
详解如何利用Windows设备驱动

 2009-02-12 13:55:33 来源:WEB开发网   
核心提示: 含漏洞的驱动样本这是含漏洞驱动的样例代码,我们将会在文章接下来尝试攻击它,详解如何利用Windows设备驱动(3),这个驱动基于 Iczelion 的框架模型,;buggy.asmstart.386.MODELFLAT,STDCALLOPTIONCASEMAP:NONEINCLUDED:m

含漏洞的驱动样本

这是含漏洞驱动的样例代码,我们将会在文章接下来尝试攻击它。这个驱动基于 Iczelion 的框架模型。

   ; buggy.asm start
   ;
   ; Intentionally vulnerable sample driver that the article uses as its
   ; target. Iczelion-style MASM kernel-driver framework: 32-bit x86 kernel
   ; mode, flat model, STDCALL; kernel imports resolved through the
   ; framework's inc\ files and wdm.lib / ntoskrnl.lib / ntdll.lib.
   ; NOTE(review): the web listing dropped every backslash; the path
   ; separators below were restored from the obvious originals.
  .386
  .MODEL FLAT, STDCALL
  OPTION CASEMAP:NONE                          ; identifiers are case-sensitive
  INCLUDE D:\masm32\include\windows.inc
  INCLUDE inc\string.INC                       ; provides the TEXTW macro used below
  INCLUDE inc\ntstruc.INC                      ; _IRP, IO_STACK_LOCATION, DRIVER_OBJECT layouts
  INCLUDE inc\ntddk.INC
  INCLUDE inc\ntoskrnl.INC
  INCLUDE inc\NtDll.INC
  INCLUDELIB D:\masm32\lib\wdm.lib
  INCLUDELIB D:\masm32\lib\ntoskrnl.lib
  INCLUDELIB D:\masm32\lib\ntdll.lib

  .CONST
  ; Device object pointer: written by IoCreateDevice in DriverEntry (passed as
  ; OFFSET pDevObj) and read back by DriverUnload.
  ; NOTE(review): it lives in .CONST although the kernel writes to it —
  ; confirm this framework emits .CONST as writable, otherwise the store faults.
  pDevObj PDEVICE_OBJECT 0
  ; NT device name and the user-visible \DosDevices link to it. The string
  ; terminator appears as "/0" in the listing; presumably TEXTW accepts
  ; that form — confirm against inc\string.INC.
  TEXTW szDevPath, <\Device\BUGGY/0>
  TEXTW szSymPath, <\DosDevices\BUGGY/0>

  .CODE
  assume fs:NOTHING                            ; drop any fs: assumption made by the includes
  ;-----------------------------------------------------------------------
  ; NTSTATUS DriverDispatch(PDRIVER_OBJECT pDriverObject, PIRP pIrp)
  ;
  ; Dispatch routine for IRP_MJ_CREATE and IRP_MJ_DEVICE_CONTROL (DriverEntry
  ; routes both majors here). Every IRP is completed with
  ; IoStatus.Status = 0 (STATUS_SUCCESS) and Information = 0.
  ;
  ; VULNERABILITY (this is the bug the article targets):
  ;   For IOCTL 011111111h the handler reads two raw pointers out of the
  ;   caller's input buffer, dest = [SystemBuffer] and src = [SystemBuffer+4],
  ;   and executes rep movsb for 512 bytes. Nothing is validated except that
  ;   SystemBuffer itself is non-NULL:
  ;     - InputBufferLength is never checked (buffer may be < 8 bytes),
  ;     - neither pointer is probed (no ProbeForRead / ProbeForWrite),
  ;     - METHOD_BUFFERED only copies the 8-byte buffer into kernel memory;
  ;       the addresses stored inside it still point wherever the user chose.
  ;   Result: a kernel-mode copy of 512 bytes from a user-chosen source to a
  ;   user-chosen destination, i.e. an arbitrary kernel memory write.
  ;
  ; Out:   eax = STATUS_SUCCESS (always)
  ; Regs:  edi = pIrp, later the copy destination
  ;        esi = current IO_STACK_LOCATION, later the copy source
  ;        ecx/edx = IoCompleteRequest arguments (see below)
  ;-----------------------------------------------------------------------
  DriverDispatch proc uses esi edi ebx, pDriverObject, pIrp
        mov     edi, pIrp
        assume  edi:PTR _IRP
        sub     eax, eax                     ; eax = 0
        mov     [edi].IoStatus.Information, eax
        mov     [edi].IoStatus.Status, eax   ; success is preset for every IRP
        assume  edi:NOTHING
        mov     esi, (_IRP PTR [edi]).PCurrentIrpStackLocation
        assume  esi:PTR IO_STACK_LOCATION
        .IF [esi].MajorFunction == IRP_MJ_DEVICE_CONTROL
        mov     eax, [esi].DeviceIoControl.IoControlCode
        .IF eax == 011111111h                ; the single IOCTL this driver implements
        mov     eax, (_IRP ptr [edi]).SystemBuffer ; inbuffer: kernel copy of the user's input buffer
        test    eax, eax
        jz      no_write                     ; only a NULL buffer is rejected; its length is never checked
        mov     edi, [eax]                   ; [inbuffer]   = dest (user-supplied, unprobed)
        mov     esi, [eax+4]                 ; [inbuffer+4] = src  (user-supplied, unprobed)
        mov     ecx, 512                     ; ecx = 512 bytes
        rep     movsb                        ; copy: 512-byte write to a user-chosen address
  no_write:
        .ENDIF
        .ENDIF
        assume  esi:NOTHING
        ; "special calling" (author's note): arguments are passed in registers
        ; instead of via invoke — Irp in ecx, PriorityBoost in edx. This is the
        ; FASTCALL shape; presumably the framework binds IoCompleteRequest to
        ; the FASTCALL kernel export — confirm in inc\ntoskrnl.INC.
        mov     edx, IO_NO_INCREMENT
        mov     ecx, pIrp
        call    IoCompleteRequest
        mov     eax, STATUS_SUCCESS
        ret
  DriverDispatch ENDP
  ;-----------------------------------------------------------------------
  ; VOID DriverUnload(PDRIVER_OBJECT DriverObject)
  ;
  ; Undoes DriverEntry's setup: removes the \DosDevices symbolic link, then
  ; deletes the device object whose address DriverEntry stored in pDevObj.
  ; DriverObject is not used. Return value is ignored by the I/O manager.
  ;-----------------------------------------------------------------------
  DriverUnload proc uses ebx esi edi, DriverObject
        local   usLink:UNICODE_STRING

        ; Rebuild the link name; szSymPath is the same constant DriverEntry
        ; used when the link was created.
        invoke  RtlInitUnicodeString, ADDR usLink, OFFSET szSymPath
        invoke  IoDeleteSymbolicLink, ADDR usLink

        ; pDevObj was filled in by IoCreateDevice during DriverEntry.
        invoke  IoDeleteDevice, pDevObj
        ret
  DriverUnload ENDP
  .CODE INIT                                   ; DriverEntry lives in INIT, which the kernel can discard after load
  ;-----------------------------------------------------------------------
  ; NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegPath)
  ;
  ; Creates the device named by szDevPath, links it under \DosDevices via
  ; szSymPath so user mode can open it, and routes IRP_MJ_CREATE and
  ; IRP_MJ_DEVICE_CONTROL to DriverDispatch. No security descriptor is
  ; applied to the device, so the IOCTL handled by DriverDispatch is reachable
  ; from user mode (presumably by any local user) — that exposure is what
  ; makes the copy bug in DriverDispatch exploitable. RegPath is unused.
  ;
  ; Out:   eax = STATUS_SUCCESS, or the NTSTATUS returned by IoCreateDevice /
  ;        IoCreateSymbolicLink, propagated unchanged through epr.
  ;-----------------------------------------------------------------------
  DriverEntry proc uses ebx esi edi, DriverObject, RegPath
        local   usDev:UNICODE_STRING
        local   usSym:UNICODE_STRING

        invoke  RtlInitUnicodeString, ADDR usDev, OFFSET szDevPath
        ; No device extension, FILE_DEVICE_NULL, no characteristics,
        ; Exclusive = FALSE; the new DEVICE_OBJECT* is stored into pDevObj.
        invoke  IoCreateDevice, DriverObject, 0, ADDR usDev, FILE_DEVICE_NULL, 0, \
                FALSE, OFFSET pDevObj
        test    eax, eax                     ; STATUS_SUCCESS == 0
        jnz     epr                          ; return the failing NTSTATUS as-is
        invoke  RtlInitUnicodeString, ADDR usSym, OFFSET szSymPath
        invoke  IoCreateSymbolicLink, ADDR usSym, ADDR usDev
        test    eax, eax
        jnz     epr                          ; NOTE(review): the device created above is not
                                             ;   deleted on this failure path (leaks the object)
        mov     esi, DriverObject
        assume  esi:PTR DRIVER_OBJECT
        ; Both majors go to the same handler; IRP_MJ_CREATE has to complete
        ; successfully for a user-mode open of the \DosDevices link to work.
        mov     [esi].PDISPATCH_IRP_MJ_DEVICE_CONTROL, OFFSET DriverDispatch
        mov     [esi].PDISPATCH_IRP_MJ_CREATE, OFFSET DriverDispatch
        mov     [esi].PDRIVER_UNLOAD, OFFSET DriverUnload
        assume  esi:NOTHING
        mov     eax, STATUS_SUCCESS
  epr:
        ret
  DriverEntry ENDP
  End DriverEntry                              ; module entry point
  ; buggy.asm ends


