[InvokeStatic]

Hi,

There's a pesky driver that is packed with VMProtect that I would like to analyze (I'm pretty sure the author of it is a member of this forum :D ). I can't imagine there is any utility to do this in usermode, so I guess there is really only one way to go about doing this - cause a bugcheck and parse out the dump file.

Are there any utilities designed for this purpose (i.e. parse the dump file and isolate the driver), or are there other ways to dump the driver?

Thanks.

[Vrtule]

If you want to extract the driver from a dump file, you may succeed with the following:
1) Open the crash dump in WinDbg,
2) find the target driver base address and size (the lm command should to the job),
3) .writemem <filename> <driverbase> L <driversize>.

[r0ar]

If the driver is loaded, it might be possible to take a memory dump of the system and use Volatility's modscan/moddump to extract the driver.

[Buster_BSA]

Check if this is what you are looking for:

http://www.kernelmode.info/forum/viewto ... lit=Drvmon

[EP_X0FF]

@Buster_BSA

OP want driver from memory, assume he already have a file. So DrvMon won't make any help here.

@InvokeStatic

You can dump whole physical memory for example with win32dd (now moonsols) and look for driver in it. Or you can force bugcheck with full kernel dump option. However since you are talking about VMProtect, what you will have in the end will be likely the same virtualized code.

[InvokeStatic]

@InvokeStatic

You can dump whole physical memory for example with win32dd (now moonsols) and look for driver in it. Or you can force bugcheck with full kernel dump option. However since you are talking about VMProtect, what you will have in the end will be likely the same virtualized code.

The driver does some pretty intensive tasks so I'm pretty sure most of it is not virtualized. Plus all I really need to see is what calls it makes.