#!/usr/bin/env python3
"""Windows Driver Analyzer Binary Ninja Plugin
This plugin can be used within the Binary Ninja GUI or standalone with the
commercial or enterprise version to detect IRP dispatch routines and valid
IOCTL codes in Windows kernel drivers.
TODO:
- Function detection for ThreadCreateNotify, ProcessCreateNotify, Workitems, IoCsqInitialize, etc.
- Recursively follow calls from DriverEntry for code that initializes the DriverObject when
finding dispatch routines. We currently only search DriverEntry.
- Set function signatures for known functions
"""
from __future__ import print_function
import argparse
import os
import sys
from binaryninja import BinaryViewType, BackgroundTaskThread, PluginCommand
# On Windows, extend the module search path with a fixed Python 2.7
# site-packages directory. It is appended, not prepended, so it cannot
# shadow modules already resolvable from earlier sys.path entries; anything
# importable from that directory runs with the plugin's privileges.
# NOTE(review): the path is hard-coded -- confirm it matches the target install.
if sys.platform == "win32":
    sys.path.append("C:\\Python27\\Lib\\site-packages")
import analyze
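class LabelDriverDispatchRoutinesTask(BackgroundTaskThread):
    """Background task that labels IRP dispatch routines in a BinaryView.

    The labeling runs inside a single undo group so it can be reverted as
    one unit from the GUI.
    """

    def __init__(self, bv):
        """Prepare the task for *bv*; work begins when ``start()`` is called."""
        BackgroundTaskThread.__init__(self, "Labeling Driver Dispatch Routines", can_cancel=True)
        self.bv = bv

    def run(self):
        """Label dispatch routines inside an undo group, then refresh analysis.

        The undo group is committed and analysis updated in ``finally`` so an
        exception raised by the analysis cannot leave the group open; the
        exception itself still propagates to the task thread.
        """
        self.bv.begin_undo_actions()
        try:
            analyze.Analysis(self.bv).label_driver_dispatch_routines()
        finally:
            self.bv.commit_undo_actions()
            self.bv.update_analysis()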
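class LabelCallbackRoutinesTask(BackgroundTaskThread):
    """Background task that labels callback routines in a BinaryView.

    The labeling runs inside a single undo group so it can be reverted as
    one unit from the GUI.
    """

    def __init__(self, bv):
        """Prepare the task for *bv*; work begins when ``start()`` is called."""
        BackgroundTaskThread.__init__(self, "Labeling Callback Routines", can_cancel=True)
        self.bv = bv

    def run(self):
        """Label callback routines inside an undo group, then refresh analysis.

        The undo group is committed and analysis updated in ``finally`` so an
        exception raised by the analysis cannot leave the group open; the
        exception itself still propagates to the task thread.
        """
        self.bv.begin_undo_actions()
        try:
            analyze.Analysis(self.bv).label_callback_routines()
        finally:
            self.bv.commit_undo_actions()
            self.bv.update_analysis()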
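class FindIoctlsTask(BackgroundTaskThread):
    """Background task that searches a driver for supported IOCTL codes.

    When *function* is given, only its start address is handed to the
    analysis; with ``None`` the search is not restricted to one function.
    """

    def __init__(self, bv, function=None):
        """Prepare the task for *bv*, optionally scoped to *function*."""
        BackgroundTaskThread.__init__(self, "Finding IOCTLs", can_cancel=True)
        self.bv = bv
        # Only the start address is kept; it is what find_ioctls() receives
        # (None when no function was selected).
        self.function = function.start if function else None

    def run(self):
        """Find IOCTLs inside an undo group, then refresh analysis.

        The undo group is committed and analysis updated in ``finally`` so an
        exception raised by the analysis cannot leave the group open; the
        exception itself still propagates to the task thread.
        """
        self.bv.begin_undo_actions()
        try:
            analyze.Analysis(self.bv).find_ioctls(self.function)
        finally:
            self.bv.commit_undo_actions()
            self.bv.update_analysis()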
def label_driver_dispatch_routines(bv):
    """PluginCommand action: label the dispatch routines of *bv* on a background thread."""
    LabelDriverDispatchRoutinesTask(bv).start()
def label_callback_routines(bv):
    """PluginCommand action: label the callback routines of *bv* on a background thread."""
    LabelCallbackRoutinesTask(bv).start()
def find_ioctls(bv, function=None):
    """PluginCommand action: search *bv* (or just *function*) for IOCTLs on a background thread."""
    FindIoctlsTask(bv, function).start()
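def cmdline_main():
    """Headless entry point: label dispatch routines (and optionally IOCTLs) of one driver.

    Returns:
        1 if the driver path is not a regular file or the file cannot be
        loaded, otherwise 0. The caller decides how to turn this into the
        process exit status.
    """
    parser = argparse.ArgumentParser(
        description="Auto-detect IRP Dispatch routines and IOCTLs.",
        formatter_class=argparse.ArgumentDefaultsHelpFormatter)
    parser.add_argument("-i", "--ioctls", action="store_true", default=False,
                        help="Detect supported IOCTL control codes.")
    parser.add_argument("driver", help="Windows driver to analyze.")
    args = parser.parse_args()

    if not os.path.isfile(args.driver):
        print("[-] '{:s}' is not a file".format(args.driver), file=sys.stderr)
        return 1

    # TODO: This line always returns None
    # NOTE(review): BinaryViewType.get_view_of_file(path) is the usual headless
    # loader in the Binary Ninja API -- confirm against the installed version.
    bv = BinaryViewType["PE"].open(args.driver)
    if not bv:
        print("[-] Error loading file: {:s}".format(args.driver), file=sys.stderr)
        return 1

    analysis = analyze.Analysis(bv)
    analysis.label_driver_dispatch_routines()
    if args.ioctls:
        analysis.find_ioctls()
    # Explicit success status; previously the function fell off the end.
    return 0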
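if __name__ == "__main__":
    # Headless use: propagate cmdline_main's status (1 on error, otherwise
    # falsy) as the process exit code instead of always exiting 0.
    sys.exit(cmdline_main())
else:
    # Loaded by Binary Ninja as a plugin: expose the analyses as UI commands.
    PluginCommand.register(
        "Label Driver Dispatch Routines", "Label driver dispatch routines for IRPs and other callbacks",
        action=label_driver_dispatch_routines)
    #PluginCommand.register(
    #    "Label Callback Routines", "Label callback routines used in common kernel APIs",
    #    action=label_callback_routines)
    PluginCommand.register(
        "Find IOCTLs [global]", "Find supported IOCTLs and generate CTL_CODE macros",
        action=find_ioctls)
    # The per-function variant passes the selected function through to
    # find_ioctls(bv, function); the global one leaves it at None.
    PluginCommand.register_for_function(
        "Find IOCTLs [current function]", "Find supported IOCTLs and generate CTL_CODE macros",
        action=find_ioctls)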