ioctlance: detect various vulnerability types in Windows Driver Model (WDM) drivers

by ddos · Published · Updated

IOCTLance

Presented at CODE BLUE 2023, this project titled Enhanced Vulnerability Hunting in WDM Drivers with Symbolic Execution and Taint Analysis introduces IOCTLance, a tool that enhances its capacity to detect various vulnerability types in Windows Driver Model (WDM) drivers. In a comprehensive evaluation involving 104 known vulnerable WDM drivers and 328 unknown ones, IOCTLance successfully unveiled 117 previously unidentified vulnerabilities within 26 distinct drivers. As a result, 41 CVEs were reported, encompassing 25 cases of denial of service, 5 instances of insufficient access control, and 11 examples of elevation of privilege.

Features

Target Vulnerability Types

  • map physical memory
  • controllable process handle
  • buffer overflow
  • null pointer dereference
  • read/write controllable address
  • arbitrary shellcode execution
  • arbitrary wrmsr
  • arbitrary out
  • dangerous file operation

Optional Customizations

  • length limit
  • loop bound
  • total timeout
  • IoControlCode timeout
  • recursion
  • symbolize data section

Build

Docker

git clone https://github.com/zeze-zeze/ioctlance.git
docker build .

Local

dpkg --add-architecture i386
apt-get update
apt-get install git build-essential python3 python3-pip python3-dev htop vim sudo \
                openjdk-8-jdk zlib1g:i386 libtinfo5:i386 libstdc++6:i386 libgcc1:i386 \
                libc6:i386 libssl-dev nasm binutils-multiarch qtdeclarative5-dev libpixman-1-dev \
                libglib2.0-dev debian-archive-keyring debootstrap libtool libreadline-dev cmake \
                libffi-dev libxslt1-dev libxml2-dev

pip install angr==9.2.18 ipython==8.5.0 ipdb==0.13.9

Use

Copyright (C) 2023 zeze-zeze

Source: https://github.com/zeze-zeze/

Tags: detect Windows Driver Model drivers vulnerabilityioctlanceWindows Driver Model drivers vulnerability