Tool DrvMon
Fyyre
07-12-2010, 07:05 AM
DrvMon v1.0
by Fyyre & EP_X0FF
DrvMon tool monitors the system for new drivers and saves them to a directory of your choice.
We created this to make it easy to save drivers from certain types of rootkit malware, which erase the driver immediately after loading.
This is accomplished by use of PsSetLoadImageNotifyRoutine and a handler routine.
No driver escapes =)
Enjoy
v1.2 attached.
DeepblueSea
07-12-2010, 11:38 AM
This is fine and all. Kudos.
But never say "No driver escapes".
romeo
07-17-2010, 11:28 AM
I will be looking forward to the x64 version.
Err, I can't seem to download this file; used Opera, Firefox, IE 6 & 8 and Google Chrome. Some corruption errors. Can someone upload this to Mediafire please?
Sleepz0r
07-17-2010, 06:11 PM
This is fine and all. Kudos.
But never say "No driver escapes".
agree & thanks may come in handy some day.
Fyyre
07-18-2010, 11:33 PM
DBS,
Clumsy statement on my part. I admit not testing DrvMon with any ring-0 loaders which I have.
romeo,
The x64 version, its driver is not signed.
More than one remedy for this situation:
You may use the patch which I create. It disables enforcement of driver signing on x64 Windows 7... by patching the function SepInitializeCodeIntegrity inside of ntoskrnl.exe.
Or, spam F8 when booting the system and select "Disable Driver Signing Enforcement"... however it reads.
If still unable to download, get DrvMon from my web site (see signature for URL).
-Fyyre
romeo
07-19-2010, 11:21 AM
Thank you Fyyre :) I love your works from the start.
P.S. I did send you a message on Twitter, hoping you could reply someday.
Organner
07-21-2010, 06:31 AM
Nice release, keep up great work!
Fyyre
07-26-2010, 01:14 AM
Hi all,
Here is v1.1:
v1.1 changes:
1). DrvMon now appends the Low/High part of KeQueryTickCount to the name of the saved driver; this allows you to load the same driver many times and not overwrite older copies.
2). Minimize-to-systray support. Double-click the systray icon and DrvMon will minimize to the systray. Double-click the icon again to display the DrvMon window.
3). DrvMon now deletes its driver and registry entry upon application exit.
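The first post says DrvMon hooks driver loads with PsSetLoadImageNotifyRoutine, and v1.1 adds a tick-count suffix so repeated loads do not overwrite earlier copies. The following is an added example written for this thread, not DrvMon's source and not code from Fyyre or EP_X0FF: a minimal kernel driver that registers a load-image notify routine and, for every kernel-mode image, copies the file from disk into a dump directory before the new driver's own DriverEntry runs. The portable helper `build_dump_name` compiles anywhere; the kernel part is compiled only under a WDK build with the assumed macro `DRVMON_EXAMPLE_KERNEL` defined. The dump directory `C:\drvmon_dumps`, the `<name>_<high>_<low>.sys` suffix layout and the copy-from-file approach are this example's own choices.

```c
/* Added example, not DrvMon's own source: a minimal kernel-mode driver that
 * registers a load-image notify routine and copies every kernel image it sees
 * into a dump directory, suffixed with the tick count so repeated loads of one
 * driver do not overwrite each other. The portable helper compiles anywhere;
 * the kernel part builds only with the WDK and DRVMON_EXAMPLE_KERNEL defined. */
#include <stdio.h>
#include <string.h>

/* "<basename>_<tickHigh>_<tickLow>.sys" from an image path (either separator).
 * Returns the length written, or -1 if out is too small. The suffix layout is
 * this example's choice, not necessarily DrvMon's. */
int build_dump_name(const char *image_path, unsigned long tick_high,
                    unsigned long tick_low, char *out, size_t out_len)
{
    const char *base = image_path, *p, *dot;
    size_t base_len;
    int n;

    for (p = image_path; *p; p++)
        if (*p == '\\' || *p == '/')
            base = p + 1;
    dot = strrchr(base, '.');
    base_len = dot ? (size_t)(dot - base) : strlen(base);
    n = snprintf(out, out_len, "%.*s_%08lX_%08lX.sys",
                 (int)base_len, base, tick_high, tick_low);
    return (n < 0 || (size_t)n >= out_len) ? -1 : n;
}

#ifdef DRVMON_EXAMPLE_KERNEL
#include <ntddk.h>
#include <ntstrsafe.h>
#define DUMP_DIR L"\\??\\C:\\drvmon_dumps\\"   /* assumed; must already exist */
#define DUMP_TAG 'pmuD'
/* Runs at PASSIVE_LEVEL inside the notify routine, i.e. before the new
 * driver's DriverEntry gets control, so the file is still on disk even if
 * that driver deletes itself as soon as it starts. */
static NTSTATUS CopyImageFile(PUNICODE_STRING Source)
{
    OBJECT_ATTRIBUTES oa; IO_STATUS_BLOCK iosb; FILE_STANDARD_INFORMATION fsi;
    HANDLE hSrc = NULL, hDst = NULL; PVOID buf = NULL; LARGE_INTEGER ticks;
    UNICODE_STRING base, dst; WCHAR dstBuf[260]; USHORT i, start = 0, end;
    NTSTATUS st;

    InitializeObjectAttributes(&oa, Source, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
    st = ZwCreateFile(&hSrc, GENERIC_READ | SYNCHRONIZE, &oa, &iosb, NULL, FILE_ATTRIBUTE_NORMAL,
                      FILE_SHARE_READ, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0);
    if (!NT_SUCCESS(st)) return st;
    st = ZwQueryInformationFile(hSrc, &iosb, &fsi, sizeof(fsi), FileStandardInformation);
    if (!NT_SUCCESS(st) || fsi.EndOfFile.HighPart != 0) goto done;
    buf = ExAllocatePoolWithTag(PagedPool, fsi.EndOfFile.LowPart, DUMP_TAG);
    if (buf == NULL) { st = STATUS_INSUFFICIENT_RESOURCES; goto done; }
    st = ZwReadFile(hSrc, NULL, NULL, NULL, &iosb, buf, fsi.EndOfFile.LowPart, NULL, NULL);
    if (!NT_SUCCESS(st)) goto done;

    /* Base name without directory and extension, then the tick-count suffix. */
    end = Source->Length / sizeof(WCHAR);
    for (i = 0; i < end; i++) if (Source->Buffer[i] == L'\\') start = i + 1;
    for (i = end; i > start; i--) if (Source->Buffer[i - 1] == L'.') { end = i - 1; break; }
    base.Buffer = Source->Buffer + start;
    base.Length = base.MaximumLength = (USHORT)((end - start) * sizeof(WCHAR));
    KeQueryTickCount(&ticks);
    st = RtlStringCchPrintfW(dstBuf, RTL_NUMBER_OF(dstBuf), L"%ws%wZ_%08X_%08X.sys",
                             DUMP_DIR, &base, (ULONG)ticks.HighPart, ticks.LowPart);
    if (!NT_SUCCESS(st)) goto done;
    RtlInitUnicodeString(&dst, dstBuf);
    InitializeObjectAttributes(&oa, &dst, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
    st = ZwCreateFile(&hDst, GENERIC_WRITE | SYNCHRONIZE, &oa, &iosb, NULL, FILE_ATTRIBUTE_NORMAL,
                      0, FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0);
    if (!NT_SUCCESS(st)) goto done;
    st = ZwWriteFile(hDst, NULL, NULL, NULL, &iosb, buf, fsi.EndOfFile.LowPart, NULL, NULL);
done:
    if (buf) ExFreePoolWithTag(buf, DUMP_TAG);
    if (hDst) ZwClose(hDst);
    if (hSrc) ZwClose(hSrc);
    return st;
}

/* Called for every image load in the system; user-mode EXEs and DLLs are
 * skipped, kernel-mode images (drivers) are dumped. */
static VOID LoadImageNotify(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo)
{
    UNREFERENCED_PARAMETER(ProcessId);
    if (FullImageName == NULL || ImageInfo == NULL || !ImageInfo->SystemModeImage) return;
    CopyImageFile(FullImageName);
}

static VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsRemoveLoadImageNotifyRoutine(LoadImageNotify);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    return PsSetLoadImageNotifyRoutine(LoadImageNotify);
}
#endif
```

The point the thread makes is the timing: the notify routine fires while the loader still holds the image file open and before the new driver's entry point runs, which is why a self-deleting rootkit driver can still be copied from disk at that moment. The callback also sees user-mode images, so the `SystemModeImage` check is what narrows it to drivers; an image loaded by a method that bypasses the kernel image loader would not be reported, which is the caveat DeepblueSea raises.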
learn_more
08-14-2010, 09:06 AM
Thanks for this awesome tool,
I was writing some r3 hooks to capture the file, then I remembered this tool.
Flawless victory ^^
Tamimego
08-31-2010, 10:17 AM
The program is going into my regularly used tool set now :D, awesome work Fyyre!
4ceace
08-31-2010, 11:41 AM
awesome!
Chazwazza
08-31-2010, 10:56 PM
Just noticed this. Thanks for the share.
Fyyre
11-28-2010, 12:45 PM
DrvMon v1.2 released. Please see the attachment.
v1.2 changes:
1). Driver load blocking support. Now you can grab malware drivers without actually loading them.
2). DrvMon GUI has been redesigned (richedit as output window).
3). DrvMon driver name randomization: it will be named like the application (e.g. Test.exe -> Test.sys). This was made to complicate detection of DrvMon via filename blacklists by some malware.
4). Some fixes and improvements.
-Fyyre
romeo
11-28-2010, 03:03 PM
good and thanks :) friend
warsark
07-07-2011, 02:21 AM
Thanks Fyyre!
This tool is very good, but it can't copy XTRAP's driver (ver: 3416).