
Thread: vmware's sidt relocation, how?

  1. #16
     nikolatesla20 (Code Injector)
     Join Date: Apr 2002
    Speaking of that Kayaker, I've always had a hard time trying to map IOCTL calls in a driver. I just get lost in that jump table and stuff. Do you have any good hints or methods you use to do this?

    Guess I need to practice a bit more.


  2. #17

    "All entry and exit to and from the guest is through xok, which is able to set and reset IDTR."

    this could work

  3. #18
     Kayaker (Teach, Not Flame)
     Join Date: Oct 2000
    Yeah nt20, I guess it's just a matter of following the IRP_MJ_DEVICE_CONTROL routine. You can usually define its location in DriverEntry (INIT section) by a common pattern, as the DRIVER_OBJECT is being loaded with the addresses of the IRP_MJ_Xxx routines. Can also be found by the DRIVER <drivername> command in Sice.

    Commonly you'll get something like this in DriverEntry, where ESI is the DRIVER_OBJECT. The offset [esi+38] corresponds to the first of the IRP_MJ_xx requests, up to a maximum of IRP_MJ_MAXIMUM_FUNCTION. The addresses may be individually defined, or as in this case, all pointing to a further DispatchControl proc. The DispatchControl proc will likely contain a switch statement for the IRP_MJ requests where you try to pick out the IRP_MJ_DEVICE_CONTROL jump or call, if it isn't explicitly defined right off. The switch statement will relate to the enum order of the IRP_MJ_xx requests, IRP_MJ_CREATE I believe is 0, IRP_MJ_DEVICE_CONTROL will be 0Ch.

    INIT:000106EA                 mov     eax, offset DispatchControl
    INIT:000106F1                 mov     [esi+38h], eax   // IRP_MJ_CREATE
    INIT:000106F4                 mov     [esi+40h], eax   // IRP_MJ_CLOSE
    INIT:000106F7                 mov     [esi+70h], eax   // IRP_MJ_DEVICE_CONTROL
    INIT:0001070B                 mov     dword ptr [esi+34h], offset DriverUnload
    Which programmatically looks like:
    	// Set up dispatch routine entry points for IRP_MJ_Xxx requests
    	// IRP's sent by app when opening and closing a handle to the driver.
    	pDriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchControl;
    	pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchControl;
    	// Dispatch routine for DeviceIoControl calls from the app
    	pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchControl;
    	// Define the DriverUnload procedure
    	pDriverObject->DriverUnload = DriverUnload;
    The IRP_MJ_DEVICE_CONTROL routine may have a further switch statement to sort out the IOCTL codes. The values will be the same as the dwIoControlCode pushed onto the corresponding DeviceIoControl call. Live tracing IRP_MJ_DEVICE_CONTROL would be the best way to follow what happens (assuming a call is triggered), but even from a disassembly, well, the IOCTL code variable has to be used, early and probably off the stack, so it should be recognizable as such with a bit of guesswork.

    The driver vmx86.sys way of doing it pretty much follows the pattern, except for the interesting twist at the end of using a magic number with an indexed jump table. That lea statement is kind of a nice trick.
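The two steps Kayaker describes above, as an added example that is not part of the original post and not code from vmx86.sys: a small C program that maps the `[esi+XXh]` stores seen in the DriverEntry listing back to the MajorFunction[] slot they fill, and unpacks a dwIoControlCode into the fields the CTL_CODE macro packs into it (device type, access, function, transfer method), which is what you match against the switch inside the IRP_MJ_DEVICE_CONTROL handler. The offset-to-name part assumes the 32-bit x86 DRIVER_OBJECT layout the listing itself uses (DriverUnload at 0x34, MajorFunction table at 0x38, 4-byte pointers); the IOCTL decoding goes a step beyond the post, and the code 0x222000 is a constructed value, not one taken from any real driver.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout: classic 32-bit x86 DRIVER_OBJECT, matching the listing above.
 * DriverUnload lives at 0x34; the MajorFunction[] table of IRP_MJ_Xxx pointers
 * starts at 0x38 with one 4-byte pointer per IRP_MJ index. */
#define DRVOBJ_DRIVERUNLOAD_OFF   0x34u
#define DRVOBJ_MAJORFUNCTION_OFF  0x38u
#define PTR_SIZE_X86              4u
#define IRP_MJ_MAXIMUM_FUNCTION   0x1Bu

/* IRP_MJ_Xxx names in enum order, index == major function code. */
static const char *const irp_mj_names[] = {
    "IRP_MJ_CREATE", "IRP_MJ_CREATE_NAMED_PIPE", "IRP_MJ_CLOSE", "IRP_MJ_READ",
    "IRP_MJ_WRITE", "IRP_MJ_QUERY_INFORMATION", "IRP_MJ_SET_INFORMATION",
    "IRP_MJ_QUERY_EA", "IRP_MJ_SET_EA", "IRP_MJ_FLUSH_BUFFERS",
    "IRP_MJ_QUERY_VOLUME_INFORMATION", "IRP_MJ_SET_VOLUME_INFORMATION",
    "IRP_MJ_DIRECTORY_CONTROL", "IRP_MJ_FILE_SYSTEM_CONTROL",
    "IRP_MJ_DEVICE_CONTROL", "IRP_MJ_INTERNAL_DEVICE_CONTROL", "IRP_MJ_SHUTDOWN",
    "IRP_MJ_LOCK_CONTROL", "IRP_MJ_CLEANUP", "IRP_MJ_CREATE_MAILSLOT",
    "IRP_MJ_QUERY_SECURITY", "IRP_MJ_SET_SECURITY", "IRP_MJ_POWER",
    "IRP_MJ_SYSTEM_CONTROL", "IRP_MJ_DEVICE_CHANGE", "IRP_MJ_QUERY_QUOTA",
    "IRP_MJ_SET_QUOTA", "IRP_MJ_PNP",
};

/* Turn a "[esi+XXh]" store offset into the MajorFunction[] index it fills.
 * Returns -1 when the offset is not a pointer-aligned slot inside the table. */
int mj_index_from_offset(unsigned off)
{
    if (off < DRVOBJ_MAJORFUNCTION_OFF) return -1;
    unsigned rel = off - DRVOBJ_MAJORFUNCTION_OFF;
    if (rel % PTR_SIZE_X86 != 0) return -1;
    unsigned idx = rel / PTR_SIZE_X86;
    if (idx > IRP_MJ_MAXIMUM_FUNCTION) return -1;
    return (int)idx;
}

/* Name for a DRIVER_OBJECT store offset, or NULL if it is not a dispatch slot. */
const char *mj_name_from_offset(unsigned off)
{
    if (off == DRVOBJ_DRIVERUNLOAD_OFF) return "DriverUnload";
    int idx = mj_index_from_offset(off);
    return idx < 0 ? NULL : irp_mj_names[idx];
}

/* CTL_CODE packs: DeviceType << 16 | Access << 14 | Function << 2 | Method */
struct ioctl_fields { unsigned device_type, access, function, method; };

struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

static const char *const method_names[] = {
    "METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"
};

int main(void)
{
    /* The four stores from the DriverEntry listing above. */
    unsigned offs[] = { 0x38, 0x40, 0x70, 0x34 };
    for (size_t i = 0; i < sizeof offs / sizeof offs[0]; i++) {
        const char *name = mj_name_from_offset(offs[i]);
        printf("[esi+%02Xh] -> %s\n", offs[i], name ? name : "(not a dispatch slot)");
    }

    /* Constructed IOCTL: CTL_CODE(FILE_DEVICE_UNKNOWN=0x22, 0x800,
     * METHOD_BUFFERED, FILE_ANY_ACCESS) == 0x222000. */
    uint32_t code = 0x222000u;
    struct ioctl_fields f = decode_ioctl(code);
    printf("IOCTL %08X: DeviceType=%02X Function=%03X %s Access=%u\n",
           code, f.device_type, f.function, method_names[f.method], f.access);
    return 0;
}
```

Reading the decoded Function field (0x800 and up is the vendor range) and Method off a constant found early in the IRP_MJ_DEVICE_CONTROL handler is usually enough to pair a case in the driver's switch with the DeviceIoControl call in the user-mode side.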

