Python Script Reverse Engineering of Kernel Drivers

DriverBuddy is an IDAPython plugin that automates some of the struggle surrounding the reverse engineering of Windows kernel drivers.

DriverBuddy Installation Instructions:

  1. Create a clone of the repo: git clone https://github.com/nccgroup/DriverBuddy.git
  2. Copy the DriverBuddy folder and the DriverBuddy.py file into the IDA plugins folder, for example C:\Program Files (x86)\IDA 6.8\plugins or wherever you installed IDA.

DriverBuddy Usage Instructions

  1. Begin IDA and open a Windows kernel driver.
  2. Go to Edit->Plugins and select Driver Buddy or press ctrl-alt-d.
  3. Check the output window for DriverBuddy analysis results.
  4. To decode an IOCTL, highlight the suspected IOCTL value and press ctrl-alt-i.

About DriverBuddy

It has a number of useful features, such as:

  • Populating common structs for WDM and WDF drivers.
    • Attempts to identify and then label structs such as the IRP and IO_STACK_LOCATION.
    • Labels calls to WDF functions that would otherwise be left unlabeled.
  • Discovering known IOCTL codes and then decoding them.
  • Identifying the type of driver in question.
  • Finding the DispatchDeviceControl and DispatchInternalDeviceControl functions.
  • Flagging functions that are commonly misused.

Finding The DispatchDeviceControl

Identifying and locating the DispatchDeviceControl function by hand is a time-consuming step during driver reverse engineering, so automating it pays off quickly.

This function routes every incoming DeviceIoControl code to the driver routine associated with that code. Automatically identifying it makes finding the valid DeviceIoControl codes for each driver a lot quicker. Further, when investigating a crash for a possible vulnerability, knowing where this function lives helps narrow the focus to the specific routine associated with the crashing DeviceIoControl code.
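The following is an added example, not DriverBuddy's own code, showing one way the dispatch routines can be auto-located: in DriverEntry the driver stores function pointers into DriverObject->MajorFunction[], whose offset is fixed by the public DRIVER_OBJECT layout (0x38 on x86, 0x70 on x64, one pointer per IRP_MJ_* slot). The disassembly it scans is a constructed sample, the register tracking is deliberately minimal, and it does not verify that the base register really holds the DriverObject pointer, which a real plugin would do.

```python
import re

# DRIVER_OBJECT.MajorFunction[] starts at 0x38 on x86 and 0x70 on x64
# (from the public ntddk.h layout); each entry is one pointer wide.
MAJOR_FUNCTION_BASE = {4: 0x38, 8: 0x70}

# IRP major function codes from ntddk.h (subset).
IRP_MJ = {
    "IRP_MJ_CREATE": 0x00,
    "IRP_MJ_CLOSE": 0x02,
    "IRP_MJ_READ": 0x03,
    "IRP_MJ_WRITE": 0x04,
    "IRP_MJ_DEVICE_CONTROL": 0x0E,
    "IRP_MJ_INTERNAL_DEVICE_CONTROL": 0x0F,
}

# "lea reg, sym" or "mov reg, offset sym": remember which symbol a register holds.
LOAD_RE = re.compile(r"^\s*(?:lea|mov)\s+(\w+),\s*(?:offset\s+)?(\w+)\s*(?:;.*)?$")
# "mov [reg+NNh], reg": a pointer-sized store into a struct field.
STORE_RE = re.compile(r"^\s*mov\s+\[(\w+)\+([0-9A-Fa-f]+)h\],\s*(\w+)")

# Constructed x64 DriverEntry fragment (not from any real driver).
SAMPLE_DRIVERENTRY_X64 = """
mov     [rcx+68h], rax             ; DriverUnload (not a MajorFunction slot)
lea     rax, sub_140001000
mov     [rcx+0E0h], rax            ; MajorFunction[IRP_MJ_DEVICE_CONTROL]
mov     [rcx+0E8h], rax            ; MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL]
lea     rax, sub_140001200
mov     [rcx+70h], rax             ; MajorFunction[IRP_MJ_CREATE]
"""


def major_function_offset(name, ptr_size=8):
    """Byte offset of DriverObject->MajorFunction[name] for the given pointer size."""
    return MAJOR_FUNCTION_BASE[ptr_size] + IRP_MJ[name] * ptr_size


def find_dispatch_routines(disasm, ptr_size=8):
    """Map IRP_MJ_* names to the symbol stored into the matching MajorFunction slot."""
    slot_by_offset = {major_function_offset(n, ptr_size): n for n in IRP_MJ}
    regs = {}   # register -> last symbol loaded into it (simplified tracking)
    found = {}
    for line in disasm.splitlines():
        m = LOAD_RE.match(line)
        if m:
            regs[m.group(1)] = m.group(2)
            continue
        m = STORE_RE.match(line)
        if m:
            offset, src = int(m.group(2), 16), m.group(3)
            name = slot_by_offset.get(offset)
            if name and src in regs:
                found[name] = regs[src]
    return found


if __name__ == "__main__":
    for slot, sym in find_dispatch_routines(SAMPLE_DRIVERENTRY_X64).items():
        print(f"{slot:<34} -> {sym}")
```

The offsets are what make this work: IRP_MJ_DEVICE_CONTROL is index 0x0E, so the store lands at 0x70 + 0x0E*8 = 0xE0 on x64 (0x38 + 0x0E*4 = 0x70 on x86), and a store to that field from DriverEntry is a strong signal for the dispatch routine.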

Labeling The WDM Structs:

Several driver structures are common to all WDM drivers.

Automatically identifying structures such as the IRP, IO_STACK_LOCATION, and DEVICE_OBJECT saves precious time during the reverse engineering process, so DriverBuddy attempts to locate and label as many of these structs as it can.

Labeling WDF Functions: 

As with WDM drivers, there are several structures and functions common to all WDF drivers.

Automatically identifying these functions and structures saves time during reverse engineering and provides context for otherwise unidentified areas of the driver where they are used.

Decoding The DeviceIoControl Codes: 

When reversing drivers, it is typical to come across IOCTL codes during the analysis.

Once decoded, these codes reveal useful information to reverse engineers and draw focus to the specific parts of the driver where vulnerabilities are most likely to exist.
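As an added example (not DriverBuddy's own decoder), the following Python breaks a 32-bit IOCTL into its CTL_CODE fields as laid out in winioctl.h and flags the properties a reviewer cares about: a vendor-defined function number (0x800 and up), METHOD_NEITHER (the driver receives raw user-mode pointers and must validate them itself), and a device type that is either a known FILE_DEVICE_* value or in the OEM range. The device-type and known-IOCTL tables are small subsets chosen for illustration, the sample constants are constructed, and the plausibility filter is a heuristic of my own.

```python
# CTL_CODE bit layout (winioctl.h):
#   bits 31..16 DeviceType | bits 15..14 RequiredAccess | bits 13..2 FunctionCode | bits 1..0 TransferType
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
          3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}
DEVICE_TYPES = {  # subset of FILE_DEVICE_* from winioctl.h
    0x02: "FILE_DEVICE_CD_ROM", 0x07: "FILE_DEVICE_DISK", 0x09: "FILE_DEVICE_FILE_SYSTEM",
    0x0B: "FILE_DEVICE_KEYBOARD", 0x0F: "FILE_DEVICE_MOUSE", 0x12: "FILE_DEVICE_NETWORK",
    0x1B: "FILE_DEVICE_SERIAL_PORT", 0x22: "FILE_DEVICE_UNKNOWN", 0x23: "FILE_DEVICE_VIDEO",
    0x2D: "FILE_DEVICE_MASS_STORAGE", 0x32: "FILE_DEVICE_ACPI",
}
# A couple of documented codes; a real plugin carries a much longer table.
KNOWN_IOCTLS = {
    0x00070000: "IOCTL_DISK_GET_DRIVE_GEOMETRY",   # CTL_CODE(FILE_DEVICE_DISK, 0, BUFFERED, ANY)
    0x002D1400: "IOCTL_STORAGE_QUERY_PROPERTY",    # CTL_CODE(FILE_DEVICE_MASS_STORAGE, 0x500, BUFFERED, ANY)
}

# Constructed immediates, as one might collect from a DispatchDeviceControl switch.
SAMPLE_IMMEDIATES = [0x00222003, 0x00070000, 0x00000001, 0x002D1400]


def encode_ioctl(device_type, function, method, access):
    """The CTL_CODE macro: pack the four fields into one 32-bit value."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Unpack a 32-bit IOCTL into named fields plus review flags."""
    code &= 0xFFFFFFFF
    device_type = code >> 16
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    return {
        "code": code,
        "name": KNOWN_IOCTLS.get(code),
        "device_type": device_type,
        "device_type_name": DEVICE_TYPES.get(device_type, f"0x{device_type:04X} (not in table)"),
        "access": ACCESS[access],
        "function": function,
        # Function numbers 0x000-0x7FF are reserved for Microsoft; 0x800+ are vendor-defined.
        "vendor_defined": function >= 0x800,
        "method": METHODS[method],
        # Heuristic: device type is a known value or in the OEM range 0x8000-0xFFFF.
        "plausible": device_type in DEVICE_TYPES or 0x8000 <= device_type <= 0xFFFF,
    }


def format_ioctl(code):
    """One output-window style line per code."""
    d = decode_ioctl(code)
    label = d["name"] or "unknown"
    flag = " [vendor-defined function]" if d["vendor_defined"] else ""
    return (f"0x{d['code']:08X} {label}: CTL_CODE({d['device_type_name']}, "
            f"0x{d['function']:X}, {d['method']}, {d['access']}){flag}")


def scan_immediates(values):
    """Keep constants whose fields look sane. NTSTATUS values and other 32-bit
    constants can still collide with the layout, so a human confirms each hit."""
    return [format_ioctl(v) for v in values if decode_ioctl(v)["plausible"]]


if __name__ == "__main__":
    for line in scan_immediates(SAMPLE_IMMEDIATES):
        print(line)
```

Running it on the constructed list keeps three of the four constants; 0x00222003 decodes to CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS), the combination of a vendor function number, no access requirement and raw user pointers that most deserves a close look at the handler.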

Olé Crypto,

CBNN
