1.
Writing code to a specified address
A. Derivation of the JMP address translation formula
B. Computing the actual address to write: the function realjmp_addr
C. Testing
"240" The machine code (opcode) of the JMP instruction is 0xE9.
"260" First guess: the instruction "JMP 88881234" is translated into the machine code "E9 88881234".
"328" Open OD (OllyDbg) and check whether the JMP instruction is really translated the way we guessed above.
"440" We changed one of our own instructions into a JMP and found that the immediate following the opcode was not what we expected:
the last 3 bytes are the same, but the value of the first byte is different.
ZC: Does the JMP instruction jump to a relative position?
"645" The target address in hex: 0x88881234
"695" The JMP instruction itself is located at address 0x010073BB.
Their difference: 0x88881234 - 0x010073BB = 0x87879E79
"815" 0x87879E79 - 0x5 = 0x87879E74, which is exactly the immediate shown in OD.
ZC: In fact, the immediate after E9 is the difference between 0x88881234 and the address of the next instruction; the relative address is computed from the next instruction. (Consider a similar situation: sometimes when OD breaks (on a memory breakpoint?), the instruction we look at is the one above EIP. Is this the same reason? While the CPU executes instruction A, does EIP already point to the next instruction? Or does EIP point to the instruction that is about to be executed right now? It looks a bit like that. So the offset in this section should be computed relative to the address EIP points to?)
"825" The high-order bytes of the immediate appear reversed in OD (little-endian byte order: the low byte is stored first).
"905" Look at "dd 10073bb+1"; the "+1" skips the opcode byte E9.
"1035" "db 10073bb+1"
ZC: Spent half a day on this and still cannot clearly explain the CPU's little-endian / big-endian storage formats ...
"1185"
Defining the JMP structure
#pragma pack(push, 1)   // the structure must be exactly 5 bytes; without packing jmpaddr would be padded to offset 4
typedef struct _JMPCODE
{
    BYTE  E9;       // opcode 0xE9
    ULONG jmpaddr;  // rel32 operand: target address - (address of the JMP + 5)
} JMPCODE, *PJMPCODE;
#pragma pack(pop)
ZC: (x86) The formula should be: relative address in the machine code = absolute (intra-segment) target address - address of the instruction following the JMP (i.e. the JMP's own address + 5).
"1720" Copy the code from lesson 19.
"1910"
NTSTATUS DriverEntry(PDRIVER_OBJECT _pDriverObject, PUNICODE_STRING B)
{
    ULONG cur, old;
    cur = GetNt_CurAddr();   // helpers from lesson 19: current and original NtOpenProcess addresses
    old = GetNt_OldAddr();
    if (cur != old)
    {
        // "2830" write our JMP instruction here
        KdPrint(("NtOpenProcess has been hooked\n"));
    }
    else
        KdPrint(("NtOpenProcess has not been hooked\n"));
    _pDriverObject->DriverUnload = DDK_Unload;
    return STATUS_SUCCESS;
}
Diagram from the lesson, with A = address where the 5-byte JMP is written, B = the rel32 operand that follows E9, C = the jump target:
    A: E9 B          (5 bytes: 1 opcode byte + 4-byte B)
    C - A - 5 = B    // B is the value actually written after E9
JMPCODE jcode;   // declared together with cur and old at the top of DriverEntry
if (cur != old)
{
    // A = old (where the JMP is written), C = cur (where it lands), B = C - A - 5.
    // The address written to and the address used as A in the formula must be the same one.
    jcode.E9 = 0xE9;
    jcode.jmpaddr = cur - old - 5;
    KdPrint(("Value to write after E9: %x\n", jcode.jmpaddr));
    // Assumes write protection on the kernel code page has already been dealt with
    // (e.g. CR0.WP cleared); the lesson does not show that step.
    _asm
    {
        mov ebx, old             // destination: A
        lea ecx, jcode
        mov al, byte ptr [ecx]   // opcode E9 (a byte, so al rather than ax)
        mov byte ptr [ebx], al   // jmp
        mov eax, [ecx+1]         // B, the 4-byte rel32
        mov [ebx+1], eax
    }
    // The JMP has been written
    KdPrint(("NtOpenProcess has been hooked\n"));
}
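As an added worked example (not code from the lesson or its driver), the derivation above (B = C - A - 5) and the 5-byte write are carried out in user mode on a plain buffer, checked against the lesson's own numbers: a JMP at 0x010073BB to 0x88881234 encodes as E9 74 9E 87 87 and decodes back to 0x88881234. The function names jmp_rel32, write_jmp, jmp_target, jmp_bytes_packed and jmp_roundtrip_ok, and the buffer standing in for the code page, are assumptions introduced here; the struct mirrors the lesson's JMPCODE but is packed to 5 bytes. It goes beyond the lesson in also handling a backward jump (target below the JMP), where the displacement wraps to a negative 32-bit value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_LEN 5   /* E9 + 4-byte rel32 */

/* Mirrors the lesson's JMPCODE, but packed: without packing the ULONG would
 * sit at offset 4 and the struct would be 8 bytes, not 5. */
#pragma pack(push, 1)
typedef struct _JMPCODE {
    uint8_t  E9;       /* opcode 0xE9 */
    uint32_t jmpaddr;  /* rel32: target - (jmp address + 5) */
} JMPCODE, *PJMPCODE;
#pragma pack(pop)

/* B = C - A - 5. Unsigned 32-bit subtraction wraps mod 2^32, which is what the
 * CPU does too, so a backward jump simply yields a "negative" rel32. */
uint32_t jmp_rel32(uint32_t jmp_va, uint32_t target_va) {
    return target_va - (jmp_va + JMP_LEN);
}

/* Build the 5 bytes at patch_site, a buffer standing in for the (writable)
 * code page at virtual address jmp_va. Emitted low byte first, exactly as x86
 * stores the immediate in memory and as OD's "db 10073bb+1" shows it. */
int write_jmp(uint8_t *patch_site, uint32_t jmp_va, uint32_t target_va) {
    JMPCODE jcode;
    if (sizeof jcode != JMP_LEN) return -1;     /* packing did not take effect */
    jcode.E9 = 0xE9;
    jcode.jmpaddr = jmp_rel32(jmp_va, target_va);
    patch_site[0] = jcode.E9;
    patch_site[1] = (uint8_t)(jcode.jmpaddr      );
    patch_site[2] = (uint8_t)(jcode.jmpaddr >>  8);
    patch_site[3] = (uint8_t)(jcode.jmpaddr >> 16);
    patch_site[4] = (uint8_t)(jcode.jmpaddr >> 24);
    return 0;
}

/* Inverse: read back the rel32 behind the E9 ("dd 10073bb+1") and resolve it
 * against the address of the *next* instruction: C = A + 5 + B. */
uint32_t jmp_target(uint32_t jmp_va, const uint8_t code[JMP_LEN]) {
    uint32_t rel = (uint32_t)code[1]
                 | (uint32_t)code[2] <<  8
                 | (uint32_t)code[3] << 16
                 | (uint32_t)code[4] << 24;
    return jmp_va + JMP_LEN + rel;
}

/* The 5 encoded bytes as one number in memory order (E9 first), convenient
 * for comparing with what OD displays. Returns 0 if encoding failed. */
uint64_t jmp_bytes_packed(uint32_t jmp_va, uint32_t target_va) {
    uint8_t b[JMP_LEN];
    uint64_t v = 0;
    if (write_jmp(b, jmp_va, target_va) != 0) return 0;
    for (int i = 0; i < JMP_LEN; i++) v = (v << 8) | b[i];
    return v;
}

/* 1 if encoding then decoding lands back on target_va, else 0. */
int jmp_roundtrip_ok(uint32_t jmp_va, uint32_t target_va) {
    uint8_t b[JMP_LEN];
    if (write_jmp(b, jmp_va, target_va) != 0) return 0;
    return jmp_target(jmp_va, b) == target_va;
}

int main(void) {
    uint8_t buf[JMP_LEN];
    /* The lesson's numbers: "jmp 88881234" assembled at 010073BB */
    uint32_t at = 0x010073BBu, target = 0x88881234u;
    write_jmp(buf, at, target);
    printf("rel32 = %08X, bytes =", jmp_rel32(at, target));
    for (int i = 0; i < JMP_LEN; i++) printf(" %02X", buf[i]);
    printf(", decodes back to %08X\n", jmp_target(at, buf));
    return 0;
}
```

The bytes are serialized explicitly rather than with a memcpy of the struct so the little-endian layout (the "825" observation) is visible in the code and does not depend on the host's byte order; in the driver the memcpy-style asm write is fine because the host is the same x86 machine.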
2.
YJX_DRIVER_020_JMP Address Translation Formula derivation