I gave in to goldberg's enthusiasm again. Paralyzing: I get very excited whenever I mention this person. Maybe he gave me some strength. After talking with him, this article was conceived. It can be seen that goldberg is very capable. Without further nonsense, the article begins.
.text:0001045A
.text:0001045A ; Attributes: bp-based frame
.text:0001045A
.text:0001045A                 public start
.text:0001045A start           proc near
.text:0001045A                 push    ebp             ; push usually passes a parameter, but it can also save a temporary; here it saves the caller's frame pointer
.text:0001045B                 mov     ebp, esp        ; save esp in ebp: the function body begins
.text:0001045D                 push    offset s_PI     ; "Driver entry"
.text:00010462                 call    DbgPrint        ; formatted output
.text:00010467                 add     esp, 4          ; the caller removes the argument: DbgPrint is variadic, so it uses the C calling convention
.text:0001046A                 call    sub_10260       ; call a subfunction
.text:0001046F                 call    sub_10309       ; call a subfunction
.text:00010474                 call    sub_10397       ; call a subfunction
.text:00010479                 push    offset asc_1068C ; "exit after execution"
.text:0001047E                 call    DbgPrint        ; function execution completed
.text:00010483                 add     esp, 4          ; caller cleanup again, as above; the driver's own functions (start and the sub_xxx) use stdcall and clean their own stack
.text:00010486                 mov     eax, 0C0000182h ; the driver's return value: STATUS_DEVICE_CONFIGURATION_ERROR
.text:0001048B                 leave
.text:0001048C                 retn    8               ; stdcall: pops the two DriverEntry parameters
.text:0001048C start           endp
Here we have the entire program structure: print a message, call the three subfunctions in turn, print another message, and return. With that, the framework of the code can be reorganized as follows:
.386
.model flat, stdcall
option casemap:none
;
; include files and libraries go here, according to which functions the program uses
;
.data?

.data

.const

.code
;------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
    invoke DbgPrint, CTXT("Driver entry")
    call sub_10260                  ; call the first subfunction
    call sub_10309
    call sub_10397
    invoke DbgPrint, CTXT("program ended")
    mov eax, STATUS_DEVICE_CONFIGURATION_ERROR
    ret
DriverEntry endp
;------------------------------------------------------------
end DriverEntry
It is like constructing a building: the frame is up, and now it is time to build the body. Look first at the first subfunction, sub_10260. It is called directly with a plain call, so no parameters are passed.
.text:00010260 sub_10260       proc near
.text:00010260
.text:00010260 Handle          = dword ptr -24h        ; stack frame: negative ebp offsets are local variables, positive ones would be parameters
.text:00010260 IoStatusBlock   = _IO_STATUS_BLOCK ptr -20h ; local; IDA has recovered the structure type here
.text:00010260 ObjectAttributes= OBJECT_ATTRIBUTES ptr -18h
.text:00010260
.text:00010260                 push    ebp
.text:00010261                 mov     ebp, esp
.text:00010263                 add     esp, 0FFFFFFDCh         ; esp -= 24h: 36 bytes of locals (4 + 8 + 24)
.text:00010266                 push    ds:off_10538            ; argument for %ws: the directory name
.text:0001026C                 push    offset Format           ; "create directory: %ws"
.text:00010271                 call    DbgPrint                ; %ws prints a Unicode string; the kernel works in Unicode
.text:00010276                 add     esp, 8                  ; caller removes the two arguments
.text:00010279                 lea     ecx, [ebp+ObjectAttributes] ; initialize OBJECT_ATTRIBUTES
.text:0001027C                 mov     dword ptr [ecx], 18h    ; Length = sizeof(OBJECT_ATTRIBUTES)
.text:00010282                 and     dword ptr [ecx+4], 0    ; RootDirectory = NULL
.text:00010286                 mov     dword ptr [ecx+0Ch], 240h ; Attributes = OBJ_CASE_INSENSITIVE (40h) | OBJ_KERNEL_HANDLE (200h)
.text:0001028D                 and     dword ptr [ecx+10h], 0  ; SecurityDescriptor = NULL
.text:00010291                 mov     dword ptr [ecx+8], offset asc_10534 ; ObjectName: the UNICODE_STRING holding the path (off_10538 above is its Buffer field)
.text:00010298                 and     dword ptr [ecx+14h], 0  ; SecurityQualityOfService = NULL
.text:0001029C                 push    0                       ; EaLength
.text:0001029E                 push    0                       ; EaBuffer
.text:000102A0                 push    21h                     ; CreateOptions = FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT
.text:000102A2                 push    3                       ; CreateDisposition = FILE_OPEN_IF
.text:000102A4                 push    0                       ; ShareAccess
.text:000102A6                 push    80h                     ; FileAttributes = FILE_ATTRIBUTE_NORMAL
.text:000102AB                 push    0                       ; AllocationSize
.text:000102AD                 lea     eax, [ebp+IoStatusBlock]
.text:000102B0                 push    eax                     ; IoStatusBlock
.text:000102B1                 lea     eax, [ebp+ObjectAttributes]
.text:000102B4                 push    eax                     ; ObjectAttributes
.text:000102B5                 push    100000h                 ; DesiredAccess = SYNCHRONIZE
.text:000102BA                 lea     eax, [ebp+Handle]
.text:000102BD                 push    eax                     ; FileHandle
.text:000102BE                 call    ZwCreateFile            ; opens or creates the object; the same call creates files, FILE_DIRECTORY_FILE makes it a directory
.text:000102C3                 or      eax, eax                ; test the NTSTATUS: nonzero means not STATUS_SUCCESS
.text:000102C5                 jnz     short loc_102F9         ; on failure jump to the "directory creation failed" message below
.text:000102C7                 cmp     [ebp+IoStatusBlock.Information], 2 ; what happened to the object: 2 = FILE_CREATED
.text:000102CB                 jnz     short loc_102DC
.text:000102CD                 push    offset s_I              ; "Directory Creation"
.text:000102D2                 call    DbgPrint
.text:000102D7                 add     esp, 4                  ; restore the stack
.text:000102DA                 jmp     short loc_102EF         ; directory created: go close the handle
.text:000102DC ; ---------------------------------------------------------------------------
.text:000102DC
.text:000102DC loc_102DC:
.text:000102DC                 cmp     [ebp+IoStatusBlock.Information], 1 ; 1 = FILE_OPENED: the directory already existed. Together this is an .if / .elseif / .endif structure
.text:000102E0                 jnz     short loc_102EF
.text:000102E2                 push    offset s_KJ             ; "directory sharing"
.text:000102E7                 call    DbgPrint
.text:000102EC                 add     esp, 4
.text:000102EF
.text:000102EF loc_102EF:
.text:000102EF                 push    [ebp+Handle]            ; Handle
.text:000102F2                 call    ZwClose                 ; close the handle in both cases, whether the directory was created or already existed
.text:000102F7                 jmp     short locret_10307      ; function return
.text:000102F9 ; ---------------------------------------------------------------------------
.text:000102F9
.text:000102F9 loc_102F9:
.text:000102F9                 push    eax
.text:000102FA                 push    offset s_IIAI08x        ; "the directory cannot be created. Error code %08X"
.text:000102FF                 call    DbgPrint
.text:00010304                 add     esp, 8
.text:00010307
.text:00010307 locret_10307:
.text:00010307                 leave                           ; return from the subfunction
.text:00010308                 retn
.text:00010308 sub_10260       endp
This subfunction first initializes an OBJECT_ATTRIBUTES structure (with the OBJ_CASE_INSENSITIVE attribute), declared as follows:
ObjectAttributes OBJECT_ATTRIBUTES <?>
It then prints the name of the directory to be created. Code:
.const
CCOUNTED_UNICODE_STRING "\??\C:\fuck", g_usDirName, 4


invoke DbgPrint, $CTA0("create directory: %ws"), g_usDirName.Buffer
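As an added example (not the article's code), a small Python helper that does mechanically what the walk through sub_10260 above does by hand: it pairs each call with the pushes before it, reverses them into declaration order, infers cdecl versus stdcall from whether an add esp follows the call, and expands the immediates of the ZwCreateFile call into the NT constants they encode. The parameter names are ZwCreateFile's real ones; the sample listing is constructed from the lines above.

```python
import re
# ZwCreateFile parameters in declaration order; the listing pushes them last-to-first
PARAMS = ["FileHandle", "DesiredAccess", "ObjectAttributes", "IoStatusBlock", "AllocationSize",
          "FileAttributes", "ShareAccess", "CreateDisposition", "CreateOptions", "EaBuffer", "EaLength"]
# Real NT constants behind the immediates sub_10260 pushes (only the values this listing uses)
FLAGS = {"DesiredAccess": {0x100000: "SYNCHRONIZE"}, "FileAttributes": {0x80: "FILE_ATTRIBUTE_NORMAL"},
         "CreateOptions": {0x1: "FILE_DIRECTORY_FILE", 0x20: "FILE_SYNCHRONOUS_IO_NONALERT"},
         "CreateDisposition": {3: "FILE_OPEN_IF"}}
LINE = re.compile(r"^\.text:[0-9A-Fa-f]{8}\s+(\w+)\s*(.*?)\s*(?:;.*)?$")  # addr mnemonic operands ;comment
def masm_int(tok):  # MASM immediate: 21h -> 33, 0FFFFFFDCh -> 0xFFFFFFDC, 3 -> 3
    return int(tok[:-1], 16) if tok[-1] in "hH" else int(tok)

def recover_calls(listing):  # pair each call with the pushes before it; detect caller stack cleanup
    calls, pushes = [], []
    for op, args in (m.groups() for m in map(LINE.match, listing.splitlines()) if m):
        if op == "push":
            pushes.append(args)
        elif op == "call":  # arguments were pushed right-to-left, so reverse into declaration order
            calls.append({"callee": args, "args": pushes[::-1], "cleanup": 0, "convention": "stdcall"})
            pushes = []
        elif op == "add" and args.startswith("esp") and calls:  # add esp, N after a call: cdecl
            calls[-1].update(cleanup=masm_int(args.split(",")[1].strip()), convention="cdecl")
    return calls

def decode_zwcreatefile(call):  # name the recovered arguments and expand immediates into NT constants
    out = {}
    for name, raw in zip(PARAMS, call["args"]):
        names = [n for bit, n in FLAGS.get(name, {}).items()
                 if raw[0].isdigit() and (masm_int(raw) & bit) == bit]
        out[name] = " | ".join(names) or raw
    return out
# Constructed sample: the two call sites of sub_10260, copied from the listing above
LISTING = """\
.text:00010266 push    ds:off_10538
.text:0001026C push    offset Format   ; "create directory: %ws"
.text:00010271 call    DbgPrint
.text:00010276 add     esp, 8
.text:0001029C push    0               ; EaLength
.text:0001029E push    0               ; EaBuffer
.text:000102A0 push    21h             ; CreateOptions
.text:000102A2 push    3               ; CreateDisposition
.text:000102A4 push    0               ; ShareAccess
.text:000102A6 push    80h             ; FileAttributes
.text:000102AB push    0               ; AllocationSize
.text:000102B0 push    eax             ; IoStatusBlock
.text:000102B4 push    eax             ; ObjectAttributes
.text:000102B5 push    100000h         ; DesiredAccess
.text:000102BD push    eax             ; FileHandle
.text:000102BE call    ZwCreateFile
"""
```

Running `decode_zwcreatefile(recover_calls(LISTING)[1])` yields the same parameter-to-flag mapping as the annotated listing, and the DbgPrint site is reported as cdecl with 8 bytes of caller cleanup.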
After creating the directory, the subfunction tests the Information field and prints a different message for each outcome. The reconstructed code is as follows:
CreateDirectory proc
    local oa:OBJECT_ATTRIBUTES
    local iosb:IO_STATUS_BLOCK
    local hDirectory:HANDLE
    ;------------------------------------------------------------
    ; print the directory name in Unicode format; the kernel uses Unicode
    ;------------------------------------------------------------
    invoke DbgPrint, $CTA0("create directory: %ws"), g_usDirName.Buffer
    ;------------------------------------------------------------
    ; initialize OBJECT_ATTRIBUTES with OBJ_CASE_INSENSITIVE; oa is passed to ZwCreateFile as a parameter
    ;------------------------------------------------------------
InitializeObjectAtt