╔═══════════════════════════════════════════════════════════════╗
║ DriverBuddy ║
║ Windows Kernel Driver Analysis Toolkit ║
║ ║
║ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ║
╚═══════════════════════════════════════════════════════════════╝
DriverBuddy is a comprehensive toolkit for analyzing Windows kernel drivers across multiple reverse engineering platforms. It automates tedious aspects of driver analysis, helping security researchers identify potential vulnerabilities and understand driver behavior more efficiently.
Supported platforms:
- IDA Pro 7.x+ (Python 3)
- Ghidra 10.x+
- Binary Ninja 3.x+
- Radare2 5.x+
Features:
☠ Automated driver type identification (WDM, WDF, Mini-Filter, NDIS)
☠ DispatchDeviceControl and DispatchInternalDeviceControl location
☠ Automatic IOCTL code discovery and decoding
☠ Detection of dangerous C/C++ functions (buffer overflows, etc.)
☠ Windows API function identification and analysis
☠ WDM structure labeling (IRP, IO_STACK_LOCATION, DEVICE_OBJECT)
☠ WDF function pointer identification and labeling
☠ Cross-reference tracking for security-sensitive functions
Installation (IDA Pro):
- Copy DriverBuddy.py and the DriverBuddy/ folder to your IDA plugins directory:
  - Windows: C:\Program Files\IDA Pro 7.x\plugins\
  - Linux: ~/.idapro/plugins/
  - macOS: ~/Library/Application Support/IDA Pro/plugins/
- Restart IDA Pro
Installation (Ghidra):
- Open the Ghidra Script Manager (Window → Script Manager)
- Click the "Script Directories" button
- Add the directory containing DriverBuddy_Ghidra.py
- Refresh the script list
Installation (Binary Ninja):
- Copy DriverBuddy_BinaryNinja.py to your Binary Ninja plugins directory:
  - Windows: %APPDATA%\Binary Ninja\plugins\
  - Linux: ~/.binaryninja/plugins/
  - macOS: ~/Library/Application Support/Binary Ninja/plugins/
- Restart Binary Ninja
Installation (Radare2):
- Install r2pipe: pip3 install r2pipe
- Load the script when starting radare2:
  r2 -i DriverBuddy_Radare2.py driver.sys
- Or run it from the r2 console:
  #!pipe python3 DriverBuddy_Radare2.py
Usage (IDA Pro):
☠ Method 1: Edit → Plugins → Driver Buddy
☠ Method 2: Press Ctrl+Alt+D
☠ Decode IOCTL: Highlight a suspected IOCTL value and press Ctrl+Alt+I
Example Output:
╔═══════════════════════════════════════════════════════════════╗
║ DriverBuddy for IDA Pro ║
║ Windows Kernel Driver Analysis ║
║ ║
║ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ☠ ║
╚═══════════════════════════════════════════════════════════════╝
[+] Welcome to Driver Buddy
[+] DriverEntry found
[+] Driver type detected: WDM
[+] Found DispatchDeviceControl 0x00011234
[+] Found strcpy with 3 references
[+] Found IOCTL: 0x00222004
Device : 0x0022
Function : 0x801
Method : METHOD_BUFFERED
Access : FILE_ANY_ACCESS
Usage (Ghidra):
- Open your Windows driver in Ghidra
- Open Script Manager (Window → Script Manager)
- Run DriverBuddy_Ghidra.py
- Check the console output for analysis results
Usage (Binary Ninja):
- Open your Windows driver in Binary Ninja
- Navigate to Plugins → DriverBuddy → Analyze Driver
- View results in the log window
Usage (Radare2):
# Method 1: Load driver and run script
r2 -i DriverBuddy_Radare2.py driver.sys
# Method 2: Run from r2 console
r2 driver.sys
[0x00000000]> aaa
[0x00000000]> #!pipe python3 DriverBuddy_Radare2.py
Supported driver types:
☠ WDM (Windows Driver Model)
☠ WDF (Windows Driver Framework)
☠ Mini-Filter (File System Filter)
☠ NDIS (Network Driver Interface Specification)
DriverBuddy automatically decodes Windows I/O Control codes to reveal:
- Device Type: The type of device the IOCTL is intended for
- Function Code: The specific operation being requested
- Transfer Method: How data is transferred (buffered, direct, neither)
- Access Rights: Required access permissions
Example:
[+] IOCTL: 0x00222004
Device : FILE_DEVICE_UNKNOWN (0x0022)
Function : 0x801
Method : METHOD_BUFFERED
Access : FILE_ANY_ACCESS
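The four fields above come straight out of the CTL_CODE bit layout (DeviceType in bits 31..16, Access in 15..14, Function in 13..2, Method in 1..0). The decoder below is an added example written for this page, not DriverBuddy's own ioctl.py: it decodes and re-encodes a code, and attaches the notes a reviewer wants next to each IOCTL (METHOD_NEITHER means raw user pointers, FILE_ANY_ACCESS means any handle holder can send it). The FILE_DEVICE_* table is a deliberately partial subset of the WDK constants, so unlisted types are reported by number rather than name.

```python
"""Decode and encode Windows IOCTL codes using the documented CTL_CODE layout.

Added example, not DriverBuddy's ioctl.py. DEVICE_TYPES is a partial subset of
the WDK FILE_DEVICE_* constants (assumption: enough for illustration); values
of 0x8000 and above are vendor-defined by convention.
"""

DEVICE_TYPES = {
    0x0007: "FILE_DEVICE_DISK",
    0x000B: "FILE_DEVICE_KEYBOARD",
    0x000F: "FILE_DEVICE_MOUSE",
    0x0011: "FILE_DEVICE_NAMED_PIPE",
    0x0012: "FILE_DEVICE_NETWORK",
    0x0017: "FILE_DEVICE_PHYSICAL_NETCARD",
    0x001B: "FILE_DEVICE_SERIAL_PORT",
    0x0022: "FILE_DEVICE_UNKNOWN",
    0x0023: "FILE_DEVICE_VIDEO",
    0x002D: "FILE_DEVICE_MASS_STORAGE",
}
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
          3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}


def ctl_code(device_type, function, method, access):
    """Same arithmetic as the WDK CTL_CODE macro."""
    if not (0 <= device_type <= 0xFFFF and 0 <= function <= 0xFFF
            and 0 <= method <= 3 and 0 <= access <= 3):
        raise ValueError("CTL_CODE field out of range")
    return (device_type << 16) | (access << 14) | (function << 2) | method


def device_type_name(device_type):
    if device_type >= 0x8000:
        return "vendor-defined (0x%04X)" % device_type
    return DEVICE_TYPES.get(device_type, "unlisted (0x%04X)" % device_type)


def decode_ioctl(code):
    """Split a 32-bit IOCTL into its fields and attach review notes."""
    code &= 0xFFFFFFFF
    device_type = code >> 16
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    notes = []
    if method == 3:
        notes.append("METHOD_NEITHER: buffers are raw user pointers; handler must "
                     "ProbeForRead/ProbeForWrite inside __try")
    if access == 0:
        notes.append("FILE_ANY_ACCESS: any caller that can open the device can send it")
    if function < 0x800:
        notes.append("function code below 0x800 is reserved for Microsoft-defined IOCTLs")
    return {
        "code": code,
        "device_type": device_type,
        "device_name": device_type_name(device_type),
        "function": function,
        "method": METHODS[method],
        "access": ACCESS[access],
        "notes": notes,
    }


def format_ioctl(code):
    """Render in the same shape as DriverBuddy's console output."""
    d = decode_ioctl(code)
    lines = [
        "[+] IOCTL: 0x%08X" % d["code"],
        "    Device   : %s (0x%04X)" % (d["device_name"], d["device_type"]),
        "    Function : 0x%03X" % d["function"],
        "    Method   : %s" % d["method"],
        "    Access   : %s" % d["access"],
    ]
    lines += ["    Note     : " + n for n in d["notes"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_ioctl(0x00222004))   # the README's example code
    print(format_ioctl(0x0022E003))   # METHOD_NEITHER, read+write, function 0x800
```

Running it on 0x00222004 reproduces the README's decode (FILE_DEVICE_UNKNOWN, function 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS); feeding it a METHOD_NEITHER code is the quickest way to shortlist the handlers that must be doing their own probing.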
Dangerous C/C++ functions flagged:
☠ Buffer Overflow Prone: strcpy, strcat, sprintf, gets
☠ Memory Operations: memcpy, RtlCopyMemory
☠ Format String Issues: scanf, printf variants
Windows API functions identified:
☠ Access Control: SeAccessCheck, SeQueryAuthenticationIdToken
☠ Device Management: IoRegisterDeviceInterface, IoCreateDevice
☠ Object Management: ObReferenceObject, ObDereferenceObject
☠ System Calls: Zw* functions (ZwCreateFile, ZwOpenKey, etc.)
☠ Process/Thread: PsCreateSystemThread, PsLookupProcessByProcessId
Project layout:
DriverBuddy/
├── __init__.py # Module initialization
├── data.py # Driver structure and function analysis
├── ioctl.py # IOCTL decoding logic
├── wdm.py # WDM-specific analysis
└── wdf.py # WDF-specific analysis (function table parsing)
DriverBuddy locates the DispatchDeviceControl function by:
- Finding the DriverEntry function
- Analyzing assignments to DRIVER_OBJECT.MajorFunction[0x0E] (IRP_MJ_DEVICE_CONTROL)
- Following references to identify the actual dispatch handler
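The displacement that makes this work is fixed by the DRIVER_OBJECT layout: MajorFunction starts at +0x70 on x64 (+0x38 on x86), so the store for IRP_MJ_DEVICE_CONTROL lands at [rcx+0E0h] (x86: [eax+70h]). The following is an added example, not DriverBuddy's wdm.py: it computes those offsets and resolves the handler from a constructed x64 DriverEntry fragment by matching the common "lea rax, [rip+handler]; mov [rcx+off], rax" idiom. The sample bytes and the load address are made up for the example; real DriverEntry code often separates the lea from the store or reuses registers, which is why DriverBuddy follows the disassembler's cross-references rather than a byte scan.

```python
"""Resolve MajorFunction handlers from DriverEntry by matching its stores.

Added example, not DriverBuddy's own code. DRIVER_OBJECT offsets are the
documented x86/x64 layouts; the byte patterns cover only the two-instruction
'lea rax, [rip+disp32]; mov [rcx+disp], rax' idiom (assumption for this toy).
"""
import struct

IRP_MJ_DEVICE_CONTROL = 0x0E
IRP_MJ_INTERNAL_DEVICE_CONTROL = 0x0F
DRIVER_OBJECT_DRIVER_UNLOAD = {64: 0x68, 32: 0x34}
DRIVER_OBJECT_MAJOR_FUNCTION = {64: 0x70, 32: 0x38}   # start of the 28-entry table


def majorfunction_offset(index, bits=64):
    """Byte offset of DRIVER_OBJECT.MajorFunction[index]: the displacement in the store."""
    if not 0 <= index <= 0x1B:
        raise ValueError("IRP_MJ index out of range")
    return DRIVER_OBJECT_MAJOR_FUNCTION[bits] + index * (bits // 8)


def _rax_stores_to_rcx(code):
    """Yield (index, displacement) for 'mov [rcx+disp], rax' in disp8 and disp32 encodings."""
    i = 0
    while i < len(code) - 3:
        if code[i:i + 3] == b"\x48\x89\x41":                     # REX.W mov [rcx+disp8], rax
            yield i, code[i + 3]
        elif code[i:i + 3] == b"\x48\x89\x81" and i + 7 <= len(code):  # disp32 form
            yield i, struct.unpack_from("<I", code, i + 3)[0]
        i += 1


def find_stored_pointer(code, base_va, field_offset):
    """Return the address stored into DRIVER_OBJECT+field_offset, or None.

    Only handles a store immediately preceded by 'lea rax, [rip+disp32]'
    (48 8D 05 disp32); RIP is the address of the instruction after the lea,
    which is exactly where the store begins."""
    for i, disp in _rax_stores_to_rcx(code):
        if disp != field_offset or i < 7:
            continue
        if code[i - 7:i - 4] == b"\x48\x8d\x05":
            rel = struct.unpack_from("<i", code, i - 4)[0]
            return base_va + i + rel
    return None


def find_major_function_handler(code, base_va, irp_mj):
    return find_stored_pointer(code, base_va, majorfunction_offset(irp_mj, 64))


# Constructed x64 DriverEntry fragment (not from a real driver), loaded at 0x140001000:
#   mov  [rsp+8], rbx
#   lea  rax, [rip+0x234]      ; -> 0x140001240  (DispatchDeviceControl)
#   mov  [rcx+0E0h], rax       ; MajorFunction[IRP_MJ_DEVICE_CONTROL]
#   lea  rax, [rip+0x2E6]      ; -> 0x140001300  (DriverUnload)
#   mov  [rcx+68h], rax        ; DriverUnload
#   xor  eax, eax
#   ret
SAMPLE_BASE = 0x140001000
SAMPLE_DRIVER_ENTRY = bytes.fromhex(
    "48895c2408" "488d0534020000" "488981e0000000" "488d05e6020000" "48894168" "33c0" "c3"
)

if __name__ == "__main__":
    print("MajorFunction[0x0E] is at +0x%X on x64, +0x%X on x86"
          % (majorfunction_offset(IRP_MJ_DEVICE_CONTROL), majorfunction_offset(IRP_MJ_DEVICE_CONTROL, 32)))
    handler = find_major_function_handler(SAMPLE_DRIVER_ENTRY, SAMPLE_BASE, IRP_MJ_DEVICE_CONTROL)
    print("[+] Found DispatchDeviceControl 0x%X" % handler)
```

The same lookup with IRP_MJ_INTERNAL_DEVICE_CONTROL (+0xE8) is how the DispatchInternalDeviceControl handler is found; when a driver shares one routine for both, the two stores resolve to the same address.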
For WDM drivers, DriverBuddy automatically identifies and labels:
- IRP (I/O Request Packet): offset-based detection of AssociatedIrp.SystemBuffer and IoStatus.Information
- IO_STACK_LOCATION: identification of Parameters.DeviceIoControl.IoControlCode, InputBufferLength and OutputBufferLength
- DEVICE_OBJECT: detection of the DeviceExtension and Characteristics fields
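Offset-based labelling means recognising that, in a DispatchDeviceControl routine where rdx holds the IRP, `[rdx+0B8h]` is Tail.Overlay.CurrentStackLocation, and that whatever register receives that load then addresses an IO_STACK_LOCATION, so `[r8+18h]` is the IOCTL code. The annotator below is an added example (not DriverBuddy's wdm.py) that applies the documented x64 layouts of IRP, IO_STACK_LOCATION and DEVICE_OBJECT to a constructed IDA-style listing, with that one propagation rule so accesses through the stack-location register are labelled as well.

```python
"""Label x64 WDM structure field accesses by displacement.

Added example, not DriverBuddy's wdm.py. The offset tables are the documented
x64 layouts; SAMPLE_LISTING is a constructed fragment in IDA syntax, assuming
the x64 convention for DispatchDeviceControl (rcx = DeviceObject, rdx = Irp).
"""
import re

IRP_X64 = {
    0x18: "IRP.AssociatedIrp.SystemBuffer",
    0x30: "IRP.IoStatus.Status",
    0x38: "IRP.IoStatus.Information",
    0x70: "IRP.UserBuffer",
    0xB8: "IRP.Tail.Overlay.CurrentStackLocation",
}
IO_STACK_LOCATION_X64 = {
    0x00: "IO_STACK_LOCATION.MajorFunction",
    0x08: "IO_STACK_LOCATION.Parameters.DeviceIoControl.OutputBufferLength",
    0x10: "IO_STACK_LOCATION.Parameters.DeviceIoControl.InputBufferLength",
    0x18: "IO_STACK_LOCATION.Parameters.DeviceIoControl.IoControlCode",
    0x20: "IO_STACK_LOCATION.Parameters.DeviceIoControl.Type3InputBuffer",
}
DEVICE_OBJECT_X64 = {
    0x30: "DEVICE_OBJECT.Flags",
    0x34: "DEVICE_OBJECT.Characteristics",
    0x40: "DEVICE_OBJECT.DeviceExtension",
}
LAYOUTS = {"IRP": IRP_X64, "IO_STACK_LOCATION": IO_STACK_LOCATION_X64,
           "DEVICE_OBJECT": DEVICE_OBJECT_X64}

# IDA-style memory operand: [reg], [reg+18h], [reg+0B8h]
_MEM = re.compile(r"\[(\w+)(?:\+([0-9A-Fa-f]+)h)?\]")


def annotate_listing(lines, regs):
    """Return (line, label) pairs; regs maps a register name to the structure it points to.

    A load from IRP.Tail.Overlay.CurrentStackLocation marks the destination
    register as an IO_STACK_LOCATION pointer for the rest of the listing."""
    regs = {r.lower(): s for r, s in regs.items()}
    out = []
    for line in lines:
        label = None
        parts = line.split(None, 1)
        mnemonic = parts[0].lower() if parts else ""
        operands = parts[1] if len(parts) > 1 else ""
        m = _MEM.search(operands)
        if m:
            base = m.group(1).lower()
            disp = int(m.group(2), 16) if m.group(2) else 0
            struct_name = regs.get(base)
            if struct_name:
                label = LAYOUTS[struct_name].get(disp)
        if mnemonic == "mov" and label == "IRP.Tail.Overlay.CurrentStackLocation":
            dst, src = [o.strip() for o in operands.split(",", 1)]
            if "[" in src:                       # a load, so dst now holds the stack location
                regs[dst.lower()] = "IO_STACK_LOCATION"
        out.append((line, label))
    return out


# Constructed listing (not from a real driver); rcx = DeviceObject, rdx = Irp on entry.
SAMPLE_LISTING = [
    "mov     r8, [rdx+0B8h]",
    "mov     eax, [r8+18h]",
    "cmp     eax, 222004h",
    "mov     ecx, [r8+10h]",
    "mov     rsi, [rdx+18h]",
    "mov     rdi, [rcx+40h]",
    "mov     [rdx+38h], rbx",
]

if __name__ == "__main__":
    for text, label in annotate_listing(SAMPLE_LISTING, {"rcx": "DEVICE_OBJECT", "rdx": "IRP"}):
        print("%-28s; %s" % (text, label or ""))
```

The interesting lines for a reviewer are the ones this labels as InputBufferLength and SystemBuffer: a handler that copies into SystemBuffer using a length from the request without comparing it against OutputBufferLength is the classic WDM overflow, and the labels make that comparison (or its absence) visible at a glance.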
For WDF drivers, DriverBuddy:
- Locates the WdfFunctions structure via the WdfVersionBind reference
- Parses the function pointer table based on the WDF version
- Labels the function pointers for improved readability
Use cases:
☠ Vulnerability Discovery: Identify unsafe function usage patterns
☠ Attack Surface Analysis: Map all IOCTLs and their handlers
☠ Privilege Escalation: Track access control checks and object references
☠ Fuzzing Preparation: Extract IOCTL codes for targeted fuzzing
☠ Exploit Development: Understand driver control flow and data structures
Troubleshooting (IDA Pro):
- Issue: Plugin not loading
  - Solution: Ensure Python 3 is configured in IDA (Edit → Preferences → Python)
  - Solution: Check the IDA console for error messages
Troubleshooting (Ghidra):
- Issue: Script not appearing
  - Solution: Refresh the script list in Script Manager
  - Solution: Ensure the script is in a configured script directory
Troubleshooting (Binary Ninja):
- Issue: Plugin not visible in menu
  - Solution: Check the console for import errors
  - Solution: Verify Binary Ninja API version compatibility
Troubleshooting (Radare2):
- Issue: r2pipe connection failed
  - Solution: Install r2pipe: pip3 install r2pipe
  - Solution: Run the script from within radare2, not standalone
Contributions are welcome! Areas for improvement:
- Enhanced IOCTL discovery heuristics
- Additional driver type detection
- GUI interfaces for each platform
- Automated vulnerability pattern detection
- IRP tracking and taint analysis
☠ Reference counting analysis (ObReferenceObject/ObDereferenceObject tracking)
☠ Time-of-check/time-of-use (TOCTOU) detection
☠ ProbeForRead/ProbeForWrite validation
☠ Input validation pattern recognition
☠ Race condition detection
Credits:
☠ Original DriverBuddy: Braden Hollembaek and Adam Pond (NCC Group)
☠ IOCTL Decoder: Satoshi Tanda (https://github.com/tandasat/WinIoCtlDecoder)
☠ WDF Functions: Red Plait, Nicolas Guigo
☠ Modernization: Community contributors
This software is released under the MIT License. See LICENSE file for details.
╔═══════════════════════════════════════════════════════════════╗
║ ║
║ ☠ Happy Hunting! ☠ ║
║ ║
╚═══════════════════════════════════════════════════════════════╝