD(DestinationString.Buffer) = 0;
ValueNamea.Length = 0;
*(_DWORD *)&ValueNamea.MaximumLength = 0;
HIWORD(ValueNamea.Buffer) = 0;
ObjectAttributes.Length = 0;
ObjectAttributes.RootDirectory = 0;
ObjectAttributes.ObjectName = 0;
ObjectAttributes.Attributes = 0;
ObjectAttributes.SecurityDescriptor = 0;
KeyHandle = 0;
ObjectAttributes.SecurityQualityOfService = 0;
infolen = 0;
if ( !KeyPath )
goto LABEL_11;
if ( !ValueName )
goto LABEL_11;
RtlInitUnicodeString(&DestinationString, KeyPath);
ObjectAttributes.ObjectName = &DestinationString;
ObjectAttributes.Length = 24;
ObjectAttributes.RootDirectory = 0;
ObjectAttributes.Attributes = 576;
ObjectAttributes.SecurityDescriptor = 0;
ObjectAttributes.SecurityQualityOfService = 0;
ZwOpenKey(&KeyHandle, 1u, &ObjectAttributes);
if ( !KeyHandle )
goto LABEL_11;
RtlInitUnicodeString(&ValueNamea, ValueName);
if ( ZwQueryValueKey(KeyHandle, &ValueNamea, KeyValuePartialInformation, &infolen, 0, &infolen) != -1073741789 )
goto LABEL_11;
if ( !infolen )
goto LABEL_11;
v3 = ExAllocatePoolWithTag(0, infolen, 'TARK');
infobuf = v3;
if ( !v3 )
goto LABEL_11;
memset(v3, 0, infolen);
if ( ZwQueryValueKey(KeyHandle, &ValueNamea, KeyValuePartialInformation, infobuf, infolen, &infolen) < 0 )
{
freebuf(infobuf);
LABEL_11:
infobuf = 0;
goto LABEL_12;
}
if ( plen )
*plen = infolen;
LABEL_12:
if ( KeyHandle )
ZwClose(KeyHandle);
return infobuf;
}
bool __stdcall sub_110EC(PCUNICODE_STRING tofind)
{
PVOID v1; // esi@3
LSA_UNICODE_STRING DestinationString; // [sp+4h] [bp-10h]@6
PCWSTR SourceString; // [sp+Ch] [bp-8h]@2
bool v5; // [sp+12h] [bp-2h]@1
char v6; // [sp+13h] [bp-1h]@1
v5 = 1;
v6 = 0;
if ( tofind )
{
SourceString = (PCWSTR)ExAllocatePoolWithTag(0, 0x410u, 0x5441524Bu);
if ( SourceString )
{
KeWaitForSingleObject(&ServiceNameListLock, 0, 0, 0, 0);
v1 = ServiceList;
if ( ServiceList && ServiceList != &ServiceList )
{
while ( 1 )
{
DestinationString.Length = 0;
*(_DWORD *)&DestinationString.MaximumLength = 0;
HIWORD(DestinationString.Buffer) = 0;
if ( *((_DWORD *)v1 + 2) )
{
memset((void *)SourceString, 0, 0x410u);
wsprintfW(
(wchar_t *)SourceString,
520,
L"%s\\%s",
L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\services",
*((_DWORD *)v1 + 2));
RtlInitUnicodeString(&DestinationString, SourceString);
if ( RtlEqualUnicodeString(&DestinationString, tofind, 1u) == 1 )
break;
memset((void *)SourceString, 0, 0x410u);
wsprintfW((wchar_t *)SourceString, 520, L"%s\\%s", RegServicePath, *((_DWORD *)v1 + 2));
RtlInitUnicodeString(&DestinationString, SourceString);
if ( RtlEqualUnicodeString(&DestinationString, tofind, 1u) == 1 )
break;
}
v1 = *(PVOID *)v1;
if ( v1 == &ServiceList )
goto LABEL_12;
}
v6 = 1;
LABEL_12:
KeSetEvent(&ServiceNameListLock, 1, 0);
v5 = v6 == 1;
}
else
{
KeSetEvent(&ServiceNameListLock, 1, 0);
}
ExFreePoolWithTag((PVOID)SourceString, 0x5441524Bu);
}
}
return v5;
}
int __stdcall sub_10AAC(PUNICODE_STRING ustr, WCHAR ch, DWORD strlen, unsigned int a4)
{
int result; // eax@1
unsigned int v5; // edi@3
WCHAR *v6; // esi@6
DWORD v7; // ecx@6
result = 0;
if ( ustr )
{
if ( ustr->Length )
{
v5 = (unsigned int)ustr->Length >> 1;
if ( strlen < v5 && a4 <= v5 && strlen < a4 )
{
v6 = &ustr->Buffer[strlen];
v7 = a4 - strlen;
do
{
if ( *v6 == ch )
++result;
++v6;
--v7;
}
while ( v7 );
}
}
}
return result;
}
PDEVICE_OBJECT __stdcall CreateDeviceAndSymbol(PDRIVER_OBJECT DriverObject, PCWSTR SourceString, PCWSTR a3)
{
UNICODE_STRING SymbolicLinkName; // [sp+8h] [bp-14h]@1
UNICODE_STRING DestinationString; // [sp+10h] [bp-Ch]@1
PDEVICE_OBJECT DeviceObject; // [sp+18h] [bp-4h]@1
DestinationString.Length = 0;
*(_DWORD *)&DestinationString.MaximumLength = 0;
HIWORD(DestinationString.Buffer) = 0;
SymbolicLinkName.Length = 0;
*(_DWORD *)&SymbolicLinkName.MaximumLength = 0;
DeviceObject = 0;
HIWORD(SymbolicLinkName.Buffer) = 0;
if ( DriverObject )
{
if ( SourceString )
{
if ( a3 )
{
RtlInitUnicodeString(&DestinationString, SourceString);
RtlInitUnicodeString(&SymbolicLinkName, a3);
IoCreateDevice(DriverObject, 0, &DestinationString, 0x22u, 0x100u, 0, &DeviceObject);
if ( DeviceObject )
{
if ( IoCreateSymbolicLink(&SymbolicLinkName, &DestinationString) >= 0 )
{
if ( DeviceObject )
return DeviceObject;
IoDeleteSymbolicLink(&SymbolicLinkName);
}
if ( DeviceObject )
{
IoDeleteDevice(DeviceObject);
DeviceObject = 0;
}
}
}
}
}
return DeviceObject;
}
int __stdcall CreateCloseDispatch(int a1, PIRP Irp)
{
PIO_STACK_LOCATION v2; // eax@1
int v3; // esi@1
PEPROCESS Process; // eax@4
v2 = (PIO_STACK_LOCATION)Irp->Tail.Overlay.CurrentStackLocation;
v3 = -1073741823;
if ( v2 )
{
if ( v2->MajorFunction )
{
v3 = 0;
}
else
{
KeWaitForSingleObject(&CreateDispatchLock, 0, 0, 0, 0);
Process = IoGetCurrentProcess();
v3 = CheckPrcoessValid((LPVOID)Process, 1) != 0 ? 0 : STATUS_ACCESS_DENIED;
KeSetEvent(&CreateDispatchLock, 1, 0);
}
}
CompleteRequest(Irp, v3, 0);
return v3;
}
int __stdcall CompleteRequest(PIRP Irp, int a2, int a3)
{
int result; // eax@2
if ( Irp )
{
Irp->IoStatus.Status = a2;
Irp->IoStatus.Information = a3;
IofCompleteRequest(Irp, 0);
result = 0;
}
else
{
result = -1073741823;
}
return result;
}
void __stdcall CmCallBackFunc(int a1, int notifytype, _REG_CREATE_KEY_INFORMATION *notifydata)
{
PUNICODE_STRING v3; // eax@8
unsigned int v4; // ecx@11
PUNICODE_STRING v5; // esi@12
const void *v6; // ecx@13
bool v7; // al@18
bool v8; // zf@19
LSA_UNICODE_STRING DestinationString; // [sp+10h] [bp-43Ch]@5
int v10; // [sp+18h] [bp-434h]@5
int v11; // [sp+1Ch] [bp-430h]@1
WCHAR SourceString; // [sp+20h] [bp-42Ch]@5
char v13; // [sp+22h] [bp-42Ah]@5
CPPEH_RECORD ms_exc; // [sp+434h] [bp-18h]@1
_SEH_prolog4_GS(stru_14688, 1068);
v11 = 0;
JUMPOUT(notifydata, 0, &unk_1161F);
JUMPOUT(dword_14814, 0, &unk_1161F);
ms_exc.registration.TryLevel = 0;
if ( notifytype != 1 )
{
if ( notifytype == 4 ) // RegNtRenameKey
{
v8 = CheckRegKeyValid(notifydata->CompleteName, 0) == 0;
LABEL_23:
if ( !v8 )
v11 = -1073741790;
goto LABEL_25;
}
if ( notifytype == 10 ) // RegNtPreCreateKey
{
if ( !IsDirCorrect(notifydata->CompleteName) )
goto LABEL_25;
v7 = FindService(notifydata->CompleteName);
goto LABEL_19;
}
if ( notifytype != 26 )
goto LABEL_25;
DestinationString.Length = 0; // RegNtPreCreateKeyEx
*(_DWORD *)&DestinationString.MaximumLength = 0;
HIWORD(DestinationString.Buffer) = 0;
SourceString = 0;
memset(&v13, 0, 0x40Eu);
v10 = 1040;
if ( IsAbsolutePath(&notifydata->CompleteName) )
{
v5 = notifydata->CompleteName;
if ( notifydata->CompleteName )
{
v6 = v5->Buffer;
if ( v6 )
{
if ( (unsigned int)v5->Length >= 0x410 )
goto LABEL_25;
memcpy(&SourceString, v6, v5->Length);
}
}
}
else
{
GetObjectName((int)notifydata->RootObject, &SourceString, (int)&v10);
if ( !SourceString || (unsigned int)v10 >= 0x410 )
goto LABEL_25;
v3 = notifydata->CompleteName;
if ( notifydata->CompleteName && v3->Buffer )
{
if ( (unsigned int)v3->Length + v10 + 4 >= 0x410 )
goto LABEL_25;
v4 = (unsigned int)v10 >> 1;
*(&SourceString + v4) = 92;
v10 = v4 + 1;
memcpy(&SourceString + v4 + 1, v3->Buffer, v3->Length);
}
}
if ( SourceString )
{
RtlInitUnicodeString(&DestinationString, &SourceString);
if ( IsDirCorrect(&DestinationString) )
{
v7 = FindService(&DestinationString);
LABEL_19:
v8 = v7 == 1;
goto LABEL_23;
}
}
}
LABEL_25:
ms_exc.registration.TryLevel = -2;
JUMPOUT(&unk_11621);
}
char ClearList()
{
struct _KEVENT *v0; // ebx@1
PVOID v1; // esi@1
int v2; // eax@4
void *v3; // eax@4
v0 = &ServiceNameListLock;
KeWaitForSingleObject(&ServiceNameListLock, 0, 0, 0, 0);
v1 = ServiceList;
if ( ServiceList && *(&ServiceList + 1) )
{
if ( ServiceList != &ServiceList )
{
do
{
v2 = *(_DWORD *)v1;
ServiceList = (PVOID)v2;
*(_DWORD *)(v2 + 4) = &ServiceList;
v3 = (void *)*((_DWORD *)v1 + 2);
if ( v3 )
{
ExFreePoolWithTag(v3, 0x5441524Bu);
*((_DWORD *)v1 + 2) = 0;
}
ExFreePoolWithTag(v1, 0x5441524Bu);
v1 = ServiceList;
}
while ( ServiceList != &ServiceList );
v0 = &ServiceNameListLock;
}
KeSetEvent(v0, 1, 0);
}
else
{
KeSetEvent(&ServiceNameListLock, 1, 0);
}
return 1;
}
char __stdcall sub_10FD8(HANDLE KeyObj, PCUNICODE_STRING KeyName)
{
LSA_UNICODE_STRING DestinationString; // [sp+Ch] [bp-21Ch]@1
int v4; // [sp+14h] [bp-214h]@1
char v5; // [sp+1Bh] [bp-20Dh]@1
OBJECT_NAME_INFORMATION nameinfo; // [sp+1Ch] [bp-20Ch]@1
v5 = 0;
LOBYTE(nameinfo.Name.Length) = 0;
memset((char *)&nameinfo.Name.Length + 1, 0, 519u);
v4 = 0;
DestinationString.Length = 0;
*(_DWORD *)&DestinationString.MaximumLength = 0;
HIWORD(DestinationString.Buffer) = 0;
if ( KeyObj )
{
if ( ObQueryNameString(KeyObj, &nameinfo, 520, &v4) >= 0 )
{
if ( IsDirCorrect(&nameinfo.Name) )
{
if ( !KeyName
|| (RtlInitUnicodeString(&DestinationString, L"ImagePath"),
RtlEqualUnicodeString(KeyName, &DestinationString, 1u)) )
v5 = 1;
}
}
}
return v5;
}
signed int __stdcall CheckPrcoessValid(LPVOID Process, int a2)
{
BOOL v2; // ebx@1
PUNICODE_STRING v3; // eax@3
int v4; // edi@3
BOOL v5; // eax@6
unsigned int v6; // edi@7
unsigned int v7; // eax@9
signed int v9; // [sp+Ch] [bp-BCh]@1
int v10; // [sp+10h] [bp-B8h]@1
PVOID Process1; // [sp+14h] [bp-B4h]@1
unsigned int Buffer; // [sp+18h] [bp-B0h]@1
int v13; // [sp+1Ch] [bp-ACh]@1
int v14; // [sp+20h] [bp-A8h]@1
int Source2; // [sp+24h] [bp-A4h]@1
int v16; // [sp+28h] [bp-A0h]@1
int v17; // [sp+2Ch] [bp-9Ch]@1
int v18; // [sp+30h] [bp-98h]@1
int v19; // [sp+34h] [bp-94h]@1
int v20; // [sp+38h] [bp-90h]@12
char Source1; // [sp+B4h] [bp-14h]@1
int v22; // [sp+B5h] [bp-13h]@1
int v23; // [sp+B9h] [bp-Fh]@1
int v24; // [sp+BDh] [bp-Bh]@1
__int16 v25; // [sp+C1h] [bp-7h]@1
char v26; // [sp+C3h] [bp-5h]@1
Process1 = Process;
v13 = 0;
v14 = 0;
Source2 = 0;
v16 = 0;
v17 = 0;
v18 = 0;
v2 = 0;
Source1 = 0;
v22 = 0;
v23 = 0;
v24 = 0;
v25 = 0;
v26 = 0;
v9 = 0;
Buffer = 0;
v10 = 0;
LOBYTE(v19) = 0;
memset((char *)&v19 + 1, 0, 0x7Fu);
if ( !MajorVersion )
PsGetVersion(&MajorVersion, &MinorVersion, &BuildNumber, 0);
v3 = (PUNICODE_STRING)GetFileNameFromProcess(Process1);
v4 = (int)v3;
Process1 = v3;
if ( v3 )
{
if ( !a2 || IsSameDir(v3) )
{
v5 = ReadFile(v4, (int)&Buffer);
v2 = v5;
if ( v5 )
{
v6 = Buffer;
if ( Buffer > 0x40 )
{
if ( CheckNtImageValid((PVOID)v5) )
{
v7 = *(_DWORD *)(v2 + 40);
if ( v7 )
{
if ( v7 <= v6 - 128 )
{
v10 = 24;
if ( md5_encrypt1(v2 + v7, 128, (int)&v19, (int)&v10) )
{
qmemcpy(&v13, &v19, 0x18u);
if ( v20 )
{
if ( v20 <= Buffer && v19 + v20 <= Buffer )
{
md5_encrypt2((int)&Source1, v2 + v19, v20);
if ( RtlCompareMemory(&Source1, &Source2, 0x10u) == 16 )
v9 = 1;
}
}
}
}
}
}
}
}
}
ExFreePoolWithTag(Process1, 0);
if ( v2 )
ExFreePoolWithTag((PVOID)v2, 0);
}
return v9;
}
int __stdcall CheckNtImageValid(PVOID VirtualAddress)
{
char *v1; // esi@5
signed int v3; // [sp+10h] [bp-1Ch]@1
v3 = 0;
if ( VirtualAddress )
{
if ( MmIsAddressValid(VirtualAddress) )
{
if ( MmIsAddressValid((char *)VirtualAddress + 60) )
{
if ( *(_WORD *)VirtualAddress == 23117 )
{
v1 = (char *)VirtualAddress + *((_DWORD *)VirtualAddress + 15);
if ( v1 )
{
if ( MmIsAddressValid(v1) && *(_DWORD *)v1 == 17744 )
v3 = 1;
}
}
}
}
}
return v3;
}
char __stdcall ResetRegInfo1(int Data, void *a2, size_t a3)
{
size_t v3; // ebx@1
PVOID v4; // eax@5
void *v5; // edi@5
int v7; // [sp+8h] [bp-4h]@1
v3 = a3 + 520;
v7 = 0;
if ( Data == 'DKs' || Data == 'DemK' )
{
if ( a2 )
{
if ( a3 )
{
Data = (Data == 'DKs') + 3;
v4 = ExAllocatePoolWithTag(0, a3 + 520, 0x5441524Bu);
v5 = v4;
if ( v4 )
{
memset(v4, 0, v3);
memcpy(v5, a2, a3);
SetRegVal((WCHAR *)v5, L"Start", &Data, 4u, 4u);
SetRegVal((WCHAR *)v5, L"ErrorControl", &v7, 4u, 4u);
ExFreePoolWithTag(v5, 0x5441524Bu);
}
}
}
}
return 1;
}
char __stdcall regset8(PVOID P, void *a2, size_t a3)
{
unsigned int v3; // ebx@1
PVOID v4; // eax@4
PVOID Pa; // [sp+10h] [bp+8h]@4
v3 = a3 + 520;
if ( P == (PVOID)'DFs' )
{
if ( a2 )
{
if ( a3 )
{
v4 = ExAllocatePoolWithTag(0, a3 + 520, 'TARK');
Pa = v4;
if ( v4 )
{
memset(v4, 0, v3);
if ( a3 >= 8 && !memcmp(a2, L"\\??\", 8u) )
memcpy(Pa, a2, a3);
else
wsprintfW((wchar_t *)Pa, v3 >> 1, L"%s%s", L"\\??\", a2);
DoDeleteFile((PCWSTR)Pa);
ExFreePoolWithTag(Pa, 'TARK');
}
}
}
}
return 1;
}
char __stdcall func(int a1, void *a2, size_t a3)
{
PVOID v3; // edi@6
if ( a2 && a3 && (a1 == 'DFs' || a1 == 'DKs' || a1 == 'DemK') )
{
v3 = ExAllocatePoolWithTag(0, a3 + 520, 0x5441524Bu);
if ( v3 )
{
memset(v3, 0, a3 + 520);
memcpy(v3, a2, a3);
switch ( a1 )
{
case 'DFs':
DbgPrint("[[AntiRK]][PrintDenyInfo] Deny Files Path = %ws\n", v3);
break;
case 'DKs':
DbgPrint("[[AntiRK]][PrintDenyInfo] Deny Keys Path = %ws\n", v3);
break;
case 'DemK':
DbgPrint("[[AntiRK]][PrintDenyInfo] Disable Keys Path = %ws\n", v3);
break;
default:
DbgPrint("[[AntiRK]][PrintDenyInfo] Type not Match,Unknow Error\n");
break;
}
ExFreePoolWithTag(v3, 0x5441524Bu);
}
}
return 1;
}

复制代码

账号		自动登录	找回密码
密码			立即注册→加入我们

对AntiRK的逆向

欢迎访问技术宅的结界，请注册或者登录吧。

浏览过的版块