An IDA Pro Plugin For Windows Driver Reversing

This is an IDA Pro plugin designed to assist reverse engineers when they are reversing Windows drivers or applications that interact with them. The source code is hosted on GitHub under a 3-clause BSD license.

Installation

Just drop the 'win_driver_plugin.py' file and the entire 'win_driver_plugin' folder into IDA's plugin directory. If you want FLOSS to be used when hunting for device names, you can install it with the following commands:

pip install https://github.com/williballenthin/vivisect/zipball/master 
pip install https://github.com/fireeye/flare-floss/zipball/master

Usage Overview

Decode IOCTL Codes

Potential IOCTL codes can be decoded by selecting the value in IDA and using the "Ctrl+Alt+D" shortcut or the right-click context menu option. This adds a comment to the instruction giving the IOCTL code as its equivalent define, expressed with the CTL_CODE macro, as shown below:

[Image: IOCTL code decoded in the Capcom driver]

Additionally this will print a summary table with the details of all IOCTL codes decoded in the current session:

[Image: summary table of the IOCTL codes decoded in the session]
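To make the decoding step concrete, here is an added example (written for this page, not code from the win_driver_plugin project) that splits a 32-bit control code into the four CTL_CODE fields, renders it as the macro invocation the plugin comments with, and builds the rows of a session summary table. The field layout comes from winioctl.h; the small device-type table and the sample codes are constructed for the example, and the "vendor-defined" filter is a triage heuristic based on the ranges Microsoft reserves for third parties, not a rule the plugin applies.

```python
# Added example (not the win_driver_plugin project's own code): decode a 32-bit
# IOCTL control code into the four CTL_CODE fields that the plugin's comment shows.
#
# Layout of a control code, from winioctl.h:
#   CTL_CODE(DeviceType, Function, Method, Access) =
#       (DeviceType << 16) | (Access << 14) | (Function << 2) | Method

METHODS = {
    0: "METHOD_BUFFERED",
    1: "METHOD_IN_DIRECT",
    2: "METHOD_OUT_DIRECT",
    3: "METHOD_NEITHER",
}
ACCESS = {
    0: "FILE_ANY_ACCESS",
    1: "FILE_READ_ACCESS",
    2: "FILE_WRITE_ACCESS",
    3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS",
}
# A handful of well-known device types; anything else is printed as a number.
DEVICE_TYPES = {
    0x07: "FILE_DEVICE_DISK",
    0x09: "FILE_DEVICE_FILE_SYSTEM",
    0x12: "FILE_DEVICE_NETWORK",
    0x22: "FILE_DEVICE_UNKNOWN",
    0x2D: "FILE_DEVICE_MASS_STORAGE",
}


def ctl_code(device_type, function, method, access):
    """Build a control code exactly as the CTL_CODE macro does."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split a control code into its fields (the inverse of ctl_code)."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }


def format_ctl_code(code):
    """Render a control code as the CTL_CODE(...) expression used in the comment."""
    f = decode_ioctl(code)
    dev = DEVICE_TYPES.get(f["device_type"], "0x%X" % f["device_type"])
    return "CTL_CODE(%s, 0x%X, %s, %s)" % (
        dev, f["function"], METHODS[f["method"]], ACCESS[f["access"]])


def is_vendor_defined(code):
    """True when both fields sit in the ranges Microsoft reserves for third parties
    (device types 0x8000 and up, function codes 0x800 and up). This is a triage
    heuristic for deciding which constants in a driver are worth decoding."""
    f = decode_ioctl(code)
    return f["device_type"] >= 0x8000 and f["function"] >= 0x800


def summary_table(codes):
    """Return the rows of a per-session summary table, header row first."""
    rows = [("IOCTL", "DeviceType", "Function", "Method", "Access")]
    for c in codes:
        f = decode_ioctl(c)
        rows.append(("0x%08X" % c, "0x%X" % f["device_type"], "0x%X" % f["function"],
                     METHODS[f["method"]], ACCESS[f["access"]]))
    return rows


if __name__ == "__main__":
    # Constructed sample: one documented Windows code (IOCTL_STORAGE_QUERY_PROPERTY)
    # and one code built in the vendor-reserved ranges.
    for c in (0x2D1400, ctl_code(0x8000, 0x801, 3, 0)):
        print("0x%08X -> %s (vendor-defined: %s)" % (c, format_ctl_code(c), is_vendor_defined(c)))
    for row in summary_table([0x2D1400, 0x80002007]):
        print("%-12s %-12s %-10s %-18s %s" % row)
```

The masks follow directly from the shift amounts in the macro: the method occupies the low two bits, the function the next twelve, the access the two above that, and the device type the upper sixteen, so the decoder is exact and round-trips with ctl_code for any well-formed code.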

Find Potential IOCTL Dispatch Functions

The plugin implements two basic ways of identifying an IOCTL dispatch function. These can be run using the "Ctrl+Alt+S" shortcut, as shown below:

[Image: find dispatch, random AVG driver]

Find Potential Device Names

The plugin can also find potential device names. First, it searches for Unicode strings that could be valid device paths; if it doesn't find any, it attempts to use FLOSS to find any obfuscated device names present in the driver. This function can be run using the "Ctrl+Alt+A" shortcut. You can see it being run on the infamous Capcom driver below.

[Image: find device name, Capcom driver]
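As an added example of the first pass described above (written for this page, not the project's own code), the following scans a byte blob for UTF-16LE strings and keeps those that begin like an NT device path or a symbolic-link path. The prefix list, the minimum string length and the sample bytes are constructed for the example; the FLOSS fallback for obfuscated names is not reproduced, only the point at which a caller would fall back to it.

```python
import re

# Added example (not the win_driver_plugin project's own code): the plain-string
# pass of a device-name hunt. UTF-16LE runs of printable ASCII are extracted and
# then filtered by the prefixes a driver typically uses for its device object and
# its user-reachable symbolic link. Prefix list and sample data are constructed.
DEVICE_PATH_PREFIXES = ("\\Device\\", "\\DosDevices\\", "\\??\\", "\\\\.\\")


def find_utf16_strings(data, min_len=6):
    """Return every run of at least min_len printable ASCII characters stored as UTF-16LE."""
    pattern = rb"(?:[\x20-\x7e]\x00){" + str(min_len).encode() + rb",}"
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def find_device_names(data):
    """Filter the UTF-16LE strings down to those that start like a device path."""
    return [s for s in find_utf16_strings(data) if s.startswith(DEVICE_PATH_PREFIXES)]


# Constructed sample "binary": two wide-string device paths, one unrelated wide
# string, and one ANSI path that must be ignored because it is not UTF-16LE.
SAMPLE = (
    b"\x90" * 16
    + "\\Device\\ExampleDrv".encode("utf-16-le") + b"\x00\x00"
    + b"junk"
    + "\\DosDevices\\ExampleDrv".encode("utf-16-le") + b"\x00\x00"
    + "NotADevice".encode("utf-16-le") + b"\x00\x00"
    + b"\\Device\\AnsiOnly\x00"
)

if __name__ == "__main__":
    names = find_device_names(SAMPLE)
    if names:
        for n in names:
            print(n)
    else:
        # In the plugin's flow this is where the FLOSS pass would be tried.
        print("no plain device name found; fall back to FLOSS here")
```

Because the regex requires each printable byte to be followed by a NUL, it naturally skips ANSI strings and resynchronises on its own at any alignment, so no separate odd/even offset pass is needed.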

More details can be found on the project's GitHub page.