VoidSec / DriverBuddyReloaded

Driver Buddy Reloaded is an IDA Pro Python plugin that helps automate some tedious Windows Kernel Drivers reverse engineering tasks
https://voidsec.com/driver-buddy-reloaded
GNU General Public License v3.0

[BUG] "IOCTL Decode All" is missing some cases #2

Closed VoidSec closed 2 years ago

VoidSec commented 2 years ago

In

https://github.com/VoidSec/DriverBuddyReloaded/blob/d272537d6cc9ff7c16eccb5aa04d101401bc203e/DriverBuddyReloaded.py#L179

"IOCTL Decode All" function is missing some cases, as can be seen in the following image:

[image]

The only immediate fix I can think of is reworking the heuristic functionality:

  1. [x] processing the entire block for cmp, mov, sub operations
  2. [x] checking that the immediate operand has 10 digits
  3. [x] excluding NTSTATUS values
  4. [x] decoding the suspected IOCTL code

Will probably generate some more false positives, but it will cover "switch" cases falling into the "default" case and such.
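The four-step heuristic sketched in the issue, written out as an added, self-contained example; this is not the plugin's own code and it runs offline on constructed disassembly text rather than through the IDA API. Two points are assumptions of this example: "10 digits" is read as the length of the immediate's decimal representation (which is why user-defined device types from 0x8000 upward and NTSTATUS values both pass that check and NTSTATUS then has to be excluded), and NTSTATUS exclusion is approximated with a short constructed list of well-known codes plus the error-severity bit pattern, which a real implementation would widen.

```python
import re

# Constructed disassembly lines standing in for one basic block as an IDA
# walk would yield it (mnemonic + operands). Not taken from the plugin.
SAMPLE_BLOCK = [
    "mov     eax, [rsp+38h]",
    "cmp     eax, 80002004h",    # user-defined IOCTL, device type 0x8000
    "jz      short loc_A",
    "sub     eax, 80002008h",    # compiler-rewritten switch: sub then test
    "jz      short loc_B",
    "mov     eax, 0C0000010h",   # STATUS_INVALID_DEVICE_REQUEST, not an IOCTL
    "cmp     ecx, 3",            # small immediate, never an IOCTL
    "mov     ecx, 0C0000001h",   # STATUS_UNSUCCESSFUL, not an IOCTL
]

# Step 1: only cmp/mov/sub with a register first operand and an immediate
# second operand (IDA-style "...h" hex or plain decimal).
IMM_RE = re.compile(
    r"^\s*(cmp|mov|sub)\s+\w+,\s*([0-9A-Fa-f]+h|\d+)\s*$", re.IGNORECASE)

# Constructed NTSTATUS exclusion list (assumed subset; a real tool needs more).
NTSTATUS_KNOWN = {
    0xC0000001,  # STATUS_UNSUCCESSFUL
    0xC000000D,  # STATUS_INVALID_PARAMETER
    0xC0000010,  # STATUS_INVALID_DEVICE_REQUEST
    0xC0000022,  # STATUS_ACCESS_DENIED
    0xC0000023,  # STATUS_BUFFER_TOO_SMALL
}

METHOD_NAMES = ["METHOD_BUFFERED", "METHOD_IN_DIRECT",
                "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
ACCESS_NAMES = ["FILE_ANY_ACCESS", "FILE_READ_ACCESS",
                "FILE_WRITE_ACCESS", "FILE_READ_ACCESS | FILE_WRITE_ACCESS"]


def parse_immediate(text):
    """Convert an IDA-style immediate ('80002004h' or '42') to an int."""
    text = text.lower()
    if text.endswith("h"):
        return int(text[:-1], 16)
    return int(text, 10)


def has_ten_digits(value):
    """Step 2 (assumed reading): the decimal form has exactly 10 digits."""
    return len(str(value)) == 10


def looks_like_ntstatus(value):
    """Step 3: drop known NTSTATUS codes and anything with error severity
    (top two bits 0b11). Device types >= 0xC000 are sacrificed by this."""
    return value in NTSTATUS_KNOWN or (value >> 30) == 0b11


def decode_ioctl(code):
    """Step 4: split a CTL_CODE value into its documented fields."""
    return {
        "device": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }


def find_ioctl_candidates(lines):
    """Run steps 1-4 over a block; returns (mnemonic, value, fields) tuples."""
    found = []
    for line in lines:
        m = IMM_RE.match(line)
        if not m:
            continue
        value = parse_immediate(m.group(2))
        if not has_ten_digits(value) or looks_like_ntstatus(value):
            continue
        found.append((m.group(1).lower(), value, decode_ioctl(value)))
    return found


def describe(candidate):
    """Human-readable line for one candidate, in the spirit of a decoder."""
    mnem, value, f = candidate
    return ("%s 0x%08X -> device 0x%04X, function 0x%03X, %s, %s" %
            (mnem, value, f["device"], f["function"],
             METHOD_NAMES[f["method"]], ACCESS_NAMES[f["access"]]))


if __name__ == "__main__":
    for cand in find_ioctl_candidates(SAMPLE_BLOCK):
        print(describe(cand))
```

On the constructed block the two IOCTLs reached through `cmp` and `sub` are reported while both NTSTATUS constants and the small `cmp ecx, 3` are dropped; the `sub` hit is the "default"-style case the issue wants covered, and the price, as the issue notes, is that any other 10-digit immediate that is not in the exclusion list will surface as a false positive.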