Mr. eXoDia was very quick in fixing the bug I described a few days ago. That's great work! 🙂
This is part of his new code:
    ...
    if (IsHidden)
    {
        Log("[TITANHIDE] NtSetContextThread by %d\n", pid);
        __try
        {
            // Probe the user-mode ContextFlags field before touching it
            ProbeForWrite(&Context->ContextFlags, sizeof(ULONG), 1);
            // Remember the caller's flags, then mask the debug-register request out of the CONTEXT
            OriginalContextFlags = Context->ContextFlags;
            Context->ContextFlags &= ~CONTEXT_DEBUG_REGISTERS;
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            // Probe or access failed: forward the call as received
            return Undocumented::NtSetContextThread(ThreadHandle, Context);
        }
    }
    NTSTATUS ret = Undocumented::NtSetContextThread(ThreadHandle, Context);
    ...
There are two bugs hiding in this short snippet. Can you spot them?
Hints
Bug #1 is old and breaks the functionality of SetContextThread. It's much easier to spot in disassembly than in source code.
Bug #2 makes it easy to bypass TitanHide. It was introduced in this commit.
Let the analysis begin! I'm waiting for your comments. 🙂
Being really curious what the second bug is to bypass TitanHide... The first probably has something to do with CONTEXT_DEBUG_REGISTERS, which also removes the CONTEXT_AMD64 flag, which should break things (but somehow doesn't in the real world)...
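The flag arithmetic behind hint #1 (and behind the guess in the comment above) can be checked without a kernel. The following is an added example, not code from the original post or from TitanHide: it redefines the CONTEXT_* constants with the values winnt.h assigns them for AMD64 and x86 (suffixed here so the file builds on any platform) and applies the snippet's mask to a few realistic ContextFlags values. On both architectures CONTEXT_DEBUG_REGISTERS already contains the architecture bit (CONTEXT_AMD64 / CONTEXT_i386), so `flags &= ~CONTEXT_DEBUG_REGISTERS` clears that bit as well; the second helper clears only the debug-register selector bit.

```c
#include <stdio.h>
#include <stdint.h>

typedef uint32_t ULONG;

/* CONTEXT_* values exactly as winnt.h defines them for each architecture,
 * redefined with an architecture suffix so this file builds off Windows.
 * On both architectures CONTEXT_DEBUG_REGISTERS is (architecture bit | 0x10),
 * i.e. the architecture identifier is part of the constant. */
#define CTX_AMD64                 0x00100000u
#define CTX_AMD64_CONTROL         (CTX_AMD64 | 0x01u)
#define CTX_AMD64_INTEGER         (CTX_AMD64 | 0x02u)
#define CTX_AMD64_FLOATING_POINT  (CTX_AMD64 | 0x08u)
#define CTX_AMD64_DEBUG_REGISTERS (CTX_AMD64 | 0x10u)
#define CTX_AMD64_FULL (CTX_AMD64_CONTROL | CTX_AMD64_INTEGER | CTX_AMD64_FLOATING_POINT)

#define CTX_I386                  0x00010000u
#define CTX_I386_CONTROL          (CTX_I386 | 0x01u)
#define CTX_I386_DEBUG_REGISTERS  (CTX_I386 | 0x10u)

/* Exactly what the snippet does: flags &= ~CONTEXT_DEBUG_REGISTERS. */
ULONG strip_dr_as_in_snippet(ULONG flags, ULONG ctx_debug_registers)
{
    return flags & ~ctx_debug_registers;
}

/* Clear only the debug-register selector bit and keep the architecture bit. */
ULONG strip_dr_keep_arch(ULONG flags, ULONG ctx_arch, ULONG ctx_debug_registers)
{
    return flags & ~(ctx_debug_registers & ~ctx_arch);
}

/* Bits the snippet's mask removes that are not the debug-register selector bit. */
ULONG collateral_bits(ULONG flags, ULONG ctx_arch, ULONG ctx_debug_registers)
{
    ULONG dr_only = ctx_debug_registers & ~ctx_arch;
    return flags & ~strip_dr_as_in_snippet(flags, ctx_debug_registers) & ~dr_only;
}

static void show(const char *label, ULONG flags, ULONG ctx_arch, ULONG ctx_debug_registers)
{
    printf("%-28s in=0x%06X  snippet=0x%06X  keep_arch=0x%06X  lost=0x%06X\n",
           label, flags,
           strip_dr_as_in_snippet(flags, ctx_debug_registers),
           strip_dr_keep_arch(flags, ctx_arch, ctx_debug_registers),
           collateral_bits(flags, ctx_arch, ctx_debug_registers));
}

int main(void)
{
    /* A debugger setting hardware breakpoints: CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS. */
    show("amd64 FULL|DEBUG_REGISTERS", CTX_AMD64_FULL | CTX_AMD64_DEBUG_REGISTERS,
         CTX_AMD64, CTX_AMD64_DEBUG_REGISTERS);
    /* A caller that never asked for debug registers still loses CONTEXT_AMD64. */
    show("amd64 CONTROL only", CTX_AMD64_CONTROL, CTX_AMD64, CTX_AMD64_DEBUG_REGISTERS);
    /* Same pattern on x86 with CONTEXT_i386. */
    show("i386 CONTROL|DEBUG_REGISTERS", CTX_I386_CONTROL | CTX_I386_DEBUG_REGISTERS,
         CTX_I386, CTX_I386_DEBUG_REGISTERS);
    return 0;
}
```

The `lost` column is the architecture bit in every row, including the one where the caller never requested debug registers at all; in the disassembly this is simply an `and` with `0xFFEFFFEF` instead of `0xFFFFFFEF`. Whether the kernel then rejects or silently accepts a CONTEXT with a missing architecture bit is not shown by this arithmetic, which is the open point raised in the comment above.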