win_driver_plugin - A tool to help when dealing with Windows IOCTL codes or reversing Windows drivers
An IDA Pro plugin to help when working with IOCTL codes or reversing Windows drivers. By right-clicking on a potential IOCTL code a context menu option can be used to decode the value, alternatively Ctrl+Alt+D can be used. This will print a table with all decoded IOCTL codes each time a new one is decoded: By right-clicking on a decoded IOCTL code it's possible to mark it as invalid: This will leave any non-IOCTL define based comment contents intact. The right-click menu also included a display all defines option which display the CTL_CODE definitions for all IOCTL codes decoded in the current session: If you right click on the first instruction of the function you believe to be the IOCTL dispatcher a decode all options appears, this attempt to decode all IOCTL codes it can find in the function. This is super hacky but can speed things up most of the time. If you want to do this in a smarter way and can get Angr installed successfully, the 'Decode IOCTLs using Angr' option shown below will use symbolic execution to attempt to recover all IOCTL codes. This will deal with jump tables, optimizations etc whereas the dumb method is just looking for comparisons to constants.