├── README.md
└── code
    ├── WDFStructs.h
    ├── kmdf_re_ida_68.py
    └── kmdf_re_ida_74.py


/README.md:
--------------------------------------------------------------------------------
 1 | # Reverse Engineering and Bug Hunting on KMDF Drivers
 2 | 
 3 | Link to slides: https://ioactive.com/wp-content/uploads/2018/09/Reverse_Engineering_and_Bug_Hunting_On_KMDF_Drivers.pdf
 4 | 
 5 | kmdf_re is a small idapython code that attempts to rename common structures and find usages of interesting kmdf callbacks.
 6 | 
 7 | Presentation given at AsiaSecWest 2018 (https://www.asiasecwest.com) and 44Con 2018 (https://44con.com/)
 8 | 
 9 | ## Author
10 | * [Enrique Nissim](https://twitter.com/kiqueNissim)


--------------------------------------------------------------------------------
/code/WDFStructs.h:
--------------------------------------------------------------------------------
   1 | 
   2 | /*
   3 | In KMDF, the first parameter into the pfnWdfCallbacks is the WdfDriverGlobals object (goes in RCX), so when we say:
   4 | 
   5 | NTSTATUS pfnWdfDriverCreate(PDRIVER_OBJECT DriverObject, PCUNICODE_STRING RegistryPath, PVOID DriverAttributes, PWDF_DRIVER_CONFIG DriverConfig, PVOID WdfDriver);
   6 | 
   7 | WdfDriverGlobals goes in RCX 
   8 | DriverObject goes in RDX
   9 | RegistryPath goes in R8
  10 | and so on
  11 | 
  12 | 
  13 | This doesn't apply to Evt*Routines like EvtIoDeviceControl.
  14 | */
  15 | 
  16 | typedef enum _MAJOR_FUNCTIONS {
  17 | 	 DispatchCreate,
  18 | 	 DispatchCreateNamedPipe,
  19 | 	 DispatchCLose,
  20 | 	 DispatchRead,
  21 | 	 DispatchWrite,
  22 | 	 DispatchQueryInformation,
  23 | 	 DispatchSetInformation,
  24 | 	 DispatchQueryEA,
  25 | 	 DispatchSetEA,
  26 | 	 DispatchFlushBuffers,
  27 | 	 DispatchQueryVolumeInformation,
  28 | 	 DispatchSetVolumeInformation,
  29 | 	 DispatchDirectoryControl,
  30 | 	 DispatchFileSystemControl,
  31 | 	 DispatchDeviceIOControl,
  32 | 	 DispatchInternalDeviceControl,
  33 | 	 DispatchShutdown,
  34 | 	 DispatchLockControl,
  35 | 	 DispatchCleanup,
  36 | 	 DispatchCreateMailslot,
  37 | 	 DispatchQuerySecurity,
  38 | 	 DispatchSetSecurity,
  39 | 	 DispatchPower,
  40 | 	 DispatchSystemControl,
  41 | 	 DispatchDeviceChange,
  42 | 	 DispatchQueryQuota,
  43 | 	 DispatchSetQuota,
  44 | 	 DispatchPNP,
  45 | } MAJOR_FUNCTIONS;
  46 | 
  47 | typedef struct _DRIVER_OBJECT
  48 | {
  49 |      SHORT Type;
  50 |      SHORT Size;
  51 |      PVOID DeviceObject;
  52 |      ULONG Flags;
  53 |      PVOID DriverStart;
  54 |      ULONG DriverSize;
  55 |      PVOID DriverSection;
  56 |      PVOID DriverExtension;
  57 |      UNICODE_STRING DriverName;
  58 |      PUNICODE_STRING HardwareDatabase;
  59 |      PVOID FastIoDispatch;
  60 |      PVOID DriverInit;
  61 |      PVOID DriverStartIo;
  62 |      PVOID DriverUnload;
  63 | 	 PVOID DispatchCreate;
  64 | 	 PVOID DispatchCreateNamedPipe;
  65 | 	 PVOID DispatchClose;
  66 | 	 PVOID DispatchRead;
  67 | 	 PVOID DispatchWrite;
  68 | 	 PVOID DispatchQueryInformation;
  69 | 	 PVOID DispatchSetInformation;
  70 | 	 PVOID DispatchQueryEA;
  71 | 	 PVOID DispatchSetEA;
  72 | 	 PVOID DispatchFlushBuffers;
  73 | 	 PVOID DispatchQueryVolumeInformation;
  74 | 	 PVOID DispatchSetVolumeInformation;
  75 | 	 PVOID DispatchDirectoryControl;
  76 | 	 PVOID DispatchFileSystemControl;
  77 | 	 PVOID DispatchDeviceIOControl;
  78 | 	 PVOID DispatchInternalDeviceControl;
  79 | 	 PVOID DispatchShutdown;
  80 | 	 PVOID DispatchLockControl;
  81 | 	 PVOID DispatchCleanup;
  82 | 	 PVOID DispatchCreateMailslot;
  83 | 	 PVOID DispatchQuerySecurity;
  84 | 	 PVOID DispatchSetSecurity;
  85 | 	 PVOID DispatchPower;
  86 | 	 PVOID DispatchSystemControl;
  87 | 	 PVOID DispatchDeviceChange;
  88 | 	 PVOID DispatchQueryQuota;
  89 | 	 PVOID DispatchSetQuota;
  90 | 	 PVOID DispatchPNP;
  91 | } DRIVER_OBJECT, *PDRIVER_OBJECT;
  92 | 
  93 | typedef struct _IO_STACK_LOCATION {
  94 | 		UCHAR MajorFunction;
  95 | 		UCHAR MinorFunction;
  96 | 		UCHAR Flags;
  97 | 		UCHAR Control;
  98 | 		PVOID OutputBufferLength;
  99 | 		PVOID InputBufferLength;
 100 | 		DWORD IOControlCode;
 101 | 		PVOID Type3InputBuffer;
 102 | 		PVOID DeviceObject;
 103 | 		PVOID FileObject;
 104 | 		PVOID CompletionRoutine;
 105 | 		PVOID Context;
 106 | 	} IO_STACK_LOCATION, *PIO_STACK_LOCATION;
 107 | 
 108 | typedef enum  { 
 109 |   DevicePropertyDeviceDescription            = 0x0,
 110 |   DevicePropertyHardwareID                   = 0x1,
 111 |   DevicePropertyCompatibleIDs                = 0x2,
 112 |   DevicePropertyBootConfiguration            = 0x3,
 113 |   DevicePropertyBootConfigurationTranslated  = 0x4,
 114 |   DevicePropertyClassName                    = 0x5,
 115 |   DevicePropertyClassGuid                    = 0x6,
 116 |   DevicePropertyDriverKeyName                = 0x7,
 117 |   DevicePropertyManufacturer                 = 0x8,
 118 |   DevicePropertyFriendlyName                 = 0x9,
 119 |   DevicePropertyLocationInformation          = 0xa,
 120 |   DevicePropertyPhysicalDeviceObjectName     = 0xb,
 121 |   DevicePropertyBusTypeGuid                  = 0xc,
 122 |   DevicePropertyLegacyBusType                = 0xd,
 123 |   DevicePropertyBusNumber                    = 0xe,
 124 |   DevicePropertyEnumeratorName               = 0xf,
 125 |   DevicePropertyAddress                      = 0x10,
 126 |   DevicePropertyUINumber                     = 0x11,
 127 |   DevicePropertyInstallState                 = 0x12,
 128 |   DevicePropertyRemovalPolicy                = 0x13,
 129 |   DevicePropertyResourceRequirements         = 0x14,
 130 |   DevicePropertyAllocatedResources           = 0x15,
 131 |   DevicePropertyContainerID                  = 0x16
 132 | } DEVICE_REGISTRY_PROPERTY;
 133 | 
 134 | typedef struct _WDF_VERSION {
 135 |     UINT  Major;
 136 |     UINT  Minor;
 137 |     UINT   Build;
 138 | } WDF_VERSION;
 139 | 	
 140 | typedef struct _WDF_BIND_INFO {
 141 | 	ULONG              Size;
 142 | 	PWCHAR             Component;
 143 | 	WDF_VERSION        Version;
 144 | 	ULONG              FuncCount;
 145 | 	PVOID 			   FuncTable;
 146 | 	PVOID    Module;     // Mgmt and diagnostic use only
 147 | } WDF_BIND_INFO, * PWDF_BIND_INFO;
 148 | 
 149 | /*
 150 | WdfVersionBind(
 151 |     __in    PDRIVER_OBJECT DriverObject,
 152 |     __in    PUNICODE_STRING RegistryPath,
 153 |     __inout PWDF_BIND_INFO BindInfo,
 154 |     __out   PWDF_COMPONENT_GLOBALS* ComponentGlobals
 155 |     );
 156 | */
 157 | 
 158 | typedef struct _WDF_PNPPOWER_EVENT_CALLBACKS {
 159 |   ULONG                                           Size;
 160 |   PVOID                         EvtDeviceD0Entry;
 161 |   PVOID EvtDeviceD0EntryPostInterruptsEnabled;
 162 |   PVOID                          EvtDeviceD0Exit;
 163 |   PVOID  EvtDeviceD0ExitPreInterruptsDisabled;
 164 |   PVOID                 EvtDevicePrepareHardware;
 165 |   PVOID                 EvtDeviceReleaseHardware;
 166 |   PVOID          EvtDeviceSelfManagedIoCleanup;
 167 |   PVOID            EvtDeviceSelfManagedIoFlush;
 168 |   PVOID             EvtDeviceSelfManagedIoInit;
 169 |   PVOID          EvtDeviceSelfManagedIoSuspend;
 170 |   PVOID          EvtDeviceSelfManagedIoRestart;
 171 |   PVOID                 EvtDeviceSurpriseRemoval;
 172 |   PVOID                     EvtDeviceQueryRemove;
 173 |   PVOID                       EvtDeviceQueryStop;
 174 |   PVOID               EvtDeviceUsageNotification;
 175 |   PVOID                  EvtDeviceRelationsQuery;
 176 |   PVOID            EvtDeviceUsageNotificationEx;
 177 | } WDF_PNPPOWER_EVENT_CALLBACKS, *PWDF_PNPPOWER_EVENT_CALLBACKS;
 178 | 
 179 | /*
 180 | NTSTATUS EvtWdfDevicePrepareHardware(
 181 |   WDFDEVICE Device,
 182 |   WDFCMRESLIST ResourcesRaw,
 183 |   WDFCMRESLIST ResourcesTranslated
 184 | )
 185 | 
 186 | The EvtDevicePrepareHardware callback function accesses the device's raw and translated hardware resources by using the ResourcesRaw and ResourcesTranslated handles that it receives. The callback function can call WdfCmResourceListGetCount and WdfCmResourceListGetDescriptor to traverse the resource lists. This callback function cannot modify the resource lists.
 187 | 
 188 | For more information about resource lists and the order in which the resources appear, see raw and translated hardware resources.
 189 | 
 190 | Typically, your driver's EvtDevicePrepareHardware callback function does the following, if necessary:
 191 | 
 192 | - Maps physical memory addresses to virtual addresses so the driver can access memory that is assigned to the device
 193 | - Determines the device's revision number
 194 | - Configures USB devices
 195 | - Obtains driver-defined interfaces from other drivers
 196 | 
 197 | Optionally, EvtDevicePrepareHardware callback function might queue a work item to complete any other time-intensive configuration tasks.
 198 | */
 199 | 
 200 | 
 201 | // pfnWdfDeviceInitSetPnpPowerEventCallbacks
 202 | 
 203 | typedef struct _WDF_DRIVER_CONFIG {
 204 |   ULONG                     Size;
 205 |   PVOID EvtDriverDeviceAdd;
 206 |   PVOID     EvtDriverUnload;
 207 |   ULONG                     DriverInitFlags;
 208 |   ULONG                     DriverPoolTag;
 209 | } WDF_DRIVER_CONFIG, *PWDF_DRIVER_CONFIG;
 210 | 
 211 | typedef enum _WDF_SYNCHRONIZATION_SCOPE { 
 212 |   WdfSynchronizationScopeInvalid            = 0x00,
 213 |   WdfSynchronizationScopeInheritFromParent  = 0x1,
 214 |   WdfSynchronizationScopeDevice             = 0x2,
 215 |   WdfSynchronizationScopeQueue              = 0x3,
 216 |   WdfSynchronizationScopeNone               = 0x4
 217 | } WDF_SYNCHRONIZATION_SCOPE;
 218 | 
 219 | typedef enum _WDF_EXECUTION_LEVEL { 
 220 |   WdfExecutionLevelInvalid            = 0x00,
 221 |   WdfExecutionLevelInheritFromParent  = 0x1,
 222 |   WdfExecutionLevelPassive            = 0x2,
 223 |   WdfExecutionLevelDispatch           = 0x3
 224 | } WDF_EXECUTION_LEVEL;
 225 | 
 226 | typedef struct _WDF_OBJECT_CONTEXT_TYPE_INFO {
 227 |   ULONG                          Size;
 228 |   PCHAR                          ContextName;
 229 |   UINT                         ContextSize;
 230 |   PVOID UniqueType;
 231 |   PVOID    EvtDriverGetUniqueContextType;
 232 | } WDF_OBJECT_CONTEXT_TYPE_INFO, *PWDF_OBJECT_CONTEXT_TYPE_INFO;
 233 | 
 234 | typedef struct _WDF_OBJECT_ATTRIBUTES {
 235 |   ULONG                          Size;
 236 |   PVOID EvtCleanupCallback;
 237 |   PVOID EvtDestroyCallback;
 238 |   WDF_EXECUTION_LEVEL            ExecutionLevel;
 239 |   WDF_SYNCHRONIZATION_SCOPE      SynchronizationScope;
 240 |   HANDLE                      ParentObject;
 241 |   UINT                         ContextSizeOverride;
 242 |   PWDF_OBJECT_CONTEXT_TYPE_INFO ContextTypeInfo;
 243 | } WDF_OBJECT_ATTRIBUTES, *PWDF_OBJECT_ATTRIBUTES;
 244 | 
 245 | 
 246 | 	
 247 | /*
 248 | pfnWdfObjectGetTypedContextWorker() -> receives a handle in RDX and returns a pointer into the private object context
 249 | */
 250 | 
 251 | /*
 252 | NTSTATUS WdfIoQueueCreate(
 253 |   _In_      WDFDEVICE              Device,
 254 |   _In_      PWDF_IO_QUEUE_CONFIG   Config,
 255 |   _In_opt_  PWDF_OBJECT_ATTRIBUTES QueueAttributes,
 256 |   _Out_opt_ WDFQUEUE               *Queue
 257 | );
 258 | 
 259 | void EvtWdfIoQueueIoDeviceControl(
 260 |   WDFQUEUE Queue,
 261 |   WDFREQUEST Request,
 262 |   UINT OutputBufferLength,
 263 |   UINT InputBufferLength,
 264 |   ULONG IoControlCode
 265 | )
 266 | 
 267 | void EvtWdfIoQueueIoDeviceControl(
 268 |   PVOID Queue,
 269 |   PVOID Request,
 270 |   UINT OutputBufferLength,
 271 |   UINT InputBufferLength,
 272 |   ULONG IoControlCode
 273 | )
 274 | 
 275 | 
 276 | void EvtWdfIoQueueIoRead(
 277 |   WDFQUEUE Queue,
 278 |   WDFREQUEST Request,
 279 |   size_t Length
 280 | )
 281 | 
 282 | void EvtWdfIoQueueIoWrite(
 283 |   WDFQUEUE Queue,
 284 |   WDFREQUEST Request,
 285 |   size_t Length
 286 | )
 287 | 
 288 | void EvtWdfIoQueueIoInternalDeviceControl(
 289 |   WDFQUEUE Queue,
 290 |   WDFREQUEST Request,
 291 |   size_t OutputBufferLength,
 292 |   size_t InputBufferLength,
 293 |   ULONG IoControlCode
 294 | )
 295 | */
 296 | 
 297 | typedef enum _WDF_DEVICE_IO_TYPE { 
 298 |   WdfDeviceIoUndefined         = 0,
 299 |   WdfDeviceIoNeither           = 1,
 300 |   WdfDeviceIoBuffered          = 2,
 301 |   WdfDeviceIoDirect            = 3,
 302 |   WdfDeviceIoBufferedOrDirect  = 4
 303 | } WDF_DEVICE_IO_TYPE, *PWDF_DEVICE_IO_TYPE;
 304 | 
 305 | typedef enum _WDF_IO_QUEUE_DISPATCH_TYPE { 
 306 |   WdfIoQueueDispatchInvalid     = 0,
 307 |   WdfIoQueueDispatchSequential  = 1,
 308 |   WdfIoQueueDispatchParallel    = 2,
 309 |   WdfIoQueueDispatchManual      = 3,
 310 |   WdfIoQueueDispatchMax         = 4
 311 | } WDF_IO_QUEUE_DISPATCH_TYPE;
 312 | 
 313 | typedef enum _WDF_TRI_STATE { 
 314 |   WdfFalse       = FALSE,
 315 |   WdfTrue        = TRUE,
 316 |   WdfUseDefault  = 2
 317 | } WDF_TRI_STATE, *PWDF_TRI_STATE;
 318 | 
 319 | typedef struct _WDF_IO_QUEUE_CONFIG {
 320 |   ULONG                                       Size;
 321 |   WDF_IO_QUEUE_DISPATCH_TYPE                  DispatchType;
 322 |   WDF_TRI_STATE                               PowerManaged;
 323 |   BOOLEAN                                     AllowZeroLengthRequests;
 324 |   BOOLEAN                                     DefaultQueue;
 325 |   PVOID                 EvtIoDefault;
 326 |   PVOID                    EvtIoRead;
 327 |   PVOID                   EvtIoWrite;
 328 |   PVOID          EvtIoDeviceControl;
 329 |   PVOID EvtIoInternalDeviceControl;
 330 |   PVOID                    EvtIoStop;
 331 |   PVOID                  EvtIoResume;
 332 |   PVOID       EvtIoCanceledOnQueue;
 333 |   union {
 334 |     struct {
 335 |       ULONG NumberOfPresentedRequests;
 336 |     } Parallel;
 337 |   } Settings;
 338 |   HANDLE                                   Driver;
 339 | } WDF_IO_QUEUE_CONFIG, *PWDF_IO_QUEUE_CONFIG;
 340 | 
 341 | 
 342 | /*
 343 | VOID WdfDeviceInitSetFileObjectConfig(
 344 |   _In_     PWDFDEVICE_INIT        DeviceInit,
 345 |   _In_     PWDF_FILEOBJECT_CONFIG FileObjectConfig,
 346 |   _In_opt_ PWDF_OBJECT_ATTRIBUTES FileObjectAttributes
 347 | );
 348 | */
 349 | 
 350 | typedef enum _WDF_FILEOBJECT_CLASS { 
 351 |   WdfFileObjectInvalid                 = 0,
 352 |   WdfFileObjectNotRequired             = 1,
 353 |   WdfFileObjectWdfCanUseFsContext      = 2,
 354 |   WdfFileObjectWdfCanUseFsContext2     = 3,
 355 |   WdfFileObjectWdfCannotUseFsContexts  = 4,
 356 |   WdfFileObjectCanBeOptional           = 0x80000000
 357 | } WDF_FILEOBJECT_CLASS, *PWDF_FILEOBJECT_CLASS;
 358 | 
 359 | typedef struct _WDF_FILEOBJECT_CONFIG {
 360 |   ULONG                      Size;
 361 |   PVOID EvtDeviceFileCreate;
 362 |   PVOID         EvtFileClose;
 363 |   PVOID       EvtFileCleanup;
 364 |   WDF_TRI_STATE              AutoForwardCleanupClose;
 365 |   WDF_FILEOBJECT_CLASS       FileObjectClass;
 366 | } WDF_FILEOBJECT_CONFIG, *PWDF_FILEOBJECT_CONFIG;
 367 | 
 368 | /*
 369 | NTSTATUS WdfRequestRetrieveInputBuffer(
 370 |   _In_      WDFREQUEST Request,
 371 |   _In_      size_t     MinimumRequiredSize,
 372 |   _Out_     PVOID      *Buffer,
 373 |   _Out_opt_ size_t     *Length
 374 | );
 375 | */
 376 | 
 377 | /*
 378 | WDF Request buffers (input and output) are hold in a structure like the follows
 379 | */
 380 | typedef struct _BuffRequest {
 381 | 	PVOID InputBuffer;
 382 | 	PVOID OutputBuffer;
 383 | 	DWORD64 InputBuffLen;
 384 | 	DWORD64 OutputBuffLen;
 385 | } BuffRequest, *PBuffRequest;
 386 | 
 387 | 
 388 | typedef enum _WDF_REQUEST_TYPE { 
 389 |   WdfRequestTypeCreate                  = 0x0,
 390 |   WdfRequestTypeCreateNamedPipe         = 0x1,
 391 |   WdfRequestTypeClose                   = 0x2,
 392 |   WdfRequestTypeRead                    = 0x3,
 393 |   WdfRequestTypeWrite                   = 0x4,
 394 |   WdfRequestTypeQueryInformation        = 0x5,
 395 |   WdfRequestTypeSetInformation          = 0x6,
 396 |   WdfRequestTypeQueryEA                 = 0x7,
 397 |   WdfRequestTypeSetEA                   = 0x8,
 398 |   WdfRequestTypeFlushBuffers            = 0x9,
 399 |   WdfRequestTypeQueryVolumeInformation  = 0xa,
 400 |   WdfRequestTypeSetVolumeInformation    = 0xb,
 401 |   WdfRequestTypeDirectoryControl        = 0xc,
 402 |   WdfRequestTypeFileSystemControl       = 0xd,
 403 |   WdfRequestTypeDeviceControl           = 0xe,
 404 |   WdfRequestTypeDeviceControlInternal   = 0xf,
 405 |   WdfRequestTypeShutdown                = 0x10,
 406 |   WdfRequestTypeLockControl             = 0x11,
 407 |   WdfRequestTypeCleanup                 = 0x12,
 408 |   WdfRequestTypeCreateMailSlot          = 0x13,
 409 |   WdfRequestTypeQuerySecurity           = 0x14,
 410 |   WdfRequestTypeSetSecurity             = 0x15,
 411 |   WdfRequestTypePower                   = 0x16,
 412 |   WdfRequestTypeSystemControl           = 0x17,
 413 |   WdfRequestTypeDeviceChange            = 0x18,
 414 |   WdfRequestTypeQueryQuota              = 0x19,
 415 |   WdfRequestTypeSetQuota                = 0x1A,
 416 |   WdfRequestTypePnp                     = 0x1B,
 417 |   WdfRequestTypeOther                   = 0x1C,
 418 |   WdfRequestTypeUsb                     = 0x40,
 419 |   WdfRequestTypeNoFormat                = 0xFF,
 420 |   WdfRequestTypeMax                     = 0x100
 421 | } WDF_REQUEST_TYPE;
 422 | 
 423 | 
 424 | /*
 425 | WDF_REQUEST_PARAMETERS  requestParameters;
 426 |  
 427 | // Get the Request parameters
 428 | WDF_REQUEST_PARAMETERS_INIT(&requestParameters);
 429 | WdfRequestGetParameters(Request, &requestParameters);
 430 | */
 431 | 
 432 | typedef struct _WDF_REQUEST_PARAMETERS {
 433 |   USHORT           Size;
 434 |   UCHAR            MinorFunction;
 435 |   WDF_REQUEST_TYPE Type;
 436 |   union {
 437 |     struct {
 438 |       PVOID     SecurityContext;
 439 |       ULONG                    Options;
 440 |       UINT64 FileAttributes;
 441 |       USHORT                   ShareAccess;
 442 |       UINT64  EaLength;
 443 |     } Create;
 444 |     struct {
 445 |       UINT                  Length;
 446 |       UINT64 Key;
 447 |       UINT64                DeviceOffset;
 448 |     } Read;
 449 |     struct {
 450 |       UINT                  Length;
 451 |       UINT64 Key;
 452 |       LONGLONG                DeviceOffset;
 453 |     } Write;
 454 |     struct {
 455 |       UINT                   OutputBufferLength;
 456 |       UINT64 InputBufferLength;
 457 |       UINT64  IoControlCode;
 458 |       PVOID                    Type3InputBuffer;
 459 |     } DeviceIoControl;
 460 |     struct {
 461 |       PVOID                   Arg1;
 462 |       PVOID                   Arg2;
 463 |       UINT64 IoControlCode;
 464 |       PVOID                   Arg4;
 465 |     } Others;
 466 |   } Parameters;
 467 | } WDF_REQUEST_PARAMETERS, *PWDF_REQUEST_PARAMETERS;
 468 | 
 469 | 
 470 | 
 471 | /*
 472 | NTSTATUS WdfDeviceAddQueryInterface(
 473 |   _In_ WDFDEVICE                   Device,
 474 |   _In_ PWDF_QUERY_INTERFACE_CONFIG InterfaceConfig
 475 | );
 476 | */
 477 | 
 478 | typedef struct _INTERFACE {
 479 |   USHORT                 Size;
 480 |   USHORT                 Version;
 481 |   PVOID                  Context;
 482 |   PVOID   InterfaceReference;
 483 |   PVOID InterfaceDereference;
 484 | } INTERFACE, *PINTERFACE;
 485 | 
 486 | typedef struct _WDF_QUERY_INTERFACE_CONFIG {
 487 |   ULONG                                          Size;
 488 |   PINTERFACE                                     Interface;
 489 |   PVOID                                     GUIDInterfaceType;
 490 |   BOOLEAN                                        SendQueryToParentStack;
 491 |   PVOID  EvtDeviceProcessQueryInterfaceRequest;
 492 |   BOOLEAN                                        ImportInterface;
 493 | } WDF_QUERY_INTERFACE_CONFIG, *PWDF_QUERY_INTERFACE_CONFIG;
 494 | 
 495 | 
 496 | 
 497 | 
 498 | typedef struct _WDF_WORKITEM_CONFIG {
 499 |   ULONG            Size;
 500 |   PVOID EvtWorkItemFunc;
 501 |   BOOLEAN          AutomaticSerialization;
 502 | } WDF_WORKITEM_CONFIG, *PWDF_WORKITEM_CONFIG;
 503 | 
 504 | /*
 505 | NTSTATUS WdfWorkItemCreate(
 506 |   _In_  PWDF_WORKITEM_CONFIG   Config,
 507 |   _In_  PWDF_OBJECT_ATTRIBUTES Attributes,
 508 |   _Out_ WDFWORKITEM            *WorkItem
 509 | );
 510 | 
 511 | */
 512 | 
 513 | 
 514 | /*
 515 | IO Targets:
 516 | 
 517 | A WDF driver can forward an I/O request or create and send a new request to another driver, called an I/O target.
 518 | 
 519 | The framework initializes a driver's local I/O target for a device when the driver calls WdfDeviceCreate. To retrieve a handle to a device's local I/O target, the driver calls WdfDeviceGetIoTarget.
 520 | 
 521 | NTSTATUS WdfDeviceCreate(
 522 |   PWDFDEVICE_INIT        *DeviceInit,
 523 |   PWDF_OBJECT_ATTRIBUTES DeviceAttributes,
 524 |   WDFDEVICE              *Device
 525 | );
 526 | 
 527 | 
 528 | Most drivers send requests only to their local I/O target.
 529 | 
 530 | To initialize a remote I/O target for a device, the driver must:
 531 |  1) Call WdfIoTargetCreate to create an I/O target object.
 532 |  2) Call WdfIoTargetOpen to open an I/O target so that the driver can send requests to it.
 533 | 
 534 |  
 535 | When the driver calls WdfIoTargetOpen, it typically identifies the remote I/O target by supplying a Unicode string that represents an object name. This name can identify a device, file, or device interface.
 536 | 
 537 | The framework sends I/O requests to the top of the driver stack that supports the object name.
 538 | 
 539 | 
 540 | 
 541 | NTSTATUS WdfIoTargetOpen(
 542 |   _In_ WDFIOTARGET                IoTarget,
 543 |   _In_ PWDF_IO_TARGET_OPEN_PARAMS OpenParams
 544 | );
 545 | */
 546 | 
 547 | 
 548 | typedef enum _WDF_IO_TARGET_OPEN_TYPE { 
 549 |   WdfIoTargetOpenUndefined          = 0,
 550 |   WdfIoTargetOpenUseExistingDevice  = 1,
 551 |   WdfIoTargetOpenByName             = 2,
 552 |   WdfIoTargetOpenReopen             = 3,
 553 |   WdfIoTargetOpenLocalTargetByFile  = 4
 554 | } WDF_IO_TARGET_OPEN_TYPE;
 555 | 
 556 | typedef struct _WDF_IO_TARGET_OPEN_PARAMS {
 557 |   ULONG                             Size;
 558 |   WDF_IO_TARGET_OPEN_TYPE           Type;
 559 |   PVOID    EvtIoTargetQueryRemove;
 560 |   PVOID EvtIoTargetRemoveCanceled;
 561 |   PVOID EvtIoTargetRemoveComplete;
 562 |   PDEVICE_OBJECT                    TargetDeviceObject;
 563 |   PVOID                      TargetFileObject;
 564 |   UNICODE_STRING                    TargetDeviceName;
 565 |   DWORD                       DesiredAccess;
 566 |   ULONG                             ShareAccess;
 567 |   ULONG                             FileAttributes;
 568 |   ULONG                             CreateDisposition;
 569 |   ULONG                             CreateOptions;
 570 |   PVOID                             EaBuffer;
 571 |   ULONG                             EaBufferLength;
 572 |   PVOID                         AllocationSize;
 573 |   ULONG                             FileInformation;
 574 |   UNICODE_STRING                    FileName;
 575 | } WDF_IO_TARGET_OPEN_PARAMS, *PWDF_IO_TARGET_OPEN_PARAMS;
 576 | 
 577 | typedef struct _WDF_INTERRUPT_CONFIG {
 578 |   ULONG                           Size;
 579 |   PVOID                     SpinLock;
 580 |   WDF_TRI_STATE                   ShareVector;
 581 |   BOOLEAN                         FloatingSave;
 582 |   BOOLEAN                         AutomaticSerialization;
 583 |   PVOID           EvtInterruptIsr;
 584 |   PVOID           EvtInterruptDpc;
 585 |   PVOID        EvtInterruptEnable;
 586 |   PVOID       EvtInterruptDisable;
 587 |   PVOID      EvtInterruptWorkItem;
 588 |   PVOID InterruptRaw;
 589 |   PVOID InterruptTranslated;
 590 |   PVOID                     WaitLock;
 591 |   BOOLEAN                         PassiveHandling;
 592 |   WDF_TRI_STATE                   ReportInactiveOnPowerDown;
 593 |   BOOLEAN                         CanWakeDevice;
 594 | } WDF_INTERRUPT_CONFIG, *PWDF_INTERRUPT_CONFIG;
 595 | 
 596 | /*
 597 | NTSTATUS WdfInterruptCreate(
 598 |   _In_     WDFDEVICE              Device,
 599 |   _In_     PWDF_INTERRUPT_CONFIG  Configuration,
 600 |   _In_opt_ PWDF_OBJECT_ATTRIBUTES Attributes,
 601 |   _Out_    WDFINTERRUPT           *Interrupt
 602 | );
 603 | */
 604 | 
 605 | 
 606 | /*
 607 | The WdfFdoInitSetDefaultChildListConfig method configures a bus driver's default child list.
 608 | 
 609 | VOID WdfFdoInitSetDefaultChildListConfig(
 610 |   _Inout_  PWDFDEVICE_INIT        DeviceInit,
 611 |   _In_     PWDF_CHILD_LIST_CONFIG Config,
 612 |   _In_opt_ PWDF_OBJECT_ATTRIBUTES DefaultChildListAttributes
 613 | );
 614 | */
 615 | 
 616 | typedef struct _WDF_CHILD_LIST_CONFIG {
 617 |   ULONG                                                   Size;
 618 |   ULONG                                                   IdentificationDescriptionSize;
 619 |   ULONG                                                   AddressDescriptionSize;
 620 |   PVOID                        EvtChildListCreateDevice;
 621 |   PVOID                    EvtChildListScanForChildren;
 622 |   PVOID      EvtChildListIdentificationDescriptionCopy;
 623 |   PVOID EvtChildListIdentificationDescriptionDuplicate;
 624 |   PVOID   EvtChildListIdentificationDescriptionCleanup;
 625 |   PVOID   EvtChildListIdentificationDescriptionCompare;
 626 |   PVOID             EvtChildListAddressDescriptionCopy;
 627 |   PVOID        EvtChildListAddressDescriptionDuplicate;
 628 |   PVOID          EvtChildListAddressDescriptionCleanup;
 629 |   PVOID                  EvtChildListDeviceReenumerated;
 630 | } WDF_CHILD_LIST_CONFIG, *PWDF_CHILD_LIST_CONFIG;
 631 | 
 632 | 
 633 | typedef struct _WDF_CHILD_IDENTIFICATION_DESCRIPTION_HEADER {
 634 |     //
 635 |     // Size in bytes of the entire description, including this header.
 636 |     //
 637 |     // Same value as WDF_CHILD_LIST_CONFIG::IdentificationDescriptionSize
 638 |     // Used as a sanity check.
 639 |     //
 640 |     ULONG IdentificationDescriptionSize;
 641 | }   WDF_CHILD_IDENTIFICATION_DESCRIPTION_HEADER,
 642 |   *PWDF_CHILD_IDENTIFICATION_DESCRIPTION_HEADER;
 643 | 
 644 | /*
 645 | NTSTATUS EvtWdfChildListCreateDevice(
 646 |   PVOID ChildList,
 647 |   PWDF_CHILD_IDENTIFICATION_DESCRIPTION_HEADER IdentificationDescription,
 648 |   PVOID ChildInit
 649 | )
 650 | 
 651 | NTSTATUS EvtWdfChildListIdentificationDescriptionDuplicate(
 652 |   PVOID ChildList,
 653 |   PWDF_CHILD_IDENTIFICATION_DESCRIPTION_HEADER SourceIdentificationDescription,
 654 |   PWDF_CHILD_IDENTIFICATION_DESCRIPTION_HEADER DestinationIdentificationDescription
 655 | )
 656 | 
 657 | 
 658 | EVT_WDF_CHILD_LIST_IDENTIFICATION_DESCRIPTION_COMPARE EvtWdfChildListIdentificationDescriptionCompare;
 659 | 
 660 | BOOLEAN EvtWdfChildListIdentificationDescriptionCompare(
 661 |   PVOID ChildList,
 662 |   PWDF_CHILD_IDENTIFICATION_DESCRIPTION_HEADER FirstIdentificationDescription,
 663 |   PWDF_CHILD_IDENTIFICATION_DESCRIPTION_HEADER SecondIdentificationDescription
 664 | )
 665 | 
 666 | 
 667 | void EvtWdfChildListIdentificationDescriptionCleanup(
 668 |   WDFCHILDLIST ChildList,
 669 |   PWDF_CHILD_IDENTIFICATION_DESCRIPTION_HEADER IdentificationDescription
 670 | )
 671 | 
 672 | */
 673 | 
 674 | 
 675 | /*
 676 | PIRP WdfRequestWdmGetIrp(
 677 |   _In_ WDFREQUEST Request
 678 | );
 679 | Returns the WDM IRP structure that is associated with a specified framework request object.
 680 | */
 681 | 
 682 | 
 683 | // WdfDeviceInitAssignWdmIrpPreprocessCallback
 684 | /*
 685 | NTSTATUS WdfDeviceInitAssignWdmIrpPreprocessCallback(
 686 |   PVOID                  DeviceInit,
 687 |   PVOID EvtDeviceWdmIrpPreprocess,
 688 |   UCHAR                            MajorFunction,
 689 |   PUCHAR                           MinorFunctions,
 690 |   ULONG                            NumMinorFunctions
 691 | );
 692 | */
 693 | 
 694 | 
 695 | // Stripped version of this structure so it fits most binaries out there
 696 | typedef struct _WDFFUNCTIONS {
 697 |     PVOID                                    pfnWdfChildListCreate;
 698 |     PVOID                                 pfnWdfChildListGetDevice;
 699 |     PVOID                               pfnWdfChildListRetrievePdo;
 700 |     PVOID                pfnWdfChildListRetrieveAddressDescription;
 701 |     PVOID                                 pfnWdfChildListBeginScan;
 702 |     PVOID                                   pfnWdfChildListEndScan;
 703 |     PVOID                            pfnWdfChildListBeginIteration;
 704 |     PVOID                        pfnWdfChildListRetrieveNextDevice;
 705 |     PVOID                              pfnWdfChildListEndIteration;
 706 |     PVOID      pfnWdfChildListAddOrUpdateChildDescriptionAsPresent;
 707 |     PVOID           pfnWdfChildListUpdateChildDescriptionAsMissing;
 708 |     PVOID       pfnWdfChildListUpdateAllChildDescriptionsAsPresent;
 709 |     PVOID                         pfnWdfChildListRequestChildEject;
 710 |     PVOID                                   pfnWdfCollectionCreate;
 711 |     PVOID                                 pfnWdfCollectionGetCount;
 712 |     PVOID                                      pfnWdfCollectionAdd;
 713 |     PVOID                                   pfnWdfCollectionRemove;
 714 |     PVOID                               pfnWdfCollectionRemoveItem;
 715 |     PVOID                                  pfnWdfCollectionGetItem;
 716 |     PVOID                             pfnWdfCollectionGetFirstItem;
 717 |     PVOID                              pfnWdfCollectionGetLastItem;
 718 |     PVOID                                 pfnWdfCommonBufferCreate;
 719 |     PVOID               pfnWdfCommonBufferGetAlignedVirtualAddress;
 720 |     PVOID               pfnWdfCommonBufferGetAlignedLogicalAddress;
 721 |     PVOID                              pfnWdfCommonBufferGetLength;
 722 |     PVOID                          pfnWdfControlDeviceInitAllocate; // 0xC8
 723 |     PVOID           pfnWdfControlDeviceInitSetShutdownNotification;
 724 |     PVOID                          pfnWdfControlFinishInitializing;
 725 |     PVOID                               pfnWdfDeviceGetDeviceState;
 726 |     PVOID                               pfnWdfDeviceSetDeviceState;
 727 |     PVOID                        pfnWdfWdmDeviceGetWdfDeviceHandle;
 728 |     PVOID                           pfnWdfDeviceWdmGetDeviceObject;
 729 |     PVOID                         pfnWdfDeviceWdmGetAttachedDevice;
 730 |     PVOID                         pfnWdfDeviceWdmGetPhysicalDevice;
 731 |     PVOID                   pfnWdfDeviceWdmDispatchPreprocessedIrp;
 732 |     PVOID                pfnWdfDeviceAddDependentUsageDeviceObject;
 733 |     PVOID            pfnWdfDeviceAddRemovalRelationsPhysicalDevice;
 734 |     PVOID         pfnWdfDeviceRemoveRemovalRelationsPhysicalDevice;
 735 |     PVOID                 pfnWdfDeviceClearRemovalRelationsDevices;
 736 |     PVOID                                    pfnWdfDeviceGetDriver;
 737 |     PVOID                           pfnWdfDeviceRetrieveDeviceName;
 738 |     PVOID                        pfnWdfDeviceAssignMofResourceName;
 739 |     PVOID                                  pfnWdfDeviceGetIoTarget;
 740 |     PVOID                            pfnWdfDeviceGetDevicePnpState;
 741 |     PVOID                          pfnWdfDeviceGetDevicePowerState;
 742 |     PVOID                    pfnWdfDeviceGetDevicePowerPolicyState;
 743 |     PVOID                         pfnWdfDeviceAssignS0IdleSettings;
 744 |     PVOID                         pfnWdfDeviceAssignSxWakeSettings;
 745 |     PVOID                              pfnWdfDeviceOpenRegistryKey;
 746 |     PVOID                        pfnWdfDeviceSetSpecialFileSupport;
 747 |     PVOID                           pfnWdfDeviceSetCharacteristics;
 748 |     PVOID                           pfnWdfDeviceGetCharacteristics;
 749 |     PVOID                      pfnWdfDeviceGetAlignmentRequirement;
 750 |     PVOID                      pfnWdfDeviceSetAlignmentRequirement;
 751 |     PVOID                                     pfnWdfDeviceInitFree;
 752 |     PVOID                pfnWdfDeviceInitSetPnpPowerEventCallbacks;
 753 |     PVOID             pfnWdfDeviceInitSetPowerPolicyEventCallbacks;
 754 |     PVOID                  pfnWdfDeviceInitSetPowerPolicyOwnership;
 755 |     PVOID           pfnWdfDeviceInitRegisterPnpStateChangeCallback;
 756 |     PVOID         pfnWdfDeviceInitRegisterPowerStateChangeCallback;
 757 |     PVOID    pfnWdfDeviceInitRegisterPowerPolicyStateChangeCallback;
 758 |     PVOID                                pfnWdfDeviceInitSetIoType;
 759 |     PVOID                             pfnWdfDeviceInitSetExclusive;
 760 |     PVOID                      pfnWdfDeviceInitSetPowerNotPageable;
 761 |     PVOID                         pfnWdfDeviceInitSetPowerPageable;
 762 |     PVOID                           pfnWdfDeviceInitSetPowerInrush;
 763 |     PVOID                            pfnWdfDeviceInitSetDeviceType;
 764 |     PVOID                               pfnWdfDeviceInitAssignName;
 765 |     PVOID                         pfnWdfDeviceInitAssignSDDLString; //0x220
 766 |     PVOID                           pfnWdfDeviceInitSetDeviceClass;
 767 |     PVOID                       pfnWdfDeviceInitSetCharacteristics;
 768 |     PVOID                      pfnWdfDeviceInitSetFileObjectConfig;
 769 |     PVOID                     pfnWdfDeviceInitSetRequestAttributes;
 770 |     PVOID           pfnWdfDeviceInitAssignWdmIrpPreprocessCallback; // 248h
 771 |     PVOID             pfnWdfDeviceInitSetIoInCallerContextCallback; // 250h
 772 |     PVOID                                       pfnWdfDeviceCreate; // 258h
 773 |     PVOID                          pfnWdfDeviceSetStaticStopRemove;
 774 |     PVOID                        pfnWdfDeviceCreateDeviceInterface; // 268h
 775 |     PVOID                      pfnWdfDeviceSetDeviceInterfaceState;
 776 |     PVOID                pfnWdfDeviceRetrieveDeviceInterfaceString;
 777 |     PVOID                           pfnWdfDeviceCreateSymbolicLink; // 0x280
 778 |     PVOID                                pfnWdfDeviceQueryProperty;
 779 |     PVOID                        pfnWdfDeviceAllocAndQueryProperty;
 780 |     PVOID                           pfnWdfDeviceSetPnpCapabilities;
 781 |     PVOID                         pfnWdfDeviceSetPowerCapabilities;
 782 |     PVOID                 pfnWdfDeviceSetBusInformationForChildren;
 783 |     PVOID                           pfnWdfDeviceIndicateWakeStatus;
 784 |     PVOID                                    pfnWdfDeviceSetFailed;
 785 |     PVOID                              pfnWdfDeviceStopIdleNoTrack;
 786 |     PVOID                            pfnWdfDeviceResumeIdleNoTrack;
 787 |     PVOID                                pfnWdfDeviceGetFileObject;
 788 |     PVOID                               pfnWdfDeviceEnqueueRequest;
 789 |     PVOID                              pfnWdfDeviceGetDefaultQueue;
 790 |     PVOID                  pfnWdfDeviceConfigureRequestDispatching;
 791 |     PVOID                                   pfnWdfDmaEnablerCreate;
 792 |     PVOID                         pfnWdfDmaEnablerGetMaximumLength;
 793 |     PVOID          pfnWdfDmaEnablerGetMaximumScatterGatherElements;
 794 |     PVOID          pfnWdfDmaEnablerSetMaximumScatterGatherElements;
 795 |     PVOID                               pfnWdfDmaTransactionCreate;
 796 |     PVOID                           pfnWdfDmaTransactionInitialize;
 797 |     PVOID               pfnWdfDmaTransactionInitializeUsingRequest;
 798 |     PVOID                              pfnWdfDmaTransactionExecute;
 799 |     PVOID                              pfnWdfDmaTransactionRelease;
 800 |     PVOID                         pfnWdfDmaTransactionDmaCompleted;
 801 |     PVOID               pfnWdfDmaTransactionDmaCompletedWithLength;
 802 |     PVOID                    pfnWdfDmaTransactionDmaCompletedFinal;
 803 |     PVOID                  pfnWdfDmaTransactionGetBytesTransferred;
 804 |     PVOID                     pfnWdfDmaTransactionSetMaximumLength;
 805 |     PVOID                           pfnWdfDmaTransactionGetRequest;
 806 |     PVOID          pfnWdfDmaTransactionGetCurrentDmaTransferLength;
 807 |     PVOID                            pfnWdfDmaTransactionGetDevice;
 808 |     PVOID                                          pfnWdfDpcCreate;
 809 |     PVOID                                         pfnWdfDpcEnqueue;
 810 |     PVOID                                          pfnWdfDpcCancel;
 811 |     PVOID                                 pfnWdfDpcGetParentObject;
 812 |     PVOID                                       pfnWdfDpcWdmGetDpc;
 813 |     PVOID                                       pfnWdfDriverCreate;
 814 |     PVOID                              pfnWdfDriverGetRegistryPath;
 815 |     PVOID                           pfnWdfDriverWdmGetDriverObject;
 816 |     PVOID                    pfnWdfDriverOpenParametersRegistryKey;
 817 |     PVOID                        pfnWdfWdmDriverGetWdfDriverHandle;
 818 |     PVOID                            pfnWdfDriverRegisterTraceInfo;
 819 |     PVOID                        pfnWdfDriverRetrieveVersionString;
 820 |     PVOID                           pfnWdfDriverIsVersionAvailable;
 821 |     PVOID                        pfnWdfFdoInitWdmGetPhysicalDevice;
 822 |     PVOID                             pfnWdfFdoInitOpenRegistryKey;
 823 |     PVOID                               pfnWdfFdoInitQueryProperty;
 824 |     PVOID                       pfnWdfFdoInitAllocAndQueryProperty;
 825 |     PVOID                           pfnWdfFdoInitSetEventCallbacks;
 826 |     PVOID                                   pfnWdfFdoInitSetFilter;
 827 |     PVOID                   pfnWdfFdoInitSetDefaultChildListConfig;
 828 |     PVOID                               pfnWdfFdoQueryForInterface;
 829 |     PVOID                             pfnWdfFdoGetDefaultChildList;
 830 |     PVOID                                  pfnWdfFdoAddStaticChild;
 831 |     PVOID                 pfnWdfFdoLockStaticChildListForIteration;
 832 |     PVOID                         pfnWdfFdoRetrieveNextStaticChild;
 833 |     PVOID              pfnWdfFdoUnlockStaticChildListFromIteration;
 834 |     PVOID                              pfnWdfFileObjectGetFileName;
 835 |     PVOID                                 pfnWdfFileObjectGetFlags;
 836 |     PVOID                                pfnWdfFileObjectGetDevice;
 837 |     PVOID                         pfnWdfFileObjectWdmGetFileObject;
 838 |     PVOID                                    pfnWdfInterruptCreate;
 839 |     PVOID                            pfnWdfInterruptQueueDpcForIsr;
 840 |     PVOID                               pfnWdfInterruptSynchronize;
 841 |     PVOID                               pfnWdfInterruptAcquireLock;
 842 |     PVOID                               pfnWdfInterruptReleaseLock;
 843 |     PVOID                                    pfnWdfInterruptEnable;
 844 |     PVOID                                   pfnWdfInterruptDisable;
 845 |     PVOID                           pfnWdfInterruptWdmGetInterrupt;
 846 |     PVOID                                   pfnWdfInterruptGetInfo;
 847 |     PVOID                                 pfnWdfInterruptSetPolicy;
 848 |     PVOID                                 pfnWdfInterruptGetDevice;
 849 |     PVOID                                      pfnWdfIoQueueCreate; // 4C0h
 850 |     PVOID                                    pfnWdfIoQueueGetState;
 851 |     PVOID                                       pfnWdfIoQueueStart;
 852 |     PVOID                                        pfnWdfIoQueueStop;
 853 |     PVOID                           pfnWdfIoQueueStopSynchronously;
 854 |     PVOID                                   pfnWdfIoQueueGetDevice;
 855 |     PVOID                         pfnWdfIoQueueRetrieveNextRequest;
 856 |     PVOID                 pfnWdfIoQueueRetrieveRequestByFileObject;
 857 |     PVOID                                 pfnWdfIoQueueFindRequest;
 858 |     PVOID                        pfnWdfIoQueueRetrieveFoundRequest;
 859 |     PVOID                          pfnWdfIoQueueDrainSynchronously;
 860 |     PVOID                                       pfnWdfIoQueueDrain;
 861 |     PVOID                          pfnWdfIoQueuePurgeSynchronously;
 862 |     PVOID                                       pfnWdfIoQueuePurge;
 863 |     PVOID                                 pfnWdfIoQueueReadyNotify;
 864 |     PVOID                                     pfnWdfIoTargetCreate;
 865 |     PVOID                                       pfnWdfIoTargetOpen;
 866 |     PVOID                        pfnWdfIoTargetCloseForQueryRemove;
 867 |     PVOID                                      pfnWdfIoTargetClose;
 868 |     PVOID                                      pfnWdfIoTargetStart;
 869 |     PVOID                                       pfnWdfIoTargetStop;
 870 |     PVOID                                   pfnWdfIoTargetGetState;
 871 |     PVOID                                  pfnWdfIoTargetGetDevice;
 872 |     PVOID                        pfnWdfIoTargetQueryTargetProperty;
 873 |     PVOID                pfnWdfIoTargetAllocAndQueryTargetProperty;
 874 |     PVOID                          pfnWdfIoTargetQueryForInterface;
 875 |     PVOID                   pfnWdfIoTargetWdmGetTargetDeviceObject;
 876 |     PVOID                 pfnWdfIoTargetWdmGetTargetPhysicalDevice;
 877 |     PVOID                     pfnWdfIoTargetWdmGetTargetFileObject;
 878 |     PVOID                     pfnWdfIoTargetWdmGetTargetFileHandle;
 879 |     PVOID                      pfnWdfIoTargetSendReadSynchronously;
 880 |     PVOID                       pfnWdfIoTargetFormatRequestForRead;
 881 |     PVOID                     pfnWdfIoTargetSendWriteSynchronously;
 882 |     PVOID                      pfnWdfIoTargetFormatRequestForWrite;
 883 |     PVOID                     pfnWdfIoTargetSendIoctlSynchronously;
 884 |     PVOID                      pfnWdfIoTargetFormatRequestForIoctl;
 885 |     PVOID             pfnWdfIoTargetSendInternalIoctlSynchronously;
 886 |     PVOID              pfnWdfIoTargetFormatRequestForInternalIoctl;
 887 |     PVOID       pfnWdfIoTargetSendInternalIoctlOthersSynchronously;
 888 |     PVOID        pfnWdfIoTargetFormatRequestForInternalIoctlOthers;
 889 |     PVOID                                       pfnWdfMemoryCreate;
 890 |     PVOID                           pfnWdfMemoryCreatePreallocated;
 891 |     PVOID                                    pfnWdfMemoryGetBuffer;
 892 |     PVOID                                 pfnWdfMemoryAssignBuffer;
 893 |     PVOID                                 pfnWdfMemoryCopyToBuffer;
 894 |     PVOID                               pfnWdfMemoryCopyFromBuffer;
 895 |     PVOID                                pfnWdfLookasideListCreate;
 896 |     PVOID                          pfnWdfMemoryCreateFromLookaside;
 897 |     PVOID                               pfnWdfDeviceMiniportCreate;
 898 |     PVOID                               pfnWdfDriverMiniportUnload;
 899 |     PVOID                        pfnWdfObjectGetTypedContextWorker;
 900 |     PVOID                              pfnWdfObjectAllocateContext;
 901 |     PVOID                             pfnWdfObjectContextGetObject;
 902 |     PVOID                              pfnWdfObjectReferenceActual;
 903 |     PVOID                            pfnWdfObjectDereferenceActual;
 904 |     PVOID                                       pfnWdfObjectCreate;
 905 |     PVOID                                       pfnWdfObjectDelete;
 906 |     PVOID                                        pfnWdfObjectQuery;
 907 |     PVOID                                    pfnWdfPdoInitAllocate;
 908 |     PVOID                           pfnWdfPdoInitSetEventCallbacks;
 909 |     PVOID                              pfnWdfPdoInitAssignDeviceID;
 910 |     PVOID                            pfnWdfPdoInitAssignInstanceID;
 911 |     PVOID                               pfnWdfPdoInitAddHardwareID;
 912 |     PVOID                             pfnWdfPdoInitAddCompatibleID;
 913 |     PVOID                               pfnWdfPdoInitAddDeviceText;
 914 |     PVOID                            pfnWdfPdoInitSetDefaultLocale;
 915 |     PVOID                             pfnWdfPdoInitAssignRawDevice;
 916 |     PVOID                                     pfnWdfPdoMarkMissing;
 917 |     PVOID                                    pfnWdfPdoRequestEject;
 918 |     PVOID                                       pfnWdfPdoGetParent;
 919 |     PVOID               pfnWdfPdoRetrieveIdentificationDescription;
 920 |     PVOID                      pfnWdfPdoRetrieveAddressDescription;
 921 |     PVOID                        pfnWdfPdoUpdateAddressDescription;
 922 |     PVOID              pfnWdfPdoAddEjectionRelationsPhysicalDevice;
 923 |     PVOID           pfnWdfPdoRemoveEjectionRelationsPhysicalDevice;
 924 |     PVOID                   pfnWdfPdoClearEjectionRelationsDevices;
 925 |     PVOID                            pfnWdfDeviceAddQueryInterface;
 926 |     PVOID                                    pfnWdfRegistryOpenKey;
 927 |     PVOID                                  pfnWdfRegistryCreateKey;
 928 |     PVOID                                      pfnWdfRegistryClose;
 929 |     PVOID                               pfnWdfRegistryWdmGetHandle;
 930 |     PVOID                                  pfnWdfRegistryRemoveKey;
 931 |     PVOID                                pfnWdfRegistryRemoveValue;
 932 |     PVOID                                 pfnWdfRegistryQueryValue;
 933 |     PVOID                                pfnWdfRegistryQueryMemory;
 934 |     PVOID                           pfnWdfRegistryQueryMultiString;
 935 |     PVOID                         pfnWdfRegistryQueryUnicodeString;
 936 |     PVOID                                pfnWdfRegistryQueryString;
 937 |     PVOID                                 pfnWdfRegistryQueryULong;
 938 |     PVOID                                pfnWdfRegistryAssignValue;
 939 |     PVOID                               pfnWdfRegistryAssignMemory;
 940 |     PVOID                          pfnWdfRegistryAssignMultiString;
 941 |     PVOID                        pfnWdfRegistryAssignUnicodeString;
 942 |     PVOID                               pfnWdfRegistryAssignString;
 943 |     PVOID                                pfnWdfRegistryAssignULong;
 944 |     PVOID                                      pfnWdfRequestCreate;
 945 |     PVOID                               pfnWdfRequestCreateFromIrp;
 946 |     PVOID                                       pfnWdfRequestReuse;
 947 |     PVOID                                pfnWdfRequestChangeTarget;
 948 |     PVOID               pfnWdfRequestFormatRequestUsingCurrentType;
 949 |     PVOID                 pfnWdfRequestWdmFormatUsingStackLocation;
 950 |     PVOID                                        pfnWdfRequestSend;
 951 |     PVOID                                   pfnWdfRequestGetStatus;
 952 |     PVOID                              pfnWdfRequestMarkCancelable;
 953 |     PVOID                            pfnWdfRequestUnmarkCancelable;
 954 |     PVOID                                  pfnWdfRequestIsCanceled;
 955 |     PVOID                           pfnWdfRequestCancelSentRequest;
 956 |     PVOID                          pfnWdfRequestIsFrom32BitProcess;
 957 |     PVOID                        pfnWdfRequestSetCompletionRoutine;
 958 |     PVOID                         pfnWdfRequestGetCompletionParams;
 959 |     PVOID                               pfnWdfRequestAllocateTimer;
 960 |     PVOID                                    pfnWdfRequestComplete;
 961 |     PVOID                   pfnWdfRequestCompleteWithPriorityBoost;
 962 |     PVOID                     pfnWdfRequestCompleteWithInformation;
 963 |     PVOID                               pfnWdfRequestGetParameters;
 964 |     PVOID                         pfnWdfRequestRetrieveInputMemory;
 965 |     PVOID                        pfnWdfRequestRetrieveOutputMemory;
 966 |     PVOID                         pfnWdfRequestRetrieveInputBuffer;
 967 |     PVOID                        pfnWdfRequestRetrieveOutputBuffer;
 968 |     PVOID                         pfnWdfRequestRetrieveInputWdmMdl;
 969 |     PVOID                        pfnWdfRequestRetrieveOutputWdmMdl;
 970 |     PVOID               pfnWdfRequestRetrieveUnsafeUserInputBuffer;
 971 |     PVOID              pfnWdfRequestRetrieveUnsafeUserOutputBuffer;
 972 |     PVOID                              pfnWdfRequestSetInformation;
 973 |     PVOID                              pfnWdfRequestGetInformation;
 974 |     PVOID                               pfnWdfRequestGetFileObject;
 975 |     PVOID               pfnWdfRequestProbeAndLockUserBufferForRead;
 976 |     PVOID              pfnWdfRequestProbeAndLockUserBufferForWrite;
 977 |     PVOID                            pfnWdfRequestGetRequestorMode;
 978 |     PVOID                            pfnWdfRequestForwardToIoQueue;
 979 |     PVOID                                  pfnWdfRequestGetIoQueue;
 980 |     PVOID                                     pfnWdfRequestRequeue;
 981 |     PVOID                             pfnWdfRequestStopAcknowledge;
 982 |     PVOID                                   pfnWdfRequestWdmGetIrp;
 983 |     PVOID            pfnWdfIoResourceRequirementsListSetSlotNumber;
 984 |     PVOID         pfnWdfIoResourceRequirementsListSetInterfaceType;
 985 |     PVOID          pfnWdfIoResourceRequirementsListAppendIoResList;
 986 |     PVOID          pfnWdfIoResourceRequirementsListInsertIoResList;
 987 |     PVOID                 pfnWdfIoResourceRequirementsListGetCount;
 988 |     PVOID             pfnWdfIoResourceRequirementsListGetIoResList;
 989 |     PVOID                   pfnWdfIoResourceRequirementsListRemove;
 990 |     PVOID        pfnWdfIoResourceRequirementsListRemoveByIoResList;
 991 |     PVOID                               pfnWdfIoResourceListCreate;
 992 |     PVOID                     pfnWdfIoResourceListAppendDescriptor;
 993 |     PVOID                     pfnWdfIoResourceListInsertDescriptor;
 994 |     PVOID                     pfnWdfIoResourceListUpdateDescriptor;
 995 |     PVOID                             pfnWdfIoResourceListGetCount;
 996 |     PVOID                        pfnWdfIoResourceListGetDescriptor;
 997 |     PVOID                               pfnWdfIoResourceListRemove;
 998 |     PVOID                   pfnWdfIoResourceListRemoveByDescriptor;
 999 |     PVOID                     pfnWdfCmResourceListAppendDescriptor;
1000 |     PVOID                     pfnWdfCmResourceListInsertDescriptor;
1001 |     PVOID                             pfnWdfCmResourceListGetCount;
1002 |     PVOID                        pfnWdfCmResourceListGetDescriptor;
1003 |     PVOID                               pfnWdfCmResourceListRemove;
1004 |     PVOID                   pfnWdfCmResourceListRemoveByDescriptor;
1005 |     PVOID                                       pfnWdfStringCreate;
1006 |     PVOID                             pfnWdfStringGetUnicodeString;
1007 |     PVOID                                  pfnWdfObjectAcquireLock;
1008 |     PVOID                                  pfnWdfObjectReleaseLock;
1009 |     PVOID                                     pfnWdfWaitLockCreate;
1010 |     PVOID                                    pfnWdfWaitLockAcquire;
1011 |     PVOID                                    pfnWdfWaitLockRelease;
1012 |     PVOID                                     pfnWdfSpinLockCreate;
1013 |     PVOID                                    pfnWdfSpinLockAcquire;
1014 |     PVOID                                    pfnWdfSpinLockRelease;
1015 |     PVOID                                        pfnWdfTimerCreate;
1016 |     PVOID                                         pfnWdfTimerStart;
1017 |     PVOID                                          pfnWdfTimerStop;
1018 |     PVOID                               pfnWdfTimerGetParentObject;
1019 |     PVOID                              pfnWdfUsbTargetDeviceCreate;
1020 |     PVOID                 pfnWdfUsbTargetDeviceRetrieveInformation;
1021 |     PVOID                 pfnWdfUsbTargetDeviceGetDeviceDescriptor;
1022 |     PVOID            pfnWdfUsbTargetDeviceRetrieveConfigDescriptor;
1023 |     PVOID                         pfnWdfUsbTargetDeviceQueryString;
1024 |     PVOID                 pfnWdfUsbTargetDeviceAllocAndQueryString;
1025 |     PVOID              pfnWdfUsbTargetDeviceFormatRequestForString;
1026 |     PVOID                    pfnWdfUsbTargetDeviceGetNumInterfaces;
1027 |     PVOID                        pfnWdfUsbTargetDeviceSelectConfig;
1028 |     PVOID           pfnWdfUsbTargetDeviceWdmGetConfigurationHandle;
1029 |     PVOID          pfnWdfUsbTargetDeviceRetrieveCurrentFrameNumber;
1030 |     PVOID    pfnWdfUsbTargetDeviceSendControlTransferSynchronously;
1031 |     PVOID     pfnWdfUsbTargetDeviceFormatRequestForControlTransfer;
1032 |     PVOID              pfnWdfUsbTargetDeviceIsConnectedSynchronous;
1033 |     PVOID              pfnWdfUsbTargetDeviceResetPortSynchronously;
1034 |     PVOID              pfnWdfUsbTargetDeviceCyclePortSynchronously;
1035 |     PVOID           pfnWdfUsbTargetDeviceFormatRequestForCyclePort;
1036 |     PVOID                pfnWdfUsbTargetDeviceSendUrbSynchronously;
1037 |     PVOID                 pfnWdfUsbTargetDeviceFormatRequestForUrb;
1038 |     PVOID                        pfnWdfUsbTargetPipeGetInformation;
1039 |     PVOID                          pfnWdfUsbTargetPipeIsInEndpoint;
1040 |     PVOID                         pfnWdfUsbTargetPipeIsOutEndpoint;
1041 |     PVOID                               pfnWdfUsbTargetPipeGetType;
1042 |     PVOID           pfnWdfUsbTargetPipeSetNoMaximumPacketSizeCheck;
1043 |     PVOID                    pfnWdfUsbTargetPipeWriteSynchronously;
1044 |     PVOID                 pfnWdfUsbTargetPipeFormatRequestForWrite;
1045 |     PVOID                     pfnWdfUsbTargetPipeReadSynchronously;
1046 |     PVOID                  pfnWdfUsbTargetPipeFormatRequestForRead;
1047 |     PVOID                pfnWdfUsbTargetPipeConfigContinuousReader;
1048 |     PVOID                    pfnWdfUsbTargetPipeAbortSynchronously;
1049 |     PVOID                 pfnWdfUsbTargetPipeFormatRequestForAbort;
1050 |     PVOID                    pfnWdfUsbTargetPipeResetSynchronously;
1051 |     PVOID                 pfnWdfUsbTargetPipeFormatRequestForReset;
1052 |     PVOID                  pfnWdfUsbTargetPipeSendUrbSynchronously;
1053 |     PVOID                   pfnWdfUsbTargetPipeFormatRequestForUrb;
1054 |     PVOID                     pfnWdfUsbInterfaceGetInterfaceNumber;
1055 |     PVOID                        pfnWdfUsbInterfaceGetNumEndpoints;
1056 |     PVOID                          pfnWdfUsbInterfaceGetDescriptor;
1057 |     PVOID                          pfnWdfUsbInterfaceSelectSetting;
1058 |     PVOID                 pfnWdfUsbInterfaceGetEndpointInformation;
1059 |     PVOID                        pfnWdfUsbTargetDeviceGetInterface;
1060 |     PVOID              pfnWdfUsbInterfaceGetConfiguredSettingIndex;
1061 |     PVOID                  pfnWdfUsbInterfaceGetNumConfiguredPipes;
1062 |     PVOID                      pfnWdfUsbInterfaceGetConfiguredPipe;
1063 |     PVOID                      pfnWdfUsbTargetPipeWdmGetPipeHandle;
1064 |     PVOID                              pfnWdfVerifierDbgBreakPoint;
1065 |     PVOID                                 pfnWdfVerifierKeBugCheck;
1066 |     PVOID                                  pfnWdfWmiProviderCreate;
1067 |     PVOID                               pfnWdfWmiProviderGetDevice;
1068 |     PVOID                               pfnWdfWmiProviderIsEnabled;
1069 |     PVOID                        pfnWdfWmiProviderGetTracingHandle;
1070 | } WDFFUNCTIONS, *PWDFFUNCTIONS;
1071 | 
1072 | 
1073 | #define FILE_DEVICE_8042_PORT           0x00000027
1074 | #define FILE_DEVICE_ACPI                0x00000032
1075 | #define FILE_DEVICE_BATTERY             0x00000029
1076 | #define FILE_DEVICE_BEEP                0x00000001
1077 | #define FILE_DEVICE_BUS_EXTENDER        0x0000002a
1078 | #define FILE_DEVICE_CD_ROM              0x00000002
1079 | #define FILE_DEVICE_CD_ROM_FILE_SYSTEM  0x00000003
1080 | #define FILE_DEVICE_CHANGER             0x00000030
1081 | #define FILE_DEVICE_CONTROLLER          0x00000004
1082 | #define FILE_DEVICE_DATALINK            0x00000005
1083 | #define FILE_DEVICE_DFS                 0x00000006
1084 | #define FILE_DEVICE_DFS_FILE_SYSTEM     0x00000035
1085 | #define FILE_DEVICE_DFS_VOLUME          0x00000036
1086 | #define FILE_DEVICE_DISK                0x00000007
1087 | #define FILE_DEVICE_DISK_FILE_SYSTEM    0x00000008
1088 | #define FILE_DEVICE_DVD                 0x00000033
1089 | #define FILE_DEVICE_FILE_SYSTEM         0x00000009
1090 | #define FILE_DEVICE_FIPS                0x0000003a
1091 | #define FILE_DEVICE_FULLSCREEN_VIDEO    0x00000034
1092 | #define FILE_DEVICE_INPORT_PORT         0x0000000a
1093 | #define FILE_DEVICE_KEYBOARD            0x0000000b
1094 | #define FILE_DEVICE_KS                  0x0000002f
1095 | #define FILE_DEVICE_KSEC                0x00000039
1096 | #define FILE_DEVICE_MAILSLOT            0x0000000c
1097 | #define FILE_DEVICE_MASS_STORAGE        0x0000002d
1098 | #define FILE_DEVICE_MIDI_IN             0x0000000d
1099 | #define FILE_DEVICE_MIDI_OUT            0x0000000e
1100 | #define FILE_DEVICE_MODEM               0x0000002b
1101 | #define FILE_DEVICE_MOUSE               0x0000000f
1102 | #define FILE_DEVICE_MULTI_UNC_PROVIDER  0x00000010
1103 | #define FILE_DEVICE_NAMED_PIPE          0x00000011
1104 | #define FILE_DEVICE_NETWORK             0x00000012
1105 | #define FILE_DEVICE_NETWORK_BROWSER     0x00000013
1106 | #define FILE_DEVICE_NETWORK_FILE_SYSTEM 0x00000014
1107 | #define FILE_DEVICE_NETWORK_REDIRECTOR  0x00000028
1108 | #define FILE_DEVICE_NULL                0x00000015
1109 | #define FILE_DEVICE_PARALLEL_PORT       0x00000016
1110 | #define FILE_DEVICE_PHYSICAL_NETCARD    0x00000017
1111 | #define FILE_DEVICE_PRINTER             0x00000018
1112 | #define FILE_DEVICE_SCANNER             0x00000019
1113 | #define FILE_DEVICE_SCREEN              0x0000001c
1114 | #define FILE_DEVICE_SERENUM             0x00000037
1115 | #define FILE_DEVICE_SERIAL_MOUSE_PORT   0x0000001a
1116 | #define FILE_DEVICE_SERIAL_PORT         0x0000001b
1117 | #define FILE_DEVICE_SMARTCARD           0x00000031
1118 | #define FILE_DEVICE_SMB                 0x0000002e
1119 | #define FILE_DEVICE_SOUND               0x0000001d
1120 | #define FILE_DEVICE_STREAMS             0x0000001e
1121 | #define FILE_DEVICE_TAPE                0x0000001f
1122 | #define FILE_DEVICE_TAPE_FILE_SYSTEM    0x00000020
1123 | #define FILE_DEVICE_TERMSRV             0x00000038
1124 | #define FILE_DEVICE_TRANSPORT           0x00000021
1125 | #define FILE_DEVICE_UNKNOWN             0x00000022
1126 | #define FILE_DEVICE_VDM                 0x0000002c
1127 | #define FILE_DEVICE_VIDEO               0x00000023
1128 | #define FILE_DEVICE_VIRTUAL_DISK        0x00000024
1129 | #define FILE_DEVICE_WAVE_IN             0x00000025
1130 | #define FILE_DEVICE_WAVE_OUT            0x00000026


--------------------------------------------------------------------------------
/code/kmdf_re_ida_68.py:
--------------------------------------------------------------------------------
  1 | #https://zairon.wordpress.com/2008/02/15/idc-script-and-stack-frame-variables-length/
  2 | 
  3 | import idautils
  4 | import idaapi
  5 | import idc
  6 | import struct
  7 | 
  8 | g_vars = {} # Global variables
  9 | g_functions_stack = set() # Keep track of function addresses whose stack members were erased
 10 | 
 11 | OFFSET_WdfControlDeviceInitAllocate = 0xC8
 12 | OFFSET_WdfDeviceInitSetIoIncallerContextCallback = 0x250
 13 | OFFSET_WdfDeviceCreateDeviceInterface = 0x268
 14 | OFFSET_WdfDeviceCreateSymbolicLink = 0x280
 15 | OFFSET_WdfDriverCreate = 0x3a0
 16 | OFFSET_WdfIoQueueCreate = 0x4c0
 17 | OFFSET_WdfRequestRetrieveInputMemory = 0x858
 18 | OFFSET_WdfRequestRetrieveOutputMemory = 0x860
 19 | OFFSET_WdfRequestRetrieveInputBuffer = 0x868
 20 | OFFSET_WdfRequestRetrieveOutputBuffer = 0x870
 21 | OFFSET_WdfRequestRetrieveInputWdmMdl = 0x878
 22 | OFFSET_WdfRequestRetrieveOutputWdmMdl = 0x880
 23 | OFFSET_WdfRequestRetrieveUnsafeUserInputBuffer = 0x888
 24 | OFFSET_WdfRequestRetrieveUnsafeUserOutputBuffer = 0x890
 25 | 
 26 | 
 27 | def print_guid(guid):
 28 |     data = "GUID("
 29 |     part1 = struct.unpack("<I", guid[0:4])[0]
 30 |     data += "{:#08x},".format(part1)
 31 |     part2 = struct.unpack("<H", guid[4:6])[0]
 32 |     data += "{:#04x},".format(part2)
 33 |     part3 = struct.unpack("<H", guid[6:8])[0]
 34 |     data += "{:#04x},".format(part3)
 35 |     data += ",".join(["{:#02x}".format(ord(_)) for _ in guid[8:]])
 36 |     data += ")"
 37 |     print data
 38 | 
 39 | def function_stack_erased(func_ea):
 40 |     if func_ea.startEA in g_functions_stack:
 41 |         return True
 42 |     return False
 43 | 
 44 | def delete_all_function_stack_members(func_ea, force=False):
 45 |     if g_vars["ERASE_STACK_MEMBERS"] or force:
 46 |         members, base = retrieve_stack_members(func_ea)
 47 |         stack_id = idc.GetFrame(func_ea)
 48 |         for k, v in members.items():
 49 |             if k != base and "arg_" not in v:
 50 |                 idc.DelStrucMember(stack_id, k)
 51 |         g_functions_stack.add(func_ea.startEA)
 52 | 
 53 | 
 54 | # https://gist.github.com/nirizr/fe0ce9948b3db05555da42bbfe0e5a1e
 55 | def retrieve_stack_members(func_ea):
 56 |     members = {}
 57 |     base = None
 58 |     frame = idc.GetFrame(func_ea)
 59 |     for frame_member in idautils.StructMembers(frame):
 60 |         member_offset, member_name, _ = frame_member
 61 |         members[member_offset] = member_name
 62 |         if member_name == ' r':
 63 |             base = member_offset
 64 |     if not base:
 65 |         raise ValueError("Failed identifying the stack's base address using the return address hidden stack member")
 66 |     return members, base
 67 | 
 68 | 
 69 | 
 70 | def get_struct_idx(name):
 71 |     for idx in range(1, idc.GetMaxLocalType()):
 72 |         if name == idc.GetLocalTypeName(idx):
 73 |             return idx
 74 |     return None
 75 | 
 76 | def get_Tinfo_from_name(name):
 77 |     target_idx = 0
 78 |     for idx in range(1, idc.GetMaxLocalType()):
 79 |         if name in idc.GetLocalTypeName(idx):
 80 |             target_idx = idx
 81 |             break
 82 |     if target_idx != 0:
 83 |         #idc.GetLocalType(target_idx,0)
 84 |         return idc.GetLocalTinfo(target_idx)
 85 |     return None
 86 | 
 87 | def get_type_from_name(name):
 88 |     target_idx = 0
 89 |     for idx in range(1, idc.GetMaxLocalType()):
 90 |         if name in idc.GetLocalTypeName(idx):
 91 |             target_idx = idx
 92 |             break
 93 |     if target_idx != 0:
 94 |         return idc.GetLocalType(target_idx, 0)
 95 |     return None
 96 | 
 97 | def get_local_type_idx(name):
 98 |     for idx in range(1, idc.GetMaxLocalType()):
 99 |         if name in idc.GetLocalTypeName(idx):
100 |             return idx
101 |     return None
102 | 
103 | def assign_struct_to_address(address, struct_name):
104 |     idc.ApplyType(address, get_Tinfo_from_name(struct_name))
105 |     struct_id = idaapi.get_struc_id(struct_name)
106 |     if struct_id != 0xffffffffffffffff:
107 |         struct_size = idaapi.get_struc_size(struct_id)
108 |         for i in range(struct_size):
109 |             idc.MakeUnkn(address+i, 0)
110 |         return idaapi.doStruct(address, struct_size, struct_id)
111 |     return False
112 | 
113 | def find_function_arg(addr, mnemonic, operand, idx_operand):
114 |     """
115 |     The function looks backwards to find an specific argument
116 |     :param addr: the address from which to start looking backwards
117 |     :param mnemonic: the instruction mnemonic that we're looking
118 |     :param operand: an operand to compare
119 |     :param idx_operand: the operand idx --> mov ebx, eax -> ebx = idx0; eax = idx1
120 |     :return: the address where the argument is being set
121 |     """
122 |     for _ in range(20): # looks up to 20 instructions behind
123 |         addr = idc.PrevHead(addr)
124 |         if idc.GetMnem(addr) == mnemonic and idc.GetOpnd(addr, idx_operand) == operand:
125 |             return addr
126 |     return None
127 | 
128 | def find_function_arg_with_operand_value(addr, mnemonic, register, value, idx_operand):
129 |     """
130 |     00000000000167FC mov     [rsp+20h], rax
131 |     idc.GetOperandValue(0x167FC, 0) ==> 0x20
132 |     """
133 | 
134 |     for _ in range(20): # looks up to 20 instructions behind
135 |         addr = idc.PrevHead(addr)
136 |         if idc.GetMnem(addr) == mnemonic and register in idc.GetOpnd(addr, idx_operand)\
137 |                 and idc.GetOperandValue(addr, idx_operand) == value:
138 |             return addr
139 |     return None
140 | 
141 | 
142 | def find_wdf_callback_through_immediate(mnemonic, operand, val):
143 |     for i in range(10):
144 |         addr, operand_ = idc.FindImmediate(idc.MinEA(), idc.SEARCH_DOWN|idc.SEARCH_NEXT, val)
145 |         if addr != idc.BADADDR:
146 |             #print hex(addr), idc.GetDisasm(addr), "Operand ", operand_
147 |             if operand_ == operand and idc.GetMnem(addr) == mnemonic:
148 |                 return addr
149 |         else:
150 |             break
151 |     return None
152 | 
153 | """
154 |     There are three cases:
155 |     1) The driver calls the WDF Function using the WDFFUNCTION struct directly
156 |             INIT:000000000000A129 call    Wdffunctions.pfnWdfCreateDriver
157 | 
158 |      2) The driver calls the WDF Function in an indirect way
159 |             000000000000A106 mov     rax, cs:WdfFunctions_01015
160 |             INIT:000000000000A122 mov     rax, [rax+3A0h]
161 |             INIT:000000000000A129 call    cs:__guard_dispatch_icall
162 | 
163 |     3)  000000000002A50B mov     rax, cs:WDFFUNCTIONS
164 |         000000000002A528 call    qword ptr [rax+268h]
165 | """
166 | def list_xref_to_wdf_callback(function_offset):
167 |     calls_to_pfn_list = []
168 |     try:
169 |         for xref in idautils.XrefsTo(g_vars["_WDFFUNCTIONS"]+function_offset):
170 |             calls_to_pfn_list.append(xref.frm)
171 |     except StopIteration:
172 |         # this is case 2 or 3
173 |         pass
174 |     if len(calls_to_pfn_list) == 0:
175 |         call_pfn = find_wdf_callback_through_immediate("call", 0, function_offset)
176 |         if call_pfn != None:
177 |             calls_to_pfn_list.append(call_pfn)
178 |     if len(calls_to_pfn_list) == 0:
179 |         call_pfn = find_wdf_callback_through_immediate("mov", 1,function_offset)
180 |         if call_pfn != None:
181 |             calls_to_pfn_list.append(call_pfn)
182 |     return calls_to_pfn_list
183 | 
184 | 
185 | 
186 | def find_WdfDeviceInitSetIoInCallerContextCallback():
187 |     function_offset = OFFSET_WdfDeviceInitSetIoIncallerContextCallback
188 |     try:
189 |         call_pfn = idautils.XrefsTo(g_vars["_WDFFUNCTIONS"]+function_offset).next().frm
190 |     except StopIteration:
191 |         # this is case 2!
192 |         call_pfn = find_wdf_callback_through_immediate("mov", 1,function_offset)
193 |         if call_pfn is None:
194 |             call_pfn = find_wdf_callback_through_immediate("call", 0, function_offset)
195 | 
196 |     if call_pfn != None:
197 |         idc.OpStroffEx(call_pfn,0,(idaapi.get_struc_id("_WDFFUNCTIONS")),0)
198 |         lea_addr = find_function_arg(call_pfn, "lea", "r8", 0)
199 |         EvtWdfIoInCallerContext = idc.GetOperandValue(lea_addr, 1)
200 |         idc.MakeName(EvtWdfIoInCallerContext, 'EvtWdfIoInCallerContext')
201 | 
202 | 
203 | 
204 | def find_WdfDeviceCreateDeviceInterface():
205 |     function_offset = OFFSET_WdfDeviceCreateDeviceInterface
206 | 
207 |     calls_to_pfn_list = []
208 |     try:
209 |         for xref in idautils.XrefsTo(g_vars["_WDFFUNCTIONS"]+function_offset):
210 |             call_pfnWdfDeviceCreateDeviceInterface = xref.frm
211 |             calls_to_pfn_list.append(call_pfnWdfDeviceCreateDeviceInterface)
212 |     except StopIteration:
213 |         # this is case 2 or 3
214 |         pass
215 |     if len(calls_to_pfn_list) == 0:
216 |         call_pfnWdfDeviceCreateDeviceInterface = find_wdf_callback_through_immediate("call", 0, function_offset)
217 |         if call_pfnWdfDeviceCreateDeviceInterface:
218 |             calls_to_pfn_list.append(call_pfnWdfDeviceCreateDeviceInterface)
219 |             idc.OpStroffEx(call_pfnWdfDeviceCreateDeviceInterface,0,(idaapi.get_struc_id("_WDFFUNCTIONS")),0)
220 | 
221 |     if len(calls_to_pfn_list) == 0:
222 |         call_pfnWdfDeviceCreateDeviceInterface = find_wdf_callback_through_immediate("mov", 1,function_offset)
223 |         if call_pfnWdfDeviceCreateDeviceInterface:
224 |             calls_to_pfn_list.append(call_pfnWdfDeviceCreateDeviceInterface)
225 |             idc.OpStroffEx(call_pfnWdfDeviceCreateDeviceInterface,1,(idaapi.get_struc_id("_WDFFUNCTIONS")),0)
226 | 
227 |     for k, pfn_call in enumerate(calls_to_pfn_list):
228 |         lea_guid = find_function_arg(pfn_call, "lea", "r8", 0)
229 |         interface_guid = idc.GetOperandValue(lea_guid, 1)
230 |         idc.MakeName(interface_guid, '_InterfaceGUID' + str(k))
231 |         assign_struct_to_address(interface_guid, "GUID")
232 |         g_vars["_InterfaceGUID" + str(k)] = interface_guid
233 |         print("_InterfaceGUID: ", hex(interface_guid))
234 |         guid_bytes = idc.GetManyBytes(interface_guid, 0x10)
235 |         print_guid(guid_bytes)
236 | 
237 | 
238 | def find_WdfDriverCreate():
239 |     function_offset = OFFSET_WdfDriverCreate
240 | 
241 |     # If the XREF to wdfFunctions + function_offset exists.. then we're in case 1!
242 |     try:
243 |         call_pfnWdfDriverCreate = idautils.XrefsTo(g_vars["_WDFFUNCTIONS"]+function_offset).next().frm
244 |     except StopIteration:
245 |         # this is case 2!
246 |         call_pfnWdfDriverCreate = find_wdf_callback_through_immediate("mov", 1,function_offset)
247 |         if call_pfnWdfDriverCreate != None:
248 |             idc.OpStroffEx(call_pfnWdfDriverCreate,1,(idaapi.get_struc_id("_WDFFUNCTIONS")),0)
249 |         else:
250 |             call_pfnWdfDriverCreate = find_wdf_callback_through_immediate("call", 0, function_offset)
251 |             idc.OpStroffEx(call_pfnWdfDriverCreate,0,(idaapi.get_struc_id("_WDFFUNCTIONS")),0)
252 | 
253 |     if call_pfnWdfDriverCreate != None:
254 |         # First identify the RealDriverEntry :)
255 |         current_func = idaapi.get_func(call_pfnWdfDriverCreate)
256 |         idc.MakeName(current_func.startEA, "_DriverEntry_")
257 | 
258 |         argument_DriverConfig_addr = find_function_arg_with_operand_value(call_pfnWdfDriverCreate, "mov", "rsp", 0x20, 0)
259 |         register_DriverConfig = idc.GetOpnd(argument_DriverConfig_addr, 1)
260 |         lea_DriverConfig_addr = find_function_arg(argument_DriverConfig_addr, "lea", register_DriverConfig, 0)
261 | 
262 |         # Get stack and the stack operand offset
263 |         current_func = idaapi.get_func(lea_DriverConfig_addr)
264 |         stack_id = idc.GetFrame(current_func)
265 |         opnd = idc.GetOpnd(lea_DriverConfig_addr, 1)
266 |         if "rsp" in opnd:
267 |             stack_member_offset = idc.GetOperandValue(lea_DriverConfig_addr, 1)
268 |         elif "rbp" in opnd:
269 |             var_x = opnd.split("+")[-1][:-1] # [rbp+57h+var_80] -> var_80
270 |             members, _ = retrieve_stack_members(current_func)
271 |             inverted_members = {v:k for k, v in members.items()}
272 |             try:
273 |                 stack_member_offset = inverted_members[var_x]
274 |             except KeyError as msg:
275 |                 print msg
276 |                 return
277 | 
278 |         else:
279 |             print("+] WdfDriverCreate() Unidentified register stack layout")
280 |             return
281 | 
282 |         #idc.SetMemberName(stack_id, stack_member_offset, "_DriverConfig")
283 |         struct_id = idaapi.get_struc_id("_WDF_DRIVER_CONFIG")
284 |         struct_size = idc.GetStrucSize(struct_id)
285 | 
286 |         # First check if we have already touch this function stack before
287 |         #if function_stack_erased(current_func):
288 |             # need to take care of the already defined structs
289 |         #    pass
290 |         #else:
291 |         delete_all_function_stack_members(current_func, force=True)
292 |         idc.AddStrucMember(stack_id, "driver_config",
293 |                            stack_member_offset, idc.FF_BYTE|idc.FF_DATA,
294 |                            -1, struct_size)
295 |         idc.SetMemberType(stack_id, stack_member_offset, idc.FF_STRU|idc.FF_DATA, struct_id, 1)
296 | 
297 | 
298 | def find_WdfIoQueueCreate():
299 |     function_offset = OFFSET_WdfIoQueueCreate
300 | 
301 |     calls_to_pfn_list = []
302 |     try:
303 |         for xref in idautils.XrefsTo(g_vars["_WDFFUNCTIONS"]+function_offset):
304 |             call_pfnWdfIoQueueCreate = xref.frm
305 |             calls_to_pfn_list.append(call_pfnWdfIoQueueCreate)
306 |     except StopIteration:
307 |         # this is case 2 or 3
308 |         pass
309 |     if len(calls_to_pfn_list) == 0:
310 |         call_pfnWdfIoQueueCreate = find_wdf_callback_through_immediate("call", 0, function_offset)
311 |         if call_pfnWdfIoQueueCreate:
312 |             calls_to_pfn_list.append(call_pfnWdfIoQueueCreate)
313 |             idc.OpStroffEx(call_pfnWdfIoQueueCreate,0,(idaapi.get_struc_id("_WDFFUNCTIONS")),0)
314 | 
315 |     if len(calls_to_pfn_list) == 0:
316 |         call_pfnWdfIoQueueCreate = find_wdf_callback_through_immediate("mov", 1,function_offset)
317 |         if call_pfnWdfIoQueueCreate:
318 |             calls_to_pfn_list.append(call_pfnWdfIoQueueCreate)
319 |             idc.OpStroffEx(call_pfnWdfIoQueueCreate,1,(idaapi.get_struc_id("_WDFFUNCTIONS")),0)
320 | 
321 |     for pfn_call in calls_to_pfn_list:
322 |         lea_argument_addr = find_function_arg(pfn_call, "lea", "r8", 0)
323 | 
324 |         # Get stack and the stack operand offset
325 |         current_func = idaapi.get_func(lea_argument_addr)
326 |         stack_id = idc.GetFrame(current_func)
327 |         stack_member_offset = idc.GetOperandValue(lea_argument_addr, 1)
328 | 
329 |         struct_id = idaapi.get_struc_id("_WDF_IO_QUEUE_CONFIG")
330 |         struct_size = idc.GetStrucSize(struct_id)
331 | 
332 |         # First check if we have already touch this function stack before
333 |         if function_stack_erased(current_func):
334 |             # need to take care of the already defined structs
335 |             # If the arguments collide then this will fail
336 |             pass
337 |         else:
338 |             delete_all_function_stack_members(current_func)
339 |             print("Erased the stack members")
340 | 
341 |         idc.AddStrucMember(stack_id, "queue_config",
342 |                            stack_member_offset, idc.FF_BYTE|idc.FF_DATA,
343 |                            -1, struct_size)
344 |         idc.SetMemberType(stack_id, stack_member_offset, idc.FF_STRU|idc.FF_DATA, struct_id, 1)
345 |         print("IOQueue Creation at: " + hex(pfn_call))
346 | 
347 | 
348 | def find_WdfControlDeviceInitAllocate():
349 |     function_offset = OFFSET_WdfControlDeviceInitAllocate
350 |     call_pfn = None
351 |     try:
352 |         for xref in idautils.XrefsTo(g_vars["_WDFFUNCTIONS"]+function_offset):
353 |             call_pfn = xref.frm
354 |     except StopIteration:
355 |         # this is case 2 or 3
356 |         pass
357 |     if call_pfn is None:
358 |         call_pfn = find_wdf_callback_through_immediate("call", 0, function_offset)
359 |         if call_pfn:
360 |             idc.OpStroffEx(call_pfn,0,(idaapi.get_struc_id("_WDFFUNCTIONS")),0)
361 | 
362 |     if call_pfn is None:
363 |         call_pfn = find_wdf_callback_through_immediate("mov", 1,function_offset)
364 |         if call_pfn:
365 |             idc.OpStroffEx(call_pfn,1,(idaapi.get_struc_id("_WDFFUNCTIONS")),0)
366 | 
367 |     lea_sddl = find_function_arg(call_pfn, "lea", "r8", 0)
368 |     unicode_sddl = idc.GetOperandValue(lea_sddl, 1)
369 |     idc.MakeName(unicode_sddl, 'control_device_sddl')
370 |     assign_struct_to_address(unicode_sddl, "_UNICODE_STRING")
371 |     print("Control Device SDDL at: ", hex(unicode_sddl))
372 | 
373 | 
374 | 
375 | def assign_kmdf_structure_types(address):
376 |     # Get the jmp to de import
377 |     jmp_import_ea = idautils.XrefsTo(address).next().frm
378 |     # There is only one XREF to WdfVersionBind
379 |     call_wdfVersionBind = idautils.XrefsTo(jmp_import_ea).next().frm
380 |     print(hex(call_wdfVersionBind))
381 |     argument_WdfBindInfo = find_function_arg(call_wdfVersionBind, "lea", "r8", 0)
382 |     if argument_WdfBindInfo is None:
383 |         print("Error: Argument WdfBindInfo wasn't found!")
384 |         return
385 |     wdfBindInfo = idc.GetOperandValue(argument_WdfBindInfo, 1)
386 |     idc.MakeName(wdfBindInfo, '_WdfBindInfo')
387 |     print("WdfBindInfo Struct: ", hex(wdfBindInfo))
388 |     if not assign_struct_to_address(wdfBindInfo, "_WDF_BIND_INFO"):
389 |         print("The _WDF_BIND_INFO struct wasn't found in the database")
390 |         return
391 |     g_vars["_WDF_BIND_INFO"] = wdfBindInfo
392 | 
393 |     # Assign ComponentGlobals Name
394 |     argument_WdfComponentGlobals = find_function_arg(call_wdfVersionBind, "lea", "r9", 0)
395 |     wdfComponentGlobals = idc.GetOperandValue(argument_WdfComponentGlobals, 1)
396 |     g_vars["_WDF_COMPONENT_GLOBALS"] = wdfComponentGlobals
397 |     idc.MakeName(wdfComponentGlobals, '_WdfComponentGlobals')
398 | 
399 |     # Now assign the WDFFUNCTIONS to FuncTable
400 |     wdfFunctions = idc.Qword(wdfBindInfo+0x20)
401 |     g_vars["_WDFFUNCTIONS"] = wdfFunctions
402 |     assign_struct_to_address(wdfFunctions, "_WDFFUNCTIONS")
403 |     idc.MakeName(wdfFunctions, 'g_WdfF_Functions')
404 |     #if not assign_struct_to_address(wdfFunctions, "_WDFFUNCTIONS"):
405 |     #    print("The _WDFFUNCTIONS struct wasn't found in the database")
406 |     #    return
407 | 
408 | 
409 | 
410 | # Callback to get the EA of WdfVersionBind
411 | def imp_cb(ea, name, ord):
412 |     if not name:
413 |         print("%08x: ord#%d" % (ea, ord))
414 |     else:
415 |         print("%08x: %s (ord#%d)" % (ea, name, ord))
416 |     if name == "WdfVersionBind":
417 |         assign_kmdf_structure_types(ea)
418 |         return False
419 |     # True -> Continue enumeration
420 |     # False -> Stop enumeration
421 |     return True
422 | 
423 | ##############################################################################
424 | 
425 | def load_kmdf_types_into_idb():
426 |     header_path = idautils.GetIdbDir()
427 |     idaapi.idc_parse_types("".join([header_path, "WDFStructs.h"]), idc.PT_FILE)
428 |     for idx in range(1, idc.GetMaxLocalType()):
429 |         print(idx, idc.GetLocalTypeName(idx))
430 |         idc.Til2Idb(idx, idc.GetLocalTypeName(idx))
431 | 
432 | ##############################################################################
433 | 
434 | 
435 | ##############################################################################
436 | 
437 | load_kmdf_types_into_idb()
438 | for module_idx in range(idaapi.get_import_module_qty()):
439 |     if idaapi.get_import_module_name(module_idx) == "WDFLDR":
440 |         idaapi.enum_import_names(module_idx, imp_cb)
441 | 
442 | if len(list_xref_to_wdf_callback(OFFSET_WdfDeviceCreateDeviceInterface)) == 0:
443 |     print("The driver is not exposing any DeviceInterface")
444 | if len(list_xref_to_wdf_callback(OFFSET_WdfDeviceCreateSymbolicLink)) == 0:
445 |     print("The driver is not creating a Symbolic Link")
446 | if len(list_xref_to_wdf_callback(OFFSET_WdfIoQueueCreate)) == 0:
447 |     print("The driver is not creating an IOQueue")
448 | if len(list_xref_to_wdf_callback(OFFSET_WdfDeviceInitSetIoIncallerContextCallback)) == 0:
449 |     print("The driver is not setting an EvtInCallerContextCallback")
450 | for i in list_xref_to_wdf_callback(OFFSET_WdfRequestRetrieveInputMemory):
451 |     print "Call To WdfRequestRetrieveInputMemory: " + hex(i)
452 | for i in list_xref_to_wdf_callback(OFFSET_WdfRequestRetrieveOutputMemory):
453 |     print "Call To WdfRequestRetrieveOutputMemory: " + hex(i)
454 | for i in list_xref_to_wdf_callback(OFFSET_WdfRequestRetrieveInputBuffer):
455 |     print "Call To WdfRequestRetrieveInputBuffer: " + hex(i)
456 | for i in list_xref_to_wdf_callback(OFFSET_WdfRequestRetrieveOutputBuffer):
457 |     print "Call To WdfRequestRetrieveOutputBuffer: " + hex(i)
458 | for i in list_xref_to_wdf_callback(OFFSET_WdfRequestRetrieveInputWdmMdl):
459 |     print "Call To WdfRequestRetrieveInputWdmMdl: " + hex(i)
460 | for i in list_xref_to_wdf_callback(OFFSET_WdfRequestRetrieveOutputWdmMdl):
461 |     print "Call To WdfRequestRetrieveOutputWdmMdl: " + hex(i)
462 | for i in list_xref_to_wdf_callback(OFFSET_WdfRequestRetrieveUnsafeUserInputBuffer):
463 |     print "Call To WdfRequestRetrieveUnsafeUserInputBuffer: " + hex(i)
464 | for i in list_xref_to_wdf_callback(OFFSET_WdfRequestRetrieveUnsafeUserOutputBuffer):
465 |     print "Call To WdfRequestRetrieveUnsafeUserOutputBuffer: " + hex(i)
466 | 
467 | 
468 | def supress_exception(cb):
469 |     try:
470 |         cb()
471 |     except:
472 |         pass
473 | 
474 | g_vars["ERASE_STACK_MEMBERS"] = True
475 | 
476 | supress_exception(find_WdfDriverCreate)
477 | supress_exception(find_WdfIoQueueCreate)
478 | supress_exception(find_WdfDeviceInitSetIoInCallerContextCallback)
479 | supress_exception(find_WdfDeviceCreateDeviceInterface)
480 | supress_exception(find_WdfControlDeviceInitAllocate)
481 | 
482 | 
483 | 
484 | 
485 | 
486 | 
487 | 
488 | """
489 | # 00000000167ED lea     r8, [rbp+190h+var_170]
490 | 
491 | lea_addr = 0x167ED
492 | # Get the stack struct
493 | current_func = idaapi.get_func(lea_addr)
494 | stack_id = idc.GetFrame(current_func)
495 | stack_struc = idaapi.get_struc(stack_id)
496 | 
497 | # Get the stack operand offset value and stack member
498 | stack_member_offset = idc.GetOperandValue(lea_addr, 1)
499 | stack_member = stack_struc.get_member(stack_member_offset)
500 | 
501 | target_struct_id = idaapi.get_struc_id("_WDF_DRIVER_CONFIG")
502 | target_struc = idaapi.get_struc(target_struct_id )
503 | 
504 | idc.DelStrucMember(stack_id, stack_member_offset)
505 | AddStrucMember(stack_id, "driver_config", stack_member_offset, FF_BYTE|FF_DATA, -1, GetStrucSize(target_struct_id))
506 | idc.SetMemberType(stack_id, stack_member_offset, idc.FF_STRU|idc.FF_DATA, target_struct_id, 1)
507 | 
508 | 
509 | idc.SetMemberType(stack_id, stack_member_offset, idc.FF_BYTE|idc.FF_DATA, target_struct_id, 0x20)
510 | 
511 | set_member_tinfo(None, stack_struc ,stack_member ,0, target_struc, 0, 0)
512 | 
513 | 
514 | 
515 | tinfo = idaapi.tinfo_t()
516 | idaapi.parse_decl2(idaapi.cvar.idati, '_WDF_DRIVER_CONFIG;', '_WDF_DRIVER_CONFIG', tinfo, idaapi.PT_TYP)
517 | idaapi.set_member_tinfo2(stack_struc, stack_member, 0, tinfo, idaapi.SET_MEMTI_COMPATIBLE)
518 | 
519 | """


--------------------------------------------------------------------------------
/code/kmdf_re_ida_74.py:
--------------------------------------------------------------------------------
  1 | # Port by @M4x_1997
  2 | 
  3 | #https://zairon.wordpress.com/2008/02/15/idc-script-and-stack-frame-variables-length/
  4 | 
  5 | import idautils
  6 | import idaapi
  7 | import idc
  8 | import struct
  9 | import ida_bytes
 10 | import ida_search
 11 | import ida_ida
 12 | 
 13 | g_vars = {} # Global variables
 14 | g_functions_stack = set() # Keep track of function addresses whose stack members were erased
 15 | 
 16 | OFFSET_WdfControlDeviceInitAllocate = 0xC8
 17 | OFFSET_WdfDeviceInitSetIoIncallerContextCallback = 0x250
 18 | OFFSET_WdfDeviceCreateDeviceInterface = 0x268
 19 | OFFSET_WdfDeviceCreateSymbolicLink = 0x280
 20 | OFFSET_WdfDriverCreate = 0x3a0
 21 | OFFSET_WdfIoQueueCreate = 0x4c0
 22 | OFFSET_WdfRequestRetrieveInputMemory = 0x858
 23 | OFFSET_WdfRequestRetrieveOutputMemory = 0x860
 24 | OFFSET_WdfRequestRetrieveInputBuffer = 0x868
 25 | OFFSET_WdfRequestRetrieveOutputBuffer = 0x870
 26 | OFFSET_WdfRequestRetrieveInputWdmMdl = 0x878
 27 | OFFSET_WdfRequestRetrieveOutputWdmMdl = 0x880
 28 | OFFSET_WdfRequestRetrieveUnsafeUserInputBuffer = 0x888
 29 | OFFSET_WdfRequestRetrieveUnsafeUserOutputBuffer = 0x890
 30 | 
 31 | 
 32 | def print_guid(guid):
 33 |     data = "GUID("
 34 |     part1 = struct.unpack("<I", guid[0:4])[0]
 35 |     data += "{:#08x},".format(part1)
 36 |     part2 = struct.unpack("<H", guid[4:6])[0]
 37 |     data += "{:#04x},".format(part2)
 38 |     part3 = struct.unpack("<H", guid[6:8])[0]
 39 |     data += "{:#04x},".format(part3)
 40 |     data += ",".join(["{:#02x}".format(ord(_)) for _ in guid[8:]])
 41 |     data += ")"
 42 |     print(data)
 43 | 
 44 | def function_stack_erased(func_ea):
 45 |     if func_ea.startEA in g_functions_stack:
 46 |         return True
 47 |     return False
 48 | 
 49 | def delete_all_function_stack_members(func_ea, force=False):
 50 |     if g_vars["ERASE_STACK_MEMBERS"] or force:
 51 |         members, base = retrieve_stack_members(func_ea)
 52 |         stack_id = idc.GetFrame(func_ea)
 53 |         for k, v in members.items():
 54 |             if k != base and "arg_" not in v:
 55 |                 idc.DelStrucMember(stack_id, k)
 56 |         g_functions_stack.add(func_ea.startEA)
 57 | 
 58 | 
 59 | # https://gist.github.com/nirizr/fe0ce9948b3db05555da42bbfe0e5a1e
 60 | def retrieve_stack_members(func_ea):
 61 |     members = {}
 62 |     base = None
 63 |     frame = idc.GetFrame(func_ea)
 64 |     for frame_member in idautils.StructMembers(frame):
 65 |         member_offset, member_name, _ = frame_member
 66 |         members[member_offset] = member_name
 67 |         if member_name == ' r':
 68 |             base = member_offset
 69 |     if not base:
 70 |         raise ValueError("Failed identifying the stack's base address using the return address hidden stack member")
 71 |     return members, base
 72 | 
 73 | 
 74 | 
 75 | def get_struct_idx(name):
 76 |     for idx in range(1, idc.get_ordinal_qty()):
 77 |         if name == idc.get_numbered_type_name(idx):
 78 |             return idx
 79 |     return None
 80 | 
 81 | def get_Tinfo_from_name(name):
 82 |     target_idx = 0
 83 |     for idx in range(1, idc.get_ordinal_qty()):
 84 |         if name in idc.get_numbered_type_name(idx):
 85 |             target_idx = idx
 86 |             break
 87 |     if target_idx != 0:
 88 |         #idc.GetLocalType(target_idx,0)
 89 |         return idc.get_local_tinfo(target_idx)
 90 |     return None
 91 | 
 92 | def get_type_from_name(name):
 93 |     target_idx = 0
 94 |     for idx in range(1, idc.get_ordinal_qty()):
 95 |         if name in idc.get_numbered_type_name(idx):
 96 |             target_idx = idx
 97 |             break
 98 |     if target_idx != 0:
 99 |         return idc.GetLocalType(target_idx, 0)
100 |     return None
101 | 
102 | def get_local_type_idx(name):
103 |     for idx in range(1, idc.get_ordinal_qty()):
104 |         if name in idc.get_numbered_type_name(idx):
105 |             return idx
106 |     return None
107 | 
108 | def assign_struct_to_address(address, struct_name):
109 |     idc.apply_type(address, get_Tinfo_from_name(struct_name))
110 |     struct_id = idaapi.get_struc_id(struct_name)
111 |     if struct_id != 0xffffffffffffffff:
112 |         struct_size = idaapi.get_struc_size(struct_id)
113 |         for i in range(struct_size):
114 |             ida_bytes.del_items(address+i, 0)
115 |         return idaapi.create_struct(address, struct_size, struct_id)
116 |     return False
117 | 
118 | def find_function_arg(addr, mnemonic, operand, idx_operand):
119 |     """
120 |     The function looks backwards to find an specific argument
121 |     :param addr: the address from which to start looking backwards
122 |     :param mnemonic: the instruction mnemonic that we're looking
123 |     :param operand: an operand to compare
124 |     :param idx_operand: the operand idx --> mov ebx, eax -> ebx = idx0; eax = idx1
125 |     :return: the address where the argument is being set
126 |     """
127 |     for _ in range(20): # looks up to 20 instructions behind
128 |         addr = idc.prev_head(addr)
129 |         if idc.print_insn_mnem(addr) == mnemonic and idc.print_operand(addr, idx_operand) == operand:
130 |             return addr
131 |     return None
132 | 
133 | def find_function_arg_with_operand_value(addr, mnemonic, register, value, idx_operand):
134 |     """
135 |     00000000000167FC mov     [rsp+20h], rax
136 |     idc.get_operand_value(0x167FC, 0) ==> 0x20
137 |     """
138 | 
139 |     for _ in range(20): # looks up to 20 instructions behind
140 |         addr = idc.prev_head(addr)
141 |         if idc.print_insn_mnem(addr) == mnemonic and register in idc.print_operand(addr, idx_operand)\
142 |                 and idc.get_operand_value(addr, idx_operand) == value:
143 |             return addr
144 |     return None
145 | 
146 | 
147 | def find_wdf_callback_through_immediate(mnemonic, operand, val):
148 |     for i in range(10):
149 |         addr, operand_ = ida_search.find_imm(ida_ida.inf_get_min_ea(), idc.SEARCH_DOWN|idc.SEARCH_NEXT, val)
150 |         if addr != idc.BADADDR:
151 |             #print hex(addr), idc.GetDisasm(addr), "Operand ", operand_
152 |             if operand_ == operand and idc.print_insn_mnem(addr) == mnemonic:
153 |                 return addr
154 |         else:
155 |             break
156 |     return None
157 | 
158 | """
159 |     There are three cases:
160 |     1) The driver calls the WDF Function using the WDFFUNCTION struct directly
161 |             INIT:000000000000A129 call    Wdffunctions.pfnWdfCreateDriver
162 | 
163 |      2) The driver calls the WDF Function in an indirect way
164 |             000000000000A106 mov     rax, cs:WdfFunctions_01015
165 |             INIT:000000000000A122 mov     rax, [rax+3A0h]
166 |             INIT:000000000000A129 call    cs:__guard_dispatch_icall
167 | 
168 |     3)  000000000002A50B mov     rax, cs:WDFFUNCTIONS
169 |         000000000002A528 call    qword ptr [rax+268h]
170 | """
171 | def list_xref_to_wdf_callback(function_offset):
172 |     calls_to_pfn_list = []
173 |     try:
174 |         for xref in idautils.XrefsTo(g_vars["_WDFFUNCTIONS"]+function_offset):
175 |             calls_to_pfn_list.append(xref.frm)
176 |     except StopIteration:
177 |         # this is case 2 or 3
178 |         pass
179 |     if len(calls_to_pfn_list) == 0:
180 |         call_pfn = find_wdf_callback_through_immediate("call", 0, function_offset)
181 |         if call_pfn != None:
182 |             calls_to_pfn_list.append(call_pfn)
183 |     if len(calls_to_pfn_list) == 0:
184 |         call_pfn = find_wdf_callback_through_immediate("mov", 1,function_offset)
185 |         if call_pfn != None:
186 |             calls_to_pfn_list.append(call_pfn)
187 |     return calls_to_pfn_list
188 | 
189 | 
190 | 
191 | def find_WdfDeviceInitSetIoInCallerContextCallback():
192 |     function_offset = OFFSET_WdfDeviceInitSetIoIncallerContextCallback
193 |     try:
194 |         call_pfn = idautils.XrefsTo(g_vars["_WDFFUNCTIONS"]+function_offset).next().frm
195 |     except StopIteration:
196 |         # this is case 2!
197 |         call_pfn = find_wdf_callback_through_immediate("mov", 1,function_offset)
198 |         if call_pfn is None:
199 |             call_pfn = find_wdf_callback_through_immediate("call", 0, function_offset)
200 | 
201 |     if call_pfn != None:
202 |         idc.OpStroffEx(call_pfn,0,(idaapi.get_struc_id("_WDFFUNCTIONS")),0)
203 |         lea_addr = find_function_arg(call_pfn, "lea", "r8", 0)
204 |         EvtWdfIoInCallerContext = idc.get_operand_value(lea_addr, 1)
205 |         idc.set_name(EvtWdfIoInCallerContext, 'EvtWdfIoInCallerContext')
206 | 
207 | 
208 | 
209 | def find_WdfDeviceCreateDeviceInterface():
210 |     function_offset = OFFSET_WdfDeviceCreateDeviceInterface
211 | 
212 |     calls_to_pfn_list = []
213 |     try:
214 |         for xref in idautils.XrefsTo(g_vars["_WDFFUNCTIONS"]+function_offset):
215 |             call_pfnWdfDeviceCreateDeviceInterface = xref.frm
216 |             calls_to_pfn_list.append(call_pfnWdfDeviceCreateDeviceInterface)
217 |     except StopIteration:
218 |         # this is case 2 or 3
219 |         pass
220 |     if len(calls_to_pfn_list) == 0:
221 |         call_pfnWdfDeviceCreateDeviceInterface = find_wdf_callback_through_immediate("call", 0, function_offset)
222 |         if call_pfnWdfDeviceCreateDeviceInterface:
223 |             calls_to_pfn_list.append(call_pfnWdfDeviceCreateDeviceInterface)
224 |             idc.OpStroffEx(call_pfnWdfDeviceCreateDeviceInterface,0,(idaapi.get_struc_id("_WDFFUNCTIONS")),0)
225 | 
226 |     if len(calls_to_pfn_list) == 0:
227 |         call_pfnWdfDeviceCreateDeviceInterface = find_wdf_callback_through_immediate("mov", 1,function_offset)
228 |         if call_pfnWdfDeviceCreateDeviceInterface:
229 |             calls_to_pfn_list.append(call_pfnWdfDeviceCreateDeviceInterface)
230 |             idc.OpStroffEx(call_pfnWdfDeviceCreateDeviceInterface,1,(idaapi.get_struc_id("_WDFFUNCTIONS")),0)
231 | 
232 |     for k, pfn_call in enumerate(calls_to_pfn_list):
233 |         lea_guid = find_function_arg(pfn_call, "lea", "r8", 0)
234 |         interface_guid = idc.get_operand_value(lea_guid, 1)
235 |         idc.set_name(interface_guid, '_InterfaceGUID' + str(k))
236 |         assign_struct_to_address(interface_guid, "GUID")
237 |         g_vars["_InterfaceGUID" + str(k)] = interface_guid
238 |         print("_InterfaceGUID: ", hex(interface_guid))
239 |         guid_bytes = idc.GetManyBytes(interface_guid, 0x10)
240 |         print_guid(guid_bytes)
241 | 
242 | 
243 | def find_WdfDriverCreate():
244 |     function_offset = OFFSET_WdfDriverCreate
245 | 
246 |     # If the XREF to wdfFunctions + function_offset exists.. then we're in case 1!
247 |     try:
248 |         call_pfnWdfDriverCreate = idautils.XrefsTo(g_vars["_WDFFUNCTIONS"]+function_offset).next().frm
249 |     except StopIteration:
250 |         # this is case 2!
251 |         call_pfnWdfDriverCreate = find_wdf_callback_through_immediate("mov", 1,function_offset)
252 |         if call_pfnWdfDriverCreate != None:
253 |             idc.OpStroffEx(call_pfnWdfDriverCreate,1,(idaapi.get_struc_id("_WDFFUNCTIONS")),0)
254 |         else:
255 |             call_pfnWdfDriverCreate = find_wdf_callback_through_immediate("call", 0, function_offset)
256 |             idc.OpStroffEx(call_pfnWdfDriverCreate,0,(idaapi.get_struc_id("_WDFFUNCTIONS")),0)
257 | 
258 |     if call_pfnWdfDriverCreate != None:
259 |         # First identify the RealDriverEntry :)
260 |         current_func = idaapi.get_func(call_pfnWdfDriverCreate)
261 |         idc.set_name(current_func.startEA, "_DriverEntry_")
262 | 
263 |         argument_DriverConfig_addr = find_function_arg_with_operand_value(call_pfnWdfDriverCreate, "mov", "rsp", 0x20, 0)
264 |         register_DriverConfig = idc.print_operand(argument_DriverConfig_addr, 1)
265 |         lea_DriverConfig_addr = find_function_arg(argument_DriverConfig_addr, "lea", register_DriverConfig, 0)
266 | 
267 |         # Get stack and the stack operand offset
268 |         current_func = idaapi.get_func(lea_DriverConfig_addr)
269 |         stack_id = idc.GetFrame(current_func)
270 |         opnd = idc.print_operand(lea_DriverConfig_addr, 1)
271 |         if "rsp" in opnd:
272 |             stack_member_offset = idc.get_operand_value(lea_DriverConfig_addr, 1)
273 |         elif "rbp" in opnd:
274 |             var_x = opnd.split("+")[-1][:-1] # [rbp+57h+var_80] -> var_80
275 |             members, _ = retrieve_stack_members(current_func)
276 |             inverted_members = {v:k for k, v in members.items()}
277 |             try:
278 |                 stack_member_offset = inverted_members[var_x]
279 |             except KeyError as msg:
280 |                 print(msg)
281 |                 return
282 | 
283 |         else:
284 |             print("+] WdfDriverCreate() Unidentified register stack layout")
285 |             return
286 | 
287 |         #idc.SetMemberName(stack_id, stack_member_offset, "_DriverConfig")
288 |         struct_id = idaapi.get_struc_id("_WDF_DRIVER_CONFIG")
289 |         struct_size = idc.GetStrucSize(struct_id)
290 | 
291 |         # First check if we have already touch this function stack before
292 |         #if function_stack_erased(current_func):
293 |             # need to take care of the already defined structs
294 |         #    pass
295 |         #else:
296 |         delete_all_function_stack_members(current_func, force=True)
297 |         idc.AddStrucMember(stack_id, "driver_config",
298 |                            stack_member_offset, idc.FF_BYTE|idc.FF_DATA,
299 |                            -1, struct_size)
300 |         idc.SetMemberType(stack_id, stack_member_offset, idc.FF_STRU|idc.FF_DATA, struct_id, 1)
301 | 
302 | 
303 | def find_WdfIoQueueCreate():
304 |     function_offset = OFFSET_WdfIoQueueCreate
305 | 
306 |     calls_to_pfn_list = []
307 |     try:
308 |         for xref in idautils.XrefsTo(g_vars["_WDFFUNCTIONS"]+function_offset):
309 |             call_pfnWdfIoQueueCreate = xref.frm
310 |             calls_to_pfn_list.append(call_pfnWdfIoQueueCreate)
311 |     except StopIteration:
312 |         # this is case 2 or 3
313 |         pass
314 |     if len(calls_to_pfn_list) == 0:
315 |         call_pfnWdfIoQueueCreate = find_wdf_callback_through_immediate("call", 0, function_offset)
316 |         if call_pfnWdfIoQueueCreate:
317 |             calls_to_pfn_list.append(call_pfnWdfIoQueueCreate)
318 |             idc.OpStroffEx(call_pfnWdfIoQueueCreate,0,(idaapi.get_struc_id("_WDFFUNCTIONS")),0)
319 | 
320 |     if len(calls_to_pfn_list) == 0:
321 |         call_pfnWdfIoQueueCreate = find_wdf_callback_through_immediate("mov", 1,function_offset)
322 |         if call_pfnWdfIoQueueCreate:
323 |             calls_to_pfn_list.append(call_pfnWdfIoQueueCreate)
324 |             idc.OpStroffEx(call_pfnWdfIoQueueCreate,1,(idaapi.get_struc_id("_WDFFUNCTIONS")),0)
325 | 
326 |     for pfn_call in calls_to_pfn_list:
327 |         lea_argument_addr = find_function_arg(pfn_call, "lea", "r8", 0)
328 | 
329 |         # Get stack and the stack operand offset
330 |         current_func = idaapi.get_func(lea_argument_addr)
331 |         stack_id = idc.GetFrame(current_func)
332 |         stack_member_offset = idc.get_operand_value(lea_argument_addr, 1)
333 | 
334 |         struct_id = idaapi.get_struc_id("_WDF_IO_QUEUE_CONFIG")
335 |         struct_size = idc.GetStrucSize(struct_id)
336 | 
337 |         # First check if we have already touch this function stack before
338 |         if function_stack_erased(current_func):
339 |             # need to take care of the already defined structs
340 |             # If the arguments collide then this will fail
341 |             pass
342 |         else:
343 |             delete_all_function_stack_members(current_func)
344 |             print("Erased the stack members")
345 | 
346 |         idc.AddStrucMember(stack_id, "queue_config",
347 |                            stack_member_offset, idc.FF_BYTE|idc.FF_DATA,
348 |                            -1, struct_size)
349 |         idc.SetMemberType(stack_id, stack_member_offset, idc.FF_STRU|idc.FF_DATA, struct_id, 1)
350 |         print("IOQueue Creation at: " + hex(pfn_call))
351 | 
352 | 
353 | def find_WdfControlDeviceInitAllocate():
354 |     function_offset = OFFSET_WdfControlDeviceInitAllocate
355 |     call_pfn = None
356 |     try:
357 |         for xref in idautils.XrefsTo(g_vars["_WDFFUNCTIONS"]+function_offset):
358 |             call_pfn = xref.frm
359 |     except StopIteration:
360 |         # this is case 2 or 3
361 |         pass
362 |     if call_pfn is None:
363 |         call_pfn = find_wdf_callback_through_immediate("call", 0, function_offset)
364 |         if call_pfn:
365 |             idc.OpStroffEx(call_pfn,0,(idaapi.get_struc_id("_WDFFUNCTIONS")),0)
366 | 
367 |     if call_pfn is None:
368 |         call_pfn = find_wdf_callback_through_immediate("mov", 1,function_offset)
369 |         if call_pfn:
370 |             idc.OpStroffEx(call_pfn,1,(idaapi.get_struc_id("_WDFFUNCTIONS")),0)
371 | 
372 |     lea_sddl = find_function_arg(call_pfn, "lea", "r8", 0)
373 |     unicode_sddl = idc.get_operand_value(lea_sddl, 1)
374 |     idc.set_name(unicode_sddl, 'control_device_sddl')
375 |     assign_struct_to_address(unicode_sddl, "_UNICODE_STRING")
376 |     print("Control Device SDDL at: ", hex(unicode_sddl))
377 | 
378 | 
379 | 
380 | def assign_kmdf_structure_types(address):
381 |     # Get the jmp to de import
382 |     jmp_import_ea = next(idautils.XrefsTo(address)).frm
383 |     # There is only one XREF to WdfVersionBind
384 |     call_wdfVersionBind = next(idautils.XrefsTo(jmp_import_ea)).frm
385 |     print(hex(call_wdfVersionBind))
386 |     argument_WdfBindInfo = find_function_arg(call_wdfVersionBind, "lea", "r8", 0)
387 |     if argument_WdfBindInfo is None:
388 |         print("Error: Argument WdfBindInfo wasn't found!")
389 |         return
390 |     wdfBindInfo = idc.get_operand_value(argument_WdfBindInfo, 1)
391 |     idc.set_name(wdfBindInfo, '_WdfBindInfo')
392 |     print("WdfBindInfo Struct: ", hex(wdfBindInfo))
393 |     if not assign_struct_to_address(wdfBindInfo, "_WDF_BIND_INFO"):
394 |         print("The _WDF_BIND_INFO struct wasn't found in the database")
395 |         return
396 |     g_vars["_WDF_BIND_INFO"] = wdfBindInfo
397 | 
398 |     # Assign ComponentGlobals Name
399 |     argument_WdfComponentGlobals = find_function_arg(call_wdfVersionBind, "lea", "r9", 0)
400 |     wdfComponentGlobals = idc.get_operand_value(argument_WdfComponentGlobals, 1)
401 |     g_vars["_WDF_COMPONENT_GLOBALS"] = wdfComponentGlobals
402 |     idc.set_name(wdfComponentGlobals, '_WdfComponentGlobals')
403 | 
404 |     # Now assign the WDFFUNCTIONS to FuncTable
405 |     wdfFunctions = idc.get_qword(wdfBindInfo+0x20)
406 |     g_vars["_WDFFUNCTIONS"] = wdfFunctions
407 |     assign_struct_to_address(wdfFunctions, "_WDFFUNCTIONS")
408 |     idc.set_name(wdfFunctions, 'g_WdfF_Functions')
409 |     #if not assign_struct_to_address(wdfFunctions, "_WDFFUNCTIONS"):
410 |     #    print("The _WDFFUNCTIONS struct wasn't found in the database")
411 |     #    return
412 | 
413 | 
414 | 
415 | # Callback to get the EA of WdfVersionBind
416 | def imp_cb(ea, name, ord):
417 |     if not name:
418 |         print("%08x: ord#%d" % (ea, ord))
419 |     else:
420 |         print("%08x: %s (ord#%d)" % (ea, name, ord))
421 |     if name == "WdfVersionBind":
422 |         assign_kmdf_structure_types(ea)
423 |         return False
424 |     # True -> Continue enumeration
425 |     # False -> Stop enumeration
426 |     return True
427 | 
428 | ##############################################################################
429 | 
430 | def load_kmdf_types_into_idb():
431 |     header_path = idautils.GetIdbDir()
432 |     idaapi.idc_parse_types("".join([header_path, "WDFStructs.h"]), idc.PT_FILE)
433 |     for idx in range(1, idc.get_ordinal_qty()):
434 |         print(idx, idc.get_numbered_type_name(idx))
435 |         idc.import_type(idx, idc.get_numbered_type_name(idx))
436 | 
437 | ##############################################################################
438 | 
439 | 
440 | ##############################################################################
441 | 
442 | load_kmdf_types_into_idb()
443 | for module_idx in range(idaapi.get_import_module_qty()):
444 |     if idaapi.get_import_module_name(module_idx) == "WDFLDR":
445 |         idaapi.enum_import_names(module_idx, imp_cb)
446 | 
447 | if len(list_xref_to_wdf_callback(OFFSET_WdfDeviceCreateDeviceInterface)) == 0:
448 |     print("The driver is not exposing any DeviceInterface")
449 | if len(list_xref_to_wdf_callback(OFFSET_WdfDeviceCreateSymbolicLink)) == 0:
450 |     print("The driver is not creating a Symbolic Link")
451 | if len(list_xref_to_wdf_callback(OFFSET_WdfIoQueueCreate)) == 0:
452 |     print("The driver is not creating an IOQueue")
453 | if len(list_xref_to_wdf_callback(OFFSET_WdfDeviceInitSetIoIncallerContextCallback)) == 0:
454 |     print("The driver is not setting an EvtInCallerContextCallback")
455 | for i in list_xref_to_wdf_callback(OFFSET_WdfRequestRetrieveInputMemory):
456 |     print("Call To WdfRequestRetrieveInputMemory: " + hex(i))
457 | for i in list_xref_to_wdf_callback(OFFSET_WdfRequestRetrieveOutputMemory):
458 |     print("Call To WdfRequestRetrieveOutputMemory: " + hex(i))
459 | for i in list_xref_to_wdf_callback(OFFSET_WdfRequestRetrieveInputBuffer):
460 |     print("Call To WdfRequestRetrieveInputBuffer: " + hex(i))
461 | for i in list_xref_to_wdf_callback(OFFSET_WdfRequestRetrieveOutputBuffer):
462 |     print("Call To WdfRequestRetrieveOutputBuffer: " + hex(i))
463 | for i in list_xref_to_wdf_callback(OFFSET_WdfRequestRetrieveInputWdmMdl):
464 |     print("Call To WdfRequestRetrieveInputWdmMdl: " + hex(i))
465 | for i in list_xref_to_wdf_callback(OFFSET_WdfRequestRetrieveOutputWdmMdl):
466 |     print("Call To WdfRequestRetrieveOutputWdmMdl: " + hex(i))
467 | for i in list_xref_to_wdf_callback(OFFSET_WdfRequestRetrieveUnsafeUserInputBuffer):
468 |     print("Call To WdfRequestRetrieveUnsafeUserInputBuffer: " + hex(i))
469 | for i in list_xref_to_wdf_callback(OFFSET_WdfRequestRetrieveUnsafeUserOutputBuffer):
470 |     print("Call To WdfRequestRetrieveUnsafeUserOutputBuffer: " + hex(i))
471 | 
472 | 
473 | def supress_exception(cb):
474 |     try:
475 |         cb()
476 |     except:
477 |         pass
478 | 
479 | g_vars["ERASE_STACK_MEMBERS"] = True
480 | 
481 | supress_exception(find_WdfDriverCreate)
482 | supress_exception(find_WdfIoQueueCreate)
483 | supress_exception(find_WdfDeviceInitSetIoInCallerContextCallback)
484 | supress_exception(find_WdfDeviceCreateDeviceInterface)
485 | supress_exception(find_WdfControlDeviceInitAllocate)
486 | 
487 | 
488 | 
489 | 
490 | 
491 | 
492 | 
493 | """
494 | # 00000000167ED lea     r8, [rbp+190h+var_170]
495 | 
496 | lea_addr = 0x167ED
497 | # Get the stack struct
498 | current_func = idaapi.get_func(lea_addr)
499 | stack_id = idc.GetFrame(current_func)
500 | stack_struc = idaapi.get_struc(stack_id)
501 | 
502 | # Get the stack operand offset value and stack member
503 | stack_member_offset = idc.get_operand_value(lea_addr, 1)
504 | stack_member = stack_struc.get_member(stack_member_offset)
505 | 
506 | target_struct_id = idaapi.get_struc_id("_WDF_DRIVER_CONFIG")
507 | target_struc = idaapi.get_struc(target_struct_id )
508 | 
509 | idc.DelStrucMember(stack_id, stack_member_offset)
510 | AddStrucMember(stack_id, "driver_config", stack_member_offset, FF_BYTE|FF_DATA, -1, GetStrucSize(target_struct_id))
511 | idc.SetMemberType(stack_id, stack_member_offset, idc.FF_STRU|idc.FF_DATA, target_struct_id, 1)
512 | 
513 | 
514 | idc.SetMemberType(stack_id, stack_member_offset, idc.FF_BYTE|idc.FF_DATA, target_struct_id, 0x20)
515 | 
516 | set_member_tinfo(None, stack_struc ,stack_member ,0, target_struc, 0, 0)
517 | 
518 | 
519 | 
520 | tinfo = idaapi.tinfo_t()
521 | idaapi.parse_decl2(idaapi.cvar.idati, '_WDF_DRIVER_CONFIG;', '_WDF_DRIVER_CONFIG', tinfo, idaapi.PT_TYP)
522 | idaapi.set_member_tinfo2(stack_struc, stack_member, 0, tinfo, idaapi.SET_MEMTI_COMPATIBLE)
523 | 
524 | """
525 | 


--------------------------------------------------------------------------------