Ida pro plugins12/27/2022 More details can be found on the projects GitHub page. This function can be ran using the " Ctrl+Alt+A" shortcut, you can see this being run on the infamous Capcom driver below. First, it will search for Unicode strings that could be valid device paths and if it doesn't find any, it will attempt to use FLOSS to find any obfuscated device names present in the driver. ![]() The plugin can also find potential device names. These can be ran using the " Ctrl+Alt+S" shortcut, as shown below: The plugin implements two basic ways of identifying an IOCTL dispatch function. This will add a comment to the instruction with the IOCTL Code represented by it's equivalent define using the CTL_CODE macro, as shown below:Īdditionally this will print a summary table with the details of all IOCTL codes decoded in the current session: Potential IOCTL codes can be decoded by selecting the value in IDA and using the " Ctrl+Alt+D" shortcut or the right-click context menu option. When launching GhIDA for the first time (Ctrl+Alt+D or Edit -> Plugins -> GhIDA Decompiler), one can choose between a local Ghidra installation. Pip install Usage Overview Decode IOCTL Codes ![]() Just drop the 'win_driver_plugin.py' file and the entire 'win_driver_plugin' folder into IDA's plugin directory. If you want FLOSS to be used when hunting for device names, you can install it with the following commands: pip install ![]() The source code is hosted on GitHub under a 3-clause BSD license. This is an IDA Pro plugin designed to assist reverse engineers when they are reversing Windows drivers or applications that interact with them.
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |