/*
 * CheckDriverDispatch - decompiler output (Hex-Rays style). The register
 * annotations (@<al>, @<rcx>, ...) and the _DWORD/_BYTE/0i64 spellings are not
 * portable C; read this as pseudocode of the compiled routine.
 *
 * Purpose: decide whether driverObject->MajorFunction[14] points into the image
 * range of some module returned by QuerySystemModuleInformation(). In WDM,
 * major-function index 14 (0x0E) is IRP_MJ_DEVICE_CONTROL, so this is a
 * dispatch-hook check on the driver's IOCTL handler: a handler that lies
 * outside every listed module is reported as not found.
 *
 * Detection caveat: a handler inside the range of ANY listed module satisfies
 * the check; the code does not verify that the module is the driver's own
 * image, so a handler redirected into another loaded module is still reported
 * as found.
 *
 * Parameters:
 *   driverObject  - driver whose dispatch table is inspected; NULL -> status 2.
 *   detectionData - optional out buffer, filled only on a match:
 *                     [0]      low 32 bits of (handler - module ImageBase)
 *                     [1]      module ImageSize
 *                     byte 8.. module file name, at most 255 bytes, plus NUL
 *                   It must therefore hold at least 8 + 256 bytes; the size is
 *                   not checked here - TODO confirm against the callers.
 *   outStatus     - optional status code; values 2, 4, 5, 6, 7 are written
 *                   (their meanings are not visible in this file).
 *   a4            - passed through to QuerySystemModuleInformation(); its
 *                   semantics are not visible here.
 *
 * Returns 1 when the handler lies inside a listed module, otherwise 0.
 */
char __usercall CheckDriverDispatch@<al>(DRIVER_OBJECT *driverObject@<rcx>, _DWORD *detectionData@<r8>, _DWORD *outStatus@<r9>, signed int a4@<r14d>)
{
    char v4; // bp - result: 1 once a containing module is found
    PDRIVER_DISPATCH addr; // rdi - the IRP_MJ_DEVICE_CONTROL handler under test
    SYSTEM_MODULE_INFORMATION *moduleInformation; // rax MAPDST - owned list, freed at LABEL_29
    ULONG moduleIndex; // ecx
    PVOID *cur; // r12 - points at the ImageBase field of the current module entry
    _BYTE *fileName; // rdx
    unsigned __int64 nameLength; // rax
    size_t nameLength2; // rdi
    v4 = 0;
    if ( !driverObject )
    {
        if ( outStatus )
            *outStatus = 2;
        return 0;
    }
    // Index 14 (0x0E) is IRP_MJ_DEVICE_CONTROL in WDM.
    addr = driverObject->MajorFunction[14];
    if ( !addr )
    {
        if ( outStatus )
            *outStatus = 4;
        return 0;
    }
    moduleInformation = (SYSTEM_MODULE_INFORMATION *)QuerySystemModuleInformation(a4);
    if ( !moduleInformation )
    {
        if ( outStatus )
            *outStatus = 5;
        return 0;
    }
    moduleIndex = 0;
    if ( moduleInformation->Count )
    {
        cur = &moduleInformation->Module[0].ImageBase;
        // Walk the module list until an entry whose [ImageBase, ImageBase+ImageSize]
        // range contains addr is found. *cur is ImageBase, *((unsigned int *)cur + 2)
        // is ImageSize. Entries whose base is below MmSystemRangeStart (not kernel
        // addresses) are skipped. Note the upper bound uses '>', so a handler exactly
        // at ImageBase + ImageSize (one past the image) still counts as inside.
        while ( (unsigned __int64)*cur < MmSystemRangeStart
             || (char *)addr < *cur
             || (char *)addr > (char *)*cur + *((unsigned int *)cur + 2) )
        {
            ++moduleIndex;
            // Advance one module entry: 37 pointer-sized slots (296 bytes);
            // presumably the size of one module record - verify against the
            // SYSTEM_MODULE definition used by this project.
            cur += 37;
            if ( moduleIndex >= moduleInformation->Count )
                goto LABEL_29; // no module contains addr -> free list, status 6
        }
        v4 = 1;
        if ( detectionData )
        {
            // 3 slots (24 bytes) past ImageBase; presumably the entry's file-name
            // field (ImageBase sits at offset 16 of the record) - confirm.
            fileName = cur + 3;
            nameLength = 0i64;
            // Low 32 bits of (addr - ImageBase): the handler's RVA inside the module.
            *detectionData = (_DWORD)addr - *(_DWORD *)cur;
            // Decompiler artifact: compares the field address against -0x18, i.e. a
            // NULL check on the enclosing entry pointer. It cannot hold here because
            // *cur was already dereferenced in the loop above; the jump lands inside
            // the 'if ( nameLength < 255 )' block below.
            if ( cur == (PVOID *)0xFFFFFFFFFFFFFFE8i64 )
                goto LABEL_35;
            // Bounded strlen: count up to 256 bytes of fileName without reading past it.
            do
            {
                if ( !fileName[nameLength] )
                    break;
                ++nameLength;
            }
            while ( nameLength < 256 );
            // Cap the copy length at 255 so the NUL written below stays within 256 bytes.
            nameLength2 = 255i64;
            if ( nameLength < 255 )
            {
LABEL_35:
                // Duplicate of the bounded strlen above (compiler/decompiler artifact);
                // yields the same count, so nameLength2 == min(strnlen(fileName, 256), 255).
                nameLength2 = 0i64;
                if ( cur != (PVOID *)0xFFFFFFFFFFFFFFE8i64 )
                {
                    do
                    {
                        if ( !fileName[nameLength2] )
                            break;
                        ++nameLength2;
                    }
                    while ( nameLength2 < 256 );
                }
            }
            // Copy at most 255 name bytes to byte offset 8 of detectionData and
            // NUL-terminate; the destination is assumed to be large enough (see header).
            memmove(detectionData + 2, fileName, nameLength2);
            *((_BYTE *)detectionData + nameLength2 + 8) = 0;
            detectionData[1] = *((_DWORD *)cur + 2); // module ImageSize
        }
        if ( outStatus )
            *outStatus = 7; // handler found inside a listed module
    }
LABEL_29:
    // The module list is released on every path that reaches here.
    FreePool((__int64)moduleInformation);
    if ( !v4 && outStatus )
        *outStatus = 6; // no containing module (or empty module list)
    return v4;
}