
Comments (18)

MartinDrab avatar MartinDrab commented on August 18, 2024

Hello,

I'm currently investigating a piece of software that contains communication between two drivers. So far I can see the request, but it seems that displaying the actual buffer content is not possible?

The current release (which is quite old now) cannot do this, but the upcoming one can. I hope to finish it quite quickly since I need these capabilities (and some filtering improvements) myself. Well, I can try to make a release that supports what you need (displaying IOCTL buffers) but not what I need (advanced filtering, advanced output parsing). That one may be finished by the end of this week (I just need to test it a little bit).

Also, on a side note, could you please tell me where you got the certificate for signing the driver and for what price? In case I'll have to modify IRPMon for my investigation needs :-)

Mine is a Standard Code Signing certificate from Certum. For my country (Czech Republic), the verification process always went smoothly and quickly. The Certum website even tells you what documents you need to apply for a cert, which is very nice (IIRC Symantec did not have such info on the web). The Standard Code Signing cert cost me about 100 EUR; however, you may spend some extra money on their smartcard reader (which can be reused in the future, you buy it just once... or not at all if you already have a compatible reader).

If you wish to use less coin, the Open Source Code Signing might be an option for you. It is much cheaper (about 30 EUR when I last checked) and you need to show them your open source projects. In other respects, the verification process is the same as for the Standard Code Signing cert.

https://www.certum.eu/en/cert_offer_code_signing/

In several months (I hope) I plan to establish a company name and try the EV variant, so IRPMon may start working even with Secure Boot enabled.

P.S.
Just be prepared for some Polish. They do speak English, of course, but their websites sometimes do not :-). At least, this was the case when I was buying a cert last time.

from irpmon.

vladkorotnev avatar vladkorotnev commented on August 18, 2024

Well, I can try to make a release that supports what you need (displaying IOCTL buffers) but not what I need (advanced filtering, advanced output parsing). That one may be finished by the end of this week (I just need to test it a little bit).

Oh, that would be very nice!

If you wish to use less coin, the Open Source Code Signing might be an option for you. It is much cheaper (about 30 EUR when I last checked) and you need to show them your open source projects. In other respects, the verification process is the same as for the Standard Code Signing cert.

Does it have to be the exact project I need to codesign or can it be just any of the projects I have on my Github/Bitbucket profiles?

MartinDrab avatar MartinDrab commented on August 18, 2024

Does it have to be the exact project I need to codesign or can it be just any of the projects I have on my Github/Bitbucket profiles?

AFAIK they just need to see that you are working on open source projects, they issue you the cert and you can sign anything you wish. The only "restriction" is that the cert will contain the string "Open Source Developer" (together with your name) within its Common Name.

vladkorotnev avatar vladkorotnev commented on August 18, 2024

That isn't a problem, but the fact that I also have to buy their USB dongle raises the price quite a bit, especially considering the price of shipping to Japan. Or can I just get the certificate as a set of files?

Though, come to think of it, it's not really necessary for me to inject my own drivers if I can dump the command I need, so I think I can wait until your new version later this week :-) and if you need any help with it feel free to ask, I'll try my best.

MartinDrab avatar MartinDrab commented on August 18, 2024

That isn't a problem, but the fact that I also have to buy their USB dongle raises the price quite a bit, especially considering the price of shipping to Japan. Or can I just get the certificate as a set of files?

I think you may use your own smartcard if it is supported by Certum's application. But you need to ask them about that, since I have no experience here (I bought their dongle). Not sure if, for example, a certain Yubico product would work or not.

vladkorotnev avatar vladkorotnev commented on August 18, 2024

Hmm, I have seemingly found a way to turn off signature checking for drivers. (My target is Windows 8.0)
Is there some binary available with the new features even if it's unsigned?

MartinDrab avatar MartinDrab commented on August 18, 2024

Is there some binary available with the new features even if it's unsigned?

No. But I can make one for you this evening (or tomorrow morning). Just keep in mind it would be quite untested (although it should satisfy your needs I think).

vladkorotnev avatar vladkorotnev commented on August 18, 2024

Oh, that would be very much appreciated! Untested is fine as long as it doesn't BSOD and saves the buffer data to the log file, or at least displays it :-)
Btw do you have paypal for donations?

MartinDrab avatar MartinDrab commented on August 18, 2024

Oh, that would be very much appreciated! Untested is fine as long as it doesn't BSOD and saves the buffer data to the log file, or at least displays it :-)

I will do a small test before pointing you to the binaries and we will see. If it BSODs for your case, please let me know.

Btw do you have paypal for donations?

I suppose you can use [email protected]. Thanks!

vladkorotnev avatar vladkorotnev commented on August 18, 2024

Sure!
If you have the time, please make them signed, as I'd still like to disturb the settings as little as possible, since the machine under inspection is not really stable (BitLocker and stuff).

MartinDrab avatar MartinDrab commented on August 18, 2024

Well, I have created a special branch for you named 0.9-release. The binaries are in the binaries/x64 folder. They are for x64 versions of Windows only. I have signed them with my cert, however, no timestamp was provided. Thus, the signature stops being valid when my cert expires (which is about June 20th). This should be enough since the next (real) version should be released much earlier than that.

Data associated with requests are displayed and saved to the log in hex (currently, only IRPs and IRP completions are supported; if you are interested in Fast I/Os, please let me know the exact fast I/O operation type and I may try to add support for it). I tested with Mount Point Manager (\Device\MountPointManager) and all seems to be working quite well.

To enable associated data capturing, you must check the Data menu item when selecting the target device (Select driver / device).

Please let me know about any inconveniences, problems, etc. Or, if you need 32-bit binaries, just ask and I will provide them.

The branch mentioned in this post is probably a temporary one, I will delete it after you download the binaries.

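Two points in this thread are worth checking on the binary itself: the Open Source Code Signing cert carries "Open Source Developer" in its Common Name, and a signature made without a timestamp countersignature stops being valid once the signer certificate expires. The following PowerShell is an added example, not code from the IRPMon project or its author; it uses the built-in Get-AuthenticodeSignature cmdlet to report the signer subject, the signer's expiry date and whether a timestamp is present. The driver path is a placeholder you replace with the .sys file you want to inspect.

```powershell
# Added example (not part of the IRPMon project): inspect an Authenticode
# signature on a driver binary before loading it.
# $DriverPath is a placeholder; point it at the .sys file to inspect.
param(
    [string]$DriverPath = 'C:\placeholder\driver.sys'   # placeholder path
)

if (-not (Test-Path -LiteralPath $DriverPath)) {
    throw "File not found: $DriverPath"
}

$sig = Get-AuthenticodeSignature -FilePath $DriverPath

# Summarise what the signature tells us. SignerCertificate.Subject is where
# Certum's "Open Source Developer" string would show up in the CN; a missing
# TimeStamperCertificate means the signature was not countersigned with a
# timestamp, which is the case the thread describes.
[pscustomobject]@{
    File          = $DriverPath
    Status        = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
    StatusMessage = $sig.StatusMessage
    Signer        = $sig.SignerCertificate.Subject
    SignerExpires = $sig.SignerCertificate.NotAfter
    Timestamped   = [bool]$sig.TimeStamperCertificate
    Timestamper   = $sig.TimeStamperCertificate.Subject
}

if ($sig.Status -eq 'Valid' -and -not $sig.TimeStamperCertificate) {
    Write-Warning ("Signature is valid today but carries no timestamp; as noted in " +
                   "the thread, it stops being valid when the signer certificate " +
                   "expires on {0}." -f $sig.SignerCertificate.NotAfter)
}
```

Run it as a script with `-DriverPath` pointing at the binary. A `Status` other than `Valid` together with a populated `Signer` usually means the chain does not build on this machine (untrusted root, revoked or expired cert), which is exactly the situation an untimestamped signature ends up in after the expiry date printed in `SignerExpires`.
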
vladkorotnev avatar vladkorotnev commented on August 18, 2024

OK, it works, but when I exit it BSODs with DRIVER_IRQL_NOT_LESS_OR_EQUAL.
Returned data size is always zero as well.

MartinDrab avatar MartinDrab commented on August 18, 2024

I see "Data parsers" and "Hexer" inside but cannot find a way to enable it, or make it parse the data...
For what types of requests do you need to parse the data? The data should be parsed by Hexer automatically if it is present within the request. However, IRPMon collects data for certain requests only (IOCTLs, but not Fast I/O, I think).

To see this in action, hook \Device\MountPointManager and, together with the Hook option (in the context menu), check the Data one as well.

vladkorotnev avatar vladkorotnev commented on August 18, 2024

Does the order I enable them in matter?

vladkorotnev avatar vladkorotnev commented on August 18, 2024

It seems so. If I check DATA and then check HOOKED, it works. Got the request I needed captured. Thanks!

MartinDrab avatar MartinDrab commented on August 18, 2024

Does the order I enable them in matter?

The order should not matter. The actual hooking operation takes place when you press the OK button on the form.

There is currently a limit of at most 1024 bytes of data associated with a single request. I implemented it in order to avoid various out-of-memory situations during testing. If you need more, I will increase the limit for you.

vladkorotnev avatar vladkorotnev commented on August 18, 2024

Thanks a lot for your support. My requests are about half that, so it wasn't a problem, but it's a good idea to make it configurable for the release :-)

I've dumped the data I needed and am now confirming it against the static analysis of the same driver to ensure it's the right routine I've found.

I guess we can close this now?

MartinDrab avatar MartinDrab commented on August 18, 2024

You are welcome. I will close this in the evening.
