
make suspicious NtFsControlFile call

# capa rule. Static scope is "basic block", so every feature under
# `features` must be found in the SAME basic block: a hit means one short
# code region combines a FSCTL_PIPE_* control-code immediate, an xor that is
# not a non-zeroing xor, and a call. That is the shape of the argument setup
# for an NtFsControlFile()/DeviceIoControl() call, but the rule itself never
# requires the API name (see the note on `features` below), so treat hits as
# a heuristic lead, not proof.
rule:
  meta:
    name: make suspicious NtFsControlFile call
    namespace: exploitation/spraying
    authors:
      - zdw@google.com
    description: look for suspicious possible NtFsControlFile calls that may be used for spraying objects into kernel heap pools
    scopes:
      static: basic block
      # The dynamic (sandbox-trace) backend does not provide instruction
      # mnemonics or the nzxor characteristic, so this rule is static-only.
      dynamic: unsupported  # requires characteristics, mnemonic features
    references:
      # NtFsControlFile API reference; the FsControlCode argument is what the
      # `number:` features below match on.
      - https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntfscontrolfile
      # Named-pipe attribute / internal-write primitives used for pool
      # spraying and pool-overflow exploitation; the control codes below are
      # the ones these write-ups rely on.
      - https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pool_overflow_exploitation_since_windows_10_19h1/SSTIC2020-Article-pool_overflow_exploitation_since_windows_10_19h1-bayet_fariello.pdf
      - https://github.com/vp777/Windows-Non-Paged-Pool-Overflow-Exploitation
      - https://gist.github.com/daaximus/e813aa52980fc2a97a8a8a1082338de4
    examples:
      # <sha256 of sample>:<virtual address of a matching basic block>.
      - 7d333c9b11b06ef0982b61bfc062631bb6cf9d12d0d4f2cf1b807a25ddf62fbc.exe_:0x140001B99
      - 86a8f267cf0f51c032f7b1777eb1e51f7cd1badf3f3894e2557a3f571fca9f3d.exe_:0x1400BE30B
  features:
    - and:
      - os: windows
      # Any one of three named-pipe FSCTL control codes. The immediates are
      # expected to be the CTL_CODE(FILE_DEVICE_NAMED_PIPE, ...) encodings of
      # the named constants in ntifs.h -- re-derive them from the header
      # before changing a value here. Note there is no `api:` feature for
      # NtFsControlFile/DeviceIoControl in this rule: the match is on the
      # constant alone, so code reaching the syscall through a direct stub can
      # presumably still match, but so can an unrelated use of the same value.
      - or:
        - number: 0x11003c = FSCTL_PIPE_SET_HANDLE_ATTRIBUTE
        - number: 0x110038 = FSCTL_PIPE_GET_HANDLE_ATTRIBUTE
        - number: 0x119ff8 = FSCTL_PIPE_INTERNAL_WRITE
      # An xor must be present AND no non-zeroing xor (characteristic nzxor)
      # may be present in the block, so the xor seen is a register-zeroing
      # one (e.g. `xor reg, reg`). Per the TODO, this is a stand-in for
      # "several zero arguments are passed" until count(number(0)) is usable.
      # TODO(zdw): replace this with count(number(0)): 3 once https://github.com/mandiant/capa/pull/2639 lands
      - instruction:
        - mnemonic: xor
      # The call that presumably consumes the control code; the callee is not
      # constrained (see the `features` note above).
      - instruction:
        - mnemonic: call
      - not:
        - characteristic: nzxor
