You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
53 lines
2.1 KiB
53 lines
2.1 KiB
#include "hooks.h"
|
|
|
|
namespace hooks
|
|
{
|
|
NTSTATUS device_control(
|
|
PDEVICE_OBJECT device_obj,
|
|
PIRP irp
|
|
)
|
|
{
|
|
UNREFERENCED_PARAMETER(device_obj);
|
|
PIO_STACK_LOCATION stack_location = IoGetCurrentIrpStackLocation(irp);
|
|
|
|
if (stack_location->Parameters.DeviceIoControl.IoControlCode == INTEL_LAN_DRIVER_IOCTL)
|
|
{
|
|
if (stack_location->Parameters.DeviceIoControl.InputBufferLength)
|
|
{
|
|
PCOPY_MEMORY_BUFFER_INFO copy_memory_buffer = reinterpret_cast<PCOPY_MEMORY_BUFFER_INFO>(stack_location->Parameters.SetFile.DeleteHandle);
|
|
|
|
//
|
|
// if case is memmove and the destination is in the kernel (pml4 index is > 255)
|
|
//
|
|
if (copy_memory_buffer->case_number == INTEL_LAN_COPY_CASE_NUMBER)
|
|
{
|
|
if (virt_addr_t{ copy_memory_buffer->destination }.pml4_index > 255)
|
|
{
|
|
//
|
|
// there are a few writes of size 0xC (inline jump code) we can skip those.
|
|
//
|
|
if (copy_memory_buffer->length > 0x20)
|
|
{
|
|
DBG_PRINT("=============== Dumping Memory ==============");
|
|
DBG_PRINT(
|
|
"Copying memory from 0x%p to 0x%p of size 0x%x",
|
|
copy_memory_buffer->source,
|
|
copy_memory_buffer->destination,
|
|
copy_memory_buffer->length
|
|
);
|
|
|
|
//
|
|
// dump memory from inside of the calling process to disk.
|
|
//
|
|
driver_util::mem_dump(
|
|
copy_memory_buffer->source,
|
|
copy_memory_buffer->length
|
|
);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
return reinterpret_cast<decltype(&device_control)>(orig_device_control)(device_obj, irp);
|
|
}
|
|
} |