I've also included a built WinXP .sys driver, which is actually just the generic WinDDK IOCTL sample driver plus its exe. If you run ioctlapp.exe, it will install/load the sioctl.sys driver and call it with 4 different IOCTLs. My auto ghast tool was built by repeatedly running/testing against this.
Anyways, here's auto ghast in action recording a single breakpoint:
[Screenshot: auto ghast automatically setting breakpoints/recording data]
- It steps into the DriverEntry function
- Grabs the DriverObject ptr and creates a custom 'driver' object that we can use in the program.
- By calling driver.get_driver_by_address(esp) it extracts the DriverObject pointer from the stack and gives us access to the driver's properties
- Prints out the base/end/entry addresses
- Runs through the entire DriverEntry function
- Extracts the IRP_MJ_DEVICE_CONTROL address (driver.get_device_control_address())
- Creates a custom breakpoint object that I've designed, and sets up the information to record each time its callback handler is called
- Sets the breakpoint
- Runs the program
What's nice about having a custom recorder is that we can extract/work with various registers, memory addresses, or whatever else we want each time the breakpoint is hit. I'll fix up the documentation later, but please consider this VERY ALPHA!
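As an added illustration of the DriverEntry flow above (my own example, not code from the ghast repo), here is a plain-Python model of the driver object extraction: it reads the 32-bit nt!_DRIVER_OBJECT through a read_mem(addr, size) callback that a debugger backend such as pykd would normally supply, and pulls the base/end/entry addresses and the IRP_MJ_DEVICE_CONTROL dispatch entry. The memory snapshot and all addresses in build_fake_memory are constructed.

```python
import struct

# Field offsets in the 32-bit (Windows XP x86) nt!_DRIVER_OBJECT layout.
DRIVER_START = 0x0C          # Ptr32  DriverStart  (image base)
DRIVER_SIZE = 0x10           # Uint4B DriverSize
DRIVER_INIT = 0x2C           # Ptr32  DriverInit   (DriverEntry)
MAJOR_FUNCTION = 0x38        # Ptr32  MajorFunction[28] dispatch table
IRP_MJ_DEVICE_CONTROL = 0x0E
DRIVER_OBJECT_SIZE = 0xA8


class DriverObject:
    """View of a _DRIVER_OBJECT fetched through a read_mem(addr, size) callback."""
    def __init__(self, read_mem, address):
        self.address = address
        self._raw = read_mem(address, DRIVER_OBJECT_SIZE)

    @classmethod
    def from_driver_entry_stack(cls, read_mem, esp):
        # At DriverEntry's first instruction (stdcall) [esp] is the return
        # address and [esp+4] is the PDRIVER_OBJECT argument.
        (ptr,) = struct.unpack("<I", read_mem(esp + 4, 4))
        return cls(read_mem, ptr)

    def _u32(self, off):
        return struct.unpack_from("<I", self._raw, off)[0]
    base = property(lambda self: self._u32(DRIVER_START))
    end = property(lambda self: self.base + self._u32(DRIVER_SIZE))
    entry = property(lambda self: self._u32(DRIVER_INIT))

    def get_device_control_address(self):
        # Only meaningful once DriverEntry has filled in the dispatch table.
        return self._u32(MAJOR_FUNCTION + 4 * IRP_MJ_DEVICE_CONTROL)


def build_fake_memory():
    """Constructed snapshot (not a real dump): a _DRIVER_OBJECT at 0x81A00000 as it
    looks after DriverEntry returned, plus DriverEntry's entry-time stack at 0x80550000."""
    drv = bytearray(DRIVER_OBJECT_SIZE)
    struct.pack_into("<I", drv, DRIVER_START, 0xF8A1C000)
    struct.pack_into("<I", drv, DRIVER_SIZE, 0x3000)
    struct.pack_into("<I", drv, DRIVER_INIT, 0xF8A1E05E)
    struct.pack_into("<I", drv, MAJOR_FUNCTION + 4 * IRP_MJ_DEVICE_CONTROL, 0xF8A1C4A0)
    pages = {0x81A00000: bytes(drv), 0x80550000: struct.pack("<II", 0x805A1234, 0x81A00000)}

    def read_mem(addr, size):
        for base, blob in pages.items():
            if base <= addr and addr + size <= base + len(blob):
                return blob[addr - base:addr - base + size]
        raise ValueError("unmapped read at %#x" % addr)
    return read_mem
```

With a live target, read_mem would wrap the debugger's memory read and esp would come from the register context at the DriverEntry breakpoint.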
Finally, thanks to a blog post about pykdtrace, which helped me figure out that I needed to return DEBUG_STATUS_GO from my debug event handler (I was banging my head!) to get the dang thing to continue running.
Check out my ghast git repo for the code!