


Windows Kernel stack memory disclosure in DeviceApi (PiDqIrpQueryGetResult, PiDqIrpQueryCreate, PiDqQueryCompletePendedIrp)

We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 10 through the PiDqIrpQueryGetResult, PiDqIrpQueryCreate and PiDqQueryCompletePendedIrp IOCTLs sent to the \Device\DeviceApi device. The analysis shown below was performed on 32-bit Windows 10.

The output buffer size expected for each of the aforementioned IOCTLs is 16 (0x10), and the copying of the output data takes place in the nt!PiDqIrpComplete function (disassembly listing not recovered from the page). Clearly, all 16 bytes are unconditionally copied from kernel to user-mode memory.

In the cases of all three IOCTL handlers, the kernel copies of the structure are placed on the local stack. Interestingly, the only function responsible for filling out the structure (nt!PiDqQueryGetNextIoctlInfo) only ever touches its first 8 bytes (disassembly listing at PAGE:00681867 not recovered from the page). The remaining 8 bytes are therefore copied out to the caller exactly as the stack slot left them.
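The bug class described above, a partially initialized stack structure that is then copied out in full, is easy to model outside the kernel. The following is an added user-mode C example, not code from the advisory or from Windows: the structure layout, the function names fill_first_8_bytes and complete_copy, and the 0xAA "stale stack" pattern are all assumptions chosen to mirror the advisory's description (a 16-byte output, only the first 8 bytes written). It places the vulnerable pattern next to the fix a defender would expect, zeroing the structure before the partial fill, and counts how many bytes of stale data reach the output in each case.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 16-byte result structure, modelled on the advisory's
   description: 8 bytes are populated, 8 bytes are never written.
   Field names are assumptions, not the real kernel layout. */
typedef struct {
    uint32_t first;    /* bytes 0..3, written by the fill routine */
    uint32_t second;   /* bytes 4..7, written by the fill routine */
    uint8_t  tail[8];  /* bytes 8..15, never written by the fill routine */
} query_result_t;

#define RESULT_SIZE 16
_Static_assert(sizeof(query_result_t) == RESULT_SIZE, "layout must be 16 bytes");

/* A stack slot whose previous contents we control, so the leak is
   observable deterministically (reading genuinely uninitialized memory
   is undefined behaviour and would make the demo flaky). */
typedef union {
    query_result_t result;
    uint8_t raw[RESULT_SIZE];
} stack_slot_t;

/* Stands in for nt!PiDqQueryGetNextIoctlInfo: touches only the first 8 bytes. */
static void fill_first_8_bytes(query_result_t *r, uint32_t a, uint32_t b) {
    r->first = a;
    r->second = b;
}

/* Stands in for nt!PiDqIrpComplete: unconditionally copies all 16 bytes out. */
static void complete_copy(uint8_t out[RESULT_SIZE], const query_result_t *r) {
    memcpy(out, r, RESULT_SIZE);
}

/* Vulnerable pattern: the structure is used as the stack left it. */
void vulnerable_handler(stack_slot_t *slot, uint8_t out[RESULT_SIZE]) {
    query_result_t *result = &slot->result;   /* no initialization */
    fill_first_8_bytes(result, 1, 2);
    complete_copy(out, result);               /* bytes 8..15 are stale stack data */
}

/* Hardened pattern: zero the whole structure before the partial fill,
   so the copy can never carry stale stack bytes. */
void hardened_handler(stack_slot_t *slot, uint8_t out[RESULT_SIZE]) {
    query_result_t *result = &slot->result;
    memset(result, 0, sizeof(*result));       /* the fix */
    fill_first_8_bytes(result, 1, 2);
    complete_copy(out, result);
}

/* Runs a handler against a constructed stale pattern (0xAA) and returns how
   many of the 8 unwritten output bytes still hold that pattern. */
int leaked_bytes(void (*handler)(stack_slot_t *, uint8_t *)) {
    stack_slot_t slot;
    uint8_t out[RESULT_SIZE];
    memset(slot.raw, 0xAA, RESULT_SIZE);      /* constructed "leftover" stack contents */
    handler(&slot, out);
    int n = 0;
    for (int i = 8; i < RESULT_SIZE; i++) {
        if (out[i] == 0xAA) n++;
    }
    return n;
}

/* Confirms the hardened path still delivers the populated fields. */
uint32_t first_field_after(void (*handler)(stack_slot_t *, uint8_t *)) {
    stack_slot_t slot;
    uint8_t out[RESULT_SIZE];
    memset(slot.raw, 0xAA, RESULT_SIZE);
    handler(&slot, out);
    uint32_t v;
    memcpy(&v, out, sizeof(v));
    return v;
}

int main(void) {
    printf("vulnerable: %d stale bytes reach the caller\n", leaked_bytes(vulnerable_handler));
    printf("hardened:   %d stale bytes reach the caller\n", leaked_bytes(hardened_handler));
    return 0;
}
```

The same check generalizes to any kernel output path: if the size passed to the copy-out exceeds the number of bytes the fill routine is guaranteed to write, the difference is a disclosure of whatever occupied that memory before, and zero-initializing the structure at declaration (or memset before the first partial write) closes the gap.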
