Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim at 44CON 2018
Author: 44CON Information Security Conference
Uploaded: 2019-04-15
Views: 2728
Numerous technical articles, presentations, and even books exist about reverse engineering Windows Driver Model (WDM) drivers, for purposes that range from simply understanding how a specific driver works to malware analysis and bug hunting. On the other hand, Microsoft has been providing the Kernel-Mode Driver Framework (KMDF) for quite a while, and we now see more and more drivers shifting to this framework instead of interacting directly with the OS as in the old WDM days. Yet there is close to no information on how to approach this model from a reverse engineering and offensive standpoint.
In this presentation, I will first give a quick recap of WDM drivers, their common structures, and how to identify their entry points. Then I'll introduce KMDF and all of its functions relevant to reverse engineering through a set of case studies. I'll describe how to interact with a KMDF device object through the SetupDi API and how to find and analyze the dispatch routines of the different I/O queues. Does the framework actually enhance security? We'll come to a conclusion after revealing some major vendor implementation problems.
Armed with this knowledge, you will be able to run your own bug hunting session over any KMDF driver.
For more from 44CON and tickets visit 44CON Website: https://44con.com