
View Full Version : Driver reversing and defeating (WDM, not VXD)


dELTA
August 30th, 2003, 19:34
As mentioned recently in several other threads on this board, device drivers like this really seem to be quickly becoming very popular in protections, and give lots of people around here major trouble. I.e., a new interesting field of protections that needs to be explored and conquered. Seems like we will need to breed some new talents who will be to driver reversing what Splaj and the gang was/is to unpacking...

How about some more serious driver protection technique projects, e.g. in the Mini Project forum? Do we have any people who are driver knowledgeable enough and willing to submit crackmes and similar teaching material to get such a thing started? Kayaker? ZaiRoN? Anyone? What do you all think of this?


Just a thought anyway, but it seems to become more and more clear what the future of advanced protections is going to be...


dELTA

sope
August 31st, 2003, 03:11
Hello Everybody

Four-F's tuts on how to write device drivers are *worth* reading. Here's the link
http://www.masmforum.com/website/tutorials/kmdtute/index.html
for those who don't know. After reading & understanding, I guess we know how a driver is loaded, its working & how to set a breakpoint on a driver-called proc. In short it's excellent stuff for reading & understanding about drivers.

Regards, Sope.

dELTA
September 1st, 2003, 06:14
Seems like a very good start, thanks for the link sope!

Now go read them, all of you.


dELTA

hobferret
September 1st, 2003, 14:53
Very interesting stuff

It will take a while to read, study and inwardly digest

I am sure we will get to grips with it sooner rather than later

Great link sope, thanks for that!

/hobferret

JMI
September 1st, 2003, 15:50
Seems to be down at the moment. Hope they're back up soon.

Regards,

dELTA
September 1st, 2003, 16:28
Fear not, here they are.

dELTA
September 2nd, 2003, 06:54
Kayaker just posted a nice example project (including source) in this thread (http://www.woodmann.net/forum/showthread.php?s=&threadid=4991). It deals with Windows 2k/XP services and kernel mode drivers (that is, WDM drivers, contrary to the older VXD drivers that at least a few more people are knowledgeable about, but which are practically dead today).

An unpublished driver tutorial by Clandestiny is also included in that thread. So what are you waiting for, go get it (http://www.woodmann.net/forum/showthread.php?s=&threadid=4991)!


It would be good to initially use this thread (i.e. the one I'm writing in right now) as the center of all ideas, questions, projects and such regarding driver reversing and programming, so that it would be easy to follow for everyone interested. As mentioned in my original post in this thread, driver reversing is becoming more and more essential in today's protections, so it should be quite interesting for many serious reversers. Let's try to make this a fun and educational project!


dELTA

squidge
September 2nd, 2003, 08:37
Well, I'm certainly interested as I want to write my own driver-based memory dumper

doug
September 2nd, 2003, 18:54
I'd like to point out the following link:

hxxp://www.orgon.com/w2k_internals/cd.html

It contains various utils and source code related to Windows Internals.. such as:
- SC Manager functions, listing services, etc.
- a hooking device driver that allows to spy on kernel APIs.
- debugging interface: pdb, psapi, imghlp stuff
- a memory spy device, to read from any address you like.
[...]

It comes with a book, but the utils are available for download from the website. Some utils (those using undocumented functions) might not work "out of the box", but with a few fixes, they work again.

It is interesting because:
- Source code is included
- Includes a driver skeleton for ms vc++
- It contains both kernel and user mode software.
- They are tools mainly aimed at reverse-engineering.

An excellent learning utility.

dELTA
September 2nd, 2003, 19:29
I might very well just be blind, but where did you find the source code on that page? I can only find the binaries in downloadable form, and then some text saying that the source is available on the actual CD?

Seems like very interesting stuff though, especially the API-spying/hooking part, and some of the other things too, so it would be very nice indeed to have the source for it.

doug
September 2nd, 2003, 19:39
oh, my bad.. I did not actually test the thing..
I own the book.. and it ships with source on the CD..

I assumed it was the same deal on the website.

Besides its usefulness, I guess it can be used as a RE target =D

nino
September 4th, 2003, 14:23
well doug
don't you feel committed to up the CD to the ftp site?
(You gave the link after all)

Kayaker
September 4th, 2003, 16:03
We'll take that last comment as a joke, better to reverse the exes, learn more, steal less

[yAtEs]
September 5th, 2003, 08:54
perhaps a new forum section on the subject of system coding etc
would be greatly welcomed by some :-)

I'm soon to publish some of my own stuff and beginner templates
on my site in the forthcoming weekend,

regards,
yates.

dELTA
September 5th, 2003, 09:02
The "Advanced reversing and programming" forum is meant for such things, but if this subject grows big we can eventually give it a forum of its own, sure. A thread like this in the mini-project forum is a good way to organize a smaller subject until it grows into its own forum though.

Sounds great with your upcoming publications, looking forward to them! Please announce in this thread when they are released.


dELTA

[yAtEs]
September 14th, 2003, 01:12
okey dokey,
updated* http://www.yates2k.net/syscode.htm

yates.

dELTA
September 14th, 2003, 11:59
Looks very nice and useful, thanks yAtEs!


dELTA

dELTA
September 14th, 2003, 12:03
Also make sure to check out these great resources (http://www.woodmann.net/forum/showthread.php?s=&threadid=5005), just contributed by Kayaker!


dELTA

dELTA
September 21st, 2003, 07:56
yAtEs just added another really cool creation to his syscode page (http://www.yates2k.net/syscode.htm). You can read more about it here (http://www.woodmann.net/forum/showthread.php?s=&threadid=5022).

Enjoy!


dELTA

dELTA
September 25th, 2003, 06:10
More good resources from Kayaker, check 'em out here (http://www.woodmann.net/forum/showthread.php?s=&threadid=5030).


dELTA

LiSa
October 13th, 2003, 03:45
hello reversers,
debugging and live dumping wdm drivers is very difficult, especially
when they handle int3 and int1 and use DRx to store values and
install bpm themselves to redirect control flow.
Attempts to emulate drx or hardware bpm in softice often mess with the
stack and tend to reboot the computer.
One way to study these malicious drivers safely is maybe to convert them to
win32 dos real mode programs and use our old debugging and tunneling tools.
What is your opinion about that?
LiSa

[yAtEs]
January 8th, 2004, 18:14
Quote:
[Originally Posted by LiSa]hello reversers,
debugging and live dumping wdm drivers is very difficult, especially
when they handle int3 and int1 and use DRx to store values and
install bpm themselves to redirect control flow.
Attempts to emulate drx or hardware bpm in softice often mess with the
stack and tend to reboot the computer.
One way to study these malicious drivers safely is maybe to convert them to
win32 dos real mode programs and use our old debugging and tunneling tools.
What is your opinion about that?
LiSa


perhaps you would like to expand on this a bit, have you ever done
this and what are the limits?

evaluator
January 9th, 2004, 06:25
well, guys, I'm watching this topic & mostly the TITLE is wrong!?

So this is not about reversing but about learning - how-to code driver.
Okey?
Very good thing.

Now I "remember" that I wrote a tracer code snippet,
which traces all-1 R3 protectors.

Terrible history:
1. Firstly I coded my tracer in HIEW - on BEEP.SYS ~:0
each time I reassembled jumps, calls..poor I ~

2. Then I decided to download MASM, compile the code as a DLL and again inject it in BEEP.SYS
(good, no more reassembling~

3. In the last days I found in sources that MASM can do the command /DRIVER ~:0
so I did some experiments, look in the Hello.sys source,
created custom NTOSKRNL.INC & LIB with the few functions needed.
So my driver loads on XP.

**

Ok, today I downloaded "basic.rar" from yates & found iNTOSKRNL.LIB inside;
I became happy, but soon less happy,
because there is no NTOSKRNL.INC, & l2INC.EXE can't create an INC from it.
Suggestions? ok it's not so important, just luxury.


Well, if you like, we can together help me() to write a driver better,
because I'm a mega-lazy guy..so?

sope
January 9th, 2004, 07:56
Greetings evaluator,

Can this help you? D/l Four-F's kmdkit1.4, it has ntoskrnl.inc + many more inc's to get started. Here's the url hxxp://wasm.ru/tools/11/kmdkit14.zip OR I understood wrongly, as usual.

Regards, Sope.

[yAtEs]
January 9th, 2004, 09:47
Quote:
[Originally Posted by evaluator]
Well, if you like, we can together help me() to write a driver better,
because I'm a mega-lazy guy..so?


it would be simpler if you just copy
http://www.yates2k.net/syscode/ring0.asm

into the same folder as the syskit1, then all you need do is
hit compile. It couldn't be simpler, then just alter ring0.asm
to add your code in.

yates.

dELTA
January 9th, 2004, 10:01
Quote:
So this is not about reversing but about learning - how-to code driver. Okey? Very good thing.


Like with most cracking, it is best done when you are well acquainted with the underlying technology, so yes, very good thing.

And thanks as always [yAtEs] (and everyone else) for your great contributions!

evaluator
January 9th, 2004, 11:44
woah!

very enjoyed, when in KmdKit I found NTOSKRNL, NTDLL & other INCs.
thanksus!

now I'm rearranging to invoke.

LiSa
January 9th, 2004, 17:34
Quote:
[Originally Posted by '[yAtEs]']perhaps you would like to expand on this a bit, have you ever done
this and what are the limits?

hello Yates,

What I do with these fucking drivers is cutting the service dispatcher code (often obfuscated) and
then pasting it into a masm dos program which first feeds a fake IRP structure and then
calls the pasted dispatcher with all services and buffers I previously found
using my deviceiocontrol hook.
Doing this, I collect a table of service code - jmp code or call.
After that I cut the code I want to explore in the driver and run it in dos controlled conditions.
What I mean is that I scan first for macros (Mow's), sidt, dr0 and cr0 instructions,
if needed I emulate or use a buffer as fake idt or variable and change code freely in my new test program
(e.g. an sidt sequence by a mov reg,my_fake_idt). Then I watch what's happening.
If an exception occurs in code it is caught by softice and I will insert in my dos prg a jmp to the new handler.
Doing this is like building an unpacker, as I think others do.

This technique is long but was very helpful for me to investigate a t*k*.sys 70060 service code.
Finally cutting-pasting-running-nopping-emulating three "layers" led me
to the final decrypting routine which is protected by int1 and int3 handler hooking
and bpm redirection for code flow.
if debugged it reboots with keyboard or other, and also checks the rtc CMOS clock to eventually fuck off
the decryption key.
DOS 32 was useful because you can use in al, dl and out functions easily, even reboot
and test malicious code without waiting hours until scandisk finishes its job.
One year ago, I even used old Tron on a dos 32 program I wrote with pieces of win32 virii to have access
to decrypted very interesting layers.

I hope this clarifies a bit what I am doing

Regards
LiSa
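
The harness LiSa describes in both posts (a cut-out IOCTL dispatcher driven with a fake IRP for each service code seen by the DeviceIoControl hook, to build the code table), as an added example that is not part of the thread or of anyone's posted code. The structs are a reduced model of the WDM IRP / IO_STACK_LOCATION layout with only the fields such a dispatcher reads, the dispatcher itself is a constructed stand-in for code pasted out of a driver, and the IOCTL values are made up.

```c
/* Added example, not from the thread: a user-mode harness in the spirit of LiSa's
 * approach. Structs model only the IRP fields a DeviceIoControl dispatcher touches. */
#include <stdint.h>
#include <string.h>
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_INVALID_DEVICE_REQUEST ((NTSTATUS)0xC0000010)
#define IRP_MJ_DEVICE_CONTROL 0x0e
/* CTL_CODE as the DDK lays it out (device type, function, method, access); cast added */
#define CTL_CODE(dev, fn, meth, acc) (((uint32_t)(dev) << 16) | ((acc) << 14) | ((fn) << 2) | (meth))
typedef struct {                                /* model of IO_STACK_LOCATION */
    uint8_t MajorFunction;
    struct { uint32_t OutputBufferLength, InputBufferLength, IoControlCode; } DeviceIoControl;
} IO_STACK_LOCATION;
typedef struct {                                /* model of IRP */
    struct { NTSTATUS Status; uintptr_t Information; } IoStatus;
    void *SystemBuffer;                         /* AssociatedIrp.SystemBuffer (METHOD_BUFFERED) */
    IO_STACK_LOCATION *CurrentStackLocation;    /* Tail.Overlay.CurrentStackLocation */
} IRP;
/* Constructed stand-in for the dispatcher cut out of the driver: one IOCTL hands
 * back a 4-byte "key" in the system buffer, one only acknowledges, the rest fail. */
#define IOCTL_GET_KEY CTL_CODE(0x8000, 0x801, 0, 0)  /* 0x80002004 */
#define IOCTL_PING    CTL_CODE(0x8000, 0x802, 0, 0)  /* 0x80002008 */
static NTSTATUS DispatchDeviceControl(IRP *Irp)
{
    IO_STACK_LOCATION *sl = Irp->CurrentStackLocation;
    NTSTATUS st = STATUS_INVALID_DEVICE_REQUEST;
    Irp->IoStatus.Information = 0;
    if (sl->MajorFunction != IRP_MJ_DEVICE_CONTROL) return Irp->IoStatus.Status = st;
    switch (sl->DeviceIoControl.IoControlCode) {
    case IOCTL_GET_KEY:
        if (sl->DeviceIoControl.OutputBufferLength < 4) break;
        memcpy(Irp->SystemBuffer, "\x11\x22\x33\x44", 4);
        Irp->IoStatus.Information = 4;              /* fall through */
    case IOCTL_PING: st = STATUS_SUCCESS;
    }
    return Irp->IoStatus.Status = st;
}
/* Harness: feed the dispatcher one fake IRP per code seen by the hook and keep
 * the codes it accepts (LiSa's "table"). Returns how many were accepted. */
int probe_ioctls(const uint32_t *codes, size_t n, uint32_t *accepted)
{
    uint8_t buf[64] = {0}; int found = 0;       /* buf stands in for the system buffer */
    for (size_t i = 0; i < n; i++) {
        IO_STACK_LOCATION sl = { IRP_MJ_DEVICE_CONTROL, { sizeof buf, 0, codes[i] } };
        IRP irp = { { 0, 0 }, buf, &sl };
        if (DispatchDeviceControl(&irp) == STATUS_SUCCESS) accepted[found++] = codes[i];
    }
    return found;
}
```

Against a real dispatcher the same loop runs unchanged; only the struct models grow to cover whichever IRP fields the pasted code reads.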

dELTA
January 9th, 2004, 18:36
Hehe, now that's cool. It's just great having guys like you all hanging around here.