IOCTLance
Windows driver vulnerability detection through symbolic execution and taint analysis
IOCTLance is a comprehensive rewrite and enhancement of the vulnerability detection tool originally created by TeamT5 and presented at CODE BLUE 2023. The original IOCTLance found 117 vulnerabilities resulting in 41 CVEs. My refactored version maintains this capability while discovering additional vulnerabilities the original missed, particularly critical buffer overflows leading to arbitrary code execution.
This project also explores LLM-assisted adversarial testing and vulnerability summarization.
Key Improvements
- Plugin-based architecture for all vulnerability detectors
- Full parity with original plus 6 additional detector types
- 25-35% performance improvement through optimizations
- Modern Python 3.13+ with full type safety and Pydantic models
- Real driver testing with 104 known vulnerable samples
Enhanced Detection Capabilities
The original IOCTLance detected ~11 vulnerability types. My enhanced version includes ALL original detectors plus 6 additional types:
Original Detectors (Preserved):
- All physical memory mapping, process handle, and file operation checks
- The ObOpenObjectByPointer and controllable-memcpy checks (recently restored)
Newly Added Detectors (6):
- Use After Free - Detects access to freed memory
- Double Free - Catches multiple free operations
- Race Conditions - TOCTOU vulnerabilities
- Integer Overflow - Arithmetic vulnerabilities
- Format String - Format string bugs
- Probe Bypass - Detects actual ProbeForRead/Write bypasses (vs just tracking)
Enhanced Detectors:
- Stack Buffer Overflow - Now detects controllable PC/RCE (old version only checked memcpy size)
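To make the "actual bypass vs. just tracking" distinction concrete, here is an added illustration that is not IOCTLance's own code: a minimal plugin-style detector run over a constructed, abstract path model. The Event type, the taint seed name user_buf, the Detector base class and the sample paths are assumptions; in the real tool these observations would come from angr's symbolic state rather than a hand-built list.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    """One observation on a single explored path (constructed model, not IOCTLance's types)."""
    kind: str        # "probe", "read" or "write"
    base: str        # symbolic base pointer, e.g. "user_buf" (the IOCTL input buffer)
    offset: int      # constant byte offset from base
    size: int        # bytes probed or accessed
    mode: str = ""   # probes only: "read" (ProbeForRead) or "write" (ProbeForWrite)

class Detector:
    """Plugin interface: every detector consumes the path and returns finding strings."""
    name = "base"
    def run(self, tainted: frozenset[str], path: list[Event]) -> list[str]:
        raise NotImplementedError

class ProbeBypassDetector(Detector):
    """Flag a dereference of a tainted (user-controlled) pointer whose byte range is not
    covered by an earlier probe on the same path. Only recording "ProbeForRead was called"
    would miss a probe that is too short or of the wrong mode; this checks per access:
    a read is covered by either probe kind, a write only by ProbeForWrite."""
    name = "probe_bypass"
    def run(self, tainted, path):
        probed: dict[str, list[tuple[str, int, int]]] = {"read": [], "write": []}
        findings = []
        for ev in path:
            if ev.kind == "probe":
                probed[ev.mode].append((ev.base, ev.offset, ev.offset + ev.size))
            elif ev.base in tainted:
                ranges = probed["write"] + (probed["read"] if ev.kind == "read" else [])
                lo, hi = ev.offset, ev.offset + ev.size
                if not any(b == ev.base and plo <= lo and hi <= phi for b, plo, phi in ranges):
                    findings.append(f"{self.name}: {ev.kind} {ev.base}+{lo} ({ev.size} bytes) not covered by a probe")
        return findings

def analyze(path: list[Event], detectors: list[Detector], tainted=frozenset({"user_buf"})) -> list[str]:
    """Run every registered detector plugin over one path; taint is seeded with the user buffer."""
    return [f for d in detectors for f in d.run(tainted, path)]

# Constructed paths through a handler that receives a raw user-mode pointer.
SAFE_PATH = [Event("probe", "user_buf", 0, 16, "write"),
             Event("read", "user_buf", 8, 4), Event("write", "user_buf", 0, 8)]
BYPASS_PATH = [Event("probe", "user_buf", 0, 8, "read"),
               Event("read", "user_buf", 8, 4),     # beyond the probed 8 bytes
               Event("write", "user_buf", 0, 4),    # probed for read only, then written
               Event("read", "stack_local", 0, 4)]  # not user-controlled: never flagged

if __name__ == "__main__":
    for label, path in (("safe", SAFE_PATH), ("bypass", BYPASS_PATH)):
        print(label, analyze(path, [ProbeBypassDetector()]))
```

The safe path yields no findings; the bypass path yields two, one for the out-of-range read and one for the write that only had a read-mode probe.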
New Vulnerability Detection Capabilities
My enhanced version discovers vulnerabilities the original missed:
- Buffer overflows with controllable PC - Critical RCE vulnerabilities
- Improved state tracking - Continues analysis beyond initial vulnerabilities
- Example: In ilp60x64_3.sys, found 35 vulnerabilities (vs 19 in original), including 10 critical buffer overflows leading to arbitrary code execution
Technical Innovation
IOCTLance addresses critical Windows kernel security by detecting:
- Arbitrary physical memory mapping
- Null pointer dereferences
- Buffer overflows and use-after-free
- Arbitrary code execution
- Race conditions and double-free vulnerabilities
Architecture Highlights
- Modular design with separated concerns (core, detectors, hooks, models)
- FastAPI REST API with WebSocket support for real-time analysis
- Docker containerization for CLI and API deployment
- Comprehensive test suite with 48% coverage using real vulnerable drivers
Impact
The original TeamT5 IOCTLance discovered vulnerabilities in widely-deployed drivers including RTCore64.sys (used in BlackByte ransomware attacks). My enhanced version maintains this detection capability while finding additional critical vulnerabilities, particularly buffer overflows leading to arbitrary code execution that the original missed. These new detections represent exploitable RCE vulnerabilities, significantly increasing the security value of the analysis.
Related Work
- Original IOCTLance repository by TeamT5
- Based on the angr symbolic execution framework
- Presented at CODE BLUE 2023: “Enhanced Vulnerability Hunting in WDM Drivers”
- Motivated by vxunderground driver project