Describe the bug Any IOCTL with a code that has less than 10 decimal digits (e.g. 0x222003) won't be found by the current code.

Expected behavior All IOCTLs should be found

Desktop (please complete the following information):

• OS and version: Windows 10 21H2 (19044.1586)
• IDA version: IDA 7.7 SP1
• DriverBuddyReloaded Version: latest (1.3)
• Python Version: 3.9.5

Traceback (most recent call last):
  File "C:/Program Files/IDA 7.0/plugins/DriverBuddyReloaded.py", line 465, in run
    driver_type = utils.get_driver_id(driver_entry_addr, log_file)
  File "C:/Program Files/IDA 7.0/plugins\DriverBuddyReloaded\utils.py", line 209, in get_driver_id
    populate_wdf()
  File "C:/Program Files/IDA 7.0/plugins\DriverBuddyReloaded\wdf.py", line 102, in populate_wdf
    binpat = idaapi.compiled_binpat_vec_t()
AttributeError: module 'idaapi' has no attribute 'compiled_binpat_vec_t'

Version 7.5.201028 Windows x64 (64-bit address size)

7.6 minimum required?

In commit https://github.com/VoidSec/DriverBuddyReloaded/commit/43eba17ae4eaa9fca8fbaab42a8e3c273676bdf0 I've finished updating IDA's APIs and fixing breaking code changes.

Unfortunately, despite the script is not breaking anymore, it seems that it still fails this condition at: https://github.com/VoidSec/DriverBuddyReloaded/blob/43eba17ae4eaa9fca8fbaab42a8e3c273676bdf0/DriverBuddyReloaded/wdf.py#L770

for a reason that, at the moment, is unknown. The logic behind https://github.com/VoidSec/DriverBuddyReloaded/blob/main/DriverBuddyReloaded/wdf.py is pretty "hacky" and somewhat "obscure". In addition to that, I'm not sure that the logic detecting the WDF version at https://github.com/VoidSec/DriverBuddyReloaded/blob/43eba17ae4eaa9fca8fbaab42a8e3c273676bdf0/DriverBuddyReloaded/wdf.py#L759 makes complete sense.

We should also update the WDF structures in order to include updated ones and keep them updated as I'm pretty sure the latest WDF version is >= 1.13.

Describe the bug When I try to decode cdrom.sys, it will occur python warning.

To Reproduce Steps to reproduce the behavior:

1. use ida to reverse cdrom.sys
2. Ctrl+Alt+A

Traceback (most recent call last):
  File "C:/Users/raven/Desktop/ida77sp1/x64_idapronw_hexarm64w_hexarmw_hexmipsw_hexppc64w_hexppcw_hexx64w_hexx86w_220118/plugins/DriverBuddyReloaded.py", line 466, in run
    driver_type = utils.get_driver_id(driver_entry_addr, log_file)
  File "C:/Users/raven/Desktop/ida77sp1/x64_idapronw_hexarm64w_hexarmw_hexmipsw_hexppc64w_hexppcw_hexx64w_hexx86w_220118/plugins\DriverBuddyReloaded\utils.py", line 205, in get_driver_id
    populate_wdf()
  File "C:/Users/raven/Desktop/ida77sp1/x64_idapronw_hexarm64w_hexarmw_hexmipsw_hexppc64w_hexppcw_hexx64w_hexx86w_220118/plugins\DriverBuddyReloaded\wdf.py", line 753, in populate_wdf
    idx = ida_bytes.bin_search(ea, idaapi.BADADDR, ida_bytes.parse_binpat_str("KmdfLibrary"),
  File "C:\Users\raven\Desktop\ida77sp1\x64_idapronw_hexarm64w_hexarmw_hexmipsw_hexppc64w_hexppcw_hexx64w_hexx86w_220118\python\3\ida_bytes.py", line 3903, in parse_binpat_str
    return _ida_bytes.parse_binpat_str(*args)
TypeError: parse_binpat_str expected at least 4 arguments, got 1

Expected behavior

Screenshots If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS and version: Windows 11
• IDA version IDA 7.7
• DriverBuddyReloaded Version: HEad
• Python Version 3.9

Additional context Add any other context about the problem here.

I use IDA Pro 7.6 and Python 3.10, after copying the folder and py script, it should be appeared in Edit->Plugins, but I cannot see the plugin listed?, exact for which IDA and Python versions, will this work?

find opcode sometimes print out opcodes not related with the searching

[>] Searching for interesting opcodes...
	- Found mov     al, [rdi+rcx] in sub_231C4 at 0x0002327d

It will become more convinient to have addresses where we find IOCTLs.

Get

[>] Searching for IOCTLs found by IDA...
0x14000b6e8        : 0x2D1400   | FILE_DEVICE_MASS_STORAGE        0x2D       | 0x500      | METHOD_BUFFERED   0    | FILE_ANY_ACCESS (0)

instead of

[>] Searching for IOCTLs found by IDA...
0x2D1400   | FILE_DEVICE_MASS_STORAGE        0x2D       | 0x500      | METHOD_BUFFERED   0    | FILE_ANY_ACCESS (0)

Failed while executing plugin_t.run():
Traceback (most recent call last):
  File "D:/IDA/plugins/DriverBuddyReloaded.py", line 466, in run
    driver_type = utils.get_driver_id(driver_entry_addr, log_file)
  File "D:\IDA/plugins\DriverBuddyReloaded\utils.py", line 209, in get_driver_id
    populate_wdf()
  File "D:\IDA/plugins\DriverBuddyReloaded\wdf.py", line 759, in populate_wdf
    id = add_struct(version)
  File "D:\IDA/plugins\DriverBuddyReloaded\wdf.py", line 50, in add_struct
    idc.add_struc_member(struc, "pfnWdfChildListCreate", idc.BADADDR, idc.FF_DATA | FF_PTR, None, ptr_size)
  File "D:\IDA\python\3\idc.py", line 3919, in add_struc_member
    return eval_idc('add_struc_member(%d, "%s", %d, %d, %d, %d);' % (sid, ida_kernwin.str2user(name or ""), offset, flag, typeid, nbytes))
TypeError: %d format: a number is required, not struc_t

Testing cdrom.sys

Failed while executing plugin_t.run():
Traceback (most recent call last):
  File "D:/IDA/plugins/DriverBuddyReloaded.py", line 466, in run
    driver_type = utils.get_driver_id(driver_entry_addr, log_file)
  File "D:\IDA/plugins\DriverBuddyReloaded\utils.py", line 208, in get_driver_id
    populate_wdf()
  File "D:\IDA/plugins\DriverBuddyReloaded\wdf.py", line 759, in populate_wdf
    id = add_struct(version)
  File "D:\IDA/plugins\DriverBuddyReloaded\wdf.py", line 45, in add_struct
    idc.del_struc(idaapi.get_struc(id))
  File "D:\IDA\python\3\idc.py", line 3855, in del_struc
    s = ida_struct.get_struc(sid)
  File "D:\IDA\python\3\ida_struct.py", line 532, in get_struc
    return _ida_struct.get_struc(*args)
TypeError: in method 'get_struc', argument 1 of type 'ea_t'

Fixed using ida_bytes.bin_search with parse_binpat_str.

I tried to find out how to use the ida_bytes.bin_search function and parse_binpat_str and the only thing I could find was this, as soon as I found out how use it I sent this pr

Added deprecated/banned/dangerous functions to the list, based on existing entries and on: https://github.com/x509cert/banned/blob/master/banned.h https://github.com/tpn/winsdk-10/blob/master/Include/10.0.16299.0/shared/dontuse.h

It will be useful add the enumeration of MajorCodes

enum Major_Codes { IRP_MJ_CREATE = 0x0, IRP_MJ_CREATE_NAMED_PIPE = 0x1, IRP_MJ_CLOSE = 0x2, IRP_MJ_READ = 0x3, IRP_MJ_WRITE = 0x4, IRP_MJ_QUERY_INFORMATION = 0x5, IRP_MJ_SET_INFORMATION = 0x6, IRP_MJ_QUERY_EA = 0x7, IRP_MJ_SET_EA = 0x8, IRP_MJ_FLUSH_BUFFERS = 0x9, IRP_MJ_QUERY_VOLUME_INFORMATION = 0xA, IRP_MJ_SET_VOLUME_INFORMATION = 0xB, IRP_MJ_DIRECTORY_CONTROL = 0xC, IRP_MJ_FILE_SYSTEM_CONTROL = 0xD, IRP_MJ_DEVICE_CONTROL = 0xE, IRP_MJ_INTERNAL_DEVICE_CONTROL = 0xF, IRP_MJ_SHUTDOWN = 0x10, IRP_MJ_LOCK_CONTROL = 0x11, IRP_MJ_CLEANUP = 0x12, IRP_MJ_CREATE_MAILSLOT = 0x13, IRP_MJ_QUERY_SECURITY = 0x14, IRP_MJ_SET_SECURITY = 0x15, IRP_MJ_QUERY_POWER = 0x16, IRP_MJ_SET_POWER = 0x17, IRP_MJ_DEVICE_CHANGE = 0x18, IRP_MJ_QUERY_QUOTA = 0x19, IRP_MJ_SET_QUOTA = 0x1A, IRP_MJ_PNP_POWER = 0x1B, IRP_MJ_MAXIMUM_FUNCTION = 0x1C, };

If this enumeration exists in localtypes and is syncronized, you can press M in the code numbers and add the MJ function name.

This can be converted to

NTSTATUS __stdcall DriverEntry(_DRIVER_OBJECT *DriverObject, PUNICODE_STRING RegistryPath) { int v3; // ebx _QWORD *v4; // rcx __int64 v5; // rax struct _UNICODE_STRING DestinationString; // [rsp+40h] [rbp-28h] BYREF struct _UNICODE_STRING SymbolicLinkName; // [rsp+50h] [rbp-18h] BYREF PDEVICE_OBJECT DeviceObject; // [rsp+70h] [rbp+8h] BYREF

DriverObject->MajorFunction[0] = (PDRIVER_DISPATCH)&Possible_DispatchDeviceControl_0; DriverObject->MajorFunction[2] = (PDRIVER_DISPATCH)&Possible_DispatchDeviceControl_0; DriverObject->MajorFunction[14] = (PDRIVER_DISPATCH)&Possible_DispatchDeviceControl_0; DriverObject->DriverStartIo = 0i64; DriverObject->DriverUnload = (PDRIVER_UNLOAD)sub_11520;

to

NTSTATUS __stdcall DriverEntry(_DRIVER_OBJECT *DriverObject, PUNICODE_STRING RegistryPath) { int v3; // ebx _QWORD *v4; // rcx __int64 v5; // rax struct _UNICODE_STRING DestinationString; // [rsp+40h] [rbp-28h] BYREF struct _UNICODE_STRING SymbolicLinkName; // [rsp+50h] [rbp-18h] BYREF PDEVICE_OBJECT DeviceObject; // [rsp+70h] [rbp+8h] BYREF

DriverObject->MajorFunction[IRP_MJ_CREATE] = (PDRIVER_DISPATCH)&Possible_DispatchDeviceControl_0; DriverObject->MajorFunction[IRP_MJ_CLOSE] = (PDRIVER_DISPATCH)&Possible_DispatchDeviceControl_0; DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = (PDRIVER_DISPATCH)&Possible_DispatchDeviceControl_0; DriverObject->DriverStartIo = 0i64;

Thanks for a good tool

At the moment the table being printed does not contain the function/address where the specific "dumb" IOCTL values have been found. Adding it to the output will improve the navigability and augment the information value

Describe the bug Pooltags which aren't immediate values in the correct place, but possibly propagated via a register, aren't found. Example code snippet:

...
mov     ebp, 'ABCD'
mov     rdx, rax        ; NumberOfBytes
mov     r8d, ebp        ; Tag
call    cs:ExAllocatePoolWithTag

Expected behavior All Pooltags should be found

Desktop (please complete the following information):

• OS and version: Windows 10 21H2 (19044.1586)
• IDA version: IDA 7.7 SP1
• DriverBuddyReloaded Version: latest (1.3)
• Python Version: 3.9.5