From Collaborative RCE Tool Library


Driver & IRP Monitoring Tools


Tool name: IRP Tracker
Rating: 0.0 (0 votes)
Author: OSR
Website: http://www.osronline.com/article.cfm?article=199
Current version: v2.20
Last updated: February 2010
Direct D/L link: http://www.osronline.com/OsrDown.cfm/IrpTracker_V220_x86.zip?name=IrpTracker_v220_x86.zip&id=199
License type: freeware
Description: IrpTracker allows you to monitor all I/O request packets (IRPs) on a system without the use of any filter drivers and with no references to any device objects, leaving the PnP system entirely undisturbed. In addition to seeing the path the IRP takes down the driver stack and its ultimate completion status, a detailed view is available that shows the entire contents of the static portion of the IRP and an interpreted view of the current and previous stack locations.

Use it as a learning tool if you're wondering how different devices/drivers interact or handle certain types of I/O, or as a debugging tool (i.e. why does this I/O request succeed, but this one fail?). "Supported" on XP through Windows 7.
Also listed in: (Not listed in any other category)



Tool name: IRPTrace
Rating: 0.0 (0 votes)
Author: APSoft
Website: http://www.tssc.de/products/tools/irptrace/default.htm
Current version: 1.00.007
Last updated: September 18, 2005
Direct D/L link: N/A
License type: Commercial
Description: IrpTrace is a tool that watches I/O request packets (IRPs) sent to kernel-mode drivers on Windows NT 4.0, Windows 2000 or Windows XP. Information about IRPs can be sent to a remote debugger and/or saved to a file. The collected information is available for immediate or deferred analysis, which makes this tool very useful for debugging and supporting device drivers.

Debug and support drivers

If a driver causes a system crash or hangs while processing an IRP, IrpTrace can help locate the buggy handler from the information sent to the remote debugger or to the output window of a terminal application. Developers usually insert debug messages to locate the crash point. IrpTrace has two advantages here: a) it works with non-debug (release) builds of drivers; b) the developer saves the time otherwise spent writing debug code.

If a driver forgets to complete an IRP, it can cause various problems (up to a system hang or blue screen). The list of IRPs that were never completed can be determined using IrpTrace.

Windows 2000/XP build a stack of physical, filter and functional device objects for each PnP device. Your software for a PnP device can malfunction because of third-party software installed on the same computer. IrpTrace can help you locate this kind of problem.

Investigate interaction of software components

In some cases a developer needs to investigate the communication protocol of existing software (driver - application, driver - driver). If the protocol is a sequence of I/O requests (for example device control, internal device control, read and write requests), IrpTrace can help to do this.

The list of I/O requests IrpTrace will watch for can be specified by:

* Name of the driver that owns the IRP's target device
* Name of the target device
* Name of the module that sends the IRP
* Name / ID of the PnP device

The information recorded about each IRP includes:

* Name of the request
* Name and address of the target device
* Completion status
* Address of the code that sent the request
* IRQL, process name and ID of the thread that sent the request
* Address of the procedure that completed the request
* Detailed information about the input and output parameters of the request (if any)
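To make the two descriptions above concrete (the path an IRP takes down a device stack and its completion status, as in the IrpTracker entry, and the list of IRPs that were never completed, as in the IrpTrace entry), here is an added user-mode C model of that flow. It is not code from either tool and not WDK code: the device, IRP and trace structures, the device and driver names and the three dispatch routines are constructed for this example, and only the IRP_MJ codes and NTSTATUS values are taken from the real kernel headers. It sends a READ, a DEVICE_CONTROL and a WRITE through an upper filter, a deliberately buggy filter and a function driver, prints the kind of trace a tracer would show, and then reports which IRPs were never completed.

```c
/* Added example, not code from IrpTracker, IrpTrace or the WDK: a user-mode
 * model of an IRP travelling down a PnP device stack and what a tracer sees. */
#include <stdio.h>
#include <string.h>

#define MAX_IRPS  4
#define MAX_TRACE 32

typedef long NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_DEVICE_REQUEST ((NTSTATUS)0xC0000010L)

/* IRP major function codes; values match the WDK's ntddk.h */
enum { IRP_MJ_READ = 0x03, IRP_MJ_WRITE = 0x04, IRP_MJ_DEVICE_CONTROL = 0x0E };

struct device;
struct irp;
typedef NTSTATUS (*dispatch_fn)(struct device *dev, struct irp *irp);

/* one device object in the stack; lower == NULL is the bottom (constructed) */
struct device { const char *name; const char *driver; struct device *lower; dispatch_fn dispatch; };

/* the "static portion" of an IRP reduced to the fields a tracer keys on */
struct irp { int id; unsigned char major; int depth; int completed; NTSTATUS status; };

/* one trace record: IRP id, event, device it happened at, status */
struct trace_rec { int irp_id; const char *event; const char *device; NTSTATUS status; };
static struct trace_rec g_trace[MAX_TRACE];
static int g_ntrace;

static void trace(int id, const char *ev, const char *dev, NTSTATUS st) {
    if (g_ntrace < MAX_TRACE) { struct trace_rec r = { id, ev, dev, st }; g_trace[g_ntrace++] = r; }
}

/* IoCallDriver model: advance to the next stack location, enter the driver's dispatch */
static NTSTATUS io_call_driver(struct device *dev, struct irp *irp) {
    irp->depth++;
    trace(irp->id, "dispatch", dev->name, 0);
    return dev->dispatch(dev, irp);
}

/* IoCompleteRequest model: the IRP is finished, record its final status */
static void io_complete_request(struct irp *irp, NTSTATUS st) {
    irp->completed = 1; irp->status = st;
    trace(irp->id, "complete", "-", st);
}

/* well-behaved filter: passes every IRP down unchanged */
static NTSTATUS filter_passthrough(struct device *dev, struct irp *irp) {
    return io_call_driver(dev->lower, irp);
}

/* buggy filter: on WRITE it returns success but neither completes the IRP nor
 * passes it down; the "forgot to complete an IRP" case from the IrpTrace entry */
static NTSTATUS filter_buggy(struct device *dev, struct irp *irp) {
    if (irp->major == IRP_MJ_WRITE) return STATUS_SUCCESS;
    return io_call_driver(dev->lower, irp);
}

/* function driver at the bottom: handles READ/WRITE, rejects unknown IOCTLs */
static NTSTATUS fdo_dispatch(struct device *dev, struct irp *irp) {
    NTSTATUS st = (irp->major == IRP_MJ_READ || irp->major == IRP_MJ_WRITE)
                ? STATUS_SUCCESS : STATUS_INVALID_DEVICE_REQUEST;
    (void)dev;
    io_complete_request(irp, st);
    return st;
}

/* constructed three-level stack: upper filter -> buggy filter -> FDO */
static struct device g_fdo   = { "\\Device\\Harddisk0", "disk.sys",     NULL,     fdo_dispatch };
static struct device g_buggy = { "\\Device\\BuggyFlt",  "buggyflt.sys", &g_fdo,   filter_buggy };
static struct device g_top   = { "\\Device\\UpperFlt",  "upperflt.sys", &g_buggy, filter_passthrough };

static struct irp g_irps[MAX_IRPS];
static int g_nirps;

/* send one IRP with the given major code into the top of the stack */
static struct irp *send_irp(unsigned char major) {
    struct irp *irp = &g_irps[g_nirps];
    memset(irp, 0, sizeof *irp);
    irp->id = ++g_nirps; irp->major = major;
    io_call_driver(&g_top, irp);
    return irp;
}

/* the check IrpTrace advertises: IRPs that were dispatched but never completed */
int count_uncompleted(void) {
    int n = 0, i;
    for (i = 0; i < g_nirps; i++) if (!g_irps[i].completed) n++;
    return n;
}
NTSTATUS irp_status(int id) { return g_irps[id - 1].status; }
int irp_depth(int id)       { return g_irps[id - 1].depth; }   /* how far down the stack it got */

/* run READ, DEVICE_CONTROL and WRITE through the stack; returns the leak count */
int run_scenario(void) {
    int i;
    g_ntrace = 0; g_nirps = 0;
    send_irp(IRP_MJ_READ);
    send_irp(IRP_MJ_DEVICE_CONTROL);
    send_irp(IRP_MJ_WRITE);
    for (i = 0; i < g_ntrace; i++)
        printf("IRP %d %-8s %-20s status=0x%08lX\n", g_trace[i].irp_id, g_trace[i].event,
               g_trace[i].device, (unsigned long)g_trace[i].status);
    return count_uncompleted();
}

int main(void) {
    int leaked = run_scenario();
    printf("%d IRP(s) never completed\n", leaked);
    return leaked ? 1 : 0;
}
```

In the printed trace the READ reaches all three devices and completes with STATUS_SUCCESS, the DEVICE_CONTROL reaches the FDO and completes with STATUS_INVALID_DEVICE_REQUEST (the "why does this one fail?" case), and the WRITE stops at the buggy filter with no completion record at all, which is exactly the signature a tracer's uncompleted-IRP list is built from.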
Also listed in: (Not listed in any other category)



Tool name: Security Research and Development Framework
Rating: 0.0 (0 votes)
Author: Amr Thabet
Website: http://blog.amrthabet.co.cc
Current version: v 1.00
Last updated: November 25, 2012
Direct D/L link: http://code.google.com/p/srdf
License type: GPL v.2
Description: Do you find writing a security tool on Windows hard?
Do you have a great idea but can't implement it?
Do you have a good malware analysis tool and don't want to have to turn it into a plugin for OllyDbg or IDA Pro?
Then the Security Research and Development Framework (SRDF) is for you.


Abstract:

This is a free, open-source development framework created to support writing security tools and malware analysis tools, and to turn security research and ideas from a theoretical approach into practical implementations.

This development framework was created mainly to support the malware field: to make it easy to create malware analysis tools and anti-virus tools without reinventing the wheel, and to inspire innovative minds to write their research in this field and implement it using SRDF.

Introduction:

In the last several years the malware black market has grown widely. Statistics show that the number of new viruses has increased from 300,000 to many millions nowadays.

The complexity of malware attacks has also increased, from small amateur viruses to Stuxnet, Duqu and Flame.

The malware field is searching for new technologies and research, and for a united community that can withstand these attacks. That is the reason for SRDF.

SRDF is not, and will not be, developed by one person or one team. It will be developed by a large community that shares its knowledge and tools inside this framework.

SRDF is still not finished, and it will never be finished, as it is a community-based framework developed by its contributors. We have just begun the idea.

SRDF is divided into two parts, User-Mode and Kernel-Mode, described in the next sections.

The Features:

Before talking about the SRDF design and structure, I want to show you what you will gain from SRDF and what it could add to your project.

In the User-Mode part, SRDF gives you many helpful tools, among them:

· Assembler and Disassembler
· x86 Emulator
· Debugger
· PE Analyzer
· Process Analyzer (loaded DLLs, memory maps, etc.)
· MD5, SSDeep and Wildlist Scanner (YARA)
· API Hooker and Process Injection
· Backend Database, XML Serializer
· And many more

In the Kernel-Mode part, it tries to make it easy to write your own filter device driver (without WDF and callbacks) and gives an easy, object-oriented (as much as possible) development framework with these features:

· Object-oriented and easy to use development framework
· Easy IRP dispatching mechanism
· SSDT Hooker
· Layered Devices Filtering
· TDI Firewall
· File and Registry Manager
· Kernel Mode easy to use internet sockets
· Filesystem Filter

The Kernel-Mode part is still in progress and many features will be added in the near future.

Source Code: http://code.google.com/p/srdf
Facebook Page: http://www.facebook.com/SecDevelop

JOIN US ... just mail me at: amr.thabet[at]student.alx.edu.eg
Also listed in: Assembler IDE Tools, Assemblers, Automated Unpackers, Debugger Libraries, Debuggers, Disassembler Libraries, Disassemblers, Exe Analyzers, Kernel Filter Monitoring Tools, Kernel Tools, Low-level Development Libraries, Malware Analysis Tools, Programming Libraries, Reverse Engineering Frameworks, X64 Disassembler Libraries, X86 Disassembler Libraries, X86 Emulators

