def check(ctree_item):
lvar = ctree_item.get_lvar()
if lvar is not None:
return "LOCAL" if Helper.is_legal_type(lvar.type()) else None
if ctree_item.citype == idaapi.VDI_EXPR:
gvar = ctree_item.it.to_specific_type
if gvar.op == idaapi.cot_obj and Helper.is_legal_type(gvar.type):
return "GLOBAL"
def activate(self, ctx):
hx_view = idaapi.get_tform_vdui(ctx.form)
variable = hx_view.item.get_lvar() # lvar_t
if variable and Helper.is_legal_type(variable.type()):
index = list(hx_view.cfunc.get_lvars()).index(variable)
scanner = ShallowSearchVisitor(
hx_view.cfunc, self.temporary_structure.main_offset, index)
scanner.process()
for field in scanner.candidates:
self.temporary_structure.add_row(field)
scanner.clear()
def activate(self, ctx):
for idx in ctx.chooser_selection:
func_ea = idaapi.getn_func(idx - 1).startEA
try:
cfunc = idaapi.decompile(func_ea)
if cfunc is None:
continue
FunctionTouchVisitor(cfunc).process()
lvars = cfunc.get_lvars()
if not (lvars and lvars[0].is_arg_var and Helper.is_legal_type(lvars[0].type())):
continue
scanner = DeepSearchVisitor(cfunc, 0, 0)
scanner.process()
for field in scanner.candidates:
self.temporary_structure.add_row(field)
except idaapi.DecompilationFailure:
print "[Warning] Failed to decompile function at 0x{0:08X}".format(func_ea)
def scan(self, hx_view, variable):
if variable and Helper.is_legal_type(variable.type()):
definition_address = None if variable.is_arg_var else variable.defea
index = list(hx_view.cfunc.get_lvars()).index(variable)
# index = list(hx_view.cfunc.get_lvars()).index(variable)
if FunctionTouchVisitor(hx_view.cfunc).process():
hx_view.refresh_view(True)
# Because index of the variable can be changed after touching, we would like to calculate it appropriately
lvars = hx_view.cfunc.get_lvars()
if definition_address:
index = next(x for x in xrange(len(lvars))
if lvars[x].defea == definition_address)
scanner = DeepSearchVisitor(hx_view.cfunc,
self.temporary_structure.main_offset,
index)
scanner.process()
for field in scanner.candidates:
self.temporary_structure.add_row(field)
scanner.clear()
def hexrays_events_callback(*args):
global potential_negatives
hexrays_event = args[0]
if hexrays_event == idaapi.hxe_populating_popup:
form, popup, hx_view = args[1:]
item = hx_view.item # current ctree_item_t
if Actions.RecastItemRight.check(hx_view.cfunc, item):
idaapi.attach_action_to_popup(form, popup, Actions.RecastItemRight.name, None)
if Actions.RecastItemLeft.check(hx_view.cfunc, item):
idaapi.attach_action_to_popup(form, popup, Actions.RecastItemLeft.name, None)
if Actions.RenameOther.check(hx_view.cfunc, item):
idaapi.attach_action_to_popup(form, popup, Actions.RenameOther.name, None)
if Actions.RenameInside.check(hx_view.cfunc, item):
idaapi.attach_action_to_popup(form, popup, Actions.RenameInside.name, None)
if Actions.RenameOutside.check(hx_view.cfunc, item):
idaapi.attach_action_to_popup(form, popup, Actions.RenameOutside.name, None)
if hx_view.item.get_lvar() and Helper.is_legal_type(hx_view.item.get_lvar().type()):
idaapi.attach_action_to_popup(form, popup, Actions.ShallowScanVariable.name, None)
idaapi.attach_action_to_popup(form, popup, Actions.DeepScanVariable.name, None)
idaapi.attach_action_to_popup(form, popup, Actions.RecognizeShape.name, None)
if item.citype == idaapi.VDI_FUNC:
# If we clicked on function
if not hx_view.cfunc.entry_ea == idaapi.BADADDR: # Probably never happen
idaapi.attach_action_to_popup(form, popup, Actions.AddRemoveReturn.name, None)
idaapi.attach_action_to_popup(form, popup, Actions.ConvertToUsercall.name, None)
idaapi.attach_action_to_popup(form, popup, Actions.DeepScanReturn.name, None)
elif item.citype == idaapi.VDI_LVAR:
# If we clicked on argument
local_variable = hx_view.item.get_lvar() # idaapi.lvar_t
if local_variable.is_arg_var:
idaapi.attach_action_to_popup(form, popup, Actions.RemoveArgument.name, None)
elif item.citype == idaapi.VDI_EXPR:
if item.e.op == idaapi.cot_num:
# number_format = item.e.n.nf # idaapi.number_format_t
# print "(number) flags: {0:#010X}, type_name: {1}, opnum: {2}".format(
# number_format.flags,
# number_format.type_name,
# number_format.opnum
# )
idaapi.attach_action_to_popup(form, popup, Actions.GetStructureBySize.name, None)
elif item.e.op == idaapi.cot_var:
# Check if we clicked on variable that is a pointer to a structure that is potentially part of
# containing structure
if item.e.v.idx in potential_negatives:
idaapi.attach_action_to_popup(form, popup, Actions.SelectContainingStructure.name, None)
if Actions.ResetContainingStructure.check(hx_view.cfunc.get_lvars()[item.e.v.idx]):
idaapi.attach_action_to_popup(form, popup, Actions.ResetContainingStructure.name, None)
elif hexrays_event == idaapi.hxe_double_click:
hx_view = args[1]
item = hx_view.item
if item.citype == idaapi.VDI_EXPR and item.e.op == idaapi.cot_memptr:
# Look if we double clicked on expression that is member pointer. Then get tinfo_t of the structure.
# After that remove pointer and get member name with the same offset
if item.e.x.op == idaapi.cot_memref and item.e.x.x.op == idaapi.cot_memptr:
vtable_tinfo = item.e.x.type.get_pointed_object()
method_offset = item.e.m
class_tinfo = item.e.x.x.x.type.get_pointed_object()
vtable_offset = item.e.x.x.m
elif item.e.x.op == idaapi.cot_memptr:
vtable_tinfo = item.e.x.type.get_pointed_object()
method_offset = item.e.m
class_tinfo = item.e.x.x.type.get_pointed_object()
vtable_offset = item.e.x.m
else:
return 0
udt_member = idaapi.udt_member_t()
udt_member.offset = method_offset * 8
vtable_tinfo.find_udt_member(idaapi.STRMEM_OFFSET, udt_member)
func_ea = Helper.get_virtual_func_address(udt_member.name, class_tinfo, vtable_offset)
if func_ea:
idaapi.open_pseudocode(func_ea, 0)
return 1
elif hexrays_event == idaapi.hxe_maturity:
cfunc, level_of_maturity = args[1:]
if level_of_maturity == idaapi.CMAT_BUILT:
# print '=' * 40
# print '=' * 15, "LEVEL", level_of_maturity, '=' * 16
# print '=' * 40
# print cfunc
# First search for CONTAINING_RECORD made by Ida
visitor = NegativeOffsets.SearchVisitor(cfunc)
visitor.apply_to(cfunc.body, None)
negative_lvars = visitor.result
# Second get saved information from comments
lvars = cfunc.get_lvars()
for idx in xrange(len(lvars)):
result = NegativeOffsets.parse_lvar_comment(lvars[idx])
if result and result.tinfo.equals_to(lvars[idx].type().get_pointed_object()):
negative_lvars[idx] = result
# Third make an analysis of local variables that a structure pointers and have reference that pass
# through structure boundaries. This variables will be considered as potential pointers to substructure
# and will get a menu on right click that helps to select Containing Structure from different libraries
structure_pointer_variables = {}
for idx in set(range(len(lvars))) - set(negative_lvars.keys()):
if lvars[idx].type().is_ptr():
pointed_tinfo = lvars[idx].type().get_pointed_object()
if pointed_tinfo.is_udt():
structure_pointer_variables[idx] = pointed_tinfo
if structure_pointer_variables:
visitor = NegativeOffsets.AnalyseVisitor(structure_pointer_variables, potential_negatives)
visitor.apply_to(cfunc.body, None)
if negative_lvars:
visitor = NegativeOffsets.ReplaceVisitor(negative_lvars)
visitor.apply_to(cfunc.body, None)
elif level_of_maturity == idaapi.CMAT_TRANS2:
# print '=' * 40
# print '=' * 15, "LEVEL", level_of_maturity, '=' * 16
# print '=' * 40
# print cfunc
visitor = SpaghettiVisitor()
visitor.apply_to(cfunc.body, None)
return 0
