mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5535 lines
180 KiB
5535 lines
180 KiB
/*
|
|
* Devctl.c
|
|
*
|
|
* IoCrash
|
|
*
|
|
* Copyright(c) 1997 Microsoft Corporation
|
|
*
|
|
* NeillC 23-Oct-97
|
|
*
|
|
* This program is designed to call as many of the user mode native NT API's as
|
|
* possible. The program is written to crash drivers as its primary function.
|
|
*
|
|
*/
|
|
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <math.h>
|
|
|
|
#include "nt.h"
|
|
#include "ntrtl.h"
|
|
#include "nturtl.h"
|
|
#include <winsock2.h>
|
|
#include <mswsock.h>
|
|
#include "windows.h"
|
|
#include "wmistr.h"
|
|
#include "wmiumkm.h"
|
|
#include "time.h"
|
|
#include "tdi.h"
|
|
#include "vdm.h"
|
|
#include "sddl.h"
|
|
|
|
#define MAX_DEVICES 4096
|
|
#define PROT_REP 100000
|
|
#define MAX_RET 5000
|
|
#define DIAG_RET 50
|
|
#define CRASH_LINE_SIZE 1024
|
|
#define SLOP_SENTINAL 0xA5
|
|
|
|
#define SLOP 100
|
|
#define BIGBUF_SIZE 0x10000
|
|
#define RAND_REP 1000
|
|
#define MAX_IOCTL_TAILOR 100
|
|
#define INITIAL_IOCTL_TAILOR_SIZE 200
|
|
|
|
#define FLAGS_DO_IOCTL_NULL 0x00000001
|
|
#define FLAGS_DO_IOCTL_RANDOM 0x00000002
|
|
#define FLAGS_DO_FSCTL_NULL 0x00000004
|
|
#define FLAGS_DO_FSCTL_RANDOM 0x00000008
|
|
#define FLAGS_DO_USAGE 0x00000010
|
|
#define FLAGS_DO_LOGGING 0x00000020
|
|
#define FLAGS_DO_POOLCHECK 0x00000040
|
|
#define FLAGS_DO_SKIPDONE 0x00000080
|
|
#define FLAGS_DO_SKIPCRASH 0x00000100
|
|
#define FLAGS_DO_MISC 0x00000200
|
|
#define FLAGS_DO_QUERY 0x00000400
|
|
#define FLAGS_DO_SUBOPENS 0x00000800
|
|
#define FLAGS_DO_ALLDEVS 0x00001000
|
|
#define FLAGS_DO_ZEROEA 0x00002000
|
|
#define FLAGS_DO_GRAB 0x00004000
|
|
#define FLAGS_DO_ERRORS 0x00008000
|
|
#define FLAGS_DO_ALERT 0x00010000
|
|
#define FLAGS_DO_LPC 0x00020000
|
|
#define FLAGS_DO_MAPNULL 0x00040000
|
|
#define FLAGS_DO_STREAMS 0x00080000
|
|
#define FLAGS_DO_WINSOCK 0x00100000
|
|
#define FLAGS_DO_SYNC 0x00200000
|
|
#define FLAGS_DO_DISKS 0x00400000
|
|
#define FLAGS_DO_PROT 0x00800000
|
|
#define FLAGS_DO_SECURITY 0x01000000
|
|
#define FLAGS_DO_IMPERSONATION 0x02000000
|
|
#define FLAGS_DO_DIRECT_DEVICE 0x04000000
|
|
#define FLAGS_DO_FAILURE_INJECTION 0x08000000
|
|
#define FLAGS_DO_PRINT_DEVS 0x10000000
|
|
#define FLAGS_DO_RANDOM_DEVICE 0x20000000
|
|
#define FLAGS_DO_SYMBOLIC 0x40000000
|
|
#define FLAGS_DO_OPEN_CLOSE 0x80000000
|
|
|
|
#define FLAGS_DO_DRIVER 0x00000001
|
|
|
|
#define DIAG_NOEXCEPTIONS 0x1
|
|
|
|
#define OPEN_TYPE_TDI_CONNECTION 1
|
|
#define OPEN_TYPE_TDI_ADDR_IP 2
|
|
#define OPEN_TYPE_TDI_ADDR_NETBIOS 3
|
|
#define OPEN_TYPE_TDI_ADDR_IPX 4
|
|
#define OPEN_TYPE_TDI_ADDR_APPLE 5
|
|
#define OPEN_TYPE_NAMED_PIPE 6
|
|
#define OPEN_TYPE_MAIL_SLOT 7
|
|
#define OPEN_TYPE_TREE_CONNECT 8
|
|
|
|
typedef struct _DEVMAP {
|
|
OBJECT_NAME_INFORMATION *name;
|
|
FILE_NAME_INFORMATION *filename;
|
|
HANDLE handle;
|
|
DEVICE_TYPE devtype;
|
|
ACCESS_MASK access;
|
|
} DEVMAP, *PDEVMAP;
|
|
|
|
//
|
|
// Define a structure to keep a track of issued IOCTL's. We do this to try and make a
|
|
// guess at what IOCTL's/FSCTL's a driver is actualy processing.
|
|
//
|
|
typedef struct _IOCTLINFO {
|
|
NTSTATUS status;
|
|
ULONG ioctl;
|
|
ULONG count;
|
|
} IOCTLINFO, *PIOCTLINFO;
|
|
|
|
typedef struct _IOCTLREC {
|
|
ULONG total, count, start;
|
|
IOCTLINFO ioctl[];
|
|
} IOCTLREC, *PIOCTLREC;
|
|
|
|
typedef struct _CRASHNODE {
|
|
struct _CRASHNODE *next;
|
|
PWCHAR string;
|
|
} CRASHNODE, *PCRASHNODE;
|
|
|
|
DEVMAP devmap[MAX_DEVICES];
|
|
ULONG devscount;
|
|
ULONG skipped = 0;
|
|
ULONG random_device = 0;
|
|
UCHAR *bigbuf;
|
|
FILE *skipfile = NULL;
|
|
FILE *crashfile = NULL;
|
|
FILE *diag_file = NULL;
|
|
PCRASHNODE crashlist = NULL;
|
|
HANDLE changethread, randthread, alertthread, mainthread;
|
|
SOCKET ls, cs;
|
|
ULONG flags=0, flags2=0;
|
|
ULONG ioctl_min_function=0;
|
|
ULONG ioctl_max_function=400 /*0xFFF*/;
|
|
ULONG ioctl_min_devtype=0;
|
|
ULONG ioctl_max_devtype=200;
|
|
ULONG ioctl_inbuf_min=0x0;
|
|
ULONG ioctl_inbuf_max=0x200;
|
|
ULONG ioctl_outbuf_min=0;
|
|
ULONG ioctl_outbuf_max=0x200;
|
|
ULONG max_random_calls = 100000;
|
|
ULONG max_tailured_calls = 10000;
|
|
ULONG progress_counter=0;
|
|
ULONG alerted=0;
|
|
ULONG cid = 0;
|
|
HANDLE process_handle = NULL;
|
|
WCHAR lastcrashline[CRASH_LINE_SIZE];
|
|
HANDLE sync_event = NULL;
|
|
ULONG sessionid = 0;
|
|
PCHAR prefix_string = NULL;
|
|
HANDLE NonAdminToken=NULL;
|
|
UNICODE_STRING DriverName={0};
|
|
BOOLEAN Impersonating = FALSE;
|
|
|
|
HANDLE
|
|
Create_nonadmin_token ()
|
|
/*
|
|
Create a token with administrator filtered out.
|
|
*/
|
|
{
|
|
HANDLE ProcessToken, RestrictedToken;
|
|
SID_AND_ATTRIBUTES AdminSidAttrib;
|
|
PSID pSid;
|
|
SID_IDENTIFIER_AUTHORITY sia = {SECURITY_WORLD_SID_AUTHORITY};
|
|
|
|
|
|
//
|
|
// Open the process token
|
|
//
|
|
if (!OpenProcessToken (GetCurrentProcess (),
|
|
MAXIMUM_ALLOWED,
|
|
&ProcessToken)) {
|
|
printf ("OpenProcessToken failed %d\n", GetLastError ());
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
|
|
if (!AllocateAndInitializeSid (&sia, 1, 0, 0, 0, 0, 0, 0, 0, 0, &pSid)) {
|
|
printf ("AllocateAndInitializeSid failed %d\n", GetLastError ());
|
|
CloseHandle (ProcessToken);
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
|
|
AdminSidAttrib.Sid = pSid;
|
|
AdminSidAttrib.Attributes = 0;
|
|
|
|
if (!CreateRestrictedToken (ProcessToken,
|
|
DISABLE_MAX_PRIVILEGE,
|
|
0,
|
|
NULL,
|
|
0,
|
|
NULL,
|
|
1,
|
|
&AdminSidAttrib,
|
|
&RestrictedToken)) {
|
|
FreeSid (pSid);
|
|
CloseHandle (ProcessToken);
|
|
printf ("CreateRestrictedToken failed %d\n", GetLastError ());
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
|
|
FreeSid (pSid);
|
|
CloseHandle (ProcessToken);
|
|
|
|
if (!DuplicateToken (RestrictedToken,
|
|
SecurityDelegation,
|
|
&NonAdminToken)) {
|
|
CloseHandle (RestrictedToken);
|
|
printf ("DuplicateToken failed %d\n", GetLastError ());
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
CloseHandle (RestrictedToken);
|
|
|
|
return NonAdminToken;
|
|
}
|
|
|
|
VOID
|
|
Impersonate_nonadmin ()
|
|
{
|
|
Impersonating = TRUE;
|
|
if (NonAdminToken != NULL && !SetThreadToken (NULL, NonAdminToken)) {
|
|
printf ("SetThreadToken failed %d\n", GetLastError ());
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
}
|
|
|
|
DWORD
|
|
Revert_from_admin ()
|
|
{
|
|
Impersonating = FALSE;
|
|
return RevertToSelf ();
|
|
}
|
|
|
|
|
|
void
|
|
tag_to_wide (PUCHAR t, PWCHAR wt)
|
|
{
|
|
ULONG i;
|
|
|
|
for (i = 0; i < 4; i++) {
|
|
*wt++ = *t++;
|
|
}
|
|
}
|
|
|
|
/*
|
|
Try and locate pool leaks by looking at pool tag info and lookaside list info.
|
|
Try and locate where handled exceptions might reveal problems in the code.
|
|
*/
|
|
BOOL
|
|
print_diags (ULONG diag_flags, ULONG ret)
|
|
{
|
|
static PSYSTEM_POOLTAG_INFORMATION opb=NULL;
|
|
PSYSTEM_POOLTAG_INFORMATION pb;
|
|
static PSYSTEM_LOOKASIDE_INFORMATION olpb=NULL;
|
|
static ULONG olpbl;
|
|
PSYSTEM_LOOKASIDE_INFORMATION lpb;
|
|
ULONG pbl, lpbl, i, j, retlen, retlen1;
|
|
BOOL found, diff, newtag;
|
|
NTSTATUS status;
|
|
static ULONG firsterror = 1;
|
|
static SYSTEM_EXCEPTION_INFORMATION sei, osei;
|
|
WCHAR wtag[4];
|
|
static ULONG lpbi = 1, pbi = 1;
|
|
|
|
if ((flags&FLAGS_DO_POOLCHECK) == 0) {
|
|
return FALSE;
|
|
}
|
|
if (!diag_file) {
|
|
diag_file = _wfopen (L"diags.log", L"ab");
|
|
if (!diag_file) {
|
|
printf ("Failed to open diags.log for diagnostics\n");
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
}
|
|
diff = FALSE;
|
|
newtag = FALSE;
|
|
|
|
status = NtQuerySystemInformation (SystemExceptionInformation, &sei, sizeof (sei),
|
|
&retlen);
|
|
if (!NT_SUCCESS (status)) {
|
|
if (firsterror) {
|
|
printf ("NtQuerySystemInformation for SystemExceptionInformation failed %x\n",
|
|
status);
|
|
firsterror = 0;
|
|
}
|
|
flags &= ~FLAGS_DO_POOLCHECK;
|
|
return FALSE;
|
|
}
|
|
if (sei.ExceptionDispatchCount > osei.ExceptionDispatchCount &&
|
|
osei.ExceptionDispatchCount) {
|
|
if (!(diag_flags&DIAG_NOEXCEPTIONS)) {
|
|
printf ("Exception count changed from %d to %d\n", osei.ExceptionDispatchCount,
|
|
sei.ExceptionDispatchCount);
|
|
if (ret == DIAG_RET) {
|
|
fwprintf (diag_file, L"%s Exception count changed from %d to %d\r\n",
|
|
lastcrashline,
|
|
osei.ExceptionDispatchCount,
|
|
sei.ExceptionDispatchCount);
|
|
fflush (diag_file);
|
|
} else if (ret < DIAG_RET) {
|
|
diff = TRUE;
|
|
}
|
|
}
|
|
}
|
|
osei = sei;
|
|
|
|
while (1) {
|
|
/*
|
|
Get memory for tag info
|
|
*/
|
|
pbl = sizeof (*pb) + pbi * sizeof (pb->TagInfo[0]);
|
|
pb = malloc (pbl);
|
|
if (!pb) {
|
|
printf ("Failed to allocate memory for pool buffer\n");
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
status = NtQuerySystemInformation (SystemPoolTagInformation, pb, pbl, &retlen1);
|
|
if (pbl <= retlen1) {
|
|
ULONG pbio = pbi;
|
|
pbi = 1 + (retlen1 - sizeof (*pb)) / sizeof (pb->TagInfo[0]);
|
|
// printf ("Increasing pooltag list table size to %d from %d\n", pbi, pbio);
|
|
free (pb);
|
|
continue;
|
|
}
|
|
if (!NT_SUCCESS (status)) {
|
|
if (firsterror) {
|
|
printf ("NtQuerySystemInformation failed %x\n", status);
|
|
firsterror = 0;
|
|
}
|
|
flags &= ~FLAGS_DO_POOLCHECK;
|
|
free (pb);
|
|
return FALSE;
|
|
}
|
|
break;
|
|
}
|
|
|
|
while (1) {
|
|
/*
|
|
Get memory for lookaside info
|
|
*/
|
|
lpbl = sizeof (*lpb) * lpbi;
|
|
lpb = malloc (lpbl);
|
|
if (!pb) {
|
|
printf ("Failed to allocate memory for pool buffer\n");
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
status = NtQuerySystemInformation (SystemLookasideInformation, lpb, lpbl, &retlen);
|
|
if (lpbl <= retlen) {
|
|
ULONG lpbio = lpbi;
|
|
lpbi = 1 + retlen / sizeof (*lpb);
|
|
// printf ("Increasing lookaside list table size to %d from %d\n", lpbi, lpbio);
|
|
free (lpb);
|
|
continue;
|
|
}
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtQuerySystemInformation failed %x\n", status);
|
|
flags &= ~FLAGS_DO_POOLCHECK;
|
|
free (lpb);
|
|
free (pb);
|
|
return FALSE;
|
|
}
|
|
break;
|
|
}
|
|
lpbl = retlen / sizeof (*lpb);
|
|
if (olpb) {
|
|
for (i = 0; i < lpbl; i++) {
|
|
/*
|
|
Quick check here. the tag is probably in the same place it was last time
|
|
*/
|
|
if (i < olpbl && lpb[i].Tag == olpb[i].Tag && lpb[i].Type == olpb[i].Type &&
|
|
lpb[i].Size == olpb[i].Size) {
|
|
found = TRUE;
|
|
j = i;
|
|
} else {
|
|
/*
|
|
It has moved so search them all.
|
|
*/
|
|
for (j = 0; j < olpbl; j++) {
|
|
if (lpb[i].Tag == olpb[j].Tag && lpb[i].Type == olpb[j].Type &&
|
|
lpb[i].Size == olpb[j].Size) {
|
|
found = TRUE;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
if (found) {
|
|
if (olpb[i].CurrentDepth > lpb[i].CurrentDepth) {
|
|
printf ("Lookaside: %4.4s, size %d up %d\n",
|
|
&lpb[i].Tag, lpb[i].Size,
|
|
olpb[i].CurrentDepth - lpb[i].CurrentDepth);
|
|
diff = TRUE;
|
|
if (ret == DIAG_RET) {
|
|
tag_to_wide ((PUCHAR)&lpb[i].Tag, wtag);
|
|
fwprintf (diag_file, L"%s Lookaside: %4.4s, size %d up %d\r\n",
|
|
lastcrashline,
|
|
wtag, lpb[i].Size,
|
|
olpb[i].CurrentDepth - lpb[i].CurrentDepth);
|
|
fflush (diag_file);
|
|
}
|
|
}
|
|
} else {
|
|
/*
|
|
A new tag has appeared here
|
|
*/
|
|
printf ("New Lookaside %4.4s, size %d, depth %d\n",
|
|
&lpb[i].Tag, lpb[i].Size,
|
|
lpb[i].CurrentDepth);
|
|
diff = TRUE;
|
|
}
|
|
}
|
|
free (olpb);
|
|
}
|
|
|
|
/*
|
|
now do lookaside information
|
|
*/
|
|
// printf ("Total tags %d\n", pb->Count);
|
|
if (opb) {
|
|
for (i = 0; i < pb->Count; i++) {
|
|
found = FALSE;
|
|
if (i < opb->Count && pb->TagInfo[i].TagUlong == opb->TagInfo[i].TagUlong) {
|
|
j = i;
|
|
found = TRUE;
|
|
} else {
|
|
for (j = 0; j < pb->Count; j++) {
|
|
if (pb->TagInfo[i].TagUlong == opb->TagInfo[j].TagUlong) {
|
|
found = TRUE;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
if (found) {
|
|
if (pb->TagInfo[i].PagedUsed > opb->TagInfo[j].PagedUsed ||
|
|
pb->TagInfo[i].NonPagedUsed > opb->TagInfo[j].NonPagedUsed) {
|
|
diff = TRUE;
|
|
printf ("Pool: %4.4s, Paged up %d, NonPaged up %d\n",
|
|
&pb->TagInfo[i].TagUlong,
|
|
pb->TagInfo[i].PagedUsed - opb->TagInfo[i].PagedUsed,
|
|
pb->TagInfo[i].NonPagedUsed - opb->TagInfo[i].NonPagedUsed);
|
|
if (ret == DIAG_RET) {
|
|
tag_to_wide ((PUCHAR)&pb->TagInfo[i].TagUlong, wtag);
|
|
fwprintf (diag_file, L"%s Pool: %4.4s, Paged up %d, NonPaged up %d\r\n",
|
|
lastcrashline,
|
|
wtag,
|
|
pb->TagInfo[i].PagedUsed - opb->TagInfo[i].PagedUsed,
|
|
pb->TagInfo[i].NonPagedUsed - opb->TagInfo[i].NonPagedUsed);
|
|
fflush (diag_file);
|
|
}
|
|
}
|
|
} else {
|
|
diff = TRUE;
|
|
newtag = TRUE;
|
|
printf ("New tag %4.4s\n", &pb->TagInfo[i].TagUlong);
|
|
}
|
|
}
|
|
free (opb);
|
|
}
|
|
opb = pb;
|
|
olpb = lpb;
|
|
olpbl = lpbl;
|
|
return diff;
|
|
}
|
|
/*
|
|
Turn on fault injection in the driver verifier
|
|
*/
|
|
void turn_on_fault_injection ()
|
|
{
|
|
ULONG svi;
|
|
NTSTATUS status;
|
|
|
|
svi = DRIVER_VERIFIER_SPECIAL_POOLING |
|
|
DRIVER_VERIFIER_FORCE_IRQL_CHECKING |
|
|
DRIVER_VERIFIER_INJECT_ALLOCATION_FAILURES;
|
|
status = NtSetSystemInformation (SystemVerifierInformation, &svi, sizeof (svi));
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtSetSystemInformation for SystemVerifierInformation failed %x\n",
|
|
status);
|
|
flags &= ~FLAGS_DO_FAILURE_INJECTION; // Turn off flag to prevent errors
|
|
}
|
|
}
|
|
|
|
/*
|
|
Turn off fault injection in the driver verifier
|
|
*/
|
|
void turn_off_fault_injection ()
|
|
{
|
|
ULONG svi;
|
|
NTSTATUS status;
|
|
|
|
svi = DRIVER_VERIFIER_SPECIAL_POOLING |
|
|
DRIVER_VERIFIER_FORCE_IRQL_CHECKING;
|
|
status = NtSetSystemInformation (SystemVerifierInformation, &svi, sizeof (svi));
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtSetSystemInformation for SystemVerifierInformation failed %x\n",
|
|
status);
|
|
}
|
|
}
|
|
|
|
/*
|
|
Read a line from the crash file and remove returns etc
|
|
*/
|
|
PWCHAR getline (PWCHAR templine, ULONG size, FILE *file)
|
|
{
|
|
PWCHAR ret;
|
|
PWCHAR cp;
|
|
|
|
ret = fgetws (templine, size, file);
|
|
if (ret) {
|
|
cp = wcsstr (templine, L"\r");
|
|
if (cp)
|
|
*cp = '\0';
|
|
cp = wcsstr (templine, L"\n");
|
|
if (cp)
|
|
*cp = '\0';
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
Add a line to the list of lines that crashed us before
|
|
*/
|
|
VOID add_crash_list (PWCHAR crashline)
|
|
{
|
|
PCRASHNODE node;
|
|
|
|
node = malloc (sizeof (CRASHNODE));
|
|
if (!node) {
|
|
printf ("Memory allocation failed for crash node!\n");
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
node->next = crashlist;
|
|
crashlist = node;
|
|
node->string = malloc ((wcslen (crashline) + 1) * sizeof (WCHAR));
|
|
if (!node->string) {
|
|
printf ("Memory allocation failed for crash line!\n");
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
wcscpy (node->string, crashline);
|
|
}
|
|
|
|
/*
|
|
See if this operation crashed us before
|
|
*/
|
|
BOOL crashes (PWCHAR path, PWCHAR thing1, PWCHAR thing2, PWCHAR thing3, PWCHAR thing4)
|
|
{
|
|
PWCHAR crashline = NULL;
|
|
PWCHAR templine = NULL;
|
|
BOOL result;
|
|
HANDLE crashfilehandle;
|
|
DWORD retlen;
|
|
BOOL opened;
|
|
PCRASHNODE node;
|
|
ULONG count;
|
|
BOOLEAN StoppedImpersonating;
|
|
|
|
progress_counter++;
|
|
_snwprintf (lastcrashline, sizeof (lastcrashline)/sizeof (WCHAR),
|
|
L"%s %s %s %s %s", path, thing1, thing2, thing3, thing4);
|
|
if ((flags&FLAGS_DO_LOGGING) == 0) {
|
|
wprintf (L"%s\n", lastcrashline);
|
|
SetConsoleTitleW (lastcrashline);
|
|
return FALSE;
|
|
}
|
|
crashline = malloc (CRASH_LINE_SIZE*sizeof (WCHAR));
|
|
if (!crashline) {
|
|
printf ("Failed to allocate crash line buffer\n");
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
templine = malloc (CRASH_LINE_SIZE*sizeof (WCHAR));
|
|
if (!templine) {
|
|
printf ("Failed to allocate crash line buffer\n");
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
StoppedImpersonating = FALSE;
|
|
if (Impersonating) {
|
|
Revert_from_admin ();
|
|
StoppedImpersonating = TRUE;
|
|
}
|
|
opened = FALSE;
|
|
if (!skipfile) {
|
|
/*
|
|
First time in openen up the files
|
|
*/
|
|
opened = TRUE;
|
|
skipfile = _wfopen (L"crash.log", L"ab");
|
|
if (skipfile) {
|
|
crashfile = _wfopen (L"crashn.log", L"rb");
|
|
if (crashfile) {
|
|
printf ("Opened crashn.log for reading\n");
|
|
crashline[0] = '\0';
|
|
while (getline (templine, CRASH_LINE_SIZE, crashfile)) {
|
|
if (wcslen (templine) > 0) {
|
|
if (flags&FLAGS_DO_SKIPDONE) {
|
|
add_crash_list (templine);
|
|
}
|
|
wcscpy (crashline, templine);
|
|
}
|
|
}
|
|
fclose (crashfile);
|
|
crashfile = NULL;
|
|
if (crashline[0] != '\0' && wcsncmp (crashline, L"DONE", 4) != 0) {
|
|
fputws (crashline, skipfile);
|
|
fputws (L"\r\n", skipfile);
|
|
}
|
|
}
|
|
fclose (skipfile);
|
|
}
|
|
skipfile = _wfopen (L"crash.log", L"rb");
|
|
}
|
|
if (skipfile && opened) {
|
|
while (getline (crashline, CRASH_LINE_SIZE, skipfile)) {
|
|
if (flags&FLAGS_DO_SKIPCRASH && wcscmp (crashline, L"DONE") != 0) {
|
|
add_crash_list (crashline);
|
|
}
|
|
}
|
|
}
|
|
/*
|
|
Run through crashing lines looking for a match
|
|
*/
|
|
result = FALSE;
|
|
_snwprintf (templine, CRASH_LINE_SIZE, L"%s %s %s %s %s", path, thing1, thing2, thing3, thing4);
|
|
SetConsoleTitleW (templine);
|
|
for (node = crashlist; node; node = node->next) {
|
|
if (_wcsicmp (node->string, templine) == 0) {
|
|
result = TRUE;
|
|
break;
|
|
}
|
|
}
|
|
if (!result) {
|
|
print_diags (0, 0);
|
|
count = 0;
|
|
do {
|
|
crashfilehandle = CreateFile("crashn.log", GENERIC_WRITE, 0, NULL,
|
|
OPEN_ALWAYS, FILE_FLAG_WRITE_THROUGH, 0 );
|
|
if (crashfilehandle == INVALID_HANDLE_VALUE) {
|
|
printf ("CreateFile failed for crash logging file %d\n", GetLastError ());
|
|
if (count++ > 20) {
|
|
break;
|
|
} else {
|
|
Sleep (5000);
|
|
}
|
|
}
|
|
} while (crashfilehandle == INVALID_HANDLE_VALUE);
|
|
|
|
if (crashfilehandle != INVALID_HANDLE_VALUE) {
|
|
SetFilePointer (crashfilehandle, 0, 0, FILE_END);
|
|
_snwprintf (templine, CRASH_LINE_SIZE,
|
|
L"%s %s %s %s %s\r\n", path, thing1, thing2, thing3, thing4);
|
|
wprintf (L"%s", templine);
|
|
/*
|
|
This is a bit excessive and costly but I really want to make sure this gets
|
|
logged as the next operation may crash the machine.
|
|
*/
|
|
if (!WriteFile (crashfilehandle, templine, wcslen(templine)*sizeof (WCHAR), &retlen, 0)) {
|
|
printf ("WriteFile failed fore crash line %d\n", GetLastError ());
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
if (!FlushFileBuffers (crashfilehandle)) {
|
|
printf ("FlushFileBuffers failed for crash file %d\n", GetLastError ());
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
if (!CloseHandle (crashfilehandle)) {
|
|
printf ("CloseHandle failed for crash file %d\n", GetLastError ());
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
}
|
|
}
|
|
if (StoppedImpersonating) {
|
|
Impersonate_nonadmin ();
|
|
}
|
|
|
|
free (crashline);
|
|
free (templine);
|
|
return result;
|
|
}
|
|
|
|
|
|
/*
|
|
Hack to get a 32 bit random value from a 15 bit source
|
|
*/
|
|
ULONG
|
|
rand32(
|
|
void
|
|
)
|
|
{
|
|
return(rand() << 17) + rand() + rand();
|
|
}
|
|
|
|
/*
|
|
RandInRange - produce a random number in some range
|
|
*/
|
|
ULONG
|
|
RandInRange( ULONG lowerb, ULONG upperb )
|
|
{
|
|
if( lowerb > upperb ) {
|
|
ULONG temp;
|
|
temp= upperb;
|
|
|
|
return lowerb + rand32()%(upperb-lowerb);
|
|
upperb= lowerb;
|
|
upperb= temp;
|
|
}
|
|
|
|
return lowerb + rand32()%(upperb-lowerb);
|
|
|
|
}
|
|
|
|
/*
|
|
Allocate a buffer with slop and fill the slop with a know value
|
|
*/
|
|
PVOID
|
|
reallocslop(
|
|
PVOID p,
|
|
ULONG len
|
|
)
|
|
{
|
|
progress_counter++;
|
|
p = realloc(p,
|
|
len + SLOP);
|
|
|
|
memset(p,
|
|
SLOP_SENTINAL,
|
|
len + SLOP);
|
|
|
|
return p;
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
Check to see if the driver wrote too far by checking the slop values
|
|
*/
|
|
VOID
|
|
testslop(
|
|
PVOID p,
|
|
ULONG len,
|
|
PWCHAR what,
|
|
PWCHAR subwhat
|
|
)
|
|
{
|
|
UCHAR string[100], *pc;
|
|
ULONG i;
|
|
|
|
pc = p;
|
|
|
|
pc += len;
|
|
|
|
for (i = 0; i < SLOP; i++, pc++) {
|
|
if (*pc != SLOP_SENTINAL) {
|
|
wprintf(L"Driver wrote beyond end during %s %s for length %d!\n",
|
|
what, subwhat, len);
|
|
|
|
scanf("%100s",
|
|
&string);
|
|
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
/*
|
|
Issue different sized EA's
|
|
*/
|
|
VOID
|
|
do_query_ea(
|
|
HANDLE handle,
|
|
PWCHAR path
|
|
)
|
|
{
|
|
ULONG l, i, old, ret;
|
|
IO_STATUS_BLOCK iosb;
|
|
ULONG tmp;
|
|
PVOID buf;
|
|
NTSTATUS status, last_status;
|
|
|
|
|
|
if (crashes (path, L"NtQueryEaFile", L"", L"", L""))
|
|
return;
|
|
|
|
ret = 0;
|
|
buf = NULL;
|
|
do {
|
|
last_status = 0;
|
|
|
|
l = 1024;
|
|
|
|
|
|
do {
|
|
buf = reallocslop(buf,
|
|
l);
|
|
|
|
status = NtQueryEaFile (handle, &iosb, buf, l, FALSE, NULL, 0, NULL, FALSE);
|
|
if (NT_SUCCESS (status))
|
|
status = iosb.Status;
|
|
testslop(buf,
|
|
l,
|
|
L"NtQueryEaFile",
|
|
L"");
|
|
|
|
if (status == STATUS_NOT_IMPLEMENTED ||
|
|
status == STATUS_INVALID_INFO_CLASS ||
|
|
status == STATUS_INVALID_DEVICE_REQUEST ||
|
|
status == STATUS_INVALID_PARAMETER ||
|
|
status == STATUS_ACCESS_DENIED) {
|
|
|
|
// break;
|
|
}
|
|
|
|
if (!NT_SUCCESS(status) &&
|
|
status != last_status) {
|
|
|
|
last_status = status;
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf("NtQueryEaFile failed %x\n",
|
|
status);
|
|
}
|
|
} while (l-- != 0);
|
|
|
|
if (flags&FLAGS_DO_ZEROEA) {
|
|
status = NtQueryEaFile(handle,
|
|
&iosb,
|
|
(PVOID)-1024,
|
|
0,
|
|
FALSE, NULL, 0, NULL, FALSE);
|
|
}
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf("NtQueryEaFile failed %x\n",
|
|
status);
|
|
}
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
|
|
status = NtCancelIoFile (handle, &iosb);
|
|
|
|
free(buf);
|
|
|
|
if (!(flags&FLAGS_DO_PROT) || crashes (path, L"NtQueryEaFile prot", L"", L"", L""))
|
|
return;
|
|
status = NtResumeThread (changethread, &tmp);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtResumeThread failed %x\n", status);
|
|
}
|
|
|
|
for (i = 1; i < PROT_REP; i++) {
|
|
if (!VirtualProtect (buf, 1, PAGE_READWRITE, &old)) {
|
|
printf ("VirtualProtect failed %d\n", GetLastError ());
|
|
}
|
|
status = NtQueryEaFile(handle,
|
|
&iosb,
|
|
bigbuf,
|
|
BIGBUF_SIZE,
|
|
FALSE, NULL, 0, NULL, FALSE);
|
|
}
|
|
status = NtSuspendThread (changethread, &tmp);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtResumeThread failed %x\n", status);
|
|
}
|
|
if (!VirtualProtect (buf, 1, PAGE_READWRITE, &old)) {
|
|
printf ("VirtualProtect failed %d\n", GetLastError ());
|
|
}
|
|
|
|
}
|
|
/*
|
|
Do volume queries of different lengths
|
|
*/
|
|
VOID
|
|
do_query_volume(
|
|
HANDLE handle,
|
|
FS_INFORMATION_CLASS InfoType,
|
|
ULONG bufl,
|
|
PWCHAR what,
|
|
PWCHAR path
|
|
)
|
|
{
|
|
ULONG l, ret;
|
|
IO_STATUS_BLOCK iosb;
|
|
PVOID buf;
|
|
NTSTATUS status, last_status;
|
|
|
|
if (crashes (path, L"NtQueryVolumeInformationFile", what, L"", L""))
|
|
return;
|
|
|
|
ret = 0;
|
|
buf = NULL;
|
|
do {
|
|
last_status = 0;
|
|
|
|
l = bufl + 1024;
|
|
|
|
|
|
do {
|
|
buf = reallocslop(buf,
|
|
l);
|
|
|
|
status = NtQueryVolumeInformationFile(handle,
|
|
&iosb,
|
|
buf,
|
|
l,
|
|
InfoType);
|
|
|
|
testslop(buf,
|
|
l,
|
|
L"NtQueryVolumeInformationFile",
|
|
what);
|
|
|
|
if (status == STATUS_NOT_IMPLEMENTED ||
|
|
status == STATUS_INVALID_INFO_CLASS ||
|
|
status == STATUS_INVALID_DEVICE_REQUEST ||
|
|
status == STATUS_INVALID_PARAMETER ||
|
|
status == STATUS_ACCESS_DENIED) {
|
|
|
|
// break;
|
|
}
|
|
|
|
if (!NT_SUCCESS(status) &&
|
|
status != last_status) {
|
|
|
|
last_status = status;
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
wprintf(L"NtQueryVolumeInformationFile for %s failed %x\n",
|
|
what, status);
|
|
}
|
|
} while (l-- != 0);
|
|
|
|
status = NtQueryVolumeInformationFile(handle,
|
|
&iosb,
|
|
(PVOID)-1024,
|
|
0,
|
|
InfoType);
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
wprintf(L"NtQueryVolumeInformationFile for %s failed %x\n",
|
|
what, status);
|
|
}
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
|
|
status = NtCancelIoFile (handle, &iosb);
|
|
free(buf);
|
|
}
|
|
|
|
/*
|
|
Do volume sets of different lengths
|
|
*/
|
|
VOID
|
|
do_set_volume(
|
|
HANDLE handle,
|
|
FS_INFORMATION_CLASS InfoType,
|
|
ULONG bufl,
|
|
PWCHAR what,
|
|
PWCHAR path
|
|
)
|
|
{
|
|
ULONG l, i, ret;
|
|
IO_STATUS_BLOCK iosb;
|
|
PVOID buf;
|
|
NTSTATUS status, last_status;
|
|
|
|
if (crashes (path, L"NtSetVolumeInformationFile", what, L"", L""))
|
|
return;
|
|
|
|
ret = 0;
|
|
buf = NULL;
|
|
do {
|
|
last_status = 0;
|
|
|
|
l = bufl + 1024;
|
|
|
|
|
|
buf = malloc (l);
|
|
do {
|
|
for (i = 0; i < l; i++) {
|
|
((PCHAR)buf)[i] = (CHAR) rand ();
|
|
}
|
|
|
|
progress_counter++;
|
|
status = NtSetVolumeInformationFile(handle,
|
|
&iosb,
|
|
buf,
|
|
l,
|
|
InfoType);
|
|
|
|
if (status == STATUS_NOT_IMPLEMENTED ||
|
|
status == STATUS_INVALID_INFO_CLASS ||
|
|
status == STATUS_INVALID_DEVICE_REQUEST ||
|
|
status == STATUS_INVALID_PARAMETER ||
|
|
status == STATUS_ACCESS_DENIED) {
|
|
|
|
// break;
|
|
}
|
|
|
|
if (!NT_SUCCESS(status) &&
|
|
status != last_status) {
|
|
|
|
last_status = status;
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
wprintf(L"NtSetVolumeInformationFile for %s failed %x\n",
|
|
what, status);
|
|
}
|
|
} while (l-- != 0);
|
|
|
|
progress_counter++;
|
|
status = NtSetVolumeInformationFile(handle,
|
|
&iosb,
|
|
(PVOID)-1024,
|
|
0,
|
|
InfoType);
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
wprintf(L"NtSetVolumeInformationFile for %s failed %x\n",
|
|
what, status);
|
|
}
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
|
|
status = NtCancelIoFile (handle, &iosb);
|
|
free(buf);
|
|
}
|
|
|
|
/*
|
|
Do file queries
|
|
*/
|
|
VOID
|
|
do_query_file(
|
|
HANDLE handle,
|
|
FILE_INFORMATION_CLASS InfoType,
|
|
ULONG bufl,
|
|
PWCHAR what,
|
|
PWCHAR path
|
|
)
|
|
{
|
|
ULONG l, i, ret;
|
|
IO_STATUS_BLOCK iosb;
|
|
PVOID buf;
|
|
NTSTATUS status, last_status;
|
|
ULONG tmp;
|
|
DWORD old;
|
|
|
|
if (crashes (path, L"NtQueryInformationFile", what, L"", L""))
|
|
return;
|
|
|
|
ret = 0;
|
|
buf = NULL;
|
|
do {
|
|
last_status = 0;
|
|
|
|
l = bufl + 1024;
|
|
|
|
|
|
do {
|
|
buf = reallocslop(buf,
|
|
l);
|
|
status = NtQueryInformationFile(handle,
|
|
&iosb,
|
|
buf,
|
|
l,
|
|
InfoType);
|
|
|
|
testslop(buf,
|
|
l,
|
|
L"NtQueryInformationFile",
|
|
what);
|
|
|
|
if (status == STATUS_NOT_IMPLEMENTED ||
|
|
status == STATUS_INVALID_INFO_CLASS ||
|
|
status == STATUS_INVALID_DEVICE_REQUEST ||
|
|
status == STATUS_INVALID_PARAMETER ||
|
|
status == STATUS_ACCESS_DENIED) {
|
|
|
|
// break;
|
|
}
|
|
|
|
if (!NT_SUCCESS(status) &&
|
|
status != last_status) {
|
|
last_status = status;
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
wprintf(L"NtQueryInformationFile for %s failed %x\n",
|
|
what, status);
|
|
}
|
|
} while (l-- != 0);
|
|
|
|
status = NtQueryInformationFile(handle,
|
|
&iosb,
|
|
(PVOID)-1024,
|
|
0,
|
|
InfoType);
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
wprintf(L"NtQueryInformationFile for %s failed %x\n",
|
|
what, status);
|
|
}
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
status = NtCancelIoFile (handle, &iosb);
|
|
free(buf);
|
|
|
|
if (!(flags&FLAGS_DO_PROT) ||
|
|
crashes (path, L"NtQueryInformationFile prot", L"", L"", L""))
|
|
return;
|
|
status = NtResumeThread (changethread, &tmp);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtResumeThread failed %x\n", status);
|
|
}
|
|
|
|
for (i = 1; i < PROT_REP; i++) {
|
|
if (!VirtualProtect (buf, 1, PAGE_READWRITE, &old)) {
|
|
printf ("VirtualProtect failed %d\n", GetLastError ());
|
|
}
|
|
status = NtQueryInformationFile(handle,
|
|
&iosb,
|
|
bigbuf,
|
|
bufl,
|
|
InfoType);
|
|
}
|
|
status = NtSuspendThread (changethread, &tmp);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtResumeThread failed %x\n", status);
|
|
}
|
|
if (!VirtualProtect (buf, 1, PAGE_READWRITE, &old)) {
|
|
printf ("VirtualProtect failed %d\n", GetLastError ());
|
|
}
|
|
}
|
|
|
|
/*
|
|
Do file sets
|
|
*/
|
|
VOID
|
|
do_set_file(
|
|
HANDLE handle,
|
|
FILE_INFORMATION_CLASS InfoType,
|
|
ULONG bufl,
|
|
PWCHAR what,
|
|
PWCHAR path
|
|
)
|
|
{
|
|
ULONG l, i, ret;
|
|
IO_STATUS_BLOCK iosb;
|
|
PVOID buf;
|
|
NTSTATUS status, last_status;
|
|
ULONG tmp;
|
|
DWORD old;
|
|
|
|
if (crashes (path, L"NtSetInformationFile", what, L"", L""))
|
|
return;
|
|
|
|
ret = 0;
|
|
buf = NULL;
|
|
do {
|
|
last_status = 0;
|
|
|
|
l = bufl + 1024;
|
|
buf = malloc (l);
|
|
do {
|
|
for (i = 0; i < l; i++) {
|
|
((PCHAR)buf)[i] = (CHAR) rand ();
|
|
}
|
|
progress_counter++;
|
|
status = NtSetInformationFile(handle,
|
|
&iosb,
|
|
buf,
|
|
l,
|
|
InfoType);
|
|
|
|
if (status == STATUS_NOT_IMPLEMENTED ||
|
|
status == STATUS_INVALID_INFO_CLASS ||
|
|
status == STATUS_INVALID_DEVICE_REQUEST ||
|
|
status == STATUS_INVALID_PARAMETER ||
|
|
status == STATUS_ACCESS_DENIED) {
|
|
|
|
// break;
|
|
}
|
|
|
|
if (!NT_SUCCESS(status) &&
|
|
status != last_status) {
|
|
last_status = status;
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
wprintf(L"NtSetInformationFile for %s failed %x\n",
|
|
what, status);
|
|
}
|
|
} while (l-- != 0);
|
|
|
|
status = NtSetInformationFile(handle,
|
|
&iosb,
|
|
(PVOID)-1024,
|
|
0,
|
|
InfoType);
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
wprintf(L"NtSetInformationFile for %s failed %x\n",
|
|
what, status);
|
|
}
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
status = NtCancelIoFile (handle, &iosb);
|
|
free(buf);
|
|
|
|
if (!(flags&FLAGS_DO_PROT) ||
|
|
crashes (path, L"NtSetInformationFile prot", L"", L"", L""))
|
|
return;
|
|
status = NtResumeThread (changethread, &tmp);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtResumeThread failed %x\n", status);
|
|
}
|
|
|
|
for (i = 1; i < PROT_REP; i++) {
|
|
if (!VirtualProtect (buf, 1, PAGE_READWRITE, &old)) {
|
|
printf ("VirtualProtect failed %d\n", GetLastError ());
|
|
}
|
|
status = NtSetInformationFile(handle,
|
|
&iosb,
|
|
bigbuf,
|
|
bufl,
|
|
InfoType);
|
|
}
|
|
status = NtSuspendThread (changethread, &tmp);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtResumeThread failed %x\n", status);
|
|
}
|
|
if (!VirtualProtect (buf, 1, PAGE_READWRITE, &old)) {
|
|
printf ("VirtualProtect failed %d\n", GetLastError ());
|
|
}
|
|
}
|
|
|
|
/*
|
|
Do object queries with variable length buffers
|
|
*/
|
|
VOID
|
|
do_query_object(
|
|
HANDLE handle,
|
|
OBJECT_INFORMATION_CLASS InfoType,
|
|
ULONG bufl,
|
|
PWCHAR what,
|
|
PWCHAR path
|
|
)
|
|
{
|
|
ULONG l, ret;
|
|
IO_STATUS_BLOCK iosb;
|
|
PVOID buf;
|
|
NTSTATUS status, last_status;
|
|
|
|
last_status = 0;
|
|
|
|
if (crashes (path, L"NtQueryObject", what, L"", L""))
|
|
return;
|
|
|
|
buf = NULL;
|
|
ret = 0;
|
|
do {
|
|
l = bufl + 1024;
|
|
|
|
|
|
do {
|
|
buf = reallocslop(buf,
|
|
l);
|
|
|
|
status = NtQueryObject(handle,
|
|
InfoType,
|
|
buf,
|
|
l,
|
|
NULL);
|
|
|
|
testslop(buf, l, L"NtQueryObject", what);
|
|
|
|
if (!NT_SUCCESS(status) &&
|
|
status != last_status) {
|
|
|
|
last_status = status;
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
wprintf(L"NtQueryObject for %s failed %x\n",
|
|
what, status);
|
|
}
|
|
} while (l-- != 0);
|
|
|
|
status = NtQueryObject(handle,
|
|
InfoType,
|
|
(PVOID)-1024,
|
|
0,
|
|
NULL);
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
wprintf(L"NtQueryObject for %s failed %x\n",
|
|
what, status);
|
|
}
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
|
|
status = NtCancelIoFile (handle, &iosb);
|
|
free(buf);
|
|
}
|
|
|
|
/*
|
|
Do query security
|
|
*/
|
|
VOID
|
|
do_query_security(
|
|
HANDLE handle,
|
|
SECURITY_INFORMATION InfoType,
|
|
ULONG bufl,
|
|
PWCHAR what,
|
|
PWCHAR path
|
|
)
|
|
{
|
|
ULONG l, i, tmp, ret;
|
|
IO_STATUS_BLOCK iosb;
|
|
PVOID buf;
|
|
NTSTATUS status, last_status;
|
|
ULONG ln;
|
|
DWORD old;
|
|
|
|
if (crashes (path, L"NtQuerySecurityObject", what, L"", L""))
|
|
return;
|
|
|
|
buf = NULL;
|
|
ret = 0;
|
|
do {
|
|
last_status = 0;
|
|
|
|
l = bufl + 1024;
|
|
|
|
|
|
do {
|
|
buf = reallocslop(buf,
|
|
l);
|
|
|
|
status = NtQuerySecurityObject(handle,
|
|
InfoType,
|
|
buf,
|
|
l,
|
|
&ln);
|
|
|
|
testslop(buf, l, L"NtQuerySecurityObject", what);
|
|
|
|
if (!NT_SUCCESS(status) &&
|
|
status != last_status && status) {
|
|
|
|
last_status = status;
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
wprintf(L"NtQuerySecurityObject for %s failed %x\n",
|
|
what, status);
|
|
}
|
|
} while (l-- != 0);
|
|
|
|
status = NtQuerySecurityObject(handle,
|
|
InfoType,
|
|
(PVOID)-1024,
|
|
0,
|
|
&ln);
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
wprintf(L"NtQuerySecurityObject for %s failed %x\n",
|
|
what, status);
|
|
}
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
|
|
status = NtCancelIoFile (handle, &iosb);
|
|
free(buf);
|
|
|
|
if (!(flags&FLAGS_DO_PROT) ||
|
|
crashes (path, L"NtQuerySecurityFile prot", L"", L"", L""))
|
|
return;
|
|
status = NtResumeThread (changethread, &tmp);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtResumeThread failed %x\n", status);
|
|
}
|
|
|
|
for (i = 1; i < PROT_REP; i++) {
|
|
if (!VirtualProtect (buf, 1, PAGE_READWRITE, &old)) {
|
|
printf ("VirtualProtect failed %d\n", GetLastError ());
|
|
}
|
|
status = NtQuerySecurityObject(handle,
|
|
InfoType,
|
|
bigbuf,
|
|
bufl,
|
|
&ln);
|
|
}
|
|
status = NtSuspendThread (changethread, &tmp);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtResumeThread failed %x\n", status);
|
|
}
|
|
if (!VirtualProtect (buf, 1, PAGE_READWRITE, &old)) {
|
|
printf ("VirtualProtect failed %d\n", GetLastError ());
|
|
}
|
|
}
|
|
|
|
/*
|
|
Do set security
|
|
*/
|
|
VOID
|
|
do_set_security(
|
|
HANDLE handle,
|
|
SECURITY_INFORMATION InfoType,
|
|
ULONG bufl,
|
|
PWCHAR what,
|
|
PWCHAR path
|
|
)
|
|
{
|
|
ULONG l, i, tmp, ret;
|
|
IO_STATUS_BLOCK iosb;
|
|
PVOID buf;
|
|
NTSTATUS status, last_status;
|
|
ULONG ln;
|
|
DWORD old;
|
|
PSECURITY_DESCRIPTOR psd;
|
|
LPTSTR tsd;
|
|
|
|
if (crashes (path, L"NtSetSecurityObject", what, L"", L""))
|
|
return;
|
|
|
|
psd = malloc (l = 4096);
|
|
if (!psd) {
|
|
printf ("Failed to allocate security descriptor space\n");
|
|
return;
|
|
}
|
|
status = NtQuerySecurityObject(handle,
|
|
InfoType,
|
|
psd,
|
|
l,
|
|
&ln);
|
|
if (!NT_SUCCESS(status)) {
|
|
free (psd);
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
wprintf(L"NtQuerySecurityObject for %s failed %x\n",
|
|
what, status);
|
|
return;
|
|
}
|
|
if (InfoType) {
|
|
if (ConvertSecurityDescriptorToStringSecurityDescriptor (psd,
|
|
SDDL_REVISION_1,
|
|
InfoType,
|
|
&tsd,
|
|
NULL)) {
|
|
printf ("%ws: %s\n", what, tsd);
|
|
LocalFree (tsd);
|
|
} else {
|
|
printf ("ConvertSecurityDescriptorToStringSecurityDescriptor failed %d\n", GetLastError ());
|
|
}
|
|
}
|
|
buf = NULL;
|
|
ret = 0;
|
|
do {
|
|
last_status = 0;
|
|
|
|
status = NtSetSecurityObject(handle,
|
|
InfoType,
|
|
psd);
|
|
|
|
if (!NT_SUCCESS(status) &&
|
|
status != last_status && status) {
|
|
|
|
last_status = status;
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
wprintf(L"NtSetSecurityObject for %s failed %x\n",
|
|
what, status);
|
|
}
|
|
status = NtCancelIoFile (handle, &iosb);
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
|
|
free(psd);
|
|
}
|
|
|
|
/*
|
|
Do all the query functions
|
|
*/
|
|
NTSTATUS
|
|
query_object(
|
|
HANDLE handle,
|
|
PDEVMAP devmap,
|
|
PWCHAR path
|
|
)
|
|
{
|
|
OBJECT_NAME_INFORMATION *on = NULL;
|
|
FILE_NAME_INFORMATION *fn = NULL;
|
|
ULONG sfn, son;
|
|
FILE_FS_DEVICE_INFORMATION devinfo;
|
|
NTSTATUS status;
|
|
static IO_STATUS_BLOCK iosb;
|
|
|
|
sfn = sizeof (*fn) + 1024;
|
|
son = sizeof (*on) + 1024;
|
|
fn = reallocslop(NULL,
|
|
sfn);
|
|
on = reallocslop(NULL,
|
|
son);
|
|
if (devmap) {
|
|
devmap->filename = fn;
|
|
devmap->name = on;
|
|
}
|
|
|
|
if (fn == NULL || on == NULL) {
|
|
printf("Memory allocation failure in query_object!\n");
|
|
exit(EXIT_FAILURE);
|
|
}
|
|
|
|
status = NtQueryObject(handle,
|
|
ObjectNameInformation,
|
|
on,
|
|
son,
|
|
NULL);
|
|
|
|
testslop(on,
|
|
son, L"NtQueryObject", L"ObjectNameInformation");
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
if (flags&FLAGS_DO_ERRORS) {
|
|
wprintf(L"NtQueryObject for ObjectNameInformation failed %x\n",
|
|
status);
|
|
}
|
|
|
|
on->Name.Length = 0;
|
|
} else {
|
|
wprintf (L"Object name is %s\n", on->Name.Buffer);
|
|
}
|
|
|
|
status = NtQueryInformationFile(handle,
|
|
&iosb,
|
|
fn,
|
|
sfn,
|
|
FileNameInformation);
|
|
|
|
testslop(fn,
|
|
sfn,
|
|
L"NtQueryInformationFile",
|
|
L"FileNameInformation");
|
|
|
|
if (NT_SUCCESS(status)) {
|
|
status = iosb.Status;
|
|
}
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
wprintf(L"NtQueryInformationFile for FileNameInformation failed %x\n",
|
|
status);
|
|
fn->FileNameLength = 0;
|
|
}
|
|
|
|
if (!devmap) {
|
|
free (fn);
|
|
free (on);
|
|
}
|
|
|
|
status = NtQueryVolumeInformationFile(handle,
|
|
&iosb,
|
|
&devinfo,
|
|
sizeof (devinfo),
|
|
FileFsDeviceInformation);
|
|
|
|
if (NT_SUCCESS(status)) {
|
|
status = iosb.Status;
|
|
}
|
|
|
|
if (!NT_SUCCESS(status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
wprintf(L"NtQueryVolumeInformationFile for FileFsDeviceInformation failed %x\n",
|
|
status);
|
|
|
|
if (devmap)
|
|
devmap->devtype = 0;
|
|
} else {
|
|
if (devmap)
|
|
devmap->devtype = devinfo.DeviceType;
|
|
// printf("Got the device number for a device!\n");
|
|
}
|
|
|
|
if (flags&FLAGS_DO_QUERY) {
|
|
//
|
|
// Do loads of different queries with different buffer lengths.
|
|
//
|
|
do_query_object(handle,
|
|
ObjectNameInformation,
|
|
sizeof (OBJECT_NAME_INFORMATION),
|
|
L"ObjectNameInformation",
|
|
path);
|
|
|
|
do_query_file(handle,
|
|
FileBasicInformation,
|
|
sizeof (FILE_BASIC_INFORMATION),
|
|
L"FileBasicInformation",
|
|
path);
|
|
|
|
do_query_file(handle,
|
|
FileStandardInformation,
|
|
sizeof (FILE_STANDARD_INFORMATION),
|
|
L"FileStandardInformation",
|
|
path);
|
|
|
|
do_query_file(handle,
|
|
FileInternalInformation,
|
|
sizeof (FILE_INTERNAL_INFORMATION),
|
|
L"FileInternalInformation",
|
|
path);
|
|
|
|
do_query_file(handle,
|
|
FileEaInformation,
|
|
sizeof (FILE_EA_INFORMATION),
|
|
L"FileEaInformation",
|
|
path);
|
|
|
|
do_query_file(handle,
|
|
FileAccessInformation,
|
|
sizeof (FILE_ACCESS_INFORMATION),
|
|
L"FileAccessInformation",
|
|
path);
|
|
|
|
do_query_file(handle,
|
|
FileNameInformation,
|
|
sizeof (FILE_NAME_INFORMATION) + 1024,
|
|
L"FileNameInformation",
|
|
path);
|
|
|
|
//
|
|
// We end up turning off alertable handle with this.
|
|
//
|
|
// do_query_file(handle,
|
|
// FileModeInformation,
|
|
// sizeof (FILE_MODE_INFORMATION),
|
|
// L"FileModeInformation",
|
|
// path);
|
|
|
|
do_query_file(handle,
|
|
FileAlignmentInformation,
|
|
sizeof (FILE_ALIGNMENT_INFORMATION),
|
|
L"FileAlignmentInformation",
|
|
path);
|
|
|
|
do_query_file(handle,
|
|
FileAllInformation,
|
|
sizeof (FILE_ALL_INFORMATION),
|
|
L"FileAllInformation",
|
|
path);
|
|
|
|
do_query_file(handle,
|
|
FileStreamInformation,
|
|
sizeof (FILE_STREAM_INFORMATION),
|
|
L"FileStreamInformation",
|
|
path);
|
|
|
|
do_query_file(handle,
|
|
FilePipeInformation,
|
|
sizeof (FILE_PIPE_INFORMATION),
|
|
L"FilePipeInformation",
|
|
path);
|
|
|
|
do_query_file(handle,
|
|
FilePipeLocalInformation,
|
|
sizeof (FILE_PIPE_LOCAL_INFORMATION),
|
|
L"FilePipeLocalInformation",
|
|
path);
|
|
|
|
do_query_file(handle,
|
|
FilePipeRemoteInformation,
|
|
sizeof (FILE_PIPE_REMOTE_INFORMATION),
|
|
L"FilePipeRemoteInformation",
|
|
path);
|
|
|
|
do_query_file(handle,
|
|
FileCompressionInformation,
|
|
sizeof (FILE_COMPRESSION_INFORMATION),
|
|
L"FileCompressionInformation",
|
|
path);
|
|
|
|
do_query_file(handle,
|
|
FileObjectIdInformation,
|
|
sizeof (FILE_OBJECTID_INFORMATION),
|
|
L"FileObjectIdInformation",
|
|
path);
|
|
|
|
do_query_file(handle,
|
|
FileMailslotQueryInformation,
|
|
sizeof (FILE_MAILSLOT_QUERY_INFORMATION),
|
|
L"FileMailslotQueryInformation",
|
|
path);
|
|
|
|
do_query_file(handle,
|
|
FileQuotaInformation,
|
|
sizeof (FILE_QUOTA_INFORMATION),
|
|
L"FileQuotaInformation",
|
|
path);
|
|
|
|
do_query_file(handle,
|
|
FileReparsePointInformation,
|
|
sizeof (FILE_REPARSE_POINT_INFORMATION),
|
|
L"FileReparsePointInformation",
|
|
path);
|
|
|
|
do_query_file(handle,
|
|
FileNetworkOpenInformation,
|
|
sizeof (FILE_NETWORK_OPEN_INFORMATION),
|
|
L"FileNetworkOpenInformation",
|
|
path);
|
|
|
|
do_query_file(handle,
|
|
FileAttributeTagInformation,
|
|
sizeof (FILE_ATTRIBUTE_TAG_INFORMATION),
|
|
L"FileAttributeTagInformation",
|
|
path);
|
|
|
|
do_set_file(handle,
|
|
FileBasicInformation,
|
|
sizeof (FILE_BASIC_INFORMATION),
|
|
L"FileBasicInformation",
|
|
path);
|
|
|
|
do_set_file(handle,
|
|
FileRenameInformation,
|
|
sizeof (FILE_RENAME_INFORMATION),
|
|
L"FileRenameInformation",
|
|
path);
|
|
|
|
do_set_file(handle,
|
|
FileLinkInformation,
|
|
sizeof (FILE_LINK_INFORMATION),
|
|
L"FileLinkInformation",
|
|
path);
|
|
|
|
do_set_file(handle,
|
|
FileDispositionInformation,
|
|
sizeof (FILE_DISPOSITION_INFORMATION),
|
|
L"FileDispositionInformation",
|
|
path);
|
|
|
|
do_set_file(handle,
|
|
FilePositionInformation,
|
|
sizeof (FILE_POSITION_INFORMATION),
|
|
L"FilePositionInformation",
|
|
path);
|
|
|
|
do_set_file(handle,
|
|
FileAllocationInformation,
|
|
sizeof (FILE_ALLOCATION_INFORMATION),
|
|
L"FileAllocationInformation",
|
|
path);
|
|
|
|
do_set_file(handle,
|
|
FileEndOfFileInformation,
|
|
sizeof (FILE_END_OF_FILE_INFORMATION),
|
|
L"FileEndOfFileInformation",
|
|
path);
|
|
|
|
do_set_file(handle,
|
|
FilePipeInformation,
|
|
sizeof (FILE_PIPE_INFORMATION),
|
|
L"FilePipeInformation",
|
|
path);
|
|
|
|
do_set_file(handle,
|
|
FilePipeRemoteInformation,
|
|
sizeof (FILE_PIPE_REMOTE_INFORMATION),
|
|
L"FilePipeRemoteInformation",
|
|
path);
|
|
|
|
do_set_file(handle,
|
|
FileMailslotSetInformation,
|
|
sizeof (FILE_MAILSLOT_SET_INFORMATION),
|
|
L"FileMailslotSetInformation",
|
|
path);
|
|
|
|
do_set_file(handle,
|
|
FileObjectIdInformation,
|
|
sizeof (FILE_OBJECTID_INFORMATION),
|
|
L"FileObjectIdInformation",
|
|
path);
|
|
|
|
do_set_file(handle,
|
|
FileMoveClusterInformation,
|
|
sizeof (FILE_MOVE_CLUSTER_INFORMATION),
|
|
L"FileMoveClusterInformation",
|
|
path);
|
|
|
|
do_set_file(handle,
|
|
FileQuotaInformation,
|
|
sizeof (FILE_QUOTA_INFORMATION),
|
|
L"FileQuotaInformation",
|
|
path);
|
|
|
|
do_set_file(handle,
|
|
FileTrackingInformation,
|
|
sizeof (FILE_TRACKING_INFORMATION),
|
|
L"FileTrackingInformation",
|
|
path);
|
|
|
|
do_set_file(handle,
|
|
FileValidDataLengthInformation,
|
|
sizeof (FILE_VALID_DATA_LENGTH_INFORMATION),
|
|
L"FileValidDataLengthInformation",
|
|
path);
|
|
|
|
do_set_file(handle,
|
|
FileShortNameInformation,
|
|
sizeof (FILE_NAME_INFORMATION) + 1024,
|
|
L"FileShortNameInformation",
|
|
path);
|
|
|
|
do_query_volume(handle,
|
|
FileFsVolumeInformation,
|
|
sizeof( FILE_FS_VOLUME_INFORMATION ) + 1024,
|
|
L"FileFsVolumeInformation",
|
|
path);
|
|
|
|
do_query_volume(handle,
|
|
FileFsSizeInformation,
|
|
sizeof( FILE_FS_SIZE_INFORMATION ),
|
|
L"FileFsSizeInformation",
|
|
path);
|
|
|
|
do_query_volume(handle,
|
|
FileFsDeviceInformation,
|
|
sizeof( FILE_FS_DEVICE_INFORMATION ) + 1024,
|
|
L"FileFsDeviceInformation",
|
|
path);
|
|
|
|
do_query_volume(handle,
|
|
FileFsAttributeInformation,
|
|
sizeof( FILE_FS_ATTRIBUTE_INFORMATION ),
|
|
L"FileFsAttributeInformation",
|
|
path);
|
|
|
|
do_query_volume(handle,
|
|
FileFsControlInformation,
|
|
sizeof( FILE_FS_CONTROL_INFORMATION ),
|
|
L"FileFsControlInformation",
|
|
path);
|
|
|
|
do_query_volume(handle,
|
|
FileFsFullSizeInformation,
|
|
sizeof( FILE_FS_SIZE_INFORMATION ),
|
|
L"FileFsFullSizeInformation",
|
|
path);
|
|
|
|
do_query_volume(handle,
|
|
FileFsObjectIdInformation,
|
|
sizeof( FILE_FS_OBJECTID_INFORMATION ) + 1024,
|
|
L"FileFsObjectIdInformation",
|
|
path);
|
|
|
|
do_query_volume(handle,
|
|
FileFsDriverPathInformation,
|
|
sizeof( FILE_FS_DRIVER_PATH_INFORMATION ) + 1024,
|
|
L"FileFsDriverPathInformation",
|
|
path);
|
|
|
|
do_set_volume(handle,
|
|
FileFsObjectIdInformation,
|
|
sizeof( FILE_FS_OBJECTID_INFORMATION ) + 1024,
|
|
L"FileFsObjectIdInformation",
|
|
path);
|
|
|
|
do_set_volume(handle,
|
|
FileFsControlInformation,
|
|
sizeof( FILE_FS_CONTROL_INFORMATION ) + 1024,
|
|
L"FileFsControlInformation",
|
|
path);
|
|
|
|
do_set_volume(handle,
|
|
FileFsLabelInformation,
|
|
sizeof( FILE_FS_LABEL_INFORMATION ) + 1024,
|
|
L"FileFsLabelInformation",
|
|
path);
|
|
}
|
|
|
|
if (flags&FLAGS_DO_SECURITY) {
|
|
do_query_security(handle,
|
|
0,
|
|
1024,
|
|
L"NONE",
|
|
path);
|
|
|
|
do_query_security(handle,
|
|
OWNER_SECURITY_INFORMATION,
|
|
1024,
|
|
L"OWNER_SECURITY_INFORMATION",
|
|
path);
|
|
|
|
do_query_security(handle,
|
|
GROUP_SECURITY_INFORMATION,
|
|
1024,
|
|
L"GROUP_SECURITY_INFORMATION",
|
|
path);
|
|
|
|
do_query_security(handle,
|
|
DACL_SECURITY_INFORMATION,
|
|
1024,
|
|
L"DACL_SECURITY_INFORMATION",
|
|
path);
|
|
|
|
do_query_security(handle,
|
|
SACL_SECURITY_INFORMATION,
|
|
1024,
|
|
L"SACL_SECURITY_INFORMATION",
|
|
path);
|
|
|
|
do_set_security(handle,
|
|
0,
|
|
1024,
|
|
L"NONE",
|
|
path);
|
|
|
|
do_set_security(handle,
|
|
OWNER_SECURITY_INFORMATION,
|
|
1024,
|
|
L"OWNER_SECURITY_INFORMATION",
|
|
path);
|
|
|
|
do_set_security(handle,
|
|
GROUP_SECURITY_INFORMATION,
|
|
1024,
|
|
L"GROUP_SECURITY_INFORMATION",
|
|
path);
|
|
|
|
do_set_security(handle,
|
|
DACL_SECURITY_INFORMATION,
|
|
1024,
|
|
L"DACL_SECURITY_INFORMATION",
|
|
path);
|
|
|
|
do_set_security(handle,
|
|
SACL_SECURITY_INFORMATION,
|
|
1024,
|
|
L"SACL_SECURITY_INFORMATION",
|
|
path);
|
|
}
|
|
return status;
|
|
}
|
|
|
|
/*
|
|
Do the fast queries on the open path
|
|
*/
|
|
NTSTATUS
|
|
try_fast_query_delete_etc(
|
|
POBJECT_ATTRIBUTES poa,
|
|
PWCHAR path,
|
|
PWCHAR type)
|
|
{
|
|
PVOID fi = NULL;
|
|
NTSTATUS status;
|
|
ULONG ret;
|
|
|
|
if (!(flags&FLAGS_DO_MISC))
|
|
return 0;
|
|
|
|
status = STATUS_SUCCESS;
|
|
if (!crashes (path, L"NtQueryAttributesFile", type, L"", L"")) {
|
|
ret = 0;
|
|
do {
|
|
fi = reallocslop(fi,
|
|
sizeof (FILE_BASIC_INFORMATION));
|
|
status = NtQueryAttributesFile (poa, fi);
|
|
if (!NT_SUCCESS (status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf ("NtQueryAttributesFile failed %x\n", status);
|
|
}
|
|
testslop(fi,
|
|
sizeof (FILE_BASIC_INFORMATION), L"NtQueryAttributesFile", L"");
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
}
|
|
|
|
if (!crashes (path, L"NtQueryFullAttributesFile", type, L"", L"")) {
|
|
ret = 0;
|
|
do {
|
|
fi = reallocslop(fi,
|
|
sizeof (FILE_NETWORK_OPEN_INFORMATION));
|
|
status = NtQueryFullAttributesFile (poa, fi);
|
|
if (!NT_SUCCESS (status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf ("NtQueryFullAttributesFile failed %x\n", status);
|
|
}
|
|
testslop(fi,
|
|
sizeof (FILE_NETWORK_OPEN_INFORMATION), L"NtQueryFULLAttributesFile", L"");
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
}
|
|
|
|
|
|
if (!crashes (path, L"NtDeleteFile", type, L"", L"")) {
|
|
ret = 0;
|
|
do {
|
|
status = NtDeleteFile(poa);
|
|
if (!NT_SUCCESS (status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf ("NtDeleteFile failed %x\n", status);
|
|
}
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
}
|
|
free (fi);
|
|
return status;
|
|
}
|
|
|
|
/*
|
|
Do a whole bunch of random things
|
|
*/
|
|
NTSTATUS misc_functions(
|
|
HANDLE handle,
|
|
PWCHAR path,
|
|
ULONG sync
|
|
)
|
|
{
|
|
IO_STATUS_BLOCK iosb;
|
|
NTSTATUS status;
|
|
PVOID buf;
|
|
ULONG bufl;
|
|
LONG i;
|
|
HANDLE sectionhandle;
|
|
LARGE_INTEGER bo, bl;
|
|
ULONG ret, managed_read, managed_write;
|
|
|
|
if (!(flags&FLAGS_DO_MISC))
|
|
return STATUS_SUCCESS;
|
|
|
|
buf = malloc (bufl = 1024);
|
|
if (buf == 0) {
|
|
printf ("Failed to allocate buffer!\n");
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
|
|
managed_read = 0;
|
|
if (!sync) {
|
|
if (!crashes (path, L"NtReadFile", L"", L"", L"")) {
|
|
for (i = bufl; i >= 0; i--) {
|
|
ret = 0;
|
|
do {
|
|
progress_counter++;
|
|
bo.QuadPart = 0;
|
|
status = NtReadFile (handle, NULL, NULL, NULL, &iosb, buf, i,
|
|
&bo, NULL);
|
|
if (NT_SUCCESS (status)) {
|
|
status = iosb.Status;
|
|
managed_read = 1;
|
|
}
|
|
if (!NT_SUCCESS (status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf ("NtReadFile failed %x\n", status);
|
|
}
|
|
progress_counter++;
|
|
bo.QuadPart = 0x7FFFFFFFFFFFFFFF - i + 1;
|
|
status = NtReadFile (handle, NULL, NULL, NULL, &iosb, buf, i,
|
|
&bo, NULL);
|
|
if (NT_SUCCESS (status))
|
|
status = iosb.Status;
|
|
if (!NT_SUCCESS (status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf ("NtReadFile failed %x\n", status);
|
|
}
|
|
NtCancelIoFile (handle, &iosb);
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
}
|
|
}
|
|
|
|
if (managed_read) {
|
|
printf ("Managed to read from the device\n");
|
|
if (diag_file) {
|
|
fwprintf (diag_file, L"Managed to read from device %s\r\n", path);
|
|
}
|
|
}
|
|
|
|
managed_write = 0;
|
|
if (!crashes (path, L"NtWriteFile", L"", L"", L"")) {
|
|
for (i = bufl; i >= 0; i--) {
|
|
ret = 0;
|
|
do {
|
|
progress_counter++;
|
|
bo.QuadPart = 0;
|
|
status = NtWriteFile (handle, NULL, NULL, NULL, &iosb, buf, i,
|
|
&bo, NULL);
|
|
if (NT_SUCCESS (status)) {
|
|
status = iosb.Status;
|
|
managed_write = 0;
|
|
}
|
|
if (!NT_SUCCESS (status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf ("NtWriteFile failed %x\n", status);
|
|
}
|
|
/*
|
|
Wrap to negative call
|
|
*/
|
|
progress_counter++;
|
|
bo.QuadPart = 0x7FFFFFFFFFFFFFFF - i + 1;
|
|
status = NtWriteFile (handle, NULL, NULL, NULL, &iosb, buf, i,
|
|
&bo, NULL);
|
|
if (NT_SUCCESS (status))
|
|
status = iosb.Status;
|
|
if (!NT_SUCCESS (status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf ("NtWriteFile failed %x\n", status);
|
|
}
|
|
/*
|
|
Do an append call.
|
|
*/
|
|
progress_counter++;
|
|
bo.QuadPart = -1;
|
|
status = NtWriteFile (handle, NULL, NULL, NULL, &iosb, buf, i,
|
|
&bo, NULL);
|
|
if (NT_SUCCESS (status))
|
|
status = iosb.Status;
|
|
if (!NT_SUCCESS (status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf ("NtWriteFile failed %x\n", status);
|
|
}
|
|
NtCancelIoFile (handle, &iosb);
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
}
|
|
}
|
|
if (managed_write) {
|
|
printf ("Managed to write to the device\n");
|
|
if (diag_file) {
|
|
fwprintf (diag_file, L"Managed to write to the device %s\r\n", path);
|
|
}
|
|
}
|
|
}
|
|
|
|
if (!crashes (path, L"NtCancelIoFile", L"", L"", L"")) {
|
|
ret = 0;
|
|
do {
|
|
status = NtCancelIoFile (handle, &iosb);
|
|
if (NT_SUCCESS (status))
|
|
status = iosb.Status;
|
|
if (!NT_SUCCESS (status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf ("NtCancelIoFile failed %x\n", status);
|
|
}
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
}
|
|
|
|
if (!crashes (path, L"NtFlushBuffersFile", L"", L"", L"")) {
|
|
ret = 0;
|
|
do {
|
|
progress_counter++;
|
|
status = NtFlushBuffersFile (handle, &iosb);
|
|
if (NT_SUCCESS (status))
|
|
status = iosb.Status;
|
|
if (!NT_SUCCESS (status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf ("NtFlushBuffersFile failed %x\n", status);
|
|
}
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
}
|
|
if (!crashes (path, L"NtQueryDirectoryFile", L"FileNamesInformation", L"", L"")) {
|
|
ULONG first = 1, j, datalen, l;
|
|
WCHAR bufn[1024];
|
|
PFILE_NAMES_INFORMATION tfni;
|
|
|
|
for (i = bufl; i >= 0; i--) {
|
|
ret = 0;
|
|
do {
|
|
progress_counter++;
|
|
status = NtQueryDirectoryFile (handle, NULL, NULL, NULL, &iosb, buf, i,
|
|
FileNamesInformation, FALSE, NULL, TRUE);
|
|
if (!NT_SUCCESS (status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf ("NtQueryDirectoryFile failed for type FileNamesInformation %x\n",
|
|
status);
|
|
} else if (first && status != STATUS_PENDING) {
|
|
first = 0;
|
|
datalen = (ULONG) iosb.Information;
|
|
for (j = 0; j < datalen; j += tfni->NextEntryOffset) {
|
|
tfni = (PFILE_NAMES_INFORMATION)((PCHAR)buf + j);
|
|
memset (bufn, 0, sizeof (bufn));
|
|
l = tfni->FileNameLength / sizeof (WCHAR);
|
|
if (l >= sizeof (bufn) / sizeof (bufn[0]))
|
|
l = sizeof (bufn) / sizeof (bufn[0]) - 1;
|
|
wcsncpy (bufn, tfni->FileName, l);
|
|
wprintf (L"-> %s\n", bufn);
|
|
if (tfni->NextEntryOffset == 0)
|
|
break;
|
|
}
|
|
}
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
}
|
|
}
|
|
if (!crashes (path, L"NtQueryDirectoryFile", L"FileDirectoryInformation", L"", L"")) {
|
|
for (i = bufl; i >= 0; i--) {
|
|
ret = 0;
|
|
do {
|
|
progress_counter++;
|
|
status = NtQueryDirectoryFile (handle, NULL, NULL, NULL, &iosb, buf, i,
|
|
FileDirectoryInformation, FALSE, NULL, TRUE);
|
|
if (NT_SUCCESS (status))
|
|
status = iosb.Status;
|
|
if (!NT_SUCCESS (status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf ("NtQueryDirectoryFile failed for type FileDirectoryInformation %x\n", status);
|
|
}
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
}
|
|
}
|
|
if (!crashes (path, L"NtQueryDirectoryFile", L"FileFullDirectoryInformation", L"", L"")) {
|
|
for (i = bufl; i >= 0; i--) {
|
|
ret = 0;
|
|
do {
|
|
progress_counter++;
|
|
status = NtQueryDirectoryFile (handle, NULL, NULL, NULL, &iosb, buf, i,
|
|
FileFullDirectoryInformation, FALSE, NULL, TRUE);
|
|
if (NT_SUCCESS (status))
|
|
status = iosb.Status;
|
|
if (!NT_SUCCESS (status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf ("NtQueryDirectoryFile failed for type FileFullDirectoryInformation %x\n", status);
|
|
}
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
}
|
|
}
|
|
|
|
if (!crashes (path, L"NtQueryDirectoryFile", L"FileBothDirectoryInformation", L"", L"")) {
|
|
for (i = bufl; i >= 0; i--) {
|
|
ret = 0;
|
|
do {
|
|
progress_counter++;
|
|
status = NtQueryDirectoryFile (handle, NULL, NULL, NULL, &iosb, buf, i,
|
|
FileBothDirectoryInformation, FALSE, NULL, TRUE);
|
|
if (NT_SUCCESS (status))
|
|
status = iosb.Status;
|
|
if (!NT_SUCCESS (status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf ("NtQueryDirectoryFile failed for type FileBothDirectoryInformation %x\n", status);
|
|
}
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
}
|
|
}
|
|
|
|
if (!crashes (path, L"NtQueryDirectoryFile", L"FileObjectIdInformation", L"", L"")) {
|
|
for (i = bufl; i >= 0; i--) {
|
|
ret = 0;
|
|
do {
|
|
progress_counter++;
|
|
status = NtQueryDirectoryFile (handle, NULL, NULL, NULL, &iosb, buf, i,
|
|
FileObjectIdInformation, FALSE, NULL, TRUE);
|
|
if (NT_SUCCESS (status))
|
|
status = iosb.Status;
|
|
if (!NT_SUCCESS (status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf ("NtQueryDirectoryFile failed for type FileObjectIdInformation %x\n", status);
|
|
}
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
}
|
|
}
|
|
|
|
if (!crashes (path, L"NtQueryDirectoryFile", L"FileQuotaInformation", L"", L"")) {
|
|
for (i = bufl; i >= 0; i--) {
|
|
ret = 0;
|
|
do {
|
|
progress_counter++;
|
|
status = NtQueryDirectoryFile (handle, NULL, NULL, NULL, &iosb, buf, i,
|
|
FileQuotaInformation, FALSE, NULL, TRUE);
|
|
if (NT_SUCCESS (status))
|
|
status = iosb.Status;
|
|
if (!NT_SUCCESS (status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf ("NtQueryDirectoryFile failed for type FileQuotaInformation %x\n", status);
|
|
}
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
}
|
|
}
|
|
|
|
if (!crashes (path, L"NtQueryDirectoryFile", L"FileReparsePointInformation", L"", L"")) {
|
|
for (i = bufl; i >= 0; i--) {
|
|
ret = 0;
|
|
do {
|
|
progress_counter++;
|
|
status = NtQueryDirectoryFile (handle, NULL, NULL, NULL, &iosb, buf, i,
|
|
FileReparsePointInformation, FALSE, NULL, TRUE);
|
|
if (NT_SUCCESS (status))
|
|
status = iosb.Status;
|
|
if (!NT_SUCCESS (status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf ("NtQueryDirectoryFile failed for type FileReparsePointInformation %x\n", status);
|
|
}
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
}
|
|
}
|
|
|
|
if (!crashes (path, L"NtVdmContol", L"VdmQueryDir", L"", L"")) {
|
|
VDMQUERYDIRINFO vqdi;
|
|
UNICODE_STRING name;
|
|
|
|
memset (&vqdi, 0, sizeof (vqdi));
|
|
RtlInitUnicodeString (&name, L"*");
|
|
for (i = bufl; i >= 0; i--) {
|
|
ret = 0;
|
|
do {
|
|
progress_counter++;
|
|
vqdi.FileHandle = handle;
|
|
vqdi.FileInformation = buf;
|
|
vqdi.Length = bufl;
|
|
vqdi.FileName = &name;
|
|
|
|
status = NtVdmControl(VdmQueryDir, &vqdi);
|
|
if (!NT_SUCCESS (status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf ("NtVdmControl failed for type VdmQueryDir %x\n", status);
|
|
}
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
}
|
|
}
|
|
|
|
if (!sync) {
|
|
if (!crashes (path, L"NtNotifyChangeDirectoryFile", L"", L"", L"")) {
|
|
for (i = bufl; i >= 0; i--) {
|
|
ret = 0;
|
|
do {
|
|
progress_counter++;
|
|
status = NtNotifyChangeDirectoryFile (handle,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
&iosb,
|
|
buf,
|
|
i,
|
|
FILE_NOTIFY_CHANGE_FILE_NAME,
|
|
FALSE);
|
|
if (NT_SUCCESS (status))
|
|
status = iosb.Status;
|
|
if (!NT_SUCCESS (status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf ("NtNotifyChangeDirectoryFile failed %x\n", status);
|
|
}
|
|
NtCancelIoFile (handle, &iosb);
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
}
|
|
}
|
|
}
|
|
|
|
/*
|
|
Query the EA info
|
|
*/
|
|
do_query_ea (handle, path);
|
|
|
|
if (!crashes (path, L"NtCreateSection", L"", L"", L"")) {
|
|
ret = 0;
|
|
do {
|
|
status = NtCreateSection (§ionhandle, GENERIC_READ,
|
|
NULL, NULL, PAGE_READONLY, SEC_COMMIT, handle);
|
|
if (NT_SUCCESS (status)) {
|
|
printf ("Created a section!\n");
|
|
status = NtClose (sectionhandle);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtClose on section handle failed %x\n", status);
|
|
}
|
|
} else if (flags&FLAGS_DO_ERRORS){
|
|
printf ("NtCreateSection failed %x\n", status);
|
|
}
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
ret = 0;
|
|
do {
|
|
status = NtCreateSection (§ionhandle, GENERIC_READ,
|
|
NULL, NULL, PAGE_READONLY, SEC_IMAGE, handle);
|
|
if (NT_SUCCESS (status)) {
|
|
printf ("Created a section!\n");
|
|
status = NtClose (sectionhandle);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtClose on section handle failed %x\n", status);
|
|
}
|
|
} else if (flags&FLAGS_DO_ERRORS){
|
|
printf ("NtCreateSection failed for image %x\n", status);
|
|
}
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
}
|
|
|
|
if (!crashes (path, L"NtLockFile", L"", L"", L"")) {
|
|
ret = 0;
|
|
do {
|
|
progress_counter++;
|
|
bl.QuadPart = 1;
|
|
bo.QuadPart = 1;
|
|
status = NtLockFile (handle, NULL, NULL, NULL, &iosb, &bo, &bl, 0, TRUE, FALSE);
|
|
if (NT_SUCCESS (status) && status != STATUS_PENDING) {
|
|
NtUnlockFile (handle, &iosb, &bo, &bl, 0);
|
|
}
|
|
if (!NT_SUCCESS (status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf ("NtLockFile failed %x\n", status);
|
|
}
|
|
NtCancelIoFile (handle, &iosb);
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
}
|
|
if (!crashes (path, L"NtUnlockFile", L"", L"", L"")) {
|
|
ret = 0;
|
|
do {
|
|
progress_counter++;
|
|
status = NtUnlockFile (handle, &iosb, &bo, &bl, 0);
|
|
if (NT_SUCCESS (status))
|
|
status = iosb.Status;
|
|
if (!NT_SUCCESS (status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf ("NtUnlockFile failed %x\n", status);
|
|
}
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
}
|
|
if (!crashes (path, L"NtQueryQuotaInformationFile", L"", L"", L"")) {
|
|
for (i = bufl; i >= 0; i--) {
|
|
ret = 0;
|
|
do {
|
|
progress_counter++;
|
|
status = NtQueryQuotaInformationFile(handle, &iosb, buf, i, FALSE, NULL, 0,
|
|
NULL, TRUE);
|
|
if (NT_SUCCESS (status))
|
|
status = iosb.Status;
|
|
if (!NT_SUCCESS (status)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf ("NtQueryQuotaInformationFile failed %x\n", status);
|
|
}
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
}
|
|
}
|
|
if (flags&FLAGS_DO_WINSOCK) {
|
|
if (!crashes (path, L"TransmitFile", L"", L"", L"")) {
|
|
progress_counter++;
|
|
if (!TransmitFile (cs, handle, 10, 0, NULL, NULL, TF_WRITE_BEHIND)) {
|
|
if (flags&FLAGS_DO_ERRORS)
|
|
printf ("TransmitFile failed %d\n", WSAGetLastError ());
|
|
}
|
|
}
|
|
}
|
|
NtCancelIoFile (devmap->handle, &iosb);
|
|
free (buf);
|
|
return status;
|
|
}
|
|
|
|
/*
|
|
Get the access mask for this handle
|
|
*/
|
|
NTSTATUS
|
|
get_handle_access (HANDLE handle, PACCESS_MASK access)
|
|
{
|
|
NTSTATUS status;
|
|
OBJECT_BASIC_INFORMATION obi;
|
|
//
|
|
// Find out our handle access so we can know what IOCTLs and FSCTLs we can do.
|
|
//
|
|
status = NtQueryObject (handle,
|
|
ObjectBasicInformation,
|
|
&obi,
|
|
sizeof (obi),
|
|
NULL);
|
|
if (NT_SUCCESS (status)) {
|
|
*access = obi.GrantedAccess;
|
|
} else {
|
|
printf ("NtQueryObject for handle access failed %x\n", status);
|
|
*access = 0;
|
|
}
|
|
return status;
|
|
}
|
|
|
|
NTSTATUS check_tdi_handle (HANDLE handle)
|
|
{
|
|
NTSTATUS status;
|
|
IO_STATUS_BLOCK iosb;
|
|
TDI_REQUEST_QUERY_INFORMATION trqi;
|
|
TDI_PROVIDER_INFO tpi;
|
|
|
|
trqi.QueryType = TDI_QUERY_PROVIDER_INFORMATION;
|
|
status = NtDeviceIoControlFile (handle, sync_event, NULL, NULL,
|
|
&iosb,
|
|
IOCTL_TDI_QUERY_INFORMATION,
|
|
&trqi,
|
|
sizeof (trqi),
|
|
&tpi,
|
|
sizeof (tpi));
|
|
if (status == STATUS_PENDING) {
|
|
status = NtWaitForSingleObject (sync_event, FALSE, NULL);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtWaitForSingleObject failed %x\n", status);
|
|
} else {
|
|
status = iosb.Status;
|
|
}
|
|
}
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtDeviceIoControlFile failed for IOCTL_TDI_QUERY_INFORMATION %x\n", status);
|
|
return status;
|
|
}
|
|
printf ("Detected a TDI driver\n");
|
|
return status;
|
|
}
|
|
//
|
|
// Do a load of opens etc relative from the current handle
|
|
//
|
|
NTSTATUS
|
|
do_sub_open_etc(
|
|
HANDLE handle,
|
|
PWCHAR s,
|
|
PWCHAR path
|
|
)
|
|
{
|
|
OBJECT_ATTRIBUTES oa;
|
|
UNICODE_STRING name;
|
|
NTSTATUS status;
|
|
IO_STATUS_BLOCK iosb;
|
|
ACCESS_MASK access;
|
|
LARGE_INTEGER tmo;
|
|
PWCHAR as;
|
|
|
|
if (wcslen (s) > 30) {
|
|
as = L"Big...";
|
|
} else {
|
|
as = s;
|
|
}
|
|
|
|
if (crashes (path, L"Sub open", as, L"", L""))
|
|
return STATUS_SUCCESS;
|
|
|
|
wprintf (L"Doing sub open for %s\n", as);
|
|
RtlInitUnicodeString (&name, s);
|
|
InitializeObjectAttributes(&oa,
|
|
&name,
|
|
OBJ_CASE_INSENSITIVE,
|
|
handle,
|
|
NULL);
|
|
status = NtCreateFile(&handle,
|
|
MAXIMUM_ALLOWED,
|
|
&oa,
|
|
&iosb,
|
|
NULL,
|
|
0,
|
|
0,
|
|
FILE_OPEN,
|
|
0,
|
|
NULL,
|
|
0);
|
|
if (NT_SUCCESS (status))
|
|
status = iosb.Status;
|
|
if (NT_SUCCESS (status)) {
|
|
status = get_handle_access (handle, &access);
|
|
wprintf (L"Sub open for %s worked with access %x\n", as, access);
|
|
if (DELETE&access) {
|
|
printf ("Got delete access to device\n");
|
|
if (diag_file) {
|
|
fwprintf (diag_file, L"Got DELETE access to %s\r\n", path);
|
|
}
|
|
}
|
|
if (WRITE_DAC&access) {
|
|
printf ("Got write_dac access to device\n");
|
|
if (diag_file) {
|
|
fwprintf (diag_file, L"Got WRITE_DAC access to %s\r\n", path);
|
|
}
|
|
}
|
|
if (WRITE_OWNER&access) {
|
|
printf ("Got write_owner access to device\n");
|
|
if (diag_file) {
|
|
fwprintf (diag_file, L"Got WRITE_OWNER access to %s\r\n", path);
|
|
}
|
|
}
|
|
if (FILE_WRITE_ACCESS&access) {
|
|
printf ("Got write access to device\n");
|
|
if (diag_file) {
|
|
fwprintf (diag_file, L"Got FILE_WRITE_ACCESS access to %s\r\n", path);
|
|
}
|
|
}
|
|
if (FILE_READ_ACCESS&access) {
|
|
printf ("Got read access to device\n");
|
|
if (diag_file) {
|
|
fwprintf (diag_file, L"Got FILE_READ_ACCESS access to %s\r\n", path);
|
|
}
|
|
}
|
|
query_object(handle, NULL, path);
|
|
misc_functions (handle, path, 0);
|
|
status = NtClose (handle);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtClose failed %x\n", status);
|
|
}
|
|
} else {
|
|
printf ("NtCreateFile failed %x\n", status);
|
|
}
|
|
if (crashes (path, L"Sub create pipe", as, L"", L""))
|
|
return STATUS_SUCCESS;
|
|
|
|
tmo.QuadPart = 1000;
|
|
status = NtCreateNamedPipeFile (&handle,
|
|
MAXIMUM_ALLOWED,
|
|
&oa,
|
|
&iosb,
|
|
FILE_SHARE_READ|FILE_SHARE_WRITE,
|
|
FILE_CREATE,
|
|
0,
|
|
FILE_PIPE_MESSAGE_TYPE,
|
|
FILE_PIPE_MESSAGE_MODE,
|
|
FILE_PIPE_COMPLETE_OPERATION,
|
|
10,
|
|
1000, 1000,
|
|
&tmo);
|
|
if (NT_SUCCESS (status))
|
|
status = iosb.Status;
|
|
if (NT_SUCCESS (status)) {
|
|
status = get_handle_access (handle, &access);
|
|
wprintf (L"Sub create pipe for %s worked with access %x\n", as, access);
|
|
if (DELETE&access) {
|
|
printf ("Got delete access to device\n");
|
|
}
|
|
if (WRITE_DAC&access) {
|
|
printf ("Got write_dac access to device\n");
|
|
}
|
|
if (WRITE_OWNER&access) {
|
|
printf ("Got write_owner access to device\n");
|
|
}
|
|
query_object(handle, NULL, path);
|
|
misc_functions (handle, path, 0);
|
|
status = NtClose (handle);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtClose failed %x\n", status);
|
|
}
|
|
} else {
|
|
printf ("NtCreateNamedPipeFile failed %x\n", status);
|
|
}
|
|
if (crashes (path, L"Sub create mailslot", as, L"", L""))
|
|
return STATUS_SUCCESS;
|
|
|
|
tmo.QuadPart = 1000;
|
|
status = NtCreateMailslotFile (&handle,
|
|
MAXIMUM_ALLOWED,
|
|
&oa,
|
|
&iosb,
|
|
0,
|
|
1024,
|
|
256,
|
|
&tmo);
|
|
if (NT_SUCCESS (status)) {
|
|
status = get_handle_access (handle, &access);
|
|
wprintf (L"Sub create mailslot for %s worked with access %x\n", as, access);
|
|
if (DELETE&access) {
|
|
printf ("Got delete access to device\n");
|
|
}
|
|
if (WRITE_DAC&access) {
|
|
printf ("Got write_dac access to device\n");
|
|
}
|
|
if (WRITE_OWNER&access) {
|
|
printf ("Got write_owner access to device\n");
|
|
}
|
|
query_object(handle, NULL, path);
|
|
misc_functions (handle, path, 0);
|
|
status = NtClose (handle);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtClose failed %x\n", status);
|
|
}
|
|
} else {
|
|
printf ("NtCreateMailslotFile failed %x\n", status);
|
|
}
|
|
|
|
try_fast_query_delete_etc (&oa, path, L"Sub open");
|
|
return status;
|
|
}
|
|
//
|
|
// Try a few opens relative to the device its self.
|
|
//
|
|
NTSTATUS
|
|
try_funny_opens(
|
|
HANDLE handle,
|
|
PWCHAR path
|
|
)
|
|
{
|
|
ULONG ret, i;
|
|
static PWCHAR big=NULL;
|
|
static ULONG bigl;
|
|
|
|
if (!(flags&FLAGS_DO_SUBOPENS))
|
|
return 0;
|
|
|
|
if (big == NULL) {
|
|
big = malloc (bigl = 0x10000);
|
|
if (big == NULL) {
|
|
printf ("Memory allocation failure in try_funny_opens!\n");
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
bigl /= sizeof (big[0]);
|
|
for (i = 0; i < bigl; i++)
|
|
big[i] = 'A';
|
|
big[bigl - 3] = '\0';
|
|
}
|
|
ret = 0;
|
|
do {
|
|
do_sub_open_etc (handle, L"", path);
|
|
do_sub_open_etc (handle, L" ", path);
|
|
do_sub_open_etc (handle, L"\\", path);
|
|
do_sub_open_etc (handle, L"\\\\\\\\\\\\", path);
|
|
do_sub_open_etc (handle, big, path);
|
|
if (flags&FLAGS_DO_STREAMS) {
|
|
do_sub_open_etc (handle, L":", path);
|
|
do_sub_open_etc (handle, L" :", path);
|
|
do_sub_open_etc (handle, L": ", path);
|
|
do_sub_open_etc (handle, L": ", path);
|
|
do_sub_open_etc (handle, L"::", path);
|
|
do_sub_open_etc (handle, L": :", path);
|
|
do_sub_open_etc (handle, L"::$UNUSED", path);
|
|
do_sub_open_etc (handle, L"::$STANDARD_INFORMATION", path);
|
|
do_sub_open_etc (handle, L"::$ATTRIBUTE_LIST", path);
|
|
do_sub_open_etc (handle, L"::$FILE_NAME", path);
|
|
do_sub_open_etc (handle, L"::$OBJECT_ID", path);
|
|
do_sub_open_etc (handle, L"::$SECURITY_DESCRIPTOR", path);
|
|
do_sub_open_etc (handle, L"::$VOLUME_NAME", path);
|
|
do_sub_open_etc (handle, L"::$VOLUME_INFORMATION", path);
|
|
do_sub_open_etc (handle, L"::$DATA", path);
|
|
do_sub_open_etc (handle, L"::$INDEX_ROOT", path);
|
|
do_sub_open_etc (handle, L"::$INDEX_ALLOCATION", path);
|
|
do_sub_open_etc (handle, L"::$BITMAP", path);
|
|
do_sub_open_etc (handle, L"::$REPARSE_POINT", path);
|
|
do_sub_open_etc (handle, L"::$EA_INFORMATION", path);
|
|
do_sub_open_etc (handle, L"::$PROPERTY_SET", path);
|
|
do_sub_open_etc (handle, L"::$FIRST_USER_DEFINED_ATTRIBUTE", path);
|
|
do_sub_open_etc (handle, L"::$END", path);
|
|
}
|
|
} while (print_diags (0, ret++) && ret < MAX_RET);
|
|
return 0;
|
|
}
|
|
|
|
VOID
|
|
randomize_buf(
|
|
PVOID buf,
|
|
ULONG bufl
|
|
)
|
|
{
|
|
ULONG i;
|
|
PUCHAR pc = buf;
|
|
|
|
for (i = 0; i < bufl; i++) {
|
|
pc[i] = rand() & 0xff;
|
|
}
|
|
}
|
|
|
|
/*
|
|
Thread used to randomize buffers
|
|
*/
|
|
DWORD WINAPI
|
|
randomize(
|
|
PVOID buf
|
|
)
|
|
{
|
|
ULONG i;
|
|
PUCHAR pc = buf;
|
|
|
|
while (1) {
|
|
try {
|
|
for (i = 0; i < BIGBUF_SIZE; i++) {
|
|
pc[i] = rand() & 0xff;
|
|
}
|
|
} except (EXCEPTION_EXECUTE_HANDLER) {
|
|
}
|
|
Sleep (0);
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
|
|
// changeprot and alerter won't return and we do not need to be
|
|
// told this by the compiler
|
|
#pragma warning(disable:4715)
|
|
|
|
DWORD WINAPI
|
|
changeprot(
|
|
PVOID buf
|
|
)
|
|
{
|
|
DWORD old;
|
|
|
|
while (1) {
|
|
if (!VirtualProtect (buf, 1, PAGE_READONLY, &old)) {
|
|
printf ("VirtualProtect failed %d\n", GetLastError ());
|
|
}
|
|
Sleep (1);
|
|
if (!VirtualProtect (buf, 1, PAGE_NOACCESS, &old)) {
|
|
printf ("VirtualProtect failed %d\n", GetLastError ());
|
|
}
|
|
Sleep (1);
|
|
if (!VirtualProtect (buf, 1, PAGE_GUARD|PAGE_READONLY, &old)) {
|
|
printf ("VirtualProtect failed %d\n", GetLastError ());
|
|
}
|
|
Sleep (1);
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
Thread used to alert the main
|
|
*/
|
|
DWORD WINAPI
|
|
alerter(
|
|
PVOID handle
|
|
)
|
|
{
|
|
NTSTATUS status;
|
|
ULONG last = progress_counter, count;
|
|
|
|
//
|
|
// Do a nasty hack to keep the main thread moving if it gets stuck in a sync IOCTL
|
|
//
|
|
while (1) {
|
|
if (flags&FLAGS_DO_ALERT) {
|
|
Sleep (0);
|
|
} else {
|
|
last = progress_counter;
|
|
Sleep (60000);
|
|
if (progress_counter == 0 || progress_counter != last) {
|
|
continue;
|
|
}
|
|
printf ("Alerting thread\n");
|
|
}
|
|
// status = NtAlertResumeThread ((HANDLE) handle, &count);
|
|
// if (!NT_SUCCESS (status)) {
|
|
// printf ("NtAlertResumeThread failed %x\n", status);
|
|
// }
|
|
status = NtAlertThread ((HANDLE) handle);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtAlertThread failed %x\n", status);
|
|
}
|
|
alerted++;
|
|
if (alerted > 10) {
|
|
if (diag_file) {
|
|
fwprintf (diag_file, L"Main thread appears hung. Teminating process\r\n");
|
|
fflush (diag_file);
|
|
NtTerminateProcess (NtCurrentProcess (), 0);
|
|
}
|
|
}
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
#pragma warning(3:4715)
|
|
|
|
void record_ioctl (PIOCTLREC *piorec, ULONG ioctl, NTSTATUS status)
|
|
{
|
|
PIOCTLREC iorec = *piorec;
|
|
IOCTLINFO tmp;
|
|
ULONG i, j, new;
|
|
|
|
if (!iorec) {
|
|
iorec = malloc (sizeof (*iorec) +
|
|
INITIAL_IOCTL_TAILOR_SIZE * sizeof (iorec->ioctl[0]));
|
|
if (!iorec) {
|
|
return;
|
|
}
|
|
*piorec = iorec;
|
|
iorec->total = INITIAL_IOCTL_TAILOR_SIZE;
|
|
iorec->count = 0;
|
|
iorec->start = 0;
|
|
}
|
|
new = 1;
|
|
for (i = 0; i < iorec->count; i++) {
|
|
if (iorec->ioctl[i].ioctl == ioctl && iorec->ioctl[i].status == status) {
|
|
return;
|
|
}
|
|
if (iorec->ioctl[i].status == status) {
|
|
new = 0;
|
|
if (iorec->ioctl[i].count > MAX_IOCTL_TAILOR) {
|
|
return; // too many seen of this one
|
|
}
|
|
if (++iorec->ioctl[i].count > MAX_IOCTL_TAILOR) {
|
|
printf ("Removing IOCTLs with status %X\n", status);
|
|
for (j = i + 1; j < iorec->count; j++) {
|
|
if (iorec->ioctl[j].status == status) {
|
|
/*
|
|
printf ("Removing IOCTL %X with status %X\n",
|
|
iorec->ioctl[j].ioctl, iorec->ioctl[j].status);
|
|
*/
|
|
iorec->ioctl[j] = iorec->ioctl[--iorec->count];
|
|
j--;
|
|
}
|
|
}
|
|
tmp = iorec->ioctl[iorec->start];
|
|
iorec->ioctl[iorec->start++] = iorec->ioctl[i];
|
|
iorec->ioctl[i] = tmp;
|
|
return;
|
|
}
|
|
break;
|
|
}
|
|
}
|
|
if (new) {
|
|
printf ("New status for IOCTL %X status %X\n", ioctl, status);
|
|
}
|
|
if (iorec->total == iorec->count) {
|
|
iorec = realloc (iorec, sizeof (*iorec) +
|
|
iorec->total * 2 * sizeof (iorec->ioctl[0]));
|
|
if (!iorec) {
|
|
return;
|
|
}
|
|
*piorec = iorec;
|
|
iorec->total *= 2;
|
|
}
|
|
i = iorec->count;
|
|
iorec->ioctl[i].status = status;
|
|
iorec->ioctl[i].ioctl = ioctl;
|
|
iorec->ioctl[i].count = 0;
|
|
iorec->count = i + 1;
|
|
}
|
|
|
|
void do_tailored_ioctl (PDEVMAP devmap,
|
|
PWCHAR path,
|
|
PIOCTLREC iorec,
|
|
ULONG fsctl)
|
|
{
|
|
ULONG method, ioctl_val;
|
|
PVOID inbuf, outbuf;
|
|
ULONG inlen, outlen;
|
|
static IO_STATUS_BLOCK static_iosb;
|
|
ULONG ret;
|
|
ULONG i, j, k;
|
|
WCHAR num[20];
|
|
NTSTATUS status;
|
|
ULONG tmp;
|
|
DWORD old;
|
|
ULONG done_something;
|
|
|
|
if (!iorec) {
|
|
return;
|
|
}
|
|
|
|
do {
|
|
done_something = 0;
|
|
for (i = 1; i < iorec->count; i++) {
|
|
IOCTLINFO ii;
|
|
if (iorec->ioctl[i-1].ioctl < iorec->ioctl[i].ioctl) {
|
|
continue;
|
|
} else if (iorec->ioctl[i-1].ioctl == iorec->ioctl[i].ioctl &&
|
|
iorec->ioctl[i-1].count <= iorec->ioctl[i].count) {
|
|
continue;
|
|
}
|
|
ii = iorec->ioctl[i-1];
|
|
iorec->ioctl[i-1] = iorec->ioctl[i];
|
|
iorec->ioctl[i] = ii;
|
|
done_something = 1;
|
|
}
|
|
} while (done_something);
|
|
|
|
for (i = 0; i < iorec->count; i++) {
|
|
if (iorec->ioctl[i].count >= MAX_IOCTL_TAILOR) {
|
|
continue;
|
|
}
|
|
if (i > 0 && iorec->ioctl[i].ioctl == iorec->ioctl[i-1].ioctl) {
|
|
continue;
|
|
}
|
|
ioctl_val = iorec->ioctl[i].ioctl;
|
|
method = ioctl_val&0x3;
|
|
_snwprintf (num, sizeof (num) / sizeof (WCHAR), L"%%X%X", ioctl_val);
|
|
if (crashes (path, L"IOCTL value", num, L"", L""))
|
|
continue;
|
|
|
|
alerted = 0;
|
|
for (j = 0; j < max_tailured_calls; j += RAND_REP) {
|
|
ret = 0;
|
|
do {
|
|
if (ret != 0) {
|
|
printf ("Re-doing random with ioctl %%X%x\n", ioctl_val);
|
|
}
|
|
|
|
for (k = 0; k < RAND_REP; k++) {
|
|
switch(method) {
|
|
case METHOD_BUFFERED :
|
|
|
|
inlen = RandInRange( ioctl_inbuf_min, ioctl_inbuf_max );
|
|
outlen = RandInRange( ioctl_outbuf_min, ioctl_outbuf_max );
|
|
|
|
inbuf = bigbuf;
|
|
if (outlen == 0)
|
|
outbuf = (PVOID) -1024;
|
|
else
|
|
outbuf = bigbuf;
|
|
|
|
randomize_buf (inbuf, inlen);
|
|
break;
|
|
|
|
case METHOD_IN_DIRECT :
|
|
case METHOD_OUT_DIRECT :
|
|
|
|
inlen = RandInRange( ioctl_inbuf_min, ioctl_inbuf_max );
|
|
outlen = RandInRange( ioctl_outbuf_min, ioctl_outbuf_max );
|
|
|
|
inbuf = bigbuf;
|
|
outbuf = &bigbuf[BIGBUF_SIZE - outlen];
|
|
randomize_buf (inbuf, inlen);
|
|
randomize_buf (outbuf, outlen);
|
|
|
|
break;
|
|
|
|
case METHOD_NEITHER :
|
|
|
|
switch (rand ()&3) {
|
|
//
|
|
// Completely random pointers. We may corrupt ourselves here
|
|
// case 0 :
|
|
// inlen = rand32();
|
|
// outlen = rand32();
|
|
//
|
|
// inbuf = (PVOID)rand32();
|
|
// outbuf = (PVOID)rand32();
|
|
// break;
|
|
|
|
//
|
|
// Kernel crashing pointers with smallish lengths
|
|
case 1 :
|
|
inbuf = (PVOID) -1024;
|
|
outbuf = (PVOID) -1024;
|
|
inlen = RandInRange( ioctl_inbuf_min, ioctl_inbuf_max );
|
|
outlen = RandInRange( ioctl_outbuf_min, ioctl_outbuf_max );
|
|
break;
|
|
//
|
|
// Good pointers
|
|
case 0 :
|
|
case 2 :
|
|
inlen = RandInRange( ioctl_inbuf_min, ioctl_inbuf_max );
|
|
outlen = RandInRange( ioctl_outbuf_min, ioctl_outbuf_max );
|
|
|
|
inbuf = &bigbuf[BIGBUF_SIZE - outlen];
|
|
outbuf = &bigbuf[BIGBUF_SIZE - outlen];
|
|
break;
|
|
//
|
|
// Bad user mode pointers
|
|
case 3 :
|
|
inlen = rand() & 0xFFFF;
|
|
outlen = rand() & 0xFFFF;
|
|
inbuf = UintToPtr( rand() & 0xFFFF );
|
|
outbuf = UintToPtr( rand() & 0xFFFF );
|
|
break;
|
|
break;
|
|
}
|
|
}
|
|
|
|
progress_counter++;
|
|
if (!fsctl) {
|
|
status = NtDeviceIoControlFile(devmap->handle,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
&static_iosb,
|
|
ioctl_val,
|
|
inbuf,
|
|
inlen,
|
|
outbuf,
|
|
outlen);
|
|
} else {
|
|
status = NtFsControlFile(devmap->handle,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
&static_iosb,
|
|
ioctl_val,
|
|
inbuf,
|
|
inlen,
|
|
outbuf,
|
|
outlen);
|
|
}
|
|
}
|
|
NtCancelIoFile (devmap->handle, &static_iosb);
|
|
if (alerted > 5) {
|
|
break;
|
|
}
|
|
} while (print_diags ((method == METHOD_BUFFERED)?0:DIAG_NOEXCEPTIONS, ret++) && ret < MAX_RET);
|
|
if (alerted > 5) {
|
|
break;
|
|
}
|
|
|
|
}
|
|
if (!(flags&FLAGS_DO_PROT) ||
|
|
crashes (path, L"IOCTL prot value", num, L"", L"")) {
|
|
continue;
|
|
}
|
|
|
|
status = NtResumeThread (changethread, &tmp);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtResumeThread failed %x\n", status);
|
|
}
|
|
|
|
for (i = 1; i < PROT_REP; i += RAND_REP) {
|
|
ret = 0;
|
|
do {
|
|
if (ret != 0) {
|
|
printf ("Re-doing random with ioctl %%X%x\n", ioctl_val);
|
|
}
|
|
for (k = 0; k < RAND_REP; k++) {
|
|
if (!VirtualProtect (bigbuf, 1, PAGE_READWRITE, &old)) {
|
|
printf ("VirtualProtect failed %d\n", GetLastError ());
|
|
}
|
|
inlen = RandInRange( ioctl_inbuf_min, ioctl_inbuf_max );
|
|
outlen = RandInRange( ioctl_outbuf_min, ioctl_outbuf_max );
|
|
|
|
inbuf = bigbuf;
|
|
outbuf = bigbuf;
|
|
|
|
progress_counter++;
|
|
if (!fsctl) {
|
|
status = NtDeviceIoControlFile(devmap->handle,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
&static_iosb,
|
|
ioctl_val,
|
|
inbuf,
|
|
inlen,
|
|
outbuf,
|
|
outlen);
|
|
} else {
|
|
status = NtFsControlFile(devmap->handle,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
&static_iosb,
|
|
ioctl_val,
|
|
inbuf,
|
|
inlen,
|
|
outbuf,
|
|
outlen);
|
|
}
|
|
}
|
|
NtCancelIoFile (devmap->handle, &static_iosb);
|
|
if (alerted > 5) {
|
|
break;
|
|
}
|
|
} while (print_diags (DIAG_NOEXCEPTIONS, ret++) && ret < MAX_RET);
|
|
|
|
if (alerted > 5) {
|
|
break;
|
|
}
|
|
}
|
|
status = NtSuspendThread (changethread, &tmp);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtResumeThread failed %x\n", status);
|
|
}
|
|
if (!VirtualProtect (bigbuf, 1, PAGE_READWRITE, &old)) {
|
|
printf ("VirtualProtect failed %d\n", GetLastError ());
|
|
}
|
|
}
|
|
}
|
|
|
|
NTSTATUS
|
|
do_ioctl(
|
|
PDEVMAP devmap,
|
|
PWCHAR path
|
|
)
|
|
{
|
|
ULONG function, method, access, i, j, ioctl_val;
|
|
static IO_STATUS_BLOCK static_iosb;
|
|
PVOID inbuf, outbuf;
|
|
ULONG inlen, outlen;
|
|
ULONG tmp;
|
|
NTSTATUS status;
|
|
ULONG devtype;
|
|
ULONG ret;
|
|
BOOL hit_leak;
|
|
WCHAR num[20];
|
|
PIOCTLREC iorec = NULL, fsrec = NULL;
|
|
ULONG set_rand;
|
|
|
|
if ((flags&(FLAGS_DO_IOCTL_NULL|FLAGS_DO_FSCTL_NULL)) &&
|
|
ioctl_inbuf_min == 0 && ioctl_outbuf_min == 0) {
|
|
//
|
|
// do I/O calls with no buffer
|
|
//
|
|
for (function = ioctl_min_function; function <= ioctl_max_function; function++) {
|
|
_snwprintf (num, sizeof (num) / sizeof (WCHAR), L"%d", function);
|
|
if (crashes (path, L"IOCTL function ", num, L"", L""))
|
|
continue;
|
|
for (devtype = ioctl_min_devtype; devtype <= ioctl_max_devtype; devtype++) {
|
|
ret = 0;
|
|
do {
|
|
if (ret != 0)
|
|
printf ("Re-doing devtype = %d, function = %d\n", devtype, function);
|
|
hit_leak = FALSE;
|
|
for (access = FILE_ANY_ACCESS;
|
|
access <= (devmap->access&(FILE_READ_ACCESS|FILE_WRITE_ACCESS));
|
|
access++) {
|
|
for (method = 0; method < 4; method++) {
|
|
ioctl_val = CTL_CODE(devtype, function, method, access);
|
|
|
|
progress_counter++;
|
|
if ((flags&FLAGS_DO_IOCTL_NULL)) {
|
|
status = NtDeviceIoControlFile(devmap->handle,
|
|
NULL, NULL, NULL,
|
|
&static_iosb,
|
|
ioctl_val,
|
|
(PVOID) -1024,
|
|
0,
|
|
(PVOID) -1024,
|
|
0);
|
|
record_ioctl (&iorec, ioctl_val, status);
|
|
}
|
|
if ((flags&FLAGS_DO_FSCTL_NULL)) {
|
|
status = NtFsControlFile(devmap->handle, NULL, NULL, NULL,
|
|
&static_iosb,
|
|
ioctl_val,
|
|
(PVOID) -1024,
|
|
0,
|
|
(PVOID) -1024,
|
|
0);
|
|
record_ioctl (&fsrec, ioctl_val, status);
|
|
}
|
|
Sleep (0);
|
|
}
|
|
}
|
|
if (ret > (MAX_RET * 95 ) / 100) {
|
|
NtCancelIoFile (devmap->handle, &static_iosb);
|
|
//
|
|
// Report exceptions for method buffered.
|
|
// This may be ok but its worth knowing.
|
|
//
|
|
if (print_diags ((method == METHOD_BUFFERED)?0:DIAG_NOEXCEPTIONS, ret++)) {
|
|
printf ("IOCTL/FSCTL %x devtype %x (%d) function %x (%d) access %x method %x\n",
|
|
ioctl_val, devtype, devtype, function, function,
|
|
access, method);
|
|
hit_leak = TRUE;
|
|
}
|
|
}
|
|
NtCancelIoFile (devmap->handle, &static_iosb);
|
|
} while ((hit_leak || print_diags ((method == METHOD_BUFFERED)?0:DIAG_NOEXCEPTIONS, ret++)) && ret < MAX_RET);
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
if (flags&(FLAGS_DO_IOCTL_RANDOM|FLAGS_DO_FSCTL_RANDOM) &&
|
|
!crashes (path, L"IOCTL", L"random", L"", L"")) {
|
|
// if (!(flags&FLAGS_DO_RANDOM_DEVICE)) {
|
|
// status = NtResumeThread (randthread, &tmp);
|
|
// if (!NT_SUCCESS (status)) {
|
|
// printf ("NtResumeThread failed %x\n", status);
|
|
// }
|
|
// }
|
|
for (i = 0; i < max_random_calls; i += RAND_REP) {
|
|
if (ioctl_min_function >= ioctl_max_function)
|
|
function = ioctl_min_function;
|
|
else
|
|
function = RandInRange( ioctl_min_function, ioctl_max_function );
|
|
ret = 0;
|
|
do {
|
|
if (ret != 0) {
|
|
printf ("Re-doing random with function %x\n", function);
|
|
}
|
|
for (j = 0; j < RAND_REP; j++) {
|
|
if (ioctl_min_devtype >= ioctl_max_devtype)
|
|
devtype = ioctl_min_devtype;
|
|
else
|
|
devtype = RandInRange( ioctl_min_devtype, ioctl_max_devtype );
|
|
|
|
switch (rand ()&3) {
|
|
case 0 :
|
|
if (fsrec && fsrec->count - fsrec->start) {
|
|
devtype = fsrec->ioctl[fsrec->start +
|
|
(rand()%(fsrec->count - fsrec->start))].ioctl>>16;
|
|
}
|
|
break;
|
|
case 1 :
|
|
if (iorec && iorec->count - iorec->start) {
|
|
devtype = iorec->ioctl[iorec->start +
|
|
(rand()%(iorec->count - iorec->start))].ioctl>>16;
|
|
}
|
|
break;
|
|
case 2 :
|
|
case 3 :
|
|
break;
|
|
}
|
|
method = rand() & 0x3;
|
|
|
|
access = rand() & devmap->access&(FILE_READ_ACCESS|FILE_WRITE_ACCESS);
|
|
|
|
ioctl_val = CTL_CODE(devtype,
|
|
function,
|
|
method,
|
|
access);
|
|
|
|
set_rand = 0;
|
|
switch(method) {
|
|
case METHOD_BUFFERED :
|
|
|
|
inlen = RandInRange( ioctl_inbuf_min, ioctl_inbuf_max );
|
|
outlen = RandInRange( ioctl_outbuf_min, ioctl_outbuf_max );
|
|
|
|
inbuf = bigbuf;
|
|
if (outlen == 0)
|
|
outbuf = (PVOID) -1024;
|
|
else
|
|
outbuf = bigbuf;
|
|
|
|
set_rand = 1;
|
|
break;
|
|
|
|
case METHOD_IN_DIRECT :
|
|
case METHOD_OUT_DIRECT :
|
|
|
|
inlen = RandInRange( ioctl_inbuf_min, ioctl_inbuf_max );
|
|
outlen = RandInRange( ioctl_outbuf_min, ioctl_outbuf_max );
|
|
|
|
inbuf = bigbuf;
|
|
outbuf = &bigbuf[BIGBUF_SIZE - outlen];
|
|
// printf ("%p %d %p %d\n", inbuf, inlen, outbuf, outlen);
|
|
|
|
set_rand = 1;
|
|
break;
|
|
|
|
case METHOD_NEITHER :
|
|
|
|
switch (rand ()&3) {
|
|
//
|
|
// Completely random pointers. We may corrupt ourselves here
|
|
// case 0 :
|
|
// inlen = rand32();
|
|
// outlen = rand32();
|
|
//
|
|
// inbuf = (PVOID)rand32();
|
|
// outbuf = (PVOID)rand32();
|
|
// break;
|
|
|
|
//
|
|
// Kernel crashing pointers with smallish lengths
|
|
case 1 :
|
|
inbuf = (PVOID) -1024;
|
|
outbuf = (PVOID) -1024;
|
|
inlen = RandInRange( ioctl_inbuf_min, ioctl_inbuf_max );
|
|
outlen = RandInRange( ioctl_outbuf_min, ioctl_outbuf_max );
|
|
break;
|
|
//
|
|
// Good pointers
|
|
case 0 :
|
|
case 2 :
|
|
inlen = RandInRange( ioctl_inbuf_min, ioctl_inbuf_max );
|
|
outlen = RandInRange( ioctl_outbuf_min, ioctl_outbuf_max );
|
|
|
|
inbuf = &bigbuf[BIGBUF_SIZE - outlen];
|
|
outbuf = &bigbuf[BIGBUF_SIZE - outlen];
|
|
set_rand = 1;
|
|
break;
|
|
//
|
|
// Bad user mode pointers
|
|
case 3 :
|
|
inlen = rand() & 0xFFFF;
|
|
outlen = rand() & 0xFFFF;
|
|
inbuf = UintToPtr( rand() & 0xFFFF);
|
|
outbuf = UintToPtr( rand() & 0xFFFF);
|
|
break;
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (set_rand) {
|
|
randomize_buf (inbuf, inlen);
|
|
}
|
|
progress_counter++;
|
|
if (flags&FLAGS_DO_IOCTL_RANDOM) {
|
|
status = NtDeviceIoControlFile(devmap->handle,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
&static_iosb,
|
|
ioctl_val,
|
|
inbuf,
|
|
inlen,
|
|
outbuf,
|
|
outlen);
|
|
record_ioctl (&iorec, ioctl_val, status);
|
|
}
|
|
|
|
if (flags&FLAGS_DO_FSCTL_RANDOM) {
|
|
status = NtFsControlFile(devmap->handle,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
&static_iosb,
|
|
ioctl_val,
|
|
inbuf,
|
|
inlen,
|
|
outbuf,
|
|
outlen);
|
|
record_ioctl (&fsrec, ioctl_val, status);
|
|
}
|
|
}
|
|
|
|
NtCancelIoFile (devmap->handle, &static_iosb);
|
|
} while (print_diags ((method == METHOD_BUFFERED)?0:DIAG_NOEXCEPTIONS, ret++) && ret < MAX_RET);
|
|
}
|
|
|
|
// if (!(flags&FLAGS_DO_RANDOM_DEVICE)) {
|
|
// status = NtSuspendThread (randthread, &tmp);
|
|
// if (!NT_SUCCESS (status)) {
|
|
// printf ("NtSuspendThread failed %x\n", status);
|
|
// }
|
|
// }
|
|
}
|
|
if (flags&FLAGS_DO_IOCTL_RANDOM) {
|
|
do_tailored_ioctl (devmap, path, iorec, 0);
|
|
}
|
|
if (flags&FLAGS_DO_FSCTL_RANDOM) {
|
|
do_tailored_ioctl (devmap, path, fsrec, 1);
|
|
}
|
|
|
|
if (iorec) {
|
|
free (iorec);
|
|
}
|
|
if (fsrec) {
|
|
free (fsrec);
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
PFILE_FULL_EA_INFORMATION build_adr_ea (PCHAR name, USHORT adrtype,
|
|
USHORT adrl, PVOID padr,
|
|
PULONG peal)
|
|
{
|
|
PFILE_FULL_EA_INFORMATION ea = NULL;
|
|
TRANSPORT_ADDRESS UNALIGNED *pta;
|
|
TA_ADDRESS *ptaa;
|
|
ULONG eal;
|
|
ULONG nl;
|
|
|
|
nl = strlen (name);
|
|
eal = sizeof (FILE_FULL_EA_INFORMATION) + nl +
|
|
sizeof (TRANSPORT_ADDRESS) - 1 + adrl;
|
|
ea = malloc (eal);
|
|
if (!ea) {
|
|
printf ("Failed to allocate %d bytes\n", eal);
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
memset (ea, 0, eal);
|
|
ea->EaNameLength = (UCHAR) nl;
|
|
strcpy (ea->EaName, name);
|
|
ea->EaValueLength = (USHORT)(eal - sizeof (*ea) - nl);
|
|
pta = (TRANSPORT_ADDRESS UNALIGNED *)(ea->EaName + nl + 1);
|
|
pta->TAAddressCount = 1;
|
|
ptaa = (TA_ADDRESS *) pta->Address;
|
|
ptaa->AddressLength = adrl;
|
|
ptaa->AddressType = adrtype;
|
|
memcpy (ptaa->Address, padr, adrl);
|
|
*peal = eal;
|
|
return ea;
|
|
}
|
|
|
|
PFILE_FULL_EA_INFORMATION build_con_ea (PCHAR name, CONNECTION_CONTEXT ctx,
|
|
PULONG peal)
|
|
{
|
|
PFILE_FULL_EA_INFORMATION ea = NULL;
|
|
CONNECTION_CONTEXT UNALIGNED *pctx;
|
|
ULONG eal;
|
|
ULONG nl;
|
|
|
|
nl = strlen (name);
|
|
eal = sizeof (FILE_FULL_EA_INFORMATION) + nl +
|
|
sizeof (ctx);
|
|
ea = malloc (eal);
|
|
if (!ea) {
|
|
printf ("Failed to allocate %d bytes\n", eal);
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
memset (ea, 0, eal);
|
|
ea->EaNameLength = (UCHAR) nl;
|
|
strcpy (ea->EaName, name);
|
|
ea->EaValueLength = (USHORT)(eal - sizeof (*ea) - nl);
|
|
pctx = (CONNECTION_CONTEXT UNALIGNED*) (ea->EaName + nl + 1);
|
|
*pctx = ctx;
|
|
*peal = eal;
|
|
return ea;
|
|
}
|
|
|
|
#define DRIVER_PREFIX1 L"\\Driver\\"
|
|
#define DRIVER_PREFIX2 L"\\FileSystem\\"
|
|
|
|
NTSTATUS
|
|
check_driver (HANDLE handle,
|
|
PUNICODE_STRING DriverName)
|
|
/*
|
|
Check to see if the specified device object is associated with the driver object
|
|
*/
|
|
{
|
|
PFILE_FS_DRIVER_PATH_INFORMATION fsDpInfo;
|
|
ULONG fsDpSize;
|
|
ULONG DriverBufferLength;
|
|
UNICODE_STRING us;
|
|
NTSTATUS status;
|
|
IO_STATUS_BLOCK iosb;
|
|
|
|
DriverBufferLength = sizeof (DRIVER_PREFIX1);
|
|
if (sizeof (DRIVER_PREFIX2) > DriverBufferLength) {
|
|
DriverBufferLength = sizeof (DRIVER_PREFIX2);
|
|
}
|
|
DriverBufferLength += DriverName->Length;
|
|
|
|
fsDpSize = sizeof(FILE_FS_DRIVER_PATH_INFORMATION) + DriverBufferLength;
|
|
|
|
fsDpInfo = malloc (fsDpSize);
|
|
if (fsDpInfo == 0) {
|
|
printf ("Failed to allocate buffer for driver query\n");
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
|
|
ZeroMemory(fsDpInfo, fsDpSize);
|
|
|
|
us.MaximumLength = (USHORT)DriverBufferLength;
|
|
us.Length = 0;
|
|
us.Buffer = fsDpInfo->DriverName;
|
|
RtlAppendUnicodeToString (&us, DRIVER_PREFIX1);
|
|
RtlAppendUnicodeStringToString (&us, DriverName);
|
|
fsDpInfo->DriverNameLength = us.Length;
|
|
|
|
|
|
status = NtQueryVolumeInformationFile(handle,
|
|
&iosb,
|
|
fsDpInfo,
|
|
fsDpSize,
|
|
FileFsDriverPathInformation);
|
|
|
|
if (NT_SUCCESS (status)) {
|
|
if (fsDpInfo->DriverInPath) {
|
|
status = STATUS_SUCCESS;
|
|
} else {
|
|
status = -1;
|
|
}
|
|
free (fsDpInfo);
|
|
return status;
|
|
}
|
|
|
|
us.MaximumLength = (USHORT)DriverBufferLength;
|
|
us.Length = 0;
|
|
us.Buffer = fsDpInfo->DriverName;
|
|
RtlAppendUnicodeToString (&us, DRIVER_PREFIX2);
|
|
RtlAppendUnicodeStringToString (&us, DriverName);
|
|
fsDpInfo->DriverNameLength = us.Length;
|
|
status = NtQueryVolumeInformationFile(handle,
|
|
&iosb,
|
|
fsDpInfo,
|
|
fsDpSize,
|
|
FileFsDriverPathInformation);
|
|
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtQueryVolumeInformationFile for FileFsDriverPathInformation failed %x\n", status);
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
if (fsDpInfo->DriverInPath) {
|
|
status = STATUS_SUCCESS;
|
|
} else {
|
|
status = -1;
|
|
}
|
|
free (fsDpInfo);
|
|
return status;
|
|
}
|
|
|
|
DWORD
|
|
WINAPI
|
|
do_open_close_thread (
|
|
LPVOID arg)
|
|
{
|
|
ULONG i;
|
|
POBJECT_ATTRIBUTES oa = arg;
|
|
NTSTATUS status;
|
|
IO_STATUS_BLOCK iosb;
|
|
HANDLE handle;
|
|
|
|
for (i = 0; i < 10000; i++) {
|
|
status = NtCreateFile (&handle,
|
|
MAXIMUM_ALLOWED,
|
|
oa,
|
|
&iosb,
|
|
NULL,
|
|
0,
|
|
FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,
|
|
FILE_OPEN,
|
|
0,
|
|
NULL,
|
|
0);
|
|
if (NT_SUCCESS (status)) {
|
|
status = NtClose (handle);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtClose failed %x\n", status);
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
}
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
VOID
|
|
do_open_close (POBJECT_ATTRIBUTES oa,
|
|
PUNICODE_STRING name,
|
|
PWCHAR path)
|
|
/*
|
|
Open and close the device rapidly to catch open close races
|
|
*/
|
|
{
|
|
#define MAX_OPEN_THREAD 4
|
|
HANDLE Thread[MAX_OPEN_THREAD];
|
|
ULONG i;
|
|
DWORD id;
|
|
|
|
if (crashes (path, L"OPENCLOSE", L"", L"", L"")) {
|
|
return;
|
|
}
|
|
|
|
for (i = 0; i < MAX_OPEN_THREAD; i++) {
|
|
Thread[i] = CreateThread (NULL, 0, do_open_close_thread, oa, 0, &id);
|
|
if (Thread[i] == NULL) {
|
|
printf ("CreateThread failed %d\n", GetLastError ());
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
}
|
|
for (i = 0; i < MAX_OPEN_THREAD; i++) {
|
|
WaitForSingleObject (Thread[i], INFINITE);
|
|
CloseHandle (Thread[i]);
|
|
}
|
|
}
|
|
|
|
|
|
/*
|
|
Open device with various options
|
|
*/
|
|
NTSTATUS
|
|
open_device(
|
|
HANDLE parent,
|
|
PUNICODE_STRING name,
|
|
PDEVMAP devmap,
|
|
BOOL synch, // Do a synchronous open
|
|
BOOL addbackslash, // Add trailing backslash to name
|
|
BOOL direct, // Do a direct open
|
|
ULONG opentype, // Connection, address etc.
|
|
PWCHAR path
|
|
)
|
|
{
|
|
NTSTATUS status;
|
|
IO_STATUS_BLOCK iosb;
|
|
ULONG i, l, lw, first;
|
|
WCHAR dn[1024];
|
|
UNICODE_STRING dnu;
|
|
ULONG options;
|
|
OBJECT_ATTRIBUTES oa;
|
|
ACCESS_MASK am;
|
|
ULONG share;
|
|
PFILE_FULL_EA_INFORMATION pea = NULL;
|
|
ULONG eal = 0;
|
|
TDI_ADDRESS_IP ipaddr;
|
|
TDI_ADDRESS_NETBIOS netbiosaddr;
|
|
TDI_ADDRESS_IPX ipxaddr;
|
|
TDI_ADDRESS_APPLETALK appleaddr;
|
|
LARGE_INTEGER tmo;
|
|
PCHAR api;
|
|
|
|
if (direct && !(FLAGS_DO_DIRECT_DEVICE&flags)) {
|
|
return STATUS_ACCESS_DENIED;
|
|
}
|
|
l = name->Length;
|
|
if (l >= sizeof (dn))
|
|
l = sizeof (dn) - 1;
|
|
lw = l / sizeof (dn[0]);
|
|
wcsncpy (dn, name->Buffer, lw);
|
|
dn[lw] = '\0';
|
|
RtlInitUnicodeString (&dnu, dn);
|
|
if (addbackslash && dnu.Length < sizeof (dn)) {
|
|
dn[min (dnu.Length, sizeof (dn) - sizeof (dn[0]))/sizeof(dn[0])] = '\\';
|
|
dnu.Length += 2;
|
|
}
|
|
dn[min(dnu.Length, sizeof (dn) - sizeof (dn[0]))/sizeof(dn[0])] = 0;
|
|
|
|
InitializeObjectAttributes(&oa,
|
|
&dnu,
|
|
OBJ_CASE_INSENSITIVE,
|
|
parent,
|
|
NULL);
|
|
|
|
if ((flags2&FLAGS_DO_DRIVER) != 0) {
|
|
HANDLE handle;
|
|
status = NtCreateFile (&handle,
|
|
MAXIMUM_ALLOWED,
|
|
&oa,
|
|
&iosb,
|
|
NULL,
|
|
0,
|
|
FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,
|
|
FILE_OPEN,
|
|
0,
|
|
NULL,
|
|
0);
|
|
if (NT_SUCCESS (status)) {
|
|
status = check_driver (handle, &DriverName);
|
|
NtClose (handle);
|
|
if (!NT_SUCCESS (status)) {
|
|
return status;
|
|
}
|
|
} else {
|
|
wprintf(L"Failed to open device %s for driver checking %x\n",
|
|
dn, status);
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
if ((flags&FLAGS_DO_OPEN_CLOSE) && !synch && !direct && opentype == 0) {
|
|
do_open_close (&oa,
|
|
name,
|
|
path);
|
|
}
|
|
|
|
devmap->handle = NULL;
|
|
|
|
if (direct) {
|
|
options = 0;
|
|
am = SYNCHRONIZE|FILE_READ_ATTRIBUTES|READ_CONTROL|WRITE_OWNER|WRITE_DAC;
|
|
} else if (synch) {
|
|
options = FILE_SYNCHRONOUS_IO_ALERT;
|
|
am = MAXIMUM_ALLOWED|SYNCHRONIZE;
|
|
} else {
|
|
options = 0;
|
|
am = MAXIMUM_ALLOWED;
|
|
}
|
|
if (opentype == OPEN_TYPE_NAMED_PIPE) {
|
|
share = FILE_SHARE_READ|FILE_SHARE_WRITE;
|
|
} else if (opentype == OPEN_TYPE_TREE_CONNECT) {
|
|
share = FILE_SHARE_READ|FILE_SHARE_WRITE;
|
|
options |= FILE_CREATE_TREE_CONNECTION;
|
|
} else {
|
|
share = 0;
|
|
}
|
|
if (opentype == OPEN_TYPE_TDI_CONNECTION) {
|
|
pea = build_con_ea (TdiConnectionContext, (CONNECTION_CONTEXT) 12345, &eal);
|
|
} else if (opentype == OPEN_TYPE_TDI_ADDR_IP) {
|
|
memset (&ipaddr, 0, sizeof (ipaddr));
|
|
pea = build_adr_ea (TdiTransportAddress,
|
|
TDI_ADDRESS_TYPE_IP,
|
|
sizeof (ipaddr), &ipaddr,
|
|
&eal);
|
|
} else if (opentype == OPEN_TYPE_TDI_ADDR_NETBIOS) {
|
|
memset (&netbiosaddr, 0, sizeof (netbiosaddr));
|
|
pea = build_adr_ea (TdiTransportAddress,
|
|
TDI_ADDRESS_TYPE_NETBIOS,
|
|
sizeof (netbiosaddr), &netbiosaddr,
|
|
&eal);
|
|
} else if (opentype == OPEN_TYPE_TDI_ADDR_IPX) {
|
|
memset (&ipxaddr, 0, sizeof (ipxaddr));
|
|
pea = build_adr_ea (TdiTransportAddress,
|
|
TDI_ADDRESS_TYPE_IPX,
|
|
sizeof (ipxaddr), &ipxaddr,
|
|
&eal);
|
|
} else if (opentype == OPEN_TYPE_TDI_ADDR_APPLE) {
|
|
memset (&appleaddr, 0, sizeof (appleaddr));
|
|
pea = build_adr_ea (TdiTransportAddress,
|
|
TDI_ADDRESS_TYPE_APPLETALK,
|
|
sizeof (appleaddr), &appleaddr,
|
|
&eal);
|
|
}
|
|
|
|
wprintf(L"Trying to open device %s %s %s %s\n",
|
|
dn, direct?L"direct ":L"", synch?L"synchronous":L"",
|
|
pea?L"TDI open":(opentype == OPEN_TYPE_NAMED_PIPE)?
|
|
L"NamedPipe":(opentype == OPEN_TYPE_MAIL_SLOT)?
|
|
L"Mailslot":L"");
|
|
|
|
if (crashes (path, L"Open", direct?L"direct":L"", synch?L"synchronous":L"",
|
|
addbackslash?L"Add backslash":L""))
|
|
status = STATUS_ACCESS_DENIED;
|
|
else {
|
|
do {
|
|
if (opentype == OPEN_TYPE_NAMED_PIPE) {
|
|
tmo.QuadPart = -1000;
|
|
api = "NtCreateNamedPipeFile";
|
|
status = NtCreateNamedPipeFile (&devmap->handle,
|
|
am,
|
|
&oa,
|
|
&iosb,
|
|
share,
|
|
FILE_CREATE,
|
|
options,
|
|
FILE_PIPE_MESSAGE_TYPE,
|
|
FILE_PIPE_MESSAGE_MODE,
|
|
FILE_PIPE_COMPLETE_OPERATION,
|
|
10,
|
|
1000, 1000,
|
|
&tmo);
|
|
} else if (opentype == OPEN_TYPE_MAIL_SLOT) {
|
|
tmo.QuadPart = -1000;
|
|
api = "NtCreateMailslotFile";
|
|
status = NtCreateMailslotFile (&devmap->handle,
|
|
am,
|
|
&oa,
|
|
&iosb,
|
|
options,
|
|
1024,
|
|
256,
|
|
&tmo);
|
|
|
|
} else {
|
|
api = "NtCreateFile";
|
|
status = NtCreateFile(&devmap->handle,
|
|
am,
|
|
&oa,
|
|
&iosb,
|
|
NULL,
|
|
0,
|
|
share,
|
|
FILE_OPEN,
|
|
options,
|
|
pea,
|
|
eal);
|
|
}
|
|
|
|
if (status == STATUS_SHARING_VIOLATION) {
|
|
printf ("Hit file share violation for %X\n", share);
|
|
if (share&FILE_SHARE_READ) {
|
|
share &= ~FILE_SHARE_READ;
|
|
if (share&FILE_SHARE_WRITE) {
|
|
share &= ~FILE_SHARE_WRITE;
|
|
if (share&FILE_SHARE_DELETE) {
|
|
break;
|
|
} else {
|
|
share |= FILE_SHARE_DELETE;
|
|
}
|
|
} else {
|
|
share |= FILE_SHARE_WRITE;
|
|
}
|
|
} else {
|
|
share |= FILE_SHARE_READ;
|
|
}
|
|
} else if (status == STATUS_ACCESS_DENIED) {
|
|
printf ("Hit file protection violation for %X\n", am);
|
|
if (am&MAXIMUM_ALLOWED) {
|
|
am &= ~MAXIMUM_ALLOWED;
|
|
am |= FILE_READ_DATA|FILE_WRITE_DATA|SYNCHRONIZE|FILE_READ_ATTRIBUTES|
|
|
READ_CONTROL|FILE_APPEND_DATA;
|
|
} else if (am&FILE_WRITE_DATA) {
|
|
am &= ~FILE_WRITE_DATA;
|
|
} else if (am&FILE_APPEND_DATA) {
|
|
am &= ~FILE_APPEND_DATA;
|
|
} else if (am&FILE_READ_DATA) {
|
|
am &= ~FILE_READ_DATA;
|
|
} else if (am&WRITE_OWNER) {
|
|
am &= ~WRITE_OWNER;
|
|
} else if (am&WRITE_DAC) {
|
|
am &= ~WRITE_DAC;
|
|
} else if (am&WRITE_DAC) {
|
|
am &= ~WRITE_DAC;
|
|
} else if (am&READ_CONTROL) {
|
|
am &= ~READ_CONTROL;
|
|
} else if (am&FILE_READ_ATTRIBUTES) {
|
|
am &= ~FILE_READ_ATTRIBUTES;
|
|
} else {
|
|
break;
|
|
}
|
|
}
|
|
} while (status == STATUS_SHARING_VIOLATION || status == STATUS_ACCESS_DENIED);
|
|
}
|
|
if (pea)
|
|
free (pea);
|
|
if (NT_SUCCESS(status)) {
|
|
status = get_handle_access (devmap->handle, &devmap->access);
|
|
}
|
|
if (NT_SUCCESS(status)) {
|
|
wprintf(L"Opened file %s with access %x\n",
|
|
dn,
|
|
devmap->access);
|
|
|
|
if (DELETE&devmap->access) {
|
|
printf ("Got delete access to device\n");
|
|
}
|
|
if (WRITE_DAC&devmap->access) {
|
|
printf ("Got write_dac access to device\n");
|
|
}
|
|
if (WRITE_OWNER&devmap->access) {
|
|
printf ("Got write_owner access to device\n");
|
|
}
|
|
query_object(devmap->handle, devmap, path);
|
|
misc_functions (devmap->handle, path, synch);
|
|
} else {
|
|
if (status != STATUS_INVALID_DEVICE_REQUEST &&
|
|
status != STATUS_ACCESS_DENIED) {
|
|
printf("%s failed %x\n", api,
|
|
status);
|
|
}
|
|
}
|
|
if ((direct && synch) || (addbackslash & !synch && !direct)) // Only do this twice
|
|
try_fast_query_delete_etc (&oa, path, L"Top open");
|
|
|
|
|
|
return status;
|
|
}
|
|
|
|
/*
|
|
Compare routine for sorting the object directory
|
|
*/
|
|
int __cdecl compare_unicode (const void *arg1, const void *arg2)
|
|
{
|
|
POBJECT_DIRECTORY_INFORMATION s1, s2;
|
|
ULONG i, j;
|
|
|
|
s1 = (POBJECT_DIRECTORY_INFORMATION) arg1;
|
|
s2 = (POBJECT_DIRECTORY_INFORMATION) arg2;
|
|
for (i = 0, j = 0;
|
|
(i < s1->Name.Length / sizeof (WCHAR)) &&
|
|
(j < s2->Name.Length / sizeof (WCHAR)); i++, j++) {
|
|
if (s1->Name.Buffer[i] < s2->Name.Buffer[j])
|
|
return -1;
|
|
else if (s1->Name.Buffer[i] > s2->Name.Buffer[j])
|
|
return +1;
|
|
}
|
|
if (i > j)
|
|
return -1;
|
|
else if (i < j)
|
|
return +1;
|
|
else
|
|
return 0;
|
|
}
|
|
|
|
|
|
/*
|
|
Do all the various different opens looking for handles
|
|
*/
|
|
NTSTATUS do_device_opens (HANDLE handle,
|
|
PUNICODE_STRING name,
|
|
PDEVMAP devmap,
|
|
PULONG devscount,
|
|
PWCHAR path,
|
|
PWCHAR devbuf)
|
|
{
|
|
NTSTATUS status;
|
|
ULONG do_tdi_opens=0;
|
|
ULONG OrigDevCount;
|
|
|
|
|
|
OrigDevCount = *devscount;
|
|
|
|
if (flags&FLAGS_DO_SYNC) {
|
|
status = open_device(handle,
|
|
name,
|
|
&devmap[*devscount],
|
|
TRUE, /* Synchronous */
|
|
FALSE, /* No added backslash */
|
|
FALSE, /* No direct device open */
|
|
0,
|
|
path);
|
|
|
|
if (NT_SUCCESS(status)) {
|
|
if (NT_SUCCESS (check_tdi_handle (devmap[*devscount].handle))) {
|
|
do_tdi_opens = 1;
|
|
}
|
|
try_funny_opens(devmap[*devscount].handle, path);
|
|
|
|
do_ioctl(&devmap[*devscount], path);
|
|
|
|
*devscount = *devscount + 1;
|
|
|
|
} else {
|
|
if (status == -1) {
|
|
return status;
|
|
} else {
|
|
wprintf(L"Failed to open device %s status is %x\n",
|
|
devbuf,
|
|
status);
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
status = open_device(handle,
|
|
name,
|
|
&devmap[*devscount],
|
|
FALSE, /* Synchronous */
|
|
FALSE, /* No added backslash */
|
|
FALSE, /* No direct device access */
|
|
0,
|
|
path);
|
|
|
|
if (NT_SUCCESS(status)) {
|
|
if (!do_tdi_opens && NT_SUCCESS (check_tdi_handle (devmap[*devscount].handle))) {
|
|
do_tdi_opens = 1;
|
|
}
|
|
try_funny_opens(devmap[*devscount].handle, path);
|
|
do_ioctl(&devmap[*devscount], path);
|
|
|
|
*devscount = *devscount + 1;
|
|
} else {
|
|
if (status == -1) {
|
|
return status;
|
|
} else {
|
|
wprintf(L"Failed to open device %s status is %x\n",
|
|
devbuf,
|
|
status);
|
|
}
|
|
}
|
|
|
|
status = open_device(handle,
|
|
name,
|
|
&devmap[*devscount],
|
|
FALSE, /* Synchronous */
|
|
TRUE, /* No added backslash */
|
|
FALSE, /* No direct device access */
|
|
0,
|
|
path);
|
|
|
|
if (NT_SUCCESS(status)) {
|
|
try_funny_opens(devmap[*devscount].handle, path);
|
|
do_ioctl(&devmap[*devscount], path);
|
|
|
|
*devscount = *devscount + 1;
|
|
} else {
|
|
if (status == -1) {
|
|
return status;
|
|
} else {
|
|
wprintf(L"Failed to open device %s status is %x\n",
|
|
devbuf,
|
|
status);
|
|
}
|
|
}
|
|
|
|
if (flags&FLAGS_DO_SYNC) {
|
|
status = open_device(handle,
|
|
name,
|
|
&devmap[*devscount],
|
|
TRUE, /* Synchronous */
|
|
FALSE, /* No added backslash */
|
|
TRUE, /* Direct device access */
|
|
0,
|
|
path);
|
|
|
|
if (NT_SUCCESS(status)) {
|
|
try_funny_opens(devmap[*devscount].handle, path);
|
|
do_ioctl(&devmap[*devscount], path);
|
|
|
|
*devscount = *devscount + 1;
|
|
} else {
|
|
if (status == -1) {
|
|
return status;
|
|
} else {
|
|
wprintf(L"Failed to open device %s status is %x\n",
|
|
devbuf,
|
|
status);
|
|
}
|
|
}
|
|
}
|
|
|
|
if (flags&FLAGS_DO_SYNC) {
|
|
status = open_device(handle,
|
|
name,
|
|
&devmap[*devscount],
|
|
TRUE, /* Synchronous */
|
|
FALSE, /* No added backslash */
|
|
FALSE, /* Direct device access */
|
|
OPEN_TYPE_NAMED_PIPE,
|
|
path);
|
|
|
|
if (NT_SUCCESS(status)) {
|
|
try_funny_opens(devmap[*devscount].handle, path);
|
|
do_ioctl(&devmap[*devscount], path);
|
|
|
|
*devscount = *devscount + 1;
|
|
} else {
|
|
if (status == -1) {
|
|
return status;
|
|
} else {
|
|
wprintf(L"Failed to open device %s status is %x\n",
|
|
devbuf,
|
|
status);
|
|
}
|
|
}
|
|
status = open_device(handle,
|
|
name,
|
|
&devmap[*devscount],
|
|
TRUE, /* Synchronous */
|
|
FALSE, /* No added backslash */
|
|
FALSE, /* Direct device access */
|
|
OPEN_TYPE_MAIL_SLOT,
|
|
path);
|
|
|
|
if (NT_SUCCESS(status)) {
|
|
try_funny_opens(devmap[*devscount].handle, path);
|
|
do_ioctl(&devmap[*devscount], path);
|
|
|
|
*devscount = *devscount + 1;
|
|
} else {
|
|
if (status == -1) {
|
|
return status;
|
|
} else {
|
|
wprintf(L"Failed to open device %s status is %x\n",
|
|
devbuf,
|
|
status);
|
|
}
|
|
}
|
|
}
|
|
status = open_device(handle,
|
|
name,
|
|
&devmap[*devscount],
|
|
FALSE, /* Synchronous */
|
|
FALSE, /* No added backslash */
|
|
FALSE, /* Direct device access */
|
|
OPEN_TYPE_NAMED_PIPE,
|
|
path);
|
|
|
|
if (NT_SUCCESS(status)) {
|
|
try_funny_opens(devmap[*devscount].handle, path);
|
|
do_ioctl(&devmap[*devscount], path);
|
|
|
|
*devscount = *devscount + 1;
|
|
} else {
|
|
if (status == -1) {
|
|
return status;
|
|
} else {
|
|
wprintf(L"Failed to open device %s status is %x\n",
|
|
devbuf,
|
|
status);
|
|
}
|
|
}
|
|
status = open_device(handle,
|
|
name,
|
|
&devmap[*devscount],
|
|
FALSE, /* Synchronous */
|
|
FALSE, /* No added backslash */
|
|
FALSE, /* Direct device access */
|
|
OPEN_TYPE_MAIL_SLOT,
|
|
path);
|
|
|
|
if (NT_SUCCESS(status)) {
|
|
try_funny_opens(devmap[*devscount].handle, path);
|
|
do_ioctl(&devmap[*devscount], path);
|
|
|
|
*devscount = *devscount + 1;
|
|
} else {
|
|
if (status == -1) {
|
|
return status;
|
|
} else {
|
|
wprintf(L"Failed to open device %s status is %x\n",
|
|
devbuf,
|
|
status);
|
|
}
|
|
}
|
|
|
|
status = open_device(handle,
|
|
name,
|
|
&devmap[*devscount],
|
|
FALSE, /* Synchronous */
|
|
FALSE, /* No added backslash */
|
|
FALSE, /* Direct device access */
|
|
OPEN_TYPE_TREE_CONNECT,
|
|
path);
|
|
|
|
if (NT_SUCCESS(status)) {
|
|
try_funny_opens(devmap[*devscount].handle, path);
|
|
do_ioctl(&devmap[*devscount], path);
|
|
|
|
*devscount = *devscount + 1;
|
|
} else {
|
|
if (status == -1) {
|
|
return status;
|
|
} else {
|
|
wprintf(L"Failed to open device %s status is %x\n",
|
|
devbuf,
|
|
status);
|
|
}
|
|
}
|
|
|
|
if (do_tdi_opens) {
|
|
status = open_device(handle,
|
|
name,
|
|
&devmap[*devscount],
|
|
FALSE, /* Synchronous */
|
|
FALSE, /* No added backslash */
|
|
FALSE, /* Direct device access */
|
|
OPEN_TYPE_TDI_CONNECTION,
|
|
path);
|
|
|
|
if (NT_SUCCESS(status)) {
|
|
try_funny_opens(devmap[*devscount].handle, path);
|
|
do_ioctl(&devmap[*devscount], path);
|
|
|
|
*devscount = *devscount + 1;
|
|
} else {
|
|
if (status == -1) {
|
|
return status;
|
|
} else {
|
|
wprintf(L"Failed to open device %s status is %x\n",
|
|
devbuf,
|
|
status);
|
|
}
|
|
}
|
|
|
|
status = open_device(handle,
|
|
name,
|
|
&devmap[*devscount],
|
|
FALSE, /* Synchronous */
|
|
FALSE, /* No added backslash */
|
|
FALSE, /* Direct device access */
|
|
OPEN_TYPE_TDI_ADDR_IP,
|
|
path);
|
|
|
|
if (NT_SUCCESS(status)) {
|
|
try_funny_opens(devmap[*devscount].handle, path);
|
|
do_ioctl(&devmap[*devscount], path);
|
|
|
|
*devscount = *devscount + 1;
|
|
} else {
|
|
if (status == -1) {
|
|
return status;
|
|
} else {
|
|
wprintf(L"Failed to open device %s status is %x\n",
|
|
devbuf,
|
|
status);
|
|
}
|
|
}
|
|
status = open_device(handle,
|
|
name,
|
|
&devmap[*devscount],
|
|
FALSE, /* Synchronous */
|
|
FALSE, /* No added backslash */
|
|
FALSE, /* Direct device access */
|
|
OPEN_TYPE_TDI_ADDR_IPX,
|
|
path);
|
|
|
|
if (NT_SUCCESS(status)) {
|
|
try_funny_opens(devmap[*devscount].handle, path);
|
|
do_ioctl(&devmap[*devscount], path);
|
|
|
|
*devscount = *devscount + 1;
|
|
} else {
|
|
if (status == -1) {
|
|
return status;
|
|
} else {
|
|
wprintf(L"Failed to open device %s status is %x\n",
|
|
devbuf,
|
|
status);
|
|
}
|
|
}
|
|
status = open_device(handle,
|
|
name,
|
|
&devmap[*devscount],
|
|
FALSE, /* Synchronous */
|
|
FALSE, /* No added backslash */
|
|
FALSE, /* Direct device access */
|
|
OPEN_TYPE_TDI_ADDR_NETBIOS,
|
|
path);
|
|
|
|
if (NT_SUCCESS(status)) {
|
|
try_funny_opens(devmap[*devscount].handle, path);
|
|
do_ioctl(&devmap[*devscount], path);
|
|
|
|
*devscount = *devscount + 1;
|
|
} else {
|
|
if (status == -1) {
|
|
return status;
|
|
} else {
|
|
wprintf(L"Failed to open device %s status is %x\n",
|
|
devbuf,
|
|
status);
|
|
}
|
|
}
|
|
status = open_device(handle,
|
|
name,
|
|
&devmap[*devscount],
|
|
FALSE, /* Synchronous */
|
|
FALSE, /* No added backslash */
|
|
FALSE, /* Direct device access */
|
|
OPEN_TYPE_TDI_ADDR_APPLE,
|
|
path);
|
|
|
|
if (NT_SUCCESS(status)) {
|
|
try_funny_opens(devmap[*devscount].handle, path);
|
|
do_ioctl(&devmap[*devscount], path);
|
|
|
|
*devscount = *devscount + 1;
|
|
} else {
|
|
if (status == -1) {
|
|
return status;
|
|
} else {
|
|
wprintf(L"Failed to open device %s status is %x\n",
|
|
devbuf,
|
|
status);
|
|
}
|
|
}
|
|
}
|
|
|
|
if (OrigDevCount == *devscount) {
|
|
crashes (path, L"FAILED all open attempts", L"", L"", L"");
|
|
}
|
|
|
|
crashes (path, L"DONE", L"", L"", L"");
|
|
|
|
return status;
|
|
}
|
|
|
|
NTSTATUS
|
|
do_lpc_connect (HANDLE handle,
|
|
PUNICODE_STRING name,
|
|
PDEVMAP devmap,
|
|
PULONG devscount,
|
|
PWCHAR path,
|
|
PWCHAR devbuf)
|
|
{
|
|
HANDLE nhandle;
|
|
NTSTATUS status;
|
|
SECURITY_QUALITY_OF_SERVICE qos;
|
|
ULONG maxmsg, i, opened;
|
|
UNICODE_STRING fullname;
|
|
|
|
RtlInitUnicodeString (&fullname, path);
|
|
qos.ImpersonationLevel = SecurityImpersonation;
|
|
qos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
|
|
qos.EffectiveOnly = TRUE;
|
|
opened = 0;
|
|
for (i = 0; i < 1000; i++) {
|
|
status = NtConnectPort (&nhandle, &fullname, &qos, NULL, NULL, &maxmsg, NULL, NULL);
|
|
if (!NT_SUCCESS (status)) {
|
|
wprintf (L"NtConnectPort failed to %s %x\n", path, status);
|
|
return status;
|
|
}
|
|
opened++;
|
|
status = NtClose (nhandle);
|
|
if (!NT_SUCCESS (status)) {
|
|
wprintf (L"NtClose of port handle failed %x\n", status);
|
|
}
|
|
}
|
|
if (opened) {
|
|
wprintf (L"Opened port %ws %d times\n", path, opened);
|
|
}
|
|
return status;
|
|
}
|
|
|
|
/*
|
|
Traverse the object tree looking for devices
|
|
*/
|
|
NTSTATUS
|
|
recurse(
|
|
HANDLE handle,
|
|
PUNICODE_STRING name,
|
|
PDEVMAP devmap,
|
|
PULONG devscount,
|
|
PWCHAR path,
|
|
ULONG depth
|
|
)
|
|
{
|
|
HANDLE nhandle, shandle;
|
|
NTSTATUS status;
|
|
OBJECT_ATTRIBUTES oa;
|
|
OBJECT_DIRECTORY_INFORMATION *od;
|
|
PVOID buffer;
|
|
ULONG bufferlen;
|
|
ULONG context;
|
|
ULONG retlen;
|
|
ULONG ul;
|
|
UNICODE_STRING equiv;
|
|
WCHAR buf[100], devbuf[200], objtype[80];
|
|
PWCHAR npath = NULL;
|
|
static WCHAR ans[100]={0};
|
|
ULONG c;
|
|
|
|
if (depth > 10) {
|
|
return STATUS_SUCCESS;
|
|
}
|
|
InitializeObjectAttributes(&oa,
|
|
name,
|
|
OBJ_CASE_INSENSITIVE,
|
|
handle,
|
|
NULL);
|
|
|
|
wcsncpy(devbuf,
|
|
name->Buffer,
|
|
sizeof (devbuf) / sizeof (devbuf[0]));
|
|
|
|
devbuf[sizeof (devbuf) - 1] = L'\0';
|
|
|
|
status = NtOpenDirectoryObject(&nhandle,
|
|
MAXIMUM_ALLOWED/*DIRECTORY_QUERY | DIRECTORY_TRAVERSE*/,
|
|
&oa);
|
|
|
|
if (NT_SUCCESS(status)) {
|
|
context = 0;
|
|
|
|
bufferlen = 0x10000;
|
|
|
|
buffer = malloc(bufferlen);
|
|
|
|
status = NtQueryDirectoryObject(nhandle,
|
|
buffer,
|
|
bufferlen,
|
|
FALSE,
|
|
TRUE,
|
|
&context,
|
|
&retlen);
|
|
|
|
if (NT_SUCCESS(status)) {
|
|
|
|
for (od = (POBJECT_DIRECTORY_INFORMATION) buffer, c = 0;
|
|
od->Name.Length != 0 || od->TypeName.Length != 0; od++, c++)
|
|
;
|
|
|
|
qsort (buffer, c, sizeof (*od), compare_unicode);
|
|
|
|
for (od = (POBJECT_DIRECTORY_INFORMATION) buffer;
|
|
*devscount < MAX_DEVICES; od++) {
|
|
|
|
if (od->Name.Length == 0 &&
|
|
od->TypeName.Length == 0) {
|
|
|
|
break;
|
|
}
|
|
|
|
wcsncpy(devbuf,
|
|
od->Name.Buffer,
|
|
sizeof (devbuf) / sizeof (devbuf[0]));
|
|
devbuf[sizeof (devbuf) / sizeof (devbuf[0]) - 1] = L'\0';
|
|
|
|
wcsncpy(objtype,
|
|
od->TypeName.Buffer,
|
|
sizeof (objtype) / sizeof (objtype[0]));
|
|
objtype[sizeof (objtype) / sizeof (objtype[0]) - 1] = L'\0';
|
|
|
|
npath = realloc (npath,
|
|
(wcslen (path) + 1 + wcslen (devbuf) + 1) *
|
|
sizeof (WCHAR));
|
|
if (!npath) {
|
|
printf ("Memory allocation failed for path buffer!");
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
wcscpy (npath, path);
|
|
if (path[wcslen (path)-1] != '\\' &&
|
|
devbuf[wcslen (devbuf)-1] != '\\')
|
|
wcscat (npath, L"\\");
|
|
wcscat (npath, devbuf);
|
|
if (wcsncmp(objtype,
|
|
L"Directory",
|
|
od->TypeName.Length / sizeof (WCHAR)) == 0) {
|
|
|
|
recurse(nhandle,
|
|
&od->Name,
|
|
devmap,
|
|
devscount,
|
|
npath,
|
|
depth+1);
|
|
|
|
} else if (!(flags&FLAGS_DO_LPC) && (
|
|
wcsncmp(objtype,
|
|
L"Device",
|
|
od->TypeName.Length / sizeof (WCHAR)) == 0 ||
|
|
(wcsncmp(objtype,
|
|
L"SymbolicLink",
|
|
od->TypeName.Length / sizeof (WCHAR)) == 0 && (flags&FLAGS_DO_SYMBOLIC)))) {
|
|
if (!(flags&FLAGS_DO_ALLDEVS)) {
|
|
if (skipped == 0) {
|
|
ans[0] = 0;
|
|
skipped = 1;
|
|
}
|
|
if (ans[0] == '/') {
|
|
// wprintf (L"Matching \"%s\" against \"%s\"\n", &ans[1], devbuf);
|
|
if (_wcsnicmp (&ans[1], devbuf, wcslen (&ans[1])) != 0)
|
|
continue;
|
|
} else if (ans[0] == '?' || (flags&FLAGS_DO_PRINT_DEVS)) {
|
|
if (prefix_string) {
|
|
printf ("%s %ws\\%ws\n", prefix_string, path, devbuf);
|
|
} else {
|
|
printf ("%ws %ws\\%ws\n", objtype, path, devbuf);
|
|
}
|
|
continue;
|
|
}
|
|
|
|
progress_counter = 0;
|
|
if (flags & FLAGS_DO_RANDOM_DEVICE) {
|
|
if (random_device > 0) {
|
|
// wprintf (L"%s %s\\%s\n", objtype, path, devbuf);
|
|
random_device--;
|
|
continue;
|
|
}
|
|
} else if (ans[0] != 'a' && ans[0] != 'A') {
|
|
wprintf (L"Open device %s %s\\%s? ", objtype, path, devbuf);
|
|
wscanf (L"%100s", ans);
|
|
if (ans[0] == 'q' || ans[0] == 'Q') {
|
|
exit (EXIT_SUCCESS);
|
|
} else if (ans[0] != 'y' && ans[0] != 'Y' &&
|
|
ans[0] != 'a' && ans[0] != 'A') {
|
|
continue;
|
|
}
|
|
}
|
|
}
|
|
if (!(flags&FLAGS_DO_DISKS)) {
|
|
if (wcsstr (path, L"Harddisk") ||
|
|
wcsstr (path, L"Ide") ||
|
|
wcsstr (path, L"Scsi")) {
|
|
printf ("Skipping this device as it looks like a disk\n");
|
|
continue;
|
|
}
|
|
}
|
|
|
|
if (flags&FLAGS_DO_FAILURE_INJECTION) {
|
|
turn_on_fault_injection ();
|
|
}
|
|
if (flags&FLAGS_DO_IMPERSONATION) {
|
|
Impersonate_nonadmin ();
|
|
}
|
|
|
|
status = do_device_opens (nhandle,
|
|
&od->Name,
|
|
devmap,
|
|
devscount,
|
|
npath,
|
|
devbuf);
|
|
|
|
|
|
if (flags&FLAGS_DO_IMPERSONATION) {
|
|
if (!Revert_from_admin ()) {
|
|
printf ("Revert_from_admin failed %d\n", GetLastError ());
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
}
|
|
if (flags&FLAGS_DO_FAILURE_INJECTION) {
|
|
turn_off_fault_injection ();
|
|
}
|
|
print_diags (0, 0);
|
|
if (flags & FLAGS_DO_RANDOM_DEVICE) {
|
|
break;
|
|
}
|
|
} else if ((flags&FLAGS_DO_LPC) &&
|
|
wcsncmp(od->TypeName.Buffer,
|
|
L"Port",
|
|
od->TypeName.Length / sizeof (WCHAR)) == 0) {
|
|
|
|
if (!(flags&FLAGS_DO_ALLDEVS)) {
|
|
if (skipped == 0) {
|
|
ans[0] = 0;
|
|
skipped = 1;
|
|
}
|
|
if (ans[0] == '/') {
|
|
wprintf (L"Matching \"%s\" against \"%s\"\n", &ans[1], devbuf);
|
|
if (_wcsnicmp (&ans[1], devbuf, wcslen (&ans[1])) != 0)
|
|
continue;
|
|
} else if (ans[0] == '?') {
|
|
wprintf (L"%s\\%s\n", path, devbuf);
|
|
continue;
|
|
} else if (ans[0] == 'q' || ans[0] == 'Q') {
|
|
exit (EXIT_SUCCESS);
|
|
}
|
|
if (ans[0] != 'a' && ans[0] != 'A') {
|
|
wprintf (L"Open LPC port %s\\%s? ", path, devbuf);
|
|
wscanf (L"%100s", ans);
|
|
if (ans[0] != 'y' && ans[0] != 'Y' &&
|
|
ans[0] != 'a' && ans[0] != 'A')
|
|
continue;
|
|
}
|
|
if (flags&FLAGS_DO_IMPERSONATION) {
|
|
Impersonate_nonadmin ();
|
|
}
|
|
|
|
|
|
status = do_lpc_connect (nhandle,
|
|
&od->Name,
|
|
devmap,
|
|
devscount,
|
|
npath,
|
|
devbuf);
|
|
if (flags&FLAGS_DO_IMPERSONATION) {
|
|
if (!Revert_from_admin ()) {
|
|
printf ("Revert_from_admin failed %d\n", GetLastError ());
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
} else {
|
|
if (status != STATUS_NO_MORE_ENTRIES) {
|
|
wprintf(L"NtQueryDirectoryObject failed %x for directory %s\n",
|
|
status,
|
|
devbuf);
|
|
}
|
|
}
|
|
|
|
free(buffer);
|
|
|
|
NtClose(nhandle);
|
|
} else {
|
|
wprintf(L"NtOpenDirectoryObject failed %x for directory %s\n",
|
|
status,
|
|
devbuf);
|
|
}
|
|
|
|
free (npath);
|
|
return status;
|
|
}
|
|
|
|
/*
|
|
Look who registers for WMI
|
|
*/
|
|
void do_wmi ()
|
|
{
|
|
UNICODE_STRING name;
|
|
OBJECT_ATTRIBUTES oa;
|
|
NTSTATUS status;
|
|
PKMREGINFO reginfo = NULL;
|
|
HANDLE handle;
|
|
IO_STATUS_BLOCK iosb;
|
|
ULONG reginfol, i;
|
|
|
|
RtlInitUnicodeString (&name, L"\\Device\\WMIServiceDevice\\");
|
|
InitializeObjectAttributes (&oa, &name, OBJ_CASE_INSENSITIVE, NULL, NULL);
|
|
status = NtOpenFile (&handle,
|
|
MAXIMUM_ALLOWED|SYNCHRONIZE,
|
|
&oa,
|
|
&iosb,
|
|
FILE_SHARE_READ|FILE_SHARE_WRITE,
|
|
FILE_SYNCHRONOUS_IO_NONALERT);
|
|
if (NT_SUCCESS (status)) {
|
|
status = iosb.Status;
|
|
}
|
|
if (!NT_SUCCESS (status)) {
|
|
// printf ("Failed to open WMI device %x\n", status);
|
|
return;
|
|
}
|
|
|
|
reginfo = malloc (reginfol = 4096);
|
|
if (!reginfo) {
|
|
printf ("Memory allocation failure for WMI buffer\n");
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
status = NtDeviceIoControlFile (handle,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
&iosb,
|
|
IOCTL_WMI_GET_ALL_REGISTRANT,
|
|
NULL,
|
|
0,
|
|
reginfo,
|
|
reginfol);
|
|
|
|
|
|
if (NT_SUCCESS (status)) {
|
|
status = iosb.Status;
|
|
}
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtDeviceIoControlFile failed %X\n", status);
|
|
} else {
|
|
for (i = 0; i < iosb.Information / sizeof (*reginfo); i++) {
|
|
printf ("Device %x registered with WMI\n", reginfo[i].ProviderId);
|
|
}
|
|
}
|
|
|
|
if (reginfo)
|
|
free (reginfo);
|
|
status = NtClose (handle);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtClose failed %x\n", status);
|
|
}
|
|
}
|
|
|
|
/*
|
|
Thread to read from a socket so we can test out transmit file
|
|
*/
|
|
DWORD WINAPI do_listen (LPVOID arg)
|
|
{
|
|
SOCKET s;
|
|
struct sockaddr_in sockaddr;
|
|
int l;
|
|
int status;
|
|
DWORD retlen;
|
|
CHAR buf[100];
|
|
|
|
l = sizeof (sockaddr);
|
|
s = accept (ls, (struct sockaddr *) &sockaddr, &l);
|
|
if (s == INVALID_SOCKET) {
|
|
printf ("Socket failed %d\n", WSAGetLastError ());
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
while (1) {
|
|
l = recv (s, buf, sizeof (buf), 0);
|
|
if (l == 0) {
|
|
break;
|
|
}
|
|
if (l == SOCKET_ERROR) {
|
|
printf ("recv failed %d\n", WSAGetLastError ());
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
void do_handle_grab (PDEVMAP devmap,
|
|
PULONG devscount)
|
|
{
|
|
NTSTATUS status;
|
|
CLIENT_ID clid;
|
|
OBJECT_ATTRIBUTES oa;
|
|
HANDLE handle;
|
|
|
|
InitializeObjectAttributes (&oa, NULL, 0, NULL, NULL);
|
|
clid.UniqueThread = 0;
|
|
clid.UniqueProcess = UlongToHandle( cid );
|
|
status = NtOpenProcess (&handle, PROCESS_DUP_HANDLE, &oa, &clid);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtOpenProcess for process %d failed %x\n", cid, status);
|
|
return;
|
|
}
|
|
status = NtDuplicateObject (handle, process_handle, NtCurrentProcess (),
|
|
&devmap->handle, 0, 0, DUPLICATE_SAME_ACCESS);
|
|
if (NT_SUCCESS (status)) {
|
|
*devscount += 1;
|
|
status = get_handle_access (devmap->handle, &devmap->access);
|
|
if (NT_SUCCESS(status)) {
|
|
wprintf(L"Grabbed handle with access %x\n",
|
|
devmap->access);
|
|
if (DELETE&devmap->access) {
|
|
printf ("Got delete access to device\n");
|
|
}
|
|
if (WRITE_DAC&devmap->access) {
|
|
printf ("Got write_dac access to device\n");
|
|
}
|
|
if (WRITE_OWNER&devmap->access) {
|
|
printf ("Got write_owner access to device\n");
|
|
}
|
|
}
|
|
query_object(devmap->handle, devmap, L"HANDLE");
|
|
misc_functions (devmap->handle, L"HANDLE", 0);
|
|
InitializeObjectAttributes (&oa, NULL, 0, devmap->handle, NULL);
|
|
try_fast_query_delete_etc (&oa, L"HANDLE", L"Top open");
|
|
try_funny_opens(devmap->handle, L"HANDLE");
|
|
do_ioctl(devmap, L"HANDLE");
|
|
} else {
|
|
printf ("NtDuplicateObject failed %x\n", status);
|
|
}
|
|
|
|
status = NtClose (handle);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtClose for process handle failed %x\n", status);
|
|
return;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Parse command line
|
|
//
|
|
void process_parameters(int argc, char *argv[], PUNICODE_STRING name, long *flags, long *flags2)
|
|
{
|
|
char c, nc, *p, st;
|
|
int i;
|
|
NTSTATUS status;
|
|
|
|
*flags = FLAGS_DO_IOCTL_NULL|FLAGS_DO_IOCTL_RANDOM|
|
|
FLAGS_DO_FSCTL_NULL|FLAGS_DO_FSCTL_RANDOM|
|
|
FLAGS_DO_LOGGING|FLAGS_DO_SKIPCRASH|FLAGS_DO_POOLCHECK|
|
|
FLAGS_DO_MISC|FLAGS_DO_QUERY|FLAGS_DO_SUBOPENS|FLAGS_DO_ZEROEA|
|
|
FLAGS_DO_DISKS|FLAGS_DO_SECURITY|FLAGS_DO_OPEN_CLOSE|
|
|
FLAGS_DO_DIRECT_DEVICE|FLAGS_DO_SYMBOLIC|FLAGS_DO_IMPERSONATION;
|
|
*flags2 = 0;
|
|
|
|
name->Length = name->MaximumLength = 0;
|
|
name->Buffer = NULL;
|
|
while (--argc) {
|
|
p = *++argv;
|
|
st = *p;
|
|
if (st == '/' || st == '-' || st == '+') {
|
|
c = *++p;
|
|
nc = *++p;
|
|
nc = (char) toupper (nc);
|
|
switch (toupper (c)) {
|
|
case 'I' :
|
|
if (nc == 'R') {
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_IOCTL_RANDOM;
|
|
else
|
|
*flags |= FLAGS_DO_IOCTL_RANDOM;
|
|
} else if (nc == 'N') {
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_IOCTL_NULL;
|
|
else
|
|
*flags |= FLAGS_DO_IOCTL_NULL;
|
|
} else if (nc == 'F') {
|
|
if (st == '-')
|
|
*flags &= ~(FLAGS_DO_IOCTL_NULL|FLAGS_DO_FSCTL_NULL|
|
|
FLAGS_DO_IOCTL_RANDOM|FLAGS_DO_FSCTL_RANDOM);
|
|
else
|
|
*flags |= FLAGS_DO_IOCTL_NULL|FLAGS_DO_FSCTL_NULL|
|
|
FLAGS_DO_IOCTL_RANDOM|FLAGS_DO_FSCTL_RANDOM;
|
|
} else if (nc == 'M') {
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_IMPERSONATION;
|
|
else
|
|
*flags |= FLAGS_DO_IMPERSONATION;
|
|
} else if (nc == 'L') {
|
|
if (argc > 1) {
|
|
ioctl_inbuf_min = atoi (*++argv);
|
|
ioctl_inbuf_min = min (ioctl_inbuf_min, BIGBUF_SIZE);
|
|
argc--;
|
|
printf ("IOCTL/FSCTL lower input buffer limit %d\n", ioctl_inbuf_min);
|
|
} else {
|
|
printf ("IOCTL/FSCTL lower input limit missing\n");
|
|
}
|
|
} else if (nc == 'U') {
|
|
if (argc > 1) {
|
|
ioctl_inbuf_max = atoi (*++argv);
|
|
ioctl_inbuf_max = min (ioctl_inbuf_max, BIGBUF_SIZE);
|
|
argc--;
|
|
printf ("IOCTL/FSCTL upper input buffer limit %d\n", ioctl_inbuf_max);
|
|
} else {
|
|
printf ("IOCTL/FSCTL upper input limit missing\n");
|
|
}
|
|
} else if (!nc) {
|
|
if (st == '-')
|
|
*flags &= ~(FLAGS_DO_IOCTL_NULL|FLAGS_DO_IOCTL_RANDOM);
|
|
else
|
|
*flags |= FLAGS_DO_IOCTL_NULL|FLAGS_DO_IOCTL_RANDOM;
|
|
}
|
|
break;
|
|
case 'F' :
|
|
if (nc == 'L') {
|
|
if (argc > 1) {
|
|
ioctl_min_function = atoi (*++argv);
|
|
ioctl_min_function = min (ioctl_min_function, 0xFFF);
|
|
argc--;
|
|
printf ("IOCTL/FSCTL lower function limit %d\n", ioctl_min_function);
|
|
} else {
|
|
printf ("IOCTL/FSCTL lower function limit missing\n");
|
|
}
|
|
} else if (nc == 'U') {
|
|
if (argc > 1) {
|
|
ioctl_max_function = atoi (*++argv);
|
|
ioctl_max_function = min (ioctl_max_function, 0xFFF);
|
|
argc--;
|
|
printf ("IOCTL/FSCTL upper function limit %d\n", ioctl_max_function);
|
|
} else {
|
|
printf ("IOCTL/FSCTL upper function limit missing\n");
|
|
}
|
|
} else if (nc == 'R') {
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_FSCTL_RANDOM;
|
|
else
|
|
*flags |= FLAGS_DO_FSCTL_RANDOM;
|
|
} else if (nc == 'N') {
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_FSCTL_NULL;
|
|
else
|
|
*flags |= FLAGS_DO_FSCTL_NULL;
|
|
} else if (nc == 'I') {
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_FAILURE_INJECTION;
|
|
else
|
|
*flags |= FLAGS_DO_FAILURE_INJECTION;
|
|
} else if (!nc) {
|
|
if (st == '-')
|
|
*flags &= ~(FLAGS_DO_FSCTL_NULL|FLAGS_DO_FSCTL_RANDOM);
|
|
else
|
|
*flags |= FLAGS_DO_FSCTL_NULL|FLAGS_DO_FSCTL_RANDOM;
|
|
}
|
|
break;
|
|
case 'C' :
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_SKIPCRASH;
|
|
else
|
|
*flags |= FLAGS_DO_SKIPCRASH;
|
|
break;
|
|
case 'L' :
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_LOGGING;
|
|
else
|
|
*flags |= FLAGS_DO_LOGGING;
|
|
break;
|
|
case 'P' :
|
|
if (!nc) {
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_POOLCHECK;
|
|
else
|
|
*flags |= FLAGS_DO_POOLCHECK;
|
|
} else if (nc == 'R') {
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_PROT;
|
|
else
|
|
*flags |= FLAGS_DO_PROT;
|
|
} else if (nc == 'D') {
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_PRINT_DEVS;
|
|
else
|
|
*flags |= FLAGS_DO_PRINT_DEVS;
|
|
} else if (nc == 'S') {
|
|
if (argc > 1) {
|
|
prefix_string = *++argv;
|
|
argc--;
|
|
} else {
|
|
printf ("Prefix string missing\n");
|
|
}
|
|
}
|
|
break;
|
|
case 'R' :
|
|
if (!nc) {
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_SKIPDONE;
|
|
else
|
|
*flags |= FLAGS_DO_SKIPDONE;
|
|
} else if (nc == 'D') {
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_RANDOM_DEVICE;
|
|
else
|
|
*flags |= FLAGS_DO_RANDOM_DEVICE;
|
|
}
|
|
break;
|
|
case 'M' :
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_MISC;
|
|
else
|
|
*flags |= FLAGS_DO_MISC;
|
|
break;
|
|
case 'N' :
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_MAPNULL;
|
|
else
|
|
*flags |= FLAGS_DO_MAPNULL;
|
|
break;
|
|
case 'O' :
|
|
if (nc == 'L') {
|
|
if (argc > 1) {
|
|
ioctl_outbuf_min = atoi (*++argv);
|
|
ioctl_outbuf_min = min (ioctl_outbuf_min, BIGBUF_SIZE);
|
|
argc--;
|
|
printf ("IOCTL/FSCTL lower output buffer limit %d\n", ioctl_outbuf_min);
|
|
} else {
|
|
printf ("IOCTL/FSCTL lower output limit missing\n");
|
|
}
|
|
} else if (nc == 'U') {
|
|
if (argc > 1) {
|
|
ioctl_outbuf_max = atoi (*++argv);
|
|
ioctl_outbuf_max = min (ioctl_outbuf_max, BIGBUF_SIZE);
|
|
argc--;
|
|
printf ("IOCTL/FSCTL upper output buffer limit %d\n", ioctl_outbuf_max);
|
|
} else {
|
|
printf ("IOCTL/FSCTL upper output limit missing\n");
|
|
}
|
|
} else if (nc == 'C') {
|
|
if (st == '-') {
|
|
*flags &= ~FLAGS_DO_OPEN_CLOSE;
|
|
} else {
|
|
*flags |= FLAGS_DO_OPEN_CLOSE;
|
|
}
|
|
}
|
|
break;
|
|
case 'S' :
|
|
if (nc == 'D') {
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_SECURITY;
|
|
else
|
|
*flags |= FLAGS_DO_SECURITY;
|
|
} else if (nc == 'L'){
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_SYMBOLIC;
|
|
else
|
|
*flags |= FLAGS_DO_SYMBOLIC;
|
|
} else {
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_SUBOPENS;
|
|
else
|
|
*flags |= FLAGS_DO_SUBOPENS;
|
|
}
|
|
break;
|
|
case 'Q' :
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_QUERY;
|
|
else
|
|
*flags |= FLAGS_DO_QUERY;
|
|
break;
|
|
case 'A' :
|
|
if (nc == 'L') {
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_ALERT;
|
|
else
|
|
*flags |= FLAGS_DO_ALERT;
|
|
} else {
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_ALLDEVS;
|
|
else
|
|
*flags |= FLAGS_DO_ALLDEVS;
|
|
}
|
|
break;
|
|
case 'E' :
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_ZEROEA;
|
|
else
|
|
*flags |= FLAGS_DO_ZEROEA;
|
|
break;
|
|
case 'Z' :
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_LPC;
|
|
else
|
|
*flags |= FLAGS_DO_LPC;
|
|
break;
|
|
case 'V' :
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_ERRORS;
|
|
else
|
|
*flags |= FLAGS_DO_ERRORS;
|
|
break;
|
|
case 'J' :
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_STREAMS;
|
|
else
|
|
*flags |= FLAGS_DO_STREAMS;
|
|
break;
|
|
case 'W' :
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_WINSOCK;
|
|
else
|
|
*flags |= FLAGS_DO_WINSOCK;
|
|
break;
|
|
case 'K' :
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_SYNC;
|
|
else
|
|
*flags |= FLAGS_DO_SYNC;
|
|
break;
|
|
case 'T' :
|
|
if (nc == 'T') {
|
|
if (argc > 1) {
|
|
max_tailured_calls = atoi (*++argv);
|
|
argc--;
|
|
max_tailured_calls = ((max_tailured_calls + RAND_REP - 1) / RAND_REP) *
|
|
RAND_REP;
|
|
printf ("IOCTL/FSCTL tailured calls %d\n", max_tailured_calls);
|
|
} else {
|
|
printf ("IOCTL/FSCTL tailured calls value is missing\n");
|
|
}
|
|
} else {
|
|
if (argc > 1) {
|
|
max_random_calls = atoi (*++argv);
|
|
argc--;
|
|
max_random_calls = ((max_random_calls + RAND_REP - 1) / RAND_REP) *
|
|
RAND_REP;
|
|
printf ("IOCTL/FSCTL random calls %d\n", max_random_calls);
|
|
} else {
|
|
printf ("IOCTL/FSCTL random calls value is missing\n");
|
|
}
|
|
}
|
|
break;
|
|
case 'D' :
|
|
if (nc == 'L') {
|
|
if (argc > 1) {
|
|
ioctl_min_devtype = atoi (*++argv);
|
|
argc--;
|
|
ioctl_min_devtype = min (ioctl_min_devtype, 0xFFFF);
|
|
printf ("IOCTL/FSCTL lower device type limit %d\n",
|
|
ioctl_min_devtype);
|
|
} else {
|
|
printf ("IOCTL/FSCTL lower device type limit missing\n");
|
|
}
|
|
} else if (nc == 'U') {
|
|
if (argc > 1) {
|
|
ioctl_max_devtype = atoi (*++argv);
|
|
ioctl_max_devtype = min (ioctl_max_devtype, 0xFFFF);
|
|
argc--;
|
|
printf ("IOCTL/FSCTL upper device type limit %d\n",
|
|
ioctl_max_devtype);
|
|
} else {
|
|
printf ("IOCTL/FSCTL upper device type limit missing\n");
|
|
}
|
|
} else if (nc == 'D') {
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_DIRECT_DEVICE;
|
|
else
|
|
*flags |= FLAGS_DO_DIRECT_DEVICE;
|
|
break;
|
|
} else if (nc == 'R') {
|
|
if (st == '-') {
|
|
*flags2 &= ~FLAGS_DO_DRIVER;
|
|
} else {
|
|
*flags2 |= FLAGS_DO_DRIVER;
|
|
*flags |= FLAGS_DO_ALLDEVS;
|
|
if (argc > 1) {
|
|
status = RtlCreateUnicodeStringFromAsciiz (&DriverName, *++argv);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("RtlCreateUnicodeStringFromAsciiz failed %x\n", status);
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
argc--;
|
|
} else {
|
|
printf ("Input driver name missing on command line\n");
|
|
}
|
|
}
|
|
break;
|
|
} else if (!nc) {
|
|
if (argc > 1) {
|
|
status = RtlCreateUnicodeStringFromAsciiz (name, *++argv);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("RtlCreateUnicodeStringFromAsciiz failed %x\n", status);
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
argc--;
|
|
} else {
|
|
printf ("Input device missing on command line\n");
|
|
}
|
|
}
|
|
break;
|
|
case 'G':
|
|
if (argc > 2) {
|
|
*flags |= FLAGS_DO_GRAB;
|
|
cid = atoi (*++argv);
|
|
process_handle = UlongToHandle( atoi (*++argv) );
|
|
argc -= 2;
|
|
} else {
|
|
printf ("Client ID and handle missing\n");
|
|
}
|
|
break;
|
|
case 'Y' :
|
|
if (st == '-')
|
|
*flags &= ~FLAGS_DO_DISKS;
|
|
else
|
|
*flags |= FLAGS_DO_DISKS;
|
|
break;
|
|
case '?':
|
|
case 'H':
|
|
default :
|
|
*flags |= FLAGS_DO_USAGE;
|
|
break;
|
|
}
|
|
} else {
|
|
status = RtlCreateUnicodeStringFromAsciiz (name, *argv);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("RtlCreateUnicodeStringFromAsciiz failed %x\n", status);
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
}
|
|
}
|
|
ioctl_inbuf_max = max (ioctl_inbuf_min, ioctl_inbuf_max);
|
|
ioctl_outbuf_max = max (ioctl_outbuf_min, ioctl_outbuf_max);
|
|
if (prefix_string && (*flags&FLAGS_DO_PRINT_DEVS) == 0) {
|
|
prefix_string = NULL;
|
|
}
|
|
return;
|
|
}
|
|
|
|
/*
|
|
Print out usage message
|
|
*/
|
|
void
|
|
do_usage (void)
|
|
{
|
|
printf ("devctl [/i] [/l] [/il nn] [/iu mm] [devnam]\n\n");
|
|
printf ("/ and + enable options, - disables options\n\n");
|
|
printf ("/a\tDo all devices in system. Don't prompt for yes/no etc\n");
|
|
printf ("/al\tAlert the main thread periodically\n");
|
|
printf ("/c\tEnable or disable skipping operations that aborted or crashed\n");
|
|
printf ("/dd\tEnable or disable the direct device open paths\n");
|
|
printf ("/dl nn\tSets max for device type portion of IOCTL/FSCTL code, default 0\n");
|
|
printf ("/dr drv\tOnly runs on device objects with driver <drv> in their stack\n");
|
|
printf ("/du nn\tSets min limit for device type portion of IOCTL/FSCTL code, default 200\n");
|
|
printf ("/e\tEnable or disable zero length EA's, needed on checked builds\n");
|
|
printf ("/f\tEnable or disable all FSCTL paths\n");
|
|
printf ("/fi\tEnable or disable turning on failure injection in the driver verifier\n");
|
|
printf ("/fn\tEnable or disable FSCTL paths with null buffers\n");
|
|
printf ("/fr\tEnable or disable FSCTL paths with random buffers\n");
|
|
printf ("/fl nn\tSets max for function portion of IOCTL and FSCTL code, default 0\n");
|
|
printf ("/fu nn\tSets min for function portion of IOCTL and FSCTL code, default 400\n");
|
|
printf ("/g c h\tGrabs a handle from another process\n");
|
|
printf ("/h /?\tPrints this message\n");
|
|
printf ("/i\tEnable or disable all IOCTL paths\n");
|
|
printf ("/if\tEnable or disable all FSCTL and IOCTL paths\n");
|
|
printf ("/in\tEnable or disable IOCTL paths with null buffers\n");
|
|
printf ("/il nnn\tSet lower input buffer size\n");
|
|
printf ("/im\tEnable or disable the impersonation of a non-admin during the test\n");
|
|
printf ("/iu nnn\tSet upper input buffer size\n");
|
|
printf ("/ir\tEnable or disable IOCTL paths with random buffers\n");
|
|
printf ("/j\tEnable or disable relative stream opens for filesystems\n");
|
|
printf ("/k\tEnable or disable synchronous handles\n");
|
|
printf ("/l\tEnable or disable logging and skipping failing functions\n");
|
|
printf ("/m\tEnable or disable the misc functions\n");
|
|
printf ("/n\tMap zero page so that NULL pointer de-references don't raise\n");
|
|
printf ("/oc\tEnable or disable the multithreaded open and close stage\n");
|
|
printf ("/ol nnn\tSet lower output buffer size\n");
|
|
printf ("/ou nnn\tSet upper output buffer size\n");
|
|
printf ("/p\tEnable or disable the checks on pool usage via tags and lookaside lists\n");
|
|
printf ("/pd\tPrint out device objects and symbolic links and exit\n");
|
|
printf ("/pr\tEnable or disable protection change tests\n");
|
|
printf ("/ps sss\tSet prefix string for use with /pd\n");
|
|
printf ("/q\tEnable or disable the normal handle query functions\n");
|
|
printf ("/r\tEnable or disable skipping operations already logged as done\n");
|
|
printf ("/rd\tSelect a random device object or symbolic link for testing\n");
|
|
printf ("/s\tEnable or disable the sub or relative opens to obtain handles\n");
|
|
printf ("/sd\tEnable or disable the query and set security functions\n");
|
|
printf ("/sl\tEnable or disable the opening of symbolic links\n");
|
|
printf ("/se nnn\tSet session id to nnn\n");
|
|
printf ("/t nn\tSet max IOCTL/FSCTL calls made with random buffers, default 100000\n");
|
|
printf ("/tt nn\tSet max tailured calls made for discovered IOCTLs/FSCTLs, default 10000\n");
|
|
printf ("/v\tEnable or disable the printing of error status values for calls\n");
|
|
printf ("/w\tEnable or disable the winsock TransmitFile test\n");
|
|
printf ("/y\tEnable or disable touching disk devices\n");
|
|
printf ("\n");
|
|
printf ("Defaults: devctl -a -al +c +dd +dl 0 -dr +du 200 +e +fn +fr +fl 0 fu 400 +im\n");
|
|
printf (" +il 0 +in +iu 512 +ir -j -k +l +m -n +oc +ol 0 +ou 512 +p -pr\n");
|
|
printf (" +q +s +sd +sl +t 100000 +tt 10000 -v -w +y\n");
|
|
}
|
|
|
|
void change_session (ULONG sessionid)
|
|
{
|
|
HANDLE token;
|
|
|
|
if (!OpenProcessToken (NtCurrentProcess (), MAXIMUM_ALLOWED, &token)) {
|
|
printf ("OpenProcessToken failed %d\n", GetLastError ());
|
|
return;
|
|
}
|
|
if (SetTokenInformation (token, TokenSessionId, &sessionid, sizeof (sessionid))) {
|
|
printf ("Token session ID changed to %d\n", sessionid);
|
|
} else {
|
|
printf ("SetTokenInformation failed %d\n", GetLastError ());
|
|
}
|
|
if (!CloseHandle (token)) {
|
|
printf ("CloseHandle failed %d\n", GetLastError ());
|
|
return;
|
|
}
|
|
}
|
|
|
|
BOOL
|
|
EnableDebugPrivilege (
|
|
)
|
|
{
|
|
struct
|
|
{
|
|
DWORD Count;
|
|
LUID_AND_ATTRIBUTES Privilege [1];
|
|
|
|
} Info;
|
|
|
|
HANDLE Token;
|
|
BOOL Result;
|
|
|
|
//
|
|
// open the process token
|
|
//
|
|
|
|
Result = OpenProcessToken (
|
|
GetCurrentProcess (),
|
|
TOKEN_ADJUST_PRIVILEGES,
|
|
& Token);
|
|
|
|
if( Result != TRUE )
|
|
{
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// prepare the info structure
|
|
//
|
|
|
|
Info.Count = 1;
|
|
Info.Privilege[0].Attributes = SE_PRIVILEGE_ENABLED;
|
|
|
|
Result = LookupPrivilegeValue (
|
|
NULL,
|
|
SE_DEBUG_NAME,
|
|
&(Info.Privilege[0].Luid));
|
|
|
|
if( Result != TRUE )
|
|
{
|
|
CloseHandle( Token );
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// adjust the privileges
|
|
//
|
|
|
|
Result = AdjustTokenPrivileges (
|
|
Token,
|
|
FALSE,
|
|
(PTOKEN_PRIVILEGES) &Info,
|
|
0,
|
|
NULL,
|
|
NULL);
|
|
|
|
if( Result != TRUE || GetLastError() != ERROR_SUCCESS )
|
|
{
|
|
CloseHandle( Token );
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
CloseHandle( Token );
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
void
|
|
__cdecl
|
|
main(
|
|
int argc, char **argv
|
|
)
|
|
{
|
|
ULONG seed, i;
|
|
UNICODE_STRING us;
|
|
ULONG id, tmp;
|
|
DWORD old;
|
|
NTSTATUS status;
|
|
UNICODE_STRING name;
|
|
WSADATA wsadata;
|
|
WORD version;
|
|
int istatus;
|
|
SOCKET s;
|
|
struct sockaddr_in sockaddr;
|
|
char nameb[255];
|
|
HOSTENT *host;
|
|
struct in_addr localaddr;
|
|
DWORD retlen;
|
|
int t;
|
|
HANDLE listenthread;
|
|
struct sockaddr_in laddr;
|
|
SIZE_T size;
|
|
PVOID base;
|
|
|
|
//
|
|
// Turn off popups for a missing floppy etc
|
|
//
|
|
SetErrorMode(SEM_FAILCRITICALERRORS);
|
|
|
|
Create_nonadmin_token ();
|
|
|
|
//
|
|
// Create and event for any requests we really need to work on a async handle
|
|
//
|
|
status = NtCreateEvent (&sync_event, EVENT_ALL_ACCESS, NULL, NotificationEvent, FALSE);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtCreateEvent failed %x\n", status);
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
process_parameters (argc, argv, &name, &flags, &flags2);
|
|
if (flags&FLAGS_DO_USAGE) {
|
|
do_usage ();
|
|
exit (EXIT_SUCCESS);
|
|
}
|
|
EnableDebugPrivilege ();
|
|
|
|
/*
|
|
Seed RNG
|
|
*/
|
|
|
|
|
|
// printf("Seed? ");
|
|
// scanf("%d", &seed);
|
|
// srand(seed);
|
|
srand ((unsigned) time (NULL));
|
|
|
|
//
|
|
// Build a socket etc to handle the TransmitFile API
|
|
//
|
|
do {
|
|
if (!(flags&FLAGS_DO_WINSOCK))
|
|
break;
|
|
if (flags&FLAGS_DO_PRINT_DEVS)
|
|
break;
|
|
|
|
version = MAKEWORD (2, 0);
|
|
istatus = WSAStartup (version, &wsadata);
|
|
if (istatus != 0) {
|
|
printf ("Failed to start winsock %x!\n", istatus);
|
|
flags &= ~FLAGS_DO_WINSOCK;
|
|
break;
|
|
}
|
|
|
|
istatus = gethostname (nameb, sizeof (nameb));
|
|
if (istatus != 0) {
|
|
printf ("Gethostname failed %d\n", WSAGetLastError ());
|
|
flags &= ~FLAGS_DO_WINSOCK;
|
|
break;
|
|
}
|
|
|
|
host = gethostbyname (nameb);
|
|
if (!host) {
|
|
printf ("Gethostbyname failed %d\n", WSAGetLastError ());
|
|
flags &= ~FLAGS_DO_WINSOCK;
|
|
break;
|
|
}
|
|
localaddr = *(struct in_addr *) host->h_addr_list[0];
|
|
|
|
ls = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
|
|
if (ls == INVALID_SOCKET) {
|
|
printf ("Socket failed %d\n", WSAGetLastError ());
|
|
flags &= ~FLAGS_DO_WINSOCK;
|
|
break;
|
|
}
|
|
memset (&sockaddr, 0, sizeof (sockaddr));
|
|
sockaddr.sin_family = AF_INET;
|
|
sockaddr.sin_port = htons (0);
|
|
sockaddr.sin_addr = localaddr;
|
|
istatus = bind (ls, (struct sockaddr *) &sockaddr, sizeof (sockaddr));
|
|
if (istatus != 0) {
|
|
printf ("Bind failed %d\n", WSAGetLastError ());
|
|
flags &= ~FLAGS_DO_WINSOCK;
|
|
break;
|
|
}
|
|
|
|
istatus = listen (ls, 2);
|
|
if (istatus != 0) {
|
|
printf ("Listen failed %d\n", WSAGetLastError ());
|
|
flags &= ~FLAGS_DO_WINSOCK;
|
|
break;
|
|
}
|
|
|
|
t = sizeof (laddr);
|
|
istatus = getsockname (ls, (struct sockaddr *) &laddr, &t);
|
|
if (istatus != 0) {
|
|
printf ("Getsockname failed %d\n", WSAGetLastError ());
|
|
flags &= ~FLAGS_DO_WINSOCK;
|
|
break;
|
|
}
|
|
printf ("Listen socket on port %d address %s\n",
|
|
ntohs (laddr.sin_port), inet_ntoa (laddr.sin_addr));
|
|
|
|
listenthread = CreateThread (NULL, 0, do_listen, NULL, 0, &id);
|
|
if (!listenthread) {
|
|
printf ("CreateThread failed %d\n", GetLastError ());
|
|
flags &= ~FLAGS_DO_WINSOCK;
|
|
break;
|
|
}
|
|
|
|
cs = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
|
|
if (cs == INVALID_SOCKET) {
|
|
printf ("Socket failed %d\n", WSAGetLastError ());
|
|
flags &= ~FLAGS_DO_WINSOCK;
|
|
break;
|
|
}
|
|
istatus = connect (cs, (struct sockaddr *) &laddr, sizeof (laddr));
|
|
if (istatus != 0) {
|
|
printf ("connect failed %d\n", WSAGetLastError ());
|
|
flags &= ~FLAGS_DO_WINSOCK;
|
|
break;
|
|
}
|
|
} while (FALSE);
|
|
|
|
//
|
|
// Build a big buffer to pass to requests
|
|
//
|
|
bigbuf = VirtualAlloc(NULL, BIGBUF_SIZE + SLOP, MEM_COMMIT, PAGE_READWRITE);
|
|
if (!bigbuf) {
|
|
printf ("Failed to allocate I/O buffers %x\n", GetLastError ());
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
//
|
|
// Map the zero page and fill it with junk
|
|
//
|
|
if (flags&FLAGS_DO_MAPNULL) {
|
|
base = (PVOID) 1;
|
|
size = 1;
|
|
status = NtAllocateVirtualMemory (NtCurrentProcess (), &base, 1, &size,
|
|
MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtAllocateVirtualMemory for zero page failed %x\n", status);
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
for (i = 0; i < size; i++) {
|
|
*((PUCHAR) base + i) = (UCHAR) rand ();
|
|
}
|
|
}
|
|
// randthread = CreateThread (NULL, 0, randomize, bigbuf, CREATE_SUSPENDED, &id);
|
|
// if (!randthread) {
|
|
// printf ("Failed to create radomizing thread %x\n", GetLastError ());
|
|
// exit (EXIT_FAILURE);
|
|
// }
|
|
//
|
|
// Create a thread to change the page protection of our buffer if need be
|
|
//
|
|
if (flags&FLAGS_DO_PROT) {
|
|
changethread = CreateThread (NULL, 0, changeprot, bigbuf, CREATE_SUSPENDED, &id);
|
|
if (!changethread) {
|
|
printf ("Failed to create protection change thread %x\n", GetLastError ());
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
}
|
|
//
|
|
// Get a real handle to our thread to pass to other threads
|
|
//
|
|
status = NtDuplicateObject (NtCurrentProcess (), NtCurrentThread (),
|
|
NtCurrentProcess (), &mainthread,
|
|
0, 0, DUPLICATE_SAME_ACCESS);
|
|
if (!NT_SUCCESS (status)) {
|
|
printf ("NtDuplcateObject failed %x\n", status);
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
//
|
|
// Create a thread to alert this one periodicaly or when it thinks we are stuck
|
|
//
|
|
alertthread = CreateThread (NULL, 0, alerter, mainthread, 0, &id);
|
|
if (!alertthread) {
|
|
printf ("Failed to create alerting thread %x\n", GetLastError ());
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
// status = NtSuspendThread (changethread, &tmp);
|
|
// if (!NT_SUCCESS (status)) {
|
|
// printf ("NtSuspendThread failed %x\n", status);
|
|
// }
|
|
// status = NtSuspendThread (randthread, &tmp);
|
|
// if (!NT_SUCCESS (status)) {
|
|
// printf ("NtSuspendThread failed %x\n", status);
|
|
// }
|
|
if (!VirtualProtect (bigbuf, 1, PAGE_READWRITE, &old)) {
|
|
printf ("VirtualProtect failed %d\n", GetLastError ());
|
|
}
|
|
|
|
devscount = 0;
|
|
print_diags (0, 0);
|
|
if (flags&FLAGS_DO_GRAB) {
|
|
do_handle_grab (devmap,
|
|
&devscount);
|
|
}
|
|
|
|
/*
|
|
* Crash the system.
|
|
*/
|
|
if (name.Length > 0) {
|
|
if (flags&FLAGS_DO_IMPERSONATION) {
|
|
Impersonate_nonadmin ();
|
|
}
|
|
|
|
status = do_device_opens (NULL,
|
|
&name,
|
|
devmap,
|
|
&devscount,
|
|
name.Buffer,
|
|
name.Buffer);
|
|
|
|
if (flags&FLAGS_DO_IMPERSONATION) {
|
|
if (!Revert_from_admin ()) {
|
|
printf ("Revert_from_admin failed %d\n", GetLastError ());
|
|
exit (EXIT_FAILURE);
|
|
}
|
|
}
|
|
} else {
|
|
do_wmi ();
|
|
|
|
random_device = (rand () % 1345) + 1;
|
|
|
|
while (1) {
|
|
|
|
RtlInitUnicodeString(&us,
|
|
L"\\");
|
|
|
|
skipped = 0;
|
|
recurse(0,
|
|
&us,
|
|
devmap,
|
|
&devscount,
|
|
L"",
|
|
1);
|
|
|
|
for (i = 0; i < devscount; i++) {
|
|
free (devmap[i].name);
|
|
devmap[i].name = NULL;
|
|
free (devmap[i].filename);
|
|
devmap[i].filename = NULL;
|
|
NtClose(devmap[i].handle);
|
|
}
|
|
devscount = 0;
|
|
if (flags&(FLAGS_DO_ALLDEVS|FLAGS_DO_PRINT_DEVS)) {
|
|
break;
|
|
}
|
|
if ((flags&FLAGS_DO_RANDOM_DEVICE) && (random_device == 0)) {
|
|
Sleep (30*1000);
|
|
random_device = (rand () % 1345) + 1;
|
|
}
|
|
}
|
|
}
|
|
if ((flags&FLAGS_DO_PRINT_DEVS) == 0) {
|
|
crashes (L"DONE", L"", L"", L"", L"");
|
|
}
|
|
|
|
exit(EXIT_SUCCESS);
|
|
}
|