Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

fail to analyze DriverEntry and other recognized library functions

See original GitHub issue

While we want to skip over most library functions for analysis, certain functions should be analyzed!

See 493167e85e45363d09495d0841c30648.sys_:0x401000 == DriverEntry.

This should include the below strings and their variations

DriverEntry
main
wmain
WinMain
DllMain

Maybe we can just look for the main substring although that will also capture functions like _domain_err or ___tmainCRTStartup.

Issue Analytics

State:
Created 2 years ago
Comments:9

Top GitHub Comments

1reaction

mr-tzcommented, May 19, 2021

it fails on the second example which appears to really be a library function

0reactions

williballenthincommented, May 19, 2021

capa ignores the example function

Top Results From Across the Web

DriverEntry for WDF Drivers routine - Windows - Microsoft Learn

DriverEntry is the first driver-supplied routine that is called after a driver is loaded. It is responsible for initializing the driver.

Issues linking Aux_Klib.h - c++ - Stack Overflow

The error I get for this is: error LNK2019: unresolved external symbol AuxKlibInitialize referenced in function DriverEntry.

windows-driver-docs/using-static-driver-verifier-to-find-defects ...

If the driver does not declare functions by using the function role types, SDV will be unable to analyze and find defects in...

Microsoft Windows Server 2008 R2 Kernel Mode ...

Primitives Library (cng.sys) Security Policy Document ... Count, Io Write Transfer Count, Io Other Transfer Count, Io Read Operation Count, ...

man pages section 9: DDI and DKI Driver Entry Points

The new environment may include a different processor, operating system, ... Driver developers did not use existing kernel functions where available, ...