From securityonline.info
Furious Beaver is a distributed tool for capturing IRPs sent to any Windows driver. It operates in 2 parts:
- the “Broker” combines both a user-land agent and a self-extractable driver (
IrpDumper.sys) that will install itself on the targeted system. Once running it will expose (depending on the compilation options) a remote named pipe (reachable from\\target.ip.address\pipe\cfb), or a TCP port listening on TCP/1337. The communication protocol was made to be simple by design (i.e. not secure) allowing any 3rd party tool to dump the driver IRPs from the same Broker easily (via simple JSON messages). - the GUI is a Windows 10 UWP app made in a
ProcMon-style: it will connect to wherever the broker is, and provide a convenient GUI for manipulating the broker (driver enumeration, hooking and IRP capturing). It also offers facilities for forging/replaying IRPs, auto-fuzzing (i.e. apply specific fuzzing policies on each IRP captured), or extract IRP in various formats (raw, as a Python script, as a PowerShell script) for further analysis. The captured data can be saved on disk in an easily parsable format (*.cfb= SQLite) for further analysis, and/or reload afterward in the GUI.