CFB

CFB is a ProcMon-style tool designed to assist capturing IRPs sent to Windows drivers.

README

What is it?

[!CAUTION] CFB is meant for research and debugging purposes only; it should never be used on production systems. A BSoD may also happen. You've been warned.

Canadian Furious Beaver is a ProcMon-style tool designed only for capturing IRPs sent to any Windows driver. It operates in two parts:

  1. The "Broker" combines a user-land agent with a self-extracting driver (IrpMonitor.sys) that installs itself on the targeted system. Once the driver is installed, the broker exposes a listening TCP port (TCP/1337 by default) and starts collecting IRPs from the hooked drivers. The communication protocol was kept simple by design (i.e. it is not secure), so that any third-party tool can easily dump the driver IRPs from the same Broker via plain JSON messages.

  2. Clients connect to the broker and receive each IRP as a JSON message, which makes it easy to view or convert to another format.

[Screenshot: GUI client]

[Screenshot: CLI client]

IRPs (metadata plus input/output buffers) can be saved to disk as JSON files, which makes further scripting easy.

[!WARNING] Although the CFB driver (IrpMonitor.sys) should not violate PatchGuard, it is only self-signed and therefore requires TestSigning to be enabled in the BCD.

Why the name?

Because I had no idea what to call this tool, the name was graciously generated by a script of mine.

Kudos

GitHub stars: 332
Forks: 68
Category: Design
Updated: 10d ago
Languages: C++
Security score: 85/100 (audited on Mar 19, 2026, no findings)