IoSpy

IoSpy is a filter driver that records data about IOCTL and WMI requests made to the kernel-mode driver of a device.

You can install and remove IoSpy using the Penetration Tests (Device Fundamentals) tests, Enable I/O Spy and Disable I/O Spy. The DQ parameter controls which devices the IoSpy filter driver is installed on. IoSpy records the details about the IOCTL and WMI requests within the IoSpy Data File, which is used by IoAttack to perform the fuzz tests.

Important  Before you run IoAttack, you must have previously run IoSpy and then removed it from the test system. For more information, see How to Perform Fuzz tests with IoSpy and IoAttack.

TermDescription

Disable I/O Spy

Disable I/O Spy on 1 or more devices. Uninstalls IoSpy and disables IOCTL and WMI filtering for all devices on the test system.

Test binary: Devfund_IOSpy_DisableSupport.wsc

Test method: DisableIoSpy

Parameters: - see Device Fundamentals Test Parameters

DQ

Display I/O Spy-enabled Device

Display devices that have I/O Spy enabled on them.

Test binary: Devfund_IOSpy_DisplayEnabledDevices.wsc

Test method: DisplayIoSpyDevices

Enable I/O Spy

Installs IoSpy on the test system and enables IOCTL and WMI filtering on one or more devices. The DQ parameter controls which devices the IoSpy filter driver will get installed on.

Test binary: Devfund_IOSpy_EnableSupport.wsc

Test method: EnableIoSpy

Parameters: - see Device Fundamentals Test Parameters

DQ

DFD - specifies the path to the IoSpy data file. The default location is %SystemDrive%\DriverTest\IoSpy

 

IoSpy data file

After IoSpy is installed in a test system, it records the data sent through IOCTL and WMI requests to the drivers for devices enabled for fuzz tests. While IoSpy does not analyze the payloads of these requests, it does record the details of the requests such as the length of the payload buffers.

The DFD parameter for the Enable I/O Spy test specifies the path to the IoSpy data file. The default location is %SystemDrive%\DriverTest\IoSpy

 

 

Send comments about this topic to Microsoft

Show:
© 2014 Microsoft