[-] Failed to get Trace Version from IPT Service (err=87) #9

Closed
bijan-safai opened this issue Sep 11, 2020 · 1 comment

Comments

@bijan-safai

Hey Folks!

I have been trying to do some fuzzing using the winafl fork (https://github.com/googleprojectzero/winafl) but have run into an issue with the IPT instrumentation. As per @ifratric's suggestion in this issue: googleprojectzero/winafl#273, I ran winipt directly and ran into the same error.

Here is the command log:
```
C:\FuzzingExp\Ipt\winipt\x64\Release>c:\tools\pslist.exe -d -e notepad -nobanner

notepad 4484:
   Tid   Pri  Cswtch  State          User Time    Kernel Time  Elapsed Time
 12080    10    2751  Wait:UserReq   0:00:00.031  0:00:00.093  0:02:10.613
 24972     8      40  Wait:Queue     0:00:00.000  0:00:00.000  0:02:09.818
 19972     8       2  Wait:Queue     0:00:00.000  0:00:00.000  0:02:09.803

C:\FuzzingExp\Ipt\winipt\x64\Release>ipttool.exe --start 4484 200000 1
/-----------------------------------------
|=== Windows 10 RS5 1809 IPT Test Tool ===|
|=== Copyright (c) 2018 Alex Ionescu   ===|
|=== http://github.com/ionescu007      ===|
|=== http://www.windows-internals.com  ===|
-----------------------------------------/

[*] Size will be aligned to a power of 2
[+] Using size: 131072 bytes
[+] Tracing Options:
    Match by:       Any process
    Trace mode:     User-mode only
    Timing packets: MTC Packets
[-] Failed to get Trace Version from IPT Service (err=87)
```

System info:
OS Name: Microsoft Windows 10 Enterprise
Version: 10.0.19041 Build 19041
Processor: Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz, 2112 Mhz, 4 Core(s), 8 Logical Processor(s)

Thanks!

@mappzor
Contributor

mappzor commented Sep 28, 2020

IPT.sys got a nice feature upgrade with Windows 10 v2004. It seems that filtering based on address ranges is now supported, but I haven't reversed this new stuff yet.

Unfortunately, besides adding new stuff, Microsoft also broke the API. One would expect GetIptBufferVersion would catch this, but it won't, because BufferMajorVersion is still 1 and BufferMinorVersion is still 0 in the newest version of the driver. Why? I can only speculate, but it seems that somebody thought that adding new functionality is a non-breaking change, so they can leave the protocol versions unchanged. That's true, but only partially. Old features seem to be unchanged, but the problem lies in this generic check:

```c
/* Reversed driver logic as described above (pseudocode, not the driver's actual source). */
if (InputSize >= sizeof(IPT_INPUT_BUFFER) && OutputSize >= sizeof(IPT_OUTPUT_BUFFER))
{
    ProcessMsgV1(...);   /* sizeof() is taken from the new, larger structures */
}
else
{
    // fail: buffers sized for the old structures no longer pass the check
}
```

Adding new stuff to both structures caused their sizes to change, and this breaks the current version of the library. If you want to quickly get around this problem, check out this quickfix: 835117d. I tested that starting, stopping and dumping trace data works. I'm not making a PR out of this as I plan to actually reverse the new features and make a proper contribution.
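To make the failure mode concrete, here is an added C model of the size-gated dispatch described in the comment above. It is illustrative code written for this page, not winipt's code and not the driver's; the real IPT_INPUT_BUFFER layout is not shown here, so the field names, the v1/v2 structures, the RangeStart/RangeEnd fields and the function names are all assumptions. It shows why a check against sizeof() of the newest structure rejects every client built against the older header with ERROR_INVALID_PARAMETER (87), and what a version-aware gate that checks each protocol version against its own size would have done instead, which is the kind of check a bumped BufferMinorVersion would have allowed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ERROR_SUCCESS            0
#define ERROR_INVALID_PARAMETER 87   /* the err=87 seen in the issue */

/* Hypothetical v1 request layout; the real IPT_INPUT_BUFFER is not on this page. */
typedef struct {
    uint16_t BufferMajorVersion;
    uint16_t BufferMinorVersion;
    uint32_t ProcessId;
    uint32_t TraceSize;
} IPT_INPUT_V1;

/* Hypothetical v2 layout: same prefix, plus new trailing fields
   (assumed to carry the address-range filter mentioned in the comment). */
typedef struct {
    uint16_t BufferMajorVersion;
    uint16_t BufferMinorVersion;
    uint32_t ProcessId;
    uint32_t TraceSize;
    uint64_t RangeStart;
    uint64_t RangeEnd;
} IPT_INPUT_V2;

/* Models the quoted check: the gate compares against the *current* (larger)
   structure, so a client compiled against the old header is always rejected. */
int dispatch_size_gated(const void *in, size_t in_size)
{
    (void)in;
    if (in_size < sizeof(IPT_INPUT_V2))
        return ERROR_INVALID_PARAMETER;
    return ERROR_SUCCESS;
}

/* Version-aware gate: validate the common prefix first, then require only the
   size that the version the caller announced actually needs. A v1 caller keeps
   working, and a caller asking for v2 features cannot pass a truncated buffer. */
int dispatch_versioned(const void *in, size_t in_size)
{
    if (in_size < sizeof(IPT_INPUT_V1))
        return ERROR_INVALID_PARAMETER;

    /* The version fields live in the prefix shared by every layout, so reading
       them is safe once the v1 size has been verified. */
    const IPT_INPUT_V1 *hdr = in;
    if (hdr->BufferMajorVersion != 1)
        return ERROR_INVALID_PARAMETER;          /* unknown protocol */
    if (hdr->BufferMinorVersion == 0)
        return ERROR_SUCCESS;                    /* v1 feature set: v1 size suffices */
    if (in_size < sizeof(IPT_INPUT_V2))
        return ERROR_INVALID_PARAMETER;          /* v2 features need the v2 fields */
    return ERROR_SUCCESS;
}

int main(void)
{
    /* Constructed request: same PID and trace size as the log in the issue. */
    IPT_INPUT_V1 old_client = {1, 0, 4484, 131072};
    printf("size-gated gate : %d\n", dispatch_size_gated(&old_client, sizeof old_client));
    printf("versioned gate  : %d\n", dispatch_versioned(&old_client, sizeof old_client));
    return 0;
}
```

The size-gated variant returns 87 for the old client exactly as the tool reported; the versioned variant accepts it. On the client side the only way past a sizeof()-based gate is to send buffers at least as large as the driver's newest structures, which is what any client-side quick fix has to do.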
