A Bug Hunter’s Diary by Klein Tobias
Author: Klein, Tobias [Tobias Klein]
Language: eng
Format: epub
Tags: COMPUTERS / Security / General
ISBN: 9781593274153
Publisher: No Starch Press
Published: 2011-11-22T16:00:00+00:00
Step 5: Find the User-Controlled Input Values
After I generated the list of all the supported IOCTLs, I tried to locate the buffer containing the user-supplied IOCTL input data. All IRP_MJ_DEVICE_CONTROL requests supply both an input buffer and an output buffer. The way the system describes these buffers depends on the data transfer type. The transfer type is stored in the IOCTL code itself. Under Microsoft Windows, the IOCTL code values are normally created using the CTL_CODE macro.[71] Here’s another excerpt from ntddk.h:
    [..]
    //
    // Macro definition for defining IOCTL and FSCTL function control codes. Note
    // that function codes 0-2047 are reserved for Microsoft Corporation, and
    // 2048-4095 are reserved for customers.
    //

    #define CTL_CODE( DeviceType, Function, Method, Access ) (                 \
        ((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method) \
    )
    [..]
    //
    // Define the method codes for how buffers are passed for I/O and FS controls
    //

    #define METHOD_BUFFERED                 0
    #define METHOD_IN_DIRECT                1
    #define METHOD_OUT_DIRECT               2
    #define METHOD_NEITHER                  3
    [..]
The transfer type is specified using the Method parameter of the CTL_CODE macro. I wrote a little tool to reveal which data transfer type is used by the IOCTLs of Aavmker4.sys:
Example 6-1. A little tool that I wrote (IOCTL_method.c) to show which data transfer type is used by the IOCTLs of Aavmker4.sys
    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>   /* strtoul */

    int
    main (int argc, char *argv[])
    {
        unsigned int method = 0;
        unsigned int code   = 0;

        if (argc != 2) {
            fprintf (stderr, "Usage: %s <IOCTL code>\n", argv[0]);
            return 1;
        }

        /* The IOCTL code is given on the command line as a hex string. */
        code   = strtoul (argv[1], (char **) NULL, 16);

        /* The two lowest bits of the code hold the Method field of CTL_CODE. */
        method = code & 3;

        switch (method) {
            case 0:
                printf ("METHOD_BUFFERED\n");
                break;
            case 1:
                printf ("METHOD_IN_DIRECT\n");
                break;
            case 2:
                printf ("METHOD_OUT_DIRECT\n");
                break;
            case 3:
                printf ("METHOD_NEITHER\n");
                break;
            default:
                /* Unreachable for a 2-bit value; kept as a safety net. */
                fprintf (stderr, "ERROR: invalid IOCTL data transfer method\n");
                break;
        }

        return 0;
    }
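Going one step beyond Example 6-1, the following added example (not code from the book) reverses the whole CTL_CODE layout and reports, for each transfer type, where the driver receives the caller's input, which is what a driver audit needs to know next. The names `MAKE_IOCTL`, `ioctl_decode`, `ioctl_is_vendor_function`, `ioctl_input_location` and `ioctl_needs_pointer_review` are hypothetical, the sample codes are constructed rather than taken from Aavmker4.sys, and the buffer locations are the ones documented for the Windows I/O manager.

```c
#include <stdint.h>
#include <stdio.h>

/* Same bit layout as the CTL_CODE macro in the ntddk.h excerpt (hypothetical name). */
#define MAKE_IOCTL(dev, func, method, access) \
    (((uint32_t)(dev) << 16) | ((uint32_t)(access) << 14) | \
     ((uint32_t)(func) << 2) | (uint32_t)(method))

struct ioctl_fields { uint32_t device_type, access, function, method; };

/* Reverse CTL_CODE: split a 32-bit IOCTL code into its four fields. */
struct ioctl_fields ioctl_decode(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFF;  /* bits 31..16 */
    f.access      = (code >> 14) & 0x3;     /* bits 15..14 */
    f.function    = (code >> 2)  & 0xFFF;   /* bits 13..2  */
    f.method      = code & 0x3;             /* bits 1..0   */
    return f;
}

/* Function codes 2048-4095 are the customer range named in the header comment. */
int ioctl_is_vendor_function(uint32_t code) { return ioctl_decode(code).function >= 2048; }

/* Where the driver finds the caller's input data for each transfer type. */
const char *ioctl_input_location(uint32_t code)
{
    static const char *const where[4] = {
        "METHOD_BUFFERED: Irp->AssociatedIrp.SystemBuffer (kernel copy)",
        "METHOD_IN_DIRECT: Irp->AssociatedIrp.SystemBuffer (kernel copy)",
        "METHOD_OUT_DIRECT: Irp->AssociatedIrp.SystemBuffer (kernel copy)",
        "METHOD_NEITHER: Parameters.DeviceIoControl.Type3InputBuffer (raw user pointer)"
    };
    return where[code & 0x3];
}

/* With METHOD_NEITHER the driver itself must probe and validate the user pointers. */
int ioctl_needs_pointer_review(uint32_t code) { return ioctl_decode(code).method == 3; }

int main(void)
{
    /* Constructed sample codes, not taken from Aavmker4.sys. */
    const uint32_t samples[] = { MAKE_IOCTL(0x8000, 0x800, 3, 0), 0x00070000u };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct ioctl_fields f = ioctl_decode(samples[i]);
        printf("0x%08X dev=0x%04X func=0x%03X (%s) access=%u review=%s\n  %s\n",
               (unsigned)samples[i], (unsigned)f.device_type, (unsigned)f.function,
               ioctl_is_vendor_function(samples[i]) ? "customer" : "Microsoft",
               (unsigned)f.access, ioctl_needs_pointer_review(samples[i]) ? "yes" : "no",
               ioctl_input_location(samples[i]));
    }
    return 0;
}
```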