ionescu007 / winipt Goto Github PK

Hi Alex,

I was wondering why starting a trace with size > 1MB fails on my machine (Windows 10 Pro, Build 10.0.19043):

PS C:\Users\ipt\Desktop\Masterthesis\ipt> ./ipttool.exe --start 11488 3200000 0x0
/------------------------------------------\
|=== Windows 10 RS5 1809+ IPT Test Tool ===|
|===  Copyright (c) 2018 Alex Ionescu   ===|
|===    http://github.com/ionescu007    ===|
|===  http://www.windows-internals.com  ===|
\------------------------------------------/

[*] Size will be aligned to a power of 2
[+] Using size: 2097152 bytes 
[+] Tracing Options:
           Match by: Any process
         Trace mode: User-mode only
     Timing packets: No  Packets
[-] Failed to start a trace (err=87)

However, specifying a size <= 1MB works:

PS C:\Users\ipt\Desktop\Masterthesis\ipt> ./ipttool.exe --start 11488 1600000 0x0
/------------------------------------------\
|=== Windows 10 RS5 1809+ IPT Test Tool ===|
|===  Copyright (c) 2018 Alex Ionescu   ===|
|===    http://github.com/ionescu007    ===|
|===  http://www.windows-internals.com  ===|
\------------------------------------------/

[*] Size will be aligned to a power of 2
[+] Using size: 1048576 bytes
[+] Tracing Options:
           Match by: Any process
         Trace mode: User-mode only
     Timing packets: No  Packets
[+] Trace for PID 11488 started

Regarding your soure code ( ipttool.c , libipt.h ) it should be possible to specifiy a range between 4KB and 128MB. I also checked CheckOption in ìpt.sys and it seems like specifying a range between 4KB - 128MB should be valid. Unfortunately, I do not have the time to debug the kernel driver.

Are you aware of this bug or do you have any idea what could be the reason for this?

Hey Folks!

I have been trying to do some fuzzing using alf win fork (https://github.com/googleprojectzero/winafl) but have run into an issue with the IPT instrumentation. As per @ifratric suggestion in this issue: googleprojectzero/winafl#273 I ran winipt directly and ran into the same error.

Here is the command log:
C:\FuzzingExp\Ipt\winipt\x64\Release>c:\tools\pslist.exe -d -e notepad -nobanner

notepad 4484:
Tid Pri Cswtch State User Time Kernel Time Elapsed Time
12080 10 2751 Wait:UserReq 0:00:00.031 0:00:00.093 0:02:10.613
24972 8 40 Wait:Queue 0:00:00.000 0:00:00.000 0:02:09.818
19972 8 2 Wait:Queue 0:00:00.000 0:00:00.000 0:02:09.803

C:\FuzzingExp\Ipt\winipt\x64\Release>ipttool.exe --start 4484 200000 1
/-----------------------------------------
|=== Windows 10 RS5 1809 IPT Test Tool ===|
|=== Copyright (c) 2018 Alex Ionescu ===|
|=== http://github.com/ionescu007 ===|
|=== http://www.windows-internals.com ===|
-----------------------------------------/

[*] Size will be aligned to a power of 2
[+] Using size: 131072 bytes
[+] Tracing Options:
Match by: Any process
Trace mode: User-mode only
Timing packets: MTC Packets
[-] Failed to get Trace Version from IPT Service (err=87)

System info:
OS Name: Microsoft Windows 10 Enterprise
Version: 10.0.19041 Build 19041
Processor: Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz, 2112 Mhz, 4 Core(s), 8 Logical Processor(s)

Thanks!

Hi ionescu007,
Will kernel tracing be supported anytime soon ? Thanks

The picture shows in the Readme.You get the trace twice, the size is the same?Why the same size?And how can i make sure that i can get all the trace data,if the buffer is full?How the ipt server works?Could you introduce more detail?Tks.

I didn't see any mention of this in the readme but it seems if Hyper-V is installed and enabled(BCD hypervisorlaunchtype not set to off) on a system, Processor Trace is disabled well at least the cpuid values are reporting it not supported causing the IPT driver to fail to start, this is on a i5 6600k with RS5.
If i try start the IPT driver directly with net start Ipt it will fail with error 50 like if your CPU doesn't support processor trace, but after i uninstalled Hyper-V i could start the driver successfully.

This old thread on the intel forum seems to confirm cpuid masking in the root partition\host system but i expect you know Hyper-V internals better than most of us based on past talks you have done.

I would like to point out that an identifier like “_IPT_MATCH_SETTINGS” does eventually not fit to the expected naming convention of the C language standard.
Would you like to adjust your selection for unique names?

As the title do you know any CPU support 4 IP filtering range? I looked the latest core i9 11th gen but they only support 2.

Can i use this code in the Vmware workstation 15.0.2 build-10952284？

Good Morning,

first of all thank you for sharing your work with us!

I am experiencing problems when I try to start a kernel level trace:
ipttool.exe --start 20000 4
and
ipttool.exe --start 20000 8

both fail with error 87(ERROR_INVALID_PARAMETER) on my machine.

My test system is a freshly setup Windows 10 1809 (Build 17763.1). ipt.sys is in version 10.0.17763.1

Is it just me, or is this a general problem (e.g. the API changed)?

Best regards

Tom

• Windows 10 Pro build 17704
• SDK version 17134
• Command used: ipttool.exe --start 3332 100000 0 (pid of notepad.exe)
• Output: Same in both admin and normal CMD

[*] Size will be aligned to a power of 2
[+] Using size: 65536 bytes
[+] Tracing Options:
           Match by: Any process
         Trace mode: User-mode only
    Timing patckets: None
[-] Unable to start Intel PT Service (err=50)
[-] Intel PT Service could not be started!