Reverse kernel driver

 
Nazgul
PostPosted: Thu Apr 21, 2016 10:59 am    Post subject: Reverse kernel driver Reply with quote

Hi,

I am trying to reverse a kernel-mode driver. While doing some basic digging I hit something I could not understand. The driver ships with a user-mode process, and I would prefer to disable it rather than write my own driver. It looks like the process only uses WriteFile to communicate with the driver:

Code:
/* DriverEntry excerpt (the function's start is not shown).  v2 is the
   DRIVER_OBJECT.  Only three dispatch slots are filled in the visible lines,
   using the WDK major-function numbering (IRP_MJ_CREATE = 0, IRP_MJ_CLOSE = 2,
   IRP_MJ_WRITE = 4) -- consistent with the poster's observation that
   WriteFile is the only data path, unless further slots are set elsewhere. */
v2->DriverUnload = (PDRIVER_UNLOAD)Unload_handler;
    v2->MajorFunction[0] = (PDRIVER_DISPATCH)Create_handler;    /* IRP_MJ_CREATE */
    v2->MajorFunction[2] = (PDRIVER_DISPATCH)Close_handler;     /* IRP_MJ_CLOSE  */
    v2->MajorFunction[4] = (PDRIVER_DISPATCH)WriteFile_handler; /* IRP_MJ_WRITE  */
    /* IoCreateDevice(DriverObject, DeviceExtensionSize = 0, &DeviceName,
       DeviceType = 0x22 (FILE_DEVICE_UNKNOWN), DeviceCharacteristics = 0,
       Exclusive = FALSE, &DeviceObject).  This is plain IoCreateDevice, not
       IoCreateDeviceSecure: unless a DACL is applied elsewhere (not visible
       here), access to the device is governed only by the default descriptor
       for its type, and a low-privileged local user may well be able to open
       it and reach WriteFile_handler.  WriteFile_handler reads the request
       through AssociatedIrp.SystemBuffer, which only carries the user's data
       if DO_BUFFERED_IO is set on the new device's Flags; that assignment --
       and whether the NTSTATUS in v4 is checked -- is outside these lines. */
    v4 = IoCreateDevice(v2, 0, &DeviceName, 0x22u, 0, 0, &v9);


What puzzles me is this: they call WriteFile() with 270 bytes to write, yet the bytes-written value it returns is 762. How and why does that happen? (If that 270 is a hex value, 0x270 is 624 -- exactly the length the handler below insists on -- and 762 is 0x2FA, the constant the handler appears to hard-code as its information/bytes-written value on success; so the returned count looks like a fixed reply, not an echo of the write length.) The decompiled code for WriteFile_handler looks like this.

Code:
/*
 * IRP_MJ_WRITE dispatch routine (installed as MajorFunction[4] in the
 * DriverEntry excerpt above).  Hex-Rays output; a1 is the DEVICE_OBJECT and
 * a2 the IRP.
 *
 * What the visible code does:
 *  1. Requires the write length (DWORD at offset 8 of the current
 *     IO_STACK_LOCATION, i.e. Parameters.Write.Length) to be exactly
 *     624 (0x270).
 *  2. Treats AssociatedIrp.MasterIrp -- the same union slot as
 *     AssociatedIrp.SystemBuffer, i.e. the buffered-I/O copy of the user's
 *     write buffer -- as a request header.  The decompiler typed that buffer
 *     as an IRP, so the field names below are meaningless; read them as
 *     byte offsets: DWORD@0 must be 624 and DWORD@4 must be the magic
 *     0x345821AB.
 *  3. Calls sub_140001C14 with the header (a command-ID dispatch through a
 *     function table).  Its NTSTATUS is discarded.
 *  4. Reads a user-supplied pointer from the header (QWORD@0x10, shown as
 *     "Flags"), locks and maps 762 (0x2FA) bytes at that address through
 *     sub_1400038AC, and copies 762 bytes from the 0x300-byte stack buffer
 *     v19 into that mapping (16-byte-unrolled path when both addresses are
 *     16-aligned, otherwise sub_1400044A0 -- presumably a memcpy-like
 *     helper, not shown).  Then releases the mapping via sub_140003740.
 *  5. On success sets status 0 and information 762 (v15/v14, mirrored in
 *     v5/v4); on every failure path status stays 0xC0000001
 *     (STATUS_UNSUCCESSFUL) and information 0.  That fixed 762 is the
 *     "bytes written" the poster sees; it is not derived from the write.
 *
 * The listing stops before the IRP completion / return sequence, so how
 * v14/v15 reach Irp->IoStatus is not visible here.
 *
 * Review notes (security):
 *  - v19 is never written in the visible code before being copied out to
 *    user memory.  Unless the table callback reached via sub_140001C14
 *    fills it through a path the decompiler did not recover, this hands
 *    762 bytes of uninitialized kernel stack to a user-chosen address
 *    (kernel information leak).
 *  - The destination pointer comes straight from the user buffer.  The
 *    probe in sub_1400038AC runs as UserMode, which prevents locking kernel
 *    memory, but MmProbeAndLockPages raises on an invalid or non-writable
 *    address and no __try/__except is visible around it (Hex-Rays often
 *    drops SEH).  If none exists, a malformed 624-byte WriteFile from any
 *    caller who can open the device will bugcheck the machine.
 *  - Because sub_140001C14's result is ignored, an unknown command ID does
 *    not stop the copy; only the 624/magic checks gate it.
 */
__int64 __fastcall WriteFile_handler(__int64 a1, IRP *a2)
{
  IRP *v2; // rbx@1
  struct _IRP::$FAC2C76DB788B2DC48583CC5AC9980EB::$F032F18AAD8404F2F0A6B22DB77B689D::$C6AB671809B24B64B336D8B1FC42605B::$A02EC6A2CE86544F716F4825015773AC::_IO_STACK_LOCATION *v3; // rax@1
  signed int v4; // esi@1 -- information value: 0, or 762 on success
  signed int v5; // edi@1 -- NTSTATUS: 0xC0000001, or 0 on success
  IRP *v6; // r14@2 -- request header (SystemBuffer), mistyped as IRP
  unsigned __int64 v7; // rax@4 -- kernel mapping of the user's 762-byte output area
  void *v8; // r14@4
  unsigned __int64 v9; // rcx@5 -- copy destination cursor (the mapping)
  char *v10; // rdx@5 -- copy source cursor (&v19)
  signed __int64 v11; // rax@6 -- 128-byte chunk counter
  __int64 v13; // [sp+0h] [bp-358h]@11
  int v14; // [sp+20h] [bp-338h]@1 -- stack copy of v4
  int v15; // [sp+24h] [bp-334h]@1 -- stack copy of v5
  unsigned __int64 v16; // [sp+28h] [bp-330h]@4
  PMDL MemoryDescriptorList; // [sp+30h] [bp-328h]@4 -- filled by sub_1400038AC's out-param
  IRP *v18; // [sp+38h] [bp-320h]@1
  char v19; // [sp+40h] [bp-318h]@5 -- 0x300-byte stack buffer (bp-318h..bp-18h); source of the copy, not written in this listing
  __int64 v20; // [sp+340h] [bp-18h]@11

  v2 = a2;
  v18 = a2;
  v3 = a2->Tail.Overlay.CurrentStackLocation;
  v4 = 0;
  v14 = 0;
  v5 = -1073741823; /* 0xC0000001 STATUS_UNSUCCESSFUL: default outcome */
  v15 = -1073741823;
  /* Parameters.Write.Length must be exactly 624 (0x270). */
  if ( *((_DWORD *)v3 + 2) == 624 )
  {
    v6 = (IRP *)a2->AssociatedIrp.MasterIrp; /* == AssociatedIrp.SystemBuffer */
    /* Header check: DWORD@0 == 624, DWORD@4 == magic 0x345821AB. */
    if ( LODWORD(v6->Type) == 624 && HIDWORD(v6->Type) == 0x345821AB )
    {
      sub_140001C14(v6); /* command dispatch on DWORD@12; status ignored */
      /* QWORD@0x10 of the header is a user-supplied pointer; map 762 bytes
         of it for writing.  NULL if the MDL/map step failed. */
      v7 = (unsigned __int64)sub_1400038AC(*(void **)&v6->Flags, 762u, (__int64)&MemoryDescriptorList);
      v8 = (void *)v7;
      v16 = v7;
      if ( v7 )
      {
        v9 = v7;
        v10 = &v19;
        /* Fall back to the helper unless both addresses are 16-byte aligned. */
        if ( ((unsigned __int8)v7 | (unsigned __int8)&v19) & 0xF )
        {
          sub_1400044A0(v7, (unsigned __int64)&v19, 0x2FAui64); /* (dst, src, 762) */
        }
        else
        {
          /* Unrolled copy: 5 x 128 bytes, then 112 + 8 + 2 = 762 total. */
          v11 = 5i64;
          do
          {
            *(_OWORD *)v9 = *(_OWORD *)v10;
            *(_OWORD *)(v9 + 16) = *((_OWORD *)v10 + 1);
            *(_OWORD *)(v9 + 32) = *((_OWORD *)v10 + 2);
            *(_OWORD *)(v9 + 48) = *((_OWORD *)v10 + 3);
            *(_OWORD *)(v9 + 64) = *((_OWORD *)v10 + 4);
            *(_OWORD *)(v9 + 80) = *((_OWORD *)v10 + 5);
            *(_OWORD *)(v9 + 96) = *((_OWORD *)v10 + 6);
            v9 += 128i64;
            *(_OWORD *)(v9 - 16) = *((_OWORD *)v10 + 7);
            v10 += 128;
            --v11;
          }
          while ( v11 );
          *(_OWORD *)v9 = *(_OWORD *)v10;
          *(_OWORD *)(v9 + 16) = *((_OWORD *)v10 + 1);
          *(_OWORD *)(v9 + 32) = *((_OWORD *)v10 + 2);
          *(_OWORD *)(v9 + 48) = *((_OWORD *)v10 + 3);
          *(_OWORD *)(v9 + 64) = *((_OWORD *)v10 + 4);
          *(_OWORD *)(v9 + 80) = *((_OWORD *)v10 + 5);
          *(_OWORD *)(v9 + 96) = *((_OWORD *)v10 + 6);
          *(_QWORD *)(v9 + 112) = *((_QWORD *)v10 + 14); /* bytes 752..759 */
          *(_WORD *)(v9 + 120) = *((_WORD *)v10 + 60);   /* bytes 760..761 */
        }
        /* Success: STATUS_SUCCESS, information = 762 (what WriteFile reports). */
        v5 = 0;
        v15 = 0;
        v4 = 762;
        v14 = 762;
        sub_140003740(MemoryDescriptorList, v8); /* presumably unmap/unlock/free; body not shown */
      }
    }
  }
  /* Listing ends here; IRP completion and the return of v5 are not shown. */

}


The two helpers it calls are the interesting part:
sub_140001C14(v6);
sub_1400038AC(*(void **)&v6->Flags, 762u, (__int64)&MemoryDescriptorList);

They look like this

Code:
/*
 * Command dispatch used by WriteFile_handler.  a1 is the 624-byte request
 * header from the user's write buffer (mistyped as IRP by the decompiler,
 * so HIDWORD(a1->MdlAddress) is simply the DWORD at offset 12 of that
 * buffer: a caller-chosen command ID).
 *
 * dword_1400076C0 is a table of 16-byte entries -- DWORD ID at +0, function
 * pointer at +8 (dword index 4*i + 2) -- holding dword_140007AC0 entries.
 * The first entry whose ID matches has its function called and its int
 * result returned.  An empty table or no match yields 0xC0000001
 * (STATUS_UNSUCCESSFUL).  The callback is invoked with no explicit
 * arguments in this listing, so whatever it reads (rcx may still hold a1,
 * but that is not recoverable here) is unknown; note WriteFile_handler
 * discards this function's return value anyway.
 */
int __fastcall sub_140001C14(IRP *a1)
{
  __int64 v1; // rax@1 -- table index
  __int64 v2; // r8@2 -- cursor over 16-byte table entries
  int result; // eax@5

  v1 = 0i64;
  if ( dword_140007AC0 )
  {
    v2 = (__int64)dword_1400076C0;
    /* Linear scan for an entry whose ID equals DWORD@12 of the request. */
    while ( *(_DWORD *)v2 != HIDWORD(a1->MdlAddress) )
    {
      v1 = (unsigned int)(v1 + 1);
      v2 += 16i64;
      if ( (unsigned int)v1 >= dword_140007AC0 )
        goto LABEL_5; /* ran off the end: no handler for this ID */
    }
    /* Function pointer lives 8 bytes into the matching entry. */
    result = (*(int (**)(void))&dword_1400076C0[4 * v1 + 2])();
  }
  else
  {
LABEL_5:
    result = -1073741823; /* 0xC0000001 STATUS_UNSUCCESSFUL */
  }
  return result;
}

/*
 * Lock a user-mode buffer and map it into kernel address space.
 *
 *   a1  user-supplied virtual address (WriteFile_handler passes the QWORD
 *       at offset 0x10 of the request header, straight from the caller)
 *   a2  number of bytes to lock (WriteFile_handler passes 762)
 *   a3  out-parameter receiving the PMDL, which the caller later hands to
 *       sub_140003740 (presumably the unmap/unlock/free counterpart; its
 *       body is not shown)
 *
 * Returns the kernel-mode mapping, or NULL if the MDL could not be
 * allocated or the pages could not be mapped.  The probe runs with
 * AccessMode 1 (UserMode), so a kernel address cannot be locked through
 * this path; but MmProbeAndLockPages raises instead of failing softly on an
 * invalid or non-writable address, and no __try/__except is visible in this
 * listing.  If the real binary has none, a bad pointer in the request
 * bugchecks the machine.
 */
PVOID __fastcall sub_1400038AC(void *a1, ULONG a2, __int64 a3)
{
  struct _MDL *mdl = IoAllocateMdl(a1, a2, 0, 0, 0i64);
  PVOID mapping;

  if ( mdl == 0i64 )
    return 0i64;

  /* AccessMode 1 == UserMode; IoModifyAccess because the caller writes
     into the mapping. */
  MmProbeAndLockPages(mdl, 1, IoModifyAccess);

  /* AccessMode 0 == KernelMode; BugCheckOnFailure 0, so NULL on failure. */
  mapping = MmMapLockedPagesSpecifyCache(mdl, 0, MmCached, 0i64, 0, HighPagePriority);
  if ( mapping == 0i64 )
  {
    MmUnlockPages(mdl);
    IoFreeMdl(mdl);
    return 0i64;
  }

  /* Only on success does the caller receive the MDL to release later. */
  *(_QWORD *)a3 = mdl;
  return mapping;
}



I have literally no clue what they are doing. If someone could point me in the right direction, I would appreciate it.

Gr