-1

I've been reversing an exemplary application given in class & I'm facing a problem trying to find out what the DeviceIoControl() function is returning in the Output Buffer & since DeviceIoControl() is often used after calling CreateFile(), I have to discuss that last one. These are the steps the program goes through:

  1. The program opens C: drive with READ|WRITE access & READ|WRITE shared mode (CreateFile() function).
  2. Then fills an input buffer (which seems to be a structure) with certain data I'll be posting at the end.
  3. Specifies Input Buffer & Output Buffer sizes.
  4. And finally calling DeviceIoControl() with control code: 4D004h

By looking at the data returned in the Output Buffer, it seems like it's all about hard drive info like: manufacturer, model name...etc

This is the data block returned: Data Returned

The most important string, which is kept for later use, is: Z2P1S4PJ and I have no idea what it means!!

For the rest of supplements:

CreateFile

ControlIODevice

Input Buffer content

Seki
afr0ck
  • I forgot to comment the last pictures. The first one (at the end) is the call to CreateFile. The second one is the call to ControlIoDevice. The third and last is the Input Buffer data. – afr0ck Apr 30 '16 at 23:56
  • Is it a call to `ControlIoDevice` or `DeviceIoControl`? MSDN has no help about the first. – Seki May 04 '16 at 08:55
  • @Seki It is `DeviceIoControl`, I'm sorry for the mistake. – afr0ck May 11 '16 at 14:27
  • @Seki I added a comment to your answer, please check it out! – afr0ck May 11 '16 at 14:40

1 Answer

0

After a bit of searching, and if we are talking of the dwIoControlCode of the winapi DeviceIoControl() function, it seems that the 4D004 code is defined as IOCTL_SCSI_PASS_THROUGH, so it lets you send some commands to SCSI devices. The details of the command should be in the buffer pointed to by the parameter pair lpInBuffer / nInBufferSize.

It will be difficult to tell what command exactly, without knowing the device, and I do not know the details of SCSI interface management.

Seki
  • I've already found myself reading the same info about that `IOCTL_SCSI_PASS_THROUGH` command but unfortunately, I have no idea about SCSI devices. The other thing is that the handle that `DeviceIoControl` uses is a handle to a volume ("C:\"), so it must be a hard drive command & the hard drive is a SATA device (because, as it seems, the program tries to open some SCSI device but it fails to retrieve the requested data, so it proceeds to a second choice, which is opening ("C:\") & requesting data with that code & the data is successfully returned (some hard drive info, see Capture above)). – afr0ck May 11 '16 at 14:39
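
Added example (not part of the original question, answer, or the program being reversed): a portable C sketch that splits the control code 4D004h into its `CTL_CODE` fields and reads the SCSI command opcode out of a `SCSI_PASS_THROUGH` input buffer. The function names `decode_ioctl` and `spt_cdb_opcode` are hypothetical, and the sample buffer is constructed for illustration, since the real input buffer is only available as a screenshot.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Fields packed into an I/O control code by the Windows CTL_CODE macro. */
typedef struct { unsigned device_type, access, function, method; } ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = code >> 16;           /* bits 31..16 */
    f.access      = (code >> 14) & 0x3;   /* bits 15..14: 1 = read, 2 = write */
    f.function    = (code >> 2) & 0xFFF;  /* bits 13..2 */
    f.method      = code & 0x3;           /* bits 1..0: 0 = METHOD_BUFFERED */
    return f;
}

/* Return the CDB opcode from a SCSI_PASS_THROUGH input buffer, or -1 if the
   buffer is malformed. The Length field (offset 0) holds the structure size:
   44 in a 32-bit process, 56 in a 64-bit one, which places Cdb[] at offset
   28 or 36 respectively. CdbLength sits at offset 6 in both layouts. */
int spt_cdb_opcode(const uint8_t *buf, size_t len) {
    if (len < 2) return -1;
    unsigned length = (unsigned)buf[0] | ((unsigned)buf[1] << 8);
    size_t cdb_off;
    if (length == 44)      cdb_off = 28;
    else if (length == 56) cdb_off = 36;
    else return -1;                        /* not a SCSI_PASS_THROUGH header */
    if (len < length) return -1;           /* truncated capture */
    unsigned cdb_len = buf[6];
    if (cdb_len == 0 || cdb_len > 16) return -1;
    return buf[cdb_off];                   /* first CDB byte is the opcode */
}

int main(void) {
    ioctl_fields f = decode_ioctl(0x4D004);
    /* DeviceType 0x4 is IOCTL_SCSI_BASE, function 0x401 is the pass-through. */
    printf("type=0x%X access=%u function=0x%X method=%u\n",
           f.device_type, f.access, f.function, f.method);

    /* Constructed sample, NOT the buffer from the question: a 32-bit
       SCSI_PASS_THROUGH carrying a 6-byte INQUIRY (opcode 0x12), data-in. */
    uint8_t sample[44] = {0};
    sample[0] = 44; sample[6] = 6; sample[8] = 1; sample[28] = 0x12;
    printf("CDB opcode: 0x%02X\n", (unsigned)spt_cdb_opcode(sample, sizeof sample));
    return 0;
}
```

Feeding the bytes of the real input buffer to `spt_cdb_opcode` gives the opcode to look up in the SCSI command set.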