Ejemplo n.º 1
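/**
 * Fills Buffer with Length bytes of pseudo-random data drawn from RtlRandomEx.
 *
 * The shared seed KsecRandomSeed is first perturbed with the low part of the
 * current tick count and then advanced once per generated ULONG.
 *
 * NOTE(review): RtlRandomEx is a general-purpose PRNG, not a cryptographic
 * one, and the tick count contributes very little entropy. If callers use
 * this output for keys, nonces or tokens (not visible here - confirm), it
 * should be backed by a CSPRNG instead.
 * NOTE(review): KsecRandomSeed is read and written without any locking
 * visible in this function - confirm callers serialize access.
 *
 * @param Buffer  Destination; must be writable for Length bytes. It is
 *                written through a PULONG.
 * @param Length  Number of bytes to produce.
 * @return STATUS_SUCCESS in all cases.
 */
NTSTATUS
NTAPI
KsecGenRandom(
    PVOID Buffer,
    SIZE_T Length)
{
    LARGE_INTEGER TickCount;
    SIZE_T WordCount, i;
    ULONG RandomValue;
    PULONG P;

    /* Try to generate a more random seed */
    KeQueryTickCount(&TickCount);
    KsecRandomSeed ^= _rotl(TickCount.LowPart, (KsecRandomSeed % 23));

    /* Whole ULONGs first. The index is SIZE_T so it cannot wrap before
     * reaching WordCount when SIZE_T is wider than ULONG. */
    P = Buffer;
    WordCount = Length / sizeof(ULONG);
    for (i = 0; i < WordCount; i++)
    {
        P[i] = RtlRandomEx(&KsecRandomSeed);
    }

    /* Then the 1..3 trailing bytes, taken from one more random ULONG */
    Length &= (sizeof(ULONG) - 1);
    if (Length > 0)
    {
        RandomValue = RtlRandomEx(&KsecRandomSeed);
        RtlCopyMemory(&P[WordCount], &RandomValue, Length);
    }

    return STATUS_SUCCESS;
}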
Ejemplo n.º 2
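// Fills *Address with the fixed vendor prefix C0:13:37 followed by three
// pseudo-random NIC bytes.
//
// NOTE(review): the seed is the low part of the performance counter and
// RtlRandomEx is not a cryptographic generator, so the NIC bytes are
// guessable; do not treat the resulting address as unpredictable.
// NOTE(review): 0xC0 has the 0x02 bit clear, i.e. the address is not marked
// as locally administered, which is the usual marking for a made-up MAC.
// The prefix is left unchanged here because callers may depend on it.
VOID GenerateRandomMacAddress(PMAC_ADDRESS Address)
{
    // Vendor "C0:13:37"
    Address->Vendor0 = 0xC0;
    Address->Vendor1 = 0x13;
    Address->Vendor2 = 0x37;

    ULONG seed = KeQueryPerformanceCounter(NULL).LowPart;

    // Mask with 0xFF instead of "% 0xFF": the modulo form can never produce
    // 0xFF and is slightly biased, the mask covers the full byte range.
    Address->Nic0 = RtlRandomEx(&seed) & 0xFF;
    Address->Nic1 = RtlRandomEx(&seed) & 0xFF;
    Address->Nic2 = RtlRandomEx(&seed) & 0xFF;
}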
Ejemplo n.º 3
/*
 * rand()-style helper: advances the global g_seed through RtlRandomEx, runs
 * the result through one linear-congruential step and returns bits 16..30 of
 * that step, i.e. a value in the range 0..0x7fff.
 *
 * NOTE(review): neither RtlRandomEx nor the extra LCG step is
 * cryptographically strong; do not use this for secrets or tokens.
 */
int __cdecl _rand (
	void
	)
{
	ULONG raw;
	ULONG mixed;

	raw = RtlRandomEx(&g_seed);
	mixed = raw * 214013L + 2531011L;
	mixed >>= 16;

	/* keep 15 bits, like the classic rand() range */
	return mixed & 0x7fff;
}
Ejemplo n.º 4
/*
 * Picks a job name that does not yet exist below hJobsKey.
 *
 * Candidate names are eight lowercase hex digits produced from RtlRandomEx,
 * seeded with the low part of the current system time. A candidate is
 * accepted as soon as RegOpenKeyEx on it does not return ERROR_SUCCESS.
 *
 * NOTE(review): swprintf and wcscpy are unbounded here. This relies on
 * JOB_NAME_LENGTH and the caller's pszJobName buffer both holding at least
 * nine WCHARs (eight digits plus terminator) - confirm.
 * NOTE(review): any RegOpenKeyEx failure, not only "key not found", marks the
 * name as free, and the check is separate from whatever later creates the
 * key, so the name is not reserved by this function.
 */
static
VOID
GetJobName(
    HKEY hJobsKey,
    PWSTR pszJobName)
{
    WCHAR szCandidate[JOB_NAME_LENGTH];
    FILETIME Now;
    ULONG ulState;
    HKEY hExisting;
    LONG lResult;

    /* Seed the generator from the clock */
    GetSystemTimeAsFileTime(&Now);
    ulState = Now.dwLowDateTime;

    do
    {
        swprintf(szCandidate, L"%08lx", RtlRandomEx(&ulState));

        /* Probe the registry: a successful open means the name is taken */
        hExisting = NULL;
        lResult = RegOpenKeyEx(hJobsKey,
                               szCandidate,
                               0,
                               KEY_READ,
                               &hExisting);
        if (lResult == ERROR_SUCCESS)
        {
            RegCloseKey(hExisting);
        }
    } while (lResult == ERROR_SUCCESS);

    wcscpy(pszJobName, szCandidate);
}
Ejemplo n.º 5
// Builds a string from characters in the range 'A'..'Z', each chosen as
// RtlRandomEx(&seed) % 26 and appended to r_str.
// seed is passed by value, so the caller's variable is not advanced.
// FOR(i, str_length) presumably iterates str_length times - its definition is
// not shown here.
// NOTE(review): RtlRandomEx is not a cryptographic generator and the alphabet
// has only 26 symbols, so strings from this helper should not be used as
// passwords, tokens or other secrets.
String<CharType> GenerateRandomString(ULONG seed, size_t str_length)
{
    String<CharType> r_str(str_length);

    FOR(i, str_length)
    {
        CharType c = CharType('A') + CharType(RtlRandomEx(&seed) % 26);
        r_str << c;
    }
Ejemplo n.º 6
// Handles a connect request on a context.
//
// The context must be in XENV4V_STATE_BOUND, otherwise the request is rejected
// with STATUS_INVALID_DEVICE_REQUEST. On the accepted path the context gets a
// destination and a connection id, becomes a connector in state CONNECTING,
// the connection timer is started and the IRP is queued on pde->csqObject.
//
// Returns STATUS_PENDING when the IRP was queued, otherwise the failure status
// of IoCsqInsertIrpEx (the context is then put into XENV4V_STATE_DISCONNECTED).
//
// NOTE(review): the state is read here and written further down in separate
// interlocked operations, so the check-then-transition is not atomic in this
// function; confirm that callers serialize connect requests per context.
static NTSTATUS
V4vCtrlConnect(XENV4V_EXTENSION *pde, XENV4V_CONTEXT *ctx, V4V_CONNECT_VALUES *cvs, PIRP irp)
{
    NTSTATUS      status = STATUS_SUCCESS;
    LONG          val;
    XENV4V_INSERT ins = {FALSE};

    // Adding 0 is used as an interlocked read of the current state
    val = InterlockedExchangeAdd(&ctx->state, 0);
    if (val != XENV4V_STATE_BOUND) {
        TraceWarning(("state not BOUND, cannot complete connect request\n"));
        return STATUS_INVALID_DEVICE_REQUEST;
    }

    // Any IRPs that are queued are given a sanity initialization
    V4vInitializeIrp(irp);

    // These stream related values are only set once during a single phase of transitioning
    // to a stream type.
    // NOTE(review): connId comes from RtlRandomEx, which is not a cryptographic
    // generator. If the connection id is what distinguishes legitimate stream
    // traffic from traffic sent by another party (not visible here - confirm),
    // it should be treated as guessable.
    ctx->sdst = cvs->ringAddr;
    ctx->connId = (ULONG64)(RtlRandomEx(&pde->seed) & 0xffffffff);

    // Update the stream header in the IRPs buffer. The cvs pointer points to the IRPs actual
    // in/out buffer the IOCTL is defined to have output.
    cvs->sh.flags = V4V_SHF_SYN;
    cvs->sh.conid = (ULONG32)ctx->connId;

    // Now it becomes a connector type for ever more
    InterlockedExchange(&ctx->type, XENV4V_TYPE_CONNECTOR);

    // After this transition, we will still send a SYN datagram and get the ACK
    InterlockedExchange(&ctx->state, XENV4V_STATE_CONNECTING);

    // Start the connecting timer each time a context goes into this state.
    V4vStartConnectionTimer(pde);

    // Flag it: the peek flags are stored in the IRP's first driver context slot
    irp->Tail.Overlay.DriverContext[0] = 
        (PVOID)(ULONG_PTR)(XENV4V_PEEK_STREAM|XENV4V_PEEK_WRITE|XENV4V_PEEK_SYN|XENV4V_PEEK_IOCTL);

    // Always queue it to the back and marks it pending
    status = IoCsqInsertIrpEx(&pde->csqObject, irp, NULL, &ins);
    if (NT_SUCCESS(status)) {        
        status = STATUS_PENDING;
        // Drive any write IO
        V4vProcessContextWrites(pde, ctx);
    }
    else {
        // Fail it in IOCTL routine and go to disconnected state
        V4vStopConnectionTimer(pde, FALSE);
        InterlockedExchange(&ctx->state, XENV4V_STATE_DISCONNECTED);
    }

    return status;
}
Ejemplo n.º 7
/*
 * Returns a non-negative pseudo-random int (top bit masked off).
 *
 * Non-Windows builds take the bytes from get_random_bytes(). Windows builds
 * use RtlRandomEx on a function-local static state that is seeded from the
 * low part of the system time the first time it is found to be zero.
 *
 * NOTE(review): the two branches are not equally strong. The Windows path is
 * seeded from the clock and uses a non-cryptographic generator, so its output
 * should not be used where unpredictability matters. The static state is also
 * updated without any locking visible here.
 */
int
random(void)
{
#ifndef _WIN32
	int value;

	get_random_bytes(&value, sizeof(value));
	return value & 0x7fffffff; 
#else
	static unsigned long state;
	LARGE_INTEGER now;

	/* lazy seeding: a zero state means "not seeded yet" */
	if (state == 0) {
		KeQuerySystemTime(&now);
		state = now.LowPart;
	}
	return RtlRandomEx(&state) & 0x7fffffff;
#endif
}
Ejemplo n.º 8
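/*
* gofuzz
*
* Purpose:
*
* Fuzzing procedure, building parameters list and using syscall gate.
*
* ServiceIndex is handed unchanged to ntSyscallGate.
* ParametersInStack is divided by 4 to get the number of stack parameters;
* four more argument slots are always filled in addition.
*
* A request whose total argument count does not fit into
* Arguments[MAX_PARAMETERS] is skipped instead of writing past the array.
*
*/
void gofuzz(ULONG ServiceIndex, ULONG ParametersInStack)
{
    ULONG_PTR	Arguments[MAX_PARAMETERS];
    ULONG		c, r, k;

    RtlSecureZeroMemory(Arguments, sizeof(Arguments));

    ParametersInStack /= 4;

    // Bound the fill loop by the local array. After the division the value is
    // small enough that "+ 4" cannot wrap a ULONG.
    if (ParametersInStack + 4 > MAX_PARAMETERS) {
        return;
    }

    for (c = 0; c < ParametersInStack + 4; c++)
    {
        // NOTE(review): the seed is re-read from the tick counter on every
        // iteration, so iterations within one tick start from the same seed.
        // Whether the values still differ depends on RtlRandomEx's own state.
        k = ~GetTickCount();
        r = RtlRandomEx(&k);
        Arguments[c] = fuzzdata[r % SIZEOF_FUZZDATA];
    }

#ifdef _DEBUG
    if (g_Log) {
        log_call(ServiceIndex, ParametersInStack, Arguments);
    }
#endif
    ntSyscallGate(ServiceIndex, ParametersInStack + 4, Arguments);
}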