Paste V1.1

ida_pages/ioctl_hook_setup.html

@@ -0,0 +1,71 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>IDA - driver.sys.i64 (driver.sys) C:\Users\xerox\Desktop\amlegit.com\driver.sys.i64</title>
+</head>
+<body bgcolor="#ffffff">
+<span style="white-space: pre; font-family: Consolas; color: blue; background: #ffffff">
+
+<span style="color:gray">__int64 __fastcall ioctl_hook_setup(__int64 DRIVER_OBJECT)
+</span><span style="color:navy">{
+  </span><span style="color:gray">// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-&quot;+&quot; TO EXPAND]
+
+  </span><span style="color:#8080ff">device_name </span><span style="color:navy">= (</span><span style="color:gray">const UNICODE_STRING *</span><span style="color:navy">)(</span><span style="color:#8080ff">DRIVER_OBJECT </span><span style="color:navy">+ 0x38);
+  </span><span style="color:#8080ff">pdriver_object </span><span style="color:navy">= (</span><span style="color:gray">struct _DRIVER_OBJECT *</span><span style="color:navy">)</span><span style="color:#8080ff">DRIVER_OBJECT</span><span style="color:navy">;
+  </span>debug_with_prefix<span style="color:navy">((</span><span style="color:gray">__int64</span><span style="color:navy">)&quot;</span><span style="color:green">Going to %wZ @ 0x%p\n&quot;</span><span style="color:navy">, </span><span style="color:#8080ff">DRIVER_OBJECT </span><span style="color:navy">+ 0x38, </span><span style="color:#8080ff">DRIVER_OBJECT</span><span style="color:navy">);
+  if ( !</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">-&gt;DeviceObject )
+  {
+    </span><span style="color:#8080ff">register_result </span><span style="color:navy">= </span>register_device<span style="color:navy">(</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">, (</span><span style="color:gray">PDEVICE_OBJECT *</span><span style="color:navy">)&amp;</span>qword_140006180<span style="color:navy">);
+    if ( (</span><span style="color:#8080ff">register_result &amp; </span><span style="color:navy">0xC0000000) == 0xC0000000 )
+    {
+      </span>debug_with_prefix<span style="color:navy">((</span><span style="color:gray">__int64</span><span style="color:navy">)&quot;</span><span style="color:green">Failed to create Device!\n&quot;</span><span style="color:navy">);
+      return </span><span style="color:#8080ff">register_result</span><span style="color:navy">;
+    </span><span style="background:#8080ff"></span><span style="color:navy">}
+    </span><span style="color:#8080ff">v5 </span><span style="color:navy">= 1;
+    goto LABEL_11;
+  </span><span style="background:navy"></span><span style="color:navy">}
+  if ( !</span><span style="color:#ff00ff">ObQueryNameInfo</span><span style="color:navy">() )
+  {
+    </span><span style="color:#8080ff">print_string </span><span style="color:navy">= &quot;</span><span style="color:green">Unnamed device. Skipping.\n&quot;</span><span style="color:navy">;
+LABEL_7:
+    </span>debug_with_prefix<span style="color:navy">((</span><span style="color:gray">__int64</span><span style="color:navy">)</span><span style="color:#8080ff">print_string</span><span style="color:navy">);
+    return 0xC0000002i64;                       </span><span style="color:green">// STATUS_NOT_IMPLEMENTED
+  </span><span style="background:navy"></span><span style="color:navy">}
+  </span><span style="color:#ff00ff">RtlInitUnicodeString</span><span style="color:navy">(&amp;</span><span style="color:#8080ff">gpu_energy_drv_str</span><span style="color:navy">, </span><span style="color:#8080ff">L&quot;</span><span style="color:green">\\Driver\\GpuEnergyDrv&quot;</span><span style="color:navy">);
+  if ( !</span><span style="color:#ff00ff">RtlEqualUnicodeString</span><span style="color:navy">(&amp;</span><span style="color:#8080ff">gpu_energy_drv_str</span><span style="color:navy">, </span><span style="color:#8080ff">device_name</span><span style="color:navy">, 0) )
+  {
+    </span><span style="color:#8080ff">print_string </span><span style="color:navy">= &quot;</span><span style="color:green">Not our target driver. Skipping.\n&quot;</span><span style="color:navy">;
+    goto LABEL_7;
+  </span><span style="background:navy"></span><span style="color:navy">}
+  </span>original_ioctl <span style="color:navy">= </span>install_ioctl_hook<span style="color:navy">((</span><span style="color:gray">__int64</span><span style="color:navy">)</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">, (</span><span style="color:gray">__int64</span><span style="color:navy">)</span>ioctl_inline_hook<span style="color:navy">);
+  </span><span style="color:#8080ff">v5 </span><span style="color:navy">= 0;
+LABEL_11:
+  </span>byte_140006188 <span style="color:navy">= </span><span style="color:#8080ff">v5</span><span style="color:navy">;
+  </span>qword_140006180 <span style="color:navy">= (</span><span style="color:gray">__int64</span><span style="color:navy">)</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">-&gt;DeviceObject;
+  if ( (</span>sub_1400044CC<span style="color:navy">(</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">-&gt;MajorFunction, </span>qword_1400060A0<span style="color:navy">, 28i64) &amp; 0xC0000000) == 0xC0000000 )
+  {
+    if ( </span>byte_140006188 <span style="color:navy">== 1 )
+      </span>sub_140001544<span style="color:navy">(&amp;</span>qword_140006180<span style="color:navy">);
+    </span>byte_140006188 <span style="color:navy">= 0;
+    </span><span style="color:#8080ff">result </span><span style="color:navy">= 0xC0000305i64;
+  </span><span style="background:navy"></span><span style="color:navy">}
+  else
+  {
+    </span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">-&gt;MajorFunction[0] = (</span><span style="color:gray">PDRIVER_DISPATCH</span><span style="color:navy">)</span>IRP_MJ_CREATE<span style="color:navy">;
+    </span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">-&gt;MajorFunction[2] = (</span><span style="color:gray">PDRIVER_DISPATCH</span><span style="color:navy">)</span>IRP_MJ_CLOSE<span style="color:navy">;
+    </span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">-&gt;MajorFunction[14] = (</span><span style="color:gray">PDRIVER_DISPATCH</span><span style="color:navy">)</span>IOCTL_HOOK_FUNCTION<span style="color:navy">;
+    </span>pdriver_obj <span style="color:navy">= (</span><span style="color:gray">__int64</span><span style="color:navy">)</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">;
+    if ( (</span><span style="color:gray">int</span><span style="color:navy">)</span>sub_140001438<span style="color:navy">(</span>qword_140006180<span style="color:navy">) &lt; 0 )
+      </span>debug_with_prefix<span style="color:navy">((</span><span style="color:gray">__int64</span><span style="color:navy">)&quot;</span><span style="color:green">Failed to create symlink\n&quot;</span><span style="color:navy">);
+    if ( </span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">-&gt;DriverUnload )
+    {
+      </span>driver_unload_orig <span style="color:navy">= (</span><span style="color:gray">__int64</span><span style="color:navy">)</span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">-&gt;DriverUnload;
+      </span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">-&gt;DriverUnload = (</span><span style="color:gray">PDRIVER_UNLOAD</span><span style="color:navy">)</span>new_driver_unload<span style="color:navy">;
+    </span><span style="background:blue"></span><span style="color:navy">}
+    </span>debug_with_prefix<span style="color:navy">((</span><span style="color:gray">__int64</span><span style="color:navy">)&quot;</span><span style="color:green">Successfully hooked %wZ @ 0x%p\n&quot;</span><span style="color:navy">, </span><span style="color:#8080ff">device_name</span><span style="color:navy">, </span><span style="color:#8080ff">pdriver_object</span><span style="color:navy">);
+    </span><span style="color:#8080ff">result </span><span style="color:navy">= 0i64;
+  </span><span style="background:navy"></span><span style="color:navy">}
+  return </span><span style="color:#8080ff">result</span><span style="color:navy">;
+</span><span style="background:#8080ff"></span><span style="color:navy">}
+</span></body></html>