Fast ApiSpy (of DeviceIoControl) via oSpy2 Defined Hook

Hi,

oSpy2 is the evolution of oSpy-1.9.6, written by oleavr.

With oSpy2 it is possible to spy on the API activity of a selected process. You may think that there are many other API-spy tools, but oSpy2 implements a well-organized XML file, config.xml, that lets you define the functions you want to spy on; it also has other logging features, such as dumping the CPU registers.

Here is a sample config.xml applied to spying on DeviceIoControl:

<hookManager>
  <specs>
    <functions>
      <function name="DeviceIoControl" callingConvention="stdcall">
        <returnValue type="MSBool"/>
        <arguments>
          <argument name="hDevice" direction="in" type="UInt32" hex="true"/>
          <argument name="dwIoControlCode" direction="in" type="UInt32" hex="true" />
          <argument name="lpInBuffer" direction="in" type="ByteArrayPtr" size="arg.nInBufferSize"/>
          <argument name="nInBufferSize" direction="in" type="UInt32"/>
          <argument name="lpOutBuffer" direction="out" type="ByteArrayPtr" size="arg.lpBytesReturned">
            <logCondition>reg.eax !=0</logCondition>
          </argument>
          <argument name="nOutBufferSize" direction="in" type="UInt32"/>
          <argument name="lpBytesReturned" direction="out" type="UInt32Ptr"/>
          <argument name="lpOverlapped" direction="in" type="UInt32" hex="true"/>
        </arguments>
      </function>
    </functions>
  </specs>
  <hooks>
    <dllModule name="kernel32.dll">
      <function specId="DeviceIoControl"/>
    </dllModule>
  </hooks>
</hookManager>

Note that this sample is taken from oleavr's blog, but with one basic difference:

<argument name="dwIoControlCode" direction="in" type="UInt32" hex="true" />

He used IoControlCode as the type, with hex disabled; with that setting oSpy2 did not work, because it was not able to recognize the IoControlCode type.

Here is the output:

<event id="1" type="FunctionCall" timestamp="128651541912187500" processName="_CENSORED_" processId="1924" threadId="2620">
    <name>
        kernel32.dll::DeviceIoControl
    </name>
    <backtrace>
        <entry moduleName="_CENSORED_">
            0x100786d9
        </entry>
        <entry moduleName="_CENSORED_">
            0x10078780
        </entry>
        <entry moduleName="_CENSORED_l">
            0x10078803
        </entry>
        <entry moduleName="_CENSORED_l">
            0x1007886c
        </entry>
        <entry moduleName="_CENSORED_l">
            0x10078983
        </entry>
        <entry moduleName="_CENSORED_">
            0x10078a15
        </entry>
        <entry moduleName="_CENSORED_l">
            0x10077fe0
        </entry>
        <entry moduleName="_CENSORED_l">
            0x100963f6
        </entry>
    </backtrace>
    <cpuContext direction="in">
        <register name="eax" value="0x78"/>
        <register name="ebx" value="0x2000"/>
        <register name="ecx" value="0xc3fa28"/>
        <register name="edx" value="0xc3fa28"/>
        <register name="edi" value="0xad0000"/>
        <register name="esi" value="0x62babc"/>
        <register name="ebp" value="0x78"/>
        <register name="esp" value="0xc3f9ec"/>
    </cpuContext>
    <arguments direction="in">
        <argument name="hDevice">
            <value type="UInt32" value="0x78"/>
        </argument>
        <argument name="dwIoControlCode">
            <value type="UInt32" value="0x80012004"/>
        </argument>
        <argument name="lpInBuffer">
            <value type="Pointer" value="0x00C3FA28">
                <value type="ByteArray" size="16">
                    AAAAAAAAAAAAAK0AACAAAA==
                </value>
            </value>
        </argument>
        <argument name="nInBufferSize">
            <value type="UInt32" value="16"/>
        </argument>
        <argument name="lpOutBuffer">
            <value type="Pointer" value="0x00C3FA28"/>
        </argument>
        <argument name="nOutBufferSize">
            <value type="UInt32" value="16"/>
        </argument>
        <argument name="lpBytesReturned">
            <value type="Pointer" value="0x00C3FA24"/>
        </argument>
        <argument name="lpOverlapped">
            <value type="UInt32" value="0"/>
        </argument>
    </arguments>
    <cpuContext direction="out">
        <register name="eax" value="0x1"/>
        <register name="ebx" value="0x2000"/>
        <register name="ecx" value="0x7c801694"/>
        <register name="edx" value="0x7c91eb94"/>
        <register name="edi" value="0xad0000"/>
        <register name="esi" value="0x62babc"/>
        <register name="ebp" value="0x78"/>
        <register name="esp" value="0xc3fa1c"/>
    </cpuContext>
    <arguments direction="out">
        <argument name="lpOutBuffer">
            <value type="Pointer" value="0x00C3FA28"/>
        </argument>
        <argument name="lpBytesReturned">
            <value type="Pointer" value="0x00C3FA24">
                <value type="UInt32" value="16"/>
            </value>
        </argument>
    </arguments>
    <returnValue>
        <value type="Boolean" value="true"/>
    </returnValue>
</event>
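To get something useful out of a log like the one above, the event XML has to be parsed and the raw values interpreted. The following is an added example, not part of oSpy2 or of this post: a small Python parser for an oSpy2 FunctionCall event that picks out the DeviceIoControl arguments, splits dwIoControlCode into the CTL_CODE fields (DeviceType, Access, Function, Method, as laid out in the Windows DDK's CTL_CODE macro), base64-decodes the logged lpInBuffer and checks that its length matches the size recorded by the `size="arg.nInBufferSize"` expression from config.xml. The SAMPLE_EVENT string is the event shown above, trimmed to the elements the parser reads (backtrace and cpuContext omitted); the function names and the returned dictionary layout are this example's own choices.

```python
"""Parse an oSpy2 FunctionCall event for DeviceIoControl and decode the IOCTL."""
import base64
import struct
import xml.etree.ElementTree as ET

# Constructed sample: the DeviceIoControl event from the post, trimmed to the
# elements this parser uses (backtrace and cpuContext left out).
SAMPLE_EVENT = """<event id="1" type="FunctionCall" timestamp="128651541912187500" processName="_CENSORED_" processId="1924" threadId="2620">
    <name>kernel32.dll::DeviceIoControl</name>
    <arguments direction="in">
        <argument name="hDevice"><value type="UInt32" value="0x78"/></argument>
        <argument name="dwIoControlCode"><value type="UInt32" value="0x80012004"/></argument>
        <argument name="lpInBuffer">
            <value type="Pointer" value="0x00C3FA28">
                <value type="ByteArray" size="16">AAAAAAAAAAAAAK0AACAAAA==</value>
            </value>
        </argument>
        <argument name="nInBufferSize"><value type="UInt32" value="16"/></argument>
        <argument name="lpOutBuffer"><value type="Pointer" value="0x00C3FA28"/></argument>
        <argument name="nOutBufferSize"><value type="UInt32" value="16"/></argument>
        <argument name="lpBytesReturned"><value type="Pointer" value="0x00C3FA24"/></argument>
        <argument name="lpOverlapped"><value type="UInt32" value="0"/></argument>
    </arguments>
    <arguments direction="out">
        <argument name="lpBytesReturned">
            <value type="Pointer" value="0x00C3FA24"><value type="UInt32" value="16"/></value>
        </argument>
    </arguments>
    <returnValue><value type="Boolean" value="true"/></returnValue>
</event>"""

METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}


def decode_ioctl(code):
    """Split a Windows I/O control code into its CTL_CODE fields.

    CTL_CODE(DeviceType, Function, Method, Access) packs them as
    (DeviceType << 16) | (Access << 14) | (Function << 2) | Method.
    """
    device_type = (code >> 16) & 0xFFFF
    return {
        "device_type": device_type,
        # Device types 0x8000 and above are reserved for third-party drivers.
        "vendor_defined": device_type >= 0x8000,
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
    }


def _int(text):
    # oSpy2 writes hex="true" arguments as 0x... and the others as decimal.
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def _arg(args_node, name):
    """Return the innermost <value> element of the named <argument>."""
    for arg in args_node.findall("argument"):
        if arg.get("name") == name:
            value = arg.find("value")
            inner = value.find("value")
            return inner if inner is not None else value
    return None


def parse_device_io_control(event_xml):
    """Extract the interesting fields of one DeviceIoControl event (hypothetical helper)."""
    root = ET.fromstring(event_xml)
    name = root.findtext("name").strip()
    if not name.endswith("::DeviceIoControl"):
        raise ValueError("not a DeviceIoControl event: %s" % name)
    ins = root.find("arguments[@direction='in']")
    outs = root.find("arguments[@direction='out']")

    code = _int(_arg(ins, "dwIoControlCode").get("value"))
    in_buf = _arg(ins, "lpInBuffer")
    in_bytes = b""
    if in_buf.get("type") == "ByteArray":
        in_bytes = base64.b64decode(in_buf.text.strip())
        # The logged size and the decoded length must agree; a mismatch means
        # the size="arg.…" expression in config.xml names the wrong argument.
        if len(in_bytes) != int(in_buf.get("size")):
            raise ValueError("lpInBuffer size mismatch")
    # View the buffer as little-endian DWORDs when its length allows it.
    in_words = struct.unpack("<%dI" % (len(in_bytes) // 4), in_bytes) if len(in_bytes) % 4 == 0 else ()

    return {
        "handle": _int(_arg(ins, "hDevice").get("value")),
        "ioctl": code,
        "ioctl_fields": decode_ioctl(code),
        "in_buffer": in_bytes,
        "in_words": in_words,
        "bytes_returned": _int(_arg(outs, "lpBytesReturned").get("value")),
        "succeeded": root.find("returnValue/value").get("value") == "true",
    }


if __name__ == "__main__":
    call = parse_device_io_control(SAMPLE_EVENT)
    print("IOCTL 0x%08x -> %s" % (call["ioctl"], call["ioctl_fields"]))
    print("input buffer as DWORDs:", [hex(w) for w in call["in_words"]])
```

Run against the event above, the parser reports a vendor-defined device type (0x8001), function 0x801, METHOD_BUFFERED with FILE_ANY_ACCESS, and a 16-byte input buffer whose third and fourth DWORDs are 0xad0000 and 0x2000, the same values sitting in edi and ebx in the "in" cpuContext, which is the kind of cross-check the register dump makes possible.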
What can I say... a really powerful tool!
See you in the next post... :)
