Exetools  

Go Back   Exetools > General > Source Code

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 11-24-2016, 02:49
sh3dow sh3dow is offline
Family
 
Join Date: Oct 2014
Posts: 158
Rept. Given: 113
Rept. Rcvd 79 Times in 24 Posts
Thanks Given: 458
Thanks Rcvd at 202 Times in 75 Posts
sh3dow Reputation: 79
DriverBuddy:IDA plugin to assist with reverse engineering Windows kernel drivers

DriverBuddy is an IDA Python script to assist with the reverse engineering of Windows kernel drivers
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/november/driverbuddy-tool-release/
DriverBuddy

DriverBuddy is an IDAPython plugin that helps automate some of the tedium surrounding the reverse engineering of Windows Kernel Drivers. It has a number of handy features, such as:

Identifying the type of driver
Locating DispatchDeviceControl and DispatchInternalDeviceControl functions
Populating common structs for WDF and WDM drivers
Attempts to identify and label structs like the IRP and IO_STACK_LOCATION
Labels calls to WDF functions that would normally be unlabeled
Finding known IOCTL codes and decoding them
Flagging functions prone to misuse

Finding DispatchDeviceControl

Being able to automatically locate and identify the DispatchDeviceControl function is a time saving task during driver reverse engineering. This function is used to route all incoming DeviceIoControl codes to the specific driver function associated with that code. Automatically identifying this function makes finding the valid DeviceIoControl codes for each driver much quicker. Additionally, when investigating possible vulnerabilities in a driver due to a crash, knowing the location of this function helps narrow the focus to the specific function call associated with the crashing DeviceIoControl code.

Labeling WDM Structs

Several driver structures are shared among all WDM drivers. Being able to automatically identify these structures, such as the IO_STACK_LOCATION, IRP, and DeviceObject structures, can help save time during the reverse engineering process. DriverBuddy attempts to locate and identify many of these structs.

Labeling WDF Functions

As with WDM drivers, there are several functions and structures that are shared among all WDF drivers. Automatically identifying these functions and structures will save time during the reverse engineering process and provide context to unindentified areas of the driver where these functions are in use.

Decoding DeviceIoControl Codes

While reversing drivers, it is common to come across IOCTL codes as part of the analysis. These codes, when decoded, reveal useful information to reverse engineers and may draw focus to specific parts of the driver where vulnerabilities are more likely to exist.

PHP Code:
https://github.com/nccgroup/DriverBuddy 
Reply With Quote
The Following 6 Users Say Thank You to sh3dow For This Useful Post:
chants (11-24-2016), Git (11-28-2016), Indigo (07-19-2019), niculaita (11-24-2016), nimaarek (09-02-2017), WRP (11-24-2016)
Reply

Tags
ida pro plugin

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On


Similar Threads
Thread Thread Starter Forum Replies Last Post
Hades:Windows kernel driver lets reverse engineers monitor user and kernel mode code sh3dow Source Code 0 05-12-2016 03:15


All times are GMT +8. The time now is 17:15.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )