From 96be3fa7ba870466dcea9371916a8709bd15e0d7 Mon Sep 17 00:00:00 2001
From: Paolo 'VoidSec' Stagno
Date: Mon, 25 Apr 2022 22:22:21 +0200
Subject: [PATCH] partial fix #15
---
 DriverBuddyReloaded.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/DriverBuddyReloaded.py b/DriverBuddyReloaded.py
index 0f77c4f..1f08976 100644
--- a/DriverBuddyReloaded.py
+++ b/DriverBuddyReloaded.py
@@ -214,8 +214,8 @@ def find_all_ioctls():
 if idc.print_insn_mnem(instr) in ['cmp', 'sub', 'mov'] and idc.get_operand_type(instr, 1) == 5:
 value = get_operand_value(instr)
 digits = utils.check_digits(value)
- # value has 10 digits and is not a known NTSTATUS value
- if digits == 10 and value not in NTSTATUS.ntstatus_values:
+ # value has more than 2 digits (lower false positives) and is not a known NTSTATUS value
+ if digits > 2 and value not in NTSTATUS.ntstatus_values:
 ioctls.append((instr, value))
 ioctl_tracker.add_ioctl(instr, value)
 return ioctls
@@ -260,7 +260,8 @@ def get_position_and_translate():
 value = get_operand_value(pos)
 digits = utils.check_digits(value)
- if digits == 10 and value not in NTSTATUS.ntstatus_values:
+ # value has more than 2 digits (lower false positives) and is not a known NTSTATUS value
+ if digits > 2 and value not in NTSTATUS.ntstatus_values:
 ioctl_tracker.add_ioctl(pos, value)
 define = ioctl_decoder.get_define(value)
 make_comment(pos, define)
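Review bot: The new comment in find_all_ioctls says the relaxed test lowers false positives, but widening `digits == 10` to `digits > 2` admits every immediate of three or more digits that is not a listed NTSTATUS value, so it reduces missed IOCTL codes at the cost of more false positives; the comment should say that, e.g. `# accept any value with more than 2 digits (fewer missed IOCTLs, more false positives); skip known NTSTATUS values`. The condition also has no upper bound: assuming check_digits counts decimal digits, an immediate wider than 32 bits passes even though an IOCTL code is a 32-bit value, so `if digits > 2 and value <= 0xFFFFFFFF and value not in NTSTATUS.ntstatus_values:` would drop obvious non-candidates. The same condition and comment are repeated in the get_position_and_translate hunk, so a small shared predicate would keep the two call sites in step. Both function bodies start outside their hunks, so how the results are consumed is not visible here.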