0

I have this code in my driver.cpp

uintptr_t driver::find_image() {
    uintptr_t image_address = { NULL };
    t_image arguments = { NULL };

    arguments.security_code = code_security;
    arguments.process_id = ProcId;
    arguments.address = (ULONGLONG*)&image_address;

    if (!DeviceIoControl(driver_handle, code_image, (LPVOID)&arguments, sizeof(arguments), nullptr, NULL, NULL, NULL)) {
        DWORD error_code = GetLastError();
        LPSTR error_message = nullptr;
        FormatMessageA(
            FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
            nullptr,
            error_code,
            MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
            (LPSTR)&error_message,
            0,
            nullptr
        );
        std::cout << "DeviceIoControl failed with error " << error_code << ": " << error_message << std::endl;
        LocalFree(error_message);
    }

    DeviceIoControl(driver_handle, code_image, &arguments, sizeof(arguments), nullptr, NULL, NULL, NULL);

    return image_address;
}

when ran, it return code 87 which means invalid params, althought i cant see why not. this is what DeviceIoControl looks like

DeviceIoControl(
    _In_ HANDLE hDevice,
    _In_ DWORD dwIoControlCode,
    _In_reads_bytes_opt_(nInBufferSize) LPVOID lpInBuffer,
    _In_ DWORD nInBufferSize,
    _Out_writes_bytes_to_opt_(nOutBufferSize,*lpBytesReturned) LPVOID lpOutBuffer,
    _In_ DWORD nOutBufferSize,
    _Out_opt_ LPDWORD lpBytesReturned,
    _Inout_opt_ LPOVERLAPPED lpOverlapped
    );

these are my CTL CODES

#define code_virtual CTL_CODE(FILE_DEVICE_UNKNOWN, 0x269, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define code_physical CTL_CODE(FILE_DEVICE_UNKNOWN, 0x472, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define code_image CTL_CODE(FILE_DEVICE_UNKNOWN, 0xfee, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)

and these are my driver typedefs

typedef struct t_virtual {
    INT32 security_code;
    INT32 process_id;
    INT32 virtual_mode;
    ULONGLONG address;
    ULONGLONG buffer;
    ULONGLONG size;
} e_virtual, * s_virtual;

typedef struct t_physical {
    INT32 security_code;
    INT32 process_id;
    INT32 physical_mode;
    ULONGLONG address;
    ULONGLONG buffer;
    ULONGLONG size;
} e_physical, * s_physical;

typedef struct t_image {
    INT32 security_code;
    INT32 process_id;
    ULONGLONG* address;
} e_image, * s_image;

I was trying to return the image address. But it returns code 87 invalid params

genpfault
  • 51,148
  • 11
  • 85
  • 139
Time Clox
  • 1

0 Answers0