# Brandon Azad # # Functions for converting and symbolicating offsets. # import re import idc import idautils import ida_utilities as idau import internal import kernel import stub _log = idau.make_log(1, __name__) def initialize_data_offsets(): """Convert offsets in data segments into offsets in IDA. Segment names must be initialized with segments.initialize_segments() first. """ # Normally, for user-space programs, this operation would be dangerous because there's a good # chance that a valid userspace address would happen to show up in regular program data that is # not actually an address. However, since kernel addresses are numerically much larger, the # chance of this happening is much less. It is not zero, though: a large integer constant that # happens to fall in the kernel address range can still be mistaken for a pointer, which is why # the conversion is limited to the segments checked below and the resulting offsets should be # treated as a heuristic rather than ground truth. for seg in idautils.Segments(): name = idc.SegName(seg) if not (name.endswith('__DATA_CONST.__const') or name.endswith('__got') or name.endswith('__DATA.__data')):
# # ida_kernelcache/metaclass.py # Brandon Azad # # A module for working with OSMetaClass instances in the kernelcache. # import idc import ida_utilities as idau import classes _log = idau.make_log(0, __name__) def metaclass_name_for_class(classname): """Return the name of the C++ metaclass for the given class.""" if '::' in classname: return None return classname + '::MetaClass' def metaclass_instance_name_for_class(classname): """Return the name of the C++ metaclass instance for the given class.""" if '::' in classname: return None return classname + '::gMetaClass' def metaclass_symbol_for_class(classname): """Get the symbol name for the OSMetaClass instance for the given class name.
While it is possible to implement a very generic data flow framework, allowing custom data flows to be implemented entirely externally and with little or no knowledge of the underlying architecture, this module does not take that approach, for reasons of simplicity and efficiency. """ import collections import idc import idautils import idaapi import ida_utilities as idau _log = idau.make_log(2, __name__) _INSN_OP_CHG = [ idaapi.CF_CHG1, idaapi.CF_CHG2, idaapi.CF_CHG3, idaapi.CF_CHG4, idaapi.CF_CHG5, idaapi.CF_CHG6, ] _INSN_OP_DTYP_SZ = { idaapi.dt_byte: 1, idaapi.dt_word: 2, idaapi.dt_dword: 4, idaapi.dt_qword: 8,
# # ida_kernelcache/build_struct.py # Brandon Azad # # A module to build an IDA structure automatically from code accesses. # import collections import idc import idautils import idaapi import ida_utilities as idau _log = idau.make_log(3, __name__) def field_name(offset): """Automatically generated IDA structs have their fields named by their absolute offset.""" return 'field_{:x}'.format(offset) def create_struct_fields(sid=None, name=None, accesses=None, create=False, base=0): """Create an IDA struct with fields corresponding to the specified access pattern. Given a sequence of (offset, size) tuples designating the valid access points to the struct,