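def main():
    """Entry point: run the symbol hunt matching the IDB currently open in IDA.

    Reads the asadbg database path from the ``ASADBG_DB`` environment
    variable and aborts via ``sys.exit()`` when it is not set. The hunting
    routine is chosen by the IDB's file name (``lina``, ``lina_monitor`` or
    ``libc.so``); any other name is logged as unsupported and nothing runs.
    When ``DO_EXIT`` is present in the environment, IDA is terminated with
    ``idc.qexit(1)`` afterwards.
    """
    try:
        # e.g. /path/to/asadbg/asadb.json
        dbname = os.environ["ASADBG_DB"]
    except KeyError:
        # Only the missing variable is expected here; a bare ``except``
        # would also swallow SystemExit and KeyboardInterrupt.
        logmsg("You need to define ASADBG_DB first")
        sys.exit()

    # Query the IDB name once instead of once per branch.
    idb_name = ida_helper.get_idb_name()
    if idb_name == "lina":
        logmsg("Hunting lina...")
        main_lina(dbname)
    elif idb_name == "lina_monitor":
        logmsg("Hunting lina_monitor...")
        main_lina_monitor(dbname)
    elif idb_name == "libc.so":
        logmsg("Hunting libc...")
        main_libc(dbname)
    else:
        logmsg("ERROR: Unsupported filename")

    # This allows us to cleanly exit IDA upon completion
    if "DO_EXIT" in os.environ:
        # XXX - Was Exit(1)
        idc.qexit(1)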
###################### libc ######################
##################################################


def main_libc():
    """Analyze libc: nothing to resolve yet, just report completion.

    We currently only rely on __libc_free, which is exported, so there is
    no symbol hunting to do for this binary.
    """
    print("[+] Done")


##################################################
###################### main ######################
##################################################

if __name__ == '__main__':
    # Map the open IDB's file name to its log line and analysis routine;
    # every routine here takes no arguments.
    _targets = {
        "lina": ("Analyzing lina...", main_lina),
        "lina_monitor": ("Analyzing lina_monitor...", main_lina_monitor),
        "libc.so": ("Analyzing libc...", main_libc),
    }
    _entry = _targets.get(ida_helper.get_idb_name())
    if _entry is None:
        logmsg("ERROR: Unsupported filename")
    else:
        _msg, _run = _entry
        logmsg(_msg)
        _run()

    # Note that this script is called automatically from the command line.
    # Consequently, we cannot call sys.exit(), otherwise the temporary files
    # (.id0, .id1, etc.) will not be packed and nothing is saved into the .idb.
    # This allows us to cleanly exit IDA upon completion.
import json
import os
import pathlib
import sys

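script_args = len(idc.ARGV)
print("script_args", script_args)

# With script arguments present (presumably a command-line invocation),
# wait for IDA's auto-analysis to finish before touching the database.
if script_args > 0:
    ida_auto.auto_wait()

current_dir = str(pathlib.Path(__file__).parent.resolve())

# The idahunt helpers live next to this script.
# NOTE(review): backslash separators hard-code Windows; os.path.join would be portable.
sys.path.append(current_dir + "\\idahunt\\")
import ida_helper

idb_name = ida_helper.get_idb_name()

hvcall_dict = {}
hvcall_dict_unknown = {}

# hvcall_file_path = current_dir + "\\hvcalls_dict.json"

hvcall_dir_saving = current_dir + "\\hvcalls_json_files\\"
hvcall_unknown_dir_saving = hvcall_dir_saving + "\\unknown\\"

# exist_ok=True replaces the separate exists() check: no window between the
# check and the mkdir, and no error if the directory was created meanwhile.
os.makedirs(hvcall_dir_saving, exist_ok=True)
os.makedirs(hvcall_unknown_dir_saving, exist_ok=True)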
def extract_hvcalls():
    """Locate hypercall wrappers in the open IDB and dump the results to JSON.

    Which auxiliary functions are decompiled depends on the loaded binary
    (``g_idb_name``). Results accumulate in the module-level ``g_hvcall_dict``
    and ``g_hvcall_dict_unknown`` and are written under ``g_hvcall_dir_saving``
    and ``g_hvcall_unknown_dir_saving``, named after the IDB and its file
    version.
    """
    # (auxiliary function name, second argument) pairs, forwarded unchanged
    # to find_hvcall_by_aux_function_name together with the "decompile" mode.
    winhv_targets = [
        ('WinHvpSimplePoolHypercall_CallViaMacro', 1),
        ('WinHvpRangeRepHypercall', 0),
        ('WinHvpSpecialListRepHypercall', 0),
    ]
    securekernel_targets = [
        ('ShvlpInitiateFastHypercall', 0),
        ('ShvlpInitiateRepListHypercall', 0),
    ]
    ntoskrnl_targets = [
        ('HvcallFastExtended', 0),
        ('HvcallInitiateHypercall', 0),
    ]
    targets_by_idb = {
        "winhvr.sys": winhv_targets,
        "winhv.sys": winhv_targets,
        "securekernel.exe": securekernel_targets,
        "securekernella57.exe": securekernel_targets,
        "ntoskrnl.exe": ntoskrnl_targets,
        "ntkrla57.exe": ntoskrnl_targets,
    }
    for aux_name, aux_arg in targets_by_idb.get(g_idb_name, []):
        find_hvcall_by_aux_function_name(aux_name, aux_arg, "decompile")

    print_hvcall(g_hvcall_dict, False)

    print("saving g_hvcall_dict to json ...")

    fv = get_file_version()

    # Name the output after the IDB rather than the input path stored inside
    # it, which is stale when the IDB was copied from another machine.
    idb_name = ida_helper.get_idb_name()
    suffix = "_" + fv + ".json"
    known_filename = g_hvcall_dir_saving + idb_name + suffix
    save_dict_to_file(known_filename, str_key_to_int_with_sorting(g_hvcall_dict))

    # Hypercalls whose analysis was inconclusive go to a separate file.
    if g_hvcall_dict_unknown:
        unknown_filename = (g_hvcall_unknown_dir_saving + "unknown_"
                            + idb_name + suffix)
        save_dict_to_file(unknown_filename, g_hvcall_dict_unknown)
        print(
            "hvcalls with unknown result of analysis  - need manual analysis")
        print_hvcall(g_hvcall_dict_unknown, True)

    print("g_hvcall_dict lenght:", len(g_hvcall_dict))
    print("g_hvcall_dict_unknown lenght:", len(g_hvcall_dict_unknown))
    print("db file:", ida_nalt.get_input_file_path())
    print("idb", g_idb_name)
#
#   directories for searching and saving
#

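g_hvcall_dir_saving = g_current_dir + "\\hvcalls_json_files\\"
g_hvcall_unknown_dir_saving = g_hvcall_dir_saving + "\\unknown\\"

#
# import Idahunt module
#

# NOTE(review): backslash separators hard-code Windows; os.path.join would be portable.
sys.path.append(g_current_dir + "\\idahunt\\")
import ida_helper

g_idb_name = ida_helper.get_idb_name()

# Resolved hypercalls and those still needing manual analysis.
# NOTE(review): how the index is used is not visible here — presumably a
# running key for the unknown dict; confirm against its users.
g_hvcall_dict = {}
g_hvcall_dict_unknown = {}
g_hvcall_dict_unknown_index = 0

# hvcall_file_path = g_current_dir + "\\hvcalls_dict.json"

# exist_ok=True makes directory creation idempotent and removes the separate
# exists() check, which leaves a window for another process to create it.
os.makedirs(g_hvcall_dir_saving, exist_ok=True)
os.makedirs(g_hvcall_unknown_dir_saving, exist_ok=True)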


def save_dict_to_file(file_path, t_dict):