Low blog activity is due to work and real-life trials; soon I'll be free and I'll release something new.. 🙂
Hosted by my second blog
The ability to detect suspicious or malicious binaries in a network stream is one of the fundamental risk mitigation techniques: only by knowing what flows through a traffic stream can you choose the most effective countermeasure.
Here is nPEiD (Network PEiD), which lets you detect binary packers in a network stream.
It's Sunday morning, today allow me to write some non-technical stuff; this blog is a container of all my life, 98% tech 2% human.. so I want to flush my empty head this morning, just because flushing into a file tastes more ordered, and order implies clarity..
There are periods in life that have a well defined smell, something that is mixed up with many situations, external and internal factors..
Certain months with a precise weather, temperature, wind, sun or rain..but also time situations, work/study that begins or ends, certain people around you..nice or bad mental predispositions and happenings..
All these factors print in you a precise smell of that period of life..
There are, in life, nice perfumes and bad ones..
Today all around me smells like a black period of my life, full of horrible torturing uncertainty, all smells like the past sorrow and doom, but it's only the mind torturing the smell..
Smell of the past?
Fear that the past could become present, and the future does not exist?
Fear, fear, fear, but also hope, a big hope full of light that, like an unpleasant perfume, it will vanish…
or the one that will vanish will again be myself?
I hope that this suffocating perfume will be only the smell of the past, and not the crude reality of the present..
Lost lost lost.. Burzum's Draungen picture represents this perfume perfectly..and this uncertain Sunday of another spring..
See you at the next post.. I promise..a tech one 🙂
In the previous post we saw the basic skeleton of a PnP Filter Driver. After that short detour, we will now look at the basic data transaction capture mechanism, so we will consider only IRP_MJ_DEVICE_CONTROL, to work with IOCTLs, and simply pass the other IRPs down.
After hooking the Dispatch Table of the Next Lower Device (the FDO) we obviously have to implement the IOCTL management system.
```c
NTSTATUS MyInternalIOCTLCompletion(PDEVICE_OBJECT fido, PIRP Irp, PVOID inContext)
{
    // Restore the fields of the lower driver's IO_STACK_LOCATION that were saved before hooking
    PIRP_STACK_CONTEXT Context = (PIRP_STACK_CONTEXT)inContext;
    Context->Stack->CompletionRoutine = Context->CompletionRoutine;
    Context->Stack->Context = Context->Context;
    Context->Stack->Control = Context->Control;
    // ... the completed IOCTL can be dumped/logged here
```
Now we are in the IOCTL routine, so we can dump/log whatever we want 🙂
Finally we have to spend some words on FDO hooking; after that you will be able to understand the basic structure of a Filter Driver.
Locating our FiDO's DEVICE_EXTENSION is accomplished by replacing the IRP_MJ_INTERNAL_DEVICE_CONTROL callback of the FDO (the lower driver's FDO, not our filter device object); the FDO's AttachedDevice field can then be used to recover our filter's device object.
```c
NTSTATUS FdoHookDispatchPnp(PDEVICE_OBJECT DeviceObject, // The FDO Device Object
                            PIRP Irp)
{
    // The FDO's AttachedDevice is our filter device object (FiDO), so its extension is reachable from here
    PDEVICE_OBJECT FilterDeviceObject = DeviceObject->AttachedDevice;
    PDEVICE_EXTENSION deviceExtension = (PDEVICE_EXTENSION)FilterDeviceObject->DeviceExtension;
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);

    // Provide Additional Information for IRP_MN_QUERY_INTERFACE
    if (irpStack->MinorFunction == IRP_MN_QUERY_INTERFACE) {
        // ...
    }

    // Final FDO restoring: Call The FDO's Original IRP_MJ_PNP Callback
    return (deviceExtension->OriginalLowerDriverObject)->MajorFunction[IRP_MJ_PNP](DeviceObject, Irp);
}
```
Here ends our basic filter driver. Now we need to study how to dump and interpret the collected data, and to do this we have to analyse the URB format. A URB (USB Request Block) is the basic structure for every USB request; specifically, this request is used to send or receive data to or from a specific USB endpoint on a specific USB device in an asynchronous manner.
The best source for studying the URB structs is obviously MSDN. The first important structure is _URB_HEADER, which provides basic information about the request for the host controller driver.
```c
void DumpURB(struct Buffer *b, PURB pUrb, BOOLEAN bReturnedFromHCD)
{
    USHORT wFunction, wLength;
    USBD_STATUS lUsbdStatus;

    // Every URB starts with an _URB_HEADER: total length, function code and USBD status
    wFunction = pUrb->UrbHeader.Function;
    wLength = pUrb->UrbHeader.Length;
    lUsbdStatus = pUrb->UrbHeader.Status;
    // ... then switch on wFunction to decode the body (cases follow)
```
Status values are defined in usbdi.h as USBD_STATUS_XXX, and these values can be printed, so here our real sniffing procedure begins 🙂
```c
#define URB_SELECT_CONFIGURATION_SIZE 24

struct _URB_SELECT_CONFIGURATION *pSelectConfiguration = (struct _URB_SELECT_CONFIGURATION *) pUrb;
// Sanity-check the header length before touching the body
if (pSelectConfiguration->Hdr.Length < URB_SELECT_CONFIGURATION_SIZE)
    BufferPrintf(b, "!!! Hdr.Length is wrong! (is: %d, should be at least: %d)\n",
                 pSelectConfiguration->Hdr.Length, URB_SELECT_CONFIGURATION_SIZE);
// NULL when the client is deconfiguring the device, so check it before dereferencing
PUSB_CONFIGURATION_DESCRIPTOR pCD = pSelectConfiguration->ConfigurationDescriptor;
```
Now we can print the entire pCD struct: pCD->bLength, pCD->bDescriptorType, pCD->wTotalLength, pCD->bNumInterfaces, pCD->bConfigurationValue, pCD->iConfiguration, pCD->bmAttributes, pCD->MaxPower.
For interface information we can print PUSBD_INTERFACE_INFORMATION in the same way, and any other information can be retrieved likewise. Now we will consider the
URB_FUNCTION_SELECT_INTERFACE switch case, where we can access _URB_SELECT_INTERFACE. USB client drivers set up this structure to select an alternate setting for an interface or to change the maximum packet size of a pipe in the current configuration on a USB device.
URB_FUNCTION_SELECT_INTERFACE can be accessed in this way:
```c
struct _URB_SELECT_INTERFACE *pSelectInterface = (struct _URB_SELECT_INTERFACE *) pUrb;
```
and next we can enumerate all its members in the same way..
The same thing can be done for:
and the Data Transaction structs:
which are a bit more complex because they are used by USB client drivers to perform data transactions.
```c
struct _URB_CONTROL_TRANSFER *pControlTransfer = (struct _URB_CONTROL_TRANSFER *) pUrb;
```
The complexity comes from the TransferBuffer, which is a pointer to the buffer for the transfer and can be either a resident buffer or an MDL.
So we have to dump the TransferBuffer and/or the PipeHandle separately.
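The interpretation step described above (reading Length, Function and Status from the _URB_HEADER, classifying the USBD status, and refusing to dereference the body when Hdr.Length is too small) as an added user-mode example, not code from the post's driver; it decodes a constructed little-endian capture, and the minimum length of 8 for functions other than SELECT_CONFIGURATION is an assumption of this demo, not a WDK value:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* URB function codes from usb.h (subset). */
#define URB_FUNCTION_SELECT_CONFIGURATION       0x0000
#define URB_FUNCTION_SELECT_INTERFACE           0x0001
#define URB_FUNCTION_CONTROL_TRANSFER           0x0008
#define URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER 0x0009
/* The first three _URB_HEADER fields as read back from a captured buffer (little-endian). */
struct urb_hdr { uint16_t length; uint16_t function; uint32_t status; };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
const char *urb_function_name(uint16_t f) {
    switch (f) {
    case URB_FUNCTION_SELECT_CONFIGURATION:       return "SELECT_CONFIGURATION";
    case URB_FUNCTION_SELECT_INTERFACE:           return "SELECT_INTERFACE";
    case URB_FUNCTION_CONTROL_TRANSFER:           return "CONTROL_TRANSFER";
    case URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER: return "BULK_OR_INTERRUPT_TRANSFER";
    default:                                      return "UNKNOWN";
    }
}
/* Same split as the USBD_PENDING / USBD_ERROR / USBD_SUCCESS macros in usb.h. */
const char *usbd_status_class(uint32_t s) {
    if ((s >> 30) == 1)  return "PENDING";   /* 0x4xxxxxxx */
    if (s & 0x80000000u) return "ERROR";     /* sign bit set, e.g. USBD_STATUS_STALL_PID 0xC0000004 */
    return "SUCCESS";
}
/* Minimum Hdr.Length accepted per function: 24 is the post's URB_SELECT_CONFIGURATION_SIZE,
 * 8 (just the fields read here) is an assumption for this demo, not a WDK value. */
static uint16_t min_length_for(uint16_t f) {
    return f == URB_FUNCTION_SELECT_CONFIGURATION ? 24 : 8;
}
/* 0 = plausible URB; -1 = capture truncated or Hdr.Length too small for the function
 * (the post's "Hdr.Length is wrong" case), in which case the body must not be dereferenced. */
int parse_urb_header(const uint8_t *buf, size_t n, struct urb_hdr *out) {
    if (buf == NULL || n < 8) return -1;
    out->length = rd16(buf); out->function = rd16(buf + 2); out->status = rd32(buf + 4);
    return (out->length < min_length_for(out->function) || out->length > n) ? -1 : 0;
}
int main(void) {
    /* Constructed capture: 24-byte SELECT_CONFIGURATION URB completed with USBD_STATUS_SUCCESS. */
    uint8_t cap[24] = { 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
    struct urb_hdr h;
    if (parse_urb_header(cap, sizeof cap, &h) == 0)
        printf("URB %s len=%u status=%s\n", urb_function_name(h.function), (unsigned)h.length, usbd_status_class(h.status));
    return 0;
}
```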
In the next post we will see some other structs and some other particularities to consider during the sniffing process 😉
See you at the next post.. 🙂
Finally the day is finished, and the Dark came with its Deadly Silence…
Good Night Darkness