View Full Version : Help with DeviceIOControl function


squidge
November 16th, 2002, 19:08
Got a program here that is using DeviceIOControl as part of its protection, and can't seem to work out what it's doing with it.

According to MSDN docs, the IO control dword is created like so:

#define CTL_CODE( DeviceType, Function, Method, Access ) ( \
((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method) \
)

The DWORD IO Control Code I have is 8001201C. However, once I have broken this down into DeviceType, Access, Function and Method, I fail to find anything about the function it's trying to execute - certainly can't find anything in the winioctl.h header file.

The function uses a 16 byte in buffer and a 16 byte output buffer if it helps to try and match the function. Program uses the resulting output buffer to determine registration status.

Any ideas?
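A decoder for the control code quoted above, added here as an example rather than code from the thread; it copies the CTL_CODE layout from winioctl.h (so it compiles without windows.h) and applies the ranges Microsoft reserves for third-party drivers (DeviceType 0x8000 and above, Function 0x800 and above), which is why such a code does not appear in the header:

```c
#include <stdint.h>
#include <stdio.h>

/* Same bit layout as the CTL_CODE macro in winioctl.h. */
#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method))

struct ioctl_fields {
    uint16_t device_type; /* bits 31..16 */
    uint8_t  access;      /* bits 15..14: 0 FILE_ANY_ACCESS, 1 READ, 2 WRITE, 3 READ|WRITE */
    uint16_t function;    /* bits 13..2 (12 bits) */
    uint8_t  method;      /* bits 1..0: 0 BUFFERED, 1 IN_DIRECT, 2 OUT_DIRECT, 3 NEITHER */
};

struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3);
    f.function    = (uint16_t)((code >> 2) & 0xFFF);
    f.method      = (uint8_t)(code & 0x3);
    return f;
}

/* Microsoft reserves DeviceType 0x8000-0xFFFF and Function 0x800-0xFFF for
 * third-party drivers; a code in either range is driver-specific, not a
 * documented Windows IOCTL, so winioctl.h cannot name it. */
int is_vendor_defined(uint32_t code)
{
    struct ioctl_fields f = decode_ioctl(code);
    return f.device_type >= 0x8000 || f.function >= 0x800;
}

/* Re-encode with the macro; equals the input when the decode was lossless. */
uint32_t reencode_ioctl(struct ioctl_fields f)
{
    return (uint32_t)CTL_CODE((uint32_t)f.device_type, f.function, f.method, f.access);
}

int main(void)
{
    static const char *methods[] = {"METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                    "METHOD_OUT_DIRECT", "METHOD_NEITHER"};
    uint32_t code = 0x8001201Cu; /* the value quoted in the question */
    struct ioctl_fields f = decode_ioctl(code);
    printf("0x%08X: DeviceType=0x%04X Function=0x%03X Access=%u %s%s\n",
           (unsigned)code, f.device_type, f.function, (unsigned)f.access,
           methods[f.method],
           is_vendor_defined(code) ? " (vendor-defined: not in winioctl.h)" : "");
    return 0;
}
```

For 0x8001201C this yields DeviceType 0x8001, Function 0x807, FILE_ANY_ACCESS and METHOD_BUFFERED, with both DeviceType and Function in the vendor range.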

tgodd
November 16th, 2002, 19:32
DeviceIoControl is typically used to access a device driver.

CreateFile is used to open the driver and get a handle to the driver.

Find the CreateFile function and you have found the driver.

Reverse engineer the driver to see what it is doing with the packets you are sending it.

Regards,

TGODD

squidge
November 16th, 2002, 22:11
Thanks, I have now found what was happening: it was using a previously (and silently) installed kernel-mode device driver to check the registration status of the application. The input and output buffers were encrypted with a simple XOR. The device driver itself checked the disk and registry for eval/registered status and returned a structure containing the results.

Now to visit MSDN to find out how ZwOpenKey, ZwCreateKey, etc. work and how they are different to the normal ones.

tgodd
November 16th, 2002, 22:42
Good luck in your endeavours.

Regards,

TGODD