Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Some mistakes #2

Open
vbty opened this issue Jul 30, 2021 · 1 comment
Open

Some mistakes #2

vbty opened this issue Jul 30, 2021 · 1 comment

Comments

@vbty
Copy link

vbty commented Jul 30, 2021

Hello,
I think there is a mistake in the script.
The script find WdfVersionBind function firstly.
Then it use WdfVersionBind function's argument to get WDF_BIND_INFO address.
And get the global WDFFUNCTIONS pointer from the WDF_BIND_INFO offset 0x20.

But i noticed the type of the field 0x20 in WDF_BIND_INFO should be WDFFUNCTIONS ** not WDFFUNCTIONS*.

.text:0000000140001628                 mov     eax, 8
.text:000000014000162D                 imul    rax, 74h ; 't'
.text:0000000140001631                 mov     rcx, cs:g_WdfF_Functions
.text:0000000140001638                 mov     rax, [rcx+rax]
.text:000000014000163C                 mov     [rsp+58h+var_18], rax
...
.text:000000014000166E                 mov     rax, [rsp+58h+var_18]
.text:0000000140001673                 call    cs:__guard_dispatch_icall_fptr
@vbty
Copy link
Author

vbty commented Jul 30, 2021

Is it because of the WDF version or build options?

@bash-c bash-c mentioned this issue Jul 20, 2022
Closed
bash-c added a commit to bash-c/kmdf_re that referenced this issue Jul 20, 2022
@bash-c
Update kmdf_re_ida_74.py
7a8b7d6 
This pull request made the following changes:

port all API to IDA 7.4+, fixed port to IDA pro 7.4+ IOActive#1
fixed some bugs, including Some mistakes IOActive#2
move WDFStruct.h to the plugin directory so we don't have to copy it everywhere
bash-c added a commit to bash-c/kmdf_re that referenced this issue Jul 20, 2022
@bash-c
Update kmdf_re_ida_74.py
cb2e7e5 
This pull request made the following changes:

port all API to IDA 7.4+, fixed port to IDA pro 7.4+ IOActive#1
fixed some bugs, including Some mistakes IOActive#2
move WDFStruct.h to the plugin directory so we don't have to copy it everywhere
@bash-c bash-c mentioned this issue Jul 20, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@vbty