# nccgroup/DriverBuddy

Repository: https://github.com/nccgroup/DriverBuddy
Description: DriverBuddy is an IDA Python script to assist with the reverse engineering of Windows kernel drivers.
Language: Python. License: MIT. Last pushed: 2020-01-08. Stars: 358, forks: 74, open issues: 4.
Release announcement: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/november/driverbuddy-tool-release/
Listed under: Windows drivers; tools for specific analysis targets; usage.

## Quickstart

### DriverBuddy Installation Instructions
1. Copy the DriverBuddy folder and the DriverBuddy.py file into the IDA plugins folder, `C:\Program Files (x86)\IDA 6.8\plugins` or wherever you installed IDA

### DriverBuddy Usage Instructions
1. Start IDA and open a Windows kernel driver
2. Go to Edit->Plugins and select Driver Buddy, or press ctrl-alt-d
3. Check the Output window for the DriverBuddy analysis results
4. To decode IOCTLs, highlight the suspected IOCTL and press ctrl-alt-i

## DriverBuddy

DriverBuddy is an IDAPython plugin that helps automate some of the tedium surrounding the reverse engineering of Windows kernel drivers. It has a number of handy features, such as:

* Identifying the type of driver
* Locating the DispatchDeviceControl and DispatchInternalDeviceControl functions
* Populating common structs for WDF and WDM drivers
    * Attempts to identify and label structs like the IRP and IO_STACK_LOCATION
    * Labels calls to WDF functions that would normally be unlabeled
* Finding known IOCTL codes and decoding them
* Flagging functions prone to misuse

### Finding DispatchDeviceControl

Being able to automatically locate and identify the DispatchDeviceControl function saves time during driver reverse engineering. This function routes every incoming DeviceIoControl code to the specific driver function associated with that code, so identifying it automatically makes finding the valid DeviceIoControl codes for each driver much quicker. Additionally, when investigating a possible vulnerability in a driver after a crash, knowing the location of this function helps narrow the focus to the specific function call associated with the crashing DeviceIoControl code.

### Labeling WDM Structs

Several driver structures are shared among all WDM drivers. Automatically identifying these structures, such as the IO_STACK_LOCATION, IRP and DeviceObject structures, saves time during the reverse engineering process. DriverBuddy attempts to locate and identify many of these structs.

### Labeling WDF Functions

As with WDM drivers, there are several functions and structures shared among all WDF drivers. Automatically identifying these functions and structures saves time during the reverse engineering process and provides context for unidentified areas of the driver where these functions are in use.

### Decoding DeviceIoControl Codes

While reversing drivers, it is common to come across IOCTL codes as part of the analysis. When decoded, these codes reveal useful information to reverse engineers and may draw focus to the specific parts of the driver where vulnerabilities are more likely to exist.

### Future things:

1. Add obref and deref checks of some sort to help find refcount issues
2. Polish output, gui?
3. Strengthen/polish current features
    - Improve reliability of the DispatchDeviceControl finder
    - Write short blurbs about why things are flagged
    - MSDN doc importer

Stretch Goals:
1. Find IOCTLs automatically
2. IRP taint analysis, i.e. follow aliasing of sysbuf/inbuf and size
3. Identify other common structures
4. Uninitialized variables, etc.

### Credits

* We are using Satoshi Tanda's IOCTL decoder, originally found at https://github.com/tandasat/WinIoCtlDecoder.
* The WDF functions struct is based on Red Plait's work (http://redplait.blogspot.ru/2012/12/wdffunctionsidc.html) and was ported to IDA Python by Nicolas Guigo, later updated by us.

### License

This software is released under the MIT License, see LICENSE.