Create a gist now

Instantly share code, notes, and snippets.

Embed

PyExZ3 Example with HackSysExtremeVulnerableDriver

TL;DR: Using symbolic execution to recover driver IOCTL codes that are computed at runtime.

The goal here is to find valid IOCTL codes for the HackSysExtremeVulnerableDriver by analyzing the binary. The control flow varies between the binary and source due to compiler optimizations. This results in a situation where only a few IOCTL codes in the assembly are represented as a constant with the remaining being computed at runtime.

The code in hevd_ioctl.py is a approximation of the control flow of the compiled IrpDeviceIoCtlHandler function. The effects of the compiler optimization are more pronounced when comparing this code to the original C function. To comply with requirements of the PyExZ3 module, the target function is named after the script's filename, and the expected_result function is defined. A @symbolic decorator is added to the ioctl parameter to treat it symbolically.

The IOCTL codes are automatically discovered by running pyexz3.py hevd_ioctl.py:

λ "C:\Program Files (x86)\Python36-32\python.exe" pyexz3.py hevd_ioctl.py
PyExZ3 (Python Exploration with Z3)
Exploring hevd_ioctl.hevd_ioctl
[('ioctl', '0x0')]
None
[('ioctl', '0x222020')]
None
[('ioctl', '0x22201f')]
HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT
[('ioctl', '0x222003')]
HACKSYS_EVD_STACKOVERFLOW
[('ioctl', '0x222007')]
HACKSYS_EVD_IOCTL_STACK_OVERFLOW
[('ioctl', '0x22200b')]
HACKSYS_EVD_IOCTL_ARBITRARY_OVERWRITE
[('ioctl', '0x22200f')]
HACKSYS_EVD_IOCTL_POOL_OVERFLOW
[('ioctl', '0x222013')]
HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT
[('ioctl', '0x222017')]
HACKSYS_EVD_IOCTL_USE_UAF_OBJECT
[('ioctl', '0x22201b')]
HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT
[('ioctl', '0x222023')]
HACKSYS_EVD_IOCTL_TYPE_CONFUSION
[('ioctl', '0x222027')]
HACKSYS_EVD_IOCTL_INTEGER_OVERFLOW
[('ioctl', '0x22202b')]
HACKSYS_EVD_IOCTL_NULL_POINTER_DEREFERENCE
[('ioctl', '0x22202f')]
HACKSYS_EVD_IOCTL_UNINITIALIZED_STACK_VARIABLE
[('ioctl', '0x222033')]
HACKSYS_EVD_IOCTL_UNINITIALIZED_HEAP_VARIABLE
[('ioctl', '0x222037')]
HACKSYS_EVD_IOCTL_DOUBLE_FETCH
hevd_ioctl test passed <---

If you'd like to run this on your own, I did the following steps to setup PyExZ3 on Windows:

  1. Download and extract the contents of the PyExZ3 zipball to PyExZ3\.
  2. Download the Z3 release and extract the binaries in z3-4.6.0-x86-win.zip\z3-4.6.0-x86-win\bin\ to PyExZ3\.
  3. Also place the z3 folder (z3-4.6.0-x86-win.zip\z3-4.6.0-x86-win\bin\python\z3) in PyExZ3\.
  4. Place hevd_ioctl.py in PyExZ3\ and run pyexz3.py hevd_ioctl.py.
  5. Optional: Modify the _recordInputs() method in PyExZ3\symbolic\explore.py to return hex values.

There are probably more automated techniques for this use case than re-coding the control-flow logic in Python, but thought I'd share a simple example. Open to thoughts and feedback as always (@Jackson_T)! Thank you to Thomas Ball (PyExZ3) and Ashfaq Ansari (HEVD) for their contributions.

PAGE:0001508E ; int __stdcall IrpDeviceIoCtlHandler(_DEVICE_OBJECT *DeviceObject, _IRP *Irp)
PAGE:0001508E _IrpDeviceIoCtlHandler@8 proc near ; DATA XREF: DriverEntry(x,x)+95↓o
PAGE:0001508E
PAGE:0001508E DeviceObject = dword ptr 8
PAGE:0001508E Irp = dword ptr 0Ch
PAGE:0001508E
PAGE:0001508E mov edi, edi
PAGE:00015090 push ebp
PAGE:00015091 mov ebp, esp
PAGE:00015093 push ebx
PAGE:00015094 push esi
PAGE:00015095 push edi
PAGE:00015096 mov edi, [ebp+Irp]
PAGE:00015099 mov esi, [edi+60h]
PAGE:0001509C mov edx, [esi+0Ch]
PAGE:0001509F mov eax, 22201Fh ; #define HEVD_0x0022201F CTL_CODE(0x22, 0x807, METHOD_NEITHER, FILE_ANY_ACCESS)
PAGE:000150A4 cmp edx, eax
PAGE:000150A6 ja loc_151A2
PAGE:000150AC jz loc_1518A
PAGE:000150B2 mov eax, edx
PAGE:000150B4 sub eax, 222003h ; #define HEVD_0x00222003 CTL_CODE(0x22, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS)
PAGE:000150B9 jz loc_15172
PAGE:000150BF push 4
PAGE:000150C1 pop ecx
PAGE:000150C2 sub eax, ecx
PAGE:000150C4 jz loc_1515A
PAGE:000150CA sub eax, ecx
PAGE:000150CC jz short loc_15142
PAGE:000150CE sub eax, ecx
PAGE:000150D0 jz short loc_1512A
PAGE:000150D2 sub eax, ecx
PAGE:000150D4 jz short loc_15112
PAGE:000150D6 sub eax, ecx
PAGE:000150D8 jz short loc_150FA
PAGE:000150DA sub eax, ecx
PAGE:000150DC jnz loc_151C6
PAGE:000150E2 mov ebx, offset aHacksysEvdIoct ; "****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJEC"...
PAGE:000150E7 push ebx
PAGE:000150E8 call _DbgPrint
PAGE:000150ED pop ecx
PAGE:000150EE push esi ; IrpSp
PAGE:000150EF push edi ; Irp
PAGE:000150F0 call _FreeUaFObjectIoctlHandler@8 ; FreeUaFObjectIoctlHandler(x,x)
PAGE:000150F5 jmp loc_15258
PAGE:000150FA ; ---------------------------------------------------------------------------
PAGE:000150FA
PAGE:000150FA loc_150FA: ; CODE XREF: IrpDeviceIoCtlHandler(x,x)+4A↑j
PAGE:000150FA mov ebx, offset aHacksysEvdIoct_0 ; "****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT"...
PAGE:000150FF push ebx
PAGE:00015100 call _DbgPrint
PAGE:00015105 pop ecx
PAGE:00015106 push esi ; IrpSp
PAGE:00015107 push edi ; Irp
PAGE:00015108 call _UseUaFObjectIoctlHandler@8 ; UseUaFObjectIoctlHandler(x,x)
PAGE:0001510D jmp loc_15258
PAGE:00015112 ; ---------------------------------------------------------------------------
PAGE:00015112
PAGE:00015112 loc_15112: ; CODE XREF: IrpDeviceIoCtlHandler(x,x)+46↑j
PAGE:00015112 mov ebx, offset aHacksysEvdIoct_1 ; "****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_O"...
PAGE:00015117 push ebx
PAGE:00015118 call _DbgPrint
PAGE:0001511D pop ecx
PAGE:0001511E push esi ; IrpSp
PAGE:0001511F push edi ; Irp
PAGE:00015120 call _AllocateUaFObjectIoctlHandler@8 ; AllocateUaFObjectIoctlHandler(x,x)
PAGE:00015125 jmp loc_15258
PAGE:0001512A ; ---------------------------------------------------------------------------
PAGE:0001512A
PAGE:0001512A loc_1512A: ; CODE XREF: IrpDeviceIoCtlHandler(x,x)+42↑j
PAGE:0001512A mov ebx, offset aHacksysEvdIoct_2 ; "****** HACKSYS_EVD_IOCTL_POOL_OVERFLOW "...
PAGE:0001512F push ebx
PAGE:00015130 call _DbgPrint
PAGE:00015135 pop ecx
PAGE:00015136 push esi ; IrpSp
PAGE:00015137 push edi ; Irp
PAGE:00015138 call _PoolOverflowIoctlHandler@8 ; PoolOverflowIoctlHandler(x,x)
PAGE:0001513D jmp loc_15258
PAGE:00015142 ; ---------------------------------------------------------------------------
PAGE:00015142
PAGE:00015142 loc_15142: ; CODE XREF: IrpDeviceIoCtlHandler(x,x)+3E↑j
PAGE:00015142 mov ebx, offset aHacksysEvdIoct_3 ; "****** HACKSYS_EVD_IOCTL_ARBITRARY_OVER"...
PAGE:00015147 push ebx
PAGE:00015148 call _DbgPrint
PAGE:0001514D pop ecx
PAGE:0001514E push esi ; IrpSp
PAGE:0001514F push edi ; Irp
PAGE:00015150 call _ArbitraryOverwriteIoctlHandler@8 ; ArbitraryOverwriteIoctlHandler(x,x)
PAGE:00015155 jmp loc_15258
PAGE:0001515A ; ---------------------------------------------------------------------------
PAGE:0001515A
PAGE:0001515A loc_1515A: ; CODE XREF: IrpDeviceIoCtlHandler(x,x)+36↑j
PAGE:0001515A mov ebx, offset aHacksysEvdIoct_4 ; "****** HACKSYS_EVD_IOCTL_STACK_OVERFLOW"...
PAGE:0001515F push ebx
PAGE:00015160 call _DbgPrint
PAGE:00015165 pop ecx
PAGE:00015166 push esi ; IrpSp
PAGE:00015167 push edi ; Irp
PAGE:00015168 call _StackOverflowGSIoctlHandler@8 ; StackOverflowGSIoctlHandler(x,x)
PAGE:0001516D jmp loc_15258
PAGE:00015172 ; ---------------------------------------------------------------------------
PAGE:00015172
PAGE:00015172 loc_15172: ; CODE XREF: IrpDeviceIoCtlHandler(x,x)+2B↑j
PAGE:00015172 mov ebx, offset aHacksysEvdStac ; "****** HACKSYS_EVD_STACKOVERFLOW ******"...
PAGE:00015177 push ebx
PAGE:00015178 call _DbgPrint
PAGE:0001517D pop ecx
PAGE:0001517E push esi ; IrpSp
PAGE:0001517F push edi ; Irp
PAGE:00015180 call _StackOverflowIoctlHandler@8 ; StackOverflowIoctlHandler(x,x)
PAGE:00015185 jmp loc_15258
PAGE:0001518A ; ---------------------------------------------------------------------------
PAGE:0001518A
PAGE:0001518A loc_1518A: ; CODE XREF: IrpDeviceIoCtlHandler(x,x)+1E↑j
PAGE:0001518A mov ebx, offset aHacksysEvdIoct_5 ; "****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_"...
PAGE:0001518F push ebx
PAGE:00015190 call _DbgPrint
PAGE:00015195 pop ecx
PAGE:00015196 push esi ; IrpSp
PAGE:00015197 push edi ; Irp
PAGE:00015198 call _AllocateFakeObjectIoctlHandler@8 ; AllocateFakeObjectIoctlHandler(x,x)
PAGE:0001519D jmp loc_15258
PAGE:000151A2 ; ---------------------------------------------------------------------------
PAGE:000151A2
PAGE:000151A2 loc_151A2: ; CODE XREF: IrpDeviceIoCtlHandler(x,x)+18↑j
PAGE:000151A2 mov eax, edx
PAGE:000151A4 sub eax, 222023h ; #define HEVD_0x00222023 CTL_CODE(0x22, 0x808, METHOD_NEITHER, FILE_ANY_ACCESS)
PAGE:000151A9 jz loc_15245
PAGE:000151AF push 4
PAGE:000151B1 pop ecx
PAGE:000151B2 sub eax, ecx
PAGE:000151B4 jz short loc_15230
PAGE:000151B6 sub eax, ecx
PAGE:000151B8 jz short loc_1521B
PAGE:000151BA sub eax, ecx
PAGE:000151BC jz short loc_15206
PAGE:000151BE sub eax, ecx
PAGE:000151C0 jz short loc_151F1
PAGE:000151C2 sub eax, ecx
PAGE:000151C4 jz short loc_151DC
PAGE:000151C6
PAGE:000151C6 loc_151C6: ; CODE XREF: IrpDeviceIoCtlHandler(x,x)+4E↑j
PAGE:000151C6 push edx
PAGE:000151C7 push offset aInvalidIoctlCo ; "[-] Invalid IOCTL Code: 0x%X\n"
PAGE:000151CC call _DbgPrint
PAGE:000151D1 pop ecx
PAGE:000151D2 mov esi, 0C0000010h
PAGE:000151D7 jmp loc_15260
PAGE:000151DC ; ---------------------------------------------------------------------------
PAGE:000151DC
PAGE:000151DC loc_151DC: ; CODE XREF: IrpDeviceIoCtlHandler(x,x)+136↑j
PAGE:000151DC mov ebx, offset aHacksysEvdIoct_6 ; "****** HACKSYS_EVD_IOCTL_DOUBLE_FETCH *"...
PAGE:000151E1 push ebx
PAGE:000151E2 call _DbgPrint
PAGE:000151E7 pop ecx
PAGE:000151E8 push esi ; IrpSp
PAGE:000151E9 push edi ; Irp
PAGE:000151EA call _DoubleFetchIoctlHandler@8 ; DoubleFetchIoctlHandler(x,x)
PAGE:000151EF jmp short loc_15258
PAGE:000151F1 ; ---------------------------------------------------------------------------
PAGE:000151F1
PAGE:000151F1 loc_151F1: ; CODE XREF: IrpDeviceIoCtlHandler(x,x)+132↑j
PAGE:000151F1 mov ebx, offset aHacksysEvdIoct_7 ; "****** HACKSYS_EVD_IOCTL_UNINITIALIZED_"...
PAGE:000151F6 push ebx
PAGE:000151F7 call _DbgPrint
PAGE:000151FC pop ecx
PAGE:000151FD push esi ; IrpSp
PAGE:000151FE push edi ; Irp
PAGE:000151FF call _UninitializedHeapVariableIoctlHandler@8 ; UninitializedHeapVariableIoctlHandler(x,x)
PAGE:00015204 jmp short loc_15258
PAGE:00015206 ; ---------------------------------------------------------------------------
PAGE:00015206
PAGE:00015206 loc_15206: ; CODE XREF: IrpDeviceIoCtlHandler(x,x)+12E↑j
PAGE:00015206 mov ebx, offset aHacksysEvdIoct_8 ; "****** HACKSYS_EVD_IOCTL_UNINITIALIZED_"...
PAGE:0001520B push ebx
PAGE:0001520C call _DbgPrint
PAGE:00015211 pop ecx
PAGE:00015212 push esi ; IrpSp
PAGE:00015213 push edi ; Irp
PAGE:00015214 call _UninitializedStackVariableIoctlHandler@8 ; UninitializedStackVariableIoctlHandler(x,x)
PAGE:00015219 jmp short loc_15258
PAGE:0001521B ; ---------------------------------------------------------------------------
PAGE:0001521B
PAGE:0001521B loc_1521B: ; CODE XREF: IrpDeviceIoCtlHandler(x,x)+12A↑j
PAGE:0001521B mov ebx, offset aHacksysEvdIoct_9 ; "****** HACKSYS_EVD_IOCTL_NULL_POINTER_D"...
PAGE:00015220 push ebx
PAGE:00015221 call _DbgPrint
PAGE:00015226 pop ecx
PAGE:00015227 push esi ; IrpSp
PAGE:00015228 push edi ; Irp
PAGE:00015229 call _NullPointerDereferenceIoctlHandler@8 ; NullPointerDereferenceIoctlHandler(x,x)
PAGE:0001522E jmp short loc_15258
PAGE:00015230 ; ---------------------------------------------------------------------------
PAGE:00015230
PAGE:00015230 loc_15230: ; CODE XREF: IrpDeviceIoCtlHandler(x,x)+126↑j
PAGE:00015230 mov ebx, offset aHacksysEvdIoct_10 ; "****** HACKSYS_EVD_IOCTL_INTEGER_OVERFL"...
PAGE:00015235 push ebx
PAGE:00015236 call _DbgPrint
PAGE:0001523B pop ecx
PAGE:0001523C push esi ; IrpSp
PAGE:0001523D push edi ; Irp
PAGE:0001523E call _IntegerOverflowIoctlHandler@8 ; IntegerOverflowIoctlHandler(x,x)
PAGE:00015243 jmp short loc_15258
PAGE:00015245 ; ---------------------------------------------------------------------------
PAGE:00015245
PAGE:00015245 loc_15245: ; CODE XREF: IrpDeviceIoCtlHandler(x,x)+11B↑j
PAGE:00015245 mov ebx, offset aHacksysEvdIoct_11 ; "****** HACKSYS_EVD_IOCTL_TYPE_CONFUSION"...
PAGE:0001524A push ebx
PAGE:0001524B call _DbgPrint
PAGE:00015250 pop ecx
PAGE:00015251 push esi ; IrpSp
PAGE:00015252 push edi ; Irp
PAGE:00015253 call _TypeConfusionIoctlHandler@8 ; TypeConfusionIoctlHandler(x,x)
PAGE:00015258
PAGE:00015258 loc_15258: ; CODE XREF: IrpDeviceIoCtlHandler(x,x)+67↑j
PAGE:00015258 ; IrpDeviceIoCtlHandler(x,x)+7F↑j ...
PAGE:00015258 push ebx
PAGE:00015259 mov esi, eax
PAGE:0001525B call _DbgPrint
/// <summary>
/// IRP Device IoCtl Handler
/// </summary>
/// <param name="DeviceObject">The pointer to DEVICE_OBJECT</param>
/// <param name="Irp">The pointer to IRP</param>
/// <returns>NTSTATUS</returns>
NTSTATUS IrpDeviceIoCtlHandler(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) {
ULONG IoControlCode = 0;
PIO_STACK_LOCATION IrpSp = NULL;
NTSTATUS Status = STATUS_NOT_SUPPORTED;
UNREFERENCED_PARAMETER(DeviceObject);
PAGED_CODE();
IrpSp = IoGetCurrentIrpStackLocation(Irp);
IoControlCode = IrpSp->Parameters.DeviceIoControl.IoControlCode;
if (IrpSp) {
switch (IoControlCode) {
case HACKSYS_EVD_IOCTL_STACK_OVERFLOW:
DbgPrint("****** HACKSYS_EVD_STACKOVERFLOW ******\n");
Status = StackOverflowIoctlHandler(Irp, IrpSp);
DbgPrint("****** HACKSYS_EVD_STACKOVERFLOW ******\n");
break;
case HACKSYS_EVD_IOCTL_STACK_OVERFLOW_GS:
DbgPrint("****** HACKSYS_EVD_IOCTL_STACK_OVERFLOW_GS ******\n");
Status = StackOverflowGSIoctlHandler(Irp, IrpSp);
DbgPrint("****** HACKSYS_EVD_IOCTL_STACK_OVERFLOW_GS ******\n");
break;
case HACKSYS_EVD_IOCTL_ARBITRARY_OVERWRITE:
DbgPrint("****** HACKSYS_EVD_IOCTL_ARBITRARY_OVERWRITE ******\n");
Status = ArbitraryOverwriteIoctlHandler(Irp, IrpSp);
DbgPrint("****** HACKSYS_EVD_IOCTL_ARBITRARY_OVERWRITE ******\n");
break;
case HACKSYS_EVD_IOCTL_NON_PAGED_POOL_OVERFLOW:
DbgPrint("****** HACKSYS_EVD_IOCTL_NON_PAGED_POOL_OVERFLOW ******\n");
Status = NonPagedPoolOverflowIoctlHandler(Irp, IrpSp);
DbgPrint("****** HACKSYS_EVD_IOCTL_NON_PAGED_POOL_OVERFLOW ******\n");
break;
case HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT:
DbgPrint("****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******\n");
Status = AllocateUaFObjectIoctlHandler(Irp, IrpSp);
DbgPrint("****** HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT ******\n");
break;
case HACKSYS_EVD_IOCTL_USE_UAF_OBJECT:
DbgPrint("****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******\n");
Status = UseUaFObjectIoctlHandler(Irp, IrpSp);
DbgPrint("****** HACKSYS_EVD_IOCTL_USE_UAF_OBJECT ******\n");
break;
case HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT:
DbgPrint("****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******\n");
Status = FreeUaFObjectIoctlHandler(Irp, IrpSp);
DbgPrint("****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT ******\n");
break;
case HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT:
DbgPrint("****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******\n");
Status = AllocateFakeObjectIoctlHandler(Irp, IrpSp);
DbgPrint("****** HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT ******\n");
break;
case HACKSYS_EVD_IOCTL_TYPE_CONFUSION:
DbgPrint("****** HACKSYS_EVD_IOCTL_TYPE_CONFUSION ******\n");
Status = TypeConfusionIoctlHandler(Irp, IrpSp);
DbgPrint("****** HACKSYS_EVD_IOCTL_TYPE_CONFUSION ******\n");
break;
case HACKSYS_EVD_IOCTL_INTEGER_OVERFLOW:
DbgPrint("****** HACKSYS_EVD_IOCTL_INTEGER_OVERFLOW ******\n");
Status = IntegerOverflowIoctlHandler(Irp, IrpSp);
DbgPrint("****** HACKSYS_EVD_IOCTL_INTEGER_OVERFLOW ******\n");
break;
case HACKSYS_EVD_IOCTL_NULL_POINTER_DEREFERENCE:
DbgPrint("****** HACKSYS_EVD_IOCTL_NULL_POINTER_DEREFERENCE ******\n");
Status = NullPointerDereferenceIoctlHandler(Irp, IrpSp);
DbgPrint("****** HACKSYS_EVD_IOCTL_NULL_POINTER_DEREFERENCE ******\n");
break;
case HACKSYS_EVD_IOCTL_UNINITIALIZED_STACK_VARIABLE:
DbgPrint("****** HACKSYS_EVD_IOCTL_UNINITIALIZED_STACK_VARIABLE ******\n");
Status = UninitializedStackVariableIoctlHandler(Irp, IrpSp);
DbgPrint("****** HACKSYS_EVD_IOCTL_UNINITIALIZED_STACK_VARIABLE ******\n");
break;
case HACKSYS_EVD_IOCTL_UNINITIALIZED_HEAP_VARIABLE:
DbgPrint("****** HACKSYS_EVD_IOCTL_UNINITIALIZED_HEAP_VARIABLE ******\n");
Status = UninitializedHeapVariableIoctlHandler(Irp, IrpSp);
DbgPrint("****** HACKSYS_EVD_IOCTL_UNINITIALIZED_HEAP_VARIABLE ******\n");
break;
case HACKSYS_EVD_IOCTL_DOUBLE_FETCH:
DbgPrint("****** HACKSYS_EVD_IOCTL_DOUBLE_FETCH ******\n");
Status = DoubleFetchIoctlHandler(Irp, IrpSp);
DbgPrint("****** HACKSYS_EVD_IOCTL_DOUBLE_FETCH ******\n");
break;
case HACKSYS_EVD_IOCTL_INSECURE_KERNEL_FILE_ACCESS:
DbgPrint("****** HACKSYS_EVD_IOCTL_INSECURE_KERNEL_FILE_ACCESS ******\n");
Status = InsecureKernelFileAccessIoctlHandler(Irp, IrpSp);
DbgPrint("****** HACKSYS_EVD_IOCTL_INSECURE_KERNEL_FILE_ACCESS ******\n");
break;
case HACKSYS_EVD_IOCTL_MEMORY_DISCLOSURE:
DbgPrint("****** HACKSYS_EVD_IOCTL_MEMORY_DISCLOSURE ******\n");
Status = MemoryDisclosureIoctlHandler(Irp, IrpSp);
DbgPrint("****** HACKSYS_EVD_IOCTL_MEMORY_DISCLOSURE ******\n");
break;
case HACKSYS_EVD_IOCTL_PAGED_POOL_SESSION:
DbgPrint("****** HACKSYS_EVD_IOCTL_PAGED_POOL_SESSION ******\n");
Status = PagedPoolSessionOverflowIoctlHandler(Irp, IrpSp);
DbgPrint("****** HACKSYS_EVD_IOCTL_PAGED_POOL_SESSION ******\n");
break;
case HACKSYS_EVD_IOCTL_WRITE_NULL:
DbgPrint("****** HACKSYS_EVD_IOCTL_WRITE_NULL ******\n");
Status = WriteNULLIoctlHandler(Irp, IrpSp);
DbgPrint("****** HACKSYS_EVD_IOCTL_WRITE_NULL ******\n");
break;
default:
DbgPrint("[-] Invalid IOCTL Code: 0x%X\n", IoControlCode);
Status = STATUS_INVALID_DEVICE_REQUEST;
break;
}
}
}
from symbolic.args import *
@symbolic(ioctl=0) # Set it to some default number (doesn't really matter).
def hevd_ioctl(ioctl):
# PAGE:0001509F mov eax, 22201Fh
# PAGE:000150A4 cmp edx, eax
# PAGE:000150A6 ja loc_151A2
if ioctl > 0x22201F:
# PAGE:000151A2 mov eax, edx
# PAGE:000151A4 sub eax, 222023h
# PAGE:000151A9 jz loc_15245
ioctl -= 0x222023
if ioctl == 0:
return 'HACKSYS_EVD_IOCTL_TYPE_CONFUSION'
# PAGE:000151AF push 4
# PAGE:000151B1 pop ecx
# PAGE:000151B2 sub eax, ecx
# PAGE:000151B4 jz short loc_15230
ioctl -= 4
if ioctl == 0:
return 'HACKSYS_EVD_IOCTL_INTEGER_OVERFLOW'
# PAGE:000151B6 sub eax, ecx
# PAGE:000151B8 jz short loc_1521B
ioctl -= 4
if ioctl == 0:
return 'HACKSYS_EVD_IOCTL_NULL_POINTER_DEREFERENCE'
# PAGE:000151BA sub eax, ecx
# PAGE:000151BC jz short loc_15206
ioctl -= 4
if ioctl == 0:
return 'HACKSYS_EVD_IOCTL_UNINITIALIZED_STACK_VARIABLE'
# PAGE:000151BE sub eax, ecx
# PAGE:000151C0 jz short loc_151F1
ioctl -= 4
if ioctl == 0:
return 'HACKSYS_EVD_IOCTL_UNINITIALIZED_HEAP_VARIABLE'
# PAGE:000151C2 sub eax, ecx
# PAGE:000151C4 jz short loc_151DC
ioctl -= 4
if ioctl == 0:
return 'HACKSYS_EVD_IOCTL_DOUBLE_FETCH'
# PAGE:0001509F mov eax, 22201Fh
# PAGE:000150A4 cmp edx, eax
# PAGE:000150A6 ...
# PAGE:000150AC jz loc_1518A
elif ioctl == 0x22201F:
return 'HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT'
else:
# PAGE:000150B4 sub eax, 222003h
# PAGE:000150B9 jz loc_15172
ioctl -= 0x222003
if ioctl == 0:
return 'HACKSYS_EVD_STACKOVERFLOW'
# PAGE:000150BF push 4
# PAGE:000150C1 pop ecx
# PAGE:000150C2 sub eax, ecx
# PAGE:000150C4 jz loc_1515A
ioctl -= 4
if ioctl == 0:
return 'HACKSYS_EVD_IOCTL_STACK_OVERFLOW'
# PAGE:000150CA sub eax, ecx
# PAGE:000150CC jz short loc_15142
ioctl -= 4
if ioctl == 0:
return 'HACKSYS_EVD_IOCTL_ARBITRARY_OVERWRITE'
# PAGE:000150CE sub eax, ecx
# PAGE:000150D0 jz short loc_1512A
ioctl -= 4
if ioctl == 0:
return 'HACKSYS_EVD_IOCTL_POOL_OVERFLOW'
# PAGE:000150D2 sub eax, ecx
# PAGE:000150D4 jz short loc_15112
ioctl -= 4
if ioctl == 0:
return 'HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT'
# PAGE:000150D6 sub eax, ecx
# PAGE:000150D8 jz short loc_150FA
ioctl -= 4
if ioctl == 0:
return 'HACKSYS_EVD_IOCTL_USE_UAF_OBJECT'
# PAGE:000150DA sub eax, ecx
# PAGE:000150DC jnz loc_151C6
# PAGE:000150E2 mov ebx, offset aHacksysEvdIoct ; "****** HACKSYS_EVD_IOCTL_FREE_UAF_OBJEC"...
# PAGE:000150E7 push ebx
# PAGE:000150E8 call _DbgPrint
# PAGE:000150ED pop ecx
# PAGE:000150EE push esi ; IrpSp
# PAGE:000150EF push edi ; Irp
# PAGE:000150F0 call _FreeUaFObjectIoctlHandler@8 ; FreeUaFObjectIoctlHandler(x,x)
ioctl -= 4
if ioctl == 0:
return 'HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT'
return None
def expected_result():
return ['HACKSYS_EVD_IOCTL_ALLOCATE_FAKE_OBJECT',
'HACKSYS_EVD_IOCTL_TYPE_CONFUSION',
'HACKSYS_EVD_IOCTL_INTEGER_OVERFLOW',
'HACKSYS_EVD_IOCTL_NULL_POINTER_DEREFERENCE',
'HACKSYS_EVD_IOCTL_UNINITIALIZED_STACK_VARIABLE',
'HACKSYS_EVD_IOCTL_UNINITIALIZED_HEAP_VARIABLE',
'HACKSYS_EVD_IOCTL_DOUBLE_FETCH',
'HACKSYS_EVD_STACKOVERFLOW',
'HACKSYS_EVD_IOCTL_STACK_OVERFLOW',
'HACKSYS_EVD_IOCTL_ARBITRARY_OVERWRITE',
'HACKSYS_EVD_IOCTL_POOL_OVERFLOW',
'HACKSYS_EVD_IOCTL_ALLOCATE_UAF_OBJECT',
'HACKSYS_EVD_IOCTL_USE_UAF_OBJECT',
'HACKSYS_EVD_IOCTL_FREE_UAF_OBJECT',
None,
None] # The extra None's are added to pass test cases.
@Island123

This comment has been minimized.

Show comment
Hide comment
@Island123

Island123 Apr 23, 2018

Hi, I wonder how could you get the hevd_ioctl.py from the binary, it seems not explained above

Hi, I wonder how could you get the hevd_ioctl.py from the binary, it seems not explained above

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment