[bug0]

Driver Radar Pro is a very useful utility with a very simplified GUI which can help you not only permit/deny the loading of kernel mode drivers via secure whitelisting methods but also allows you to copy the to-be-loaded driver file to a user-specified location. Malware analysis can easily be sped up by what Driver Radar Pro offers or perhaps you just want to make sure only whitelisted drivers and protected system drivers are only allowed to be loaded… Driver Radar to the rescue!

Features

* Detailed info about to-be-loaded drivers
* Lightweight in memory
* Manage whitelisted drivers
* Monitor loading of kernel mode drivers
* Save drivers as MD5 hash name
* Save drivers to custom folder
* Save Logs to File
* Secure whitelisting methods
* Start with Windows
* Very user-friendly GUI

Driver Radar Pro is compatible with the following 32-bit Microsoft Windows Operating Systems: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7

Download (Installer and Portable):
http://www.novirusthanks.org/product/driver-radar-pro/

[frank_boldewin]

looks like a recode of EP_X0FF's and Fyyre's Drvmon.

[bug0]

Changelog:

[23-03-2012] - v1.3.0.0

+ Added multilingual support
+ Added Italian language
+ Added support for 64-Bit OS
+ Signed both executables and kernel drivers
+ Minor fixes

Download page:
http://www.novirusthanks.org/product/driver-radar-pro/

[STRELiTZIA]

Hello,
Tested and bypassed by loading driver test from long path:

C:\123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF123456789ABCDEF\_lmtreached.sys

Attached: Flash movie and PoC...

Regards

[Brock]

Strelitzia, see here too http://www.kernelmode.info/forum/viewto ... n&start=20 All current public tools which use load image notify routines and overwrite driver entrypoints are affected.

AddressOfEntryPoint of a driver can be set to zero and a jmp is placed directly after IMAGE_DOS_SIGNATURE in driver to the real original entrypoint RVA, driver checksum is then recalculated. This is much harder to fix than a filename being truncated through ImageInfo->FileName because filename means nothing and driver can still be denied through your PoC since it still has a valid AddressOfEntryPoint field from what I see on my end

[bug0]

STRELiTZIA, thanks for reporting this issue, it has been fixed now:

[27-03-2012] - v1.3.1.0

+ Fixed logic error in filename handling where drivers which exceed a maximum path of MAX_PATH characters (259 + NULL) could be loaded