[FEATURE] Some pooltags aren't recognized

[eranzim]

Describe the bug
Pooltags which aren't immediate values in the correct place, but possibly propagated via a register, aren't found.
Example code snippet:

...
mov     ebp, 'ABCD'
mov     rdx, rax        ; NumberOfBytes
mov     r8d, ebp        ; Tag
call    cs:ExAllocatePoolWithTag

Expected behavior
All Pooltags should be found

Desktop (please complete the following information):

• OS and version: Windows 10 21H2 (19044.1586)
• IDA version: IDA 7.7 SP1
• DriverBuddyReloaded Version: latest (1.3)
• Python Version: 3.9.5

[VoidSec]

I can see your point in having DriverBuddyReloaded recognize the above-mentioned case, unfortunately, it is easier said than done. At the beginning of the development, I've decided to exclude this case (it can also be applied to banned functions parameters) due to the added complexity that it brings in.

In order to do so, I would have to add some "backtracking" mechanism (able to work for both x86 and x64 function calling convention) that can trace the tag parameter across multiple opcodes that populate the register/push the value on the stack. In any case, it would only be able to find "hardcoded" immediate values but it will miss (AFAIK uncommon) run-time computed Tags.

While I agree that this feature would be nice to have, at the moment I do not have the time to implement that.
Plus, IDA is already able to correctly mark function's parameters as follows: