@ -43,9 +43,31 @@ Registeration of APCS:
# HWID
```cpp
BEDaisy opens a handle to DR0 (disk.sys).
```
02646022 190.98799133 [GoodEye]ZwOpenFile called from: 0xFFFFF804DEFDB904
02646023 190.98799133 [GoodEye] - ZwOpenFile(\Device\Harddisk0\DR0)
02646024 190.98869324 [GoodEye] - ZwOpenFile handle result: 0xFFFFFFFF80003E28
```
BEDaisy then sends a few IOCTL's to disk.sys using `ZwDeviceIoControlFile`
```
02646049 190.99142456 [GoodEye]ZwDeviceIoControlFile Called From 0xFFFFF804DEFDB94A
02646050 190.99143982 [GoodEye] - FileHandle: 0xFFFFFFFF80003E28
02646051 190.99143982 [GoodEye] - IoControlCode: 0x00000000002D1400
02646052 190.99143982 [GoodEye] - OutputBufferLength: 0x0000000000000008
02646053 190.99143982 [GoodEye] - InoutBufferLength: 0x000000000000000C
02646059 190.99192810 [GoodEye]ZwDeviceIoControlFile Called From 0xFFFFF804DEFDB960
02646060 190.99192810 [GoodEye] - FileHandle: 0xFFFFFFFF80003E28
02646061 190.99192810 [GoodEye] - IoControlCode: 0x00000000002D1400
02646062 190.99192810 [GoodEye] - OutputBufferLength: 0x0000000000000000
02646063 190.99194336 [GoodEye] - InoutBufferLength: 0x000000000000000C
02646072 190.99209595 [GoodEye]ZwDeviceIoControlFile Called From 0xFFFFF804DEFDB9B1
02646073 190.99211121 [GoodEye] - FileHandle: 0xFFFFFFFF80003E28
02646074 190.99211121 [GoodEye] - IoControlCode: 0x000000000007C088
02646075 190.99211121 [GoodEye] - OutputBufferLength: 0x0000000000000211
02646076 190.99211121 [GoodEye] - InoutBufferLength: 0x0000000000000021
02646076 190.99211121 [GoodEye] - InoutBufferLength: 0x0000000000000021
```
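Review bot: the code fences in this hunk are inverted, so the prose ends up inside the code blocks and the GoodEye log lines render as plain paragraphs. The ```cpp fence opened before "BEDaisy opens a handle to DR0 (disk.sys)." is closed immediately after that sentence, leaving the three ZwOpenFile lines unfenced; the same happens with "BEDaisy then sends a few IOCTL's to disk.sys ..." and the ZwDeviceIoControlFile lines, and the final ``` has no closing fence within the hunk. Move each opening fence to just before the first log line of its block and close it after the last one; a plain ``` is enough since this is logger output rather than C++, and `IOCTL's` should read `IOCTLs`. The last line (`02646076 190.99211121 [GoodEye] - InoutBufferLength: 0x0000000000000021`) is pasted twice, so drop the duplicate, and `InoutBufferLength` in the logger output looks like a misspelling of InputBufferLength that is worth a one-line note so readers do not go looking for a different parameter. It would also help to name the control codes next to the raw values: 0x2D1400 is IOCTL_STORAGE_QUERY_PROPERTY (the 0xC-byte input matches STORAGE_PROPERTY_QUERY and the 8-byte output of the first call matches STORAGE_DESCRIPTOR_HEADER), and 0x7C088 is SMART_RCV_DRIVE_DATA, whose 0x21-byte input and 0x211-byte output match sizeof(SENDCMDINPARAMS) and sizeof(SENDCMDOUTPARAMS) plus the 512-byte ATA IDENTIFY DEVICE buffer; stating that makes it clear to the reader that this section is the disk-serial component of the HWID.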