{"id":21516417,"url":"https://github.com/voidsec/driverbuddyreloaded","last_synced_at":"2025-04-09T08:11:48.156Z","repository":{"id":37424066,"uuid":"420138711","full_name":"VoidSec/DriverBuddyReloaded","owner":"VoidSec","description":"Driver Buddy Reloaded is an IDA Pro Python plugin that helps automate some tedious Windows Kernel Drivers reverse engineering tasks","archived":false,"fork":false,"pushed_at":"2023-05-23T12:24:40.000Z","size":245,"stargazers_count":250,"open_issues_count":7,"forks_count":43,"subscribers_count":14,"default_branch":"main","last_synced_at":"2023-11-07T15:04:31.007Z","etag":null,"topics":["driver-exploitation","ida","ida-plugin","idapython","reverse-engineering","windows-driver","windows-kernel"],"latest_commit_sha":null,"homepage":"https://voidsec.com/driver-buddy-reloaded","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/VoidSec.png","metadata":{"files":{"readme":"README.MD","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-10-22T14:55:04.000Z","updated_at":"2023-11-05T14:57:43.000Z","dependencies_parsed_at":"2024-10-25T12:54:10.574Z","dependency_job_id":"3f97fcaf-e4c3-4cc6-88a1-9bf411d4305a","html_url":"https://github.com/VoidSec/DriverBuddyReloaded","commit_stats":null,"previous_names":[],"tags_count":7,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VoidSec%2FDriverBuddyReloaded","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VoidSec%2FDriverBuddyReloaded/tags","releases_url":"https://repos.ecosyste.ms/api/v1/h
osts/GitHub/repositories/VoidSec%2FDriverBuddyReloaded/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VoidSec%2FDriverBuddyReloaded/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/VoidSec","download_url":"https://codeload.github.com/VoidSec/DriverBuddyReloaded/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247999864,"owners_count":21031046,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["driver-exploitation","ida","ida-plugin","idapython","reverse-engineering","windows-driver","windows-kernel"],"created_at":"2024-11-24T00:20:55.925Z","updated_at":"2025-04-09T08:11:48.137Z","avatar_url":"https://github.com/VoidSec.png","language":"Python","readme":"# Driver Buddy Reloaded Quickstart\n\n## Table of Contents\n\n- [Driver Buddy Reloaded Quickstart](#driver-buddy-reloaded-quickstart)\n  - [Table of Contents](#table-of-contents)\n  - [Installation](#installation)\n  - [Quick Usage](#quick-usage)\n    - [Advanced Usage](#advanced-usage)\n  - [About Driver Buddy Reloaded](#about-driver-buddy-reloaded)\n    - [Finding DispatchDeviceControl](#finding-dispatchdevicecontrol)\n    - [Labelling WDM and WDF Structures](#labelling-wdm-and-wdf-structures)\n    - [Finding and Decoding IOCTL Codes](#finding-and-decoding-ioctl-codes)\n    - [Flagging Functions](#flagging-functions)\n    - [Finding DeviceName](#finding-devicename)\n    - [Dumping Pooltags](#dumping-pooltags)\n  - [Known Caveats and Limitations](#known-caveats-and-limitations)\n  - [Credits and 
Acknowledgements](#credits-and-acknowledgements)\n\n## Installation\n\nCopy the `DriverBuddyReloaded` folder and the `DriverBuddyReloaded.py` script file into the IDA plugins folder, for example:\n- `%APPDATA%\\Hex-Rays\\IDA Pro\\plugins\\`\n- `C:\\Program Files\\IDA Pro 7.6\\plugins\\`\n- `~/.idapro/plugins/`\n\nIf you use Python v. 3.x, run the `idapyswitch.exe` binary (located in IDA's folder) from an admin command prompt.\n\n**NOTE:** IDA SDK \u003e v.7.5 is required for this script to run.\n\n## Quick Usage\n\nTo use the auto-analysis feature:\n\n1. Start IDA and load a Windows kernel driver.\n2. Go to `Edit -\u003e Plugins -\u003e Driver Buddy Reloaded` or press `CTRL+ALT+A` to start the auto-analysis.\n3. Check the \"Output\" window for the analysis results.\n4. A `\u003cDRIVER_NAME\u003e.sys-YYYY-MM-DD-TIME_STAMP-DriverBuddyReloaded_autoanalysis.txt` file containing the analysis results\n   will be written under IDA's DB directory.\n\nTo decode an IOCTL:\n\n1. Place the mouse cursor on the line containing a suspected IOCTL code.\n2. Right-click and select `Driver Buddy Reloaded -\u003e Decode IOCTL`; alternatively, press the `CTRL+ALT+D` shortcut.\n\nTo decode ALL IOCTLs within a function:\n\n1. Place the mouse cursor on the first instruction of the function you believe to be the IOCTL dispatcher\n   (`DispatchDeviceControl`, `DispatchInternalDeviceControl`, `Possible_DispatchDeviceControl_#`).\n2. Right-click and select `Driver Buddy Reloaded -\u003e Decode ALL IOCTLs in Function`; alternatively, press the `CTRL+ALT+F`\n   shortcut.\n3. 
A `DriverName.sys-2021-12-10-TIME_STAMP-IOCTLs.txt`/`DriverName.sys-2021-12-10-TIME_STAMP-IOCTLs.txt_dumb.txt` file,\n   containing all the decoded IOCTLs up to that moment, will be written under IDA's DB directory.\n\n### Advanced Usage\n\n- The [vulnerable_function_lists](DriverBuddyReloaded/vulnerable_functions_lists) directory contains lists of potentially\n  dangerous/problematic functions, Windows APIs and opcodes; a brief description of why a specific function/API has been listed is\n  provided. You can edit the `custom` list to include driver-specific functions.\n  \n  **Note**: `winapi_function_prefixes` will partially match the start of a function name (e.g. `Zw` will match `ZwClose`, `ZwCommitComplete` and so on), while `winapi_functions` performs exact matches only.\n- In [find_opcodes.py](DriverBuddyReloaded/find_opcodes.py), the `find_opcode_data` option prevents Driver Buddy\n  Reloaded from finding opcodes in data sections. Switching it to `True` will print something along\n  this [line](https://github.com/VoidSec/DriverBuddyReloaded/issues/11):\n  `Found jnz     short loc_15862 in sub_15820 at 0x00015852`\n  Usually, going to the shown address and redefining the selection as code will bring the searched opcode back.\n  \n  **Watch out**: switching it to `True` will generate more false positives!\n\n## About Driver Buddy Reloaded\n\n**Driver Buddy Reloaded** is an IDA Pro Python plugin that helps automate some tedious Windows Kernel Drivers reverse\nengineering tasks. 
It has a number of handy features, such as:\n\n* Identifying the type of the driver\n* Locating `DispatchDeviceControl` / `DispatchInternalDeviceControl` functions\n* Populating common structures for `WDF` and `WDM` drivers\n    * Attempts to identify and label structures like the `IRP` and `IO_STACK_LOCATION`\n    * Labels calls to `WDF` functions that would normally be unlabeled\n* Finding and decoding IOCTL codes\n* Flagging functions prone to misuse\n* Finding potential `DeviceName`\n* Dumping `Pooltags`\n\n![](/screenshots/auto-analysis.png)\n\n### Finding DispatchDeviceControl\n\nThe tool can automatically locate and identify the `DispatchDeviceControl` routine. This function is used to route all\nincoming `DeviceIoControl` codes to the specific driver function associated with that code. Automatically identifying\nthis function makes finding the valid `DeviceIoControl` codes for each driver much quicker. Additionally, when\ninvestigating possible vulnerabilities in a driver due to a crash, knowing the location of this function helps narrow\nthe focus to the specific function call associated with the crashing `DeviceIoControl` code.\n\nWhen the analysis is successful, some subs will be renamed as follows:\n\n- `DriverEntry`: the first driver-supplied routine, called after the driver is loaded. It is responsible\n  for initializing the driver.\n- `Real_Driver_Entry`: usually the function to which execution is transferred from `DriverEntry`. 
It is\n  usually where the `DeviceName` is initialized.\n- `DispatchDeviceControl`/`DispatchInternalDeviceControl`: if the tool was able to recover the functions at their\n  specific offsets, they are renamed with the appropriate name.\n- `Possible_DispatchDeviceControl_#`: if the tool was not able to recover `DispatchDeviceControl`\n  or `DispatchInternalDeviceControl`, it employs an experimental search that follows the execution flow and checks\n  for cases where a function loads known `IO_STACK_LOCATION` \u0026 `IRP` addresses, indicating that the function\n  could be `DispatchDeviceControl`. As it is based on heuristics, it could return more than one result, and it is prone\n  to false positives.\n\n![](/screenshots/finding-dispatchdevicecontrol.png)\n\n### Labelling WDM and WDF Structures\n\nSeveral driver structures are shared among all `WDM`/`WDF` drivers. The tool is able to automatically identify these\nstructures, such as the `IO_STACK_LOCATION`, `IRP`, and `DeviceObject` structures; this saves time during the\nreverse engineering process and provides context to the areas of the driver where these structures are in use.\n\n![](/screenshots/WDM-structures.png)\n\n### Finding and Decoding IOCTL Codes\n\nWhile reversing drivers, it is common to come across IOCTL codes as part of the analysis. These codes, when decoded,\nreveal useful information and may draw focus to specific parts of the driver where vulnerabilities are more likely to\nexist.\n\nBy right-clicking on a potential IOCTL code, a context menu option is presented (alternatively, use the\n`Ctrl+Alt+D` shortcut when the cursor is on the line containing a suspected IOCTL code) that can be used to decode the\nvalue. This will print out a table with all decoded IOCTL codes. 
By right-clicking on a decoded IOCTL code in the\ndisassembly view, it's possible to mark it as invalid; this will leave any non-IOCTL comment intact.\n\nIf you right-click on the first instruction of the function you believe to be the IOCTL dispatcher\n(`DispatchDeviceControl`, `DispatchInternalDeviceControl`, `Possible_DispatchDeviceControl_#`), a “**Decode All**” option\nappears under the Driver Buddy Reloaded menu (alternatively, use the `Ctrl+Alt+F` shortcut); this attempts to decode all\nthe IOCTL codes it can find in the function. This is a bit hacky, but most of the time it can speed things up.\n\n- A `DriverName.sys-2021-12-10-TIME_STAMP-IOCTLs.txt`/`DriverName.sys-2021-12-10-TIME_STAMP-IOCTLs.txt_dumb.txt` file,\n  containing all the decoded IOCTLs up to that moment, will be written under IDA's DB directory.\n\n![](/screenshots/IOCTL-table.png)\n![](/screenshots/decode-IOCTL.png)\n\n### Flagging Functions\n\nDriver Buddy Reloaded has lists of C/C++ functions, opcodes and Windows APIs (defined in\nthe [vulnerable_function_lists](DriverBuddyReloaded/vulnerable_functions_lists) directory) that are commonly vulnerable\nor that can facilitate buffer overflow conditions. All found instances are reported back during the auto-analysis and\ncan help while looking for possible user-controlled code paths reaching sensitive functions.\n\n![](/screenshots/flagging-functions.png)\n\n### Finding DeviceName\n\nThe tool automatically attempts to find the driver's registered device paths (`DeviceName`). If no paths can be found by\nlooking at Unicode strings inside the binary, the analyst can manually try\nMandiant’s [FLOSS](https://github.com/mandiant/flare-floss/) in an attempt to find obfuscated paths.\n\n![](/screenshots/devicename.png)\n\n### Dumping Pooltags\n\nDuring the auto-analysis, the tool also dumps the `Pooltags` used by the binary in a format that works\nwith `pooltags.txt`. 
The output can then be copy-pasted at the end of the file and later picked up by WinDbg.\n\n- A `DriverName.sys-2021-12-10-TIME_STAMP-pooltags.txt` file, containing all the dumped Pooltags, will be written under\n  IDA's DB directory.\n\n![](/screenshots/pooltag.png)\n\n## Known Caveats and Limitations\n\n- Only IOCTL values \u003e= `0x10000` will be automatically decoded, to prevent a high number of false positives. [Issue #15](https://github.com/VoidSec/DriverBuddyReloaded/issues/15)\n- Experimental `DispatchDeviceControl` searching works only for x64 drivers\n- Shortcuts are incompatible with F-Secure's [win_driver_plugin](https://github.com/FSecureLABS/win_driver_plugin)\n- Shortcuts are incompatible with [findcrypt-yara](https://github.com/polymorf/findcrypt-yara)\n- In [find_opcodes.py](DriverBuddyReloaded/find_opcodes.py), the `find_opcode_data` option prevents Driver Buddy\n  Reloaded from finding opcodes in data sections. Switching it to `True` will print something along\n  this [line](https://github.com/VoidSec/DriverBuddyReloaded/issues/11):\n  `Found jnz     short loc_15862 in sub_15820 at 0x00015852`\n  Usually, going to the shown address and redefining the selection as code will bring the searched opcode back.\n  **Watch out**: it is prone to false positives!\n\n## Credits and Acknowledgements\n\n- Created in 2021 by [Paolo Stagno](https://voidsec.com/) aka [@Void_Sec](https://twitter.com/Void_Sec):\n    - Made it compatible with Python 3.x\n    - Made it compatible with IDA 7.x\n    - Updated C/C++ function and Windows APIs list\n    - Various bug fixes\n    - Various improvements\n    - Integrated part of the functionality present in F-Secure's win_driver_plugin\n- [DriverBuddy](https://github.com/nccgroup/DriverBuddy) was originally written by Braden Hollembaek and Adam Pond of\n  NCC Group.\n- Using Satoshi Tanda's [IOCTL decoder](https://github.com/tandasat/WinIoCtlDecoder).\n- The WDF functions struct is based on [Red Plait's 
work](http://redplait.blogspot.ru/2012/12/wdffunctionsidc.html) and\n  was ported to IDA Python by Nicolas Guigo, later updated by Braden Hollembaek and Adam Pond.\n- Using Sam Brown's F-Secure [win_driver_plugin](https://github.com/FSecureLABS/win_driver_plugin) to retrieve device\n  name and pool tags, specifically Alexander Pick's [fork](https://github.com/alexander-pick/win_driver_plugin).\n- The original code for adding items to the right-click menu (and possibly some other random snippets) came\n  from '[herrcore](https://gist.github.com/herrcore/b3143dde185cecda7c1dee7ffbce5d2c)'.\n- Proudly developed using **PyCharm** for [Open Source development](https://www.jetbrains.com/community/opensource/#support) by JetBrains\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvoidsec%2Fdriverbuddyreloaded","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvoidsec%2Fdriverbuddyreloaded","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvoidsec%2Fdriverbuddyreloaded/lists"}