I'm writing this tool to learn C++ and get an initial assessment of drivers installed on a Windows system (e.g. master images developed by OEMs or enterprises). It's supposed to help with target selection, finding low-hanging fruit, and some assistance with deep-dive binary analysis. Currently unstable, undergoing active development.
- Listing of kernel-mode drivers that non-administrative users can interact with via DeviceIoControl.
  - This can be useful to narrow down on drivers that could potentially be used toward LPE.
- Retrieval of company names associated with drivers to determine ownership.
  - This can be useful in target selection to separate third-party drivers from Microsoft drivers.
- Resolution of the DispatchDeviceControl routine used to handle requests from DeviceIoControl.
  - This makes it easier to find the function in IDA (versus relying on heuristics in static analysis).
  - The function can be analyzed to enumerate IOCTL codes and perform attack surface analysis.
- Enumeration of the IOCTL codes supported by DispatchDeviceControl.
  - There might be an opportunity for symbolic execution like this, but I'm not sure how robust it would be.
- Enumeration of user-mode drivers that make calls to a given kernel-mode driver.
- CLI and GUI modes.
- Output formats: JSON, CSV, and human-readable text.
I've used a combination of DeviceTree, WinObjEx64, and WinDbg for these use cases. It's a tedious manual process that doesn't scale easily, so DIRT just attempts to make it more convenient.
This should compile with Visual Studio 2015 or greater.
- Enable debug mode with `bcdedit -debug on` in an administrative Command Prompt.
- Place `kldbgdrv.sys` (found with WinDbg) in the same directory as `DIRT.exe`.
- Run `DIRT.exe > output.txt` with administrative privileges.
- The `--lp-only` and `--no-msft` switches can be used to filter results.
Below is some sample output to know what to expect:
```
DIRT v0.1.0: Driver Initial Reconnaisance Tool (@Jackson_T)
Repository: https://github.com/jthuraisamy/DIRT
Compiled on: Aug 22 2018 00:01:04

INFO: Hiding Microsoft drivers (--no-msft).
INFO: Only showing drivers that low-privileged users can interface with (--lp-only).

Capcom: Capcom
  Path: C:\Windows\System32\Capcom.sys
  DispatchDeviceControl: 0xFFFFF8024C9A0590
  Devices: 1
  └── \Device\Htsysm72FB (open DACL, 1 symlinks)
      └── \\.\Global\Htsysm72FB

SmbDrvI: SmbDrvI (Synaptics Incorporated)
  Path: C:\WINDOWS\System32\drivers\Smb_driver_Intel.sys
  - Hooked by Wdf01000 (Microsoft Corporation)
  DispatchDeviceControl: 0xFFFFF808212C72B0
  Devices: 1
  └── \Device\SmbDriver (open DACL, 1 symlinks)
      └── \\.\Global\SmbDriver

nvlddmkm: nvlddmkm
  Path: C:\Windows\System32\DriverStore\FileRepository\nvlt.inf_amd64_ed3ba3fb30d4dd86\nvlddmkm.sys
  DispatchDeviceControl: 0xFFFFF80822D074D0
  Devices: 2
  ├── \Device\NvAdminDevice (open DACL, 1 symlinks)
  │   └── \\.\Global\NvAdminDevice
  └── \Device\UVMLiteController0x1 (open DACL, 1 symlinks)
      └── \\.\Global\UVMLiteController
```
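As an added example (not DIRT's own code), the C++ below parses the human-readable output above and keeps only the device objects a low-privileged user can actually reach, meaning an open DACL together with a `\\.\` symlink to open it by, which is the short list worth triaging first. The embedded input is a cut-down copy of that output plus one constructed driver, ExampleDrv, whose device lists no symlink.

```cpp
// Added example, not DIRT's own code: parse DIRT's text output and keep only user-reachable devices.
#include <sstream>
#include <string>
#include <vector>

// driver: owning driver; dispatch: its DispatchDeviceControl; name: \Device\ object; symlinks: its \\.\ aliases
struct Device { std::string driver, dispatch, name; bool openDacl = false; std::vector<std::string> symlinks; };
static bool startsWith(const std::string& s, const std::string& p) { return s.compare(0, p.size(), p) == 0; }

std::vector<Device> parseDirt(const std::string& text) {
    std::vector<Device> out;
    std::string driver, dispatch, line;
    std::istringstream in(text);
    while (std::getline(in, line)) {
        size_t b = line.find_first_not_of(" \t├│└─");              // skip indent and the UTF-8 tree glyphs
        if (b == std::string::npos) continue;                       // blank line
        std::string t = line.substr(b), head = t.substr(0, t.find(": "));
        if (line[0] != ' ' && startsWith(t.substr(head.size()), ": " + head)) {  // "Capcom: Capcom", "SmbDrvI: SmbDrvI (...)"
            driver = head; dispatch.clear();                        // new driver section; banner lines never match this
        } else if (startsWith(t, "DispatchDeviceControl: ")) dispatch = t.substr(23);
        else if (startsWith(t, "\\Device\\")) {                     // "\Device\X (open DACL, 1 symlinks)"
            Device d; d.driver = driver; d.dispatch = dispatch; d.name = t.substr(0, t.find(' '));
            d.openDacl = t.find("(open DACL") != std::string::npos;
            out.push_back(d);
        } else if (startsWith(t, "\\\\.\\") && !out.empty())       // a symlink line belongs to the device above it
            out.back().symlinks.push_back(t);
    }
    return out;
}

// Reachable from user mode only when the DACL is open AND a \\.\ symlink exists to open the device by.
std::vector<Device> lowPrivReachable(const std::vector<Device>& all) {
    std::vector<Device> r;
    for (const auto& d : all) if (d.openDacl && !d.symlinks.empty()) r.push_back(d);
    return r;
}

// Constructed sample: a cut-down copy of the output above plus a made-up driver (ExampleDrv) with no symlink.
const std::string kSample =
    "DIRT v0.1.0: Driver Initial Reconnaisance Tool (@Jackson_T)\nINFO: Hiding Microsoft drivers (--no-msft).\n\n"
    "Capcom: Capcom\n  DispatchDeviceControl: 0xFFFFF8024C9A0590\n  Devices: 1\n"
    "  └── \\Device\\Htsysm72FB (open DACL, 1 symlinks)\n"
    "      └── \\\\.\\Global\\Htsysm72FB\n\n"
    "nvlddmkm: nvlddmkm\n  DispatchDeviceControl: 0xFFFFF80822D074D0\n  Devices: 2\n"
    "  ├── \\Device\\NvAdminDevice (open DACL, 1 symlinks)\n"
    "  │   └── \\\\.\\Global\\NvAdminDevice\n"
    "  └── \\Device\\UVMLiteController0x1 (open DACL, 1 symlinks)\n"
    "      └── \\\\.\\Global\\UVMLiteController\n\n"
    "ExampleDrv: ExampleDrv\n  Devices: 1\n  └── \\Device\\ExampleNoLink (open DACL, 0 symlinks)\n";
```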
There is also a CSV output available using