IRCAP allows you to intercept all IRP requests to a target driver without any side effects. It can be used to collect an interesting corpus for fuzzing and to manipulate the I/O communication between an application and the kernel.
A varied and interesting corpus is important for the efficiency of coverage-guided fuzzing. If we are able to capture the I/O communication between an application and the kernel, it is of great help to the fuzzer. So we needed a way to use IRP requests as initial seeds.
You need to install Visual Studio and the Windows Driver Kit. Once you have set up the driver development environment, open ircap/hook.h for editing.
```c
// ircap/hook.h
#pragma once
UNICODE_STRING TARGET_DEVICE_NAME = RTL_CONSTANT_STRING(L"\\Driver\\@@DEVICE_NAME@@");
UNICODE_STRING PROGRAM_FILE_PATH = RTL_CONSTANT_STRING(L"\\DosDevices\\C:\\program.irp");
```
Set TARGET_DEVICE_NAME to the device name you want to hook, and PROGRAM_FILE_PATH to the file path where the captured IRP requests will be stored.
To capture IRP requests to the target driver, follow these steps (run cmd as administrator):
- Register ircap.sys as a boot service:
```cmd
sc.exe create ircap binpath= ircap.sys type= kernel start= boot
```
- Reboot your computer:
```cmd
shutdown /r /t 0
```
- Run the application that loads the target driver.
- After exercising many operations by clicking through the application, unload ircap.sys manually.
- The captured IRP requests are then stored in C:\program.irp.
Caution!
When capturing is finished, you should remove the service:
```cmd
sc.exe delete ircap
```
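The interception described above works, in the usual design of such tools, by swapping the target driver object's dispatch routines for a recorder that logs each IRP and then forwards it unchanged, and the manual unload step is where those routines must be put back. The following user-mode model of that mechanism is an added example, not IRCAP's own code; the dispatch-table layout, the capture record format and the stand-in target driver are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed user-mode model of a driver's dispatch table (illustration, not IRCAP source). */
enum { IRP_MJ_CREATE = 0, IRP_MJ_DEVICE_CONTROL = 14, IRP_MJ_MAX = 28 };
typedef struct { int major; uint32_t ioctl; const uint8_t *in; uint32_t in_len; } Irp;
typedef int (*Dispatch)(Irp *irp);
typedef struct { Dispatch major_function[IRP_MJ_MAX]; } DriverObject;
static Dispatch g_original[IRP_MJ_MAX]; /* saved original routines */
static FILE *g_capture;                 /* stands in for C:\program.irp */
static size_t g_captured;

/* Hook: log the request, then forward it unchanged so the target driver sees its normal traffic. */
static int capture_dispatch(Irp *irp) {
    if (g_capture) { /* record: major, ioctl, length, raw input bytes */
        fwrite(&irp->major, sizeof irp->major, 1, g_capture);
        fwrite(&irp->ioctl, sizeof irp->ioctl, 1, g_capture);
        fwrite(&irp->in_len, sizeof irp->in_len, 1, g_capture);
        if (irp->in_len) fwrite(irp->in, 1, irp->in_len, g_capture);
    }
    g_captured++;
    return g_original[irp->major](irp);
}
/* Install the recorder on every slot, remembering the originals. */
void hook_driver(DriverObject *drv, FILE *capture) {
    g_capture = capture; g_captured = 0;
    for (int i = 0; i < IRP_MJ_MAX; i++) {
        g_original[i] = drv->major_function[i];
        drv->major_function[i] = capture_dispatch;
    }
}
/* Restore the originals: what unloading ircap.sys must do before `sc.exe delete`. */
void unhook_driver(DriverObject *drv) {
    for (int i = 0; i < IRP_MJ_MAX; i++) drv->major_function[i] = g_original[i];
    g_capture = NULL;
}
size_t captured_count(void) { return g_captured; }

/* Constructed stand-in for the target driver: counts requests, echoes the IOCTL low byte. */
static int g_target_seen; int target_seen(void) { return g_target_seen; }
static int target_dispatch(Irp *irp) { g_target_seen++; return irp->major == IRP_MJ_DEVICE_CONTROL ? irp->ioctl & 0xff : 0; }
DriverObject *target_driver(void) {
    static DriverObject drv;
    for (int i = 0; i < IRP_MJ_MAX; i++) drv.major_function[i] = target_dispatch;
    return &drv;
}
/* What the I/O manager does: build the IRP and call whatever is in the slot right now. */
int send_irp(DriverObject *drv, int major, uint32_t ioctl, const uint8_t *in, uint32_t len) {
    Irp irp = { major, ioctl, in, len };
    return drv->major_function[major](&irp);
}
```

Requests sent while the hook is installed reach the target with their return values intact and are appended to the capture file; after unhook_driver nothing more is recorded, which is the state the service must be in before it is deleted.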