Comments (7)
Thank you for the report. The checks implemented in:

DriverBuddyReloaded/DriverBuddyReloaded.py, line 218 in 1b7b104
DriverBuddyReloaded/DriverBuddyReloaded.py, line 263 in 1b7b104

are present in order to significantly lower the false positives; at the moment the script tries to decode IOCTLs only if an immediate value with at least 10 digits is found in a possible DispatchDeviceControl routine and the value does not belong to a known NTSTATUS.
While it's true that most of the IOCTL values I've encountered are in a format like 9C4060D4h = 2621464788 dec (10 digits), there are also valid IOCTL codes such as 0x222004h = 2236420 dec (7 digits).
Unfortunately, that's a silly problem, as I was not able to find any convention/definition on Windows that states what their minimum/maximum possible value is, nor their minimum number of digits. AFAIK even 0x1 will be a valid IOCTL and will be decoded successfully:
I can think of removing/limiting the safeguard to exclude improbable IOCTL codes (e.g. 1/2 digits only) in the next release, thus resulting in much higher false-positive rates.

I'm not sure 0 is a legal device number... I mean, generally you can probably do anything you want, but maybe you won't get as many 0s...
Looks like 0x10000 (== 65536) might be a good minimal value. Instead of the number of digits, you could check `0x10000 <= value`... Might be able to also limit the value from above. According to this: https://github.com/h0mbre/ioctl.py/blob/master/ioctl.py , the maximal device type is 0xf60 (though I don't know what that repo is based on).

Umh, as per Microsoft guidelines:
"DeviceType: Values of less than 0x8000 are reserved for Microsoft. Values of 0x8000 and higher can be used by vendors."
Unfortunately 0x10000 is a valid IOCTL and cannot be used to tell them apart:
I spoke with @hacksysteam as well as other kernel driver hackers and we didn't come up with any good way of finding IOCTL ranges; I'll keep trying and let you know the result :)

So maybe only check a minimal value, i.e. anything greater than 0x10000 is valid? Maybe we can also check that the Access and Method values give valid enum values (I didn't check their width), but I think just starting with `0x10000 <= value` is a good enough check for now (and an improvement to the current one).

At the moment it has been partially fixed in 96be3fa. It now includes all the IOCTL values with more than 2 digits. It will have a bit more false positives, but hopefully nothing that will break.

Why do you even need to calculate digits? Why not change the check to `if value >= 0x10000 and value not in NTSTATUS.ntstatus_values:`?

You're right. I've just realized that you were using the value of 0x10000 as anything below will result in 0 as a device number.
Theoretically, 0 is an unknown device, but I'll agree with you that using 0x10000 won't result in many false positives.
I'll make a new commit to reflect those changes.
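The thread above starts from a decimal digit-count heuristic, notes that both 9C4060D4h (10 digits) and 0x222004 (7 digits) are legitimate control codes, and settles on `value >= 0x10000 and value not in NTSTATUS.ntstatus_values`. The following is an added example and not DriverBuddyReloaded's own code: it decodes a 32-bit control code into the four CTL_CODE fields, contrasts the old digit-count check with the agreed threshold, and runs the filter over a constructed list of immediates such as might be pulled from a DispatchDeviceControl routine. The `KNOWN_NTSTATUS` set is a constructed subset standing in for the plugin's `NTSTATUS.ntstatus_values` table, `DEVICE_TYPE_NAMES` is a handful of entries from winioctl.h, and the function and constant names are this example's own. The one generalization beyond the thread is the comment in `decode_ioctl`: Access and Method are 2-bit fields, so every 32-bit value decodes to a defined enum member, which is why the Access/Method validation floated above cannot reject any candidate.

```python
"""Added example (not code from DriverBuddyReloaded): decode IOCTL control
codes and apply the candidate filter agreed in the thread above."""

from typing import Iterable, List, NamedTuple, Set

# CTL_CODE(DeviceType, Function, Method, Access) packs four fields:
#   bits 31..16  DeviceType (16 bits)
#   bits 15..14  Access     (2 bits)
#   bits 13..2   Function   (12 bits)
#   bits 1..0    Method     (2 bits)
MIN_CANDIDATE = 0x10000       # below this DeviceType is 0 (threshold agreed in the thread)
VENDOR_DEVICE_TYPE = 0x8000   # DeviceType >= 0x8000 is vendor-defined, lower is Microsoft's
VENDOR_FUNCTION = 0x800       # Function < 0x800 is reserved for Microsoft

METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}
# A handful of documented device types; the real winioctl.h list is much longer.
DEVICE_TYPE_NAMES = {0x07: "FILE_DEVICE_DISK", 0x0B: "FILE_DEVICE_KEYBOARD",
                     0x12: "FILE_DEVICE_NETWORK", 0x1B: "FILE_DEVICE_SERIAL_PORT",
                     0x22: "FILE_DEVICE_UNKNOWN"}
# Constructed subset standing in for the plugin's NTSTATUS.ntstatus_values table.
KNOWN_NTSTATUS: Set[int] = {
    0x00000000,  # STATUS_SUCCESS
    0xC000000D,  # STATUS_INVALID_PARAMETER
    0xC0000010,  # STATUS_INVALID_DEVICE_REQUEST
    0xC0000022,  # STATUS_ACCESS_DENIED
    0xC0000023,  # STATUS_BUFFER_TOO_SMALL
    0xC000009A,  # STATUS_INSUFFICIENT_RESOURCES
    0xC00000BB,  # STATUS_NOT_SUPPORTED
}


class Ioctl(NamedTuple):
    value: int
    device_type: int
    access: int
    function: int
    method: int

    def describe(self) -> str:
        """Human-readable breakdown in the spirit of the plugin's IOCTL table."""
        if self.device_type in DEVICE_TYPE_NAMES:
            dev = DEVICE_TYPE_NAMES[self.device_type]
        elif self.device_type >= VENDOR_DEVICE_TYPE:
            dev = "vendor-defined"
        else:
            dev = "Microsoft-reserved, not in table"
        fn = "vendor" if self.function >= VENDOR_FUNCTION else "Microsoft-reserved"
        return ("0x{:08X}: DeviceType=0x{:X} ({}), Function=0x{:X} ({}), {}, {}"
                .format(self.value, self.device_type, dev, self.function, fn,
                        METHOD_NAMES[self.method], ACCESS_NAMES[self.access]))


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Same packing as the CTL_CODE macro in winioctl.h."""
    if not (0 <= device_type <= 0xFFFF and 0 <= function <= 0xFFF
            and 0 <= method <= 3 and 0 <= access <= 3):
        raise ValueError("CTL_CODE field out of range")
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(value: int) -> Ioctl:
    """Split a 32-bit control code into its fields. Access and Method are
    2-bit fields, so every value yields a defined enum member and they
    cannot be used to reject candidates; only DeviceType/Function carry
    any signal."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("IOCTL codes are 32-bit")
    return Ioctl(value, (value >> 16) & 0xFFFF, (value >> 14) & 0x3,
                 (value >> 2) & 0xFFF, value & 0x3)


def has_min_digits(value: int, digits: int) -> bool:
    """The old heuristic: at least `digits` decimal digits. Rejects 0x222004."""
    return len(str(value)) >= digits


def is_ioctl_candidate(value: int, ntstatus_values: Set[int] = KNOWN_NTSTATUS) -> bool:
    """The check agreed in the thread: DeviceType must be non-zero and the
    immediate must not be a known NTSTATUS."""
    return value >= MIN_CANDIDATE and value not in ntstatus_values


def scan_immediates(immediates: Iterable[int]) -> List[Ioctl]:
    """Filter immediates found in a dispatch routine and decode the survivors."""
    return [decode_ioctl(v) for v in immediates if is_ioctl_candidate(v)]


# Constructed immediates, as they might be pulled from a DispatchDeviceControl
# routine: a small constant, two NTSTATUS values, the two codes from the first
# comment and the 0x10000 edge case.
SAMPLE_IMMEDIATES = [0x1, 0xC0000023, 0x222004, 0xC000000D, 0x9C4060D4, 0x10000]

if __name__ == "__main__":
    for code in scan_immediates(SAMPLE_IMMEDIATES):
        print(code.describe())
```

Run stand-alone it prints the three survivors: 0x222004 decodes to FILE_DEVICE_UNKNOWN, Function 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS; 0x9C4060D4 to a vendor-defined DeviceType 0x9C40 with FILE_READ_ACCESS; and 0x10000 to DeviceType 1 with everything else zero, which is exactly the case the thread could not tell apart from noise.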