• Search by Module
• Search by Words
• Search Projects

• Java
• Python
• JavaScript
• TypeScript
• C++
• Scala
• Blog

• win_driver_plugin-master
  • win_driver_plugin.py
  • LICENSE.md
  • win_driver_plugin
    • create_tab_table.py
    • device_finder.py
    • dump_pool_tags.py
    • angr_analysis.py
    • ioctl_decoder.py
    • __init__.py
    • driverlib.py
    • device_type.py
  • README.md
  • screenshots
    • decode_ioctl_summary_table.PNG
    • decode_ioctl_mark_invalid_only_delete_define.PNG
    • find_device_random_avg_driver.PNG
    • decode_ioctl_display_all_defines.PNG
    • define_tab_right_click.PNG
    • find_device_name_capcom.PNG
    • decode_ioctl_capcom_decoded.PNG
    • decode_all_ioctls_fail.PNG
    • dump_pool_tags.PNG
    • define_tab.PNG
    • find_dispatch_different_avg_driver_fail.PNG
    • find_dispatch_random_avg_driver.PNG
  • .gitignore

import idc 
import idaapi
import idautils

def find_pool_tags():
	""" Dirty hack around IDA's type information, find references to tag using functions then the comment marking the tag 
	then add the function caller/tag to output dictionary.
	"""
	
	funcs = [
		'ExAllocatePoolWithTag',
		'ExFreePoolWithTag',
		'ExAllocatePoolWithTagPriority'
	]

	tags = {}

	def imp_cb(ea, name, ord):
		if name in funcs:
			for xref in idautils.XrefsTo(ea):
				call_addr = xref.frm
				caller_name = idc.GetFunctionName(call_addr)
				prev = idc.PrevHead(call_addr)
				for _ in range(10):
					if idc.Comment(prev) == 'Tag' and idc.GetOpType(prev, 1) == 5:
						tag_raw = idc.GetOperandValue(prev, 1)
						tag = ''
						for i in range(3, -1, -1):
							tag += chr((tag_raw >> 8 * i) & 0xFF)
						if tag in tags.keys():
							tags[tag].add(caller_name)
						else:
							tags[tag] = set([caller_name])
						break
					prev = idc.PrevHead(prev)
		return True
	
	nimps = idaapi.get_import_module_qty()

	for i in xrange(0, nimps):
		name = idaapi.get_import_module_name(i)
		if not name:
			continue

		idaapi.enum_import_names(i, imp_cb)
	return tags 
	
def get_all_pooltags():
	""" Returns a string with a 'pooltags.txt' formatted string of 'pool tag' - 'driver' - 'functions which use it'.
	"""
	
	tags = find_pool_tags()
	out = ''
	file_name = idaapi.get_root_filename()
	for tag in tags.keys():
		desc = 'Called by: '
		desc += ', '.join(tags[tag])
		out += '{} - {} - {}\n'.format(tag, file_name, desc)
	return out