A forum for reverse engineering, OS internals and malware analysis 

 #25844  by InvokeStatic
 Mon May 11, 2015 3:27 pm
Hi,

There's a pesky driver that is packed with VMProtect that I would like to analyze (I'm pretty sure the author of it is a member of this forum :D ). I can't imagine there is any utility to do this in usermode, so I guess there is really only one way to go about doing this - cause a bugcheck and parse out the dump file.

Are there any utilities designed for this purpose (i.e. parse the dump file and isolate the driver), or are there other ways to dump the driver?

Thanks.
 #25845  by Vrtule
 Mon May 11, 2015 3:57 pm
If you want to extract the driver from a dump file, you may succeed with the following:
1) Open the crash dump in WinDbg,
2) find the target driver's base address and size (the lm command should do the job),
3) .writemem <filename> <driverbase> L <driversize>.
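The file that step 3 produces is a memory-layout image: every section sits at its RVA, so the PointerToRawData/SizeOfRawData values in the section table still describe the on-disk layout and no longer match where the bytes actually are, and ImageBase still holds the link-time value rather than the address from lm. The script below is an added example (not Vrtule's code and not part of this thread) that rewrites the section table so file offset == RVA, patches ImageBase to the load address, and copes with a capture that was cut short of SizeOfImage. It assumes the dump begins exactly at the driver base (which is what `.writemem <driverbase> L <driversize>` gives you) and uses only the standard PE header layout; the sample image it builds is constructed for demonstration and is not a real driver. The same fix-up applies to any other raw in-memory PE capture. Note that imports in a loaded driver are already resolved, so the IAT contains absolute kernel addresses; with ImageBase set to the real load address a disassembler at least sees them as pointers into the right range.

```python
"""Rebuild a memory-layout PE capture (e.g. WinDbg .writemem output) into a
disk-layout PE so static tools load it correctly. Added example; standard
library only. Assumes the dump starts at the driver's image base."""
import struct
import sys

DOS_MAGIC = 0x5A4D          # 'MZ'
PE_MAGIC = 0x00004550       # 'PE\0\0'
SECTION_HDR = 40            # sizeof(IMAGE_SECTION_HEADER)


def _align_up(value, alignment):
    return (value + alignment - 1) & ~(alignment - 1)


def _pe_layout(buf):
    """Locate the COFF header, optional header and section table."""
    if len(buf) < 0x40 or struct.unpack_from('<H', buf, 0)[0] != DOS_MAGIC:
        raise ValueError('no MZ header at offset 0 (dump must start at the driver base)')
    e_lfanew = struct.unpack_from('<I', buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or struct.unpack_from('<I', buf, e_lfanew)[0] != PE_MAGIC:
        raise ValueError('PE signature not found')
    coff = e_lfanew + 4
    nsec, = struct.unpack_from('<H', buf, coff + 2)        # NumberOfSections
    opt_size, = struct.unpack_from('<H', buf, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20
    magic, = struct.unpack_from('<H', buf, opt)
    if magic == 0x10B:        # PE32: ImageBase is a DWORD at +28
        ib_off, ib_fmt = opt + 28, '<I'
    elif magic == 0x20B:      # PE32+: ImageBase is a QWORD at +24
        ib_off, ib_fmt = opt + 24, '<Q'
    else:
        raise ValueError('unexpected optional header magic 0x%x' % magic)
    sec_align, file_align = struct.unpack_from('<II', buf, opt + 32)
    return dict(nsec=nsec, ib_off=ib_off, ib_fmt=ib_fmt, sec_align=sec_align,
                file_align=file_align, sec_table=opt + opt_size)


def sections(buf):
    """[(name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)]"""
    lay = _pe_layout(buf)
    out = []
    for i in range(lay['nsec']):
        off = lay['sec_table'] + i * SECTION_HDR
        name = bytes(buf[off:off + 8]).rstrip(b'\0').decode('ascii', 'replace')
        vsize, va, rawsize, rawptr = struct.unpack_from('<IIII', buf, off + 8)
        out.append((name, va, vsize, rawptr, rawsize))
    return out


def image_base(buf):
    lay = _pe_layout(buf)
    return struct.unpack_from(lay['ib_fmt'], buf, lay['ib_off'])[0]


def rebuild_pe_from_memory(image, load_base=None):
    """Return a disk-layout PE built from a memory-layout capture.

    Each section's raw pointer becomes its RVA and its raw size the
    file-aligned VirtualSize, clipped to what was actually dumped. A section
    that lies past the end of a truncated capture gets SizeOfRawData = 0 so a
    loader does not read garbage. ImageBase is optionally set to load_base.
    """
    buf = bytearray(image)
    lay = _pe_layout(buf)
    for i in range(lay['nsec']):
        off = lay['sec_table'] + i * SECTION_HDR
        vsize, va = struct.unpack_from('<II', buf, off + 8)
        if va >= len(buf):
            raw_size = 0                                   # not captured
        else:
            raw_size = min(_align_up(vsize, lay['file_align']), len(buf) - va)
        struct.pack_into('<II', buf, off + 16, raw_size, va)   # SizeOfRawData, PointerToRawData
    if load_base is not None:
        struct.pack_into(lay['ib_fmt'], buf, lay['ib_off'], load_base)
    return bytes(buf)


def build_sample_memory_image():
    """Constructed sample (not a real driver): a minimal PE32+ as it would sit
    in memory, with stale on-disk PointerToRawData values so the fix-up shows."""
    sec_align, file_align, size_of_image = 0x1000, 0x200, 0x3000
    secs = [(b'.text', 0x1000, 0x321), (b'.data', 0x2000, 0x40)]
    img = bytearray(size_of_image)
    e_lfanew, opt_size = 0x80, 0xF0
    struct.pack_into('<H', img, 0, DOS_MAGIC)
    struct.pack_into('<I', img, 0x3C, e_lfanew)
    struct.pack_into('<I', img, e_lfanew, PE_MAGIC)
    coff = e_lfanew + 4
    struct.pack_into('<HHIIIHH', img, coff, 0x8664, len(secs), 0, 0, 0, opt_size, 0x22)
    opt = coff + 20
    struct.pack_into('<H', img, opt, 0x20B)
    struct.pack_into('<Q', img, opt + 24, 0x10000)                # link-time ImageBase
    struct.pack_into('<II', img, opt + 32, sec_align, file_align)
    struct.pack_into('<II', img, opt + 56, size_of_image, 0x400)  # SizeOfImage, SizeOfHeaders
    for i, (name, va, vsize) in enumerate(secs):
        off = opt + opt_size + i * SECTION_HDR
        img[off:off + len(name)] = name
        struct.pack_into('<IIII', img, off + 8, vsize, va,
                         _align_up(vsize, file_align), 0x400 + i * 0x400)  # stale raw ptr
        img[va:va + vsize] = bytes([0x90 + i]) * vsize               # filler, not real code
    return bytes(img)


if __name__ == '__main__':
    if len(sys.argv) == 4:   # fixdump.py <dump.bin> <base_hex> <out.sys>
        data = open(sys.argv[1], 'rb').read()
        open(sys.argv[3], 'wb').write(rebuild_pe_from_memory(data, int(sys.argv[2], 16)))
    else:
        fixed = rebuild_pe_from_memory(build_sample_memory_image(), 0xFFFFF8800123A000)
        for s in sections(fixed):
            print('%-8s VA=%#x VSize=%#x RawPtr=%#x RawSize=%#x' % s)
```

Run it on the .writemem output with the base address from lm to get a file IDA or pefile will load with the right offsets; run it without arguments to see the fix-up on the constructed sample.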
 #25847  by r0ar
 Mon May 11, 2015 8:54 pm
If the driver is loaded, it might be possible to take a memory dump of the system and use Volatility's modscan/moddump to extract the driver.
 #25849  by EP_X0FF
 Tue May 12, 2015 3:33 am
@Buster_BSA

OP wants the driver from memory; assume he already has the file. So DrvMon won't be of any help here.

@InvokeStatic

You can dump the whole physical memory, for example with win32dd (now MoonSols), and look for the driver in it. Or you can force a bugcheck with the full kernel dump option. However, since you are talking about VMProtect, what you will have in the end will likely be the same virtualized code.
 #25851  by InvokeStatic
 Tue May 12, 2015 2:46 pm
EP_X0FF wrote:
@InvokeStatic

You can dump the whole physical memory, for example with win32dd (now MoonSols), and look for the driver in it. Or you can force a bugcheck with the full kernel dump option. However, since you are talking about VMProtect, what you will have in the end will likely be the same virtualized code.
The driver does some pretty intensive tasks, so I'm pretty sure most of it is not virtualized. Plus, all I really need to see is what calls it makes.