【Help】Please analyze the code


linhan
October 5th, 2007, 23:03
I can't understand.
Please give me a hand, thanks.

enter 18, 0                               ; 0x18 bytes of locals
push ebx
push esi
push edi
mov edx, dword ptr [ebp+8]                ; first argument
mov dword ptr [ebp-6], EE000028
mov word ptr [ebp-8], dx                  ; low word of the argument
shr edx, 10                               ; 0x10: keep the high word of the argument
mov word ptr [ebp-2], dx
lea edx, dword ptr [ebp-18]
sidt fword ptr [edx]                      ; store IDTR (16-bit limit, 32-bit base) at [ebp-18]
mov ebx, dword ptr [ebp-16]               ; IDT base address
add ebx, 48                               ; 0x48 = entry 9 (8 bytes per IDT entry)
lea edi, dword ptr [ebp-10]
mov esi, ebx
movs dword ptr es:[edi], dword ptr [esi]  ; copy the first dword of that entry to the stack
......

LLXX
October 5th, 2007, 23:54
Analyze it yourself.

Another one of your little half-attempts at SEH?

One word, the obligatory use of Google, thread over.

blabberer
October 6th, 2007, 12:18
linhan

What are you analysing (is it a driver, possibly)? If it is in user mode, this could be an anti-debugging trick; somewhere down the line it could check for (trap flag). sidt returns the interrupt base address, which normally would be 0x8003f400:

Code:

lkd> dt nt!_KPCR ffdff000
+0x000 NtTib : _NT_TIB
+0x01c SelfPcr : 0xffdff000 _KPCR
+0x020 Prcb : 0xffdff120 _KPRCB
+0x024 Irql : 0 ''
+0x028 IRR : 0
+0x02c IrrActive : 0
+0x030 IDR : 0xffffffff
+0x034 KdVersionBlock : 0x8054c738
+0x038 IDT : 0x8003f400 _KIDTENTRY

lkd> dt nt!_kidtentry 8003f400
nt!_KIDTENTRY
+0x000 Offset : 0xfbff
+0x002 Selector : 8
+0x004 Access : 0x8e00
+0x006 ExtendedOffset : 0x804d

so the first interrupt int 0 is located at 804dfbff

lkd> u 804dfbff
nt!KiTrap00:
804dfbff 6a00 push 0
804dfc01 66c74424020000 mov word ptr [esp+2],0
804dfc08 55 push ebp
804dfc09 53 push ebx
804dfc0a 56 push esi
804dfc0b 57 push edi
804dfc0c 0fa0 push fs
804dfc0e bb30000000 mov ebx,30h

lkd> !idt 0

Dumping IDT:

00: 804dfbff nt!KiTrap00

lkd>

And your code seems to be copying the contents from the truncated r0 address, viz. 3f448, to the stack.

If this is some malware, this code could be used to detect the presence of a VM (look for redpill, bluepill, bluechicken, greenfish war stories for details about how VMs can't and can return different sidt).

Edit:
I leeched this paper from a link on Joanna's site some time back (it describes problems faced with developing VMs handling non-privileged mnemonics which return sensitive information). Putting it here for archival purposes.
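Decoding the 6-byte image that sidt writes and the 8-byte nt!_KIDTENTRY layout from the lkd> dump above, as an added Python example (not code from the thread). The byte strings are constructed from the dumped values; the IDTR limit 0x7FF (256 entries) is an assumption, not a value from the dump.

```python
import struct
from dataclasses import dataclass

# sidt stores IDTR as an fword: 16-bit limit followed by the 32-bit linear base.
IDTR_FMT = "<HI"
# Each 32-bit x86 IDT slot is an 8-byte gate descriptor (nt!_KIDTENTRY):
#   +0 Offset (handler bits 15:0), +2 Selector, +4 Access, +6 ExtendedOffset (handler bits 31:16)
GATE_FMT = "<HHHH"
GATE_TYPES = {0x5: "task gate", 0x6: "16-bit interrupt gate", 0x7: "16-bit trap gate",
              0xE: "32-bit interrupt gate", 0xF: "32-bit trap gate"}

@dataclass
class Gate:
    handler: int
    selector: int
    present: bool
    dpl: int
    gate_type: str

def parse_idtr(fword: bytes) -> tuple:
    """Decode the sidt image; returns (idt_base, number_of_entries)."""
    limit, base = struct.unpack(IDTR_FMT, fword[:6])
    return base, (limit + 1) // 8

def slot_address(idt_base: int, vector: int) -> int:
    """Linear address of the descriptor for a vector (what 'add ebx, 48' computes for vector 9)."""
    return idt_base + vector * 8

def parse_gate(entry: bytes) -> Gate:
    """Split an 8-byte descriptor into handler address, selector and access bits."""
    offset_lo, selector, access, offset_hi = struct.unpack(GATE_FMT, entry[:8])
    type_bits = (access >> 8) & 0xF            # bits 11:8 of Access select the gate type
    return Gate(handler=(offset_hi << 16) | offset_lo,
                selector=selector,
                present=bool(access & 0x8000), # bit 15: present
                dpl=(access >> 13) & 0x3,      # bits 14:13: descriptor privilege level
                gate_type=GATE_TYPES.get(type_bits, f"unknown (0x{type_bits:x})"))

# Constructed samples: IDTR with the dumped base (limit assumed), and the dumped vector-0 entry.
SAMPLE_IDTR = struct.pack(IDTR_FMT, 0x7FF, 0x8003F400)
SAMPLE_GATE0 = struct.pack(GATE_FMT, 0xFBFF, 0x8, 0x8E00, 0x804D)

if __name__ == "__main__":
    base, count = parse_idtr(SAMPLE_IDTR)
    print(f"IDT base 0x{base:08x}, {count} entries, vector 9 at 0x{slot_address(base, 9):08x}")
    print(parse_gate(SAMPLE_GATE0))   # handler 0x804dfbff == nt!KiTrap00 in the dump
```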