Comments (3)
I can see your point in having DriverBuddyReloaded recognize the above-mentioned case; unfortunately, it is easier said than done. At the beginning of the development, I decided to exclude this case (it can also be applied to banned functions' parameters) due to the added complexity that it brings in.
In order to do so, I would have to add some "backtracking" mechanism (able to work for both the x86 and x64 function calling conventions) that can trace the tag parameter across multiple opcodes that populate the register/push the value on the stack. In any case, it would only be able to find "hardcoded" immediate values, but it would miss (AFAIK uncommon) run-time computed Tags.
While I agree that this feature would be nice to have, at the moment I do not have the time to implement that.
Plus, IDA is already able to correctly mark a function's parameters as follows:
from driverbuddyreloaded.
On second thought, the implementation at:
On third thought, the implementation at:
already uses IDA Tag information to find and report the tag; it seems an implementation bug rather than a feature.
"dump" the Tag only if it is an immediate value and contains ASCII characters, otherwise it would have to backtrace it.
In order to implement that I can think of backtracking a fixed amount of opcodes (~10?), looking for an immediate value containing one to four ASCII characters. Otherwise, I can just print the function without reporting the tag, I'll have to think about it.
This sounds like a pretty good solution to me. I would probably backtrack to the beginning of the current basic block (whether it's short or long, to avoid problems with code that chooses the tag based on a condition, for example), maybe also print "inconclusive" on values gathered this way, and your suggestion for printing the address even if the tag is unknown sounds good to me.
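The back-tracking heuristic sketched in the last two comments (walk back from the call to the start of its basic block or a fixed number of opcodes, accept only an immediate with one to four ASCII characters, otherwise still report the call address with an "inconclusive" tag), as an added example that is not part of the thread and not DriverBuddyReloaded's own code. The instruction lists are constructed stand-ins for what IDA would decode (in IDA they would be filled from `idc.print_insn_mnem` / `idc.get_operand_value`, with `block_start` taken from `idaapi.FlowChart`); `Insn`, `find_pool_tag`, `report`, the sample addresses and the tag values are all assumptions made for this example, and the x86 branch assumes the stdcall right-to-left push order of the kernel export. The example goes slightly beyond the text in that it also separates a run-time computed tag from a non-ASCII immediate such as a zero tag.

```python
# Added example (not DriverBuddyReloaded's code): a pool-tag back-tracking
# heuristic as discussed in the thread. Instruction lists are constructed
# stand-ins for IDA output (in IDA: idc.print_insn_mnem / idc.get_operand_value,
# block_start from idaapi.FlowChart); kept IDA-free so it runs offline.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Insn:
    ea: int                    # instruction address
    mnem: str                  # mnemonic as IDA prints it
    ops: tuple                 # operands: int for an immediate, str otherwise
    block_start: bool = False  # True if this instruction begins a basic block


X64_TAG_REGS = {"r8", "r8d", "r8w", "r8b"}  # 3rd (Tag) argument register on x64


def decode_tag(imm: int) -> Optional[str]:
    """Immediate -> 1-4 char C multi-char literal as IDA shows it ('Tag1' is
    0x54616731; in memory the bytes are reversed, "1gaT", which is what poolmon
    prints). None unless every byte is printable ASCII."""
    if not 0 < imm <= 0xFFFFFFFF:
        return None
    raw = imm.to_bytes(4, "big").lstrip(b"\x00")
    if any(not 0x20 <= b < 0x7F for b in raw):
        return None
    return raw.decode("ascii")


def find_pool_tag(insns: List[Insn], call_idx: int, bits: int,
                  max_back: int = 10) -> Tuple[Optional[str], str]:
    """Walk back from insns[call_idx] (call ExAllocatePoolWithTag) to the write
    of the Tag argument, stopping at the start of the call's basic block or
    after max_back instructions. Status: found | non_ascii (immediate that is
    not a tag, e.g. 0) | runtime (register/memory source) | inconclusive."""
    if insns[call_idx].block_start:
        return None, "inconclusive"
    pushes_seen = 0
    for i in range(call_idx - 1, max(call_idx - 1 - max_back, -1), -1):
        ins = insns[i]
        if ins.mnem.startswith("j") or ins.mnem == "ret":
            break  # flow boundary (only reached if block marks are missing)
        write = None  # source operand of a write to the Tag slot, if any
        if bits == 64:
            # Walking backwards, the first write to r8 is the one the call sees.
            if ins.mnem == "mov" and ins.ops[0] in X64_TAG_REGS:
                write = ins.ops[1]
            elif ins.mnem == "xor" and ins.ops[0] in X64_TAG_REGS \
                    and ins.ops[0] == ins.ops[1]:
                write = 0  # xor r8d, r8d is mov r8d, 0
        elif ins.mnem == "push":
            pushes_seen += 1  # x86 stdcall pushes right-to-left: Tag is 3rd back
            if pushes_seen == 3:
                write = ins.ops[0]
        if write is not None:
            if not isinstance(write, int):
                return None, "runtime"
            tag = decode_tag(write)
            return (tag, "found") if tag else (None, "non_ascii")
        if ins.block_start:
            break
    return None, "inconclusive"


def report(insns: List[Insn], bits: int) -> List[str]:
    """One line per ExAllocatePoolWithTag call; the address is printed even when
    the tag is unknown, as proposed in the thread."""
    lines = []
    for i, ins in enumerate(insns):
        if ins.mnem == "call" and "ExAllocatePoolWithTag" in str(ins.ops[0]):
            tag, status = find_pool_tag(insns, i, bits)
            shown = repr(tag) if tag else "<%s>" % status
            lines.append("0x%x ExAllocatePoolWithTag tag=%s" % (ins.ea, shown))
    return lines


# Constructed listings (not from any real driver).
X64_DIRECT = [                                       # tag set right before call
    Insn(0x1000, "mov", ("ecx", 0), block_start=True),   # PoolType
    Insn(0x1002, "mov", ("edx", 0x100)),                 # NumberOfBytes
    Insn(0x1007, "mov", ("r8d", 0x54616731)),            # Tag 'Tag1'
    Insn(0x100d, "call", ("cs:ExAllocatePoolWithTag",)),
]
X64_BRANCHED = [                                     # tag chosen by a branch
    Insn(0x2000, "test", ("al", "al"), block_start=True),
    Insn(0x2002, "jz", (0x200e,)),
    Insn(0x2004, "mov", ("r8d", 0x54616741)),            # 'TagA'
    Insn(0x200a, "jmp", (0x2014,)),
    Insn(0x200e, "mov", ("r8d", 0x54616742), block_start=True),  # 'TagB'
    Insn(0x2014, "mov", ("ecx", 0), block_start=True),
    Insn(0x2016, "mov", ("edx", 0x40)),
    Insn(0x201b, "call", ("cs:ExAllocatePoolWithTag",)),
]
X86_DIRECT = [                                       # 32-bit stdcall
    Insn(0x4000, "push", (0x54616731,), block_start=True),   # Tag 'Tag1'
    Insn(0x4005, "push", (0x100,)),                          # NumberOfBytes
    Insn(0x4007, "push", (0,)),                              # PoolType
    Insn(0x4009, "call", ("ds:__imp__ExAllocatePoolWithTag@12",)),
]

if __name__ == "__main__":
    for listing, bits in ((X64_DIRECT, 64), (X64_BRANCHED, 64), (X86_DIRECT, 32)):
        print("\n".join(report(listing, bits)))
```

For the branched listing the call's block begins after the branch, so the walk stops before reaching either `mov r8d, imm` and the call is reported with `<inconclusive>` rather than a guessed tag; for the straight-line listings the immediate is decoded. Byte order matters when comparing against poolmon or `!poolused` output: the immediate decoded most-significant-byte first is the C literal IDA shows, while the in-memory bytes are reversed.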
Related Issues (20)
- [FEATURE] refactor list of vulnerable functions into an external module
- [BUG] find opcodes
- DriverBuddy entry does not shown in plugins menu HOT 2
- [BUG] Deprecated `ExAllocatePoolWithTag` function
- [BUG] IOCTLs with less than 10 decimal digits aren't found HOT 7
- [FEATURE] Print the address where IOCTLs have been found
- [BUG] `parse_binpat_str` expected at least 4 arguments HOT 3
- [BUG] TypeError: in method 'get_struc', argument 1 of type 'ea_t'
- [BUG] TypeError: %d format: a number is required, not struc_t
- [BUG] WDF Structures HOT 4
- [FEATURE] enumeration of MajorCodes HOT 2
- [BUG] module 'idaapi' has no attribute 'compiled_binpat_vec_t' HOT 14
- [BUG] WDF/KMDF detection HOT 1
- [FEATURE] Print the address where DeviceName has been found HOT 1
- [BUG] IDA will automatically identifies the driver entry as "GsDriverEntry".
- [FEATURE]add someting like his add
- [FEATURE] Shortcut for "Decode All" action
- [FEATURE] Save the analysis results
- [FEATURE] print addr/sub location of DeviceName HOT 1