The project consists of three files:
- NDISaster.py - An IDA Python script
- raw_packet.c - A C program that generates raw packets (intended as a basis for a fuzzer)
- ndis_bd_5.h - A header file that must be parsed by IDA Pro before running the Python script (IDA does not ship complete type definitions for NDIS drivers)

The solution works by first identifying the relevant callback functions in an NDIS driver, then generating a Windbg script and using it to trace code execution so that the functions handling each protocol can be identified.
Usage:
- Parse ndis_bd_5.h in IDA (use "Parse C Header File").
- Run NDISaster.py in IDA (use "Run Python script").
- After the script has run, you should see that the main callback functions have been identified by IDA.
- Generate a Windbg script by calling this function from the IDA terminal:
  generate_windbg_packet_trace_script(driver_name, function_to_start_hooking_from, output_script_name, fuzzing_mode)
  Example: generate_windbg_packet_trace_script("bdfndisf", "Pr_ReceivePacketHandler", "C:\NDISaster\output", 0)
- Run the generated script in Windbg while it is debugging the target machine. Steps:
  a. Open a log to save the trace: .logopen
  b. Run the script with this command: $$><script_name
  c. Generate some traffic to the target machine
  d. Close the log when you are done tracing: .logclose
- Back in IDA, call this function: import_windbg_packet_trace(<logfile_name>)
- The functions in the disassembly will now be tagged and named according to the protocol they are expected to handle.
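The generate-script / trace / import round trip described above, reduced to a stand-alone illustration. This is an added example and not code from NDISaster.py: it runs without IDA, the callback names and the driver name are placeholders, and the marker lines it expects in the Windbg log ("NDIS_HIT <function>" emitted by the breakpoints, "PHASE <protocol>" typed by the operator via .echo before generating traffic of that protocol) are a constructed convention for this example, not the log format NDISaster itself parses.

```python
"""Example of the NDISaster workflow in miniature: emit a Windbg breakpoint
script for a list of driver callbacks, then read the .logopen capture back
and tag each function with the protocol traffic that reached it.

Log format used here (constructed for this example, not NDISaster's own):
  PHASE <protocol>      typed by the operator: .echo PHASE ICMP
  NDIS_HIT <function>   printed by the generated breakpoints
"""
import re
from collections import defaultdict

# Hypothetical callback list; names are placeholders, not from a real driver.
CALLBACKS = ["Pr_ReceivePacketHandler", "ParseEthernetFrame",
             "HandleIcmp", "HandleArp"]


def generate_windbg_script(driver, callbacks):
    """Return Windbg command text: one breakpoint per callback that echoes a
    marker line and resumes (bp <module>!<symbol> "<commands>")."""
    lines = ["$$ example trace script generated by this snippet"]
    for func in callbacks:
        lines.append('bp %s!%s ".echo NDIS_HIT %s; g"' % (driver, func, func))
    lines.append("g")
    return "\n".join(lines) + "\n"


PHASE_RE = re.compile(r"^PHASE\s+(\S+)$")
HIT_RE = re.compile(r"^NDIS_HIT\s+(\S+)$")


def import_trace(log_text):
    """Parse a log capture and return {function: {protocol: hit_count}}.
    Prompts, breakpoint banners and other debugger output are ignored."""
    phase = "UNKNOWN"
    hits = defaultdict(lambda: defaultdict(int))
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            phase = m.group(1)
            continue
        m = HIT_RE.match(line)
        if m:
            hits[m.group(1)][phase] += 1
    return {f: dict(p) for f, p in hits.items()}


def tag_functions(hits):
    """Derive a name tag per function: functions hit during every traffic
    phase are shared receive path ("common_"), the rest are prefixed with
    the protocol(s) that reached them."""
    all_protos = set()
    for protos in hits.values():
        all_protos.update(protos)
    tags = {}
    for func, protos in hits.items():
        seen = set(protos)
        if len(all_protos) > 1 and seen == all_protos:
            tags[func] = "common_%s" % func
        else:
            tags[func] = "%s_%s" % ("_".join(sorted(seen)), func)
    return tags


# Constructed sample log: what a .logopen capture might contain after one
# ICMP phase (two packets) and one ARP phase (one packet).
SAMPLE_LOG = """\
Opened log file 'C:\\NDISaster\\trace.log'
PHASE ICMP
NDIS_HIT Pr_ReceivePacketHandler
NDIS_HIT ParseEthernetFrame
NDIS_HIT HandleIcmp
NDIS_HIT Pr_ReceivePacketHandler
NDIS_HIT ParseEthernetFrame
NDIS_HIT HandleIcmp
PHASE ARP
NDIS_HIT Pr_ReceivePacketHandler
NDIS_HIT ParseEthernetFrame
NDIS_HIT HandleArp
Closing open log file C:\\NDISaster\\trace.log
"""

if __name__ == "__main__":
    print(generate_windbg_script("bdfndisf", CALLBACKS))
    for func, tag in sorted(tag_functions(import_trace(SAMPLE_LOG)).items()):
        print("%-26s -> %s" % (func, tag))
```

In the real tool the tagging is applied to the IDA database; here the same idea is shown as a plain dictionary so the logic can be checked offline. The "common_" rule is the point worth keeping: a function hit for every kind of traffic (the receive handler, the Ethernet parser) tells you nothing about a protocol, so only functions reached during a subset of phases get protocol names.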