A Bug Hunter's Diary by Tobias Klein

Author: Tobias Klein
Language: eng
Format: epub, mobi, pdf
Tags: COMPUTERS / Security / General
ISBN: 9781593274153
Publisher: No Starch Press
Published: 2011-11-22T16:00:00+00:00


Step 5: Find the User-Controlled Input Values

After I generated the list of all the supported IOCTLs, I tried to locate the buffer containing the user-supplied IOCTL input data. All IRP_MJ_DEVICE_CONTROL requests supply both an input buffer and an output buffer. The way the system describes these buffers depends on the data transfer type. The transfer type is stored in the IOCTL code itself. Under Microsoft Windows, the IOCTL code values are normally created using the CTL_CODE macro.[71] Here’s another excerpt from ntddk.h:

[..]
//
// Macro definition for defining IOCTL and FSCTL function control codes.  Note
// that function codes 0-2047 are reserved for Microsoft Corporation, and
// 2048-4095 are reserved for customers.
//
#define CTL_CODE( DeviceType, Function, Method, Access ) (                 \
    ((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method) \
)
[..]
//
// Define the method codes for how buffers are passed for I/O and FS controls
//
#define METHOD_BUFFERED                 0
#define METHOD_IN_DIRECT                1
#define METHOD_OUT_DIRECT               2
#define METHOD_NEITHER                  3
[..]

The transfer type is specified using the Method parameter of the CTL_CODE macro. I wrote a little tool to reveal which data transfer type is used by the IOCTLs of Aavmker4.sys:

Example 6-1. A little tool that I wrote (IOCTL_method.c) to show which data transfer type is used by the IOCTLs of Aavmker4.sys

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   /* strtoul */

int
main (int argc, char *argv[])
{
  unsigned int method = 0;
  unsigned int code = 0;

  if (argc != 2) {
    fprintf (stderr, "Usage: %s <IOCTL code>\n", argv[0]);
    return 1;
  }

  /* The IOCTL code is given in hex; CTL_CODE stores the Method in the two low bits */
  code = strtoul (argv[1], (char **) NULL, 16);
  method = code & 3;

  switch (method) {
  case 0:
    printf ("METHOD_BUFFERED\n");
    break;
  case 1:
    printf ("METHOD_IN_DIRECT\n");
    break;
  case 2:
    printf ("METHOD_OUT_DIRECT\n");
    break;
  case 3:
    printf ("METHOD_NEITHER\n");
    break;
  default:
    /* unreachable: (code & 3) can only be 0..3 */
    fprintf (stderr, "ERROR: invalid IOCTL data transfer method\n");
    break;
  }

  return 0;
}
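The tool above reads only the Method field. As an added example (not the book's listing and not taken from Aavmker4.sys), the decoder below splits a code into all four CTL_CODE fields, names the access bits, and flags whether the function number falls in the vendor range (2048-4095) that ntddk.h reserves for third parties. The sample code it decodes when run without an argument is constructed from FILE_DEVICE_UNKNOWN (0x22) and the first vendor function number; it is not a real IOCTL from the driver under study.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* Field layout of a 32-bit IOCTL code as built by CTL_CODE in ntddk.h:
 *   bits 31..16  DeviceType
 *   bits 15..14  Access
 *   bits 13..2   Function   (0-2047 reserved for Microsoft, 2048-4095 for vendors)
 *   bits  1..0   Method     (data transfer type)
 */
#define METHOD_BUFFERED   0
#define METHOD_IN_DIRECT  1
#define METHOD_OUT_DIRECT 2
#define METHOD_NEITHER    3

#define FILE_ANY_ACCESS   0
#define FILE_READ_ACCESS  1
#define FILE_WRITE_ACCESS 2

/* Same arithmetic as the CTL_CODE macro; used to cross-check the decoder. */
#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((uint32_t)(DeviceType) << 16) | ((uint32_t)(Access) << 14) | \
     ((uint32_t)(Function) << 2) | (uint32_t)(Method))

/* One accessor per field, each undoing the corresponding shift in CTL_CODE. */
unsigned int ioctl_device_type(uint32_t code) { return (code >> 16) & 0xFFFFu; }
unsigned int ioctl_access(uint32_t code)      { return (code >> 14) & 0x3u; }
unsigned int ioctl_function(uint32_t code)    { return (code >> 2) & 0xFFFu; }
unsigned int ioctl_method(uint32_t code)      { return code & 0x3u; }

const char *method_name(unsigned int method)
{
    switch (method) {
    case METHOD_BUFFERED:   return "METHOD_BUFFERED";
    case METHOD_IN_DIRECT:  return "METHOD_IN_DIRECT";
    case METHOD_OUT_DIRECT: return "METHOD_OUT_DIRECT";
    case METHOD_NEITHER:    return "METHOD_NEITHER";
    default:                return "INVALID";   /* unreachable for a 2-bit value */
    }
}

const char *access_name(unsigned int access)
{
    switch (access) {
    case FILE_ANY_ACCESS:                      return "FILE_ANY_ACCESS";
    case FILE_READ_ACCESS:                     return "FILE_READ_ACCESS";
    case FILE_WRITE_ACCESS:                    return "FILE_WRITE_ACCESS";
    case FILE_READ_ACCESS | FILE_WRITE_ACCESS: return "FILE_READ_ACCESS|FILE_WRITE_ACCESS";
    default:                                   return "INVALID";   /* unreachable */
    }
}

/* Function numbers 2048-4095 are the range reserved for third-party drivers. */
int function_is_vendor_defined(uint32_t code)
{
    unsigned int f = ioctl_function(code);
    return f >= 2048u && f <= 4095u;
}

/* Print the full breakdown of one IOCTL code. */
void print_ioctl(uint32_t code)
{
    printf("IOCTL 0x%08X: DeviceType=0x%04X Access=%s Function=0x%03X (%s) Method=%s\n",
           code, ioctl_device_type(code), access_name(ioctl_access(code)),
           ioctl_function(code),
           function_is_vendor_defined(code) ? "vendor range" : "Microsoft range",
           method_name(ioctl_method(code)));
}

int main(int argc, char *argv[])
{
    /* Constructed sample: FILE_DEVICE_UNKNOWN (0x22), first vendor function
     * number, METHOD_NEITHER, any access. Not a code from Aavmker4.sys. */
    uint32_t code = CTL_CODE(0x22, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS);

    if (argc == 2)
        code = (uint32_t)strtoul(argv[1], NULL, 16);   /* hex, like IOCTL_method.c */
    else
        fprintf(stderr, "No IOCTL code given, decoding constructed sample 0x%08X\n", code);

    print_ioctl(code);
    return 0;
}
```

Run it as `./ioctl_decode 222003` to decode a code from the list gathered in the earlier steps. The Method field is the one a reviewer checks first: for METHOD_NEITHER the I/O manager neither copies nor validates the buffers, so the driver receives raw user-mode pointers and must probe and validate them itself, whereas METHOD_BUFFERED hands the driver a kernel copy of the input.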
