evlncrn8 Posted November 14, 2011 (edited)

lol... the part about researching... i meant it... try googling for an ioctl decoder and some of the ioctl codes like IOCTL_CDROM_* and the scsi ioctls to get the path/unit/lun/id and quite a few others, checking on msdn also might be a good idea.

you really are way out of your depth and it shows... you really did not listen to any advice given to you... and GetDriveTypeA goes to GetDriveTypeW anyway, so you only need to hook one... and those apis actually go much deeper.. it's also a really stupid api to start with as it just returns what type of drive it is... 05 for cdrom etc...

stop thinking you know it all...
do some research
do some more research
design things first

dwIoControlCode is a dword using masking / bitflags for its specified operation (the dword explains access method etc)... and it's also how drivers work (yeh you were going to write one remember?)

R E S E A R C H
A L L
T H E
T H I N G S ! ! !

Edited November 14, 2011 by evlncrn8
ragdog Posted November 15, 2011

http://www.freewebs.com/four-f/Tools/IoctlDecoder.zip
Mr.reCoder (Author) Posted November 16, 2011

@evlncrn8: first of all; thank you for the nice comments; now i am researching all the functions! but in the case of GetDriveType I mean that i won't hook both of them! this is an example only! I used the most common method to hook; this method is dll injection with the CreateRemoteThread function (that is ring3!!!). this method worked on a Themida protected app and I hooked CreateProcessW @ CreateFileW @ GetDriveTypeW and I ripped the stack of all these functions!

@ragdog thank you for the nice and useful tool! is there any source code for this tool? else i must reverse it and extract its code!!!

MANY REGARDS...
ragdog Posted November 16, 2011 (edited)

"i must reverse it and extract its code!!!"

Why this? This tool does not contain any hex codes. You add in the Mnemonic field, as example, IOCTL_CDROM_READ_TOC. Now you can see in the Ioctl code field the code 00024000. And backwards, if you have only a hex code and need the definition, add the hex code in the ioctl field and you can see the definition in the Mnemonic field.

Now add in your project:

Masm32
IOCTL_CDROM_READ_TOC equ 00024000h

C
#define IOCTL_CDROM_READ_TOC 0x024000

This is a very nice tool from Four-F, and other driver programming examples with ioctl you can find in Kmdkit from the Four-F site.

Yes, it gives a source for IOCTLDecoder, it is written in Masm.

Attachment: IoctlDecoder.rar

Greets,

Edited November 16, 2011 by ragdog
evlncrn8 Posted November 16, 2011

injection may not be the best approach, it won't work for example on starforce as the dll does everything and is loaded in the iat.. way before oep is reached (ie: way before a remote thread is accessed)..
Mr.reCoder (Author) Posted November 19, 2011

@ragdog thank you and also Four-F for this nice tool and its source...

@evlncrn8 yes! this is not the best approach! but it worked on many protections... and i will use other approaches too... I am working and researching... thanks...
Fungus Posted December 16, 2011 (edited)

While the starter of this thread is a big noobie, I still find it an interesting thread.

Ragdog, nice tools, can you provide a link to that kit? Seems very interesting stuff.

Mr.reCoder: dude, you really need to do some research, I think you better start with cdrom/dvd formats, which discuss the structure of discs, also mmc2/3 documents, iso9660 documents, there's some nice books too by Kris Kaspersky and others... ecma130 document, and many many many more.

Edited December 16, 2011 by Fungus
Aguila Posted December 16, 2011

IOCTL codes are not random, pretty easy to understand: http://msdn.microsof...y/ms902086.aspx

#define CTL_CODE(t,f,m,a) (((t)<<16)|((a)<<14)|((f)<<2)|(m))

Just reverse the CTL_CODE macro....

#define DeviceType_M(t) ((t)>>16)

@Fungus: http://www.freewebs.com/four-f/
Kmdkit = Kernel Mode Driver Development Kit
Big disadvantage: MASM
Coding a driver in ASM pretty sucks, too error-prone. But there are still some nice examples.
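The CTL_CODE layout Aguila quotes above (and the "dword using masking / bitflags" evlncrn8 refers to earlier in the thread) can be reversed in a few lines, which is what a monitoring hook on DeviceIoControl needs in order to log what a process is actually asking a driver to do. The following is an added example written for this page; it is not code from the thread, from the IoctlDecoder tool, or from the Windows DDK. The field widths follow from the shift positions in CTL_CODE (the four fields cover all 32 bits), the FILE_DEVICE_*, METHOD_* and FILE_*_ACCESS constants are the public DDK values, and the two sample codes are IOCTL_CDROM_READ_TOC (0x00024000, quoted by ragdog above) and IOCTL_SCSI_GET_ADDRESS as defined in the public ntddscsi.h (CTL_CODE(IOCTL_SCSI_BASE, 0x0406, METHOD_BUFFERED, FILE_ANY_ACCESS), which evaluates to 0x00041018).

```c
#include <stdint.h>
#include <stdio.h>

/* Same macro as in the MSDN page quoted above: bits 31..16 device type,
 * 15..14 required access, 13..2 function number, 1..0 buffering method. */
#define CTL_CODE(t, f, m, a) (((t) << 16) | ((a) << 14) | ((f) << 2) | (m))

/* Inverse of CTL_CODE: masks derived from the shift positions. */
#define DEVICE_TYPE_OF(c) (((c) >> 16) & 0xFFFFu)
#define ACCESS_OF(c)      (((c) >> 14) & 0x3u)
#define FUNCTION_OF(c)    (((c) >> 2) & 0xFFFu)
#define METHOD_OF(c)      ((c) & 0x3u)

/* Public DDK constants (subset used here). */
#define FILE_DEVICE_CD_ROM     0x00000002u
#define FILE_DEVICE_CONTROLLER 0x00000004u   /* IOCTL_SCSI_BASE */
#define FILE_DEVICE_DISK       0x00000007u
#define METHOD_BUFFERED   0u
#define METHOD_IN_DIRECT  1u
#define METHOD_OUT_DIRECT 2u
#define METHOD_NEITHER    3u
#define FILE_ANY_ACCESS   0u
#define FILE_READ_ACCESS  1u
#define FILE_WRITE_ACCESS 2u

typedef struct {
    uint32_t device_type;
    uint32_t access;
    uint32_t function;
    uint32_t method;
} ioctl_fields;

/* Split a dwIoControlCode into its four fields. */
ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = DEVICE_TYPE_OF(code);
    f.access      = ACCESS_OF(code);
    f.function    = FUNCTION_OF(code);
    f.method      = METHOD_OF(code);
    return f;
}

/* Human-readable names for the two small enumerated fields. */
const char *method_name(uint32_t m)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[m & 0x3u];
}

const char *access_name(uint32_t a)
{
    static const char *names[] = { "FILE_ANY_ACCESS", "FILE_READ_ACCESS",
                                   "FILE_WRITE_ACCESS",
                                   "FILE_READ_ACCESS|FILE_WRITE_ACCESS" };
    return names[a & 0x3u];
}

/* True if the code targets the given device type and function number,
 * regardless of access/method bits; handy for matching a logged code
 * against a known IOCTL family such as IOCTL_CDROM_* without a full table. */
int ioctl_is(uint32_t code, uint32_t device_type, uint32_t function)
{
    return DEVICE_TYPE_OF(code) == device_type && FUNCTION_OF(code) == function;
}

void print_ioctl(uint32_t code)
{
    ioctl_fields f = decode_ioctl(code);
    printf("0x%08X: device_type=0x%04X function=0x%03X %s %s\n",
           code, f.device_type, f.function,
           method_name(f.method), access_name(f.access));
}

int main(void)
{
    /* IOCTL_CDROM_READ_TOC as quoted in the thread. */
    print_ioctl(0x00024000u);
    /* IOCTL_SCSI_GET_ADDRESS, re-encoded from its public definition. */
    print_ioctl(CTL_CODE(FILE_DEVICE_CONTROLLER, 0x0406u, METHOD_BUFFERED, FILE_ANY_ACCESS));
    return 0;
}
```

The decode shows that IOCTL_CDROM_READ_TOC is device type 2 (FILE_DEVICE_CD_ROM), function 0, METHOD_BUFFERED with FILE_READ_ACCESS, which is exactly how ntddcdrm.h builds it; once a hook logs codes in this form, unexpected device types or METHOD_NEITHER requests from a process stand out without a lookup table.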
ragdog Posted December 17, 2011

"Big disadvantage: MASM. Coding a driver in ASM pretty sucks, too error-prone."

I think not
stellios Posted December 17, 2011

Agree with Fungus, interesting thread but the thread starter looks to be drowning before the tide has come in! evlncrn8's comments were interesting, never looked at a project like this however it's intriguing to see what's involved. Mr.reCoder you may need a snorkel for this one... good luck