Question

I'm reverse-engineering some malicious sys drivers. They are packed, so the only way for me to make them human readable was to load the drivers (with OSR Loader) and dump them from Kernel Memory (with rkUnhooker).

Unfortunately, I need to rebuild the IAT but I can't find a simple step-by-step guide to do that manually, and none of the tools I've tried (scylla, imprec, chimprec) seem to work. They work by attaching to a process, but (maybe I'm wrong) a loaded driver does not necessarily belong to a process.

So, my question is: how can I rebuild the IAT of a sys driver - when dumping from kernel memory - OR what tools are available to automate this.


Solution

I found the easiest workaround for analyzing a driver with no IAT is to use volatility's moddump and impscan modules. moddump carves the driver from memory and provides the base address.

Impscan looks for a jump table starting at the specified base address, and using the argument --output=idc, it produces an IDA script file.

I modified the dumped driver with LordPE to change the ImageBase to match the base address provided by volatility. Then I opened the driver in IDA pro. After the driver finished loading, I went to File >> Script Command and copied and pasted the IDC code from volatility's impscan.

Much better!

It doesn't repair the IAT though, but it really helps with static analysis.
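The procedure the answer describes (set the carved dump's ImageBase to the load address volatility reports, then feed IDA an IDC script that names the import slots), as an added Python example that is not part of the original post and is not Volatility's, LordPE's or IDA's own code. It patches the ImageBase field of the optional header directly instead of using LordPE, and writes MakeDword/MakeQword plus MakeName statements in the shape impscan's --output=idc produces (that shape is assumed from memory of the plugin, not copied from it). The PE header bytes, the module/function list and every address below are constructed sample data; a real run would use the dump from moddump and the slots impscan reports.

```python
"""
Added example (not from the original post): rebase a dumped driver to its
kernel load address and emit an IDC script naming resolved import slots.
All inputs here are constructed; nothing is read from a real memory image.
"""
import struct

PE32_MAGIC = 0x10B      # IMAGE_NT_OPTIONAL_HDR32_MAGIC
PE32PLUS_MAGIC = 0x20B  # IMAGE_NT_OPTIONAL_HDR64_MAGIC


def _optional_header_offset(buf: bytes) -> int:
    """Locate the optional header: MZ -> e_lfanew (0x3C) -> 'PE\\0\\0' -> 20-byte COFF header."""
    if buf[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew + 4 + 20


def get_image_base(pe: bytes) -> int:
    """Read OptionalHeader.ImageBase (4 bytes at +28 for PE32, 8 bytes at +24 for PE32+)."""
    opt = _optional_header_offset(pe)
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        return struct.unpack_from("<I", pe, opt + 28)[0]
    if magic == PE32PLUS_MAGIC:
        # PE32+ has no BaseOfData field, so ImageBase moves up by 4 and widens to 8 bytes.
        return struct.unpack_from("<Q", pe, opt + 24)[0]
    raise ValueError("unknown optional header magic 0x%x" % magic)


def set_image_base(pe: bytes, new_base: int) -> bytes:
    """Return a copy of `pe` with ImageBase set to the address the driver was loaded at.

    This is the LordPE step from the answer: IDA loads the file at ImageBase, so the
    absolute addresses impscan reports only line up once ImageBase equals the load address.
    """
    buf = bytearray(pe)
    opt = _optional_header_offset(buf)
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == PE32_MAGIC:
        struct.pack_into("<I", buf, opt + 28, new_base)
    elif magic == PE32PLUS_MAGIC:
        struct.pack_into("<Q", buf, opt + 24, new_base)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return bytes(buf)


def iat_to_idc(slots, ptr_size=4) -> str:
    """Build an IDC script from (iat_slot_address, module, function) tuples.

    The MakeDword/MakeQword + MakeName pairing follows the shape of impscan's
    --output=idc (assumed, not copied from the plugin). The module goes in an
    IDC comment so the symbol name stays a plain identifier IDA will accept.
    """
    make = "MakeDword" if ptr_size == 4 else "MakeQword"
    lines = []
    for addr, module, func in sorted(slots):
        lines.append("%s(0x%08X);" % (make, addr))
        lines.append('MakeName(0x%08X, "%s"); // %s' % (addr, func, module))
    return "\n".join(lines) + "\n"


def build_stub_pe(magic: int, image_base: int) -> bytes:
    """Constructed sample: a bare MZ/PE header with no sections, enough to exercise the code above."""
    e_lfanew = 0x40
    buf = bytearray(e_lfanew + 4 + 20 + 0xF0)  # room for a PE32+ optional header
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, magic)
    if magic == PE32_MAGIC:
        struct.pack_into("<I", buf, opt + 28, image_base)
    else:
        struct.pack_into("<Q", buf, opt + 24, image_base)
    return bytes(buf)


if __name__ == "__main__":
    # Placeholder load address of the kind moddump reports; not a real one.
    load_base = 0xF7A2B000
    dumped = build_stub_pe(PE32_MAGIC, 0x10000)
    rebased = set_image_base(dumped, load_base)
    print("ImageBase 0x%X -> 0x%X" % (get_image_base(dumped), get_image_base(rebased)))
    # Constructed import slots, of the kind impscan would resolve from the jump table.
    sample_slots = [
        (load_base + 0x104, "ntoskrnl.exe", "ExAllocatePool"),
        (load_base + 0x100, "ntoskrnl.exe", "IoCreateDevice"),
    ]
    print(iat_to_idc(sample_slots), end="")
```

Run it against the real dump by replacing build_stub_pe() with the bytes moddump wrote and sample_slots with impscan's output; the script it prints is what goes into File >> Script Command in IDA. The IDC names are the legacy IDC API, which IDA still accepts; as the answer notes, none of this restores an actual import directory in the file, it only labels the slots for static analysis.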

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow