fix #15

Author: VoidSec

DriverBuddyReloaded.py

@@ -213,9 +213,8 @@ def find_all_ioctls():
             # if the penultimate instruction is cmp or sub or mov against an immediate value
             if idc.print_insn_mnem(instr) in ['cmp', 'sub', 'mov'] and idc.get_operand_type(instr, 1) == 5:
                 value = get_operand_value(instr)
-                digits = utils.check_digits(value)
-                # value has more than 2 digits (lower false positives) and is not a known NTSTATUS value
-                if digits > 2 and value not in NTSTATUS.ntstatus_values:
+                # value >= 0x10000 (lower false positives) and is not a known NTSTATUS value; check issue #15
+                if value >= 0x10000 and value not in NTSTATUS.ntstatus_values:
                     ioctls.append((instr, value))
                     ioctl_tracker.add_ioctl(instr, value)
     return ioctls
@@ -259,9 +258,8 @@ def get_position_and_translate():
         return
 
     value = get_operand_value(pos)
-    digits = utils.check_digits(value)
-    # value has more than 2 digits (lower false positives) and is not a known NTSTATUS value
-    if digits > 2 and value not in NTSTATUS.ntstatus_values:
+    # value >= 0x10000 (lower false positives) and is not a known NTSTATUS value; check issue #15
+    if value >= 0x10000 and value not in NTSTATUS.ntstatus_values:
         ioctl_tracker.add_ioctl(pos, value)
         define = ioctl_decoder.get_define(value)
         make_comment(pos, define)

DriverBuddyReloaded/utils.py

@@ -248,17 +248,3 @@ def is_driver():
                 return func_addr
     return False
 
-
-def check_digits(n):
-    """
-    Given an integer number return how many digits it has
-    :param n: number to check digits
-    :return:
-    """
-    if n > 0:
-        digits = int(math.log10(n)) + 1
-    elif n == 0:
-        digits = 1
-    else:
-        digits = int(math.log10(-n)) + 2  # +1 if you don't count the '-'
-    return digits

README.MD

@@ -2,18 +2,20 @@
 
 ## Table of Contents
 
-1. [Installation](#Installation)
-2. [Quick Usage](#Quick-Usage)
-    1. [Advanced Usage](#Advanced-Usage)
-3. [About Driver Buddy Reloaded](#About-Driver-Buddy-Reloaded)
-    1. [Finding DispatchDeviceControl](#Finding-DispatchDeviceControl)
-    2. [Labelling WDM & WDF Structures](#Labelling-WDM-and-WDF-Structures)
-    3. [Finding & Decoding IOCTL Codes](#Finding-and-Decoding-IOCTL-Codes)
-    4. [Flagging Functions](#Flagging-Functions)
-    5. [Finding DeviceName](#Finding-DeviceName)
-    6. [Dumping Pooltags](#Dumping-Pooltags)
-4. [Known Caveats & Limitations](#Known-Caveats-and-Limitations)
-5. [Credits & Acknowledgements](#Credits-and-Acknowledgements)
+- [Driver Buddy Reloaded Quickstart](#driver-buddy-reloaded-quickstart)
+  - [Table of Contents](#table-of-contents)
+  - [Installation](#installation)
+  - [Quick Usage](#quick-usage)
+    - [Advanced Usage](#advanced-usage)
+  - [About Driver Buddy Reloaded](#about-driver-buddy-reloaded)
+    - [Finding DispatchDeviceControl](#finding-dispatchdevicecontrol)
+    - [Labelling WDM and WDF Structures](#labelling-wdm-and-wdf-structures)
+    - [Finding and Decoding IOCTL Codes](#finding-and-decoding-ioctl-codes)
+    - [Flagging Functions](#flagging-functions)
+    - [Finding DeviceName](#finding-devicename)
+    - [Dumping Pooltags](#dumping-pooltags)
+  - [Known Caveats and Limitations](#known-caveats-and-limitations)
+  - [Credits and Acknowledgements](#credits-and-acknowledgements)
 
 ## Installation
 
@@ -158,6 +160,7 @@ with `pooltags.txt`. The output can then be copy-pasted at the end of the file a
 
 ## Known Caveats and Limitations
 
+- Only IOCTL values >= 0x10000 will be automatically decoded, thus to prevent an high number of false positives. [Issue #15](https://github.com/VoidSec/DriverBuddyReloaded/issues/15)
 - Experimental `DispatchDeviceControl` searching works only for x64 drivers
 - Shortcuts are incompatible with F-Secure's [win_driver_plugin](https://github.com/FSecureLABS/win_driver_plugin)
 - Shortcuts are incompatible with [findcrypt-yara](https://github.com/polymorf/findcrypt-yara)