The Tag<\/em> parameter that these 2 functions take is defined as:<\/p>\n\n\n\n The tag is a non-zero character literal of one to to four characters delimited by single quotation marks (for example, ‘Tag1’). The string is usually specified in reverse order (for example, ‘1gaT’). Each ASCII character in the tag must be a value in the range 0x20 (space) to 0x7E (tilde). Each allocation code path should use a unique pool tag to help debuggers and verifiers identify the code path.<\/p><\/blockquote>\n\n\n\n While I am not a kernel mode driver developer, and somehow kernel mode was never even that interesting to me, I did a fair amount of code reading over the years… primarily focused on snippets from Microsoft Documentation (DDK\/WDM), and rootkits’ source codes. And if there was one thing that stuck with me after reading all this code good\/bad-ness… it was that most of the developers rarely changed the tags used by these two memory allocation functions from the tags used in Microsoft samples – that is, ‘Ddk ‘, and ‘Wdm ‘.<\/p>\n\n\n\n So… assuming everyone does it… I went on an adventure to find out what actual tags are being used out there apart from these memorable two.<\/p>\n\n\n\n To address the question I looked at the corpora of 60K+ signed drivers for both 32- and 64- bit architectures, did some automation, data crunching, and eventually came up with a list of which exempt is presented below. And in fairness, I did hope I can find some interesting, playful tags, but reality was actually pretty boring…<\/p>\n\n\n\n So, without further ado, these are the top 20 tags I found:<\/p>\n\n\n\n Yup. Boooooring!<\/p>\n\n\n\n ‘Wdm ‘ is there on position 8, and the ‘Ddk ‘ was on position 40 (not shown on the list above).<\/p>\n\n\n\n Booooooring intensifies.<\/p>\n\n\n\n Unhappy, after not finding any groundbreaking results, I turned into the ‘scandalous’ area. I skimmed the list looking for obscenities, and lo and behold, I quickly discovered a driver that used the following tags:<\/p>\n\n\n\n and<\/p>\n\n\n\n Hooray. Thank you ‘O&O Software GmbH’. Finally this post has some meaning after all.<\/p>\n\n\n\n The hashes you are thinking of now are:<\/p>\n\n\n\n But it was still booooooring.<\/p>\n\n\n\n Then the other thing caught my eye. I was certainly perplexed by the findings that suggested a lot of tags are being reused by more than one, two companies. For instance, ‘AzCm’, ‘PcNw’, ‘AECB’, ‘MUgz’, ‘AzAd’, ‘QCDM’, ‘BtSS’, ‘AzWd’, and many more. I won’t list the companies, because I don’t want to get sued, but it is an interesting conundrum indeed. How come all of these companies use that particular tag, huh? The other striking discovery was that there is a lot of vendor-specific drivers that are re-using these tags and are at the same time signed by the ‘Microsoft Windows Hardware Compatibility Publisher’. I guess the latter phenomenon can be attributed to the Windows Hardware Compatibility Program (anyone knows?).<\/p>\n\n\n\n Back to these shared tags though… Is it possible that vendors either share code, get access to it via acquisition, or hire the same third party company to write their drivers? <\/p>\n\n\n\n This is a very important question… <\/p>\n\n\n\n If the answer is YES, then the same memory tags, code habits, and … bugs… propagate across a whole bunch of drivers. And this leads to a question: is hfiref0x<\/a> right? His research is pretty much killing it when it comes to buggy driver analysis. As he is constantly, continuously and consistently pointing out…. the copypasta in a driver industry is a a HUGE driver (pun intended) for many drivers exhibiting the same buggy ‘features’…<\/p>\n\n\n\n Perhaps it’s time I run my corpora via the ScrewedDrivers<\/a>…<\/p>\n\n\n\n Update<\/strong><\/p>\n\n\n\n After I posted it, I got some feedback on Twitter which I am posting below (Thx @attrc<\/a>!)<\/p>\n\n\n\n After cross-referencing with the ‘pooltag.txt’ file from the latest win10 sdk I I got the following result:<\/p>\n\n\n\n Developers of kernel drivers rely on these two memory allocation functions: ExAllocatePoolWithTag ExFreePoolWithTag The Tag parameter that these 2 functions take is defined as: The tag is a non-zero character literal of one to to four characters delimited by single … Continue reading ![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/04\/tag_1.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/04\/tag_2.png\")
<\/figure>\n\n\n\n