Want to Join Us ?

you'll be able to discuss, share and send private messages.

Suggestion ida pro tool ioctl_plugin by Sam Brown

Discussion in 'Plugins' started by storm shadow, Aug 19, 2016.

Share This Page

  1. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    ioctl_plugin

    A tool to help when dealing with IOCTL codes and Windows driver IOCTL dispatch functions.
    Author

    I heavily borrowed from Satoshi Tanda (https://github.com/tandasat/WinIoCtlDecoder/blob/master/plugins/WinIoCtlDecoder.py) and 'herrcore' () while writing this.
    Usage

    Find an IOCTL code:
    [​IMG]
    By using the right click context menu and selecting 'Decode IOCTL' a comment will added after the instruction with a C define for IOCTL code, this can also achieved using 'CTRL+ALT+D'.
    [​IMG]
    Additionally once an IOCTL has been decoded a new 'Invalid IOCTL' option will appear on the right click context menu - use this to unmark an IOCTL code so it doesn't appear in any summaries.
    [​IMG]
    Each time one or more IOCTL codes are decoded a summary table will be printed in IDA's output window.
    [​IMG]
    If you right click on a function name will in the graph/asm view another new option 'Decode all IOCTLs' will appear.
    This will attempt to decode all of the IOCTL codes present in the function, this is aimed at being used in a drivers IOCTL dispatch function and is very basic so will likely fail for a lot of drivers.
    [​IMG]
    Before decode all is selected:
    [​IMG]
    After decode all is selected:
    [​IMG]
    The 'Show all IOCTLs' is present on the right click menu as well - this will open a form with a text box containing the C defines for all the IOCTL codes decoded in the current session.
    [​IMG]
    Using the shortcut 'CTRL+ALT+S' it is possible to attempt to find the IOCTL handler/dispatch function for a driver - this is done by finder the function that calls the most other (non-library) functions but is not called by any functions itself.
    [​IMG]
    Installation

    Just drop 'ioctl_plugin.py' into IDA's plugin directory.

    source
    https://github.com/sam-b/ioctl_plugin
     
    samoray and Rip Cord like this.
Top