Open repnz opened 5 years ago
I know it's a POC, but I thought it would be good to fix this anyway -
1) There is a stack buffer overflow reading the 'pid' from user mode. Replace inBufferLength with sizeof(pid). https://github.com/landhb/HideProcess/blob/99d7a72900191a801925406b678fd1c493fc8e28/driver/irphandlers.c#L60
2) The output buffer's length is not checked https://github.com/landhb/HideProcess/blob/99d7a72900191a801925406b678fd1c493fc8e28/driver/irphandlers.c#L92
3) This memory is not freed anywhere https://github.com/landhb/HideProcess/blob/99d7a72900191a801925406b678fd1c493fc8e28/driver/hideprocess.c#L7
4) This buffer was allocated with length=(sizeof(ULONG) + 20), why is the param to sprintf_s longer? https://github.com/landhb/HideProcess/blob/99d7a72900191a801925406b678fd1c493fc8e28/driver/hideprocess.c#L29
5) This string is not used anywhere (copied from the Microsoft ioctl sample :) ) https://github.com/landhb/HideProcess/blob/99d7a72900191a801925406b678fd1c493fc8e28/driver/irphandlers.c#L43
6) Here, you use 'datalen' which is the length of the string from the sample instead of the real result string: https://github.com/landhb/HideProcess/blob/99d7a72900191a801925406b678fd1c493fc8e28/driver/irphandlers.c#L95
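Added example (not code from the HideProcess repository or from the issue author): a portable C model of a METHOD_BUFFERED IOCTL handler that applies the fixes the issue asks for in items 1, 2, 4 and 6: copy exactly `sizeof(pid)` from the input buffer only after checking the caller supplied that many bytes, size the formatting call to the allocation, reject output buffers that are too small before writing, and report the real number of bytes written. The `ULONG`/`NTSTATUS` typedefs, the status constants and the `IoctlRequest` struct are stand-ins for the WDK types (no real driver headers are used), and the `"Hidden %lu"` reply text is an assumption made for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for WDK types and status codes (not the real headers). */
typedef uint32_t ULONG;
typedef int32_t  NTSTATUS;
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000)
#define STATUS_BUFFER_TOO_SMALL  ((NTSTATUS)0xC0000023)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000D)

/* Item 4: one constant for the buffer size, reused by the formatting call. */
#define RESPONSE_BUFFER_SIZE (sizeof(ULONG) + 20)

/* Model of what a METHOD_BUFFERED handler sees: one SystemBuffer that carries
 * the input and is then overwritten with the output; Information mirrors
 * Irp->IoStatus.Information (bytes actually written back). */
typedef struct {
    void   *SystemBuffer;
    size_t  InputBufferLength;
    size_t  OutputBufferLength;
    size_t  Information;
} IoctlRequest;

NTSTATUS HandleHidePid(IoctlRequest *req)
{
    ULONG pid;
    char  response[RESPONSE_BUFFER_SIZE];
    int   needed;
    size_t resultLen;

    /* Item 1: never copy InputBufferLength bytes into a fixed-size local.
     * Require at least sizeof(pid) and copy exactly that many bytes. */
    if (req->SystemBuffer == NULL || req->InputBufferLength < sizeof(pid))
        return STATUS_INVALID_PARAMETER;
    memcpy(&pid, req->SystemBuffer, sizeof(pid));

    /* Item 4: the size passed to the formatter is the real size of the buffer. */
    needed = snprintf(response, sizeof(response), "Hidden %lu", (unsigned long)pid);
    if (needed < 0 || (size_t)needed >= sizeof(response))
        return STATUS_INVALID_PARAMETER; /* would have truncated: refuse */
    resultLen = (size_t)needed + 1;      /* include the terminating NUL */

    /* Item 2: check the output buffer before writing a single byte into it. */
    if (req->OutputBufferLength < resultLen) {
        req->Information = 0;
        return STATUS_BUFFER_TOO_SMALL;
    }
    memcpy(req->SystemBuffer, response, resultLen);

    /* Item 6: report the length of the string actually produced, not a
     * constant carried over from the sample code. */
    req->Information = resultLen;
    return STATUS_SUCCESS;
}

/* Convenience wrapper: run one request against a caller-supplied buffer. */
NTSTATUS RunHidePid(unsigned char *buf, size_t inLen, size_t outLen, size_t *written)
{
    IoctlRequest req = { buf, inLen, outLen, 0 };
    NTSTATUS st = HandleHidePid(&req);
    if (written)
        *written = req.Information;
    return st;
}

int main(void)
{
    unsigned char buf[64] = {0};
    ULONG pid = 1234;            /* constructed sample PID */
    size_t written = 0;

    memcpy(buf, &pid, sizeof(pid));
    printf("ok:        0x%08x, wrote %zu bytes: %s\n",
           (unsigned)RunHidePid(buf, sizeof(pid), sizeof(buf), &written), written, buf);
    memcpy(buf, &pid, sizeof(pid));
    printf("short in:  0x%08x\n", (unsigned)RunHidePid(buf, 2, sizeof(buf), &written));
    memcpy(buf, &pid, sizeof(pid));
    printf("short out: 0x%08x, wrote %zu bytes\n",
           (unsigned)RunHidePid(buf, sizeof(pid), 4, &written), written);
    return 0;
}
```

The same shape carries over to a real driver: `InputBufferLength`, `OutputBufferLength` and `SystemBuffer` come from the current `IO_STACK_LOCATION` and the IRP, and `Information` is what gets stored in `Irp->IoStatus.Information` before completing the request. The third item in the issue (the buffer allocated in hideprocess.c and never freed) is a separate fix, pairing the allocation with a matching free on every exit path.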