weclome to ic0de.ws Check here

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
"Advanced" Network Requests, From UserMode to a KernelMode Driver
In this tutorial i will show you how to make network requests by communicating with a kernel mode driver.
The driver which we wish to communicate with is AFD.sys.
This will work for versions of windows greater than XP. (as far as ik it works from greater than 7)
First lets compose a basic HTTP GET request
GET / HTTP/1.1\r\nHost: ic0de.ws\r\n\r\n
This has the proper delimiters and everything needed for a proper GET request.
All of requests, whatever GET or POST etc will have to follow the standards of whatever protocol is chosen.

In this tutorial i will not being showing socket reuse. For socket reuse, a little more work is required. This code will not handle large responses in which data may be chunked. In cases when data is large you will need to "dechunk" the data. It's not hard but thats on you... (you could just use HTTP 1.0 and for the best).

Now the first step is to open the driver in IDA or any disasm.
I will just be looking at Psuedo C code and IDA since I am lazy. Decompile the code to make life ez and verify what is believed by using the disassembler and WINDGB.

now we take a break to listen to some pajeet music:
"never do we dont fight, and never do we get scared"

okay now:
[Image: LueqHtC.png]
looking at the disasm and psuedo C we can see that the device name of the driver that it creates is

Let's keep this in mind.
Now that we have identified the name of the device lets see how we can communicate with the driver.
I am not going to talk about the different methods of communication with a driver, there is a lot... even some undocumented ones which I dont know and some nasty ones... but if you want to read more about IOCTLs : https://docs.microsoft.com/en-us/windows...ce-control

looking at a header file from windows we can see
#define IRP_MJ_DEVICE_CONTROL          0x0e
0x0e in decimal is 14.
[Image: pshxS9D.png]
V1 is the device object returned from IoCreateDevice(),
Lets analyze the function sub_1c0057b80, i am not going to rename this function in IDA since I am a lazy cuck.
But before even doing an call, we need to get an open handle to the device. This has to be done with a usermode call to NtCreateFile() or CreateFile().
looking at the above image we can see several IOCTL's setup.
[Image: GYtZPfC.png]after some searching , the function which we need to focus on is found.
[Image: RMNZMxR.png]
after analyzing the subfunction it can be see that what we want to focus on is specifying
in the next tutorial i will show the dumping of the structure. and the opening of the device as well as sending data.
[-] The following 2 users Like xor_dhillon's post:
  • 0xadmin, Xyt0

Forum Jump:

Users browsing this thread: 1 Guest(s)