
This project forked from fsecurelabs/win_driver_plugin


A tool to help when dealing with Windows IOCTL codes or reversing Windows drivers.

Home Page: https://labs.mwrinfosecurity.com/tools/win-driver-tool/

License: Other


win_driver_plugin's Introduction

Windows Driver Plugin

An IDA Pro plugin to help when working with IOCTL codes or reversing Windows drivers.

Installation

Drop the 'win_driver_plugin.py' file and the 'win_driver_plugin' folder into IDA's plugins directory.
If you want FLOSS to be used as a fallback when hunting for device names, install FLOSS with the following commands:

pip install https://github.com/williballenthin/vivisect/zipball/master   
pip install https://github.com/fireeye/flare-floss/zipball/master

If you want to use Angr to find the IOCTL codes handled by the dispatch function, the following links provide install instructions:
http://angr.horse
https://github.com/andreafioraldi/angr-win64-wheels

Shortcuts

Ctrl+Alt+A => Find potential device names
Ctrl+Alt+S => Find the dispatch function
Ctrl+Alt+D => Decode currently selected IOCTL code
Ctrl+Alt+Z => Dump pooltags

Usage

Finding device names

Using Ctrl+Alt+A it's possible to attempt to find the driver's registered device paths; for example, inspecting a random AVG driver yields several potential paths.

If no paths can be found by looking at the Unicode strings inside the binary, FLOSS will be used in an attempt to recover obfuscated paths (for example, when inspecting the infamous Capcom driver, whose device name is not present as a plain Unicode string).
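The first, static pass described above is simple enough to show in full. The following is an added example (not the plugin's own code, which uses IDA's and FLOSS's string finders): it scans a raw byte buffer for runs of printable ASCII encoded as UTF-16LE and keeps those that start with one of the object-manager prefixes a driver passes to IoCreateDevice or IoCreateSymbolicLink. The sample buffer and the 'ExampleDrv' name are constructed for the test; a name assembled on the stack one character at a time would not appear in the output, which is exactly the case the FLOSS fallback exists for.

```python
"""Static device-name hunting: find UTF-16LE strings with NT object-manager prefixes."""
import re
from typing import Iterator, List, Tuple

# Prefixes a driver typically uses for its device object and its user-mode symbolic link.
DEVICE_PREFIXES = ("\\Device\\", "\\DosDevices\\", "\\??\\", "\\GLOBAL??\\")


def find_unicode_strings(data: bytes, min_len: int = 4) -> Iterator[Tuple[int, str]]:
    """Yield (offset, text) for every run of >= min_len printable ASCII chars encoded as UTF-16LE.

    Each character is matched as one printable byte followed by a 0x00 byte, so plain 8-bit
    ASCII text in the same buffer is deliberately not matched here.
    """
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("utf-16le")


def looks_like_device_path(text: str) -> bool:
    """True if the string starts with an object-manager prefix a driver would register."""
    return text.startswith(DEVICE_PREFIXES)


def find_device_names(data: bytes) -> List[str]:
    """Return the sorted, de-duplicated device/symlink names found as plain UTF-16LE strings."""
    return sorted({text for _, text in find_unicode_strings(data) if looks_like_device_path(text)})


# Constructed sample: two UTF-16LE names, some padding, and one 8-bit ASCII decoy that must NOT match.
SAMPLE_BINARY = (
    b"junk"
    + "\\Device\\ExampleDrv".encode("utf-16le") + b"\x00\x00"
    + b"\x90" * 8
    + "\\DosDevices\\ExampleDrv".encode("utf-16le") + b"\x00\x00"
    + b"\\Device\\NotUnicode"
)

if __name__ == "__main__":
    for name in find_device_names(SAMPLE_BINARY):
        print(name)
```

The 8-bit ASCII decoy is left in on purpose: kernel drivers register names as UNICODE_STRINGs, so an ASCII hit is more often a log message or format string than a real device path, and the plugin's Unicode-only first pass reflects that.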

Finding dispatch functions

Using Ctrl+Alt+S it's possible to attempt to find the currently inspected driver's dispatch function. This is quite hacky but seems to work most of the time; it works, for example, on a random AVG driver.

Trying this on a different AVG driver leads to it failing completely, in this case because the driver's IOCTL handler is basically a stub which sends some requests to a different function before passing most of them on to the actual IOCTL handler.

Decoding IOCTL codes

By right-clicking on a potential IOCTL code, a context menu option can be used to decode the value; alternatively, Ctrl+Alt+D can be used with the value selected.

This will print a table with all decoded IOCTL codes each time a new one is decoded:
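To make the decoding concrete, here is an added, stand-alone Python example of the CTL_CODE arithmetic the plugin performs (it is not the plugin's own code, which is based on Satoshi Tanda's WinIoCtlDecoder). A 32-bit IOCTL packs DeviceType into bits 16-31, Access into bits 14-15, Function into bits 2-13 and Method into bits 0-1. The example decodes a value, re-emits it as a CTL_CODE define, renders the same kind of table the plugin prints, and includes a plausibility heuristic of the sort that lets you spot values that are probably not IOCTLs at all (the rule is an assumption of this example; the plugin leaves that decision to the user via 'mark as invalid'). The FILE_DEVICE_* subset is from the Windows headers; anything outside it is printed as a hex literal.

```python
"""Decode and re-encode Windows IOCTL codes (CTL_CODE components)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {
    0: "FILE_ANY_ACCESS",
    1: "FILE_READ_ACCESS",
    2: "FILE_WRITE_ACCESS",
    3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS",
}
# Small subset of FILE_DEVICE_* from ntddk.h / winioctl.h; 0x8000 and above is reserved for vendors.
DEVICE_TYPES = {
    0x07: "FILE_DEVICE_DISK",
    0x08: "FILE_DEVICE_DISK_FILE_SYSTEM",
    0x09: "FILE_DEVICE_FILE_SYSTEM",
    0x0B: "FILE_DEVICE_KEYBOARD",
    0x12: "FILE_DEVICE_NETWORK",
    0x22: "FILE_DEVICE_UNKNOWN",
    0x2D: "FILE_DEVICE_MASS_STORAGE",
}


@dataclass(frozen=True)
class Ioctl:
    code: int
    device_type: int
    function: int
    method: int
    access: int


def encode_ioctl(device_type: int, function: int, method: int, access: int) -> int:
    """The CTL_CODE macro: (DeviceType << 16) | (Access << 14) | (Function << 2) | Method."""
    return ((device_type & 0xFFFF) << 16) | ((access & 3) << 14) | ((function & 0xFFF) << 2) | (method & 3)


def decode_ioctl(code: int) -> Ioctl:
    """Split a 32-bit IOCTL into its four CTL_CODE fields."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("IOCTL codes are 32-bit values")
    return Ioctl(
        code=code,
        device_type=(code >> 16) & 0xFFFF,
        function=(code >> 2) & 0xFFF,
        method=code & 3,
        access=(code >> 14) & 3,
    )


def is_plausible(ioctl: Ioctl) -> bool:
    """Heuristic (this example's assumption, not a Windows rule): reject values that are very
    unlikely to be IOCTLs. Microsoft device types are small numbers, vendor ones are >= 0x8000;
    values with the top two bits set are far more often NTSTATUS error codes (0xC0000000 range)
    sitting next to the IOCTL comparisons than genuine vendor device types."""
    if ioctl.code & 0xC0000000 == 0xC0000000:
        return False
    return ioctl.device_type < 0x100 or ioctl.device_type >= 0x8000


def to_define(ioctl: Ioctl, name: Optional[str] = None) -> str:
    """Render the decoded code as the C define the plugin's 'display all defines' option shows."""
    name = name or "IOCTL_0x%08X" % ioctl.code
    device = DEVICE_TYPES.get(ioctl.device_type, "0x%X" % ioctl.device_type)
    return "#define %s CTL_CODE(%s, 0x%X, %s, %s)" % (
        name, device, ioctl.function, METHODS[ioctl.method], ACCESS[ioctl.access])


def decode_table(codes: Iterable[int]) -> List[str]:
    """Return table rows (one per code) like the one printed after each new decode."""
    rows = ["%-10s %-28s %-8s %-17s %s" % ("Code", "Device", "Function", "Method", "Access")]
    for code in codes:
        i = decode_ioctl(code)
        device = DEVICE_TYPES.get(i.device_type, "0x%X" % i.device_type)
        rows.append("0x%08X %-28s 0x%-6X %-17s %s" % (
            code, device, i.function, METHODS[i.method], ACCESS[i.access]))
    return rows


if __name__ == "__main__":
    # Constructed sample codes: a typical vendor IOCTL on FILE_DEVICE_UNKNOWN and a disk one.
    for line in decode_table([0x222003, 0x70000]):
        print(line)
    print(to_define(decode_ioctl(0x222003)))
```

A METHOD_NEITHER code with FILE_ANY_ACCESS, such as 0x222003 above, is the combination worth looking at first when auditing a driver: the I/O manager does no buffering or probing of the user pointers, and any caller who can open the device can reach the handler.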

By right-clicking on a decoded IOCTL code it's possible to mark it as invalid, which removes it from the session's list and deletes the comment the plugin added:

This leaves any comment contents that are not the IOCTL define intact.

The right-click menu also includes a 'display all defines' option, which displays the CTL_CODE definitions for all IOCTL codes decoded in the current session:

If you right-click on the first instruction of the function you believe to be the IOCTL dispatcher, a 'decode all' option appears; this attempts to decode all IOCTL codes it can find in the function. It is super hacky (it only looks for comparisons against 32-bit constants) but speeds things up most of the time.

If you want to do this in a smarter way and can get Angr installed successfully, the 'Decode IOCTLs using Angr' option will use symbolic execution to attempt to recover all IOCTL codes. This deals with jump tables, compiler optimizations etc., whereas the dumb method just looks for comparisons to constants.

Viewing IOCTL codes

If you've decoded one or more IOCTLs, a new option appears on the plugin's right-click context menu.

This will take you to a new tab which shows all the IOCTLs which have been found.

Right-clicking on any IOCTL opens up some more commands, such as copying it to the clipboard or attempting to load the driver and send the IOCTL to it.

Dumping pool tags

Using Ctrl+Alt+Z it's possible to dump the pool tags in use by the binary in a format which works with pooltags.txt. This means the output can be copy-pasted at the end of that file and then be picked up by WinDbg's pool commands (!poolused, !pool etc.).
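The conversion from what you see in the disassembly to a pooltags.txt line has two traps, and the following added example (not the plugin's code) walks through both. The Tag argument to ExAllocatePoolWithTag is written in C as a multi-character constant such as 'corP', so the immediate in the instruction stream is the tag text reversed; reading it back as a little-endian DWORD restores the order WinDbg shows ("Proc"). Second, a set high bit (0x80000000, PROTECTED_POOL) marks a protected allocation and is not part of the tag text, so it must be masked off before decoding. The module name and descriptions below are placeholders for the values you would fill in by hand; the immediates are constructed for the test.

```python
"""Turn ExAllocatePoolWithTag immediates into pooltags.txt lines."""
import struct
from typing import Iterable, List, Optional

PROTECTED_POOL = 0x80000000  # high bit of the Tag argument; flags a protected allocation, not tag text


def tag_from_immediate(value: int) -> Optional[str]:
    """Decode a 32-bit Tag immediate into its 4-character text, or None if it is not a printable tag.

    The high bit is masked off first; the remaining DWORD is read little-endian, which undoes
    the byte reversal of a multi-char constant like 'corP' and yields "Proc".
    """
    value = (value & ~PROTECTED_POOL) & 0xFFFFFFFF
    raw = struct.pack("<I", value)
    if not all(0x20 <= b <= 0x7E for b in raw):
        return None  # zeros or non-printable bytes: probably a size or flags, not a tag
    return raw.decode("ascii")


def pooltags_lines(immediates: Iterable[int], module: str, description: str) -> List[str]:
    """Build de-duplicated 'Tag - module - description' lines in the layout pooltags.txt uses."""
    seen = set()
    lines = []
    for imm in immediates:
        tag = tag_from_immediate(imm)
        if tag is None or tag in seen:
            continue
        seen.add(tag)
        lines.append("%-4s - %s - %s" % (tag, module, description))
    return lines


# Constructed sample immediates: 'corP' plain, 'corP' with PROTECTED_POOL set (same tag),
# 'ksdM', and a value that is clearly not a tag.
SAMPLE_IMMEDIATES = [0x636F7250, 0xE36F7250, 0x6B73644D, 0x00000010]

if __name__ == "__main__":
    for line in pooltags_lines(SAMPLE_IMMEDIATES, "example.sys", "example driver allocation"):
        print(line)
```

The de-duplication matters in practice: a driver that uses the protected form of a tag in some call sites and the plain form in others still has a single tag as far as pooltags.txt and WinDbg are concerned.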

Acknowledgements

The IOCTL code parsing functions are mostly based on Satoshi Tanda's https://github.com/tandasat/WinIoCtlDecoder/blob/master/plugins/WinIoCtlDecoder.py
The original code for adding items to the right-click menu (and possibly some other random snippets) came from 'herrcore': https://gist.github.com/herrcore/b3143dde185cecda7c1dee7ffbce5d2c
The logic for calling FLOSS and the Unicode string finding functions are taken from https://github.com/fireeye/flare-floss
The driver type identification logic is taken from NCC Group's DriverBuddy plugin: https://github.com/nccgroup/DriverBuddy

License

This code is released under a 3-clause BSD License. See the LICENSE file for full details.

Contributors

sam-b
