note to self
Dennis Elser (dennis) <dennisbacktracede> Thursday, January 10 2008 11:58.42 CST


When patching drivers such as tcpip.sys by hand, do not forget to update the image checksum before rebooting ;-)
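
The check the note is about, as an added example that is not part of the original post and not a tool of the author's: a stand-alone C implementation of the PE image checksum (the 16-bit end-around-carry sum used by imagehlp's CheckSumMappedFile / MapFileAndCheckSum, with the CheckSum field itself treated as zero and the file length added at the end), plus a verifier and an in-place updater. The function names and the 256-byte sample image are constructed for the example; it is not a real driver.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Little-endian helpers: PE headers are always little-endian on disk. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* File offset of IMAGE_OPTIONAL_HEADER.CheckSum, or 0 if the buffer is not a
 * plausible PE image.  The field is 64 bytes into the optional header for both
 * PE32 and PE32+: e_lfanew + 4 ("PE\0\0") + 20 (IMAGE_FILE_HEADER) + 64. */
size_t pe_checksum_offset(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return 0;
    uint32_t e_lfanew = rd32(img + 0x3c);
    if (e_lfanew % 4 != 0 || (size_t)e_lfanew + 4 > len)
        return 0;
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0)
        return 0;
    size_t off = (size_t)e_lfanew + 4 + 20 + 64;
    return off + 4 <= len ? off : 0;
}

/* The imagehlp algorithm: sum all 16-bit words, folding the carry back in
 * after every add, skip the stored CheckSum dword, then add the file length. */
uint32_t pe_compute_checksum(const uint8_t *img, size_t len, size_t cksum_off)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i += 2) {
        if (i >= cksum_off && i < cksum_off + 4)
            continue;                               /* stored value must not feed the sum */
        uint32_t word = img[i];
        if (i + 1 < len)
            word |= (uint32_t)img[i + 1] << 8;      /* an odd trailing byte is zero-padded */
        sum += word;
        sum = (sum & 0xffff) + (sum >> 16);         /* end-around carry */
    }
    sum = (sum & 0xffff) + (sum >> 16);
    return sum + (uint32_t)len;
}

/* 1 if the stored CheckSum matches the bytes on disk, 0 otherwise (also for non-PE input). */
int pe_verify_checksum(const uint8_t *img, size_t len)
{
    size_t off = pe_checksum_offset(img, len);
    if (off == 0) return 0;
    return rd32(img + off) == pe_compute_checksum(img, len, off);
}

/* Recompute and write the CheckSum in place; returns the new value, 0 on a non-PE buffer. */
uint32_t pe_update_checksum(uint8_t *img, size_t len)
{
    size_t off = pe_checksum_offset(img, len);
    if (off == 0) return 0;
    uint32_t sum = pe_compute_checksum(img, len, off);
    wr32(img + off, sum);
    return sum;
}

/* Constructed 256-byte stand-in for a driver image (not a real tcpip.sys):
 * MZ stub, e_lfanew = 0x40, PE signature, PE32 magic, all other bytes zero. */
size_t make_sample_image(uint8_t *buf, size_t cap)
{
    const size_t len = 256;
    if (cap < len) return 0;
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, 0x40);
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x58] = 0x0b; buf[0x59] = 0x01;             /* IMAGE_NT_OPTIONAL_HDR32_MAGIC */
    return len;
}

/* Usage: pe_chksum <image> [--fix]: report the stored and computed checksum, optionally rewrite it. */
int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s <image> [--fix]\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    fseek(f, 0, SEEK_END); long n = ftell(f); rewind(f);
    uint8_t *img = n > 0 ? malloc((size_t)n) : NULL;
    if (!img || fread(img, 1, (size_t)n, f) != (size_t)n) { fclose(f); return 2; }
    fclose(f);
    size_t off = pe_checksum_offset(img, (size_t)n);
    if (!off) { fprintf(stderr, "not a PE image\n"); return 2; }
    printf("stored 0x%08x computed 0x%08x\n", rd32(img + off), pe_compute_checksum(img, (size_t)n, off));
    if (argc > 2 && strcmp(argv[2], "--fix") == 0) {
        pe_update_checksum(img, (size_t)n);
        f = fopen(argv[1], "wb");
        if (!f || fwrite(img, 1, (size_t)n, f) != (size_t)n) { perror(argv[1]); return 2; }
        fclose(f);
    }
    free(img);
    return 0;
}
```

On a real driver, `editbin /RELEASE driver.sys` does the same rewrite. The kernel's image loader verifies this field for drivers and fails the load with STATUS_IMAGE_CHECKSUM_MISMATCH (0xC0000221) when it is stale, which is the failure the note refers to; the checksum is an integrity sanity check, not a security control, and on Windows versions that enforce kernel-mode code signing a corrected checksum does not make a hand-patched driver loadable, because the signature covers the modified bytes.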

Comments
jms Posted: Thursday, January 10 2008 14:45.51 CST
Hahahah that's great!

fileoffset Posted: Thursday, January 10 2008 20:31.22 CST
dolt :)

jms Posted: Friday, January 11 2008 02:46.16 CST
Hey wait a minute, you weren't patching a new Vista tcpip.sys were you, by chance?

dennis Posted: Friday, January 11 2008 02:52.55 CST
hey jms,

nope, I don't have Vista at all, but while you're making assumptions: I had a quick look at quite a few drivers yesterday, both MS ones and 3rd-party ones. And some of them indeed contain similar code: malloc()-like calls in conjunction with movzx r32, r16 instructions as the size parameter. It's not that I have found anything "interesting" at first glance yet, but you might want to have a look ;-)

jms Posted: Friday, January 11 2008 02:56.55 CST
Righteous stuff...did you take them for a spin with the ioctl fuzzer I wrote?

dennis Posted: Friday, January 11 2008 03:00.01 CST
nope. but that'd be a good idea. I might set up a new VM and do some testing this weekend if I'm in the mood. Maybe we can work together if you're interested.

c1de0x Posted: Sunday, January 13 2008 00:55.22 CST
lol @ dennis.

Good one!

jms Posted: Sunday, January 13 2008 00:58.00 CST
I am interested but very short on time as of late, however feel free to post questions here or fire me an email. Also I wrote a static analysis plugin for ImmunityDebugger to weed out the IOCTL codes that the user-mode trap could have missed. Check the SVN repo on http://ioctlizer.googlecode.com