Speaker(s): Enrique Nissim, IOActive
Numerous technical articles, presentations, and even books exist about reverse engineering the Windows Driver Model (WDM), for purposes that range from simply understanding how a specific driver works to malware analysis and bug hunting. On the other hand, Microsoft has been providing the Kernel-Mode Driver Framework (KMDF) for quite a while, and we now see more and more drivers shifting to this framework instead of interacting directly with the OS as in the old WDM days. Yet there is close to no information on how to approach this model from a reverse engineering and offensive standpoint.
In this presentation, I will first give a quick recap of WDM drivers, their common structures, and how to identify their entry points. Then I'll introduce KMDF and the core concepts and functions relevant for reverse engineering through a set of case studies. How do you interact with a KMDF device object? How do you find and analyze the KMDF dispatch routines? Does the framework actually enhance security?
Armed with this knowledge, you will be able to run your own bug hunting session over any KMDF driver.
Enrique Nissim is a Senior Security Consultant at IOActive. His experience and interests include reverse engineering, exploit development, programming, and application security. He has also been a regular speaker at other international cybersecurity conferences, including CanSecWest, EKOParty, and ZeroNights.