Hi
I’m new to debugging and patch analysis of security issues patched by Microsoft. My problem is: how can I extract the IOCTL functions of a driver, like afd.sys?
thanks
Have you found IrpTracker at OsrOnline.com?
Gary Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net
On Jan 24, 2012, at 5:45 AM, xxxxx@gmail.com wrote:
> Hi
> I’m new to debugging and patch analysis of security issues patched by Microsoft. My problem is: how can I extract the IOCTL functions of a driver, like afd.sys?
> thanks
WINDBG is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
Hi, thanks for your reply.
Yeah, I saw that, but it’s a tracker…
I want to know how he does it (in the following picture). Do I have to write code that sends a range of IOCTL codes?
http://www.offensive-security.com/wp-content/uploads/2011/12/01-VULNFUNC.png
>I wanna know that how he does it (at the following picture)… Do I have to
write a code that send a range of IOCTL codes ?
There’s no magic answer for this for an arbitrary driver, you have to do it
through some sort of analysis (either static or dynamic).
As for how the image you posted was done…I know pretty much nothing about
the inner workings of AFD, but the image on the right looks to me like this
driver has an array of supported IOCTL values that this person is dumping.
Based on that guess, I searched AFD for something that might possibly be an
array of IOCTL values:
1: kd> x afd!*ioctl*
fffff88000b4ae00 afd!AfdIoctlTable = <no type information>
fffff88000b9d010 afd!WskTdiCOMPIoctl =
fffff88000b904f8 afd!AfdHandleISBIoctls = <no type information>
fffff88000b39324 afd!AfdWskIoctlTransportListChange =
afd!AfdIoctlTable sounded good, so I dumped that and I believe that’s where
the image on the right came from:
1: kd> dd afd!AfdIoctlTable
fffff88000b4ae00 00012003 00012007 0001200b 0001200c
fffff88000b4ae10 00012010 00012017 0001201b 0001201f
fffff88000b4ae20 00012023 00012024 0001202b 0001202f
fffff88000b4ae30 00012033 00012037 0001203b 0001203f
fffff88000b4ae40 00012043 00012047 0001204b 0001204f

As for the functions listed in the left image, I found this by looking at
how afd!AfdIoctlTable was used in the device control handler. I found the
device control handler using the following steps:

1: kd> !object \driver\afd
Object: fffffa8001f0add0 Type: (fffffa8001a74f20) Driver
 ObjectHeader: fffffa8001f0ada0 (new version)
 HandleCount: 0 PointerCount: 3
 Directory Object: fffff8a00007c7f0 Name: AFD

1: kd> !drvobj fffffa8001f0add0 7
...
[0e] IRP_MJ_DEVICE_CONTROL fffff88000b723d0 afd!AfdDispatchDeviceControl
...
1: kd> uf afd!AfdDispatchDeviceControl
...

Based on that analysis, I found an array of function pointers which I
suspect is where the image on the left came from:

1: kd> dps afd!AfdIrpCallDispatch
fffff88000b4abc0 fffff88000b5f170 afd!AfdBind
fffff88000b4abc8 fffff88000b778f0 afd!AfdConnect
fffff88000b4abd0 fffff88000b810b0 afd!AfdStartListen
fffff88000b4abd8 fffff880`00b7e3e0 afd!AfdWaitForListen
…
(Note that I could have also jumped right to the IOCTL handler and
discovered both afd!AfdIoctlTable and afd!AfdIrpCallDispatch that way)
So, in the end, that image is based entirely upon implementation details of
the AFD driver. That means it’s not going to be generally applicable to
other drivers or even to future versions of the AFD driver.
HTH,
-scott
–
Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc.
http://www.osronline.com
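The two dumps Scott posted (the IOCTL value table and the function-pointer array) are enough to work out how AFD gets from a code to a handler. The program below is an added example, not Scott's code and not from the thread: it takes the twenty values from the afd!AfdIoctlTable dump and decodes each one two ways. The first is the generic CTL_CODE layout from winioctl.h (device type in bits 31..16, access in 15..14, function in 13..2, method in 1..0). The second is AFD's own encoding from the public afd.h header, where a code is built as (FILE_DEVICE_NETWORK << 12) | (request << 2) | method; that encoding is a fact about afd.h, not something the thread states. Under the AFD encoding the request number of entry i is exactly i, and the first four request numbers line up with the dps output (AfdBind, AfdConnect, AfdStartListen, AfdWaitForListen), which is why the table index can be used directly into afd!AfdIrpCallDispatch. Only those four handler names appear in the thread, so the example maps nothing beyond them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Standard CTL_CODE layout from winioctl.h / ntddk.h:
 *   bits 31..16 device type, 15..14 required access, 13..2 function, 1..0 method
 */
#define METHOD_BUFFERED     0
#define METHOD_NEITHER      3
#define FILE_DEVICE_NETWORK 0x12

struct ctl_parts { uint32_t device_type, access, function, method; };

/* Generic decode: what a CTL_CODE-aware tool reports for any 32-bit code. */
static struct ctl_parts decode_ctl_code(uint32_t code)
{
    struct ctl_parts p;
    p.device_type = code >> 16;
    p.access      = (code >> 14) & 0x3;
    p.function    = (code >> 2)  & 0xFFF;
    p.method      = code & 0x3;
    return p;
}

/*
 * AFD does not use CTL_CODE. The public afd.h builds its codes as
 *   (FILE_DEVICE_NETWORK << 12) | (request << 2) | method
 * so the device type sits at bits 19..12 and the request number at bits 11..2.
 */
#define AFD_CONTROL_CODE(request, method) \
    (((uint32_t)FILE_DEVICE_NETWORK << 12) | ((uint32_t)(request) << 2) | (uint32_t)(method))

/* Request number (index into the dispatch array), or -1 if not an AFD code. */
static int afd_request_index(uint32_t code)
{
    if ((code >> 12) != FILE_DEVICE_NETWORK)
        return -1;
    return (int)((code >> 2) & 0x3FF);
}

/* The twenty values from the afd!AfdIoctlTable dump quoted in the thread. */
static const uint32_t afd_ioctl_table[] = {
    0x00012003, 0x00012007, 0x0001200b, 0x0001200c,
    0x00012010, 0x00012017, 0x0001201b, 0x0001201f,
    0x00012023, 0x00012024, 0x0001202b, 0x0001202f,
    0x00012033, 0x00012037, 0x0001203b, 0x0001203f,
    0x00012043, 0x00012047, 0x0001204b, 0x0001204f,
};
#define AFD_TABLE_LEN (sizeof afd_ioctl_table / sizeof afd_ioctl_table[0])

/* The four afd!AfdIrpCallDispatch entries shown in the dps output; the rest
 * were elided in the thread, so they are deliberately not filled in here. */
static const char *afd_irp_call_dispatch[] = {
    "afd!AfdBind", "afd!AfdConnect", "afd!AfdStartListen", "afd!AfdWaitForListen",
};
#define AFD_DISPATCH_KNOWN (sizeof afd_irp_call_dispatch / sizeof afd_irp_call_dispatch[0])

/* True if the dumped table is request numbers 0..N-1 in order, i.e. entry i
 * carries request field i (the property that makes index == dispatch slot). */
static int afd_table_is_dense(void)
{
    size_t i;
    for (i = 0; i < AFD_TABLE_LEN; i++)
        if (afd_request_index(afd_ioctl_table[i]) != (int)i)
            return 0;
    return 1;
}

/* Handler name for a code, or NULL if the thread did not show that slot. */
static const char *afd_handler_name(uint32_t code)
{
    int idx = afd_request_index(code);
    if (idx < 0 || (size_t)idx >= AFD_DISPATCH_KNOWN)
        return NULL;
    return afd_irp_call_dispatch[idx];
}

int main(void)
{
    size_t i;
    for (i = 0; i < AFD_TABLE_LEN; i++) {
        uint32_t code = afd_ioctl_table[i];
        struct ctl_parts std = decode_ctl_code(code);
        const char *name = afd_handler_name(code);
        printf("%08x  CTL_CODE view: type=%#x fn=%#x method=%u | "
               "AFD view: request=%d method=%u -> %s\n",
               code, std.device_type, std.function, std.method,
               afd_request_index(code), code & 3,
               name ? name : "(slot not quoted in the thread)");
    }
    return afd_table_is_dense() ? 0 : 1;
}
```

The generic decode is the trap here: 0x12003 read as a CTL_CODE gives device type 1 and function 0x800, which points nowhere useful, whereas the AFD encoding gives request 0 with METHOD_NEITHER, matching the first dispatch slot. That is the concrete form of Scott's closing caveat: the mapping depends on this driver's private encoding and table layout, so it has to be re-derived for any other driver (or a later AFD) rather than assumed.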
Thanks Scott, I owe you one!
xxxxx@gmail.com wrote:
I’m new to debugging and patch anaylzying of security issues which is patched by microsoft. my problem is that how can I extract the function IOCTL for a driver !? like afd.sys
That’s one of the most confusing paragraphs I’ve ever read. Based on
the follow-ups, I think you are asking “how can I find which function
handles each ioctl in a driver?”
If so, then there is no single answer. All ioctls go to the central
ioctl handler for the driver. You can find the address of that function
in the DRIVER_OBJECT for the driver, in
MajorFunction[IRP_MJ_DEVICE_CONTROL]. Beyond that, every implementation
is different. Many drivers just do a big switch statement:
PIO_STACK_LOCATION piosl = IoGetCurrentIrpStackLocation( Irp );
switch( piosl->Parameters.DeviceIoControl.IoControlCode )
{
case CODE_1:
    /* the work for CODE_1 is done right here, inline */
    break;
/* ... one case per supported code ... */
}
In that, there is no separate function. It’s possible the code might
call a handler in each case, but you can’t tell that from outside.
AFD.SYS apparently has a function table that maps an ioctl code to a
function. That’s another way to do it, but it’s not common, in my
experience.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.