A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #1672  by EP_X0FF
 Tue Jul 27, 2010 4:10 am
Changelog for this version (also in readme.txt inside archive)
v1.1 changes:

1). DrvMon now appends the Low/High part of KeQueryTickCount to the name of the saved driver; this allows you to load the same driver
many times without overwriting older copies.

2). Minimize to systray support. Double-click the systray icon and DrvMon will minimize to the systray. Double-click the icon again to display the DrvMon window.

3). DrvMon now deletes its driver and registry entry upon application exit.
 #1701  by Orkblutt
 Fri Jul 30, 2010 2:46 pm
Nice tool!
This is accomplished by use of PsSetLoadImageNotifyRoutine and a handler routine.
Any chance to take a look at your code?

Kindest regards,

Ork
 #1703  by EP_X0FF
 Fri Jul 30, 2010 3:11 pm
Hi,

nice to see you here ;)

what exactly do you want to know? This driver is quite simple.

Regards.
 #1717  by Orkblutt
 Sat Jul 31, 2010 9:42 am
Yo EP, (Hey Fyyre)

I've been around since the site's creation... But nothing to say. Just reading :)

In fact I don't want to know anything in particular about this code... I just like it when good tools are open source: it can give some improvement ideas for this tool or other ones.
And I'm curious. I'd like to see the GUI src (I guess native code only). How is the driver part written? asm, Delphi, C?
It's also good to see code from people that know how to code with some style ;)

Regards,

Orky
 #1718  by EP_X0FF
 Sat Jul 31, 2010 9:52 am
The driver is written in C (MSVC 2008, ported to 2010 in v1.1). The application is also in C (MSVC 2008, ported to 2010 in v1.1). Yes, it is pure native Windows API :)
 #3749  by EP_X0FF
 Sun Nov 28, 2010 7:47 am
Updated to 1.2 - see the first post for download.
v1.2 changes:

1). Support for blocking driver loading. Now you can grab malware drivers without actually loading them.

2). DrvMon GUI has been redesigned (richedit as output window).

3). DrvMon driver name randomization: it will be named like the application (e.g. Test.exe -> Test.sys). This was done to complicate DrvMon detection via filename blacklists by some malware.

4). Some fixes and improvements.

Example of work (TDL4 driver collected and blocked, TDL3 driver collected and blocked).
 #6467  by Brock
 Sat May 21, 2011 9:28 pm
@EP_X0FF & Fyyre:

I wrote something identical to this months back for the same purpose which is the collection of malware drivers so I decided to leave you some constructive criticism. This DrvMon tool's "concept" is great but the actual tool itself needs to address some major issues... ;)

[1] DrvMon's disabling of drivers can easily be completely bypassed by setting any driver's AddressOfEntryPoint to 0, for example, and then placing a jump to the real OEP address directly below the MZ signature inside the driver file. DrvMon cannot prevent the driver load anymore (DrvMon can only log it) because DrvMon (like my own tool) relies on this optional header member being a "valid" relative address.

[2] "Monitor->Deny drivers loading" is very unstable by design, since you're denying all drivers from loading, and in essence important OS drivers such as vga.dll (in XP), for example, cannot load, resulting in a one-way ticket to a frozen OS environment if you're lucky, otherwise it's an instant BSOD! Perhaps you should allow "sfc protected" system files or something like this to automatically be permitted to load; this is basically what I did to solve the problem in my tools.

[3] When abnormally terminating the DrvMon executable and rerunning it, the driver doesn't correctly handle this scenario and will BSOD the machine.
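A defender-side sanity check for the weakness Brock describes in [1], added here as an example; it is not DrvMon's code nor either poster's tool. Before a collector trusts a captured image's AddressOfEntryPoint, it rejects an entry RVA that is 0 (i.e. inside the DOS header) or that does not fall within a section flagged executable. The header offsets are the documented PE layout; the in-memory sample image and the helper names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SCN_MEM_EXECUTE 0x20000000u   /* IMAGE_SCN_MEM_EXECUTE */

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Returns 1 only if AddressOfEntryPoint is non-zero and lies inside a section marked
 * executable; 0 for an entry in the headers, outside every section, or truncated/non-PE
 * input. Raw offsets are used so this builds without windows.h. */
int entry_point_is_sane(const uint8_t *img, size_t len)
{
    if (len < 0x40 || memcmp(img, "MZ", 2) != 0) return 0;
    uint32_t pe = rd32(img + 0x3c);                               /* e_lfanew */
    if (pe > len || len - pe < 44 || memcmp(img + pe, "PE\0\0", 4) != 0) return 0;
    uint16_t nsec  = rd16(img + pe + 6);                          /* FileHeader.NumberOfSections */
    uint16_t optsz = rd16(img + pe + 20);                         /* FileHeader.SizeOfOptionalHeader */
    uint32_t ep    = rd32(img + pe + 40);                         /* OptionalHeader.AddressOfEntryPoint */
    if (ep == 0) return 0;                                        /* RVA 0 is the DOS header itself */
    size_t sec = (size_t)pe + 24 + optsz;                         /* first IMAGE_SECTION_HEADER */
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        if (sec > len || len - sec < 40) return 0;                /* section table truncated */
        uint32_t vsize = rd32(img + sec + 8), va = rd32(img + sec + 12);
        if (ep >= va && ep - va < vsize && (rd32(img + sec + 36) & SCN_MEM_EXECUTE)) return 1;
    }
    return 0;                                                     /* entry outside every executable section */
}

/* Constructed minimal PE32 image (headers plus one .text section header, no code)
 * so the check runs offline; it is not a real driver. Returns the image size. */
size_t build_sample(uint8_t *buf, uint32_t entry_rva)
{
    memset(buf, 0, 0x200); memcpy(buf, "MZ", 2);
    wr32(buf + 0x3c, 0x80);                                       /* e_lfanew */
    memcpy(buf + 0x80, "PE\0\0", 4);
    buf[0x86] = 1; buf[0x94] = 0xe0;                              /* NumberOfSections, SizeOfOptionalHeader */
    buf[0x98] = 0x0b; buf[0x99] = 0x01;                           /* Magic 0x10b (PE32) */
    wr32(buf + 0xa8, entry_rva);                                  /* AddressOfEntryPoint */
    uint8_t *s = buf + 0x80 + 24 + 0xe0;                          /* section header at 0x178 */
    memcpy(s, ".text\0\0\0", 8);
    wr32(s + 8, 0x1000); wr32(s + 12, 0x1000);                    /* VirtualSize, VirtualAddress */
    wr32(s + 36, 0x60000020);                                     /* CNT_CODE | MEM_EXECUTE | MEM_READ */
    return 0x200;
}

/* Convenience: build a sample with the given entry RVA and run the check on it. */
int check_sample(uint32_t entry_rva) { uint8_t buf[0x200]; return entry_point_is_sane(buf, build_sample(buf, entry_rva)); }
```

check_sample(0x1100) returns 1 (entry inside .text), while check_sample(0) and check_sample(0x3000) return 0.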
 #6469  by EP_X0FF
 Sun May 22, 2011 2:50 am
Hello,
Brock wrote:[1] DrvMon's disabling of drivers can easily be completely bypassed by setting any driver's AddressOfEntryPoint to 0 for example, and then placing a jump to the real OEP address directly below the MZ signature inside the driver file. DrvMon cannot prevent the driver load anymore (DrvMon can only log it) because DrvMon (like my own tool) relies on this optional header member to be a "valid" relative address
Malware example in studio.
Brock wrote:sfc protected
SFC can be disabled or not exist. Whitelisting/DS?
Brock wrote:[3] Abnormally terminating the DrvMon executable and rerunning it, the driver doesn't correctly handle this scenario and will BSOD the machine
Could you be more specific? What do you mean by "abnormally"? Several simple tests with TaskManager resulted in no BSOD of any kind. If you experienced a BSOD, then please also post a crashdump.

Thanks.