Introduction to Kartoffel
We may sum up the goal of Kartoffel as follows:
+ Build the I/O request
+ Send the I/O request
+ Analyze the response received.
A variety of factors make these tasks harder to accomplish.
One of the most important is that we are using a user-mode application to test drivers, so what we can reach from there is limited.
To address this, Kartoffel comprises both user-mode and kernel-mode components.
User-mode:
+ Kartoffel.exe
+ Kartolib
+ K-plugins
Kernel-mode:
+ Kartoffel.sys
Kartoffel in the userland
Kartoffel.exe is the command-line tool from which you can load your plugin, launch a bunch of tests/attacks against your driver, et cetera. Most of Kartoffel's features are exposed via kartolib, so you can build your own applications to test drivers or create your own customized K-plugin.
Kartoffel can be improved and customized through K-plugins. K-plugins are ordinary DLLs that export certain callbacks, which open up a communication channel between the K-plugin and Kartoffel. According to the main purpose of the K-plugin, we may distinguish two types:
Content-Generator Plugins
This type of plugin is intended as a method for generating data to be sent to the driver. For instance, imagine you are developing a driver that, as part of its daily business, receives data from a user process.
You may want to test whether the driver handles this data correctly, not only from a security standpoint but for reliability as well. You can easily connect your external source of data to the plugin, send it to the driver, log the response and see the outcome. Only a dozen lines of code are needed.
This type of plugin should export at least one of the following callbacks: Callback_Buffer, Callback_Response or Callback_Information.
Direct Plugins
On the other hand, we have the sort of plugin whose function is a little more specific. In this case, Kartoffel acts merely as a "trigger", just calling "Callback_Direct". There is no interaction between the plugin and Kartoffel beyond invoking that callback. This type of plugin is intended as a method for developing and testing PoC/exploits without having to repeat the same lines of code all over again.
In any case, both kinds of K-plugin should export "Callback_Overview", which returns information about the plugin.