IoSpy
Note
IoSpy and IoAttack are no longer available in the WDK after Windows 10 Version 1703.
As an alternative to these tools, consider using the fuzzing tests available in the HLK. Here are a few to consider.
- DF - Fuzz random IOCTL test (Reliability)
- DF - Fuzz sub-opens test (Reliability)
- DF - Fuzz zero length buffer FSCTL test (Reliability)
- DF - Fuzz random FSCTL test (Reliability)
- DF - Fuzz Misc API test (Reliability)
You can also use the Kernel synchronization delay fuzzing that is included with Driver Verifier.
IoSpy is a filter driver that records data about IOCTL and WMI requests made to the kernel-mode driver of a device.
You can install and remove IoSpy with two of the Penetration Tests (Device Fundamentals) tests: Enable I/O Spy and Disable I/O Spy. The DQ parameter controls which devices the IoSpy filter driver is installed on. IoSpy records the details of the IOCTL and WMI requests in the IoSpy data file, which IoAttack then uses to perform the fuzz tests.
Important
Before you run IoAttack, you must have previously run IoSpy and then removed it from the test system. For more information, see How to Perform Fuzz tests with IoSpy and IoAttack.
Term | Description |
---|---|
Disable I/O Spy | Disable I/O Spy on one or more devices. Uninstalls IoSpy and disables IOCTL and WMI filtering for all devices on the test system. Test binary: Devfund_IOSpy_DisableSupport.wsc. Test method: DisableIoSpy. Parameters (see Device Fundamentals Test Parameters): DQ. |
Display I/O Spy-enabled Device | Display devices that have I/O Spy enabled on them. Test binary: Devfund_IOSpy_DisplayEnabledDevices.wsc. Test method: DisplayIoSpyDevices. |
Enable I/O Spy | Installs IoSpy on the test system and enables IOCTL and WMI filtering on one or more devices. The DQ parameter controls which devices the IoSpy filter driver will get installed on. Test binary: Devfund_IOSpy_EnableSupport.wsc. Test method: EnableIoSpy. Parameters (see Device Fundamentals Test Parameters): DQ; DFD - specifies the path to the IoSpy data file. The default location is %SystemDrive%\DriverTest\IoSpy |
IoSpy data file
After IoSpy is installed in a test system, it records the data sent through IOCTL and WMI requests to the drivers for devices enabled for fuzz tests. While IoSpy does not analyze the payloads of these requests, it does record the details of the requests such as the length of the payload buffers.
The DFD parameter for the Enable I/O Spy test specifies the path to the IoSpy data file. The default location is %SystemDrive%\DriverTest\IoSpy.