详解如何利用Windows设备驱动
2009-02-12 13:55:33 来源:WEB开发网
含漏洞的驱动样本
这是含漏洞驱动的样例代码，文章接下来将尝试攻击它。这个驱动基于 Iczelion 的框架模型。
; buggy.asm start
.386
.MODEL FLAT, STDCALL
OPTION CASEMAP:NONE

; MASM (Intel syntax), 32-bit kernel-mode driver built on the Iczelion/KmdKit
; include set. Path separators were lost in the listing and are restored as '\'.
INCLUDE D:\masm32\include\windows.inc
INCLUDE inc\string.INC
INCLUDE inc\ntstruc.INC
INCLUDE inc\ntddk.INC
INCLUDE inc\ntoskrnl.INC
INCLUDE inc\NtDll.INC

INCLUDELIB D:\masm32\lib\wdm.lib
INCLUDELIB D:\masm32\lib\ntoskrnl.lib
INCLUDELIB D:\masm32\lib\ntdll.lib

.CONST
; Device object pointer filled in by IoCreateDevice in DriverEntry and read
; back by DriverUnload. NOTE(review): a variable that is written at runtime
; conventionally lives in .DATA, not .CONST — confirm the CONST segment is not
; mapped read-only in this build, or the store in DriverEntry would fault.
pDevObj PDEVICE_OBJECT 0

; NT object-manager names for the device and its DOS-device symbolic link.
TEXTW szDevPath, <\Device\BUGGY\0>
TEXTW szSymPath, <\DosDevices\BUGGY\0>

.CODE
assume fs:NOTHING
;-----------------------------------------------------------------------
; NTSTATUS DriverDispatch(PDRIVER_OBJECT pDriverObject, PIRP pIrp)
; Single dispatch routine; DriverEntry registers it for IRP_MJ_CREATE and
; IRP_MJ_DEVICE_CONTROL. Every IRP is completed with STATUS_SUCCESS; only
; IOCTL 011111111h does any work.
;
; SECURITY — this is the intentionally vulnerable part of the sample:
;   the 011111111h handler reads two pointers out of the input buffer and
;   uses them unchanged as destination and source of a 512-byte copy.
;   Missing checks a hardened driver must have:
;     - InputBufferLength is never verified to be >= 8 bytes;
;     - neither pointer is probed (ProbeForRead / ProbeForWrite) nor is
;       the copy guarded by an exception handler;
;     - the device is created with default security in DriverEntry, so
;       presumably any local user can open it — confirm.
;   Net effect: a caller that can open the device controls a 512-byte
;   copy executed in kernel context. The fix is to validate the length,
;   probe both ranges under SEH, and fail the request with an error
;   status (not STATUS_SUCCESS) when validation fails.
; In:    pIrp = IRP to service; pDriverObject is unused here
; Out:   eax = STATUS_SUCCESS (always)
; Clobb: eax, ecx, edx, flags (esi/edi/ebx restored by 'uses')
;-----------------------------------------------------------------------
DriverDispatch proc uses esi edi ebx, pDriverObject, pIrp
    mov edi, pIrp
    assume edi:PTR _IRP
    sub eax, eax                            ; eax = 0
    mov [edi].IoStatus.Information, eax     ; bytes transferred = 0
    mov [edi].IoStatus.Status, eax          ; 0 = STATUS_SUCCESS
    assume edi:NOTHING
    ; esi = current I/O stack location (field name as defined by the
    ; author's ntstruc.INC; equivalent of IoGetCurrentIrpStackLocation)
    mov esi, (_IRP PTR [edi]).PCurrentIrpStackLocation
    assume esi:PTR IO_STACK_LOCATION
    .IF [esi].MajorFunction == IRP_MJ_DEVICE_CONTROL
        ; IOCTL code compared as a raw constant rather than a CTL_CODE value
        mov eax, [esi].DeviceIoControl.IoControlCode
        .IF eax == 011111111h
            mov eax, (_IRP ptr [edi]).SystemBuffer  ; in buffer (I/O manager copy of the caller's input)
            test eax, eax
            jz no_write                     ; NULL input buffer is the ONLY validation present
            mov edi, [eax]                  ; [inbuffer] = dest   — caller-supplied, unvalidated
            mov esi, [eax+4]                ; [inbuffer+4] = src  — caller-supplied, unvalidated
            mov ecx, 512                    ; ecx = 512 bytes (fixed size, no length check)
            rep movsb                       ; copy: 512 bytes between caller-chosen addresses, in kernel mode (assumes DF = 0)
no_write:
        .ENDIF
    .ENDIF
    assume esi:NOTHING
    ; IoCompleteRequest uses the FASTCALL convention: ecx = Irp, edx = PriorityBoost
    mov edx, IO_NO_INCREMENT                ; special calling
    mov ecx, pIrp
    call IoCompleteRequest
    mov eax, STATUS_SUCCESS                 ; returned even for unknown IOCTLs / majors
    ret
DriverDispatch ENDP
;-----------------------------------------------------------------------
; VOID DriverUnload(PDRIVER_OBJECT DriverObject)
; Undoes DriverEntry's setup in reverse order: removes the DOS-device
; symbolic link named by szSymPath, then deletes the device object whose
; pointer DriverEntry stored in pDevObj.
; In:    DriverObject (not used by the body)
; Out:   nothing
;-----------------------------------------------------------------------
DriverUnload proc uses ebx esi edi, DriverObject
    local usSymLink:UNICODE_STRING

    ; Counted string for the symbolic link, then drop the link first so
    ; no new opens can reach the device while it is being torn down.
    invoke RtlInitUnicodeString, ADDR usSymLink, OFFSET szSymPath
    invoke IoDeleteSymbolicLink, ADDR usSymLink

    ; pDevObj is the device created by IoCreateDevice in DriverEntry.
    invoke IoDeleteDevice, pDevObj
    ret
DriverUnload ENDP
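.CODE INIT
;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegPath)
; Creates the device named by szDevPath, links it under szSymPath, and
; points IRP_MJ_CREATE / IRP_MJ_DEVICE_CONTROL at DriverDispatch and the
; unload routine at DriverUnload.
; In:    DriverObject = driver object supplied by the I/O manager
;        RegPath      = registry path (unused)
; Out:   eax = STATUS_SUCCESS, or the failing NTSTATUS from
;        IoCreateDevice / IoCreateSymbolicLink
; Fix:   if IoCreateSymbolicLink fails, the device object created just
;        before is now deleted before returning; the original returned
;        the error and leaked the device object (DriverUnload is not yet
;        registered at that point, so nothing else would have freed it).
; NOTE(review): IRP_MJ_CLOSE is not registered; presumably the I/O
;        manager's default handling for unregistered majors is acceptable
;        for this sample — confirm.
;-----------------------------------------------------------------------
DriverEntry proc uses ebx esi edi, DriverObject, RegPath
    local usDev:UNICODE_STRING
    local usSym:UNICODE_STRING

    ; Create the device object; its pointer lands in pDevObj.
    invoke RtlInitUnicodeString, ADDR usDev, OFFSET szDevPath
    invoke IoCreateDevice, DriverObject, 0, ADDR usDev, FILE_DEVICE_NULL, 0, \
                           FALSE, OFFSET pDevObj
    test eax, eax                           ; success is exactly STATUS_SUCCESS (0)
    jnz epr                                 ; nothing allocated yet: return the error as-is

    ; Create the user-visible symbolic link to the device.
    invoke RtlInitUnicodeString, ADDR usSym, OFFSET szSymPath
    invoke IoCreateSymbolicLink, ADDR usSym, ADDR usDev
    test eax, eax
    jnz epr_delete_device                   ; link failed: release the device before returning

    ; Wire up the dispatch table and the unload routine.
    mov esi, DriverObject
    assume esi:PTR DRIVER_OBJECT
    mov [esi].PDISPATCH_IRP_MJ_DEVICE_CONTROL, OFFSET DriverDispatch
    mov [esi].PDISPATCH_IRP_MJ_CREATE, OFFSET DriverDispatch
    mov [esi].PDRIVER_UNLOAD, OFFSET DriverUnload
    assume esi:NOTHING
    mov eax, STATUS_SUCCESS
epr:
    ret                                     ; MASM emits the 'uses' epilogue here

epr_delete_device:
    ; Keep the NTSTATUS from IoCreateSymbolicLink across the cleanup call.
    push eax
    invoke IoDeleteDevice, pDevObj
    pop eax
    ret
DriverEntry ENDP
End DriverEntry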
; buggy.asm ends