
vsdatant.sys

Немного кодов:
Код:
; vsdatant IOCTL's
;
; Reverse-engineered notes (MASM-style), not an assemblable file: the values are
; as observed in the driver, the names are those found in the vsdata!* handlers
; where they could be recovered.
;
; If these are ordinary CTL_CODE values: DeviceType = 8400h, the low two bits of
; every code here are 3 (METHOD_NEITHER - the handler receives raw user-mode
; pointers and has to probe/capture the buffers itself) and bits 15:14 are 0
; (FILE_ANY_ACCESS - the access rights of the device handle do not gate the
; call). Any "VSMON/SYSTEM only" restriction therefore has to be implemented
; inside the handler. TODO confirm against the dispatch routine.
;
; Callable from the context of any process (all other IOCTLs only from
; VSMON/SYSTEM). This set is the driver's unprivileged attack surface; each of
; these handlers should be checked for input/output length validation.
;
8400000Fh; DRVIO_CTRL_GET_VERSION
840000AFh; DRVIO_CTRL_GET_PRODUCT_VERSION
8400001Bh; DRVIO_CTRL_GET_PROCESS_PATH
8400001Fh; name not recovered
84000013h; DRVIO_CTRL_ADD_DATA_CLIENT
84000003h; name not recovered

DRVIO_CTRL_ADD_DATA_CLIENT_CLASS	equ 84000023h
; Not in the any-process list above - presumably VSMON/SYSTEM only; no buffer sizes recorded.

; + (the "; +" marker in these notes apparently means the entry was verified - TODO confirm)
DRVIO_CTRL_ADD_DATA_CLIENT  equ 84000013h; !!!WARNING: UNPROTECTED, THIS TRU SERVICE!!!
; OutputBufferLength = 10h
; Also listed above as reachable from any process. The original author's
; "UNPROTECTED" flag presumably means the handler performs no caller check at
; all; what an attacker-registered "data client" can receive or influence is
; not recorded here - TODO verify in the handler.

; +
DRVIO_CTRL_GET_VERSION  	equ 8400000Fh; Version, OutBufferSize:4, InBufferSize:0
; vsdata!DriverVersion()
; Reachable from any process (see list above); no input, so only the 4-byte
; output length check matters for this one.

; +
DRVIO_CTRL_GET_PRODUCT_VERSION	equ 840000AFh; Product version, OutBufferSize:16 (the handler appears to use 0x50 - apparently reserved space), InBufferSize:0
; vsdata!DriverProductVersion()
; Reachable from any process (see list above). The 16-vs-0x50 discrepancy is
; worth checking: the handler must not write more than the caller's
; OutputBufferLength - TODO confirm which size it validates against.

; +
DRVIO_CTRL_GET_PROCESS_CMD_LINE	equ 8400000Bh
; vsdata!GetProcessCmdLine(): IoControlCode = 8400000Bh
; InputBufferLength >= 4
; Not in the any-process list above - presumably VSMON/SYSTEM only, verify.
; The >= 4-byte input is presumably a PID; the output size and string
; termination of the returned command line are not recorded here - TODO.

; +
DRVIO_CTRL_GET_PROCESS_PATH  equ 8400001Bh
; vsdata!GetProcessPath(): IoControlCode = 8400001Bh  (the note originally read 84000001Bh - one digit too many)
; Reachable from any process (see list above). If the handler accepts an
; arbitrary PID, it discloses other processes' image paths to low-privileged
; callers - verify what the handler checks before returning the path.

DRVIO_CTRL_OPEN_PROCESS  	equ 84000407H
; vsdata!DriverOpenProcess()
; InputBufferLength = 8, OutputBufferLength = 4
; NTSTATUS = PsHandle.
; Input is OPENPROCESS{Pid, DesiredAccess} (defined below); the 4-byte output
; appears to be the resulting process handle ("PsHandle"). Not marked "; +" and
; not in the any-process list, so presumably VSMON/SYSTEM only - verify. If an
; unprivileged caller could reach this, a kernel-created handle to any PID with
; caller-chosen DesiredAccess would be a direct privilege-escalation primitive.

; Input buffer of DRVIO_CTRL_OPEN_PROCESS: 4 + 4 = 8 bytes on 32-bit, matching
; the recorded InputBufferLength = 8.
OPENPROCESS struct
Pid  	HANDLE ?; target process id, caller-supplied
DesiredAccess	ACCESS_MASK ?; caller-supplied access mask for the returned handle
OPENPROCESS ends

; View of the control buffer for the OPEN_PROCESS case. Note: FWCTL is
; "redefined" several times in these notes - each definition documents the
; layout of the same buffer for one sub-operation; MASM would reject the
; redefinitions and also expects `FWCTL ends` rather than a bare `ends`.
FWCTL struct
	Process	OPENPROCESS <>
ends

; +
DRVIO_OSFIREWALL_CTRL	equ 8400009Bh
; InputBufferLength >= 20h
; InputBuffer[0] = ControlCode, OSFIREWALL_CTRL_*
; Multiplexed IOCTL: the first DWORD of the input selects the sub-operation.
; Not in the any-process list above - presumably VSMON/SYSTEM only, verify.
; The per-sub-operation layouts after the control code are not recorded here.

OSFIREWALL_CTRL_UPDATE_OBJECTS  equ 0
OSFIREWALL_CTRL_ADD_OBJECT  	equ 1
OSFIREWALL_CTRL_DEL_OBJEC  	equ 2; sic - presumably DEL_OBJECT; name kept as recorded
OSFIREWALL_CTRL_ASSOC_EVENTGROUP_NAME	equ 3
OSFIREWALL_CTRL_HOOKING    equ 4
OSFIREWALL_CTRL_CACHE    equ 5
OSFIREWALL_CTRL_QUERY_EVENTGROUP_NAME	equ 6
OSFIREWALL_CTRL_GET_MONITOR_OPTIONS	equ 7
OSFIREWALL_CTRL_SET_MONITOR_OPTIONS	equ 8
OSFIREWALL_CTRL_CLR_MONITOR_OPTIONS	equ 9
OSFIREWALL_CTRL_QUERY_OBJECT  	equ 10

; +
DRVIO_FILTER_CTRL	equ 8400002Bh; - extended service, takes an FWCTL{} on input.
; InputBufferLength = 20h, OutputBufferLength = 20h
; Multiplexed IOCTL: FwCode (first DWORD) selects the sub-operation and the
; same 20h-byte buffer is used for the result. The FWCTL variants that follow
; document the layout for each FwCode seen. Not in the any-process list above -
; presumably VSMON/SYSTEM only; since the sub-operations below can stop the
; product's protection, that caller check is the one to verify.

FWCTL struct
FwCode	ULONG ?; FILTER_CTRL_*, FWCTL_*()
...
ends

; +
;
FILTER_CTRL_ENABLE_BUFFER_ISOLATION	equ 23H; FWCTL_23h()

; SetEnableBufferIsolation()
;
; Size note: 4 + 4 + 6*4 = 20h only if State occupies 4 bytes. MASM32's
; windows.inc defines BOOLEAN as a BYTE, which would make this 29 bytes -
; treat State as a 4-byte BOOL or confirm the typedef used in these notes.
FWCTL struct
	FwCode    ULONG ?; 23H
	EnableBufferIsolation	BOOLEAN ?
	Reserved    DWORD 6 DUP (?)
ends

; +
;
FILTER_CTRL_PROTECTION_CONTROL	equ 2H; FWCTL_2h()
; Starts/stops the product's protection and "ban protection". Four layouts
; follow for this one FwCode; which action runs appears to be selected by
; State together with the DWORD after ResultStatus (0/1/2 in the later
; variants). Anything that can send DRVIO_FILTER_CTRL with FwCode 2 can switch
; protection off, so the caller check on that IOCTL is what matters here.

FWCTL struct
	FwCode    ULONG ?; 2H
	State    BOOLEAN ?; TRUE
	Flags    DWORD ?; StartProtection(State)
	Undef1    DWORD ?
	ResultStatus  	ULONG ?; presumably written back by the driver (output buffer is also 20h)
	Reserved    DWORD 3 DUP (?)
ends

; FwCode 2, State = FALSE, selector 0: StopProtection. Turns the product's
; protection off - the sender of this buffer must be a trusted process.
FWCTL struct
	FwCode    ULONG ?; 2H
	State    BOOLEAN ?; FALSE
	Flags    DWORD ?; StopProtection(State)
	Undef1    DWORD ?
	ResultStatus  	ULONG ?
	Undef2    DWORD ?; 0 - sub-selector, compare the 1 / 2 variants that follow
	Reserved    DWORD 2 DUP (?)
ends

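; FwCode 2, State = FALSE, selector 1: StopProtection + EnableBanProtection.
; Fix: this variant named both DWORDs around ResultStatus "Undef2", which is a
; duplicate field name within one struct; the first is renamed Undef1 to match
; the sibling layouts for FwCode 2 (the offsets are unchanged).
FWCTL struct
	FwCode    ULONG ?; 2H
	State    BOOLEAN ?; FALSE
	Flags    DWORD ?; StopProtection(State), EnableBanProtection(State)
	Undef1    DWORD ?
	ResultStatus  	ULONG ?
	Undef2    DWORD ?; 1 - sub-selector (0 = stop, 1 = enable ban protection, 2 = disable ban protection, per the sibling layouts)
	Reserved    DWORD 2 DUP (?)
ends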

; FwCode 2, State = FALSE, selector 2: DisableBanProtection.
FWCTL struct
	FwCode    ULONG ?; 2H
	State    BOOLEAN ?; FALSE
	Flags    DWORD ?; DisableBanProtection(State)
	Undef1    DWORD ?
	ResultStatus  	ULONG ?
	Undef2    DWORD ?; 2 - sub-selector, compare the 0 / 1 variants above
	Reserved    DWORD 2 DUP (?)
ends

; +
;
FILTER_CTRL_TRACK_GDI_CONTROL	equ 102h; FWCTL_102h()
; Toggles GDI tracking with a fixed argument of 200h (meaning not recorded).
; A second GDI-tracking code (100h) without that argument is documented below.

FWCTL struct
	FwCode    ULONG ?; 102H
	State    BOOLEAN ?; TRUE: StartTrackGDI(200h), FALSE: StopTrackGDI(200h)
	Undef1    DWORD ?
	ResultStatus  	ULONG ?
	Reserved    DWORD 4 DUP (?)
ends

; +
;
FILTER_CTRL_TRACK_LPC_CONTROL	equ 80h; FWCTL_80h()
; Toggles LPC tracking. Same layout as the 102h GDI variant.

FWCTL struct
	FwCode    ULONG ?; 80H
	State    BOOLEAN ?; TRUE: StartTrackLPC(), FALSE: StopTrackLPC()
	Undef1    DWORD ?
	ResultStatus  	ULONG ?
	Reserved    DWORD 4 DUP (?)
ends

; +
;
FILTER_CTRL_DISABLE_PROTECTION	equ 400h; FWCTL_400h()

; DisableProtection = TRUE
; ProcessId carries the PID of vsmon.exe per the original note. Whether the
; handler verifies that the caller actually is that process, or simply trusts
; the field, is not recorded here - that distinction decides whether any
; DRVIO_FILTER_CTRL sender can turn protection off. TODO confirm.
;
FWCTL struct
	FwCode    ULONG ?; 400H
	Undef1    DWORD ?
	Undef2    DWORD ?
	Undef3    DWORD ?
	ResultStatus  	ULONG ?
	ProcessId    HANDLE ?; PID(vsmon.exe)
	Reserved    DWORD 2 DUP (?)
ends

; +
;
FILTER_CTRL_TRACK_GDI_CONTROL2	equ 100h; FWCTL_100h()

; Toggles GDI tracking without the 200h argument used by code 102h.
; Size note: with 4-byte fields this layout is 6*4 + 4*4 = 28h, one DWORD
; more than the 20h buffer every other FWCTL variant fits in - either one of
; the Undef fields is spurious or Reserved should be 3 DUP. TODO confirm;
; the struct is left as recorded.
;
FWCTL struct
	FwCode    ULONG ?; 100H
	State    BOOLEAN ?; TRUE: StartTrackGDI(), FALSE: StopTrackGDI()
	Undef1    DWORD ?
	Undef2    DWORD ?
	ResultStatus  	ULONG ?
	Undef    DWORD ?
	Reserved    DWORD 4 DUP (?)
ends

; vsdata!FirewallInfo(): IoControlCode = 84000087H
; (a separate code from DRVIO_CTRL_FW below; no buffer sizes recorded for it)

DRVIO_CTRL_FW	equ 84000083h
; Sub-operation names recovered from the driver; their numeric values and the
; buffer layouts were not recorded. Presumably selected by a code at the start
; of the input buffer like DRVIO_OSFIREWALL_CTRL / DRVIO_FILTER_CTRL - verify.
; Not in the any-process list above, so presumably VSMON/SYSTEM only. Judging
; by the names, several of these (ADD_RULE/DEL_RULE, ADD_XMLRULE, SET_OPT,
; CLR_STATES, the ARP and IPLOCAL ones) would change firewall policy if an
; unprivileged caller could reach them - that makes the caller check on this
; IOCTL the first thing to verify.
;
; FW_CTRL_SET_LOCKUP_INFO
; FW_CTRL_ADD_XMLRULE
; FW_CTRL_EVAL_PACKET
; FW_CTRL_EVAL_RULES
; FW_CTRL_GET_HANDLE
; FW_CTRL_GET_LIST_SIZE
; FW_CTRL_DEL_ARPTABLE
; FW_CTRL_ADD_ARPTABLE
; FW_CTRL_CLR_STATES
; FW_CTRL_DUMP_LIST
; FW_CTRL_DEL_CLIENT
; FW_CTRL_GET_OPT
; FW_CTRL_SET_OPT
; FW_CTRL_DEL_IPLOCAL
; FW_CTRL_ADD_IPLOCAL
; FW_CTRL_SET_IPLOCAL
; FW_CTRL_ARP_ACTION
; FW_CTRL_CLR_LIST
; FW_CTRL_ENUM_ADAPTERS
; FW_CTRL_SET_RFLAGS
; FW_CTRL_DEL_STATE
; FW_CTRL_ADD_STATE
; FW_CTRL_DEL_RULE
; FW_CTRL_ADD_RULE
 

