The CTREE is built from the optimized microcode (maturity at CMAT_FINAL), it represents an AST-like tree with C statements and expressions. It can be printed as C code.
daaximus
/ idapython_ctree.md
Created
October 20, 2022 19:20
— forked from trietptm/idapython_ctree.md
Notes on CTREE usage with IDAPython
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <string> | |
| #include <atlbase.h> | |
| #include <imapi2fs.h> | |
| void create_iso( std::wstring_view src, std::wstring_view iso_path ) | |
| { | |
| HRESULT hr; | |
| IFileSystemImage* fsimg; | |
| IFsiDirectoryItem* fsdir; | |
| IFileSystemImageResult* fsresult; |
daaximus
/ ioctl_names.cpp
Last active
November 16, 2025 05:47
Most IOCTLs mapped to their code names
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| typedef struct _ioctl_t | |
| { | |
| const char* ioctl_name; | |
| uint64_t ctl_code; | |
| } ioctl_t; | |
| // This would likely be better used in some unordered map. This is just a temporary data structure for testing resolution. | |
| // | |
| // Results from NtDeviceIoControlFile hook: | |
| // utweb.exe (14916) :: NtDeviceIoControlFile( 0x65c (\Device\Afd), 0x694, 0x0000000000000000, 0x0000000000000000, 0x00000000044DEE90, 0x12024 (IOCTL_AFD_SELECT), 0x0000000004A3FC18, 0x34, 0x0000000004A3FC18, 0x34 ) |
NewerOlder