Merge pull request #1 from VoidSec/main

fix VoidSec#15
fengjixuchui · Apr 30, 2022 · fb91ab1 · fb91ab1
2 parents 1b7b104 + aa9f394
commit fb91ab1
Show file tree

Hide file tree

Showing 8 changed files with 1,000 additions and 705 deletions.
diff --git a/DriverBuddyReloaded.py b/DriverBuddyReloaded.py
@@ -213,9 +213,8 @@ def find_all_ioctls():
             # if the penultimate instruction is cmp or sub or mov against an immediate value
             if idc.print_insn_mnem(instr) in ['cmp', 'sub', 'mov'] and idc.get_operand_type(instr, 1) == 5:
                 value = get_operand_value(instr)
-                digits = utils.check_digits(value)
-                # value has 10 digits and is not a known NTSTATUS value
-                if digits == 10 and value not in NTSTATUS.ntstatus_values:
+                # value >= 0x10000 (lower false positives) and is not a known NTSTATUS value; check issue #15
+                if value >= 0x10000 and value not in NTSTATUS.ntstatus_values:
                     ioctls.append((instr, value))
                     ioctl_tracker.add_ioctl(instr, value)
     return ioctls
@@ -259,8 +258,8 @@ def get_position_and_translate():
         return
 
     value = get_operand_value(pos)
-    digits = utils.check_digits(value)
-    if digits == 10 and value not in NTSTATUS.ntstatus_values:
+    # value >= 0x10000 (lower false positives) and is not a known NTSTATUS value; check issue #15
+    if value >= 0x10000 and value not in NTSTATUS.ntstatus_values:
         ioctl_tracker.add_ioctl(pos, value)
         define = ioctl_decoder.get_define(value)
         make_comment(pos, define)

diff --git a/DriverBuddyReloaded/dump_pool_tags.py b/DriverBuddyReloaded/dump_pool_tags.py
@@ -10,9 +10,19 @@ def find_pool_tags():
     """
 
     funcs = [
-        'ExAllocatePoolWithTag',
-        'ExFreePoolWithTag',
-        'ExAllocatePoolWithTagPriority'
+        "ExAllocatePoolWithTag",
+        "ExFreePoolWithTag",
+        "ExAllocatePool2",
+        "ExFreePool2",
+        "ExAllocatePool3",
+        "ExAllocatePoolWithTagPriority",
+        "ExAllocatePoolWithQuotaTag",
+        "ExAllocatePoolZero",
+        "ExAllocatePoolQuotaZero",
+        "ExAllocatePoolQuotaUninitialized",
+        "ExAllocatePoolPriorityZero",
+        "ExAllocatePoolPriorityUninitialized",
+        "ExAllocatePoolUninitialized",
     ]
 
     tags = {}

diff --git a/DriverBuddyReloaded/ioctl_decoder.py b/DriverBuddyReloaded/ioctl_decoder.py
@@ -84,11 +84,29 @@ def get_ioctl_code(ioctl_code):
         "FILE_DEVICE_MT_TRANSPORT",  # 0x00000043
         "FILE_DEVICE_BIOMETRIC",  # 0x00000044
         "FILE_DEVICE_PMI",  # 0x00000045
+        "FILE_DEVICE_EHSTOR",  # 0x00000046
+        "FILE_DEVICE_DEVAPI",  # 0x00000047
+        "FILE_DEVICE_GPIO",  # 0x00000048
+        "FILE_DEVICE_USBEX",  # 0x00000049
+        "FILE_DEVICE_CONSOLE",  # 0x00000050
+        "FILE_DEVICE_NFP",  # 0x00000051
+        "FILE_DEVICE_SYSENV",  # 0x00000052
+        "FILE_DEVICE_VIRTUAL_BLOCK",  # 0x00000053
+        "FILE_DEVICE_POINT_OF_SERVICE",  # 0x00000054
+        "FILE_DEVICE_STORAGE_REPLICATION",  # 0x00000055
+        "FILE_DEVICE_TRUST_ENV",  # 0x00000056
+        "FILE_DEVICE_UCM",  # 0x00000057
+        "FILE_DEVICE_UCMTCPCI",  # 0x00000058
+        "FILE_DEVICE_PERSISTENT_MEMORY",  # 0x00000059
     ]
 
     # Custom devices
     custom_devices = [
+        {"name": "FILE_DEVICE_NVDIMM", "code": 0x0000005a},
+        {"name": "FILE_DEVICE_HOLOGRAPHIC", "code": 0x0000005b},
+        {"name": "FILE_DEVICE_SDFXHCI", "code": 0x0000005c},
         {"name": "MOUNTMGRCONTROLTYPE", "code": 0x0000006d},
+        {"name": "FILE_DEVICE_IRCLASS", "code": 0x00000f60},
     ]
 
     device = (ioctl_code >> 16) & 0xffff
@@ -195,7 +213,7 @@ def find_ioctls_dumb(log_file, ioctl_file_name):
                     ioctl_code, device_name, device_code, function, method_name, method_code, access_name,
                     access_code)
                 try:
-                    with open(ioctl_file_name, "w") as IOCTL_file:
+                    with open(ioctl_file_name, "a") as IOCTL_file:
                         IOCTL_file.write("0x%-8X | %-31s 0x%-8X | 0x%-8X | %-17s %-4d | %s (%d)\n" % all_vars)
                 except IOError as e:
                     print("ERROR #{}: {}\nCan't save decoded IOCTLs to \"{}\"".format(e.errno, e.strerror,
@@ -214,7 +232,7 @@ def find_ioctls_dumb(log_file, ioctl_file_name):
                     ioctl_code, device_name, device_code, function, method_name, method_code, access_name,
                     access_code)
                 try:
-                    with open(ioctl_file_name, "w") as IOCTL_file:
+                    with open(ioctl_file_name, "a") as IOCTL_file:
                         IOCTL_file.write("0x%-8X | %-31s 0x%-8X | 0x%-8X | %-17s %-4d | %s (%d)\n" % all_vars)
                 except IOError as e:
                     print("ERROR #{}: {}\nCan't save decoded IOCTLs to \"{}\"".format(e.errno, e.strerror,

diff --git a/DriverBuddyReloaded/utils.py b/DriverBuddyReloaded/utils.py
@@ -2,7 +2,9 @@
 import time
 from datetime import date
 
+import ida_funcs
 import ida_nalt
+import ida_segment
 import idautils
 import idc
 from DriverBuddyReloaded.vulnerable_functions_lists.c import *
@@ -95,10 +97,14 @@ def populate_winapi_map():
 
     result = False
     for name, address in functions_map.items():
-        for winapi in winapi_functions:
-            if name.lower().startswith(winapi.lower()):
-                winapi_map[name] = address
-                result = True
+        if name in winapi_functions:
+            winapi_map[name] = address
+            result = True
+        else:
+            for winapi in winapi_function_prefixes:
+                if name.lower().startswith(winapi.lower()):
+                    winapi_map[name] = address
+                    result = True
     return result
 
 
@@ -177,8 +183,10 @@ def get_xrefs(func_map, log_file):
         code_refs = idautils.CodeRefsTo(int(address), 0)
         for ref in code_refs:
             # xref = "0x%08x" % ref
-            print("\t- Found {} at 0x{addr:08x}".format(name, addr=ref))
-            log_file.write("\t- Found {} at 0x{addr:08x}\n".format(name, addr=ref))
+            n = ida_funcs.get_func_name(ref) \
+                or ida_segment.get_segm_name(ida_segment.getseg(ref))
+            print("\t- Found {} in {} at 0x{addr:08x}".format(name, n, addr=ref))
+            log_file.write("\t- Found {} in {} at 0x{addr:08x}\n".format(name, n, addr=ref))
 
 
 def get_driver_id(driver_entry_addr, log_file):
@@ -236,19 +244,7 @@ def is_driver():
             func_name = idc.get_func_name(func_addr)
             if func_name == "DriverEntry":
                 return func_addr
+            elif func_name == "DriverEntry_0":
+                return func_addr
     return False
 
-
-def check_digits(n):
-    """
-    Given an integer number return how many digits it has
-    :param n: number to check digits
-    :return:
-    """
-    if n > 0:
-        digits = int(math.log10(n)) + 1
-    elif n == 0:
-        digits = 1
-    else:
-        digits = int(math.log10(-n)) + 2  # +1 if you don't count the '-'
-    return digits