I am currently an intern doing binary security research, mostly looking at drivers. On GitHub I found a fuzzing tool whose range of applicable scenarios is neither large nor small: the systems it supports only go up to Windows 7 (x86 + x64). Still, fuzzing matters a lot for vulnerability discovery, and since the source is available it is worth reading to learn how earlier researchers approached fuzzing.

Most of my notes are marked directly in the source. Anyone interested can clone or fork it from my GitHub (please read Readme.md carefully first). What I post here are only the more important points I ran into while reading the source.

Because of encoding issues all the notes are in English; my English is poor, so bear with it.

GitHub: https://github.com/Iolop/ioctlfuzzer
Important functions (src\driver\src\driver.cpp):

- KernelGetModuleBase (src\driver\src\r0_common\common.cpp)
- KernelGetExportAddress

KeAddSystemServiceTable
This seems like an interesting function. I am not sure how this routine works; here is its assembly code. It is a way to find the SSDT on the x64 platform.
```
kd> uf nt!KeAddSystemServiceTable
nt!KeAddSystemServiceTable:
83dc40f2 8bff            mov     edi,edi
83dc40f4 55              push    ebp
83dc40f5 8bec            mov     ebp,esp                 // sets up the frame, but no sub esp??
83dc40f7 837d1801        cmp     dword ptr [ebp+18h],1
83dc40fb 7760            ja      nt!KeAddSystemServiceTable+0x6b (83dc415d)  Branch <END>

nt!KeAddSystemServiceTable+0xb:
83dc40fd 8b4518          mov     eax,dword ptr [ebp+18h]
83dc4100 c1e004          shl     eax,4
83dc4103 83b8c009da8300  cmp     dword ptr nt!KeServiceDescriptorTable (83da09c0)[eax],0
83dc410a 7551            jne     nt!KeAddSystemServiceTable+0x6b (83dc415d)  Branch

nt!KeAddSystemServiceTable+0x1a:                        // check the preceding instructions and the valid address
83dc410c 8d88000ada83    lea     ecx,nt!KeServiceDescriptorTableShadow (83da0a00)[eax]
83dc4112 833900          cmp     dword ptr [ecx],0
83dc4115 7546            jne     nt!KeAddSystemServiceTable+0x6b (83dc415d)  Branch

nt!KeAddSystemServiceTable+0x25:
83dc4117 837d1801        cmp     dword ptr [ebp+18h],1
83dc411b 8b5508          mov     edx,dword ptr [ebp+8]
83dc411e 56              push    esi
83dc411f 8b7510          mov     esi,dword ptr [ebp+10h]
83dc4122 57              push    edi
83dc4123 8b7d14          mov     edi,dword ptr [ebp+14h]
83dc4126 8911            mov     dword ptr [ecx],edx
83dc4128 8b4d0c          mov     ecx,dword ptr [ebp+0Ch]
83dc412b 8988040ada83    mov     dword ptr nt!KeServiceDescriptorTableShadow+0x4 (83da0a04)[eax],ecx
83dc4131 89b0080ada83    mov     dword ptr nt!KeServiceDescriptorTableShadow+0x8 (83da0a08)[eax],esi
83dc4137 89b80c0ada83    mov     dword ptr nt!KeServiceDescriptorTableShadow+0xc (83da0a0c)[eax],edi
83dc413d 7418            je      nt!KeAddSystemServiceTable+0x65 (83dc4157)  Branch

nt!KeAddSystemServiceTable+0x4d:
83dc413f 8990c009da83    mov     dword ptr nt!KeServiceDescriptorTable (83da09c0)[eax],edx
83dc4145 8988c409da83    mov     dword ptr nt!KeServiceDescriptorTable+0x4 (83da09c4)[eax],ecx
83dc414b 89b0c809da83    mov     dword ptr nt!KeServiceDescriptorTable+0x8 (83da09c8)[eax],esi
83dc4151 89b8cc09da83    mov     dword ptr nt!KeServiceDescriptorTable+0xc (83da09cc)[eax],edi

nt!KeAddSystemServiceTable+0x65:
83dc4157 5f              pop     edi
83dc4158 b001            mov     al,1
83dc415a 5e              pop     esi
83dc415b eb02            jmp     nt!KeAddSystemServiceTable+0x6d (83dc415f)  Branch

nt!KeAddSystemServiceTable+0x6b:
83dc415d 32c0            xor     al,al

nt!KeAddSystemServiceTable+0x6d:
83dc415f 5d              pop     ebp
83dc4160 c21400          ret     14h
```
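To make the listing easier to follow, here is the same control flow re-expressed in C as a user-mode model. This is an added example, not code from ioctlfuzzer or from the Windows kernel: the listing above comes from a 32-bit kernel (the `mov edi,edi` / `push ebp` prologue), and what it shows is a five-argument stdcall routine (`ret 14h` = 5 × 4 bytes) that takes a table base, a count array, a limit, an argument-size table and a table index. Index must be 0 or 1 (`cmp [ebp+18h],1` / `ja`), the selected 16-byte slot (`shl eax,4`) must be empty in both `KeServiceDescriptorTable` and `KeServiceDescriptorTableShadow`, the shadow slot is always filled, and the `je` after the stores skips writing the non-shadow table when the index is 1. The descriptor field names below follow the public `KSERVICE_TABLE_DESCRIPTOR` layout and the function names are assumptions for the model. The absence of `sub esp` in the prologue is simply because the routine has no local variables. Knowing which slot gets written matters for detection work: hooking tools such as this fuzzer patch these tables, so an integrity check needs to cover the shadow table as well as the main one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 16-byte descriptor matching the +0/+4/+8/+0xC stores in the listing
   (shl eax,4 scales the table index by this size). Field names follow the
   public KSERVICE_TABLE_DESCRIPTOR layout; this is a user-mode model, not
   the kernel's own definition. */
typedef struct {
    const uintptr_t *Base;   /* array of service routine addresses */
    uint32_t        *Count;  /* per-service call counters (may be NULL) */
    uint32_t         Limit;  /* number of services in Base */
    const uint8_t   *Number; /* per-service argument-byte counts */
} SERVICE_TABLE_DESCRIPTOR;

/* Models of nt!KeServiceDescriptorTable / nt!KeServiceDescriptorTableShadow.
   Only indices 0 and 1 are accepted; the listing rejects [ebp+18h] > 1. */
#define MAX_TABLE_INDEX 1
static SERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTable[4];
static SERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTableShadow[4];

/* Clears both model tables (the real kernel starts with slot 0 populated). */
void reset_tables(void)
{
    memset(KeServiceDescriptorTable, 0, sizeof KeServiceDescriptorTable);
    memset(KeServiceDescriptorTableShadow, 0, sizeof KeServiceDescriptorTableShadow);
}

/* Re-expression of the disassembly's control flow. Five stdcall arguments
   (ret 14h == 5 * 4 bytes). No locals are needed, which is why the prologue
   has no "sub esp". Returns the AL value: 1 on success, 0 on failure. */
bool model_KeAddSystemServiceTable(const uintptr_t *base, uint32_t *count,
                                   uint32_t limit, const uint8_t *number,
                                   uint32_t index)
{
    if (index > MAX_TABLE_INDEX)                           /* cmp [ebp+18h],1 / ja  */
        return false;
    if (KeServiceDescriptorTable[index].Base != NULL)      /* slot already in use   */
        return false;
    if (KeServiceDescriptorTableShadow[index].Base != NULL)
        return false;

    /* The shadow table slot is always written (stores at 83da0a00 + index*16). */
    KeServiceDescriptorTableShadow[index].Base   = base;
    KeServiceDescriptorTableShadow[index].Count  = count;
    KeServiceDescriptorTableShadow[index].Limit  = limit;
    KeServiceDescriptorTableShadow[index].Number = number;

    /* The je after the stores is taken when index == 1, so the second slot
       (the win32k table) exists only in the shadow table. */
    if (index != 1) {
        KeServiceDescriptorTable[index].Base   = base;
        KeServiceDescriptorTable[index].Count  = count;
        KeServiceDescriptorTable[index].Limit  = limit;
        KeServiceDescriptorTable[index].Number = number;
    }
    return true;                                           /* mov al,1 */
}

/* Accessor so the model's state can be inspected from outside. */
uint32_t model_table_limit(bool shadow, uint32_t index)
{
    return shadow ? KeServiceDescriptorTableShadow[index].Limit
                  : KeServiceDescriptorTable[index].Limit;
}
```

Registering a table at index 0 populates both tables, index 1 lands only in the shadow table, and a second registration into an occupied slot (or any index above 1) returns 0, exactly as the three conditional branches in the listing dictate.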
SetUpHooks: the hook setup for the x64 platform (src\driver\src)
Continuing through this file, I found that this tool appears to store the fuzzer options in the registry. It has three functions for that:

- SaveFuzzerOptions
- DeleteSavedFuzzerOptions
- LoadFuzzerOptions

DriverDispatch
The most important and most complicated function.
```cpp
NTSTATUS DriverDispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    PIO_STACK_LOCATION stack;
    NTSTATUS ns = STATUS_SUCCESS;

    Irp->IoStatus.Status = ns;
    Irp->IoStatus.Information = 0;

    stack = IoGetCurrentIrpStackLocation(Irp);

    if (stack->MajorFunction == IRP_MJ_DEVICE_CONTROL)
    {
        ULONG Code = stack->Parameters.DeviceIoControl.IoControlCode;
        ULONG Size = stack->Parameters.DeviceIoControl.InputBufferLength;
        // buffered I/O: the caller's input is in the system buffer
        PREQUEST_BUFFER Buff = (PREQUEST_BUFFER)Irp->AssociatedIrp.SystemBuffer;

#ifdef DBG_IO
        DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): IRP_MJ_DEVICE_CONTROL 0x%.8x\n", Code);
#endif
        Irp->IoStatus.Information = Size;

        switch (Code)
        {
        case IOCTL_DRV_CONTROL:
            {
                Buff->Status = S_ERROR;

                if (Size >= sizeof(REQUEST_BUFFER)) // InputBufferLength >= sizeof(REQUEST_BUFFER)
                {
                    ULONG KdCommandLength = 0;
                    IOCTL_FILTER Flt;
                    RtlZeroMemory(&Flt, sizeof(Flt));

                    if (Buff->AddObject.bDbgcbAction && Size > sizeof(REQUEST_BUFFER))
                    {
                        // check for zero byte at the end of the string
                        if (Buff->Buff[Size - sizeof(REQUEST_BUFFER) - 1] != 0)
                        {
                            goto _bad_addobj_request;
                        }
                        // debugger command available
                        KdCommandLength = strlen(Buff->Buff) + 1;
                    }
                    // (excerpt ends here)
```
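The opening of DriverDispatch is a length-validation pattern worth understanding on its own, because an IOCTL handler that trusts InputBufferLength or calls strlen() on an unterminated string is exactly the kind of bug an IOCTL fuzzer is built to find. The following user-mode model is an added example, not code from ioctlfuzzer: it reproduces the same order of checks (header must fit; a command string, if present, must end in NUL before strlen() is allowed to touch it) over a constructed request layout. REQUEST_HEADER, its Status and bDbgcbAction fields, and the helper names are assumptions made for the model; the real REQUEST_BUFFER has more fields.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the fixed part of the project's REQUEST_BUFFER:
   a header that every IOCTL_DRV_CONTROL request must contain in full, optionally
   followed by a NUL-terminated debugger command string. Field names are
   assumptions for this model. */
typedef struct {
    uint32_t Status;        /* written back by the driver (S_ERROR until success) */
    uint32_t bDbgcbAction;  /* non-zero: a debugger command follows the header */
} REQUEST_HEADER;

enum { REQ_REJECTED = -1 };

/* Same validation order as DriverDispatch: the header must fit inside Size,
   and if a command is present its last byte must be NUL before strlen() runs.
   Returns the command length including the terminator (KdCommandLength),
   0 when no command was sent, or REQ_REJECTED for a malformed request. */
int validate_control_request(const uint8_t *in, size_t size)
{
    REQUEST_HEADER hdr;

    if (size < sizeof(REQUEST_HEADER))
        return REQ_REJECTED;                     /* header truncated */
    memcpy(&hdr, in, sizeof hdr);                /* copy out: no misaligned access */

    if (!hdr.bDbgcbAction || size == sizeof(REQUEST_HEADER))
        return 0;                                /* no command string supplied */

    const char *cmd = (const char *)in + sizeof(REQUEST_HEADER);
    size_t tail = size - sizeof(REQUEST_HEADER);
    if (cmd[tail - 1] != '\0')
        return REQ_REJECTED;                     /* unterminated: strlen would read past Size */

    return (int)strlen(cmd) + 1;                 /* KdCommandLength */
}

/* Builds a request into a caller-supplied buffer and returns its byte size
   (0 if it does not fit). `terminate` controls whether the NUL is appended,
   so the reject path can be exercised deliberately. */
size_t build_control_request(uint8_t *out, size_t cap, uint32_t dbg_action,
                             const char *cmd, int terminate)
{
    REQUEST_HEADER hdr = { 0, dbg_action };
    size_t n = sizeof hdr;
    size_t len = cmd ? strlen(cmd) : 0;

    if (n + len + (terminate ? 1 : 0) > cap)
        return 0;
    memcpy(out, &hdr, sizeof hdr);
    if (cmd) {
        memcpy(out + n, cmd, len);
        n += len;
        if (terminate)
            out[n++] = '\0';
    }
    return n;
}
```

A well-formed request ("kb" plus its terminator after the 8-byte header, 11 bytes in total) yields a command length of 3; the same bytes without the terminator are rejected before strlen() is ever called, and a buffer shorter than the header is rejected outright.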