Dev10110110 (Guest)
I have the following code fragment in a kernel mode driver. The code itself is not run in the driver. Instead, it is copied to a user mode program and run from there as an APC "NormalRoutine".

#include <ntddk.h>   /* NTSTATUS, UNICODE_STRING, PWSTR, PULONG, NTAPI: the template is built as part of the driver */

typedef NTSTATUS (*PLDR_LOAD_DLL) ( PWSTR, PULONG, PUNICODE_STRING, PVOID* );

/* Parameter block handed to the APC as NormalContext (offsets: DllName 0x0, Buffer 0x10,
   LdrLoadDll 0x810, DllBase 0x818, Executed 0x820, matching the disassembly below). */
typedef struct
{
    UNICODE_STRING DllName;      /* name of the DLL to load */
    wchar_t Buffer[1024];        /* backing storage for the name */
    PLDR_LOAD_DLL LdrLoadDll;    /* user-mode address of LdrLoadDll, since the routine runs in the target process */
    PVOID DllBase;               /* receives the base of the loaded module */
    ULONG Executed;              /* set to TRUE once the APC has run */
} KINJECT, *PKINJECT;

void NTAPI ApcRoutineTemplate ( PVOID NormalContext, PVOID SystemArgument1, PVOID SystemArgument2 )
{
    PKINJECT pInjectionParameters = (PKINJECT) NormalContext;
    pInjectionParameters->LdrLoadDll ( NULL, NULL, &pInjectionParameters->DllName, &pInjectionParameters->DllBase );
    pInjectionParameters->Executed = TRUE;
}
The compiler produces the following machine code from the source:
000001e7`76780828 4c89442418 mov qword ptr [rsp+18h],r8
000001e7`7678082d 4889542410 mov qword ptr [rsp+10h],rdx
000001e7`76780832 48894c2408 mov qword ptr [rsp+8],rcx
000001e7`76780837 4883ec48 sub rsp,48h
000001e7`7678083b 488b442450 mov rax,qword ptr [rsp+50h]
000001e7`76780840 4889442430 mov qword ptr [rsp+30h],rax
000001e7`76780845 488b442430 mov rax,qword ptr [rsp+30h]
000001e7`7678084a 480518080000 add rax,818h
000001e7`76780850 488b4c2430 mov rcx,qword ptr [rsp+30h]
000001e7`76780855 488b542430 mov rdx,qword ptr [rsp+30h]
000001e7`7678085a 488b9210080000 mov rdx,qword ptr [rdx+810h]
000001e7`76780861 4889542438 mov qword ptr [rsp+38h],rdx
000001e7`76780866 4c8bc8 mov r9,rax
000001e7`76780869 4c8bc1 mov r8,rcx
000001e7`7678086c 33d2 xor edx,edx
000001e7`7678086e 33c9 xor ecx,ecx
000001e7`76780870 488b442438 mov rax,qword ptr [rsp+38h]
000001e7`76780875 ff1565100000 call qword ptr [000001e7`767818e0]
000001e7`7678087b 488b442430 mov rax,qword ptr [rsp+30h]
000001e7`76780880 c7802008000001000000 mov dword ptr [rax+820h],1
000001e7`7678088a 4883c448 add rsp,48h
000001e7`7678088e c3 ret
The problem with the machine code is "call qword ptr [000001e7`767818e0]". Although the memory address operand is valid in the driver process, it is invalid in the process that the code will run in.
My questions are: (1) why doesn't the "call" reference something on the stack since the address operand is passed to the code via a C++ function parameter? (2) is there anything I can do to influence the compiler in generating the "call" machine instruction? What the compiler is giving me now is not really suitable for my purpose. Thanks.
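Added note and example (not part of the original post): the instruction the poster flags is the shape MSVC emits for an indirect call when Control Flow Guard is enabled (/guard:cf, which the WDK project templates turn on by default). The function pointer from the struct is loaded into rax (mov rax,qword ptr [rsp+38h]), and control then passes through __guard_dispatch_icall_fptr, a pointer that lives in the driver image and is addressed RIP-relative, so it is outside the copied bytes. That answers (1): the target does come from the parameter, it is only the dispatch that goes through a fixed pointer. For (2): build the template with /guard:cf- or mark the function __declspec(guard(nocf)), and the compiler emits a plain indirect call through the register instead. The C program below is written for this page, not taken from the post; it transcribes the posted bytes (load address 000001e7`76780828, 103 bytes) and scans them for call/jmp qword ptr [rip+disp32] operands whose pointer slot falls outside the blob, which is the check to run on any code you intend to copy between address spaces.

```c
/* Added example (not from the original post): position-independence smoke check
 * for a code blob that will be copied into another address space, run over the
 * bytes of the posted ApcRoutineTemplate disassembly. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Bytes transcribed from the posted listing (load address 000001e7`76780828). */
static const uint8_t apc_template[] = {
    0x4c,0x89,0x44,0x24,0x18,                          /* mov [rsp+18h],r8        */
    0x48,0x89,0x54,0x24,0x10,                          /* mov [rsp+10h],rdx       */
    0x48,0x89,0x4c,0x24,0x08,                          /* mov [rsp+8],rcx         */
    0x48,0x83,0xec,0x48,                               /* sub rsp,48h             */
    0x48,0x8b,0x44,0x24,0x50,                          /* mov rax,[rsp+50h]       */
    0x48,0x89,0x44,0x24,0x30,                          /* mov [rsp+30h],rax       */
    0x48,0x8b,0x44,0x24,0x30,                          /* mov rax,[rsp+30h]       */
    0x48,0x05,0x18,0x08,0x00,0x00,                     /* add rax,818h            */
    0x48,0x8b,0x4c,0x24,0x30,                          /* mov rcx,[rsp+30h]       */
    0x48,0x8b,0x54,0x24,0x30,                          /* mov rdx,[rsp+30h]       */
    0x48,0x8b,0x92,0x10,0x08,0x00,0x00,                /* mov rdx,[rdx+810h]      */
    0x48,0x89,0x54,0x24,0x38,                          /* mov [rsp+38h],rdx       */
    0x4c,0x8b,0xc8,                                    /* mov r9,rax              */
    0x4c,0x8b,0xc1,                                    /* mov r8,rcx              */
    0x33,0xd2,                                         /* xor edx,edx             */
    0x33,0xc9,                                         /* xor ecx,ecx             */
    0x48,0x8b,0x44,0x24,0x38,                          /* mov rax,[rsp+38h]       */
    0xff,0x15,0x65,0x10,0x00,0x00,                     /* call [rip+1065h]: CFG dispatch through __guard_dispatch_icall_fptr */
    0x48,0x8b,0x44,0x24,0x30,                          /* mov rax,[rsp+30h]       */
    0xc7,0x80,0x20,0x08,0x00,0x00,0x01,0x00,0x00,0x00, /* mov dword [rax+820h],1  */
    0x48,0x83,0xc4,0x48,                               /* add rsp,48h             */
    0xc3                                               /* ret                     */
};
#define APC_TEMPLATE_LOAD_ADDR 0x000001e776780828ULL

typedef struct {
    size_t   offset;       /* offset of the instruction within the blob */
    int32_t  disp;         /* signed RIP-relative displacement */
    uint64_t target;       /* absolute address the memory operand resolves to */
    int      inside_blob;  /* 1 if target lies within [base, base+len) */
} riprel_ref_t;

/* Look for FF /2 and FF /4 with ModRM mod=00 rm=101, i.e. the byte pairs FF 15 and
 * FF 25 (call/jmp qword ptr [rip+disp32]). This is a byte-pattern heuristic, not a
 * decoder: it does not track instruction boundaries, so confirm hits with a real
 * disassembler. Returns the number of hits and fills up to max_out entries. */
size_t find_riprel_calls(const uint8_t *code, size_t len, uint64_t base,
                         riprel_ref_t *out, size_t max_out)
{
    size_t hits = 0;
    for (size_t i = 0; i + 6 <= len; i++) {
        if (code[i] != 0xff || (code[i + 1] != 0x15 && code[i + 1] != 0x25))
            continue;
        int32_t disp = (int32_t)((uint32_t)code[i + 2]       | (uint32_t)code[i + 3] << 8 |
                                 (uint32_t)code[i + 4] << 16 | (uint32_t)code[i + 5] << 24);
        uint64_t next_rip = base + i + 6;            /* displacement is relative to the next instruction */
        uint64_t target   = next_rip + (int64_t)disp;
        if (hits < max_out) {
            out[hits].offset      = i;
            out[hits].disp        = disp;
            out[hits].target      = target;
            out[hits].inside_blob = (target >= base && target < base + len);
        }
        hits++;
    }
    return hits;
}

/* 1 if no RIP-relative call/jmp pointer slot lies outside the blob; a blob that
 * fails this cannot be copied to another address space unchanged. */
int blob_is_self_contained(const uint8_t *code, size_t len, uint64_t base)
{
    riprel_ref_t refs[16];
    size_t n = find_riprel_calls(code, len, base, refs, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        if (!refs[i].inside_blob)
            return 0;
    return 1;
}

int main(void)
{
    riprel_ref_t refs[16];
    size_t n = find_riprel_calls(apc_template, sizeof apc_template,
                                 APC_TEMPLATE_LOAD_ADDR, refs, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("+0x%02zx: call/jmp [rip%+d] -> %016llx (%s)\n",
               refs[i].offset, refs[i].disp, (unsigned long long)refs[i].target,
               refs[i].inside_blob ? "inside blob" : "OUTSIDE blob, not position independent");
    return blob_is_self_contained(apc_template, sizeof apc_template, APC_TEMPLATE_LOAD_ADDR) ? 0 : 1;
}
```

On the posted bytes the scan reports one hit at offset 0x4d resolving to 000001e7`767818e0, the same slot the disassembler printed. After rebuilding without CFG, run the check again rather than assuming the function is clean: a copied function can also pick up RIP-relative references from /GS (__security_cookie), from __chkstk when the frame exceeds a page, and from string or floating-point constants placed in .rdata, none of which this FF 15/FF 25 pattern match catches.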