IOCTLance
Presented at CODE BLUE 2023 under the title Enhanced Vulnerability Hunting in WDM Drivers with Symbolic Execution and Taint Analysis, this project introduces IOCTLance, a tool that combines symbolic execution and taint analysis to detect various vulnerability types in Windows Driver Model (WDM) drivers. In an evaluation covering 104 known vulnerable WDM drivers and 328 unknown ones, IOCTLance uncovered 117 previously unidentified vulnerabilities in 26 distinct drivers. As a result, 41 CVEs were reported: 25 cases of denial of service, 5 of insufficient access control, and 11 of elevation of privilege.
Features
Target Vulnerability Types
- map physical memory
- controllable process handle
- buffer overflow
- null pointer dereference
- read/write controllable address
- arbitrary shellcode execution
- arbitrary wrmsr
- arbitrary out
- dangerous file operation
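Two of the classes above, null pointer dereference and buffer overflow, as they arise in a METHOD_BUFFERED IOCTL handler, shown as an added user-mode C model that is not IOCTLance code or a real driver; the IOCTL_REQUEST struct, the SET_VALUE_INPUT layout and the status constants are simplified stand-ins for the WDM fields named in the comments.

```c
/* Added example (not IOCTLance code): user-mode model of the checks a WDM
 * IOCTL handler must make before touching request buffers. A real driver
 * reads these fields from the IRP and its current stack location. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STATUS_SUCCESS           0x00000000u
#define STATUS_BUFFER_TOO_SMALL  0xC0000023u
#define STATUS_INVALID_PARAMETER 0xC000000Du

/* Hypothetical input layout for a "set value" IOCTL. */
typedef struct { uint32_t index; uint32_t value; } SET_VALUE_INPUT;

/* Stand-in for the request fields a METHOD_BUFFERED handler sees. */
typedef struct {
    void    *system_buffer;  /* Irp->AssociatedIrp.SystemBuffer; NULL when lengths are 0 */
    uint32_t input_length;   /* Parameters.DeviceIoControl.InputBufferLength            */
    uint32_t output_length;  /* Parameters.DeviceIoControl.OutputBufferLength           */
} IOCTL_REQUEST;

static uint32_t g_table[16];

/* Vulnerable form: trusts the caller-controlled length and index.
 * input_length == 0 -> system_buffer is NULL -> null pointer dereference.
 * index >= 16       -> write past g_table     -> buffer overflow.           */
uint32_t handle_set_value_unchecked(IOCTL_REQUEST *req) {
    SET_VALUE_INPUT *in = (SET_VALUE_INPUT *)req->system_buffer;
    g_table[in->index] = in->value;
    return STATUS_SUCCESS;
}

/* Hardened form: validate the length before the cast and the index before the write. */
uint32_t handle_set_value_checked(IOCTL_REQUEST *req) {
    if (req->system_buffer == NULL || req->input_length < sizeof(SET_VALUE_INPUT))
        return STATUS_BUFFER_TOO_SMALL;
    SET_VALUE_INPUT in;
    memcpy(&in, req->system_buffer, sizeof in);  /* local copy: the checked index is the one used */
    if (in.index >= sizeof g_table / sizeof g_table[0])
        return STATUS_INVALID_PARAMETER;
    g_table[in.index] = in.value;
    return STATUS_SUCCESS;
}

/* Accessor used by the tests. */
uint32_t table_value(uint32_t i) { return g_table[i]; }
```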
Optional Customizations
- length limit
- loop bound
- total timeout
- IoControlCode timeout
- recursion
- symbolize data section
Build
Docker
git clone https://github.com/zeze-zeze/ioctlance.git
docker build .
Local
dpkg --add-architecture i386
apt-get update
apt-get install git build-essential python3 python3-pip python3-dev htop vim sudo \
                openjdk-8-jdk zlib1g:i386 libtinfo5:i386 libstdc++6:i386 libgcc1:i386 \
                libc6:i386 libssl-dev nasm binutils-multiarch qtdeclarative5-dev libpixman-1-dev \
                libglib2.0-dev debian-archive-keyring debootstrap libtool libreadline-dev cmake \
                libffi-dev libxslt1-dev libxml2-dev

pip install angr==9.2.18 ipython==8.5.0 ipdb==0.13.9
Use
Copyright (C) 2023 zeze-zeze
Source: https://github.com/zeze-zeze/
