kmdf_re

Some mistakes

Open vbty opened this issue 4 years ago • 1 comment

Hello, I think there is a mistake in the script. The script finds the WdfVersionBind function first. Then it uses WdfVersionBind's argument to get the WDF_BIND_INFO address, and gets the global WDFFUNCTIONS pointer from WDF_BIND_INFO offset 0x20.

But I noticed the type of the field at offset 0x20 in WDF_BIND_INFO should be WDFFUNCTIONS**, not WDFFUNCTIONS*.

.text:0000000140001628                 mov     eax, 8
.text:000000014000162D                 imul    rax, 74h ; 't'
.text:0000000140001631                 mov     rcx, cs:g_WdfF_Functions
.text:0000000140001638                 mov     rax, [rcx+rax]
.text:000000014000163C                 mov     [rsp+58h+var_18], rax
...
.text:000000014000166E                 mov     rax, [rsp+58h+var_18]
.text:0000000140001673                 call    cs:__guard_dispatch_icall_fptr

vbty avatar Jul 30 '21 04:07 vbty
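Added example (not part of vbty's report and not code from the kmdf_re script): a stand-alone Python model of the lookup the issue describes. It walks an x64 WDF_BIND_INFO laid out as the WDF headers declare it (Size, Component, Version, FuncCount, FuncTable, Module, which puts FuncTable at 0x20), treats the 0x20 field as WDFFUNCTIONS** (the address of the driver's own `g_WdfF_Functions` global, exactly what the listing's `mov rcx, cs:g_WdfF_Functions; mov rax, [rcx+rax]` dereferences), and recovers the table index from the `mov eax, 8; imul rax, 74h` pattern. All addresses, the entry count, the version number and the function targets are constructed; the sparse `mem` dict stands in for the disassembler's memory reads.

```python
import re
import struct

# Call site copied from the issue's listing (input data for parse_call_site).
LISTING = """\
.text:0000000140001628                 mov     eax, 8
.text:000000014000162D                 imul    rax, 74h ; 't'
.text:0000000140001631                 mov     rcx, cs:g_WdfF_Functions
.text:0000000140001638                 mov     rax, [rcx+rax]
.text:000000014000163C                 mov     [rsp+58h+var_18], rax
.text:000000014000166E                 mov     rax, [rsp+58h+var_18]
.text:0000000140001673                 call    cs:__guard_dispatch_icall_fptr
"""

# Hypothetical addresses and sizes (constructed; not from the driver in the issue).
BIND_INFO_ADDR  = 0x140003000         # where WdfBindInfo would live in the image
COMPONENT_ADDR  = 0x140003040         # address of the component name string
G_WDF_FUNCTIONS = 0x140004000         # the driver's global (g_WdfF_Functions)
TABLE_ADDR      = 0xFFFFF80001230000  # framework function table, after bind
FAKE_FN_BASE    = 0xFFFFF80001300000  # constructed WdfXxx targets: base + i*0x100
FUNC_COUNT      = 0xC0                # constructed entry count (must exceed 0x74)

# Minimal sparse memory: dict addr -> byte. Unmapped reads raise KeyError.
def mem_write(mem, addr, data):
    for i, b in enumerate(data):
        mem[addr + i] = b

def read_u32(mem, addr):
    return struct.unpack("<I", bytes(mem[addr + i] for i in range(4)))[0]

def read_u64(mem, addr):
    return struct.unpack("<Q", bytes(mem[addr + i] for i in range(8)))[0]

def parse_bind_info(mem, addr):
    """x64 WDF_BIND_INFO as declared in the WDF headers:
    ULONG Size; PWCHAR Component; WDF_VERSION Version {Major, Minor, Build};
    ULONG FuncCount; WDFFUNC *FuncTable; PVOID Module.
    Natural alignment puts FuncTable at 0x20, the offset the script reads."""
    return {
        "size": read_u32(mem, addr + 0x00),
        "component": read_u64(mem, addr + 0x08),
        "version": (read_u32(mem, addr + 0x10), read_u32(mem, addr + 0x14),
                    read_u32(mem, addr + 0x18)),
        "func_count": read_u32(mem, addr + 0x1C),
        "func_table": read_u64(mem, addr + 0x20),
        "module": read_u64(mem, addr + 0x28),
    }

def parse_call_site(listing):
    """Recover the WdfFunctions index from the `mov eax, N; imul rax, IDXh;
    mov rcx, cs:GLOBAL; mov rax, [rcx+rax]` pattern in the listing."""
    scale = index = global_name = None
    for line in listing.splitlines():
        m = re.search(r"\bmov\s+eax,\s*(\d+)\s*$", line)
        if m:
            scale = int(m.group(1))
        m = re.search(r"\bimul\s+rax,\s*([0-9A-Fa-f]+)h\b", line)
        if m:
            index = int(m.group(1), 16)
        m = re.search(r"\bmov\s+rcx,\s*cs:(\w+)", line)
        if m:
            global_name = m.group(1)
    if None in (scale, index, global_name):
        raise ValueError("call-site pattern not found")
    return {"global_name": global_name, "index": index, "byte_offset": scale * index}

def resolve_wdf_call(mem, bind_info_addr, index):
    """FuncTable is the ADDRESS of the driver's global (WDFFUNCTIONS**), so the
    table itself is one dereference further. In a static image that global is
    still NULL: the framework fills it in during WdfVersionBind."""
    info = parse_bind_info(mem, bind_info_addr)
    if index >= info["func_count"]:
        raise IndexError(f"index {index:#x} >= FuncCount {info['func_count']:#x}")
    global_addr = info["func_table"]     # WDFFUNCTIONS**: &g_WdfFunctions
    table = read_u64(mem, global_addr)   # WDFFUNCTIONS*: NULL before bind
    if table == 0:
        return {"global": global_addr, "table": None, "target": None}
    return {"global": global_addr, "table": table,
            "target": read_u64(mem, table + 8 * index)}

def build_static_image():
    """Image as it sits on disk: bind info filled in, global still zero.
    Version 1.15.0 here is a constructed value, not a claim about the driver."""
    mem = {}
    mem_write(mem, BIND_INFO_ADDR, struct.pack(
        "<IIQIIIIQQ", 0x30, 0, COMPONENT_ADDR, 1, 15, 0, FUNC_COUNT, G_WDF_FUNCTIONS, 0))
    mem_write(mem, G_WDF_FUNCTIONS, struct.pack("<Q", 0))
    return mem

def simulate_bind(mem, table_addr, func_count):
    """What the loader does at bind time (constructed): publish a table and
    store its address into the driver's global through the WDFFUNCTIONS**."""
    for i in range(func_count):
        mem_write(mem, table_addr + 8 * i, struct.pack("<Q", FAKE_FN_BASE + i * 0x100))
    mem_write(mem, G_WDF_FUNCTIONS, struct.pack("<Q", table_addr))

if __name__ == "__main__":
    site = parse_call_site(LISTING)
    mem = build_static_image()
    print(site, resolve_wdf_call(mem, BIND_INFO_ADDR, site["index"]))   # static: target None
    simulate_bind(mem, TABLE_ADDR, FUNC_COUNT)
    print(resolve_wdf_call(mem, BIND_INFO_ADDR, site["index"]))         # bound: real target
```

The practical consequence for a static analysis script: when the 0x20 field is WDFFUNCTIONS**, reading it yields the address of the driver's global, not a table, and dereferencing that global in the on-disk image gives zero. The useful output at that point is the global's address itself (to name it and find its code references) plus the per-call-site index, which the script can then map to a WDFFUNCTIONS member name; the function pointers only exist once the framework has bound the driver.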

Is it because of the WDF version or build options?

vbty avatar Jul 30 '21 07:07 vbty