Reply To: Hooking adapter functions on XP sp2


#6101
s0larian
Participant

    @SerpentFly wrote:

    If the miniport driver was compiled with the BINARY_COMPATIBLE flag set (allows having the same binary for Windows 9x and NT), then NdisMSendComplete is called as an NDIS export, not as a macro. Maybe this is the reason…

Hmmm… I don’t think this is the case. Here is the function from vmxnet.sys which implements their network adapter. This is a v5 miniport according to the DriverEntry function…

The call instruction at 00010CAF invokes ndisMSendCompleteX(), which generates the crash. The code seems to dereference arg0+4 and then invoke a function from a structure. The offset is 0xEC.

Shit, I don’t think this structure is documented in ndis.h…. I think I might have to go back to hooks using NDIS_OPEN_BLOCK….

What do you think?


    .text:00010C7E sub_10C7E proc near ; CODE XREF: sub_10CD8+16p
    .text:00010C7E ; sub_10CFA+62p ...
    .text:00010C7E
    .text:00010C7E arg_0 = dword ptr 8
    .text:00010C7E arg_4 = byte ptr 0Ch
    .text:00010C7E
    .text:00010C7E push ebp
    .text:00010C7F mov ebp, esp
    .text:00010C81 push ebx
    .text:00010C82 xor ebx, ebx
    .text:00010C84 cmp [esi], ebx
    .text:00010C86 jle short loc_10CD3
    .text:00010C88 cmp [ebp+arg_4], bl
    .text:00010C8B push edi
    .text:00010C8C mov edi, [ebp+arg_0]
    .text:00010C8F jz short loc_10C9D
    .text:00010C91 mov dl, [edi+10h] ; NewIrql
    .text:00010C94 lea ecx, [edi+0Ch] ; SpinLock
    .text:00010C97 call ds:KfReleaseSpinLock
    .text:00010C9D
    .text:00010C9D loc_10C9D: ; CODE XREF: sub_10C7E+11j
    .text:00010C9D cmp [esi], ebx
    .text:00010C9F jle short loc_10CC0
    .text:00010CA1 lea edi, [esi+4]
    .text:00010CA4
    .text:00010CA4 loc_10CA4: ; CODE XREF: sub_10C7E+3Dj
    .text:00010CA4 mov eax, [ebp+arg_0]
    .text:00010CA7 mov eax, [eax+4]
    .text:00010CAA push 0
    .text:00010CAC push dword ptr [edi]
    .text:00010CAE push eax
    .text:00010CAF call dword ptr [eax+0ECh] ; This instruction calls
    .text:00010CAF ; NDIS!ndisMSendCompleteX
    .text:00010CB5 inc ebx
    .text:00010CB6 add edi, 4
    .text:00010CB9 cmp ebx, [esi]
    .text:00010CBB jl short loc_10CA4
    .text:00010CBD mov edi, [ebp+arg_0]
    .text:00010CC0
    .text:00010CC0 loc_10CC0: ; CODE XREF: sub_10C7E+21j
    .text:00010CC0 cmp [ebp+arg_4], 0
    .text:00010CC4 jz short loc_10CD2
    .text:00010CC6 lea ecx, [edi+0Ch] ; SpinLock
    .text:00010CC9 call ds:KfAcquireSpinLock
    .text:00010CCF mov [edi+10h], al
    .text:00010CD2
    .text:00010CD2 loc_10CD2: ; CODE XREF: sub_10C7E+46j
    .text:00010CD2 pop edi
    .text:00010CD3
    .text:00010CD3 loc_10CD3: ; CODE XREF: sub_10C7E+8j
    .text:00010CD3 pop ebx
    .text:00010CD4 pop ebp
    .text:00010CD5 retn 8
    .text:00010CD5 sub_10C7E endp
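The pointer swap this thread is circling around, as an added example that is not code from the post, from vmxnet.sys or from NDIS: a user-mode C model in which the driver reaches its send-complete handler through a function pointer inside an opaque block, and a hook replaces that pointer with a pass-through trampoline. Assumptions: the block is just a byte array, the handler slot sits at +0xEC because that is what the listing above reads off `call dword ptr [eax+0ECh]` (the real NDIS_MINIPORT_BLOCK layout is not reproduced), `original_handler` stands in for the NDIS routine, and `complete_packets` mirrors only the loop of sub_10C7E, without the spinlock juggling. The install path checks that the slot holds the pointer it expects before swapping, and the hook is declared with the handler's calling convention, two things worth verifying before chasing the crash further.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: an opaque block whose handler pointer lives at +0xEC,
 * the offset read off the disassembly in the post. */
#define HANDLER_OFFSET 0xECu
#define BLOCK_SIZE     0x100u

/* The handler is __stdcall on x86 kernel code; a trampoline with another
 * calling convention unbalances the stack on return, so pin it down. */
#if defined(_WIN32) && !defined(_WIN64)
#define HANDLER_CC __stdcall
#else
#define HANDLER_CC
#endif

typedef int (HANDLER_CC *send_complete_fn)(void *block, void *packet, int status);

typedef struct {
    uint8_t bytes[BLOCK_SIZE];   /* opaque; only the slot at +HANDLER_OFFSET matters */
} miniport_block;

/* Go through memcpy: the slot is opaque and may not be pointer-aligned on every host. */
static send_complete_fn get_handler(const miniport_block *b)
{
    send_complete_fn f;
    memcpy(&f, b->bytes + HANDLER_OFFSET, sizeof f);
    return f;
}

static void set_handler(miniport_block *b, send_complete_fn f)
{
    memcpy(b->bytes + HANDLER_OFFSET, &f, sizeof f);
}

/* Stand-in for the NDIS routine (ndisMSendCompleteX in the post); returns 1 per completion. */
static int g_original_calls;
static int HANDLER_CC original_handler(void *block, void *packet, int status)
{
    (void)block; (void)packet; (void)status;
    g_original_calls++;
    return 1;
}

/* Hook state: g_original must be valid before the trampoline is reachable. */
static send_complete_fn g_original;
static int g_hook_calls;

static int HANDLER_CC hook_handler(void *block, void *packet, int status)
{
    g_hook_calls++;
    if (g_original == NULL)
        return 0;                               /* never call through NULL */
    return g_original(block, packet, status);   /* pass through unchanged */
}

/* Install only if the slot holds the pointer we expect: refuses to stack on
 * another hook or on garbage, which is the first thing to check on a crash. */
int install_hook(miniport_block *b, send_complete_fn expected)
{
    if (get_handler(b) != expected || g_original != NULL)
        return 0;
    g_original = expected;
    set_handler(b, hook_handler);
    return 1;
}

int remove_hook(miniport_block *b)
{
    if (get_handler(b) != hook_handler)
        return 0;
    set_handler(b, g_original);
    g_original = NULL;
    return 1;
}

/* Models the loop in sub_10C7E: for each queued packet, call through
 * [block + 0xEC] with (block, packet, 0). Returns acknowledged completions. */
int complete_packets(miniport_block *b, void **packets, int count)
{
    int acked = 0;
    for (int i = 0; i < count; i++)
        acked += get_handler(b)(b, packets[i], 0);
    return acked;
}

/* Constructed scenario: hook, complete three packets, unhook, complete two.
 * Returns 0 on success, otherwise the number of the step that failed. */
int run_demo(void)
{
    miniport_block blk;
    int ids[3] = {1, 2, 3};
    void *pkts[3] = {&ids[0], &ids[1], &ids[2]};

    memset(&blk, 0, sizeof blk);
    set_handler(&blk, original_handler);
    g_original_calls = g_hook_calls = 0;

    if (!install_hook(&blk, original_handler))          return 1;
    if (install_hook(&blk, original_handler))           return 2; /* double install refused */
    if (complete_packets(&blk, pkts, 3) != 3)           return 3;
    if (g_hook_calls != 3 || g_original_calls != 3)     return 4;
    if (!remove_hook(&blk))                             return 5;
    if (complete_packets(&blk, pkts, 2) != 2)           return 6;
    if (g_hook_calls != 3 || g_original_calls != 5)     return 7;
    return 0;
}

int main(void)
{
    int rc = run_demo();
    printf("demo %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

In the kernel the same two checks apply before touching the slot: confirm the current value resolves into ndis.sys (or into whatever you believe owns it) rather than blindly overwriting +0xEC, and build the trampoline with the exact calling convention of the handler it replaces, since the `retn`/`push` pattern in the listing leaves no room for a mismatch.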