Mirrors
/
Windows-Rootkits
mirror of https://github.com/ciyze0101/Windows-Rootkits
6
0
Fork 0
Code Issues Projects Releases Wiki Activity

hook DeviceIoControl to log buffer for 32 and 64 bit 

hook DeviceIoControl to log buffer for 32 and 64 bit
This commit is contained in:
LycorisGuard 2018-08-19 16:38:19 +08:00
parent 0ceb471205
commit 43c58d7f35
99 changed files with 53176 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile.sln Normal file
View File

@ -0,0 +1,26 @@

Microsoft Visual Studio Solution File, Format Version 10.00
# Visual Studio 2008
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HookDeviceIoControlFile", "HookDeviceIoControlFile\HookDeviceIoControlFile.vcproj", "{04CCC70C-821D-48FA-A6CD-9F0765A2D25C}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Debug|x64 = Debug|x64
Release|Win32 = Release|Win32
Release|x64 = Release|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{04CCC70C-821D-48FA-A6CD-9F0765A2D25C}.Debug|Win32.ActiveCfg = Debug|Win32
{04CCC70C-821D-48FA-A6CD-9F0765A2D25C}.Debug|Win32.Build.0 = Debug|Win32
{04CCC70C-821D-48FA-A6CD-9F0765A2D25C}.Debug|x64.ActiveCfg = Debug|x64
{04CCC70C-821D-48FA-A6CD-9F0765A2D25C}.Debug|x64.Build.0 = Debug|x64
{04CCC70C-821D-48FA-A6CD-9F0765A2D25C}.Release|Win32.ActiveCfg = Release|Win32
{04CCC70C-821D-48FA-A6CD-9F0765A2D25C}.Release|Win32.Build.0 = Release|Win32
{04CCC70C-821D-48FA-A6CD-9F0765A2D25C}.Release|x64.ActiveCfg = Release|x64
{04CCC70C-821D-48FA-A6CD-9F0765A2D25C}.Release|x64.Build.0 = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal

441
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile.vcproj Normal file
View File

@ -0,0 +1,441 @@
<?xml version="1.0" encoding="gb2312"?>
<VisualStudioProject
ProjectType="Visual C++"
Version="9.00"
Name="HookDeviceIoControlFile"
ProjectGUID="{04CCC70C-821D-48FA-A6CD-9F0765A2D25C}"
RootNamespace="HookDeviceIoControlFile"
Keyword="Win32Proj"
TargetFrameworkVersion="196613"
>
<Platforms>
<Platform
Name="Win32"
/>
<Platform
Name="x64"
/>
</Platforms>
<ToolFiles>
</ToolFiles>
<Configurations>
<Configuration
Name="Debug|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="1"
CharacterSet="2"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE;_X86_"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="1"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="4"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="2"
GenerateManifest="false"
GenerateDebugInformation="true"
SubSystem="1"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Debug|x64"
OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
ConfigurationType="1"
CharacterSet="2"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
TargetEnvironment="3"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE;_AMD64_"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="1"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="2"
GenerateManifest="false"
GenerateDebugInformation="true"
SubSystem="1"
TargetMachine="17"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Release|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="1"
CharacterSet="2"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="2"
EnableIntrinsicFunctions="true"
PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE;_X86_"
RuntimeLibrary="0"
EnableFunctionLevelLinking="true"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="1"
GenerateManifest="false"
EnableUAC="true"
GenerateDebugInformation="true"
SubSystem="1"
OptimizeReferences="2"
EnableCOMDATFolding="2"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Release|x64"
OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
ConfigurationType="1"
CharacterSet="2"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
TargetEnvironment="3"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="2"
EnableIntrinsicFunctions="true"
PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE;_AMD64_"
RuntimeLibrary="0"
EnableFunctionLevelLinking="true"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="1"
GenerateManifest="false"
EnableUAC="true"
GenerateDebugInformation="true"
SubSystem="1"
OptimizeReferences="2"
EnableCOMDATFolding="2"
TargetMachine="17"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
</Configurations>
<References>
</References>
<Files>
<Filter
Name="Source Files"
Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
>
<File
RelativePath=".\analyzer.cpp"
>
</File>
<File
RelativePath=".\analyzer.h"
>
</File>
<File
RelativePath=".\binres.rc"
>
</File>
<File
RelativePath=".\common.cpp"
>
</File>
<File
RelativePath=".\common.h"
>
</File>
<File
RelativePath=".\debug.cpp"
>
</File>
<File
RelativePath=".\debug.h"
>
</File>
<File
RelativePath=".\default.manifest"
>
</File>
<File
RelativePath=".\drvcomm.h"
>
</File>
<File
RelativePath=".\ioctlfuzzer.cpp"
>
</File>
<File
RelativePath=".\ioctlfuzzer.rc"
>
</File>
<File
RelativePath=".\ntdll_defs.h"
>
</File>
<File
RelativePath=".\options.h"
>
</File>
<File
RelativePath=".\resource.h"
>
</File>
<File
RelativePath=".\service.cpp"
>
</File>
<File
RelativePath=".\service.h"
>
</File>
<File
RelativePath=".\stdafx.h"
>
</File>
<File
RelativePath=".\symbols.cpp"
>
</File>
<File
RelativePath=".\symbols.h"
>
</File>
<File
RelativePath=".\TlHelp32.h"
>
</File>
<File
RelativePath=".\undocnt.h"
>
</File>
<File
RelativePath=".\xml.cpp"
>
</File>
<File
RelativePath=".\xml.h"
>
</File>
</Filter>
<Filter
Name="Header Files"
Filter="h;hpp;hxx;hm;inl;inc;xsd"
UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
>
</Filter>
<Filter
Name="Resource Files"
Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav"
UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}"
>
</Filter>
<File
RelativePath="..\driver_amd64.sys"
>
</File>
</Files>
<Globals>
</Globals>
</VisualStudioProject>

316
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/TlHelp32.h Normal file
View File

@ -0,0 +1,316 @@
/*****************************************************************************\
* *
* tlhelp32.h - WIN32 tool help functions, types, and definitions *
* *
* Version 1.0 *
* *
* NOTE: windows.h/winbase.h must be #included first *
* *
* Copyright (c) Microsoft Corp. All rights reserved. *
* *
\*****************************************************************************/
#ifndef _INC_TOOLHELP32
#define _INC_TOOLHELP32
#if _MSC_VER > 1000
#pragma once
#endif
#ifdef __cplusplus
extern "C" { /* Assume C declarations for C++ */
#endif /* __cplusplus */
#define MAX_MODULE_NAME32 255
/****** Shapshot function **********************************************/
HANDLE
WINAPI
CreateToolhelp32Snapshot(
DWORD dwFlags,
DWORD th32ProcessID
);
//
// The th32ProcessID argument is only used if TH32CS_SNAPHEAPLIST or
// TH32CS_SNAPMODULE is specified. th32ProcessID == 0 means the current
// process.
//
// NOTE that all of the snapshots are global except for the heap and module
// lists which are process specific. To enumerate the heap or module
// state for all WIN32 processes call with TH32CS_SNAPALL and the
// current process. Then for each process in the TH32CS_SNAPPROCESS
// list that isn't the current process, do a call with just
// TH32CS_SNAPHEAPLIST and/or TH32CS_SNAPMODULE.
//
// dwFlags
//
#define TH32CS_SNAPHEAPLIST 0x00000001
#define TH32CS_SNAPPROCESS 0x00000002
#define TH32CS_SNAPTHREAD 0x00000004
#define TH32CS_SNAPMODULE 0x00000008
#define TH32CS_SNAPMODULE32 0x00000010
#define TH32CS_SNAPALL (TH32CS_SNAPHEAPLIST | TH32CS_SNAPPROCESS | TH32CS_SNAPTHREAD | TH32CS_SNAPMODULE)
#define TH32CS_INHERIT 0x80000000
//
// Use CloseHandle to destroy the snapshot
//
/****** heap walking ***************************************************/
typedef struct tagHEAPLIST32
{
SIZE_T dwSize;
DWORD th32ProcessID; // owning process
ULONG_PTR th32HeapID; // heap (in owning process's context!)
DWORD dwFlags;
} HEAPLIST32;
typedef HEAPLIST32 * PHEAPLIST32;
typedef HEAPLIST32 * LPHEAPLIST32;
//
// dwFlags
//
#define HF32_DEFAULT 1 // process's default heap
#define HF32_SHARED 2 // is shared heap
BOOL
WINAPI
Heap32ListFirst(
HANDLE hSnapshot,
LPHEAPLIST32 lphl
);
BOOL
WINAPI
Heap32ListNext(
HANDLE hSnapshot,
LPHEAPLIST32 lphl
);
typedef struct tagHEAPENTRY32
{
SIZE_T dwSize;
HANDLE hHandle; // Handle of this heap block
ULONG_PTR dwAddress; // Linear address of start of block
SIZE_T dwBlockSize; // Size of block in bytes
DWORD dwFlags;
DWORD dwLockCount;
DWORD dwResvd;
DWORD th32ProcessID; // owning process
ULONG_PTR th32HeapID; // heap block is in
} HEAPENTRY32;
typedef HEAPENTRY32 * PHEAPENTRY32;
typedef HEAPENTRY32 * LPHEAPENTRY32;
//
// dwFlags
//
#define LF32_FIXED 0x00000001
#define LF32_FREE 0x00000002
#define LF32_MOVEABLE 0x00000004
BOOL
WINAPI
Heap32First(
LPHEAPENTRY32 lphe,
DWORD th32ProcessID,
ULONG_PTR th32HeapID
);
BOOL
WINAPI
Heap32Next(
LPHEAPENTRY32 lphe
);
BOOL
WINAPI
Toolhelp32ReadProcessMemory(
DWORD th32ProcessID,
LPCVOID lpBaseAddress,
LPVOID lpBuffer,
SIZE_T cbRead,
SIZE_T *lpNumberOfBytesRead
);
/***** Process walking *************************************************/
typedef struct tagPROCESSENTRY32W
{
DWORD dwSize;
DWORD cntUsage;
DWORD th32ProcessID; // this process
ULONG_PTR th32DefaultHeapID;
DWORD th32ModuleID; // associated exe
DWORD cntThreads;
DWORD th32ParentProcessID; // this process's parent process
LONG pcPriClassBase; // Base priority of process's threads
DWORD dwFlags;
WCHAR szExeFile[MAX_PATH]; // Path
} PROCESSENTRY32W;
typedef PROCESSENTRY32W * PPROCESSENTRY32W;
typedef PROCESSENTRY32W * LPPROCESSENTRY32W;
BOOL
WINAPI
Process32FirstW(
HANDLE hSnapshot,
LPPROCESSENTRY32W lppe
);
BOOL
WINAPI
Process32NextW(
HANDLE hSnapshot,
LPPROCESSENTRY32W lppe
);
typedef struct tagPROCESSENTRY32
{
DWORD dwSize;
DWORD cntUsage;
DWORD th32ProcessID; // this process
ULONG_PTR th32DefaultHeapID;
DWORD th32ModuleID; // associated exe
DWORD cntThreads;
DWORD th32ParentProcessID; // this process's parent process
LONG pcPriClassBase; // Base priority of process's threads
DWORD dwFlags;
CHAR szExeFile[MAX_PATH]; // Path
} PROCESSENTRY32;
typedef PROCESSENTRY32 * PPROCESSENTRY32;
typedef PROCESSENTRY32 * LPPROCESSENTRY32;
BOOL
WINAPI
Process32First(
HANDLE hSnapshot,
LPPROCESSENTRY32 lppe
);
BOOL
WINAPI
Process32Next(
HANDLE hSnapshot,
LPPROCESSENTRY32 lppe
);
#ifdef UNICODE
#define Process32First Process32FirstW
#define Process32Next Process32NextW
#define PROCESSENTRY32 PROCESSENTRY32W
#define PPROCESSENTRY32 PPROCESSENTRY32W
#define LPPROCESSENTRY32 LPPROCESSENTRY32W
#endif // !UNICODE
/***** Thread walking **************************************************/
typedef struct tagTHREADENTRY32
{
DWORD dwSize;
DWORD cntUsage;
DWORD th32ThreadID; // this thread
DWORD th32OwnerProcessID; // Process this thread is associated with
LONG tpBasePri;
LONG tpDeltaPri;
DWORD dwFlags;
} THREADENTRY32;
typedef THREADENTRY32 * PTHREADENTRY32;
typedef THREADENTRY32 * LPTHREADENTRY32;
BOOL
WINAPI
Thread32First(
HANDLE hSnapshot,
LPTHREADENTRY32 lpte
);
BOOL
WINAPI
Thread32Next(
HANDLE hSnapshot,
LPTHREADENTRY32 lpte
);
/***** Module walking *************************************************/
typedef struct tagMODULEENTRY32W
{
DWORD dwSize;
DWORD th32ModuleID; // This module
DWORD th32ProcessID; // owning process
DWORD GlblcntUsage; // Global usage count on the module
DWORD ProccntUsage; // Module usage count in th32ProcessID's context
BYTE * modBaseAddr; // Base address of module in th32ProcessID's context
DWORD modBaseSize; // Size in bytes of module starting at modBaseAddr
HMODULE hModule; // The hModule of this module in th32ProcessID's context
WCHAR szModule[MAX_MODULE_NAME32 + 1];
WCHAR szExePath[MAX_PATH];
} MODULEENTRY32W;
typedef MODULEENTRY32W * PMODULEENTRY32W;
typedef MODULEENTRY32W * LPMODULEENTRY32W;
BOOL
WINAPI
Module32FirstW(
HANDLE hSnapshot,
LPMODULEENTRY32W lpme
);
BOOL
WINAPI
Module32NextW(
HANDLE hSnapshot,
LPMODULEENTRY32W lpme
);
typedef struct tagMODULEENTRY32
{
DWORD dwSize;
DWORD th32ModuleID; // This module
DWORD th32ProcessID; // owning process
DWORD GlblcntUsage; // Global usage count on the module
DWORD ProccntUsage; // Module usage count in th32ProcessID's context
BYTE * modBaseAddr; // Base address of module in th32ProcessID's context
DWORD modBaseSize; // Size in bytes of module starting at modBaseAddr
HMODULE hModule; // The hModule of this module in th32ProcessID's context
char szModule[MAX_MODULE_NAME32 + 1];
char szExePath[MAX_PATH];
} MODULEENTRY32;
typedef MODULEENTRY32 * PMODULEENTRY32;
typedef MODULEENTRY32 * LPMODULEENTRY32;
//
// NOTE CAREFULLY that the modBaseAddr and hModule fields are valid ONLY
// in th32ProcessID's process context.
//
BOOL
WINAPI
Module32First(
HANDLE hSnapshot,
LPMODULEENTRY32 lpme
);
BOOL
WINAPI
Module32Next(
HANDLE hSnapshot,
LPMODULEENTRY32 lpme
);
#ifdef UNICODE
#define Module32First Module32FirstW
#define Module32Next Module32NextW
#define MODULEENTRY32 MODULEENTRY32W
#define PMODULEENTRY32 PMODULEENTRY32W
#define LPMODULEENTRY32 LPMODULEENTRY32W
#endif // !UNICODE
#ifdef __cplusplus
}
#endif
#endif // _INC_TOOLHELP32

1330
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/analyzer.cpp Normal file
View File

File diff suppressed because it is too large Load Diff

3
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/analyzer.h Normal file
View File

@ -0,0 +1,3 @@
void CollectDeviceObjectsInfo(LPWSTR lpRoot);
void PrintDeviceObjectsInfo(char *lpszIoctlsLogPath);

4
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/binres.rc Normal file
View File

@ -0,0 +1,4 @@

253
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/common.cpp Normal file
View File

@ -0,0 +1,253 @@
#include "stdafx.h"
//--------------------------------------------------------------------------------------
BOOL LoadPrivileges(char *lpszName)
{
HANDLE hToken = NULL;
LUID Val;
TOKEN_PRIVILEGES tp;
BOOL bRet = FALSE;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
DbgMsg(__FILE__, __LINE__, "OpenProcessToken() fails: error %d\n", GetLastError());
goto end;
}
if (!LookupPrivilegeValue(NULL, lpszName, &Val))
{
DbgMsg(__FILE__, __LINE__, "LookupPrivilegeValue() fails: error %d\n", GetLastError());
goto end;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = Val;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof (tp), NULL, NULL))
{
DbgMsg(__FILE__, __LINE__, "AdjustTokenPrivileges() fails: error %d\n", GetLastError());
goto end;
}
bRet = TRUE;
end:
if (hToken)
CloseHandle(hToken);
return bRet;
}
//--------------------------------------------------------------------------------------
BOOL DumpToFile(char *lpszFileName, PVOID pData, ULONG DataSize)
{
HANDLE hFile = CreateFileA(lpszFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
if (hFile != INVALID_HANDLE_VALUE)
{
DWORD dwWritten;
WriteFile(hFile, pData, DataSize, &dwWritten, NULL);
CloseHandle(hFile);
return TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "Error %d while creating '%s'\n", GetLastError(), lpszFileName);
}
return FALSE;
}
//--------------------------------------------------------------------------------------
BOOL ReadFromFile(LPCTSTR lpszFileName, PVOID *pData, PDWORD lpdwDataSize)
{
BOOL bRet = FALSE;
HANDLE hFile = CreateFile(
lpszFileName,
GENERIC_READ,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
NULL,
OPEN_EXISTING,
0,
NULL
);
if (hFile != INVALID_HANDLE_VALUE)
{
if (pData == NULL || lpdwDataSize == NULL)
{
// just check for existing file
bRet = TRUE;
goto close;
}
*lpdwDataSize = GetFileSize(hFile, NULL);
if (*pData = LocalAlloc(LMEM_FIXED | LMEM_ZEROINIT, *lpdwDataSize))
{
DWORD dwReaded = 0;
ReadFile(hFile, *pData, *lpdwDataSize, &dwReaded, NULL);
bRet = TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "LocalAlloc() ERROR %d\n", GetLastError());
*lpdwDataSize = 0;
}
close:
CloseHandle(hFile);
}
else
{
DbgMsg(__FILE__, __LINE__, "Error %d while reading '%s'\n", GetLastError(), lpszFileName);
}
return bRet;
}
//--------------------------------------------------------------------------------------
char *GetNameFromFullPath(char *lpszPath)
{
char *lpszName = lpszPath;
for (size_t i = 0; i < strlen(lpszPath); i++)
{
if (lpszPath[i] == '\\' || lpszPath[i] == '/')
{
lpszName = lpszPath + i + 1;
}
}
return lpszName;
}
//--------------------------------------------------------------------------------------
wchar_t *GetNameFromFullPathW(wchar_t *lpwcPath)
{
wchar_t *lpwcName = lpwcPath;
for (size_t i = 0; i < wcslen(lpwcPath); i++)
{
if (lpwcPath[i] == L'\\' || lpwcPath[i] == L'/')
{
lpwcName = lpwcPath + i + 1;
}
}
return lpwcName;
}
//--------------------------------------------------------------------------------------
BOOL IsFileExists(char *lpszFileName)
{
BOOL bRet = FALSE;
WIN32_FIND_DATA FindData;
// enumerate files
HANDLE hDir = FindFirstFileA(lpszFileName, &FindData);
if (hDir != INVALID_HANDLE_VALUE)
{
bRet = TRUE;
FindClose(hDir);
}
return bRet;
}
//--------------------------------------------------------------------------------------
PVOID GetSysInf(SYSTEM_INFORMATION_CLASS InfoClass)
{
NTSTATUS ns = 0;
ULONG RetSize = 0, Size = 0x100;
PVOID Info = NULL;
GET_NATIVE(NtQuerySystemInformation);
while (true)
{
// allocate memory for system information
if ((Info = M_ALLOC(Size)) == NULL)
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() fails\n");
return NULL;
}
// query information
RetSize = 0;
ns = f_NtQuerySystemInformation(InfoClass, Info, Size, &RetSize);
if (ns == STATUS_INFO_LENGTH_MISMATCH)
{
// buffer is too small
M_FREE(Info);
Info = NULL;
if (RetSize > 0)
{
// allocate more memory and try again
Size = RetSize + 0x100;
}
else
{
break;
}
}
else
{
break;
}
}
if (!NT_SUCCESS(ns))
{
DbgMsg(__FILE__, __LINE__, "NtQuerySystemInformation() fails; status: 0x%.8x\n", ns);
if (Info)
{
M_FREE(Info);
}
return NULL;
}
return Info;
}
//--------------------------------------------------------------------------------------
BOOL GetProcessNameById(DWORD dwProcessId, char *lpszName, size_t NameLen)
{
BOOL bRet = FALSE;
// enumerate processes
HANDLE hSnapProcs = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapProcs != INVALID_HANDLE_VALUE)
{
PROCESSENTRY32 Process = { 0 };
Process.dwSize = sizeof(PROCESSENTRY32);
if (Process32First(hSnapProcs, &Process))
{
do
{
// match process id
if (Process.th32ProcessID == dwProcessId)
{
strlwr(Process.szExeFile);
lstrcpy(lpszName, Process.szExeFile);
bRet = TRUE;
break;
}
}
while (Process32Next(hSnapProcs, &Process));
}
else
{
DbgMsg(__FILE__, __LINE__, "Process32First() ERROR %d\n", GetLastError());
}
CloseHandle(hSnapProcs);
}
else
{
DbgMsg(__FILE__, __LINE__, "CreateToolhelp32Snapshot() ERROR %d\n", GetLastError());
}
return bRet;
}
//--------------------------------------------------------------------------------------
// EoF

54
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/common.h Normal file
View File

@ -0,0 +1,54 @@
#define RVATOVA(_base_, _offset_) ((PUCHAR)(_base_) + (ULONG)(_offset_))
#define XALIGN_DOWN(x, align)(x &~ (align - 1))
#define XALIGN_UP(x, align)((x & (align - 1)) ? XALIGN_DOWN(x, align) + align : x)
#define M_ALLOC(_size_) LocalAlloc(LMEM_FIXED | LMEM_ZEROINIT, (ULONG)(_size_))
#define M_FREE(_addr_) LocalFree((_addr_))
#define GET_NATIVE(_name_) \
\
func_##_name_ f_##_name_ = (func_##_name_)GetProcAddress( \
GetModuleHandleA("ntdll.dll"), \
(#_name_) \
);
#define UNICODE_FROM_WCHAR(_us_, _str_) \
\
((PUNICODE_STRING)(_us_))->Buffer = (_str_); \
((PUNICODE_STRING)(_us_))->Length = \
((PUNICODE_STRING)(_us_))->MaximumLength = \
(USHORT)wcslen((_str_)) * sizeof(WCHAR);
#define IFMT32 "0x%.8x"
#define IFMT64 "0x%.16I64x"
#define IFMT32_W L"0x%.8x"
#define IFMT64_W L"0x%.16I64x"
#ifdef _X86_
#define IFMT IFMT32
#define IFMT_W IFMT32_W
#elif _AMD64_
#define IFMT IFMT64
#define IFMT_W IFMT64_W
#endif
#define MAX_STRING_SIZE 255
BOOL LoadPrivileges(char *lpszName);
BOOL DumpToFile(char *lpszFileName, PVOID pData, ULONG DataSize);
BOOL ReadFromFile(LPCTSTR lpszFileName, PVOID *pData, PDWORD lpdwDataSize);
char *GetNameFromFullPath(char *lpszPath);
wchar_t *GetNameFromFullPathW(wchar_t *lpwcPath);
BOOL IsFileExists(char *lpszFileName);
PVOID GetSysInf(SYSTEM_INFORMATION_CLASS InfoClass);
BOOL GetProcessNameById(DWORD dwProcessId, char *lpszName, size_t NameLen);

16165
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/inc/dbgeng.h Normal file
View File

File diff suppressed because it is too large Load Diff

4593
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/inc/dbghelp.h Normal file
View File

File diff suppressed because it is too large Load Diff

4368
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/inc/engextcpp.cpp Normal file
View File

File diff suppressed because it is too large Load Diff

2513
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/inc/engextcpp.hpp Normal file
View File

File diff suppressed because it is too large Load Diff

1732
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/inc/extsfns.h Normal file
View File

File diff suppressed because it is too large Load Diff

2804
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/inc/wdbgexts.h Normal file
View File

File diff suppressed because it is too large Load Diff

BIN
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/lib/amd64/dbgeng.lib Normal file
View File

Binary file not shown.

BIN
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/lib/amd64/dbghelp.lib Normal file
View File

Binary file not shown.

BIN
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/lib/amd64/engextcpp.lib Normal file
View File

Binary file not shown.

BIN
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/lib/i386/dbgeng.lib Normal file
View File

Binary file not shown.

BIN
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/lib/i386/dbghelp.lib Normal file
View File

Binary file not shown.

BIN
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/lib/i386/engextcpp.lib Normal file
View File

Binary file not shown.

BIN
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/lib/ia64/dbgeng.lib Normal file
View File

Binary file not shown.

BIN
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/lib/ia64/dbghelp.lib Normal file
View File

Binary file not shown.

BIN
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/dbgsdk/lib/ia64/engextcpp.lib Normal file
View File

Binary file not shown.

302
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/debug.cpp Normal file
View File

@ -0,0 +1,302 @@
#include "stdafx.h"
#define DBG_PIPE_BUFFER_SIZE 0x1000
WCHAR m_wcDebugPipeName[MAX_PATH];
HANDLE hDbgMutex = NULL, hDbgLogfile = INVALID_HANDLE_VALUE;
//--------------------------------------------------------------------------------------
void DbgMsgLogWrite(char *lpszBuff)
{
if (hDbgLogfile != INVALID_HANDLE_VALUE && hDbgMutex)
{
DWORD dwWritten = 0;
char *s = lpszBuff;
size_t len = strlen(lpszBuff);
WaitForSingleObject(hDbgMutex, INFINITE);
SetFilePointer(hDbgLogfile, 0, NULL, FILE_END);
for (size_t i = 1; i < len; i++)
{
// divide source string by lines
if (lpszBuff[i] == '\n')
{
lpszBuff[i] = '\x00';
// write the current line
WriteFile(hDbgLogfile, s, (DWORD)strlen(s), &dwWritten, NULL);
if (lpszBuff[i - 1] != '\r')
{
// replace single '\n' with '\r\n'
WriteFile(hDbgLogfile, "\r\n", 2, &dwWritten, NULL);
}
else
{
WriteFile(hDbgLogfile, "\n", 1, &dwWritten, NULL);
}
s = lpszBuff + i + 1;
}
}
if (lpszBuff + len > s)
{
// write the rest of the string
WriteFile(hDbgLogfile, s, (DWORD)strlen(s), &dwWritten, NULL);
}
ReleaseMutex(hDbgMutex);
}
}
//--------------------------------------------------------------------------------------
void DbgMsg(char *lpszFile, int Line, char *lpszMsg, ...)
{
va_list mylist;
va_start(mylist, lpszMsg);
size_t len = _vscprintf(lpszMsg, mylist) + 0x100;
char *lpszBuff = (char *)M_ALLOC(len);
if (lpszBuff == NULL)
{
va_end(mylist);
return;
}
char *lpszOutBuff = (char *)M_ALLOC(len);
if (lpszOutBuff == NULL)
{
M_FREE(lpszBuff);
va_end(mylist);
return;
}
vsprintf_s(lpszBuff, len, lpszMsg, mylist);
va_end(mylist);
sprintf_s(
lpszOutBuff, len, "[%.5d] %s(%d) : %s",
GetCurrentProcessId(), GetNameFromFullPath(lpszFile), Line, lpszBuff
);
OutputDebugString(lpszOutBuff);
HANDLE hStd = GetStdHandle(STD_OUTPUT_HANDLE);
if (hStd != INVALID_HANDLE_VALUE)
{
DWORD dwWritten = 0;
WriteFile(hStd, lpszBuff, strlen(lpszBuff), &dwWritten, NULL);
}
sprintf_s(lpszOutBuff, len, "[%.5d] %s", GetCurrentProcessId(), lpszBuff);
DbgMsgLogWrite(lpszOutBuff);
M_FREE(lpszOutBuff);
M_FREE(lpszBuff);
}
//--------------------------------------------------------------------------------------
DWORD WINAPI PipeInstanceThread(LPVOID lpParam)
{
HANDLE hPipe = (HANDLE)lpParam;
DWORD dwReaded, dwWritten, dwLen = 0;
// read data length from pipe
while (ReadFile(hPipe, (PVOID)&dwLen, sizeof(dwLen), &dwReaded, NULL))
{
if (dwLen > 0)
{
// allocate memory for data
PUCHAR Data = (PUCHAR)M_ALLOC(dwLen);
if (Data)
{
PUCHAR DataPtr = Data;
DWORD dwTotalReaded = 0, dwReadLen = dwLen;
read_again:
if (ReadFile(hPipe, DataPtr, dwReadLen, &dwReaded, NULL))
{
dwTotalReaded += dwReaded;
if (dwLen > dwTotalReaded)
{
DataPtr += dwReaded;
dwReadLen -= dwReaded;
// not all data was readed
goto read_again;
}
// write message into the standart output
HANDLE hStd = GetStdHandle(STD_OUTPUT_HANDLE);
if (hStd != INVALID_HANDLE_VALUE)
{
char *s = strstr((char *)Data, " : ");
if (s)
{
s += 3;
WriteFile(hStd, s, lstrlen(s), &dwWritten, NULL);
}
else
{
WriteFile(hStd, Data, lstrlen((char *)Data), &dwWritten, NULL);
}
}
// write message into the log
DbgMsgLogWrite((char *)Data);
}
M_FREE(Data);
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() ERROR %d\n", GetLastError());
}
}
dwLen = 0;
}
return 0;
}
//--------------------------------------------------------------------------------------
DWORD WINAPI PipeServerThread(LPVOID lpParam)
{
DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Listening on pipe '%ws'\n", m_wcDebugPipeName);
while (true)
{
// create pipe instance
HANDLE hPipe = CreateNamedPipeW(
m_wcDebugPipeName,
PIPE_ACCESS_DUPLEX,
PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT,
PIPE_UNLIMITED_INSTANCES,
DBG_PIPE_BUFFER_SIZE,
DBG_PIPE_BUFFER_SIZE,
INFINITE,
NULL
);
if (hPipe == INVALID_HANDLE_VALUE)
{
DbgMsg(__FILE__, __LINE__, "CreateNamedPipe() ERROR %d\n", GetLastError());
return 0;
}
BOOL bConnected = ConnectNamedPipe(hPipe, NULL) ? TRUE : (GetLastError() == ERROR_PIPE_CONNECTED);
if (bConnected)
{
// Create a thread for this client.
HANDLE hThread = CreateThread(NULL, 0, PipeInstanceThread, (LPVOID)hPipe, 0, NULL);
if (hThread == NULL)
{
DbgMsg(__FILE__, __LINE__, "CreateThread() ERROR %d\n", GetLastError());
return 0;
}
else
{
CloseHandle(hThread);
}
}
else
{
// The client could not connect, so close the pipe.
CloseHandle(hPipe);
}
}
}
//--------------------------------------------------------------------------------------
void DbgInit(char *lpszDebugPipeName, char *lpszLogFileName)
{
hDbgMutex = CreateMutex(NULL, FALSE, NULL);
if (hDbgMutex == NULL)
{
DbgMsg(__FILE__, __LINE__, "CreateMutex() ERROR %d\n", GetLastError());
return;
}
if (lpszLogFileName)
{
// use logfile for debug messages
char szLogFilePath[MAX_PATH];
GetCurrentDirectory(sizeof(szLogFilePath), szLogFilePath);
strcat_s(szLogFilePath, MAX_PATH, "\\");
strcat_s(szLogFilePath, MAX_PATH, lpszLogFileName);
hDbgLogfile = CreateFile(
szLogFilePath,
GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
NULL,
CREATE_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL
);
if (hDbgLogfile == INVALID_HANDLE_VALUE)
{
DbgMsg(__FILE__, __LINE__, "CreateFile() ERROR %d\n", GetLastError());
return;
}
DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Log file '%s' created\n", szLogFilePath);
}
if (lpszDebugPipeName)
{
// pipe to receive messages from driver or other application
WCHAR wcDebugPipeName[MAX_PATH];
MultiByteToWideChar(CP_ACP, 0, lpszDebugPipeName, -1, wcDebugPipeName, MAX_PATH);
wcscpy_s(m_wcDebugPipeName, MAX_PATH, L"\\\\.\\pipe\\");
wcscat_s(m_wcDebugPipeName, MAX_PATH, wcDebugPipeName);
// start pipe server for debug messages from driver
HANDLE hThread = CreateThread(NULL, 0, PipeServerThread, NULL, 0, NULL);
if (hThread)
{
CloseHandle(hThread);
Sleep(2000);
}
else
{
DbgMsg(__FILE__, __LINE__, "CreateThread() ERROR %d\n", GetLastError());
}
}
}
//--------------------------------------------------------------------------------------
WORD ccol(WORD wColor)
{
WORD c = 0;
if (wColor == 0)
{
return 0;
}
if (hDbgMutex)
{
WaitForSingleObject(hDbgMutex, INFINITE);
}
HANDLE hStd = GetStdHandle(STD_OUTPUT_HANDLE);
if (hStd != INVALID_HANDLE_VALUE)
{
CONSOLE_SCREEN_BUFFER_INFO Info;
ZeroMemory(&Info, sizeof(Info));
// get old console attributes
if (GetConsoleScreenBufferInfo(hStd, &Info))
{
// set new console attributes
SetConsoleTextAttribute(hStd, wColor);
c = Info.wAttributes;
}
}
if (hDbgMutex)
{
ReleaseMutex(hDbgMutex);
}
return c;
}
//--------------------------------------------------------------------------------------
// EoF

13
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/debug.h Normal file
View File

@ -0,0 +1,13 @@
void DbgMsg(char *lpszFile, int Line, char *lpszMsg, ...);
void DbgInit(char *lpszDebugPipeName, char *lpszLogFileName);
#define CCOL_BLUE (0x09)
#define CCOL_GREEN (0x0A)
#define CCOL_CYAN (0x0B)
#define CCOL_RED (0x0C)
#define CCOL_PURPLE (0x0D)
#define CCOL_YELLOW (0x0E)
#define CCOL_WHITE (0x0F)
WORD ccol(WORD wColor);

14
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/default.manifest Normal file
View File

@ -0,0 +1,14 @@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator" uiAccess="FALSE"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
<dependency>
<dependentAssembly>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"></assemblyIdentity>
</dependentAssembly>
</dependency>
</assembly>

117
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/drvcomm.h Normal file
View File

@ -0,0 +1,117 @@
#define DEVICE_NAME L"IOCTLfuzzer"
#define DBG_PIPE_NAME L"IOCTLfuzzer"
#define DBG_PIPE_NAME_A "IOCTLfuzzer"
#define IOCTL_DRV_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x01, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
#define S_ERROR 0x00
#define S_SUCCESS 0x01
#define C_ADD_DEVICE 0x01
#define C_ADD_DRIVER 0x02
#define C_ADD_IOCTL 0x03
#define C_ADD_PROCESS 0x04
#define C_SET_OPTIONS 0x05
#define C_GET_DEVICE_INFO 0x06
#define C_CHECK_HOOKS 0x07
#define C_DEL_OPTIONS 0x08
#define C_GET_OBJECT_NAME 0x09
// fuzzing options
#define FUZZ_OPT_LOG_IOCTL 0x00000001
#define FUZZ_OPT_LOG_IOCTL_BUFFERS 0x00000002
#define FUZZ_OPT_LOG_IOCTL_GLOBAL 0x00000004
#define FUZZ_OPT_LOG_EXCEPTIONS 0x00000008
#define FUZZ_OPT_LOG_DEBUG 0x00000010
#define FUZZ_OPT_FUZZ 0x00000020
#define FUZZ_OPT_FUZZ_SIZE 0x00000040
#define FUZZ_OPT_FUZZ_FAIR 0x00000080
#define FUZZ_OPT_FUZZ_BOOT 0x00000100
#define FUZZ_OPT_NO_SDT_HOOKS 0x00000200
typedef ULONG FUZZING_TYPE;
#define FuzzingType_Random 0x00000001
#define FuzzingType_Dword 0x00000002
// area to store some variables, that must located in user mode
#pragma pack(push, 1)
typedef struct _USER_MODE_DATA
{
IO_STATUS_BLOCK IoStatus;
} USER_MODE_DATA,
*PUSER_MODE_DATA;
#pragma pack(pop)
#define MAX_REQUEST_STRING 0x100
#pragma pack(push, 1)
typedef struct _REQUEST_BUFFER
{
// operation status (see S_* definitions)
ULONG Status;
// operation code (see C_* definitions)
ULONG Code;
union
{
struct
{
ULONG Options;
ULONG FuzzThreadId;
FUZZING_TYPE FuzzingType;
PUSER_MODE_DATA UserModeData;
ULONG KiDispatchException_Offset;
} Options;
struct
{
PVOID DeviceObjectAddr;
PVOID DriverObjectAddr;
char szDriverObjectName[MAX_REQUEST_STRING];
char szDriverFilePath[MAX_REQUEST_STRING];
} DeviceInfo;
struct
{
// for C_ADD_IOCTL
ULONG IoctlCode;
// for all C_ADD_*
BOOLEAN bAllow;
// for C_ADD_DEVICE, C_ADD_DRIVER and C_ADD_PROCESS
char szObjectName[MAX_REQUEST_STRING];
/*
If TRUE -- debugger command, that stored in Buff[],
must be executed for every IOCTL, that has been matched
by this object.
*/
BOOLEAN bDbgcbAction;
} AddObject;
struct
{
HANDLE hObject;
char szObjectName[MAX_REQUEST_STRING];
} ObjectName;
struct
{
BOOLEAN bHooksInstalled;
} CheckHooks;
};
char Buff[1];
} REQUEST_BUFFER,
*PREQUEST_BUFFER;
#pragma pack(pop)

940
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/ioctlfuzzer.cpp Normal file
View File

@ -0,0 +1,940 @@
#include "stdafx.h"
//unresolved external symbol __imp__StrToIntExA@12
#pragma comment(lib, "Shlwapi.lib")
//unresolved external symbol _VerQueryValueA@16
#pragma comment(lib, "version.lib")
//unresolved external symbol __imp__InitCommonControls@0
#pragma comment(lib, "comctl32.lib")
#ifdef _AMD64_
#pragma comment(lib,"dbgsdk\\lib\\amd64\\dbghelp.lib")
#pragma comment(lib, "lib\\amd64\\comsupp.lib")
#else
#pragma comment(lib,"dbgsdk\\lib\\i386\\dbghelp.lib")
#pragma comment(lib, "lib\\comsupp.lib")
#endif
//
#define RESOURCE_NAME_DRIVER32 "DRIVER32"
#define RESOURCE_NAME_DRIVER64 "DRIVER64"
#define GLOBAL_MUTEX_NAME "Global\\" DRIVER_SERVICE_NAME "_Mutex"
USER_MODE_DATA m_UserModeData;
DWORD m_dwFuzzThreadId = 0;
HANDLE hDevice = NULL;
// fuzzing type and other actual options
FUZZING_TYPE m_FuzzingType = DEFAULT_FUZZING_TYPE;
DWORD m_dwOptions = 0;
// don't install any hooks (usefull for attack surface analysis feature)
BOOL m_bNoHooks = FALSE;
// TRUE if remote kernel debugger is not present
BOOL m_bDebuggerNotPresent = FALSE;
// defined in debug.cpp
extern HANDLE hDbgLogfile;
BOOL m_bBoot = FALSE;
/**
* kernel32!Get[Set]ConsoleScreenBufferInfoEx() functions prsent
* only on NT 6.x
*/
typedef BOOL (WINAPI * GET_SET_CONSOLE_SCREEN_BUFFER_INFO_EX)(
HANDLE hConsoleOutput,
PCONSOLE_SCREEN_BUFFER_INFOEX lpConsoleScreenBufferInfoEx
);
//--------------------------------------------------------------------------------------
BOOL GetOption(IXMLDOMNode *pIDOMNode, PWSTR lpwcName, PBOOL pbVal)
{
BOOL bRet = FALSE;
char *lpszVal = NULL;
if (ConfAllocGetTextByNameA(pIDOMNode, lpwcName, &lpszVal))
{
bRet = TRUE;
if (!strcmp(strlwr(lpszVal), "true"))
{
*pbVal = TRUE;
}
else if (!strcmp(strlwr(lpszVal), "false"))
{
*pbVal = FALSE;
}
else
{
DbgMsg(__FILE__, __LINE__, "WARNING: invalid value for option '%ws'\r\n", lpwcName);
bRet = FALSE;
}
M_FREE(lpszVal);
}
return bRet;
}
//--------------------------------------------------------------------------------------
void ParseAllowDenySection(IXMLDOMNode *pIDOMNode, BOOL bAllow, BOOL bDbgcbAction)
{
struct
{
LPCWSTR lpNodeName;
LPCWSTR lpObjectName;
ULONG Code;
} Objects[] = {
{ L"drivers", L"driver", C_ADD_DRIVER },
{ L"devices", L"device", C_ADD_DEVICE },
{ L"ioctls", L"ioctl", C_ADD_IOCTL },
{ L"processes", L"process", C_ADD_PROCESS },
{ NULL, NULL, 0 }
};
/*
Old-style allow/deny lists parsing:
--------------------------------------
<objects>
<object>SomeName_1</object>
<object>SomeName_2</object>
...
<object>SomeName_N</object>
</objects>
*/
for (int ob = 0; Objects[ob].lpNodeName != NULL; ob++)
{
// get objects list node
IXMLDOMNode *pIDOMObjectsNode = ConfGetNodeByName((BSTR)Objects[ob].lpNodeName, pIDOMNode);
if (pIDOMObjectsNode)
{
IXMLDOMNodeList *pIDOMNodeList = NULL;
// enumerate available object names
HRESULT hr = pIDOMObjectsNode->get_childNodes(&pIDOMNodeList);
if (SUCCEEDED(hr))
{
LONG len = 0;
pIDOMNodeList->get_length(&len);
DbgMsg(__FILE__, __LINE__, "\"%ws\":\r\n", Objects[ob].lpNodeName);
for (int i = 0; i < len; i++)
{
IXMLDOMNode *pIDOMChildNode = NULL;
// get single object name
hr = pIDOMNodeList->get_item(i, &pIDOMChildNode);
if (SUCCEEDED(hr))
{
char *lpszObjectName = NULL;
if (ConfGetNodeTextA(pIDOMChildNode, &lpszObjectName))
{
REQUEST_BUFFER Buff;
ZeroMemory(&Buff, sizeof(Buff));
Buff.Code = Objects[ob].Code;
Buff.AddObject.bAllow = bAllow;
if (Objects[ob].Code == C_ADD_IOCTL)
{
DWORD dwIoctlCode = 0;
// parse hexadecimal IOCTL code value
if (StrToIntEx(lpszObjectName, STIF_SUPPORT_HEX, (int *)&dwIoctlCode))
{
DbgMsg(__FILE__, __LINE__, " - 0x%.8x\r\n", dwIoctlCode);
Buff.AddObject.IoctlCode = dwIoctlCode;
DrvDeviceRequest(&Buff, sizeof(Buff));
}
else
{
DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): StrToIntEx() ERROR %d\n", GetLastError());
}
}
else
{
DbgMsg(__FILE__, __LINE__, " - \"%s\"\r\n", lpszObjectName);
// object name is a string value (process/driver/device name)
lstrcpy(Buff.AddObject.szObjectName, lpszObjectName);
DrvDeviceRequest(&Buff, sizeof(Buff));
}
M_FREE(lpszObjectName);
}
pIDOMChildNode->Release();
}
}
pIDOMNodeList->Release();
}
pIDOMObjectsNode->Release();
}
}
/*
New allow/deny lists parsing:
--------------------------------------
<object_type val="SomeName_1" />
<object_type val="SomeName_2" />
...
<object_type val="SomeName_N" />
*/
// enumerate available objects
IXMLDOMNodeList *pIDOMNodeList = NULL;
HRESULT hr = pIDOMNode->get_childNodes(&pIDOMNodeList);
if (SUCCEEDED(hr))
{
LONG len = 0;
pIDOMNodeList->get_length(&len);
for (int i = 0; i < len; i++)
{
IXMLDOMNode *pIDOMChildNode = NULL;
// get single object node
hr = pIDOMNodeList->get_item(i, &pIDOMChildNode);
if (SUCCEEDED(hr))
{
// get node name (object type)
BSTR ChildNodeName = NULL;
hr = pIDOMChildNode->get_nodeName(&ChildNodeName);
if (SUCCEEDED(hr))
{
// lookup object type by name
for (int ob = 0; Objects[ob].lpObjectName != NULL; ob++)
{
if (!wcscmp(Objects[ob].lpObjectName, ChildNodeName))
{
DWORD dwOptionalBuffLen = 0;
char *lpszObjectName = NULL, *lpszOptionalBuff = NULL;
/*
Query node value: for dbgcb objects list it contains
debugger command, that must be executet for each IOCTL,
matched by this object.
*/
if (bDbgcbAction &&
ConfGetNodeTextA(pIDOMChildNode, &lpszOptionalBuff) &&
lpszOptionalBuff)
{
dwOptionalBuffLen = (DWORD)strlen(lpszOptionalBuff) + 1;
}
if (ConfGetNodeAttributeA(pIDOMChildNode, L"val", &lpszObjectName))
{
DWORD dwBuffSize = sizeof(REQUEST_BUFFER) + dwOptionalBuffLen;
PREQUEST_BUFFER Buff = (PREQUEST_BUFFER)M_ALLOC(dwBuffSize);
if (Buff)
{
ZeroMemory(Buff, dwBuffSize);
Buff->Code = Objects[ob].Code;
Buff->AddObject.bAllow = bAllow;
Buff->AddObject.bDbgcbAction = bDbgcbAction;
if (lpszOptionalBuff)
{
lstrcpy(Buff->Buff, lpszOptionalBuff);
}
if (Objects[ob].Code == C_ADD_IOCTL)
{
DWORD dwIoctlCode = 0;
// parse hexadecimal IOCTL code value
if (StrToIntEx(lpszObjectName, STIF_SUPPORT_HEX, (int *)&dwIoctlCode))
{
if (bDbgcbAction)
{
DbgMsg(
__FILE__, __LINE__, "Object=\"%ws\" Value=0x%.8x KdCommand=\"%s\"\r\n",
Objects[ob].lpObjectName, dwIoctlCode,
lpszOptionalBuff ? lpszOptionalBuff : "<BREAK>"
);
}
else
{
DbgMsg(
__FILE__, __LINE__, "Object=\"%ws\" Value=0x%.8x\r\n",
Objects[ob].lpObjectName, dwIoctlCode
);
}
Buff->AddObject.IoctlCode = dwIoctlCode;
DrvDeviceRequest(Buff, dwBuffSize);
}
else
{
DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): StrToIntEx() ERROR %d\n", GetLastError());
}
}
else
{
if (bDbgcbAction)
{
DbgMsg(
__FILE__, __LINE__, "Object=\"%ws\" Value=\"%s\" KdCommand=\"%s\"\r\n",
Objects[ob].lpObjectName, lpszObjectName,
lpszOptionalBuff ? lpszOptionalBuff : "<BREAK>"
);
}
else
{
DbgMsg(
__FILE__, __LINE__, "Object=\"%ws\" Value=\"%s\"\r\n",
Objects[ob].lpObjectName, lpszObjectName
);
}
// object name is a string value (process/driver/device name)
lstrcpy(Buff->AddObject.szObjectName, lpszObjectName);
DrvDeviceRequest(Buff, dwBuffSize);
}
M_FREE(Buff);
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() ERROR %d\r\n", GetLastError());
}
M_FREE(lpszObjectName);
}
if (lpszOptionalBuff)
{
M_FREE(lpszOptionalBuff);
}
break;
}
}
}
if (ChildNodeName)
{
SysFreeString(ChildNodeName);
}
pIDOMChildNode->Release();
}
}
pIDOMNodeList->Release();
}
}
//--------------------------------------------------------------------------------------
BOOL SetOptions(DWORD dwOptions, FUZZING_TYPE FuzzingType)
{
REQUEST_BUFFER Buff;
ZeroMemory(&Buff, sizeof(Buff));
Buff.Code = C_SET_OPTIONS;
Buff.Options.Options = dwOptions;
Buff.Options.FuzzingType = FuzzingType;
Buff.Options.UserModeData = &m_UserModeData;
Buff.Options.FuzzThreadId = m_dwFuzzThreadId;
m_dwOptions = dwOptions;
m_FuzzingType = FuzzingType;
// send options to the driver
return DrvDeviceRequest(&Buff, sizeof(REQUEST_BUFFER));
}
//--------------------------------------------------------------------------------------
BOOL SetDefaultOptions(void)
{
DWORD dwOptions = FUZZ_OPT_LOG_DEBUG;
dwOptions |= FUZZ_OPT_LOG_IOCTL;
dwOptions |= FUZZ_OPT_LOG_IOCTL_GLOBAL;
if (m_bNoHooks)
{
dwOptions |= FUZZ_OPT_NO_SDT_HOOKS;
}
// send options to the driver
return SetOptions(dwOptions, DEFAULT_FUZZING_TYPE);
}
//--------------------------------------------------------------------------------------
BOOL ParseConfig(char *lpszCfgFileName)
{
PVOID Data = NULL;
DWORD dwDataSize = 0;
BOOL bRet = FALSE;
// read config file
if (ReadFromFile(lpszCfgFileName, &Data, &dwDataSize))
{
PWSTR lpwcData = (PWSTR)M_ALLOC((dwDataSize + 1) * sizeof(WCHAR));
if (lpwcData)
{
MultiByteToWideChar(CP_ACP, 0, (char *)Data, dwDataSize, lpwcData, dwDataSize);
IXMLDOMNode *pIDOMRootNode = NULL;
IXMLDOMDocument *pXMLDoc = NULL;
// load xml document
if (XmlLoad(lpwcData, &pXMLDoc, &pIDOMRootNode, L"cfg"))
{
// create logfile, if option is set
char *lpszLogFilePath = NULL;
if (ConfAllocGetTextByNameA(pIDOMRootNode, L"log_file", &lpszLogFilePath))
{
HANDLE hNewLogfile = CreateFile(
lpszLogFilePath,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL
);
if (hNewLogfile != INVALID_HANDLE_VALUE)
{
SetFilePointer(hNewLogfile, 0, NULL, FILE_END);
if (hDbgLogfile != INVALID_HANDLE_VALUE)
{
// close old debug log
CloseHandle(hDbgLogfile);
hDbgLogfile = hNewLogfile;
}
}
else
{
DbgMsg(__FILE__, __LINE__, "CreateFile() ERROR %d\r\n", GetLastError());
DbgMsg(__FILE__, __LINE__, "Error while creating/opening logfile at '%s'.\r\n", lpszLogFilePath);
}
M_FREE(lpszLogFilePath);
}
// parse allowed objects list
IXMLDOMNode *pIDOMAllowNode = ConfGetNodeByName(L"allow", pIDOMRootNode);
if (pIDOMAllowNode)
{
ParseAllowDenySection(pIDOMAllowNode, TRUE, FALSE);
pIDOMAllowNode->Release();
}
// parse denied objects list
IXMLDOMNode *pIDOMDenyNode = ConfGetNodeByName(L"deny", pIDOMRootNode);
if (pIDOMDenyNode)
{
ParseAllowDenySection(pIDOMDenyNode, FALSE, FALSE);
pIDOMDenyNode->Release();
}
if (!m_bDebuggerNotPresent)
{
// parse debugger communication engine options
IXMLDOMNode *pIDOMDbgcbNode = ConfGetNodeByName(L"dbgcb", pIDOMRootNode);
if (pIDOMDbgcbNode)
{
ParseAllowDenySection(pIDOMDbgcbNode, FALSE, TRUE);
pIDOMDbgcbNode->Release();
}
}
// parse options
BOOL bLogRequests = TRUE, bDebugLogRequests = TRUE;
BOOL bHexDump = FALSE;
DWORD dwOptions = FUZZ_OPT_LOG_IOCTL_GLOBAL;
FUZZING_TYPE FuzzingType = DEFAULT_FUZZING_TYPE;
GetOption(pIDOMRootNode, L"hex_dump", &bHexDump);
GetOption(pIDOMRootNode, L"log_requests", &bLogRequests);
GetOption(pIDOMRootNode, L"debug_log_requests", &bDebugLogRequests);
GetOption(pIDOMRootNode, L"boot_log", &m_bBoot);
DbgMsg(__FILE__, __LINE__, "PROGRAM OPTIONS:\r\n");
#define STROPT(_x_) ((_x_) ? "Yes" : "No")
DbgMsg(__FILE__, __LINE__, " 'hex_dump': %s\r\n", STROPT(bHexDump));
DbgMsg(__FILE__, __LINE__, " 'log_requests': %s\r\n", STROPT(bLogRequests));
DbgMsg(__FILE__, __LINE__, " 'debug_log_requests': %s\r\n", STROPT(bDebugLogRequests));
DbgMsg(__FILE__, __LINE__, " 'bBoot': %s\r\n", STROPT(m_bBoot));
if (bHexDump)
{
dwOptions |= FUZZ_OPT_LOG_IOCTL_BUFFERS;
}
if (bLogRequests)
{
dwOptions |= FUZZ_OPT_LOG_IOCTL;
}
if (bDebugLogRequests)
{
dwOptions |= FUZZ_OPT_LOG_DEBUG;
}
if (m_bBoot)
{
dwOptions |= FUZZ_OPT_FUZZ_BOOT;
}
// send options to the driver
bRet = SetOptions(dwOptions, FuzzingType);
pIDOMRootNode->Release();
pXMLDoc->Release();
}
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() ERROR %d\r\n", GetLastError());
}
M_FREE(Data);
}
if (!bRet)
{
SetDefaultOptions();
}
return bRet;
}
//--------------------------------------------------------------------------------------
DWORD WINAPI ApcThread(LPVOID lpParam)
{
while (true)
{
SleepEx(INFINITE, TRUE);
}
return 0;
}
//--------------------------------------------------------------------------------------
BOOL WINAPI CtrlHandler(DWORD fdwCtrlType)
{
if (fdwCtrlType == CTRL_C_EVENT ||
fdwCtrlType == CTRL_CLOSE_EVENT)
{
// Handle the CTRL-C signal.
DbgMsg(__FILE__, __LINE__, "Stopping application, please wait...\r\n");
ExitProcess(0);
return TRUE;
}
return FALSE;
}
//--------------------------------------------------------------------------------------
BOOL GetResPayload(HMODULE hModule, char *lpszResourceName, PVOID *Data, DWORD *dwDataSize)
{
HRSRC hRc = FindResource(hModule, lpszResourceName, "BINRES");
if (hRc)
{
HGLOBAL hResData = LoadResource(hModule, hRc);
if (hResData)
{
PVOID ResData = LockResource(hResData);
if (ResData)
{
*dwDataSize = SizeofResource(hModule, hRc);
if (*Data = M_ALLOC(*dwDataSize))
{
memcpy(*Data, ResData, *dwDataSize);
return TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() ERROR %d\r\n", GetLastError());
}
}
else
{
DbgMsg(__FILE__, __LINE__, "LockResource() fails\r\n");
}
}
else
{
DbgMsg(__FILE__, __LINE__, "LoadResource() fails\r\n");
}
}
else
{
DbgMsg(__FILE__, __LINE__, "FindResource() fails\r\n");
}
return FALSE;
}
//--------------------------------------------------------------------------------------
#define CHECK_SET(_item_) SendMessage(GetDlgItem(hDlg, (_item_)), BM_SETCHECK, BST_CHECKED, 0)
#define CHECK_UNSET(_item_) SendMessage(GetDlgItem(hDlg, (_item_)), BM_SETCHECK, BST_UNCHECKED, 0)
#define CHECK_GET(_item_) (SendMessage(GetDlgItem(hDlg, (_item_)), BM_GETCHECK, BST_CHECKED, 0) == BST_CHECKED)
LRESULT CALLBACK MainDlg(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam)
{
DWORD dwOptions = FUZZ_OPT_LOG_IOCTL_GLOBAL;
FUZZING_TYPE FuzzingType = DEFAULT_FUZZING_TYPE;
switch (message)
{
case WM_INITDIALOG:
{
/**
* Initialize chekboxes for fuzzing options.
*/
if (m_dwOptions & FUZZ_OPT_LOG_IOCTL)
{
CHECK_SET(IDC_LOG_CONSOLE);
}
if (m_dwOptions & FUZZ_OPT_LOG_DEBUG)
{
CHECK_SET(IDC_LOG_DEBUGGER);
}
if (m_dwOptions & FUZZ_OPT_LOG_IOCTL_BUFFERS)
{
CHECK_SET(IDC_LOG_BUFFERS);
}
break;
}
case WM_COMMAND:
{
switch (wParam)
{
case IDC_HIDE:
ShowWindow(hDlg, SW_HIDE);
break;
case IDC_TERMINATE:
DestroyWindow(hDlg);
break;
case IDC_LOG_CONSOLE:
case IDC_LOG_DEBUGGER:
case IDC_LOG_BUFFERS:
/**
* Get controls state.
*/
if (CHECK_GET(IDC_LOG_CONSOLE))
{
dwOptions |= FUZZ_OPT_LOG_IOCTL;
}
if (CHECK_GET(IDC_LOG_DEBUGGER))
{
dwOptions |= FUZZ_OPT_LOG_DEBUG;
}
if (CHECK_GET(IDC_LOG_BUFFERS))
{
dwOptions |= FUZZ_OPT_LOG_IOCTL_BUFFERS;
}
// update fuzzing type and settings
SetOptions(dwOptions, FuzzingType);
break;
}
break;
}
case WM_CLOSE:
{
DestroyWindow(hDlg);
break;
}
}
return FALSE;
}
//--------------------------------------------------------------------------------------
int _tmain(int argc, _TCHAR* argv[])
{
char szDriverFileName[MAX_PATH] = {0};
char szServiceFileName[MAX_PATH] = {0};
BOOL bUninstall = FALSE, bShowExceptions = FALSE, bPrintDevices = FALSE;
InitCommonControls();
GetSystemDirectory(szDriverFileName, sizeof(szDriverFileName));
lstrcat(szDriverFileName, "\\drivers\\" DRIVER_FILE_NAME);
lstrcpy(szServiceFileName, "system32\\drivers\\" DRIVER_FILE_NAME);
HANDLE hGlobalMutex = CreateMutex(NULL, FALSE, GLOBAL_MUTEX_NAME);
char lpszConfigPath[MAX_PATH] = {0};
GetCurrentDirectory(sizeof(lpszConfigPath), lpszConfigPath);
lstrcat(lpszConfigPath, "\\ioctlfuzzer.xml");
// check for allready running application
if (GetLastError() == ERROR_ALREADY_EXISTS)
{
MessageBox(
0,
"One copy of program is allready running.\n",
"ERROR",
MB_ICONERROR
);
ExitProcess(0);
}
#if defined(_X86_)
BOOL bIs64 = FALSE;
typedef BOOL (WINAPI * func_IsWow64Process)(
HANDLE hProcess,
PBOOL Wow64Process
);
func_IsWow64Process f_IsWow64Process = (func_IsWow64Process)GetProcAddress(
GetModuleHandleA("kernel32.dll"),
"IsWow64Process"
);
if (f_IsWow64Process)
{
// check for WoW64 environment
if (f_IsWow64Process(GetCurrentProcess(), &bIs64) && bIs64)
{
MessageBoxA(
0,
"You should use x64 version of program on Windows x64.\n"
"<OK> to exit.",
"ERROR", MB_ICONWARNING
);
ExitProcess(0);
}
}
#endif // _X86_
DbgInit(DBG_PIPE_NAME_A, IOCTLFUZZER_LOG_FILE);
PSYSTEM_KERNEL_DEBUGGER_INFORMATION DebuggerInfo = (PSYSTEM_KERNEL_DEBUGGER_INFORMATION)
GetSysInf(SystemKernelDebuggerInformation);
if (DebuggerInfo)
{
// check for remote kernel debugger
if (!DebuggerInfo->DebuggerEnabled ||
DebuggerInfo->DebuggerNotPresent)
{
if (MessageBox(
0,
"Warning!\r\n"
"Kernel debugger is not present, IOCTL Fuzzer may cause a BSoD.\r\n"
"Continue execution?",
"Warning", MB_YESNO | MB_ICONWARNING | MB_TOPMOST) == IDNO)
{
ExitProcess(0);
}
}
M_FREE(DebuggerInfo);
}
GET_SET_CONSOLE_SCREEN_BUFFER_INFO_EX f_GetConsoleScreenBufferInfoEx =
(GET_SET_CONSOLE_SCREEN_BUFFER_INFO_EX)GetProcAddress(
GetModuleHandle("kernel32.dll"),
"GetConsoleScreenBufferInfoEx"
);
GET_SET_CONSOLE_SCREEN_BUFFER_INFO_EX f_SetConsoleScreenBufferInfoEx =
(GET_SET_CONSOLE_SCREEN_BUFFER_INFO_EX)GetProcAddress(
GetModuleHandle("kernel32.dll"),
"SetConsoleScreenBufferInfoEx"
);
if (f_GetConsoleScreenBufferInfoEx &&
f_SetConsoleScreenBufferInfoEx)
{
HANDLE hConsoleOutput = GetStdHandle(STD_OUTPUT_HANDLE);
CONSOLE_SCREEN_BUFFER_INFOEX ConsoleInfo;
ConsoleInfo.cbSize = sizeof(ConsoleInfo);
if (f_GetConsoleScreenBufferInfoEx(hConsoleOutput, &ConsoleInfo))
{
DbgMsg(
__FILE__, __LINE__, "[+] Changing console screen buffer height from %d to %d lines\n",
ConsoleInfo.dwSize.Y, CONSOLE_BUFFER_HEIGHT
);
ConsoleInfo.dwSize.Y = CONSOLE_BUFFER_HEIGHT;
// we don't need horizontal scroll bar
ConsoleInfo.dwSize.X -= 1;
if (!f_SetConsoleScreenBufferInfoEx(hConsoleOutput, &ConsoleInfo))
{
DbgMsg(__FILE__, __LINE__, "SetConsoleScreenBufferInfoEx() ERROR %d\n", GetLastError());
}
}
else
{
DbgMsg(__FILE__, __LINE__, "GetConsoleScreenBufferInfoEx() ERROR %d\n", GetLastError());
}
}
if (!LoadPrivileges(SE_LOAD_DRIVER_NAME))
{
DbgMsg(__FILE__, __LINE__, "Error while loading 'SeLoadDriverPrivilege'\r\n");
goto end;
}
PVOID DriverData = NULL;
DWORD dwDriverDataSize = 0;
// extract kernel driver from resources
#if defined(_X86_)
if (GetResPayload(GetModuleHandle(NULL), RESOURCE_NAME_DRIVER32, &DriverData, &dwDriverDataSize))
#else
if (GetResPayload(GetModuleHandle(NULL), RESOURCE_NAME_DRIVER64, &DriverData, &dwDriverDataSize))
#endif
{
// ... and dump it to the disk
if (!DumpToFile(szDriverFileName, DriverData, dwDriverDataSize))
{
DbgMsg(__FILE__, __LINE__, "Error while creating kernel driver file.\r\n");
goto end;
}
M_FREE(DriverData);
}
else
{
DbgMsg(__FILE__, __LINE__, "Error while extracting kernel driver from resources.\r\n");
goto end;
}
if (!DrvServiceStart(DRIVER_SERVICE_NAME, szDriverFileName, NULL))
{
DbgMsg(__FILE__, __LINE__, "Error while creating/starting system service for kernel driver.\r\n");
goto end;
}
if (m_bBoot)
{
if (!DrvServiceSetStartType(DRIVER_SERVICE_NAME, SERVICE_BOOT_START))
{
DbgMsg(__FILE__, __LINE__, "Error while changing service startup type.\r\n");
goto end;
}
DbgMsg(__FILE__, __LINE__, "Service startup type has been set to the SERVICE_BOOT_START.\r\n");
}
else
{
if (!DrvServiceSetStartType(DRIVER_SERVICE_NAME, SERVICE_DEMAND_START))
{
DbgMsg(__FILE__, __LINE__, "Error while changing service startup type.\r\n");
goto end;
}
}
// create thread for kernel mode APC's
HANDLE hThread = CreateThread(NULL, 0, ApcThread, NULL, 0, &m_dwFuzzThreadId);
if (hThread)
{
DbgMsg(__FILE__, __LINE__, "Thread for kernel mode APC's created (ID: %x)\r\n", m_dwFuzzThreadId);
CloseHandle(hThread);
}
else
{
DbgMsg(__FILE__, __LINE__, "CreateThread() ERROR %d\r\n", GetLastError());
}
if (DrvOpenDevice(DEVICE_NAME, &hDevice))
{
/**
* Fuzzing or monitoring mode
*/
REQUEST_BUFFER Buff;
ZeroMemory(&Buff, sizeof(Buff));
Buff.Code = C_DEL_OPTIONS;
// delete previously saved fuzing/minitoring options
DrvDeviceRequest(&Buff, sizeof(REQUEST_BUFFER));
if (lpszConfigPath)
{
ParseConfig(lpszConfigPath);
}
else
{
SetDefaultOptions();
}
SetConsoleCtrlHandler(CtrlHandler, TRUE);
DialogBox(GetModuleHandle(NULL), MAKEINTRESOURCE(IDD_DIALOG), NULL, (DLGPROC)MainDlg);
BOOL bStopService = TRUE;
ZeroMemory(&Buff, sizeof(Buff));
Buff.Code = C_CHECK_HOOKS;
// check for installed hooks
if (DrvDeviceRequest(&Buff, sizeof(REQUEST_BUFFER)) &&
Buff.CheckHooks.bHooksInstalled)
{
bStopService = FALSE;
if (MessageBox(
0,
"Warning!\r\n"
"Unloading of a kernel driver may be unsafe.\r\n"
"Press <YES> to unload it, or <NO> for just a program termination.",
"Exit from program", MB_YESNO | MB_ICONWARNING | MB_TOPMOST) == IDYES)
{
bStopService = TRUE;
}
}
CloseHandle(hDevice);
if (bStopService)
{
DrvServiceStop(DRIVER_SERVICE_NAME);
}
if (bPrintDevices)
{
goto end;
}
ExitProcess(0);
}
else
{
DbgMsg(__FILE__, __LINE__, "Error while opening kernel driver communication device\r\n");
}
DrvServiceStop(DRIVER_SERVICE_NAME);
end:
printf("Press any key to quit...\r\n");
getch();
return 0;
}
//--------------------------------------------------------------------------------------
// EoF

3
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/ioctlfuzzer.log Normal file
View File

@ -0,0 +1,3 @@
[17792] DbgInit(): Log file 'c:\Users\minzhen\Desktop\8.3 Hook DeviceIoControlFile(x86 x64)\HookDeviceIoControlFile\HookDeviceIoControlFile\HookDeviceIoControlFile\ioctlfuzzer.log' created
[17792] PipeServerThread(): Listening on pipe '\\.\pipe\IOCTLfuzzer'
[17792] [+] Changing console screen buffer height from 300 to 4096 lines

165
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/ioctlfuzzer.rc Normal file
View File

@ -0,0 +1,165 @@
// Microsoft Visual C++ generated resource script.
//
#include "resource.h"
#define APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 2 resource.
//
#include "afxres.h"
/////////////////////////////////////////////////////////////////////////////
#undef APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
// Russian resources
#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_RUS)
#ifdef _WIN32
LANGUAGE LANG_RUSSIAN, SUBLANG_DEFAULT
#pragma code_page(1251)
#endif //_WIN32
#ifdef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// TEXTINCLUDE
//
1 TEXTINCLUDE
BEGIN
"resource.h\0"
END
2 TEXTINCLUDE
BEGIN
"#include ""afxres.h""\r\0"
END
3 TEXTINCLUDE
BEGIN
"\r\0"
END
#endif // APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// RT_MANIFEST
//
1 RT_MANIFEST "default.manifest"
/////////////////////////////////////////////////////////////////////////////
//
// Dialog
//
IDD_DIALOG DIALOGEX 0, 0, 258, 159
STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | DS_CENTER | WS_POPUP | WS_CAPTION
CAPTION "IOCTL Fuzzer"
FONT 8, "MS Shell Dlg", 400, 0, 0x1
BEGIN
LTEXT "IOCTL Fuzzer control pannel",IDC_STATIC,55,24,92,8
ICON "IDI_ICON",IDC_STATIC,21,17,21,20
PUSHBUTTON "Hide Dialog",IDC_HIDE,15,128,101,14
PUSHBUTTON "Terminate Application",IDC_TERMINATE,127,128,113,14
GROUPBOX "",IDC_STATIC,7,0,238,152
CONTROL "Enable IOCTL Requests Monitoring",IDC_LOG_CONSOLE,
"Button",BS_AUTOCHECKBOX | WS_TABSTOP,26,65,127,10
CONTROL "Print Logs Into the Debugger Output",IDC_LOG_DEBUGGER,
"Button",BS_AUTOCHECKBOX | WS_TABSTOP,26,99,133,10
GROUPBOX "Logging Options",IDC_STATIC,15,48,221,68
CONTROL "Dump IOCTL Request Buffers (Max. Length: 0x1000)",IDC_LOG_BUFFERS,
"Button",BS_AUTOCHECKBOX | WS_TABSTOP,26,82,186,10
END
/////////////////////////////////////////////////////////////////////////////
//
// Icon
//
// Icon with lowest ID value placed first to ensure application icon
// remains consistent on all systems.
IDI_ICON ICON "resources\\icon.ico"
/////////////////////////////////////////////////////////////////////////////
//
// Version
//
VS_VERSION_INFO VERSIONINFO
FILEVERSION 1,3,0,0
PRODUCTVERSION 1,3,0,0
FILEFLAGSMASK 0x17L
#ifdef _DEBUG
FILEFLAGS 0x1L
#else
FILEFLAGS 0x0L
#endif
FILEOS 0x4L
FILETYPE 0x1L
FILESUBTYPE 0x0L
BEGIN
BLOCK "StringFileInfo"
BEGIN
BLOCK "000004b0"
BEGIN
VALUE "CompanyName", "Esage Lab"
VALUE "FileDescription", "IOCTL fuzzer for kernel drivers"
VALUE "FileVersion", "1, 3, 0, 0"
VALUE "InternalName", "ioctlfuzzer.exe"
VALUE "LegalCopyright", "Copyright (C) 2011"
VALUE "OriginalFilename", "ioctlfuzzer.exe"
VALUE "ProductName", "IOCTLFuzzer"
VALUE "ProductVersion", "1, 3, 0, 0"
END
END
BLOCK "VarFileInfo"
BEGIN
VALUE "Translation", 0x0, 1200
END
END
/////////////////////////////////////////////////////////////////////////////
//
// BINRES
//
DRIVER32 BINRES "..\\driver_i386.sys"
DRIVER64 BINRES "..\\driver_amd64.sys"
/////////////////////////////////////////////////////////////////////////////
//
// DESIGNINFO
//
#ifdef APSTUDIO_INVOKED
GUIDELINES DESIGNINFO
BEGIN
IDD_DIALOG, DIALOG
BEGIN
RIGHTMARGIN, 252
BOTTOMMARGIN, 152
END
END
#endif // APSTUDIO_INVOKED
#endif // Russian resources
/////////////////////////////////////////////////////////////////////////////
#ifndef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 3 resource.
//
/////////////////////////////////////////////////////////////////////////////
#endif // not APSTUDIO_INVOKED

BIN
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/lib/amd64/comsupp.lib Normal file
View File

Binary file not shown.

BIN
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/lib/comsupp.lib Normal file
View File

Binary file not shown.

73
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/ntdll_defs.h Normal file
View File

@ -0,0 +1,73 @@
typedef LONG NTSTATUS;
typedef struct _IO_STATUS_BLOCK
{
union {
NTSTATUS Status;
PVOID Pointer;
};
ULONG_PTR Information;
} IO_STATUS_BLOCK,
*PIO_STATUS_BLOCK;
#undef UNICODE_STRING
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING,
*PUNICODE_STRING;
#define OBJ_INHERIT 0x00000002
#define OBJ_PERMANENT 0x00000010
#define OBJ_EXCLUSIVE 0x00000020
#define OBJ_CASE_INSENSITIVE 0x00000040
#define OBJ_OPENIF 0x00000080
#define OBJ_OPENLINK 0x00000100
#define OBJ_VALID_ATTRIBUTES 0x000001F2
typedef struct _OBJECT_ATTRIBUTES
{
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES,
*POBJECT_ATTRIBUTES;
#define InitializeObjectAttributes( p, n, a, r, s ) { \
(p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
(p)->RootDirectory = r; \
(p)->Attributes = a; \
(p)->ObjectName = n; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = NULL; \
}
#define NT_SUCCESS(Status) ((LONG)(Status) >= 0)
#define NT_ERROR(Status) ((ULONG)(Status) >> 30 == 3)
#define NtCurrentProcess() ((HANDLE)-1)
#ifndef STATUS_BUFFER_OVERFLOW
#define STATUS_BUFFER_OVERFLOW ((NTSTATUS)0x80000005L)
#endif
#ifndef STATUS_NO_MORE_FILES
#define STATUS_NO_MORE_FILES ((NTSTATUS)0x80000006L)
#endif
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#endif
#ifndef STATUS_BUFFER_TOO_SMALL
#define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023L)
#endif

44
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/options.h Normal file
View File

@ -0,0 +1,44 @@
/**
* Program information, copyright, etc.
*/
#define PROGRAM_NAME "IOCTL Fuzzer"
#define PROGRAM_AUTHOR "by Oleksiuk Dmytro (aka Cr4sh) :: dmitry@esagelab.com"
#define PROGRAM_COPYRIGHT "(c) 2011 Esage Lab :: http://www.esagelab.com/"
/**
* Log file name to store all IOCTLs requests information.
*/
#define IOCTLS_LOG_NAME L"ioctls.log"
/**
* Main application log file name.
*/
#define IOCTLFUZZER_LOG_FILE "ioctlfuzzer.log"
/**
* File and service name for the kernel driver.
*/
#define DRIVER_SERVICE_NAME "IOCTL_fuzzer"
#define DRIVER_FILE_NAME "IOCTL_fuzzer.sys"
/**
* Directory name to store downloaded debug symbols.
*/
#define SYMBOLS_DIR_NAME "Symbols"
/**
* Default value for fuzzing type option.
*/
#define DEFAULT_FUZZING_TYPE FuzzingType_Random
/**
* IOCTL buffer length limit for dumping into the
* application log or debugger output.
*/
#define MAX_IOCTL_BUFFER_LEGTH 0x100
/**
* Maximum number of lines in console window.
*/
#define CONSOLE_BUFFER_HEIGHT 0x1000

501
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/resource.h Normal file
View File

@ -0,0 +1,501 @@
//{{NO_DEPENDENCIES}}
// Microsoft Visual C++ generated include file.
// Used by ioctlfuzzer.rc
//
#define ID_SEPARATOR 0
#define VS_VERSION_INFO 1
#define AFX_IDC_LISTBOX 100
#define AFX_IDC_CHANGE 101
#define IDD_DIALOG 101
#define AFX_IDC_BROWSER 102
#define AFX_IDC_PRINT_DOCNAME 201
#define AFX_IDC_PRINT_PRINTERNAME 202
#define AFX_IDC_PRINT_PORTNAME 203
#define AFX_IDC_PRINT_PAGENUM 204
#define ID_MFCLOC_MANIFEST 1000
#define AFX_IDC_FONTPROP 1000
#define IDC_HIDE 1000
#define AFX_IDC_FONTNAMES 1001
#define IDC_TERMINATE 1001
#define AFX_IDC_FONTSTYLES 1002
#define AFX_IDC_FONTSIZES 1003
#define AFX_IDC_STRIKEOUT 1004
#define AFX_IDC_UNDERLINE 1005
#define IDC_LOG_CONSOLE 1005
#define AFX_IDC_SAMPLEBOX 1006
#define IDC_FUZZ_SIZE2 1008
#define IDC_LOG_DEBUGGER 1008
#define IDC_LOG_BUFFERS 1009
#define IDC_CHECK2 1010
#define IDC_LOG_EXCEPTIONS 1010
#define AFX_IDC_COLOR_BLACK 1100
#define AFX_IDC_COLOR_WHITE 1101
#define AFX_IDC_COLOR_RED 1102
#define AFX_IDC_COLOR_GREEN 1103
#define AFX_IDC_COLOR_BLUE 1104
#define AFX_IDC_COLOR_YELLOW 1105
#define AFX_IDC_COLOR_MAGENTA 1106
#define AFX_IDC_COLOR_CYAN 1107
#define AFX_IDC_COLOR_GRAY 1108
#define AFX_IDC_COLOR_LIGHTGRAY 1109
#define AFX_IDC_COLOR_DARKRED 1110
#define AFX_IDC_COLOR_DARKGREEN 1111
#define AFX_IDC_COLOR_DARKBLUE 1112
#define AFX_IDC_COLOR_LIGHTBROWN 1113
#define AFX_IDC_COLOR_DARKMAGENTA 1114
#define AFX_IDC_COLOR_DARKCYAN 1115
#define AFX_IDC_COLORPROP 1116
#define AFX_IDC_SYSTEMCOLORS 1117
#define AFX_IDC_PROPNAME 1201
#define AFX_IDC_PICTURE 1202
#define AFX_IDC_BROWSE 1203
#define AFX_IDC_CLEAR 1204
#define AFX_IDC_TAB_CONTROL 0x3020
#define ID_APPLY_NOW 0x3021
#define ID_WIZBACK 0x3023
#define ID_WIZNEXT 0x3024
#define ID_WIZFINISH 0x3025
#define AFX_IDD_NEWTYPEDLG 30721
#define AFX_IDD_PRINTDLG 30722
#define AFX_IDD_PREVIEW_TOOLBAR 30723
#define AFX_IDD_INSERTOBJECT 30724
#define AFX_IDD_CHANGEICON 30725
#define AFX_IDD_CONVERT 30726
#define AFX_IDD_PASTESPECIAL 30727
#define AFX_IDD_EDITLINKS 30728
#define AFX_IDD_FILEBROWSE 30729
#define AFX_IDD_BUSY 30730
#define AFX_IDD_OBJECTPROPERTIES 30732
#define AFX_IDD_CHANGESOURCE 30733
#define AFX_IDD_EMPTYDIALOG 30734
#define AFX_IDC_CONTEXTHELP 30977
#define AFX_IDC_MAGNIFY 30978
#define AFX_IDC_SMALLARROWS 30979
#define AFX_IDC_HSPLITBAR 30980
#define AFX_IDC_VSPLITBAR 30981
#define AFX_IDC_NODROPCRSR 30982
#define AFX_IDC_TRACKNWSE 30983
#define AFX_IDC_TRACKNESW 30984
#define AFX_IDC_TRACKNS 30985
#define AFX_IDC_TRACKWE 30986
#define AFX_IDC_TRACK4WAY 30987
#define AFX_IDC_MOVE4WAY 30988
#define AFX_IDB_MINIFRAME_MENU 30994
#define AFX_IDB_CHECKLISTBOX_95 30996
#define AFX_IDR_PREVIEW_ACCEL 30997
#define AFX_IDC_MOUSE_PAN_NW 30998
#define AFX_IDC_MOUSE_PAN_N 30999
#define AFX_IDC_MOUSE_PAN_NE 31000
#define AFX_IDC_MOUSE_PAN_W 31001
#define AFX_IDC_MOUSE_PAN_HV 31002
#define AFX_IDC_MOUSE_PAN_E 31003
#define AFX_IDC_MOUSE_PAN_SW 31004
#define AFX_IDC_MOUSE_PAN_S 31005
#define AFX_IDC_MOUSE_PAN_SE 31006
#define AFX_IDC_MOUSE_PAN_HORZ 31007
#define AFX_IDC_MOUSE_PAN_VERT 31008
#define AFX_IDC_MOUSE_ORG_HORZ 31009
#define AFX_IDC_MOUSE_ORG_VERT 31010
#define AFX_IDC_MOUSE_ORG_HV 31011
#define AFX_IDC_MOUSE_MASK 31012
#define AFX_IDI_STD_MDIFRAME 31233
#define AFX_IDI_STD_FRAME 31234
#define AFX_IDD_PROPPAGE_COLOR 32257
#define AFX_IDD_PROPPAGE_FONT 32258
#define AFX_IDD_PROPPAGE_PICTURE 32259
#define AFX_IDB_TRUETYPE 32384
#define AFX_IDS_APP_TITLE 0xE000
#define AFX_IDS_IDLEMESSAGE 0xE001
#define AFX_IDS_HELPMODEMESSAGE 0xE002
#define AFX_IDS_APP_TITLE_EMBEDDING 0xE003
#define AFX_IDS_COMPANY_NAME 0xE004
#define AFX_IDS_OBJ_TITLE_INPLACE 0xE005
#define ID_FILE_NEW 0xE100
#define ID_FILE_OPEN 0xE101
#define ID_FILE_CLOSE 0xE102
#define ID_FILE_SAVE 0xE103
#define ID_FILE_SAVE_AS 0xE104
#define ID_FILE_PAGE_SETUP 0xE105
#define ID_FILE_PRINT_SETUP 0xE106
#define ID_FILE_PRINT 0xE107
#define ID_FILE_PRINT_DIRECT 0xE108
#define ID_FILE_PRINT_PREVIEW 0xE109
#define ID_FILE_UPDATE 0xE10A
#define ID_FILE_SAVE_COPY_AS 0xE10B
#define ID_FILE_SEND_MAIL 0xE10C
#define ID_FILE_NEW_FRAME 0xE10D
#define ID_FILE_MRU_FIRST 0xE110
#define ID_FILE_MRU_FILE1 0xE110
#define ID_FILE_MRU_FILE2 0xE111
#define ID_FILE_MRU_FILE3 0xE112
#define ID_FILE_MRU_FILE4 0xE113
#define ID_FILE_MRU_FILE5 0xE114
#define ID_FILE_MRU_FILE6 0xE115
#define ID_FILE_MRU_FILE7 0xE116
#define ID_FILE_MRU_FILE8 0xE117
#define ID_FILE_MRU_FILE9 0xE118
#define ID_FILE_MRU_FILE10 0xE119
#define ID_FILE_MRU_FILE11 0xE11A
#define ID_FILE_MRU_FILE12 0xE11B
#define ID_FILE_MRU_FILE13 0xE11C
#define ID_FILE_MRU_FILE14 0xE11D
#define ID_FILE_MRU_FILE15 0xE11E
#define ID_FILE_MRU_FILE16 0xE11F
#define ID_FILE_MRU_LAST 0xE11F
#define ID_EDIT_CLEAR 0xE120
#define ID_EDIT_CLEAR_ALL 0xE121
#define ID_EDIT_COPY 0xE122
#define ID_EDIT_CUT 0xE123
#define ID_EDIT_FIND 0xE124
#define ID_EDIT_PASTE 0xE125
#define ID_EDIT_PASTE_LINK 0xE126
#define ID_EDIT_PASTE_SPECIAL 0xE127
#define ID_EDIT_REPEAT 0xE128
#define ID_EDIT_REPLACE 0xE129
#define ID_EDIT_SELECT_ALL 0xE12A
#define ID_EDIT_UNDO 0xE12B
#define ID_EDIT_REDO 0xE12C
#define ID_WINDOW_NEW 0xE130
#define ID_WINDOW_ARRANGE 0xE131
#define ID_WINDOW_CASCADE 0xE132
#define ID_WINDOW_TILE_HORZ 0xE133
#define ID_WINDOW_TILE_VERT 0xE134
#define ID_WINDOW_SPLIT 0xE135
#define ID_APP_ABOUT 0xE140
#define ID_APP_EXIT 0xE141
#define ID_HELP_INDEX 0xE142
#define ID_HELP_FINDER 0xE143
#define ID_HELP_USING 0xE144
#define ID_CONTEXT_HELP 0xE145
#define ID_HELP 0xE146
#define ID_DEFAULT_HELP 0xE147
#define ID_NEXT_PANE 0xE150
#define ID_PREV_PANE 0xE151
#define ID_FORMAT_FONT 0xE160
#define ID_OLE_INSERT_NEW 0xE200
#define ID_OLE_EDIT_LINKS 0xE201
#define ID_OLE_EDIT_CONVERT 0xE202
#define ID_OLE_EDIT_CHANGE_ICON 0xE203
#define ID_OLE_EDIT_PROPERTIES 0xE204
#define ID_OLE_VERB_FIRST 0xE210
#define AFX_ID_PREVIEW_CLOSE 0xE300
#define AFX_ID_PREVIEW_NUMPAGE 0xE301
#define AFX_ID_PREVIEW_NEXT 0xE302
#define AFX_ID_PREVIEW_PREV 0xE303
#define AFX_ID_PREVIEW_PRINT 0xE304
#define AFX_ID_PREVIEW_ZOOMIN 0xE305
#define AFX_ID_PREVIEW_ZOOMOUT 0xE306
#define ID_INDICATOR_EXT 0xE700
#define ID_INDICATOR_CAPS 0xE701
#define ID_INDICATOR_NUM 0xE702
#define ID_INDICATOR_SCRL 0xE703
#define ID_INDICATOR_OVR 0xE704
#define ID_INDICATOR_REC 0xE705
#define ID_INDICATOR_KANA 0xE706
#define ID_VIEW_TOOLBAR 0xE800
#define ID_VIEW_STATUS_BAR 0xE801
#define ID_VIEW_REBAR 0xE804
#define ID_VIEW_AUTOARRANGE 0xE805
#define ID_VIEW_SMALLICON 0xE810
#define ID_VIEW_LARGEICON 0xE811
#define ID_VIEW_LIST 0xE812
#define ID_VIEW_DETAILS 0xE813
#define ID_VIEW_LINEUP 0xE814
#define ID_VIEW_BYNAME 0xE815
#define ID_RECORD_FIRST 0xE900
#define ID_RECORD_LAST 0xE901
#define ID_RECORD_NEXT 0xE902
#define ID_RECORD_PREV 0xE903
#define AFX_IDS_SCSIZE 0xEF00
#define AFX_IDS_SCMOVE 0xEF01
#define AFX_IDS_SCMINIMIZE 0xEF02
#define AFX_IDS_SCMAXIMIZE 0xEF03
#define AFX_IDS_SCNEXTWINDOW 0xEF04
#define AFX_IDS_SCPREVWINDOW 0xEF05
#define AFX_IDS_SCCLOSE 0xEF06
#define AFX_IDS_SCRESTORE 0xEF12
#define AFX_IDS_SCTASKLIST 0xEF13
#define AFX_IDS_MDICHILD 0xEF1F
#define AFX_IDS_DESKACCESSORY 0xEFDA
#define AFX_IDS_OPENFILE 0xF000
#define AFX_IDS_SAVEFILE 0xF001
#define AFX_IDS_ALLFILTER 0xF002
#define AFX_IDS_UNTITLED 0xF003
#define AFX_IDS_SAVEFILECOPY 0xF004
#define AFX_IDS_PREVIEW_CLOSE 0xF005
#define AFX_IDS_UNNAMED_FILE 0xF006
#define AFX_IDS_HIDE 0xF011
#define AFX_IDP_NO_ERROR_AVAILABLE 0xF020
#define AFX_IDS_NOT_SUPPORTED_EXCEPTION 0xF021
#define AFX_IDS_RESOURCE_EXCEPTION 0xF022
#define AFX_IDS_MEMORY_EXCEPTION 0xF023
#define AFX_IDS_USER_EXCEPTION 0xF024
#define AFX_IDS_INVALID_ARG_EXCEPTION 0xF025
#define AFX_IDS_PRINTONPORT 0xF040
#define AFX_IDS_ONEPAGE 0xF041
#define AFX_IDS_TWOPAGE 0xF042
#define AFX_IDS_PRINTPAGENUM 0xF043
#define AFX_IDS_PREVIEWPAGEDESC 0xF044
#define AFX_IDS_PRINTDEFAULTEXT 0xF045
#define AFX_IDS_PRINTDEFAULT 0xF046
#define AFX_IDS_PRINTFILTER 0xF047
#define AFX_IDS_PRINTCAPTION 0xF048
#define AFX_IDS_PRINTTOFILE 0xF049
#define AFX_IDS_OBJECT_MENUITEM 0xF080
#define AFX_IDS_EDIT_VERB 0xF081
#define AFX_IDS_ACTIVATE_VERB 0xF082
#define AFX_IDS_CHANGE_LINK 0xF083
#define AFX_IDS_AUTO 0xF084
#define AFX_IDS_MANUAL 0xF085
#define AFX_IDS_FROZEN 0xF086
#define AFX_IDS_ALL_FILES 0xF087
#define AFX_IDS_SAVE_MENU 0xF088
#define AFX_IDS_UPDATE_MENU 0xF089
#define AFX_IDS_SAVE_AS_MENU 0xF08A
#define AFX_IDS_SAVE_COPY_AS_MENU 0xF08B
#define AFX_IDS_EXIT_MENU 0xF08C
#define AFX_IDS_UPDATING_ITEMS 0xF08D
#define AFX_IDS_METAFILE_FORMAT 0xF08E
#define AFX_IDS_DIB_FORMAT 0xF08F
#define AFX_IDS_BITMAP_FORMAT 0xF090
#define AFX_IDS_LINKSOURCE_FORMAT 0xF091
#define AFX_IDS_EMBED_FORMAT 0xF092
#define AFX_IDS_PASTELINKEDTYPE 0xF094
#define AFX_IDS_UNKNOWNTYPE 0xF095
#define AFX_IDS_RTF_FORMAT 0xF096
#define AFX_IDS_TEXT_FORMAT 0xF097
#define AFX_IDS_INVALID_CURRENCY 0xF098
#define AFX_IDS_INVALID_DATETIME 0xF099
#define AFX_IDS_INVALID_DATETIMESPAN 0xF09A
#define AFX_IDP_INVALID_FILENAME 0xF100
#define AFX_IDP_FAILED_TO_OPEN_DOC 0xF101
#define AFX_IDP_FAILED_TO_SAVE_DOC 0xF102
#define AFX_IDP_ASK_TO_SAVE 0xF103
#define AFX_IDP_FAILED_TO_CREATE_DOC 0xF104
#define AFX_IDP_FILE_TOO_LARGE 0xF105
#define AFX_IDP_FAILED_TO_START_PRINT 0xF106
#define AFX_IDP_FAILED_TO_LAUNCH_HELP 0xF107
#define AFX_IDP_INTERNAL_FAILURE 0xF108
#define AFX_IDP_COMMAND_FAILURE 0xF109
#define AFX_IDP_FAILED_MEMORY_ALLOC 0xF10A
#define AFX_IDP_UNREG_DONE 0xF10B
#define AFX_IDP_UNREG_FAILURE 0xF10C
#define AFX_IDP_DLL_LOAD_FAILED 0xF10D
#define AFX_IDP_DLL_BAD_VERSION 0xF10E
#define AFX_IDP_PARSE_INT 0xF110
#define AFX_IDP_PARSE_REAL 0xF111
#define AFX_IDP_PARSE_INT_RANGE 0xF112
#define AFX_IDP_PARSE_REAL_RANGE 0xF113
#define AFX_IDP_PARSE_STRING_SIZE 0xF114
#define AFX_IDP_PARSE_RADIO_BUTTON 0xF115
#define AFX_IDP_PARSE_BYTE 0xF116
#define AFX_IDP_PARSE_UINT 0xF117
#define AFX_IDP_PARSE_DATETIME 0xF118
#define AFX_IDP_PARSE_CURRENCY 0xF119
#define AFX_IDP_PARSE_GUID 0xF11A
#define AFX_IDP_PARSE_TIME 0xF11B
#define AFX_IDP_PARSE_DATE 0xF11C
#define AFX_IDP_FAILED_INVALID_FORMAT 0xF120
#define AFX_IDP_FAILED_INVALID_PATH 0xF121
#define AFX_IDP_FAILED_DISK_FULL 0xF122
#define AFX_IDP_FAILED_ACCESS_READ 0xF123
#define AFX_IDP_FAILED_ACCESS_WRITE 0xF124
#define AFX_IDP_FAILED_IO_ERROR_READ 0xF125
#define AFX_IDP_FAILED_IO_ERROR_WRITE 0xF126
#define AFX_IDP_SCRIPT_ERROR 0xF130
#define AFX_IDP_SCRIPT_DISPATCH_EXCEPTION 0xF131
#define AFX_IDP_STATIC_OBJECT 0xF180
#define AFX_IDP_FAILED_TO_CONNECT 0xF181
#define AFX_IDP_SERVER_BUSY 0xF182
#define AFX_IDP_BAD_VERB 0xF183
#define AFX_IDS_NOT_DOCOBJECT 0xF184
#define AFX_IDP_FAILED_TO_NOTIFY 0xF185
#define AFX_IDP_FAILED_TO_LAUNCH 0xF186
#define AFX_IDP_ASK_TO_UPDATE 0xF187
#define AFX_IDP_FAILED_TO_UPDATE 0xF188
#define AFX_IDP_FAILED_TO_REGISTER 0xF189
#define AFX_IDP_FAILED_TO_AUTO_REGISTER 0xF18A
#define AFX_IDP_FAILED_TO_CONVERT 0xF18B
#define AFX_IDP_GET_NOT_SUPPORTED 0xF18C
#define AFX_IDP_SET_NOT_SUPPORTED 0xF18D
#define AFX_IDP_ASK_TO_DISCARD 0xF18E
#define AFX_IDP_FAILED_TO_CREATE 0xF18F
#define AFX_IDP_FAILED_MAPI_LOAD 0xF190
#define AFX_IDP_INVALID_MAPI_DLL 0xF191
#define AFX_IDP_FAILED_MAPI_SEND 0xF192
#define AFX_IDP_FILE_NONE 0xF1A0
#define AFX_IDP_FILE_GENERIC 0xF1A1
#define AFX_IDP_FILE_NOT_FOUND 0xF1A2
#define AFX_IDP_FILE_BAD_PATH 0xF1A3
#define AFX_IDP_FILE_TOO_MANY_OPEN 0xF1A4
#define AFX_IDP_FILE_ACCESS_DENIED 0xF1A5
#define AFX_IDP_FILE_INVALID_FILE 0xF1A6
#define AFX_IDP_FILE_REMOVE_CURRENT 0xF1A7
#define AFX_IDP_FILE_DIR_FULL 0xF1A8
#define AFX_IDP_FILE_BAD_SEEK 0xF1A9
#define AFX_IDP_FILE_HARD_IO 0xF1AA
#define AFX_IDP_FILE_SHARING 0xF1AB
#define AFX_IDP_FILE_LOCKING 0xF1AC
#define AFX_IDP_FILE_DISKFULL 0xF1AD
#define AFX_IDP_FILE_EOF 0xF1AE
#define AFX_IDP_ARCH_NONE 0xF1B0
#define AFX_IDP_ARCH_GENERIC 0xF1B1
#define AFX_IDP_ARCH_READONLY 0xF1B2
#define AFX_IDP_ARCH_ENDOFFILE 0xF1B3
#define AFX_IDP_ARCH_WRITEONLY 0xF1B4
#define AFX_IDP_ARCH_BADINDEX 0xF1B5
#define AFX_IDP_ARCH_BADCLASS 0xF1B6
#define AFX_IDP_ARCH_BADSCHEMA 0xF1B7
#define AFX_IDS_OCC_SCALEUNITS_PIXELS 0xF1C0
#define AFX_IDS_STATUS_FONT 0xF230
#define AFX_IDS_TOOLTIP_FONT 0xF231
#define AFX_IDS_UNICODE_FONT 0xF232
#define AFX_IDS_MINI_FONT 0xF233
#define AFX_IDP_SQL_CONNECT_FAIL 0xF281
#define AFX_IDP_SQL_RECORDSET_FORWARD_ONLY 0xF282
#define AFX_IDP_SQL_EMPTY_COLUMN_LIST 0xF283
#define AFX_IDP_SQL_FIELD_SCHEMA_MISMATCH 0xF284
#define AFX_IDP_SQL_ILLEGAL_MODE 0xF285
#define AFX_IDP_SQL_MULTIPLE_ROWS_AFFECTED 0xF286
#define AFX_IDP_SQL_NO_CURRENT_RECORD 0xF287
#define AFX_IDP_SQL_NO_ROWS_AFFECTED 0xF288
#define AFX_IDP_SQL_RECORDSET_READONLY 0xF289
#define AFX_IDP_SQL_SQL_NO_TOTAL 0xF28A
#define AFX_IDP_SQL_ODBC_LOAD_FAILED 0xF28B
#define AFX_IDP_SQL_DYNASET_NOT_SUPPORTED 0xF28C
#define AFX_IDP_SQL_SNAPSHOT_NOT_SUPPORTED 0xF28D
#define AFX_IDP_SQL_API_CONFORMANCE 0xF28E
#define AFX_IDP_SQL_SQL_CONFORMANCE 0xF28F
#define AFX_IDP_SQL_NO_DATA_FOUND 0xF290
#define AFX_IDP_SQL_ROW_UPDATE_NOT_SUPPORTED 0xF291
#define AFX_IDP_SQL_ODBC_V2_REQUIRED 0xF292
#define AFX_IDP_SQL_NO_POSITIONED_UPDATES 0xF293
#define AFX_IDP_SQL_LOCK_MODE_NOT_SUPPORTED 0xF294
#define AFX_IDP_SQL_DATA_TRUNCATED 0xF295
#define AFX_IDP_SQL_ROW_FETCH 0xF296
#define AFX_IDP_SQL_INCORRECT_ODBC 0xF297
#define AFX_IDP_SQL_UPDATE_DELETE_FAILED 0xF298
#define AFX_IDP_SQL_DYNAMIC_CURSOR_NOT_SUPPORTED 0xF299
#define AFX_IDP_SQL_FIELD_NOT_FOUND 0xF29A
#define AFX_IDP_SQL_BOOKMARKS_NOT_SUPPORTED 0xF29B
#define AFX_IDP_SQL_BOOKMARKS_NOT_ENABLED 0xF29C
#define AFX_IDS_DELETED 0xF29D
#define AFX_IDP_DAO_ENGINE_INITIALIZATION 0xF2B0
#define AFX_IDP_DAO_DFX_BIND 0xF2B1
#define AFX_IDP_DAO_OBJECT_NOT_OPEN 0xF2B2
#define AFX_IDP_DAO_ROWTOOSHORT 0xF2B3
#define AFX_IDP_DAO_BADBINDINFO 0xF2B4
#define AFX_IDP_DAO_COLUMNUNAVAILABLE 0xF2B5
#define AFX_IDS_HTTP_TITLE 0xF2D1
#define AFX_IDS_HTTP_NO_TEXT 0xF2D2
#define AFX_IDS_HTTP_BAD_REQUEST 0xF2D3
#define AFX_IDS_HTTP_AUTH_REQUIRED 0xF2D4
#define AFX_IDS_HTTP_FORBIDDEN 0xF2D5
#define AFX_IDS_HTTP_NOT_FOUND 0xF2D6
#define AFX_IDS_HTTP_SERVER_ERROR 0xF2D7
#define AFX_IDS_HTTP_NOT_IMPLEMENTED 0xF2D8
#define AFX_IDS_CHECKLISTBOX_UNCHECK 0xF2E1
#define AFX_IDS_CHECKLISTBOX_CHECK 0xF2E2
#define AFX_IDS_CHECKLISTBOX_MIXED 0xF2E3
#define AFX_IDS_PROPPAGE_UNKNOWN 0xFE01
#define AFX_IDS_COLOR_DESKTOP 0xFE04
#define AFX_IDS_COLOR_APPWORKSPACE 0xFE05
#define AFX_IDS_COLOR_WNDBACKGND 0xFE06
#define AFX_IDS_COLOR_WNDTEXT 0xFE07
#define AFX_IDS_COLOR_MENUBAR 0xFE08
#define AFX_IDS_COLOR_MENUTEXT 0xFE09
#define AFX_IDS_COLOR_ACTIVEBAR 0xFE0A
#define AFX_IDS_COLOR_INACTIVEBAR 0xFE0B
#define AFX_IDS_COLOR_ACTIVETEXT 0xFE0C
#define AFX_IDS_COLOR_INACTIVETEXT 0xFE0D
#define AFX_IDS_COLOR_ACTIVEBORDER 0xFE0E
#define AFX_IDS_COLOR_INACTIVEBORDER 0xFE0F
#define AFX_IDS_COLOR_WNDFRAME 0xFE10
#define AFX_IDS_COLOR_SCROLLBARS 0xFE11
#define AFX_IDS_COLOR_BTNFACE 0xFE12
#define AFX_IDS_COLOR_BTNSHADOW 0xFE13
#define AFX_IDS_COLOR_BTNTEXT 0xFE14
#define AFX_IDS_COLOR_BTNHIGHLIGHT 0xFE15
#define AFX_IDS_COLOR_DISABLEDTEXT 0xFE16
#define AFX_IDS_COLOR_HIGHLIGHT 0xFE17
#define AFX_IDS_COLOR_HIGHLIGHTTEXT 0xFE18
#define AFX_IDS_REGULAR 0xFE19
#define AFX_IDS_BOLD 0xFE1A
#define AFX_IDS_ITALIC 0xFE1B
#define AFX_IDS_BOLDITALIC 0xFE1C
#define AFX_IDS_SAMPLETEXT 0xFE1D
#define AFX_IDS_DISPLAYSTRING_FONT 0xFE1E
#define AFX_IDS_DISPLAYSTRING_COLOR 0xFE1F
#define AFX_IDS_DISPLAYSTRING_PICTURE 0xFE20
#define AFX_IDS_PICTUREFILTER 0xFE21
#define AFX_IDS_PICTYPE_UNKNOWN 0xFE22
#define AFX_IDS_PICTYPE_NONE 0xFE23
#define AFX_IDS_PICTYPE_BITMAP 0xFE24
#define AFX_IDS_PICTYPE_METAFILE 0xFE25
#define AFX_IDS_PICTYPE_ICON 0xFE26
#define AFX_IDS_COLOR_PPG 0xFE28
#define AFX_IDS_COLOR_PPG_CAPTION 0xFE29
#define AFX_IDS_FONT_PPG 0xFE2A
#define AFX_IDS_FONT_PPG_CAPTION 0xFE2B
#define AFX_IDS_PICTURE_PPG 0xFE2C
#define AFX_IDS_PICTURE_PPG_CAPTION 0xFE2D
#define AFX_IDS_PICTUREBROWSETITLE 0xFE30
#define AFX_IDS_BORDERSTYLE_0 0xFE31
#define AFX_IDS_BORDERSTYLE_1 0xFE32
#define AFX_IDS_VERB_EDIT 0xFE40
#define AFX_IDS_VERB_PROPERTIES 0xFE41
#define AFX_IDP_PICTURECANTOPEN 0xFE83
#define AFX_IDP_PICTURECANTLOAD 0xFE84
#define AFX_IDP_PICTURETOOLARGE 0xFE85
#define AFX_IDP_PICTUREREADFAILED 0xFE86
#define AFX_IDP_E_ILLEGALFUNCTIONCALL 0xFEA0
#define AFX_IDP_E_OVERFLOW 0xFEA1
#define AFX_IDP_E_OUTOFMEMORY 0xFEA2
#define AFX_IDP_E_DIVISIONBYZERO 0xFEA3
#define AFX_IDP_E_OUTOFSTRINGSPACE 0xFEA4
#define AFX_IDP_E_OUTOFSTACKSPACE 0xFEA5
#define AFX_IDP_E_BADFILENAMEORNUMBER 0xFEA6
#define AFX_IDP_E_FILENOTFOUND 0xFEA7
#define AFX_IDP_E_BADFILEMODE 0xFEA8
#define AFX_IDP_E_FILEALREADYOPEN 0xFEA9
#define AFX_IDP_E_DEVICEIOERROR 0xFEAA
#define AFX_IDP_E_FILEALREADYEXISTS 0xFEAB
#define AFX_IDP_E_BADRECORDLENGTH 0xFEAC
#define AFX_IDP_E_DISKFULL 0xFEAD
#define AFX_IDP_E_BADRECORDNUMBER 0xFEAE
#define AFX_IDP_E_BADFILENAME 0xFEAF
#define AFX_IDP_E_TOOMANYFILES 0xFEB0
#define AFX_IDP_E_DEVICEUNAVAILABLE 0xFEB1
#define AFX_IDP_E_PERMISSIONDENIED 0xFEB2
#define AFX_IDP_E_DISKNOTREADY 0xFEB3
#define AFX_IDP_E_PATHFILEACCESSERROR 0xFEB4
#define AFX_IDP_E_PATHNOTFOUND 0xFEB5
#define AFX_IDP_E_INVALIDPATTERNSTRING 0xFEB6
#define AFX_IDP_E_INVALIDUSEOFNULL 0xFEB7
#define AFX_IDP_E_INVALIDFILEFORMAT 0xFEB8
#define AFX_IDP_E_INVALIDPROPERTYVALUE 0xFEB9
#define AFX_IDP_E_INVALIDPROPERTYARRAYINDEX 0xFEBA
#define AFX_IDP_E_SETNOTSUPPORTEDATRUNTIME 0xFEBB
#define AFX_IDP_E_SETNOTSUPPORTED 0xFEBC
#define AFX_IDP_E_NEEDPROPERTYARRAYINDEX 0xFEBD
#define AFX_IDP_E_SETNOTPERMITTED 0xFEBE
#define AFX_IDP_E_GETNOTSUPPORTEDATRUNTIME 0xFEBF
#define AFX_IDP_E_GETNOTSUPPORTED 0xFEC0
#define AFX_IDP_E_PROPERTYNOTFOUND 0xFEC1
#define AFX_IDP_E_INVALIDCLIPBOARDFORMAT 0xFEC2
#define AFX_IDP_E_INVALIDPICTURE 0xFEC3
#define AFX_IDP_E_PRINTERERROR 0xFEC4
#define AFX_IDP_E_CANTSAVEFILETOTEMP 0xFEC5
#define AFX_IDP_E_SEARCHTEXTNOTFOUND 0xFEC6
#define AFX_IDP_E_REPLACEMENTSTOOLONG 0xFEC7
// Next default values for new objects
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 102
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1011
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif

BIN
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/resources/icon.ico Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 97 KiB

BIN
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/resources/icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB

368
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/service.cpp Normal file
View File

@ -0,0 +1,368 @@
#include "stdafx.h"
// defined if ioctlfuzzer.cpp
extern HANDLE hDevice;
//--------------------------------------------------------------------------------------
BOOL DrvOpenDevice(PWSTR DriverName, HANDLE *lphDevice)
{
WCHAR DeviceName[MAX_PATH];
HANDLE hDevice = NULL;
if ((GetVersion() & 0xFF) >= 5)
{
wcscpy(DeviceName, L"\\\\.\\Global\\");
}
else
{
wcscpy(DeviceName, L"\\\\.\\");
}
wcscat(DeviceName, DriverName);
DbgMsg(__FILE__, __LINE__, "Opening '%ws'...\n", DeviceName);
hDevice = CreateFileW(
DeviceName,
GENERIC_READ | GENERIC_WRITE,
0, NULL,
OPEN_EXISTING,
0, NULL
);
if (hDevice == INVALID_HANDLE_VALUE)
{
DbgMsg(__FILE__, __LINE__, "CreateFile() ERROR %d\n", GetLastError());
return FALSE;
}
*lphDevice = hDevice;
return TRUE;
}
//--------------------------------------------------------------------------------------
BOOL DrvDeviceRequest(PREQUEST_BUFFER Request, DWORD dwRequestSize)
{
BOOL bRet = FALSE;
if (hDevice == NULL)
{
DbgMsg(__FILE__, __LINE__, __FUNCTION__ "() ERROR: Invalid device handle\n");
return FALSE;
}
PREQUEST_BUFFER Response = (PREQUEST_BUFFER)M_ALLOC(dwRequestSize);
if (Response)
{
DWORD dwBytes = 0;
ZeroMemory(Response, dwRequestSize);
// send request to driver
if (DeviceIoControl(
hDevice,
IOCTL_DRV_CONTROL,
Request,
dwRequestSize,
Response,
dwRequestSize,
&dwBytes, NULL))
{
#ifdef DBG_IO
DbgMsg(
__FILE__, __LINE__,
__FUNCTION__ "() %d bytes returned; status 0x%.8x\n",
dwBytes, Response->Status
);
#endif
memcpy(Request, Response, dwRequestSize);
bRet = TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "DeviceIoControl() ERROR %d\n", GetLastError());
}
M_FREE(Response);
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() ERROR %d\n", GetLastError());
}
return bRet;
}
//--------------------------------------------------------------------------------------
BOOL DrvServiceStart(char *lpszServiceName, char *lpszPath, PBOOL bAllreadyStarted)
{
BOOL bRet = FALSE;
SC_HANDLE hScm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (hScm)
{
DbgMsg(__FILE__, __LINE__, "Creating service...\n");
// create service for kernel-mod driver
SC_HANDLE hService = CreateService(
hScm,
lpszServiceName,
lpszServiceName,
SERVICE_START | DELETE | SERVICE_STOP,
SERVICE_KERNEL_DRIVER,
SERVICE_DEMAND_START,
SERVICE_ERROR_IGNORE,
lpszPath,
NULL, NULL, NULL, NULL, NULL
);
if (hService == NULL)
{
if (GetLastError() == ERROR_SERVICE_EXISTS)
{
// open existing service
if (hService = OpenService(hScm, lpszServiceName, SERVICE_START | DELETE | SERVICE_STOP))
{
DbgMsg(__FILE__, __LINE__, "Allready exists\n");
}
else
{
DbgMsg(__FILE__, __LINE__, "OpenService() ERROR %d\n", GetLastError());
}
}
else
{
DbgMsg(__FILE__, __LINE__, "CreateService() ERROR %d\n", GetLastError());
}
}
else
{
DbgMsg(__FILE__, __LINE__, "OK\n");
}
if (hService)
{
DbgMsg(__FILE__, __LINE__, "Starting service...\n");
// start service
if (StartService(hService, 0, NULL))
{
DbgMsg(__FILE__, __LINE__, "OK\n");
bRet = TRUE;
}
else
{
if (GetLastError() == ERROR_SERVICE_ALREADY_RUNNING)
{
// service is allready started
DbgMsg(__FILE__, __LINE__, "Allready running\n");
if (bAllreadyStarted)
{
*bAllreadyStarted = TRUE;
}
bRet = TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "StartService() ERROR %d\n", GetLastError());
}
}
CloseServiceHandle(hService);
}
CloseServiceHandle(hScm);
}
else
{
DbgMsg(__FILE__, __LINE__, "OpenSCManager() ERROR %d\n", GetLastError());
}
return bRet;
}
//--------------------------------------------------------------------------------------
BOOL DrvServiceStop(char *lpszServiceName)
{
BOOL bRet = FALSE;
SC_HANDLE hScm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (hScm)
{
DbgMsg(__FILE__, __LINE__, "Opening service...\n");
// open existing service
SC_HANDLE hService = OpenService(hScm, lpszServiceName, SERVICE_ALL_ACCESS);
if (hService)
{
SERVICE_STATUS Status;
DbgMsg(__FILE__, __LINE__, "OK\n");
DbgMsg(__FILE__, __LINE__, "Stopping service...\n");
// stop service
if (ControlService(hService, SERVICE_CONTROL_STOP, &Status))
{
DbgMsg(__FILE__, __LINE__, "OK\n");
bRet = TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "ControlService() ERROR %d\n", GetLastError());
}
CloseServiceHandle(hService);
}
else
{
DbgMsg(__FILE__, __LINE__, "OpenService() ERROR %d\n", GetLastError());
}
CloseServiceHandle(hScm);
}
else
{
DbgMsg(__FILE__, __LINE__, "OpenSCManager() ERROR %d\n", GetLastError());
}
return bRet;
}
//--------------------------------------------------------------------------------------
BOOL DrvServiceRemove(char *lpszServiceName)
{
BOOL bRet = FALSE;
SC_HANDLE hScm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (hScm)
{
DbgMsg(__FILE__, __LINE__, "Opening service...\n");
// open existing service
SC_HANDLE hService = OpenService(hScm, lpszServiceName, SERVICE_ALL_ACCESS);
if (hService)
{
SERVICE_STATUS Status;
DbgMsg(__FILE__, __LINE__, "OK\n");
DbgMsg(__FILE__, __LINE__, "Deleting service...\n");
// delete service
if (DeleteService(hService))
{
DbgMsg(__FILE__, __LINE__, "OK\n");
bRet = TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "DeleteService() ERROR %d\n", GetLastError());
}
CloseServiceHandle(hService);
}
else
{
DbgMsg(__FILE__, __LINE__, "OpenService() ERROR %d\n", GetLastError());
}
CloseServiceHandle(hScm);
}
else
{
DbgMsg(__FILE__, __LINE__, "OpenSCManager() ERROR %d\n", GetLastError());
}
return bRet;
}
//--------------------------------------------------------------------------------------
DWORD DrvServiceGetStartType(char *lpszServiceName)
{
DWORD dwRet = (DWORD)-1;
SC_HANDLE hScm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (hScm)
{
// open existing service
SC_HANDLE hService = OpenService(hScm, lpszServiceName, SERVICE_ALL_ACCESS);
if (hService)
{
DWORD dwBytesNeeded = 0;
char szBuff[0x1000];
ZeroMemory(&szBuff, sizeof(szBuff));
LPQUERY_SERVICE_CONFIG Config = (LPQUERY_SERVICE_CONFIG)&szBuff;
// query service configuration
if (QueryServiceConfig(hService, Config, sizeof(szBuff), &dwBytesNeeded))
{
dwRet = Config->dwStartType;
}
else
{
DbgMsg(__FILE__, __LINE__, "QueryServiceConfig() ERROR %d\n", GetLastError());
}
CloseServiceHandle(hService);
}
else
{
DbgMsg(__FILE__, __LINE__, "OpenService() ERROR %d\n", GetLastError());
}
CloseServiceHandle(hScm);
}
else
{
DbgMsg(__FILE__, __LINE__, "OpenSCManager() ERROR %d\n", GetLastError());
}
return dwRet;
}
//--------------------------------------------------------------------------------------
BOOL DrvServiceSetStartType(char *lpszServiceName, DWORD dwStartType)
{
BOOL bRet = FALSE;
SC_HANDLE hScm = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (hScm)
{
// open existing service
SC_HANDLE hService = OpenService(hScm, lpszServiceName, SERVICE_ALL_ACCESS);
if (hService)
{
// set new service configuration
bRet = ChangeServiceConfig(
hService,
SERVICE_NO_CHANGE,
dwStartType,
SERVICE_NO_CHANGE,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL
);
if (!bRet)
{
DbgMsg(__FILE__, __LINE__, "ChangeServiceConfig() ERROR %d\n", GetLastError());
}
CloseServiceHandle(hService);
}
else
{
DbgMsg(__FILE__, __LINE__, "OpenService() ERROR %d\n", GetLastError());
}
CloseServiceHandle(hScm);
}
else
{
DbgMsg(__FILE__, __LINE__, "OpenSCManager() ERROR %d\n", GetLastError());
}
return bRet;
}
//--------------------------------------------------------------------------------------
// EoF

7
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/service.h Normal file
View File

@ -0,0 +1,7 @@
BOOL DrvOpenDevice(PWSTR DriverName, HANDLE *lphDevice);
BOOL DrvDeviceRequest(PREQUEST_BUFFER Request, DWORD dwRequestSize);
BOOL DrvServiceStart(char *lpszServiceName, char *lpszPath, PBOOL bAllreadyStarted);
BOOL DrvServiceStop(char *lpszServiceName);
BOOL DrvServiceRemove(char *lpszServiceName);
DWORD DrvServiceGetStartType(char *lpszServiceName);
BOOL DrvServiceSetStartType(char *lpszServiceName, DWORD dwStartType);

34
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/stdafx.h Normal file
View File

@ -0,0 +1,34 @@
#define _WIN32_WINNT 0x0501
#include <stdio.h>
#include <tchar.h>
#include <conio.h>
#include <windows.h>
#include <commctrl.h>
#include <commdlg.h>
#include <Shlwapi.h>
#include <sddl.h>
#include <AclAPI.h>
#include <comutil.h>
#include "TlHelp32.h"
#include "dbgsdk/inc/dbghelp.h"
#include <string>
#include <vector>
#include <list>
#include <map>
#include "resource.h"
#include "ntdll_defs.h"
#include "undocnt.h"
#include "options.h"
#include "drvcomm.h"
#include "common.h"
#include "debug.h"
#include "service.h"
#include "xml.h"
#include "analyzer.h"
#include "symbols.h"

158
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/symbols.cpp Normal file
View File

@ -0,0 +1,158 @@
#include "stdafx.h"
//--------------------------------------------------------------------------------------
BOOL GetNormalizedSymbolName(char *lpszName, char *lpszNormalizedName, int NameLen)
{
int StrLen;
char *lpszStr = lpszName;
if (!strncmp(lpszName, "??", min(lstrlen(lpszName), 2)) ||
!strncmp(lpszName, "__imp__", min(lstrlen(lpszName), 7)))
{
if (NameLen > lstrlen(lpszName))
{
strcpy(lpszNormalizedName, lpszName);
return TRUE;
}
return FALSE;
}
if (*lpszStr == '_' || *lpszStr == '@')
{
lpszStr++;
}
for (StrLen = 0; StrLen < lstrlen(lpszStr); StrLen++)
{
if (lpszStr[StrLen] == '@')
{
break;
}
}
if (NameLen > StrLen)
{
strncpy(lpszNormalizedName, lpszStr, StrLen);
lpszNormalizedName[StrLen] = 0;
return TRUE;
}
return FALSE;
}
//--------------------------------------------------------------------------------------
typedef struct _ENUM_SYM_PARAM
{
ULONGLONG Address;
char *lpszName;
} ENUM_SYM_PARAM,
*PENUM_SYM_PARAM;
BOOL CALLBACK EnumSymbolsProc(
PSYMBOL_INFO pSymInfo,
ULONG SymbolSize,
PVOID UserContext)
{
PENUM_SYM_PARAM Param = (PENUM_SYM_PARAM)UserContext;
char szName[0x100];
if (GetNormalizedSymbolName(pSymInfo->Name, szName, sizeof(szName)))
{
if (!lstrcmp(szName, Param->lpszName))
{
Param->Address = (ULONGLONG)pSymInfo->Address;
return FALSE;
}
}
return TRUE;
}
//--------------------------------------------------------------------------------------
ULONGLONG GetSymbolByName(char *lpszModuleName, HMODULE hModule, char *lpszName)
{
ULONGLONG Ret = 0;
// try to load debug symbols for module
if (SymLoadModuleEx(GetCurrentProcess(), NULL, lpszModuleName, NULL, (DWORD64)hModule, 0, NULL, 0))
{
ENUM_SYM_PARAM Param;
Param.Address = NULL;
Param.lpszName = lpszName;
// get specified symbol address by name
if (!SymEnumSymbols(
GetCurrentProcess(),
(DWORD64)hModule,
NULL,
EnumSymbolsProc,
&Param))
{
DbgMsg(__FILE__, __LINE__, "SymEnumSymbols() ERROR %d\n", GetLastError());
}
if (Param.Address == NULL)
{
DbgMsg(__FILE__, __LINE__, __FUNCTION__"() ERROR: Can't locate symbol\n");
}
else
{
Ret = Param.Address;
}
// unload symbols
SymUnloadModule64(GetCurrentProcess(), (DWORD64)hModule);
}
else
{
DbgMsg(__FILE__, __LINE__, "SymLoadModuleEx() ERROR %d\n", GetLastError());
}
return Ret;
}
//--------------------------------------------------------------------------------------
DWORD GetKernelSymbolOffset(char *lpszSymbolName)
{
DWORD Ret = 0;
// get system modules information
PRTL_PROCESS_MODULES Info = (PRTL_PROCESS_MODULES)GetSysInf(SystemModuleInformation);
if (Info)
{
char *lpszKernelName = (char *)Info->Modules[0].FullPathName + Info->Modules[0].OffsetToFileName;
char szKernelPath[MAX_PATH];
// get full kernel image path
GetSystemDirectory(szKernelPath, MAX_PATH);
lstrcat(szKernelPath, "\\");
lstrcat(szKernelPath, lpszKernelName);
DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Using kernel binary '%s'\r\n", szKernelPath);
// load kernel module
HMODULE hModule = LoadLibraryEx(szKernelPath, NULL, DONT_RESOLVE_DLL_REFERENCES);
if (hModule)
{
// get symbol offset
LARGE_INTEGER Addr;
Addr.QuadPart = GetSymbolByName(szKernelPath, hModule, lpszSymbolName);
if (Addr.QuadPart > 0)
{
Addr.QuadPart -= (ULONGLONG)hModule;
Ret = Addr.LowPart;
}
FreeLibrary(hModule);
}
else
{
DbgMsg(__FILE__, __LINE__, "LoadLibraryEx() ERROR %d\r\n", GetLastError());
}
M_FREE(Info);
}
return Ret;
}
//--------------------------------------------------------------------------------------
// EoF

2
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/symbols.h Normal file
View File

@ -0,0 +1,2 @@
DWORD GetKernelSymbolOffset(char *lpszSymbolName);

291
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/undocnt.h Normal file
View File

@ -0,0 +1,291 @@
/************************************************************/
/* */
/* Some structures for native API functions */
/* */
/************************************************************/
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation,
SystemProcessorInformation, // obsolete...delete
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemPathInformation,
SystemProcessInformation,
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,
SystemModuleInformation,
SystemLocksInformation,
SystemStackTraceInformation,
SystemPagedPoolInformation,
SystemNonPagedPoolInformation,
SystemHandleInformation,
SystemObjectInformation,
SystemPageFileInformation,
SystemVdmInstemulInformation,
SystemVdmBopInformation,
SystemFileCacheInformation,
SystemPoolTagInformation,
SystemInterruptInformation,
SystemDpcBehaviorInformation,
SystemFullMemoryInformation,
SystemLoadGdiDriverInformation,
SystemUnloadGdiDriverInformation,
SystemTimeAdjustmentInformation,
SystemSummaryMemoryInformation,
SystemMirrorMemoryInformation,
SystemPerformanceTraceInformation,
SystemObsolete0,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemExtendServiceTableInformation,
SystemPrioritySeperation,
SystemVerifierAddDriverInformation,
SystemVerifierRemoveDriverInformation,
SystemProcessorIdleInformation,
SystemLegacyDriverInformation,
SystemCurrentTimeZoneInformation,
SystemLookasideInformation,
SystemTimeSlipNotification,
SystemSessionCreate,
SystemSessionDetach,
SystemSessionInformation,
SystemRangeStartInformation,
SystemVerifierInformation,
SystemVerifierThunkExtend,
SystemSessionProcessInformation,
SystemLoadGdiDriverInSystemSpace,
SystemNumaProcessorMap,
SystemPrefetcherInformation,
SystemExtendedProcessInformation,
SystemRecommendedSharedDataAlignment,
SystemComPlusPackage,
SystemNumaAvailableMemory,
SystemProcessorPowerInformation,
SystemEmulationBasicInformation,
SystemEmulationProcessorInformation,
SystemExtendedHandleInformation,
SystemLostDelayedWriteInformation,
SystemBigPoolInformation,
SystemSessionPoolTagInformation,
SystemSessionMappedViewInformation,
SystemHotpatchInformation,
SystemObjectSecurityMode,
SystemWatchdogTimerHandler,
SystemWatchdogTimerInformation,
SystemLogicalProcessorInformation,
SystemWow64SharedInformation,
SystemRegisterFirmwareTableInformationHandler,
SystemFirmwareTableInformation,
SystemModuleInformationEx,
SystemVerifierTriageInformation,
SystemSuperfetchInformation,
SystemMemoryListInformation,
SystemFileCacheInformationEx,
MaxSystemInfoClass // MaxSystemInfoClass should always be the last enum
} SYSTEM_INFORMATION_CLASS;
typedef struct _RTL_PROCESS_MODULE_INFORMATION
{
HANDLE Section; // Not filled in
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR FullPathName[ 256 ];
} RTL_PROCESS_MODULE_INFORMATION,
*PRTL_PROCESS_MODULE_INFORMATION;
typedef struct _RTL_PROCESS_MODULES
{
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];
} RTL_PROCESS_MODULES,
*PRTL_PROCESS_MODULES;
typedef enum _SHUTDOWN_ACTION
{
ShutdownNoReboot,
ShutdownReboot,
ShutdownPowerOff
} SHUTDOWN_ACTION,
*PSHUTDOWN_ACTION;
typedef struct _DIRECTORY_BASIC_INFORMATION
{
UNICODE_STRING ObjectName;
UNICODE_STRING ObjectTypeName;
} DIRECTORY_BASIC_INFORMATION,
*PDIRECTORY_BASIC_INFORMATION;
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
USHORT UniqueProcessId;
USHORT CreatorBackTraceIndex;
UCHAR ObjectTypeIndex;
UCHAR HandleAttributes;
USHORT HandleValue;
PVOID Object;
ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO,
*PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG NumberOfHandles;
SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[ 1 ];
} SYSTEM_HANDLE_INFORMATION,
*PSYSTEM_HANDLE_INFORMATION;
typedef enum _FILE_INFORMATION_CLASS
{
FileDirectoryInformation = 1,
FileFullDirectoryInformation, // 2
FileBothDirectoryInformation, // 3
FileBasicInformation, // 4 wdm
FileStandardInformation, // 5 wdm
FileInternalInformation, // 6
FileEaInformation, // 7
FileAccessInformation, // 8
FileNameInformation, // 9
FileRenameInformation, // 10
FileLinkInformation, // 11
FileNamesInformation, // 12
FileDispositionInformation, // 13
FilePositionInformation, // 14 wdm
FileFullEaInformation, // 15
FileModeInformation, // 16
FileAlignmentInformation, // 17
FileAllInformation, // 18
FileAllocationInformation, // 19
FileEndOfFileInformation, // 20 wdm
FileAlternateNameInformation, // 21
FileStreamInformation, // 22
FilePipeInformation, // 23
FilePipeLocalInformation, // 24
FilePipeRemoteInformation, // 25
FileMailslotQueryInformation, // 26
FileMailslotSetInformation, // 27
FileCompressionInformation, // 28
FileObjectIdInformation, // 29
FileCompletionInformation, // 30
FileMoveClusterInformation, // 31
FileQuotaInformation, // 32
FileReparsePointInformation, // 33
FileNetworkOpenInformation, // 34
FileAttributeTagInformation, // 35
FileTrackingInformation, // 36
FileIdBothDirectoryInformation, // 37
FileIdFullDirectoryInformation, // 38
FileValidDataLengthInformation, // 39
FileShortNameInformation, // 40
FileMaximumInformation
} FILE_INFORMATION_CLASS,
*PFILE_INFORMATION_CLASS;
typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION
{
BOOLEAN DebuggerEnabled;
BOOLEAN DebuggerNotPresent;
} SYSTEM_KERNEL_DEBUGGER_INFORMATION,
*PSYSTEM_KERNEL_DEBUGGER_INFORMATION;
typedef struct _FILE_NAME_INFORMATION
{
ULONG FileNameLength;
WCHAR FileName[1];
} FILE_NAME_INFORMATION,
*PFILE_NAME_INFORMATION;
/************************************************************/
/* */
/* Prototypes for native API functions */
/* */
/************************************************************/
typedef NTSTATUS (WINAPI * func_NtQuerySystemInformation)(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
typedef NTSTATUS (WINAPI * func_NtOpenFile)(
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
ULONG ShareAccess,
ULONG OpenOptions
);
typedef NTSTATUS (WINAPI * func_NtDeviceIoControlFile)(
HANDLE FileHandle,
HANDLE Event,
PVOID ApcRoutine,
PVOID ApcContext,
PIO_STATUS_BLOCK IoStatusBlock,
ULONG IoControlCode,
PVOID InputBuffer,
ULONG InputBufferLength,
PVOID OutputBuffer,
ULONG OutputBufferLength
);
typedef NTSTATUS (WINAPI * func_NtOpenDirectoryObject)(
PHANDLE DirectoryHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes
);
typedef NTSTATUS (WINAPI * func_NtQueryDirectoryObject)(
HANDLE DirectoryHandle,
PVOID Buffer,
ULONG BufferLength,
BOOLEAN ReturnSingleEntry,
BOOLEAN RestartScan,
PULONG Context,
PULONG ReturnLength
);
typedef NTSTATUS (WINAPI * func_NtOpenSymbolicLinkObject)(
PHANDLE SymbolicLinkHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes
);
typedef NTSTATUS (WINAPI * func_NtQuerySymbolicLinkObject)(
HANDLE SymbolicLinkHandle,
PUNICODE_STRING TargetName,
PULONG ReturnLength
);
typedef NTSTATUS (WINAPI * func_NtQueryInformationFile)(
HANDLE FileHandle,
PIO_STATUS_BLOCK IoStatusBlock,
PVOID FileInformation,
ULONG Length,
FILE_INFORMATION_CLASS FileInformationClass
);

384
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/xml.cpp Normal file
View File

@ -0,0 +1,384 @@
#include "stdafx.h"
//--------------------------------------------------------------------------------------
/**
* çàãðóçêà è ïàðñèíã xml äîêóìåíòà
* @param data òåêñò çàãðóæàåìîãî xml äîêóììåíòà
* @return TRUE åñëè âñ¸ ÎÊ, FALSE â ñëó÷àå îøèáêè
*/
BOOL XmlLoad(PWSTR lpwcData, IXMLDOMDocument **pXMLDoc, IXMLDOMNode **pIDOMRootNode, PWSTR lpwcRootNodeName)
{
BOOL bOk = FALSE;
VARIANT_BOOL status;
// initialize COM
HRESULT hr = CoInitializeEx(NULL, COINIT_MULTITHREADED);
if (FAILED(hr))
{
DbgMsg(__FILE__, __LINE__, "CoInitializeEx() ERROR 0x%.8x\n", hr);
return FALSE;
}
// create new msxml document instance
hr = CoCreateInstance(CLSID_DOMDocument, NULL, CLSCTX_INPROC_SERVER,
IID_IXMLDOMDocument, (void **)pXMLDoc);
if (FAILED(hr))
{
DbgMsg(__FILE__, __LINE__, "CoCreateInstance() ERROR 0x%.8x\n", hr);
return FALSE;
}
hr = (*pXMLDoc)->loadXML(lpwcData, &status);
if (status != VARIANT_TRUE)
{
DbgMsg(__FILE__, __LINE__, "pXMLDoc->load() ERROR 0x%.8x\n", hr);
goto end;
}
// åñëè xml çàãðóæåí, ïîëó÷àåì ñïèñîê êîðíåâûõ óçëîâ
// èç êîòîðîãî ïîëó÷àåì ãëàâíûé ïîäóçåë 'logger'
IXMLDOMNodeList *pIDOMRootNodeList;
hr = (*pXMLDoc)->get_childNodes(&pIDOMRootNodeList);
if (SUCCEEDED(hr))
{
*pIDOMRootNode = ConfGetListNodeByName(lpwcRootNodeName, pIDOMRootNodeList);
if (*pIDOMRootNode)
{
bOk = TRUE;
}
pIDOMRootNodeList->Release();
}
else
{
DbgMsg(__FILE__, __LINE__, "pXMLDoc->get_childNodes() ERROR 0x%.8x\n", hr);
}
end:
if (!bOk)
{
// ïðîèçîøëà îøèáêà
// îñâîáîæäàåì äåñêðèïòîð äîêóììåíòà
(*pXMLDoc)->Release();
*pXMLDoc = NULL;
}
return bOk;
}
//--------------------------------------------------------------------------------------
/**
* ïîëó÷åíèå xml-óçëà èç ñïèñêà ïî åãî èìåíè
* @param NodeName èìÿ èñêîìîãî óçëà
* @param pIDOMNodeList äåñêðèïòîð ñïèñêà
* @return äåñêðèïòîð íóæíîãî óçëà, èëè NULL â ñëó÷àå íåóäà÷è
* @see ConfGetNodeByName()
* @see ConfGetNodeText()
* @see ConfGetTextByName()
*/
IXMLDOMNode * ConfGetListNodeByName(BSTR NodeName, IXMLDOMNodeList *pIDOMNodeList)
{
IXMLDOMNode *Ret = NULL;
LONG len = 0;
if (pIDOMNodeList == NULL)
{
return NULL;
}
HRESULT hr = pIDOMNodeList->get_length(&len);
if (SUCCEEDED(hr))
{
pIDOMNodeList->reset();
for (int i = 0; i < len; i++)
{
IXMLDOMNode *pIDOMChildNode = NULL;
hr = pIDOMNodeList->get_item(i, &pIDOMChildNode);
if (SUCCEEDED(hr))
{
BSTR ChildNodeName = NULL;
hr = pIDOMChildNode->get_nodeName(&ChildNodeName);
if (SUCCEEDED(hr))
{
if (!wcscmp(NodeName, ChildNodeName))
{
Ret = pIDOMChildNode;
}
}
if (ChildNodeName)
{
SysFreeString(ChildNodeName);
}
if (Ret)
{
return Ret;
}
pIDOMChildNode->Release();
pIDOMChildNode = NULL;
}
else
{
DbgMsg(__FILE__, __LINE__, "pIDOMNodeList->get_item() ERROR 0x%.8x\n", hr);
}
}
}
else
{
DbgMsg(__FILE__, __LINE__, "pIDOMNodeList->get_length() ERROR 0x%.8x\n", hr);
}
return NULL;
}
//--------------------------------------------------------------------------------------
/**
* ïîëó÷åíèå ïîäóçëà ïî åãî èìåíè
* @param NodeName èìÿ èñêîìîãî óçëà
* @param pIDOMNode äåñêðèïòîð ðîäèòåëüñêîãî óçëà
* @return äåñêðèïòîð íóæíîãî óçëà, èëè NULL â ñëó÷àå íåóäà÷è
* @see ConfGetListNodeByName()
* @see ConfGetNodeText()
* @see ConfGetTextByName()
*/
IXMLDOMNode * ConfGetNodeByName(BSTR NodeName, IXMLDOMNode *pIDOMNode)
{
IXMLDOMNode *pIDOMRetNode = NULL;
IXMLDOMNodeList *pIDOMNodeList = NULL;
if (pIDOMNode == NULL)
{
return NULL;
}
HRESULT hr = pIDOMNode->get_childNodes(&pIDOMNodeList);
if (SUCCEEDED(hr) && pIDOMNodeList)
{
pIDOMRetNode = ConfGetListNodeByName(NodeName, pIDOMNodeList);
pIDOMNodeList->Release();
}
else
{
DbgMsg(__FILE__, __LINE__, "pIDOMNodeList->get_length() ERROR 0x%.8x\n", hr);
}
return pIDOMRetNode;
}
//--------------------------------------------------------------------------------------
/**
* ïîëó÷åíèå çíà÷åíèÿ óçëà
* @param pIDOMNode äåñêðèïòîð óçëà
* @param str àäðåññ unicode-ñòðîêè, â êîòîðóþ áóäåò çàïèñàíî çíà÷åíèå
* @return TRUE åñëè âñ¸ ÎÊ, FALSE â ñëó÷àå îøèáêè
* @see ConfGetListNodeByName()
* @see ConfGetNodeByName()
* @see ConfGetTextByName()
*/
BOOL ConfGetNodeTextW(IXMLDOMNode *pIDOMNode, PWSTR *str)
{
BOOL bRet = FALSE;
BSTR val = NULL;
if (pIDOMNode == NULL)
{
return FALSE;
}
HRESULT hr = pIDOMNode->get_text(&val);
if (FAILED(hr))
{
DbgMsg(__FILE__, __LINE__, "pIDOMNode->get_text() ERROR 0x%.8x\n", hr);
return FALSE;
}
DWORD Len = (wcslen((PWSTR)val) + 1) * sizeof(WCHAR);
if (*str = (PWSTR)M_ALLOC(Len))
{
ZeroMemory(*str, Len);
wcscpy_s(*str, Len / sizeof(wchar_t), (PWSTR)val);
bRet = TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() ERROR %d\n", GetLastError());
}
if (val)
{
SysFreeString(val);
}
return bRet;
}
//--------------------------------------------------------------------------------------
/**
* ïîëó÷åíèå çíà÷åíèÿ óçëà
* @param pIDOMNode äåñêðèïòîð óçëà
* @param str àäðåññ unicode-ñòðîêè, â êîòîðóþ áóäåò çàïèñàíî çíà÷åíèå
* @return TRUE åñëè âñ¸ ÎÊ, FALSE â ñëó÷àå îøèáêè
* @see ConfGetListNodeByName()
* @see ConfGetNodeByName()
* @see ConfGetTextByName()
*/
BOOL ConfGetNodeTextA(IXMLDOMNode *pIDOMNode, PCHAR *str)
{
BOOL bRet = FALSE;
PWSTR str_w;
if (ConfGetNodeTextW(pIDOMNode, &str_w))
{
int len = wcslen(str_w);
if (*str = (PCHAR)M_ALLOC(len + 1))
{
ZeroMemory(*str, len + 1);
WideCharToMultiByte(CP_ACP, 0, str_w, -1, *str, len, NULL, NULL);
bRet = TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() ERROR %d\n", GetLastError());
}
M_FREE(str_w);
}
return bRet;
}
//--------------------------------------------------------------------------------------
/**
* ïîëó÷åíèå çíà÷åíèÿ ïîäóçëà ïî åãî èìåíè
* @param pIDOMNode äåñêðèïòîð ðîäèòåëüñêîãî óçëà
* @param name èìÿ äî÷åðíåãî óçëà, çíà÷åíèå êîòîðîãî íåîáõîäèìî ïîëó÷èòü
* @param val àäðåññ óêàçàòåëÿ íà unicode-ñòðîêó, â êîòîðóþ áóäåò çàïèñàíî çíà÷åíèå
* @return TRUE åñëè âñ¸ ÎÊ, FALSE â ñëó÷àå îøèáêè
* @see ConfGetListNodeByNameA()
* @see ConfGetListNodeByName()
* @see ConfGetNodeByName()
* @see ConfGetNodeText()
* @see ConfGetTextByName()
*/
BOOL ConfAllocGetTextByNameW(IXMLDOMNode *pIDOMNode, PWSTR name, PWSTR *value)
{
BOOL bRet = FALSE;
IXMLDOMNode *pIDOMChildNode = ConfGetNodeByName(name, pIDOMNode);
if (pIDOMChildNode)
{
bRet = ConfGetNodeTextW(pIDOMChildNode, value);
pIDOMChildNode->Release();
}
return bRet;
}
//--------------------------------------------------------------------------------------
/**
* ïîëó÷åíèå çíà÷åíèÿ ïîäóçëà ïî åãî èìåíè
* @param pIDOMNode äåñêðèïòîð ðîäèòåëüñêîãî óçëà
* @param name èìÿ äî÷åðíåãî óçëà, çíà÷åíèå êîòîðîãî íåîáõîäèìî ïîëó÷èòü
* @param val àäðåññ óêàçàòåëÿ íà unicode-ñòðîêó, â êîòîðóþ áóäåò çàïèñàíî çíà÷åíèå
* @return TRUE åñëè âñ¸ ÎÊ, FALSE â ñëó÷àå îøèáêè
* @see ConfGetListNodeByNameW()
* @see ConfGetListNodeByName()
* @see ConfGetNodeByName()
* @see ConfGetNodeText()
* @see ConfGetTextByName()
*/
BOOL ConfAllocGetTextByNameA(IXMLDOMNode *pIDOMNode, PWSTR name, PCHAR *value)
{
BOOL bRet = FALSE;
PWSTR value_w;
if (ConfAllocGetTextByNameW(pIDOMNode, name, &value_w))
{
int len = wcslen(value_w);
if (*value = (PCHAR)M_ALLOC(len + 1))
{
ZeroMemory(*value, len + 1);
WideCharToMultiByte(CP_ACP, 0, value_w, -1, *value, len, NULL, NULL);
bRet = TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() ERROR %d\n", GetLastError());
}
M_FREE(value_w);
}
return bRet;
}
//--------------------------------------------------------------------------------------
BOOL ConfGetNodeAttributeW(IXMLDOMNode *pIDOMNode, PWSTR name, PWSTR *value)
{
BOOL bRet = FALSE;
IXMLDOMNamedNodeMap *pIXMLDOMNamedNodeMap = NULL;
// query attributes map
HRESULT hr = pIDOMNode->get_attributes(&pIXMLDOMNamedNodeMap);
if (SUCCEEDED(hr) && pIXMLDOMNamedNodeMap)
{
IXMLDOMNode *pIDOMAttrNode = NULL;
// query attribute node
hr = pIXMLDOMNamedNodeMap->getNamedItem(name, &pIDOMAttrNode);
if (SUCCEEDED(hr) && pIDOMAttrNode)
{
VARIANT varValue;
hr = pIDOMAttrNode->get_nodeValue(&varValue);
if (FAILED(hr))
{
DbgMsg(__FILE__, __LINE__, "pIDOMAttrNode->get_nodeValue() ERROR 0x%.8x\n", hr);
goto free;
}
BSTR val = _bstr_t(varValue);
DWORD Len = (wcslen((PWSTR)val) + 1) * sizeof(WCHAR);
if (*value = (PWSTR)M_ALLOC(Len))
{
ZeroMemory(*value, Len);
wcscpy(*value, (PWSTR)val);
bRet = TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() ERROR %d\n", GetLastError());
}
free:
pIDOMAttrNode->Release();
pIDOMAttrNode = NULL;
}
pIXMLDOMNamedNodeMap->Release();
pIXMLDOMNamedNodeMap = NULL;
}
return bRet;
}
//--------------------------------------------------------------------------------------
BOOL ConfGetNodeAttributeA(IXMLDOMNode *pIDOMNode, PWSTR name, PCHAR *value)
{
BOOL bRet = FALSE;
PWSTR value_w;
if (ConfGetNodeAttributeW(pIDOMNode, name, &value_w))
{
int len = wcslen(value_w);
if (*value = (PCHAR)M_ALLOC(len + 1))
{
ZeroMemory(*value, len + 1);
WideCharToMultiByte(CP_ACP, 0, value_w, -1, *value, len, NULL, NULL);
bRet = TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() ERROR %d\n", GetLastError());
}
M_FREE(value_w);
}
return bRet;
}
//--------------------------------------------------------------------------------------
// EoF

9
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/xml.h Normal file
View File

@ -0,0 +1,9 @@
BOOL XmlLoad(PWSTR lpwcData, IXMLDOMDocument **pXMLDoc, IXMLDOMNode **pIDOMRootNode, PWSTR lpwcRootNodeName);
IXMLDOMNode * ConfGetListNodeByName(BSTR NodeName, IXMLDOMNodeList *pIDOMNodeList);
IXMLDOMNode * ConfGetNodeByName(BSTR NodeName, IXMLDOMNode *pIDOMNode);
BOOL ConfGetNodeTextW(IXMLDOMNode *pIDOMNode, PWSTR *str);
BOOL ConfGetNodeTextA(IXMLDOMNode *pIDOMNode, PCHAR *str);
BOOL ConfAllocGetTextByNameW(IXMLDOMNode *pIDOMNode, PWSTR name, PWSTR *value);
BOOL ConfAllocGetTextByNameA(IXMLDOMNode *pIDOMNode, PWSTR name, PCHAR *value);
BOOL ConfGetNodeAttributeW(IXMLDOMNode *pIDOMNode, PWSTR name, PWSTR *value);
BOOL ConfGetNodeAttributeA(IXMLDOMNode *pIDOMNode, PWSTR name, PCHAR *value);

48
HookDeviceIocontrlFile/HookDeviceIoControlFile/HookDeviceIoControlFile/ioctlfuzzer.xml Normal file
View File

@ -0,0 +1,48 @@
<?xml version="1.0" encoding="windows-1251" ?>
<cfg>
<!-- Path to log file. -->
<log_file>C:\ioctlfuzzer.log</log_file>
<!-- If true, hex dumps of IOCTL buffers will be logged. -->
<hex_dump>true</hex_dump>
<!-- If true, will print logging output to console. -->
<log_requests>true</log_requests>
<!-- If true, will print logging output to kernel debugger. -->
<debug_log_requests>true</debug_log_requests>
<!-- If true, will log boot. -->
<boot_log>false</boot_log>
<!--
IOCTLs "allow" list.
The fuzzer will process (i.e. log and/or fuzz) any IOCTL request
containing at least one parameter from the <allow> list.
If the list is empty, each IRP will be processed.
-->
<allow>
</allow>
<!--
IOCTLs "deny" list, can be empty.
Identical in structure to "allow" list.
-->
<deny>
<!-- Don't fuzz default Windows drivers. -->
</deny>
<!--
Kernel Debugger Communication Engine configuration:
list of IOCTLs (by driver/device/process name or I/O Control Code)
and remote kernel debugger commands, that must be executed
when IOCTL Fuzzer cacthing these requests.
See README.TXT for more information.
-->
<dbgcb>
</dbgcb>
</cfg>

20
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile.sln Normal file
View File

@ -0,0 +1,20 @@

Microsoft Visual Studio Solution File, Format Version 10.00
# Visual Studio 2008
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HookDeviceIoControlFile", "HookDeviceIoControlFile\HookDeviceIoControlFile.vcproj", "{DD2262AA-B5AD-411D-99DF-DDD53F92830F}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Release|Win32 = Release|Win32
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{DD2262AA-B5AD-411D-99DF-DDD53F92830F}.Debug|Win32.ActiveCfg = Debug|Win32
{DD2262AA-B5AD-411D-99DF-DDD53F92830F}.Debug|Win32.Build.0 = Debug|Win32
{DD2262AA-B5AD-411D-99DF-DDD53F92830F}.Release|Win32.ActiveCfg = Release|Win32
{DD2262AA-B5AD-411D-99DF-DDD53F92830F}.Release|Win32.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal

340
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/HookDeviceIoControlFile.vcproj Normal file
View File

@ -0,0 +1,340 @@
<?xml version="1.0" encoding="gb2312"?>
<VisualStudioProject
ProjectType="Visual C++"
Version="9.00"
Name="HookDeviceIoControlFile"
ProjectGUID="{DD2262AA-B5AD-411D-99DF-DDD53F92830F}"
RootNamespace="HookDeviceIoControlFile"
Keyword="Win32Proj"
TargetFrameworkVersion="196613"
>
<Platforms>
<Platform
Name="Win32"
/>
</Platforms>
<ToolFiles>
</ToolFiles>
<Configurations>
<Configuration
Name="Debug|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="1"
CharacterSet="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="3"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="2"
GenerateDebugInformation="true"
SubSystem="2"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Release|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="1"
CharacterSet="1"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="2"
EnableIntrinsicFunctions="true"
PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS"
RuntimeLibrary="2"
EnableFunctionLevelLinking="true"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
LinkIncremental="1"
GenerateDebugInformation="true"
SubSystem="2"
OptimizeReferences="2"
EnableCOMDATFolding="2"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
</Configurations>
<References>
<AssemblyReference
RelativePath="System.dll"
AssemblyName="System, Version=2.0.0.0, PublicKeyToken=b77a5c561934e089, processorArchitecture=MSIL"
MinFrameworkVersion="131072"
/>
<AssemblyReference
RelativePath="System.Data.dll"
AssemblyName="System.Data, Version=2.0.0.0, PublicKeyToken=b77a5c561934e089, processorArchitecture=x86"
MinFrameworkVersion="131072"
/>
<AssemblyReference
RelativePath="System.Drawing.dll"
AssemblyName="System.Drawing, Version=2.0.0.0, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=MSIL"
MinFrameworkVersion="131072"
/>
<AssemblyReference
RelativePath="System.Windows.Forms.dll"
AssemblyName="System.Windows.Forms, Version=2.0.0.0, PublicKeyToken=b77a5c561934e089, processorArchitecture=MSIL"
MinFrameworkVersion="131072"
/>
<AssemblyReference
RelativePath="System.XML.dll"
AssemblyName="System.Xml, Version=2.0.0.0, PublicKeyToken=b77a5c561934e089, processorArchitecture=MSIL"
MinFrameworkVersion="131072"
/>
</References>
<Files>
<Filter
Name="Source Files"
Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
>
<File
RelativePath=".\common.c"
>
</File>
<File
RelativePath=".\common.h"
>
</File>
<File
RelativePath=".\common_asm.h"
>
</File>
<File
RelativePath=".\common_change_asm.cpp"
>
<FileConfiguration
Name="Debug|Win32"
>
<Tool
Name="VCCLCompilerTool"
MinimalRebuild="false"
ExceptionHandling="2"
BasicRuntimeChecks="0"
UsePrecompiledHeader="0"
DebugInformationFormat="3"
CompileAsManaged="1"
/>
</FileConfiguration>
<FileConfiguration
Name="Release|Win32"
>
<Tool
Name="VCCLCompilerTool"
MinimalRebuild="false"
ExceptionHandling="2"
BasicRuntimeChecks="0"
UsePrecompiledHeader="0"
DebugInformationFormat="3"
CompileAsManaged="1"
/>
</FileConfiguration>
</File>
<File
RelativePath=".\debug.c"
>
</File>
<File
RelativePath=".\debug.h"
>
</File>
<File
RelativePath=".\driver.c"
>
</File>
<File
RelativePath=".\driver.h"
>
</File>
<File
RelativePath=".\drvcomm.h"
>
</File>
<File
RelativePath=".\udis86\extern.h"
>
</File>
<File
RelativePath=".\handlers.c"
>
</File>
<File
RelativePath=".\handlers.h"
>
</File>
<File
RelativePath=".\hook.c"
>
</File>
<File
RelativePath=".\hook.h"
>
</File>
<File
RelativePath=".\log.c"
>
</File>
<File
RelativePath=".\log.h"
>
</File>
<File
RelativePath=".\lst.c"
>
</File>
<File
RelativePath=".\lst.h"
>
</File>
<File
RelativePath=".\rng.c"
>
</File>
<File
RelativePath=".\rng.h"
>
</File>
<File
RelativePath=".\rules.c"
>
</File>
<File
RelativePath=".\rules.h"
>
</File>
<File
RelativePath=".\stdafx.h"
>
</File>
<File
RelativePath=".\udis86\types.h"
>
</File>
<File
RelativePath=".\undocnt.h"
>
</File>
</Filter>
<Filter
Name="Header Files"
Filter="h;hpp;hxx;hm;inl;inc;xsd"
UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
>
</Filter>
<Filter
Name="Resource Files"
Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav"
UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}"
>
</Filter>
</Files>
<Globals>
</Globals>
</VisualStudioProject>

1495
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/common.c Normal file
View File

File diff suppressed because it is too large Load Diff

82
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/common.h Normal file
View File

@ -0,0 +1,82 @@
#include <ntifs.h>
#define XALIGN_DOWN(x, align)(x &~ (align - 1))
#define XALIGN_UP(x, align)((x & (align - 1))?XALIGN_DOWN(x, align) + align:x)
#define RVATOVA(_base_, _offset_) ((PUCHAR)(_base_) + (ULONG)(_offset_))
#define M_ALLOC(_size_) ExAllocatePool(NonPagedPool, (_size_))
#define M_FREE(_addr_) ExFreePool((_addr_))
#define XLOWORD(_dw) ((USHORT)(((ULONG)(_dw)) & 0xffff))
#define XHIWORD(_dw) ((USHORT)((((ULONG)(_dw)) >> 16) & 0xffff))
#define ABSOLUTE(wait) (wait)
#define RELATIVE(wait) (-(wait))
#define NANOSECONDS(nanos) \
(((signed __int64)(nanos)) / 100L)
#define MICROSECONDS(micros) \
(((signed __int64)(micros)) * NANOSECONDS(1000L))
#define MILLISECONDS(milli) \
(((signed __int64)(milli)) * MICROSECONDS(1000L))
#define SECONDS(seconds) \
(((signed __int64)(seconds)) * MILLISECONDS(1000L))
#define IFMT32 "0x%.8x"
#define IFMT64 "0x%.16I64x"
#define IFMT32_W L"0x%.8x"
#define IFMT64_W L"0x%.16I64x"
#ifdef _X86_
#define IFMT IFMT32
#define IFMT_W IFMT32_W
#elif _AMD64_
#define IFMT IFMT64
#define IFMT_W IFMT64_W
#endif
BOOLEAN SetObjectSecurityWorld(HANDLE hObject, ACCESS_MASK AccessMask);
PVOID KernelGetModuleBase(char *ModuleName);
ULONG KernelGetExportAddress(PVOID Image, char *lpszFunctionName);
POBJECT_NAME_INFORMATION GetObjectName(PVOID pObject);
POBJECT_NAME_INFORMATION GetObjectNameByHandle(HANDLE hObject);
POBJECT_NAME_INFORMATION GetFullNtPath(PUNICODE_STRING Name);
BOOLEAN GetNormalizedModulePath(PANSI_STRING asPath, PANSI_STRING asNormalizedPath);
PVOID GetSysInf(SYSTEM_INFORMATION_CLASS InfoClass);
BOOLEAN AllocUnicodeString(PUNICODE_STRING us, USHORT MaximumLength);
BOOLEAN AppendUnicodeToString(PUNICODE_STRING Dest, PCWSTR Source, USHORT Len);
ULONG GetFileSize(HANDLE hFile, PULONG FileSizeHigh);
BOOLEAN ReadFromFile(PUNICODE_STRING FileName, PVOID *Data, PULONG DataSize);
BOOLEAN DumpToFile(PUNICODE_STRING FileName, PVOID Data, ULONG DataSize);
BOOLEAN DeleteFile(PUNICODE_STRING usFileName);
BOOLEAN LoadImageAsDataFile(PUNICODE_STRING usName, PVOID *Image, PULONG MappedImageSize);
void __stdcall ClearWp(PVOID Param);
void __stdcall SetWp(PVOID Param);
void ForEachProcessor(PKSTART_ROUTINE Routine, PVOID Param);
ULONG GetSyscallNumber(char *lpszName);
BOOLEAN RegQueryValueKey(HANDLE hKey, PWSTR lpwcName, ULONG Type, PVOID *Data, PULONG DataSize);
BOOLEAN RegSetValueKey(HANDLE hKey, PWSTR lpwcName, ULONG Type, PVOID Data, ULONG DataSize);
BOOLEAN GetProcessFullImagePath(PEPROCESS Process, PUNICODE_STRING ImagePath);
typedef struct _MAPPED_MDL
{
PMDL Mdl;
PVOID Buffer;
PVOID MappedBuffer;
} MAPPED_MDL,
*PMAPPED_MDL;
BOOLEAN AllocateUserMemory(ULONG Size, PMAPPED_MDL MdlInfo);
void FreeUserMemory(PMAPPED_MDL MdlInfo);
BOOLEAN IsWow64Process(PEPROCESS Process, BOOLEAN *bIsWow64);

21
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/common_asm.h Normal file
View File

@ -0,0 +1,21 @@
#ifdef __cplusplus
extern "C"
{
#endif
void __stdcall _clear_wp(void);
void __stdcall _set_wp(void);
NTSTATUS
NTAPI
_ZwProtectVirtualMemory(
HANDLE ProcessHandle,
PVOID *BaseAddress,
PSIZE_T NumberOfBytesToProtect,
ULONG NewAccessProtection,
PULONG OldAccessProtection
);
#ifdef __cplusplus
}
#endif

2
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/common_change_asm.cpp Normal file
View File

@ -0,0 +1,2 @@
#include "common_change_asm.h"

278
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/debug.c Normal file
View File

@ -0,0 +1,278 @@
#include "stdafx.h"
#define DBGMSG_BUFF_SIZE 0x1000
HANDLE hDbgPipe = NULL, hDbgLogFile = NULL;
KMUTEX DbgMutex;
//--------------------------------------------------------------------------------------
char *GetNameFromFullPath(char *lpszPath)
{
char *lpszName = lpszPath;
size_t i = 0;
for (i = 0; i < strlen(lpszPath); i++)
{
if (lpszPath[i] == '\\' || lpszPath[i] == '/')
{
lpszName = lpszPath + i + 1;
}
}
return lpszName;
}
//--------------------------------------------------------------------------------------
#ifdef DBGMSG_FULL
//--------------------------------------------------------------------------------------
void DbgMsg(char *lpszFile, int Line, char *lpszMsg, ...)
{
va_list mylist;
char *lpszOutBuff = NULL;
char *lpszBuff = (char *)M_ALLOC(DBGMSG_BUFF_SIZE);
if (lpszBuff == NULL)
{
return;
}
lpszOutBuff = (char *)M_ALLOC(DBGMSG_BUFF_SIZE);
if (lpszOutBuff == NULL)
{
M_FREE(lpszBuff);
return;
}
va_start(mylist, lpszMsg);
vsprintf(lpszBuff, lpszMsg, mylist);
va_end(mylist);
sprintf(lpszOutBuff, "%s(%d) : %s", GetNameFromFullPath(lpszFile), Line, lpszBuff);
#ifdef DBGMSG
DbgPrint(lpszOutBuff);
#endif
#if defined(DBGPIPE) || defined(DBGLOGFILE)
if (KeGetCurrentIrql() == PASSIVE_LEVEL)
{
KeWaitForMutexObject(&DbgMutex, Executive, KernelMode, FALSE, NULL);
if (hDbgPipe)
{
// write debug message into pipe
IO_STATUS_BLOCK IoStatusBlock;
ULONG Len = (ULONG)strlen(lpszOutBuff) + 1;
ZwWriteFile(hDbgPipe, 0, NULL, NULL, &IoStatusBlock, (PVOID)&Len, sizeof(Len), NULL, NULL);
ZwWriteFile(hDbgPipe, 0, NULL, NULL, &IoStatusBlock, lpszOutBuff, Len, NULL, NULL);
}
if (hDbgLogFile)
{
// write debug message into logfile
IO_STATUS_BLOCK IoStatusBlock;
ULONG Len = (ULONG)strlen(lpszOutBuff);
ZwWriteFile(hDbgLogFile, 0, NULL, NULL, &IoStatusBlock, lpszOutBuff, Len, NULL, NULL);
}
KeReleaseMutex(&DbgMutex, FALSE);
}
#endif // DBGPIPE/DBGLOGFILE
M_FREE(lpszBuff);
M_FREE(lpszOutBuff);
}
//--------------------------------------------------------------------------------------
#ifdef DBGPIPE
//--------------------------------------------------------------------------------------
void DbgOpenPipe(void)
{
OBJECT_ATTRIBUTES ObjAttr;
IO_STATUS_BLOCK IoStatusBlock;
UNICODE_STRING usPipeName;
NTSTATUS status = STATUS_UNSUCCESSFUL;
RtlInitUnicodeString(&usPipeName, L"\\Device\\NamedPipe\\" DBG_PIPE_NAME);
InitializeObjectAttributes(&ObjAttr, &usPipeName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
KeWaitForMutexObject(&DbgMutex, Executive, KernelMode, FALSE, NULL);
// open data pipe by name
status = ZwCreateFile(
&hDbgPipe,
FILE_WRITE_DATA | SYNCHRONIZE,
&ObjAttr,
&IoStatusBlock,
0,
FILE_ATTRIBUTE_NORMAL,
0,
FILE_OPEN,
FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0
);
if (!NT_SUCCESS(status))
{
DbgMsg(__FILE__, __LINE__, "ZwCreateFile() fails; status: 0x%.8x\n", status);
}
KeReleaseMutex(&DbgMutex, FALSE);
}
//--------------------------------------------------------------------------------------
void DbgClosePipe(void)
{
KeWaitForMutexObject(&DbgMutex, Executive, KernelMode, FALSE, NULL);
if (hDbgPipe)
{
ZwClose(hDbgPipe);
hDbgPipe = NULL;
}
KeReleaseMutex(&DbgMutex, FALSE);
}
//--------------------------------------------------------------------------------------
#endif // DBGPIPE
//--------------------------------------------------------------------------------------
#ifdef DBGLOGFILE
//--------------------------------------------------------------------------------------
void DbgOpenLogFile(void)
{
OBJECT_ATTRIBUTES ObjAttr;
IO_STATUS_BLOCK StatusBlock;
UNICODE_STRING usFileName;
RtlInitUnicodeString(&usFileName, DBG_LOGFILE_NAME);
InitializeObjectAttributes(&ObjAttr, &usFileName,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE , NULL, NULL);
KeWaitForMutexObject(&DbgMutex, Executive, KernelMode, FALSE, NULL);
NTSTATUS status = ZwCreateFile(
&hDbgLogFile,
FILE_ALL_ACCESS | SYNCHRONIZE,
&ObjAttr,
&StatusBlock,
NULL,
FILE_ATTRIBUTE_NORMAL,
0,
FILE_OVERWRITE_IF,
FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0
);
if (!NT_SUCCESS(status))
{
DbgMsg(__FILE__, __LINE__, "ZwCreateFile() fails; status: 0x%.8x\n", status);
}
KeReleaseMutex(&DbgMutex, FALSE);
}
//--------------------------------------------------------------------------------------
#endif // DBGLOGFILE
//--------------------------------------------------------------------------------------
void DbgClose(void)
{
KeWaitForMutexObject(&DbgMutex, Executive, KernelMode, FALSE, NULL);
if (hDbgPipe)
{
ZwClose(hDbgPipe);
hDbgPipe = NULL;
}
if (hDbgLogFile)
{
ZwClose(hDbgLogFile);
hDbgLogFile = NULL;
}
KeReleaseMutex(&DbgMutex, FALSE);
}
//--------------------------------------------------------------------------------------
void DbgInit(void)
{
#if defined(DBGPIPE) || defined(DBGLOGFILE)
KeInitializeMutex(&DbgMutex, NULL);
#endif // DBGPIPE/DBGLOGFILE
}
//--------------------------------------------------------------------------------------
#endif // DBGMSG_FULL
//--------------------------------------------------------------------------------------
void DbgHexdump(PUCHAR Data, ULONG Length)
{
ULONG dp = 0, p = 0;
const char trans[] =
"................................ !\"#$%&'()*+,-./0123456789"
":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
"nopqrstuvwxyz{|}~...................................."
"....................................................."
"........................................";
char szBuff[0x100], szChar[10];
RtlZeroMemory(szBuff, sizeof(szBuff));
for (dp = 1; dp <= Length; dp++)
{
sprintf(szChar, "%02x ", Data[dp-1]);
strcat(szBuff, szChar);
if ((dp % 8) == 0)
{
strcat(szBuff, " ");
}
if ((dp % 16) == 0)
{
strcat(szBuff, "| ");
p = dp;
for (dp -= 16; dp < p; dp++)
{
sprintf(szChar, "%c", trans[Data[dp]]);
strcat(szBuff, szChar);
}
DbgMsg(__FILE__, __LINE__, "%.8x: %s\r\n", dp - 16, szBuff);
RtlZeroMemory(szBuff, sizeof(szBuff));
}
}
if ((Length % 16) != 0)
{
p = dp = 16 - (Length % 16);
for (dp = p; dp > 0; dp--)
{
strcat(szBuff, " ");
if (((dp % 8) == 0) && (p != 8))
{
strcat(szBuff, " ");
}
}
strcat(szBuff, " | ");
for (dp = (Length - (16 - p)); dp < Length; dp++)
{
sprintf(szChar, "%c", trans[Data[dp]]);
strcat(szBuff, szChar);
}
DbgMsg(__FILE__, __LINE__, "%.8x: %s\r\n", Length - (Length % 16), szBuff);
}
}
//--------------------------------------------------------------------------------------
// EoF

25
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/debug.h Normal file
View File

@ -0,0 +1,25 @@
#include <ntifs.h>
#ifdef DBGMSG_FULL
void DbgMsg(char *lpszFile, int Line, char *lpszMsg, ...);
void DbgClose(void);
void DbgInit(void);
#else // DBGMSG_FULL
#define DbgMsg
#define DbgClose
#define DbgInit
#endif // DBGMSG_FULL
#ifdef DBGPIPE
void DbgOpenPipe(void);
void DbgClosePipe(void);
#endif
#ifdef DBGLOGFILE
void DbgOpenLogFile(void);
#endif
void DbgHexdump(PUCHAR Data, ULONG Length);

1353
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/driver.c Normal file
View File

File diff suppressed because it is too large Load Diff

2
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/driver.h Normal file
View File

@ -0,0 +1,2 @@
void SetPreviousMode(KPROCESSOR_MODE Mode);

117
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/drvcomm.h Normal file
View File

@ -0,0 +1,117 @@
#define DEVICE_NAME L"IOCTLfuzzer"
#define DBG_PIPE_NAME L"IOCTLfuzzer"
#define DBG_PIPE_NAME_A "IOCTLfuzzer"
#define IOCTL_DRV_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x01, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
#define S_ERROR 0x00
#define S_SUCCESS 0x01
#define C_ADD_DEVICE 0x01
#define C_ADD_DRIVER 0x02
#define C_ADD_IOCTL 0x03
#define C_ADD_PROCESS 0x04
#define C_SET_OPTIONS 0x05
#define C_GET_DEVICE_INFO 0x06
#define C_CHECK_HOOKS 0x07
#define C_DEL_OPTIONS 0x08
#define C_GET_OBJECT_NAME 0x09
// fuzzing options
#define FUZZ_OPT_LOG_IOCTL 0x00000001
#define FUZZ_OPT_LOG_IOCTL_BUFFERS 0x00000002
#define FUZZ_OPT_LOG_IOCTL_GLOBAL 0x00000004
#define FUZZ_OPT_LOG_EXCEPTIONS 0x00000008
#define FUZZ_OPT_LOG_DEBUG 0x00000010
#define FUZZ_OPT_FUZZ 0x00000020
#define FUZZ_OPT_FUZZ_SIZE 0x00000040
#define FUZZ_OPT_FUZZ_FAIR 0x00000080
#define FUZZ_OPT_FUZZ_BOOT 0x00000100
#define FUZZ_OPT_NO_SDT_HOOKS 0x00000200
typedef ULONG FUZZING_TYPE;
#define FuzzingType_Random 0x00000001
#define FuzzingType_Dword 0x00000002
// area to store some variables, that must located in user mode
#pragma pack(push, 1)
typedef struct _USER_MODE_DATA
{
IO_STATUS_BLOCK IoStatus;
} USER_MODE_DATA,
*PUSER_MODE_DATA;
#pragma pack(pop)
#define MAX_REQUEST_STRING 0x100
#pragma pack(push, 1)
typedef struct _REQUEST_BUFFER
{
// operation status (see S_* definitions)
ULONG Status;
// operation code (see C_* definitions)
ULONG Code;
union
{
struct
{
ULONG Options;
ULONG FuzzThreadId;
FUZZING_TYPE FuzzingType;
PUSER_MODE_DATA UserModeData;
ULONG KiDispatchException_Offset;
} Options;
struct
{
PVOID DeviceObjectAddr;
PVOID DriverObjectAddr;
char szDriverObjectName[MAX_REQUEST_STRING];
char szDriverFilePath[MAX_REQUEST_STRING];
} DeviceInfo;
struct
{
// for C_ADD_IOCTL
ULONG IoctlCode;
// for all C_ADD_*
BOOLEAN bAllow;
// for C_ADD_DEVICE, C_ADD_DRIVER and C_ADD_PROCESS
char szObjectName[MAX_REQUEST_STRING];
/*
If TRUE -- debugger command, that stored in Buff[],
must be executed for every IOCTL, that has been matched
by this object.
*/
BOOLEAN bDbgcbAction;
} AddObject;
struct
{
HANDLE hObject;
char szObjectName[MAX_REQUEST_STRING];
} ObjectName;
struct
{
BOOLEAN bHooksInstalled;
} CheckHooks;
};
char Buff[1];
} REQUEST_BUFFER,
*PREQUEST_BUFFER;
#pragma pack(pop)

67
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/extern.h Normal file
View File

@ -0,0 +1,67 @@
/* -----------------------------------------------------------------------------
* extern.h
*
* Copyright (c) 2004, 2005, 2006, Vivek Mohan <vivek@sig9.com>
* All rights reserved. See LICENSE
* -----------------------------------------------------------------------------
*/
#ifndef UD_EXTERN_H
#define UD_EXTERN_H
#ifdef __cplusplus
extern "C" {
#endif
#include <stdio.h>
#include "types.h"
/* ============================= PUBLIC API ================================= */
extern void ud_init(struct ud*);
extern void ud_set_mode(struct ud*, uint8_t);
extern void ud_set_pc(struct ud*, uint64_t);
extern void ud_set_input_hook(struct ud*, int (*)(struct ud*));
extern void ud_set_input_buffer(struct ud*, uint8_t*, size_t);
#ifndef __UD_STANDALONE__
extern void ud_set_input_file(struct ud*, FILE*);
#endif /* __UD_STANDALONE__ */
extern void ud_set_vendor(struct ud*, unsigned);
extern void ud_set_syntax(struct ud*, void (*)(struct ud*));
extern void ud_input_skip(struct ud*, size_t);
extern int ud_input_end(struct ud*);
extern unsigned int ud_decode(struct ud*);
extern unsigned int ud_disassemble(struct ud*);
extern void ud_translate_intel(struct ud*);
extern void ud_translate_att(struct ud*);
extern char* ud_insn_asm(struct ud* u);
extern uint8_t* ud_insn_ptr(struct ud* u);
extern uint64_t ud_insn_off(struct ud*);
extern char* ud_insn_hex(struct ud*);
extern unsigned int ud_insn_len(struct ud* u);
extern const char* ud_lookup_mnemonic(enum ud_mnemonic_code c);
/* ========================================================================== */
#ifdef __cplusplus
}
#endif
#endif

563
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/handlers.c Normal file
View File

@ -0,0 +1,563 @@
#include "stdafx.h"
NT_DEVICE_IO_CONTROL_FILE old_NtDeviceIoControlFile = NULL;
/**
* Fuzzing settings
*/
ULONG m_FuzzOptions = 0;
FUZZING_TYPE m_FuzzingType = FuzzingType_Random;
/**
* Exported variables for acessing to the
* last IOCTL request information from the kernel debugger.
*/
PDEVICE_OBJECT currentDeviceObject = NULL;
PDRIVER_OBJECT currentDriverObject = NULL;
ULONG currentIoControlCode = 0;
PVOID currentInputBuffer = NULL;
ULONG currentInputBufferLength = 0;
PVOID currentOutputBuffer = NULL;
ULONG currentOutputBufferLength = 0;
/**
* Handle and objetc pointer of the fuzzer's process (uses for fair fuzzing mode)
*/
HANDLE m_FuzzThreadId = 0;
PEPROCESS m_FuzzProcess = NULL;
PUSER_MODE_DATA m_UserModeData = NULL;
/**
* Some fuzzing parameters
*/
#define RANDOM_FUZZING_ITERATIONS 10
#define BUFFERED_FUZZING_ITERATIONS 5
#define DWORD_FUZZING_MAX_LENGTH 0x2000
#define DWORD_FUZZING_DELTA 4
ULONG g_newDeviceIoControlFileCallCount = 0;
#ifdef _X86_
// pointer values for invalid kernel and user buffers
#define KERNEL_BUFFER_ADDRESS (PVOID)(0xFFFF0000)
#define USER_BUFFER_ADDRESS (PVOID)(0x00001000)
#elif _AMD64_
#define KERNEL_BUFFER_ADDRESS (PVOID)(0xFFFFFFFFFFFF0000)
#define USER_BUFFER_ADDRESS (PVOID)(0x0000000000001000)
#endif
// constants for dword fuzzing
ULONG m_DwordFuzzingConstants[] =
{
0x00000000,
0x00001000,
0xFFFF0000,
0xFFFFFFFF
};
// defined in driver.cpp
extern PDEVICE_OBJECT m_DeviceObject;
extern KMUTEX m_CommonMutex;
extern PCOMMON_LST m_ProcessesList;
//--------------------------------------------------------------------------------------
PCOMMON_LST_ENTRY LookupProcessInfo(PEPROCESS Process)
{
PCOMMON_LST_ENTRY process_entry = NULL;
KIRQL OldIrql;
KeAcquireSpinLock(&m_ProcessesList->ListLock, &OldIrql);
__try
{
PCOMMON_LST_ENTRY e = m_ProcessesList->list_head;
// enumerate all processes
while (e)
{
if (e->Data && e->DataSize == sizeof(LST_PROCESS_INFO))
{
PLST_PROCESS_INFO Info = (PLST_PROCESS_INFO)e->Data;
if (Info->Process == Process)
{
process_entry = e;
break;
}
}
e = e->next;
}
}
__finally
{
KeReleaseSpinLock(&m_ProcessesList->ListLock, OldIrql);
}
return process_entry;
}
//--------------------------------------------------------------------------------------
void FreeProcessInfo(void)
{
KIRQL OldIrql;
KeAcquireSpinLock(&m_ProcessesList->ListLock, &OldIrql);
__try
{
PCOMMON_LST_ENTRY e = m_ProcessesList->list_head;
// enumerate all processes
while (e)
{
if (e->Data && e->DataSize == sizeof(LST_PROCESS_INFO))
{
PLST_PROCESS_INFO Info = (PLST_PROCESS_INFO)e->Data;
if (Info->usImagePath.Buffer)
{
// free process image path
RtlFreeUnicodeString(&Info->usImagePath);
}
}
e = e->next;
}
}
__finally
{
KeReleaseSpinLock(&m_ProcessesList->ListLock, OldIrql);
}
}
//--------------------------------------------------------------------------------------
void NTAPI ProcessNotifyRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
PEPROCESS Process;
NTSTATUS ns = PsLookupProcessByProcessId(ProcessId, &Process);
if (NT_SUCCESS(ns))
{
KeWaitForMutexObject(&m_CommonMutex, UserRequest, KernelMode, FALSE, NULL);
__try
{
if (Create)
{
// process has been created
UNICODE_STRING ImagePath;
// get full image path for this process
if (GetProcessFullImagePath(Process, &ImagePath))
{
WCHAR wcProcess[0x200];
UNICODE_STRING usProcess;
LST_PROCESS_INFO Info;
LogData("Process "IFMT" started: '%wZ' (PID: %d)\r\n\r\n", Process, &ImagePath, ProcessId);
swprintf(wcProcess, L"'%wZ' (" IFMT_W L")", &ImagePath, Process);
RtlInitUnicodeString(&usProcess, wcProcess);
Info.Process = Process;
Info.ProcessId = ProcessId;
Info.usImagePath.Buffer = ImagePath.Buffer;
Info.usImagePath.Length = ImagePath.Length;
Info.usImagePath.MaximumLength = ImagePath.MaximumLength;
// add process information into the list
if (LstAddEntry(m_ProcessesList, &usProcess, &Info, sizeof(Info)) == NULL)
{
RtlFreeUnicodeString(&ImagePath);
}
}
}
else
{
PCOMMON_LST_ENTRY process_entry = NULL;
LogData("Process "IFMT" terminated\r\n\r\n", Process);
// process terminating
process_entry = LookupProcessInfo(Process);
if (process_entry)
{
if (process_entry->Data &&
process_entry->DataSize == sizeof(LST_PROCESS_INFO))
{
PLST_PROCESS_INFO Info = (PLST_PROCESS_INFO)process_entry->Data;
if (Info->usImagePath.Buffer)
{
// free process image path
RtlFreeUnicodeString(&Info->usImagePath);
}
}
// delete information about this process from list
LstDelEntry(m_ProcessesList, process_entry);
}
}
}
__finally
{
KeReleaseMutex(&m_CommonMutex, FALSE);
}
ObDereferenceObject(Process);
}
else
{
DbgMsg(__FILE__, __LINE__, "PsLookupProcessByProcessId() fails; status: 0x%.8x\n", ns);
}
}
//--------------------------------------------------------------------------------------
PUNICODE_STRING LookupProcessName(PEPROCESS TargetProcess)
{
PEPROCESS Process = TargetProcess;
PCOMMON_LST_ENTRY process_entry = NULL;
HANDLE ProcessId = NULL;
UNICODE_STRING ImagePath;
PUNICODE_STRING Ret = NULL;
if (Process == NULL)
{
// lookup current process information entry
Process = PsGetCurrentProcess();
}
process_entry = LookupProcessInfo(Process);
if (process_entry)
{
if (process_entry->Data &&
process_entry->DataSize == sizeof(LST_PROCESS_INFO))
{
PLST_PROCESS_INFO Info = (PLST_PROCESS_INFO)process_entry->Data;
if (Info->usImagePath.Buffer)
{
// return process image path
return &Info->usImagePath;
}
}
return NULL;
}
// information entry for current process is not found, allocate it
ProcessId = PsGetCurrentProcessId();
// get full image path for this process
if (GetProcessFullImagePath(Process, &ImagePath))
{
WCHAR wcProcess[0x200];
UNICODE_STRING usProcess;
LST_PROCESS_INFO Info;
swprintf(wcProcess, L"'%wZ' (" IFMT_W L")", &ImagePath, Process);
RtlInitUnicodeString(&usProcess, wcProcess);
Info.Process = Process;
Info.ProcessId = ProcessId;
Info.usImagePath.Buffer = ImagePath.Buffer;
Info.usImagePath.Length = ImagePath.Length;
Info.usImagePath.MaximumLength = ImagePath.MaximumLength;
// add process information into the list
if (process_entry = LstAddEntry(m_ProcessesList, &usProcess, &Info, sizeof(Info)))
{
PLST_PROCESS_INFO pInfo = (PLST_PROCESS_INFO)process_entry->Data;
Ret = &pInfo->usImagePath;
}
else
{
RtlFreeUnicodeString(&ImagePath);
}
}
return Ret;
}
//--------------------------------------------------------------------------------------
BOOLEAN ValidateUnicodeString(PUNICODE_STRING usStr)
{
ULONG i = 0;
if (!MmIsAddressValid(usStr))
{
return FALSE;
}
if (usStr->Buffer == NULL || usStr->Length == 0)
{
return FALSE;
}
for (i = 0; i < usStr->Length; i++)
{
if (!MmIsAddressValid((PUCHAR)usStr->Buffer + i))
{
return FALSE;
}
}
return TRUE;
}
//--------------------------------------------------------------------------------------
NTSTATUS NTAPI new_NtDeviceIoControlFile(
HANDLE FileHandle,
HANDLE Event,
PIO_APC_ROUTINE ApcRoutine,
PVOID ApcContext,
PIO_STATUS_BLOCK IoStatusBlock,
ULONG IoControlCode,
PVOID InputBuffer,
ULONG InputBufferLength,
PVOID OutputBuffer,
ULONG OutputBufferLength)
{
KPROCESSOR_MODE PrevMode = ExGetPreviousMode();
BOOLEAN bLogOutputBuffer = FALSE;
NTSTATUS status = STATUS_UNSUCCESSFUL;
POBJECT_NAME_INFORMATION DeviceObjectName = NULL, DriverObjectName = NULL;
PFILE_OBJECT pFileObject = NULL;
NTSTATUS ns = 0;
BOOLEAN bProcessEvent = FALSE;
LARGE_INTEGER Timeout;
PVOID pDeviceObject = NULL;
PLDR_DATA_TABLE_ENTRY pModuleEntry = NULL;
PEPROCESS Process;
HANDLE ProcessId;
_InterlockedIncrement(&g_newDeviceIoControlFileCallCount);
// get device object by handle
ns = ObReferenceObjectByHandle(
FileHandle,
0, 0,
KernelMode,
(PVOID *)&pFileObject,
NULL
);
if(!NT_SUCCESS(ns))
goto end;
// validate pointer to device object
if (MmIsAddressValid(pFileObject->DeviceObject))
{
pDeviceObject = pFileObject->DeviceObject;
}
else
{
goto end;
}
if (pDeviceObject == m_DeviceObject)
{
// don't handle requests to our driver
goto end;
}
// validate pointer to driver object
if (!MmIsAddressValid(pFileObject->DeviceObject->DriverObject))
{
goto end;
}
// get loader information entry for the driver module
pModuleEntry = (PLDR_DATA_TABLE_ENTRY)
pFileObject->DeviceObject->DriverObject->DriverSection;
if (pModuleEntry == NULL)
{
goto end;
}
// validate pointer to loader's table and data from it
if (!MmIsAddressValid(pModuleEntry) ||
!ValidateUnicodeString(&pModuleEntry->FullDllName))
{
goto end;
}
// get device name by poinet
DeviceObjectName = GetObjectName(pDeviceObject);
if(!DeviceObjectName)
goto end;
DriverObjectName = GetObjectName(pFileObject->DeviceObject->DriverObject);
if(!DriverObjectName)
goto end;
Process = PsGetCurrentProcess();
ProcessId = PsGetCurrentProcessId();
Timeout.QuadPart = RELATIVE(SECONDS(5));
ns = KeWaitForMutexObject(&m_CommonMutex, Executive, KernelMode, FALSE, &Timeout);
if (ns == STATUS_TIMEOUT)
{
DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Wait timeout\n");
goto end;
}
__try
{
PWSTR Methods[] =
{
L"METHOD_BUFFERED",
L"METHOD_IN_DIRECT",
L"METHOD_OUT_DIRECT",
L"METHOD_NEITHER"
};
PWSTR lpwcMethod = Methods[IoControlCode & 3];
char *lpszKdCommand = NULL;
LARGE_INTEGER Time;
// get process image path
PUNICODE_STRING ProcessImagePath = LookupProcessName(NULL);
if(!ProcessImagePath)
__leave;
KeQuerySystemTime(&Time);
// get text name of the method
currentDeviceObject = pFileObject->DeviceObject;
currentDriverObject = pFileObject->DeviceObject->DriverObject;
currentIoControlCode = IoControlCode;
currentInputBuffer = InputBuffer;
currentInputBufferLength = InputBufferLength;
currentOutputBuffer = OutputBuffer;
currentOutputBufferLength = OutputBufferLength;
// if (m_FuzzOptions & FUZZ_OPT_LOG_IOCTL_GLOBAL)
// {
// // log IOCTL information into the global log
// LogDataIoctls("timestamp=0x%.8x%.8x\r\n", Time.HighPart, Time.LowPart);
// LogDataIoctls("process_id=%d\r\n", ProcessId);
// LogDataIoctls("process_path=%wZ\r\n", ProcessImagePath);
// LogDataIoctls("device=%wZ\r\n", &DeviceObjectName->Name);
// LogDataIoctls("driver=%wZ\r\n", &DriverObjectName->Name);
// LogDataIoctls("image_file=%wZ\r\n", &pModuleEntry->FullDllName);
// LogDataIoctls("code=0x%.8x\r\n", IoControlCode);
// LogDataIoctls("method=%ws\r\n", lpwcMethod);
// LogDataIoctls("in_size=%d\r\n", InputBufferLength);
// LogDataIoctls("out_size=%d\r\n", OutputBufferLength);
// LogDataIoctls("\r\n");
// }
// get debugger command, that can be associated with this IOCTL
lpszKdCommand = FltGetKdCommand(
&DeviceObjectName->Name,
&DriverObjectName->Name/*pModuleEntry->FullDllName*/,
IoControlCode,
ProcessImagePath
);
bProcessEvent = FltIsMatchedRequest(
&DeviceObjectName->Name,
&pModuleEntry->FullDllName,
IoControlCode,
ProcessImagePath
);
if ((bProcessEvent || lpszKdCommand) &&
(m_FuzzOptions & FUZZ_OPT_LOG_IOCTL))
{
LogDataIoctls(
"timestamp=0x%.8x%.8x\r\n \
process_id=%d\r\n \
process_path=%wZ\r\n \
device=%wZ\r\n \
driver=%wZ\r\n \
image_file=%wZ\r\n \
code=0x%.8x\r\n \
method=%ws\r\n \
in_size=%d\r\n \
out_size=%d\r\n \
\r\n",
Time.HighPart, Time.LowPart,
ProcessId,
ProcessImagePath,
&DeviceObjectName->Name,
&DriverObjectName->Name,
&pModuleEntry->FullDllName,
IoControlCode,
lpwcMethod,
InputBufferLength,
OutputBufferLength);
if (m_FuzzOptions & FUZZ_OPT_LOG_IOCTL_BUFFERS)
{
// log output buffer information
LogDataIoctls(" OutBuff: "IFMT", OutSize: 0x%.8x\r\n",
OutputBuffer,
OutputBufferLength);
// log input buffer information
LogDataIoctls(" InBuff: "IFMT", InSize: 0x%.8x\r\n",
InputBuffer,
InputBufferLength);
// print input buffer contents
LogDataIoctls("--------------------------------------------------------------------\r\n");
LogDataHexdump((PUCHAR)InputBuffer, min(InputBufferLength, MAX_IOCTL_BUFFER_LEGTH));
LogDataIoctls("\r\n");
}
}
}
__finally
{
KeReleaseMutex(&m_CommonMutex, FALSE);
}
end:
if(pFileObject)
ObDereferenceObject(pFileObject);
if(DriverObjectName)
ExFreePool(DriverObjectName);
if(DeviceObjectName)
ExFreePool(DeviceObjectName);
// restore KTHREAD::PreviousMode
SetPreviousMode(PrevMode);
// call original function
status = old_NtDeviceIoControlFile(
FileHandle,
Event,
ApcRoutine,
ApcContext,
IoStatusBlock,
IoControlCode,
InputBuffer,
InputBufferLength,
OutputBuffer,
OutputBufferLength
);
_InterlockedDecrement( &g_newDeviceIoControlFileCallCount );
return status;
}
VOID WaitHookRemoveComplete()
{
LONG Count = 0;
const LARGE_INTEGER WaitTime = {(ULONG)(-50 * 1000 * 10), -1};
do
{
KeDelayExecutionThread( KernelMode , FALSE , (PLARGE_INTEGER)&WaitTime );
_InterlockedExchange( &Count , g_newDeviceIoControlFileCallCount );
} while (Count != 0 );
return;
}
//--------------------------------------------------------------------------------------
// EoF

43
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/handlers.h Normal file
View File

@ -0,0 +1,43 @@
typedef struct _LST_PROCESS_INFO
{
PEPROCESS Process;
HANDLE ProcessId;
UNICODE_STRING usImagePath;
} LST_PROCESS_INFO,
*PLST_PROCESS_INFO;
void FreeProcessInfo(void);
void NTAPI ProcessNotifyRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create);
PUNICODE_STRING LookupProcessName(PEPROCESS TargetProcess);
typedef NTSTATUS (NTAPI * NT_DEVICE_IO_CONTROL_FILE)(
HANDLE FileHandle,
HANDLE Event,
PIO_APC_ROUTINE ApcRoutine,
PVOID ApcContext,
PIO_STATUS_BLOCK IoStatusBlock,
ULONG IoControlCode,
PVOID InputBuffer,
ULONG InputBufferLength,
PVOID OutputBuffer,
ULONG OutputBufferLength
);
NTSTATUS NTAPI new_NtDeviceIoControlFile(
HANDLE FileHandle,
HANDLE Event,
PIO_APC_ROUTINE ApcRoutine,
PVOID ApcContext,
PIO_STATUS_BLOCK IoStatusBlock,
ULONG IoControlCode,
PVOID InputBuffer,
ULONG InputBufferLength,
PVOID OutputBuffer,
ULONG OutputBufferLength
);
BOOLEAN ValidateUnicodeString(PUNICODE_STRING usStr);
VOID WaitHookRemoveComplete();

152
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/hook.c Normal file
View File

@ -0,0 +1,152 @@
#include "stdafx.h"
//--------------------------------------------------------------------------------------
PVOID Hook(PVOID Function, PVOID Handler, PULONG pBytesPatched)
{
#ifdef _X86_
#define SIZEOFJUMP 6
#elif _AMD64_
#define SIZEOFJUMP 14
#endif
ULONG Size = 0, CollectedSpace = 0;
PUCHAR pInst = (PUCHAR)Function;
ud_t ud_obj;
PVOID CallGate = NULL;
ULONG CallGateSize = 0;
if (pBytesPatched)
{
*pBytesPatched = 0;
}
// initialize disassembler engine
ud_init(&ud_obj);
// set mode, syntax and vendor
ud_set_mode(&ud_obj, UD_MODE);
ud_set_syntax(&ud_obj, UD_SYN_INTEL);
ud_set_vendor(&ud_obj, UD_VENDOR_INTEL);
while (CollectedSpace < SIZEOFJUMP)
{
ULONG dwInstLen = 0;
int i = 0;
ud_set_input_buffer(&ud_obj, pInst, MAX_INST_LEN);
// get length of instruction
dwInstLen = ud_disassemble(&ud_obj);
if (dwInstLen == 0)
{
// error while disassembling instruction
DbgMsg(__FILE__, __LINE__, __FUNCTION__"() ERROR: Can't disassemble instruction at "IFMT"\n", pInst);
return NULL;
}
if (ud_obj.mnemonic == UD_Ijmp ||
ud_obj.mnemonic == UD_Icall)
{
// call/jmp with relative address
DbgMsg(__FILE__, __LINE__, __FUNCTION__"() call/jmp/jxx instruction at "IFMT"\n", pInst);
return NULL;
}
for (i = 0; i < 3; i++)
{
if (ud_obj.operand[i].type == UD_OP_JIMM)
{
// jxx with relative address
DbgMsg(__FILE__, __LINE__, __FUNCTION__"() jxx instruction at "IFMT"\n", pInst);
return NULL;
}
}
pInst += dwInstLen;
CollectedSpace += dwInstLen;
if (ud_obj.mnemonic == UD_Iret ||
ud_obj.mnemonic == UD_Iretf ||
ud_obj.mnemonic == UD_Iiretw ||
ud_obj.mnemonic == UD_Iiretq ||
ud_obj.mnemonic == UD_Iiretd)
{
// end of the function thunk?
DbgMsg(__FILE__, __LINE__, __FUNCTION__"() ret/retn/iret instruction at "IFMT"\n", pInst);
break;
}
}
if (SIZEOFJUMP > CollectedSpace)
{
DbgMsg(__FILE__, __LINE__, __FUNCTION__"() ERROR: not enough memory for jump\n");
return NULL;
}
CallGateSize = CollectedSpace + SIZEOFJUMP;
// allocate memory for callgate
CallGate = M_ALLOC(CallGateSize);
if (CallGate)
{
// generate callgate
memset(CallGate, 0x90, CallGateSize);
// save begining of the function
memcpy(CallGate, Function, CollectedSpace);
#ifdef _X86_
// jump from callgate to function body
// push imm32
*(PUCHAR)((PUCHAR)CallGate + CollectedSpace) = 0x68;
*(PUCHAR *)((PUCHAR)CallGate + CollectedSpace + 1) = (PUCHAR)Function + SIZEOFJUMP;
// ret
*(PUCHAR)((PUCHAR)CallGate + CollectedSpace + 5) = 0xC3;
#elif _AMD64_
// jmp qword [addr]
*(PUSHORT)((PUCHAR)CallGate + CollectedSpace) = 0x25FF;
*(PULONG)((PUCHAR)CallGate + CollectedSpace + 2) = 0;
// addr dq XXXh
*(PULONGLONG)((PUCHAR)CallGate + CollectedSpace + 6) = (ULONGLONG)Function + SIZEOFJUMP;
#endif
// jump from the function to callgate
memset(Function, 0x90, CollectedSpace);
#ifdef _X86_
// push imm32
*(PUCHAR)Function = 0x68;
*(PUCHAR *)((PUCHAR)Function + 1) = (PUCHAR)Handler;
// ret
*(PUCHAR)((PUCHAR)Function + 5) = 0xC3;
#elif _AMD64_
// jmp qword [addr]
*(PUSHORT)Function = 0x25FF;
*(PULONG)((PUCHAR)Function + 2) = 0;
// addr dq XXXh
*(PULONGLONG)((PUCHAR)Function + 6) = (ULONGLONG)Handler;
#endif
*pBytesPatched = CollectedSpace;
return CallGate;
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() fails\n");
}
return NULL;
}
//--------------------------------------------------------------------------------------
// EoF

13
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/hook.h Normal file
View File

@ -0,0 +1,13 @@
#ifdef _X86_
#define MAX_INST_LEN 16
#define UD_MODE 32
#elif _AMD64_
#define MAX_INST_LEN 24
#define UD_MODE 64
#endif
PVOID Hook(PVOID Function, PVOID Handler, PULONG pBytesPatched);

266
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/log.c Normal file
View File

@ -0,0 +1,266 @@
#include "stdafx.h"
// defined in handlers.cpp
extern ULONG m_FuzzOptions;
// defined in debug.cpp
extern HANDLE hDbgPipe;
extern KMUTEX DbgMutex;
#define LOG_BUFF_SIZE 0x1000
HANDLE m_hIoctlsLogFile = NULL;
WCHAR m_wcIoctlsLogFilePath[MAX_REQUEST_STRING];
UNICODE_STRING m_usIoctlsLogFilePath;
//--------------------------------------------------------------------------------------
void LogData(char *lpszFormat, ...)
{
IO_STATUS_BLOCK IoStatusBlock;
va_list mylist;
char *lpszBuff = (char *)M_ALLOC(LOG_BUFF_SIZE);
if (lpszBuff == NULL)
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() fails\n");
return;
}
va_start(mylist, lpszFormat);
vsprintf(lpszBuff, lpszFormat, mylist);
va_end(mylist);
if (m_FuzzOptions & FUZZ_OPT_LOG_DEBUG)
{
// post message into debug output
DbgPrint(lpszBuff);
}
#ifdef DBGPIPE
if (KeGetCurrentIrql() == PASSIVE_LEVEL)
{
KeWaitForMutexObject(&DbgMutex, Executive, KernelMode, FALSE, NULL);
if (hDbgPipe)
{
// write debug message into pipe
IO_STATUS_BLOCK IoStatusBlock;
ULONG Len = (ULONG)strlen(lpszBuff) + 1;
ZwWriteFile(hDbgPipe, 0, NULL, NULL, &IoStatusBlock, (PVOID)&Len, sizeof(Len), NULL, NULL);
ZwWriteFile(hDbgPipe, 0, NULL, NULL, &IoStatusBlock, lpszBuff, Len, NULL, NULL);
}
KeReleaseMutex(&DbgMutex, FALSE);
}
#endif // DBGPIPE
M_FREE(lpszBuff);
}
//--------------------------------------------------------------------------------------
BOOLEAN LogDataIoctlsInitLogFile(void)
{
BOOLEAN bRet = FALSE;
UNICODE_STRING usNtdllPath;
OBJECT_ATTRIBUTES ObjAttr;
HANDLE hNtdll = NULL;
IO_STATUS_BLOCK StatusBlock;
NTSTATUS ns = STATUS_UNSUCCESSFUL;
RtlInitUnicodeString(&usNtdllPath, L"\\SystemRoot\\system32\\ntdll.dll");
InitializeObjectAttributes(&ObjAttr, &usNtdllPath, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE , NULL, NULL);
// get file handle
ns = ZwOpenFile(
&hNtdll,
FILE_READ_DATA | SYNCHRONIZE,
&ObjAttr,
&StatusBlock,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
FILE_SYNCHRONOUS_IO_NONALERT
);
if (NT_SUCCESS(ns))
{
PFILE_OBJECT FileObject = NULL;
// get file object by handle
ns = ObReferenceObjectByHandle(hNtdll, 0, 0, KernelMode, (PVOID *)&FileObject, NULL);
if (NT_SUCCESS(ns))
{
// get DOS path for file object
POBJECT_NAME_INFORMATION ObjectNameInfo;
ns = IoQueryFileDosDeviceName(FileObject, &ObjectNameInfo);
if (NT_SUCCESS(ns))
{
size_t DosDriveLen = wcslen(L"C:\\");
RtlZeroMemory(m_wcIoctlsLogFilePath, sizeof(m_wcIoctlsLogFilePath));
// check for valid DOS path
if (ObjectNameInfo &&
ObjectNameInfo->Name.Length > (DosDriveLen * sizeof(WCHAR)) &&
ObjectNameInfo->Name.Buffer[1] == L':' &&
ObjectNameInfo->Name.Buffer[2] == L'\\')
{
UNICODE_STRING usXmlPath;
wcscpy(m_wcIoctlsLogFilePath, L"\\??\\");
wcsncat(m_wcIoctlsLogFilePath, ObjectNameInfo->Name.Buffer, DosDriveLen);
wcscat(m_wcIoctlsLogFilePath, IOCTLS_LOG_NAME);
RtlInitUnicodeString(&m_usIoctlsLogFilePath, m_wcIoctlsLogFilePath);
InitializeObjectAttributes(&ObjAttr, &m_usIoctlsLogFilePath,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE , NULL, NULL);
// open IOCTLs log file
ns = ZwCreateFile(
&m_hIoctlsLogFile,
FILE_ALL_ACCESS | SYNCHRONIZE,
&ObjAttr,
&StatusBlock,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
FILE_OVERWRITE_IF,
FILE_SYNCHRONOUS_IO_NONALERT,
NULL, 0
);
if (NT_SUCCESS(ns))
{
DbgMsg(__FILE__, __LINE__, "[+] IOCTLs log started: \"%wZ\"\n\n", &m_usIoctlsLogFilePath);
bRet = TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "ZwCreateFile() fails; status: 0x%.8x\n", ns);
}
}
}
else
{
DbgMsg(__FILE__, __LINE__, "IoQueryFileDosDeviceName() fails; status: 0x%.8x\n", ns);
}
ObDereferenceObject(FileObject);
}
else
{
DbgMsg(__FILE__, __LINE__, "ObReferenceObjectByHandle() fails; status: 0x%.8x\n", ns);
}
ZwClose(hNtdll);
}
else
{
DbgMsg(__FILE__, __LINE__, "ZwOpenFile() fails; status: 0x%.8x\n", ns);
}
return bRet;
}
//--------------------------------------------------------------------------------------
void LogDataIoctls(char *lpszFormat, ...)
{
IO_STATUS_BLOCK IoStatusBlock;
va_list mylist;
char *lpszBuff = (char *)M_ALLOC(LOG_BUFF_SIZE);
if (lpszBuff == NULL)
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() fails\n");
return;
}
if (KeGetCurrentIrql() > PASSIVE_LEVEL)
{
// IRQL is too high
return;
}
if ((m_FuzzOptions & FUZZ_OPT_LOG_IOCTL_GLOBAL) && m_hIoctlsLogFile == NULL)
{
// log file is not initialized, try to create it
if (!LogDataIoctlsInitLogFile())
{
// ... fails
return;
}
}
va_start(mylist, lpszFormat);
vsprintf(lpszBuff, lpszFormat, mylist);
va_end(mylist);
// write string into the log file
ZwWriteFile(m_hIoctlsLogFile, 0, NULL, NULL, &IoStatusBlock, lpszBuff, (ULONG)strlen(lpszBuff), NULL, NULL);
M_FREE(lpszBuff);
}
//--------------------------------------------------------------------------------------
void LogDataHexdump(PUCHAR Data, ULONG Size)
{
unsigned int dp = 0, p = 0;
const char trans[] =
"................................ !\"#$%&'()*+,-./0123456789"
":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
"nopqrstuvwxyz{|}~...................................."
"....................................................."
"........................................";
char szBuff[0x100], szChr[10];
RtlZeroMemory(szBuff, sizeof(szBuff));
for (dp = 1; dp <= Size; dp++)
{
sprintf(szChr, "%02x ", Data[dp-1]);
strcat(szBuff, szChr);
if ((dp % 8) == 0)
{
strcat(szBuff, " ");
}
if ((dp % 16) == 0)
{
strcat(szBuff, "| ");
p = dp;
for (dp -= 16; dp < p; dp++)
{
sprintf(szChr, "%c", trans[Data[dp]]);
strcat(szBuff, szChr);
}
LogDataIoctls("%s\r\n", szBuff);
RtlZeroMemory(szBuff, sizeof(szBuff));
}
}
if ((Size % 16) != 0)
{
p = dp = 16 - (Size % 16);
for (dp = p; dp > 0; dp--)
{
strcat(szBuff, " ");
if (((dp % 8) == 0) && (p != 8))
{
strcat(szBuff, " ");
}
}
strcat(szBuff, " | ");
for (dp = (Size - (16 - p)); dp < Size; dp++)
{
sprintf(szChr, "%c", trans[Data[dp]]);
strcat(szBuff, szChr);
}
LogDataIoctls("%s\r\n", szBuff);
}
LogDataIoctls("\r\n");
}
//--------------------------------------------------------------------------------------
// EoF

4
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/log.h Normal file
View File

@ -0,0 +1,4 @@
void LogData(char *lpszFormat, ...);
void LogDataIoctls(char *lpszFormat, ...);
void LogDataHexdump(PUCHAR Data, ULONG Size);

222
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/lst.c Normal file
View File

@ -0,0 +1,222 @@
#include "stdafx.h"
//--------------------------------------------------------------------------------------
PCOMMON_LST_ENTRY LstFindEntry(
PCOMMON_LST list,
PUNICODE_STRING ObjectName)
{
PCOMMON_LST_ENTRY ret = NULL;
KIRQL OldIrql;
KeAcquireSpinLock(&list->ListLock, &OldIrql);
__try
{
PCOMMON_LST_ENTRY e = list->list_head;
while (e)
{
// for empty object name - just return first entry
if (ObjectName == NULL ||
RtlEqualUnicodeString(&e->ObjectName, ObjectName, TRUE))
{
ret = e;
break;
}
e = e->next;
}
}
__finally
{
KeReleaseSpinLock(&list->ListLock, OldIrql);
}
return ret;
}
//--------------------------------------------------------------------------------------
PCOMMON_LST_ENTRY LstAddEntry(
PCOMMON_LST list,
PUNICODE_STRING ObjectName,
PVOID Data,
ULONG DataSize)
{
PCOMMON_LST_ENTRY ret = NULL;
KIRQL OldIrql;
KeAcquireSpinLock(&list->ListLock, &OldIrql);
__try
{
// allocate single list entry
PCOMMON_LST_ENTRY e = (PCOMMON_LST_ENTRY)M_ALLOC(sizeof(COMMON_LST_ENTRY));
if (e)
{
RtlZeroMemory(e, sizeof(COMMON_LST_ENTRY));
if (Data && DataSize > 0)
{
// allocate memory for custom data
if (e->Data = M_ALLOC(DataSize))
{
e->DataSize = DataSize;
RtlCopyMemory(e->Data, Data, DataSize);
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() fails\n");
M_FREE(e);
return NULL;
}
}
// allocate and copy string name
if (AllocUnicodeString(&e->ObjectName, ObjectName->MaximumLength))
{
RtlCopyUnicodeString(&e->ObjectName, ObjectName);
}
else
{
if (e->Data)
{
M_FREE(e->Data);
}
M_FREE(e);
return NULL;
}
// add it to list
if (list->list_end)
{
list->list_end->next = e;
e->prev = list->list_end;
list->list_end = e;
}
else
{
list->list_end = list->list_head = e;
}
ret = e;
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() fails\n");
}
}
__finally
{
KeReleaseSpinLock(&list->ListLock, OldIrql);
}
return ret;
}
//--------------------------------------------------------------------------------------
void LstFlush(PCOMMON_LST list)
{
KIRQL OldIrql;
KeAcquireSpinLock(&list->ListLock, &OldIrql);
__try
{
// delete all entries from list
PCOMMON_LST_ENTRY e = list->list_head;
while (e)
{
PCOMMON_LST_ENTRY e_tmp = e->next;
// delete single entry from list
if (e->prev)
e->prev->next = e->next;
if (e->next)
e->next->prev = e->prev;
if (list->list_head == e)
list->list_head = e->next;
if (list->list_end == e)
list->list_end = e->prev;
if (e->Data)
{
// delete data, if present
M_FREE(e->Data);
}
// free name string
RtlFreeUnicodeString(&e->ObjectName);
M_FREE(e);
e = e_tmp;
}
list->list_head = NULL;
list->list_end = NULL;
}
__finally
{
KeReleaseSpinLock(&list->ListLock, OldIrql);
}
}
//--------------------------------------------------------------------------------------
void LstDelEntry(PCOMMON_LST list, PCOMMON_LST_ENTRY e)
{
KIRQL OldIrql;
KeAcquireSpinLock(&list->ListLock, &OldIrql);
__try
{
// delete single entry from list
if (e->prev)
e->prev->next = e->next;
if (e->next)
e->next->prev = e->prev;
if (list->list_head == e)
list->list_head = e->next;
if (list->list_end == e)
list->list_end = e->prev;
if (e->Data)
{
// delete data, if present
M_FREE(e->Data);
}
// free name string
RtlFreeUnicodeString(&e->ObjectName);
M_FREE(e);
}
__finally
{
KeReleaseSpinLock(&list->ListLock, OldIrql);
}
}
//--------------------------------------------------------------------------------------
PCOMMON_LST LstInit(void)
{
// allocate new list
PCOMMON_LST ret = (PCOMMON_LST)M_ALLOC(sizeof(COMMON_LST));
if (ret)
{
ret->list_head = ret->list_end = NULL;
KeInitializeSpinLock(&ret->ListLock);
return ret;
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() fails\n");
}
return NULL;
}
//--------------------------------------------------------------------------------------
void LstFree(PCOMMON_LST list)
{
// flust list and free list descriptor
LstFlush(list);
M_FREE(list);
}
//--------------------------------------------------------------------------------------
// EoF

45
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/lst.h Normal file
View File

@ -0,0 +1,45 @@
/*
Common linked lists structures
*/
typedef struct _COMMON_LST_ENTRY
{
UNICODE_STRING ObjectName;
ULONG ObjectType;
PVOID Data;
ULONG DataSize;
struct _COMMON_LST_ENTRY *next, *prev;
} COMMON_LST_ENTRY,
*PCOMMON_LST_ENTRY;
typedef struct _COMMON_LST
{
KSPIN_LOCK ListLock;
PCOMMON_LST_ENTRY list_head, list_end;
} COMMON_LST,
*PCOMMON_LST;
/*
Common linked lists routines
*/
PCOMMON_LST_ENTRY LstFindEntry(
PCOMMON_LST list,
PUNICODE_STRING ObjectName
);
PCOMMON_LST_ENTRY LstAddEntry(
PCOMMON_LST list,
PUNICODE_STRING ObjectName,
PVOID Data,
ULONG DataSize
);
void LstFlush(PCOMMON_LST list);
void LstDelEntry(PCOMMON_LST list, PCOMMON_LST_ENTRY e);
PCOMMON_LST LstInit(void);
void LstFree(PCOMMON_LST list);

44
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/options.h Normal file
View File

@ -0,0 +1,44 @@
/**
* Program information, copyright, etc.
*/
#define PROGRAM_NAME "IOCTL Fuzzer"
#define PROGRAM_AUTHOR "by Oleksiuk Dmytro (aka Cr4sh) :: dmitry@esagelab.com"
#define PROGRAM_COPYRIGHT "(c) 2011 Esage Lab :: http://www.esagelab.com/"
/**
* Log file name to store all IOCTLs requests information.
*/
#define IOCTLS_LOG_NAME L"ioctls.log"
/**
* Main application log file name.
*/
#define IOCTLFUZZER_LOG_FILE "ioctlfuzzer.log"
/**
* File and service name for the kernel driver.
*/
#define DRIVER_SERVICE_NAME "IOCTL_fuzzer"
#define DRIVER_FILE_NAME "IOCTL_fuzzer.sys"
/**
* Directory name to store downloaded debug symbols.
*/
#define SYMBOLS_DIR_NAME "Symbols"
/**
* Default value for fuzzing type option.
*/
#define DEFAULT_FUZZING_TYPE FuzzingType_Random
/**
* IOCTL buffer length limit for dumping into the
* application log or debugger output.
*/
#define MAX_IOCTL_BUFFER_LEGTH 0x1000
/**
* Maximum number of lines in console window.
*/
#define CONSOLE_BUFFER_HEIGHT 0x1000

142
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/rng.c Normal file
View File

@ -0,0 +1,142 @@
/*
A C-program for MT19937, with initialization improved 2002/1/26.
Coded by Takuji Nishimura and Makoto Matsumoto.
Before using, initialize the state by using init_genrand(seed)
or init_by_array(init_key, key_length).
Copyright (C) 1997 - 2002, Makoto Matsumoto and Takuji Nishimura,
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. The names of its contributors may not be used to endorse or promote
products derived from this software without specific prior written
permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Any feedback is very welcome.
http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/emt.html
email: m-mat @ math.sci.hiroshima-u.ac.jp (remove space)
*/
#include <stdio.h>
/* Period parameters */
#define N 624
#define M 397
#define MATRIX_A 0x9908b0dfUL /* constant vector a */
#define UPPER_MASK 0x80000000UL /* most significant w-r bits */
#define LOWER_MASK 0x7fffffffUL /* least significant r bits */
static unsigned long mt[N]; /* the array for the state vector */
static int mti=N+1; /* mti==N+1 means mt[N] is not initialized */
/* initializes mt[N] with a seed */
void init_genrand(unsigned long s)
{
mt[0]= s & 0xffffffffUL;
for (mti=1; mti<N; mti++) {
mt[mti] =
(1812433253UL * (mt[mti-1] ^ (mt[mti-1] >> 30)) + mti);
/* See Knuth TAOCP Vol2. 3rd Ed. P.106 for multiplier. */
/* In the previous versions, MSBs of the seed affect */
/* only MSBs of the array mt[]. */
/* 2002/01/09 modified by Makoto Matsumoto */
mt[mti] &= 0xffffffffUL;
/* for >32 bit machines */
}
}
/* initialize by an array with array-length */
/* init_key is the array for initializing keys */
/* key_length is its length */
/* slight change for C++, 2004/2/26 */
void init_by_array(unsigned long init_key[], int key_length)
{
int i, j, k;
init_genrand(19650218UL);
i=1; j=0;
k = (N>key_length ? N : key_length);
for (; k; k--) {
mt[i] = (mt[i] ^ ((mt[i-1] ^ (mt[i-1] >> 30)) * 1664525UL))
+ init_key[j] + j; /* non linear */
mt[i] &= 0xffffffffUL; /* for WORDSIZE > 32 machines */
i++; j++;
if (i>=N) { mt[0] = mt[N-1]; i=1; }
if (j>=key_length) j=0;
}
for (k=N-1; k; k--) {
mt[i] = (mt[i] ^ ((mt[i-1] ^ (mt[i-1] >> 30)) * 1566083941UL))
- i; /* non linear */
mt[i] &= 0xffffffffUL; /* for WORDSIZE > 32 machines */
i++;
if (i>=N) { mt[0] = mt[N-1]; i=1; }
}
mt[0] = 0x80000000UL; /* MSB is 1; assuring non-zero initial array */
}
/* generates a random number on [0,0xffffffff]-interval */
unsigned long genrand_int32(void)
{
unsigned long y;
static unsigned long mag01[2]={0x0UL, MATRIX_A};
/* mag01[x] = x * MATRIX_A for x=0,1 */
if (mti >= N) { /* generate N words at one time */
int kk;
if (mti == N+1) /* if init_genrand() has not been called, */
init_genrand(5489UL); /* a default initial seed is used */
for (kk=0;kk<N-M;kk++) {
y = (mt[kk]&UPPER_MASK)|(mt[kk+1]&LOWER_MASK);
mt[kk] = mt[kk+M] ^ (y >> 1) ^ mag01[y & 0x1UL];
}
for (;kk<N-1;kk++) {
y = (mt[kk]&UPPER_MASK)|(mt[kk+1]&LOWER_MASK);
mt[kk] = mt[kk+(M-N)] ^ (y >> 1) ^ mag01[y & 0x1UL];
}
y = (mt[N-1]&UPPER_MASK)|(mt[0]&LOWER_MASK);
mt[N-1] = mt[M-1] ^ (y >> 1) ^ mag01[y & 0x1UL];
mti = 0;
}
y = mt[mti++];
/* Tempering */
y ^= (y >> 11);
y ^= (y << 7) & 0x9d2c5680UL;
y ^= (y << 15) & 0xefc60000UL;
y ^= (y >> 18);
return y;
}
unsigned long getrand(unsigned long min, unsigned long max)
{
return (genrand_int32() % (max - min + 1)) + min;
}

4
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/rng.h Normal file
View File

@ -0,0 +1,4 @@
void init_genrand(unsigned long s);
void init_by_array(unsigned long init_key[], int key_length);
unsigned long genrand_int32(void);
unsigned long getrand(unsigned long min, unsigned long max);

695
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/rules.c Normal file
View File

@ -0,0 +1,695 @@
#include "stdafx.h"
// defined in driver.cpp
extern UNICODE_STRING m_RegistryPath;
extern KMUTEX m_CommonMutex;
BOOLEAN g_RuleInited = FALSE;
ERESOURCE g_RuleResource;
LIST_ENTRY g_DenyRuleList;
LIST_ENTRY g_AllowRuleList;
LIST_ENTRY g_DbgcbRuleList;
FORCEINLINE
VOID
RuleLock(
__in BOOLEAN Exclusive
)
{
KeEnterCriticalRegion();
if (Exclusive)
ExAcquireResourceExclusiveLite(&g_RuleResource, TRUE);
else
ExAcquireResourceSharedLite(&g_RuleResource, TRUE);
}
FORCEINLINE
VOID
RuleUnlock()
{
ExReleaseResourceLite(&g_RuleResource);
KeLeaveCriticalRegion();
}
NTSTATUS FltInitRuleList()
{
NTSTATUS Status = 0;
InitializeListHead( &g_DenyRuleList );
InitializeListHead( &g_AllowRuleList );
InitializeListHead( &g_DbgcbRuleList );
Status = ExInitializeResourceLite( &g_RuleResource );
if(!NT_SUCCESS(Status))
return Status;
g_RuleInited = TRUE;
return STATUS_SUCCESS;
}
VOID FltUnInitRuleList()
{
if(!g_RuleInited)
return;
FltFlushAllList();
g_RuleInited = FALSE;
ExDeleteResourceLite(&g_RuleResource);
}
//--------------------------------------------------------------------------------------
wchar_t xchrlower_w(wchar_t chr)
{
if ((chr >= 'A') && (chr <= 'Z'))
{
return chr + ('a'-'A');
}
return chr;
}
//--------------------------------------------------------------------------------------
BOOLEAN EqualUnicodeString_r(PUNICODE_STRING Str1, PUNICODE_STRING Str2, BOOLEAN CaseInSensitive)
{
USHORT CmpLen = min(Str1->Length, Str2->Length) / sizeof(WCHAR);
USHORT i = 0;
for ( i = 1; i < CmpLen; i++)
{
WCHAR Chr1 = Str1->Buffer[Str1->Length / sizeof(WCHAR) - i],
Chr2 = Str2->Buffer[Str2->Length / sizeof(WCHAR) - i];
if (CaseInSensitive)
{
Chr1 = xchrlower_w(Chr1);
Chr2 = xchrlower_w(Chr2);
}
if (Chr1 != Chr2)
{
return FALSE;
}
}
return TRUE;
}
PIOCTL_FILTER FltAdd(PIOCTL_FILTER f, PLIST_ENTRY ListEntry, ULONG KdCommandLength)
{
ULONG Length = 0;
PIOCTL_FILTER f_entry = NULL;
if(!g_RuleInited || !ListEntry || !f)
return NULL;
Length = KdCommandLength + sizeof(IOCTL_FILTER);
f_entry = (PIOCTL_FILTER)ExAllocatePool(NonPagedPool, Length);
if (f_entry)
{
RtlZeroMemory(f_entry, Length);
RtlCopyMemory(f_entry, f, sizeof(IOCTL_FILTER));
InsertHeadList(ListEntry, &f_entry->List);
return f_entry;
}
else
{
DbgMsg(__FILE__, __LINE__, "ExAllocatePool() fails\n");
}
return NULL;
}
VOID DeferenceRuleCount(PIOCTL_FILTER Item)
{
if(!g_RuleInited)
return;
RuleLock(TRUE);
Item->ReferenceCount--;
RuleUnlock();
}
PIOCTL_FILTER FltAddDenyRule(PIOCTL_FILTER f, ULONG KdCommandLength)
{
PIOCTL_FILTER Item = NULL;
if(!g_RuleInited)
return NULL;
RuleLock(TRUE);
Item = FltAdd(f, &g_DenyRuleList, KdCommandLength);
Item->ReferenceCount +=1 ;
RuleUnlock();
return Item;
}
PIOCTL_FILTER FltAddAllowRule(PIOCTL_FILTER f, ULONG KdCommandLength)
{
PIOCTL_FILTER Item = NULL;
if(!g_RuleInited)
return NULL;
RuleLock(TRUE);
Item = FltAdd(f, &g_AllowRuleList, KdCommandLength);
Item->ReferenceCount +=1 ;
RuleUnlock();
return Item;
}
PIOCTL_FILTER FltAddDbgcbRule(PIOCTL_FILTER f, ULONG KdCommandLength)
{
PIOCTL_FILTER Item = NULL;
if(!g_RuleInited)
return NULL;
RuleLock(TRUE);
Item = FltAdd(f, &g_DbgcbRuleList, KdCommandLength);
Item->ReferenceCount +=1 ;
RuleUnlock();
return Item;
}
//--------------------------------------------------------------------------------------
void FltFlushList(PLIST_ENTRY ListEntryHead)
{
PLIST_ENTRY ListEntry = NULL;
PLIST_ENTRY ListRemove = NULL;
PIOCTL_FILTER RuleItem = NULL;
if(!g_RuleInited || !ListEntryHead)
return;
ListEntry = ListEntryHead->Flink;
while(ListEntry != ListEntryHead)
{
RuleItem = CONTAINING_RECORD(ListEntry, IOCTL_FILTER, List);
if(RuleItem->ReferenceCount != 0)
{
ListEntry = ListEntry->Flink;
continue;
}
if (RuleItem->Type == FLT_DEVICE_NAME ||
RuleItem->Type == FLT_DRIVER_NAME ||
RuleItem->Type == FLT_PROCESS_PATH)
{
RtlFreeUnicodeString(&RuleItem->usName);
}
ListRemove = ListEntry;
ListEntry = ListEntry->Flink;
RemoveEntryList(ListRemove);
ExFreePool(RuleItem);
}
}
void FltFlushAllList()
{
if(!g_RuleInited)
return ;
RuleLock(TRUE);
FltFlushList(&g_DenyRuleList);
FltFlushList(&g_AllowRuleList);
FltFlushList(&g_DbgcbRuleList);
RuleUnlock();
}
//--------------------------------------------------------------------------------------
PIOCTL_FILTER FltMatch(
PLIST_ENTRY ListEntryHead,
PUNICODE_STRING fDeviceName,
PUNICODE_STRING fDriverName,
ULONG IoControlCode,
PUNICODE_STRING fProcessName)
{
PIOCTL_FILTER ret = NULL;
PIOCTL_FILTER RuleItem = NULL;
PLIST_ENTRY ListEntry = NULL;
if(!ListEntryHead)
return NULL;
// match parameters by filter list
ListEntry = ListEntryHead->Flink;
while (ListEntry != ListEntryHead)
{
RuleItem = CONTAINING_RECORD(ListEntry, IOCTL_FILTER, List);
if (RuleItem->bDbgcbAction)
{
// skip entries with debugger commands
goto next;
}
if (RuleItem->Type == FLT_DEVICE_NAME)
{
if (EqualUnicodeString_r(&RuleItem->usName, fDeviceName, TRUE))
{
ret = RuleItem;
break;
}
}
else if (RuleItem->Type == FLT_DRIVER_NAME)
{
if (EqualUnicodeString_r(&RuleItem->usName, fDriverName, TRUE))
{
ret = RuleItem;
break;
}
}
else if (RuleItem->Type == FLT_IOCTL_CODE)
{
if (RuleItem->IoctlCode == IoControlCode)
{
ret = RuleItem;
break;
}
}
else if (RuleItem->Type == FLT_PROCESS_PATH)
{
if (EqualUnicodeString_r(&RuleItem->usName, fProcessName, TRUE))
{
ret = RuleItem;
break;
}
}
next:
ListEntry = ListEntry->Flink;
}
return ret;
}
BOOLEAN FltMatchDeny(
PUNICODE_STRING fDeviceName,
PUNICODE_STRING fDriverName,
ULONG IoControlCode,
PUNICODE_STRING fProcessName)
{
PIOCTL_FILTER Rule = NULL;
if(!g_RuleInited)
return FALSE;
RuleLock(FALSE);
Rule = FltMatch(&g_DenyRuleList, fDeviceName, fDriverName, IoControlCode, fProcessName);
RuleUnlock();
if(Rule)
return TRUE;
else
return FALSE;
}
BOOLEAN FltMatchAllow(
PUNICODE_STRING fDeviceName,
PUNICODE_STRING fDriverName,
ULONG IoControlCode,
PUNICODE_STRING fProcessName)
{
PIOCTL_FILTER Rule = NULL;
if(!g_RuleInited)
return FALSE;
RuleLock(FALSE);
if(IsListEmpty(&g_AllowRuleList))
return TRUE;
Rule = FltMatch(&g_AllowRuleList, fDeviceName, fDriverName, IoControlCode, fProcessName);
RuleUnlock();
if(Rule)
return TRUE;
else
return FALSE;
}
//--------------------------------------------------------------------------------------
char *FltGetKdCommand(
PUNICODE_STRING fDeviceName,
PUNICODE_STRING fDriverName,
ULONG IoControlCode,
PUNICODE_STRING fProcessName)
{
char *lpszCmd = NULL;
PLIST_ENTRY ListEntry = NULL;
PIOCTL_FILTER RuleItem = NULL;
if(!g_RuleInited)
return NULL;
RuleLock(FALSE);
// match parameters by filter list
ListEntry = g_DbgcbRuleList.Flink;
while (ListEntry != &g_DbgcbRuleList)
{
RuleItem = CONTAINING_RECORD(ListEntry, IOCTL_FILTER, List);
if (!RuleItem->bDbgcbAction)
{
// skip entries with debugger commands
goto next;
}
if (RuleItem->Type == FLT_DEVICE_NAME)
{
if (EqualUnicodeString_r(&RuleItem->usName, fDeviceName, TRUE))
{
lpszCmd = RuleItem->szKdCommand;
break;
}
}
else if (RuleItem->Type == FLT_DRIVER_NAME)
{
if (EqualUnicodeString_r(&RuleItem->usName, fDriverName, TRUE))
{
lpszCmd = RuleItem->szKdCommand;
break;
}
}
else if (RuleItem->Type == FLT_IOCTL_CODE)
{
if (RuleItem->IoctlCode == IoControlCode)
{
lpszCmd = RuleItem->szKdCommand;
break;
}
}
else if (RuleItem->Type == FLT_PROCESS_PATH)
{
if (EqualUnicodeString_r(&RuleItem->usName, fProcessName, TRUE))
{
lpszCmd = RuleItem->szKdCommand;
break;
}
}
next:
ListEntry = ListEntry->Flink;
}
RuleUnlock();
return lpszCmd;
}
//--------------------------------------------------------------------------------------
BOOLEAN FltIsMatchedRequest(
PUNICODE_STRING fDeviceName,
PUNICODE_STRING fDriverName,
ULONG IoControlCode,
PUNICODE_STRING fProcessName)
{
if(!g_RuleInited)
return FALSE;
// match process by allow/deny list
if (FltMatchAllow(fDeviceName, fDriverName, IoControlCode, fProcessName) &&
FltMatchDeny(fDeviceName, fDriverName, IoControlCode, fProcessName) == FALSE)
{
return TRUE;
}
return FALSE;
}
//--------------------------------------------------------------------------------------
BOOLEAN SaveRules(PLIST_ENTRY ListEntryHead, HANDLE hKey, PUNICODE_STRING usValueName)
{
BOOLEAN bRet = FALSE;
ULONG BuffSize = 0, RulesToSerialize = 0;
PLIST_ENTRY ListEntry = NULL;
PIOCTL_FILTER RuleItem = NULL;
if(!ListEntryHead)
return FALSE;
// calculate reqired buffer size
ListEntry = ListEntryHead->Flink;
while (ListEntry != ListEntryHead)
{
RuleItem = CONTAINING_RECORD(ListEntry, IOCTL_FILTER, List);
if (!RuleItem->bDbgcbAction)
{
BuffSize += sizeof(IOCTL_FILTER_SERIALIZED);
if (RuleItem->Type == FLT_DEVICE_NAME ||
RuleItem->Type == FLT_DRIVER_NAME ||
RuleItem->Type == FLT_PROCESS_PATH)
{
// we an have object name
BuffSize += RuleItem->usName.Length;
}
RulesToSerialize++;
}
ListEntry = ListEntry->Flink;
}
if (BuffSize > 0)
{
// allocate memory for serialized rules
PUCHAR Buff = (PUCHAR)M_ALLOC(BuffSize);
if (Buff)
{
NTSTATUS ns = STATUS_UNSUCCESSFUL;
PIOCTL_FILTER_SERIALIZED f_s = NULL;
RtlZeroMemory(Buff, BuffSize);
f_s = (PIOCTL_FILTER_SERIALIZED)Buff;
// serialize available entries
ListEntry = ListEntryHead->Flink;
while (ListEntry != ListEntryHead)
{
RuleItem = CONTAINING_RECORD(ListEntry, IOCTL_FILTER, List);
if (!RuleItem->bDbgcbAction)
{
ULONG NextEntryOffset = sizeof(IOCTL_FILTER_SERIALIZED);
f_s->Type = RuleItem->Type;
f_s->IoctlCode = RuleItem->IoctlCode;
if (RuleItem->Type == FLT_DEVICE_NAME ||
RuleItem->Type == FLT_DRIVER_NAME ||
RuleItem->Type == FLT_PROCESS_PATH)
{
// we have an object name
f_s->NameLen = RuleItem->usName.Length;
NextEntryOffset += f_s->NameLen;
memcpy(&f_s->Name, RuleItem->usName.Buffer, f_s->NameLen);
}
// go to the next serialized entry
f_s = (PIOCTL_FILTER_SERIALIZED)((PUCHAR)f_s + NextEntryOffset);
}
ListEntry = ListEntry->Flink;
}
ns = ZwSetValueKey(hKey, usValueName, 0, REG_BINARY, Buff, BuffSize);
if (NT_SUCCESS(ns))
{
bRet = TRUE;
DbgMsg(
__FILE__, __LINE__,
__FUNCTION__"(): %d rules (%d bytes) saved in '%wZ'\n",
RulesToSerialize, BuffSize, usValueName
);
}
else
{
DbgMsg(__FILE__, __LINE__, "ZwSetValueKey() fails; status: 0x%.8x\n", ns);
}
M_FREE(Buff);
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() fails\n");
}
}
return bRet;
}
BOOLEAN SaveDenyRules(HANDLE hKey, PUNICODE_STRING usValueName)
{
BOOLEAN bRet = FALSE;
if(!g_RuleInited)
return FALSE;
RuleLock(FALSE);
bRet = SaveRules(&g_DenyRuleList, hKey, usValueName);
RuleUnlock();
return bRet;
}
BOOLEAN SaveAllowRules(HANDLE hKey, PUNICODE_STRING usValueName)
{
BOOLEAN bRet = FALSE;
if(!g_RuleInited)
return FALSE;
RuleLock(FALSE);
bRet = SaveRules(&g_AllowRuleList, hKey, usValueName);
RuleUnlock();
return bRet;
}
//--------------------------------------------------------------------------------------
BOOLEAN LoadRules(PLIST_ENTRY ListEntryHead, HANDLE hKey, PUNICODE_STRING usValueName)
{
BOOLEAN bRet = FALSE;
PKEY_VALUE_FULL_INFORMATION KeyInfo = NULL;
ULONG Length = 0, RulesLoaded = 0;
NTSTATUS ns = 0;
if(!ListEntryHead)
return FALSE;
// query buffer size
ns = ZwQueryValueKey(
hKey,
usValueName,
KeyValueFullInformation,
KeyInfo,
0,
&Length
);
if (ns == STATUS_BUFFER_OVERFLOW ||
ns == STATUS_BUFFER_TOO_SMALL)
{
// allocate buffer
PKEY_VALUE_FULL_INFORMATION KeyInfo = (PKEY_VALUE_FULL_INFORMATION)M_ALLOC(Length);
if (KeyInfo)
{
// query value
ns = ZwQueryValueKey(
hKey,
usValueName,
KeyValueFullInformation,
KeyInfo,
Length,
&Length
);
if (NT_SUCCESS(ns))
{
if (KeyInfo->DataLength > 0)
{
// deserialize rules
PUCHAR Buff = (PUCHAR)KeyInfo + KeyInfo->DataOffset;
PIOCTL_FILTER_SERIALIZED f_s = (PIOCTL_FILTER_SERIALIZED)Buff;
while ((ULONG)((PUCHAR)f_s - Buff) < KeyInfo->DataLength)
{
// add rule into list
IOCTL_FILTER Flt;
RtlZeroMemory(&Flt, sizeof(Flt));
Flt.Type = f_s->Type;
Flt.IoctlCode = f_s->IoctlCode;
if ((f_s->Type == FLT_DEVICE_NAME ||
f_s->Type == FLT_DRIVER_NAME ||
f_s->Type == FLT_PROCESS_PATH) &&
f_s->NameLen > 0)
{
// we have an object name
if (AllocUnicodeString(&Flt.usName, (USHORT)f_s->NameLen))
{
Flt.usName.Length = (USHORT)f_s->NameLen;
memcpy(Flt.usName.Buffer, &f_s->Name, f_s->NameLen);
DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): '%wZ'\n", &Flt.usName);
}
else
{
goto err;
}
}
if (!FltAdd(&Flt, ListEntryHead, 0))
{
if (Flt.usName.Buffer)
{
RtlFreeUnicodeString(&Flt.usName);
}
}
else
{
RulesLoaded++;
}
err:
// go to the next serialized entry
f_s = (PIOCTL_FILTER_SERIALIZED)((PUCHAR)f_s +
sizeof(IOCTL_FILTER_SERIALIZED) + f_s->NameLen);
}
}
DbgMsg(
__FILE__, __LINE__,
__FUNCTION__"(): %d rules loaded from '%wZ'\n",
RulesLoaded, usValueName
);
bRet = TRUE;
}
else
{
DbgMsg(__FILE__, __LINE__, "ZwQueryValueKey() fails; status: 0x%.8x\n", ns);
}
M_FREE(KeyInfo);
}
else
{
DbgMsg(__FILE__, __LINE__, "M_ALLOC() fails\n");
}
}
else
{
DbgMsg(__FILE__, __LINE__, __FUNCTION__"() WARNING: '%wZ' value is not set\n", usValueName);
}
return bRet;
}
BOOLEAN LoadDenyRules(HANDLE hKey, PUNICODE_STRING usValueName)
{
BOOLEAN bRet = FALSE;
if(!g_RuleInited)
return FALSE;
RuleLock(TRUE);
bRet = LoadRules(&g_DenyRuleList, hKey, usValueName);
RuleUnlock();
return bRet;
}
BOOLEAN LoadAllowRules(HANDLE hKey, PUNICODE_STRING usValueName)
{
BOOLEAN bRet = FALSE;
if(!g_RuleInited)
return FALSE;
RuleLock(TRUE);
bRet = LoadRules(&g_AllowRuleList, hKey, usValueName);
RuleUnlock();
return bRet;
}
//--------------------------------------------------------------------------------------

88
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/rules.h Normal file
View File

@ -0,0 +1,88 @@
/**
* Structures and defines for IOCTL filtering
*/
#define FLT_DEVICE_NAME 1
#define FLT_DRIVER_NAME 2
#define FLT_IOCTL_CODE 3
#define FLT_PROCESS_PATH 4
typedef struct _IOCTL_FILTER
{
LIST_ENTRY List;
ULONG ReferenceCount;
ULONG Type;
UNICODE_STRING usName;
ULONG IoctlCode;
BOOLEAN bDbgcbAction;
char szKdCommand[1];
} IOCTL_FILTER, *PIOCTL_FILTER;
typedef struct _IOCTL_FILTER_SERIALIZED
{
ULONG Type;
ULONG IoctlCode;
ULONG NameLen;
WCHAR Name[];
} IOCTL_FILTER_SERIALIZED,
*PIOCTL_FILTER_SERIALIZED;
PIOCTL_FILTER FltAdd(PIOCTL_FILTER f, PLIST_ENTRY ListEntry, ULONG KdCommandLength);
BOOLEAN FltIsMatchedRequest(
PUNICODE_STRING fDeviceName,
PUNICODE_STRING fDriverName,
ULONG IoControlCode,
PUNICODE_STRING fProcessName
);
char *FltGetKdCommand(
PUNICODE_STRING fDeviceName,
PUNICODE_STRING fDriverName,
ULONG IoControlCode,
PUNICODE_STRING fProcessName
);
BOOLEAN SaveRules(PLIST_ENTRY ListEntryHead, HANDLE hKey, PUNICODE_STRING usValueName);
BOOLEAN LoadRules(PLIST_ENTRY ListEntryHead, HANDLE hKey, PUNICODE_STRING usValueName);
/**
* Macro defines for allow/deny lists of IOCTL filtering
*/
// #define FltAllowMatch(_drv_, _dev_, _c_, _p_) FltMatch(&f_allow_head, (_drv_), (_dev_), (_c_), (_p_))
//
// #define FltDenyMatch(_drv_, _dev_, _c_, _p_) FltMatch(&f_deny_head, (_drv_), (_dev_), (_c_), (_p_))
//
NTSTATUS FltInitRuleList();
VOID FltUnInitRuleList();
PIOCTL_FILTER FltAddDbgcbRule(PIOCTL_FILTER f, ULONG KdCommandLength);
PIOCTL_FILTER FltAddDenyRule(PIOCTL_FILTER f, ULONG KdCommandLength);
PIOCTL_FILTER FltAddAllowRule(PIOCTL_FILTER f, ULONG KdCommandLength);
void FltFlushAllList();
BOOLEAN FltMatchAllow(
PUNICODE_STRING fDeviceName,
PUNICODE_STRING fDriverName,
ULONG IoControlCode,
PUNICODE_STRING fProcessName);
BOOLEAN FltMatchDeny(
PUNICODE_STRING fDeviceName,
PUNICODE_STRING fDriverName,
ULONG IoControlCode,
PUNICODE_STRING fProcessName);
BOOLEAN SaveDenyRules(HANDLE hKey, PUNICODE_STRING usValueName);
BOOLEAN SaveAllowRules(HANDLE hKey, PUNICODE_STRING usValueName);
BOOLEAN LoadDenyRules(HANDLE hKey, PUNICODE_STRING usValueName);
BOOLEAN LoadAllowRules(HANDLE hKey, PUNICODE_STRING usValueName);
VOID DeferenceRuleCount(PIOCTL_FILTER Item);

22
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/sources Normal file
View File

@ -0,0 +1,22 @@
TARGETNAME=IOCTL_fuzzer
TARGETTYPE=DRIVER
DRIVERTYPE=FS
TARGETLIBS=$(TARGETLIBS) \
.\udis86\udis86_i386.lib \
.\udis86\udis86_amd64.lib
SOURCES=driver.c \
common.c \
debug.c \
handlers.c \
hook.c \
log.c \
lst.c \
rng.c \
rules.c \
version.rc

39
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/stdafx.h Normal file
View File

@ -0,0 +1,39 @@
//extern "C"
//{
#include <ntifs.h>
#include <stdio.h>
#include <stdarg.h>
#include <ntimage.h>
#include "undocnt.h"
//}
#define WP_STUFF
#include "debug.h"
#include "common.h"
#include "lst.h"
#include "options.h"
#include "common_asm.h"
#include "drvcomm.h"
#include "rng.h"
#include "driver.h"
#include "handlers.h"
#include "hook.h"
#include "log.h"
#include "rules.h"
// udis86 disasm engine
#include "udis86/extern.h"
// kernel debugger communication engine (dbgcb) client
//#include "../../dbgcb/common/dbgcb_api.h"
#ifdef _X86_
#pragma comment(lib,"../udis86/udis86_i386.lib")
#elif _AMD64_
#pragma comment(lib,"../udis86/udis86_amd64.lib")
#endif

3
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/build.bat Normal file
View File

@ -0,0 +1,3 @@
@echo off
nmake /f makefile_i386
nmake /f makefile_i386 clean

3
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/build64.bat Normal file
View File

@ -0,0 +1,3 @@
@echo off
nmake /f makefile_amd64
nmake /f makefile_amd64 clean

67
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/extern.h Normal file
View File

@ -0,0 +1,67 @@
/* -----------------------------------------------------------------------------
* extern.h
*
* Copyright (c) 2004, 2005, 2006, Vivek Mohan <vivek@sig9.com>
* All rights reserved. See LICENSE
* -----------------------------------------------------------------------------
*/
#ifndef UD_EXTERN_H
#define UD_EXTERN_H
#ifdef __cplusplus
extern "C" {
#endif
#include <stdio.h>
#include "types.h"
/* ============================= PUBLIC API ================================= */
extern void ud_init(struct ud*);
extern void ud_set_mode(struct ud*, uint8_t);
extern void ud_set_pc(struct ud*, uint64_t);
extern void ud_set_input_hook(struct ud*, int (*)(struct ud*));
extern void ud_set_input_buffer(struct ud*, uint8_t*, size_t);
#ifndef __UD_STANDALONE__
extern void ud_set_input_file(struct ud*, FILE*);
#endif /* __UD_STANDALONE__ */
extern void ud_set_vendor(struct ud*, unsigned);
extern void ud_set_syntax(struct ud*, void (*)(struct ud*));
extern void ud_input_skip(struct ud*, size_t);
extern int ud_input_end(struct ud*);
extern unsigned int ud_decode(struct ud*);
extern unsigned int ud_disassemble(struct ud*);
extern void ud_translate_intel(struct ud*);
extern void ud_translate_att(struct ud*);
extern char* ud_insn_asm(struct ud* u);
extern uint8_t* ud_insn_ptr(struct ud* u);
extern uint64_t ud_insn_off(struct ud*);
extern char* ud_insn_hex(struct ud*);
extern unsigned int ud_insn_len(struct ud* u);
extern const char* ud_lookup_mnemonic(enum ud_mnemonic_code c);
/* ========================================================================== */
#ifdef __cplusplus
}
#endif
#endif

719
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/itab.h Normal file
View File

@ -0,0 +1,719 @@
/* itab.h -- auto generated by opgen.py, do not edit. */
#ifndef UD_ITAB_H
#define UD_ITAB_H
enum ud_itab_vendor_index {
ITAB__VENDOR_INDX__AMD,
ITAB__VENDOR_INDX__INTEL,
};
enum ud_itab_mode_index {
ITAB__MODE_INDX__16,
ITAB__MODE_INDX__32,
ITAB__MODE_INDX__64
};
enum ud_itab_mod_index {
ITAB__MOD_INDX__NOT_11,
ITAB__MOD_INDX__11
};
enum ud_itab_index {
ITAB__0F,
ITAB__0F__OP_00__REG,
ITAB__0F__OP_01__REG,
ITAB__0F__OP_01__REG__OP_00__MOD,
ITAB__0F__OP_01__REG__OP_00__MOD__OP_01__RM,
ITAB__0F__OP_01__REG__OP_00__MOD__OP_01__RM__OP_01__VENDOR,
ITAB__0F__OP_01__REG__OP_00__MOD__OP_01__RM__OP_03__VENDOR,
ITAB__0F__OP_01__REG__OP_00__MOD__OP_01__RM__OP_04__VENDOR,
ITAB__0F__OP_01__REG__OP_01__MOD,
ITAB__0F__OP_01__REG__OP_01__MOD__OP_01__RM,
ITAB__0F__OP_01__REG__OP_02__MOD,
ITAB__0F__OP_01__REG__OP_03__MOD,
ITAB__0F__OP_01__REG__OP_03__MOD__OP_01__RM,
ITAB__0F__OP_01__REG__OP_03__MOD__OP_01__RM__OP_00__VENDOR,
ITAB__0F__OP_01__REG__OP_03__MOD__OP_01__RM__OP_01__VENDOR,
ITAB__0F__OP_01__REG__OP_03__MOD__OP_01__RM__OP_02__VENDOR,
ITAB__0F__OP_01__REG__OP_03__MOD__OP_01__RM__OP_03__VENDOR,
ITAB__0F__OP_01__REG__OP_03__MOD__OP_01__RM__OP_04__VENDOR,
ITAB__0F__OP_01__REG__OP_03__MOD__OP_01__RM__OP_05__VENDOR,
ITAB__0F__OP_01__REG__OP_03__MOD__OP_01__RM__OP_06__VENDOR,
ITAB__0F__OP_01__REG__OP_03__MOD__OP_01__RM__OP_07__VENDOR,
ITAB__0F__OP_01__REG__OP_04__MOD,
ITAB__0F__OP_01__REG__OP_06__MOD,
ITAB__0F__OP_01__REG__OP_07__MOD,
ITAB__0F__OP_01__REG__OP_07__MOD__OP_01__RM,
ITAB__0F__OP_01__REG__OP_07__MOD__OP_01__RM__OP_01__VENDOR,
ITAB__0F__OP_0D__REG,
ITAB__0F__OP_18__REG,
ITAB__0F__OP_71__REG,
ITAB__0F__OP_72__REG,
ITAB__0F__OP_73__REG,
ITAB__0F__OP_AE__REG,
ITAB__0F__OP_AE__REG__OP_05__MOD,
ITAB__0F__OP_AE__REG__OP_05__MOD__OP_01__RM,
ITAB__0F__OP_AE__REG__OP_06__MOD,
ITAB__0F__OP_AE__REG__OP_06__MOD__OP_01__RM,
ITAB__0F__OP_AE__REG__OP_07__MOD,
ITAB__0F__OP_AE__REG__OP_07__MOD__OP_01__RM,
ITAB__0F__OP_BA__REG,
ITAB__0F__OP_C7__REG,
ITAB__0F__OP_C7__REG__OP_00__VENDOR,
ITAB__0F__OP_C7__REG__OP_07__VENDOR,
ITAB__0F__OP_D9__MOD,
ITAB__0F__OP_D9__MOD__OP_01__X87,
ITAB__1BYTE,
ITAB__1BYTE__OP_60__OSIZE,
ITAB__1BYTE__OP_61__OSIZE,
ITAB__1BYTE__OP_63__MODE,
ITAB__1BYTE__OP_6D__OSIZE,
ITAB__1BYTE__OP_6F__OSIZE,
ITAB__1BYTE__OP_80__REG,
ITAB__1BYTE__OP_81__REG,
ITAB__1BYTE__OP_82__REG,
ITAB__1BYTE__OP_83__REG,
ITAB__1BYTE__OP_8F__REG,
ITAB__1BYTE__OP_98__OSIZE,
ITAB__1BYTE__OP_99__OSIZE,
ITAB__1BYTE__OP_9C__MODE,
ITAB__1BYTE__OP_9C__MODE__OP_00__OSIZE,
ITAB__1BYTE__OP_9C__MODE__OP_01__OSIZE,
ITAB__1BYTE__OP_9D__MODE,
ITAB__1BYTE__OP_9D__MODE__OP_00__OSIZE,
ITAB__1BYTE__OP_9D__MODE__OP_01__OSIZE,
ITAB__1BYTE__OP_A5__OSIZE,
ITAB__1BYTE__OP_A7__OSIZE,
ITAB__1BYTE__OP_AB__OSIZE,
ITAB__1BYTE__OP_AD__OSIZE,
ITAB__1BYTE__OP_AE__MOD,
ITAB__1BYTE__OP_AE__MOD__OP_00__REG,
ITAB__1BYTE__OP_AF__OSIZE,
ITAB__1BYTE__OP_C0__REG,
ITAB__1BYTE__OP_C1__REG,
ITAB__1BYTE__OP_C6__REG,
ITAB__1BYTE__OP_C7__REG,
ITAB__1BYTE__OP_CF__OSIZE,
ITAB__1BYTE__OP_D0__REG,
ITAB__1BYTE__OP_D1__REG,
ITAB__1BYTE__OP_D2__REG,
ITAB__1BYTE__OP_D3__REG,
ITAB__1BYTE__OP_D8__MOD,
ITAB__1BYTE__OP_D8__MOD__OP_00__REG,
ITAB__1BYTE__OP_D8__MOD__OP_01__X87,
ITAB__1BYTE__OP_D9__MOD,
ITAB__1BYTE__OP_D9__MOD__OP_00__REG,
ITAB__1BYTE__OP_D9__MOD__OP_01__X87,
ITAB__1BYTE__OP_DA__MOD,
ITAB__1BYTE__OP_DA__MOD__OP_00__REG,
ITAB__1BYTE__OP_DA__MOD__OP_01__X87,
ITAB__1BYTE__OP_DB__MOD,
ITAB__1BYTE__OP_DB__MOD__OP_00__REG,
ITAB__1BYTE__OP_DB__MOD__OP_01__X87,
ITAB__1BYTE__OP_DC__MOD,
ITAB__1BYTE__OP_DC__MOD__OP_00__REG,
ITAB__1BYTE__OP_DC__MOD__OP_01__X87,
ITAB__1BYTE__OP_DD__MOD,
ITAB__1BYTE__OP_DD__MOD__OP_00__REG,
ITAB__1BYTE__OP_DD__MOD__OP_01__X87,
ITAB__1BYTE__OP_DE__MOD,
ITAB__1BYTE__OP_DE__MOD__OP_00__REG,
ITAB__1BYTE__OP_DE__MOD__OP_01__X87,
ITAB__1BYTE__OP_DF__MOD,
ITAB__1BYTE__OP_DF__MOD__OP_00__REG,
ITAB__1BYTE__OP_DF__MOD__OP_01__X87,
ITAB__1BYTE__OP_E3__ASIZE,
ITAB__1BYTE__OP_F6__REG,
ITAB__1BYTE__OP_F7__REG,
ITAB__1BYTE__OP_FE__REG,
ITAB__1BYTE__OP_FF__REG,
ITAB__3DNOW,
ITAB__PFX_SSE66__0F,
ITAB__PFX_SSE66__0F__OP_71__REG,
ITAB__PFX_SSE66__0F__OP_72__REG,
ITAB__PFX_SSE66__0F__OP_73__REG,
ITAB__PFX_SSE66__0F__OP_C7__REG,
ITAB__PFX_SSE66__0F__OP_C7__REG__OP_00__VENDOR,
ITAB__PFX_SSEF2__0F,
ITAB__PFX_SSEF3__0F,
ITAB__PFX_SSEF3__0F__OP_C7__REG,
ITAB__PFX_SSEF3__0F__OP_C7__REG__OP_07__VENDOR,
};
enum ud_mnemonic_code {
UD_I3dnow,
UD_Iaaa,
UD_Iaad,
UD_Iaam,
UD_Iaas,
UD_Iadc,
UD_Iadd,
UD_Iaddpd,
UD_Iaddps,
UD_Iaddsd,
UD_Iaddss,
UD_Iaddsubpd,
UD_Iaddsubps,
UD_Iand,
UD_Iandpd,
UD_Iandps,
UD_Iandnpd,
UD_Iandnps,
UD_Iarpl,
UD_Imovsxd,
UD_Ibound,
UD_Ibsf,
UD_Ibsr,
UD_Ibswap,
UD_Ibt,
UD_Ibtc,
UD_Ibtr,
UD_Ibts,
UD_Icall,
UD_Icbw,
UD_Icwde,
UD_Icdqe,
UD_Iclc,
UD_Icld,
UD_Iclflush,
UD_Iclgi,
UD_Icli,
UD_Iclts,
UD_Icmc,
UD_Icmovo,
UD_Icmovno,
UD_Icmovb,
UD_Icmovae,
UD_Icmovz,
UD_Icmovnz,
UD_Icmovbe,
UD_Icmova,
UD_Icmovs,
UD_Icmovns,
UD_Icmovp,
UD_Icmovnp,
UD_Icmovl,
UD_Icmovge,
UD_Icmovle,
UD_Icmovg,
UD_Icmp,
UD_Icmppd,
UD_Icmpps,
UD_Icmpsb,
UD_Icmpsw,
UD_Icmpsd,
UD_Icmpsq,
UD_Icmpss,
UD_Icmpxchg,
UD_Icmpxchg8b,
UD_Icomisd,
UD_Icomiss,
UD_Icpuid,
UD_Icvtdq2pd,
UD_Icvtdq2ps,
UD_Icvtpd2dq,
UD_Icvtpd2pi,
UD_Icvtpd2ps,
UD_Icvtpi2ps,
UD_Icvtpi2pd,
UD_Icvtps2dq,
UD_Icvtps2pi,
UD_Icvtps2pd,
UD_Icvtsd2si,
UD_Icvtsd2ss,
UD_Icvtsi2ss,
UD_Icvtss2si,
UD_Icvtss2sd,
UD_Icvttpd2pi,
UD_Icvttpd2dq,
UD_Icvttps2dq,
UD_Icvttps2pi,
UD_Icvttsd2si,
UD_Icvtsi2sd,
UD_Icvttss2si,
UD_Icwd,
UD_Icdq,
UD_Icqo,
UD_Idaa,
UD_Idas,
UD_Idec,
UD_Idiv,
UD_Idivpd,
UD_Idivps,
UD_Idivsd,
UD_Idivss,
UD_Iemms,
UD_Ienter,
UD_If2xm1,
UD_Ifabs,
UD_Ifadd,
UD_Ifaddp,
UD_Ifbld,
UD_Ifbstp,
UD_Ifchs,
UD_Ifclex,
UD_Ifcmovb,
UD_Ifcmove,
UD_Ifcmovbe,
UD_Ifcmovu,
UD_Ifcmovnb,
UD_Ifcmovne,
UD_Ifcmovnbe,
UD_Ifcmovnu,
UD_Ifucomi,
UD_Ifcom,
UD_Ifcom2,
UD_Ifcomp3,
UD_Ifcomi,
UD_Ifucomip,
UD_Ifcomip,
UD_Ifcomp,
UD_Ifcomp5,
UD_Ifcompp,
UD_Ifcos,
UD_Ifdecstp,
UD_Ifdiv,
UD_Ifdivp,
UD_Ifdivr,
UD_Ifdivrp,
UD_Ifemms,
UD_Iffree,
UD_Iffreep,
UD_Ificom,
UD_Ificomp,
UD_Ifild,
UD_Ifncstp,
UD_Ifninit,
UD_Ifiadd,
UD_Ifidivr,
UD_Ifidiv,
UD_Ifisub,
UD_Ifisubr,
UD_Ifist,
UD_Ifistp,
UD_Ifisttp,
UD_Ifld,
UD_Ifld1,
UD_Ifldl2t,
UD_Ifldl2e,
UD_Ifldlpi,
UD_Ifldlg2,
UD_Ifldln2,
UD_Ifldz,
UD_Ifldcw,
UD_Ifldenv,
UD_Ifmul,
UD_Ifmulp,
UD_Ifimul,
UD_Ifnop,
UD_Ifpatan,
UD_Ifprem,
UD_Ifprem1,
UD_Ifptan,
UD_Ifrndint,
UD_Ifrstor,
UD_Ifnsave,
UD_Ifscale,
UD_Ifsin,
UD_Ifsincos,
UD_Ifsqrt,
UD_Ifstp,
UD_Ifstp1,
UD_Ifstp8,
UD_Ifstp9,
UD_Ifst,
UD_Ifnstcw,
UD_Ifnstenv,
UD_Ifnstsw,
UD_Ifsub,
UD_Ifsubp,
UD_Ifsubr,
UD_Ifsubrp,
UD_Iftst,
UD_Ifucom,
UD_Ifucomp,
UD_Ifucompp,
UD_Ifxam,
UD_Ifxch,
UD_Ifxch4,
UD_Ifxch7,
UD_Ifxrstor,
UD_Ifxsave,
UD_Ifpxtract,
UD_Ifyl2x,
UD_Ifyl2xp1,
UD_Ihaddpd,
UD_Ihaddps,
UD_Ihlt,
UD_Ihsubpd,
UD_Ihsubps,
UD_Iidiv,
UD_Iin,
UD_Iimul,
UD_Iinc,
UD_Iinsb,
UD_Iinsw,
UD_Iinsd,
UD_Iint1,
UD_Iint3,
UD_Iint,
UD_Iinto,
UD_Iinvd,
UD_Iinvlpg,
UD_Iinvlpga,
UD_Iiretw,
UD_Iiretd,
UD_Iiretq,
UD_Ijo,
UD_Ijno,
UD_Ijb,
UD_Ijae,
UD_Ijz,
UD_Ijnz,
UD_Ijbe,
UD_Ija,
UD_Ijs,
UD_Ijns,
UD_Ijp,
UD_Ijnp,
UD_Ijl,
UD_Ijge,
UD_Ijle,
UD_Ijg,
UD_Ijcxz,
UD_Ijecxz,
UD_Ijrcxz,
UD_Ijmp,
UD_Ilahf,
UD_Ilar,
UD_Ilddqu,
UD_Ildmxcsr,
UD_Ilds,
UD_Ilea,
UD_Iles,
UD_Ilfs,
UD_Ilgs,
UD_Ilidt,
UD_Ilss,
UD_Ileave,
UD_Ilfence,
UD_Ilgdt,
UD_Illdt,
UD_Ilmsw,
UD_Ilock,
UD_Ilodsb,
UD_Ilodsw,
UD_Ilodsd,
UD_Ilodsq,
UD_Iloopnz,
UD_Iloope,
UD_Iloop,
UD_Ilsl,
UD_Iltr,
UD_Imaskmovq,
UD_Imaxpd,
UD_Imaxps,
UD_Imaxsd,
UD_Imaxss,
UD_Imfence,
UD_Iminpd,
UD_Iminps,
UD_Iminsd,
UD_Iminss,
UD_Imonitor,
UD_Imov,
UD_Imovapd,
UD_Imovaps,
UD_Imovd,
UD_Imovddup,
UD_Imovdqa,
UD_Imovdqu,
UD_Imovdq2q,
UD_Imovhpd,
UD_Imovhps,
UD_Imovlhps,
UD_Imovlpd,
UD_Imovlps,
UD_Imovhlps,
UD_Imovmskpd,
UD_Imovmskps,
UD_Imovntdq,
UD_Imovnti,
UD_Imovntpd,
UD_Imovntps,
UD_Imovntq,
UD_Imovq,
UD_Imovqa,
UD_Imovq2dq,
UD_Imovsb,
UD_Imovsw,
UD_Imovsd,
UD_Imovsq,
UD_Imovsldup,
UD_Imovshdup,
UD_Imovss,
UD_Imovsx,
UD_Imovupd,
UD_Imovups,
UD_Imovzx,
UD_Imul,
UD_Imulpd,
UD_Imulps,
UD_Imulsd,
UD_Imulss,
UD_Imwait,
UD_Ineg,
UD_Inop,
UD_Inot,
UD_Ior,
UD_Iorpd,
UD_Iorps,
UD_Iout,
UD_Ioutsb,
UD_Ioutsw,
UD_Ioutsd,
UD_Ioutsq,
UD_Ipacksswb,
UD_Ipackssdw,
UD_Ipackuswb,
UD_Ipaddb,
UD_Ipaddw,
UD_Ipaddq,
UD_Ipaddsb,
UD_Ipaddsw,
UD_Ipaddusb,
UD_Ipaddusw,
UD_Ipand,
UD_Ipandn,
UD_Ipause,
UD_Ipavgb,
UD_Ipavgw,
UD_Ipcmpeqb,
UD_Ipcmpeqw,
UD_Ipcmpeqd,
UD_Ipcmpgtb,
UD_Ipcmpgtw,
UD_Ipcmpgtd,
UD_Ipextrw,
UD_Ipinsrw,
UD_Ipmaddwd,
UD_Ipmaxsw,
UD_Ipmaxub,
UD_Ipminsw,
UD_Ipminub,
UD_Ipmovmskb,
UD_Ipmulhuw,
UD_Ipmulhw,
UD_Ipmullw,
UD_Ipmuludq,
UD_Ipop,
UD_Ipopa,
UD_Ipopad,
UD_Ipopfw,
UD_Ipopfd,
UD_Ipopfq,
UD_Ipor,
UD_Iprefetch,
UD_Iprefetchnta,
UD_Iprefetcht0,
UD_Iprefetcht1,
UD_Iprefetcht2,
UD_Ipsadbw,
UD_Ipshufd,
UD_Ipshufhw,
UD_Ipshuflw,
UD_Ipshufw,
UD_Ipslldq,
UD_Ipsllw,
UD_Ipslld,
UD_Ipsllq,
UD_Ipsraw,
UD_Ipsrad,
UD_Ipsrlw,
UD_Ipsrld,
UD_Ipsrlq,
UD_Ipsrldq,
UD_Ipsubb,
UD_Ipsubw,
UD_Ipsubd,
UD_Ipsubq,
UD_Ipsubsb,
UD_Ipsubsw,
UD_Ipsubusb,
UD_Ipsubusw,
UD_Ipunpckhbw,
UD_Ipunpckhwd,
UD_Ipunpckhdq,
UD_Ipunpckhqdq,
UD_Ipunpcklbw,
UD_Ipunpcklwd,
UD_Ipunpckldq,
UD_Ipunpcklqdq,
UD_Ipi2fw,
UD_Ipi2fd,
UD_Ipf2iw,
UD_Ipf2id,
UD_Ipfnacc,
UD_Ipfpnacc,
UD_Ipfcmpge,
UD_Ipfmin,
UD_Ipfrcp,
UD_Ipfrsqrt,
UD_Ipfsub,
UD_Ipfadd,
UD_Ipfcmpgt,
UD_Ipfmax,
UD_Ipfrcpit1,
UD_Ipfrspit1,
UD_Ipfsubr,
UD_Ipfacc,
UD_Ipfcmpeq,
UD_Ipfmul,
UD_Ipfrcpit2,
UD_Ipmulhrw,
UD_Ipswapd,
UD_Ipavgusb,
UD_Ipush,
UD_Ipusha,
UD_Ipushad,
UD_Ipushfw,
UD_Ipushfd,
UD_Ipushfq,
UD_Ipxor,
UD_Ircl,
UD_Ircr,
UD_Irol,
UD_Iror,
UD_Ircpps,
UD_Ircpss,
UD_Irdmsr,
UD_Irdpmc,
UD_Irdtsc,
UD_Irdtscp,
UD_Irepne,
UD_Irep,
UD_Iret,
UD_Iretf,
UD_Irsm,
UD_Irsqrtps,
UD_Irsqrtss,
UD_Isahf,
UD_Isal,
UD_Isalc,
UD_Isar,
UD_Ishl,
UD_Ishr,
UD_Isbb,
UD_Iscasb,
UD_Iscasw,
UD_Iscasd,
UD_Iscasq,
UD_Iseto,
UD_Isetno,
UD_Isetb,
UD_Isetnb,
UD_Isetz,
UD_Isetnz,
UD_Isetbe,
UD_Iseta,
UD_Isets,
UD_Isetns,
UD_Isetp,
UD_Isetnp,
UD_Isetl,
UD_Isetge,
UD_Isetle,
UD_Isetg,
UD_Isfence,
UD_Isgdt,
UD_Ishld,
UD_Ishrd,
UD_Ishufpd,
UD_Ishufps,
UD_Isidt,
UD_Isldt,
UD_Ismsw,
UD_Isqrtps,
UD_Isqrtpd,
UD_Isqrtsd,
UD_Isqrtss,
UD_Istc,
UD_Istd,
UD_Istgi,
UD_Isti,
UD_Iskinit,
UD_Istmxcsr,
UD_Istosb,
UD_Istosw,
UD_Istosd,
UD_Istosq,
UD_Istr,
UD_Isub,
UD_Isubpd,
UD_Isubps,
UD_Isubsd,
UD_Isubss,
UD_Iswapgs,
UD_Isyscall,
UD_Isysenter,
UD_Isysexit,
UD_Isysret,
UD_Itest,
UD_Iucomisd,
UD_Iucomiss,
UD_Iud2,
UD_Iunpckhpd,
UD_Iunpckhps,
UD_Iunpcklps,
UD_Iunpcklpd,
UD_Iverr,
UD_Iverw,
UD_Ivmcall,
UD_Ivmclear,
UD_Ivmxon,
UD_Ivmptrld,
UD_Ivmptrst,
UD_Ivmresume,
UD_Ivmxoff,
UD_Ivmrun,
UD_Ivmmcall,
UD_Ivmload,
UD_Ivmsave,
UD_Iwait,
UD_Iwbinvd,
UD_Iwrmsr,
UD_Ixadd,
UD_Ixchg,
UD_Ixlatb,
UD_Ixor,
UD_Ixorpd,
UD_Ixorps,
UD_Idb,
UD_Iinvalid,
UD_Id3vil,
UD_Ina,
UD_Igrp_reg,
UD_Igrp_rm,
UD_Igrp_vendor,
UD_Igrp_x87,
UD_Igrp_mode,
UD_Igrp_osize,
UD_Igrp_asize,
UD_Igrp_mod,
UD_Inone,
};
extern const char* ud_mnemonics_str[];;
extern struct ud_itab_entry* ud_itab_list[];
#endif

22
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/makefile.inc Normal file
View File

@ -0,0 +1,22 @@
decode.obj: src/decode.c
$(CC) $(CFLAGS) src/decode.c
input.obj: src/input.c
$(CC) $(CFLAGS) src/input.c
itab.obj: src/itab.c
$(CC) $(CFLAGS) src/itab.c
syn.obj: src/syn.c
$(CC) $(CFLAGS) src/syn.c
syn-att.obj: src/syn-att.c
$(CC) $(CFLAGS) src/syn-att.c
syn-intel.obj: src/syn-intel.c
$(CC) $(CFLAGS) src/syn-intel.c
udis86.obj: src/udis86.c
$(CC) $(CFLAGS) src/udis86.c
LOBJS = decode.obj input.obj itab.obj syn.obj syn-att.obj syn-intel.obj udis86.obj

20
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/makefile_amd64 Normal file
View File

@ -0,0 +1,20 @@
OUTNAME = udis86_amd64
ALL: $(OUTNAME).lib
CC = cl.exe
CFLAGS = /nologo -I".\src" -I"$(CRT_INC_PATH)" -D__UD_STANDALONE__ -D_AMD64_=1 -D_M_AMD64 /Gz /c
include Makefile.inc
LN = lib.exe
LFLAGS = /LIBPATH:$(CRT_LIB_PATH)\..\amd64 /out:$(OUTNAME).lib
$(OUTNAME).lib: $(LOBJS)
$(LN) $(LFLAGS) $(LOBJS)
clean:
@del *.obj

19
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/makefile_i386 Normal file
View File

@ -0,0 +1,19 @@
OUTNAME = udis86_i386
ALL: $(OUTNAME).lib
CC = cl.exe
CFLAGS=/nologo -I".\src" -I"$(CRT_INC_PATH)" -D__UD_STANDALONE__ -D_X86_=1 /Gz /c
include Makefile.inc
LN = lib.exe
LFLAGS = /LIBPATH:$(CRT_LIB_PATH)\..\i386 /out:$(OUTNAME).lib
$(OUTNAME).lib: $(LOBJS)
$(LN) $(LFLAGS) $(LOBJS)
clean:
@del *.obj

1194
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/decode.c Normal file
View File

File diff suppressed because it is too large Load Diff

275
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/decode.h Normal file
View File

@ -0,0 +1,275 @@
#ifndef UD_DECODE_H
#define UD_DECODE_H
#define MAX_INSN_LENGTH 15
/* register classes */
#define T_NONE 0
#define T_GPR 1
#define T_MMX 2
#define T_CRG 3
#define T_DBG 4
#define T_SEG 5
#define T_XMM 6
/* itab prefix bits */
#define P_none ( 0 )
#define P_c1 ( 1 << 0 )
#define P_C1(n) ( ( n >> 0 ) & 1 )
#define P_rexb ( 1 << 1 )
#define P_REXB(n) ( ( n >> 1 ) & 1 )
#define P_depM ( 1 << 2 )
#define P_DEPM(n) ( ( n >> 2 ) & 1 )
#define P_c3 ( 1 << 3 )
#define P_C3(n) ( ( n >> 3 ) & 1 )
#define P_inv64 ( 1 << 4 )
#define P_INV64(n) ( ( n >> 4 ) & 1 )
#define P_rexw ( 1 << 5 )
#define P_REXW(n) ( ( n >> 5 ) & 1 )
#define P_c2 ( 1 << 6 )
#define P_C2(n) ( ( n >> 6 ) & 1 )
#define P_def64 ( 1 << 7 )
#define P_DEF64(n) ( ( n >> 7 ) & 1 )
#define P_rexr ( 1 << 8 )
#define P_REXR(n) ( ( n >> 8 ) & 1 )
#define P_oso ( 1 << 9 )
#define P_OSO(n) ( ( n >> 9 ) & 1 )
#define P_aso ( 1 << 10 )
#define P_ASO(n) ( ( n >> 10 ) & 1 )
#define P_rexx ( 1 << 11 )
#define P_REXX(n) ( ( n >> 11 ) & 1 )
#define P_ImpAddr ( 1 << 12 )
#define P_IMPADDR(n) ( ( n >> 12 ) & 1 )
/* rex prefix bits */
#define REX_W(r) ( ( 0xF & ( r ) ) >> 3 )
#define REX_R(r) ( ( 0x7 & ( r ) ) >> 2 )
#define REX_X(r) ( ( 0x3 & ( r ) ) >> 1 )
#define REX_B(r) ( ( 0x1 & ( r ) ) >> 0 )
#define REX_PFX_MASK(n) ( ( P_REXW(n) << 3 ) | \
( P_REXR(n) << 2 ) | \
( P_REXX(n) << 1 ) | \
( P_REXB(n) << 0 ) )
/* scable-index-base bits */
#define SIB_S(b) ( ( b ) >> 6 )
#define SIB_I(b) ( ( ( b ) >> 3 ) & 7 )
#define SIB_B(b) ( ( b ) & 7 )
/* modrm bits */
#define MODRM_REG(b) ( ( ( b ) >> 3 ) & 7 )
#define MODRM_NNN(b) ( ( ( b ) >> 3 ) & 7 )
#define MODRM_MOD(b) ( ( ( b ) >> 6 ) & 3 )
#define MODRM_RM(b) ( ( b ) & 7 )
/* operand type constants -- order is important! */
enum ud_operand_code {
OP_NONE,
OP_A, OP_E, OP_M, OP_G,
OP_I,
OP_AL, OP_CL, OP_DL, OP_BL,
OP_AH, OP_CH, OP_DH, OP_BH,
OP_ALr8b, OP_CLr9b, OP_DLr10b, OP_BLr11b,
OP_AHr12b, OP_CHr13b, OP_DHr14b, OP_BHr15b,
OP_AX, OP_CX, OP_DX, OP_BX,
OP_SI, OP_DI, OP_SP, OP_BP,
OP_rAX, OP_rCX, OP_rDX, OP_rBX,
OP_rSP, OP_rBP, OP_rSI, OP_rDI,
OP_rAXr8, OP_rCXr9, OP_rDXr10, OP_rBXr11,
OP_rSPr12, OP_rBPr13, OP_rSIr14, OP_rDIr15,
OP_eAX, OP_eCX, OP_eDX, OP_eBX,
OP_eSP, OP_eBP, OP_eSI, OP_eDI,
OP_ES, OP_CS, OP_SS, OP_DS,
OP_FS, OP_GS,
OP_ST0, OP_ST1, OP_ST2, OP_ST3,
OP_ST4, OP_ST5, OP_ST6, OP_ST7,
OP_J, OP_S, OP_O,
OP_I1, OP_I3,
OP_V, OP_W, OP_Q, OP_P,
OP_R, OP_C, OP_D, OP_VR, OP_PR
};
/* operand size constants */
enum ud_operand_size {
SZ_NA = 0,
SZ_Z = 1,
SZ_V = 2,
SZ_P = 3,
SZ_WP = 4,
SZ_DP = 5,
SZ_MDQ = 6,
SZ_RDQ = 7,
/* the following values are used as is,
* and thus hard-coded. changing them
* will break internals
*/
SZ_B = 8,
SZ_W = 16,
SZ_D = 32,
SZ_Q = 64,
SZ_T = 80,
};
/* itab entry operand definitions */
#define O_rSPr12 { OP_rSPr12, SZ_NA }
#define O_BL { OP_BL, SZ_NA }
#define O_BH { OP_BH, SZ_NA }
#define O_BP { OP_BP, SZ_NA }
#define O_AHr12b { OP_AHr12b, SZ_NA }
#define O_BX { OP_BX, SZ_NA }
#define O_Jz { OP_J, SZ_Z }
#define O_Jv { OP_J, SZ_V }
#define O_Jb { OP_J, SZ_B }
#define O_rSIr14 { OP_rSIr14, SZ_NA }
#define O_GS { OP_GS, SZ_NA }
#define O_D { OP_D, SZ_NA }
#define O_rBPr13 { OP_rBPr13, SZ_NA }
#define O_Ob { OP_O, SZ_B }
#define O_P { OP_P, SZ_NA }
#define O_Ow { OP_O, SZ_W }
#define O_Ov { OP_O, SZ_V }
#define O_Gw { OP_G, SZ_W }
#define O_Gv { OP_G, SZ_V }
#define O_rDX { OP_rDX, SZ_NA }
#define O_Gx { OP_G, SZ_MDQ }
#define O_Gd { OP_G, SZ_D }
#define O_Gb { OP_G, SZ_B }
#define O_rBXr11 { OP_rBXr11, SZ_NA }
#define O_rDI { OP_rDI, SZ_NA }
#define O_rSI { OP_rSI, SZ_NA }
#define O_ALr8b { OP_ALr8b, SZ_NA }
#define O_eDI { OP_eDI, SZ_NA }
#define O_Gz { OP_G, SZ_Z }
#define O_eDX { OP_eDX, SZ_NA }
#define O_DHr14b { OP_DHr14b, SZ_NA }
#define O_rSP { OP_rSP, SZ_NA }
#define O_PR { OP_PR, SZ_NA }
#define O_NONE { OP_NONE, SZ_NA }
#define O_rCX { OP_rCX, SZ_NA }
#define O_jWP { OP_J, SZ_WP }
#define O_rDXr10 { OP_rDXr10, SZ_NA }
#define O_Md { OP_M, SZ_D }
#define O_C { OP_C, SZ_NA }
#define O_G { OP_G, SZ_NA }
#define O_Mb { OP_M, SZ_B }
#define O_Mt { OP_M, SZ_T }
#define O_S { OP_S, SZ_NA }
#define O_Mq { OP_M, SZ_Q }
#define O_W { OP_W, SZ_NA }
#define O_ES { OP_ES, SZ_NA }
#define O_rBX { OP_rBX, SZ_NA }
#define O_Ed { OP_E, SZ_D }
#define O_DLr10b { OP_DLr10b, SZ_NA }
#define O_Mw { OP_M, SZ_W }
#define O_Eb { OP_E, SZ_B }
#define O_Ex { OP_E, SZ_MDQ }
#define O_Ez { OP_E, SZ_Z }
#define O_Ew { OP_E, SZ_W }
#define O_Ev { OP_E, SZ_V }
#define O_Ep { OP_E, SZ_P }
#define O_FS { OP_FS, SZ_NA }
#define O_Ms { OP_M, SZ_W }
#define O_rAXr8 { OP_rAXr8, SZ_NA }
#define O_eBP { OP_eBP, SZ_NA }
#define O_Isb { OP_I, SZ_SB }
#define O_eBX { OP_eBX, SZ_NA }
#define O_rCXr9 { OP_rCXr9, SZ_NA }
#define O_jDP { OP_J, SZ_DP }
#define O_CH { OP_CH, SZ_NA }
#define O_CL { OP_CL, SZ_NA }
#define O_R { OP_R, SZ_RDQ }
#define O_V { OP_V, SZ_NA }
#define O_CS { OP_CS, SZ_NA }
#define O_CHr13b { OP_CHr13b, SZ_NA }
#define O_eCX { OP_eCX, SZ_NA }
#define O_eSP { OP_eSP, SZ_NA }
#define O_SS { OP_SS, SZ_NA }
#define O_SP { OP_SP, SZ_NA }
#define O_BLr11b { OP_BLr11b, SZ_NA }
#define O_SI { OP_SI, SZ_NA }
#define O_eSI { OP_eSI, SZ_NA }
#define O_DL { OP_DL, SZ_NA }
#define O_DH { OP_DH, SZ_NA }
#define O_DI { OP_DI, SZ_NA }
#define O_DX { OP_DX, SZ_NA }
#define O_rBP { OP_rBP, SZ_NA }
#define O_Gvw { OP_G, SZ_MDQ }
#define O_I1 { OP_I1, SZ_NA }
#define O_I3 { OP_I3, SZ_NA }
#define O_DS { OP_DS, SZ_NA }
#define O_ST4 { OP_ST4, SZ_NA }
#define O_ST5 { OP_ST5, SZ_NA }
#define O_ST6 { OP_ST6, SZ_NA }
#define O_ST7 { OP_ST7, SZ_NA }
#define O_ST0 { OP_ST0, SZ_NA }
#define O_ST1 { OP_ST1, SZ_NA }
#define O_ST2 { OP_ST2, SZ_NA }
#define O_ST3 { OP_ST3, SZ_NA }
#define O_E { OP_E, SZ_NA }
#define O_AH { OP_AH, SZ_NA }
#define O_M { OP_M, SZ_NA }
#define O_AL { OP_AL, SZ_NA }
#define O_CLr9b { OP_CLr9b, SZ_NA }
#define O_Q { OP_Q, SZ_NA }
#define O_eAX { OP_eAX, SZ_NA }
#define O_VR { OP_VR, SZ_NA }
#define O_AX { OP_AX, SZ_NA }
#define O_rAX { OP_rAX, SZ_NA }
#define O_Iz { OP_I, SZ_Z }
#define O_rDIr15 { OP_rDIr15, SZ_NA }
#define O_Iw { OP_I, SZ_W }
#define O_Iv { OP_I, SZ_V }
#define O_Ap { OP_A, SZ_P }
#define O_CX { OP_CX, SZ_NA }
#define O_Ib { OP_I, SZ_B }
#define O_BHr15b { OP_BHr15b, SZ_NA }
/* A single operand of an entry in the instruction table.
* (internal use only)
*/
struct ud_itab_entry_operand
{
enum ud_operand_code type;
enum ud_operand_size size;
};
/* A single entry in an instruction table.
*(internal use only)
*/
struct ud_itab_entry
{
enum ud_mnemonic_code mnemonic;
struct ud_itab_entry_operand operand1;
struct ud_itab_entry_operand operand2;
struct ud_itab_entry_operand operand3;
uint32_t prefix;
};
extern const char * ud_lookup_mnemonic( enum ud_mnemonic_code c );
#endif /* UD_DECODE_H */
/* vim:cindent
* vim:expandtab
* vim:ts=4
* vim:sw=4
*/

67
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/extern.h Normal file
View File

@ -0,0 +1,67 @@
/* -----------------------------------------------------------------------------
* extern.h
*
* Copyright (c) 2004, 2005, 2006, Vivek Mohan <vivek@sig9.com>
* All rights reserved. See LICENSE
* -----------------------------------------------------------------------------
*/
#ifndef UD_EXTERN_H
#define UD_EXTERN_H
#ifdef __cplusplus
extern "C" {
#endif
#include <stdio.h>
#include "types.h"
/* ============================= PUBLIC API ================================= */
extern void ud_init(struct ud*);
extern void ud_set_mode(struct ud*, uint8_t);
extern void ud_set_pc(struct ud*, uint64_t);
extern void ud_set_input_hook(struct ud*, int (*)(struct ud*));
extern void ud_set_input_buffer(struct ud*, uint8_t*, size_t);
#ifndef __UD_STANDALONE__
extern void ud_set_input_file(struct ud*, FILE*);
#endif /* __UD_STANDALONE__ */
extern void ud_set_vendor(struct ud*, unsigned);
extern void ud_set_syntax(struct ud*, void (*)(struct ud*));
extern void ud_input_skip(struct ud*, size_t);
extern int ud_input_end(struct ud*);
extern unsigned int ud_decode(struct ud*);
extern unsigned int ud_disassemble(struct ud*);
extern void ud_translate_intel(struct ud*);
extern void ud_translate_att(struct ud*);
extern char* ud_insn_asm(struct ud* u);
extern uint8_t* ud_insn_ptr(struct ud* u);
extern uint64_t ud_insn_off(struct ud*);
extern char* ud_insn_hex(struct ud*);
extern unsigned int ud_insn_len(struct ud* u);
extern const char* ud_lookup_mnemonic(enum ud_mnemonic_code c);
/* ========================================================================== */
#ifdef __cplusplus
}
#endif
#endif

226
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/input.c Normal file
View File

@ -0,0 +1,226 @@
/* -----------------------------------------------------------------------------
* input.c
*
* Copyright (c) 2004, 2005, 2006, Vivek Mohan <vivek@sig9.com>
* All rights reserved. See LICENSE
* -----------------------------------------------------------------------------
*/
#include "extern.h"
#include "types.h"
#include "input.h"
/* -----------------------------------------------------------------------------
* inp_buff_hook() - Hook for buffered inputs.
* -----------------------------------------------------------------------------
*/
static int
inp_buff_hook(struct ud* u)
{
if (u->inp_buff < u->inp_buff_end)
return *u->inp_buff++;
else return -1;
}
#ifndef __UD_STANDALONE__
/* -----------------------------------------------------------------------------
* inp_file_hook() - Hook for FILE inputs.
* -----------------------------------------------------------------------------
*/
static int
inp_file_hook(struct ud* u)
{
return fgetc(u->inp_file);
}
#endif /* __UD_STANDALONE__*/
/* =============================================================================
* ud_inp_set_hook() - Sets input hook.
* =============================================================================
*/
extern void
ud_set_input_hook(register struct ud* u, int (*hook)(struct ud*))
{
u->inp_hook = hook;
inp_init(u);
}
/* =============================================================================
* ud_inp_set_buffer() - Set buffer as input.
* =============================================================================
*/
extern void
ud_set_input_buffer(register struct ud* u, uint8_t* buf, size_t len)
{
u->inp_hook = inp_buff_hook;
u->inp_buff = buf;
u->inp_buff_end = buf + len;
inp_init(u);
}
#ifndef __UD_STANDALONE__
/* =============================================================================
* ud_input_set_file() - Set buffer as input.
* =============================================================================
*/
extern void
ud_set_input_file(register struct ud* u, FILE* f)
{
u->inp_hook = inp_file_hook;
u->inp_file = f;
inp_init(u);
}
#endif /* __UD_STANDALONE__ */
/* =============================================================================
* ud_input_skip() - Skip n input bytes.
* =============================================================================
*/
extern void
ud_input_skip(struct ud* u, size_t n)
{
while (n--) {
u->inp_hook(u);
}
}
/* =============================================================================
* ud_input_end() - Test for end of input.
* =============================================================================
*/
extern int
ud_input_end(struct ud* u)
{
return (u->inp_curr == u->inp_fill) && u->inp_end;
}
/* -----------------------------------------------------------------------------
* inp_next() - Loads and returns the next byte from input.
*
* inp_curr and inp_fill are pointers to the cache. The program is written based
* on the property that they are 8-bits in size, and will eventually wrap around
* forming a circular buffer. So, the size of the cache is 256 in size, kind of
* unnecessary yet optimized.
*
* A buffer inp_sess stores the bytes disassembled for a single session.
* -----------------------------------------------------------------------------
*/
extern uint8_t inp_next(struct ud* u)
{
int c = -1;
/* if current pointer is not upto the fill point in the
* input cache.
*/
if ( u->inp_curr != u->inp_fill ) {
c = u->inp_cache[ ++u->inp_curr ];
/* if !end-of-input, call the input hook and get a byte */
} else if ( u->inp_end || ( c = u->inp_hook( u ) ) == -1 ) {
/* end-of-input, mark it as an error, since the decoder,
* expected a byte more.
*/
u->error = 1;
/* flag end of input */
u->inp_end = 1;
return 0;
} else {
/* increment pointers, we have a new byte. */
u->inp_curr = ++u->inp_fill;
/* add the byte to the cache */
u->inp_cache[ u->inp_fill ] = c;
}
/* record bytes input per decode-session. */
u->inp_sess[ u->inp_ctr++ ] = c;
/* return byte */
return ( uint8_t ) c;
}
/* -----------------------------------------------------------------------------
* inp_back() - Move back a single byte in the stream.
* -----------------------------------------------------------------------------
*/
extern void
inp_back(struct ud* u)
{
if ( u->inp_ctr > 0 ) {
--u->inp_curr;
--u->inp_ctr;
}
}
/* -----------------------------------------------------------------------------
* inp_peek() - Peek into the next byte in source.
* -----------------------------------------------------------------------------
*/
extern uint8_t
inp_peek(struct ud* u)
{
uint8_t r = inp_next(u);
if ( !u->error ) inp_back(u); /* Don't backup if there was an error */
return r;
}
/* -----------------------------------------------------------------------------
* inp_move() - Move ahead n input bytes.
* -----------------------------------------------------------------------------
*/
extern void
inp_move(struct ud* u, size_t n)
{
while (n--)
inp_next(u);
}
/*------------------------------------------------------------------------------
* inp_uintN() - return uintN from source.
*------------------------------------------------------------------------------
*/
extern uint8_t
inp_uint8(struct ud* u)
{
return inp_next(u);
}
extern uint16_t
inp_uint16(struct ud* u)
{
uint16_t r, ret;
ret = inp_next(u);
r = inp_next(u);
return ret | (r << 8);
}
extern uint32_t
inp_uint32(struct ud* u)
{
uint32_t r, ret;
ret = inp_next(u);
r = inp_next(u);
ret = ret | (r << 8);
r = inp_next(u);
ret = ret | (r << 16);
r = inp_next(u);
return ret | (r << 24);
}
extern uint64_t
inp_uint64(struct ud* u)
{
uint64_t r, ret;
ret = inp_next(u);
r = inp_next(u);
ret = ret | (r << 8);
r = inp_next(u);
ret = ret | (r << 16);
r = inp_next(u);
ret = ret | (r << 24);
r = inp_next(u);
ret = ret | (r << 32);
r = inp_next(u);
ret = ret | (r << 40);
r = inp_next(u);
ret = ret | (r << 48);
r = inp_next(u);
return ret | (r << 56);
}

49
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/input.h Normal file
View File

@ -0,0 +1,49 @@
/* -----------------------------------------------------------------------------
* input.h
*
* Copyright (c) 2006, Vivek Mohan <vivek@sig9.com>
* All rights reserved. See LICENSE
* -----------------------------------------------------------------------------
*/
#ifndef UD_INPUT_H
#define UD_INPUT_H
#include "types.h"
uint8_t inp_next(struct ud*);
uint8_t inp_peek(struct ud*);
uint8_t inp_uint8(struct ud*);
uint16_t inp_uint16(struct ud*);
uint32_t inp_uint32(struct ud*);
uint64_t inp_uint64(struct ud*);
void inp_move(struct ud*, size_t);
void inp_back(struct ud*);
/* inp_init() - Initializes the input system. */
#define inp_init(u) \
do { \
u->inp_curr = 0; \
u->inp_fill = 0; \
u->inp_ctr = 0; \
u->inp_end = 0; \
} while (0)
/* inp_start() - Should be called before each de-code operation. */
#define inp_start(u) u->inp_ctr = 0
/* inp_back() - Resets the current pointer to its position before the current
* instruction disassembly was started.
*/
#define inp_reset(u) \
do { \
u->inp_curr -= u->inp_ctr; \
u->inp_ctr = 0; \
} while (0)
/* inp_sess() - Returns the pointer to current session. */
#define inp_sess(u) (u->inp_sess)
/* inp_cur() - Returns the current input byte. */
#define inp_curr(u) ((u)->inp_cache[(u)->inp_curr])
#endif

3668
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/itab.c Normal file
View File

File diff suppressed because it is too large Load Diff

719
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/itab.h Normal file
View File

@ -0,0 +1,719 @@
/* itab.h -- auto generated by opgen.py, do not edit. */
#ifndef UD_ITAB_H
#define UD_ITAB_H
enum ud_itab_vendor_index {
ITAB__VENDOR_INDX__AMD,
ITAB__VENDOR_INDX__INTEL,
};
enum ud_itab_mode_index {
ITAB__MODE_INDX__16,
ITAB__MODE_INDX__32,
ITAB__MODE_INDX__64
};
enum ud_itab_mod_index {
ITAB__MOD_INDX__NOT_11,
ITAB__MOD_INDX__11
};
enum ud_itab_index {
ITAB__0F,
ITAB__0F__OP_00__REG,
ITAB__0F__OP_01__REG,
ITAB__0F__OP_01__REG__OP_00__MOD,
ITAB__0F__OP_01__REG__OP_00__MOD__OP_01__RM,
ITAB__0F__OP_01__REG__OP_00__MOD__OP_01__RM__OP_01__VENDOR,
ITAB__0F__OP_01__REG__OP_00__MOD__OP_01__RM__OP_03__VENDOR,
ITAB__0F__OP_01__REG__OP_00__MOD__OP_01__RM__OP_04__VENDOR,
ITAB__0F__OP_01__REG__OP_01__MOD,
ITAB__0F__OP_01__REG__OP_01__MOD__OP_01__RM,
ITAB__0F__OP_01__REG__OP_02__MOD,
ITAB__0F__OP_01__REG__OP_03__MOD,
ITAB__0F__OP_01__REG__OP_03__MOD__OP_01__RM,
ITAB__0F__OP_01__REG__OP_03__MOD__OP_01__RM__OP_00__VENDOR,
ITAB__0F__OP_01__REG__OP_03__MOD__OP_01__RM__OP_01__VENDOR,
ITAB__0F__OP_01__REG__OP_03__MOD__OP_01__RM__OP_02__VENDOR,
ITAB__0F__OP_01__REG__OP_03__MOD__OP_01__RM__OP_03__VENDOR,
ITAB__0F__OP_01__REG__OP_03__MOD__OP_01__RM__OP_04__VENDOR,
ITAB__0F__OP_01__REG__OP_03__MOD__OP_01__RM__OP_05__VENDOR,
ITAB__0F__OP_01__REG__OP_03__MOD__OP_01__RM__OP_06__VENDOR,
ITAB__0F__OP_01__REG__OP_03__MOD__OP_01__RM__OP_07__VENDOR,
ITAB__0F__OP_01__REG__OP_04__MOD,
ITAB__0F__OP_01__REG__OP_06__MOD,
ITAB__0F__OP_01__REG__OP_07__MOD,
ITAB__0F__OP_01__REG__OP_07__MOD__OP_01__RM,
ITAB__0F__OP_01__REG__OP_07__MOD__OP_01__RM__OP_01__VENDOR,
ITAB__0F__OP_0D__REG,
ITAB__0F__OP_18__REG,
ITAB__0F__OP_71__REG,
ITAB__0F__OP_72__REG,
ITAB__0F__OP_73__REG,
ITAB__0F__OP_AE__REG,
ITAB__0F__OP_AE__REG__OP_05__MOD,
ITAB__0F__OP_AE__REG__OP_05__MOD__OP_01__RM,
ITAB__0F__OP_AE__REG__OP_06__MOD,
ITAB__0F__OP_AE__REG__OP_06__MOD__OP_01__RM,
ITAB__0F__OP_AE__REG__OP_07__MOD,
ITAB__0F__OP_AE__REG__OP_07__MOD__OP_01__RM,
ITAB__0F__OP_BA__REG,
ITAB__0F__OP_C7__REG,
ITAB__0F__OP_C7__REG__OP_00__VENDOR,
ITAB__0F__OP_C7__REG__OP_07__VENDOR,
ITAB__0F__OP_D9__MOD,
ITAB__0F__OP_D9__MOD__OP_01__X87,
ITAB__1BYTE,
ITAB__1BYTE__OP_60__OSIZE,
ITAB__1BYTE__OP_61__OSIZE,
ITAB__1BYTE__OP_63__MODE,
ITAB__1BYTE__OP_6D__OSIZE,
ITAB__1BYTE__OP_6F__OSIZE,
ITAB__1BYTE__OP_80__REG,
ITAB__1BYTE__OP_81__REG,
ITAB__1BYTE__OP_82__REG,
ITAB__1BYTE__OP_83__REG,
ITAB__1BYTE__OP_8F__REG,
ITAB__1BYTE__OP_98__OSIZE,
ITAB__1BYTE__OP_99__OSIZE,
ITAB__1BYTE__OP_9C__MODE,
ITAB__1BYTE__OP_9C__MODE__OP_00__OSIZE,
ITAB__1BYTE__OP_9C__MODE__OP_01__OSIZE,
ITAB__1BYTE__OP_9D__MODE,
ITAB__1BYTE__OP_9D__MODE__OP_00__OSIZE,
ITAB__1BYTE__OP_9D__MODE__OP_01__OSIZE,
ITAB__1BYTE__OP_A5__OSIZE,
ITAB__1BYTE__OP_A7__OSIZE,
ITAB__1BYTE__OP_AB__OSIZE,
ITAB__1BYTE__OP_AD__OSIZE,
ITAB__1BYTE__OP_AE__MOD,
ITAB__1BYTE__OP_AE__MOD__OP_00__REG,
ITAB__1BYTE__OP_AF__OSIZE,
ITAB__1BYTE__OP_C0__REG,
ITAB__1BYTE__OP_C1__REG,
ITAB__1BYTE__OP_C6__REG,
ITAB__1BYTE__OP_C7__REG,
ITAB__1BYTE__OP_CF__OSIZE,
ITAB__1BYTE__OP_D0__REG,
ITAB__1BYTE__OP_D1__REG,
ITAB__1BYTE__OP_D2__REG,
ITAB__1BYTE__OP_D3__REG,
ITAB__1BYTE__OP_D8__MOD,
ITAB__1BYTE__OP_D8__MOD__OP_00__REG,
ITAB__1BYTE__OP_D8__MOD__OP_01__X87,
ITAB__1BYTE__OP_D9__MOD,
ITAB__1BYTE__OP_D9__MOD__OP_00__REG,
ITAB__1BYTE__OP_D9__MOD__OP_01__X87,
ITAB__1BYTE__OP_DA__MOD,
ITAB__1BYTE__OP_DA__MOD__OP_00__REG,
ITAB__1BYTE__OP_DA__MOD__OP_01__X87,
ITAB__1BYTE__OP_DB__MOD,
ITAB__1BYTE__OP_DB__MOD__OP_00__REG,
ITAB__1BYTE__OP_DB__MOD__OP_01__X87,
ITAB__1BYTE__OP_DC__MOD,
ITAB__1BYTE__OP_DC__MOD__OP_00__REG,
ITAB__1BYTE__OP_DC__MOD__OP_01__X87,
ITAB__1BYTE__OP_DD__MOD,
ITAB__1BYTE__OP_DD__MOD__OP_00__REG,
ITAB__1BYTE__OP_DD__MOD__OP_01__X87,
ITAB__1BYTE__OP_DE__MOD,
ITAB__1BYTE__OP_DE__MOD__OP_00__REG,
ITAB__1BYTE__OP_DE__MOD__OP_01__X87,
ITAB__1BYTE__OP_DF__MOD,
ITAB__1BYTE__OP_DF__MOD__OP_00__REG,
ITAB__1BYTE__OP_DF__MOD__OP_01__X87,
ITAB__1BYTE__OP_E3__ASIZE,
ITAB__1BYTE__OP_F6__REG,
ITAB__1BYTE__OP_F7__REG,
ITAB__1BYTE__OP_FE__REG,
ITAB__1BYTE__OP_FF__REG,
ITAB__3DNOW,
ITAB__PFX_SSE66__0F,
ITAB__PFX_SSE66__0F__OP_71__REG,
ITAB__PFX_SSE66__0F__OP_72__REG,
ITAB__PFX_SSE66__0F__OP_73__REG,
ITAB__PFX_SSE66__0F__OP_C7__REG,
ITAB__PFX_SSE66__0F__OP_C7__REG__OP_00__VENDOR,
ITAB__PFX_SSEF2__0F,
ITAB__PFX_SSEF3__0F,
ITAB__PFX_SSEF3__0F__OP_C7__REG,
ITAB__PFX_SSEF3__0F__OP_C7__REG__OP_07__VENDOR,
};
enum ud_mnemonic_code {
UD_I3dnow,
UD_Iaaa,
UD_Iaad,
UD_Iaam,
UD_Iaas,
UD_Iadc,
UD_Iadd,
UD_Iaddpd,
UD_Iaddps,
UD_Iaddsd,
UD_Iaddss,
UD_Iaddsubpd,
UD_Iaddsubps,
UD_Iand,
UD_Iandpd,
UD_Iandps,
UD_Iandnpd,
UD_Iandnps,
UD_Iarpl,
UD_Imovsxd,
UD_Ibound,
UD_Ibsf,
UD_Ibsr,
UD_Ibswap,
UD_Ibt,
UD_Ibtc,
UD_Ibtr,
UD_Ibts,
UD_Icall,
UD_Icbw,
UD_Icwde,
UD_Icdqe,
UD_Iclc,
UD_Icld,
UD_Iclflush,
UD_Iclgi,
UD_Icli,
UD_Iclts,
UD_Icmc,
UD_Icmovo,
UD_Icmovno,
UD_Icmovb,
UD_Icmovae,
UD_Icmovz,
UD_Icmovnz,
UD_Icmovbe,
UD_Icmova,
UD_Icmovs,
UD_Icmovns,
UD_Icmovp,
UD_Icmovnp,
UD_Icmovl,
UD_Icmovge,
UD_Icmovle,
UD_Icmovg,
UD_Icmp,
UD_Icmppd,
UD_Icmpps,
UD_Icmpsb,
UD_Icmpsw,
UD_Icmpsd,
UD_Icmpsq,
UD_Icmpss,
UD_Icmpxchg,
UD_Icmpxchg8b,
UD_Icomisd,
UD_Icomiss,
UD_Icpuid,
UD_Icvtdq2pd,
UD_Icvtdq2ps,
UD_Icvtpd2dq,
UD_Icvtpd2pi,
UD_Icvtpd2ps,
UD_Icvtpi2ps,
UD_Icvtpi2pd,
UD_Icvtps2dq,
UD_Icvtps2pi,
UD_Icvtps2pd,
UD_Icvtsd2si,
UD_Icvtsd2ss,
UD_Icvtsi2ss,
UD_Icvtss2si,
UD_Icvtss2sd,
UD_Icvttpd2pi,
UD_Icvttpd2dq,
UD_Icvttps2dq,
UD_Icvttps2pi,
UD_Icvttsd2si,
UD_Icvtsi2sd,
UD_Icvttss2si,
UD_Icwd,
UD_Icdq,
UD_Icqo,
UD_Idaa,
UD_Idas,
UD_Idec,
UD_Idiv,
UD_Idivpd,
UD_Idivps,
UD_Idivsd,
UD_Idivss,
UD_Iemms,
UD_Ienter,
UD_If2xm1,
UD_Ifabs,
UD_Ifadd,
UD_Ifaddp,
UD_Ifbld,
UD_Ifbstp,
UD_Ifchs,
UD_Ifclex,
UD_Ifcmovb,
UD_Ifcmove,
UD_Ifcmovbe,
UD_Ifcmovu,
UD_Ifcmovnb,
UD_Ifcmovne,
UD_Ifcmovnbe,
UD_Ifcmovnu,
UD_Ifucomi,
UD_Ifcom,
UD_Ifcom2,
UD_Ifcomp3,
UD_Ifcomi,
UD_Ifucomip,
UD_Ifcomip,
UD_Ifcomp,
UD_Ifcomp5,
UD_Ifcompp,
UD_Ifcos,
UD_Ifdecstp,
UD_Ifdiv,
UD_Ifdivp,
UD_Ifdivr,
UD_Ifdivrp,
UD_Ifemms,
UD_Iffree,
UD_Iffreep,
UD_Ificom,
UD_Ificomp,
UD_Ifild,
UD_Ifncstp,
UD_Ifninit,
UD_Ifiadd,
UD_Ifidivr,
UD_Ifidiv,
UD_Ifisub,
UD_Ifisubr,
UD_Ifist,
UD_Ifistp,
UD_Ifisttp,
UD_Ifld,
UD_Ifld1,
UD_Ifldl2t,
UD_Ifldl2e,
UD_Ifldlpi,
UD_Ifldlg2,
UD_Ifldln2,
UD_Ifldz,
UD_Ifldcw,
UD_Ifldenv,
UD_Ifmul,
UD_Ifmulp,
UD_Ifimul,
UD_Ifnop,
UD_Ifpatan,
UD_Ifprem,
UD_Ifprem1,
UD_Ifptan,
UD_Ifrndint,
UD_Ifrstor,
UD_Ifnsave,
UD_Ifscale,
UD_Ifsin,
UD_Ifsincos,
UD_Ifsqrt,
UD_Ifstp,
UD_Ifstp1,
UD_Ifstp8,
UD_Ifstp9,
UD_Ifst,
UD_Ifnstcw,
UD_Ifnstenv,
UD_Ifnstsw,
UD_Ifsub,
UD_Ifsubp,
UD_Ifsubr,
UD_Ifsubrp,
UD_Iftst,
UD_Ifucom,
UD_Ifucomp,
UD_Ifucompp,
UD_Ifxam,
UD_Ifxch,
UD_Ifxch4,
UD_Ifxch7,
UD_Ifxrstor,
UD_Ifxsave,
UD_Ifpxtract,
UD_Ifyl2x,
UD_Ifyl2xp1,
UD_Ihaddpd,
UD_Ihaddps,
UD_Ihlt,
UD_Ihsubpd,
UD_Ihsubps,
UD_Iidiv,
UD_Iin,
UD_Iimul,
UD_Iinc,
UD_Iinsb,
UD_Iinsw,
UD_Iinsd,
UD_Iint1,
UD_Iint3,
UD_Iint,
UD_Iinto,
UD_Iinvd,
UD_Iinvlpg,
UD_Iinvlpga,
UD_Iiretw,
UD_Iiretd,
UD_Iiretq,
UD_Ijo,
UD_Ijno,
UD_Ijb,
UD_Ijae,
UD_Ijz,
UD_Ijnz,
UD_Ijbe,
UD_Ija,
UD_Ijs,
UD_Ijns,
UD_Ijp,
UD_Ijnp,
UD_Ijl,
UD_Ijge,
UD_Ijle,
UD_Ijg,
UD_Ijcxz,
UD_Ijecxz,
UD_Ijrcxz,
UD_Ijmp,
UD_Ilahf,
UD_Ilar,
UD_Ilddqu,
UD_Ildmxcsr,
UD_Ilds,
UD_Ilea,
UD_Iles,
UD_Ilfs,
UD_Ilgs,
UD_Ilidt,
UD_Ilss,
UD_Ileave,
UD_Ilfence,
UD_Ilgdt,
UD_Illdt,
UD_Ilmsw,
UD_Ilock,
UD_Ilodsb,
UD_Ilodsw,
UD_Ilodsd,
UD_Ilodsq,
UD_Iloopnz,
UD_Iloope,
UD_Iloop,
UD_Ilsl,
UD_Iltr,
UD_Imaskmovq,
UD_Imaxpd,
UD_Imaxps,
UD_Imaxsd,
UD_Imaxss,
UD_Imfence,
UD_Iminpd,
UD_Iminps,
UD_Iminsd,
UD_Iminss,
UD_Imonitor,
UD_Imov,
UD_Imovapd,
UD_Imovaps,
UD_Imovd,
UD_Imovddup,
UD_Imovdqa,
UD_Imovdqu,
UD_Imovdq2q,
UD_Imovhpd,
UD_Imovhps,
UD_Imovlhps,
UD_Imovlpd,
UD_Imovlps,
UD_Imovhlps,
UD_Imovmskpd,
UD_Imovmskps,
UD_Imovntdq,
UD_Imovnti,
UD_Imovntpd,
UD_Imovntps,
UD_Imovntq,
UD_Imovq,
UD_Imovqa,
UD_Imovq2dq,
UD_Imovsb,
UD_Imovsw,
UD_Imovsd,
UD_Imovsq,
UD_Imovsldup,
UD_Imovshdup,
UD_Imovss,
UD_Imovsx,
UD_Imovupd,
UD_Imovups,
UD_Imovzx,
UD_Imul,
UD_Imulpd,
UD_Imulps,
UD_Imulsd,
UD_Imulss,
UD_Imwait,
UD_Ineg,
UD_Inop,
UD_Inot,
UD_Ior,
UD_Iorpd,
UD_Iorps,
UD_Iout,
UD_Ioutsb,
UD_Ioutsw,
UD_Ioutsd,
UD_Ioutsq,
UD_Ipacksswb,
UD_Ipackssdw,
UD_Ipackuswb,
UD_Ipaddb,
UD_Ipaddw,
UD_Ipaddq,
UD_Ipaddsb,
UD_Ipaddsw,
UD_Ipaddusb,
UD_Ipaddusw,
UD_Ipand,
UD_Ipandn,
UD_Ipause,
UD_Ipavgb,
UD_Ipavgw,
UD_Ipcmpeqb,
UD_Ipcmpeqw,
UD_Ipcmpeqd,
UD_Ipcmpgtb,
UD_Ipcmpgtw,
UD_Ipcmpgtd,
UD_Ipextrw,
UD_Ipinsrw,
UD_Ipmaddwd,
UD_Ipmaxsw,
UD_Ipmaxub,
UD_Ipminsw,
UD_Ipminub,
UD_Ipmovmskb,
UD_Ipmulhuw,
UD_Ipmulhw,
UD_Ipmullw,
UD_Ipmuludq,
UD_Ipop,
UD_Ipopa,
UD_Ipopad,
UD_Ipopfw,
UD_Ipopfd,
UD_Ipopfq,
UD_Ipor,
UD_Iprefetch,
UD_Iprefetchnta,
UD_Iprefetcht0,
UD_Iprefetcht1,
UD_Iprefetcht2,
UD_Ipsadbw,
UD_Ipshufd,
UD_Ipshufhw,
UD_Ipshuflw,
UD_Ipshufw,
UD_Ipslldq,
UD_Ipsllw,
UD_Ipslld,
UD_Ipsllq,
UD_Ipsraw,
UD_Ipsrad,
UD_Ipsrlw,
UD_Ipsrld,
UD_Ipsrlq,
UD_Ipsrldq,
UD_Ipsubb,
UD_Ipsubw,
UD_Ipsubd,
UD_Ipsubq,
UD_Ipsubsb,
UD_Ipsubsw,
UD_Ipsubusb,
UD_Ipsubusw,
UD_Ipunpckhbw,
UD_Ipunpckhwd,
UD_Ipunpckhdq,
UD_Ipunpckhqdq,
UD_Ipunpcklbw,
UD_Ipunpcklwd,
UD_Ipunpckldq,
UD_Ipunpcklqdq,
UD_Ipi2fw,
UD_Ipi2fd,
UD_Ipf2iw,
UD_Ipf2id,
UD_Ipfnacc,
UD_Ipfpnacc,
UD_Ipfcmpge,
UD_Ipfmin,
UD_Ipfrcp,
UD_Ipfrsqrt,
UD_Ipfsub,
UD_Ipfadd,
UD_Ipfcmpgt,
UD_Ipfmax,
UD_Ipfrcpit1,
UD_Ipfrspit1,
UD_Ipfsubr,
UD_Ipfacc,
UD_Ipfcmpeq,
UD_Ipfmul,
UD_Ipfrcpit2,
UD_Ipmulhrw,
UD_Ipswapd,
UD_Ipavgusb,
UD_Ipush,
UD_Ipusha,
UD_Ipushad,
UD_Ipushfw,
UD_Ipushfd,
UD_Ipushfq,
UD_Ipxor,
UD_Ircl,
UD_Ircr,
UD_Irol,
UD_Iror,
UD_Ircpps,
UD_Ircpss,
UD_Irdmsr,
UD_Irdpmc,
UD_Irdtsc,
UD_Irdtscp,
UD_Irepne,
UD_Irep,
UD_Iret,
UD_Iretf,
UD_Irsm,
UD_Irsqrtps,
UD_Irsqrtss,
UD_Isahf,
UD_Isal,
UD_Isalc,
UD_Isar,
UD_Ishl,
UD_Ishr,
UD_Isbb,
UD_Iscasb,
UD_Iscasw,
UD_Iscasd,
UD_Iscasq,
UD_Iseto,
UD_Isetno,
UD_Isetb,
UD_Isetnb,
UD_Isetz,
UD_Isetnz,
UD_Isetbe,
UD_Iseta,
UD_Isets,
UD_Isetns,
UD_Isetp,
UD_Isetnp,
UD_Isetl,
UD_Isetge,
UD_Isetle,
UD_Isetg,
UD_Isfence,
UD_Isgdt,
UD_Ishld,
UD_Ishrd,
UD_Ishufpd,
UD_Ishufps,
UD_Isidt,
UD_Isldt,
UD_Ismsw,
UD_Isqrtps,
UD_Isqrtpd,
UD_Isqrtsd,
UD_Isqrtss,
UD_Istc,
UD_Istd,
UD_Istgi,
UD_Isti,
UD_Iskinit,
UD_Istmxcsr,
UD_Istosb,
UD_Istosw,
UD_Istosd,
UD_Istosq,
UD_Istr,
UD_Isub,
UD_Isubpd,
UD_Isubps,
UD_Isubsd,
UD_Isubss,
UD_Iswapgs,
UD_Isyscall,
UD_Isysenter,
UD_Isysexit,
UD_Isysret,
UD_Itest,
UD_Iucomisd,
UD_Iucomiss,
UD_Iud2,
UD_Iunpckhpd,
UD_Iunpckhps,
UD_Iunpcklps,
UD_Iunpcklpd,
UD_Iverr,
UD_Iverw,
UD_Ivmcall,
UD_Ivmclear,
UD_Ivmxon,
UD_Ivmptrld,
UD_Ivmptrst,
UD_Ivmresume,
UD_Ivmxoff,
UD_Ivmrun,
UD_Ivmmcall,
UD_Ivmload,
UD_Ivmsave,
UD_Iwait,
UD_Iwbinvd,
UD_Iwrmsr,
UD_Ixadd,
UD_Ixchg,
UD_Ixlatb,
UD_Ixor,
UD_Ixorpd,
UD_Ixorps,
UD_Idb,
UD_Iinvalid,
UD_Id3vil,
UD_Ina,
UD_Igrp_reg,
UD_Igrp_rm,
UD_Igrp_vendor,
UD_Igrp_x87,
UD_Igrp_mode,
UD_Igrp_osize,
UD_Igrp_asize,
UD_Igrp_mod,
UD_Inone,
};
extern const char* ud_mnemonics_str[];;
extern struct ud_itab_entry* ud_itab_list[];
#endif

211
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/syn-att.c Normal file
View File

@ -0,0 +1,211 @@
/* -----------------------------------------------------------------------------
* syn-att.c
*
* Copyright (c) 2004, 2005, 2006 Vivek Mohan <vivek@sig9.com>
* All rights reserved. See (LICENSE)
* -----------------------------------------------------------------------------
*/
#include "types.h"
#include "extern.h"
#include "decode.h"
#include "itab.h"
#include "syn.h"
/* -----------------------------------------------------------------------------
* opr_cast() - Prints an operand cast.
* -----------------------------------------------------------------------------
*/
static void
opr_cast(struct ud* u, struct ud_operand* op)
{
switch(op->size) {
case 16 : case 32 :
mkasm(u, "*"); break;
default: break;
}
}
/* -----------------------------------------------------------------------------
* gen_operand() - Generates assembly output for each operand.
* -----------------------------------------------------------------------------
*/
static void
gen_operand(struct ud* u, struct ud_operand* op)
{
switch(op->type) {
case UD_OP_REG:
mkasm(u, "%%%s", ud_reg_tab[op->base - UD_R_AL]);
break;
case UD_OP_MEM:
if (u->br_far) opr_cast(u, op);
if (u->pfx_seg)
mkasm(u, "%%%s:", ud_reg_tab[u->pfx_seg - UD_R_AL]);
if (op->offset == 8) {
if (op->lval.sbyte < 0)
mkasm(u, "-0x%x", (-op->lval.sbyte) & 0xff);
else mkasm(u, "0x%x", op->lval.sbyte);
}
else if (op->offset == 16)
mkasm(u, "0x%x", op->lval.uword);
else if (op->offset == 32)
mkasm(u, "0x%lx", op->lval.udword);
else if (op->offset == 64)
mkasm(u, "0x" FMT64 "x", op->lval.uqword);
if (op->base)
mkasm(u, "(%%%s", ud_reg_tab[op->base - UD_R_AL]);
if (op->index) {
if (op->base)
mkasm(u, ",");
else mkasm(u, "(");
mkasm(u, "%%%s", ud_reg_tab[op->index - UD_R_AL]);
}
if (op->scale)
mkasm(u, ",%d", op->scale);
if (op->base || op->index)
mkasm(u, ")");
break;
case UD_OP_IMM:
switch (op->size) {
case 8: mkasm(u, "$0x%x", op->lval.ubyte); break;
case 16: mkasm(u, "$0x%x", op->lval.uword); break;
case 32: mkasm(u, "$0x%lx", op->lval.udword); break;
case 64: mkasm(u, "$0x" FMT64 "x", op->lval.uqword); break;
default: break;
}
break;
case UD_OP_JIMM:
switch (op->size) {
case 8:
mkasm(u, "0x" FMT64 "x", u->pc + op->lval.sbyte);
break;
case 16:
mkasm(u, "0x" FMT64 "x", u->pc + op->lval.sword);
break;
case 32:
mkasm(u, "0x" FMT64 "x", u->pc + op->lval.sdword);
break;
default:break;
}
break;
case UD_OP_PTR:
switch (op->size) {
case 32:
mkasm(u, "$0x%x, $0x%x", op->lval.ptr.seg,
op->lval.ptr.off & 0xFFFF);
break;
case 48:
mkasm(u, "$0x%x, $0x%lx", op->lval.ptr.seg,
op->lval.ptr.off);
break;
}
break;
default: return;
}
}
/* =============================================================================
* translates to AT&T syntax
* =============================================================================
*/
extern void
ud_translate_att(struct ud *u)
{
int size = 0;
/* check if P_OSO prefix is used */
if (! P_OSO(u->itab_entry->prefix) && u->pfx_opr) {
switch (u->dis_mode) {
case 16:
mkasm(u, "o32 ");
break;
case 32:
case 64:
mkasm(u, "o16 ");
break;
}
}
/* check if P_ASO prefix was used */
if (! P_ASO(u->itab_entry->prefix) && u->pfx_adr) {
switch (u->dis_mode) {
case 16:
mkasm(u, "a32 ");
break;
case 32:
mkasm(u, "a16 ");
break;
case 64:
mkasm(u, "a32 ");
break;
}
}
if (u->pfx_lock)
mkasm(u, "lock ");
if (u->pfx_rep)
mkasm(u, "rep ");
if (u->pfx_repne)
mkasm(u, "repne ");
/* special instructions */
switch (u->mnemonic) {
case UD_Iretf:
mkasm(u, "lret ");
break;
case UD_Idb:
mkasm(u, ".byte 0x%x", u->operand[0].lval.ubyte);
return;
case UD_Ijmp:
case UD_Icall:
if (u->br_far) mkasm(u, "l");
mkasm(u, "%s", ud_lookup_mnemonic(u->mnemonic));
break;
case UD_Ibound:
case UD_Ienter:
if (u->operand[0].type != UD_NONE)
gen_operand(u, &u->operand[0]);
if (u->operand[1].type != UD_NONE) {
mkasm(u, ",");
gen_operand(u, &u->operand[1]);
}
return;
default:
mkasm(u, "%s", ud_lookup_mnemonic(u->mnemonic));
}
if (u->c1)
size = u->operand[0].size;
else if (u->c2)
size = u->operand[1].size;
else if (u->c3)
size = u->operand[2].size;
if (size == 8)
mkasm(u, "b");
else if (size == 16)
mkasm(u, "w");
else if (size == 64)
mkasm(u, "q");
mkasm(u, " ");
if (u->operand[2].type != UD_NONE) {
gen_operand(u, &u->operand[2]);
mkasm(u, ", ");
}
if (u->operand[1].type != UD_NONE) {
gen_operand(u, &u->operand[1]);
mkasm(u, ", ");
}
if (u->operand[0].type != UD_NONE)
gen_operand(u, &u->operand[0]);
}

208
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/syn-intel.c Normal file
View File

@ -0,0 +1,208 @@
/* -----------------------------------------------------------------------------
* syn-intel.c
*
* Copyright (c) 2002, 2003, 2004 Vivek Mohan <vivek@sig9.com>
* All rights reserved. See (LICENSE)
* -----------------------------------------------------------------------------
*/
#include "types.h"
#include "extern.h"
#include "decode.h"
#include "itab.h"
#include "syn.h"
/* -----------------------------------------------------------------------------
* opr_cast() - Prints an operand cast.
* -----------------------------------------------------------------------------
*/
static void
opr_cast(struct ud* u, struct ud_operand* op)
{
switch(op->size) {
case 8: mkasm(u, "byte " ); break;
case 16: mkasm(u, "word " ); break;
case 32: mkasm(u, "dword "); break;
case 64: mkasm(u, "qword "); break;
case 80: mkasm(u, "tword "); break;
default: break;
}
if (u->br_far)
mkasm(u, "far ");
else if (u->br_near)
mkasm(u, "near ");
}
/* -----------------------------------------------------------------------------
* gen_operand() - Generates assembly output for each operand.
* -----------------------------------------------------------------------------
*/
static void gen_operand(struct ud* u, struct ud_operand* op, int syn_cast)
{
switch(op->type) {
case UD_OP_REG:
mkasm(u, ud_reg_tab[op->base - UD_R_AL]);
break;
case UD_OP_MEM: {
int op_f = 0;
if (syn_cast)
opr_cast(u, op);
mkasm(u, "[");
if (u->pfx_seg)
mkasm(u, "%s:", ud_reg_tab[u->pfx_seg - UD_R_AL]);
if (op->base) {
mkasm(u, "%s", ud_reg_tab[op->base - UD_R_AL]);
op_f = 1;
}
if (op->index) {
if (op_f)
mkasm(u, "+");
mkasm(u, "%s", ud_reg_tab[op->index - UD_R_AL]);
op_f = 1;
}
if (op->scale)
mkasm(u, "*%d", op->scale);
if (op->offset == 8) {
if (op->lval.sbyte < 0)
mkasm(u, "-0x%x", -op->lval.sbyte);
else mkasm(u, "%s0x%x", (op_f) ? "+" : "", op->lval.sbyte);
}
else if (op->offset == 16)
mkasm(u, "%s0x%x", (op_f) ? "+" : "", op->lval.uword);
else if (op->offset == 32) {
if (u->adr_mode == 64) {
if (op->lval.sdword < 0)
mkasm(u, "-0x%x", -op->lval.sdword);
else mkasm(u, "%s0x%x", (op_f) ? "+" : "", op->lval.sdword);
}
else mkasm(u, "%s0x%lx", (op_f) ? "+" : "", op->lval.udword);
}
else if (op->offset == 64)
mkasm(u, "%s0x" FMT64 "x", (op_f) ? "+" : "", op->lval.uqword);
mkasm(u, "]");
break;
}
case UD_OP_IMM:
if (syn_cast) opr_cast(u, op);
switch (op->size) {
case 8: mkasm(u, "0x%x", op->lval.ubyte); break;
case 16: mkasm(u, "0x%x", op->lval.uword); break;
case 32: mkasm(u, "0x%lx", op->lval.udword); break;
case 64: mkasm(u, "0x" FMT64 "x", op->lval.uqword); break;
default: break;
}
break;
case UD_OP_JIMM:
if (syn_cast) opr_cast(u, op);
switch (op->size) {
case 8:
mkasm(u, "0x" FMT64 "x", u->pc + op->lval.sbyte);
break;
case 16:
mkasm(u, "0x" FMT64 "x", u->pc + op->lval.sword);
break;
case 32:
mkasm(u, "0x" FMT64 "x", u->pc + op->lval.sdword);
break;
default:break;
}
break;
case UD_OP_PTR:
switch (op->size) {
case 32:
mkasm(u, "word 0x%x:0x%x", op->lval.ptr.seg,
op->lval.ptr.off & 0xFFFF);
break;
case 48:
mkasm(u, "dword 0x%x:0x%lx", op->lval.ptr.seg,
op->lval.ptr.off);
break;
}
break;
case UD_OP_CONST:
if (syn_cast) opr_cast(u, op);
mkasm(u, "%d", op->lval.udword);
break;
default: return;
}
}
/* =============================================================================
* translates to intel syntax
* =============================================================================
*/
extern void ud_translate_intel(struct ud* u)
{
/* -- prefixes -- */
/* check if P_OSO prefix is used */
if (! P_OSO(u->itab_entry->prefix) && u->pfx_opr) {
switch (u->dis_mode) {
case 16:
mkasm(u, "o32 ");
break;
case 32:
case 64:
mkasm(u, "o16 ");
break;
}
}
/* check if P_ASO prefix was used */
if (! P_ASO(u->itab_entry->prefix) && u->pfx_adr) {
switch (u->dis_mode) {
case 16:
mkasm(u, "a32 ");
break;
case 32:
mkasm(u, "a16 ");
break;
case 64:
mkasm(u, "a32 ");
break;
}
}
if (u->pfx_lock)
mkasm(u, "lock ");
if (u->pfx_rep)
mkasm(u, "rep ");
if (u->pfx_repne)
mkasm(u, "repne ");
if (u->implicit_addr && u->pfx_seg)
mkasm(u, "%s ", ud_reg_tab[u->pfx_seg - UD_R_AL]);
/* print the instruction mnemonic */
mkasm(u, "%s ", ud_lookup_mnemonic(u->mnemonic));
/* operand 1 */
if (u->operand[0].type != UD_NONE) {
gen_operand(u, &u->operand[0], u->c1);
}
/* operand 2 */
if (u->operand[1].type != UD_NONE) {
mkasm(u, ", ");
gen_operand(u, &u->operand[1], u->c2);
}
/* operand 3 */
if (u->operand[2].type != UD_NONE) {
mkasm(u, ", ");
gen_operand(u, &u->operand[2], u->c3);
}
}

61
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/syn.c Normal file
View File

@ -0,0 +1,61 @@
/* -----------------------------------------------------------------------------
* syn.c
*
* Copyright (c) 2002, 2003, 2004 Vivek Mohan <vivek@sig9.com>
* All rights reserved. See (LICENSE)
* -----------------------------------------------------------------------------
*/
/* -----------------------------------------------------------------------------
* Intel Register Table - Order Matters (types.h)!
* -----------------------------------------------------------------------------
*/
const char* ud_reg_tab[] =
{
"al", "cl", "dl", "bl",
"ah", "ch", "dh", "bh",
"spl", "bpl", "sil", "dil",
"r8b", "r9b", "r10b", "r11b",
"r12b", "r13b", "r14b", "r15b",
"ax", "cx", "dx", "bx",
"sp", "bp", "si", "di",
"r8w", "r9w", "r10w", "r11w",
"r12w", "r13W" , "r14w", "r15w",
"eax", "ecx", "edx", "ebx",
"esp", "ebp", "esi", "edi",
"r8d", "r9d", "r10d", "r11d",
"r12d", "r13d", "r14d", "r15d",
"rax", "rcx", "rdx", "rbx",
"rsp", "rbp", "rsi", "rdi",
"r8", "r9", "r10", "r11",
"r12", "r13", "r14", "r15",
"es", "cs", "ss", "ds",
"fs", "gs",
"cr0", "cr1", "cr2", "cr3",
"cr4", "cr5", "cr6", "cr7",
"cr8", "cr9", "cr10", "cr11",
"cr12", "cr13", "cr14", "cr15",
"dr0", "dr1", "dr2", "dr3",
"dr4", "dr5", "dr6", "dr7",
"dr8", "dr9", "dr10", "dr11",
"dr12", "dr13", "dr14", "dr15",
"mm0", "mm1", "mm2", "mm3",
"mm4", "mm5", "mm6", "mm7",
"st0", "st1", "st2", "st3",
"st4", "st5", "st6", "st7",
"xmm0", "xmm1", "xmm2", "xmm3",
"xmm4", "xmm5", "xmm6", "xmm7",
"xmm8", "xmm9", "xmm10", "xmm11",
"xmm12", "xmm13", "xmm14", "xmm15",
"rip"
};

25
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/syn.h Normal file
View File

@ -0,0 +1,25 @@
/* -----------------------------------------------------------------------------
* syn.h
*
* Copyright (c) 2006, Vivek Mohan <vivek@sig9.com>
* All rights reserved. See LICENSE
* -----------------------------------------------------------------------------
*/
#ifndef UD_SYN_H
#define UD_SYN_H
#include <stdio.h>
#include <stdarg.h>
#include "types.h"
extern const char* ud_reg_tab[];
static void mkasm(struct ud* u, const char* fmt, ...)
{
va_list ap;
va_start(ap, fmt);
u->insn_fill += vsprintf((char*) u->insn_buffer + u->insn_fill, fmt, ap);
va_end(ap);
}
#endif

200
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/types.h Normal file
View File

@ -0,0 +1,200 @@
/* -----------------------------------------------------------------------------
* types.h
*
* Copyright (c) 2006, Vivek Mohan <vivek@sig9.com>
* All rights reserved. See LICENSE
* -----------------------------------------------------------------------------
*/
#ifndef UD_TYPES_H
#define UD_TYPES_H
#include <stdio.h>
#ifdef _MSC_VER
# define FMT64 "%I64"
typedef unsigned __int8 uint8_t;
typedef unsigned __int16 uint16_t;
typedef unsigned __int32 uint32_t;
typedef unsigned __int64 uint64_t;
typedef __int8 int8_t;
typedef __int16 int16_t;
typedef __int32 int32_t;
typedef __int64 int64_t;
#else
# define FMT64 "%ll"
# include <inttypes.h>
#endif
#include "itab.h"
/* -----------------------------------------------------------------------------
* All possible "types" of objects in udis86. Order is Important!
* -----------------------------------------------------------------------------
*/
enum ud_type
{
UD_NONE,
/* 8 bit GPRs */
UD_R_AL, UD_R_CL, UD_R_DL, UD_R_BL,
UD_R_AH, UD_R_CH, UD_R_DH, UD_R_BH,
UD_R_SPL, UD_R_BPL, UD_R_SIL, UD_R_DIL,
UD_R_R8B, UD_R_R9B, UD_R_R10B, UD_R_R11B,
UD_R_R12B, UD_R_R13B, UD_R_R14B, UD_R_R15B,
/* 16 bit GPRs */
UD_R_AX, UD_R_CX, UD_R_DX, UD_R_BX,
UD_R_SP, UD_R_BP, UD_R_SI, UD_R_DI,
UD_R_R8W, UD_R_R9W, UD_R_R10W, UD_R_R11W,
UD_R_R12W, UD_R_R13W, UD_R_R14W, UD_R_R15W,
/* 32 bit GPRs */
UD_R_EAX, UD_R_ECX, UD_R_EDX, UD_R_EBX,
UD_R_ESP, UD_R_EBP, UD_R_ESI, UD_R_EDI,
UD_R_R8D, UD_R_R9D, UD_R_R10D, UD_R_R11D,
UD_R_R12D, UD_R_R13D, UD_R_R14D, UD_R_R15D,
/* 64 bit GPRs */
UD_R_RAX, UD_R_RCX, UD_R_RDX, UD_R_RBX,
UD_R_RSP, UD_R_RBP, UD_R_RSI, UD_R_RDI,
UD_R_R8, UD_R_R9, UD_R_R10, UD_R_R11,
UD_R_R12, UD_R_R13, UD_R_R14, UD_R_R15,
/* segment registers */
UD_R_ES, UD_R_CS, UD_R_SS, UD_R_DS,
UD_R_FS, UD_R_GS,
/* control registers*/
UD_R_CR0, UD_R_CR1, UD_R_CR2, UD_R_CR3,
UD_R_CR4, UD_R_CR5, UD_R_CR6, UD_R_CR7,
UD_R_CR8, UD_R_CR9, UD_R_CR10, UD_R_CR11,
UD_R_CR12, UD_R_CR13, UD_R_CR14, UD_R_CR15,
/* debug registers */
UD_R_DR0, UD_R_DR1, UD_R_DR2, UD_R_DR3,
UD_R_DR4, UD_R_DR5, UD_R_DR6, UD_R_DR7,
UD_R_DR8, UD_R_DR9, UD_R_DR10, UD_R_DR11,
UD_R_DR12, UD_R_DR13, UD_R_DR14, UD_R_DR15,
/* mmx registers */
UD_R_MM0, UD_R_MM1, UD_R_MM2, UD_R_MM3,
UD_R_MM4, UD_R_MM5, UD_R_MM6, UD_R_MM7,
/* x87 registers */
UD_R_ST0, UD_R_ST1, UD_R_ST2, UD_R_ST3,
UD_R_ST4, UD_R_ST5, UD_R_ST6, UD_R_ST7,
/* extended multimedia registers */
UD_R_XMM0, UD_R_XMM1, UD_R_XMM2, UD_R_XMM3,
UD_R_XMM4, UD_R_XMM5, UD_R_XMM6, UD_R_XMM7,
UD_R_XMM8, UD_R_XMM9, UD_R_XMM10, UD_R_XMM11,
UD_R_XMM12, UD_R_XMM13, UD_R_XMM14, UD_R_XMM15,
UD_R_RIP,
/* Operand Types */
UD_OP_REG, UD_OP_MEM, UD_OP_PTR, UD_OP_IMM,
UD_OP_JIMM, UD_OP_CONST
};
/* -----------------------------------------------------------------------------
* struct ud_operand - Disassembled instruction Operand.
* -----------------------------------------------------------------------------
*/
struct ud_operand
{
enum ud_type type;
uint8_t size;
union {
int8_t sbyte;
uint8_t ubyte;
int16_t sword;
uint16_t uword;
int32_t sdword;
uint32_t udword;
int64_t sqword;
uint64_t uqword;
struct {
uint16_t seg;
uint32_t off;
} ptr;
} lval;
enum ud_type base;
enum ud_type index;
uint8_t offset;
uint8_t scale;
};
/* -----------------------------------------------------------------------------
* struct ud - The udis86 object.
* -----------------------------------------------------------------------------
*/
struct ud
{
int (*inp_hook) (struct ud*);
uint8_t inp_curr;
uint8_t inp_fill;
FILE* inp_file;
uint8_t inp_ctr;
uint8_t* inp_buff;
uint8_t* inp_buff_end;
uint8_t inp_end;
void (*translator)(struct ud*);
uint64_t insn_offset;
char insn_hexcode[32];
char insn_buffer[64];
unsigned int insn_fill;
uint8_t dis_mode;
uint64_t pc;
uint8_t vendor;
struct map_entry* mapen;
enum ud_mnemonic_code mnemonic;
struct ud_operand operand[3];
uint8_t error;
uint8_t pfx_rex;
uint8_t pfx_seg;
uint8_t pfx_opr;
uint8_t pfx_adr;
uint8_t pfx_lock;
uint8_t pfx_rep;
uint8_t pfx_repe;
uint8_t pfx_repne;
uint8_t pfx_insn;
uint8_t default64;
uint8_t opr_mode;
uint8_t adr_mode;
uint8_t br_far;
uint8_t br_near;
uint8_t implicit_addr;
uint8_t c1;
uint8_t c2;
uint8_t c3;
uint8_t inp_cache[256];
uint8_t inp_sess[64];
struct ud_itab_entry * itab_entry;
};
/* -----------------------------------------------------------------------------
* Type-definitions
* -----------------------------------------------------------------------------
*/
typedef enum ud_type ud_type_t;
typedef enum ud_mnemonic_code ud_mnemonic_code_t;
typedef struct ud ud_t;
typedef struct ud_operand ud_operand_t;
#define UD_SYN_INTEL ud_translate_intel
#define UD_SYN_ATT ud_translate_att
#define UD_EOI -1
#define UD_INP_CACHE_SZ 32
#define UD_VENDOR_AMD 0
#define UD_VENDOR_INTEL 1
#define bail_out(ud,error_code) longjmp( (ud)->bailout, error_code )
#define try_decode(ud) if ( setjmp( (ud)->bailout ) == 0 )
#define catch_error() else
#endif

154
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/src/udis86.c Normal file
View File

@ -0,0 +1,154 @@
/* -----------------------------------------------------------------------------
* udis86.c
*
* Copyright (c) 2004, 2005, 2006, Vivek Mohan <vivek@sig9.com>
* All rights reserved. See LICENSE
* -----------------------------------------------------------------------------
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include "input.h"
#include "extern.h"
/* =============================================================================
* ud_init() - Initializes ud_t object.
* =============================================================================
*/
extern void
ud_init(struct ud* u)
{
memset((void*)u, 0, sizeof(struct ud));
ud_set_mode(u, 16);
u->mnemonic = UD_Iinvalid;
ud_set_pc(u, 0);
#ifndef __UD_STANDALONE__
ud_set_input_file(u, stdin);
#endif /* __UD_STANDALONE__ */
}
/* =============================================================================
* ud_disassemble() - disassembles one instruction and returns the number of
* bytes disassembled. A zero means end of disassembly.
* =============================================================================
*/
extern unsigned int
ud_disassemble(struct ud* u)
{
if (ud_input_end(u))
return 0;
u->insn_buffer[0] = u->insn_hexcode[0] = 0;
if (ud_decode(u) == 0)
return 0;
if (u->translator)
u->translator(u);
return ud_insn_len(u);
}
/* =============================================================================
* ud_set_mode() - Set Disassemly Mode.
* =============================================================================
*/
extern void
ud_set_mode(struct ud* u, uint8_t m)
{
switch(m) {
case 16:
case 32:
case 64: u->dis_mode = m ; return;
default: u->dis_mode = 16; return;
}
}
/* =============================================================================
* ud_set_vendor() - Set vendor.
* =============================================================================
*/
extern void
ud_set_vendor(struct ud* u, unsigned v)
{
switch(v) {
case UD_VENDOR_INTEL:
u->vendor = v;
break;
default:
u->vendor = UD_VENDOR_AMD;
}
}
/* =============================================================================
* ud_set_pc() - Sets code origin.
* =============================================================================
*/
extern void
ud_set_pc(struct ud* u, uint64_t o)
{
u->pc = o;
}
/* =============================================================================
* ud_set_syntax() - Sets the output syntax.
* =============================================================================
*/
extern void
ud_set_syntax(struct ud* u, void (*t)(struct ud*))
{
u->translator = t;
}
/* =============================================================================
* ud_insn() - returns the disassembled instruction
* =============================================================================
*/
extern char*
ud_insn_asm(struct ud* u)
{
return u->insn_buffer;
}
/* =============================================================================
* ud_insn_offset() - Returns the offset.
* =============================================================================
*/
extern uint64_t
ud_insn_off(struct ud* u)
{
return u->insn_offset;
}
/* =============================================================================
* ud_insn_hex() - Returns hex form of disassembled instruction.
* =============================================================================
*/
extern char*
ud_insn_hex(struct ud* u)
{
return u->insn_hexcode;
}
/* =============================================================================
* ud_insn_ptr() - Returns code disassembled.
* =============================================================================
*/
extern uint8_t*
ud_insn_ptr(struct ud* u)
{
return u->inp_sess;
}
/* =============================================================================
* ud_insn_len() - Returns the count of bytes disassembled.
* =============================================================================
*/
extern unsigned int
ud_insn_len(struct ud* u)
{
return u->inp_ctr;
}

200
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/types.h Normal file
View File

@ -0,0 +1,200 @@
/* -----------------------------------------------------------------------------
* types.h
*
* Copyright (c) 2006, Vivek Mohan <vivek@sig9.com>
* All rights reserved. See LICENSE
* -----------------------------------------------------------------------------
*/
#ifndef UD_TYPES_H
#define UD_TYPES_H
#include <stdio.h>
#ifdef _MSC_VER
# define FMT64 "%I64"
typedef unsigned __int8 uint8_t;
typedef unsigned __int16 uint16_t;
typedef unsigned __int32 uint32_t;
typedef unsigned __int64 uint64_t;
typedef __int8 int8_t;
typedef __int16 int16_t;
typedef __int32 int32_t;
typedef __int64 int64_t;
#else
# define FMT64 "%ll"
# include <inttypes.h>
#endif
#include "itab.h"
/* -----------------------------------------------------------------------------
* All possible "types" of objects in udis86. Order is Important!
* -----------------------------------------------------------------------------
*/
enum ud_type
{
UD_NONE,
/* 8 bit GPRs */
UD_R_AL, UD_R_CL, UD_R_DL, UD_R_BL,
UD_R_AH, UD_R_CH, UD_R_DH, UD_R_BH,
UD_R_SPL, UD_R_BPL, UD_R_SIL, UD_R_DIL,
UD_R_R8B, UD_R_R9B, UD_R_R10B, UD_R_R11B,
UD_R_R12B, UD_R_R13B, UD_R_R14B, UD_R_R15B,
/* 16 bit GPRs */
UD_R_AX, UD_R_CX, UD_R_DX, UD_R_BX,
UD_R_SP, UD_R_BP, UD_R_SI, UD_R_DI,
UD_R_R8W, UD_R_R9W, UD_R_R10W, UD_R_R11W,
UD_R_R12W, UD_R_R13W, UD_R_R14W, UD_R_R15W,
/* 32 bit GPRs */
UD_R_EAX, UD_R_ECX, UD_R_EDX, UD_R_EBX,
UD_R_ESP, UD_R_EBP, UD_R_ESI, UD_R_EDI,
UD_R_R8D, UD_R_R9D, UD_R_R10D, UD_R_R11D,
UD_R_R12D, UD_R_R13D, UD_R_R14D, UD_R_R15D,
/* 64 bit GPRs */
UD_R_RAX, UD_R_RCX, UD_R_RDX, UD_R_RBX,
UD_R_RSP, UD_R_RBP, UD_R_RSI, UD_R_RDI,
UD_R_R8, UD_R_R9, UD_R_R10, UD_R_R11,
UD_R_R12, UD_R_R13, UD_R_R14, UD_R_R15,
/* segment registers */
UD_R_ES, UD_R_CS, UD_R_SS, UD_R_DS,
UD_R_FS, UD_R_GS,
/* control registers*/
UD_R_CR0, UD_R_CR1, UD_R_CR2, UD_R_CR3,
UD_R_CR4, UD_R_CR5, UD_R_CR6, UD_R_CR7,
UD_R_CR8, UD_R_CR9, UD_R_CR10, UD_R_CR11,
UD_R_CR12, UD_R_CR13, UD_R_CR14, UD_R_CR15,
/* debug registers */
UD_R_DR0, UD_R_DR1, UD_R_DR2, UD_R_DR3,
UD_R_DR4, UD_R_DR5, UD_R_DR6, UD_R_DR7,
UD_R_DR8, UD_R_DR9, UD_R_DR10, UD_R_DR11,
UD_R_DR12, UD_R_DR13, UD_R_DR14, UD_R_DR15,
/* mmx registers */
UD_R_MM0, UD_R_MM1, UD_R_MM2, UD_R_MM3,
UD_R_MM4, UD_R_MM5, UD_R_MM6, UD_R_MM7,
/* x87 registers */
UD_R_ST0, UD_R_ST1, UD_R_ST2, UD_R_ST3,
UD_R_ST4, UD_R_ST5, UD_R_ST6, UD_R_ST7,
/* extended multimedia registers */
UD_R_XMM0, UD_R_XMM1, UD_R_XMM2, UD_R_XMM3,
UD_R_XMM4, UD_R_XMM5, UD_R_XMM6, UD_R_XMM7,
UD_R_XMM8, UD_R_XMM9, UD_R_XMM10, UD_R_XMM11,
UD_R_XMM12, UD_R_XMM13, UD_R_XMM14, UD_R_XMM15,
UD_R_RIP,
/* Operand Types */
UD_OP_REG, UD_OP_MEM, UD_OP_PTR, UD_OP_IMM,
UD_OP_JIMM, UD_OP_CONST
};
/* -----------------------------------------------------------------------------
* struct ud_operand - Disassembled instruction Operand.
* -----------------------------------------------------------------------------
*/
struct ud_operand
{
enum ud_type type;
uint8_t size;
union {
int8_t sbyte;
uint8_t ubyte;
int16_t sword;
uint16_t uword;
int32_t sdword;
uint32_t udword;
int64_t sqword;
uint64_t uqword;
struct {
uint16_t seg;
uint32_t off;
} ptr;
} lval;
enum ud_type base;
enum ud_type index;
uint8_t offset;
uint8_t scale;
};
/* -----------------------------------------------------------------------------
* struct ud - The udis86 object.
* -----------------------------------------------------------------------------
*/
struct ud
{
int (*inp_hook) (struct ud*);
uint8_t inp_curr;
uint8_t inp_fill;
FILE* inp_file;
uint8_t inp_ctr;
uint8_t* inp_buff;
uint8_t* inp_buff_end;
uint8_t inp_end;
void (*translator)(struct ud*);
uint64_t insn_offset;
char insn_hexcode[32];
char insn_buffer[64];
unsigned int insn_fill;
uint8_t dis_mode;
uint64_t pc;
uint8_t vendor;
struct map_entry* mapen;
enum ud_mnemonic_code mnemonic;
struct ud_operand operand[3];
uint8_t error;
uint8_t pfx_rex;
uint8_t pfx_seg;
uint8_t pfx_opr;
uint8_t pfx_adr;
uint8_t pfx_lock;
uint8_t pfx_rep;
uint8_t pfx_repe;
uint8_t pfx_repne;
uint8_t pfx_insn;
uint8_t default64;
uint8_t opr_mode;
uint8_t adr_mode;
uint8_t br_far;
uint8_t br_near;
uint8_t implicit_addr;
uint8_t c1;
uint8_t c2;
uint8_t c3;
uint8_t inp_cache[256];
uint8_t inp_sess[64];
struct ud_itab_entry * itab_entry;
};
/* -----------------------------------------------------------------------------
* Type-definitions
* -----------------------------------------------------------------------------
*/
typedef enum ud_type ud_type_t;
typedef enum ud_mnemonic_code ud_mnemonic_code_t;
typedef struct ud ud_t;
typedef struct ud_operand ud_operand_t;
#define UD_SYN_INTEL ud_translate_intel
#define UD_SYN_ATT ud_translate_att
#define UD_EOI -1
#define UD_INP_CACHE_SZ 32
#define UD_VENDOR_AMD 0
#define UD_VENDOR_INTEL 1
#define bail_out(ud,error_code) longjmp( (ud)->bailout, error_code )
#define try_decode(ud) if ( setjmp( (ud)->bailout ) == 0 )
#define catch_error() else
#endif

BIN
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/udis86_amd64.lib Normal file
View File

Binary file not shown.

BIN
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/udis86/udis86_i386.lib Normal file
View File

Binary file not shown.

718
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/undocnt.h Normal file
View File

@ -0,0 +1,718 @@
// ********************************************************
// some user-mode structures
typedef struct _LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
LIST_ENTRY HashLinks;
PVOID SectionPointer;
ULONG CheckSum;
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY,
*PLDR_DATA_TABLE_ENTRY;
typedef struct _PEB_LDR_DATA
{
ULONG Length;
BOOLEAN Initialized;
PVOID SsHandle;
LIST_ENTRY ModuleListLoadOrder;
LIST_ENTRY ModuleListMemoryOrder;
LIST_ENTRY ModuleListInitOrder;
} PEB_LDR_DATA,
*PPEB_LDR_DATA;
// ********************************************************
typedef struct SERVICE_DESCRIPTOR_ENTRY
{
PVOID *ServiceTableBase;
PULONG ServiceCounterTableBase;
ULONG NumberOfServices;
PUCHAR ParamTableBase;
} SERVICE_DESCRIPTOR_ENTRY,
*PSERVICE_DESCRIPTOR_ENTRY;
typedef struct _SERVICE_DESCRIPTOR_TABLE
{
SERVICE_DESCRIPTOR_ENTRY Entry[2];
} SERVICE_DESCRIPTOR_TABLE,
*PSERVICE_DESCRIPTOR_TABLE;
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation,
SystemProcessorInformation, // obsolete...delete
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemPathInformation,
SystemProcessInformation,
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,
SystemModuleInformation,
SystemLocksInformation,
SystemStackTraceInformation,
SystemPagedPoolInformation,
SystemNonPagedPoolInformation,
SystemHandleInformation,
SystemObjectInformation,
SystemPageFileInformation,
SystemVdmInstemulInformation,
SystemVdmBopInformation,
SystemFileCacheInformation,
SystemPoolTagInformation,
SystemInterruptInformation,
SystemDpcBehaviorInformation,
SystemFullMemoryInformation,
SystemLoadGdiDriverInformation,
SystemUnloadGdiDriverInformation,
SystemTimeAdjustmentInformation,
SystemSummaryMemoryInformation,
SystemMirrorMemoryInformation,
SystemPerformanceTraceInformation,
SystemObsolete0,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemExtendServiceTableInformation,
SystemPrioritySeperation,
SystemVerifierAddDriverInformation,
SystemVerifierRemoveDriverInformation,
SystemProcessorIdleInformation,
SystemLegacyDriverInformation,
SystemCurrentTimeZoneInformation,
SystemLookasideInformation,
SystemTimeSlipNotification,
SystemSessionCreate,
SystemSessionDetach,
SystemSessionInformation,
SystemRangeStartInformation,
SystemVerifierInformation,
SystemVerifierThunkExtend,
SystemSessionProcessInformation,
SystemLoadGdiDriverInSystemSpace,
SystemNumaProcessorMap,
SystemPrefetcherInformation,
SystemExtendedProcessInformation,
SystemRecommendedSharedDataAlignment,
SystemComPlusPackage,
SystemNumaAvailableMemory,
SystemProcessorPowerInformation,
SystemEmulationBasicInformation,
SystemEmulationProcessorInformation,
SystemExtendedHandleInformation,
SystemLostDelayedWriteInformation,
SystemBigPoolInformation,
SystemSessionPoolTagInformation,
SystemSessionMappedViewInformation,
SystemHotpatchInformation,
SystemObjectSecurityMode,
SystemWatchdogTimerHandler,
SystemWatchdogTimerInformation,
SystemLogicalProcessorInformation,
SystemWow64SharedInformation,
SystemRegisterFirmwareTableInformationHandler,
SystemFirmwareTableInformation,
SystemModuleInformationEx,
SystemVerifierTriageInformation,
SystemSuperfetchInformation,
SystemMemoryListInformation,
SystemFileCacheInformationEx,
MaxSystemInfoClass // MaxSystemInfoClass should always be the last enum
} SYSTEM_INFORMATION_CLASS;
typedef struct _RTL_PROCESS_MODULE_INFORMATION
{
HANDLE Section; // Not filled in
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR FullPathName[ 256 ];
} RTL_PROCESS_MODULE_INFORMATION,
*PRTL_PROCESS_MODULE_INFORMATION;
typedef struct _RTL_PROCESS_MODULES
{
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];
} RTL_PROCESS_MODULES,
*PRTL_PROCESS_MODULES;
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
USHORT UniqueProcessId;
USHORT CreatorBackTraceIndex;
UCHAR ObjectTypeIndex;
UCHAR HandleAttributes;
USHORT HandleValue;
PVOID Object;
ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO,
*PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG NumberOfHandles;
SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[ 1 ];
} SYSTEM_HANDLE_INFORMATION,
*PSYSTEM_HANDLE_INFORMATION;
#ifndef _NTIFS_INCLUDED_
typedef struct _FILE_DIRECTORY_INFORMATION
{
ULONG NextEntryOffset;
ULONG FileIndex;
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER EndOfFile;
LARGE_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;
WCHAR FileName[1];
} FILE_DIRECTORY_INFORMATION,
*PFILE_DIRECTORY_INFORMATION;
typedef struct _FILE_NAMES_INFORMATION
{
ULONG NextEntryOffset;
ULONG FileIndex;
ULONG FileNameLength;
WCHAR FileName[1];
} FILE_NAMES_INFORMATION,
*PFILE_NAMES_INFORMATION;
#endif
typedef struct _FILE_FULL_DIRECTORY_INFORMATION
{
ULONG NextEntryOffset;
ULONG FileIndex;
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER EndOfFile;
LARGE_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;
ULONG EaSize;
WCHAR FileName[1];
} FILE_FULL_DIRECTORY_INFORMATION,
*PFILE_FULL_DIRECTORY_INFORMATION;
typedef struct _FILE_BOTH_DIRECTORY_INFORMATION
{
ULONG NextEntryOffset;
ULONG Unknown;
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER EndOfFile;
LARGE_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;
ULONG EaInformationLength;
UCHAR AlternateNameLength;
WCHAR AlternateName[12];
WCHAR FileName[1];
} FILE_BOTH_DIRECTORY_INFORMATION,
*PFILE_BOTH_DIRECTORY_INFORMATION;
typedef struct _FILE_ID_BOTH_DIRECTORY_INFORMATION
{
ULONG NextEntryOffset;
ULONG FileIndex;
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER EndOfFile;
LARGE_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;
ULONG EaSize;
CCHAR ShortNameLength;
WCHAR ShortName[12];
LARGE_INTEGER FileId;
WCHAR FileName[1];
} FILE_ID_BOTH_DIRECTORY_INFORMATION,
*PFILE_ID_BOTH_DIRECTORY_INFORMATION;
typedef struct _FILE_ID_FULL_DIRECTORY_INFORMATION
{
ULONG NextEntryOffset;
ULONG FileIndex;
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER EndOfFile;
LARGE_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;
ULONG EaSize;
LARGE_INTEGER FileId;
WCHAR FileName[1];
} FILE_ID_FULL_DIRECTORY_INFORMATION,
*PFILE_ID_FULL_DIRECTORY_INFORMATION;
typedef struct _SYSTEM_OBJECT_TYPE_INFORMATION
{
ULONG NextEntryOffset;
ULONG ObjectCount;
ULONG HandleCount;
ULONG TypeNumber;
ULONG InvalidAttributes;
GENERIC_MAPPING GenericMapping;
ACCESS_MASK ValidAccessMask;
POOL_TYPE PoolType;
UCHAR Unknown;
UNICODE_STRING Name;
} SYSTEM_OBJECT_TYPE_INFORMATION,
*PSYSTEM_OBJECT_TYPE_INFORMATION;
typedef struct _SYSTEM_OBJECT_INFORMATION
{
ULONG NextEntryOffset;
PVOID Object;
ULONG CreatorProcessId;
USHORT Unknown;
USHORT Flags;
ULONG PointerCount;
ULONG HandleCount;
ULONG PagedPoolUsage;
ULONG NonPagedPoolUsage;
ULONG ExclusiveProcessId;
PSECURITY_DESCRIPTOR SecurityDescriptor;
UNICODE_STRING Name;
} SYSTEM_OBJECT_INFORMATION,
*PSYSTEM_OBJECT_INFORMATION;
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryDirectoryFile(
HANDLE FileHandle,
HANDLE Event,
PIO_APC_ROUTINE ApcRoutine,
PVOID ApcContext,
PIO_STATUS_BLOCK IoStatusBlock,
PVOID FileInformation,
ULONG FileInformationLength,
FILE_INFORMATION_CLASS FileInformationClass,
BOOLEAN ReturnSingleEntry,
PUNICODE_STRING FileName,
BOOLEAN RestartScan
);
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryOffset;
ULONG NumberOfThreads;
LARGE_INTEGER SpareLi1;
LARGE_INTEGER SpareLi2;
LARGE_INTEGER SpareLi3;
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
KPRIORITY BasePriority;
HANDLE UniqueProcessId;
HANDLE InheritedFromUniqueProcessId;
ULONG HandleCount;
ULONG SessionId;
ULONG_PTR PageDirectoryBase;
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
SIZE_T PrivatePageCount;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
typedef struct THREAD_BASIC_INFORMATION
{
NTSTATUS ExitStatus;
PVOID TebBaseAddress;
CLIENT_ID ClientId;
KAFFINITY AffinityMask;
KPRIORITY Priority;
KPRIORITY BasePriority;
} THREAD_BASIC_INFORMATION,
*PTHREAD_BASIC_INFORMATION;
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationProcess(
HANDLE ProcessHandle,
PROCESSINFOCLASS ProcessInformationClass,
PVOID ProcessInformation,
ULONG ProcessInformationLength,
PULONG ReturnLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenThread(
PHANDLE ThreadHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PCLIENT_ID ClientId
);
NTSYSAPI
NTSTATUS
NTAPI
ZwDeviceIoControlFile(
HANDLE FileHandle,
HANDLE Event,
PIO_APC_ROUTINE ApcRoutine,
PVOID ApcContext,
PIO_STATUS_BLOCK IoStatusBlock,
ULONG IoControlCode,
PVOID InputBuffer,
ULONG InputBufferLength,
PVOID OutputBuffer,
ULONG OutputBufferLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwFsControlFile(
HANDLE FileHandle,
HANDLE Event OPTIONAL,
PIO_APC_ROUTINE ApcRoutine OPTIONAL,
PVOID ApcContext OPTIONAL,
PIO_STATUS_BLOCK IoStatusBlock,
ULONG FsControlCode,
PVOID InputBuffer OPTIONAL,
ULONG InputBufferLength,
PVOID OutputBuffer OPTIONAL,
ULONG OutputBufferLength
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSaveKey(
HANDLE KeyHandle,
HANDLE FileHandle
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryVolumeInformationFile(
HANDLE FileHandle,
PIO_STATUS_BLOCK IoStatusBlock,
PVOID FsInformation,
ULONG Length,
FS_INFORMATION_CLASS FsInformationClass
);
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySecurityObject(
HANDLE Handle,
SECURITY_INFORMATION SecurityInformation,
PSECURITY_DESCRIPTOR SecurityDescriptor,
ULONG Length,
PULONG LengthNeeded
);
NTSYSAPI
NTSTATUS
NTAPI
ZwSetSecurityObject(
HANDLE Handle,
SECURITY_INFORMATION SecurityInformation,
PSECURITY_DESCRIPTOR SecurityDescriptor
);
NTSYSAPI
NTSTATUS
NTAPI
ZwDuplicateObject(
HANDLE SourceProcessHandle,
HANDLE SourceHandle,
HANDLE TargetProcessHandle,
PHANDLE TargetHandle,
ACCESS_MASK DesiredAccess,
ULONG HandleAttributes,
ULONG Options
);
NTSYSAPI
NTSTATUS
NTAPI
RtlGetDaclSecurityDescriptor(
PSECURITY_DESCRIPTOR SecurityDescriptor,
PBOOLEAN DaclPresent,
PACL *Dacl,
PBOOLEAN DaclDefaulted
);
#ifndef _NTIFS_INCLUDED_
typedef struct _SID_IDENTIFIER_AUTHORITY
{
UCHAR Value[ 6 ];
} SID_IDENTIFIER_AUTHORITY;
typedef struct _SID_IDENTIFIER_AUTHORITY *PSID_IDENTIFIER_AUTHORITY;
#endif
NTSYSAPI
NTSTATUS
NTAPI
RtlInitializeSid(
PSID Sid,
PSID_IDENTIFIER_AUTHORITY IdentifierAuthority,
UCHAR SubAuthorityCount
);
NTSYSAPI
ULONG
NTAPI
RtlLengthSid(
PSID Sid
);
NTSYSAPI
NTSTATUS
NTAPI
RtlAddAccessAllowedAce(
PACL Acl,
ULONG AceRevision,
ACCESS_MASK AccessMask,
PSID Sid
);
NTSYSAPI
NTSTATUS
NTAPI
RtlSetDaclSecurityDescriptor(
OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
BOOLEAN DaclPresent,
PACL Dacl,
BOOLEAN DaclDefaulted
);
NTSYSAPI
NTSTATUS
NTAPI
RtlSelfRelativeToAbsoluteSD2(
PSECURITY_DESCRIPTOR pSelfRelativeSecurityDescriptor,
PULONG pBufferSize
);
NTSYSAPI
BOOLEAN
NTAPI
RtlValidSid(
PSID Sid
);
#ifndef _NTIFS_INCLUDED_
typedef struct _KAPC_STATE
{
LIST_ENTRY ApcListHead[2];
PVOID Process;
BOOLEAN KernelApcInProgress;
BOOLEAN KernelApcPending;
BOOLEAN UserApcPending;
} KAPC_STATE,
*PKAPC_STATE;
#endif
NTSYSAPI
VOID
NTAPI
KeStackAttachProcess(
PEPROCESS Process,
PKAPC_STATE ApcState
);
NTSYSAPI
VOID
NTAPI
KeUnstackDetachProcess(
PKAPC_STATE ApcState
);
NTSYSAPI
NTSTATUS
NTAPI
PsLookupProcessByProcessId(
HANDLE ProcessId,
PEPROCESS *Process
);
NTSYSAPI
NTSTATUS
NTAPI
PsLookupThreadByThreadId(
HANDLE ThreadId,
PETHREAD *Thread
);
NTSYSAPI
NTSTATUS
NTAPI
ObOpenObjectByPointer(
PVOID Object,
ULONG HandleAttributes,
PACCESS_STATE PassedAccessState,
ACCESS_MASK DesiredAccess,
POBJECT_TYPE ObjectType,
KPROCESSOR_MODE AccessMode,
PHANDLE Handle
);
NTSYSAPI
NTSTATUS
NTAPI
ObOpenObjectByName(
POBJECT_ATTRIBUTES ObjectAttributes,
POBJECT_TYPE ObjectType,
KPROCESSOR_MODE AccessMode,
PACCESS_STATE AccessState,
ACCESS_MASK DesiredAccess,
PVOID ParseContext,
PHANDLE Handle
);
NTSYSAPI
NTSTATUS
NTAPI
ObReferenceObjectByName(
PUNICODE_STRING ObjectPath,
ULONG Attributes,
PACCESS_STATE PassedAccessState,
ACCESS_MASK DesiredAccess,
POBJECT_TYPE ObjectType,
KPROCESSOR_MODE AccessMode,
PVOID ParseContext,
PVOID *ObjectPtr
);
NTKERNELAPI
NTSTATUS
ObQueryNameString(
PVOID Object,
POBJECT_NAME_INFORMATION ObjectNameInfo,
ULONG Length,
PULONG ReturnLength
);
NTKERNELAPI
VOID
KeSetSystemAffinityThread(
KAFFINITY Affinity
);
typedef enum
{
OriginalApcEnvironment,
AttachedApcEnvironment,
CurrentApcEnvironment
} KAPC_ENVIRONMENT;
NTKERNELAPI
VOID
KeInitializeApc(
PRKAPC Apc,
PRKTHREAD Thread,
KAPC_ENVIRONMENT Environment,
PKKERNEL_ROUTINE KernelRoutine,
PKRUNDOWN_ROUTINE RundownRoutine,
PKNORMAL_ROUTINE NormalRoutine,
KPROCESSOR_MODE ApcMode,
PVOID NormalContext
);
NTKERNELAPI
BOOLEAN
KeInsertQueueApc(
PKAPC Apc,
PVOID SystemArgument1,
PVOID SystemArgument2,
KPRIORITY Increment
);

124
HookDeviceIocontrlFile/HookDeviceIoControlFileDrv/HookDeviceIoControlFile/version.rc Normal file
View File

@ -0,0 +1,124 @@
//Microsoft Developer Studio generated resource script.
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 101
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_COMMAND_CONTROL_VALUE 1000
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif
#define APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 2 resource.
//
#define APSTUDIO_HIDDEN_SYMBOLS
#include "windows.h"
#undef APSTUDIO_HIDDEN_SYMBOLS
#include "ntverp.h"
/////////////////////////////////////////////////////////////////////////////
#undef APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
// Chinese (P.R.C.) resources
#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS)
#ifdef _WIN32
LANGUAGE LANG_CHINESE, SUBLANG_CHINESE_SIMPLIFIED
#pragma code_page(936)
#endif //_WIN32
#ifndef _MAC
/////////////////////////////////////////////////////////////////////////////
//
// Version
//
VS_VERSION_INFO VERSIONINFO
FILEVERSION 1,0,0,5
PRODUCTVERSION 1,0,0,5
FILEFLAGSMASK 0x3fL
#ifdef _DEBUG
FILEFLAGS 0x1L
#else
FILEFLAGS 0x0L
#endif
FILEOS 0x40004L
FILETYPE 0x3L
FILESUBTYPE 0x7L
BEGIN
BLOCK "StringFileInfo"
BEGIN
BLOCK "080404b0"
BEGIN
VALUE "Comments", "Fuzzer\0"
VALUE "CompanyName", "\0"
VALUE "FileDescription", "IOCTL Fuzzer\0"
VALUE "FileVersion", "1.0.0.5\0"
VALUE "InternalName", "IOCTL_fuzzer.sys\0"
VALUE "LegalCopyright", "\0"
VALUE "LegalTrademarks", "\0"
VALUE "OriginalFilename", "IOCTL_fuzzer.sys\0"
VALUE "PrivateBuild", "\0"
VALUE "ProductName", "Fuzzer\0"
VALUE "ProductVersion", "1.0.0.5\0"
VALUE "SpecialBuild", "\0"
END
END
BLOCK "VarFileInfo"
BEGIN
VALUE "Translation", 0x804, 1200
END
END
#endif // !_MAC
#ifdef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// TEXTINCLUDE
//
1 TEXTINCLUDE MOVEABLE PURE
BEGIN
"resource.h\0"
END
2 TEXTINCLUDE MOVEABLE PURE
BEGIN
"#define APSTUDIO_HIDDEN_SYMBOLS\r\n"
"#include ""windows.h""\r\n"
"#undef APSTUDIO_HIDDEN_SYMBOLS\r\n"
"#include ""ntverp.h""\r\n"
"\0"
END
3 TEXTINCLUDE MOVEABLE PURE
BEGIN
"\r\n"
"\0"
END
#endif // APSTUDIO_INVOKED
#endif // Chinese (P.R.C.) resources
/////////////////////////////////////////////////////////////////////////////
#ifndef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 3 resource.
//
/////////////////////////////////////////////////////////////////////////////
#endif // not APSTUDIO_INVOKED

5
HookDeviceIocontrlFile/ReadMe.txt Normal file
View File

@ -0,0 +1,5 @@
change from https://github.com/Cr4sh/ioctlfuzzer
to log DeviceIoControl buffer by xml file.
support for 32 and 64 bits.