Reverse Engineering and Bug Hunting on KMDF Drivers

Offered By: 44CON Information Security Conference via YouTube

Tags

44CON, Reverse Engineering, Malware Analysis, Bug Hunting

Course Description

Overview

Explore reverse engineering and bug hunting techniques for Kernel Mode Driver Framework (KMDF) drivers in this 45-minute conference talk from 44CON 2018. The talk begins with a quick recap of Windows Driver Model (WDM) drivers, their common structures, and how to identify their entry points. It then moves into KMDF, examining the functions relevant to reverse engineering through case studies. It shows how to interact with KMDF device objects through the SetupDI API and how to analyze IO queue dispatch routines, and asks whether the framework actually improves security by examining implementation problems found in drivers from major vendors. Viewers gain the practical knowledge needed to run bug hunting sessions on KMDF drivers, covering driver models, device objects, IRP major function codes, buffer access methods, and IOCTL codes, and learn techniques for locating KMDF drivers on a system and spotting potential security issues such as unsanitized input data and kernel pointer leakage.

Syllabus

Reverse Engineering & Bug Hunting on KMDF Drivers
Different Driver Models
Driver and Device Objects
Creating the Device
IRP Major Function Codes
Basic WDM Driver
Talking to the Driver
Interrupt Request Packets
Stack Locations
Buffer Access Methods
IOCTL Code
KMDF Overview
A Basic KMDF Driver
Using Device Interfaces
KMDF and Buffer Access
Control Device Objects
Types of Issues: Unsanitized Data
Kernel Pointer Leakage: Synaptics Touchpad Win64 Driver
Finding KMDF Drivers
Check Your Drivers!
Conclusions

Taught by

44CON Information Security Conference