Driver Initial Reconnaissance Tool
I'm writing this tool to learn C++ and to get an initial assessment of the drivers installed on a Windows system (e.g. master images developed by OEMs or enterprises). It is meant to help with target selection, finding low-hanging fruit, and providing some assistance with deep-dive binary analysis. It is currently unstable and under active development.
I've used a combination of DeviceTree, WinObjEx64 and WinDbg for these use cases, but that is a tedious manual process that doesn't scale, so DIRT just attempts to make it more convenient.
This should compile with Visual Studio 2015 or greater.

1. Run bcdedit -debug on from an administrative Command Prompt and reboot. DIRT reads kernel memory through the WinDbg kernel debugger driver, which only works while the system is in debug mode, so the setting must be in effect before DIRT is run.
2. Place kldbgdrv.sys (found with WinDbg) in the same directory as DIRT.exe.
3. Run DIRT.exe > output.txt with administrative privileges. The --lp-only and --no-msft switches can be used to filter results.

Do this on a lab machine or a throwaway copy of the image rather than a production host: debug mode plus a driver that exposes kernel memory to administrators is a deliberate weakening of the system, so turn debug mode back off (bcdedit -debug off) and remove kldbgdrv.sys when you are done.
Below is some sample output so you know what to expect:
    DIRT v0.1.0: Driver Initial Reconnaisance Tool (@Jackson_T)
    Repository: https://github.com/jthuraisamy/DIRT
    Compiled on: Aug 22 2018 00:01:04

    INFO: Hiding Microsoft drivers (--no-msft).
    INFO: Only showing drivers that low-privileged users can interface with (--lp-only).

    Capcom: Capcom
      Path: C:\Windows\System32\Capcom.sys
      DispatchDeviceControl: 0xFFFFF8024C9A0590
      Devices: 1
        └── \Device\Htsysm72FB (open DACL, 1 symlinks)
            └── \\.\Global\Htsysm72FB

    SmbDrvI: SmbDrvI (Synaptics Incorporated)
      Path: C:\WINDOWS\System32\drivers\Smb_driver_Intel.sys - Hooked by Wdf01000 (Microsoft Corporation)
      DispatchDeviceControl: 0xFFFFF808212C72B0
      Devices: 1
        └── \Device\SmbDriver (open DACL, 1 symlinks)
            └── \\.\Global\SmbDriver

    nvlddmkm: nvlddmkm
      Path: C:\Windows\System32\DriverStore\FileRepository\nvlt.inf_amd64_ed3ba3fb30d4dd86\nvlddmkm.sys
      DispatchDeviceControl: 0xFFFFF80822D074D0
      Devices: 2
        ├── \Device\NvAdminDevice (open DACL, 1 symlinks)
        │   └── \\.\Global\NvAdminDevice
        └── \Device\UVMLiteController0x1 (open DACL, 1 symlinks)
            └── \\.\Global\UVMLiteController
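A few words on reading that output. DispatchDeviceControl is the address of the driver's IRP_MJ_DEVICE_CONTROL handler, which is the natural starting point for IOCTL reversing; "Hooked by Wdf01000" means that address sits inside the KMDF framework driver rather than the vendor image, so the vendor's own IOCTL logic is reached through WDF's callbacks. "open DACL" means the device object's security descriptor does not stop a low-privileged user from opening it, which is what --lp-only keys on. DIRT derives that from the object's DACL as seen from the kernel side, so the check a practitioner wants next is to confirm it from the caller's side. The script below is an added example and is not part of DIRT or WinObjEx64: run it in a non-elevated PowerShell session as the low-privileged user you care about and it reports which of the symlinks actually hand back a handle. The device list is taken from the sample output above (replace it with the symlinks from your own run), and the helper name Test-DeviceOpen and the constant values are this example's own.

```powershell
# Added example (not DIRT's code): probe device symlinks reported as "open DACL"
# from a NON-elevated PowerShell session and classify the result of CreateFile.

$Native = Add-Type -Namespace DirtProbe -Name Kernel32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr CreateFileW(string lpFileName, uint dwDesiredAccess,
    uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition,
    uint dwFlagsAndAttributes, IntPtr hTemplateFile);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$GENERIC_READ         = 0x80000000
$GENERIC_WRITE        = 0x40000000
$OPEN_EXISTING        = 3
$ERROR_FILE_NOT_FOUND = 2
$ERROR_ACCESS_DENIED  = 5

# Try to open a device path with the given access mask and say what happened.
function Test-DeviceOpen {
    param([string]$Path, [uint32]$Access)
    $h   = $Native::CreateFileW($Path, $Access, 0, [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h.ToInt64() -ne -1) {
        [void]$Native::CloseHandle($h)
        return 'OPENED'
    }
    switch ($err) {
        $ERROR_ACCESS_DENIED  { return 'ACCESS_DENIED' }   # DACL (or the driver's own IRP_MJ_CREATE handler) refused
        $ERROR_FILE_NOT_FOUND { return 'NOT_FOUND' }       # symlink/device does not exist on this machine
        default               { return "ERROR_$err" }
    }
}

# Constructed list: the symlinks from the sample DIRT output above.
$devices = @(
    '\\.\Global\Htsysm72FB',        # Capcom
    '\\.\Global\SmbDriver',         # SmbDrvI
    '\\.\Global\NvAdminDevice',     # nvlddmkm
    '\\.\Global\UVMLiteController'  # nvlddmkm
)

# An elevated session defeats the point of the probe, so say so loudly.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if ($elevated) {
    Write-Warning "This session is elevated; OPENED here says nothing about low-privileged users."
}

# Probe with read+write and with read-only access separately. The I/O manager
# compares the FILE_READ_ACCESS / FILE_WRITE_ACCESS bits encoded in each IOCTL
# code against the handle's granted access, so a device that only opens
# read-only may still refuse the IOCTLs that matter.
$devices | ForEach-Object {
    [pscustomobject]@{
        User      = $identity.Name
        Device    = $_
        ReadWrite = Test-DeviceOpen -Path $_ -Access ($GENERIC_READ -bor $GENERIC_WRITE)
        ReadOnly  = Test-DeviceOpen -Path $_ -Access $GENERIC_READ
    }
} | Format-Table -AutoSize
```

An OPENED result in the ReadWrite column from an unprivileged session confirms the "open DACL" finding end to end, including any access check the driver performs in its create handler, which DIRT's DACL inspection alone cannot see. ACCESS_DENIED with an open DACL usually means exactly that: the driver refuses in IRP_MJ_CREATE, and the DispatchDeviceControl address is not reachable from that account after all.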
There is also a CSV output available using DIRT::Main::ExportCSV().
Credits: Jackson Thuraisamy (2018). The code is heavily derived from the WinObjEx64 project by @hFireF0X.
License: MIT