Privilage Escalation check on Drivers in Python

This code will query the WMI service in order to retrieve information about current drivers, their status and access rights. As you might be aware if drivers are not locked down properly, it may be possible to create nice rootkit loaded by the kernel and execute any code you might find useful. Furthermore it can be possible to override driver with your custom made stuff to elevate privileges from there.

print "[+] List System driver and Check file access permissions "
print "[+]                        By Y                          " 
print "[+] If you know me then give me a shout                  "
 
class driver():
	def getSystemDrivers(self):
        print "[+] Dumping System Drivers And Their Location"
        # function reference : http://msdn.microsoft.com/en-us/library/windows/desktop/aa394472%28v=vs.85%29.aspx
        strComputer = "."
        WmiServiceConnector = win32com.client.Dispatch("WbemScripting.SWbemLocator")
        objSWbemServices = WmiServiceConnector.ConnectServer(strComputer,"root\CIMV2")
        listOfDrivers = objSWbemServices.ExecQuery("SELECT * FROM Win32_SystemDriver")
        for objItem1 in listOfDrivers:
            print "\t[+] Dumping info for driver : " , objItem1.PathName
            if objItem1.PathName is not None:
                print "\t\tDriver Path : " , objItem1.PathName
            if objItem1.Description is not None:
                print "\t\tDescription : " , objItem1.Description
            if objItem1.InstallDate is not None:
                print "\t\tInstallation Date : ", objItem1.InstallDate
            if objItem1.ServiceType is not None:
                print "\t\tService Type : ", objItem1.ServiceType
            if objItem1.StartMode is not None:
                print "\t\tStart Mode : ", objItem1.StartMode
            if objItem1.DesktopInteract is not None:
                print "\t\tDesktop Interaction : ", objItem1.DesktopInteract
            if objItem1.Name is not None:
                print "\t\tDriver Name : ", objItem1.Name
            if objItem1.Started is not None:
                print "\t\tDriver started :" , objItem1.Started
            if objItem1.State is not None:
                print "\t\tCurrent Driver State : ",  objItem1.State
            if objItem1.ErrorControl is not None:
                print "\t\tErrorControl : ", objItem1.ErrorControl
            
            fileChecks().checkPermission(objItem1.PathName)
            fileChecks().getBasicInfo(objItem1.PathName)



class fileChecks():
    def checkPermission(self,filePath):
        # based on http://www.ibm.com/developerworks/aix/library/au-python/
        mode=stat.S_IMODE(os.lstat(filePath)[stat.ST_MODE])
        print "\t\t\t[+] Permissions for file ", filePath
        for level in "USR", "GRP", "OTH":
            for perm in "R", "W", "X":
                if mode & getattr(stat,"S_I"+perm+level):
                    print "\t\t\t\t",level, " has ", perm, " permission"
                else:
                    print "\t\t\t\t",level, " does NOT have ", perm, " permission"
    
    def getBasicInfo(self,file_name):
        time_format = "%m/%d/%Y %I:%M:%S %p"
        file_stats = os.stat(file_name)
        modification_time = time.strftime(time_format,time.localtime(file_stats[stat.ST_MTIME]))
        access_time = time.strftime(time_format,time.localtime(file_stats[stat.ST_ATIME]))
        creation_time = time.strftime(time_format,time.localtime(file_stats[stat.ST_CTIME]))
        print "\t\t\t[+] Basic File Information "
        print "\t\t\t\t Modification time: " , modification_time
        print "\t\t\t\t Access time: " , access_time
        print "\t\t\t\t Creation time: " , creation_time
        print "\t\t\t\t Owner UID : ", file_stats[stat.ST_UID]
        print "\t\t\t\t Owner GID : ",  file_stats[stat.ST_GID]   

drivers = driver()
drivers.getSystemDrivers()

Dumping Drivers on Windows

Ever wonder how to list all the drivers on your windows machine ? Here is a quick answer coded in Python that hopefully can help some people.

from ctypes import *
#Windows modules loader
kernel32 =  windll.kernel32
psapi = windll.psapi

class drivers():
    def getAllDeviceDrivers(self):
        lpcbNeeded =          c_ulong(0)
        empty_init_array      = c_ulong * 1024
        lpImageBase           = empty_init_array()
        drivername_size       = c_long()
        drivername_size.value = 48
        if psapi.EnumDeviceDrivers(byref(lpImageBase),sizeof(c_void_p)*1024,byref(lpcbNeeded)):
            no_drivers = int(lpcbNeeded.value / sizeof(c_void_p))
            print "[*] EnumDeviceDrivers: %d modules detected" % no_drivers
            print "\t[+] Dumping all device drivers"
            for baseaddy in lpImageBase:
     
                drivername = c_char_p("\x00"*drivername_size.value)
                if baseaddy:
                    psapi.GetDeviceDriverBaseNameA(baseaddy, drivername, drivername_size.value)         
                             
                    driverpath = c_char_p("\x00"*drivername_size.value)
                    psapi.GetDeviceDriverFileNameA(baseaddy,driverpath,drivername_size.value)
                    # if we have drivers with addresses allocated within 0x80000000 and 0xFFFFFFFF they loaded directly kernel
                    if baseaddy > 2147483648 and baseaddy < 4294967295:  
                        print "\t\t [-] Kernel Driver",drivername.value.lower(),"is located on 0x%08x load path is %s" % (baseaddy,driverpath.value.lower())
                    else:
                        # user level drivers are within 0x00000000 and 0x7FFFFFFF
                        print "\t\t [-] User Driver",drivername.value.lower(),"is located on 0x%08x load path is %s" % (baseaddy,driverpath.value.lower())                 

drivers = drivers()
drivers.getAllDeviceDrivers()