IOCTLs used by \Device\KsecDD, e.g. via RtlEncryptMemory and RtlDecryptMemory for use in C/C++ and IDA
#include <idc.idc>
// Import the control codes of \Device\KsecDD into IDA as the enum IOCTL_KSEC,
// so that call sites issuing them (e.g. via RtlEncryptMemory / RtlDecryptMemory)
// resolve to symbolic names instead of bare literals.
//
// Each value is a CTL_CODE: (device type << 16) | (access << 14) | (function << 2) | method,
// with device type FILE_DEVICE_KSEC (0x39 in every value below); the trailing
// CTL_CODE(...) comment on each line is that decomposition. Function codes
// 0x0a-0x0d, 0x0f, 0x14 and 0x1a-0x1d are not covered here. The two names
// marked "guessed" are not taken from a public symbol and may differ from the
// official ones. The METHOD_NEITHER codes (0x27, 0x28) hand the caller's buffer
// pointers to the driver without I/O-manager buffering or probing.
//
// The INFFL_LOADIDC bracketing and begin/end_type_updating calls appear to be the
// layout IDA's own enum export produces; keep them so the import behaves like a
// regular IDC load.
static main(void)
{
auto id;
// set 'loading idc file' mode
set_inf_attr(INF_GENFLAGS, INFFL_LOADIDC|get_inf_attr(INF_GENFLAGS));
begin_type_updating(UTP_ENUM);
// 0x1100000: enum display flags as written by the export (hex representation)
id = add_enum(-1,"IOCTL_KSEC",0x1100000);
add_enum_member(id,"IOCTL_KSEC_CONNECT_LSA", 0x398000, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x00, METHOD_BUFFERED, FILE_WRITE_ACCESS)
add_enum_member(id,"IOCTL_KSEC_RNG", 0x390004, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x01, METHOD_BUFFERED, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_RANDOM_FILL_BUFFER", 0x390008, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x02, METHOD_BUFFERED, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_ENCRYPT_MEMORY", 0x39000e, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x03, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_DECRYPT_MEMORY", 0x390012, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x04, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_ENCRYPT_MEMORY_CROSS_PROC", 0x390016, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x05, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_DECRYPT_MEMORY_CROSS_PROC", 0x39001a, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x06, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_ENCRYPT_MEMORY_SAME_LOGON", 0x39001e, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x07, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_DECRYPT_MEMORY_SAME_LOGON", 0x390022, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x08, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_FIPS_GET_FUNCTION_TABLE", 0x390024, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x09, METHOD_BUFFERED, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_REGISTER_EXTENSION", 0x390038, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x0e, METHOD_BUFFERED, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_ALLOC_POOL", 0x390040, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x10, METHOD_BUFFERED, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_FREE_POOL", 0x390044, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x11, METHOD_BUFFERED, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_COPY_POOL", 0x390048, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x12, METHOD_BUFFERED, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_DUPLICATE_HANDLE", 0x39004c, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x13, METHOD_BUFFERED, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_CLIENT_CALLBACK", 0x390054, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x15, METHOD_BUFFERED, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_GET_BCRYPT_EXTENSION", 0x390058, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x16, METHOD_BUFFERED, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_GET_SSL_EXTENSION", 0x39005c, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x17, METHOD_BUFFERED, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_GET_DEVICECONTROL_EXTENSION", 0x390060, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x18, METHOD_BUFFERED, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_ALLOC_VM", 0x390064, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x19, METHOD_BUFFERED, FILE_ANY_ACCESS)
// Following two have a guessed symbol name (no public symbol confirms them)
add_enum_member(id,"IOCTL_KSEC_ENCRYPT_FOR_SYSTEM", 0x39007A, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x1e, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_DECRYPT_FOR_SYSTEM", 0x39007E, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x1f, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_FREE_VM", 0x390080, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x20, METHOD_BUFFERED, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_COPY_VM", 0x390084, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x21, METHOD_BUFFERED, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_CLIENT_FREE_VM", 0x390088, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x22, METHOD_BUFFERED, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_INSERT_PROTECTED_PROCESS_ADDRESS", 0x39008c, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x23, METHOD_BUFFERED, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_REMOVE_PROTECTED_PROCESS_ADDRESS", 0x390090, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x24, METHOD_BUFFERED, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_GET_BCRYPT_EXTENSION2", 0x390094, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x25, METHOD_BUFFERED, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_IPC_GET_QUEUED_FUNCTION_CALLS", 0x39009a, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x26, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
// METHOD_NEITHER: the I/O manager does not buffer or probe the caller's pointers for these two
add_enum_member(id,"IOCTL_KSEC_IPC_SET_FUNCTION_RETURN", 0x39009f, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x27, METHOD_NEITHER, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_AUDIT_SELFTEST_SUCCESS", 0x3900a3, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x28, METHOD_NEITHER, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_AUDIT_SELFTEST_FAILURE", 0x3900a4, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x29, METHOD_BUFFERED, FILE_ANY_ACCESS)
// Aliases: alternative names for control codes already defined above (same values)
add_enum_member(id,"IOCTL_KSEC_DECRYPT_CROSS_PROCESS", 0x39001a, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x06, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_DECRYPT_SAME_LOGON", 0x390022, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x08, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_DECRYPT_SAME_PROCESS", 0x390012, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x04, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_ENCRYPT_CROSS_PROCESS", 0x390016, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x05, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_ENCRYPT_SAME_LOGON", 0x39001e, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x07, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_ENCRYPT_SAME_PROCESS", 0x39000e, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x03, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
add_enum_member(id,"IOCTL_KSEC_REGISTER_LSA_PROCESS", 0x398000, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x00, METHOD_BUFFERED, FILE_WRITE_ACCESS)
add_enum_member(id,"IOCTL_KSEC_RNG_REKEY", 0x390008, -1); // CTL_CODE(FILE_DEVICE_KSEC, 0x02, METHOD_BUFFERED, FILE_ANY_ACCESS)
end_type_updating(UTP_ENUM);
// clear 'loading idc file' mode
set_inf_attr(INF_GENFLAGS, ~INFFL_LOADIDC&get_inf_attr(INF_GENFLAGS));
}
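/*
 * Control codes of the Windows kernel security device \Device\KsecDD, e.g. as
 * issued via RtlEncryptMemory / RtlDecryptMemory.
 *
 * Each value is a CTL_CODE: (FILE_DEVICE_KSEC << 16) | (access << 14) |
 * (function << 2) | method, with FILE_DEVICE_KSEC == 0x39; the trailing
 * comment on each line is that decomposition. Function codes 0x0a-0x0d, 0x0f,
 * 0x14 and 0x1a-0x1d are not covered here. The two names marked "guessed" are
 * not taken from a public symbol and may differ from the official ones. The
 * METHOD_NEITHER codes (0x27, 0x28) hand the caller's buffer pointers to the
 * driver without I/O-manager buffering or probing.
 *
 * Plain #defines (rather than an enum) so the names stay usable in #if/#ifdef
 * and from both C and C++. Include guard added so the header can be pulled in
 * from several translation units / other headers without relying on the
 * identical-redefinition rule.
 */
#ifndef IOCTL_KSEC_H_
#define IOCTL_KSEC_H_

#define IOCTL_KSEC_CONNECT_LSA 0x398000 // CTL_CODE(FILE_DEVICE_KSEC, 0x00, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_KSEC_RNG 0x390004 // CTL_CODE(FILE_DEVICE_KSEC, 0x01, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_KSEC_RANDOM_FILL_BUFFER 0x390008 // CTL_CODE(FILE_DEVICE_KSEC, 0x02, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_KSEC_ENCRYPT_MEMORY 0x39000e // CTL_CODE(FILE_DEVICE_KSEC, 0x03, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
#define IOCTL_KSEC_DECRYPT_MEMORY 0x390012 // CTL_CODE(FILE_DEVICE_KSEC, 0x04, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
#define IOCTL_KSEC_ENCRYPT_MEMORY_CROSS_PROC 0x390016 // CTL_CODE(FILE_DEVICE_KSEC, 0x05, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
#define IOCTL_KSEC_DECRYPT_MEMORY_CROSS_PROC 0x39001a // CTL_CODE(FILE_DEVICE_KSEC, 0x06, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
#define IOCTL_KSEC_ENCRYPT_MEMORY_SAME_LOGON 0x39001e // CTL_CODE(FILE_DEVICE_KSEC, 0x07, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
#define IOCTL_KSEC_DECRYPT_MEMORY_SAME_LOGON 0x390022 // CTL_CODE(FILE_DEVICE_KSEC, 0x08, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
#define IOCTL_KSEC_FIPS_GET_FUNCTION_TABLE 0x390024 // CTL_CODE(FILE_DEVICE_KSEC, 0x09, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_KSEC_REGISTER_EXTENSION 0x390038 // CTL_CODE(FILE_DEVICE_KSEC, 0x0e, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_KSEC_ALLOC_POOL 0x390040 // CTL_CODE(FILE_DEVICE_KSEC, 0x10, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_KSEC_FREE_POOL 0x390044 // CTL_CODE(FILE_DEVICE_KSEC, 0x11, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_KSEC_COPY_POOL 0x390048 // CTL_CODE(FILE_DEVICE_KSEC, 0x12, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_KSEC_DUPLICATE_HANDLE 0x39004c // CTL_CODE(FILE_DEVICE_KSEC, 0x13, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_KSEC_CLIENT_CALLBACK 0x390054 // CTL_CODE(FILE_DEVICE_KSEC, 0x15, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_KSEC_GET_BCRYPT_EXTENSION 0x390058 // CTL_CODE(FILE_DEVICE_KSEC, 0x16, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_KSEC_GET_SSL_EXTENSION 0x39005c // CTL_CODE(FILE_DEVICE_KSEC, 0x17, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_KSEC_GET_DEVICECONTROL_EXTENSION 0x390060 // CTL_CODE(FILE_DEVICE_KSEC, 0x18, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_KSEC_ALLOC_VM 0x390064 // CTL_CODE(FILE_DEVICE_KSEC, 0x19, METHOD_BUFFERED, FILE_ANY_ACCESS)
// Following two have a guessed symbol name (no public symbol confirms them)
#define IOCTL_KSEC_ENCRYPT_FOR_SYSTEM 0x39007a // CTL_CODE(FILE_DEVICE_KSEC, 0x1e, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
#define IOCTL_KSEC_DECRYPT_FOR_SYSTEM 0x39007e // CTL_CODE(FILE_DEVICE_KSEC, 0x1f, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
#define IOCTL_KSEC_FREE_VM 0x390080 // CTL_CODE(FILE_DEVICE_KSEC, 0x20, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_KSEC_COPY_VM 0x390084 // CTL_CODE(FILE_DEVICE_KSEC, 0x21, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_KSEC_CLIENT_FREE_VM 0x390088 // CTL_CODE(FILE_DEVICE_KSEC, 0x22, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_KSEC_INSERT_PROTECTED_PROCESS_ADDRESS 0x39008c // CTL_CODE(FILE_DEVICE_KSEC, 0x23, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_KSEC_REMOVE_PROTECTED_PROCESS_ADDRESS 0x390090 // CTL_CODE(FILE_DEVICE_KSEC, 0x24, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_KSEC_GET_BCRYPT_EXTENSION2 0x390094 // CTL_CODE(FILE_DEVICE_KSEC, 0x25, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_KSEC_IPC_GET_QUEUED_FUNCTION_CALLS 0x39009a // CTL_CODE(FILE_DEVICE_KSEC, 0x26, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
// METHOD_NEITHER: the I/O manager does not buffer or probe the caller's pointers for these two
#define IOCTL_KSEC_IPC_SET_FUNCTION_RETURN 0x39009f // CTL_CODE(FILE_DEVICE_KSEC, 0x27, METHOD_NEITHER, FILE_ANY_ACCESS)
#define IOCTL_KSEC_AUDIT_SELFTEST_SUCCESS 0x3900a3 // CTL_CODE(FILE_DEVICE_KSEC, 0x28, METHOD_NEITHER, FILE_ANY_ACCESS)
#define IOCTL_KSEC_AUDIT_SELFTEST_FAILURE 0x3900a4 // CTL_CODE(FILE_DEVICE_KSEC, 0x29, METHOD_BUFFERED, FILE_ANY_ACCESS)

// Aliases: alternative names for control codes defined above (same values)
#define IOCTL_KSEC_DECRYPT_CROSS_PROCESS IOCTL_KSEC_DECRYPT_MEMORY_CROSS_PROC
#define IOCTL_KSEC_DECRYPT_SAME_LOGON IOCTL_KSEC_DECRYPT_MEMORY_SAME_LOGON
#define IOCTL_KSEC_DECRYPT_SAME_PROCESS IOCTL_KSEC_DECRYPT_MEMORY
#define IOCTL_KSEC_ENCRYPT_CROSS_PROCESS IOCTL_KSEC_ENCRYPT_MEMORY_CROSS_PROC
#define IOCTL_KSEC_ENCRYPT_SAME_LOGON IOCTL_KSEC_ENCRYPT_MEMORY_SAME_LOGON
#define IOCTL_KSEC_ENCRYPT_SAME_PROCESS IOCTL_KSEC_ENCRYPT_MEMORY
#define IOCTL_KSEC_REGISTER_LSA_PROCESS IOCTL_KSEC_CONNECT_LSA
#define IOCTL_KSEC_RNG_REKEY IOCTL_KSEC_RANDOM_FILL_BUFFER

#endif /* IOCTL_KSEC_H_ */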
Based upon the IOCTL_KSEC_* subset from here, but further decoded and with dupes/aliases weeded out. The IDC script imports the codes as an enum into IDA.
Relevant for \Device\KsecDD, EncryptMemoryInitialize(), RtlEncryptMemory(), RtlDecryptMemory(), SystemFunction040(), SystemFunction041() in dpapisvc.dll, cryptbase.dll etc.