fix #2, updated NTSTATUS known values

VoidSec · Oct 27, 2021 · 71d907b · 71d907b
1 parent 26b9b1e
commit 71d907b
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 15 deletions.
diff --git a/DriverBuddyReloaded.py b/DriverBuddyReloaded.py
@@ -173,19 +173,18 @@ def find_all_ioctls():
     f = idaapi.get_func(addr)
     fc = idaapi.FlowChart(f, flags=idaapi.FC_PREDS)
     for block in fc:
-        # grab the last two instructions in the block
-        last_inst = idc.prev_head(block.end_ea)
-        penultimate_inst = idc.prev_head(last_inst)
-        # If the penultimate instruction is cmp or sub against an immediate value immediately preceding a 'jz'
-        # then it's a decent guess that it's an IOCTL code (if this is a dispatch function)
-        if idc.print_insn_mnem(penultimate_inst) in ['cmp', 'sub'] and idc.get_operand_type(penultimate_inst, 1) == 5:
-            if idc.print_insn_mnem(last_inst) == 'jz':
-                value = get_operand_value(penultimate_inst)
+        start = block.start_ea
+        end = block.end_ea
+        # print("Block: {} - {}".format(start, end))
+        for instr in range(start, end):
+            # if the penultimate instruction is cmp or sub or mov against an immediate value
+            if idc.print_insn_mnem(instr) in ['cmp', 'sub', 'mov'] and idc.get_operand_type(instr, 1) == 5:
+                value = get_operand_value(instr)
                 digits = utils.check_digits(value)
-                if digits == 10:
-                    if value not in utils.ntstatus_values:
-                        ioctls.append((penultimate_inst, value))
-                        ioctl_tracker.add_ioctl(penultimate_inst, value)
+                # value has 10 digits and is not a known NTSTATUS value
+                if digits == 10 and value not in utils.ntstatus_values:
+                    ioctls.append((instr, value))
+                    ioctl_tracker.add_ioctl(instr, value)
     return ioctls
 
 
@@ -228,8 +227,7 @@ def get_position_and_translate():
 
     value = get_operand_value(pos)
     digits = utils.check_digits(value)
-    if digits == 10:
-        if value not in utils.ntstatus_values:
+    if digits == 10 and value not in utils.ntstatus_values:
             ioctl_tracker.add_ioctl(pos, value)
             define = ioctl_decoder.get_define(value)
             make_comment(pos, define)

diff --git a/DriverBuddyReloaded/utils.py b/DriverBuddyReloaded/utils.py
@@ -210,6 +210,7 @@
 driver_map = {}
 
 # List of known NTSTATUS values to filter out from possible IOCTL codes
+# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
 ntstatus_values = [
     0x00000000, 0x00000001, 0x00000002, 0x00000003, 0x0000003F, 0x00000080, 0x000000BF, 0x000000C0, 0x00000101,
     0x00000102, 0x00000103, 0x00000104, 0x00000105, 0x00000106, 0x00000107, 0x00000108, 0x00000109, 0x0000010A,
@@ -410,7 +411,7 @@
     0xC0232001, 0xC0232002, 0xC0232003, 0xC0232004, 0xC0360001, 0xC0360002, 0xC0360003, 0xC0360004, 0xC0360005,
     0xC0360006, 0xC0360007, 0xC0360008, 0xC0360009, 0xC0368000, 0xC0368001, 0xC0368002, 0xC0368003, 0xC0368004,
     0xC0368005, 0xC0368006, 0xC038005B, 0xC038005C, 0xC03A0014, 0xC03A0015, 0xC03A0016, 0xC03A0017, 0xC03A0018,
-    0xC03A0019
+    0xC03A0019, 0xE0000001, 0xE0000002, 0xE0000004
 ]