 #1495  by Fyyre
 Tue Jul 13, 2010 8:08 pm
DrvMon v1.2
by Fyyre & EP_X0FF


The DrvMon tool monitors the system for new drivers and saves them to a directory of your choice.

We created this to make it easy to save drivers from certain types of rootkit malware, which
erase the driver immediately after loading.

Updated to version 1.2 (attached).
Attachments:
v1.2 (17.23 KiB) Downloaded 336 times
v1.1 (7.89 KiB) Downloaded 136 times
Last edited by EP_X0FF on Sun Nov 28, 2010 7:46 am, edited 2 times in total. Reason: updated post for 1.2
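The post above only describes what DrvMon does, not how. The following is an added example, not DrvMon's code and not anything its authors posted: a user-mode approximation of the same idea for Windows, which polls the kernel's loaded-image list with the documented psapi calls EnumDeviceDrivers and GetDeviceDriverFileNameW, translates the NT-style path of any driver that was not loaded on the previous poll, and copies the file to an output directory. The function names, the output-directory argument and the polling interval are this example's own choices. It also gives colliding driver names distinct output files, the limitation raised later in this thread. The caveat a practitioner should keep in mind: a poller can only copy a file that still exists, so a rootkit that unlinks its driver in the same breath as loading it will often win the race; that is exactly the case the tool was written for, and closing that window needs a kernel-side hook that observes or stalls the load itself.

```python
"""Added example (not DrvMon's code): user-mode driver-capture monitor for Windows.

Each poll snapshots the kernel's loaded-image list via EnumDeviceDrivers /
GetDeviceDriverFileNameW (psapi.dll), translates the NT path of every driver that
was not present last time, and copies the file into the output directory.
normalize_driver_path, new_drivers and capture_name are pure Python and run
anywhere; only loaded_driver_paths() and run_monitor() need Win32.
"""
import ctypes
import os
import shutil
import sys
import time
from typing import Optional


def normalize_driver_path(raw: str, system_root: str = r"C:\Windows") -> Optional[str]:
    """Turn the NT-style path reported by GetDeviceDriverFileNameW into a Win32 path.

    Returns None for forms this example does not map (e.g. \\Device\\HarddiskVolumeN\\...).
    """
    lower = raw.lower()
    if raw.startswith("\\??\\"):                         # \??\C:\dir\x.sys -> C:\dir\x.sys
        return raw[4:]
    if lower.startswith("\\systemroot\\"):               # \SystemRoot\... -> %SystemRoot%\...
        return system_root.rstrip("\\") + "\\" + raw[len("\\SystemRoot\\"):]
    if lower.startswith("\\windows\\"):                  # root-relative, no drive letter:
        has_drive = len(system_root) > 1 and system_root[1] == ":"
        return (system_root[:2] if has_drive else "C:") + raw   # assume the system drive
    if len(raw) > 1 and raw[1] == ":":                   # already a drive-letter path
        return raw
    return None


def new_drivers(previous: set, current: set) -> list:
    """Raw paths present in this snapshot but not in the previous one, in stable order."""
    return sorted(current - previous)


def capture_name(src_path: str, used: set) -> str:
    """Choose an output file name that does not overwrite an earlier capture of the
    same driver name (foo.sys, foo_1.sys, foo_2.sys, ...). `used` is updated in place."""
    base = os.path.basename(src_path.replace("\\", "/"))
    name, ext = os.path.splitext(base)
    candidate, n = base, 1
    while candidate.lower() in used:
        candidate = f"{name}_{n}{ext}"
        n += 1
    used.add(candidate.lower())
    return candidate


def loaded_driver_paths() -> set:
    """Snapshot of the kernel's loaded image list as reported by psapi (Windows only)."""
    psapi = ctypes.WinDLL("psapi")
    psapi.EnumDeviceDrivers.argtypes = [ctypes.c_void_p, ctypes.c_ulong,
                                        ctypes.POINTER(ctypes.c_ulong)]
    psapi.GetDeviceDriverFileNameW.argtypes = [ctypes.c_void_p, ctypes.c_wchar_p,
                                               ctypes.c_ulong]
    needed = ctypes.c_ulong(0)
    psapi.EnumDeviceDrivers(None, 0, ctypes.byref(needed))   # size query only
    count = needed.value // ctypes.sizeof(ctypes.c_void_p)
    bases = (ctypes.c_void_p * count)()
    if not psapi.EnumDeviceDrivers(ctypes.cast(bases, ctypes.c_void_p),
                                   ctypes.sizeof(bases), ctypes.byref(needed)):
        raise ctypes.WinError()
    paths, buf = set(), ctypes.create_unicode_buffer(1024)
    for base in bases:
        if base and psapi.GetDeviceDriverFileNameW(base, buf, len(buf)):
            paths.add(buf.value)
    return paths


def run_monitor(out_dir: str, interval: float = 0.05) -> None:
    """Poll forever; copy every newly loaded driver image into out_dir."""
    os.makedirs(out_dir, exist_ok=True)
    system_root = os.environ.get("SystemRoot", r"C:\Windows")
    used, seen = set(), loaded_driver_paths()
    print(f"[*] baseline: {len(seen)} drivers loaded; polling every {interval}s")
    while True:
        time.sleep(interval)
        current = loaded_driver_paths()
        for raw in new_drivers(seen, current):
            src = normalize_driver_path(raw, system_root)
            if src is None:
                print(f"[-] cannot translate {raw}; not copied")
                continue
            dst = os.path.join(out_dir, capture_name(src, used))
            try:
                shutil.copy2(src, dst)
                print(f"[+] saved {raw} -> {dst}")
            except OSError as exc:
                # Race lost: a driver that erases itself right after loading is
                # already gone by the time a poller sees it.
                print(f"[-] could not copy {raw}: {exc}")
        seen = current


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run_monitor() needs Windows (psapi)")
    run_monitor(sys.argv[1] if len(sys.argv) > 1 else r"C:\drvmon_out")
```

Run it as an administrator before triggering the sample; the 50 ms interval is a trade-off between CPU cost and the width of the window a self-deleting driver can slip through, and no interval is small enough for a loader that unlinks the file before NtLoadDriver returns.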
 #1496  by NOP
 Tue Jul 13, 2010 10:29 pm
Great work guys, grabs TDL driver nicely. :D
 #1498  by Meriadoc
 Wed Jul 14, 2010 12:01 am
Thanks guys, nice work, less trouble :) works well.
 #1500  by EP_X0FF
 Wed Jul 14, 2010 12:47 am
Thanks :) We did it a long time ago to save some time while reversing rootkits.
If you find any bugs, please report them and we will try to fix them ASAP.
 #1503  by STRELiTZIA
 Wed Jul 14, 2010 8:14 am
Very useful tool, thanks :)
EP_X0FF wrote: "We did it a long time ago to save some time while reversing rootkits"
And poor me :oops: who pauses each time at a breakpoint on CreateFileA and WriteFile to catch the rootkit's driver :(
 #1504  by Brookit
 Wed Jul 14, 2010 10:01 am
Useful and handy tool, thank you.

Same driver twice in file? Intended?
 #1505  by EP_X0FF
 Wed Jul 14, 2010 11:04 am
Yes, same-named drivers will be dumped to one file. This can be changed in the next version :)
 #1533  by Dreg
 Thu Jul 15, 2010 2:09 am
Nice work guys! :-)
 #1541  by __Genius__
 Thu Jul 15, 2010 8:36 am
Hi, good job, thanks Fyyre & EP_X0FF.
Worth it to catch malware ;)
 #1544  by Vrtule
 Thu Jul 15, 2010 12:25 pm
Hello,

that's a nice tool. I previously used an SSDT hook on NtLoadDriver to catch drivers being loaded. The hook handler called KeDelayExecutionThread and waited for a few seconds, so I had a chance to copy the driver file to a safe place :-).