[Windows Driver] Reversing

Kernel Setting : http://tribal1012.tistory.com/164

시작 전, 위에 나오는 디버기 설정을 따라해서 가상머신 세팅을 끝낸다.

------------------------------------------------------------------------------------------------------------------------------

sys 파일 분석 방법

1. VirtualKD로 잡힌 후, Windbg가 잡혀서 켜져야 한다.
2. .symfix c:\symbols
3. sxe ld file.sys 으로 sys 파일 로드
4. lm으로 확인
5. start와 end의 주소 확인
6. IDA를 이용해 분석하고자 하는 함수의 Offset 주소 확인
7. Disassembly에 start + Offset 주소(가장 뒤 4자, ex> 0x15148이면, 0x5148만) 적용
8. 분석..

Dispath MajorFunction

#define IRP_MJ_CREATE                   0x00
#define IRP_MJ_CREATE_NAMED_PIPE        0x01
#define IRP_MJ_CLOSE                    0x02
#define IRP_MJ_READ                     0x03
#define IRP_MJ_WRITE                    0x04
#define IRP_MJ_QUERY_INFORMATION        0x05
#define IRP_MJ_SET_INFORMATION          0x06
#define IRP_MJ_QUERY_EA                 0x07
#define IRP_MJ_SET_EA                   0x08
#define IRP_MJ_FLUSH_BUFFERS            0x09
#define IRP_MJ_QUERY_VOLUME_INFORMATION 0x0a
#define IRP_MJ_SET_VOLUME_INFORMATION   0x0b
#define IRP_MJ_DIRECTORY_CONTROL        0x0c
#define IRP_MJ_FILE_SYSTEM_CONTROL      0x0d
#define IRP_MJ_DEVICE_CONTROL           0x0e
#define IRP_MJ_INTERNAL_DEVICE_CONTROL  0x0f
#define IRP_MJ_SHUTDOWN                 0x10
#define IRP_MJ_LOCK_CONTROL             0x11
#define IRP_MJ_CLEANUP                  0x12
#define IRP_MJ_CREATE_MAILSLOT          0x13
#define IRP_MJ_QUERY_SECURITY           0x14
#define IRP_MJ_SET_SECURITY             0x15
#define IRP_MJ_POWER                    0x16
#define IRP_MJ_SYSTEM_CONTROL           0x17
#define IRP_MJ_DEVICE_CHANGE            0x18
#define IRP_MJ_QUERY_QUOTA              0x19
#define IRP_MJ_SET_QUOTA                0x1a
#define IRP_MJ_PNP                      0x1b
#define IRP_MJ_PNP_POWER                IRP_MJ_PNP      // Obsolete....
#define IRP_MJ_MAXIMUM_FUNCTION         0x1b

• IRP_MJ_CREATE : 0x00
• IRP_MJ_CLOSE : 0x02
• IRP_MJ_DEVICE_CONTROL : 0xe