📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.









How does this cdrom driver hold the read data before return?

Topic created on: October 14, 2008 03:19 CDT by kcynice.

There is a cdrom driver which simply implements its IRP_MJ_READ routine by calling IofCallDriver. But the driver can decrypt the data on special discs. If so, when and how does the driver get the chance to hold the data read by the lower-level driver and decrypt it?

  gemoroy     October 14, 2008 05:15.51 CDT
I think that would be helpful
http://www.tech-archive.net/Archive/Development/microsoft.public.development.device.drivers/2008-02/msg00371.html

  kcynice   October 15, 2008 03:59.36 CDT
> gemoroy: I think that would be helpful
> http://www.tech-archive.net/Archive/Development/microsoft.public.development.device.drivers/2008-02/msg00371.html

Thanks for your reply. Yes, it's helpful. I know the procedure of it. But the problem is, I have written a test program which just calls ReadFile to read a block of data from the disc, but I find the IRP_MJ_READ routine would not be called.

  gemoroy     October 15, 2008 05:03.01 CDT
Mmm... I think I hadn't completely understood what you wanted to do... Did you want to call IRP_MJ_READ when user mode calls ReadFile()?
If you had some problems with ReadFile(), you could avoid it by using DeviceIoControl() [uses IRP_MJ_DEVICE_CONTROL instead, but you'll need to add DEP for it], or please describe your problem in more detail... or what about posting your test program code?
PS: (Sorry for my bad English)

  kcynice   October 15, 2008 20:56.56 CDT
> gemoroy: Mmm... I think I hadn't completely understood what you wanted to do... Did you want to call IRP_MJ_READ when user mode calls ReadFile()?
> If you had some problems with ReadFile(), you could avoid it by using DeviceIoControl() [uses IRP_MJ_DEVICE_CONTROL instead, but you'll need to add DEP for it], or please describe your problem in more detail... or what about posting your test program code?
> PS: (Sorry for my bad English)

Oh, my test program is very simple: it just calls CreateFileA to open a file on the disc for reading, then calls ReadFile to read a block from the file. My aim is to reverse the driver, mainly about when and how the driver can hold the data read from the files on the discs.
As I know, a user-mode app calling ReadFile would make the system send an IRP_MJ_READ I/O request to the specified driver; the result is that the system would call the driver's IRP_MJ_READ routine to do the real job, right?
The problem is that I inserted a bp at the driver's IRP_MJ_READ routine before my test program ran, but SoftICE doesn't break at that bp even though my test program has read the data that I wanted.

  kcynice   November 8, 2008 00:31.21 CST
Hoho, I'm afraid I got it! This was just a low filter driver! So, it would not receive the IRP_MJ_READ message when user apps call ReadFile to read data from the disc, but communicates with user apps through the IRP_MJ_SCSI routine.
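
An added example, not code from the thread or from the driver being discussed: a user-mode C model of the conclusion in the last post, where the class driver above a lower filter re-issues the read as an IRP_MJ_SCSI request and the filter sets a completion routine before forwarding, so it can process the buffer on the way back up. The struct layout, the function names and the XOR transform are assumptions made for illustration; only the IRP_MJ_* and READ(10) constants are real WDK/SCSI values.

```c
/* User-mode model (constructed) of a CD-ROM device stack:
 * class driver -> lower filter -> port driver. Not WDK code. */
#include <stddef.h>
#include <string.h>

#define IRP_MJ_READ 0x03
#define IRP_MJ_SCSI 0x0F   /* WDK alias of IRP_MJ_INTERNAL_DEVICE_CONTROL */
#define SCSIOP_READ 0x28   /* READ(10) CDB opcode */

typedef struct irp {                  /* hypothetical, simplified IRP + SRB */
    unsigned char major;              /* major function seen at this level */
    unsigned char cdb0;               /* first CDB byte of the SRB */
    unsigned char *buf;
    size_t len;
    void (*completion)(struct irp *); /* stand-in for IoSetCompletionRoutine */
} irp_t;

int filter_read_hits, filter_scsi_hits; /* which filter dispatch paths ran */

/* Port driver: bottom of the stack, fills the buffer with "sector" bytes. */
static void port_dispatch(irp_t *irp) {
    memset(irp->buf, 0x5A, irp->len);          /* constructed raw disc data */
    if (irp->completion) irp->completion(irp); /* runs on the way back up */
}

/* Hypothetical transform standing in for the driver's real decryption. */
static void filter_completion(irp_t *irp) {
    for (size_t i = 0; i < irp->len; i++) irp->buf[i] ^= 0xFF;
}

/* Lower filter: forwards every request, hooks completion for SCSI reads. */
static void filter_dispatch(irp_t *irp) {
    if (irp->major == IRP_MJ_READ) filter_read_hits++;
    if (irp->major == IRP_MJ_SCSI) {
        filter_scsi_hits++;
        if (irp->cdb0 == SCSIOP_READ) irp->completion = filter_completion;
    }
    port_dispatch(irp);                        /* stand-in for IofCallDriver */
}

/* Class driver: handles the IRP_MJ_READ caused by ReadFile itself and
 * sends an SRB-based request down, so the filter never sees IRP_MJ_READ. */
int class_read(unsigned char *buf, size_t len) {
    irp_t irp = { IRP_MJ_SCSI, SCSIOP_READ, buf, len, NULL };
    filter_dispatch(&irp);
    return (int)len;
}
```

In this model a breakpoint on the filter's IRP_MJ_READ path never fires, while the IRP_MJ_SCSI path and the completion routine both run for a single read.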
