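/*
 * KsecpRandomWord
 *
 * Produces one full 32-bit word from the shared KsecRandomSeed.
 *
 * RtlRandomEx is documented to return values in [0, MAXLONG-1], i.e. only 31
 * bits, so a single draw always leaves bit 31 clear. Two draws are combined
 * here so that every bit of the word is populated: the first draw supplies
 * bits 1..31 (shifted up), the second supplies bits 0..30.
 */
static ULONG
KsecpRandomWord(VOID)
{
    ULONG High = RtlRandomEx(&KsecRandomSeed);
    ULONG Low = RtlRandomEx(&KsecRandomSeed);

    return (High << 1) ^ Low;
}

/*
 * KsecGenRandom
 *
 * Fills Length bytes at Buffer with pseudo-random data derived from the
 * shared KsecRandomSeed and returns STATUS_SUCCESS. Whole ULONGs are written
 * first; a trailing 1..3 bytes are filled from one more word.
 *
 * Fix applied: the original stored one RtlRandomEx result per ULONG, which
 * (per the 31-bit return range noted above) wrote a zero into bit 31 of every
 * fourth byte. Each word now comes from KsecpRandomWord().
 *
 * SECURITY NOTE(review): this is still not a cryptographic generator. The
 * only state is a single 32-bit seed, the only entropy stirred in is the low
 * word of the tick count, and RtlRandomEx itself is a statistical PRNG. For a
 * security provider's "generate random bytes" primitive (keys, nonces,
 * challenges) this is a placeholder; it should be replaced by an entropy-fed
 * CSPRNG. KsecRandomSeed is also read and written here without any lock
 * visible in this block, so concurrent callers can interleave their updates.
 */
NTSTATUS
NTAPI
KsecGenRandom(
    PVOID Buffer,
    SIZE_T Length)
{
    LARGE_INTEGER TickCount;
    SIZE_T Index, WordCount;
    ULONG RandomValue;
    PULONG P;

    /* Stir the tick count into the shared seed; rotation amount depends on
     * the current seed so consecutive calls in the same tick still differ */
    KeQueryTickCount(&TickCount);
    KsecRandomSeed ^= _rotl(TickCount.LowPart, (KsecRandomSeed % 23));

    /* Whole 32-bit words straight into the caller's buffer */
    P = Buffer;
    WordCount = Length / sizeof(ULONG);
    for (Index = 0; Index < WordCount; Index++)
    {
        P[Index] = KsecpRandomWord();
    }

    /* Remaining 1..3 bytes, if the length is not a multiple of sizeof(ULONG) */
    Length &= (sizeof(ULONG) - 1);
    if (Length > 0)
    {
        RandomValue = KsecpRandomWord();
        RtlCopyMemory(&P[Index], &RandomValue, Length);
    }

    return STATUS_SUCCESS;
}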
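/*
 * GenerateRandomMacAddress
 *
 * Fills Address with the fixed prefix C0:13:37 followed by three NIC bytes
 * drawn from RtlRandomEx. The generator is seeded once per call from the low
 * word of the performance counter.
 *
 * Fix applied: the NIC bytes were reduced with `% 0xFF`, which yields 0..254
 * and can never produce 0xFF. Masking with 0xFF keeps the whole byte range.
 *
 * NOTE(review): a timer-seeded statistical PRNG makes these bytes guessable
 * and not guaranteed unique; acceptable for a test or virtual NIC, not for
 * anything that must be unpredictable. The fixed prefix is left untouched --
 * whether it should carry the locally-administered bit (0x02 in the first
 * octet) depends on what the rest of the driver and its peers expect.
 */
VOID
GenerateRandomMacAddress(PMAC_ADDRESS Address)
{
    ULONG Seed;

    /* Fixed "vendor" prefix C0:13:37 */
    Address->Vendor0 = 0xC0;
    Address->Vendor1 = 0x13;
    Address->Vendor2 = 0x37;

    /* Fresh seed for every call; RtlRandomEx advances it on each draw */
    Seed = KeQueryPerformanceCounter(NULL).LowPart;

    Address->Nic0 = RtlRandomEx(&Seed) & 0xFF;
    Address->Nic1 = RtlRandomEx(&Seed) & 0xFF;
    Address->Nic2 = RtlRandomEx(&Seed) & 0xFF;
}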
/*
 * _rand
 *
 * CRT-style rand(): takes one value from RtlRandomEx over the shared g_seed,
 * pushes it through a single step of the classic MSVC LCG
 * (x * 214013 + 2531011, wrapping mod 2^32) and returns bits 16..30 of the
 * result, i.e. a value in [0, 0x7fff].
 *
 * Not for security-sensitive use: RtlRandomEx is a statistical generator with
 * a 32-bit seed, and g_seed is shared state updated without any lock visible
 * in this block.
 */
int __cdecl _rand(void)
{
    const ULONG Multiplier = 214013L;
    const ULONG Increment = 2531011L;
    ULONG Mixed;

    Mixed = RtlRandomEx(&g_seed);
    /* unsigned arithmetic: wrap-around is well defined */
    Mixed = Mixed * Multiplier + Increment;

    return (int)((Mixed >> 16) & 0x7fff);
}
/*
 * GetJobName
 *
 * Chooses a job name that is not yet a subkey of hJobsKey. Candidates are
 * 32-bit values from RtlRandomEx (seeded from the low dword of the current
 * system time) formatted as eight lowercase hex digits; the first candidate
 * for which RegOpenKeyEx does not succeed is copied into pszJobName. The
 * caller must provide room for at least 9 WCHARs (8 digits + terminator).
 *
 * NOTE(review): "does not open" means any RegOpenKeyEx failure, not only
 * ERROR_FILE_NOT_FOUND, so a key the caller merely cannot read would be
 * reported as free. The probe is also separate from whatever later creates
 * the key, so two callers racing can select the same name; creating the key
 * here and checking the disposition would close that window. What matters
 * here is uniqueness, not unpredictability, so RtlRandomEx is adequate.
 */
static VOID
GetJobName(
    HKEY hJobsKey,
    PWSTR pszJobName)
{
    WCHAR szCandidate[JOB_NAME_LENGTH];
    FILETIME ftNow;
    ULONG ulSeed;
    HKEY hProbe;

    GetSystemTimeAsFileTime(&ftNow);
    ulSeed = ftNow.dwLowDateTime;

    for (;;)
    {
        ULONG ulCandidate = RtlRandomEx(&ulSeed);
        swprintf(szCandidate, L"%08lx", ulCandidate);

        hProbe = NULL;
        if (RegOpenKeyEx(hJobsKey, szCandidate, 0, KEY_READ, &hProbe) == ERROR_SUCCESS)
        {
            /* Name already taken: drop the handle and draw again */
            RegCloseKey(hProbe);
            continue;
        }

        wcscpy(pszJobName, szCandidate);
        return;
    }
}
// GenerateRandomString
//
// Builds a string of str_length uppercase ASCII letters: each character is
// 'A' plus (RtlRandomEx(&seed) % 26), with the by-value seed advanced on every
// draw. The same seed therefore always yields the same string.
//
// NOTE(review): RtlRandomEx is a statistical PRNG whose whole state is the
// 32-bit seed, so the output is reproducible by anyone who knows or can guess
// that seed. Fine for test names or filler; do not use for tokens, passwords
// or nonces. (The listing is cut off after the loop; the return of r_str is
// not visible here.)
String<CharType> GenerateRandomString(ULONG seed, size_t str_length)
{
    // Constructed with str_length -- capacity or initial size, not visible here
    String<CharType> r_str(str_length);
    FOR(i, str_length)
    {
        // Reducing a power-of-two range with % 26 is slightly non-uniform;
        // irrelevant for non-security use
        CharType c = CharType('A') + CharType(RtlRandomEx(&seed) % 26);
        r_str << c;
    }
/*
 * V4vCtrlConnect
 *
 * Handles the CONNECT ioctl for a context that is currently BOUND: stores the
 * peer ring address and a fresh connection id on the context, writes a SYN
 * stream header into the caller's ioctl buffer, switches the context to
 * CONNECTOR / CONNECTING, starts the connection timer and queues the IRP on
 * the driver's IoCsq (cancel-safe) queue.
 *
 * Returns STATUS_PENDING once the IRP is queued, STATUS_INVALID_DEVICE_REQUEST
 * if the context was not BOUND, or the IoCsqInsertIrpEx error after the state
 * has been rolled back to DISCONNECTED and the timer stopped.
 *
 * NOTE(review): connId is one RtlRandomEx draw over pde->seed, a statistical
 * PRNG with a 32-bit state. If the remote side can observe earlier ids, later
 * ones are predictable; whether that matters depends on how the peer uses the
 * id, which is not visible in this block.
 */
static NTSTATUS
V4vCtrlConnect(XENV4V_EXTENSION *pde, XENV4V_CONTEXT *ctx, V4V_CONNECT_VALUES *cvs, PIRP irp)
{
    NTSTATUS status = STATUS_SUCCESS;
    LONG val;
    XENV4V_INSERT ins = {FALSE};

    /* Atomic read of the current state (exchange-add of zero) */
    val = InterlockedExchangeAdd(&ctx->state, 0);
    if (val != XENV4V_STATE_BOUND) {
        TraceWarning(("state not BOUND, cannot complete connect request\n"));
        return STATUS_INVALID_DEVICE_REQUEST;
    }
    /* NOTE(review): the state is read above and rewritten below in separate
     * interlocked operations, so two concurrent connects on one context could
     * both pass this check -- verify that ioctls are serialized per context. */

    // Any IRPs that are queued are given a sanity initialization
    V4vInitializeIrp(irp);

    // These stream related values are only set once during a single phase of transitioning
    // to a stream type.
    ctx->sdst = cvs->ringAddr;
    /* Low 32 bits of a single RtlRandomEx draw become the connection id */
    ctx->connId = (ULONG64)(RtlRandomEx(&pde->seed) & 0xffffffff);

    // Update the stream header in the IRPs buffer. The cvs pointer points to the IRPs actual
    // in/out buffer the IOCTL is defined to have output.
    cvs->sh.flags = V4V_SHF_SYN;
    cvs->sh.conid = (ULONG32)ctx->connId;

    // Now it becomes a connector type for ever more
    InterlockedExchange(&ctx->type, XENV4V_TYPE_CONNECTOR);
    // After this transition, we will still send a SYN datagram and get the ACK
    InterlockedExchange(&ctx->state, XENV4V_STATE_CONNECTING);

    // Start the connecting timer each time a context goes into this state.
    V4vStartConnectionTimer(pde);

    // Flag it: stream write carrying a SYN, originating from an IOCTL
    irp->Tail.Overlay.DriverContext[0] = (PVOID)(ULONG_PTR)(XENV4V_PEEK_STREAM|XENV4V_PEEK_WRITE|XENV4V_PEEK_SYN|XENV4V_PEEK_IOCTL);

    // Always queue it to the back and marks it pending
    status = IoCsqInsertIrpEx(&pde->csqObject, irp, NULL, &ins);
    if (NT_SUCCESS(status)) {
        status = STATUS_PENDING;
        // Drive any write IO
        V4vProcessContextWrites(pde, ctx);
    }
    else {
        // Fail it in IOCTL routine and return go to disconnected state
        V4vStopConnectionTimer(pde, FALSE);
        InterlockedExchange(&ctx->state, XENV4V_STATE_DISCONNECTED);
    }

    return status;
}
/*
 * random
 *
 * Returns a non-negative 31-bit pseudo-random value.
 *
 * On _WIN32 the value comes from RtlRandomEx over a function-static seed,
 * which is (re)initialised from the low word of the system time whenever it
 * is found to be 0 -- normally only on the first call. On other platforms the
 * value is taken from get_random_bytes().
 *
 * NOTE(review): the two branches are not equivalent in strength.
 * get_random_bytes() is the kernel's CSPRNG, whereas the Windows branch is a
 * statistical PRNG whose entire state is a 32-bit seed derived from the clock.
 * Callers that depend on random() being unpredictable get that guarantee only
 * on the non-Windows side. The static seed is also read and written without
 * any locking visible in this block.
 */
int random(void)
{
#ifdef _WIN32
    static unsigned long state;

    /* Lazy seeding: a state of 0 means "not yet seeded" */
    if (state == 0) {
        LARGE_INTEGER now;
        KeQuerySystemTime(&now);
        state = now.LowPart;
    }
    return (int)(RtlRandomEx(&state) & 0x7fffffff);
#else
    int value;
    get_random_bytes(&value, sizeof(value));
    return value & 0x7fffffff;
#endif
}
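/*
 * gofuzz
 *
 * Purpose:
 *
 * Fuzzing procedure, building parameters list and using syscall gate.
 *
 * ServiceIndex      - system service number handed to ntSyscallGate.
 * ParametersInStack - byte size of the service's stack arguments; divided by
 *                     4 (assumes 4-byte arguments, i.e. an x86 target) and
 *                     four extra slots are always filled on top of that.
 *
 * Every slot receives an entry of fuzzdata selected with RtlRandomEx.
 *
 * Fixes applied:
 *  - The seed was reset from GetTickCount() on every loop iteration. The tick
 *    count is coarse (typically 10-16 ms), so every slot of one call -- and
 *    every call within the same tick -- received the identical fuzzdata entry.
 *    The seed is now taken once per call and advanced by each draw.
 *  - ParametersInStack is caller-supplied; when ParametersInStack/4 + 4
 *    exceeded MAX_PARAMETERS the loop wrote past the end of Arguments[] on the
 *    stack. Such requests are now refused instead of corrupting the stack.
 */
void gofuzz(ULONG ServiceIndex, ULONG ParametersInStack)
{
    ULONG_PTR Arguments[MAX_PARAMETERS];
    ULONG c, r, k, Count;

    RtlSecureZeroMemory(Arguments, sizeof(Arguments));

    ParametersInStack /= 4;
    Count = ParametersInStack + 4;
    if (Count > MAX_PARAMETERS) {
        /* Would overflow Arguments[]; cannot fuzz this service safely */
        return;
    }

    /* Seed once per call; RtlRandomEx advances k on every draw */
    k = ~GetTickCount();
    for (c = 0; c < Count; c++) {
        r = RtlRandomEx(&k);
        Arguments[c] = fuzzdata[r % SIZEOF_FUZZDATA];
    }

#ifdef _DEBUG
    if (g_Log) {
        log_call(ServiceIndex, ParametersInStack, Arguments);
    }
#endif

    ntSyscallGate(ServiceIndex, Count, Arguments);
}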