Some skills for analyzing drivers

Author: dge
Translator: ayarei
Note: Because my English is very poor, my translation has a lot of bugs. And… I hope you can find them.

Recently, I have been using OllyDbg and IDA instead of the kernel debugger. Most of the time I don't need to debug the driver, so IDA is enough for me.
I recorded some useful skills during my work. Now I share them with you.
Q: Some software often hides its drivers. How can I find them?
A: That's easy. Those files are usually protected by a driver. If the driver isn't running, you can find the hidden file. You can use SSM to stop the software from loading its driver.
Q: How can I read the disassembly more easily?
A: A driver uses many IRP, DEVICE_OBJECT, DRIVER_OBJECT and IO_STACK_LOCATION structures, so add those structure definitions to IDA to help your work.
Q: How can I find the code I want more easily?
A: A normal driver is called through DeviceIoControl, which sends IRP_MJ_DEVICE_CONTROL to reach the code; the driver then processes the IOCTL. The IOCTL is a parameter of DeviceIoControl, so you can watch DeviceIoControl to find the code you want.
Q: Now, how can I get this IOCTL?
A: 1) You can set a breakpoint on DeviceIoControl. But there is also some anti-debugging, which makes it hard work for you.
2) You can write a program to watch DeviceIoControl and print each IOCTL to a log file. If you want to analyze a function, find its IOCTL in the log file, then search for it in the driver. I think this is a good way for you, and you don't need to worry about anti-debugging.
Q: How can I do this?
A: Change the entry of DeviceIoControl, just an inline hook.
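As an added example (not part of dge's post), a small Python script that reads the IOCTL values from such a log and decodes each one into the fields CTL_CODE packed into it, so the value can be searched for in the driver's dispatch routine in IDA; the log format and the device name are assumptions, and the log itself is constructed.

```python
"""Decode IOCTL codes logged from DeviceIoControl into their CTL_CODE fields."""
import re

# Bit layout produced by the WDK macro CTL_CODE(DeviceType, Function, Method, Access):
#   bits 31..16 DeviceType, bits 15..14 Access, bits 13..2 Function, bits 1..0 Method
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}


def decode_ioctl(code):
    """Split one IOCTL value into the fields CTL_CODE packed into it."""
    return {
        "code": code,
        "device_type": (code >> 16) & 0xFFFF,   # 0x22 is FILE_DEVICE_UNKNOWN
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        # METHOD_NEITHER hands the driver raw user-mode pointers, so those
        # handlers deserve the closest review when reading the dispatch code.
        "raw_user_pointers": (code & 0x3) == 3,
    }


# Constructed sample of what a DeviceIoControl watcher might log
# (hypothetical format: "<pid> <device> ioctl=<hex> in=<bytes> out=<bytes>").
SAMPLE_LOG = """\
1234 \\\\.\\HideDrv ioctl=0x22200B in=16 out=0
1234 \\\\.\\HideDrv ioctl=0x222004 in=260 out=4
1234 \\\\.\\HideDrv ioctl=0x22200B in=16 out=0
"""

LINE_RE = re.compile(r"^\d+\s+(\S+)\s+ioctl=0x([0-9A-Fa-f]+)")


def unique_ioctls(log_text):
    """Return the decoded entry for each distinct IOCTL, in first-seen order."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that are not IOCTL records
        code = int(m.group(2), 16)
        if code not in seen:
            seen[code] = dict(decode_ioctl(code), device=m.group(1))
    return list(seen.values())


if __name__ == "__main__":
    for e in unique_ioctls(SAMPLE_LOG):
        # The hex value is what to search for as an immediate in IDA.
        print(f"{e['code']:#010x} fn={e['function']:#x} {e['method']} {e['access']}")
```

Each printed hex value is the immediate to search for in the driver's IRP_MJ_DEVICE_CONTROL handler, which typically compares the incoming IoControlCode against each of them in turn.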
Q: Anything else?
A: Interest and patience are what you need.

–EOF–
