WDK 10.0.26100.0 GDT for Ghidra 12

WDK 10.0.26100.0 GDT (Ghidra Data Type archive) for Ghidra 12, generated with clang preprocessing plus a sanitization pass so that Ghidra's C parser accepts all of the kernel/CRT prototypes.

IDA Pro does this automatically through its bundled type libraries; in Ghidra it is not as easy.
If you decompile a .sys driver in Ghidra without the correct kernel/driver prototypes, structs, enums and constants, the decompiler cannot show real signatures (IoCreateDevice, IRP dispatch handlers, etc.); instead the parameters and return values come out as undefined*.

This can be solved by generating a .gdt file from the aggregated kernel headers (ntddk, wdm, ntifs, fltKernel, etc.) plus the CRT/UM/UCRT headers and the MSVC includes.

How to use it: in the Data Type Manager, open the pre-generated .gdt (File > Open File Archive). Right-click the archive and select "Apply Function Data Types", which assigns the archive's prototype to every function in the program whose name matches, and then run Auto Analyze again so the decompiler propagates the new types. Note that the name matching only covers imports such as IoCreateDevice; the driver's own DriverEntry and IRP dispatch routines still have to be retyped by hand, e.g. with the archive's PDRIVER_DISPATCH typedef.

This .gdt targets kernel driver analysis (x64) and was generated from WDK 10.0.26100.0 headers with VS2022 MSVC includes. 
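As an added illustration of the generation step (example code, not the script from the repository linked below), the following Python builds the clang preprocessing command for an aggregated WDK header and then sanitizes the output so that Ghidra's parser (File > Parse C Source > Parse to File...) will accept it: `__declspec(...)`, `__attribute__(...)` and `__pragma(...)` are stripped with balanced-parenthesis matching, MSVC-only keywords and static_assert lines are removed, preprocessor residue is dropped, and only object-like `#define`s with integer bodies are kept so the constants survive. The install paths, the include-directory layout and the `-D` macros are assumptions to adjust for your machine; the sample input is constructed for the demonstration.

```python
#!/usr/bin/env python3
"""clang -E an aggregated WDK header and sanitize it for Ghidra's C parser.
Added example; paths, -D flags and the sample input are assumptions."""
import re
import shutil
import subprocess
import sys
from pathlib import Path

# Assumed install locations; edit for your machine.
WDK_INC = Path(r"C:\Program Files (x86)\Windows Kits\10\Include\10.0.26100.0")
MSVC_INC = Path(r"C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.44.35207\include")

# One translation unit pulling in every header family the archive should contain.
AGGREGATE_HEADER = "#include <ntddk.h>\n#include <wdm.h>\n#include <ntifs.h>\n#include <fltKernel.h>\n"


def clang_preprocess_cmd(aggregate: Path) -> list[str]:
    """-E -P: preprocess only, no line markers; -dD: keep #define bodies for constants."""
    incs = [WDK_INC / d for d in ("km", "km/crt", "shared", "ucrt", "um")] + [MSVC_INC]
    cmd = ["clang", "-E", "-P", "-dD", "--target=x86_64-pc-windows-msvc",
           "-fms-compatibility", "-fms-extensions", "-D_AMD64_", "-D_WIN64", "-x", "c"]
    for inc in incs:
        cmd += ["-I", str(inc)]
    return cmd + [str(aggregate)]


def _strip_balanced(text: str, keyword: str) -> str:
    """Remove keyword(...) including nested parentheses, e.g. __declspec(align(16))."""
    out, i, n = [], 0, len(text)
    while True:
        j = text.find(keyword, i)
        if j < 0:
            out.append(text[i:])
            return "".join(out)
        out.append(text[i:j])
        k = j + len(keyword)
        while k < n and text[k].isspace():
            k += 1
        if k >= n or text[k] != "(":      # bare keyword with no argument list: keep it
            out.append(text[j:k])
            i = k
            continue
        depth = 0
        while k < n:
            if text[k] == "(":
                depth += 1
            elif text[k] == ")":
                depth -= 1
                if depth == 0:
                    k += 1
                    break
            k += 1
        i = k


_DIRECTIVE = re.compile(r"^\s*#")
# Object-like #define whose body is an integer literal, optionally cast, e.g.
# "#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)". Function-like macros,
# #pragma, #undef and leftover line markers are dropped.
_CONST_DEFINE = re.compile(
    r"^\s*#\s*define\s+\w+\s+\(?\s*(?:\(\s*\w+\s*\))?\s*-?(?:0x[0-9A-Fa-f]+|\d+)[uUlL]*\s*\)?\s*$")
_MSVC_KEYWORDS = re.compile(r"\b__(?:forceinline|inline|restrict|unaligned|ptr32|ptr64|w64|sptr|uptr)\b")
_STATIC_ASSERT = re.compile(r"\b(?:_Static_assert|static_assert)\s*\([^;]*\)\s*;")


def sanitize(text: str) -> str:
    """Make clang -E output parseable by Ghidra; calling-convention keywords are left alone."""
    for kw in ("__declspec", "__attribute__", "__pragma"):
        text = _strip_balanced(text, kw)
    text = _MSVC_KEYWORDS.sub("", text)
    text = _STATIC_ASSERT.sub("", text)
    lines = [ln for ln in text.splitlines() if not _DIRECTIVE.match(ln) or _CONST_DEFINE.match(ln)]
    return "\n".join(lines) + "\n"


# Constructed sample of what clang -E -dD emits, used to exercise sanitize() offline.
SAMPLE_INPUT = """# 1 "wdm.h"
#pragma pack(push,8)
#define IRP_MJ_CREATE 0x00
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define CONTAINING_RECORD(address, type, field) ((type *)((PCHAR)(address) - (ULONG_PTR)(&((type *)0)->field)))
typedef struct __declspec(align(16)) _TEST { __int64 v; } TEST;
__declspec(dllimport) __forceinline NTSTATUS __stdcall IoCreateDevice(void) __attribute__((nothrow));
static_assert(sizeof(TEST) == 16, "size");
"""


def main(out_path: str = "wdk_preprocessed.h") -> None:
    agg = Path("aggregate.h")
    agg.write_text(AGGREGATE_HEADER)
    if shutil.which("clang") is None:
        sys.exit("clang not on PATH; sanitize(SAMPLE_INPUT) still works offline")
    pre = subprocess.run(clang_preprocess_cmd(agg), capture_output=True, text=True, check=True).stdout
    Path(out_path).write_text(sanitize(pre))
    print(f"wrote {out_path}; parse it in Ghidra via File > Parse C Source > Parse to File...")


if __name__ == "__main__":
    main()
```

The sanitized file is what you hand to Ghidra's Parse C Source dialog to produce the .gdt. The real headers hit many more constructs than this sample (intrinsics, `__builtin_offsetof`, `__int64`), so expect to grow the rule set until the parser stops complaining; the balanced-parenthesis stripper is the piece that a plain regex cannot replace, because `__declspec(align(16))` and `__pragma(warning(push))` nest.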


Download the pre-generated file or the script itself from here: https://github.com/jsacco/ghidraGDT

Happy Hacking!