lkakforall.blogg.se

Windows kernel driver fuzzing tools

IOCTLbf is just a small tool (Proof of Concept) that can be used to search for vulnerabilities in Windows kernel drivers by performing two main tasks: scanning for valid IOCTL codes supported by drivers, and fuzzing the IOCTLs that were found (generation-based).

An advantage of this tool is that it does not rely on captured IOCTLs. Therefore, it is able to detect valid IOCTL codes supported by drivers that are not often, or even never, used by applications from user land, for example:
  • IOCTLs called in very specific conditions (not easy to discover and/or to reproduce).
  • IOCTLs used for debugging purposes that are sometimes left in drivers.

Note that this tool only performs generation-based fuzzing. Compared to mutation-based fuzzing (which consists in taking valid IOCTL buffers and adding anomalies), the code coverage is of course lower.

Note: for mutation-based IOCTL fuzzing, check out the great tool IOCTL fuzzer ( ), which hooks NtDeviceIoControlFile in order to take control of all IOCTL requests throughout the system.

Once scanning is done and valid IOCTLs have been found for a given driver, the user can choose one IOCTL in the list to begin the fuzzing process.

Options:
  -i IOCTL code used as reference for scanning (see also -u)
  -f Filter out IOCTLs with no buffer length restriction
  -e Display error codes during IOCTL codes scanning
  -q Quiet mode (do not display hexdumps when fuzzing)

Usage examples:

First of all, it is necessary to locate the target driver. A tool like DriverView ( ) can be used in order to easily spot non-Microsoft drivers (third-party drivers).

Scanning a given IOCTL codes range (filter enabled):
  > ioctlbf.EXE -d deviceName -i 00004000 -q

Scanning by Function code + Transfer type bruteforce from a given valid IOCTL:
  > ioctlbf.EXE -d deviceName -i 00004000 -u -q

More info about this tool and kernel exploitation at:

For French readers, an article was also written in MISC Magazine #62.

Kinda dirty code, but it worked for me to find several bugs in Windows drivers. This is a project from back in tha dayz, in 2011-2012.
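The scan in the examples above starts from a reference IOCTL code and varies its function and transfer-type fields, which only makes sense once the code's field layout is clear. As an added example that is not part of IOCTLbf, the following Python decodes and encodes IOCTL codes according to the documented CTL_CODE field layout and lists what a reviewer of a driver's dispatch routine would check for each code; the IoctlCode class and the describe() helper are names chosen for this example.

```python
# Added example, not IOCTLbf code: decode/encode Windows IOCTL codes using the
# field layout of the CTL_CODE macro, so a reference value such as the page's
# 0x00004000 can be read field by field.
#   bits 31..16 DeviceType | 15..14 RequiredAccess | 13..2 Function | 1..0 Method
from dataclasses import dataclass

METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

@dataclass(frozen=True)
class IoctlCode:
    device_type: int
    access: int
    function: int
    method: int

    @classmethod
    def decode(cls, code: int) -> "IoctlCode":
        if not 0 <= code <= 0xFFFFFFFF:
            raise ValueError("IOCTL code must be a 32-bit value")
        return cls(device_type=(code >> 16) & 0xFFFF, access=(code >> 14) & 0x3,
                   function=(code >> 2) & 0xFFF, method=code & 0x3)

    def encode(self) -> int:
        # Same arithmetic as CTL_CODE(); every field is range-checked first.
        if not (0 <= self.device_type <= 0xFFFF and 0 <= self.access <= 3
                and 0 <= self.function <= 0xFFF and 0 <= self.method <= 3):
            raise ValueError("IOCTL field out of range")
        return ((self.device_type << 16) | (self.access << 14)
                | (self.function << 2) | self.method)

    def review_notes(self) -> list:
        """What a reviewer of the driver's dispatch routine should check."""
        notes = []
        if self.method == 3:  # METHOD_NEITHER
            notes.append("I/O manager does not copy or validate the buffers; "
                         "the driver must probe and capture user pointers itself")
        if self.access == 0:  # FILE_ANY_ACCESS
            notes.append("no handle access-right check by the I/O manager")
        if self.function >= 0x800:
            notes.append("vendor-defined function number (below 0x800 is reserved)")
        return notes

def describe(code: int) -> str:
    c = IoctlCode.decode(code)
    return (f"0x{code:08X}: DeviceType=0x{c.device_type:04X} Function=0x{c.function:03X} "
            f"{METHOD_NAMES[c.method]} {ACCESS_NAMES[c.access]}")
```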