{"id":13540403,"url":"https://github.com/FSecureLABS/win_driver_plugin","last_synced_at":"2025-04-02T07:31:03.817Z","repository":{"id":90565748,"uuid":"65835010","full_name":"FSecureLABS/win_driver_plugin","owner":"FSecureLABS","description":"A tool to help when dealing with Windows IOCTL codes or reversing Windows drivers.","archived":false,"fork":false,"pushed_at":"2018-08-22T21:12:54.000Z","size":346,"stargazers_count":421,"open_issues_count":2,"forks_count":122,"subscribers_count":41,"default_branch":"master","last_synced_at":"2024-11-03T05:32:44.125Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://labs.mwrinfosecurity.com/tools/win-driver-tool/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/FSecureLABS.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2016-08-16T16:15:02.000Z","updated_at":"2024-09-26T16:47:58.000Z","dependencies_parsed_at":"2023-04-26T10:33:59.138Z","dependency_job_id":null,"html_url":"https://github.com/FSecureLABS/win_driver_plugin","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FSecureLABS%2Fwin_driver_plugin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FSecureLABS%2Fwin_driver_plugin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FSecureLABS%2Fwin_driver_plugin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FSecureLABS%2Fwin_driver_plugin/manifests","owner_url":"https://repos.eco
syste.ms/api/v1/hosts/GitHub/owners/FSecureLABS","download_url":"https://codeload.github.com/FSecureLABS/win_driver_plugin/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246774377,"owners_count":20831528,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T09:01:48.821Z","updated_at":"2025-04-02T07:30:58.798Z","avatar_url":"https://github.com/FSecureLABS.png","language":"Python","funding_links":[],"categories":["\u003ca id=\"f56806b5b229bdf6c118f5fb1092e141\"\u003e\u003c/a\u003e威胁情报","\u003ca id=\"004c199e1dbf71769fbafcd8e58d1ead\"\u003e\u003c/a\u003e针对特定分析目标","Python (1887)","Python","使用"],"sub_categories":["\u003ca id=\"3e10f389acfbd56b79f52ab4765e11bf\"\u003e\u003c/a\u003eIOC","\u003ca id=\"4c158ccc5aee04383755851844fdd137\"\u003e\u003c/a\u003eWindows驱动","\u003ca id=\"004c199e1dbf71769fbafcd8e58d1ead\"\u003e\u003c/a\u003e针对特定分析目标"],"readme":"# Windows Driver Plugin\n\nAn IDA Pro plugin to help when working with IOCTL codes or reversing Windows drivers.\n\n## Installation\n\nJust drop the 'win_driver_plugin.py' file and the 'win_driver_plugin' folder into IDA's plugin directory.   
\nIf you want [FLOSS](https://github.com/fireeye/flare-floss) to be used when hunting for device names, you can install FLOSS with the following commands:   \n```\npip install https://github.com/williballenthin/vivisect/zipball/master   \npip install https://github.com/fireeye/flare-floss/zipball/master\n```\nIf you want to use Angr to find IOCTL codes used in the dispatch function, the following links provide potential install instructions.   \n[http://angr.horse](http://angr.horse)   \n[https://github.com/andreafioraldi/angr-win64-wheels](https://github.com/andreafioraldi/angr-win64-wheels)   \n\n## Shortcuts\n\n*Ctrl+Alt+A* =\u003e Find potential device names    \n*Ctrl+Alt+S* =\u003e Find the dispatch function   \n*Ctrl+Alt+D* =\u003e Decode currently selected IOCTL code  \n*Ctrl+Alt+Z* =\u003e Dump pooltags \n\n## Usage\n\n### Finding device names\n\nUsing *Ctrl+Alt+A* it's possible to attempt to find the driver's registered device paths; for example, we get several potential paths when inspecting a random AVG driver:   \n![](/screenshots/find_device_random_avg_driver.PNG)   \nIf no paths can be found by looking at Unicode strings inside the binary then FLOSS will be used in an attempt to find obfuscated paths, for example when inspecting the infamous [capcom driver](http://www.theregister.co.uk/2016/09/23/capcom_street_fighter_v/):   \n![](/screenshots/find_device_name_capcom.PNG)   \n\n### Finding dispatch functions\n\nUsing *Ctrl+Alt+S* it's possible to attempt to find the currently inspected driver's dispatch function. This is quite hacky but seems to work most of the time - here's an example of this working on a random AVG driver:   \n![](/screenshots/find_dispatch_random_avg_driver.PNG)  \nTrying this on a different AVG driver leads to it failing completely, in this case because the driver's IOCTL handler is basically a stub which sends some requests to a different function before passing most of them to the actual IOCTL handler.    
\n![](/screenshots/find_dispatch_different_avg_driver_fail.PNG)   \n\n### Decoding IOCTL codes\n\nBy right-clicking on a potential IOCTL code a context menu option can be used to decode the value; alternatively *Ctrl+Alt+D* can be used.   \n![](/screenshots/decode_ioctl_capcom_decoded.PNG)   \nThis will print a table with all decoded IOCTL codes each time a new one is decoded:   \n![](/screenshots/decode_ioctl_summary_table.PNG)   \nBy right-clicking on a decoded IOCTL code it's possible to mark it as invalid:   \n![](/screenshots/decode_ioctl_mark_ioctl_invalid.png)   \nThis will leave any non-IOCTL-define-based comment contents intact.   \n![](/screenshots/decode_ioctl_mark_invalid_only_delete_define.PNG)   \nThe right-click menu also includes a 'display all defines' option which displays the CTL_CODE definitions for all IOCTL codes decoded in the current session:   \n![](/screenshots/decode_ioctl_display_all_defines.PNG)   \nIf you right-click on the first instruction of the function you believe to be the IOCTL dispatcher, a 'decode all' option appears, which attempts to decode all IOCTL codes it can find in the function. This is super hacky but can speed things up most of the time.   \n![](/screenshots/decode_all_ioctls_fail.PNG)   \nIf you want to do this in a smarter way and can get [Angr](http://angr.horse) installed successfully, the 'Decode IOCTLs using Angr' option shown below will use symbolic execution to attempt to recover all IOCTL codes. This will deal with jump tables, optimizations etc., whereas the dumb method is just looking for comparisons to constants. \n![](/screenshots/angr_decode_option.png)\n\n### Viewing IOCTL codes \n\nIf you've decoded one or more IOCTLs, a new option appears on the plugin's right-click context menu.\n\n![](/screenshots/view_all.png)\n\nThis will take you to a new tab which shows all the IOCTLs which have been found. 
\n\n![](/screenshots/define_tab.PNG)\n\nRight-clicking on any IOCTL opens up some more commands, such as copying them to the clipboard or attempting to load the driver and send them.\n\n![](/screenshots/define_tab_right_click.PNG)\n\n### Dumping pool tags \n\nUsing *Ctrl+Alt+Z* it's possible to dump the pooltags in use by the binary in a format which works with pooltags.txt. This means the output can be copy-pasted at the end of the file and then be picked up by windbg etc.\n![](/screenshots/dump_pool_tags.PNG)\n\n## Acknowledgements\n\nThe IOCTL code parsing functions are mostly based on Satoshi Tanda's https://github.com/tandasat/WinIoCtlDecoder/blob/master/plugins/WinIoCtlDecoder.py   \nThe original code for adding items to the right-click menu (and possibly some other random snippets) came from 'herrcore' https://gist.github.com/herrcore/b3143dde185cecda7c1dee7ffbce5d2c   \nThe logic for calling floss and the unicode string finding functions are taken from https://github.com/fireeye/flare-floss   \nThe driver type identification code logic is taken from NCC Group's DriverBuddy plugin https://github.com/nccgroup/DriverBuddy    \n\n## License\n\nThis code is released under a 3-clause BSD License. See the LICENSE file for full details.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FFSecureLABS%2Fwin_driver_plugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FFSecureLABS%2Fwin_driver_plugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FFSecureLABS%2Fwin_driver_plugin/lists"}