Obfuscators for drivers?

Hello everyone,

I was trying to google this subject, but found nothing really useful. Are there any obfuscators for Windows kernel drivers? It seems like there are none … If so, why not? There are plenty of them for user mode applications …

Just want to hear different opinions on this.

Thanks in advance for answering,

Petr.

I don’t really know anything about it, but CodeVirtualizer
(http://www.oreans.com/codevirtualizer.php) was developed by the same people
as Themida specifically for drivers.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Friday, October 01, 2010 4:57 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Obfuscators for drivers?


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

xxxxx@gmail.com wrote:

I was trying to google this subject, but found nothing really useful. Are there any obfuscators for Windows kernel drivers? It seems like there are none … If so, why not? There are plenty of them for user mode applications …

The fact that there are plenty of them doesn’t mean the entire concept
isn’t stupid. But I digress.

There is no point in obfuscating something that costs $0, and that is
the suggested retail price of most drivers.

You have to ask yourself “what is the point of an obfuscator?”. I might
reply “none at all,” but that doesn’t forward the discussion. The point
is to protect IP. With a few exceptions, drivers do not contain IP.
They merely contain plumbing to provide access to a piece of hardware.
It’s the hardware that has the IP.

What does a person gain by reverse engineering and reinventing my web
cam driver? If they write their own, all they can do is drive one of my
client’s cameras. My client would be tickled pink by that, since it
just means more camera sales.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

You can strip the symbols out - that leaves things fairly well
obfuscated. See binplace.

Mark Roddy


Given the large vulnerability research market out there right now, there are
definitely many ‘security’ products that would have an interest in making it
harder to RE their stuff by people who are looking to charge them to not
publish their findings about, say, a firewall. I’m not saying that this
means that they would use something like this, nor is it IP, but I think
that you could make an argument here for a pretty large number of products,
though one that of course ignores (at least for the moment) all the
tradeoffs that come with anything like this.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Friday, October 01, 2010 5:09 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Obfuscators for drivers?


I agree that obfuscating a hardware driver seems to be quite a useless idea.

But not all drivers are hardware …

Let’s assume hypothetically (!) that I wrote a driver which is part of a security system and I don’t want it to be analyzed because competitors may get some ideas from my code :). I patented my technology, but I still don’t want it to be analyzed, or at least I want to make the life of bad guys a little bit more complex.

How should I proceed?

P.S. I just took a free version of IDA and saw that the code is quite readable :(

Some might argue that drivers are self-obfuscating…

–mkj


//
// Michael K. Jones
// Stone Hill Consulting, LLC
// http://www.stonehill.com
//_______________________________________________

The link that I posted is the only product that I am aware of that purports
to tackle this problem.

Good luck,

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Friday, October 01, 2010 5:40 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Obfuscators for drivers?


Also, just to state the obvious, on the value scale, I would put obscure
dead last behind functional, correct and stable and my concern would be that
achieving the obscure goal might detract from those three.

mm
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Friday, October 01, 2010 5:40 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Obfuscators for drivers?


mm,

Thanks for your comments. Stability and reliability are my main concerns, therefore I am thinking about doing the obfuscation myself …

Actually, drivers are easier to analyze than other code. There are more
well-defined entry points where you can start, and the DDIs used can give a good
picture of what the code is doing. Depends on the kind of code, of course.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Michael Jones
Sent: Friday, October 01, 2010 11:41 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Obfuscators for drivers?


They are also usually smaller, simpler and for the most part they are
written in C, or really NOT written in C++, which makes reverse engineering
something harder and static analysis problematic.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Michal Vodicka
Sent: Friday, October 01, 2010 5:57 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Obfuscators for drivers?


Not an easy task, IMO. I presume you want to obfuscate binary code.

If the code you need to protect is complicated enough, it could be
sufficient to strip symbols as Mark wrote and never give away a debug
version, even without them. Compiler optimization in the release version
obfuscates code for you. Anyway, as you saw, IDA is very good and makes
disassembling easy.

You can also refactor your sources to make the code uglier and less logical
to an attacker. Use long functions instead of clear short ones, pass
parameters packed into blocks, call functions via pointers or tables of
pointers etc. Or rewrite the code in C++ and don’t forget to use templates
for everything ;)

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Friday, October 01, 2010 11:49 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Obfuscators for drivers?


Michal,

Thanks, I will follow your suggestions. As a matter of fact, sometimes I indeed pass params via structures just not to waste too much stack on x32 builds. And I do write long functions sometimes. However, making code too ugly can make it hard for the good guys to understand the source code :)

Interesting, among all projects on sourceforge, there are no obfuscators for low level code: http://sourceforge.net/search/?words=obfuscator&sort=score&sortdir=desc&offset=0&type_of_search=soft

> I agree that obfuscating a hardware driver seems to be quite a useless idea. But not all drivers are hardware …

I know some hardware drivers whose designs were patented, and the focus in the development of such designs is more on the drivers than on the hardware.
And some companies don’t want to release the source code of their hardware drivers for Linux.

Igor Sharovar

Yes, BROADCOM does not release its sources for chip drivers on many wi-fi routers, thus forcing different firmwares like dd-wrt, tomato, oleg’s firmware to stick to an old version of the Linux kernel.

wrote in message news:xxxxx@ntdev…

> Interesting, among all projects on sourceforge, there are no
> obfuscators for low level code

Just think a moment about jailbroken Apple devices,
Xbox and others. This is more or less the same type of code
that is found in drivers, made specially with some “security thru obscurity”
in mind.
Motivated people and organizations will break your stuff.

Serious obfuscation is hardware assisted. For example, you can make
for your firmware side a private instruction set, unknown to IDA;
new FPGA based processors (Altera…) endorse this.

On the idea of obfuscation of kernel code in general - try to ask in Linux
forums ;)

Regards,
–pa

I would recommend not obfuscating. While I was at Symantec, we never
would have considered this for symevent/savrt because of the
supportability problems it creates. IMHO, your time is better spent
writing better product than protecting IP.


Sent from my mobile device

+1

I would never do this, but if you (op) feel you must do this, at least
consider buying the feature and spending your time on your code. Keeping
the conversation reasonable, no matter what it costs, it’s not going to even
chart compared to what it will cost you to implement and maintain a product
that will now be less mature as a result of the time tradeoff.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of David Luxford
Sent: Friday, October 01, 2010 9:13 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Obfuscators for drivers?


“M. M. O’Brien” wrote in message
news:xxxxx@ntdev…
Buying requires spending time on study and evaluation, besides money.
It may be a “do or die” situation, especially in these damn days :(
/me recalls a couple of urgent calls to obfuscate code (that we did not plan
to do from the beginning), before demoing in a certain country
known for dealing with IP issues liberally.
–pa
