Driver Buddy Reloaded v2.0

@VoidSec VoidSec released this 22 Jun 12:22
· 33 commits to main since this release

Compatibility

  • IDA 7.6, 8.4, and 9.x all supported. New ida_compat.py centralizes every
    version-divergent API call. The WDF auto-analysis crash on IDA 9.0 (removed
    ida_struct / idc struct wrappers) is fixed. No other module branches on
    IDA_SDK_VERSION directly.
  • Python 3 throughout. All bytes/str mismatches and deprecated API calls
    (get_inf_structure, idc.SetType, idc.import_type, find_binary,
    idc.Dword) are replaced.
  • Ships with an ida-plugin.json manifest for the official Hex-Rays plugin
    repository.

New Analysis Features

Seven security heuristics (heuristics.py) — each emits a severity-rated finding:

  1. Copy-validation bypass — user-buffer copy sinks without a preceding
    ProbeForRead / ProbeForWrite
  2. Privilege gate — dangerous operations reachable without
    SePrivilegeCheck / PsIsProtectedProcess guards
  3. IRQL misuse — blocking calls (KeWaitForSingleObject,
    KeAcquireSpinLock, ...) at elevated IRQL
  4. MDL user memory — MmGetSystemAddressForMdlSafe /
    MmMapLockedPages without IoValidateMmapOffset guard
  5. Stack allocation — alloca / _alloca in a dispatch path
  6. Pool allocation trust — ExAllocatePool* result used without NULL
    check before dereference
  7. Physical memory reference — MmMapIoSpace / ZwMapViewOfSection
    direct physical mapping
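
As an added illustration of how two of these heuristics can be expressed outside IDA (this is example code, not the project's heuristics.py), the block below runs "copy sink without a preceding ProbeForRead / ProbeForWrite" (heuristic 1) and "ExAllocatePool* result dereferenced before a NULL check" (heuristic 6) over constructed decompiler-style pseudocode. The function names, the two sample routines, and the severity labels attached to each finding are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed pseudocode for two hypothetical dispatch routines (sample
# input written for this example, not output from any real driver).
SAMPLE_FUNCTIONS = {
    "DispatchDeviceControl": [
        "buf = Irp->AssociatedIrp.SystemBuffer;",
        "ctx = ExAllocatePoolWithTag(NonPagedPool, 0x40, 'gubD');",
        "ctx->Size = inlen;",                       # dereference before the check
        "if ( !ctx ) return STATUS_INSUFFICIENT_RESOURCES;",
        "RtlCopyMemory(ctx->Data, user_ptr, inlen);",  # copy sink, never probed
    ],
    "DispatchRead": [
        "ProbeForRead(user_ptr, inlen, 1);",
        "p = ExAllocatePoolWithTag(PagedPool, inlen, 'gubD');",
        "if ( p == NULL ) return STATUS_INSUFFICIENT_RESOURCES;",
        "memcpy(p, user_ptr, inlen);",
    ],
}

COPY_SINKS = ("RtlCopyMemory", "memcpy", "MmCopyMemory", "memmove")
PROBE_GUARDS = ("ProbeForRead", "ProbeForWrite")
POOL_ALLOC_RE = re.compile(r"^\s*(\w+)\s*=\s*ExAllocatePool\w*\(")


@dataclass
class Finding:
    function: str
    line_no: int       # 1-based line within the pseudocode listing
    heuristic: str
    severity: str      # assumed severity scale for this example
    detail: str


def check_copy_validation(name, lines):
    """Heuristic 1: flag a copy sink with no ProbeFor* call earlier in the routine."""
    findings = []
    for i, line in enumerate(lines):
        if not any(sink + "(" in line for sink in COPY_SINKS):
            continue
        probed = any(guard + "(" in prev for prev in lines[:i] for guard in PROBE_GUARDS)
        if not probed:
            findings.append(Finding(name, i + 1, "copy-validation-bypass", "HIGH", line.strip()))
    return findings


def _is_null_check(var, line):
    v = re.escape(var)
    return re.search(rf"if\s*\(\s*(!\s*{v}|{v}\s*(==|!=)\s*(NULL|0)|{v})\s*\)", line) is not None


def _dereferences(var, line):
    v = re.escape(var)
    return re.search(rf"(\b{v}\s*->|\*\s*{v}\b|\b{v}\s*\[)", line) is not None


def check_pool_null(name, lines):
    """Heuristic 6: flag an ExAllocatePool* result that is dereferenced before any NULL test."""
    findings = []
    for i, line in enumerate(lines):
        m = POOL_ALLOC_RE.match(line)
        if not m:
            continue
        var = m.group(1)
        for j in range(i + 1, len(lines)):
            if _is_null_check(var, lines[j]):
                break                      # guarded before first use: no finding
            if _dereferences(var, lines[j]):
                findings.append(Finding(name, j + 1, "pool-allocation-trust", "MEDIUM",
                                        f"{var} (allocated on line {i + 1}) dereferenced before NULL check"))
                break
    return findings


def run_heuristics(functions):
    findings = []
    for name, lines in functions.items():
        findings += check_copy_validation(name, lines)
        findings += check_pool_null(name, lines)
    return findings


if __name__ == "__main__":
    for f in run_heuristics(SAMPLE_FUNCTIONS):
        print(f"[{f.severity}] {f.function}:{f.line_no} {f.heuristic}: {f.detail}")
```

On the constructed input only DispatchDeviceControl produces findings (one per heuristic); DispatchRead probes before copying and tests the allocation before using it. A pass like this is ordering-based and flow-insensitive, so a probe that sits in an unrelated branch still counts as a guard, which is why the plugin pairs heuristic hits with call-chain tracing rather than treating either alone as conclusive.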

Call-chain tracer (callchain.py): BFS from each identified IOCTL handler
outward to dangerous sinks (RtlCopyMemory, memcpy, MmCopyMemory, ...).
Feeds into IOCTL risk scoring.

IOCTL risk scoring (scoring.py): every decoded IOCTL receives a numeric
score and a severity label (LOW / MEDIUM / HIGH / CRITICAL) based on
call-chain depth, dangerous sinks reached, and heuristic hits. CRITICAL
severity is bumped automatically when a sink is reachable with no validation.
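
To make the tracer-plus-scoring idea concrete, here is an added example (not the project's callchain.py or scoring.py) that runs a BFS over a constructed call graph from each IOCTL handler to the sinks named above and turns the result into a score and severity label. The call-graph entries, the point weights, the severity thresholds, and the rule "a chain is validated if the function that calls the sink can reach ProbeForRead / ProbeForWrite" are all assumptions chosen for this example; the automatic CRITICAL bump for an unvalidated sink follows the behaviour the notes describe.

```python
from collections import deque

# Constructed caller -> callees graph. Handler and helper names are
# hypothetical; the sink and validation routine names are real kernel APIs.
CALL_GRAPH = {
    "Ioctl_0x222000": ["ParseHeader", "CopyToUser"],
    "ParseHeader": ["RtlCopyMemory"],            # copy with no validation on the way
    "CopyToUser": ["ValidateBuffer", "memcpy"],   # copy guarded via ValidateBuffer
    "ValidateBuffer": ["ProbeForRead"],
    "Ioctl_0x222004": ["LogEvent"],
    "LogEvent": ["DbgPrint"],
    "Ioctl_0x222008": ["MmCopyMemory"],           # handler copies directly
}
DANGEROUS_SINKS = {"RtlCopyMemory", "memcpy", "MmCopyMemory"}
VALIDATION_CALLS = {"ProbeForRead", "ProbeForWrite"}


def trace_call_chains(graph, handler, sinks):
    """BFS outward from handler; returns {sink: shortest chain handler..sink}."""
    chains, parent, queue = {}, {handler: None}, deque([handler])
    while queue:
        fn = queue.popleft()
        for callee in graph.get(fn, []):
            if callee in parent:
                continue
            parent[callee] = fn
            if callee in sinks:
                chain = [callee]
                while parent[chain[-1]] is not None:
                    chain.append(parent[chain[-1]])
                chains[callee] = chain[::-1]
            queue.append(callee)
    return chains


def reachable(graph, fn):
    """Every function transitively callable from fn."""
    seen, stack = set(), [fn]
    while stack:
        for callee in graph.get(stack.pop(), []):
            if callee not in seen:
                seen.add(callee)
                stack.append(callee)
    return seen


def score_ioctl(graph, handler, heuristic_hits=0):
    """Assumed scoring model: +3 per sink, +1 if the handler calls it directly,
    +4 if the calling function never reaches a ProbeFor* routine, +2 per
    heuristic hit. Any unvalidated sink forces CRITICAL."""
    chains = trace_call_chains(graph, handler, DANGEROUS_SINKS)
    score, unvalidated = 0, []
    for sink, chain in chains.items():
        caller = chain[-2]                      # function that invokes the sink
        validated = bool(reachable(graph, caller) & VALIDATION_CALLS)
        score += 3
        if len(chain) == 2:
            score += 1                          # handler -> sink with no indirection
        if not validated:
            score += 4
            unvalidated.append(sink)
    score += 2 * heuristic_hits
    if score >= 10:
        severity = "CRITICAL"
    elif score >= 6:
        severity = "HIGH"
    elif score >= 1:
        severity = "MEDIUM"
    else:
        severity = "LOW"
    if unvalidated:
        severity = "CRITICAL"                   # bump: sink reachable with no validation
    return {"handler": handler, "score": score, "severity": severity,
            "chains": chains, "unvalidated": unvalidated}


if __name__ == "__main__":
    for h in ("Ioctl_0x222000", "Ioctl_0x222004", "Ioctl_0x222008"):
        r = score_ioctl(CALL_GRAPH, h)
        print(f"{h}: score={r['score']} severity={r['severity']} unvalidated={r['unvalidated']}")
```

Ioctl_0x222008 is the instructive case: on points alone it lands at HIGH, but because MmCopyMemory is reached with no validation in the calling function the label is raised to CRITICAL. The validated/unvalidated split is per call site on purpose, so one ProbeForRead elsewhere in the handler does not quietly bless every copy it performs.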

IRP_MJ_FUNCTION enum (irp_mj.py): auto-creates an IDA enum with all 28
IRP_MJ_* constants, then annotates every MajorFunction dispatch-table
assignment in DriverEntry:

  • Disassembly view: repeatable comment on each MOV
    (e.g. ; IRP_MJ_DEVICE_CONTROL)
  • Decompiler view: end-of-line comment (// IRP_MJ_CREATE) plus a
    HexRays user_numforms entry so the bracket renders as
    MajorFunction[IRP_MJ_CREATE] instead of MajorFunction[0]

Exports audit (exports_audit.py): flags exported symbols with zero
cross-references — a common indicator of an attack surface that automated
tools miss.

Auto dispatcher scan: after the IOCTL pattern search, the identified
DispatchDeviceControl EA is flow-chart-scanned (scan_dispatchers) to
pick up IOCTLs the text-pattern pass misses.

Dynamic NTSTATUS resolution: queries the live IDA type database for the
NTSTATUS enum instead of a static hardcoded list, giving accurate
false-positive filtering across SDK versions.

Output

Old releases wrote a single plain-text log to the current working directory.
v2.0 produces four timestamped files next to the IDB:

  File                          Contents
  <driver>-<ts>-findings.json   All findings, structured, machine-readable
  <driver>-<ts>-report.html     Severity-sorted HTML report
  <driver>-<ts>-ioctl_pocs.c    Ready-to-compile DeviceIoControl PoC harness,
                                one stub per IOCTL, CRITICAL entries first
  <driver>-<ts>-pooltags.txt    Pool tag report (new timestamped naming)

UI

  • IOCTL chooser window (Ctrl+Alt+I): severity-colored IDA chooser showing
    Severity / Address / Code / Device / Method / Access / Function columns.
    Double-click jumps to the dispatch EA. Reopenable at any time after analysis.
  • Findings window (Ctrl+Alt+W): clickable list of every finding.
    Also reopenable without re-running analysis.
  • Right-click menu in the disassembly view now includes Show all IOCTLs
    and Show Findings alongside the existing decode actions.
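
The Device / Method / Access / Function columns in the chooser are the four fields packed into a 32-bit control code by the CTL_CODE macro. As an added example (not the plugin's own decoder), the block below splits a code into those fields, names the method and access values, and rebuilds the code so the decoding can be round-tripped. The small device-type table and the "vendor range" flags (device types 0x8000 and above, function codes 0x800 and above are reserved for third-party drivers) are included so custom IOCTLs stand out; the sample codes are constructed.

```python
# Field layout of a CTL_CODE value:
#   bits 31..16 device type, bits 15..14 access, bits 13..2 function, bits 1..0 method
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}
# Subset of the well-known FILE_DEVICE_* values; anything else is shown numerically.
DEVICE_TYPES = {0x1: "FILE_DEVICE_BEEP", 0x2: "FILE_DEVICE_CD_ROM", 0x7: "FILE_DEVICE_DISK",
                0xB: "FILE_DEVICE_KEYBOARD", 0x12: "FILE_DEVICE_NETWORK", 0x22: "FILE_DEVICE_UNKNOWN"}


def decode_ioctl(code):
    """Split a control code into its CTL_CODE fields and name what can be named."""
    code &= 0xFFFFFFFF
    device = (code >> 16) & 0xFFFF
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    if device in DEVICE_TYPES:
        device_name = DEVICE_TYPES[device]
    elif device >= 0x8000:
        device_name = f"VENDOR_DEFINED(0x{device:04X})"
    else:
        device_name = f"FILE_DEVICE_0x{device:04X}"
    return {
        "code": f"0x{code:08X}",
        "device": device_name,
        "function": f"0x{function:03X}",
        "vendor_function": function >= 0x800,   # third-party function range
        "access": ACCESS[access],
        "method": METHODS[method],
        # METHOD_NEITHER hands the driver raw user pointers, so ProbeFor* checks
        # (heuristic 1) matter most for these codes.
        "user_pointers": method == 3,
    }


def ctl_code(device, function, method, access):
    """Rebuild a control code from its fields, mirroring the CTL_CODE macro."""
    return (((device & 0xFFFF) << 16) | ((access & 0x3) << 14)
            | ((function & 0xFFF) << 2) | (method & 0x3))


# Constructed sample codes for the example.
SAMPLE_CODES = [0x222000, 0x22A007, 0x80012003]

if __name__ == "__main__":
    for c in SAMPLE_CODES:
        row = decode_ioctl(c)
        print(f"{row['code']}  {row['device']:<28} {row['function']}  "
              f"{row['access']:<20} {row['method']}")
```

0x222000 decodes to FILE_DEVICE_UNKNOWN, function 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS, which is the classic shape of a first custom IOCTL; 0x22A007 is the same device with write access and METHOD_NEITHER, the combination where the user_pointers flag tells a reviewer to look hardest at buffer validation.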

Bug Fixes

  • Crash on WDF drivers in IDA 9.0 (structure API removal) — fixed
  • is_driver() false negatives and BADADDR printed as a dispatch address — fixed
  • IOCTL addresses not saved to the decoded log — fixed
  • Opcode scan incorrectly flagging data sections — fixed
  • device_name_finder bytes/str mismatch producing repeated spurious hits — fixed
  • Module-level mutable state causing cross-run contamination — eliminated via
    AnalysisContext
  • Output path defaulting to the IDA install directory instead of next to the
    IDB — fixed

Breaking Changes from 1.x

  • The plain-text auto-analysis log (*-DriverBuddyReloaded_autoanalysis.txt)
    is replaced by findings.json + report.html. Scripts that parsed the old
    format need updating.
  • Feature flags in config.py control which analysis stages run.
    SEGMENT_OPCODE_SCAN is False by default (it was unconditionally enabled
    before).