Last active
November 7, 2022 21:45
-
-
Save oopsmishap/db41f0960f75eabdaf301362d06f105d to your computer and use it in GitHub Desktop.
DispatchDeviceControl
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| __int64 __fastcall DispatchDeviceControl(PDEVICE_OBJECT DeviceObject, IRP *arg_irp) | |
| { | |
| __int64 idx; // rdi | |
| _IO_STACK_LOCATION *CurrentStackLocation; // rbx | |
| ULONG_PTR len; // rdi | |
| ULONG InputBufferLength; // esi | |
| unsigned __int64 OutputBufferLength; // r12 | |
| int v8; // esi | |
| void *SystemBuffer; // r15 | |
| char v10; // al | |
| union _LARGE_INTEGER ByteOffset; // [rsp+68h] [rbp-69h] BYREF | |
| void *FileHandle; // [rsp+70h] [rbp-61h] BYREF | |
| struct _UNICODE_STRING DestinationString; // [rsp+78h] [rbp-59h] BYREF | |
| struct _IO_STATUS_BLOCK IoStatusBlock; // [rsp+88h] [rbp-49h] BYREF | |
| struct _OBJECT_ATTRIBUTES ObjectAttributes; // [rsp+98h] [rbp-39h] BYREF | |
| char Buffer[49]; // [rsp+C8h] [rbp-9h] BYREF | |
| char v18; // [rsp+F9h] [rbp+28h] | |
| idx = -1i64; | |
| do | |
| ++idx; | |
| while ( aHelloStrangerC[idx] ); | |
| CurrentStackLocation = arg_irp->Tail.Overlay.CurrentStackLocation; | |
| len = idx + 1; | |
| InputBufferLength = CurrentStackLocation->Parameters.DeviceIoControl.InputBufferLength; | |
| OutputBufferLength = CurrentStackLocation->Parameters.DeviceIoControl.OutputBufferLength; | |
| DbgPrint("Control code: %x", CurrentStackLocation->Parameters.DeviceIoControl.IoControlCode); | |
| if ( CurrentStackLocation->Parameters.DeviceIoControl.IoControlCode == 0x222001 ) | |
| { | |
| DbgPrint("METHOD_IN_DIRECT. Not implemented.\n"); | |
| goto LABEL_22; | |
| } | |
| if ( CurrentStackLocation->Parameters.DeviceIoControl.IoControlCode == 0x222006 ) | |
| { | |
| DbgPrint("METHOD_OUT_DIRECT. Not implemented.\n"); | |
| goto LABEL_22; | |
| } | |
| if ( CurrentStackLocation->Parameters.DeviceIoControl.IoControlCode != 0x222008 ) | |
| { | |
| if ( CurrentStackLocation->Parameters.DeviceIoControl.IoControlCode != 0x22200F ) | |
| { | |
| v8 = 0xC0000010; | |
| goto LABEL_23; | |
| } | |
| DbgPrint("METHOD_NEITHER. Not Implemented\n"); | |
| LABEL_22: | |
| v8 = 0; | |
| goto LABEL_23; | |
| } | |
| DbgPrint("METHOD_BUFFERED.\n"); | |
| SystemBuffer = arg_irp->AssociatedIrp.SystemBuffer; | |
| DbgPrint("inbuf: %s", (const char *)SystemBuffer); | |
| DbgPrint("inbuf length: %u", InputBufferLength); | |
| if ( !strstr((const char *)SystemBuffer, "EPT4LIFE") ) | |
| { | |
| sub_140001140(SystemBuffer, "Hello stranger. Can you haz flags?", OutputBufferLength); | |
| if ( OutputBufferLength < len ) | |
| len = OutputBufferLength; | |
| arg_irp->IoStatus.Information = len; | |
| goto LABEL_22; | |
| } | |
| RtlInitUnicodeString(&DestinationString, L"\\DosDevices\\C:\\users\\administrator\\desktop\\flag.txt"); | |
| ObjectAttributes.Length = 48; | |
| ObjectAttributes.RootDirectory = 0i64; | |
| ObjectAttributes.Attributes = 576; | |
| ObjectAttributes.ObjectName = &DestinationString; | |
| *(_OWORD *)&ObjectAttributes.SecurityDescriptor = 0i64; | |
| v8 = ZwCreateFile(&FileHandle, 0x80000000, &ObjectAttributes, &IoStatusBlock, 0i64, 0x80u, 0, 1u, 0x20u, 0i64, 0); | |
| if ( v8 >= 0 ) | |
| { | |
| ByteOffset.QuadPart = 0i64; | |
| v8 = ZwReadFile(FileHandle, 0i64, 0i64, 0i64, &IoStatusBlock, Buffer, 0x32u, &ByteOffset, 0i64); | |
| v10 = v18; | |
| if ( v8 >= 0 ) | |
| v10 = 0; | |
| v18 = v10; | |
| ZwClose(FileHandle); | |
| } | |
| sub_140001140(SystemBuffer, Buffer, OutputBufferLength); | |
| if ( OutputBufferLength < len ) | |
| len = OutputBufferLength; | |
| arg_irp->IoStatus.Information = len; | |
| LABEL_23: | |
| arg_irp->IoStatus.Status = v8; | |
| IofCompleteRequest(arg_irp, 0); | |
| return (unsigned int)v8; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment