2,644
社区成员
发帖
与我相关
我的任务
分享DeviceIoControl出错返回ERROR_SEM_TIMEOUT(121)
某款手机有个后门,使用官方的PC工具可以轻易的访问手机,我通过API Monitor监控发现它通过DeviceIoControl向此手机的USB连接发出了一个IOCTL_SCSI_PASS_THROUGH指令。我将监控的数据抓下来,完全照抄通过DeviceIoControl发过去,发现实际是成功的(即能成功打开手机的这个后门),但DeviceIoControl却返回失败,GetLastError值为ERROR_SEM_TIMEOUT(121),即所谓的信号超时。而实际上,DeviceIoControl中设置的超时值很长,调用时是立即返回失败。
另外,我有使用Bus Hound这个软件监控USB通信,并且使用其模拟发送指令的功能,与上面的情况类似,发送失败(提示的错误是bus reset),但实际上也能成功打开手机的后门。
不知道哪位大虾有此经验,这倒底是什么问题?
另外,我有使用Bus Hound这个软件监控USB通信,并且使用其模拟发送指令的功能,与上面的情况类似,发送失败(提示的错误是bus reset),但实际上也能成功打开手机的后门。
不知道哪位大虾有此经验,这倒底是什么问题?
...全文
请发表友善的回复…
发表回复
MapleInHG 2011-08-23
- 打赏
- 举报
暂时hold住,等我自己研究出来了再与大家分享
MapleInHG 2011-07-06
- 打赏
- 举报
另外,使用Bus Hound监控,也只发现有一个调用
Bus Hound 6.01 capture on Windows XP Service Pack 3 (x86). Complements of www.perisoft.net
Device - Device ID (followed by the endpoint for USB devices)
Phase - Phase Type
CMD SCSI/ATAPI command
SENSE SCSI sense data
ok command complete
Data - Hex dump of the data transferred
Descr - Description of the phase
Cmd... - Position in the captured data
Device Phase Data Description Cmd.Phase.Ofs(rep)
------ ----- ------------------------------------------------------------------------------------------------------ -------------------------------- ------------------
media 1.2.0
32 CMD 16 68 74 63 80 01 RESERVE 17.1.0
32 ok
Bus Hound 6.01 capture on Windows XP Service Pack 3 (x86). Complements of www.perisoft.net
Device - Device ID (followed by the endpoint for USB devices)
Phase - Phase Type
CMD SCSI/ATAPI command
SENSE SCSI sense data
ok command complete
Data - Hex dump of the data transferred
Descr - Description of the phase
Cmd... - Position in the captured data
Device Phase Data Description Cmd.Phase.Ofs(rep)
------ ----- ------------------------------------------------------------------------------------------------------ -------------------------------- ------------------
media 1.2.0
32 CMD 16 68 74 63 80 01 RESERVE 17.1.0
32 ok
MapleInHG 2011-07-06
- 打赏
- 举报
多谢提醒,不过好像没有发现有其它的调用,API Monitor的监控序列:
5 4936 ADVAPI32.dll DeviceIoControl ( 0x00000098, 3735560, 0x77e16318, 256, 0x0013d588, 256, 0x0013d580, NULL TRUE
6 4936 kernel32.dll NtDeviceIoControlFile ( 0x00000098, NULL, NULL, NULL, 0x0013d3f4, 3735560, 0x77e16318, 256, 0x0013d588, 256 STATUS_SUCCESS
上面这个DeviceIoControl不知道是干什么的,因为没有找到它的第一个参数的句柄是从哪创建的,除了CreateFile,还有什么形式可以得到DeviceIoControl所需要的设备句柄?
下面这一段是枚举usb设备了,应该没有问题
9 7488 ARUWizard.exe SetupDiGetClassDevsW ( 0x004275c0, NULL, NULL, DIGCF_DEVICEINTERFACE | DIGCF_PRESENT 0x0026e220
10 7488 RPCRT4.dll CreateFileW ( "\\.\PIPE\lsarpc", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL 0x000000dc
11 7488 RPCRT4.dll CreateFileW ( "\\.\PIPE\lsarpc", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL 0x000000d8
12 7488 ADVAPI32.dll DeviceIoControl ( 0x00000098, 3735560, 0x77e16318, 256, 0x0131f200, 256, 0x0131f1f8, NULL TRUE
13 7488 kernel32.dll NtDeviceIoControlFile ( 0x00000098, NULL, NULL, NULL, 0x0131f06c, 3735560, 0x77e16318, 256, 0x0131f200, 256 STATUS_SUCCESS
14 7488 ADVAPI32.dll DeviceIoControl ( 0x00000098, 3735560, 0x77e16318, 256, 0x0131f200, 256, 0x0131f1f8, NULL TRUE
15 7488 kernel32.dll NtDeviceIoControlFile ( 0x00000098, NULL, NULL, NULL, 0x0131f06c, 3735560, 0x77e16318, 256, 0x0131f200, 256 STATUS_SUCCESS
16 7488 ADVAPI32.dll DeviceIoControl ( 0x00000098, 3735560, 0x77e16318, 256, 0x0131f200, 256, 0x0131f1f8, NULL TRUE
17 7488 kernel32.dll NtDeviceIoControlFile ( 0x00000098, NULL, NULL, NULL, 0x0131f06c, 3735560, 0x77e16318, 256, 0x0131f200, 256 STATUS_SUCCESS
18 7488 ADVAPI32.dll DeviceIoControl ( 0x00000098, 3735560, 0x77e16318, 256, 0x0131f200, 256, 0x0131f1f8, NULL TRUE
19 7488 kernel32.dll NtDeviceIoControlFile ( 0x00000098, NULL, NULL, NULL, 0x0131f06c, 3735560, 0x77e16318, 256, 0x0131f200, 256 STATUS_SUCCESS
20 7488 ADVAPI32.dll DeviceIoControl ( 0x00000098, 3735560, 0x77e16318, 256, 0x0131f200, 256, 0x0131f1f8, NULL TRUE
21 7488 kernel32.dll NtDeviceIoControlFile ( 0x00000098, NULL, NULL, NULL, 0x0131f06c, 3735560, 0x77e16318, 256, 0x0131f200, 256 STATUS_SUCCESS
22 7488 ADVAPI32.dll DeviceIoControl ( 0x00000098, 3735560, 0x77e16318, 256, 0x0131f200, 256, 0x0131f1f8, NULL TRUE
23 7488 kernel32.dll NtDeviceIoControlFile ( 0x00000098, NULL, NULL, NULL, 0x0131f06c, 3735560, 0x77e16318, 256, 0x0131f200, 256 STATUS_SUCCESS
24 7488 ADVAPI32.dll DeviceIoControl ( 0x00000098, 3735560, 0x77e16318, 256, 0x0131f200, 256, 0x0131f1f8, NULL TRUE
25 7488 kernel32.dll NtDeviceIoControlFile ( 0x00000098, NULL, NULL, NULL, 0x0131f06c, 3735560, 0x77e16318, 256, 0x0131f200, 256 STATUS_SUCCESS
26 7488 ARUWizard.exe SetupDiEnumDeviceInterfaces ( 0x0026e220, NULL, 0x004275c0, 0, 0x0131fdb8 TRUE
27 7488 ARUWizard.exe SetupDiGetDeviceInterfaceDetailW ( 0x0026e220, 0x0131fdb8, 0x0027ace8, 1024, NULL, NULL TRUE
28 7488 ARUWizard.exe SetupDiEnumDeviceInterfaces ( 0x0026e220, NULL, 0x004275c0, 1, 0x0131fdb8 TRUE
29 7488 ARUWizard.exe SetupDiGetDeviceInterfaceDetailW ( 0x0026e220, 0x0131fdb8, 0x0027ace8, 1024, NULL, NULL TRUE
30 7488 ARUWizard.exe SetupDiEnumDeviceInterfaces ( 0x0026e220, NULL, 0x004275c0, 2, 0x0131fdb8 FALSE 259 = 没有可用的数据了。
31 7488 ARUWizard.exe SetupDiDestroyDeviceInfoList ( 0x0026e220 TRUE
接下来就是我要关注的重点了,打开手机的这个设备
32 7488 ARUWizard.exe CreateFileW ( "\\?\usbstor#disk&ven_htc&prod_android_phone&rev_0100#7&7e333b7&0&sh13apl04235&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL 0x000000a4
发送控制命令
33 7488 ARUWizard.exe DeviceIoControl ( 0x000000a4, 315396, 0x0131fba4, 44, 0x0131fba4, 592, 0x0131fba0, NULL TRUE
34 7488 kernel32.dll NtDeviceIoControlFile ( 0x000000a4, NULL, NULL, NULL, 0x0131fa70, 315396, 0x0131fba4, 44, 0x0131fba4, 592 STATUS_SUCCESS
我用完全相同的参数就失败了
5 4936 ADVAPI32.dll DeviceIoControl ( 0x00000098, 3735560, 0x77e16318, 256, 0x0013d588, 256, 0x0013d580, NULL TRUE
6 4936 kernel32.dll NtDeviceIoControlFile ( 0x00000098, NULL, NULL, NULL, 0x0013d3f4, 3735560, 0x77e16318, 256, 0x0013d588, 256 STATUS_SUCCESS
上面这个DeviceIoControl不知道是干什么的,因为没有找到它的第一个参数的句柄是从哪创建的,除了CreateFile,还有什么形式可以得到DeviceIoControl所需要的设备句柄?
下面这一段是枚举usb设备了,应该没有问题
9 7488 ARUWizard.exe SetupDiGetClassDevsW ( 0x004275c0, NULL, NULL, DIGCF_DEVICEINTERFACE | DIGCF_PRESENT 0x0026e220
10 7488 RPCRT4.dll CreateFileW ( "\\.\PIPE\lsarpc", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL 0x000000dc
11 7488 RPCRT4.dll CreateFileW ( "\\.\PIPE\lsarpc", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL 0x000000d8
12 7488 ADVAPI32.dll DeviceIoControl ( 0x00000098, 3735560, 0x77e16318, 256, 0x0131f200, 256, 0x0131f1f8, NULL TRUE
13 7488 kernel32.dll NtDeviceIoControlFile ( 0x00000098, NULL, NULL, NULL, 0x0131f06c, 3735560, 0x77e16318, 256, 0x0131f200, 256 STATUS_SUCCESS
14 7488 ADVAPI32.dll DeviceIoControl ( 0x00000098, 3735560, 0x77e16318, 256, 0x0131f200, 256, 0x0131f1f8, NULL TRUE
15 7488 kernel32.dll NtDeviceIoControlFile ( 0x00000098, NULL, NULL, NULL, 0x0131f06c, 3735560, 0x77e16318, 256, 0x0131f200, 256 STATUS_SUCCESS
16 7488 ADVAPI32.dll DeviceIoControl ( 0x00000098, 3735560, 0x77e16318, 256, 0x0131f200, 256, 0x0131f1f8, NULL TRUE
17 7488 kernel32.dll NtDeviceIoControlFile ( 0x00000098, NULL, NULL, NULL, 0x0131f06c, 3735560, 0x77e16318, 256, 0x0131f200, 256 STATUS_SUCCESS
18 7488 ADVAPI32.dll DeviceIoControl ( 0x00000098, 3735560, 0x77e16318, 256, 0x0131f200, 256, 0x0131f1f8, NULL TRUE
19 7488 kernel32.dll NtDeviceIoControlFile ( 0x00000098, NULL, NULL, NULL, 0x0131f06c, 3735560, 0x77e16318, 256, 0x0131f200, 256 STATUS_SUCCESS
20 7488 ADVAPI32.dll DeviceIoControl ( 0x00000098, 3735560, 0x77e16318, 256, 0x0131f200, 256, 0x0131f1f8, NULL TRUE
21 7488 kernel32.dll NtDeviceIoControlFile ( 0x00000098, NULL, NULL, NULL, 0x0131f06c, 3735560, 0x77e16318, 256, 0x0131f200, 256 STATUS_SUCCESS
22 7488 ADVAPI32.dll DeviceIoControl ( 0x00000098, 3735560, 0x77e16318, 256, 0x0131f200, 256, 0x0131f1f8, NULL TRUE
23 7488 kernel32.dll NtDeviceIoControlFile ( 0x00000098, NULL, NULL, NULL, 0x0131f06c, 3735560, 0x77e16318, 256, 0x0131f200, 256 STATUS_SUCCESS
24 7488 ADVAPI32.dll DeviceIoControl ( 0x00000098, 3735560, 0x77e16318, 256, 0x0131f200, 256, 0x0131f1f8, NULL TRUE
25 7488 kernel32.dll NtDeviceIoControlFile ( 0x00000098, NULL, NULL, NULL, 0x0131f06c, 3735560, 0x77e16318, 256, 0x0131f200, 256 STATUS_SUCCESS
26 7488 ARUWizard.exe SetupDiEnumDeviceInterfaces ( 0x0026e220, NULL, 0x004275c0, 0, 0x0131fdb8 TRUE
27 7488 ARUWizard.exe SetupDiGetDeviceInterfaceDetailW ( 0x0026e220, 0x0131fdb8, 0x0027ace8, 1024, NULL, NULL TRUE
28 7488 ARUWizard.exe SetupDiEnumDeviceInterfaces ( 0x0026e220, NULL, 0x004275c0, 1, 0x0131fdb8 TRUE
29 7488 ARUWizard.exe SetupDiGetDeviceInterfaceDetailW ( 0x0026e220, 0x0131fdb8, 0x0027ace8, 1024, NULL, NULL TRUE
30 7488 ARUWizard.exe SetupDiEnumDeviceInterfaces ( 0x0026e220, NULL, 0x004275c0, 2, 0x0131fdb8 FALSE 259 = 没有可用的数据了。
31 7488 ARUWizard.exe SetupDiDestroyDeviceInfoList ( 0x0026e220 TRUE
接下来就是我要关注的重点了,打开手机的这个设备
32 7488 ARUWizard.exe CreateFileW ( "\\?\usbstor#disk&ven_htc&prod_android_phone&rev_0100#7&7e333b7&0&sh13apl04235&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL 0x000000a4
发送控制命令
33 7488 ARUWizard.exe DeviceIoControl ( 0x000000a4, 315396, 0x0131fba4, 44, 0x0131fba4, 592, 0x0131fba0, NULL TRUE
34 7488 kernel32.dll NtDeviceIoControlFile ( 0x000000a4, NULL, NULL, NULL, 0x0131fa70, 315396, 0x0131fba4, 44, 0x0131fba4, 592 STATUS_SUCCESS
我用完全相同的参数就失败了
呔妖怪来嘛 2011-07-06
- 打赏
- 举报
[Quote=引用 1 楼 ndy_w 的回复:]
驱动内部状态不同,返回值当然有可能不能。你把所有的IOCTL全部按次序发一次
[/Quote]
这还要看驱动底层的响应。。慢慢做实验了
驱动内部状态不同,返回值当然有可能不能。你把所有的IOCTL全部按次序发一次
[/Quote]
这还要看驱动底层的响应。。慢慢做实验了
Wang471981125 2011-07-06
- 打赏
- 举报
[Quote=引用楼主 mapleinhg 的回复:]
某款手机有个后门,使用官方的PC工具可以轻易的访问手机,我通过API Monitor监控发现它通过DeviceIoControl向此手机的USB连接发出了一个IOCTL_SCSI_PASS_THROUGH指令。我将监控的数据抓下来,完全照抄通过DeviceIoControl发过去,发现实际是成功的(即能成功打开手机的这个后门),但DeviceIoControl却返回失败,GetLastError值……
[/Quote]
不懂 帮顶
某款手机有个后门,使用官方的PC工具可以轻易的访问手机,我通过API Monitor监控发现它通过DeviceIoControl向此手机的USB连接发出了一个IOCTL_SCSI_PASS_THROUGH指令。我将监控的数据抓下来,完全照抄通过DeviceIoControl发过去,发现实际是成功的(即能成功打开手机的这个后门),但DeviceIoControl却返回失败,GetLastError值……
[/Quote]
不懂 帮顶
ndy_w 2011-07-06
- 打赏
- 举报
驱动内部状态不同,返回值当然有可能不能。你把所有的IOCTL全部按次序发一次
