Tuts 4 You


Came across a cool little prog called ioctlbf...

It's used to try and BSOD the system via DeviceIoControl IRQs, which is how user talks to kernel via its sys drivers.

 

For a quick example:

C:\ioctlbf_0.4\bin>ioctlbf -d IP -r 120040-120050
    _                   _  _       ___
   (_)              _  | || |     / __)
    _  ___   ____ _| |_| || |__ _| |__
   | |/ _ \ / ___|_   _) ||  _ (_   __)
   | | |_| ( (___  | |_| || |_) )| |
   |_|\___/ \____)  \__)\_)____/ |_|    v0.4

[~] Open handle to the device \\.\IP ... OK

  Summary
  -------
  IOCTL scanning mode   : Range mode 0x00120040 - 0x00120050
  Filter mode           : Filter disabled
  Symbolic Device Name  : \\.\IP
  Device handle         : 0x000007e8

[~] Bruteforce function code + transfer type and determine input sizes...
[+] 2 valid IOCTL have been found

  Valid IOCTLs found
  ------------------
  0x00120044    function code: 0x0011
                transfer type: METHOD_BUFFERED
                input bufsize: min = 4 (0x4) | max = 4096 (0x1000)
  0x00120040    function code: 0x0010
                transfer type: METHOD_BUFFERED
                input bufsize: min = 264 (0x108) | max = 4096 (0x1000)

[?] Choose an IOCTL to fuzz...
        [0] 0x00120044
        [1] 0x00120040
Choice : 0

which begs my next question: If you have used this prog, does it take a LOOOOONNNNNGGGG time to fill up the DWORD buffers?

Filling the whole buffer with predetermined DWORDs
Input buffer: 849 (0x351) bytes
Error 259: No more data is available.

With 1024 DWORD buffers in this case, some are filled, others don't give that Error 259: No more data is available.

 

and if ya wanna play mean with other IRQ's

Here are some I picked up in Russia.. HAVE FUN!

// Interface for \Device\Ip and \Device\IPMULTICAST

/************************************************************************/
/*                            \Device\Ip                                */
/************************************************************************/

/* IOCTL_ICMP_ECHO_REQUEST (0x120000) */
/* IOCTL_ARP_SEND_REQUEST (0x12003C) */
/* IOCTL_IP_INTERFACE_INFO (0x120040) */
/* IOCTL_IP_GET_IGMPLIST (0x120054) */
/* IOCTL_IP_GET_BEST_INTERFACE (0x120044) */
/* IOCTL_IP_SET_ADDRESS (0x128004) */
/* IOCTL_IP_SET_ADDRESS_DUP (0x1280A0) */
/* IOCTL_IP_SET_BLOCKOFROUTES (0x12805C) */
/* IOCTL_IP_SET_ROUTEWITHREF (0x128060) */
/* IOCTL_IP_SET_MULTIHOPROUTE (0x128074) */
/* IOCTL_IP_ADD_NTE (0x12801C) */
/* IOCTL_IP_DELETE_NTE (0x128020) */
/* IOCTL_IP_SET_DHCP_INTERFACE (0x128008) */
/* IOCTL_IP_SET_IF_CONTEXT (0x12800C) */
/* IOCTL_IP_SET_IF_PROMISCUOUS (0x12804C) */

/* IOCTL_IP_GET_BESTINTFC_FUNC_ADDR (0x128070)
 * Request should be initiated from the kernel mode, otherwise
 * STATUS_ACCESS_DENIED returned. This request returns a 4-byte pointer
 * to the TCPIP.SYS internal routine IPGetBestInterfaceIndex (see
 * declaration below):
 *
 * NTSTATUS __stdcall
 *    IPGetBestInterfaceIndex (
 *        unsigned long Address,
 *        unsigned long* pIndex,
 *        unsigned long* pMetric);
 */

/* IOCTL_IP_SET_FILTER_POINTER (0x128010) */
/* IOCTL_IP_SET_FIREWALL_HOOK (0x128030) */
/* IOCTL_IP_SET_MAP_ROUTE_POINTER (0x128014) */
/* IOCTL_IP_RTCHANGE_NOTIFY_REQUEST (0x120034) */
/* IOCTL_IP_RTCHANGE_NOTIFY_REQUEST_EX (0x12007C) */
/* IOCTL_IP_ADDCHANGE_NOTIFY_REQUEST (0x120038) */
/* IOCTL_IP_GET_PNP_ARP_POINTERS (0x128018) */
/* IOCTL_IP_WAKEUP_PATTERN (0x128028) */
/* IOCTL_IP_GET_WOL_CAPABILITY */
// Can't find in the code !!!
/* IOCTL_IP_GET_IP_EVENT (0x12802C) */
/* IOCTL_IP_FLUSH_ARP_TABLE (0x128050) */
/* IOCTL_IP_GET_IF_INDEX (0x120068) */
/* IOCTL_IP_GET_IF_NAME (0x12006C) */
/* IOCTL_IP_ENABLE_ROUTER_REQUEST (0x128080) */
/* IOCTL_IP_UNENABLE_ROUTER_REQUEST (0x128084) */

/************************************************************************/
/*                        \Device\IPMULTICAST                           */
/************************************************************************/

/* IOCTL_IPMCAST_SET_MFE (0x128000) */
/* IOCTL_IPMCAST_GET_MFE (0x128004) */
/* IOCTL_IPMCAST_DELETE_MFE (0x128008) */
/* IOCTL_IPMCAST_SET_TTL (0x12800C) */
/* IOCTL_IPMCAST_GET_TTL (0x128010) */
/* IOCTL_IPMCAST_POST_NOTIFICATION (0x128014) */
/* IOCTL_IPMCAST_START_STOP (0x128018) */
/* IOCTL_IPMCAST_SET_IF_STATE (0x12801C) */

Another world, another time
In the age of wonder
Another world, another time
This land was green and good
Until the crystal cracked

Once more
They will replenish themselves
Cheat death again
The power of their source

The crystal

Oh my God this is the best

Uh, I want you to trip like me, I want you to have fun

...

sorry OPs, sometimes i get a lil carried away
 

Edited by JMC31337
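
The "function code" and "transfer type" columns in the scan output above come straight from the bit fields of the IOCTL code. This is an added example, not part of the original post and not ioctlbf's code; it decodes codes quoted in the post using the standard CTL_CODE layout, and the names `ioctl_fields`, `ioctl_decode` and `ioctl_encode` are made up for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields packed into a Windows I/O control code by the CTL_CODE macro:
 * bits 31..16 device type, 15..14 required access,
 * bits 13..2 function code, 1..0 transfer method. */
typedef struct {
    uint32_t device_type, access, function, method;
} ioctl_fields;   /* hypothetical name, not from ioctlbf */

ioctl_fields ioctl_decode(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2) & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* Inverse of ioctl_decode, equivalent to CTL_CODE(). */
uint32_t ioctl_encode(ioctl_fields f)
{
    return (f.device_type << 16) | (f.access << 14) | (f.function << 2) | f.method;
}

const char *ioctl_method_name(uint32_t m)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[m & 3u];
}

const char *ioctl_access_name(uint32_t a)
{
    static const char *names[] = { "FILE_ANY_ACCESS", "FILE_READ_ACCESS",
                                   "FILE_WRITE_ACCESS", "FILE_READ_ACCESS|FILE_WRITE_ACCESS" };
    return names[a & 3u];
}

int main(void)
{
    /* Codes quoted in the post: two from the scan, two from the list. */
    static const uint32_t codes[] = { 0x00120044, 0x00120040, 0x00128004, 0x00128070 };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        ioctl_fields f = ioctl_decode(codes[i]);
        printf("0x%08x dev=0x%02x func=0x%04x %s %s\n", (unsigned)codes[i],
               (unsigned)f.device_type, (unsigned)f.function,
               ioctl_method_name(f.method), ioctl_access_name(f.access));
    }
    return 0;
}
```

Device type 0x12 is FILE_DEVICE_NETWORK. The 0x1200xx codes decode to FILE_ANY_ACCESS while the 0x128xxx codes decode to FILE_WRITE_ACCESS, which the I/O manager checks against the access granted on the device handle before the driver sees the request.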
