DriverBuddy:IDA plugin to assist with reverse engineering Windows kernel drivers
DriverBuddy is an IDA Python script to assist with the reverse engineering of Windows kernel drivers
DriverBuddy is an IDAPython plugin that helps automate some of the tedium surrounding the reverse engineering of Windows Kernel Drivers. It has a number of handy features, such as:
Identifying the type of driver
Locating DispatchDeviceControl and DispatchInternalDeviceControl functions
Populating common structs for WDF and WDM drivers
Attempts to identify and label structs like the IRP and IO_STACK_LOCATION
Labels calls to WDF functions that would normally be unlabeled
Finding known IOCTL codes and decoding them
Flagging functions prone to misuse
Being able to automatically locate and identify the DispatchDeviceControl function is a time saving task during driver reverse engineering. This function is used to route all incoming DeviceIoControl codes to the specific driver function associated with that code. Automatically identifying this function makes finding the valid DeviceIoControl codes for each driver much quicker. Additionally, when investigating possible vulnerabilities in a driver due to a crash, knowing the location of this function helps narrow the focus to the specific function call associated with the crashing DeviceIoControl code.
Labeling WDM Structs
Several driver structures are shared among all WDM drivers. Being able to automatically identify these structures, such as the IO_STACK_LOCATION, IRP, and DeviceObject structures, can help save time during the reverse engineering process. DriverBuddy attempts to locate and identify many of these structs.
Labeling WDF Functions
As with WDM drivers, there are several functions and structures that are shared among all WDF drivers. Automatically identifying these functions and structures will save time during the reverse engineering process and provide context to unindentified areas of the driver where these functions are in use.
Decoding DeviceIoControl Codes
While reversing drivers, it is common to come across IOCTL codes as part of the analysis. These codes, when decoded, reveal useful information to reverse engineers and may draw focus to specific parts of the driver where vulnerabilities are more likely to exist.
|ida pro plugin|
|Thread||Thread Starter||Forum||Replies||Last Post|
|Hades:Windows kernel driver lets reverse engineers monitor user and kernel mode code||sh3dow||Source Code||0||05-12-2016 03:15|
|How to debug kernel Drivers??||loman||General Discussion||14||06-18-2004 21:31|