
Thread: Driver reversing and defeating (WDM, not VXD)

  1. #1
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    As mentioned recently in several other threads on this board, device drivers like this really seem to be quickly becoming very popular in protections, and give lots of people around here major trouble. I.e., a new interesting field of protections that needs to be explored and conquered. Seems like we will need to breed some new talents who will be to driver reversing what Splaj and the gang was/is to unpacking...

    How about some more serious driver protection technique projects, e.g. in the Mini Project forum? Do we have any people who are driver knowledgeable enough and willing to submit crackmes and similar teaching material to get such a thing started? Kayaker? ZaiRoN? Anyone? What do you all think of this?


    Just a thought anyway, but it seems to become more and more clear what the future of advanced protections is going to be...


    dELTA

  2. #2
    Hello Everybody

    Four-F's tuts on how to write a device driver are *worth* reading. Here's the link
    http://www.masmforum.com/website/tutorials/kmdtute/index.html
    for those who don't know. After reading & understanding, I guess we know how a driver is loaded, how it works & how to set a breakpoint on a driver called proc. In short it's excellent stuff for reading & understanding about drivers.

    Regards, Sope.

  3. #3
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Seems like a very good start, thanks for the link sope!

    Now go read them, all of you.


    dELTA

  4. #4
    Registered User hobferret's Avatar
    Join Date
    Jul 2002
    Location
    Alien Area near Albuquerque
    Posts
    203
    Very interesting stuff

    It will take a while to read, study and inwardly digest

    I am sure we will get to grips with it sooner rather than later

    Great link sope, thanks for that!

    /hobferret

  5. #5
    Seems to be down at the moment. Hope they're back up soon.

    Regards,
    JMI

  6. #6
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Fear not, here they are.
    Attached Files

  7. #7
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Kayaker just posted a nice example project (including source) in this thread. It deals with Windows 2k/XP services and kernel mode drivers (that is, WDM drivers, contrary to the older VXD drivers that at least a few more people are knowledgeable about, but which are practically dead today).

    An unpublished driver tutorial by Clandestiny is also included in that thread. So what are you waiting for, go get it!


    It would be good to initially use this thread (i.e. the one I'm writing in right now) as the center of all ideas, questions, projects and such regarding driver reversing and programming, so that it would be easy to follow for everyone interested. As mentioned in my original post in this thread, driver reversing is becoming more and more essential in today's protections, so it should be quite interesting for many serious reversers. Let's try to make this a fun and educational project!


    dELTA

  8. #8
    Well, I'm certainly interested as I want to write my own driver-based memory dumper

  9. #9
    I'd like to point out the following link:

    http://www.orgon.com/w2k_internals/cd.html

    It contains various utils and source code related to Windows Internals, such as:
    - SC Manager functions, listing services, etc.
    - a hooking device driver that allows you to spy on kernel APIs.
    - debugging interface: pdb, psapi, imghlp stuff
    - a memory spy device, to read from any address you like.
    [...]

    It comes with a book, but the utils are available for download from the website. Some utils (those using undocumented functions) might not work "out of the box", but with a few fixes, they work again.

    It is interesting because:
    - Source code is included
    - Includes a driver skeleton for ms vc++
    - It contains both kernel and user mode software.
    - They are tools mainly aimed at reverse-engineering.

    An excellent learning utility.

  10. #10
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    I might very well just be blind, but where did you find the source code on that page? I can only find the binaries in downloadable form, and then some text saying that the source is available on the actual CD?

    Seems like very interesting stuff though, especially the API-spying/hooking part, and some of the other things too, so it would be very nice indeed to have the source for it.

  11. #11
    oh, my bad.. I did not actually test the thing..
    I own the book.. and it ships with source on the CD..

    I assumed it was the same deal on the website.

    Besides its usefulness, I guess it can be used as a RE target =D

  12. #12
    nino
    Guest


    Well doug,
    don't you feel committed to up the CD to the ftp site?
    (You gave the link after all)
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  13. #13
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,085
    Blog Entries
    5
    We'll take that last comment as a joke, better to reverse the exes, learn more, steal less

  14. #14
    Reversing Since '98 \o/ [yAtEs]'s Avatar
    Join Date
    Feb 2002
    Posts
    97
    Blog Entries
    2
    Perhaps a new forum section on the subject of system coding etc
    would be greatly welcomed by some :-)

    I'm soon to publish some of my own stuff and beginner templates
    on my site in the forthcoming weekend,

    regards,
    yates.

  15. #15
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    The "Advanced reversing and programming" forum is meant for such things, but if this subject grows big we can eventually give it a forum of its own, sure. A thread like this in the mini-project forum is a good way to organize a smaller subject until it grows into its own forum though.

    Sounds great with your upcoming publications, looking forward to them! Please announce in this thread when they are released.


    dELTA
