Analysis of undocumented Windows function NhGetInterfaceNameFromDeviceGuid
2012-04-11 18:59
The function NhGetInterfaceNameFromDeviceGuid is exported by IPHLPAPI.DLL. Its purpose is to obtain the device interface name that corresponds to a given device GUID. For example, the network interface card with GUID "94C913BF-EFA9-419B-8506-BB88B0F3B34F" has the device interface name "local connection". However, Microsoft does not document it. By debugging dynamically with OllyDbg I worked out how to call this function, and I'd like to share it with you here.
First, the function prototype and an explanation of its parameters:
<pre class="cpp" name="code">DWORD __stdcall NhGetInterfaceNameFromDeviceGuid(
    GUID*  guid,             // device GUID
    char*  buf,              // buffer that receives the device interface name
    DWORD* buflen,           // length of buf in bytes
    DWORD  unknown1 /*=0*/,  // unknown, pass 0
    DWORD  unknown2 /*=1*/   // unknown, pass 1
);</pre>
Examples:
<pre class="cpp" name="code">#include &lt;windows.h&gt;
#include &lt;tchar.h&gt;

typedef DWORD (__stdcall *type_NhGetInterfaceNameFromDeviceGuid)(GUID* guid, char* buf, DWORD* buflen,
                                                                 DWORD unknown1/*=0*/, DWORD unknown2/*=1*/);

HMODULE hDll = LoadLibrary(_T("Iphlpapi.dll"));
if (hDll == NULL)
{
    return;   // Iphlpapi.dll could not be loaded
}
type_NhGetInterfaceNameFromDeviceGuid NhGetInterfaceNameFromDeviceGuid =
    (type_NhGetInterfaceNameFromDeviceGuid)GetProcAddress(hDll, "NhGetInterfaceNameFromDeviceGuid");
if (NhGetInterfaceNameFromDeviceGuid == NULL)
{
    // the export is undocumented and may be missing on other Windows versions
    FreeLibrary(hDll);
    return;
}

GUID guid;
GUIDFormString("94C913BF-EFA9-419B-8506-BB88B0F3B34F", guid);
TCHAR buf[100] = {0};
DWORD len = sizeof(buf);   // buffer size in bytes
DWORD ret = NhGetInterfaceNameFromDeviceGuid(&guid, (char*)buf, &len, 0, 1);
if (ret == 0)
{
    // success: the string "local connection" is stored in buf
}
FreeLibrary(hDll);</pre>
Code of function GUIDFormString:
<pre class="cpp" name="code">#include &lt;windows.h&gt;
#include &lt;stdio.h&gt;

// Parses "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" into a GUID. Every field is scanned
// into an unsigned int first and then narrowed, because %x stores 4 bytes and would
// overrun the 2-byte Data2/Data3 and 1-byte Data4 members if scanned into them directly.
void GUIDFormString(const char* pszGuid, GUID& guid)
{
    unsigned int d1, d2, d3, d4[8];
    if (sscanf(pszGuid, "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
               &d1, &d2, &d3, &d4[0], &d4[1], &d4[2], &d4[3], &d4[4], &d4[5], &d4[6], &d4[7]) != 11)
    {
        return;   // malformed string: guid is left unchanged
    }
    guid.Data1 = d1;
    guid.Data2 = (unsigned short)d2;
    guid.Data3 = (unsigned short)d3;
    for (int i = 0; i < 8; i++)
        guid.Data4[i] = (unsigned char)d4[i];
}</pre>
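As an added example (not code from the original post), here is a stricter GUID-string parser for the same 4-2-2-8 layout: it validates every character, accepts the braced form that GetAdaptersInfo() reports in AdapterName, rejects truncated or trailing input instead of silently producing a wrong GUID, and stores each field with its correct size. It assumes the Windows GUID struct, and defines an identically laid-out struct when built off Windows so it can be compiled anywhere.

```c
#include <stdbool.h>
#ifdef _WIN32
#include <windows.h>   /* real GUID */
#else
#include <stdint.h>
/* Same 16-byte layout as the Windows GUID so the parser builds off-Windows too. */
typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; unsigned char Data4[8]; } GUID;
#endif
/* One hex digit to its value, or -1 for any other character (including '\0'). */
static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}
/* Reads exactly ndigits hex digits at *p into *out and advances *p; a short
 * string fails at its terminator, so the input is never overread. */
static bool read_hex(const char **p, int ndigits, unsigned long *out) {
    unsigned long v = 0;
    for (int i = 0; i < ndigits; i++) {
        int d = hex_val((*p)[i]);
        if (d < 0) return false;
        v = (v << 4) | (unsigned long)d;
    }
    *p += ndigits;
    *out = v;
    return true;
}
/* Parses "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", optionally wrapped in braces
 * as GetAdaptersInfo() reports AdapterName, into the 4-2-2-8 GUID layout.
 * Returns false on malformed input and leaves *guid untouched in that case. */
bool guid_from_string(const char *s, GUID *guid) {
    GUID g; unsigned long v;
    bool braced = (*s == '{'); if (braced) s++;
    if (!read_hex(&s, 8, &v) || *s++ != '-') return false;
    g.Data1 = v;                              /* 32-bit field */
    if (!read_hex(&s, 4, &v) || *s++ != '-') return false;
    g.Data2 = (unsigned short)v;              /* 16-bit field */
    if (!read_hex(&s, 4, &v) || *s++ != '-') return false;
    g.Data3 = (unsigned short)v;              /* 16-bit field */
    for (int i = 0; i < 8; i++) {             /* Data4: 2 bytes, '-', 6 bytes */
        if (i == 2 && *s++ != '-') return false;
        if (!read_hex(&s, 2, &v)) return false;
        g.Data4[i] = (unsigned char)v;
    }
    if (braced && *s++ != '}') return false;
    if (*s != '\0') return false;             /* reject trailing characters */
    *guid = g;
    return true;
}
```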
Analysis process:
Load taskmgr.exe in OllyDbg and set a breakpoint on NhGetInterfaceNameFromDeviceGuid. Press F9 to run; execution breaks at the call to jmp.&IPHLPAPI.NhGetInterfaceNameFromDeviceGuid. The assembly code is as follows:
<pre class="cpp" name="code">0082166D /$ 8BFF          mov edi, edi
0082166F |. 55            push ebp
00821670 |. 8BEC          mov ebp, esp
00821672 |. 81EC 0C020000 sub esp, 20C
00821678 |. A1 8CE08200   mov eax, dword ptr [82E08C]
0082167D |. 33C5          xor eax, ebp
0082167F |. 8945 FC       mov dword ptr [ebp-4], eax
00821682 |. 8B45 08       mov eax, dword ptr [ebp+8]
00821685 |. 56            push esi
00821686 |. 8B75 0C       mov esi, dword ptr [ebp+C]
00821689 |. 85C0          test eax, eax
0082168B |. 75 07         jnz short 00821694
0082168D |. B8 57000780   mov eax, 80070057
00821692 |. EB 44         jmp short 008216D8
00821694 |> 33C9          xor ecx, ecx                  ; zero ecx
00821696 |. 6A 01         push 1                        ; 5th argument, always 1
00821698 |. 51            push ecx                      ; 4th argument, always 0
00821699 |. 66:894D F8    mov word ptr [ebp-8], cx
0082169D |. 8D8D F4FDFFFF lea ecx, dword ptr [ebp-20C]  ; 3rd argument, address of a local variable
008216A3 |. 51            push ecx
008216A4 |. 8D8D F8FDFFFF lea ecx, dword ptr [ebp-208]  ; 2nd argument, address of a local variable
008216AA |. 51            push ecx
008216AB |. 50            push eax                      ; 1st argument; the memory eax points to is a GUID variable
008216AC |. C785 F4FDFFFF>mov dword ptr [ebp-20C], 200  ; the local behind the 3rd argument is set to 0x200
008216B6 |. E8 3D9C0000   call &lt;jmp.&amp;IPHLPAPI.NhGetInterfaceNameFromDeviceGuid&gt; ; call the function
008216BB |. 85C0          test eax, eax                 ; check the return value, 0 means success
008216BD |. 75 14         jnz short 008216D3
008216BF |. 8D85 F8FDFFFF lea eax, dword ptr [ebp-208]  ; inspecting memory shows the 2nd-argument buffer now holds the interface name
008216C5 |. 50            push eax
008216C6 |. FF75 10       push dword ptr [ebp+10]
008216C9 |. 56            push esi
008216CA |. E8 4C03FFFF   call 00811A1B
008216CF |. 33C0          xor eax, eax
008216D1 |. EB 05         jmp short 008216D8
008216D3 |> B8 05400080   mov eax, 80004005
008216D8 |> 8B4D FC       mov ecx, dword ptr [ebp-4]
008216DB |. 33CD          xor ecx, ebp
008216DD |. 5E            pop esi
008216DE |. E8 96FFFEFF   call 00811679
008216E3 |. C9            leave
008216E4 \. C2 0C00       retn 0C</pre>