VoidSec / DriverBuddyReloaded

Driver Buddy Reloaded is an IDA Pro Python plugin that helps automate some tedious Windows Kernel Drivers reverse engineering tasks
https://voidsec.com/driver-buddy-reloaded
GNU General Public License v3.0

[BUG] WDF/KMDF detection #29

Open VoidSec opened 1 year ago

VoidSec commented 1 year ago

Describe the bug

WDF detection library correctly detects a KmdfLibrary but the driver is marked as WDF anyway

To Reproduce

[WDF]: Found KmdfLibrary string at 0x14000f388
[WDF]: Creating struct for KmdfLibrary Functions version 1.11
[WDF]: doStruct (size=0xdb0) at 0x140010430
[WDF]: Success
[+] Driver type detected: WDF

Expected behavior

[+] Driver type detected: KMDF

VoidSec commented 1 year ago

Possible solution: If there's any import from WDFLDR.sys they are KMDF drivers
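
One way to express the import check proposed in the comment above, as an added example that is not Driver Buddy Reloaded's own code. The helper names and the sample import table are assumptions; `collect_imports_from_ida` relies on IDA's `ida_nalt` import enumeration and only runs inside IDA.

```python
WDF_LOADER = "wdfldr"  # KMDF drivers bind to the framework through WDFLDR.SYS

def normalize_module(name):
    """Lower-case a module name and drop '.sys' (IDA may give 'WDFLDR' or None)."""
    base = (name or "").strip().lower()
    return base[:-4] if base.endswith(".sys") else base

def imports_from_wdfldr(imports):
    """Return the sorted names imported from WDFLDR.sys (None = by ordinal)."""
    found = []
    for module, names in imports.items():
        if normalize_module(module) == WDF_LOADER:
            found.extend(n if n else "<ordinal>" for n in names)
    return sorted(found)

def refine_driver_type(detected_type, imports):
    """Apply the proposed rule: any import module WDFLDR.sys => KMDF."""
    has_loader = any(normalize_module(m) == WDF_LOADER for m in imports)
    return "KMDF" if has_loader else detected_type

def collect_imports_from_ida():
    """Map import module name -> imported names for the open IDA database."""
    import ida_nalt  # imported lazily so the helpers above work outside IDA

    imports = {}
    for i in range(ida_nalt.get_import_module_qty()):
        names = imports.setdefault(ida_nalt.get_import_module_name(i) or "", [])

        def on_import(ea, name, ordinal, names=names):
            names.append(name)  # name is None for imports by ordinal
            return True  # keep enumerating

        ida_nalt.enum_import_names(i, on_import)
    return imports

# Constructed sample: import table of a hypothetical KMDF driver.
SAMPLE_IMPORTS = {
    "ntoskrnl.exe": ["IoCreateDevice", "ExAllocatePoolWithTag"],
    "WDFLDR.SYS": ["WdfVersionBind", "WdfVersionUnbind", None],
}

if __name__ == "__main__":
    print("[+] Driver type detected:", refine_driver_type("WDF", SAMPLE_IMPORTS))
    print("[WDF]: WDFLDR imports:", imports_from_wdfldr(SAMPLE_IMPORTS))
```

Inside IDA, pass `collect_imports_from_ida()` instead of `SAMPLE_IMPORTS`.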