Description
I know it's a POC, but I thought it would be good to fix this anyway.

There is a stack buffer overflow reading the 'pid' from user mode. Replace inBufferLength with sizeof(pid).

HideProcess/driver/irphandlers.c, line 60 in 99d7a72:

```c
strcpy_s(pid, inBufferLength, inBuf);
```

The output buffer's length is not checked.

HideProcess/driver/irphandlers.c, line 92 in 99d7a72:

```c
RtlCopyBytes(buffer, data, outBufferLength);
```

This memory is not freed anywhere.

HideProcess/driver/hideprocess.c, line 7 in 99d7a72:

```c
LPSTR result = ExAllocatePool(NonPagedPool, sizeof(ULONG) + 20);;
```

This buffer was allocated with length=(sizeof(ULONG) + 20), so why is the param to sprintf_s longer?

HideProcess/driver/hideprocess.c, line 29 in 99d7a72:

```c
sprintf_s(result, 2 * sizeof(ULONG) + 30, "Found offsets: %lu & %lu", PID_OFFSET, LIST_OFFSET);
```

This string is not used anywhere (copied from the Microsoft IOCTL sample :) ).

HideProcess/driver/irphandlers.c, line 43 in 99d7a72:

```c
PCHAR data = "This String is from Device Driver !!!";
```

Here, you use 'datalen', which is the length of the string from the sample, instead of the real result string:

HideProcess/driver/irphandlers.c, line 95 in 99d7a72:

```c
Irp->IoStatus.Information = (outBufferLength<datalen ? outBufferLength : datalen);
```
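The fixes asked for above, modelled as a portable user-mode example (added here; this is not the HideProcess driver code): the PID copy is bounded by the destination size, the result buffer is formatted and freed with one shared size constant, and the bytes reported back are clamped to the real output length. `read_pid`, `write_result`, `PID_BUF_LEN`, `RESULT_LEN` and the status values are assumptions of this example; `malloc`/`free` stand in for the pool allocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical status values standing in for NTSTATUS codes. */
enum { OK = 0, ERR_INPUT_TOO_LONG = 1, ERR_ALLOC = 2 };

#define PID_BUF_LEN 16
/* One constant for the allocation and for the formatting bound:
 * "Found offsets: " + two 32-bit ULONG values (<= 10 digits each) + " & " + NUL. */
#define RESULT_LEN (sizeof("Found offsets: ") + 2 * 10 + sizeof(" & "))

/* Fix for strcpy_s(pid, inBufferLength, inBuf): the copy is bounded by the
 * destination's size, never by the caller-controlled input length. */
int read_pid(char pid[PID_BUF_LEN], const char *inBuf, size_t inBufferLength)
{
    const char *nul = memchr(inBuf, '\0', inBufferLength);
    size_t len = nul ? (size_t)(nul - inBuf) : inBufferLength;
    if (len >= PID_BUF_LEN)            /* would not fit with a terminator: reject */
        return ERR_INPUT_TOO_LONG;
    memcpy(pid, inBuf, len);
    pid[len] = '\0';
    return OK;
}

/* Formats the result, copies at most outBufferLength bytes into the caller's
 * buffer and returns the byte count to report (the IoStatus.Information value). */
size_t write_result(char *outBuf, size_t outBufferLength,
                    unsigned long pidOff, unsigned long listOff)
{
    char *result = malloc(RESULT_LEN);   /* stand-in for ExAllocatePool */
    if (!result)
        return 0;
    /* snprintf gets the real buffer size; its return value is the real length */
    int n = snprintf(result, RESULT_LEN, "Found offsets: %lu & %lu", pidOff, listOff);
    size_t datalen = 0;
    if (n >= 0) {
        datalen = (size_t)n + 1;         /* include the terminator */
        if (datalen > RESULT_LEN)
            datalen = RESULT_LEN;        /* truncated output is still bounded */
    }
    size_t copied = datalen < outBufferLength ? datalen : outBufferLength;
    memcpy(outBuf, result, copied);
    free(result);                        /* the issue's allocation is never released */
    return copied;
}

int main(void)
{
    char pid[PID_BUF_LEN], out[64];
    printf("read_pid: %d\n", read_pid(pid, "1234", 4));
    printf("copied %zu bytes: %s\n", write_result(out, sizeof out, 440, 760), out);
    return 0;
}
```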