A forum for reverse engineering, OS internals and malware analysis 

 #18926  by Vrtule
 Sat Apr 13, 2013 2:58 pm
Hello,

About half a year ago, I was doing something with device objects and their chains, and I needed to see the chains in order to understand the topic better. Of course, I tried to use the DeviceTree utility which had helped me well in the past. However, it seems DeviceTree does not work for me on Windows Vista/7; it either does not load, or crashes.

Hence I decided to create my own simple program that provides me with information I needed. So, VrtuleTree was born. It shows loaded drivers and device object chains. The amount of information displayed by VrtuleTree is incomparable to the DeviceTree. The utility was created with stability in mind, hence it should not perform any illegal action like sending IRP_MN_QUERY_DEVICE_RELATIONS IRPs. It also does not parse Object Manager data structures, it uses more or less documented methods to achieve its goal.

Because the utility does not contain many features, I decided to provide the source code with it. I admit I did not do my best when writing the code; I needed to get the utility working in a short time rather than producing nice code. So, do not expect many comments and other things nice source code usually has.

I hope somebody finds the utility (and/or its source) useful in some way. I plan to update the utility from time to time; however, my free time seems to be really limited.

Best regards
Vrtule

EDIT: The utility should work on Windows XP/2003/Vista/7, both 32-bit and 64-bit versions. I have not tested it on Windows 8 yet.
Attachment: Binaries & Sources (1.1 MiB), downloaded 93 times
 #18953  by Vrtule
 Mon Apr 15, 2013 6:12 pm
Hello,

I updated the utility in several ways:
- a bug causing a BSOD when snapshotting a device object that is being removed from a device chain was fixed,
- more information about drivers is displayed (filename, image base, image size, DriverEntry, DriverUnload, StartIo, Flags),
- the utility is now able to save the information to log files. It is possible to specify what information should be saved.
Attachment: (1.14 MiB), downloaded 75 times
 #19096  by SUPERIOR
 Sat Apr 27, 2013 6:08 pm
Thank you a lot, I was looking for this... I will test on Windows 8 and give feedback.
About the GUI... is there any way to make the slide change or move? Because I can't see the list of device names fully.
PS: I tried it on two Windows 8 (x64) machines, not working; double click and nothing happens... I ran it as admin, but it was on a VM... can that be the reason?
 #19102  by Vrtule
 Sun Apr 28, 2013 8:46 pm
Hello,
SUPERIOR wrote: Thank you a lot, I was looking for this... I will test on Windows 8 and give feedback.
About the GUI... is there any way to make the slide change or move? Because I can't see the list of device names fully.
Are you talking about the tree on the left where the drivers and devices are displayed? It is possible to use the horizontal scrollbar to read the names of the devices; however, it is not really convenient. I plan to do something with it.
SUPERIOR wrote: PS: I tried it on two Windows 8 (x64) machines, not working; double click and nothing happens... I ran it as admin, but it was on a VM... can that be the reason?
Thank you for testing on Windows 8. If you want to run the application on a 64-bit version of Windows Vista/7/8, you need to sign the VrtuleTree.sys driver with a test certificate, enable test signing and reboot. The application should always be run as administrator. It should display the UAC dialog if required.

I will test the application on Windows 8 as soon as I install a virtual machine with that system.
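The test-signing steps described in the reply above (sign VrtuleTree.sys with a test certificate, enable test signing, reboot), written out as an added example; this is not code from the original post or from the VrtuleTree project. It assumes an elevated PowerShell prompt with the WDK/SDK tools makecert.exe, certmgr.exe and signtool.exe on PATH, and the driver file name VrtuleTree.sys from the post; the certificate subject "VrtuleTreeTest" is a constructed placeholder.

```powershell
# Added example: test-sign VrtuleTree.sys and switch the machine into test-signing mode.
# Run from an elevated prompt; makecert/certmgr/signtool come with the WDK/SDK.
# The subject name "VrtuleTreeTest" is an assumed placeholder, not from the post.

# 1. Create a self-signed code-signing certificate (EKU 1.3.6.1.5.5.7.3.3 = code signing)
#    with an exportable private key, stored in the current user's PrivateCertStore.
makecert.exe -r -pe -ss PrivateCertStore -n "CN=VrtuleTreeTest" -eku 1.3.6.1.5.5.7.3.3 VrtuleTreeTest.cer

# 2. Install the public certificate so this machine trusts it as a root CA
#    and as a publisher; without both, the driver still fails to load.
certmgr.exe /add VrtuleTreeTest.cer /s /r localMachine root
certmgr.exe /add VrtuleTreeTest.cer /s /r localMachine trustedpublisher

# 3. Sign the driver binary with the certificate selected by subject name.
signtool.exe sign /v /s PrivateCertStore /n VrtuleTreeTest VrtuleTree.sys

# 4. Check the result before rebooting (/pa = default authentication policy);
#    "Successfully verified" means the signature chains to the installed test root.
signtool.exe verify /v /pa VrtuleTree.sys

# 5. Enable test-signing mode in the boot configuration and reboot.
#    Windows shows a "Test Mode" watermark on the desktop while this is on.
bcdedit.exe /set testsigning on
Restart-Computer
```

Test-signing mode relaxes kernel-mode code-signing enforcement for every test-signed driver on the machine, not just this one, so keep it to a development box or VM and revert it with `bcdedit.exe /set testsigning off` once you are done. Step 4 only checks the user-mode chain; the definitive check is whether the driver loads after step 5.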
 #19257  by Vrtule
 Sat May 11, 2013 3:52 pm
Hello,

I just finished a new version of the tool. Well, there are not many changes in functionality; I mainly focused on the quality of the source code, which should now be better, and on some bug fixing.

New things:
* Successfully tested on Windows 8
* GUI improvements
* Quality of source code improved
* Application now benefits from Delphi generics
* Device type is now displayed also as a named constant

I have also created a small website for the project. The URL is http://vrtuletree.jadro-windows.cz/.

Best regards
Attachment: VrtuleTree (1.17 MiB), downloaded 51 times
 #21263  by Vrtule
 Mon Oct 28, 2013 6:57 pm
Hello,

Today, I made a really small update to the tool. I just added the display of Volume Parameter Block structures (VPBs) for volume devices.

The update was lying on my drive for a really long time because I had wanted to release the new version with the driver signed by a trusted certificate. However, it seems I am failing to verify my identity with Symantec due to the local law situation. So I decided to push the update to the web.

You can download the new version either as an attachment to this post, or from
http://vrtuletree.jadro-windows.cz/files/vtree4.zip
Attachment: VrtuleTree (1.82 MiB), downloaded 51 times
 #21276  by xanax
 Tue Oct 29, 2013 8:08 pm
Hi!
This compiled version (from vtree4.zip) does not work for me on Win 7 SP1 x64 and several VMs with Win XP, 7, 8, 8.1, x86 and x64.
The left pane is totally empty; the previous version (from vtree3.zip) works fine on these systems.