我是勤劳的搬运工，送给需要的人

from idaapi import *
from idc import *
import idautils

EXTERNALMETHOD             = "__ZN12IOUserClient14externalMethodEjP25IOExternalMethodArgumentsP24IOExternalMethodDispatchP8OSObjectPv"
GETNOTIFICATIONSEMAPHORE   =
"__ZN12IOUserClient24getNotificationSemaphoreEmPP9semaphore"
GETTARGETANDMETHODFORINDEX =
"__ZN12IOUserClient26getTargetAndMethodForIndexEPP9IOServicem"
EXTERNALMETHOD_OFFSET             = -8;
GETTARGETANDMETHODFORINDEX_OFFSET = 7;

def find_sMethods():
    func_ea = LocByName(GETNOTIFICATIONSEMAPHORE)
    print "IOUserClient::getNotificationSemaphore at %08x" % func_ea

    xrefs = XrefsTo(func_ea)    for xref in xrefs:
        extra_msg = ""
        external_method_ea = xref.frm + EXTERNALMETHOD_OFFSET * 4;
        content_ea = Dword(external_method_ea) & 0xFFFFFFFE;
        if content_ea & 0xFFFFFFFE != LocByName(EXTERNALMETHOD):
            extra_msg += "IOUserClient::externalMethod overriden (%08x - %s) " % (content_ea & 0xFFFFFFFE, GetFunctionName(content_ea))

        gettarget_method_ea = xref.frm + GETTARGETANDMETHODFORINDEX_OFFSET * 4;
        content_ea = Dword(gettarget_method_ea) & 0xFFFFFFFE;
        if content_ea != LocByName(GETTARGETANDMETHODFORINDEX):
            extra_msg += "IOUserClient::getTargetAndMethodFromIndex overriden (%08x - %s) " % (content_ea & 0xFFFFFFFE, GetFunctionName(content_ea))

        driver=SegName(xref.frm)
        driver=driver[:driver.index(':')]

        print "%s - %s" % (driver, extra_msg)

if __name__ == '__main__':
    find_sMethods()
    print "Done!"

好像很牛逼的样子，完全看不懂。

额，这是在寻找ht公司泄露文件时发现的某人写的寻找UserClient sMethods IDA脚本，我看不懂所以转给大家看看

好像很牛逼的样子，完全看不懂。