Reply To: Hooking adapter functions on XP sp2



s0larian
Participant
00025BA0 ; __stdcall ndisMSendCompleteX(x, x, x)
00025BA0 _ndisMSendCompleteX@12 proc near ; CODE XREF: ndisMSendX(x,x)+2715p
00025BA0 ; ndisMSendPacketsX(x,x,x)+1DFp ...
00025BA0
00025BA0 var_2 = byte ptr -2
00025BA0 var_1 = byte ptr -1
00025BA0 mah = dword ptr 8
00025BA0 packet = dword ptr 0Ch
00025BA0 status = dword ptr 10h
00025BA0
00025BA0
00025BA0 mov edi, edi
00025BA2 push ebp
00025BA3 mov ebp, esp
00025BA5 push ecx
00025BA6 push ebx
00025BA7 push esi
00025BA8 push edi
00025BA9 mov cl, 2
00025BAB call ds:__imp_@KfRaiseIrql@4 ; KfRaiseIrql(x)
00025BB1 mov ebx, [ebp+mah]
00025BB4 test byte ptr [ebx+3Ch], 40h
00025BB8 mov esi, [ebp+packet]
00025BBB mov [ebp+var_1], al
00025BBE jz short loc_25BD4
00025BC0 movzx eax, word ptr [esi+1Eh]
00025BC4 cmp dword ptr [eax+esi+34h], 0
00025BC9 jz short loc_25BD4
00025BCB mov edx, esi
00025BCD mov ecx, ebx
00025BCF call @ndisMFreeSGList@8 ; ndisMFreeSGList(x,x)
00025BD4
00025BD4 loc_25BD4: ; CODE XREF: ndisMSendCompleteX(x,x,x)+1Ej
00025BD4 ; ndisMSendCompleteX(x,x,x)+29j
00025BD4 test byte ptr [ebx+1D4h], 4
00025BDB jnz loc_262FD
00025BE1
00025BE1 loc_25BE1: ; CODE XREF: ndisMSendCompleteX(x,x,x)+766j
00025BE1 ; ndisMSendCompleteX(x,x,x)+772j
00025BE1 mov ecx, _ndisPacketStackSize
00025BE7 lea edx, [esi-4]
00025BEA mov eax, [edx]
00025BEC cmp eax, ecx
00025BEE jnb short loc_25C43
00025BF0 sub eax, ecx
00025BF2 lea eax, [eax+eax*2]
00025BF5 lea eax, [esi+eax*8-8]
00025BF9
00025BF9 loc_25BF9: ; CODE XREF: ndisMSendCompleteX(x,x,x)+A5j
00025BF9 or ecx, 0FFFFFFFFh
00025BFC lock xadd [edx], ecx
00025C00 mov edi, [eax+8] ; < --- the crash occurs here