Reversing XignCode3 Driver – Part 3 – Analyzing dispatch functions
If you haven’t read the previous post, you can find it here: Part 2 – Analyzing init functions. In this post, we will finally analyze the Dispatcher function. Remember that we identified this function in the first post. Its main job is to process I/O request packets (IRPs) and, in this case, to handle every request with the major function code IRP_MJ_WRITE.
What will we go through?
- Learn how dispatch routines are implemented.
- Reverse the parsing routine that handles IRP_MJ_WRITE requests.
- Identify the custom structures used by the driver and create new Local Types in IDA.
- Understand how the driver dispatches the different hard-coded handles by traversing an array of custom structures.
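As an added example that is not part of the original post and not the XignCode3 driver's own code, here is a user-mode C model of the pattern these bullets describe: a dispatch routine receives the bytes a client wrote, reads a small header, and walks a table of custom structures to find the handler for the requested ID. The header layout, the magic value, the handler IDs and the structure names are assumptions made for illustration; the real driver's structures are what the post goes on to recover in IDA.

```c
/* Added example (not XignCode3's code): user-mode model of an
 * IRP_MJ_WRITE dispatch routine that selects a handler by walking a
 * table of custom structures. Layout, IDs and names are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef uint32_t NTSTATUS_T;            /* stands in for NTSTATUS */
#define STATUS_SUCCESS           0x00000000u
#define STATUS_NOT_IMPLEMENTED   0xC0000002u
#define STATUS_INVALID_PARAMETER 0xC000000Du
#define STATUS_BUFFER_TOO_SMALL  0xC0000023u

/* Assumed request header written by the user-mode client. */
#pragma pack(push, 1)
typedef struct {
    uint32_t magic;        /* protocol tag, constant          */
    uint32_t handle_id;    /* selects the handler             */
    uint32_t payload_len;  /* bytes that follow the header    */
} REQUEST_HEADER;
#pragma pack(pop)
#define REQUEST_MAGIC 0x33434758u       /* assumed tag value */

typedef NTSTATUS_T (*REQUEST_HANDLER)(const uint8_t *payload, uint32_t len, uint32_t *result);

/* The custom structure a reverser would recreate as an IDA Local Type. */
typedef struct {
    uint32_t        handle_id;
    REQUEST_HANDLER handler;
} DISPATCH_ENTRY;

/* Two toy handlers: report a version, and sum little-endian u32 values. */
static NTSTATUS_T handle_version(const uint8_t *p, uint32_t len, uint32_t *result)
{
    (void)p;
    if (len != 0) return STATUS_INVALID_PARAMETER;
    *result = 0x00010002u;               /* assumed version 1.2 */
    return STATUS_SUCCESS;
}

static NTSTATUS_T handle_sum32(const uint8_t *p, uint32_t len, uint32_t *result)
{
    uint32_t sum = 0, i;
    if (len % 4 != 0) return STATUS_INVALID_PARAMETER;
    for (i = 0; i < len; i += 4) {
        uint32_t v;
        memcpy(&v, p + i, 4);            /* avoid unaligned access */
        sum += v;
    }
    *result = sum;
    return STATUS_SUCCESS;
}

/* Hard-coded table, filled at init time in a real driver. IDs are invented. */
static const DISPATCH_ENTRY g_dispatch_table[] = {
    { 0x1001u, handle_version },
    { 0x1002u, handle_sum32   },
};
#define DISPATCH_COUNT (sizeof g_dispatch_table / sizeof g_dispatch_table[0])

static uint32_t g_last_result;           /* result of the last handler */
uint32_t last_result(void) { return g_last_result; }

/* Model of the IRP_MJ_WRITE dispatch routine. Every length here comes from
 * user mode, so it is checked against the real buffer size before use. */
NTSTATUS_T dispatch_write(const uint8_t *buf, size_t buf_len)
{
    REQUEST_HEADER hdr;
    size_t i;
    if (buf == NULL || buf_len < sizeof hdr) return STATUS_BUFFER_TOO_SMALL;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.magic != REQUEST_MAGIC) return STATUS_INVALID_PARAMETER;
    if (hdr.payload_len > buf_len - sizeof hdr) return STATUS_INVALID_PARAMETER;
    for (i = 0; i < DISPATCH_COUNT; i++) {
        if (g_dispatch_table[i].handle_id == hdr.handle_id)
            return g_dispatch_table[i].handler(buf + sizeof hdr, hdr.payload_len, &g_last_result);
    }
    return STATUS_NOT_IMPLEMENTED;       /* unknown handle ID */
}

/* Client side: build a request, then deliver it with `drop` trailing bytes
 * removed so the header's payload_len overstates what was really written. */
NTSTATUS_T run_request(uint32_t handle_id, const uint8_t *payload, uint32_t plen, size_t drop)
{
    uint8_t buf[64];
    REQUEST_HEADER hdr = { REQUEST_MAGIC, handle_id, plen };
    size_t total = sizeof hdr + plen;
    if (total > sizeof buf || drop > total) return STATUS_INVALID_PARAMETER;
    memcpy(buf, &hdr, sizeof hdr);
    if (plen) memcpy(buf + sizeof hdr, payload, plen);
    return dispatch_write(buf, total - drop);
}

/* Constructed sample payload: the values 1 and 2 as little-endian u32. */
const uint8_t k_sample_payload[8] = { 1, 0, 0, 0, 2, 0, 0, 0 };

int main(void)
{
    NTSTATUS_T st = run_request(0x1002u, k_sample_payload, 8, 0);
    printf("sum32 status=0x%08X result=%u\n", st, last_result());
    st = run_request(0x1002u, k_sample_payload, 8, 4);
    printf("truncated status=0x%08X\n", st);
    return 0;
}
```

When you meet this pattern in a real driver, the loop over `g_dispatch_table` is what you see in the decompiler as a comparison of a header field against a constant in each array element; defining the element as a Local Type turns that into readable field accesses. The `payload_len` check is the one to look for first, since a write handler that trusts a length taken from the user buffer is the classic source of kernel memory corruption in this kind of driver.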
Introduction
When reversing Windows-related things, reading the MS documentation should be mandatory. It usually provides a lot of useful information that will save you a lot of time, such as the structures they use, parameters and code examples. Something I like to do is browse the examples available in their repositories and look for similar pieces of code. Driver developers usually reuse a lot of code from those examples, so looking for similar patterns in our binary can tell us a lot about the context and the functions being called inside a similar snippet of code. At the end of this post, you will find a list of useful links
…
Reversing XignCode3 Driver – Part 2 – Analyzing init functions
If you haven’t read the previous post, you can find it here. Today we will continue analyzing some of the functions that DriverEntry uses.
In Part 1 we identified the Dispatcher function of the driver, as well as two functions that initialize some variables for the driver (fn_InitDispatchMethodArray and fn_ObtainKernelFunctions). Let’s reverse each of them and quickly analyze what they do. This will help us understand the dispatch functions implemented in this driver.
…
Reversing XignCode3 Driver – Part 1 – Identifying the Driver Entry Point
This will be a series of posts related to the XignCode3 (XC3) driver. I started this at the beginning of 2019 while I was doing my research for Unveiling the underground world of Anti-Cheats. Because of that, you will find that the version of XC3 is not the latest one available.
Reversing a driver of this kind is not only fun but also lets you learn a lot about Windows internals. That said, I will be as short and precise as possible, and I will try to write down some highlights of what I think are the interesting code snippets or features of this driver.
…
Reversing a Black Desert Online Dump: Restoring IAT with IDAPython and FLIRT signatures
Motivation
A few weeks ago an idea came to my mind: it was time to go for something a little harder, try to actually hack something that uses a well-known anti-cheat, analyze it statically and dynamically, and learn what the anti-cheat does to keep cheaters away from the games.
As you may know, tools like CheatEngine can’t even be running while you play those games. Great! Another challenge: we could try to analyze how an anti-cheat detects it, and compile our own version of CheatEngine that avoids all those controls. You can find different posts about this on the internet, many of them written years ago, but you never learn until you try to do it yourself, which is why I’m going to write up the things I learned along the way.
…
Why leveling if you can just use Lua? Hacking Lua inside Games
Scripting Engines
In the last post, we saw how to properly hook and use AngelScript from the HPL Engine to manipulate a game. If you haven’t read it yet, I really recommend you do: it was an interesting case, and there isn’t much information about hooking AngelScript on the Internet.
This time we go for more: we are going to see how to hook Lua inside a well-known game (Vermintide 2) to do practically anything we want. Boost our experience, spawn items in our inventory or on the floor, heal ourselves, send chat messages, kill everything? Why not?
…