Multiple bugs in the driver's implementation
I know it's a POC, but I thought it would be good to fix this anyway:

- There is a stack buffer overflow reading the 'pid' from user mode. Replace inBufferLength with sizeof(pid). https://github.com/landhb/HideProcess/blob/99d7a72900191a801925406b678fd1c493fc8e28/driver/irphandlers.c#L60
- The output buffer's length is not checked: https://github.com/landhb/HideProcess/blob/99d7a72900191a801925406b678fd1c493fc8e28/driver/irphandlers.c#L92
- This memory is not freed anywhere: https://github.com/landhb/HideProcess/blob/99d7a72900191a801925406b678fd1c493fc8e28/driver/hideprocess.c#L7
- This buffer was allocated with length=(sizeof(ULONG) + 20), why is the param to sprintf_s longer? https://github.com/landhb/HideProcess/blob/99d7a72900191a801925406b678fd1c493fc8e28/driver/hideprocess.c#L29
- This string is not used anywhere (copied from the Microsoft ioctl sample :) ): https://github.com/landhb/HideProcess/blob/99d7a72900191a801925406b678fd1c493fc8e28/driver/irphandlers.c#L43
- Here, you use 'datalen', which is the length of the string from the sample, instead of the real result string: https://github.com/landhb/HideProcess/blob/99d7a72900191a801925406b678fd1c493fc8e28/driver/irphandlers.c#L95
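As an added, host-side C model of the length handling the items above ask for (this is example code, not the project's driver): the pid is copied with sizeof(pid) rather than the caller-supplied input length, the output buffer length is validated before anything is written, the reply is formatted with the real size of its buffer, and the number of bytes actually produced is what gets reported back. The function names, the status enum and the 20-byte reply size are constructed for this example; snprintf stands in for sprintf_s and plain pointer/length pairs stand in for the IRP buffers, and the reply lives on the stack so there is nothing to free.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes for the handler (constructed for this example, not the driver's own). */
enum ioctl_status {
    IOCTL_OK = 0,
    IOCTL_INPUT_TOO_SHORT,   /* caller passed fewer bytes than sizeof(pid) */
    IOCTL_INPUT_TOO_LONG,    /* refuse larger input too: never copy inBufferLength bytes */
    IOCTL_OUTPUT_TOO_SMALL,  /* the reply does not fit the caller's output buffer */
    IOCTL_INTERNAL_ERROR     /* formatting overflowed our own bounded reply buffer */
};

/* Reply buffer sized like the (sizeof(ULONG) + 20) allocation discussed in the issue. */
#define REPLY_TEXT_LEN 20
#define REPLY_BUF_LEN  (sizeof(uint32_t) + REPLY_TEXT_LEN)

/* Hardened handler: every length the caller controls is checked before it is used. */
enum ioctl_status handle_hide_pid(const void *in_buf, size_t in_len,
                                  void *out_buf, size_t out_len,
                                  size_t *bytes_written)
{
    uint32_t pid;               /* stack variable: copy exactly sizeof(pid), never in_len */
    char reply[REPLY_BUF_LEN];  /* bounded result buffer; its real size is passed to snprintf */
    int n;

    *bytes_written = 0;

    /* 1. Input length check: the sizeof(pid) bound the issue asks for. */
    if (in_len < sizeof(pid)) return IOCTL_INPUT_TOO_SHORT;
    if (in_len > sizeof(pid)) return IOCTL_INPUT_TOO_LONG;
    memcpy(&pid, in_buf, sizeof(pid));

    /* 2. Format with the buffer's actual size, not a larger constant. */
    n = snprintf(reply, sizeof(reply), "Hidden PID %u", (unsigned)pid);
    if (n < 0 || (size_t)n >= sizeof(reply)) return IOCTL_INTERNAL_ERROR;

    /* 3. Output length check: reply plus terminating NUL must fit before writing. */
    if (out_len < (size_t)n + 1) return IOCTL_OUTPUT_TOO_SMALL;
    memcpy(out_buf, reply, (size_t)n + 1);

    /* 4. Report the length really produced, not the length of a sample string. */
    *bytes_written = (size_t)n + 1;
    return IOCTL_OK;
}

/* Runs one call with a constructed 8-byte input holding pid 1234 and a 32-byte output. */
enum ioctl_status run_case(size_t in_len, size_t out_len)
{
    uint32_t pid = 1234;
    uint8_t in[8] = {0};
    char out[32];
    size_t written = 0;
    memcpy(in, &pid, sizeof(pid));
    return handle_hide_pid(in, in_len, out, out_len, &written);
}

/* Same call, but returns how many bytes the handler reported writing. */
size_t bytes_for_case(size_t in_len, size_t out_len)
{
    uint32_t pid = 1234;
    uint8_t in[8] = {0};
    char out[32];
    size_t written = 0;
    memcpy(in, &pid, sizeof(pid));
    handle_hide_pid(in, in_len, out, out_len, &written);
    return written;
}

int main(void)
{
    printf("exact input, room for reply: status=%d bytes=%zu\n",
           run_case(4, 32), bytes_for_case(4, 32));
    printf("short input: status=%d\n", run_case(2, 32));
    printf("oversized input: status=%d\n", run_case(8, 32));
    printf("small output buffer: status=%d bytes=%zu\n",
           run_case(4, 8), bytes_for_case(4, 8));
    return 0;
}
```

The shape to carry back into the driver is the order of operations: validate the input length against the size of the variable you copy into, format into a buffer using that buffer's own size, check the caller's output length against the real result, and only then copy and set the returned byte count.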