Determining Supported IOCTL Codes
The IOCTL dispatch routine commonly will perform various actions based on the value of the code being passed in to the routine. We want to be able to exercise each of the possible paths that are determined by the IOCTL code, which is why we go to all the trouble of finding these values. Let's first examine what the C source code for a skeleton IOCTL dispatch function would look like, and then we'll see how to decode the assembly to retrieve the IOCTL code values. Example 10-5 shows a typical IOCTL dispatch routine.
Example 10-5. A simplified IOCTL dispatch routine with three supported IOCTL codes (0x1337, 0x1338, 0x1339)
NTSTATUS IOCTLDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) { ULONG FunctionCode; ...Get Gray Hat Python now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
