[FEATURE] enumeration of MajorCodes
It would be useful to add an enumeration of the IRP major function codes (MajorCodes).
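/**
 * IRP major function codes, i.e. the indices into DRIVER_OBJECT::MajorFunction.
 *
 * The values mirror the IRP_MJ_* macros of the Windows DDK (wdm.h), so that a
 * decompiler can show MajorFunction[IRP_MJ_DEVICE_CONTROL] instead of
 * MajorFunction[14].  Two corrections against the first draft of this enum:
 *  - 0x16 and 0x17 are IRP_MJ_POWER and IRP_MJ_SYSTEM_CONTROL in the DDK;
 *    "query power" / "set power" are IRP_MN_* minor codes under IRP_MJ_POWER.
 *  - IRP_MJ_MAXIMUM_FUNCTION is 0x1B, the highest valid index.  The dispatch
 *    table has IRP_MJ_MAXIMUM_FUNCTION + 1 slots, so 0x1C would be one past
 *    the end of MajorFunction[] if used as a bound.
 */
enum Major_Codes
{
    IRP_MJ_CREATE = 0x0,
    IRP_MJ_CREATE_NAMED_PIPE = 0x1,
    IRP_MJ_CLOSE = 0x2,
    IRP_MJ_READ = 0x3,
    IRP_MJ_WRITE = 0x4,
    IRP_MJ_QUERY_INFORMATION = 0x5,
    IRP_MJ_SET_INFORMATION = 0x6,
    IRP_MJ_QUERY_EA = 0x7,
    IRP_MJ_SET_EA = 0x8,
    IRP_MJ_FLUSH_BUFFERS = 0x9,
    IRP_MJ_QUERY_VOLUME_INFORMATION = 0xA,
    IRP_MJ_SET_VOLUME_INFORMATION = 0xB,
    IRP_MJ_DIRECTORY_CONTROL = 0xC,
    IRP_MJ_FILE_SYSTEM_CONTROL = 0xD,
    IRP_MJ_DEVICE_CONTROL = 0xE,
    IRP_MJ_INTERNAL_DEVICE_CONTROL = 0xF,
    IRP_MJ_SCSI = IRP_MJ_INTERNAL_DEVICE_CONTROL, /* DDK alias used by SCSI miniports */
    IRP_MJ_SHUTDOWN = 0x10,
    IRP_MJ_LOCK_CONTROL = 0x11,
    IRP_MJ_CLEANUP = 0x12,
    IRP_MJ_CREATE_MAILSLOT = 0x13,
    IRP_MJ_QUERY_SECURITY = 0x14,
    IRP_MJ_SET_SECURITY = 0x15,
    IRP_MJ_POWER = 0x16,          /* power IRPs; query/set power are minor codes */
    IRP_MJ_SYSTEM_CONTROL = 0x17, /* WMI IRPs */
    IRP_MJ_DEVICE_CHANGE = 0x18,
    IRP_MJ_QUERY_QUOTA = 0x19,
    IRP_MJ_SET_QUOTA = 0x1A,
    IRP_MJ_PNP = 0x1B,
    IRP_MJ_PNP_POWER = IRP_MJ_PNP, /* obsolete DDK alias, kept for old sources */
    /* Highest valid index, not the table size: MajorFunction[] is
     * [IRP_MJ_MAXIMUM_FUNCTION + 1], so loop bounds must use "<=" or "+ 1". */
    IRP_MJ_MAXIMUM_FUNCTION = 0x1B,
    /* Names from the first draft that are not DDK major codes.  They keep
     * their old numeric values so any existing reference still resolves;
     * prefer IRP_MJ_POWER and IRP_MJ_SYSTEM_CONTROL and drop these once
     * nothing uses them, otherwise a type library may label 0x16/0x17 with
     * the non-DDK name. */
    IRP_MJ_QUERY_POWER = IRP_MJ_POWER,
    IRP_MJ_SET_POWER = IRP_MJ_SYSTEM_CONTROL,
};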
If this enumeration exists in Local Types and is synchronized, you can press M on the numeric index and replace it with the IRP_MJ function name.
This can be converted from
NTSTATUS __stdcall DriverEntry(_DRIVER_OBJECT *DriverObject, PUNICODE_STRING RegistryPath)
{
int v3; // ebx
_QWORD *v4; // rcx
__int64 v5; // rax
struct _UNICODE_STRING DestinationString; // [rsp+40h] [rbp-28h] BYREF
struct _UNICODE_STRING SymbolicLinkName; // [rsp+50h] [rbp-18h] BYREF
PDEVICE_OBJECT DeviceObject; // [rsp+70h] [rbp+8h] BYREF
DriverObject->MajorFunction[0] = (PDRIVER_DISPATCH)&Possible_DispatchDeviceControl_0;
DriverObject->MajorFunction[2] = (PDRIVER_DISPATCH)&Possible_DispatchDeviceControl_0;
DriverObject->MajorFunction[14] = (PDRIVER_DISPATCH)&Possible_DispatchDeviceControl_0;
DriverObject->DriverStartIo = 0i64;
DriverObject->DriverUnload = (PDRIVER_UNLOAD)sub_11520;
to
NTSTATUS __stdcall DriverEntry(_DRIVER_OBJECT *DriverObject, PUNICODE_STRING RegistryPath)
{
int v3; // ebx
_QWORD *v4; // rcx
__int64 v5; // rax
struct _UNICODE_STRING DestinationString; // [rsp+40h] [rbp-28h] BYREF
struct _UNICODE_STRING SymbolicLinkName; // [rsp+50h] [rbp-18h] BYREF
PDEVICE_OBJECT DeviceObject; // [rsp+70h] [rbp+8h] BYREF
+ DriverObject->MajorFunction[IRP_MJ_CREATE] = (PDRIVER_DISPATCH)&Possible_DispatchDeviceControl_0;
+ DriverObject->MajorFunction[IRP_MJ_CLOSE] = (PDRIVER_DISPATCH)&Possible_DispatchDeviceControl_0;
+ DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = (PDRIVER_DISPATCH)&Possible_DispatchDeviceControl_0;
DriverObject->DriverStartIo = 0i64;
Thanks for a good tool
Thank you, it would be a really good idea to have something like that! I do not have any timeframe yet to implement it, but I'll try.
- https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/irp-major-function-codes
Enums
-
Macro IRP
Structs
-
DRIVERSTATUS
-
DRIVER_OBJECT
-
IRP
-
IO_STACK_LOCATION
IRP_MJ_XXX is already declared as MACRO_IRP in IDA's ntddk<xx>_<yyy>.til type libraries, where xx is 64 or empty and yyy is one of win7, win8, win81, vista, win10. When a .sys file is opened in IDA, IDA automatically loads one of the .til files above. We can import MACRO_IRP into IDA with one line of code: idaapi.import_type(idaapi.cvar.idati, 0, "MACRO_IRP"). The same works for the other structs: idaapi.import_type(idaapi.cvar.idati, 0, "DRIVERSTATUS"), and so on.