@@ -173,19 +173,18 @@ def find_all_ioctls():
173173 f = idaapi .get_func (addr )
174174 fc = idaapi .FlowChart (f , flags = idaapi .FC_PREDS )
175175 for block in fc :
176- # grab the last two instructions in the block
177- last_inst = idc .prev_head (block .end_ea )
178- penultimate_inst = idc .prev_head (last_inst )
179- # If the penultimate instruction is cmp or sub against an immediate value immediately preceding a 'jz'
180- # then it's a decent guess that it's an IOCTL code (if this is a dispatch function)
181- if idc .print_insn_mnem (penultimate_inst ) in ['cmp' , 'sub' ] and idc .get_operand_type (penultimate_inst , 1 ) == 5 :
182- if idc .print_insn_mnem (last_inst ) == 'jz' :
183- value = get_operand_value (penultimate_inst )
176+ start = block .start_ea
177+ end = block .end_ea
178+ # print("Block: {} - {}".format(start, end))
179+ for instr in range (start , end ):
180+ # if the penultimate instruction is cmp or sub or mov against an immediate value
181+ if idc .print_insn_mnem (instr ) in ['cmp' , 'sub' , 'mov' ] and idc .get_operand_type (instr , 1 ) == 5 :
182+ value = get_operand_value (instr )
184183 digits = utils .check_digits (value )
185- if digits == 10 :
186- if value not in utils .ntstatus_values :
187- ioctls .append ((penultimate_inst , value ))
188- ioctl_tracker .add_ioctl (penultimate_inst , value )
184+ # value has 10 digits and is not a known NTSTATUS value
185+ if digits == 10 and value not in utils .ntstatus_values :
186+ ioctls .append ((instr , value ))
187+ ioctl_tracker .add_ioctl (instr , value )
189188 return ioctls
190189
191190
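Review bot: The new loop at line 179 iterates `range(start, end)`, which is every byte address in the basic block, so `print_insn_mnem`/`get_operand_type` are evaluated on addresses in the middle of instructions rather than only on instruction heads; `for instr in idautils.Heads(start, end):` (if idautils is imported, else an `idc.next_head` walk from `start` to `end`) visits only real instructions and avoids spurious matches on mid-instruction bytes. The comment on line 180 still says "penultimate instruction", but the loop now examines every instruction and the old `jz` guard is gone, so any `mov` of a 10-digit immediate becomes a candidate; the comment should describe the new heuristic, e.g. `# any cmp/sub/mov with an immediate operand is a candidate IOCTL code`. The commented-out print on line 178 should be removed rather than left in. The `digits == 10 and value not in utils.ntstatus_values` filter is now duplicated in the get_position_and_translate hunk below; a small helper such as `_is_ioctl_candidate(value)` would keep the two in step. The enclosing function find_all_ioctls begins outside the hunk.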
@@ -228,8 +227,7 @@ def get_position_and_translate():
228227
229228 value = get_operand_value (pos )
230229 digits = utils .check_digits (value )
231- if digits == 10 :
232- if value not in utils .ntstatus_values :
230+ if digits == 10 and value not in utils .ntstatus_values :
233231 ioctl_tracker .add_ioctl (pos , value )
234232 define = ioctl_decoder .get_define (value )
235233 make_comment (pos , define )