  • Stars: 417
  • Rank 103,202 (Top 3 %)
  • Language: Python
  • License: Other
  • Created about 8 years ago
  • Updated about 6 years ago


Repository Details

A tool to help when dealing with Windows IOCTL codes or reversing Windows drivers.

Windows Driver Plugin

An IDA Pro plugin to help when working with IOCTL codes or reversing Windows drivers.

Installation

Just drop the 'win_driver_plugin.py' file and the 'win_driver_plugin' folder into IDA's plugin directory.
If you want FLOSS to be used when hunting for device names, you can install FLOSS with the following commands:

pip install https://github.com/williballenthin/vivisect/zipball/master
pip install https://github.com/fireeye/flare-floss/zipball/master

If you want to use Angr to find the IOCTL codes used in the dispatch function, the following links provide install instructions:
http://angr.horse
https://github.com/andreafioraldi/angr-win64-wheels

Shortcuts

Ctrl+Alt+A => Find potential device names
Ctrl+Alt+S => Find the dispatch function
Ctrl+Alt+D => Decode currently selected IOCTL code
Ctrl+Alt+Z => Dump pooltags

Usage

Finding device names

Using Ctrl+Alt+A it's possible to attempt to find the driver's registered device paths. For example, we get several potential paths when inspecting a random AVG driver:

If no paths can be found by looking at Unicode strings inside the binary, FLOSS will be used in an attempt to find obfuscated paths. For example, inspecting the infamous Capcom driver:
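The first, non-FLOSS stage of that hunt is just a string scan for the prefixes a driver hands to IoCreateDevice / IoCreateSymbolicLink. The following stand-alone Python is an added example of that scan and is not the plugin's own code: it runs on a raw byte buffer rather than inside IDA, the prefix list and the constructed `SAMPLE` "section" are my assumptions, and an obfuscated name (the case FLOSS is for) would not be found by it.

```python
"""Hunt for device paths in a raw driver image (added example, not the plugin's code)."""
import re
import sys

# Prefixes a driver typically passes to IoCreateDevice / IoCreateSymbolicLink.
DEVICE_PREFIXES = ("\\Device\\", "\\DosDevices\\", "\\??\\", "\\GLOBAL??\\")

# A printable run of at least four characters, in UTF-16LE (how a driver's
# UNICODE_STRING literals are stored) and, as a fallback, in plain ASCII.
_UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
_ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")


def find_strings(data):
    """Yield (offset, text, encoding) for every printable run in data."""
    for m in _UTF16_RE.finditer(data):
        yield m.start(), m.group().decode("utf-16-le"), "utf-16le"
    for m in _ASCII_RE.finditer(data):
        yield m.start(), m.group().decode("ascii"), "ascii"


def find_device_names(data):
    """Return [(offset, encoding, path)] for strings containing a device-path prefix.

    The text is cut at the earliest prefix so that a surrounding format string
    such as "%ws\\Device\\Foo" still yields "\\Device\\Foo".
    """
    hits = []
    for off, text, enc in find_strings(data):
        starts = [s for s in (text.find(p) for p in DEVICE_PREFIXES) if s != -1]
        if starts:
            hits.append((off, enc, text[min(starts):]))
    return sorted(hits)


def _u16(s):
    """UTF-16LE encode with a NUL terminator, like a UNICODE_STRING literal."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for a driver's .rdata section (not taken from a real binary).
SAMPLE = (
    b"\x00" * 8
    + _u16("\\Device\\AcmeFilter")
    + b"\xcc" * 5
    + _u16("\\DosDevices\\AcmeFilter")
    + b"Hello, world\x00"            # unrelated ASCII string
    + b"\\??\\AcmeLegacy\x00\x00"    # an ANSI path, e.g. built via RtlInitAnsiString
    + _u16("Loaded %ws")             # printable Unicode, but not a device path
)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, enc, path in find_device_names(blob):
        print("0x%08x %-8s %s" % (off, enc, path))
```

Run it with a driver file as the only argument, or with no argument to scan the embedded sample.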

Finding dispatch functions

Using Ctrl+Alt+S it's possible to attempt to find the currently inspected driver's dispatch function. This is quite hacky but seems to work most of the time; here's an example of it working on a random AVG driver:

Trying this on a different AVG driver leads to it failing completely, in this case because the driver's IOCTL handler is basically a stub which sends some requests to a different function before passing most of them on to the actual IOCTL handler.

Decoding IOCTL codes

By right-clicking on a potential IOCTL code a context menu option can be used to decode the value, alternatively Ctrl+Alt+D can be used.

This will print a table with all decoded IOCTL codes each time a new one is decoded:

By right-clicking on a decoded IOCTL code it's possible to mark it as invalid:

This will leave any non-IOCTL define based comment contents intact.

The right-click menu also includes a 'display all defines' option which displays the CTL_CODE definitions for all IOCTL codes decoded in the current session:

If you right-click on the first instruction of the function you believe to be the IOCTL dispatcher, a 'decode all' option appears; this attempts to decode all IOCTL codes it can find in the function. This is super hacky but can speed things up most of the time.

If you want to do this in a smarter way and can get Angr installed successfully, the 'Decode IOCTLs using Angr' option shown below will use symbolic execution to attempt to recover all IOCTL codes. This deals with jump tables, optimizations etc., whereas the dumb method just looks for comparisons to constants.
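The decoding itself is a fixed bit layout from winioctl.h: CTL_CODE packs the device type into bits 31..16, the required access into bits 15..14, the function number into bits 13..2 and the transfer method into bits 1..0. The stand-alone Python below is an added example of that decode, the reverse CTL_CODE build, the `#define` output and a plausibility filter for the "decode all" style sweep over constants; it is not the plugin's code. The FILE_DEVICE_* table is a subset I typed in, and `looks_like_ioctl` is my own heuristic rather than the plugin's.

```python
"""Decode and build Windows IOCTL codes (added example, not the plugin's code)."""

# CTL_CODE(DeviceType, Function, Method, Access) =
#     (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}
# Subset of the FILE_DEVICE_* values from winioctl.h (assumption: enough for
# the example). Values 0x8000 and above are reserved for third-party vendors.
DEVICE_TYPES = {
    0x01: "FILE_DEVICE_BEEP", 0x02: "FILE_DEVICE_CD_ROM", 0x07: "FILE_DEVICE_DISK",
    0x09: "FILE_DEVICE_FILE_SYSTEM", 0x0b: "FILE_DEVICE_KEYBOARD",
    0x0f: "FILE_DEVICE_MOUSE", 0x11: "FILE_DEVICE_NAMED_PIPE",
    0x12: "FILE_DEVICE_NETWORK", 0x1b: "FILE_DEVICE_SERIAL_PORT",
    0x22: "FILE_DEVICE_UNKNOWN", 0x23: "FILE_DEVICE_VIDEO",
    0x2d: "FILE_DEVICE_MASS_STORAGE", 0x32: "FILE_DEVICE_ACPI",
    0x3e: "FILE_DEVICE_VMBUS",
}


def decode_ioctl(value):
    """Split a 32-bit IOCTL into its CTL_CODE fields, with symbolic names."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("IOCTL codes are 32-bit values: 0x%x" % value)
    device = value >> 16
    access = (value >> 14) & 0x3
    function = (value >> 2) & 0xFFF
    method = value & 0x3
    return {
        "device_type": device,
        "device_name": DEVICE_TYPES.get(device, "0x%X" % device),
        "access": access, "access_name": ACCESS[access],
        "function": function,
        # Function codes 0x800..0xFFF are the range set aside for vendors.
        "vendor_function": function >= 0x800,
        "method": method, "method_name": METHODS[method],
    }


def ctl_code(device, function, method, access=0):
    """The CTL_CODE macro, for round-tripping a decoded value."""
    if device > 0xFFFF or function > 0xFFF or method > 3 or access > 3:
        raise ValueError("field out of range")
    return (device << 16) | (access << 14) | (function << 2) | method


def define_line(name, value):
    """Render one IOCTL as a C #define, the way a 'display all defines' view would."""
    d = decode_ioctl(value)
    return "#define %s CTL_CODE(%s, 0x%03X, %s, %s)" % (
        name, d["device_name"], d["function"], d["method_name"], d["access_name"])


def looks_like_ioctl(value):
    """Plausibility filter (my heuristic): a non-zero 32-bit value whose device
    type is a known FILE_DEVICE_* value or in the vendor range. This rejects
    small immediates, structure offsets and most addresses that a dumb sweep
    over constants in a dispatch function would otherwise pick up."""
    if not 0 < value <= 0xFFFFFFFF:
        return False
    device = value >> 16
    return device in DEVICE_TYPES or 0x8000 <= device <= 0xFFFF


def decode_candidates(immediates):
    """'Decode all' over a list of constants: keep plausible ones, deduplicated."""
    out = []
    for imm in immediates:
        if looks_like_ioctl(imm) and imm not in [v for v, _ in out]:
            out.append((imm, decode_ioctl(imm)))
    return out


if __name__ == "__main__":
    # Constructed list of immediates as a dumb sweep might collect them.
    for v, d in decode_candidates([0x10, 0x222003, 0x70000, 0x80002004, 0x222003]):
        print(define_line("IOCTL_0x%X" % v, v), "| vendor function:", d["vendor_function"])
```

`decode_candidates` is the pure-Python stand-in for the "dumb" sweep: the IDA side would supply the immediates from `cmp`/`sub` operands in the dispatcher, which is exactly what misses jump tables and what the Angr option is for.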

Viewing IOCTL codes

If you've decoded one or more IOCTLs, a new option appears on the plugin's right-click context menu.

This will take you to a new tab which shows all the IOCTLs which have been found.

Right clicking on any IOCTL opens up some more commands, such as copying them to the clipboard or attempting to load the driver and send them.

Dumping pool tags

Using Ctrl+Alt+Z it's possible to dump the pool tags in use by the binary in a format which works with pooltags.txt. This means the output can be copy-pasted onto the end of that file and then picked up by WinDbg etc.
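The detail worth getting right when doing this by hand is byte order: the tag argument to ExAllocatePoolWithTag is a 32-bit immediate that is stored little-endian, so a source literal of 'kcaB' shows up in memory, in poolmon and in WinDbg as "Back". The stand-alone Python below is an added example of that conversion and of the "Tag - binary - description" line format pooltags.txt uses; it is not the plugin's code. The immediates, driver name and description in the usage are constructed, and the PROTECTED_POOL mask is the ntddk.h flag value.

```python
"""Turn pool-tag immediates into pooltags.txt lines (added example, not the plugin's code)."""
import struct

# ntddk.h: drivers may OR this into a tag so ExFreePoolWithTag can catch
# frees with the wrong tag. It has to be masked off before decoding.
PROTECTED_POOL = 0x80000000


def tag_from_immediate(imm):
    """Return the 4-character tag as WinDbg displays it, or None if the
    immediate does not look like a tag (any byte outside printable ASCII)."""
    imm &= 0x7FFFFFFF                  # drop PROTECTED_POOL if present
    raw = struct.pack("<I", imm)       # little-endian: 'kcaB' literal -> b"Back"
    if any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def pooltags_lines(immediates, binary, description):
    """One 'Tag  - binary - description' line per distinct tag, in first-seen
    order, ready to append to pooltags.txt. Non-tag immediates are skipped."""
    seen = []
    for imm in immediates:
        tag = tag_from_immediate(imm)
        if tag is not None and tag not in seen:
            seen.append(tag)
    return ["%-4s - %s - %s" % (tag, binary, description) for tag in seen]


if __name__ == "__main__":
    # Constructed immediates as they might appear in a driver's calls to
    # ExAllocatePoolWithTag: 'kcaB', a size that is not a tag, 'Vad ' and a repeat.
    for line in pooltags_lines([0x6B636142, 0x1000, 0x20646156, 0x6B636142],
                               "acme.sys", "Acme filter allocations"):
        print(line)
```

Tags with a trailing space (such as "Vad ") are legitimate, which is why the filter only rejects non-printable bytes rather than whitespace.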

Acknowledgements

The IOCTL code parsing functions are mostly based off of Satoshi Tanda's https://github.com/tandasat/WinIoCtlDecoder/blob/master/plugins/WinIoCtlDecoder.py
The original code for adding items to the right-click menu (and possibly some other random snippets) came from 'herrcore' https://gist.github.com/herrcore/b3143dde185cecda7c1dee7ffbce5d2c
The logic for calling floss and the unicode string finding functions are taken from https://github.com/fireeye/flare-floss
The driver type identification code logic is taken from NCC Group's DriverBuddy plugin https://github.com/nccgroup/DriverBuddy

License

This code is released under a 3-clause BSD License. See the LICENSE file for full details.
