DriverBuddyReloaded
Driver Buddy Reloaded is an IDA Pro Python plugin that helps automate some tedious Windows Kernel Drivers reverse engineering tasks
It would be useful to add the enumeration of `MajorCodes` ```c++ enum Major_Codes { IRP_MJ_CREATE = 0x0, IRP_MJ_CREATE_NAMED_PIPE = 0x1, IRP_MJ_CLOSE = 0x2, IRP_MJ_READ = 0x3, IRP_MJ_WRITE = 0x4, IRP_MJ_QUERY_INFORMATION =...
At the moment the table being printed does not contain the function/address where the specific "dumb" IOCTL values have been found. Adding it to the output will improve the navigability...
**Describe the bug** Pooltags which aren't immediate values in the correct place, but possibly propagated via a register, aren't found. Example code snippet: ``` ... mov ebp, 'ABCD' mov rdx,...
https://github.com/alexander-pick/win_driver_plugin It seems that you can refer to the functions he added. For example, the function of executing IOCTL is added to the interface menu.
```Failed while executing plugin_t.run(): Traceback (most recent call last): File "C:/Program Files/IDA 7.0/plugins/DriverBuddyReloaded.py", line 465, in run driver_type = utils.get_driver_id(driver_entry_addr, log_file) File "C:/Program Files/IDA 7.0/plugins\DriverBuddyReloaded\utils.py", line 209, in get_driver_id populate_wdf()...
In IDA Pro 8.2, IDA automatically identifies the driver entry as "GsDriverEntry". However, this can cause a bug as DriverBuddyReloaded might mistakenly determine it is not a driver. To resolve...
At the moment the output does not contain the function/address where the `DeviceName` has been found. Adding it to the output will improve the navigability and augment the information value
**Describe the bug** The WDF detection library correctly detects a KmdfLibrary, but the driver is marked as WSF anyway **To Reproduce** ``` [WDF]: Found KmdfLibrary string at 0x14000f388 [WDF]: Creating struct...