
Com post sys mod
Crucial by Micron Technology, Inc Ballistix MOD Utility v.<= 2.0.2.5 is vulnerable to multiple Privilege Escalation (LPE/EoP) vulnerabilities in the MODAPI.sys driver component.

All the vulnerabilities are triggered by sending specific IOCTL requests and allow the caller to:

  • Directly interact with physical memory via the MmMapIoSpace function call, mapping physical memory into a user-space virtual address.
  • Read/write Model-Specific Registers (MSRs) via the __readmsr/__writemsr intrinsic calls.
  • Read/write 1/2/4 bytes to or from an IO port.

Attackers could exploit these issues to achieve local privilege escalation from low-privileged users to NT AUTHORITY\SYSTEM:

  • MapPhysicalMemory – Write-What-Where Primitive
  • Write MSRs – Pointer Overwrite Primitive

Technical Details

As always, the driver file, IDA's DB and the exploit code are available on my GitHub repo.

MODAPI.sys is a driver developed by Crucial as part of the Ballistix MOD utility; unfortunately, it is an exact copy of a problematic open-source project, and it also inherits its vulnerabilities. Not only do the hashes perfectly match, but "bindiffing" the disassembled versions of both drivers clearly proves my point, as can be seen below: MODAPI.sys is indistinguishable from the WinRing0x64.sys driver.

Without cheating and reading the open-source code of WinRing0x64.sys, reverse engineering the MODAPI.sys driver is quite simple, as it doesn't have many functionalities. For the sake of this blog post, we'll focus on the DispatchDeviceControl routine and later, in the exploitation phase, on the MapPhysicalMemory function.

This routine appears as the most complex of the entire binary, as we can see from the image below, even if, in reality, it's quite simple: it acts as a "switch case" for the different IOCTL codes implemented in the driver.

    __int64 __fastcall DispatchDeviceControl(__int64 a1, IRP *a2)
    _IO_STACK_LOCATION *CurrentStackLocation; // rdx
    CurrentStackLocation = a2->
    P_Information = (unsigned int *)&a2->IoStatus.Information;
    Status = 0xC0000002;                               // STATUS_NOT_IMPLEMENTED: default for requests the switch does not handle
    if ( !CurrentStackLocation->MajorFunction )        // 0x00 = IRP_MJ_CREATE
    if ( CurrentStackLocation->MajorFunction == 2 )    // 0x02 = IRP_MJ_CLOSE
    if ( CurrentStackLocation->MajorFunction != 14 )   // 0x0E = IRP_MJ_DEVICE_CONTROL
    MasterIrp = (ULONG *)a2->AssociatedIrp.MasterIrp;  // union slot shared with SystemBuffer: the METHOD_BUFFERED request buffer
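An added defender-side check, written for this page and not code from the original post: it hunts a Windows host for the MODAPI.sys driver described above, reporting any registered driver service or on-disk copy together with its version, signer and SHA-256, and whether HVCI (which enforces Microsoft's vulnerable-driver blocklist) is running. It assumes the file keeps the name MODAPI.sys and that the driver's FileVersion tracks the utility version 2.0.2.5, which the post does not state.

```powershell
# Assumption: the driver's FileVersion follows the utility version (<= 2.0.2.5).
$VulnerableUpTo = [version]'2.0.2.5'

function Get-ModApiDriverReport {
    $candidates = @()
    # 1. Registered kernel driver services whose image is MODAPI.sys (loaded or not).
    $services = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -match 'modapi\.sys$' }
    foreach ($s in $services) {
        $candidates += [pscustomobject]@{
            Source = "service:$($s.Name) (state=$($s.State), start=$($s.StartMode))"
            Path   = $s.PathName -replace '^\\\?\?\\', ''   # strip the NT "\??\" prefix
        }
    }
    # 2. A copy in the drivers directory even if no service currently refers to it.
    $diskPath = Join-Path $env:SystemRoot 'System32\drivers\MODAPI.sys'
    if (Test-Path $diskPath) {
        $candidates += [pscustomobject]@{ Source = 'disk'; Path = $diskPath }
    }
    foreach ($c in ($candidates | Sort-Object Path -Unique)) {
        $vi  = (Get-Item $c.Path).VersionInfo
        $sig = Get-AuthenticodeSignature $c.Path
        $ver = $null
        try { $ver = [version]$vi.FileVersion } catch { }   # FileVersion may not parse cleanly
        [pscustomobject]@{
            Source         = $c.Source
            Path           = $c.Path
            Company        = $vi.CompanyName
            FileVersion    = $vi.FileVersion
            LikelyAffected = ($null -ne $ver -and $ver -le $VulnerableUpTo)
            Signer         = $sig.SignerCertificate.Subject
            SignatureState = $sig.Status
            Sha256         = (Get-FileHash -Algorithm SHA256 $c.Path).Hash
        }
    }
}

function Get-HvciState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # SecurityServicesRunning contains 2 when Hypervisor-enforced Code Integrity is active.
    [pscustomobject]@{
        HvciRunning         = [bool]($dg.SecurityServicesRunning -contains 2)
        CiPolicyEnforcement = $dg.CodeIntegrityPolicyEnforcementStatus
    }
}

Get-ModApiDriverReport | Format-List
Get-HvciState
```

Compare the reported SHA-256 against the hash you trust for the vendor's fixed build; a LikelyAffected copy with HVCI not running is the combination worth escalating.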