
Thread: IDA Structure Definitions


  1. #1 (Super Moderator)

    IDA Structure Definitions

    SPLIT THREAD

    way off topic

    Hey K, can't find the ROM file, isn't it? There are trillions of datasheets on Google but not a bin file for the NEC V40, isn't it?

    Anyway, I ended up downloading ROMs and bins of BBC / Microbee / Atari / Zilog / Z80 / and whatnot due to this thread.

    BTW, way more off topic, but on IDA:

    I thought let me try IDA (nothing fancy, the free 5.0 one) on a driver which seemed to crash on me, so I could learn a trick or two,
    but I can't seem to fathom the mighty Yeti. Can you see the pic below and tell me how to make it legible?
    No, I can understand the opcodes / mnemonic crap; I want IDA to tell me "hey b,
    this is driver_object,
    now ebx takes the Driver_Object->MajorFunction[IRP_MJ_DEVICE_CONTROL] and shoots it down to
    KiIntrap01 and plays hell with interrupt 1 single stepping on its own" kind of thing,
    not stare back at me with mov ebx,[eax+70].

    [Attached image: idarename.JPG]

    and the crashing handler:

    Code:
    .text:00010A5C ; ---------------------------------------------------------------------------
    .text:00010A5C
    .text:00010A5C loc_10A5C:                              ; DATA XREF: start-91Fo
    .text:00010A5C                 mov     edi, edi
    .text:00010A5E                 push    ebp
    .text:00010A5F                 mov     ebp, esp
    .text:00010A61                 push    ebx
    .text:00010A62                 push    esi
    .text:00010A63                 push    edi
    .text:00010A64                 xor     esi, esi
    .text:00010A66                 xor     eax, eax
    .text:00010A68                 push    edx
    .text:00010A69                 sidt    fword ptr [esp-2]
    .text:00010A6E                 pop     edx
    .text:00010A6F                 add     edx, 0Ch        ; kiIntTrap01 ?
    .text:00010A72                 mov     ebx, [edx]
    .text:00010A74                 mov     bx, [edx-4]
    .text:00010A78                 mov     ebx, dword_10EB0
    .text:00010A7E                 cmp     ebx, 0
    .text:00010A81                 jnz     short loc_10A8E
    .text:00010A83                 mov     bx, [edx+2]
    .text:00010A87                 ror     ebx, 10h
    .text:00010A8A                 mov     bx, [edx-4]
    .text:00010A8E
    .text:00010A8E loc_10A8E:                              ; CODE XREF: .text:00010A81j
    .text:00010A8E                 mov     dword_10EB0, ebx
    .text:00010A94                 mov     edi, offset word_109AA
    .text:00010A99                 mov     [edx-4], di
    .text:00010A9D                 ror     edi, 10h
    .text:00010AA0                 mov     [edx+2], di     ; seems to crash here ?
    .text:00010AA4                 mov     ecx, [ebp+0Ch]
    .text:00010AA7                 mov     edi, [ecx+60h]
    .text:00010AAA                 mov     edx, [edi+0Ch]
    .text:00010AAD                 cmp     edx, 0C07FE000h ; ioctlcode
    .text:00010AB3                 jz      loc_10C8D
    .text:00010AB9                 cmp     edx, 0C07FE004h
    .text:00010AB9                                         ; CALL    NEAR DWORD PTR DS:[EAX]          ; getproc(Devictl)
    .text:00010AB9                                         ; PUSH    0                                ; ioOverLapped
    .text:00010AB9                                         ; MOV     DWORD PTR SS:[EBP+354], 0
    .text:00010AB9                                         ; MOV     EBX, EBP
    .text:00010AB9                                         ; ADD     EBX, 354
    .text:00010AB9                                         ; PUSH    EBX                              ; LpBytesRet
    .text:00010AB9                                         ; PUSH    4                                ; OutBuffSize
    .text:00010AB9                                         ; MOV     EBX, EBP
    .text:00010AB9                                         ; ADD     EBX, 348
    .text:00010AB9                                         ; PUSH    EBX                              ; OutBuff
    .text:00010AB9                                         ; PUSH    20                               ; InBuffSize
    .text:00010AB9                                         ; MOV     EBX, EBP
    .text:00010AB9                                         ; ADD     EBX, 9E4
    .text:00010AB9                                         ; PUSH    EBX                              ; inBuff
    .text:00010AB9                                         ; MOV     EBX, C07FE000
    .text:00010AB9                                         ; PUSH    EBX                              ; ioCtlCode
    .text:00010AB9                                         ; PUSH    DWORD PTR SS:[EBP+A08]           ; hdevice
    .text:00010AB9                                         ; CALL    NEAR EAX                         ; devictl()
    .text:00010AB9                                         ;
    .text:00010AB9                                         ;
    .text:00010ABF                 jz      loc_10C2C
    .text:00010AC5                 cmp     edx, 0C07FE018h
    .text:00010ACB                 jz      loc_10BC2
    .text:00010AD1                 cmp     edx, 0C07FE020h
    .text:00010AD7                 jz      loc_10B5F
    .text:00010ADD                 cmp     edx, 0C07FE024h
    .text:00010AE3                 jz      short loc_10AEF
    .text:00010AE5                 mov     esi, 0C000000Dh
    .text:00010AEA                 jmp     loc_10D10
    .text:00010AEF ; ---------------------------------------------------------------------------
    .text:00010AEF
    .text:00010AEF loc_10AEF:                              ; CODE XREF: .text:00010AE3j

  2. #2 (Kayaker)
    I was looking for a rom file split over segments too, to see if one could derive the segment sections just from the code itself, which I'm sure isn't the easiest thing to do.

    A wee bit off topic yes, sorry for the thread hijacking, but to answer the question, what I do is create a custom DRIVER_OBJECT header file where the IRP MajorFunction definition is a structure within itself, so IDA can easily recognize what [eax+70h] stands for. IDA has its own standard DRIVER_OBJECT structure definition, but that won't get you the individual IRP defs.

    Here is the header file I use, modified from wdm.h, loaded into IDA with Load File/Parse C header file, then added in the Structures window and now recognized as a Standard Structure (generally added to the very end of the list).

    Code:
    typedef struct _myDRIVER_DISPATCH {

    // Define the major function codes for IRPs.
    // Each member is a 4-byte slot standing in for one PDRIVER_DISPATCH entry of
    // DRIVER_OBJECT.MajorFunction[], so member offsets line up with the x86 array.

    ULONG IRP_MJ_CREATE;                    // 0x00
    ULONG IRP_MJ_CREATE_NAMED_PIPE;         // 0x01
    ULONG IRP_MJ_CLOSE;                     // 0x02
    ULONG IRP_MJ_READ;                      // 0x03
    ULONG IRP_MJ_WRITE;                     // 0x04
    ULONG IRP_MJ_QUERY_INFORMATION;         // 0x05
    ULONG IRP_MJ_SET_INFORMATION;           // 0x06
    ULONG IRP_MJ_QUERY_EA;                  // 0x07
    ULONG IRP_MJ_SET_EA;                    // 0x08
    ULONG IRP_MJ_FLUSH_BUFFERS;             // 0x09
    ULONG IRP_MJ_QUERY_VOLUME_INFORMATION;  // 0x0a
    ULONG IRP_MJ_SET_VOLUME_INFORMATION;    // 0x0b
    ULONG IRP_MJ_DIRECTORY_CONTROL;         // 0x0c
    ULONG IRP_MJ_FILE_SYSTEM_CONTROL;       // 0x0d
    ULONG IRP_MJ_DEVICE_CONTROL;            // 0x0e
    ULONG IRP_MJ_INTERNAL_DEVICE_CONTROL;   // 0x0f
    ULONG IRP_MJ_SHUTDOWN;                  // 0x10
    ULONG IRP_MJ_LOCK_CONTROL;              // 0x11
    ULONG IRP_MJ_CLEANUP;                   // 0x12
    ULONG IRP_MJ_CREATE_MAILSLOT;           // 0x13
    ULONG IRP_MJ_QUERY_SECURITY;            // 0x14
    ULONG IRP_MJ_SET_SECURITY;              // 0x15
    ULONG IRP_MJ_POWER;                     // 0x16
    ULONG IRP_MJ_SYSTEM_CONTROL;            // 0x17
    ULONG IRP_MJ_DEVICE_CHANGE;             // 0x18
    ULONG IRP_MJ_QUERY_QUOTA;               // 0x19
    ULONG IRP_MJ_SET_QUOTA;                 // 0x1a
    ULONG IRP_MJ_PNP;                       // 0x1b
    // ULONG IRP_MJ_PNP_POWER                IRP_MJ_PNP      // Obsolete....
    // ULONG IRP_MJ_MAXIMUM_FUNCTION           0x1b

    } myDRIVER_DISPATCH, *PmyDRIVER_DISPATCH;
    
    
    typedef struct _myDRIVER_OBJECT {
        CSHORT Type;
        CSHORT Size;
        PDEVICE_OBJECT DeviceObject;
        ULONG Flags;
        PVOID DriverStart;
        ULONG DriverSize;
        PVOID DriverSection;
        PDRIVER_EXTENSION DriverExtension;
        UNICODE_STRING DriverName;
        PUNICODE_STRING HardwareDatabase;
        PFAST_IO_DISPATCH FastIoDispatch;
        PDRIVER_INITIALIZE DriverInit;
        PDRIVER_STARTIO DriverStartIo;
        PDRIVER_UNLOAD DriverUnload;
    
        // PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
        myDRIVER_DISPATCH MajorFunction;
    
    } myDRIVER_OBJECT;
    typedef struct _myDRIVER_OBJECT *PmyDRIVER_OBJECT;

    Using beep.sys as an example, this

    Code:
    .text:00011389                 mov     eax, [ebp+DriverObject]
    .text:0001138C                 mov     dword ptr [eax+30h], offset sub_11248
    .text:00011393                 mov     dword ptr [eax+34h], offset sub_112C6
    .text:0001139A                 mov     dword ptr [eax+38h], offset sub_111AC
    .text:000113A1                 mov     dword ptr [eax+40h], offset sub_111FE
    .text:000113A8                 mov     dword ptr [eax+70h], offset sub_11116
    .text:000113AF                 mov     dword ptr [eax+80h], offset sub_11060
    becomes this.

    Code:
    .text:00011389                 mov     eax, [ebp+DriverObject]
    .text:0001138C                 mov     [eax+DRIVER_OBJECT.DriverStartIo], offset sub_11248
    .text:00011393                 mov     [eax+DRIVER_OBJECT.DriverUnload], offset sub_112C6
    .text:0001139A                 mov     [eax+myDRIVER_OBJECT.MajorFunction.IRP_MJ_CREATE], offset sub_111AC
    .text:000113A1                 mov     [eax+myDRIVER_OBJECT.MajorFunction.IRP_MJ_CLOSE], offset sub_111FE
    .text:000113A8                 mov     [eax+myDRIVER_OBJECT.MajorFunction.IRP_MJ_DEVICE_CONTROL], offset sub_11116
    .text:000113AF                 mov     [eax+myDRIVER_OBJECT.MajorFunction.IRP_MJ_CLEANUP], offset sub_11060
    I use a similar custom C header file for IRP and IO_STACK_LOCATION structure definitions as I had mentioned in this thread. This would be the next step to sleuthing IRP_MJ_DEVICE_CONTROL. In your case you easily found the IOCTL_CODE without it, but further structure definitions can also point out the usermode buffers which can clarify the full disassembly if that's what you're going for.

    http://www.woodmann.com/forum/showthread.php?14561-Had-to-say-(Driver-Debugging-Basics)&p=91470#post91470
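As an added check (example code written for this page, not from either poster or from the driver under discussion): the dispatch routine posted above compares edx against five IOCTL codes, and the post above notes that structure definitions are what eventually point out the usermode buffers. Which buffer that is follows from the transfer method encoded in the IOCTL itself, so the decoder below pulls DeviceType, Function, Method and Access out of a code using the DDK's CTL_CODE bit layout and reports where the caller's data sits in the IRP for that method. The list of codes is copied from the listing; the x86 IRP and IO_STACK_LOCATION offsets in the comments are standard 32-bit layout facts, not something this thread establishes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* CTL_CODE(DeviceType, Function, Method, Access) packs as:
 *   bits 31..16  DeviceType     (>= 0x8000 is vendor-defined)
 *   bits 15..14  RequiredAccess (FILE_ANY_ACCESS / FILE_READ_ACCESS / FILE_WRITE_ACCESS)
 *   bits 13..2   Function       (>= 0x800 is vendor-defined)
 *   bits  1..0   TransferType   (METHOD_*)
 */
enum { METHOD_BUFFERED = 0, METHOD_IN_DIRECT = 1, METHOD_OUT_DIRECT = 2, METHOD_NEITHER = 3 };
enum { FILE_ANY_ACCESS = 0, FILE_READ_ACCESS = 1, FILE_WRITE_ACCESS = 2 };

struct ioctl_fields {
    uint16_t device_type;
    uint16_t function;
    uint8_t  method;
    uint8_t  access;
};

/* Split a 32-bit IOCTL code into its four CTL_CODE fields. */
struct ioctl_fields ioctl_decode(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3);
    f.function    = (uint16_t)((code >> 2) & 0xFFF);
    f.method      = (uint8_t)(code & 0x3);
    return f;
}

/* Inverse of ioctl_decode: the CTL_CODE macro as a function. */
uint32_t ioctl_encode(uint16_t device_type, uint16_t function, uint8_t method, uint8_t access)
{
    return ((uint32_t)device_type << 16) | ((uint32_t)(access & 0x3) << 14)
         | ((uint32_t)(function & 0xFFF) << 2) | (uint32_t)(method & 0x3);
}

/* Where the caller's data lands for each transfer type (x86 offsets in brackets).
 * METHOD_NEITHER hands the driver raw user-mode pointers, which is why a handler
 * for such a code must ProbeForRead/ProbeForWrite them before dereferencing. */
const char *ioctl_buffer_location(uint8_t method)
{
    switch (method) {
    case METHOD_BUFFERED:
        return "input and output in Irp->AssociatedIrp.SystemBuffer [Irp+0Ch]";
    case METHOD_IN_DIRECT:
    case METHOD_OUT_DIRECT:
        return "input in Irp->AssociatedIrp.SystemBuffer [Irp+0Ch], output via Irp->MdlAddress [Irp+04h]";
    case METHOD_NEITHER:
        return "input in IoStack->Parameters.DeviceIoControl.Type3InputBuffer [IoStack+10h], output in Irp->UserBuffer [Irp+3Ch]";
    }
    return "?";
}

/* Constructed input: the codes the posted handler compares edx against. */
static const uint32_t posted_codes[] = { 0xC07FE000u, 0xC07FE004u, 0xC07FE018u, 0xC07FE020u, 0xC07FE024u };

int main(void)
{
    size_t i;
    for (i = 0; i < sizeof posted_codes / sizeof posted_codes[0]; i++) {
        struct ioctl_fields f = ioctl_decode(posted_codes[i]);
        printf("0x%08X: DeviceType=0x%04X Function=0x%03X Method=%u Access=%u -> %s\n",
               posted_codes[i], f.device_type, f.function, f.method, f.access,
               ioctl_buffer_location(f.method));
    }
    return 0;
}
```

All five codes decode to a vendor device type of 0xC07F, METHOD_BUFFERED and FILE_READ_ACCESS|FILE_WRITE_ACCESS, with functions 0x800 through 0x809, so in this handler the buffer to chase after the IoControlCode load is Irp->AssociatedIrp.SystemBuffer.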

  3. #3 (Super Moderator)
    I think the lady thinks that I want to buy her a sip of orange juice.

    Didn't you say that paste was what you use (explicitly implying I ought not meddle with it?)

    The beautiful inebriated lady refuses to dance and wants to drink nine more errors.

    Code:
    The initial autoanalysis has been finished.
    Command "LoadHeaderFile" failed              
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,5: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,6: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,7: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,8: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,9: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,10: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,11: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,12: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,13: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,14: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,15: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,16: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,17: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,18: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,19: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,20: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,21: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,22: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,23: Syntax error near: ULONG
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,24: Syntax error near: ULONG
    Total 20 errors      <---------------- need to set up compiler <------ Options -> Compiler -> Visual C++ -> done
    Plan  FLIRT signature: Microsoft VisualC 2-8/net runtime
    autoload.cfg: vc32rtf.sig autoloads vc6win.til
    Using FLIRT signature: Microsoft VisualC 2-8/net runtime
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,40: Syntax error near: CSHORT  <--- ? need USHORT works 
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,41: Syntax error near: CSHORT
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,42: Syntax error near: PDEVICE_OBJECT        <--- ? need PULONG, works for all below
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,47: Syntax error near: PDRIVER_EXTENSION
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,50: Syntax error near: PFAST_IO_DISPATCH
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,51: Syntax error near: PDRIVER_INITIALIZE
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,52: Syntax error near: PDRIVER_STARTIO
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,53: Syntax error near: PDRIVER_UNLOAD
    Error C:\Documents and Settings\Admin\My Documents\Driver\origdrvobjstrct.h,58: Syntax error near: }
    Total 9 errors
    
    
    
    C:\Documents and Settings\Admin\My Documents\\Driver>fc origdrvobjstrct.h drvobjstrct.h
    Comparing files origdrvobjstrct.h and DRVOBJSTRCT.H
    ***** origdrvobjstrct.h
    typedef struct _myDRIVER_OBJECT {
        CSHORT Type;
        CSHORT Size;
        PDEVICE_OBJECT DeviceObject;
        ULONG Flags;
    ***** DRVOBJSTRCT.H
    typedef struct _myDRIVER_OBJECT {
        USHORT Type;
        USHORT Size;
        PULONG DeviceObject;
        ULONG Flags;
    *****
    
    ***** origdrvobjstrct.h
        PVOID DriverSection;
        PDRIVER_EXTENSION DriverExtension;
        UNICODE_STRING DriverName;
    ***** DRVOBJSTRCT.H
        PVOID DriverSection;
        PULONG DriverExtension;
        UNICODE_STRING DriverName;
    *****
    
    ***** origdrvobjstrct.h
        PUNICODE_STRING HardwareDatabase;
        PFAST_IO_DISPATCH FastIoDispatch;
        PDRIVER_INITIALIZE DriverInit;
        PDRIVER_STARTIO DriverStartIo;
        PDRIVER_UNLOAD DriverUnload;
    
    ***** DRVOBJSTRCT.H
        PUNICODE_STRING HardwareDatabase;
        PULONG FastIoDispatch;
        PULONG DriverInit;
        PULONG DriverStartIo;
        PULONG DriverUnload;
    
    *****
    
    ***** origdrvobjstrct.h
    
    typedef struct DEVICE_OBJECT *PDEVICE_OBJECT;
    ***** DRVOBJSTRCT.H
    *****
    
    C:\Documents and Settings\Admin\My Documents\Driver\drvobjstrct.h: successfully compiled

    BTW, maybe we should cut/paste this into a separate thread, what do you say?

  4. #4 (Kayaker)
    She has a limp, you built her a crutch, good on ya. The more expensive ladies don't limp.

  5. #5 (Super Moderator)
    I can live with her holding the PULONG crutch, at least I can cut the long into a short,
    but what about CSHORT? How can I u@#$%^s shorts?

    Also, after I select one +70, won't 68, 6c etc. get the other IoCtl defs? (I mean, do I have to find 28 places and set each of them with XXX.YYY[zzz]?)

    Also, if mov [ebx+70], 0xXXXXXXX, this dword which is a handler and does have a standard function definition like

    RetWhatever DoSomething ( Do1 this , Do2 that ,DoNot What) ;

    so is automatic propagation possible?

    Like mov [ebx+70],0xXXXXXXXX becomes

    mov [ebx+Driver_object->MajorFunction[IRP_MJ_DEVICE_CONTROL] , _DispatchXXX ( PDEVICE_OBJECT DeviceObject, PIRP Irp)


    and at

    XXXXXXXX

    it becomes a function, its arg_0 transformed into *devobj and arg_1 transformed to *irp.

    And

    you also posted IDA has its own definition of DRIVER_OBJECT; how to load it?

    And thanks for splitting the thread.

  6. #6 (Kayaker)
    IDA Free doesn't have a Type Library (*.til) for ntddk.h, thus no driver defs or useful function type propagation. As for some of the other stuff to fancy up the disassembly, there's a lot you can do with IDC scripts as well.

    Try this format instead for the header file.

    Code:
    struct UNICODE_STRING
    {
      __int16 Length;
      __int16 MaximumLength;
      void *Buffer;
    };
    
    struct DRIVER_OBJECT
    {
      __int16 Type;
      __int16 Size;
      void *DeviceObject;
      int Flags;
      void *DriverStart;
      int DriverSize;
      void *DriverSection;
      void *DriverExtension;
      UNICODE_STRING DriverName;
      void *HardwareDatabase;
      void *FastIoDispatch;
      void *DriverInit;
      void *DriverStartIo;
      void *DriverUnload;
      void *MajorFunction[28];
    };
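An added offline cross-check (example code written for this page, not from either poster): both headers in this thread describe the same x86 DRIVER_OBJECT, and the thing a reader wants to verify before trusting the applied structure is that the raw displacements in the listing really land on the members IDA names. The model below uses fixed-width types for every pointer-sized member so that offsetof() reproduces the 32-bit layout even when compiled on a 64-bit host, and driver_object_field() turns a displacement like the 70h in mov ebx,[eax+70h] into the member name, including the IRP_MJ_* index into MajorFunction[]. The displacements fed to main() are the ones from the beep.sys DriverEntry listing earlier in the thread; the IRP_MJ_* numbering is the wdm.h one reproduced above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IRP_MJ_MAXIMUM_FUNCTION 0x1b

/* x86 UNICODE_STRING: two USHORTs and a 32-bit PWSTR. */
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    uint32_t Buffer;
} UNICODE_STRING32;

/* x86 DRIVER_OBJECT with every pointer-sized member modelled as uint32_t. */
typedef struct {
    int16_t  Type;
    int16_t  Size;
    uint32_t DeviceObject;
    uint32_t Flags;
    uint32_t DriverStart;
    uint32_t DriverSize;
    uint32_t DriverSection;
    uint32_t DriverExtension;
    UNICODE_STRING32 DriverName;
    uint32_t HardwareDatabase;
    uint32_t FastIoDispatch;
    uint32_t DriverInit;
    uint32_t DriverStartIo;
    uint32_t DriverUnload;
    uint32_t MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
} DRIVER_OBJECT32;

/* IRP major function codes in wdm.h order (index == code). */
static const char *const irp_mj_names[IRP_MJ_MAXIMUM_FUNCTION + 1] = {
    "IRP_MJ_CREATE", "IRP_MJ_CREATE_NAMED_PIPE", "IRP_MJ_CLOSE", "IRP_MJ_READ",
    "IRP_MJ_WRITE", "IRP_MJ_QUERY_INFORMATION", "IRP_MJ_SET_INFORMATION",
    "IRP_MJ_QUERY_EA", "IRP_MJ_SET_EA", "IRP_MJ_FLUSH_BUFFERS",
    "IRP_MJ_QUERY_VOLUME_INFORMATION", "IRP_MJ_SET_VOLUME_INFORMATION",
    "IRP_MJ_DIRECTORY_CONTROL", "IRP_MJ_FILE_SYSTEM_CONTROL",
    "IRP_MJ_DEVICE_CONTROL", "IRP_MJ_INTERNAL_DEVICE_CONTROL", "IRP_MJ_SHUTDOWN",
    "IRP_MJ_LOCK_CONTROL", "IRP_MJ_CLEANUP", "IRP_MJ_CREATE_MAILSLOT",
    "IRP_MJ_QUERY_SECURITY", "IRP_MJ_SET_SECURITY", "IRP_MJ_POWER",
    "IRP_MJ_SYSTEM_CONTROL", "IRP_MJ_DEVICE_CHANGE", "IRP_MJ_QUERY_QUOTA",
    "IRP_MJ_SET_QUOTA", "IRP_MJ_PNP",
};

struct field_desc { const char *name; size_t off; };
#define FIELD(m) { #m, offsetof(DRIVER_OBJECT32, m) }
static const struct field_desc scalar_fields[] = {
    FIELD(Type), FIELD(Size), FIELD(DeviceObject), FIELD(Flags), FIELD(DriverStart),
    FIELD(DriverSize), FIELD(DriverSection), FIELD(DriverExtension), FIELD(DriverName),
    FIELD(HardwareDatabase), FIELD(FastIoDispatch), FIELD(DriverInit),
    FIELD(DriverStartIo), FIELD(DriverUnload),
};

/* Turn a displacement such as the 70h in [eax+70h] into the member name IDA
 * would print once the structure is applied. Returns NULL when off is past the
 * end of the structure or not on a member boundary (e.g. inside DriverName).
 * The result lives in a static buffer and is overwritten by the next call. */
const char *driver_object_field(uint32_t off)
{
    static char buf[64];
    size_t i, mj = offsetof(DRIVER_OBJECT32, MajorFunction);

    for (i = 0; i < sizeof scalar_fields / sizeof scalar_fields[0]; i++) {
        if (off == scalar_fields[i].off) {
            snprintf(buf, sizeof buf, "%s", scalar_fields[i].name);
            return buf;
        }
    }
    if (off >= mj && off < sizeof(DRIVER_OBJECT32) && (off - mj) % sizeof(uint32_t) == 0) {
        snprintf(buf, sizeof buf, "MajorFunction[%s]", irp_mj_names[(off - mj) / sizeof(uint32_t)]);
        return buf;
    }
    return NULL;
}

uint32_t driver_object_size(void) { return (uint32_t)sizeof(DRIVER_OBJECT32); }

int main(void)
{
    /* Constructed input: the displacements written by the beep.sys DriverEntry listing above. */
    static const uint32_t beep_offsets[] = { 0x30, 0x34, 0x38, 0x40, 0x70, 0x80 };
    size_t i;
    printf("sizeof(DRIVER_OBJECT) on x86 = 0x%X, MajorFunction at +0x%X\n",
           driver_object_size(), (unsigned)offsetof(DRIVER_OBJECT32, MajorFunction));
    for (i = 0; i < sizeof beep_offsets / sizeof beep_offsets[0]; i++) {
        const char *name = driver_object_field(beep_offsets[i]);
        printf("[eax+%02Xh] -> %s\n", beep_offsets[i], name ? name : "(not a member boundary)");
    }
    return 0;
}
```

The resolver only accepts offsets that start a member; a displacement such as 1Eh (two bytes into DriverName) or 72h (mid-entry in MajorFunction) returns NULL, which is the case where an applied structure in IDA would be hiding a field-size mismatch rather than explaining one.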
