uf0o/find_ioctls.py

## find_ioctls.py
"""
Author: Matteo 'uf0' Malvica @matteomalvica
Tested with IDA 7.5 and Py3
Original plugin: https://github.com/FSecureLABS/win_driver_plugin
"""

def getopvalue(addr):
    """Returns the value of the second operand to the instruction at `addr` masked to be a 32 bit value"""
    return idc.get_operand_value(addr, 1) & 0xffffffff


def print_table(ioctls):
    print("{:10s} | {:10s}".format("Address", "IOCTL Code"))
    for (addr, ioctl_code) in ioctls:
        print("0x{:8x} | 0x{:8x}".format(addr,ioctl_code))

def find_all_ioctls():
    """
    From the currently selected address attempts to traverse all blocks inside the current function to find all immediate values which
    are used for a comparison/sub immediately before a jz. Returns a list of address, second operand pairs.
    """
    ioctls = []
    # Find the currently selected function and get a list of all of it's basic blocks
    addr = idc.get_screen_ea()
    f = idaapi.get_func(addr)
    fc = idaapi.FlowChart(f, flags=idaapi.FC_PREDS)
    for block in fc:
        # grab the last two instructions in the block
        last_inst = idc.prev_head(block.end_ea)
        penultimate_inst = idc.prev_head(last_inst)
        # If the penultimate instruction is cmp or sub against an immediate value immediately preceding a 'jz'
        # then it's a decent guess that it's an IOCTL code (if this is a dispatch function)
        if idc.print_insn_mnem(penultimate_inst) in ['cmp', 'sub'] and idc.get_operand_type(penultimate_inst, 1) == 5:
            if idc.print_insn_mnem(last_inst) == 'jz':
                value = getopvalue(penultimate_inst)
                ioctls.append((penultimate_inst, value))
    return ioctls

final_ioctls = []
final_ioctls = find_all_ioctls()
print_table(final_ioctls)
	"""
	Author: Matteo 'uf0' Malvica @matteomalvica
	Tested with IDA 7.5 and Py3
	Original plugin: https://github.com/FSecureLABS/win_driver_plugin
	"""

	def getopvalue(addr):
	"""Returns the value of the second operand to the instruction at `addr` masked to be a 32 bit value"""
	return idc.get_operand_value(addr, 1) & 0xffffffff


	def print_table(ioctls):
	print("{:10s} \| {:10s}".format("Address", "IOCTL Code"))
	for (addr, ioctl_code) in ioctls:
	print("0x{:8x} \| 0x{:8x}".format(addr,ioctl_code))

	def find_all_ioctls():
	"""
	From the currently selected address attempts to traverse all blocks inside the current function to find all immediate values which
	are used for a comparison/sub immediately before a jz. Returns a list of address, second operand pairs.
	"""
	ioctls = []
	# Find the currently selected function and get a list of all of it's basic blocks
	addr = idc.get_screen_ea()
	f = idaapi.get_func(addr)
	fc = idaapi.FlowChart(f, flags=idaapi.FC_PREDS)
	for block in fc:
	# grab the last two instructions in the block
	last_inst = idc.prev_head(block.end_ea)
	penultimate_inst = idc.prev_head(last_inst)
	# If the penultimate instruction is cmp or sub against an immediate value immediately preceding a 'jz'
	# then it's a decent guess that it's an IOCTL code (if this is a dispatch function)
	if idc.print_insn_mnem(penultimate_inst) in ['cmp', 'sub'] and idc.get_operand_type(penultimate_inst, 1) == 5:
	if idc.print_insn_mnem(last_inst) == 'jz':
	value = getopvalue(penultimate_inst)
	ioctls.append((penultimate_inst, value))
	return ioctls

	final_ioctls = []
	final_ioctls = find_all_ioctls()
	print_table(final_ioctls)