cs_driver.c File Reference

#include <ntddk.h>
#include <capstone/capstone.h>

Go to the source code of this file.

Functions
static NTSTATUS	cs_driver_hello ()
EXTERN_C NTSTATUS	DriverEntry (PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
_Use_decl_annotations_ int __cdecl	printf (const char *const _Format,...)

Variables
DRIVER_INITIALIZE	DriverEntry

Function Documentation

cs_driver_hello()

static NTSTATUS cs_driver_hello ( )

static

Definition at line 46 of file cs_driver.c.

                                  {
  csh handle;
  cs_insn *insn;
  size_t count;
  KFLOATING_SAVE float_save;
  NTSTATUS status = STATUS_UNSUCCESSFUL;
 
  // Any of Capstone APIs cannot be called at IRQL higher than DISPATCH_LEVEL
  // since our malloc implementation based on ExAllocatePoolWithTag() is not able
  // to allocate memory at higher IRQL than the DISPATCH_LEVEL level.
  NT_ASSERT(KeGetCurrentIrql() <= DISPATCH_LEVEL);
 
  // On a 32bit driver, KeSaveFloatingPointState() is required before using any
  // Capstone function because Capstone can access to the MMX/x87 registers and
  // 32bit Windows requires drivers to use KeSaveFloatingPointState() before and
  // KeRestoreFloatingPointState() after accessing them. See "Using Floating
  // Point or MMX in a WDM Driver" on MSDN for more details.
  status = KeSaveFloatingPointState(&float_save);
  if (!NT_SUCCESS(status)) {
    return status;
  }
 
  // Do stuff just like user-mode. All functionalities are supported.
  if (cs_open(CS_ARCH_X86, (sizeof(void *) == 4) ? CS_MODE_32 : CS_MODE_64,
              &handle) != CS_ERR_OK) {
    goto exit;
  }
 
  count = cs_disasm(handle, (uint8_t *)&cs_driver_hello, 0x80,
                    (uint64_t)&cs_driver_hello, 0, &insn);
  if (count > 0) {
    printf("cs_driver!cs_driver_hello:\n");
    for (size_t j = 0; j < count; j++) {
      printf("0x%p\t%s\t\t%s\n", (void *)(uintptr_t)insn[j].address,
             insn[j].mnemonic, insn[j].op_str);
    }
    cs_free(insn, count);
  }
  cs_close(&handle);
 
exit:;
  // Restores the nonvolatile floating-point context.
  KeRestoreFloatingPointState(&float_save);
  return status;
}

References count, CS_ARCH_X86, cs_close(), cs_disasm(), capstone::CS_ERR_OK, cs_free(), CS_MODE_32, CS_MODE_64, cs_open(), test-lz4-list::exit, handle, KeGetCurrentIrql, KeRestoreFloatingPointState, KeSaveFloatingPointState, NT_SUCCESS, printf(), status, and STATUS_UNSUCCESSFUL.

Referenced by DriverEntry().

DriverEntry()

EXTERN_C NTSTATUS DriverEntry	(	PDRIVER_OBJECT	DriverObject,
		PUNICODE_STRING	RegistryPath
	)

Definition at line 35 of file cs_driver.c.

                                                            {
  printf("Entering DriverEntry()\n");
 
  cs_driver_hello();
 
  printf("Leaving DriverEntry()\n");
  return STATUS_CANCELLED;
}

References cs_driver_hello(), printf(), and STATUS_CANCELLED.

printf()

_Use_decl_annotations_ int __cdecl printf	(	const char *const	_Format,
			...
	)

Definition at line 93 of file cs_driver.c.

                                                                           {
  NTSTATUS status;
  va_list args;
 
  va_start(args, _Format);
  status = vDbgPrintEx(DPFLTR_DEFAULT_ID, DPFLTR_ERROR_LEVEL, _Format, args);
  va_end(args);
  return NT_SUCCESS(status);
}

References args, NT_SUCCESS, and status.

Referenced by __dumpSections(), __listPlugins(), __print_prompt(), __rtr_shell(), __system(), _main(), aarch64_decode_insn(), ARG_CALLBACK(), base36_decode(), bench(), build_hash_table(), build_opcode_table(), cabinfo(), calculate_luhn(), check_multi_info(), compare_zip(), compress_file(), compress_file_internal(), confirm_replace(), count_extra(), count_extra_by_id(), cs_driver_hello(), dbdiff_cb(), decode_ins(), decode_unknown(), decompress_file(), decompress_file_allocDst(), decompress_file_internal(), determine_disassembling_preference(), diff_output(), diff_output_file(), diffrow(), Display64BitsSize(), display_byte_table(), display_polynomial(), display_table(), do_banner(), do_decode(), do_extract(), do_extract_currentfile(), do_extract_onefile(), do_help(), do_list(), do_read(), DriverEntry(), drx_list(), dump_ARC_extmap(), enough(), ensure_header(), extract_binobj(), format_output(), fullSpeedBench(), FUZ_test(), FUZ_unitTests(), get_archive_comment(), get_block_size(), get_extra(), get_extra_by_id(), get_file_comment(), get_hash_code(), get_ins_bits(), get_ins_part(), get_num_entries(), get_token_decoded(), getFileCrc(), getinfo(), getopt(), gprobe_get_reply_sp(), gprobe_getdeviceid(), graph_construct_edges(), graph_construct_nodes(), hardware_memlimit_show(), hash_context_compare_hashes(), hash_context_run(), hash_print_crypto(), hash_print_digest(), help(), hexdump(), hit(), idle_cb(), interact(), is_seekable(), isLargeFile(), list(), LLVMFuzzerTestOneInput(), load_spanning_cabinets(), lzma_attribute(), lzmainfo(), mach_headerfields(), main(), main_help(), main_print_var(), makedir(), memlimit_show(), message_help(), message_version(), mpc_print(), mpc_print_unretained(), mpc_stats(), mpc_test_pass(), name_locate(), nios2_init_opcode_hash(), on_type(), prep_cb(), print_adv_helper(), print_and_check_il(), print_ascii_table(), print_assembly_output(), print_bin_string(), print_buf(), print_color_node(), print_crc32_table(), print_crc64_table(), print_demangler_info(), print_details(), print_hex_from_base2(), print_info_adv(), print_info_basic(), print_info_robot(), print_insn(), print_insn_detail(), print_insn_detail_arm(), print_insn_detail_arm64(), print_insn_detail_evm(), print_insn_detail_m680x(), print_insn_detail_m68k(), print_insn_detail_mips(), print_insn_detail_ppc(), print_insn_detail_sparc(), print_insn_detail_sysz(), print_insn_detail_tms320c64x(), print_insn_detail_x86(), print_insn_detail_xcore(), print_label(), print_log(), print_lz_table(), print_new_results(), print_price_table(), print_read_write_regs(), print_result_diff(), print_runner(), print_state(), print_state_counts(), print_string(), print_string_hex(), print_string_hex_short(), print_totals_adv(), print_totals_basic(), print_totals_robot(), process_cabinet(), processNode(), progress_callback(), PUT_CALLBACK(), rabin_dump_symbols(), rabin_show_help(), rabin_show_srcline(), rasm_asm(), rasm_disasm(), rasm_show_help(), rax(), read_name(), reader(), rip(), run(), run_f_list(), run_screaming(), rz_asm_list_directives(), rz_bin_new(), rz_bp_new(), rz_cf_value_array_print(), rz_cf_value_bool_print(), rz_cf_value_data_print(), rz_cf_value_dict_print(), rz_cf_value_integer_print(), rz_cf_value_null_print(), rz_cf_value_string_print(), rz_cmd_macro_init(), rz_cons_fgets(), rz_cons_hud(), rz_core_diff_show(), rz_core_diff_show_function(), rz_debug_gdb_reg_read(), rz_debug_new(), rz_diff_calculate_distance(), rz_diff_show_help(), rz_diff_unified_files(), rz_egg_Cfile_parser(), rz_hash_show_algorithms(), rz_hash_show_help(), rz_lang_new(), rz_lang_prompt(), rz_lib_list(), rz_lib_open_ptr(), rz_line_readline_cb(), rz_main_rizin(), rz_main_rz_agent(), rz_main_rz_asm(), rz_main_rz_bin(), rz_main_rz_find(), rz_main_rz_gg(), rz_main_rz_run(), rz_main_version_print(), rz_main_version_verify(), rz_print_bytes(), rz_range_list(), rz_range_percent(), rz_sign_show_help(), rz_socket_http_post(), rz_test_main(), rzfind_open_file(), sdb_grep_dump(), search(), selection_widget_draw(), selection_widget_erase(), show_analinfo(), show_help(), showanalysis(), showcount(), showusage(), signal_handler(), spp_help(), spp_proc_eval(), spp_proc_list(), spp_proc_list_kw(), spp_proc_set(), TAG_CALLBACK(), tar(), test(), test_invalids(), test_or(), test_valids(), ts_query__analyze_patterns(), ts_subtree_get_changed_ranges(), usage(), writer(), and zstat().

Variable Documentation

DriverEntry

DRIVER_INITIALIZE DriverEntry

Definition at line 30 of file cs_driver.c.