daaximus

#include <windows.h>
#include <gdiplus.h>
#include <string>
#include <iostream>
#include <fstream>

using namespace Gdiplus;
#pragma comment (lib,"Gdiplus.lib")

int get_encoder_clsid( const WCHAR* format, CLSID* clsid )

daaximus

import idautils
import idaapi
import idc

def get_func_prototype(ea):
    tinfo = idaapi.tinfo_t()
    if idaapi.get_tinfo(tinfo, ea):
        return idaapi.print_tinfo("", 0, 0, idaapi.PRTYPE_1LINE, tinfo, "", "")
    else:
        return None

daaximus

import idaapi
import idc
import idautils
import ida_auto
import ida_bytes

def is_call_instruction(ea):
    return 'call' in idc.generate_disasm_line(ea, idc.GENDSM_FORCE_CODE)

def is_rsp_add_instruction(ea):

daaximus

0000:0000=Device
0000:0002=USB Implementer Forum Mass Storage
0000:3825=USB Mouse
0000:7777=USB Flash Drive
0001:0001=Gaming Optical Mouse5
0001:142b=Arbiter Systems, Inc.
0001:7778=Fry's Electronics Counterfeit flash drive [Kingston]
0002:0002=Ingram passport00
0002:7007=Ingram HPRT XT300
0009:21e7=Sagemcom

daaximus

[WINDOWS 11 22621.1105]

"Type", 0x2
"Directory", 0x3
"SymbolicLink", 0x4
"Token", 0x5  
"Job", 0x6  
"Process", 0x7  
"Thread", 0x8  

daaximus

IDAPython CTREE

Important links

• Hex-Rays Decompiler Primer
• hexrays.hpp

Description

The CTREE is built from the optimized microcode (maturity at CMAT_FINAL), it represents an AST-like tree with C statements and expressions. It can be printed as C code.

daaximus

#include <string>
#include <atlbase.h>
#include <imapi2fs.h>

void create_iso( std::wstring_view src, std::wstring_view iso_path )
{
    HRESULT hr;
    IFileSystemImage* fsimg;
    IFsiDirectoryItem* fsdir;
    IFileSystemImageResult* fsresult;

daaximus

typedef struct _ioctl_t
{
	const char* ioctl_name;
	uint64_t ctl_code;
} ioctl_t;

// This would likely be better used in some unordered map. This is just a temporary data structure for testing resolution.
//
// Results from NtDeviceIoControlFile hook:
// utweb.exe (14916)   ::  NtDeviceIoControlFile( 0x65c (\Device\Afd), 0x694, 0x0000000000000000, 0x0000000000000000, 0x00000000044DEE90, 0x12024 (IOCTL_AFD_SELECT), 0x0000000004A3FC18, 0x34, 0x0000000004A3FC18, 0x34 )