updates and moves

n/a
vxunderground
2022-04-11 20:00:13 -05:00
parent 1275ea2e03
commit 900263ea6f
809 changed files with 149115 additions and 1594 deletions
@@ -0,0 +1,26 @@
Microsoft Visual Studio Solution File, Format Version 10.00
# Visual Studio 2008
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HookDeviceIoControlFile", "HookDeviceIoControlFile\HookDeviceIoControlFile.vcproj", "{04CCC70C-821D-48FA-A6CD-9F0765A2D25C}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Debug|x64 = Debug|x64
Release|Win32 = Release|Win32
Release|x64 = Release|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{04CCC70C-821D-48FA-A6CD-9F0765A2D25C}.Debug|Win32.ActiveCfg = Debug|Win32
{04CCC70C-821D-48FA-A6CD-9F0765A2D25C}.Debug|Win32.Build.0 = Debug|Win32
{04CCC70C-821D-48FA-A6CD-9F0765A2D25C}.Debug|x64.ActiveCfg = Debug|x64
{04CCC70C-821D-48FA-A6CD-9F0765A2D25C}.Debug|x64.Build.0 = Debug|x64
{04CCC70C-821D-48FA-A6CD-9F0765A2D25C}.Release|Win32.ActiveCfg = Release|Win32
{04CCC70C-821D-48FA-A6CD-9F0765A2D25C}.Release|Win32.Build.0 = Release|Win32
{04CCC70C-821D-48FA-A6CD-9F0765A2D25C}.Release|x64.ActiveCfg = Release|x64
{04CCC70C-821D-48FA-A6CD-9F0765A2D25C}.Release|x64.Build.0 = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
@@ -0,0 +1,441 @@
<?xml version="1.0" encoding="gb2312"?>
<VisualStudioProject
ProjectType="Visual C++"
Version="9.00"
Name="HookDeviceIoControlFile"
ProjectGUID="{04CCC70C-821D-48FA-A6CD-9F0765A2D25C}"
RootNamespace="HookDeviceIoControlFile"
Keyword="Win32Proj"
TargetFrameworkVersion="196613"
>
<Platforms>
<Platform
Name="Win32"
/>
<Platform
Name="x64"
/>
</Platforms>
<ToolFiles>
</ToolFiles>
<Configurations>
<Configuration
Name="Debug|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="1"
CharacterSet="2"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE;_X86_"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="1"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="4"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="2"
GenerateManifest="false"
GenerateDebugInformation="true"
SubSystem="1"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Debug|x64"
OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
ConfigurationType="1"
CharacterSet="2"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
TargetEnvironment="3"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE;_AMD64_"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="1"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="2"
GenerateManifest="false"
GenerateDebugInformation="true"
SubSystem="1"
TargetMachine="17"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Release|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="1"
CharacterSet="2"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="2"
EnableIntrinsicFunctions="true"
PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE;_X86_"
RuntimeLibrary="0"
EnableFunctionLevelLinking="true"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="1"
GenerateManifest="false"
EnableUAC="true"
GenerateDebugInformation="true"
SubSystem="1"
OptimizeReferences="2"
EnableCOMDATFolding="2"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Release|x64"
OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
ConfigurationType="1"
CharacterSet="2"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
TargetEnvironment="3"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="2"
EnableIntrinsicFunctions="true"
PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE;_AMD64_"
RuntimeLibrary="0"
EnableFunctionLevelLinking="true"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="1"
GenerateManifest="false"
EnableUAC="true"
GenerateDebugInformation="true"
SubSystem="1"
OptimizeReferences="2"
EnableCOMDATFolding="2"
TargetMachine="17"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
</Configurations>
<References>
</References>
<Files>
<Filter
Name="Source Files"
Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
>
<File
RelativePath=".\analyzer.cpp"
>
</File>
<File
RelativePath=".\analyzer.h"
>
</File>
<File
RelativePath=".\binres.rc"
>
</File>
<File
RelativePath=".\common.cpp"
>
</File>
<File
RelativePath=".\common.h"
>
</File>
<File
RelativePath=".\debug.cpp"
>
</File>
<File
RelativePath=".\debug.h"
>
</File>
<File
RelativePath=".\default.manifest"
>
</File>
<File
RelativePath=".\drvcomm.h"
>
</File>
<File
RelativePath=".\ioctlfuzzer.cpp"
>
</File>
<File
RelativePath=".\ioctlfuzzer.rc"
>
</File>
<File
RelativePath=".\ntdll_defs.h"
>
</File>
<File
RelativePath=".\options.h"
>
</File>
<File
RelativePath=".\resource.h"
>
</File>
<File
RelativePath=".\service.cpp"
>
</File>
<File
RelativePath=".\service.h"
>
</File>
<File
RelativePath=".\stdafx.h"
>
</File>
<File
RelativePath=".\symbols.cpp"
>
</File>
<File
RelativePath=".\symbols.h"
>
</File>
<File
RelativePath=".\TlHelp32.h"
>
</File>
<File
RelativePath=".\undocnt.h"
>
</File>
<File
RelativePath=".\xml.cpp"
>
</File>
<File
RelativePath=".\xml.h"
>
</File>
</Filter>
<Filter
Name="Header Files"
Filter="h;hpp;hxx;hm;inl;inc;xsd"
UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
>
</Filter>
<Filter
Name="Resource Files"
Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav"
UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}"
>
</Filter>
<File
RelativePath="..\driver_amd64.sys"
>
</File>
</Files>
<Globals>
</Globals>
</VisualStudioProject>
@@ -0,0 +1,316 @@
/*****************************************************************************\
* *
* tlhelp32.h - WIN32 tool help functions, types, and definitions *
* *
* Version 1.0 *
* *
* NOTE: windows.h/winbase.h must be #included first *
* *
* Copyright (c) Microsoft Corp. All rights reserved. *
* *
\*****************************************************************************/
#ifndef _INC_TOOLHELP32
#define _INC_TOOLHELP32
#if _MSC_VER > 1000
#pragma once
#endif
#ifdef __cplusplus
extern "C" { /* Assume C declarations for C++ */
#endif /* __cplusplus */
#define MAX_MODULE_NAME32 255
/****** Shapshot function **********************************************/
HANDLE
WINAPI
CreateToolhelp32Snapshot(
DWORD dwFlags,
DWORD th32ProcessID
);
//
// The th32ProcessID argument is only used if TH32CS_SNAPHEAPLIST or
// TH32CS_SNAPMODULE is specified. th32ProcessID == 0 means the current
// process.
//
// NOTE that all of the snapshots are global except for the heap and module
// lists which are process specific. To enumerate the heap or module
// state for all WIN32 processes call with TH32CS_SNAPALL and the
// current process. Then for each process in the TH32CS_SNAPPROCESS
// list that isn't the current process, do a call with just
// TH32CS_SNAPHEAPLIST and/or TH32CS_SNAPMODULE.
//
// dwFlags
//
#define TH32CS_SNAPHEAPLIST 0x00000001
#define TH32CS_SNAPPROCESS 0x00000002
#define TH32CS_SNAPTHREAD 0x00000004
#define TH32CS_SNAPMODULE 0x00000008
#define TH32CS_SNAPMODULE32 0x00000010
#define TH32CS_SNAPALL (TH32CS_SNAPHEAPLIST | TH32CS_SNAPPROCESS | TH32CS_SNAPTHREAD | TH32CS_SNAPMODULE)
#define TH32CS_INHERIT 0x80000000
//
// Use CloseHandle to destroy the snapshot
//
/****** heap walking ***************************************************/
typedef struct tagHEAPLIST32
{
SIZE_T dwSize;
DWORD th32ProcessID; // owning process
ULONG_PTR th32HeapID; // heap (in owning process's context!)
DWORD dwFlags;
} HEAPLIST32;
typedef HEAPLIST32 * PHEAPLIST32;
typedef HEAPLIST32 * LPHEAPLIST32;
//
// dwFlags
//
#define HF32_DEFAULT 1 // process's default heap
#define HF32_SHARED 2 // is shared heap
BOOL
WINAPI
Heap32ListFirst(
HANDLE hSnapshot,
LPHEAPLIST32 lphl
);
BOOL
WINAPI
Heap32ListNext(
HANDLE hSnapshot,
LPHEAPLIST32 lphl
);
typedef struct tagHEAPENTRY32
{
SIZE_T dwSize;
HANDLE hHandle; // Handle of this heap block
ULONG_PTR dwAddress; // Linear address of start of block
SIZE_T dwBlockSize; // Size of block in bytes
DWORD dwFlags;
DWORD dwLockCount;
DWORD dwResvd;
DWORD th32ProcessID; // owning process
ULONG_PTR th32HeapID; // heap block is in
} HEAPENTRY32;
typedef HEAPENTRY32 * PHEAPENTRY32;
typedef HEAPENTRY32 * LPHEAPENTRY32;
//
// dwFlags
//
#define LF32_FIXED 0x00000001
#define LF32_FREE 0x00000002
#define LF32_MOVEABLE 0x00000004
BOOL
WINAPI
Heap32First(
LPHEAPENTRY32 lphe,
DWORD th32ProcessID,
ULONG_PTR th32HeapID
);
BOOL
WINAPI
Heap32Next(
LPHEAPENTRY32 lphe
);
BOOL
WINAPI
Toolhelp32ReadProcessMemory(
DWORD th32ProcessID,
LPCVOID lpBaseAddress,
LPVOID lpBuffer,
SIZE_T cbRead,
SIZE_T *lpNumberOfBytesRead
);
/***** Process walking *************************************************/
typedef struct tagPROCESSENTRY32W
{
DWORD dwSize;
DWORD cntUsage;
DWORD th32ProcessID; // this process
ULONG_PTR th32DefaultHeapID;
DWORD th32ModuleID; // associated exe
DWORD cntThreads;
DWORD th32ParentProcessID; // this process's parent process
LONG pcPriClassBase; // Base priority of process's threads
DWORD dwFlags;
WCHAR szExeFile[MAX_PATH]; // Path
} PROCESSENTRY32W;
typedef PROCESSENTRY32W * PPROCESSENTRY32W;
typedef PROCESSENTRY32W * LPPROCESSENTRY32W;
BOOL
WINAPI
Process32FirstW(
HANDLE hSnapshot,
LPPROCESSENTRY32W lppe
);
BOOL
WINAPI
Process32NextW(
HANDLE hSnapshot,
LPPROCESSENTRY32W lppe
);
typedef struct tagPROCESSENTRY32
{
DWORD dwSize;
DWORD cntUsage;
DWORD th32ProcessID; // this process
ULONG_PTR th32DefaultHeapID;
DWORD th32ModuleID; // associated exe
DWORD cntThreads;
DWORD th32ParentProcessID; // this process's parent process
LONG pcPriClassBase; // Base priority of process's threads
DWORD dwFlags;
CHAR szExeFile[MAX_PATH]; // Path
} PROCESSENTRY32;
typedef PROCESSENTRY32 * PPROCESSENTRY32;
typedef PROCESSENTRY32 * LPPROCESSENTRY32;
BOOL
WINAPI
Process32First(
HANDLE hSnapshot,
LPPROCESSENTRY32 lppe
);
BOOL
WINAPI
Process32Next(
HANDLE hSnapshot,
LPPROCESSENTRY32 lppe
);
#ifdef UNICODE
#define Process32First Process32FirstW
#define Process32Next Process32NextW
#define PROCESSENTRY32 PROCESSENTRY32W
#define PPROCESSENTRY32 PPROCESSENTRY32W
#define LPPROCESSENTRY32 LPPROCESSENTRY32W
#endif // !UNICODE
/***** Thread walking **************************************************/
typedef struct tagTHREADENTRY32
{
DWORD dwSize;
DWORD cntUsage;
DWORD th32ThreadID; // this thread
DWORD th32OwnerProcessID; // Process this thread is associated with
LONG tpBasePri;
LONG tpDeltaPri;
DWORD dwFlags;
} THREADENTRY32;
typedef THREADENTRY32 * PTHREADENTRY32;
typedef THREADENTRY32 * LPTHREADENTRY32;
BOOL
WINAPI
Thread32First(
HANDLE hSnapshot,
LPTHREADENTRY32 lpte
);
BOOL
WINAPI
Thread32Next(
HANDLE hSnapshot,
LPTHREADENTRY32 lpte
);
/***** Module walking *************************************************/
typedef struct tagMODULEENTRY32W
{
DWORD dwSize;
DWORD th32ModuleID; // This module
DWORD th32ProcessID; // owning process
DWORD GlblcntUsage; // Global usage count on the module
DWORD ProccntUsage; // Module usage count in th32ProcessID's context
BYTE * modBaseAddr; // Base address of module in th32ProcessID's context
DWORD modBaseSize; // Size in bytes of module starting at modBaseAddr
HMODULE hModule; // The hModule of this module in th32ProcessID's context
WCHAR szModule[MAX_MODULE_NAME32 + 1];
WCHAR szExePath[MAX_PATH];
} MODULEENTRY32W;
typedef MODULEENTRY32W * PMODULEENTRY32W;
typedef MODULEENTRY32W * LPMODULEENTRY32W;
BOOL
WINAPI
Module32FirstW(
HANDLE hSnapshot,
LPMODULEENTRY32W lpme
);
BOOL
WINAPI
Module32NextW(
HANDLE hSnapshot,
LPMODULEENTRY32W lpme
);
typedef struct tagMODULEENTRY32
{
DWORD dwSize;
DWORD th32ModuleID; // This module
DWORD th32ProcessID; // owning process
DWORD GlblcntUsage; // Global usage count on the module
DWORD ProccntUsage; // Module usage count in th32ProcessID's context
BYTE * modBaseAddr; // Base address of module in th32ProcessID's context
DWORD modBaseSize; // Size in bytes of module starting at modBaseAddr
HMODULE hModule; // The hModule of this module in th32ProcessID's context
char szModule[MAX_MODULE_NAME32 + 1];
char szExePath[MAX_PATH];
} MODULEENTRY32;
typedef MODULEENTRY32 * PMODULEENTRY32;
typedef MODULEENTRY32 * LPMODULEENTRY32;
//
// NOTE CAREFULLY that the modBaseAddr and hModule fields are valid ONLY
// in th32ProcessID's process context.
//
BOOL
WINAPI
Module32First(
HANDLE hSnapshot,
LPMODULEENTRY32 lpme
);
BOOL
WINAPI
Module32Next(
HANDLE hSnapshot,
LPMODULEENTRY32 lpme
);
#ifdef UNICODE
#define Module32First Module32FirstW
#define Module32Next Module32NextW
#define MODULEENTRY32 MODULEENTRY32W
#define PMODULEENTRY32 PMODULEENTRY32W
#define LPMODULEENTRY32 LPMODULEENTRY32W
#endif // !UNICODE
#ifdef __cplusplus
}
#endif
#endif // _INC_TOOLHELP32
@@ -0,0 +1,3 @@
void CollectDeviceObjectsInfo(LPWSTR lpRoot);
void PrintDeviceObjectsInfo(char *lpszIoctlsLogPath);
@@ -0,0 +1,253 @@
#include "stdafx.h"
//--------------------------------------------------------------------------------------
BOOL LoadPrivileges(char *lpszName)
{
HANDLE hToken = NULL;
LUID Val;
TOKEN_PRIVILEGES tp;
BOOL bRet = FALSE;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
DbgMsg(__FILE__, __LINE__, "OpenProcessToken() fails: error %d\n", GetLastError());
goto end;
}
if (!LookupPrivilegeValue(NULL, lpszName, &Val))
{
DbgMsg(__FILE__, __LINE__, "LookupPrivilegeValue() fails: error %d\n", GetLastError());
goto end;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = Val;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof (tp), NULL, NULL))
{
DbgMsg(__FILE__, __LINE__, "AdjustTokenPrivileges() fails: error %d\n", GetLastError());
goto end;
}
bRet = TRUE;
end:
if (hToken)
CloseHandle(hToken);
return bRet;
}
//--------------------------------------------------------------------------------------
BOOL DumpToFile(char *lpszFileName, PVOID pData, ULONG DataSize)
{
HANDLE hFile = CreateFileA(lpszFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
if (hFile != INVALID_HANDLE_VALUE)
{
DWORD dwWritten;
WriteFile(hFile, pData, DataSize, &dwWritten, NULL);
CloseHandle(hFile);
return TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "Error %d while creating '%s'\n", GetLastError(), lpszFileName);
}
return FALSE;
}
//--------------------------------------------------------------------------------------
BOOL ReadFromFile(LPCTSTR lpszFileName, PVOID *pData, PDWORD lpdwDataSize)
{
BOOL bRet = FALSE;
HANDLE hFile = CreateFile(
lpszFileName,
GENERIC_READ,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
NULL,
OPEN_EXISTING,
0,
NULL
);
if (hFile != INVALID_HANDLE_VALUE)
{
if (pData == NULL || lpdwDataSize == NULL)
{
// just check for existing file
bRet = TRUE;
goto close;
}
*lpdwDataSize = GetFileSize(hFile, NULL);
if (*pData = LocalAlloc(LMEM_FIXED | LMEM_ZEROINIT, *lpdwDataSize))
{
DWORD dwReaded = 0;
ReadFile(hFile, *pData, *lpdwDataSize, &dwReaded, NULL);
bRet = TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "LocalAlloc() ERROR %d\n", GetLastError());
*lpdwDataSize = 0;
}
close:
CloseHandle(hFile);
}
else
{
DbgMsg(__FILE__, __LINE__, "Error %d while reading '%s'\n", GetLastError(), lpszFileName);
}
return bRet;
}
//--------------------------------------------------------------------------------------
char *GetNameFromFullPath(char *lpszPath)
{
char *lpszName = lpszPath;
for (size_t i = 0; i < strlen(lpszPath); i++)
{
if (lpszPath[i] == '\\' || lpszPath[i] == '/')
{
lpszName = lpszPath + i + 1;
}
}
return lpszName;
}
//--------------------------------------------------------------------------------------
wchar_t *GetNameFromFullPathW(wchar_t *lpwcPath)
{
wchar_t *lpwcName = lpwcPath;
for (size_t i = 0; i < wcslen(lpwcPath); i++)
{
if (lpwcPath[i] == L'\\' || lpwcPath[i] == L'/')
{
lpwcName = lpwcPath + i + 1;
}
}
return lpwcName;
}
//--------------------------------------------------------------------------------------
BOOL IsFileExists(char *lpszFileName)
{
BOOL bRet = FALSE;
WIN32_FIND_DATA FindData;
// enumerate files
HANDLE hDir = FindFirstFileA(lpszFileName, &FindData);
if (hDir != INVALID_HANDLE_VALUE)
{
bRet = TRUE;
FindClose(hDir);
}
return bRet;
}
//--------------------------------------------------------------------------------------
PVOID GetSysInf(SYSTEM_INFORMATION_CLASS InfoClass)
{
NTSTATUS ns = 0;
ULONG RetSize = 0, Size = 0x100;
PVOID Info = NULL;
GET_NATIVE(NtQuerySystemInformation);
while (true)
{
// allocate memory for system information
if ((Info = M_ALLOC(Size)) == NULL)
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() fails\n");
return NULL;
}
// query information
RetSize = 0;
ns = f_NtQuerySystemInformation(InfoClass, Info, Size, &RetSize);
if (ns == STATUS_INFO_LENGTH_MISMATCH)
{
// buffer is too small
M_FREE(Info);
Info = NULL;
if (RetSize > 0)
{
// allocate more memory and try again
Size = RetSize + 0x100;
}
else
{
break;
}
}
else
{
break;
}
}
if (!NT_SUCCESS(ns))
{
DbgMsg(__FILE__, __LINE__, "NtQuerySystemInformation() fails; status: 0x%.8x\n", ns);
if (Info)
{
M_FREE(Info);
}
return NULL;
}
return Info;
}
//--------------------------------------------------------------------------------------
BOOL GetProcessNameById(DWORD dwProcessId, char *lpszName, size_t NameLen)
{
BOOL bRet = FALSE;
// enumerate processes
HANDLE hSnapProcs = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapProcs != INVALID_HANDLE_VALUE)
{
PROCESSENTRY32 Process = { 0 };
Process.dwSize = sizeof(PROCESSENTRY32);
if (Process32First(hSnapProcs, &Process))
{
do
{
// match process id
if (Process.th32ProcessID == dwProcessId)
{
strlwr(Process.szExeFile);
lstrcpy(lpszName, Process.szExeFile);
bRet = TRUE;
break;
}
}
while (Process32Next(hSnapProcs, &Process));
}
else
{
DbgMsg(__FILE__, __LINE__, "Process32First() ERROR %d\n", GetLastError());
}
CloseHandle(hSnapProcs);
}
else
{
DbgMsg(__FILE__, __LINE__, "CreateToolhelp32Snapshot() ERROR %d\n", GetLastError());
}
return bRet;
}
//--------------------------------------------------------------------------------------
// EoF
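Review bot: `GetProcessNameById` takes a `NameLen` parameter but never uses it; the copy on the `lstrcpy(lpszName, Process.szExeFile);` line writes up to MAX_PATH bytes into the caller's buffer regardless of its real size. debug.cpp in the same commit already uses the secure CRT (`strcat_s`, `sprintf_s`), so `strcpy_s(lpszName, NameLen, Process.szExeFile);` honours the stated contract without a new dependency. `LoadPrivileges` treats a TRUE return from `AdjustTokenPrivileges()` as success, but the privilege is only actually enabled when `GetLastError()` is not `ERROR_NOT_ALL_ASSIGNED`, so the condition should read `if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof (tp), NULL, NULL) || GetLastError() == ERROR_NOT_ALL_ASSIGNED)`. `DumpToFile` likewise returns TRUE without checking the `WriteFile()` result or comparing `dwWritten` with `DataSize`, so a failed or short write is reported to the caller as success.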
@@ -0,0 +1,54 @@
#define RVATOVA(_base_, _offset_) ((PUCHAR)(_base_) + (ULONG)(_offset_))
#define XALIGN_DOWN(x, align)(x &~ (align - 1))
#define XALIGN_UP(x, align)((x & (align - 1)) ? XALIGN_DOWN(x, align) + align : x)
#define M_ALLOC(_size_) LocalAlloc(LMEM_FIXED | LMEM_ZEROINIT, (ULONG)(_size_))
#define M_FREE(_addr_) LocalFree((_addr_))
#define GET_NATIVE(_name_) \
\
func_##_name_ f_##_name_ = (func_##_name_)GetProcAddress( \
GetModuleHandleA("ntdll.dll"), \
(#_name_) \
);
#define UNICODE_FROM_WCHAR(_us_, _str_) \
\
((PUNICODE_STRING)(_us_))->Buffer = (_str_); \
((PUNICODE_STRING)(_us_))->Length = \
((PUNICODE_STRING)(_us_))->MaximumLength = \
(USHORT)wcslen((_str_)) * sizeof(WCHAR);
#define IFMT32 "0x%.8x"
#define IFMT64 "0x%.16I64x"
#define IFMT32_W L"0x%.8x"
#define IFMT64_W L"0x%.16I64x"
#ifdef _X86_
#define IFMT IFMT32
#define IFMT_W IFMT32_W
#elif _AMD64_
#define IFMT IFMT64
#define IFMT_W IFMT64_W
#endif
#define MAX_STRING_SIZE 255
BOOL LoadPrivileges(char *lpszName);
BOOL DumpToFile(char *lpszFileName, PVOID pData, ULONG DataSize);
BOOL ReadFromFile(LPCTSTR lpszFileName, PVOID *pData, PDWORD lpdwDataSize);
char *GetNameFromFullPath(char *lpszPath);
wchar_t *GetNameFromFullPathW(wchar_t *lpwcPath);
BOOL IsFileExists(char *lpszFileName);
PVOID GetSysInf(SYSTEM_INFORMATION_CLASS InfoClass);
BOOL GetProcessNameById(DWORD dwProcessId, char *lpszName, size_t NameLen);
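Review bot: The `XALIGN_DOWN` and `XALIGN_UP` macros do not parenthesise their arguments, so an expression argument such as `XALIGN_DOWN(p, 1 << n)` expands to `p &~ (1 << n - 1)`, which is `1 << (n - 1)` rather than `(1 << n) - 1`. Wrapping each use of `x` and `align` fixes this: `#define XALIGN_DOWN(x, align) ((x) & ~((align) - 1))` and `#define XALIGN_UP(x, align) (((x) & ((align) - 1)) ? XALIGN_DOWN(x, align) + (align) : (x))`. `GET_NATIVE` defines `f_##_name_` from `GetProcAddress()` with no NULL check, and the call site visible in common.cpp (`GetSysInf`) calls the pointer unconditionally; a comment on the macro such as `// callers must test f_<name> for NULL before use` would make that contract explicit until a check is added.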
@@ -0,0 +1,302 @@
#include "stdafx.h"
#define DBG_PIPE_BUFFER_SIZE 0x1000
WCHAR m_wcDebugPipeName[MAX_PATH];
HANDLE hDbgMutex = NULL, hDbgLogfile = INVALID_HANDLE_VALUE;
//--------------------------------------------------------------------------------------
void DbgMsgLogWrite(char *lpszBuff)
{
if (hDbgLogfile != INVALID_HANDLE_VALUE && hDbgMutex)
{
DWORD dwWritten = 0;
char *s = lpszBuff;
size_t len = strlen(lpszBuff);
WaitForSingleObject(hDbgMutex, INFINITE);
SetFilePointer(hDbgLogfile, 0, NULL, FILE_END);
for (size_t i = 1; i < len; i++)
{
// divide source string by lines
if (lpszBuff[i] == '\n')
{
lpszBuff[i] = '\x00';
// write the current line
WriteFile(hDbgLogfile, s, (DWORD)strlen(s), &dwWritten, NULL);
if (lpszBuff[i - 1] != '\r')
{
// replace single '\n' with '\r\n'
WriteFile(hDbgLogfile, "\r\n", 2, &dwWritten, NULL);
}
else
{
WriteFile(hDbgLogfile, "\n", 1, &dwWritten, NULL);
}
s = lpszBuff + i + 1;
}
}
if (lpszBuff + len > s)
{
// write the rest of the string
WriteFile(hDbgLogfile, s, (DWORD)strlen(s), &dwWritten, NULL);
}
ReleaseMutex(hDbgMutex);
}
}
//--------------------------------------------------------------------------------------
void DbgMsg(char *lpszFile, int Line, char *lpszMsg, ...)
{
va_list mylist;
va_start(mylist, lpszMsg);
size_t len = _vscprintf(lpszMsg, mylist) + 0x100;
char *lpszBuff = (char *)M_ALLOC(len);
if (lpszBuff == NULL)
{
va_end(mylist);
return;
}
char *lpszOutBuff = (char *)M_ALLOC(len);
if (lpszOutBuff == NULL)
{
M_FREE(lpszBuff);
va_end(mylist);
return;
}
vsprintf_s(lpszBuff, len, lpszMsg, mylist);
va_end(mylist);
sprintf_s(
lpszOutBuff, len, "[%.5d] %s(%d) : %s",
GetCurrentProcessId(), GetNameFromFullPath(lpszFile), Line, lpszBuff
);
OutputDebugString(lpszOutBuff);
HANDLE hStd = GetStdHandle(STD_OUTPUT_HANDLE);
if (hStd != INVALID_HANDLE_VALUE)
{
DWORD dwWritten = 0;
WriteFile(hStd, lpszBuff, strlen(lpszBuff), &dwWritten, NULL);
}
sprintf_s(lpszOutBuff, len, "[%.5d] %s", GetCurrentProcessId(), lpszBuff);
DbgMsgLogWrite(lpszOutBuff);
M_FREE(lpszOutBuff);
M_FREE(lpszBuff);
}
//--------------------------------------------------------------------------------------
DWORD WINAPI PipeInstanceThread(LPVOID lpParam)
{
HANDLE hPipe = (HANDLE)lpParam;
DWORD dwReaded, dwWritten, dwLen = 0;
// read data length from pipe
while (ReadFile(hPipe, (PVOID)&dwLen, sizeof(dwLen), &dwReaded, NULL))
{
if (dwLen > 0)
{
// allocate memory for data
PUCHAR Data = (PUCHAR)M_ALLOC(dwLen);
if (Data)
{
PUCHAR DataPtr = Data;
DWORD dwTotalReaded = 0, dwReadLen = dwLen;
read_again:
if (ReadFile(hPipe, DataPtr, dwReadLen, &dwReaded, NULL))
{
dwTotalReaded += dwReaded;
if (dwLen > dwTotalReaded)
{
DataPtr += dwReaded;
dwReadLen -= dwReaded;
// not all data was readed
goto read_again;
}
// write message into the standart output
HANDLE hStd = GetStdHandle(STD_OUTPUT_HANDLE);
if (hStd != INVALID_HANDLE_VALUE)
{
char *s = strstr((char *)Data, " : ");
if (s)
{
s += 3;
WriteFile(hStd, s, lstrlen(s), &dwWritten, NULL);
}
else
{
WriteFile(hStd, Data, lstrlen((char *)Data), &dwWritten, NULL);
}
}
// write message into the log
DbgMsgLogWrite((char *)Data);
}
M_FREE(Data);
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() ERROR %d\n", GetLastError());
}
}
dwLen = 0;
}
return 0;
}
//--------------------------------------------------------------------------------------
DWORD WINAPI PipeServerThread(LPVOID lpParam)
{
DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Listening on pipe '%ws'\n", m_wcDebugPipeName);
while (true)
{
// create pipe instance
HANDLE hPipe = CreateNamedPipeW(
m_wcDebugPipeName,
PIPE_ACCESS_DUPLEX,
PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT,
PIPE_UNLIMITED_INSTANCES,
DBG_PIPE_BUFFER_SIZE,
DBG_PIPE_BUFFER_SIZE,
INFINITE,
NULL
);
if (hPipe == INVALID_HANDLE_VALUE)
{
DbgMsg(__FILE__, __LINE__, "CreateNamedPipe() ERROR %d\n", GetLastError());
return 0;
}
BOOL bConnected = ConnectNamedPipe(hPipe, NULL) ? TRUE : (GetLastError() == ERROR_PIPE_CONNECTED);
if (bConnected)
{
// Create a thread for this client.
HANDLE hThread = CreateThread(NULL, 0, PipeInstanceThread, (LPVOID)hPipe, 0, NULL);
if (hThread == NULL)
{
DbgMsg(__FILE__, __LINE__, "CreateThread() ERROR %d\n", GetLastError());
return 0;
}
else
{
CloseHandle(hThread);
}
}
else
{
// The client could not connect, so close the pipe.
CloseHandle(hPipe);
}
}
}
//--------------------------------------------------------------------------------------
void DbgInit(char *lpszDebugPipeName, char *lpszLogFileName)
{
hDbgMutex = CreateMutex(NULL, FALSE, NULL);
if (hDbgMutex == NULL)
{
DbgMsg(__FILE__, __LINE__, "CreateMutex() ERROR %d\n", GetLastError());
return;
}
if (lpszLogFileName)
{
// use logfile for debug messages
char szLogFilePath[MAX_PATH];
GetCurrentDirectory(sizeof(szLogFilePath), szLogFilePath);
strcat_s(szLogFilePath, MAX_PATH, "\\");
strcat_s(szLogFilePath, MAX_PATH, lpszLogFileName);
hDbgLogfile = CreateFile(
szLogFilePath,
GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
NULL,
CREATE_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL
);
if (hDbgLogfile == INVALID_HANDLE_VALUE)
{
DbgMsg(__FILE__, __LINE__, "CreateFile() ERROR %d\n", GetLastError());
return;
}
DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Log file '%s' created\n", szLogFilePath);
}
if (lpszDebugPipeName)
{
// pipe to receive messages from driver or other application
WCHAR wcDebugPipeName[MAX_PATH];
MultiByteToWideChar(CP_ACP, 0, lpszDebugPipeName, -1, wcDebugPipeName, MAX_PATH);
wcscpy_s(m_wcDebugPipeName, MAX_PATH, L"\\\\.\\pipe\\");
wcscat_s(m_wcDebugPipeName, MAX_PATH, wcDebugPipeName);
// start pipe server for debug messages from driver
HANDLE hThread = CreateThread(NULL, 0, PipeServerThread, NULL, 0, NULL);
if (hThread)
{
CloseHandle(hThread);
Sleep(2000);
}
else
{
DbgMsg(__FILE__, __LINE__, "CreateThread() ERROR %d\n", GetLastError());
}
}
}
//--------------------------------------------------------------------------------------
WORD ccol(WORD wColor)
{
WORD c = 0;
if (wColor == 0)
{
return 0;
}
if (hDbgMutex)
{
WaitForSingleObject(hDbgMutex, INFINITE);
}
HANDLE hStd = GetStdHandle(STD_OUTPUT_HANDLE);
if (hStd != INVALID_HANDLE_VALUE)
{
CONSOLE_SCREEN_BUFFER_INFO Info;
ZeroMemory(&Info, sizeof(Info));
// get old console attributes
if (GetConsoleScreenBufferInfo(hStd, &Info))
{
// set new console attributes
SetConsoleTextAttribute(hStd, wColor);
c = Info.wAttributes;
}
}
if (hDbgMutex)
{
ReleaseMutex(hDbgMutex);
}
return c;
}
//--------------------------------------------------------------------------------------
// EoF
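Review bot: `PipeInstanceThread` reads exactly `dwLen` bytes from the pipe into `Data` and then treats the buffer as a NUL-terminated string (`strstr`, `lstrlen`, and the `strlen` inside `DbgMsgLogWrite`), yet nothing guarantees a terminator within those bytes, so a client message without one reads past the allocation. Because `M_ALLOC` zero-fills, allocating one extra byte is enough, `PUCHAR Data = (PUCHAR)M_ALLOC(dwLen + 1);`, together with a sanity ceiling on `dwLen` (a project-chosen maximum message size) so a length word supplied by the client cannot drive an arbitrarily large allocation or overflow the `+ 1`. The pipe handle is never closed: when `ReadFile()` fails the loop ends and the thread returns without `CloseHandle(hPipe);`, leaking one handle per client connection. The pipe is created in `PipeServerThread` with NULL security attributes, which deserves a comment at the `CreateNamedPipeW` call noting that any local client may connect and that received messages are therefore handled as untrusted input.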
@@ -0,0 +1,13 @@
void DbgMsg(char *lpszFile, int Line, char *lpszMsg, ...);
void DbgInit(char *lpszDebugPipeName, char *lpszLogFileName);
#define CCOL_BLUE (0x09)
#define CCOL_GREEN (0x0A)
#define CCOL_CYAN (0x0B)
#define CCOL_RED (0x0C)
#define CCOL_PURPLE (0x0D)
#define CCOL_YELLOW (0x0E)
#define CCOL_WHITE (0x0F)
WORD ccol(WORD wColor);
@@ -0,0 +1,14 @@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator" uiAccess="FALSE"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
<dependency>
<dependentAssembly>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"></assemblyIdentity>
</dependentAssembly>
</dependency>
</assembly>
@@ -0,0 +1,117 @@
#define DEVICE_NAME L"IOCTLfuzzer"
#define DBG_PIPE_NAME L"IOCTLfuzzer"
#define DBG_PIPE_NAME_A "IOCTLfuzzer"
#define IOCTL_DRV_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x01, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
#define S_ERROR 0x00
#define S_SUCCESS 0x01
#define C_ADD_DEVICE 0x01
#define C_ADD_DRIVER 0x02
#define C_ADD_IOCTL 0x03
#define C_ADD_PROCESS 0x04
#define C_SET_OPTIONS 0x05
#define C_GET_DEVICE_INFO 0x06
#define C_CHECK_HOOKS 0x07
#define C_DEL_OPTIONS 0x08
#define C_GET_OBJECT_NAME 0x09
// fuzzing options
#define FUZZ_OPT_LOG_IOCTL 0x00000001
#define FUZZ_OPT_LOG_IOCTL_BUFFERS 0x00000002
#define FUZZ_OPT_LOG_IOCTL_GLOBAL 0x00000004
#define FUZZ_OPT_LOG_EXCEPTIONS 0x00000008
#define FUZZ_OPT_LOG_DEBUG 0x00000010
#define FUZZ_OPT_FUZZ 0x00000020
#define FUZZ_OPT_FUZZ_SIZE 0x00000040
#define FUZZ_OPT_FUZZ_FAIR 0x00000080
#define FUZZ_OPT_FUZZ_BOOT 0x00000100
#define FUZZ_OPT_NO_SDT_HOOKS 0x00000200
typedef ULONG FUZZING_TYPE;
#define FuzzingType_Random 0x00000001
#define FuzzingType_Dword 0x00000002
// area to store some variables, that must located in user mode
#pragma pack(push, 1)
typedef struct _USER_MODE_DATA
{
IO_STATUS_BLOCK IoStatus;
} USER_MODE_DATA,
*PUSER_MODE_DATA;
#pragma pack(pop)
#define MAX_REQUEST_STRING 0x100
#pragma pack(push, 1)
typedef struct _REQUEST_BUFFER
{
// operation status (see S_* definitions)
ULONG Status;
// operation code (see C_* definitions)
ULONG Code;
union
{
struct
{
ULONG Options;
ULONG FuzzThreadId;
FUZZING_TYPE FuzzingType;
PUSER_MODE_DATA UserModeData;
ULONG KiDispatchException_Offset;
} Options;
struct
{
PVOID DeviceObjectAddr;
PVOID DriverObjectAddr;
char szDriverObjectName[MAX_REQUEST_STRING];
char szDriverFilePath[MAX_REQUEST_STRING];
} DeviceInfo;
struct
{
// for C_ADD_IOCTL
ULONG IoctlCode;
// for all C_ADD_*
BOOLEAN bAllow;
// for C_ADD_DEVICE, C_ADD_DRIVER and C_ADD_PROCESS
char szObjectName[MAX_REQUEST_STRING];
/*
If TRUE -- debugger command, that stored in Buff[],
must be executed for every IOCTL, that has been matched
by this object.
*/
BOOLEAN bDbgcbAction;
} AddObject;
struct
{
HANDLE hObject;
char szObjectName[MAX_REQUEST_STRING];
} ObjectName;
struct
{
BOOLEAN bHooksInstalled;
} CheckHooks;
};
char Buff[1];
} REQUEST_BUFFER,
*PREQUEST_BUFFER;
#pragma pack(pop)
@@ -0,0 +1,940 @@
#include "stdafx.h"
//unresolved external symbol __imp__StrToIntExA@12
#pragma comment(lib, "Shlwapi.lib")
//unresolved external symbol _VerQueryValueA@16
#pragma comment(lib, "version.lib")
//unresolved external symbol __imp__InitCommonControls@0
#pragma comment(lib, "comctl32.lib")
#ifdef _AMD64_
#pragma comment(lib,"dbgsdk\\lib\\amd64\\dbghelp.lib")
#pragma comment(lib, "lib\\amd64\\comsupp.lib")
#else
#pragma comment(lib,"dbgsdk\\lib\\i386\\dbghelp.lib")
#pragma comment(lib, "lib\\comsupp.lib")
#endif
//
#define RESOURCE_NAME_DRIVER32 "DRIVER32"
#define RESOURCE_NAME_DRIVER64 "DRIVER64"
#define GLOBAL_MUTEX_NAME "Global\\" DRIVER_SERVICE_NAME "_Mutex"
USER_MODE_DATA m_UserModeData;
DWORD m_dwFuzzThreadId = 0;
HANDLE hDevice = NULL;
// fuzzing type and other actual options
FUZZING_TYPE m_FuzzingType = DEFAULT_FUZZING_TYPE;
DWORD m_dwOptions = 0;
// don't install any hooks (usefull for attack surface analysis feature)
BOOL m_bNoHooks = FALSE;
// TRUE if remote kernel debugger is not present
BOOL m_bDebuggerNotPresent = FALSE;
// defined in debug.cpp
extern HANDLE hDbgLogfile;
BOOL m_bBoot = FALSE;
/**
* kernel32!Get[Set]ConsoleScreenBufferInfoEx() functions prsent
* only on NT 6.x
*/
typedef BOOL (WINAPI * GET_SET_CONSOLE_SCREEN_BUFFER_INFO_EX)(
HANDLE hConsoleOutput,
PCONSOLE_SCREEN_BUFFER_INFOEX lpConsoleScreenBufferInfoEx
);
//--------------------------------------------------------------------------------------
BOOL GetOption(IXMLDOMNode *pIDOMNode, PWSTR lpwcName, PBOOL pbVal)
{
BOOL bRet = FALSE;
char *lpszVal = NULL;
if (ConfAllocGetTextByNameA(pIDOMNode, lpwcName, &lpszVal))
{
bRet = TRUE;
if (!strcmp(strlwr(lpszVal), "true"))
{
*pbVal = TRUE;
}
else if (!strcmp(strlwr(lpszVal), "false"))
{
*pbVal = FALSE;
}
else
{
DbgMsg(__FILE__, __LINE__, "WARNING: invalid value for option '%ws'\r\n", lpwcName);
bRet = FALSE;
}
M_FREE(lpszVal);
}
return bRet;
}
//--------------------------------------------------------------------------------------
void ParseAllowDenySection(IXMLDOMNode *pIDOMNode, BOOL bAllow, BOOL bDbgcbAction)
{
struct
{
LPCWSTR lpNodeName;
LPCWSTR lpObjectName;
ULONG Code;
} Objects[] = {
{ L"drivers", L"driver", C_ADD_DRIVER },
{ L"devices", L"device", C_ADD_DEVICE },
{ L"ioctls", L"ioctl", C_ADD_IOCTL },
{ L"processes", L"process", C_ADD_PROCESS },
{ NULL, NULL, 0 }
};
/*
Old-style allow/deny lists parsing:
--------------------------------------
<objects>
<object>SomeName_1</object>
<object>SomeName_2</object>
...
<object>SomeName_N</object>
</objects>
*/
for (int ob = 0; Objects[ob].lpNodeName != NULL; ob++)
{
// get objects list node
IXMLDOMNode *pIDOMObjectsNode = ConfGetNodeByName((BSTR)Objects[ob].lpNodeName, pIDOMNode);
if (pIDOMObjectsNode)
{
IXMLDOMNodeList *pIDOMNodeList = NULL;
// enumerate available object names
HRESULT hr = pIDOMObjectsNode->get_childNodes(&pIDOMNodeList);
if (SUCCEEDED(hr))
{
LONG len = 0;
pIDOMNodeList->get_length(&len);
DbgMsg(__FILE__, __LINE__, "\"%ws\":\r\n", Objects[ob].lpNodeName);
for (int i = 0; i < len; i++)
{
IXMLDOMNode *pIDOMChildNode = NULL;
// get single object name
hr = pIDOMNodeList->get_item(i, &pIDOMChildNode);
if (SUCCEEDED(hr))
{
char *lpszObjectName = NULL;
if (ConfGetNodeTextA(pIDOMChildNode, &lpszObjectName))
{
REQUEST_BUFFER Buff;
ZeroMemory(&Buff, sizeof(Buff));
Buff.Code = Objects[ob].Code;
Buff.AddObject.bAllow = bAllow;
if (Objects[ob].Code == C_ADD_IOCTL)
{
DWORD dwIoctlCode = 0;
// parse hexadecimal IOCTL code value
if (StrToIntEx(lpszObjectName, STIF_SUPPORT_HEX, (int *)&dwIoctlCode))
{
DbgMsg(__FILE__, __LINE__, " - 0x%.8x\r\n", dwIoctlCode);
Buff.AddObject.IoctlCode = dwIoctlCode;
DrvDeviceRequest(&Buff, sizeof(Buff));
}
else
{
DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): StrToIntEx() ERROR %d\n", GetLastError());
}
}
else
{
DbgMsg(__FILE__, __LINE__, " - \"%s\"\r\n", lpszObjectName);
// object name is a string value (process/driver/device name)
lstrcpy(Buff.AddObject.szObjectName, lpszObjectName);
DrvDeviceRequest(&Buff, sizeof(Buff));
}
M_FREE(lpszObjectName);
}
pIDOMChildNode->Release();
}
}
pIDOMNodeList->Release();
}
pIDOMObjectsNode->Release();
}
}
/*
New allow/deny lists parsing:
--------------------------------------
<object_type val="SomeName_1" />
<object_type val="SomeName_2" />
...
<object_type val="SomeName_N" />
*/
// enumerate available objects
IXMLDOMNodeList *pIDOMNodeList = NULL;
HRESULT hr = pIDOMNode->get_childNodes(&pIDOMNodeList);
if (SUCCEEDED(hr))
{
LONG len = 0;
pIDOMNodeList->get_length(&len);
for (int i = 0; i < len; i++)
{
IXMLDOMNode *pIDOMChildNode = NULL;
// get single object node
hr = pIDOMNodeList->get_item(i, &pIDOMChildNode);
if (SUCCEEDED(hr))
{
// get node name (object type)
BSTR ChildNodeName = NULL;
hr = pIDOMChildNode->get_nodeName(&ChildNodeName);
if (SUCCEEDED(hr))
{
// lookup object type by name
for (int ob = 0; Objects[ob].lpObjectName != NULL; ob++)
{
if (!wcscmp(Objects[ob].lpObjectName, ChildNodeName))
{
DWORD dwOptionalBuffLen = 0;
char *lpszObjectName = NULL, *lpszOptionalBuff = NULL;
/*
Query node value: for dbgcb objects list it contains
debugger command, that must be executet for each IOCTL,
matched by this object.
*/
if (bDbgcbAction &&
ConfGetNodeTextA(pIDOMChildNode, &lpszOptionalBuff) &&
lpszOptionalBuff)
{
dwOptionalBuffLen = (DWORD)strlen(lpszOptionalBuff) + 1;
}
if (ConfGetNodeAttributeA(pIDOMChildNode, L"val", &lpszObjectName))
{
DWORD dwBuffSize = sizeof(REQUEST_BUFFER) + dwOptionalBuffLen;
PREQUEST_BUFFER Buff = (PREQUEST_BUFFER)M_ALLOC(dwBuffSize);
if (Buff)
{
ZeroMemory(Buff, dwBuffSize);
Buff->Code = Objects[ob].Code;
Buff->AddObject.bAllow = bAllow;
Buff->AddObject.bDbgcbAction = bDbgcbAction;
if (lpszOptionalBuff)
{
lstrcpy(Buff->Buff, lpszOptionalBuff);
}
if (Objects[ob].Code == C_ADD_IOCTL)
{
DWORD dwIoctlCode = 0;
// parse hexadecimal IOCTL code value
if (StrToIntEx(lpszObjectName, STIF_SUPPORT_HEX, (int *)&dwIoctlCode))
{
if (bDbgcbAction)
{
DbgMsg(
__FILE__, __LINE__, "Object=\"%ws\" Value=0x%.8x KdCommand=\"%s\"\r\n",
Objects[ob].lpObjectName, dwIoctlCode,
lpszOptionalBuff ? lpszOptionalBuff : "<BREAK>"
);
}
else
{
DbgMsg(
__FILE__, __LINE__, "Object=\"%ws\" Value=0x%.8x\r\n",
Objects[ob].lpObjectName, dwIoctlCode
);
}
Buff->AddObject.IoctlCode = dwIoctlCode;
DrvDeviceRequest(Buff, dwBuffSize);
}
else
{
DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): StrToIntEx() ERROR %d\n", GetLastError());
}
}
else
{
if (bDbgcbAction)
{
DbgMsg(
__FILE__, __LINE__, "Object=\"%ws\" Value=\"%s\" KdCommand=\"%s\"\r\n",
Objects[ob].lpObjectName, lpszObjectName,
lpszOptionalBuff ? lpszOptionalBuff : "<BREAK>"
);
}
else
{
DbgMsg(
__FILE__, __LINE__, "Object=\"%ws\" Value=\"%s\"\r\n",
Objects[ob].lpObjectName, lpszObjectName
);
}
// object name is a string value (process/driver/device name)
lstrcpy(Buff->AddObject.szObjectName, lpszObjectName);
DrvDeviceRequest(Buff, dwBuffSize);
}
M_FREE(Buff);
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() ERROR %d\r\n", GetLastError());
}
M_FREE(lpszObjectName);
}
if (lpszOptionalBuff)
{
M_FREE(lpszOptionalBuff);
}
break;
}
}
}
if (ChildNodeName)
{
SysFreeString(ChildNodeName);
}
pIDOMChildNode->Release();
}
}
pIDOMNodeList->Release();
}
}
//--------------------------------------------------------------------------------------
BOOL SetOptions(DWORD dwOptions, FUZZING_TYPE FuzzingType)
{
REQUEST_BUFFER Buff;
ZeroMemory(&Buff, sizeof(Buff));
Buff.Code = C_SET_OPTIONS;
Buff.Options.Options = dwOptions;
Buff.Options.FuzzingType = FuzzingType;
Buff.Options.UserModeData = &m_UserModeData;
Buff.Options.FuzzThreadId = m_dwFuzzThreadId;
m_dwOptions = dwOptions;
m_FuzzingType = FuzzingType;
// send options to the driver
return DrvDeviceRequest(&Buff, sizeof(REQUEST_BUFFER));
}
//--------------------------------------------------------------------------------------
BOOL SetDefaultOptions(void)
{
DWORD dwOptions = FUZZ_OPT_LOG_DEBUG;
dwOptions |= FUZZ_OPT_LOG_IOCTL;
dwOptions |= FUZZ_OPT_LOG_IOCTL_GLOBAL;
if (m_bNoHooks)
{
dwOptions |= FUZZ_OPT_NO_SDT_HOOKS;
}
// send options to the driver
return SetOptions(dwOptions, DEFAULT_FUZZING_TYPE);
}
//--------------------------------------------------------------------------------------
BOOL ParseConfig(char *lpszCfgFileName)
{
PVOID Data = NULL;
DWORD dwDataSize = 0;
BOOL bRet = FALSE;
// read config file
if (ReadFromFile(lpszCfgFileName, &Data, &dwDataSize))
{
PWSTR lpwcData = (PWSTR)M_ALLOC((dwDataSize + 1) * sizeof(WCHAR));
if (lpwcData)
{
MultiByteToWideChar(CP_ACP, 0, (char *)Data, dwDataSize, lpwcData, dwDataSize);
IXMLDOMNode *pIDOMRootNode = NULL;
IXMLDOMDocument *pXMLDoc = NULL;
// load xml document
if (XmlLoad(lpwcData, &pXMLDoc, &pIDOMRootNode, L"cfg"))
{
// create logfile, if option is set
char *lpszLogFilePath = NULL;
if (ConfAllocGetTextByNameA(pIDOMRootNode, L"log_file", &lpszLogFilePath))
{
HANDLE hNewLogfile = CreateFile(
lpszLogFilePath,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL
);
if (hNewLogfile != INVALID_HANDLE_VALUE)
{
SetFilePointer(hNewLogfile, 0, NULL, FILE_END);
if (hDbgLogfile != INVALID_HANDLE_VALUE)
{
// close old debug log
CloseHandle(hDbgLogfile);
hDbgLogfile = hNewLogfile;
}
}
else
{
DbgMsg(__FILE__, __LINE__, "CreateFile() ERROR %d\r\n", GetLastError());
DbgMsg(__FILE__, __LINE__, "Error while creating/opening logfile at '%s'.\r\n", lpszLogFilePath);
}
M_FREE(lpszLogFilePath);
}
// parse allowed objects list
IXMLDOMNode *pIDOMAllowNode = ConfGetNodeByName(L"allow", pIDOMRootNode);
if (pIDOMAllowNode)
{
ParseAllowDenySection(pIDOMAllowNode, TRUE, FALSE);
pIDOMAllowNode->Release();
}
// parse denied objects list
IXMLDOMNode *pIDOMDenyNode = ConfGetNodeByName(L"deny", pIDOMRootNode);
if (pIDOMDenyNode)
{
ParseAllowDenySection(pIDOMDenyNode, FALSE, FALSE);
pIDOMDenyNode->Release();
}
if (!m_bDebuggerNotPresent)
{
// parse debugger communication engine options
IXMLDOMNode *pIDOMDbgcbNode = ConfGetNodeByName(L"dbgcb", pIDOMRootNode);
if (pIDOMDbgcbNode)
{
ParseAllowDenySection(pIDOMDbgcbNode, FALSE, TRUE);
pIDOMDbgcbNode->Release();
}
}
// parse options
BOOL bLogRequests = TRUE, bDebugLogRequests = TRUE;
BOOL bHexDump = FALSE;
DWORD dwOptions = FUZZ_OPT_LOG_IOCTL_GLOBAL;
FUZZING_TYPE FuzzingType = DEFAULT_FUZZING_TYPE;
GetOption(pIDOMRootNode, L"hex_dump", &bHexDump);
GetOption(pIDOMRootNode, L"log_requests", &bLogRequests);
GetOption(pIDOMRootNode, L"debug_log_requests", &bDebugLogRequests);
GetOption(pIDOMRootNode, L"boot_log", &m_bBoot);
DbgMsg(__FILE__, __LINE__, "PROGRAM OPTIONS:\r\n");
#define STROPT(_x_) ((_x_) ? "Yes" : "No")
DbgMsg(__FILE__, __LINE__, " 'hex_dump': %s\r\n", STROPT(bHexDump));
DbgMsg(__FILE__, __LINE__, " 'log_requests': %s\r\n", STROPT(bLogRequests));
DbgMsg(__FILE__, __LINE__, " 'debug_log_requests': %s\r\n", STROPT(bDebugLogRequests));
DbgMsg(__FILE__, __LINE__, " 'bBoot': %s\r\n", STROPT(m_bBoot));
if (bHexDump)
{
dwOptions |= FUZZ_OPT_LOG_IOCTL_BUFFERS;
}
if (bLogRequests)
{
dwOptions |= FUZZ_OPT_LOG_IOCTL;
}
if (bDebugLogRequests)
{
dwOptions |= FUZZ_OPT_LOG_DEBUG;
}
if (m_bBoot)
{
dwOptions |= FUZZ_OPT_FUZZ_BOOT;
}
// send options to the driver
bRet = SetOptions(dwOptions, FuzzingType);
pIDOMRootNode->Release();
pXMLDoc->Release();
}
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() ERROR %d\r\n", GetLastError());
}
M_FREE(Data);
}
if (!bRet)
{
SetDefaultOptions();
}
return bRet;
}
//--------------------------------------------------------------------------------------
DWORD WINAPI ApcThread(LPVOID lpParam)
{
while (true)
{
SleepEx(INFINITE, TRUE);
}
return 0;
}
//--------------------------------------------------------------------------------------
BOOL WINAPI CtrlHandler(DWORD fdwCtrlType)
{
if (fdwCtrlType == CTRL_C_EVENT ||
fdwCtrlType == CTRL_CLOSE_EVENT)
{
// Handle the CTRL-C signal.
DbgMsg(__FILE__, __LINE__, "Stopping application, please wait...\r\n");
ExitProcess(0);
return TRUE;
}
return FALSE;
}
//--------------------------------------------------------------------------------------
BOOL GetResPayload(HMODULE hModule, char *lpszResourceName, PVOID *Data, DWORD *dwDataSize)
{
HRSRC hRc = FindResource(hModule, lpszResourceName, "BINRES");
if (hRc)
{
HGLOBAL hResData = LoadResource(hModule, hRc);
if (hResData)
{
PVOID ResData = LockResource(hResData);
if (ResData)
{
*dwDataSize = SizeofResource(hModule, hRc);
if (*Data = M_ALLOC(*dwDataSize))
{
memcpy(*Data, ResData, *dwDataSize);
return TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() ERROR %d\r\n", GetLastError());
}
}
else
{
DbgMsg(__FILE__, __LINE__, "LockResource() fails\r\n");
}
}
else
{
DbgMsg(__FILE__, __LINE__, "LoadResource() fails\r\n");
}
}
else
{
DbgMsg(__FILE__, __LINE__, "FindResource() fails\r\n");
}
return FALSE;
}
//--------------------------------------------------------------------------------------
#define CHECK_SET(_item_) SendMessage(GetDlgItem(hDlg, (_item_)), BM_SETCHECK, BST_CHECKED, 0)
#define CHECK_UNSET(_item_) SendMessage(GetDlgItem(hDlg, (_item_)), BM_SETCHECK, BST_UNCHECKED, 0)
#define CHECK_GET(_item_) (SendMessage(GetDlgItem(hDlg, (_item_)), BM_GETCHECK, BST_CHECKED, 0) == BST_CHECKED)
LRESULT CALLBACK MainDlg(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam)
{
DWORD dwOptions = FUZZ_OPT_LOG_IOCTL_GLOBAL;
FUZZING_TYPE FuzzingType = DEFAULT_FUZZING_TYPE;
switch (message)
{
case WM_INITDIALOG:
{
/**
* Initialize chekboxes for fuzzing options.
*/
if (m_dwOptions & FUZZ_OPT_LOG_IOCTL)
{
CHECK_SET(IDC_LOG_CONSOLE);
}
if (m_dwOptions & FUZZ_OPT_LOG_DEBUG)
{
CHECK_SET(IDC_LOG_DEBUGGER);
}
if (m_dwOptions & FUZZ_OPT_LOG_IOCTL_BUFFERS)
{
CHECK_SET(IDC_LOG_BUFFERS);
}
break;
}
case WM_COMMAND:
{
switch (wParam)
{
case IDC_HIDE:
ShowWindow(hDlg, SW_HIDE);
break;
case IDC_TERMINATE:
DestroyWindow(hDlg);
break;
case IDC_LOG_CONSOLE:
case IDC_LOG_DEBUGGER:
case IDC_LOG_BUFFERS:
/**
* Get controls state.
*/
if (CHECK_GET(IDC_LOG_CONSOLE))
{
dwOptions |= FUZZ_OPT_LOG_IOCTL;
}
if (CHECK_GET(IDC_LOG_DEBUGGER))
{
dwOptions |= FUZZ_OPT_LOG_DEBUG;
}
if (CHECK_GET(IDC_LOG_BUFFERS))
{
dwOptions |= FUZZ_OPT_LOG_IOCTL_BUFFERS;
}
// update fuzzing type and settings
SetOptions(dwOptions, FuzzingType);
break;
}
break;
}
case WM_CLOSE:
{
DestroyWindow(hDlg);
break;
}
}
return FALSE;
}
//--------------------------------------------------------------------------------------
int _tmain(int argc, _TCHAR* argv[])
{
char szDriverFileName[MAX_PATH] = {0};
char szServiceFileName[MAX_PATH] = {0};
BOOL bUninstall = FALSE, bShowExceptions = FALSE, bPrintDevices = FALSE;
InitCommonControls();
GetSystemDirectory(szDriverFileName, sizeof(szDriverFileName));
lstrcat(szDriverFileName, "\\drivers\\" DRIVER_FILE_NAME);
lstrcpy(szServiceFileName, "system32\\drivers\\" DRIVER_FILE_NAME);
HANDLE hGlobalMutex = CreateMutex(NULL, FALSE, GLOBAL_MUTEX_NAME);
char lpszConfigPath[MAX_PATH] = {0};
GetCurrentDirectory(sizeof(lpszConfigPath), lpszConfigPath);
lstrcat(lpszConfigPath, "\\ioctlfuzzer.xml");
// check for allready running application
if (GetLastError() == ERROR_ALREADY_EXISTS)
{
MessageBox(
0,
"One copy of program is allready running.\n",
"ERROR",
MB_ICONERROR
);
ExitProcess(0);
}
#if defined(_X86_)
BOOL bIs64 = FALSE;
typedef BOOL (WINAPI * func_IsWow64Process)(
HANDLE hProcess,
PBOOL Wow64Process
);
func_IsWow64Process f_IsWow64Process = (func_IsWow64Process)GetProcAddress(
GetModuleHandleA("kernel32.dll"),
"IsWow64Process"
);
if (f_IsWow64Process)
{
// check for WoW64 environment
if (f_IsWow64Process(GetCurrentProcess(), &bIs64) && bIs64)
{
MessageBoxA(
0,
"You should use x64 version of program on Windows x64.\n"
"<OK> to exit.",
"ERROR", MB_ICONWARNING
);
ExitProcess(0);
}
}
#endif // _X86_
DbgInit(DBG_PIPE_NAME_A, IOCTLFUZZER_LOG_FILE);
PSYSTEM_KERNEL_DEBUGGER_INFORMATION DebuggerInfo = (PSYSTEM_KERNEL_DEBUGGER_INFORMATION)
GetSysInf(SystemKernelDebuggerInformation);
if (DebuggerInfo)
{
// check for remote kernel debugger
if (!DebuggerInfo->DebuggerEnabled ||
DebuggerInfo->DebuggerNotPresent)
{
if (MessageBox(
0,
"Warning!\r\n"
"Kernel debugger is not present, IOCTL Fuzzer may cause a BSoD.\r\n"
"Continue execution?",
"Warning", MB_YESNO | MB_ICONWARNING | MB_TOPMOST) == IDNO)
{
ExitProcess(0);
}
}
M_FREE(DebuggerInfo);
}
GET_SET_CONSOLE_SCREEN_BUFFER_INFO_EX f_GetConsoleScreenBufferInfoEx =
(GET_SET_CONSOLE_SCREEN_BUFFER_INFO_EX)GetProcAddress(
GetModuleHandle("kernel32.dll"),
"GetConsoleScreenBufferInfoEx"
);
GET_SET_CONSOLE_SCREEN_BUFFER_INFO_EX f_SetConsoleScreenBufferInfoEx =
(GET_SET_CONSOLE_SCREEN_BUFFER_INFO_EX)GetProcAddress(
GetModuleHandle("kernel32.dll"),
"SetConsoleScreenBufferInfoEx"
);
if (f_GetConsoleScreenBufferInfoEx &&
f_SetConsoleScreenBufferInfoEx)
{
HANDLE hConsoleOutput = GetStdHandle(STD_OUTPUT_HANDLE);
CONSOLE_SCREEN_BUFFER_INFOEX ConsoleInfo;
ConsoleInfo.cbSize = sizeof(ConsoleInfo);
if (f_GetConsoleScreenBufferInfoEx(hConsoleOutput, &ConsoleInfo))
{
DbgMsg(
__FILE__, __LINE__, "[+] Changing console screen buffer height from %d to %d lines\n",
ConsoleInfo.dwSize.Y, CONSOLE_BUFFER_HEIGHT
);
ConsoleInfo.dwSize.Y = CONSOLE_BUFFER_HEIGHT;
// we don't need horizontal scroll bar
ConsoleInfo.dwSize.X -= 1;
if (!f_SetConsoleScreenBufferInfoEx(hConsoleOutput, &ConsoleInfo))
{
DbgMsg(__FILE__, __LINE__, "SetConsoleScreenBufferInfoEx() ERROR %d\n", GetLastError());
}
}
else
{
DbgMsg(__FILE__, __LINE__, "GetConsoleScreenBufferInfoEx() ERROR %d\n", GetLastError());
}
}
if (!LoadPrivileges(SE_LOAD_DRIVER_NAME))
{
DbgMsg(__FILE__, __LINE__, "Error while loading 'SeLoadDriverPrivilege'\r\n");
goto end;
}
PVOID DriverData = NULL;
DWORD dwDriverDataSize = 0;
// extract kernel driver from resources
#if defined(_X86_)
if (GetResPayload(GetModuleHandle(NULL), RESOURCE_NAME_DRIVER32, &DriverData, &dwDriverDataSize))
#else
if (GetResPayload(GetModuleHandle(NULL), RESOURCE_NAME_DRIVER64, &DriverData, &dwDriverDataSize))
#endif
{
// ... and dump it to the disk
if (!DumpToFile(szDriverFileName, DriverData, dwDriverDataSize))
{
DbgMsg(__FILE__, __LINE__, "Error while creating kernel driver file.\r\n");
goto end;
}
M_FREE(DriverData);
}
else
{
DbgMsg(__FILE__, __LINE__, "Error while extracting kernel driver from resources.\r\n");
goto end;
}
if (!DrvServiceStart(DRIVER_SERVICE_NAME, szDriverFileName, NULL))
{
DbgMsg(__FILE__, __LINE__, "Error while creating/starting system service for kernel driver.\r\n");
goto end;
}
if (m_bBoot)
{
if (!DrvServiceSetStartType(DRIVER_SERVICE_NAME, SERVICE_BOOT_START))
{
DbgMsg(__FILE__, __LINE__, "Error while changing service startup type.\r\n");
goto end;
}
DbgMsg(__FILE__, __LINE__, "Service startup type has been set to the SERVICE_BOOT_START.\r\n");
}
else
{
if (!DrvServiceSetStartType(DRIVER_SERVICE_NAME, SERVICE_DEMAND_START))
{
DbgMsg(__FILE__, __LINE__, "Error while changing service startup type.\r\n");
goto end;
}
}
// create thread for kernel mode APC's
HANDLE hThread = CreateThread(NULL, 0, ApcThread, NULL, 0, &m_dwFuzzThreadId);
if (hThread)
{
DbgMsg(__FILE__, __LINE__, "Thread for kernel mode APC's created (ID: %x)\r\n", m_dwFuzzThreadId);
CloseHandle(hThread);
}
else
{
DbgMsg(__FILE__, __LINE__, "CreateThread() ERROR %d\r\n", GetLastError());
}
if (DrvOpenDevice(DEVICE_NAME, &hDevice))
{
/**
* Fuzzing or monitoring mode
*/
REQUEST_BUFFER Buff;
ZeroMemory(&Buff, sizeof(Buff));
Buff.Code = C_DEL_OPTIONS;
// delete previously saved fuzing/minitoring options
DrvDeviceRequest(&Buff, sizeof(REQUEST_BUFFER));
if (lpszConfigPath)
{
ParseConfig(lpszConfigPath);
}
else
{
SetDefaultOptions();
}
SetConsoleCtrlHandler(CtrlHandler, TRUE);
DialogBox(GetModuleHandle(NULL), MAKEINTRESOURCE(IDD_DIALOG), NULL, (DLGPROC)MainDlg);
BOOL bStopService = TRUE;
ZeroMemory(&Buff, sizeof(Buff));
Buff.Code = C_CHECK_HOOKS;
// check for installed hooks
if (DrvDeviceRequest(&Buff, sizeof(REQUEST_BUFFER)) &&
Buff.CheckHooks.bHooksInstalled)
{
bStopService = FALSE;
if (MessageBox(
0,
"Warning!\r\n"
"Unloading of a kernel driver may be unsafe.\r\n"
"Press <YES> to unload it, or <NO> for just a program termination.",
"Exit from program", MB_YESNO | MB_ICONWARNING | MB_TOPMOST) == IDYES)
{
bStopService = TRUE;
}
}
CloseHandle(hDevice);
if (bStopService)
{
DrvServiceStop(DRIVER_SERVICE_NAME);
}
if (bPrintDevices)
{
goto end;
}
ExitProcess(0);
}
else
{
DbgMsg(__FILE__, __LINE__, "Error while opening kernel driver communication device\r\n");
}
DrvServiceStop(DRIVER_SERVICE_NAME);
end:
printf("Press any key to quit...\r\n");
getch();
return 0;
}
//--------------------------------------------------------------------------------------
// EoF
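Review bot: `lstrcpy(Buff.AddObject.szObjectName, lpszObjectName)` in ParseAllowDenySection — both the copy into the stack `REQUEST_BUFFER` in the old-style loop and the copy into the heap `Buff->AddObject.szObjectName` in the new-style loop — is unbounded, while `szObjectName` is a fixed `char[MAX_REQUEST_STRING]`, so a `<driver>`/`<device>`/`<process>` value of 0x100 bytes or more read from ioctlfuzzer.xml overruns the struct before it is handed to the driver; `lstrcpyn(Buff.AddObject.szObjectName, lpszObjectName, MAX_REQUEST_STRING);` (and the same for the heap copy) truncates and keeps the NUL terminator. Separately, in ParseConfig the `log_file` handle is only adopted inside `if (hDbgLogfile != INVALID_HANDLE_VALUE)`, so when no previous log handle exists the freshly opened `hNewLogfile` is neither used nor closed; move `hDbgLogfile = hNewLogfile;` after the conditional close. In _tmain, `if (lpszConfigPath)` is always true for a local array, so its `SetDefaultOptions()` else-branch is dead (ParseConfig already falls back to it when parsing fails).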
@@ -0,0 +1,3 @@
[17792] DbgInit(): Log file 'c:\Users\minzhen\Desktop\8.3 Hook DeviceIoControlFile(x86 x64)\HookDeviceIoControlFile\HookDeviceIoControlFile\HookDeviceIoControlFile\ioctlfuzzer.log' created
[17792] PipeServerThread(): Listening on pipe '\\.\pipe\IOCTLfuzzer'
[17792] [+] Changing console screen buffer height from 300 to 4096 lines
@@ -0,0 +1,165 @@
// Microsoft Visual C++ generated resource script.
//
#include "resource.h"
#define APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 2 resource.
//
#include "afxres.h"
/////////////////////////////////////////////////////////////////////////////
#undef APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
// Russian resources
#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_RUS)
#ifdef _WIN32
LANGUAGE LANG_RUSSIAN, SUBLANG_DEFAULT
#pragma code_page(1251)
#endif //_WIN32
#ifdef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// TEXTINCLUDE
//
1 TEXTINCLUDE
BEGIN
"resource.h\0"
END
2 TEXTINCLUDE
BEGIN
"#include ""afxres.h""\r\0"
END
3 TEXTINCLUDE
BEGIN
"\r\0"
END
#endif // APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// RT_MANIFEST
//
1 RT_MANIFEST "default.manifest"
/////////////////////////////////////////////////////////////////////////////
//
// Dialog
//
IDD_DIALOG DIALOGEX 0, 0, 258, 159
STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | DS_CENTER | WS_POPUP | WS_CAPTION
CAPTION "IOCTL Fuzzer"
FONT 8, "MS Shell Dlg", 400, 0, 0x1
BEGIN
LTEXT "IOCTL Fuzzer control pannel",IDC_STATIC,55,24,92,8
ICON "IDI_ICON",IDC_STATIC,21,17,21,20
PUSHBUTTON "Hide Dialog",IDC_HIDE,15,128,101,14
PUSHBUTTON "Terminate Application",IDC_TERMINATE,127,128,113,14
GROUPBOX "",IDC_STATIC,7,0,238,152
CONTROL "Enable IOCTL Requests Monitoring",IDC_LOG_CONSOLE,
"Button",BS_AUTOCHECKBOX | WS_TABSTOP,26,65,127,10
CONTROL "Print Logs Into the Debugger Output",IDC_LOG_DEBUGGER,
"Button",BS_AUTOCHECKBOX | WS_TABSTOP,26,99,133,10
GROUPBOX "Logging Options",IDC_STATIC,15,48,221,68
CONTROL "Dump IOCTL Request Buffers (Max. Length: 0x1000)",IDC_LOG_BUFFERS,
"Button",BS_AUTOCHECKBOX | WS_TABSTOP,26,82,186,10
END
/////////////////////////////////////////////////////////////////////////////
//
// Icon
//
// Icon with lowest ID value placed first to ensure application icon
// remains consistent on all systems.
IDI_ICON ICON "resources\\icon.ico"
/////////////////////////////////////////////////////////////////////////////
//
// Version
//
VS_VERSION_INFO VERSIONINFO
FILEVERSION 1,3,0,0
PRODUCTVERSION 1,3,0,0
FILEFLAGSMASK 0x17L
#ifdef _DEBUG
FILEFLAGS 0x1L
#else
FILEFLAGS 0x0L
#endif
FILEOS 0x4L
FILETYPE 0x1L
FILESUBTYPE 0x0L
BEGIN
BLOCK "StringFileInfo"
BEGIN
BLOCK "000004b0"
BEGIN
VALUE "CompanyName", "Esage Lab"
VALUE "FileDescription", "IOCTL fuzzer for kernel drivers"
VALUE "FileVersion", "1, 3, 0, 0"
VALUE "InternalName", "ioctlfuzzer.exe"
VALUE "LegalCopyright", "Copyright (C) 2011"
VALUE "OriginalFilename", "ioctlfuzzer.exe"
VALUE "ProductName", "IOCTLFuzzer"
VALUE "ProductVersion", "1, 3, 0, 0"
END
END
BLOCK "VarFileInfo"
BEGIN
VALUE "Translation", 0x0, 1200
END
END
/////////////////////////////////////////////////////////////////////////////
//
// BINRES
//
DRIVER32 BINRES "..\\driver_i386.sys"
DRIVER64 BINRES "..\\driver_amd64.sys"
/////////////////////////////////////////////////////////////////////////////
//
// DESIGNINFO
//
#ifdef APSTUDIO_INVOKED
GUIDELINES DESIGNINFO
BEGIN
IDD_DIALOG, DIALOG
BEGIN
RIGHTMARGIN, 252
BOTTOMMARGIN, 152
END
END
#endif // APSTUDIO_INVOKED
#endif // Russian resources
/////////////////////////////////////////////////////////////////////////////
#ifndef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 3 resource.
//
/////////////////////////////////////////////////////////////////////////////
#endif // not APSTUDIO_INVOKED
@@ -0,0 +1,73 @@
typedef LONG NTSTATUS;
typedef struct _IO_STATUS_BLOCK
{
union {
NTSTATUS Status;
PVOID Pointer;
};
ULONG_PTR Information;
} IO_STATUS_BLOCK,
*PIO_STATUS_BLOCK;
#undef UNICODE_STRING
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING,
*PUNICODE_STRING;
#define OBJ_INHERIT 0x00000002
#define OBJ_PERMANENT 0x00000010
#define OBJ_EXCLUSIVE 0x00000020
#define OBJ_CASE_INSENSITIVE 0x00000040
#define OBJ_OPENIF 0x00000080
#define OBJ_OPENLINK 0x00000100
#define OBJ_VALID_ATTRIBUTES 0x000001F2
typedef struct _OBJECT_ATTRIBUTES
{
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES,
*POBJECT_ATTRIBUTES;
#define InitializeObjectAttributes( p, n, a, r, s ) { \
(p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
(p)->RootDirectory = r; \
(p)->Attributes = a; \
(p)->ObjectName = n; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = NULL; \
}
#define NT_SUCCESS(Status) ((LONG)(Status) >= 0)
#define NT_ERROR(Status) ((ULONG)(Status) >> 30 == 3)
#define NtCurrentProcess() ((HANDLE)-1)
#ifndef STATUS_BUFFER_OVERFLOW
#define STATUS_BUFFER_OVERFLOW ((NTSTATUS)0x80000005L)
#endif
#ifndef STATUS_NO_MORE_FILES
#define STATUS_NO_MORE_FILES ((NTSTATUS)0x80000006L)
#endif
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#endif
#ifndef STATUS_BUFFER_TOO_SMALL
#define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023L)
#endif
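Review bot: The typedefs for `IO_STATUS_BLOCK`, `UNICODE_STRING` and `OBJECT_ATTRIBUTES` duplicate names that the SDK's winternl.h also declares, and the `#undef UNICODE_STRING` just above the struct suggests that collision has already been hit; a translation unit that includes both headers will fail with redefinition errors. A header comment stating the constraint, e.g. `// Minimal native (Nt*) definitions; do not include together with <winternl.h>, which declares the same names`, would save the next maintainer the build break. Whether the `#undef` is still needed once that rule is followed is unclear from this hunk alone.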
@@ -0,0 +1,44 @@
/**
* Program information, copyright, etc.
*/
#define PROGRAM_NAME "IOCTL Fuzzer"
#define PROGRAM_AUTHOR "by Oleksiuk Dmytro (aka Cr4sh) :: dmitry@esagelab.com"
#define PROGRAM_COPYRIGHT "(c) 2011 Esage Lab :: http://www.esagelab.com/"
/**
* Log file name to store all IOCTLs requests information.
*/
#define IOCTLS_LOG_NAME L"ioctls.log"
/**
* Main application log file name.
*/
#define IOCTLFUZZER_LOG_FILE "ioctlfuzzer.log"
/**
* File and service name for the kernel driver.
*/
#define DRIVER_SERVICE_NAME "IOCTL_fuzzer"
#define DRIVER_FILE_NAME "IOCTL_fuzzer.sys"
/**
* Directory name to store downloaded debug symbols.
*/
#define SYMBOLS_DIR_NAME "Symbols"
/**
* Default value for fuzzing type option.
*/
#define DEFAULT_FUZZING_TYPE FuzzingType_Random
/**
* IOCTL buffer length limit for dumping into the
* application log or debugger output.
*/
#define MAX_IOCTL_BUFFER_LEGTH 0x100
/**
* Maximum number of lines in console window.
*/
#define CONSOLE_BUFFER_HEIGHT 0x1000
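Review bot: `MAX_IOCTL_BUFFER_LEGTH` is defined as 0x100 here, while the checkbox label in the resource script added in this same commit reads `Dump IOCTL Request Buffers (Max. Length: 0x1000)`; if this define is the limit that option refers to, one of the two values is stale and the UI misstates how much of each request buffer is logged. The identifier is also misspelled (`LEGTH`); renaming it to `MAX_IOCTL_BUFFER_LENGTH` would require the same change at every use site, so at minimum the comment above it should say which value is authoritative, e.g. `* Must match the limit quoted in the IDC_LOG_BUFFERS label of the resource script.`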
@@ -0,0 +1,501 @@
//{{NO_DEPENDENCIES}}
// Microsoft Visual C++ generated include file.
// Used by ioctlfuzzer.rc
//
#define ID_SEPARATOR 0
#define VS_VERSION_INFO 1
#define AFX_IDC_LISTBOX 100
#define AFX_IDC_CHANGE 101
#define IDD_DIALOG 101
#define AFX_IDC_BROWSER 102
#define AFX_IDC_PRINT_DOCNAME 201
#define AFX_IDC_PRINT_PRINTERNAME 202
#define AFX_IDC_PRINT_PORTNAME 203
#define AFX_IDC_PRINT_PAGENUM 204
#define ID_MFCLOC_MANIFEST 1000
#define AFX_IDC_FONTPROP 1000
#define IDC_HIDE 1000
#define AFX_IDC_FONTNAMES 1001
#define IDC_TERMINATE 1001
#define AFX_IDC_FONTSTYLES 1002
#define AFX_IDC_FONTSIZES 1003
#define AFX_IDC_STRIKEOUT 1004
#define AFX_IDC_UNDERLINE 1005
#define IDC_LOG_CONSOLE 1005
#define AFX_IDC_SAMPLEBOX 1006
#define IDC_FUZZ_SIZE2 1008
#define IDC_LOG_DEBUGGER 1008
#define IDC_LOG_BUFFERS 1009
#define IDC_CHECK2 1010
#define IDC_LOG_EXCEPTIONS 1010
#define AFX_IDC_COLOR_BLACK 1100
#define AFX_IDC_COLOR_WHITE 1101
#define AFX_IDC_COLOR_RED 1102
#define AFX_IDC_COLOR_GREEN 1103
#define AFX_IDC_COLOR_BLUE 1104
#define AFX_IDC_COLOR_YELLOW 1105
#define AFX_IDC_COLOR_MAGENTA 1106
#define AFX_IDC_COLOR_CYAN 1107
#define AFX_IDC_COLOR_GRAY 1108
#define AFX_IDC_COLOR_LIGHTGRAY 1109
#define AFX_IDC_COLOR_DARKRED 1110
#define AFX_IDC_COLOR_DARKGREEN 1111
#define AFX_IDC_COLOR_DARKBLUE 1112
#define AFX_IDC_COLOR_LIGHTBROWN 1113
#define AFX_IDC_COLOR_DARKMAGENTA 1114
#define AFX_IDC_COLOR_DARKCYAN 1115
#define AFX_IDC_COLORPROP 1116
#define AFX_IDC_SYSTEMCOLORS 1117
#define AFX_IDC_PROPNAME 1201
#define AFX_IDC_PICTURE 1202
#define AFX_IDC_BROWSE 1203
#define AFX_IDC_CLEAR 1204
#define AFX_IDC_TAB_CONTROL 0x3020
#define ID_APPLY_NOW 0x3021
#define ID_WIZBACK 0x3023
#define ID_WIZNEXT 0x3024
#define ID_WIZFINISH 0x3025
#define AFX_IDD_NEWTYPEDLG 30721
#define AFX_IDD_PRINTDLG 30722
#define AFX_IDD_PREVIEW_TOOLBAR 30723
#define AFX_IDD_INSERTOBJECT 30724
#define AFX_IDD_CHANGEICON 30725
#define AFX_IDD_CONVERT 30726
#define AFX_IDD_PASTESPECIAL 30727
#define AFX_IDD_EDITLINKS 30728
#define AFX_IDD_FILEBROWSE 30729
#define AFX_IDD_BUSY 30730
#define AFX_IDD_OBJECTPROPERTIES 30732
#define AFX_IDD_CHANGESOURCE 30733
#define AFX_IDD_EMPTYDIALOG 30734
#define AFX_IDC_CONTEXTHELP 30977
#define AFX_IDC_MAGNIFY 30978
#define AFX_IDC_SMALLARROWS 30979
#define AFX_IDC_HSPLITBAR 30980
#define AFX_IDC_VSPLITBAR 30981
#define AFX_IDC_NODROPCRSR 30982
#define AFX_IDC_TRACKNWSE 30983
#define AFX_IDC_TRACKNESW 30984
#define AFX_IDC_TRACKNS 30985
#define AFX_IDC_TRACKWE 30986
#define AFX_IDC_TRACK4WAY 30987
#define AFX_IDC_MOVE4WAY 30988
#define AFX_IDB_MINIFRAME_MENU 30994
#define AFX_IDB_CHECKLISTBOX_95 30996
#define AFX_IDR_PREVIEW_ACCEL 30997
#define AFX_IDC_MOUSE_PAN_NW 30998
#define AFX_IDC_MOUSE_PAN_N 30999
#define AFX_IDC_MOUSE_PAN_NE 31000
#define AFX_IDC_MOUSE_PAN_W 31001
#define AFX_IDC_MOUSE_PAN_HV 31002
#define AFX_IDC_MOUSE_PAN_E 31003
#define AFX_IDC_MOUSE_PAN_SW 31004
#define AFX_IDC_MOUSE_PAN_S 31005
#define AFX_IDC_MOUSE_PAN_SE 31006
#define AFX_IDC_MOUSE_PAN_HORZ 31007
#define AFX_IDC_MOUSE_PAN_VERT 31008
#define AFX_IDC_MOUSE_ORG_HORZ 31009
#define AFX_IDC_MOUSE_ORG_VERT 31010
#define AFX_IDC_MOUSE_ORG_HV 31011
#define AFX_IDC_MOUSE_MASK 31012
#define AFX_IDI_STD_MDIFRAME 31233
#define AFX_IDI_STD_FRAME 31234
#define AFX_IDD_PROPPAGE_COLOR 32257
#define AFX_IDD_PROPPAGE_FONT 32258
#define AFX_IDD_PROPPAGE_PICTURE 32259
#define AFX_IDB_TRUETYPE 32384
#define AFX_IDS_APP_TITLE 0xE000
#define AFX_IDS_IDLEMESSAGE 0xE001
#define AFX_IDS_HELPMODEMESSAGE 0xE002
#define AFX_IDS_APP_TITLE_EMBEDDING 0xE003
#define AFX_IDS_COMPANY_NAME 0xE004
#define AFX_IDS_OBJ_TITLE_INPLACE 0xE005
#define ID_FILE_NEW 0xE100
#define ID_FILE_OPEN 0xE101
#define ID_FILE_CLOSE 0xE102
#define ID_FILE_SAVE 0xE103
#define ID_FILE_SAVE_AS 0xE104
#define ID_FILE_PAGE_SETUP 0xE105
#define ID_FILE_PRINT_SETUP 0xE106
#define ID_FILE_PRINT 0xE107
#define ID_FILE_PRINT_DIRECT 0xE108
#define ID_FILE_PRINT_PREVIEW 0xE109
#define ID_FILE_UPDATE 0xE10A
#define ID_FILE_SAVE_COPY_AS 0xE10B
#define ID_FILE_SEND_MAIL 0xE10C
#define ID_FILE_NEW_FRAME 0xE10D
#define ID_FILE_MRU_FIRST 0xE110
#define ID_FILE_MRU_FILE1 0xE110
#define ID_FILE_MRU_FILE2 0xE111
#define ID_FILE_MRU_FILE3 0xE112
#define ID_FILE_MRU_FILE4 0xE113
#define ID_FILE_MRU_FILE5 0xE114
#define ID_FILE_MRU_FILE6 0xE115
#define ID_FILE_MRU_FILE7 0xE116
#define ID_FILE_MRU_FILE8 0xE117
#define ID_FILE_MRU_FILE9 0xE118
#define ID_FILE_MRU_FILE10 0xE119
#define ID_FILE_MRU_FILE11 0xE11A
#define ID_FILE_MRU_FILE12 0xE11B
#define ID_FILE_MRU_FILE13 0xE11C
#define ID_FILE_MRU_FILE14 0xE11D
#define ID_FILE_MRU_FILE15 0xE11E
#define ID_FILE_MRU_FILE16 0xE11F
#define ID_FILE_MRU_LAST 0xE11F
#define ID_EDIT_CLEAR 0xE120
#define ID_EDIT_CLEAR_ALL 0xE121
#define ID_EDIT_COPY 0xE122
#define ID_EDIT_CUT 0xE123
#define ID_EDIT_FIND 0xE124
#define ID_EDIT_PASTE 0xE125
#define ID_EDIT_PASTE_LINK 0xE126
#define ID_EDIT_PASTE_SPECIAL 0xE127
#define ID_EDIT_REPEAT 0xE128
#define ID_EDIT_REPLACE 0xE129
#define ID_EDIT_SELECT_ALL 0xE12A
#define ID_EDIT_UNDO 0xE12B
#define ID_EDIT_REDO 0xE12C
#define ID_WINDOW_NEW 0xE130
#define ID_WINDOW_ARRANGE 0xE131
#define ID_WINDOW_CASCADE 0xE132
#define ID_WINDOW_TILE_HORZ 0xE133
#define ID_WINDOW_TILE_VERT 0xE134
#define ID_WINDOW_SPLIT 0xE135
#define ID_APP_ABOUT 0xE140
#define ID_APP_EXIT 0xE141
#define ID_HELP_INDEX 0xE142
#define ID_HELP_FINDER 0xE143
#define ID_HELP_USING 0xE144
#define ID_CONTEXT_HELP 0xE145
#define ID_HELP 0xE146
#define ID_DEFAULT_HELP 0xE147
#define ID_NEXT_PANE 0xE150
#define ID_PREV_PANE 0xE151
#define ID_FORMAT_FONT 0xE160
#define ID_OLE_INSERT_NEW 0xE200
#define ID_OLE_EDIT_LINKS 0xE201
#define ID_OLE_EDIT_CONVERT 0xE202
#define ID_OLE_EDIT_CHANGE_ICON 0xE203
#define ID_OLE_EDIT_PROPERTIES 0xE204
#define ID_OLE_VERB_FIRST 0xE210
#define AFX_ID_PREVIEW_CLOSE 0xE300
#define AFX_ID_PREVIEW_NUMPAGE 0xE301
#define AFX_ID_PREVIEW_NEXT 0xE302
#define AFX_ID_PREVIEW_PREV 0xE303
#define AFX_ID_PREVIEW_PRINT 0xE304
#define AFX_ID_PREVIEW_ZOOMIN 0xE305
#define AFX_ID_PREVIEW_ZOOMOUT 0xE306
#define ID_INDICATOR_EXT 0xE700
#define ID_INDICATOR_CAPS 0xE701
#define ID_INDICATOR_NUM 0xE702
#define ID_INDICATOR_SCRL 0xE703
#define ID_INDICATOR_OVR 0xE704
#define ID_INDICATOR_REC 0xE705
#define ID_INDICATOR_KANA 0xE706
#define ID_VIEW_TOOLBAR 0xE800
#define ID_VIEW_STATUS_BAR 0xE801
#define ID_VIEW_REBAR 0xE804
#define ID_VIEW_AUTOARRANGE 0xE805
#define ID_VIEW_SMALLICON 0xE810
#define ID_VIEW_LARGEICON 0xE811
#define ID_VIEW_LIST 0xE812
#define ID_VIEW_DETAILS 0xE813
#define ID_VIEW_LINEUP 0xE814
#define ID_VIEW_BYNAME 0xE815
#define ID_RECORD_FIRST 0xE900
#define ID_RECORD_LAST 0xE901
#define ID_RECORD_NEXT 0xE902
#define ID_RECORD_PREV 0xE903
#define AFX_IDS_SCSIZE 0xEF00
#define AFX_IDS_SCMOVE 0xEF01
#define AFX_IDS_SCMINIMIZE 0xEF02
#define AFX_IDS_SCMAXIMIZE 0xEF03
#define AFX_IDS_SCNEXTWINDOW 0xEF04
#define AFX_IDS_SCPREVWINDOW 0xEF05
#define AFX_IDS_SCCLOSE 0xEF06
#define AFX_IDS_SCRESTORE 0xEF12
#define AFX_IDS_SCTASKLIST 0xEF13
#define AFX_IDS_MDICHILD 0xEF1F
#define AFX_IDS_DESKACCESSORY 0xEFDA
#define AFX_IDS_OPENFILE 0xF000
#define AFX_IDS_SAVEFILE 0xF001
#define AFX_IDS_ALLFILTER 0xF002
#define AFX_IDS_UNTITLED 0xF003
#define AFX_IDS_SAVEFILECOPY 0xF004
#define AFX_IDS_PREVIEW_CLOSE 0xF005
#define AFX_IDS_UNNAMED_FILE 0xF006
#define AFX_IDS_HIDE 0xF011
#define AFX_IDP_NO_ERROR_AVAILABLE 0xF020
#define AFX_IDS_NOT_SUPPORTED_EXCEPTION 0xF021
#define AFX_IDS_RESOURCE_EXCEPTION 0xF022
#define AFX_IDS_MEMORY_EXCEPTION 0xF023
#define AFX_IDS_USER_EXCEPTION 0xF024
#define AFX_IDS_INVALID_ARG_EXCEPTION 0xF025
#define AFX_IDS_PRINTONPORT 0xF040
#define AFX_IDS_ONEPAGE 0xF041
#define AFX_IDS_TWOPAGE 0xF042
#define AFX_IDS_PRINTPAGENUM 0xF043
#define AFX_IDS_PREVIEWPAGEDESC 0xF044
#define AFX_IDS_PRINTDEFAULTEXT 0xF045
#define AFX_IDS_PRINTDEFAULT 0xF046
#define AFX_IDS_PRINTFILTER 0xF047
#define AFX_IDS_PRINTCAPTION 0xF048
#define AFX_IDS_PRINTTOFILE 0xF049
#define AFX_IDS_OBJECT_MENUITEM 0xF080
#define AFX_IDS_EDIT_VERB 0xF081
#define AFX_IDS_ACTIVATE_VERB 0xF082
#define AFX_IDS_CHANGE_LINK 0xF083
#define AFX_IDS_AUTO 0xF084
#define AFX_IDS_MANUAL 0xF085
#define AFX_IDS_FROZEN 0xF086
#define AFX_IDS_ALL_FILES 0xF087
#define AFX_IDS_SAVE_MENU 0xF088
#define AFX_IDS_UPDATE_MENU 0xF089
#define AFX_IDS_SAVE_AS_MENU 0xF08A
#define AFX_IDS_SAVE_COPY_AS_MENU 0xF08B
#define AFX_IDS_EXIT_MENU 0xF08C
#define AFX_IDS_UPDATING_ITEMS 0xF08D
#define AFX_IDS_METAFILE_FORMAT 0xF08E
#define AFX_IDS_DIB_FORMAT 0xF08F
#define AFX_IDS_BITMAP_FORMAT 0xF090
#define AFX_IDS_LINKSOURCE_FORMAT 0xF091
#define AFX_IDS_EMBED_FORMAT 0xF092
#define AFX_IDS_PASTELINKEDTYPE 0xF094
#define AFX_IDS_UNKNOWNTYPE 0xF095
#define AFX_IDS_RTF_FORMAT 0xF096
#define AFX_IDS_TEXT_FORMAT 0xF097
#define AFX_IDS_INVALID_CURRENCY 0xF098
#define AFX_IDS_INVALID_DATETIME 0xF099
#define AFX_IDS_INVALID_DATETIMESPAN 0xF09A
#define AFX_IDP_INVALID_FILENAME 0xF100
#define AFX_IDP_FAILED_TO_OPEN_DOC 0xF101
#define AFX_IDP_FAILED_TO_SAVE_DOC 0xF102
#define AFX_IDP_ASK_TO_SAVE 0xF103
#define AFX_IDP_FAILED_TO_CREATE_DOC 0xF104
#define AFX_IDP_FILE_TOO_LARGE 0xF105
#define AFX_IDP_FAILED_TO_START_PRINT 0xF106
#define AFX_IDP_FAILED_TO_LAUNCH_HELP 0xF107
#define AFX_IDP_INTERNAL_FAILURE 0xF108
#define AFX_IDP_COMMAND_FAILURE 0xF109
#define AFX_IDP_FAILED_MEMORY_ALLOC 0xF10A
#define AFX_IDP_UNREG_DONE 0xF10B
#define AFX_IDP_UNREG_FAILURE 0xF10C
#define AFX_IDP_DLL_LOAD_FAILED 0xF10D
#define AFX_IDP_DLL_BAD_VERSION 0xF10E
#define AFX_IDP_PARSE_INT 0xF110
#define AFX_IDP_PARSE_REAL 0xF111
#define AFX_IDP_PARSE_INT_RANGE 0xF112
#define AFX_IDP_PARSE_REAL_RANGE 0xF113
#define AFX_IDP_PARSE_STRING_SIZE 0xF114
#define AFX_IDP_PARSE_RADIO_BUTTON 0xF115
#define AFX_IDP_PARSE_BYTE 0xF116
#define AFX_IDP_PARSE_UINT 0xF117
#define AFX_IDP_PARSE_DATETIME 0xF118
#define AFX_IDP_PARSE_CURRENCY 0xF119
#define AFX_IDP_PARSE_GUID 0xF11A
#define AFX_IDP_PARSE_TIME 0xF11B
#define AFX_IDP_PARSE_DATE 0xF11C
#define AFX_IDP_FAILED_INVALID_FORMAT 0xF120
#define AFX_IDP_FAILED_INVALID_PATH 0xF121
#define AFX_IDP_FAILED_DISK_FULL 0xF122
#define AFX_IDP_FAILED_ACCESS_READ 0xF123
#define AFX_IDP_FAILED_ACCESS_WRITE 0xF124
#define AFX_IDP_FAILED_IO_ERROR_READ 0xF125
#define AFX_IDP_FAILED_IO_ERROR_WRITE 0xF126
#define AFX_IDP_SCRIPT_ERROR 0xF130
#define AFX_IDP_SCRIPT_DISPATCH_EXCEPTION 0xF131
#define AFX_IDP_STATIC_OBJECT 0xF180
#define AFX_IDP_FAILED_TO_CONNECT 0xF181
#define AFX_IDP_SERVER_BUSY 0xF182
#define AFX_IDP_BAD_VERB 0xF183
#define AFX_IDS_NOT_DOCOBJECT 0xF184
#define AFX_IDP_FAILED_TO_NOTIFY 0xF185
#define AFX_IDP_FAILED_TO_LAUNCH 0xF186
#define AFX_IDP_ASK_TO_UPDATE 0xF187
#define AFX_IDP_FAILED_TO_UPDATE 0xF188
#define AFX_IDP_FAILED_TO_REGISTER 0xF189
#define AFX_IDP_FAILED_TO_AUTO_REGISTER 0xF18A
#define AFX_IDP_FAILED_TO_CONVERT 0xF18B
#define AFX_IDP_GET_NOT_SUPPORTED 0xF18C
#define AFX_IDP_SET_NOT_SUPPORTED 0xF18D
#define AFX_IDP_ASK_TO_DISCARD 0xF18E
#define AFX_IDP_FAILED_TO_CREATE 0xF18F
#define AFX_IDP_FAILED_MAPI_LOAD 0xF190
#define AFX_IDP_INVALID_MAPI_DLL 0xF191
#define AFX_IDP_FAILED_MAPI_SEND 0xF192
#define AFX_IDP_FILE_NONE 0xF1A0
#define AFX_IDP_FILE_GENERIC 0xF1A1
#define AFX_IDP_FILE_NOT_FOUND 0xF1A2
#define AFX_IDP_FILE_BAD_PATH 0xF1A3
#define AFX_IDP_FILE_TOO_MANY_OPEN 0xF1A4
#define AFX_IDP_FILE_ACCESS_DENIED 0xF1A5
#define AFX_IDP_FILE_INVALID_FILE 0xF1A6
#define AFX_IDP_FILE_REMOVE_CURRENT 0xF1A7
#define AFX_IDP_FILE_DIR_FULL 0xF1A8
#define AFX_IDP_FILE_BAD_SEEK 0xF1A9
#define AFX_IDP_FILE_HARD_IO 0xF1AA
#define AFX_IDP_FILE_SHARING 0xF1AB
#define AFX_IDP_FILE_LOCKING 0xF1AC
#define AFX_IDP_FILE_DISKFULL 0xF1AD
#define AFX_IDP_FILE_EOF 0xF1AE
#define AFX_IDP_ARCH_NONE 0xF1B0
#define AFX_IDP_ARCH_GENERIC 0xF1B1
#define AFX_IDP_ARCH_READONLY 0xF1B2
#define AFX_IDP_ARCH_ENDOFFILE 0xF1B3
#define AFX_IDP_ARCH_WRITEONLY 0xF1B4
#define AFX_IDP_ARCH_BADINDEX 0xF1B5
#define AFX_IDP_ARCH_BADCLASS 0xF1B6
#define AFX_IDP_ARCH_BADSCHEMA 0xF1B7
#define AFX_IDS_OCC_SCALEUNITS_PIXELS 0xF1C0
#define AFX_IDS_STATUS_FONT 0xF230
#define AFX_IDS_TOOLTIP_FONT 0xF231
#define AFX_IDS_UNICODE_FONT 0xF232
#define AFX_IDS_MINI_FONT 0xF233
#define AFX_IDP_SQL_CONNECT_FAIL 0xF281
#define AFX_IDP_SQL_RECORDSET_FORWARD_ONLY 0xF282
#define AFX_IDP_SQL_EMPTY_COLUMN_LIST 0xF283
#define AFX_IDP_SQL_FIELD_SCHEMA_MISMATCH 0xF284
#define AFX_IDP_SQL_ILLEGAL_MODE 0xF285
#define AFX_IDP_SQL_MULTIPLE_ROWS_AFFECTED 0xF286
#define AFX_IDP_SQL_NO_CURRENT_RECORD 0xF287
#define AFX_IDP_SQL_NO_ROWS_AFFECTED 0xF288
#define AFX_IDP_SQL_RECORDSET_READONLY 0xF289
#define AFX_IDP_SQL_SQL_NO_TOTAL 0xF28A
#define AFX_IDP_SQL_ODBC_LOAD_FAILED 0xF28B
#define AFX_IDP_SQL_DYNASET_NOT_SUPPORTED 0xF28C
#define AFX_IDP_SQL_SNAPSHOT_NOT_SUPPORTED 0xF28D
#define AFX_IDP_SQL_API_CONFORMANCE 0xF28E
#define AFX_IDP_SQL_SQL_CONFORMANCE 0xF28F
#define AFX_IDP_SQL_NO_DATA_FOUND 0xF290
#define AFX_IDP_SQL_ROW_UPDATE_NOT_SUPPORTED 0xF291
#define AFX_IDP_SQL_ODBC_V2_REQUIRED 0xF292
#define AFX_IDP_SQL_NO_POSITIONED_UPDATES 0xF293
#define AFX_IDP_SQL_LOCK_MODE_NOT_SUPPORTED 0xF294
#define AFX_IDP_SQL_DATA_TRUNCATED 0xF295
#define AFX_IDP_SQL_ROW_FETCH 0xF296
#define AFX_IDP_SQL_INCORRECT_ODBC 0xF297
#define AFX_IDP_SQL_UPDATE_DELETE_FAILED 0xF298
#define AFX_IDP_SQL_DYNAMIC_CURSOR_NOT_SUPPORTED 0xF299
#define AFX_IDP_SQL_FIELD_NOT_FOUND 0xF29A
#define AFX_IDP_SQL_BOOKMARKS_NOT_SUPPORTED 0xF29B
#define AFX_IDP_SQL_BOOKMARKS_NOT_ENABLED 0xF29C
#define AFX_IDS_DELETED 0xF29D
#define AFX_IDP_DAO_ENGINE_INITIALIZATION 0xF2B0
#define AFX_IDP_DAO_DFX_BIND 0xF2B1
#define AFX_IDP_DAO_OBJECT_NOT_OPEN 0xF2B2
#define AFX_IDP_DAO_ROWTOOSHORT 0xF2B3
#define AFX_IDP_DAO_BADBINDINFO 0xF2B4
#define AFX_IDP_DAO_COLUMNUNAVAILABLE 0xF2B5
#define AFX_IDS_HTTP_TITLE 0xF2D1
#define AFX_IDS_HTTP_NO_TEXT 0xF2D2
#define AFX_IDS_HTTP_BAD_REQUEST 0xF2D3
#define AFX_IDS_HTTP_AUTH_REQUIRED 0xF2D4
#define AFX_IDS_HTTP_FORBIDDEN 0xF2D5
#define AFX_IDS_HTTP_NOT_FOUND 0xF2D6
#define AFX_IDS_HTTP_SERVER_ERROR 0xF2D7
#define AFX_IDS_HTTP_NOT_IMPLEMENTED 0xF2D8
#define AFX_IDS_CHECKLISTBOX_UNCHECK 0xF2E1
#define AFX_IDS_CHECKLISTBOX_CHECK 0xF2E2
#define AFX_IDS_CHECKLISTBOX_MIXED 0xF2E3
#define AFX_IDS_PROPPAGE_UNKNOWN 0xFE01
#define AFX_IDS_COLOR_DESKTOP 0xFE04
#define AFX_IDS_COLOR_APPWORKSPACE 0xFE05
#define AFX_IDS_COLOR_WNDBACKGND 0xFE06
#define AFX_IDS_COLOR_WNDTEXT 0xFE07
#define AFX_IDS_COLOR_MENUBAR 0xFE08
#define AFX_IDS_COLOR_MENUTEXT 0xFE09
#define AFX_IDS_COLOR_ACTIVEBAR 0xFE0A
#define AFX_IDS_COLOR_INACTIVEBAR 0xFE0B
#define AFX_IDS_COLOR_ACTIVETEXT 0xFE0C
#define AFX_IDS_COLOR_INACTIVETEXT 0xFE0D
#define AFX_IDS_COLOR_ACTIVEBORDER 0xFE0E
#define AFX_IDS_COLOR_INACTIVEBORDER 0xFE0F
#define AFX_IDS_COLOR_WNDFRAME 0xFE10
#define AFX_IDS_COLOR_SCROLLBARS 0xFE11
#define AFX_IDS_COLOR_BTNFACE 0xFE12
#define AFX_IDS_COLOR_BTNSHADOW 0xFE13
#define AFX_IDS_COLOR_BTNTEXT 0xFE14
#define AFX_IDS_COLOR_BTNHIGHLIGHT 0xFE15
#define AFX_IDS_COLOR_DISABLEDTEXT 0xFE16
#define AFX_IDS_COLOR_HIGHLIGHT 0xFE17
#define AFX_IDS_COLOR_HIGHLIGHTTEXT 0xFE18
#define AFX_IDS_REGULAR 0xFE19
#define AFX_IDS_BOLD 0xFE1A
#define AFX_IDS_ITALIC 0xFE1B
#define AFX_IDS_BOLDITALIC 0xFE1C
#define AFX_IDS_SAMPLETEXT 0xFE1D
#define AFX_IDS_DISPLAYSTRING_FONT 0xFE1E
#define AFX_IDS_DISPLAYSTRING_COLOR 0xFE1F
#define AFX_IDS_DISPLAYSTRING_PICTURE 0xFE20
#define AFX_IDS_PICTUREFILTER 0xFE21
#define AFX_IDS_PICTYPE_UNKNOWN 0xFE22
#define AFX_IDS_PICTYPE_NONE 0xFE23
#define AFX_IDS_PICTYPE_BITMAP 0xFE24
#define AFX_IDS_PICTYPE_METAFILE 0xFE25
#define AFX_IDS_PICTYPE_ICON 0xFE26
#define AFX_IDS_COLOR_PPG 0xFE28
#define AFX_IDS_COLOR_PPG_CAPTION 0xFE29
#define AFX_IDS_FONT_PPG 0xFE2A
#define AFX_IDS_FONT_PPG_CAPTION 0xFE2B
#define AFX_IDS_PICTURE_PPG 0xFE2C
#define AFX_IDS_PICTURE_PPG_CAPTION 0xFE2D
#define AFX_IDS_PICTUREBROWSETITLE 0xFE30
#define AFX_IDS_BORDERSTYLE_0 0xFE31
#define AFX_IDS_BORDERSTYLE_1 0xFE32
#define AFX_IDS_VERB_EDIT 0xFE40
#define AFX_IDS_VERB_PROPERTIES 0xFE41
#define AFX_IDP_PICTURECANTOPEN 0xFE83
#define AFX_IDP_PICTURECANTLOAD 0xFE84
#define AFX_IDP_PICTURETOOLARGE 0xFE85
#define AFX_IDP_PICTUREREADFAILED 0xFE86
#define AFX_IDP_E_ILLEGALFUNCTIONCALL 0xFEA0
#define AFX_IDP_E_OVERFLOW 0xFEA1
#define AFX_IDP_E_OUTOFMEMORY 0xFEA2
#define AFX_IDP_E_DIVISIONBYZERO 0xFEA3
#define AFX_IDP_E_OUTOFSTRINGSPACE 0xFEA4
#define AFX_IDP_E_OUTOFSTACKSPACE 0xFEA5
#define AFX_IDP_E_BADFILENAMEORNUMBER 0xFEA6
#define AFX_IDP_E_FILENOTFOUND 0xFEA7
#define AFX_IDP_E_BADFILEMODE 0xFEA8
#define AFX_IDP_E_FILEALREADYOPEN 0xFEA9
#define AFX_IDP_E_DEVICEIOERROR 0xFEAA
#define AFX_IDP_E_FILEALREADYEXISTS 0xFEAB
#define AFX_IDP_E_BADRECORDLENGTH 0xFEAC
#define AFX_IDP_E_DISKFULL 0xFEAD
#define AFX_IDP_E_BADRECORDNUMBER 0xFEAE
#define AFX_IDP_E_BADFILENAME 0xFEAF
#define AFX_IDP_E_TOOMANYFILES 0xFEB0
#define AFX_IDP_E_DEVICEUNAVAILABLE 0xFEB1
#define AFX_IDP_E_PERMISSIONDENIED 0xFEB2
#define AFX_IDP_E_DISKNOTREADY 0xFEB3
#define AFX_IDP_E_PATHFILEACCESSERROR 0xFEB4
#define AFX_IDP_E_PATHNOTFOUND 0xFEB5
#define AFX_IDP_E_INVALIDPATTERNSTRING 0xFEB6
#define AFX_IDP_E_INVALIDUSEOFNULL 0xFEB7
#define AFX_IDP_E_INVALIDFILEFORMAT 0xFEB8
#define AFX_IDP_E_INVALIDPROPERTYVALUE 0xFEB9
#define AFX_IDP_E_INVALIDPROPERTYARRAYINDEX 0xFEBA
#define AFX_IDP_E_SETNOTSUPPORTEDATRUNTIME 0xFEBB
#define AFX_IDP_E_SETNOTSUPPORTED 0xFEBC
#define AFX_IDP_E_NEEDPROPERTYARRAYINDEX 0xFEBD
#define AFX_IDP_E_SETNOTPERMITTED 0xFEBE
#define AFX_IDP_E_GETNOTSUPPORTEDATRUNTIME 0xFEBF
#define AFX_IDP_E_GETNOTSUPPORTED 0xFEC0
#define AFX_IDP_E_PROPERTYNOTFOUND 0xFEC1
#define AFX_IDP_E_INVALIDCLIPBOARDFORMAT 0xFEC2
#define AFX_IDP_E_INVALIDPICTURE 0xFEC3
#define AFX_IDP_E_PRINTERERROR 0xFEC4
#define AFX_IDP_E_CANTSAVEFILETOTEMP 0xFEC5
#define AFX_IDP_E_SEARCHTEXTNOTFOUND 0xFEC6
#define AFX_IDP_E_REPLACEMENTSTOOLONG 0xFEC7
// Next default values for new objects
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 102
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1011
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif
@@ -0,0 +1,368 @@
#include "stdafx.h"
// defined if ioctlfuzzer.cpp
extern HANDLE hDevice;
//--------------------------------------------------------------------------------------
BOOL DrvOpenDevice(PWSTR DriverName, HANDLE *lphDevice)
{
WCHAR DeviceName[MAX_PATH];
HANDLE hDevice = NULL;
if ((GetVersion() & 0xFF) >= 5)
{
wcscpy(DeviceName, L"\\\\.\\Global\\");
}
else
{
wcscpy(DeviceName, L"\\\\.\\");
}
wcscat(DeviceName, DriverName);
DbgMsg(__FILE__, __LINE__, "Opening '%ws'...\n", DeviceName);
hDevice = CreateFileW(
DeviceName,
GENERIC_READ | GENERIC_WRITE,
0, NULL,
OPEN_EXISTING,
0, NULL
);
if (hDevice == INVALID_HANDLE_VALUE)
{
DbgMsg(__FILE__, __LINE__, "CreateFile() ERROR %d\n", GetLastError());
return FALSE;
}
*lphDevice = hDevice;
return TRUE;
}
//--------------------------------------------------------------------------------------
BOOL DrvDeviceRequest(PREQUEST_BUFFER Request, DWORD dwRequestSize)
{
BOOL bRet = FALSE;
if (hDevice == NULL)
{
DbgMsg(__FILE__, __LINE__, __FUNCTION__ "() ERROR: Invalid device handle\n");
return FALSE;
}
PREQUEST_BUFFER Response = (PREQUEST_BUFFER)M_ALLOC(dwRequestSize);
if (Response)
{
DWORD dwBytes = 0;
ZeroMemory(Response, dwRequestSize);
// send request to driver
if (DeviceIoControl(
hDevice,
IOCTL_DRV_CONTROL,
Request,
dwRequestSize,
Response,
dwRequestSize,
&dwBytes, NULL))
{
#ifdef DBG_IO
DbgMsg(
__FILE__, __LINE__,
__FUNCTION__ "() %d bytes returned; status 0x%.8x\n",
dwBytes, Response->Status
);
#endif
memcpy(Request, Response, dwRequestSize);
bRet = TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "DeviceIoControl() ERROR %d\n", GetLastError());
}
M_FREE(Response);
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() ERROR %d\n", GetLastError());
}
return bRet;
}
//--------------------------------------------------------------------------------------
BOOL DrvServiceStart(char *lpszServiceName, char *lpszPath, PBOOL bAllreadyStarted)
{
BOOL bRet = FALSE;
SC_HANDLE hScm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (hScm)
{
DbgMsg(__FILE__, __LINE__, "Creating service...\n");
// create service for kernel-mod driver
SC_HANDLE hService = CreateService(
hScm,
lpszServiceName,
lpszServiceName,
SERVICE_START | DELETE | SERVICE_STOP,
SERVICE_KERNEL_DRIVER,
SERVICE_DEMAND_START,
SERVICE_ERROR_IGNORE,
lpszPath,
NULL, NULL, NULL, NULL, NULL
);
if (hService == NULL)
{
if (GetLastError() == ERROR_SERVICE_EXISTS)
{
// open existing service
if (hService = OpenService(hScm, lpszServiceName, SERVICE_START | DELETE | SERVICE_STOP))
{
DbgMsg(__FILE__, __LINE__, "Allready exists\n");
}
else
{
DbgMsg(__FILE__, __LINE__, "OpenService() ERROR %d\n", GetLastError());
}
}
else
{
DbgMsg(__FILE__, __LINE__, "CreateService() ERROR %d\n", GetLastError());
}
}
else
{
DbgMsg(__FILE__, __LINE__, "OK\n");
}
if (hService)
{
DbgMsg(__FILE__, __LINE__, "Starting service...\n");
// start service
if (StartService(hService, 0, NULL))
{
DbgMsg(__FILE__, __LINE__, "OK\n");
bRet = TRUE;
}
else
{
if (GetLastError() == ERROR_SERVICE_ALREADY_RUNNING)
{
// service is allready started
DbgMsg(__FILE__, __LINE__, "Allready running\n");
if (bAllreadyStarted)
{
*bAllreadyStarted = TRUE;
}
bRet = TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "StartService() ERROR %d\n", GetLastError());
}
}
CloseServiceHandle(hService);
}
CloseServiceHandle(hScm);
}
else
{
DbgMsg(__FILE__, __LINE__, "OpenSCManager() ERROR %d\n", GetLastError());
}
return bRet;
}
//--------------------------------------------------------------------------------------
BOOL DrvServiceStop(char *lpszServiceName)
{
BOOL bRet = FALSE;
SC_HANDLE hScm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (hScm)
{
DbgMsg(__FILE__, __LINE__, "Opening service...\n");
// open existing service
SC_HANDLE hService = OpenService(hScm, lpszServiceName, SERVICE_ALL_ACCESS);
if (hService)
{
SERVICE_STATUS Status;
DbgMsg(__FILE__, __LINE__, "OK\n");
DbgMsg(__FILE__, __LINE__, "Stopping service...\n");
// stop service
if (ControlService(hService, SERVICE_CONTROL_STOP, &Status))
{
DbgMsg(__FILE__, __LINE__, "OK\n");
bRet = TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "ControlService() ERROR %d\n", GetLastError());
}
CloseServiceHandle(hService);
}
else
{
DbgMsg(__FILE__, __LINE__, "OpenService() ERROR %d\n", GetLastError());
}
CloseServiceHandle(hScm);
}
else
{
DbgMsg(__FILE__, __LINE__, "OpenSCManager() ERROR %d\n", GetLastError());
}
return bRet;
}
//--------------------------------------------------------------------------------------
BOOL DrvServiceRemove(char *lpszServiceName)
{
BOOL bRet = FALSE;
SC_HANDLE hScm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (hScm)
{
DbgMsg(__FILE__, __LINE__, "Opening service...\n");
// open existing service
SC_HANDLE hService = OpenService(hScm, lpszServiceName, SERVICE_ALL_ACCESS);
if (hService)
{
SERVICE_STATUS Status;
DbgMsg(__FILE__, __LINE__, "OK\n");
DbgMsg(__FILE__, __LINE__, "Deleting service...\n");
// delete service
if (DeleteService(hService))
{
DbgMsg(__FILE__, __LINE__, "OK\n");
bRet = TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "DeleteService() ERROR %d\n", GetLastError());
}
CloseServiceHandle(hService);
}
else
{
DbgMsg(__FILE__, __LINE__, "OpenService() ERROR %d\n", GetLastError());
}
CloseServiceHandle(hScm);
}
else
{
DbgMsg(__FILE__, __LINE__, "OpenSCManager() ERROR %d\n", GetLastError());
}
return bRet;
}
//--------------------------------------------------------------------------------------
DWORD DrvServiceGetStartType(char *lpszServiceName)
{
DWORD dwRet = (DWORD)-1;
SC_HANDLE hScm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (hScm)
{
// open existing service
SC_HANDLE hService = OpenService(hScm, lpszServiceName, SERVICE_ALL_ACCESS);
if (hService)
{
DWORD dwBytesNeeded = 0;
char szBuff[0x1000];
ZeroMemory(&szBuff, sizeof(szBuff));
LPQUERY_SERVICE_CONFIG Config = (LPQUERY_SERVICE_CONFIG)&szBuff;
// query service configuration
if (QueryServiceConfig(hService, Config, sizeof(szBuff), &dwBytesNeeded))
{
dwRet = Config->dwStartType;
}
else
{
DbgMsg(__FILE__, __LINE__, "QueryServiceConfig() ERROR %d\n", GetLastError());
}
CloseServiceHandle(hService);
}
else
{
DbgMsg(__FILE__, __LINE__, "OpenService() ERROR %d\n", GetLastError());
}
CloseServiceHandle(hScm);
}
else
{
DbgMsg(__FILE__, __LINE__, "OpenSCManager() ERROR %d\n", GetLastError());
}
return dwRet;
}
//--------------------------------------------------------------------------------------
BOOL DrvServiceSetStartType(char *lpszServiceName, DWORD dwStartType)
{
BOOL bRet = FALSE;
SC_HANDLE hScm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (hScm)
{
// open existing service
SC_HANDLE hService = OpenService(hScm, lpszServiceName, SERVICE_ALL_ACCESS);
if (hService)
{
// set new service configuration
bRet = ChangeServiceConfig(
hService,
SERVICE_NO_CHANGE,
dwStartType,
SERVICE_NO_CHANGE,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL
);
if (!bRet)
{
DbgMsg(__FILE__, __LINE__, "ChangeServiceConfig() ERROR %d\n", GetLastError());
}
CloseServiceHandle(hService);
}
else
{
DbgMsg(__FILE__, __LINE__, "OpenService() ERROR %d\n", GetLastError());
}
CloseServiceHandle(hScm);
}
else
{
DbgMsg(__FILE__, __LINE__, "OpenSCManager() ERROR %d\n", GetLastError());
}
return bRet;
}
//--------------------------------------------------------------------------------------
// EoF
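Review bot: The local `HANDLE hDevice = NULL;` in DrvOpenDevice shadows the `extern HANDLE hDevice` declared just above it, so the global that DrvDeviceRequest checks and the local that DrvOpenDevice returns through `lphDevice` are easily confused by a reader; renaming the local, e.g. `HANDLE hDev = NULL;`, removes the ambiguity. In the same function `wcscpy`/`wcscat` fill `DeviceName[MAX_PATH]` from `DriverName` with no length check, so a DriverName longer than MAX_PATH minus the `\\.\Global\` prefix overruns the stack buffer; a bounded form such as `wcscat_s(DeviceName, _countof(DeviceName), DriverName)`, or an explicit `wcslen(DriverName)` check that returns FALSE, closes that. Further down, DrvServiceRemove declares `SERVICE_STATUS Status;` that is never used, and the assignment inside `if (hService = OpenService(...))` in DrvServiceStart reads like a typo even though it is intentional — a separate assignment line followed by `if (hService)` would be clearer.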
@@ -0,0 +1,7 @@
BOOL DrvOpenDevice(PWSTR DriverName, HANDLE *lphDevice);
BOOL DrvDeviceRequest(PREQUEST_BUFFER Request, DWORD dwRequestSize);
BOOL DrvServiceStart(char *lpszServiceName, char *lpszPath, PBOOL bAllreadyStarted);
BOOL DrvServiceStop(char *lpszServiceName);
BOOL DrvServiceRemove(char *lpszServiceName);
DWORD DrvServiceGetStartType(char *lpszServiceName);
BOOL DrvServiceSetStartType(char *lpszServiceName, DWORD dwStartType);
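Review bot: This header has no include guard or `#pragma once`, and the same holds for the stdafx.h, symbols.h and undocnt.h sections that follow. For the prototype-only headers a double inclusion is harmless, but undocnt.h defines struct and enum types whose redefinition is a compile error in C++, so the first translation unit that pulls it in twice through different paths will break; adding `#pragma once` as the first line of each header is the cheap fix. It would also help to note in a comment where `PREQUEST_BUFFER`, used by DrvDeviceRequest, is defined, since it is not declared in any of the headers visible here.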
@@ -0,0 +1,34 @@
#define _WIN32_WINNT 0x0501
#include <stdio.h>
#include <tchar.h>
#include <conio.h>
#include <windows.h>
#include <commctrl.h>
#include <commdlg.h>
#include <Shlwapi.h>
#include <sddl.h>
#include <AclAPI.h>
#include <comutil.h>
#include "TlHelp32.h"
#include "dbgsdk/inc/dbghelp.h"
#include <string>
#include <vector>
#include <list>
#include <map>
#include "resource.h"
#include "ntdll_defs.h"
#include "undocnt.h"
#include "options.h"
#include "drvcomm.h"
#include "common.h"
#include "debug.h"
#include "service.h"
#include "xml.h"
#include "analyzer.h"
#include "symbols.h"
@@ -0,0 +1,158 @@
#include "stdafx.h"
//--------------------------------------------------------------------------------------
BOOL GetNormalizedSymbolName(char *lpszName, char *lpszNormalizedName, int NameLen)
{
int StrLen;
char *lpszStr = lpszName;
if (!strncmp(lpszName, "??", min(lstrlen(lpszName), 2)) ||
!strncmp(lpszName, "__imp__", min(lstrlen(lpszName), 7)))
{
if (NameLen > lstrlen(lpszName))
{
strcpy(lpszNormalizedName, lpszName);
return TRUE;
}
return FALSE;
}
if (*lpszStr == '_' || *lpszStr == '@')
{
lpszStr++;
}
for (StrLen = 0; StrLen < lstrlen(lpszStr); StrLen++)
{
if (lpszStr[StrLen] == '@')
{
break;
}
}
if (NameLen > StrLen)
{
strncpy(lpszNormalizedName, lpszStr, StrLen);
lpszNormalizedName[StrLen] = 0;
return TRUE;
}
return FALSE;
}
//--------------------------------------------------------------------------------------
typedef struct _ENUM_SYM_PARAM
{
ULONGLONG Address;
char *lpszName;
} ENUM_SYM_PARAM,
*PENUM_SYM_PARAM;
BOOL CALLBACK EnumSymbolsProc(
PSYMBOL_INFO pSymInfo,
ULONG SymbolSize,
PVOID UserContext)
{
PENUM_SYM_PARAM Param = (PENUM_SYM_PARAM)UserContext;
char szName[0x100];
if (GetNormalizedSymbolName(pSymInfo->Name, szName, sizeof(szName)))
{
if (!lstrcmp(szName, Param->lpszName))
{
Param->Address = (ULONGLONG)pSymInfo->Address;
return FALSE;
}
}
return TRUE;
}
//--------------------------------------------------------------------------------------
ULONGLONG GetSymbolByName(char *lpszModuleName, HMODULE hModule, char *lpszName)
{
ULONGLONG Ret = 0;
// try to load debug symbols for module
if (SymLoadModuleEx(GetCurrentProcess(), NULL, lpszModuleName, NULL, (DWORD64)hModule, 0, NULL, 0))
{
ENUM_SYM_PARAM Param;
Param.Address = NULL;
Param.lpszName = lpszName;
// get specified symbol address by name
if (!SymEnumSymbols(
GetCurrentProcess(),
(DWORD64)hModule,
NULL,
EnumSymbolsProc,
&Param))
{
DbgMsg(__FILE__, __LINE__, "SymEnumSymbols() ERROR %d\n", GetLastError());
}
if (Param.Address == NULL)
{
DbgMsg(__FILE__, __LINE__, __FUNCTION__"() ERROR: Can't locate symbol\n");
}
else
{
Ret = Param.Address;
}
// unload symbols
SymUnloadModule64(GetCurrentProcess(), (DWORD64)hModule);
}
else
{
DbgMsg(__FILE__, __LINE__, "SymLoadModuleEx() ERROR %d\n", GetLastError());
}
return Ret;
}
//--------------------------------------------------------------------------------------
DWORD GetKernelSymbolOffset(char *lpszSymbolName)
{
DWORD Ret = 0;
// get system modules information
PRTL_PROCESS_MODULES Info = (PRTL_PROCESS_MODULES)GetSysInf(SystemModuleInformation);
if (Info)
{
char *lpszKernelName = (char *)Info->Modules[0].FullPathName + Info->Modules[0].OffsetToFileName;
char szKernelPath[MAX_PATH];
// get full kernel image path
GetSystemDirectory(szKernelPath, MAX_PATH);
lstrcat(szKernelPath, "\\");
lstrcat(szKernelPath, lpszKernelName);
DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Using kernel binary '%s'\r\n", szKernelPath);
// load kernel module
HMODULE hModule = LoadLibraryEx(szKernelPath, NULL, DONT_RESOLVE_DLL_REFERENCES);
if (hModule)
{
// get symbol offset
LARGE_INTEGER Addr;
Addr.QuadPart = GetSymbolByName(szKernelPath, hModule, lpszSymbolName);
if (Addr.QuadPart > 0)
{
Addr.QuadPart -= (ULONGLONG)hModule;
Ret = Addr.LowPart;
}
FreeLibrary(hModule);
}
else
{
DbgMsg(__FILE__, __LINE__, "LoadLibraryEx() ERROR %d\r\n", GetLastError());
}
M_FREE(Info);
}
return Ret;
}
//--------------------------------------------------------------------------------------
// EoF
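Review bot: GetKernelSymbolOffset builds `szKernelPath[MAX_PATH]` with two unbounded `lstrcat` calls after an unchecked `GetSystemDirectory`, and `Modules[0].FullPathName` is a 256-byte field, so a long system directory plus a long kernel image name can overrun the stack buffer, and a failed GetSystemDirectory leaves it uninitialised; checking the return value and guarding the join with `if (lstrlen(szKernelPath) + 1 + lstrlen(lpszKernelName) >= MAX_PATH) { M_FREE(Info); return 0; }` (or a bounded `_snprintf_s`) makes this robust. In GetNormalizedSymbolName the `for` loop re-evaluates `lstrlen(lpszStr)` on every iteration, which is quadratic in the symbol length — `strchr(lpszStr, '@')` yields the same cut position in one pass — and an empty `lpszName` makes both `strncmp(..., min(lstrlen(lpszName), N))` calls compare zero characters and report a match. In GetSymbolByName `Param.Address = NULL;` assigns a pointer constant to a ULONGLONG; `0` is what is meant. SymLoadModuleEx presumes SymInitialize has already been called for this process; I do not see that call in this file, so a comment naming where it happens would help the next reader.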
@@ -0,0 +1,2 @@
DWORD GetKernelSymbolOffset(char *lpszSymbolName);
@@ -0,0 +1,291 @@
/************************************************************/
/* */
/* Some structures for native API functions */
/* */
/************************************************************/
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation,
SystemProcessorInformation, // obsolete...delete
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemPathInformation,
SystemProcessInformation,
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,
SystemModuleInformation,
SystemLocksInformation,
SystemStackTraceInformation,
SystemPagedPoolInformation,
SystemNonPagedPoolInformation,
SystemHandleInformation,
SystemObjectInformation,
SystemPageFileInformation,
SystemVdmInstemulInformation,
SystemVdmBopInformation,
SystemFileCacheInformation,
SystemPoolTagInformation,
SystemInterruptInformation,
SystemDpcBehaviorInformation,
SystemFullMemoryInformation,
SystemLoadGdiDriverInformation,
SystemUnloadGdiDriverInformation,
SystemTimeAdjustmentInformation,
SystemSummaryMemoryInformation,
SystemMirrorMemoryInformation,
SystemPerformanceTraceInformation,
SystemObsolete0,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemExtendServiceTableInformation,
SystemPrioritySeperation,
SystemVerifierAddDriverInformation,
SystemVerifierRemoveDriverInformation,
SystemProcessorIdleInformation,
SystemLegacyDriverInformation,
SystemCurrentTimeZoneInformation,
SystemLookasideInformation,
SystemTimeSlipNotification,
SystemSessionCreate,
SystemSessionDetach,
SystemSessionInformation,
SystemRangeStartInformation,
SystemVerifierInformation,
SystemVerifierThunkExtend,
SystemSessionProcessInformation,
SystemLoadGdiDriverInSystemSpace,
SystemNumaProcessorMap,
SystemPrefetcherInformation,
SystemExtendedProcessInformation,
SystemRecommendedSharedDataAlignment,
SystemComPlusPackage,
SystemNumaAvailableMemory,
SystemProcessorPowerInformation,
SystemEmulationBasicInformation,
SystemEmulationProcessorInformation,
SystemExtendedHandleInformation,
SystemLostDelayedWriteInformation,
SystemBigPoolInformation,
SystemSessionPoolTagInformation,
SystemSessionMappedViewInformation,
SystemHotpatchInformation,
SystemObjectSecurityMode,
SystemWatchdogTimerHandler,
SystemWatchdogTimerInformation,
SystemLogicalProcessorInformation,
SystemWow64SharedInformation,
SystemRegisterFirmwareTableInformationHandler,
SystemFirmwareTableInformation,
SystemModuleInformationEx,
SystemVerifierTriageInformation,
SystemSuperfetchInformation,
SystemMemoryListInformation,
SystemFileCacheInformationEx,
MaxSystemInfoClass // MaxSystemInfoClass should always be the last enum
} SYSTEM_INFORMATION_CLASS;
typedef struct _RTL_PROCESS_MODULE_INFORMATION
{
HANDLE Section; // Not filled in
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR FullPathName[ 256 ];
} RTL_PROCESS_MODULE_INFORMATION,
*PRTL_PROCESS_MODULE_INFORMATION;
typedef struct _RTL_PROCESS_MODULES
{
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];
} RTL_PROCESS_MODULES,
*PRTL_PROCESS_MODULES;
typedef enum _SHUTDOWN_ACTION
{
ShutdownNoReboot,
ShutdownReboot,
ShutdownPowerOff
} SHUTDOWN_ACTION,
*PSHUTDOWN_ACTION;
typedef struct _DIRECTORY_BASIC_INFORMATION
{
UNICODE_STRING ObjectName;
UNICODE_STRING ObjectTypeName;
} DIRECTORY_BASIC_INFORMATION,
*PDIRECTORY_BASIC_INFORMATION;
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
USHORT UniqueProcessId;
USHORT CreatorBackTraceIndex;
UCHAR ObjectTypeIndex;
UCHAR HandleAttributes;
USHORT HandleValue;
PVOID Object;
ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO,
*PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG NumberOfHandles;
SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[ 1 ];
} SYSTEM_HANDLE_INFORMATION,
*PSYSTEM_HANDLE_INFORMATION;
typedef enum _FILE_INFORMATION_CLASS
{
FileDirectoryInformation = 1,
FileFullDirectoryInformation, // 2
FileBothDirectoryInformation, // 3
FileBasicInformation, // 4 wdm
FileStandardInformation, // 5 wdm
FileInternalInformation, // 6
FileEaInformation, // 7
FileAccessInformation, // 8
FileNameInformation, // 9
FileRenameInformation, // 10
FileLinkInformation, // 11
FileNamesInformation, // 12
FileDispositionInformation, // 13
FilePositionInformation, // 14 wdm
FileFullEaInformation, // 15
FileModeInformation, // 16
FileAlignmentInformation, // 17
FileAllInformation, // 18
FileAllocationInformation, // 19
FileEndOfFileInformation, // 20 wdm
FileAlternateNameInformation, // 21
FileStreamInformation, // 22
FilePipeInformation, // 23
FilePipeLocalInformation, // 24
FilePipeRemoteInformation, // 25
FileMailslotQueryInformation, // 26
FileMailslotSetInformation, // 27
FileCompressionInformation, // 28
FileObjectIdInformation, // 29
FileCompletionInformation, // 30
FileMoveClusterInformation, // 31
FileQuotaInformation, // 32
FileReparsePointInformation, // 33
FileNetworkOpenInformation, // 34
FileAttributeTagInformation, // 35
FileTrackingInformation, // 36
FileIdBothDirectoryInformation, // 37
FileIdFullDirectoryInformation, // 38
FileValidDataLengthInformation, // 39
FileShortNameInformation, // 40
FileMaximumInformation
} FILE_INFORMATION_CLASS,
*PFILE_INFORMATION_CLASS;
typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION
{
BOOLEAN DebuggerEnabled;
BOOLEAN DebuggerNotPresent;
} SYSTEM_KERNEL_DEBUGGER_INFORMATION,
*PSYSTEM_KERNEL_DEBUGGER_INFORMATION;
typedef struct _FILE_NAME_INFORMATION
{
ULONG FileNameLength;
WCHAR FileName[1];
} FILE_NAME_INFORMATION,
*PFILE_NAME_INFORMATION;
/************************************************************/
/* */
/* Prototypes for native API functions */
/* */
/************************************************************/
typedef NTSTATUS (WINAPI * func_NtQuerySystemInformation)(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
typedef NTSTATUS (WINAPI * func_NtOpenFile)(
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
ULONG ShareAccess,
ULONG OpenOptions
);
typedef NTSTATUS (WINAPI * func_NtDeviceIoControlFile)(
HANDLE FileHandle,
HANDLE Event,
PVOID ApcRoutine,
PVOID ApcContext,
PIO_STATUS_BLOCK IoStatusBlock,
ULONG IoControlCode,
PVOID InputBuffer,
ULONG InputBufferLength,
PVOID OutputBuffer,
ULONG OutputBufferLength
);
typedef NTSTATUS (WINAPI * func_NtOpenDirectoryObject)(
PHANDLE DirectoryHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes
);
typedef NTSTATUS (WINAPI * func_NtQueryDirectoryObject)(
HANDLE DirectoryHandle,
PVOID Buffer,
ULONG BufferLength,
BOOLEAN ReturnSingleEntry,
BOOLEAN RestartScan,
PULONG Context,
PULONG ReturnLength
);
typedef NTSTATUS (WINAPI * func_NtOpenSymbolicLinkObject)(
PHANDLE SymbolicLinkHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes
);
typedef NTSTATUS (WINAPI * func_NtQuerySymbolicLinkObject)(
HANDLE SymbolicLinkHandle,
PUNICODE_STRING TargetName,
PULONG ReturnLength
);
typedef NTSTATUS (WINAPI * func_NtQueryInformationFile)(
HANDLE FileHandle,
PIO_STATUS_BLOCK IoStatusBlock,
PVOID FileInformation,
ULONG Length,
FILE_INFORMATION_CLASS FileInformationClass
);
@@ -0,0 +1,384 @@
#include "stdafx.h"
//--------------------------------------------------------------------------------------
/**
* çàãðóçêà è ïàðñèíã xml äîêóìåíòà
* @param data òåêñò çàãðóæàåìîãî xml äîêóììåíòà
* @return TRUE åñëè âñ¸ ÎÊ, FALSE â ñëó÷àå îøèáêè
*/
BOOL XmlLoad(PWSTR lpwcData, IXMLDOMDocument **pXMLDoc, IXMLDOMNode **pIDOMRootNode, PWSTR lpwcRootNodeName)
{
BOOL bOk = FALSE;
VARIANT_BOOL status;
// initialize COM
HRESULT hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
if (FAILED(hr))
{
DbgMsg(__FILE__, __LINE__, "CoInitializeEx() ERROR 0x%.8x\n", hr);
return FALSE;
}
// create new msxml document instance
hr = CoCreateInstance(CLSID_DOMDocument, NULL, CLSCTX_INPROC_SERVER,
IID_IXMLDOMDocument, (void **)pXMLDoc);
if (FAILED(hr))
{
DbgMsg(__FILE__, __LINE__, "CoCreateInstance() ERROR 0x%.8x\n", hr);
return FALSE;
}
hr = (*pXMLDoc)->loadXML(lpwcData, &status);
if (status != VARIANT_TRUE)
{
DbgMsg(__FILE__, __LINE__, "pXMLDoc->load() ERROR 0x%.8x\n", hr);
goto end;
}
// åñëè xml çàãðóæåí, ïîëó÷àåì ñïèñîê êîðíåâûõ óçëîâ
// èç êîòîðîãî ïîëó÷àåì ãëàâíûé ïîäóçåë 'logger'
IXMLDOMNodeList *pIDOMRootNodeList;
hr = (*pXMLDoc)->get_childNodes(&pIDOMRootNodeList);
if (SUCCEEDED(hr))
{
*pIDOMRootNode = ConfGetListNodeByName(lpwcRootNodeName, pIDOMRootNodeList);
if (*pIDOMRootNode)
{
bOk = TRUE;
}
pIDOMRootNodeList->Release();
}
else
{
DbgMsg(__FILE__, __LINE__, "pXMLDoc->get_childNodes() ERROR 0x%.8x\n", hr);
}
end:
if (!bOk)
{
// ïðîèçîøëà îøèáêà
// îñâîáîæäàåì äåñêðèïòîð äîêóììåíòà
(*pXMLDoc)->Release();
*pXMLDoc = NULL;
}
return bOk;
}
//--------------------------------------------------------------------------------------
/**
* ïîëó÷åíèå xml-óçëà èç ñïèñêà ïî åãî èìåíè
* @param NodeName èìÿ èñêîìîãî óçëà
* @param pIDOMNodeList äåñêðèïòîð ñïèñêà
* @return äåñêðèïòîð íóæíîãî óçëà, èëè NULL â ñëó÷àå íåóäà÷è
* @see ConfGetNodeByName()
* @see ConfGetNodeText()
* @see ConfGetTextByName()
*/
IXMLDOMNode * ConfGetListNodeByName(BSTR NodeName, IXMLDOMNodeList *pIDOMNodeList)
{
IXMLDOMNode *Ret = NULL;
LONG len = 0;
if (pIDOMNodeList == NULL)
{
return NULL;
}
HRESULT hr = pIDOMNodeList->get_length(&len);
if (SUCCEEDED(hr))
{
pIDOMNodeList->reset();
for (int i = 0; i < len; i++)
{
IXMLDOMNode *pIDOMChildNode = NULL;
hr = pIDOMNodeList->get_item(i, &pIDOMChildNode);
if (SUCCEEDED(hr))
{
BSTR ChildNodeName = NULL;
hr = pIDOMChildNode->get_nodeName(&ChildNodeName);
if (SUCCEEDED(hr))
{
if (!wcscmp(NodeName, ChildNodeName))
{
Ret = pIDOMChildNode;
}
}
if (ChildNodeName)
{
SysFreeString(ChildNodeName);
}
if (Ret)
{
return Ret;
}
pIDOMChildNode->Release();
pIDOMChildNode = NULL;
}
else
{
DbgMsg(__FILE__, __LINE__, "pIDOMNodeList->get_item() ERROR 0x%.8x\n", hr);
}
}
}
else
{
DbgMsg(__FILE__, __LINE__, "pIDOMNodeList->get_length() ERROR 0x%.8x\n", hr);
}
return NULL;
}
//--------------------------------------------------------------------------------------
/**
* ïîëó÷åíèå ïîäóçëà ïî åãî èìåíè
* @param NodeName èìÿ èñêîìîãî óçëà
* @param pIDOMNode äåñêðèïòîð ðîäèòåëüñêîãî óçëà
* @return äåñêðèïòîð íóæíîãî óçëà, èëè NULL â ñëó÷àå íåóäà÷è
* @see ConfGetListNodeByName()
* @see ConfGetNodeText()
* @see ConfGetTextByName()
*/
IXMLDOMNode * ConfGetNodeByName(BSTR NodeName, IXMLDOMNode *pIDOMNode)
{
IXMLDOMNode *pIDOMRetNode = NULL;
IXMLDOMNodeList *pIDOMNodeList = NULL;
if (pIDOMNode == NULL)
{
return NULL;
}
HRESULT hr = pIDOMNode->get_childNodes(&pIDOMNodeList);
if (SUCCEEDED(hr) && pIDOMNodeList)
{
pIDOMRetNode = ConfGetListNodeByName(NodeName, pIDOMNodeList);
pIDOMNodeList->Release();
}
else
{
DbgMsg(__FILE__, __LINE__, "pIDOMNodeList->get_length() ERROR 0x%.8x\n", hr);
}
return pIDOMRetNode;
}
//--------------------------------------------------------------------------------------
/**
* ïîëó÷åíèå çíà÷åíèÿ óçëà
* @param pIDOMNode äåñêðèïòîð óçëà
* @param str àäðåññ unicode-ñòðîêè, â êîòîðóþ áóäåò çàïèñàíî çíà÷åíèå
* @return TRUE åñëè âñ¸ ÎÊ, FALSE â ñëó÷àå îøèáêè
* @see ConfGetListNodeByName()
* @see ConfGetNodeByName()
* @see ConfGetTextByName()
*/
BOOL ConfGetNodeTextW(IXMLDOMNode *pIDOMNode, PWSTR *str)
{
BOOL bRet = FALSE;
BSTR val = NULL;
if (pIDOMNode == NULL)
{
return FALSE;
}
HRESULT hr = pIDOMNode->get_text(&val);
if (FAILED(hr))
{
DbgMsg(__FILE__, __LINE__, "pIDOMNode->get_text() ERROR 0x%.8x\n", hr);
return FALSE;
}
DWORD Len = (wcslen((PWSTR)val) + 1) * sizeof(WCHAR);
if (*str = (PWSTR)M_ALLOC(Len))
{
ZeroMemory(*str, Len);
wcscpy_s(*str, Len / sizeof(wchar_t), (PWSTR)val);
bRet = TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() ERROR %d\n", GetLastError());
}
if (val)
{
SysFreeString(val);
}
return bRet;
}
//--------------------------------------------------------------------------------------
/**
* ïîëó÷åíèå çíà÷åíèÿ óçëà
* @param pIDOMNode äåñêðèïòîð óçëà
* @param str àäðåññ unicode-ñòðîêè, â êîòîðóþ áóäåò çàïèñàíî çíà÷åíèå
* @return TRUE åñëè âñ¸ ÎÊ, FALSE â ñëó÷àå îøèáêè
* @see ConfGetListNodeByName()
* @see ConfGetNodeByName()
* @see ConfGetTextByName()
*/
BOOL ConfGetNodeTextA(IXMLDOMNode *pIDOMNode, PCHAR *str)
{
BOOL bRet = FALSE;
PWSTR str_w;
if (ConfGetNodeTextW(pIDOMNode, &str_w))
{
int len = wcslen(str_w);
if (*str = (PCHAR)M_ALLOC(len + 1))
{
ZeroMemory(*str, len + 1);
WideCharToMultiByte(CP_ACP, 0, str_w, -1, *str, len, NULL, NULL);
bRet = TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() ERROR %d\n", GetLastError());
}
M_FREE(str_w);
}
return bRet;
}
//--------------------------------------------------------------------------------------
/**
* ïîëó÷åíèå çíà÷åíèÿ ïîäóçëà ïî åãî èìåíè
* @param pIDOMNode äåñêðèïòîð ðîäèòåëüñêîãî óçëà
* @param name èìÿ äî÷åðíåãî óçëà, çíà÷åíèå êîòîðîãî íåîáõîäèìî ïîëó÷èòü
* @param val àäðåññ óêàçàòåëÿ íà unicode-ñòðîêó, â êîòîðóþ áóäåò çàïèñàíî çíà÷åíèå
* @return TRUE åñëè âñ¸ ÎÊ, FALSE â ñëó÷àå îøèáêè
* @see ConfGetListNodeByNameA()
* @see ConfGetListNodeByName()
* @see ConfGetNodeByName()
* @see ConfGetNodeText()
* @see ConfGetTextByName()
*/
BOOL ConfAllocGetTextByNameW(IXMLDOMNode *pIDOMNode, PWSTR name, PWSTR *value)
{
BOOL bRet = FALSE;
IXMLDOMNode *pIDOMChildNode = ConfGetNodeByName(name, pIDOMNode);
if (pIDOMChildNode)
{
bRet = ConfGetNodeTextW(pIDOMChildNode, value);
pIDOMChildNode->Release();
}
return bRet;
}
//--------------------------------------------------------------------------------------
/**
* ïîëó÷åíèå çíà÷åíèÿ ïîäóçëà ïî åãî èìåíè
* @param pIDOMNode äåñêðèïòîð ðîäèòåëüñêîãî óçëà
* @param name èìÿ äî÷åðíåãî óçëà, çíà÷åíèå êîòîðîãî íåîáõîäèìî ïîëó÷èòü
* @param val àäðåññ óêàçàòåëÿ íà unicode-ñòðîêó, â êîòîðóþ áóäåò çàïèñàíî çíà÷åíèå
* @return TRUE åñëè âñ¸ ÎÊ, FALSE â ñëó÷àå îøèáêè
* @see ConfGetListNodeByNameW()
* @see ConfGetListNodeByName()
* @see ConfGetNodeByName()
* @see ConfGetNodeText()
* @see ConfGetTextByName()
*/
BOOL ConfAllocGetTextByNameA(IXMLDOMNode *pIDOMNode, PWSTR name, PCHAR *value)
{
BOOL bRet = FALSE;
PWSTR value_w;
if (ConfAllocGetTextByNameW(pIDOMNode, name, &value_w))
{
int len = wcslen(value_w);
if (*value = (PCHAR)M_ALLOC(len + 1))
{
ZeroMemory(*value, len + 1);
WideCharToMultiByte(CP_ACP, 0, value_w, -1, *value, len, NULL, NULL);
bRet = TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() ERROR %d\n", GetLastError());
}
M_FREE(value_w);
}
return bRet;
}
//--------------------------------------------------------------------------------------
BOOL ConfGetNodeAttributeW(IXMLDOMNode *pIDOMNode, PWSTR name, PWSTR *value)
{
BOOL bRet = FALSE;
IXMLDOMNamedNodeMap *pIXMLDOMNamedNodeMap = NULL;
// query attributes map
HRESULT hr = pIDOMNode->get_attributes(&pIXMLDOMNamedNodeMap);
if (SUCCEEDED(hr) && pIXMLDOMNamedNodeMap)
{
IXMLDOMNode *pIDOMAttrNode = NULL;
// query attribute node
hr = pIXMLDOMNamedNodeMap->getNamedItem(name, &pIDOMAttrNode);
if (SUCCEEDED(hr) && pIDOMAttrNode)
{
VARIANT varValue;
hr = pIDOMAttrNode->get_nodeValue(&varValue);
if (FAILED(hr))
{
DbgMsg(__FILE__, __LINE__, "pIDOMAttrNode->get_nodeValue() ERROR 0x%.8x\n", hr);
goto free;
}
BSTR val = _bstr_t(varValue);
DWORD Len = (wcslen((PWSTR)val) + 1) * sizeof(WCHAR);
if (*value = (PWSTR)M_ALLOC(Len))
{
ZeroMemory(*value, Len);
wcscpy(*value, (PWSTR)val);
bRet = TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() ERROR %d\n", GetLastError());
}
free:
pIDOMAttrNode->Release();
pIDOMAttrNode = NULL;
}
pIXMLDOMNamedNodeMap->Release();
pIXMLDOMNamedNodeMap = NULL;
}
return bRet;
}
//--------------------------------------------------------------------------------------
BOOL ConfGetNodeAttributeA(IXMLDOMNode *pIDOMNode, PWSTR name, PCHAR *value)
{
BOOL bRet = FALSE;
PWSTR value_w;
if (ConfGetNodeAttributeW(pIDOMNode, name, &value_w))
{
int len = wcslen(value_w);
if (*value = (PCHAR)M_ALLOC(len + 1))
{
ZeroMemory(*value, len + 1);
WideCharToMultiByte(CP_ACP, 0, value_w, -1, *value, len, NULL, NULL);
bRet = TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() ERROR %d\n", GetLastError());
}
M_FREE(value_w);
}
return bRet;
}
//--------------------------------------------------------------------------------------
// EoF
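Review bot: `BSTR val = _bstr_t(varValue);` in ConfGetNodeAttributeW points `val` at the buffer of a temporary `_bstr_t` that is destroyed at the end of that statement, so the following `wcslen`/`wcscpy` read freed memory; keep the wrapper alive for the copy, e.g. `_bstr_t bstrVal(varValue); BSTR val = (BSTR)bstrVal;`, and add `VariantClear(&varValue);` before the `free:` label, since the VARIANT returned by get_nodeValue is otherwise leaked. The same function also lacks the `pIDOMNode == NULL` guard every other Conf* routine has and uses plain `wcscpy` where ConfGetNodeTextW uses `wcscpy_s`. Separately, ConfGetNodeTextA, ConfAllocGetTextByNameA and ConfGetNodeAttributeA pass `len` as cbMultiByte while asking WideCharToMultiByte (source length `-1`) to emit the terminator as well, which is one byte short even for a pure single-byte string and shorter still under a DBCS ANSI code page, and the return value is never checked, so bRet becomes TRUE with a zeroed buffer. At minimum pass `len + 1` there; better, size the output with a first call using cbMultiByte 0 and set bRet only when the converting call returns non-zero.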
@@ -0,0 +1,9 @@
BOOL XmlLoad(PWSTR lpwcData, IXMLDOMDocument **pXMLDoc, IXMLDOMNode **pIDOMRootNode, PWSTR lpwcRootNodeName);
IXMLDOMNode * ConfGetListNodeByName(BSTR NodeName, IXMLDOMNodeList *pIDOMNodeList);
IXMLDOMNode * ConfGetNodeByName(BSTR NodeName, IXMLDOMNode *pIDOMNode);
BOOL ConfGetNodeTextW(IXMLDOMNode *pIDOMNode, PWSTR *str);
BOOL ConfGetNodeTextA(IXMLDOMNode *pIDOMNode, PCHAR *str);
BOOL ConfAllocGetTextByNameW(IXMLDOMNode *pIDOMNode, PWSTR name, PWSTR *value);
BOOL ConfAllocGetTextByNameA(IXMLDOMNode *pIDOMNode, PWSTR name, PCHAR *value);
BOOL ConfGetNodeAttributeW(IXMLDOMNode *pIDOMNode, PWSTR name, PWSTR *value);
BOOL ConfGetNodeAttributeA(IXMLDOMNode *pIDOMNode, PWSTR name, PCHAR *value);
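Review bot: The header carries no `#pragma once` or include guard; add `#pragma once` as its first line so a second inclusion cannot break the build once a type or inline definition lands here. `ConfGetListNodeByName` and `ConfGetNodeByName` declare `NodeName` as `BSTR`, yet the Conf*ByName callers in this commit pass a plain `PWSTR`, which compiles only because BSTR is a `wchar_t*` typedef; since the name is only read with `wcscmp`, declaring it `PCWSTR NodeName` would state the real contract and let callers pass literals without a cast.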
@@ -0,0 +1,48 @@
<?xml version="1.0" encoding="windows-1251" ?>
<cfg>
<!-- Path to log file. -->
<log_file>C:\ioctlfuzzer.log</log_file>
<!-- If true, hex dumps of IOCTL buffers will be logged. -->
<hex_dump>true</hex_dump>
<!-- If true, will print logging output to console. -->
<log_requests>true</log_requests>
<!-- If true, will print logging output to kernel debugger. -->
<debug_log_requests>true</debug_log_requests>
<!-- If true, will log boot. -->
<boot_log>false</boot_log>
<!--
IOCTLs "allow" list.
The fuzzer will process (i.e. log and/or fuzz) any IOCTL request
containing at least one parameter from the <allow> list.
If the list is empty, each IRP will be processed.
-->
<allow>
</allow>
<!--
IOCTLs "deny" list, can be empty.
Identical in structure to "allow" list.
-->
<deny>
<!-- Don't fuzz default Windows drivers. -->
</deny>
<!--
Kernel Debugger Communication Engine configuration:
list of IOCTLs (by driver/device/process name or I/O Control Code)
and remote kernel debugger commands, that must be executed
when IOCTL Fuzzer cacthing these requests.
See README.TXT for more information.
-->
<dbgcb>
</dbgcb>
</cfg>
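Review bot: The `<deny>` block's only content is the comment `Don't fuzz default Windows drivers.`, but the list itself is empty, and the `<allow>` comment states that an empty allow list processes every IRP, so the configuration as committed excludes nothing; either add the intended deny entries or reword the comment to `<!-- Add entries here to exclude default Windows drivers. -->` so the shipped defaults are not misread. `cacthing` in the `<dbgcb>` comment should be `catching`.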