  • Stars: 303
  • Rank 136,826 (Top 3 %)
  • Language: C++
  • Created about 6 years ago
  • Updated 6 months ago


Repository Details

Canadian Furious Beaver is a ProcMon-style tool designed only for capturing IRPs sent to any Windows driver.


Idea

Furious Beaver is a distributed tool for capturing IRPs sent to any Windows driver. It operates in 2 parts:

  1. the "Broker" combines a user-land agent and a self-extractable driver (IrpDumper.sys) that installs itself on the targeted system. Once running, it exposes (depending on the compilation options) either a remote named pipe (reachable from \\target.ip.address\pipe\cfb) or a TCP listener on port 1337. The communication protocol was made simple by design (i.e. not secure), so that any 3rd-party tool can easily dump the driver IRPs from the same Broker (via simple JSON messages).

  2. the GUI is a Windows 10 UWP app made in a ProcMon style: it connects to wherever the Broker is and provides a convenient GUI for manipulating the Broker (driver enumeration, hooking and IRP capturing). It also offers facilities for forging/replaying IRPs, auto-fuzzing (i.e. applying specific fuzzing policies to each captured IRP), or extracting IRPs in various formats (raw, as a Python script, as a PowerShell script) for further analysis. The captured data can be saved on disk in an easily parsable format (*.cfb = SQLite) for further analysis, and/or reloaded afterwards in the GUI.

Although the GUI obviously requires a Windows 10 environment (UWP App), the Broker itself can be deployed on any Windows 7+ host (x86 or x64). The target host must have the testsigning BCD policy enabled, as the self-extracting driver is not WHQL-signed.

Screenshots

Intercepted IRP view (screenshot)

IRP details (screenshots: IRP Metadata, IRP InputBuffer)

IRP replay (screenshot)

Concept

IrpDumper.sys is the driver part of the CFB Broker; it auto-extracts and installs itself when launched. The driver is responsible for hooking the IRP Major Function table of whichever driver is requested to be hooked, via an IOCTL passed from the Broker. Upon success, the IRP table of the target driver points to the IrpDumper.sys interception routine, as can easily be seen with a debugger or tools like WinObjEx64.

IrpDumper.sys itself then acts as a rootkit, proxying all calls to the targeted driver(s). When a DeviceIoControl is sent to a hooked driver, IrpDumper simply captures the data (if any), pushes a message to the user-land agent (Broker), and yields execution back to the legitimate driver, allowing the intended code to continue as expected. The Broker stores all this data in user-land until a client asks for it.
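As an added illustration (not part of the CFB project), the check a defender can run to recognise the state just described: a dispatch entry in a driver's MajorFunction[] table that points outside both the driver's own image and ntoskrnl. The DRIVER_OBJECT stand-in, the image ranges and the addresses are constructed sample values; ntoskrnl is exempted because unimplemented major functions legitimately point at nt!IopInvalidDeviceRequest.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* WDK major-function indices; MajorFunction[] has IRP_MJ_MAXIMUM_FUNCTION+1 slots. */
#define IRP_MJ_CREATE           0x00
#define IRP_MJ_CLOSE            0x02
#define IRP_MJ_DEVICE_CONTROL   0x0e
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b

typedef struct { uintptr_t base; size_t size; } image_range_t;
/* Constructed stand-in for the DRIVER_OBJECT fields that matter here:
 * DriverStart/DriverSize and the MajorFunction[] dispatch table. */
typedef struct {
    image_range_t image;
    uintptr_t major_function[IRP_MJ_MAXIMUM_FUNCTION + 1];
} driver_snapshot_t;

static bool in_range(uintptr_t addr, image_range_t r) {
    return addr >= r.base && addr - r.base < r.size;
}

/* Flag every dispatch entry that points neither into the driver's own image nor into
 * ntoskrnl (unimplemented slots legitimately point at nt!IopInvalidDeviceRequest).
 * Returns the number of such entries and sets bit i of *mask for each flagged index i. */
int find_foreign_dispatch_entries(const driver_snapshot_t *d, image_range_t nt, uint32_t *mask) {
    int count = 0;
    *mask = 0;
    for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        uintptr_t fn = d->major_function[i];
        if (!in_range(fn, d->image) && !in_range(fn, nt)) {
            *mask |= 1u << i;
            count++;
        }
    }
    return count;
}

/* Constructed sample: an ntoskrnl range and a driver whose IRP_MJ_DEVICE_CONTROL slot
 * has been redirected into a third image, the state the text above describes. */
const image_range_t SAMPLE_NT = { 0xFFFFF80000200000ull, 0x1000000 };
driver_snapshot_t make_sample_snapshot(void) {
    driver_snapshot_t d = { { 0xFFFFF80012340000ull, 0x8000 }, { 0 } };
    for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        d.major_function[i] = SAMPLE_NT.base + 0x5000;               /* nt default stub */
    d.major_function[IRP_MJ_CREATE] = d.image.base + 0x1000;         /* driver's own handlers */
    d.major_function[IRP_MJ_CLOSE] = d.image.base + 0x1100;
    d.major_function[IRP_MJ_DEVICE_CONTROL] = 0xFFFFF80045672000ull; /* foreign image: hooked */
    return d;
}
```

On a live system the same comparison is done against the real DRIVER_OBJECT (e.g. from a kernel debugger with `!drvobj <name> 7`), which is exactly what WinObjEx64's driver view shows.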

Build

GUI

Clone the repository and build the Broker from the solution CFB.sln at the project root with Visual Studio (Debug, which is very verbose, or Release). Additionally, you can build the App GUI by building the GUI (Universal Windows) project.

Command line

Clone the repository and in a VS prompt run

C:\cfb\> msbuild CFB.sln /p:Configuration=$Conf

Where $Conf can be set to Release or Debug.

Setup

A Windows 7+ machine (Windows 10 SDK VM is recommended)

On this target machine, simply enable the BCD test signing flag (in cmd.exe as Admin):

C:\> bcdedit.exe /set {whatever-profile} testsigning on

If built in Debug mode, IrpDumper.sys provides a lot more valuable information as to what is being hooked (at the cost of performance). All this information is visible via tools like DebugView.exe or a kernel debugger like WinDbg. In either case, you must enable the kernel debug BCD flag (in cmd.exe as Admin):

C:\> bcdedit.exe /set {whatever-profile} debug on

It is also recommended to edit the KD verbosity level, via:

  • the registry for a permanent effect (reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter" /v DEFAULT /t REG_DWORD /d 0xf)
  • directly from WinDbg for only the current session (ed nt!Kd_Default_Mask 0xf)

If you plan on (re-)compiling any of the tools, you must install VS (2019 preferred). If using the Release binaries, you only need the VS C++ Redist installed (x86 or x64 depending on your VM architecture).

Follow the indications in the Docs/ folder to improve your setup.

Command-line client

Several command line tools (such as dumping all data to SQLite database, fuzzing IRP, etc.) can be found in the external repository CFB-cli.

Why the name?

Because I had no idea for the name of this tool, so it was graciously generated by a script of mine.

More Repositories

  1. gef (Python, 6,785 stars): GEF (GDB Enhanced Features) - a modern experience for GDB with advanced debugging capabilities for exploit devs & reverse engineers on Linux
  2. cemu (Python, 932 stars): Cheap EMUlator: lightweight multi-architecture assembly playground
  3. defcon_27_windbg_workshop (Python, 696 stars): DEFCON 27 workshop - Modern Debugging with WinDbg Preview
  4. gdb-static (315 stars): Public repository of statically compiled GDB and GDBServer
  5. stuff (Python, 216 stars): Unsorted, raw, ugly & probably poorly usable tools for reversing, exploit and pentest
  6. windbg_js_scripts (JavaScript, 212 stars): Toy scripts for playing with WinDbg JS API
  7. proxenet (C, 211 stars): The ONLY hacker friendly proxy for webapp pentests.
  8. binja-retdec (Python, 164 stars): Binary Ninja plugin to decompile binaries using RetDec API
  9. gef-extras (Python, 147 stars): Extra goodies for GEF to (try to) make GDB suck even less
  10. pwn-- (C++, 119 stars): pwn++ is a Windows & Linux library oriented for exploit dev but mostly used to play with modern C++ features (17->26)
  11. ctfhub (Python, 76 stars): Where CTFs happen
  12. recon_2024_windbg_workshop (JavaScript, 67 stars)
  13. gef-binja (Python, 58 stars): Interface GDB-GEF with Binary Ninja
  14. codebro (HTML, 43 stars): Web based code browser using clang to provide basic code analysis.
  15. modern.ie-vagrant (PowerShell, 42 stars): Modern.ie for Vagrant
  16. bochscpu-python (C++, 33 stars): Python bindings for BochsCPU
  17. binja-headless (Python, 31 stars): Binja (sort of) headless
  18. hevd (C, 20 stars): Public repository for HEVD exploits
  19. modern (Python, 20 stars): A tool to unify the command line of Windows/Linux/MacOS using modern Rust tools
  20. shared-kernel-user-section-driver (C++, 20 stars): Experiment to use sections as User/Kernelmode comm vector
  21. ida-headless (Python, 19 stars): IDA (sort of) headless
  22. gef-legacy (Python, 18 stars): Legacy version of GEF running for GDB+Python2
  23. modern-cpp-windows-driver-template (C++, 16 stars): Windows driver template, using C++20 & cmake & GithubActions
  24. sstoper (C, 16 stars): SSTP VPN client for Linux
  25. proxenet-plugins (Python, 14 stars): Repository for proxenet plugins
  26. ropgadget-rs (Rust, 14 stars): Another (bad) ROP gadget finder, but this time in Rust
  27. pywii (Python, 8 stars): PyWii is a tool to help you control your PC from your Wiimote using Bluetooth.
  28. bakassabl (C, 7 stars): Cheap Linux sandboxer based on seccomp
  29. gef-structs (5 stars): Open repositories of custom structures for GDB Enhanced Features (GEF)
  30. dji-joe (Go, 5 stars): DJI Phantom3 takeover framework
  31. gef-docker (Python, 5 stars): Ready to use Docker environment for GEF (used for https://demo.gef.blah.cat gef/gef-demo)
  32. socat-rs (Rust, 4 stars): A port forwarder for Windows written in 10min. Don't expect much from it...
  33. modern-cpp-template (CMake, 3 stars): A template repository for my C++ projects, with docs and CI
  34. CFB-cli (Python, 2 stars): Command line tools for CFB
  35. hugsy (2 stars)
  36. dufe (Python, 2 stars): Dummy Universal Fuzzer Ever
  37. dji-jane (Go, 1 star): DJI Phantom3 detection tool - server part of DJI-Joe
  38. pwn--template (CMake, 1 star): Kickstart C++ exploits with pwn++, with auto-build by GithubActions