Want to Join Us ?

you'll be able to discuss, share and send private messages.

NEW Ida pro Windows Driver Plugin by Sam-b

Discussion in 'Plugins' started by storm shadow, Oct 17, 2016.

Share This Page

  1. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    An IDA Pro plugin to help when working with IOCTL codes or reversing Windows drivers.
    Installation

    Just drop 'win_driver_plugin.py' file and the 'win_driver_plugin' folder into IDA's plugin directory.
    If you want FLOSS to be used when hunting for device names, you can install FLOSS with the following commands:
    pip install https://github.com/williballenthin/vivisect/zipball/master
    pip install https://github.com/fireeye/flare-floss/zipball/master

    Shortcuts

    Ctrl+Alt+A => Find device name
    Ctrl+Alt+S => Find the dispatch function
    Ctrl+Alt+D => Decode currently selected IOCTL code
    Usage

    Finding device names

    Using Ctrl+Alt+A it's possible to attempt to the find the drivers registered device paths, for example we get several potential paths when inspecting a random AVG driver:
    [​IMG]
    If no paths can be found by looking at Unicode strings inside the binary then FLOSS will be used in an attempt to find obsfucated paths, for example inspecting the infamous capcom driver:
    [​IMG]
    Finding dispatch functions

    Using Ctrl+Alt+S it's possible to attempt to find the currently inspected drivers dispatch function, this is quite hacky but seems to work most of the time - here's an example of this working on a random AVG driver:
    [​IMG]
    Trying this on a different AVG driver leads to it failing completely, in this case because the drivers IOCTL handler is basically a stub which sends some requests to a different function begore passing most to the actual IOCTL handler
    [​IMG]
    Decoding IOCTL codes

    By right-clicking on a potential IOCTL code a context menu option can be used to decode the value, alternatively Ctrl+Alt+D can be used.
    [​IMG]
    This will print a table with all decoded IOCTL codes each time a new one is decoded:
    [​IMG]
    By right-clicking on a decoded IOCTL code it's possible to mark it as invalid:
    [​IMG]
    This will leave any non-IOCTL define based comment contents intact.
    [​IMG]
    The right-click menu also included a display all defines option which display the CTL_CODE definitions for all IOCTL codes decoded in the current session:
    [​IMG]
    If you right click on the first instruction of the function you beleive to be the IOCTL dispatcher a decode all options appears, this attempt to decode all IOCTL codes it can find in the function. This super hacky but can speed things up most of the time.
    [​IMG]
    Acknowledgements

    The IOCTL code parsing functions are mostly based off of Satoshi Tanda's https://github.com/tandasat/WinIoCtlDecoder/blob/master/plugins/WinIoCtlDecoder.py
    The original code for adding items to the right-click menu (and possibly some other random snippets) came from 'herrcore'
    The logic for calling floss and the unicode string finding functions are taken from https://github.com/fireeye/flare-floss

    source
    https://github.com/sam-b/win_driver_plugin
     

    Attached Files:

    Rip Cord likes this.
Top