Wednesday, April 25, 2012


wincheck can (with the -dump_patched option) dump patched sections of loaded drivers. You get two files for each section. Let's assume there are patched bytes in section PAGE inside driver evildrv.sys. In this case your dump includes these files:
  • evildrv.sysPAGE.kmem - actual content of the PAGE section from memory
  • evildrv.sysPAGE.orig - relocated content of the PAGE section from disk
So you can always run "fc /b evildrv.sysPAGE.kmem evildrv.sysPAGE.orig" to get the list of patched bytes. But this list is sometimes really huge, so you might want to load this section in IDA Pro and check what happened. There can be a problem, though: both dump files contain data relocated to some address in kernel memory, and you probably have an idb for your driver evildrv.sys at base 0x10000. Sure, you can manually rebase your idb: Edit menu -> Segments -> Rebase program.
Since I am too lazy for that, I wrote a simple plugin lpdm for IDA Pro (for 5.x versions) which
  • loads the .kmem file
  • relocates it to the image base currently used in your .idb. You'll need the original PE file (evildrv.sys in this case) of course, not only the .idb
  • loads only the patched bytes
You must specify the address of your driver in memory, for example from the wincheck log:
FFFFF880070EA000:70000 flags 49104000 LoadCount 1 \SystemRoot\system32\drivers\evildrv.sys
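Why the plugin needs the original PE file and the in-memory address becomes clear once you try to diff a .kmem against an idb directly: every absolute pointer the loader fixed up differs from the on-disk image, so a naive byte compare reports relocations as "patches". The following is an added example written for this post (not lpdm's or wincheck's code) that walks through the same steps in Python: parse the PE .reloc entries, undo the loader's fix-ups by applying the base delta (memory address from the wincheck log line above, idb base 0x10000 as in the post), then list only the runs of bytes that really differ. The section RVA, the section contents, the .reloc blob and the hook bytes are all constructed for the demonstration.

```python
import struct

# Relocation types from the PE/COFF specification
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fix-up
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address

MEM_BASE = 0xFFFFF880070EA000  # load address taken from the wincheck log line
IDB_BASE = 0x10000             # image base the .idb was built with
SECTION_RVA = 0x1000           # assumed RVA of the PAGE section (constructed)


def parse_reloc_blocks(reloc: bytes):
    """Return [(rva, type), ...] for every non-padding entry in a .reloc blob.

    Each IMAGE_BASE_RELOCATION block is {PageRVA: u32, SizeOfBlock: u32}
    followed by u16 entries: high 4 bits = type, low 12 bits = page offset.
    """
    out, off = [], 0
    while off + 8 <= len(reloc):
        page_rva, block_size = struct.unpack_from("<II", reloc, off)
        if block_size < 8:
            break  # malformed block, stop rather than loop forever
        for i in range((block_size - 8) // 2):
            (entry,) = struct.unpack_from("<H", reloc, off + 8 + 2 * i)
            typ, page_off = entry >> 12, entry & 0xFFF
            if typ != IMAGE_REL_BASED_ABSOLUTE:
                out.append((page_rva + page_off, typ))
        off += block_size
    return out


def rebase_section(data: bytes, section_rva: int, relocs, from_base: int, to_base: int) -> bytes:
    """Apply (to_base - from_base) to every relocated pointer that lies inside the section."""
    buf = bytearray(data)
    delta = to_base - from_base
    for rva, typ in relocs:
        o = rva - section_rva  # offset of the pointer inside this section
        if typ == IMAGE_REL_BASED_DIR64 and 0 <= o and o + 8 <= len(buf):
            (v,) = struct.unpack_from("<Q", buf, o)
            struct.pack_into("<Q", buf, o, (v + delta) & 0xFFFFFFFFFFFFFFFF)
        elif typ == IMAGE_REL_BASED_HIGHLOW and 0 <= o and o + 4 <= len(buf):
            (v,) = struct.unpack_from("<I", buf, o)
            struct.pack_into("<I", buf, o, (v + delta) & 0xFFFFFFFF)
    return bytes(buf)


def patched_ranges(kmem: bytes, orig: bytes):
    """Return [(offset, kmem_bytes, orig_bytes), ...] for each contiguous run of differing bytes."""
    assert len(kmem) == len(orig), "sections must be the same size"
    ranges, i, n = [], 0, len(kmem)
    while i < n:
        if kmem[i] == orig[i]:
            i += 1
            continue
        j = i
        while j < n and kmem[j] != orig[j]:
            j += 1
        ranges.append((i, kmem[i:j], orig[i:j]))
        i = j
    return ranges


def build_demo():
    """Construct a clean section, its .reloc block, the loaded image and a hooked copy."""
    clean = bytearray(b"\x90" * 0x40)
    struct.pack_into("<Q", clean, 0x10, IDB_BASE + 0x1234)  # absolute pointer to RVA 0x1234
    clean[0x30:0x35] = b"\x55\x8b\xec\x83\xec"              # constructed function prologue
    clean = bytes(clean)
    # One .reloc block for the page at SECTION_RVA: a DIR64 entry at +0x10 plus an ABSOLUTE pad
    entries = [(IMAGE_REL_BASED_DIR64 << 12) | 0x10, 0]
    reloc = struct.pack("<II", SECTION_RVA, 8 + 2 * len(entries))
    reloc += b"".join(struct.pack("<H", e) for e in entries)
    relocs = parse_reloc_blocks(reloc)
    # What the kernel loader produced: the pointer fixed up to MEM_BASE
    in_memory = rebase_section(clean, SECTION_RVA, relocs, IDB_BASE, MEM_BASE)
    # Constructed in-memory modification: the prologue overwritten with a 5-byte jmp
    kmem = bytearray(in_memory)
    kmem[0x30:0x35] = b"\xe9\x00\x10\x00\x00"
    return clean, relocs, in_memory, bytes(kmem)


def demo():
    """Compare a naive .kmem-vs-idb diff with the diff after undoing the loader's relocations."""
    clean, relocs, _, kmem = build_demo()
    naive = patched_ranges(kmem, clean)  # reports the relocated pointer as a 'patch' too
    rebased = rebase_section(kmem, SECTION_RVA, relocs, MEM_BASE, IDB_BASE)
    real = patched_ranges(rebased, clean)  # only the genuine modification remains
    return naive, real


if __name__ == "__main__":
    naive, real = demo()
    print("naive diff ranges:", [(hex(o), k.hex(), g.hex()) for o, k, g in naive])
    print("after rebase:    ", [(hex(o), k.hex(), g.hex()) for o, k, g in real])
```

The naive diff shows two runs (the relocated pointer and the hook); after rebasing only the hooked prologue is left, which is exactly the "load only patched bytes" step. On a real driver you would feed `parse_reloc_blocks` the .reloc section read from the PE on disk and the section RVA from its section table.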

You can download the lpdm plugin (for idag & idag64) from here
