Reply To: Hooking adapter functions on XP sp2




@SerpentFly wrote:

If the miniport driver was compiled with the BINARY_COMPATIBLE flag set (which allows the same binary to be used for Windows 9x and NT), then NdisMSendComplete is called as an NDIS export rather than as a macro. Maybe this is the reason…

Hmmm… I don’t think this is the case. Here is the function from vmxnet.sys which implements their network adapter. This is a v5 miniport, according to the DriverEntry function…

The call instruction at 00010CAF invokes ndisMSendCompleteX(), which generates the crash. The code seems to dereference arg0+4 and then invoke a function from a structure. The offset is 0xEC.

Shit, I don’t think this structure is documented in ndis.h… I think I might have to go back to hooks using NDIS_OPEN_BLOCK…

What do you think?

.text:00010C7E sub_10C7E proc near ; CODE XREF: sub_10CD8+16p
.text:00010C7E ; sub_10CFA+62p ...
.text:00010C7E arg_0 = dword ptr 8
.text:00010C7E arg_4 = byte ptr 0Ch
.text:00010C7E push ebp
.text:00010C7F mov ebp, esp
.text:00010C81 push ebx
.text:00010C82 xor ebx, ebx
.text:00010C84 cmp [esi], ebx
.text:00010C86 jle short loc_10CD3
.text:00010C88 cmp [ebp+arg_4], bl
.text:00010C8B push edi
.text:00010C8C mov edi, [ebp+arg_0]
.text:00010C8F jz short loc_10C9D
.text:00010C91 mov dl, [edi+10h] ; NewIrql
.text:00010C94 lea ecx, [edi+0Ch] ; SpinLock
.text:00010C97 call ds:KfReleaseSpinLock
.text:00010C9D loc_10C9D: ; CODE XREF: sub_10C7E+11j
.text:00010C9D cmp [esi], ebx
.text:00010C9F jle short loc_10CC0
.text:00010CA1 lea edi, [esi+4]
.text:00010CA4 loc_10CA4: ; CODE XREF: sub_10C7E+3Dj
.text:00010CA4 mov eax, [ebp+arg_0]
.text:00010CA7 mov eax, [eax+4]
.text:00010CAA push 0
.text:00010CAC push dword ptr [edi]
.text:00010CAE push eax
.text:00010CAF call dword ptr [eax+0ECh] ; This instruction calls
.text:00010CAF ; NDIS!ndisMSendCompleteX
.text:00010CB5 inc ebx
.text:00010CB6 add edi, 4
.text:00010CB9 cmp ebx, [esi]
.text:00010CBB jl short loc_10CA4
.text:00010CBD mov edi, [ebp+arg_0]
.text:00010CC0 loc_10CC0: ; CODE XREF: sub_10C7E+21j
.text:00010CC0 cmp [ebp+arg_4], 0
.text:00010CC4 jz short loc_10CD2
.text:00010CC6 lea ecx, [edi+0Ch] ; SpinLock
.text:00010CC9 call ds:KfAcquireSpinLock
.text:00010CCF mov [edi+10h], al
.text:00010CD2 loc_10CD2: ; CODE XREF: sub_10C7E+46j
.text:00010CD2 pop edi
.text:00010CD3 loc_10CD3: ; CODE XREF: sub_10C7E+8j
.text:00010CD3 pop ebx
.text:00010CD4 pop ebp
.text:00010CD5 retn 8
.text:00010CD5 sub_10C7E endp
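An added example, not part of the post above and not code from vmxnet.sys or NDIS: a small user-mode C model of the two dispatch paths being discussed. One "driver" calls the completion routine through its import table (the BINARY_COMPATIBLE/export case), the other expands the macro form and calls straight through a function-pointer slot inside the adapter block, exactly as the listing does (mov eax,[arg_0+4]; call [eax+0ECh]). Two hooks are then compared: patching the import-table entry versus overwriting the slot in the block. The structure layout, the assumption that the slot at +0xEC is the completion handler, and all MODEL_*/model_* names are mine; the block is treated as an opaque byte array because the real structure is undocumented, and the slot is read and written with memcpy since 0xEC is not pointer-aligned on 64-bit hosts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Slot offset taken from the listing (call dword ptr [eax+0ECh]).
 * Assumption: this slot holds the send-complete handler. */
#define SEND_COMPLETE_SLOT 0xEC
#define BLOCK_SIZE         0x100

/* Stand-in for the undocumented adapter block: opaque bytes only. */
typedef struct _MODEL_BLOCK { uint8_t raw[BLOCK_SIZE]; } MODEL_BLOCK;
typedef void (*SEND_COMPLETE_FN)(MODEL_BLOCK *Handle, void *Packet, int Status);

/* The driver's own context: +4 holds the adapter handle, as in the listing. */
typedef struct _MODEL_ADAPTER {
    uint32_t     Reserved;   /* arg_0 + 0 */
    MODEL_BLOCK *Handle;     /* arg_0 + 4 */
} MODEL_ADAPTER;

/* memcpy avoids a misaligned pointer read/write at +0xEC. */
static SEND_COMPLETE_FN slot_get(MODEL_BLOCK *b) {
    SEND_COMPLETE_FN f;
    memcpy(&f, b->raw + SEND_COMPLETE_SLOT, sizeof f);
    return f;
}
static void slot_set(MODEL_BLOCK *b, SEND_COMPLETE_FN f) {
    memcpy(b->raw + SEND_COMPLETE_SLOT, &f, sizeof f);
}

static int g_handler_hits, g_export_hook_hits, g_slot_hook_hits;

/* What normally sits in the slot (the role of ndisMSendCompleteX in the post). */
static void model_internal_handler(MODEL_BLOCK *h, void *p, int s) {
    (void)h; (void)p; (void)s;
    g_handler_hits++;
}

/* Path 1: an exported entry point, reached via the driver's import table.
 * Modelled here as dispatching through the same slot. */
static void model_export(MODEL_BLOCK *h, void *p, int s) { slot_get(h)(h, p, s); }
static SEND_COMPLETE_FN g_import_entry = model_export;   /* the import-table cell */

/* Path 2: macro form, which never touches the export at all. */
#define MODEL_SEND_COMPLETE_MACRO(h, p, s) (slot_get(h))((h), (p), (s))

/* Hook A: patch the import-table cell (equivalent to hooking the export). */
static void export_hook(MODEL_BLOCK *h, void *p, int s) {
    g_export_hook_hits++;
    model_export(h, p, s);
}

/* Hook B: overwrite the slot in the block and chain to the saved pointer. */
static SEND_COMPLETE_FN g_saved_slot;
static void slot_hook(MODEL_BLOCK *h, void *p, int s) {
    g_slot_hook_hits++;
    g_saved_slot(h, p, s);
}

/* Two builds of the same completion loop as sub_10C7E. */
static void driver_binary_compatible(MODEL_ADAPTER *a, int n) {
    for (int i = 0; i < n; i++) g_import_entry(a->Handle, NULL, 0);
}
static void driver_macro(MODEL_ADAPTER *a, int n) {
    for (int i = 0; i < n; i++) MODEL_SEND_COMPLETE_MACRO(a->Handle, NULL, 0);
}

typedef struct { int handler, export_hook, slot_hook; } HITS;

/* Run one driver variant with the chosen hooks installed and count who saw the calls. */
static HITS run(int use_macro, int hook_export, int hook_slot, int n) {
    MODEL_BLOCK block;
    memset(&block, 0, sizeof block);
    slot_set(&block, model_internal_handler);
    MODEL_ADAPTER adapter = { 0, &block };

    g_handler_hits = g_export_hook_hits = g_slot_hook_hits = 0;
    g_import_entry = model_export;
    if (hook_export) g_import_entry = export_hook;
    if (hook_slot) {
        g_saved_slot = slot_get(&block);     /* never install over an empty slot */
        if (g_saved_slot) slot_set(&block, slot_hook);
    }

    if (use_macro) driver_macro(&adapter, n);
    else           driver_binary_compatible(&adapter, n);

    HITS h = { g_handler_hits, g_export_hook_hits, g_slot_hook_hits };
    return h;
}

int main(void) {
    HITS a = run(0, 1, 0, 3), b = run(1, 1, 0, 3), c = run(1, 0, 1, 3);
    printf("export build + export hook: hook saw %d of %d\n", a.export_hook, a.handler);
    printf("macro  build + export hook: hook saw %d of %d\n", b.export_hook, b.handler);
    printf("macro  build + slot hook:   hook saw %d of %d\n", c.slot_hook, c.handler);
    return 0;
}
```

The point the model makes: once the driver was built without BINARY_COMPATIBLE, an export hook sees nothing, because no call ever leaves the driver for that export; only a pointer written into the block itself is on the path. That is also why the block hook must chain to whatever pointer was there before and must refuse to install over a null or garbage slot, since the offset is inferred from disassembly rather than from a header.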