IDA Structure Definitions [Archive] - RCE Messageboard's Regroupment

View Full Version : IDA Structure Definitions

blabberer

December 28th, 2012, 04:38

SPLIT THREAD

way off topic

hey k cant find the rom file isn't it there are trillions of datasheets in Google but not a bin file for nec v40 isnt it ?

anyway i ended up downloading roms and bins of bbc / microbee / atari / zilog / z80 /and whatnot due to this thread

btw way more offtopic but on ida

i thought let me try ida (nothing fancy the free 5.0 one

) on a driver which seemed to crash on me so i could learn a trick or two
but i cant seem to fathom the mighty yeti

can you see the pic below and tell me how to make it legible
no i can understand the opcodes/ mnemonic crap i want ida to tell me hey b
this is driver_object
now ebx takes the Driver_Object->MajorFunction[IRP_MJ_DEVICE_CONTROL] and shoots it down to
KiIntrap01 and plays hell with interrupt 1 single stepping on its own kind of thing
not stare back at me with mov ebx,[eax+70]

2696

and the crashing Handler

Code:



.text:00010A5C ; ---------------------------------------------------------------------------

.text:00010A5C

.text:00010A5C loc_10A5C:                              ; DATA XREF: start-91Fo

.text:00010A5C                 mov     edi, edi

.text:00010A5E                 push    ebp

.text:00010A5F                 mov     ebp, esp

.text:00010A61                 push    ebx

.text:00010A62                 push    esi

.text:00010A63                 push    edi

.text:00010A64                 xor     esi, esi

.text:00010A66                 xor     eax, eax

.text:00010A68                 push    edx

.text:00010A69                 sidt    fword ptr [esp-2]

.text:00010A6E                 pop     edx

.text:00010A6F                 add     edx, 0Ch        ; kiIntTrap01 ?

.text:00010A72                 mov     ebx, [edx]

.text:00010A74                 mov     bx, [edx-4]

.text:00010A78                 mov     ebx, dword_10EB0

.text:00010A7E                 cmp     ebx, 0

.text:00010A81                 jnz     short loc_10A8E

.text:00010A83                 mov     bx, [edx+2]

.text:00010A87                 ror     ebx, 10h

.text:00010A8A                 mov     bx, [edx-4]

.text:00010A8E

.text:00010A8E loc_10A8E:                              ; CODE XREF: .text:00010A81j

.text:00010A8E                 mov     dword_10EB0, ebx

.text:00010A94                 mov     edi, offset word_109AA

.text:00010A99                 mov     [edx-4], di

.text:00010A9D                 ror     edi, 10h

.text:00010AA0                 mov     [edx+2], di     ; seems to crash here ?

.text:00010AA4                 mov     ecx, [ebp+0Ch]

.text:00010AA7                 mov     edi, [ecx+60h]

.text:00010AAA                 mov     edx, [edi+0Ch]

.text:00010AAD                 cmp     edx, 0C07FE000h ; ioctlcode

.text:00010AB3                 jz      loc_10C8D

.text:00010AB9                 cmp     edx, 0C07FE004h 

                                                              ; CALL    NEAR DWORD PTR DS:[EAX]          ; getproc(Devictl)

.text:00010AB9                                         ; PUSH    0                                ; ioOverLapped

.text:00010AB9                                         ; MOV     DWORD PTR SS:[EBP+354], 0

.text:00010AB9                                         ; MOV     EBX, EBP

.text:00010AB9                                         ; ADD     EBX, 354

.text:00010AB9                                         ; PUSH    EBX                              ; LpBytesRet

.text:00010AB9                                         ; PUSH    4                                ; OutBuffSize

.text:00010AB9                                         ; MOV     EBX, EBP

.text:00010AB9                                         ; ADD     EBX, 348

.text:00010AB9                                         ; PUSH    EBX                              ; OutBuff

.text:00010AB9                                         ; PUSH    20                               ; InBuffSize

.text:00010AB9                                         ; MOV     EBX, EBP

.text:00010AB9                                         ; ADD     EBX, 9E4

.text:00010AB9                                         ; PUSH    EBX                              ; inBuff

.text:00010AB9                                         ; MOV     EBX, C07FE000

.text:00010AB9                                         ; PUSH    EBX                              ; ioCtlCode

.text:00010AB9                                         ; PUSH    DWORD PTR SS:[EBP+A08]           ; hdevice

.text:00010AB9                                         ; CALL    NEAR EAX                         ; devictl()

.text:00010AB9                                         ;

.text:00010AB9                                         ;

.text:00010ABF                 jz      loc_10C2C

.text:00010AC5                 cmp     edx, 0C07FE018h

.text:00010ACB                 jz      loc_10BC2

.text:00010AD1                 cmp     edx, 0C07FE020h

.text:00010AD7                 jz      loc_10B5F

.text:00010ADD                 cmp     edx, 0C07FE024h

.text:00010AE3                 jz      short loc_10AEF

.text:00010AE5                 mov     esi, 0C000000Dh

.text:00010AEA                 jmp     loc_10D10

.text:00010AEF ; ---------------------------------------------------------------------------

.text:00010AEF

.text:00010AEF loc_10AEF:                              ; CODE XREF: .text:00010AE3j

Kayaker

December 28th, 2012, 08:04

I was looking for a rom file split over segments too, to see if one could derive the segment sections just from the code itself, which I'm sure isn't the easiest thing to do.

A wee bit off topic yes, sorry for the thread hijacking, but to answer the question, what I do is create a custom DRIVER_OBJECT header file where the IRP MajorFunction definition is a structure within itself, so IDA can easily recognize what [eax+70h] stands for. IDA has its own standard DRIVER_OBJECT structure definition, but that won't get you the individual IRP defs.

Here is the header file I use, modified from wdm.h, loaded into IDA with Load File/Parse C header file, then added in the Structures window and now recognized as a Standard Structure (generally added to the very end of the list).

Code:



typedef struct _myDRIVER_DISPATCH {



// Define the major function codes for IRPs.

 

ULONG IRP_MJ_CREATE                   ; // 0x00

ULONG IRP_MJ_CREATE_NAMED_PIPE        ; // 0x01

ULONG IRP_MJ_CLOSE                    ; // 0x02

ULONG IRP_MJ_READ                     ; // 0x03

ULONG IRP_MJ_WRITE                    ; // 0x04

ULONG IRP_MJ_QUERY_INFORMATION        ; // 0x05

ULONG IRP_MJ_SET_INFORMATION          ; // 0x06

ULONG IRP_MJ_QUERY_EA                 ; // 0x07

ULONG IRP_MJ_SET_EA                   ; // 0x08

ULONG IRP_MJ_FLUSH_BUFFERS            ; // 0x09

ULONG IRP_MJ_QUERY_VOLUME_INFORMATION ; // 0x0a

ULONG IRP_MJ_SET_VOLUME_INFORMATION   ; // 0x0b

ULONG IRP_MJ_DIRECTORY_CONTROL        ; // 0x0c

ULONG IRP_MJ_FILE_SYSTEM_CONTROL      ; // 0x0d

ULONG IRP_MJ_DEVICE_CONTROL           ; // 0x0e

ULONG IRP_MJ_INTERNAL_DEVICE_CONTROL  ; // 0x0f

ULONG IRP_MJ_SHUTDOWN                 ; // 0x10

ULONG IRP_MJ_LOCK_CONTROL             ; // 0x11

ULONG IRP_MJ_CLEANUP                  ; // 0x12

ULONG IRP_MJ_CREATE_MAILSLOT          ; // 0x13

ULONG IRP_MJ_QUERY_SECURITY           ; // 0x14

ULONG IRP_MJ_SET_SECURITY             ; // 0x15

ULONG IRP_MJ_POWER                    ; // 0x16

ULONG IRP_MJ_SYSTEM_CONTROL           ; // 0x17

ULONG IRP_MJ_DEVICE_CHANGE            ; // 0x18

ULONG IRP_MJ_QUERY_QUOTA              ; // 0x19

ULONG IRP_MJ_SET_QUOTA                ; // 0x1a

ULONG IRP_MJ_PNP                      ; // 0x1b

// ULONG IRP_MJ_PNP_POWER                IRP_MJ_PNP      // Obsolete....

// ULONG IRP_MJ_MAXIMUM_FUNCTION           0x1b

    

} myDRIVER_DISPATCH, *PmyDRIVER_DISPATCH;





typedef struct _myDRIVER_OBJECT {

    CSHORT Type;

    CSHORT Size;

    PDEVICE_OBJECT DeviceObject;

    ULONG Flags;

    PVOID DriverStart;

    ULONG DriverSize;

    PVOID DriverSection;

    PDRIVER_EXTENSION DriverExtension;

    UNICODE_STRING DriverName;

    PUNICODE_STRING HardwareDatabase;

    PFAST_IO_DISPATCH FastIoDispatch;

    PDRIVER_INITIALIZE DriverInit;

    PDRIVER_STARTIO DriverStartIo;

    PDRIVER_UNLOAD DriverUnload;



    // PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];

    myDRIVER_DISPATCH MajorFunction;



} myDRIVER_OBJECT;

typedef struct _myDRIVER_OBJECT *PmyDRIVER_OBJECT;

Using beep.sys as an example, this

Code:



.text:00011389                 mov     eax, [ebp+DriverObject]

.text:0001138C                 mov     dword ptr [eax+30h], offset sub_11248

.text:00011393                 mov     dword ptr [eax+34h], offset sub_112C6

.text:0001139A                 mov     dword ptr [eax+38h], offset sub_111AC

.text:000113A1                 mov     dword ptr [eax+40h], offset sub_111FE

.text:000113A8                 mov     dword ptr [eax+70h], offset sub_11116

.text:000113AF                 mov     dword ptr [eax+80h], offset sub_11060

becomes this.

Code:



.text:00011389                 mov     eax, [ebp+DriverObject]

.text:0001138C                 mov     [eax+DRIVER_OBJECT.DriverStartIo], offset sub_11248

.text:00011393                 mov     [eax+DRIVER_OBJECT.DriverUnload], offset sub_112C6

.text:0001139A                 mov     [eax+myDRIVER_OBJECT.MajorFunction.IRP_MJ_CREATE], offset sub_111AC

.text:000113A1                 mov     [eax+myDRIVER_OBJECT.MajorFunction.IRP_MJ_CLOSE], offset sub_111FE

.text:000113A8                 mov     [eax+myDRIVER_OBJECT.MajorFunction.IRP_MJ_DEVICE_CONTROL], offset sub_11116

.text:000113AF                 mov     [eax+myDRIVER_OBJECT.MajorFunction.IRP_MJ_CLEANUP], offset sub_11060

I use a similar custom C header file for IRP and IO_STACK_LOCATION structure definitions as I had mentioned in this thread. This would be the next step to sleuthing IRP_MJ_DEVICE_CONTROL. In your case you easily found the IOCTL_CODE without it, but further structure definitions can also point out the usermode buffers which can clarify the full disassembly if that's what you're going for.

http://www.woodmann.com/forum/showthread.php?14561-Had-to-say-(Driver-Debugging-Basics)&p=91470#post91470

blabberer

December 29th, 2012, 00:47

i think the lady thinks that i want to buy her a sip of orange juice

didn't you say that paste was what you use (explicitly implying i ought not meddle with it ? )

the beautiful inebriated lady refuses to dance and wants to drink nine more errors

Code:



The initial autoanalysis has been finished.

Command "LoadHeaderFile" failed              

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,5: Syntax error near: ULONG

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,6: Syntax error near: ULONG

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,7: Syntax error near: ULONG

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,8: Syntax error near: ULONG

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,9: Syntax error near: ULONG

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,10: Syntax error near: ULONG

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,11: Syntax error near: ULONG

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,12: Syntax error near: ULONG

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,13: Syntax error near: ULONG

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,14: Syntax error near: ULONG

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,15: Syntax error near: ULONG

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,16: Syntax error near: ULONG

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,17: Syntax error near: ULONG

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,18: Syntax error near: ULONG

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,19: Syntax error near: ULONG

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,20: Syntax error near: ULONG

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,21: Syntax error near: ULONG

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,22: Syntax error near: ULONG

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,23: Syntax error near: ULONG

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,24: Syntax error near: ULONG

Total 20 errors      <---------------- need to setup compiler <------opt->compil->vc++->done

Plan  FLIRT signature: Microsoft VisualC 2-8/net runtime

autoload.cfg: vc32rtf.sig autoloads vc6win.til

Using FLIRT signature: Microsoft VisualC 2-8/net runtime

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,40: Syntax error near: CSHORT  <--- ? need USHORT works 

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,41: Syntax error near: CSHORT

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,42: Syntax error near: PDEVICE_OBJECT        ? need PULONG works for 

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,47: Syntax error near: PDRIVER_EXTENSION  ]b]   all below [/B]

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,50: Syntax error near: PFAST_IO_DISPATCH

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,51: Syntax error near: PDRIVER_INITIALIZE

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,52: Syntax error near: PDRIVER_STARTIO

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,53: Syntax error near: PDRIVER_UNLOAD

Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,58: Syntax error near: }

Total 9 errors







C:\Documents and Settings\Admin\My Documents\\Driver>fc origdrvobjstrct.h d

rvobjstrct.h

Comparing files origdrvobjstrct.h and DRVOBJSTRCT.H

***** origdrvobjstrct.h

typedef struct _myDRIVER_OBJECT {

    CSHORT Type;

    CSHORT Size;

    PDEVICE_OBJECT DeviceObject;

    ULONG Flags;

***** DRVOBJSTRCT.H

typedef struct _myDRIVER_OBJECT {

    USHORT Type;

    USHORT Size;

    PULONG DeviceObject;

    ULONG Flags;

*****



***** origdrvobjstrct.h

    PVOID DriverSection;

    PDRIVER_EXTENSION DriverExtension;

    UNICODE_STRING DriverName;

***** DRVOBJSTRCT.H

    PVOID DriverSection;

    PULONG DriverExtension;

    UNICODE_STRING DriverName;

*****



***** origdrvobjstrct.h

    PUNICODE_STRING HardwareDatabase;

    PFAST_IO_DISPATCH FastIoDispatch;

    PDRIVER_INITIALIZE DriverInit;

    PDRIVER_STARTIO DriverStartIo;

    PDRIVER_UNLOAD DriverUnload;



***** DRVOBJSTRCT.H

    PUNICODE_STRING HardwareDatabase;

    PULONG FastIoDispatch;

    PULONG DriverInit;

    PULONG DriverStartIo;

    PULONG DriverUnload;



*****



***** origdrvobjstrct.h



typedef struct DEVICE_OBJECT *PDEVICE_OBJECT;

***** DRVOBJSTRCT.H

*****



C:\Documents and Settings\Admin\My Documents\Driver\drvobjstrct.h: successfully compiled

btw maybe we should cut paste this into a separate thread what do you say

Kayaker

December 29th, 2012, 14:30

She has a limp, you built her a crutch, good on ya. The more expensive ladies don't limp

blabberer

December 29th, 2012, 14:57

i can live with her holding the pulong crutch at least i can cut the long into a short
but what about Cshort ? how can i u@#$%^s shorts

also after i select one +70 wont 68 6c etc get the other IoCtl defs ? ( i mean do i have to find 28 places and set each of them with XXX.YYY[zzz]

also if mov [ebx+70] , 0xXXXXXXX this dword which is a handler and does have a standard function definition like

RetWhatever DoSomething ( Do1 this , Do2 that ,DoNot What) ;

so is automatic propogation possible

like mov [ebx+70],0xXXXXXXXX becomes

mov [ebx+Driver_object->MajorFunction[IRP_MJ_DEVICE_CONTROL] , _DispatchXXX ( PDEVICE_OBJECT DeviceObject, PIRP Irp)

and at

XXXXXXXX

it becomes a function its arg_0 transformed into *devobj and arg_1 transformed to *irp

and

you also posted ida has its own definition of DRIVER_OBJECT how to load it ?

and thanks for splitting the thread

Kayaker

December 29th, 2012, 19:31

IDA Free doesn't have a Type Library (*.til) for ntddk.h, thus no driver defs or useful function type propagation. As for some of the other stuff to fancy up the disassembly, there's a lot you can do with IDC scripts as well.

Try this format instead for the header file.

Code:



struct UNICODE_STRING

{

  __int16 Length;

  __int16 MaximumLength;

  void *Buffer;

};



struct DRIVER_OBJECT

{

  __int16 Type;

  __int16 Size;

  void *DeviceObject;

  int Flags;

  void *DriverStart;

  int DriverSize;

  void *DriverSection;

  void *DriverExtension;

  UNICODE_STRING DriverName;

  void *HardwareDatabase;

  void *FastIoDispatch;

  void *DriverInit;

  void *DriverStartIo;

  void *DriverUnload;

  void *MajorFunction[28];

};

blabberer

January 4th, 2013, 04:43

Quote:

[Originally Posted by Kayaker;93948]IDA Free doesn't have a Type Library (*.til) for ntddk.h

well it seems too much is left out of fre 5

i compile and driver and disassemble it and it seems 5 cant even understand the arguments

even with full typeinfo

VOID
ProcCreateMon(
IN HANDLE ParentId,
IN HANDLE ProcessId,
IN BOOLEAN Create
)

it disassembles it as XXXX(HANDLE,HANDLE,BOOL)
and leaves out the arg_0 and _arg_4 as it is

and only if i set function type and add the args like handle parid, handle pid,bool craet

it renames the arg_0 and arg_4

too much manual work required to make a noob understand

Kayaker

January 5th, 2013, 02:21

Quote:

......? Rrrrrrubber biscuit?

Parse the rest of that typeinfo, brother

IDA doesn't define args that aren't used in the function. Granted, that's always annoyed me a bit too, especially where the number of arguments are known, as in that defined callback, but that's just the way it is. Nor does it automatically add the arg names to the function string unless you specify them, just the data types.

Even without a type library, IDA free will parse that example correctly with the following header file definition.

Code:



typedef int HANDLE;

typedef int BOOLEAN;

typedef int NTSTATUS;



typedef void __stdcall(*PCREATE_PROCESS_NOTIFY_ROUTINE)(HANDLE ParentId,HANDLE ProcessId,BOOLEAN Create);



NTSTATUS __stdcall PsSetCreateProcessNotifyRoutine(PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine, BOOLEAN Remove);

blabberer

January 5th, 2013, 16:22

wanna see whatdyi get for nuttin

Code:



CPU Disasm

Command                                                                 Source

MOV     EDI, EDI                                                        ; {

PUSH    EBP

MOV     EBP, ESP

SUB     ESP, 8

MOV     DWORD PTR SS:[LOCAL.2], 0                                       ; PEPROCESS eproc =NULL;

MOVZX   EAX, BYTE PTR SS:[Create]                                       ; if(Create){

TEST    EAX, EAX

JZ      SHORT proccreatemon1.000104AE

LEA     ECX, [LOCAL.2]                                                  ; PsLookupProcessByProcessId(ProcessId,&eproc);

PUSH    ECX

MOV     EDX, DWORD PTR SS:[ProcessId]

PUSH    EDX

CALL    NEAR DWORD PTR DS:[<&ntoskrnl_exe.PsLookupProcessByProcessId>]

MOV     EAX, DWORD PTR SS:[LOCAL.2]                                     ; foo = (PCHAR)eproc+0x174;					

ADD     EAX, 174

MOV     DWORD PTR SS:[LOCAL.1], EAX

MOV     ECX, DWORD PTR SS:[LOCAL.1]                                     ; DbgPrint("PID %X Process Name %s\n",ProcessId,foo);

PUSH    ECX

MOV     EDX, DWORD PTR SS:[ProcessId]

PUSH    EDX

PUSH    proccreatemon1.000104C0

CALL    proccreatemon1.DbgPrint

ADD     ESP, 0C

MOV     ECX, DWORD PTR SS:[LOCAL.2]                                     ; ObDereferenceObject(eproc);

CALL    NEAR DWORD PTR DS:[<&ntoskrnl_exe.ObfDereferenceObject>]

MOV     ESP, EBP                                                        ; }

POP     EBP

RETN    0C

bow bow ooohhh ooohhh ooohhh

Code:



.text:00010460 ProcCreateMon   proc near               ; DATA XREF: DriverUnload+7o

.text:00010460                                         ; DriverEntry+11o

.text:00010460

.text:00010460 var_8           = dword ptr -8

.text:00010460 var_4           = dword ptr -4

.text:00010460 arg_4           = dword ptr  0Ch

.text:00010460 arg_8           = byte ptr  10h

.text:00010460

.text:00010460                 mov     edi, edi

.text:00010462                 push    ebp

.text:00010463                 mov     ebp, esp

.text:00010465                 sub     esp, 8

.text:00010468                 mov     [ebp+var_8], 0

.text:0001046F                 movzx   eax, [ebp+arg_8]

.text:00010473                 test    eax, eax

.text:00010475                 jz      short loc_104AE

.text:00010477                 lea     ecx, [ebp+var_8]

.text:0001047A                 push    ecx

.text:0001047B                 mov     edx, [ebp+arg_4]

.text:0001047E                 push    edx

.text:0001047F                 call    ds:__imp__PsLookupProcessByProcessId@8 ; PsLookupProcessByProcessId(x,x)

.text:00010485                 mov     eax, [ebp+var_8]

.text:00010488                 add     eax, 174h

.text:0001048D                 mov     [ebp+var_4], eax

.text:00010490                 mov     ecx, [ebp+var_4]

.text:00010493                 push    ecx

.text:00010494                 mov     edx, [ebp+arg_4]

.text:00010497                 push    edx

.text:00010498                 push    offset ??_C@_0BI@HPAHKJOK@PID?5?$CFX?5Process?5Name?5?$CFs?6?$AA@FNODOBFM@ ; "PID %X Process Name %s\n"

.text:0001049D                 call    _DbgPrint

.text:000104A2                 add     esp, 0Ch

.text:000104A5                 mov     ecx, [ebp+var_8]

.text:000104A8                 call    ds:__imp_@ObfDereferenceObject@4 ; ObfDereferenceObject(x)

.text:000104AE

.text:000104AE loc_104AE:                              ; CODE XREF: ProcCreateMon+15j

.text:000104AE                 mov     esp, ebp

.text:000104B0                 pop     ebp

.text:000104B1                 retn    0Ch

.text:000104B1 ProcCreateMon   endp

rubber biscuits cost more time than real biscuits

Code:



.text:00010460 ; int __stdcall ProcCreateMon(HANDLE parid,HANDLE pid,BOOL Create)

.text:00010460 ProcCreateMon   proc near               ; DATA XREF: DriverUnload+7o

.text:00010460                                         ; DriverEntry+11o

.text:00010460

.text:00010460 var_8           = dword ptr -8

.text:00010460 var_4           = dword ptr -4

.text:00010460 parid           = dword ptr  8

.text:00010460 pid             = dword ptr  0Ch

.text:00010460 Create          = dword ptr  10h

.text:00010460

.text:00010460                 mov     edi, edi

.text:00010462                 push    ebp

.text:00010463                 mov     ebp, esp

.text:00010465                 sub     esp, 8

.text:00010468                 mov     [ebp+var_8], 0

.text:0001046F                 movzx   eax, byte ptr [ebp+Create]