xapi: Add 2 signatures for read/write name to drive letter

Added: - XMUNameFromDriveLetter (3911) - XMUWriteNameToDriveLetter (3911)
Cxbx-Reloaded · Sep 22, 2022 · 79fc458 · 79fc458
1 parent 0738e87
commit 79fc458
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 1 deletion.
diff --git a/include/xref/xapilib.def b/include/xref/xapilib.def
@@ -100,6 +100,8 @@ XREF_SYMBOL(XMountAlternateTitleA)
 XREF_SYMBOL(XMountMUA)
 XREF_SYMBOL(XMountMURootA)
 XREF_SYMBOL(XMountUtilityDrive)
+XREF_SYMBOL(XMUNameFromDriveLetter)
+XREF_SYMBOL(XMUWriteNameToDriveLetter)
 XREF_SYMBOL(XReadMUMetaData)
 XREF_SYMBOL(XRegisterThreadNotifyRoutine)
 XREF_SYMBOL(XSetProcessQuantumLength)

diff --git a/src/OOVPADatabase/Xapi/3911.inl b/src/OOVPADatabase/Xapi/3911.inl
@@ -1825,3 +1825,71 @@ OOVPA_SIG_MATCH(
     OV_MATCH(0x4C, 0xE8),
     //
 );
+
+// ******************************************************************
+// * XMUNameFromDriveLetter
+// ******************************************************************
+OOVPA_SIG_HEADER_XREF(XMUNameFromDriveLetter,
+                      3911,
+                      XRefThree)
+OOVPA_SIG_MATCH(
+
+    // test [g_XapiMountedMUs], edx
+    XREF_ENTRY(0x14, XREF_g_XapiMountedMUs),
+
+    // call NtOpenFile
+    XREF_ENTRY(0x6C, XREF_KT_FUNC_NtOpenFile),
+
+    // call NtFsControlFile
+    XREF_ENTRY(0xA0, XREF_KT_FUNC_NtFsControlFile),
+
+    // push ebp
+    OV_MATCH(0x00, 0x55),
+
+    // sub esp, 0x74
+    OV_MATCH(0x03, 0x83, 0xEC, 0x74),
+
+    // push 0x80100000 // GENERIC_READ | SYNCHRONIZE
+    OV_MATCH(0x59, 0x68, 0x00, 0x00, 0x10, 0x80),
+
+    // call NtOpenFile
+    OV_MATCH(0x6A, 0xFF, 0x15),
+
+    // call NtFsControlFile
+    OV_MATCH(0x9E, 0xFF, 0x15),
+    //
+);
+
+// ******************************************************************
+// * XMUWriteNameToDriveLetter
+// ******************************************************************
+    OOVPA_SIG_HEADER_XREF(XMUWriteNameToDriveLetter,
+                          3911,
+                          XRefThree)
+OOVPA_SIG_MATCH(
+
+    // test [g_XapiMountedMUs], edx
+    XREF_ENTRY(0x14, XREF_g_XapiMountedMUs),
+
+    // call NtOpenFile
+    XREF_ENTRY(0x6C, XREF_KT_FUNC_NtOpenFile),
+
+    // call NtFsControlFile
+    XREF_ENTRY(0xAE, XREF_KT_FUNC_NtFsControlFile),
+
+    // push ebp
+    OV_MATCH(0x00, 0x55),
+
+    // sub esp, 0x74
+    OV_MATCH(0x03, 0x83, 0xEC, 0x74),
+
+    // push 0x40100000 // GENERIC_WRITE | SYNCHRONIZE
+    OV_MATCH(0x59, 0x68, 0x00, 0x00, 0x10, 0x40),
+
+    // call NtOpenFile
+    OV_MATCH(0x6A, 0xFF, 0x15),
+
+    // call NtFsControlFile
+    OV_MATCH(0xAC, 0xFF, 0x15),
+    //
+);
diff --git a/src/OOVPADatabase/Xapi_OOVPA.inl b/src/OOVPADatabase/Xapi_OOVPA.inl
@@ -366,7 +366,6 @@
 //   * XID_RemoveDevice
 //   * XLoadSectionA
 //   * XLoadSectionByHandle
-//   * XMUNameFromDriveLetter
 //   * XMUPortFromDriveLetterA
 //   * XMUSlotFromDriveLetterA
 //   * XOpenSoundtrackSong
@@ -484,6 +483,8 @@ OOVPATable XAPILIB_OOVPA[] = {
     REGISTER_OOVPAS(XMountMUA, 3911, 4242),
     REGISTER_OOVPAS(XMountMURootA, 3911, 4242),
     REGISTER_OOVPAS(XMountUtilityDrive, 3911), // Final generic OOVPA: 3911; Removed: 0
+    REGISTER_OOVPAS(XMUNameFromDriveLetter, 3911), // Final generic OOVPA: 3911; Removed: 0
+    REGISTER_OOVPAS(XMUWriteNameToDriveLetter, 3911), // Final generic OOVPA: 3911; Removed: 0
     REGISTER_OOVPAS(XReadMUMetaData, 4242),
     REGISTER_OOVPAS(XRegisterThreadNotifyRoutine, 3911),
     REGISTER_OOVPAS(XSetProcessQuantumLength, 4134),