Announcing Device IOCTL/WMI Record and Playback Platform (DRPP)

NTDEV
1

Announcing Device IOCTL/WMI Record and Playback Platform (DRPP) an extension to WDTF

At a high level, the Device IOCTL/WMI Record and Playback Platform (DRPP) is a new extension to the Windows Device Testing Framework (WDTF). It is designed to move away from "blind" fuzzing toward more deterministic, "meaningful" I/O testing for any general device class .

Driver Verifier is used to catch IOCTL issues within drivers, while fuzzing techniques are typically employed to find the following types of bugs

Why Test IOCTL Code Paths?

IOCTLs often process untrusted, variable-length user input with complex, per-code semantics. Common bug classes include:

  • Bounds/length issues : Integer over/underflow, truncated lengths, negative sizes; out-of-bounds read/write. DV Memory Checks
  • Use-after-free / double free : Lifecycle mistakes during cancel/close races or reference mismanagement. Special Pool Check
  • Race conditions : Concurrent IOCTLs, cancellation (IRP cancel on Windows), multi-handle interleaving. DV Deadlock Detection and I/O Verification
  • Info leaks : Uninitialized memory in output buffers. DV Pool Tracking
  • Privilege boundary mistakes : Missing access checks on the device object or specific IOCTLs; wrong impersonation context. DV Security Checks

How to execute these tests.

While Driver Verifier is excellent at catching these issues once triggered, finding the right sequence of I/O to expose them is often the challenge. DRPP is designed to help address this by enabling developers:

  • Record real IOCTL and WMI traffic against a target driver

  • Replay those interactions deterministically to reproduce issues in timely manner.

  • Improve regression and repeatability

  • Reduce the effort required to capture complex or timing-sensitive bugs also will help share data file in the future.

This platform can be used to shorten the development cycle and find the issues earlier in the driver code path.

We’ve published a detailed overview and usage guidance on the Microsoft Tech Community here:
:backhand_index_pointing_right: Announcing Device IOCTL/WMI Record and Playback Platform (DRPP)

Feedback from the OSR community has helped shape improvements in the Windows driver ecosystem, and we’d really appreciate your perspective here as well.

Thanks, and looking forward to the discussion.

1 Like