
with drivers is a little bit more simple from a starting point because they all follow the same structure. Yeah. At least they should follow the same structure in the majority. They don't have to, but they must. What it means is that if you grab any driver, so if you go to System32 drivers and you grab any of those drivers in your machine and you put it into IDA or Ghidra and you decompile the code, you will see something similar. The structure will be similar to the one I have here of this driver that I just made. I define the IOCTL codes. Yeah. So this is basically the IOCTL codes. I
have five different IOCTL codes. I have attach, read memory, write memory, check write memory, and kill process. First, attach is going to allow me to attach a process and then move the process memory from that target process into my target process, into the process. Then read memory is going to allow me to read the memory of a targeted process. Write memory is almost the same implementation, but the other way around. I'm going to be able to write memory from the kernel. Check writable is basically going to try to write something in the memory of that process, of that user memory process, and if it doesn't succeed, the status is not the good status. So
basically zero. Then kill process is just killing a process. Yeah, because the kernel is higher in the hierarchy of processes. So you can kill anything from the kernel.