A Bug Hunter's Diary by Tobias Klein
Author: Tobias Klein
Language: eng
Format: epub, mobi, pdf
Tags: COMPUTERS / Security / General
ISBN: 9781593274153
Publisher: No Starch Press
Published: 2011-11-22T16:00:00+00:00
Step 5: Find the User-Controlled Input Values
After I generated the list of all the supported IOCTLs, I tried to locate the buffer containing the user-supplied IOCTL input data. All IRP_MJ_DEVICE_CONTROL requests supply both an input buffer and an output buffer. The way the system describes these buffers depends on the data transfer type. The transfer type is stored in the IOCTL code itself. Under Microsoft Windows, the IOCTL code values are normally created using the CTL_CODE macro.[71] Here’s another excerpt from ntddk.h:
    [..]
    //
    // Macro definition for defining IOCTL and FSCTL function control codes. Note
    // that function codes 0-2047 are reserved for Microsoft Corporation, and
    // 2048-4095 are reserved for customers.
    //
    #define CTL_CODE( DeviceType, Function, Method, Access ) (                 \
        ((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method) \
    )
    [..]
    //
    // Define the method codes for how buffers are passed for I/O and FS controls
    //
    #define METHOD_BUFFERED                 0
    #define METHOD_IN_DIRECT                1
    #define METHOD_OUT_DIRECT               2
    #define METHOD_NEITHER                  3
    [..]
The transfer type is specified using the Method parameter of the CTL_CODE macro. I wrote a little tool to reveal which data transfer type is used by the IOCTLs of Aavmker4.sys:
Example 6-1. A little tool that I wrote (IOCTL_method.c) to show which data transfer type is used by the IOCTLs of Aavmker4.sys
    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>   /* strtoul */

    int
    main (int argc, char *argv[])
    {
      unsigned int method = 0;
      unsigned int code   = 0;

      if (argc != 2) {
        fprintf (stderr, "Usage: %s <IOCTL code>\n", argv[0]);
        return 1;
      }

      /* The IOCTL code is given in hexadecimal on the command line. */
      code = strtoul (argv[1], (char **) NULL, 16);

      /* CTL_CODE stores the Method parameter in the two lowest bits. */
      method = code & 3;

      switch (method) {
        case 0:
          printf ("METHOD_BUFFERED\n");
          break;
        case 1:
          printf ("METHOD_IN_DIRECT\n");
          break;
        case 2:
          printf ("METHOD_OUT_DIRECT\n");
          break;
        case 3:
          printf ("METHOD_NEITHER\n");
          break;
        default:
          fprintf (stderr, "ERROR: invalid IOCTL data transfer method\n");
          break;
      }

      return 0;
    }
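The following is an added example, not code from the book: it goes beyond Example 6-1 by undoing the whole CTL_CODE macro (device type, access, function, method) and marking the METHOD_NEITHER codes whose handlers a driver reviewer should check for pointer validation first. The names MK_CTL_CODE, ioctl_fields, decode_ioctl, input_location and needs_manual_validation are hypothetical, the sample codes are constructed, and the buffer locations are standard WDM behaviour rather than something stated in the excerpt.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Same bit layout as the CTL_CODE macro in the ntddk.h excerpt, redefined
 * here (hypothetical name) so the example builds without Windows headers. */
#define MK_CTL_CODE(dev, fn, method, access) \
    (((uint32_t)(dev) << 16) | ((uint32_t)(access) << 14) | \
     ((uint32_t)(fn) << 2) | (uint32_t)(method))

struct ioctl_fields { uint32_t device_type, access, function, method; };

/* Undo CTL_CODE: device 31..16, access 15..14, function 13..2, method 1..0. */
static struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f = { code >> 16, (code >> 14) & 0x3,
                              (code >> 2) & 0xFFF, code & 0x3 };
    return f;
}

/* Where the I/O manager leaves the caller's input data for each method. */
static const char *input_location(uint32_t method)
{
    switch (method & 0x3) {
    case 0:  /* METHOD_BUFFERED */
    case 1:  /* METHOD_IN_DIRECT */
    case 2:  /* METHOD_OUT_DIRECT */
        return "Irp->AssociatedIrp.SystemBuffer (kernel copy)";
    default: /* METHOD_NEITHER */
        return "Parameters.DeviceIoControl.Type3InputBuffer (raw user pointer)";
    }
}

/* METHOD_NEITHER hands the driver unvalidated user-mode addresses, so the
 * handler itself must probe and capture them; review those handlers first. */
static int needs_manual_validation(uint32_t code) { return (code & 0x3) == 3; }

int main(int argc, char *argv[])
{
    /* Constructed sample codes, not taken from any real driver. */
    uint32_t samples[] = { MK_CTL_CODE(0x22, 0x800, 3, 0), MK_CTL_CODE(0x22, 0x801, 0, 0) };
    size_t n = argc > 1 ? (size_t)(argc - 1) : sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < n; i++) {
        uint32_t code = argc > 1 ? (uint32_t)strtoul(argv[i + 1], NULL, 16) : samples[i];
        struct ioctl_fields f = decode_ioctl(code);
        printf("0x%08x dev=0x%x fn=0x%x (%s) access=%u method=%u %s%s\n",
               (unsigned)code, (unsigned)f.device_type, (unsigned)f.function,
               f.function >= 2048 ? "customer" : "Microsoft-reserved",
               (unsigned)f.access, (unsigned)f.method, input_location(f.method),
               needs_manual_validation(code) ? "  <-- audit pointer checks" : "");
    }
    return 0;
}
```

Run without arguments it decodes the two constructed samples; given hexadecimal IOCTL codes as arguments it decodes those instead.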
