A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #10372  by bug0
 Thu Dec 15, 2011 9:45 am

Driver Radar Pro is a very useful utility with a very simplified GUI which not only helps you permit/deny the loading of kernel mode drivers via secure whitelisting methods but also lets you copy the to-be-loaded driver file to a user-specified location. Malware analysis can easily be sped up by what Driver Radar Pro offers, or perhaps you just want to make sure only whitelisted drivers and protected system drivers are allowed to be loaded… Driver Radar to the rescue!

Features

* Detailed info about to-be-loaded drivers
* Lightweight in memory
* Manage whitelisted drivers
* Monitor loading of kernel mode drivers
* Save drivers as MD5 hash name
* Save drivers to custom folder
* Save Logs to File
* Secure whitelisting methods
* Start with Windows
* Very user-friendly GUI

Driver Radar Pro is compatible with the following 32-bit Microsoft Windows Operating Systems: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7

Download (Installer and Portable):
http://www.novirusthanks.org/product/driver-radar-pro/
 #12366  by STRELiTZIA
 Tue Mar 27, 2012 12:55 pm
Hello,
Tested and bypassed by loading a test driver from a long path:
C:\123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF\_lmtreached.sys
Attached: Flash movie and PoC...

Regards
 #12368  by Brock
 Tue Mar 27, 2012 7:54 pm
Strelitzia, see here too: http://www.kernelmode.info/forum/viewto ... n&start=20 . All current public tools which use load image notify routines and overwrite driver entrypoints are affected.

AddressOfEntryPoint of a driver can be set to zero and a jmp is placed directly after IMAGE_DOS_SIGNATURE in the driver to the real original entrypoint RVA; the driver checksum is then recalculated. This is much harder to fix than a filename being truncated through ImageInfo->FileName, because the filename means nothing and the driver can still be denied through your PoC since it still has a valid AddressOfEntryPoint field, from what I see on my end.
 #12372  by bug0
 Tue Mar 27, 2012 11:10 pm
STRELiTZIA, thanks for reporting this issue, it has been fixed now:

[27-03-2012] - v1.3.1.0

+ Fixed logic error in filename handling where drivers which exceed a maximum path of MAX_PATH characters (259 + NULL) could be loaded
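A user-mode sketch of the two checks this thread circles around, added here as an illustration; it is not code from the thread and not the Driver Radar Pro implementation (which does its work in a kernel load-image notify routine). It assumes the allow/deny decision is keyed on the image's content hash rather than on the path string (the feature list mentions MD5-named copies, but the thread does not say how the whitelist matches), and it flags the two header markers Brock describes: AddressOfEntryPoint set to zero and a jmp opcode sitting directly behind the 'MZ' signature. `parse_pe`, `entry_point_anomalies`, `vet_driver`, `build_minimal_pe`, the sample images and `LONG_PATH` are all constructed for this example.

```python
import hashlib
import struct

# Win32 MAX_PATH: 259 characters plus the terminating NUL (the figure the changelog cites)
MAX_PATH = 260


def parse_pe(data: bytes) -> dict:
    """Pull out the header fields a load-image filter would inspect:
    e_lfanew, AddressOfEntryPoint and the bytes directly behind 'MZ'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing IMAGE_DOS_SIGNATURE")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing IMAGE_NT_SIGNATURE")
    # 4-byte signature, 20-byte IMAGE_FILE_HEADER, then IMAGE_OPTIONAL_HEADER;
    # AddressOfEntryPoint is at offset 16 of the optional header for PE32 and PE32+.
    optional = e_lfanew + 4 + 20
    if optional + 20 > len(data):
        raise ValueError("truncated IMAGE_OPTIONAL_HEADER")
    entry = struct.unpack_from("<I", data, optional + 16)[0]
    return {"e_lfanew": e_lfanew, "entry_point": entry, "after_mz": data[2:7]}


def entry_point_anomalies(data: bytes) -> list:
    """Heuristics for the pattern Brock describes: zeroed AddressOfEntryPoint
    plus a jmp stub parked right after the DOS signature."""
    info = parse_pe(data)
    findings = []
    if info["entry_point"] == 0:
        findings.append("AddressOfEntryPoint is 0")
    if info["after_mz"][:1] in (b"\xE9", b"\xEB"):  # near / short jmp opcodes
        findings.append("jmp opcode directly after IMAGE_DOS_SIGNATURE")
    return findings


def vet_driver(path: str, data, allowed_md5: set) -> dict:
    """Allow/deny keyed on image content, never on the path string, so a path
    longer than MAX_PATH changes nothing except the log line; anything that
    cannot be read or parsed is denied (fail closed)."""
    result = {"path_len": len(path), "path_exceeds_max_path": len(path) > MAX_PATH - 1,
              "md5": None, "anomalies": [], "allow": False, "reason": ""}
    if data is None:
        result["reason"] = "image unreadable; denied"
        return result
    result["md5"] = hashlib.md5(data).hexdigest()
    try:
        result["anomalies"] = entry_point_anomalies(data)
    except ValueError as exc:
        result["reason"] = f"malformed image ({exc}); denied"
        return result
    if result["md5"] in allowed_md5:
        result["allow"] = True
        result["reason"] = "hash whitelisted"
    else:
        result["reason"] = "hash not whitelisted"
        if result["anomalies"]:
            result["reason"] += "; " + ", ".join(result["anomalies"])
    return result


def build_minimal_pe(entry_point: int, after_mz: bytes = b"\x90\x00") -> bytes:
    """Constructed sample: just enough header to be parsed. Not a loadable driver."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[2:2 + len(after_mz)] = after_mz
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    nt = bytearray(4 + 20 + 0xE0)
    nt[0:4] = b"PE\0\0"
    struct.pack_into("<H", nt, 4, 0x14C)               # Machine: i386
    struct.pack_into("<H", nt, 20, 0xE0)               # SizeOfOptionalHeader
    struct.pack_into("<H", nt, 24, 0x10B)              # Magic: PE32
    struct.pack_into("<I", nt, 24 + 16, entry_point)   # AddressOfEntryPoint
    return bytes(dos + nt)


# Constructed inputs: a header-only "clean" image, one carrying the evasion
# markers, and a path well past MAX_PATH in the spirit of STRELiTZIA's PoC.
CLEAN_IMAGE = build_minimal_pe(0x1000)
PATCHED_IMAGE = build_minimal_pe(0, b"\xE9\x00\x10\x00\x00")
LONG_PATH = "C:\\" + "0123456789ABCDEF" * 20 + "\\test.sys"
ALLOWED = {hashlib.md5(CLEAN_IMAGE).hexdigest()}

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_IMAGE), ("patched", PATCHED_IMAGE)):
        r = vet_driver(LONG_PATH, image, ALLOWED)
        print(f"{name}: allow={r['allow']} path_len={r['path_len']} "
              f"exceeds_max_path={r['path_exceeds_max_path']} reason={r['reason']}")
    print("unreadable:", vet_driver("C:\\missing.sys", None, ALLOWED)["reason"])
```

The point of keying on the hash is the one Brock makes: the filename means nothing, so a long or truncated path must never be what decides the load, and a path the tool cannot process should deny rather than fall through. The anomaly list is for the log, not the verdict; a whitelisted hash already pins the exact bytes, so a re-patched entry point would show up as a different hash. MD5 is used only because it is the hash the feature list names; a whitelist built today should use SHA-256, and the real check belongs in the kernel callback registered with PsSetLoadImageNotifyRoutine.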