- Driver Buddy Reloaded
The install method depends on your IDA version, because the built-in plugin manager (and therefore the hcli
tool and the ida-plugin.json manifest) only exists in IDA 9.0 and above. IDA 7.6 and 8.x have no plugin
manager and only scan the top level of the plugins folder.
The repository ships an ida-plugin.json manifest, so IDA 9.0+ loads the plugin from its own subdirectory. Install it with:
hcli plugin install DriverBuddyReloaded
This drops the plugin into a subdirectory of your user plugins folder (e.g.
%APPDATA%\Hex-Rays\IDA Pro\plugins\DriverBuddyReloaded\ or ~/.idapro/plugins/DriverBuddyReloaded/), keeping the
DriverBuddyReloaded.py entry point inside that subdirectory. This is the intended layout: IDA reads the manifest,
loads the declared entry point from the subdirectory, and puts the subdirectory on sys.path so the entry point can
import the sibling DriverBuddyReloaded package. You do not need to move DriverBuddyReloaded.py to the top level.
Verify the install with hcli plugin status, then launch IDA and confirm the plugin appears under
Edit -> Plugins (check the Output window for any Python errors at startup).
To install from a local checkout for testing (e.g. after your own changes), run hcli plugin install . from the
repository root; hcli plugin lint . validates the manifest/layout first.
These versions have no plugin manager, so an hcli-installed subdirectory plugin will not be picked up. Copy
the DriverBuddyReloaded folder and the DriverBuddyReloaded.py script file directly into the top level of the
IDA plugins folder, for example:
%APPDATA%\Hex-Rays\IDA Pro\plugins\C:\Program Files\IDA Pro 8.4\plugins\~/.idapro/plugins/
The resulting layout is plugins\DriverBuddyReloaded.py alongside plugins\DriverBuddyReloaded\ (the package folder).
If your IDA is configured for Python 2, run the idapyswitch binary (located in IDA's folder) to switch it to Python 3.
NOTE: Driver Buddy Reloaded runs on IDA 7.6+, 8.x (including 8.4) and 9.0+ with Python 3. All version-specific
IDA API differences (the removal of get_inf_structure, the ida_struct module and the idc.*struc* helpers in
IDA 9.0, etc.) are handled internally by the DriverBuddyReloaded/ida_compat.py compatibility layer.
To use the auto-analysis feature:
- Start IDA and load a Windows kernel driver.
- Go to
Edit -> Plugins -> Driver Buddy Reloadedor pressCTRL+ALT+Ato start the auto-analysis. - Check the "Output" window for the analysis results, and the Driver Buddy Reloaded - Findings window that opens at the end of the run (double-click a row to jump to its address).
- The following files are written under IDA's DB directory (all prefixed with
<DRIVER_NAME>-YYYY-MM-DD-TIMESTAMP-):findings.json- machine-readable findings (IOCTLs, flagged functions, device names, pooltags, call chains, heuristics, device ACL audit, symbolic links, exports audit, privileged opcodes)report.html- a standalone, severity-grouped HTML reportpooltags.txt- dumped Pooltags inpooltags.txtformat for WinDbgautoanalysis.txt- the full text analysis log (mirrors the Output window)
To decode an IOCTL:
- Place the mouse cursor on the line containing a suspected IOCTL code.
- Right-click and select
Driver Buddy Reloaded -> Decode IOCTL; alternatively, press theCTRL+ALT+Dshortcut.
To reopen the IOCTLs window or findings window at any time (without re-running analysis):
- Press
CTRL+ALT+Ito open the IOCTLs window. - Press
CTRL+ALT+Fto open the findings window.
-
The vulnerable_function_lists directory contains a lists of potentially dangerous/problematic functions, Windows APIs and opcodes; a brief description on why a specific function/API has been listed is provided. You can edit the
customlist including driver's specific functions.Note:
winapi_function_prefixeswill partial match to start of function name (e.g.Zwwill matchZwClose,ZwCommitCompleteand so on) whilewinapi_functionswill perform exact matches only. -
In find_opcodes.py, the
find_opcode_dataoption (defaultFalse) suppresses opcode matches that fall in data sections (issue #11). Switching it toTruealso surfaces raw byte matches in data; if a real opcode was missed this way, going to the reported address and re-defining the bytes as code usually recovers it. Matches are reported like every other stage (results window,findings.json,report.html).Watch out: switching it to
Truegenerates more false positives!
Driver Buddy Reloaded is an IDA Pro Python plugin that helps automate some tedious Windows Kernel Drivers reverse engineering tasks. It has a number of handy features, such as:
- Identifying the type of the driver (WDM, KMDF, UMDF, WDF, Mini-Filter, Stream Minidriver, AVStream, PortCls)
- Locating
DispatchDeviceControl/DispatchInternalDeviceControlfunctions for every driver type (aMajorFunction[IRP_MJ_DEVICE_CONTROL]store scan finds the handler even in a minifilter/WDF driver that also exposes a legacy control device, and even when the assignment lives in a helper rather thanDriverEntry) - Populating common structures for
WDFandWDMdrivers- Attempts to identify and label structures like the
IRPandIO_STACK_LOCATION - Label calls to
WDFfunctions that would normally be unlabeled - Creates an
IRP_MJ_FUNCTIONIDA enum and applies it toMajorFunctionarray slots inDriverEntry(WDM)
- Attempts to identify and label structures like the
- Finding and decoding IOCTL codes
- Automatic multi-strategy scan of identified dispatcher functions (no cursor placement required): decompiler ctree (recovers codes hidden by jump-table or binary-search dispatch that never appear as immediates), IDA switch-table recovery, and a raw immediate-operand fallback (the fallback runs only on a function that actually reads the IRP's IoControlCode, so a mis-identified library helper cannot leak its internal constants as false IOCTLs)
- NTSTATUS values resolved dynamically from the IDA type database (with a broad hardcoded fallback), and
outbound IOCTLs the driver merely sends downstream (
IoBuildDeviceIoControlRequest/ZwDeviceIoControlFile/ ...) are excluded so they are not mistaken for the driver's own attack surface
- Flagging functions prone to misuse
- Finding potential
DeviceName(mmap scan + IDA Strings DB fallback, with source address) - Dumping
Pooltags(import-based primary + register-propagated fallback for tags staged in a register) - Heuristic vulnerability checks over each dispatcher and the functions it transitively calls: unvalidated
user-copy, TOCTOU/double-fetch, use-after-free (intra-function and cross-function via a freed global), missing
privilege gate, IRQL mismatch, unsafe MDL mapping, stack-allocated buffers (
_alloca), pool allocation without size validation, privileged CPU instructions (port I/Oin/out,mov cr*), arbitrary-write (write-what-where), and\Device\PhysicalMemoryreferences (BYOVD pattern) - see Heuristic Vulnerability Checks - Device ACL audit and symbolic-link tracking: flags
IoCreateDevicedevices created with no security descriptor (world-accessible) / weakIoCreateDeviceSecureSDDLs, and decodesIoCreateSymbolicLinktarget paths - Exports audit: flags driver exports with zero internal cross-references (potential attack surface)
- Risk-scoring decoded IOCTLs per-IOCTL (prioritising
METHOD_NEITHER/FILE_ANY_ACCESS, and bumping an IOCTL only for the dangerous sinks/opcodes reachable from its own case handler -MmMapIoSpace,memcpy,__writemsr, port I/O, PCI-config access - so a benign code in a monolithic dispatcher is no longer tarred with a dangerous sibling's sinks; when attribution is imprecise the bump is capped rather than forced to CRITICAL) and presenting all findings, by severity, in a clickable results window (double-click to jump to the address) - Tracing call chains from dispatch / IOCTL handlers to dangerous sinks (heuristic, name-based)
- Exporting results as a machine-readable JSON file and a standalone HTML report
The tool can automatically locate and identify the DispatchDeviceControl routine. This function is used to route all
incoming DeviceIoControl codes to the specific driver function associated with that code. Automatically identifying
this function makes finding the valid DeviceIoControl codes for each driver much quicker. Additionally, when
investigating possible vulnerabilities in a driver due to a crash, knowing the location of this function helps narrow
the focus to the specific function call associated with the crashing DeviceIoControl code.
When the analysis is successful some subs will be renamed as follow:
DriverEntry: the original first driver-supplied routine that is called after a driver is loaded. It is responsible for initializing the driver.Real_Driver_Entry: usually the function where the execution fromDriverEntryhas been transferred to. It is usually where theDeviceNameis initialized.DispatchDeviceControl/DispatchInternalDeviceControl: if the tool was able to recover the functions at some specific offsets, the functions will then be renamed with the appropriate name.Possible_DispatchDeviceControl_#: if the tool was not able to recoverDispatchDeviceControlorDispatchInternalDeviceControl, it employs an experimental searching, following the execution flow, and checking for cases where the function is loading knownIO_STACK_LOCATION&IRPaddresses; indicating that the function could be the DispatchDeviceControl. As it is based on heuristic, it could return more than one result, and it is prone to false positives.
Several driver structures are shared among all WDM/WDF drivers. The tool is able to automatically identify these
structures, such as the IO_STACK_LOCATION, IRP, and DeviceObject structures and can help save time during the
reverse engineering process and provide context to areas of the driver where these functions are in use.
While reversing drivers, it is common to come across IOCTL codes as part of the analysis. These codes, when decoded, reveal useful information and may draw focus to specific parts of the driver where vulnerabilities are more likely to exist.
By right-clicking on a potential IOCTL code, a context menu option is presented (alternatively using the
Ctrl+Alt+D shortcut when the cursor is on the line containing a suspected IOCTL code) and can be used to decode the
value. This will print out a table with all decoded IOCTL codes. By right-clicking on a decoded IOCTL code, in the
disassembly view, it's possible to mark it as invalid; this will leave any non-IOCTL comment intact.
- The decoded IOCTLs are printed to the Output window and listed in the severity-coloured IOCTLs window; after
auto-analysis they are also recorded in
findings.json/report.html.
Auto-analysis additionally runs a multi-strategy scan over identified dispatcher functions to discover IOCTLs
automatically, without requiring manual cursor placement. For each dispatcher it uses the Hex-Rays decompiler
(when available) to read switch-case labels and ==/!= comparison constants directly from the reconstructed
control flow, falling back to IDA's switch-table metadata and then to a raw immediate-operand scan. The
decompiler path recovers codes that never appear verbatim in the disassembly - e.g. drivers whose dispatcher
the compiler emitted as a jump table (only the table base/bound survive as immediates) or as a binary-search
comparison tree (intermediate codes survive only as deltas). On a representative corpus this raised recovery
from 7/28 to 28/28 (HEVD) and 4/17 to 17/17 (ALSysIO64) with no false positives.
Driver Buddy Reloaded has lists of C/C++ functions, opcodes and Windows APIs (defined in the vulnerable_function_lists directory) that are commonly vulnerable or that can facilitate buffer overflow conditions. All found instances are reported back during the auto-analysis and can help while looking for possible user-controlled code paths reaching sensitive functions.
The tool automatically attempts to find the drivers registered device paths (DeviceName), if no paths can be found by
looking at Unicode strings inside the binary, then the analyst can manually try to use
Madiant's FLOSS in an attempt to find obfuscated paths.
During the auto-analysis, the tool also dumps the Pooltags used by the binary in a format that works
with pooltags.txt. The output can then be copy-pasted at the end of the file and later picked up by WinDbg.
- A
DriverName.sys-DATE-TIME_STAMP-pooltags.txtfile, containing all the dumped Pooltags, will be written under IDA's DB directory.
The heuristics.py module runs after call-chain tracing and examines each dispatcher and the functions it
transitively calls - so the per-IOCTL handlers, not just the dispatcher prologue, are analysed. Callee matching
is import-aware (an imported call cs:__imp_<Name> matches the same name as a local call). It emits findings in
the heuristic category (privileged-instruction findings use the opcode category):
| Check | What is flagged | Severity |
|---|---|---|
| Unvalidated user copy | memcpy/RtlCopyMemory/etc. with no nearby ProbeForRead/ProbeForWrite/safe-string guard |
HIGH (handler), MEDIUM (other) |
| TOCTOU / double fetch | a user-mode pointer field re-read on one control-flow path with no intervening ProbeForRead (only on METHOD_NEITHER handlers, so kernel-buffer re-reads are not flagged) |
MEDIUM |
| Use-after-free | a freed pointer reused intra-function (register CFG walk), or a global freed without being nulled and then dereferenced from another function | HIGH |
| Missing privilege gate | a sensitive op (ZwOpenProcess/MmMapIoSpace/PCI-config/etc.) reachable from a dispatcher with no SeAccessCheck/SeSinglePrivilegeCheck/token check anywhere on the path |
HIGH |
| IRQL mismatch | Pageable / Zw* / MmMap* call when an IRQL-raising function is also present |
MEDIUM |
| Unsafe MDL mapping | MmMapLockedPages/MmProbeAndLockPages/etc. with UserMode in disassembly |
HIGH, else MEDIUM |
| Stack allocation | _alloca/_malloca/_chkstk call (large or dynamic stack allocation) |
LOW |
| Pool alloc without size validation | ExAllocatePool* call with no safe-arithmetic guard nearby (integer-overflow-before-alloc pattern) |
HIGH |
| Privileged instruction | port I/O (in/out), control/debug-register move (mov cr*/mov dr*), descriptor-table load, cli/sti/hlt reachable from a handler (BYOVD hardware-access primitive) |
CRITICAL (out) / HIGH (in) / MEDIUM |
| Arbitrary write (write-what-where) | a store through a double-dereferenced user pointer *(*p) = c; a *p = *q controlled copy is reported as a weaker lead |
HIGH / MEDIUM |
\Device\PhysicalMemory reference |
Cross-reference to the physical memory device object string (BYOVD pattern via ZwOpenSection/ZwMapViewOfSection) |
HIGH (handler), MEDIUM (other) |
These are lead generators, not confirmed vulnerabilities. Treat HIGH/CRITICAL findings as starting points for manual review.
All optional analysis stages are controlled by DriverBuddyReloaded/config.py. Edit the Feature class to
enable or disable them:
| Flag | Default | Description |
|---|---|---|
IOCTL_SCAN |
True |
Discover & decode IOCTLs (dispatcher scan + IoControlCode fallback) |
IOCTL_DECOMPILER |
True |
Use the Hex-Rays ctree in the dispatcher scan (recovers jump-table / binary-search codes) |
HEURISTICS |
True |
Heuristic vulnerability checks (see the table above) |
TOCTOU_CHECK |
True |
Double-fetch / TOCTOU heuristic |
UAF_DETECT |
True |
Use-after-free heuristics (intra-function register walk + cross-function global) |
ACL_AUDIT |
True |
Flag world-accessible IoCreateDevice / weak IoCreateDeviceSecure SDDL |
SYMLINK_TRACK |
True |
Decode IoCreateSymbolicLink target paths |
CALLCHAIN |
True |
BFS call-chain tracing from handlers to dangerous sinks |
EXPORTS_AUDIT |
True |
Flag driver exports with zero internal cross-references |
POOLTAG_FALLBACK |
True |
Register-propagated pool tag scanner (used when import-based scan finds nothing) |
IRP_MJ_ENUM |
True |
Create IRP_MJ_FUNCTION IDA enum and apply to MajorFunction slots (WDM only) |
RISK_SCORING |
True |
IOCTL risk scoring (METHOD/ACCESS weights + per-handler sink bump) |
RESULTS_WINDOW |
True |
Show the Driver Buddy Reloaded findings window after analysis |
JSON_EXPORT |
True |
Write findings.json |
HTML_REPORT |
True |
Write report.html |
SEGMENT_OPCODE_SCAN |
False |
Linear segment-wide opcode scan (noisy, off by default) |
Three layers, from fast to thorough:
- Pure-Python regression (no IDA required) - covers all logic that does not touch the live database:
python tests/test_dbr.py DBR_SDK=900 python tests/test_dbr.py # simulate the IDA 9.0 import paths - Cross-version smoke - runs the full pipeline under IDA 7.6 SP1, 8.4 and Free 9.3 against a matrix of real
.sysfiles and prints a pass/fail table:pwsh tests/run_cross_version.ps1. - Golden-output regression (the false-positive / false-negative guard) -
pwsh tests/run_golden.ps1re-runs the full analysis on a pristine copy of each reference driver intests/drivers/and compares the findings to the committedtests/drivers/<driver>.golden.jsonbaseline (order-insensitive on category, title, severity and IOCTL code/method/access). Any added finding (false positive), missing finding (false negative) or severity change fails the run. Regenerate a golden only when a change intentionally alters findings, and review the diff. Goldens are tied to the IDA decompiler build they were captured with (8.4), so run the regression with that version.
- IOCTL candidates are validated against the
CTL_CODEstructure by_is_valid_ctl_code(): the DeviceType field (bits 31-16) must be non-zero, and the value must not match a known NTSTATUS code or the0xFFFFFFFF(DWORD)-1sentinel (a comparison constant seen inside real dispatchers, e.g. WinRing0). This rules out loop counters, small immediates and error codes while preserving all valid IOCTLs including vendor-defined device types (0x8000+). The same filter is applied to all four discovery paths: theIoControlCodexref scan and the three dispatcher collectors (decompiler ctree, IDA switch-table recovery, and the raw immediate-operand scan). - Risk scoring and call-chain tracing are heuristic, name-based lead generators, not dataflow analysis; treat
High/Critical findings as places to look first, not as confirmed vulnerabilities. Feature toggles live in
DriverBuddyReloaded/config.py. - Experimental
DispatchDeviceControlsearching works only for x64 drivers - In find_opcodes.py, the
find_opcode_dataoption (defaultFalse) suppresses opcode matches that fall in data sections. Switching it toTruealso surfaces raw byte matches in data, which is prone to false positives; if a real opcode was missed, going to the reported address and re-defining the bytes as code usually recovers it. Matches are reported like every other stage (results window,findings.json,report.html).
- Created in 2021 by Paolo Stagno aka @Void_Sec:
- Risk-scoring and reporting ideas adapted from Driver Buddy Revolutions by Juan Sacco.
- DriverBuddy was originally written by Braden Hollembaek and Adam Pond of NCC Group.
- Using Satoshi Tanda's IOCTL decoder.
- The WDF functions struct is based on Red Plait's work and was ported to IDA Python by Nicolas Guigo, later updated by Braden Hollembaek and Adam Pond.
- Using Sam Brown's F-Secure win_driver_plugin to retrieve device name and pool tags, specifically Alexander Pick fork.
- The original code for adding items to the right-click menu (and possibly some other random snippets) came from 'herrcore'.
- Proudly developed using PyCharm for Open Source development by JetBrains








