Alternatives to BoundsChecker Driver Edition


alexanderlukas
November 14th, 2006, 05:01
Hi all,

For quite a while I've been looking for an alternative to BoundsChecker Driver Edition (included in DriverStudio, together with SoftICE). It doesn't matter if the alternative is free or not (will buy it if it is not free). To be more precise, what I'm looking for is a tool that works like strace but for inside kernel mode in Windows (must work on XP and/or 2003). It should log all calls (with parameters) that a driver makes to subroutines in the kernel. And there is no possibility to recompile the driver in question.

Thanks beforehand if you help me solve this!

blabberer
November 14th, 2006, 05:43
Have you checked formerly BindView's, now Symantec's, strace for Windows?

Does it suit your needs?

I've once or twice used it in its original (ex-Razor) version.

I've heard the latest versions are able to monitor API in ntoskrnl and hal.

alexanderlukas
November 14th, 2006, 06:42
Yes I have, but it doesn't seem to suit my needs.

I checked their web site once again just a few minutes ago but from what I can tell their tool can only monitor the Nt* calls from user mode to kernel mode against ntoskrnl. What I need is something to monitor all calls to all exported subroutines (not only the Nt* / Zw* ones) in ntoskrnl.

autarky
November 14th, 2006, 09:40
Edit: ignoring my wibbling on general kernel API hooking, this link *may* be of some use for hooking specific drivers. I haven't tried it, though I downloaded it a while ago. It's been built for Win2k, though I don't see why it shouldn't work with XP/2k3.

http://www.codeproject.com/system/kernelspying.asp

alexanderlukas
November 20th, 2006, 02:21
Thank you for the tip! Now I have downloaded and tested it a bit. Unfortunately it has crashed the three computers I have tested it on (two WinXP and one Win2k). I've never got it working. Depending on which driver I try to spy on the computers either just instantly reboot or I get a bluescreen. So it seems like I have to look for another tool to do what I want.

LLXX
November 20th, 2006, 02:52
Do you see something amiss?

Kernel-level hooking on a site that deals mainly with applications coding?

I'd look somewhere else if I were you...

autarky
November 20th, 2006, 07:18
Quote (originally posted by alexanderlukas):
Depending on which driver I try to spy on the computers either just instantly reboot or I get a bluescreen.


That's probably a per-system registry setting; it determines whether the system displays a bluescreen on a bugcheck, or just reboots. I *think* XP is defaulted to just reboot.

Depending on whether the driver is loaded before you want to spy on it, you may be able to write a driver that can set up the IAT patching when the driver you wish to spy on is loaded (there are a couple of ways to do this). If it's already loaded, then that may involve all kinds of nasty problems. You may want to ask at rootkit.com.

blabberer
November 20th, 2006, 10:20
I tried it long ago on a real W2K machine and it worked then. I have also used his other applications like irqs.exe, which shows how to get into r0 from r3 without a driver; they too worked well, and it works well in XP SP2 too (I've heard they don't work in VMs but I haven't checked them in VMs).

Now, after your comment that it crashed, I tried it again in WinXP SP2 (real machine, not VM) and it works; I tried spying on cdrom.sys as well as beep.sys.

I used Four-F's KmdKit Kmd-Manager to load spydriver.sys and told the GUI to start; I get a nice spylog.txt in the same folder.

OK, I have some spurious drivers; I asked it to spy on one of those and boom, it crashes.

What's the cause?
Because the spurious driver in question has exclusive access to the file,
CreateFile() fails with (ACCESS_SHARING_VIOLATION); there is no error checking, so CreateFileMapping fails and an access violation happens when it tries to access image->dosheader: lea eax,[eax+0x3c]

But this doesn't BSOD either; it gets trapped by AeDebugger, or by WER if AeDebugger didn't exist.

@LLXX
Looks almost always never matter unless you are in the fashion industry; if you do a good search of that site you do fetch some gems that you wouldn't get elsewhere.
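As an added illustration of the missing check described in the post above (this is not code from the thread or from the spy tool), the following validates a mapped image before reading the DOS header's e_lfanew field at offset 0x3c. It assumes a plain C environment; a NULL pointer stands in for the failed CreateFile/CreateFileMapping result, and the sample bytes are constructed, not taken from a real driver.

```c
#include <stdint.h>
#include <string.h>

enum pe_status {            /* result of validating a mapped image */
    PE_OK = 0,
    PE_ERR_NULL_MAP,        /* CreateFile/CreateFileMapping failed: nothing mapped */
    PE_ERR_TOO_SMALL,       /* mapping shorter than the DOS header */
    PE_ERR_BAD_MZ,          /* no "MZ" signature */
    PE_ERR_LFANEW_RANGE,    /* e_lfanew points outside the mapping */
    PE_ERR_BAD_PE           /* no "PE\0\0" signature at e_lfanew */
};

#define DOS_HEADER_SIZE 0x40u /* IMAGE_DOS_HEADER is 64 bytes */
#define E_LFANEW_OFFSET 0x3cu /* the [eax+0x3c] field from the crash */
#define PE_SIG_SIZE     4u

/* Locate the PE signature without dereferencing anything unchecked.
 * img == NULL models the failed mapping the spy tool never tested for. */
enum pe_status pe_header_offset(const uint8_t *img, size_t len, uint32_t *out)
{
    uint32_t lfanew;
    if (img == NULL)
        return PE_ERR_NULL_MAP;
    if (len < DOS_HEADER_SIZE)
        return PE_ERR_TOO_SMALL;
    if (img[0] != 'M' || img[1] != 'Z')
        return PE_ERR_BAD_MZ;
    /* e_lfanew is stored little-endian; assemble it byte by byte */
    lfanew = (uint32_t)img[E_LFANEW_OFFSET] | (uint32_t)img[E_LFANEW_OFFSET + 1] << 8 |
             (uint32_t)img[E_LFANEW_OFFSET + 2] << 16 | (uint32_t)img[E_LFANEW_OFFSET + 3] << 24;
    if (lfanew > len - PE_SIG_SIZE) /* safe: len >= 0x40 here */
        return PE_ERR_LFANEW_RANGE;
    if (memcmp(img + lfanew, "PE\0\0", PE_SIG_SIZE) != 0)
        return PE_ERR_BAD_PE;
    *out = lfanew;
    return PE_OK;
}

/* Constructed sample (not a real driver): MZ stub, e_lfanew = 0x80, PE sig at 0x80. */
#define SAMPLE_LEN 0x84u
static uint8_t sample_image[SAMPLE_LEN];

const uint8_t *build_sample(void)
{
    memset(sample_image, 0, SAMPLE_LEN);
    sample_image[0] = 'M'; sample_image[1] = 'Z';
    sample_image[E_LFANEW_OFFSET] = 0x80;  /* low byte; upper bytes stay zero */
    memcpy(sample_image + 0x80, "PE\0\0", PE_SIG_SIZE);
    return sample_image;
}
```

Each failure path returns a status instead of faulting, so a sharing violation on the driver file surfaces as PE_ERR_NULL_MAP rather than as an access violation in the tool.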

alexanderlukas
November 20th, 2006, 11:14
Quote (originally posted by blabberer):
now after your comment that it crashed i tried it again in winxp xp-sp2 (real machine not vm) and it works i tried spying cdrom.sys as beep.sys


I just tested it on a fourth computer running XP and there it worked (at least for spying on cdrom.sys). Unfortunately it doesn't seem to be able to help me anyway because 1) it crashed when I tried to spy on the driver I need to spy on, and 2) it doesn't log the parameters of the calls. Pretty cool tool anyway though.