I know it's a POC, but I thought it would be good to fix this anyway -

- There is a stack buffer overflow reading the 'pid' from user mode. Replace inBufferLength with sizeof(pid).

  HideProcess/driver/irphandlers.c, line 60 in 99d7a72:

  ```c
  strcpy_s(pid, inBufferLength, inBuf);
  ```

- The output buffer's length is not checked.

  HideProcess/driver/irphandlers.c, line 92 in 99d7a72:

  ```c
  RtlCopyBytes(buffer, data, outBufferLength);
  ```

- This memory is not freed anywhere.

  HideProcess/driver/hideprocess.c, line 7 in 99d7a72:

  ```c
  LPSTR result = ExAllocatePool(NonPagedPool, sizeof(ULONG) + 20);
  ```

- This buffer was allocated with length=(sizeof(ULONG) + 20), why is the param to sprintf_s longer?

  HideProcess/driver/hideprocess.c, line 29 in 99d7a72:

  ```c
  sprintf_s(result, 2 * sizeof(ULONG) + 30, "Found offsets: %lu & %lu", PID_OFFSET, LIST_OFFSET);
  ```

- This string is not used anywhere (copied from the Microsoft ioctl sample :) ).

  HideProcess/driver/irphandlers.c, line 43 in 99d7a72:

  ```c
  PCHAR data = "This String is from Device Driver !!!";
  ```

- Here, you use 'datalen', which is the length of the string from the sample, instead of the real result string:

  HideProcess/driver/irphandlers.c, line 95 in 99d7a72:

  ```c
  Irp->IoStatus.Information = (outBufferLength < datalen ? outBufferLength : datalen);
  ```