def parse_strings(f, hdr, file_hdr, rule_start, off):
str_size = GetStrucSize(structs.YR_STRING)
str_count = 0
while True:
cur = off + str_count * str_size
f.seek(cur + 0x0c)
set_ea_to_struc(cur, structs.YR_STRING)
str_flags = unpack('I', f.read(4))[0]
if str_flags & 0x1000: # STRING_GFLAGS_NULL
MakeName(cur, 'null_string_%x' % rule_start)
break
str_count += 1
strlen, idntf, _, str_val_off = unpack('4I', f.read(16))
if str_flags & 0x400 and str_flags & 0x08: # type string literal and ascii, respectively
idaapi.make_ascii_string(str_val_off, 0, ASCSTR_C)
str_val = get_name(str_val_off, 0x0004) # GN_DEMANGLED
if not str_val:
MakeArray(str_val_off, strlen)
MakeName(str_val_off, 'pattern_%s' % str_count)
str_val = '%d' % str_count
else:
str_val = '%d' % str_count
str_val = 'string_%s_%x' % (str_val, rule_start)
MakeNameEx(cur, str_val, 0x22) # SN_PUBLIC | SN_NOCHECK
def read_string(ea):
s = idc.get_strlit_contents(ea, -1, idc.ASCSTR_C)
if s:
slen = len(s)+1
idc.del_items(ea, idc.DOUNK_SIMPLE, slen)
idaapi.make_ascii_string(ea, slen, idc.ASCSTR_C)
return s, ea + slen
else:
return s, ea
def read_string(ea):
s = idc.get_strlit_contents(ea, -1, idc.ASCSTR_C)
if s:
slen = len(s) + 1
idc.del_items(ea, idc.DOUNK_SIMPLE, slen)
idaapi.make_ascii_string(ea, slen, idc.ASCSTR_C)
return s, ea + slen
else:
return s, ea
def parse_ns(f, hdr, file_hdr, rule_start, off):
f.seek(off + 0X0C + 4 * hdr.max_threads)
set_ea_to_struc(off, structs.YR_NAMESPACE)
nsname_off = unpack('<I', f.read(4))[0]
if valid_struct_ptr(nsname_off):
idaapi.make_ascii_string(nsname_off, 0, ASCSTR_C)
f.seek(nsname_off + 0x0c)
MakeName(off, 'ns_%s' % read_cstr(f))
def define(self):
"""
Defines the string in the IDB.
"""
try:
idc.MakeUnknown(self.startEA, self.byte_length, idc.DOUNK_SIMPLE)
idaapi.make_ascii_string(self.startEA, self.byte_length, self.string_type)
except:
append_debug('Unable to define string at 0x%X' % self.startEA)
def read_string(ea):
s = idc.GetString(ea, -1, idc.ASCSTR_C)
if s:
slen = len(s)+1
idc.MakeUnknown(ea, slen, idc.DOUNK_SIMPLE)
idaapi.make_ascii_string(ea, slen, idc.ASCSTR_C)
return s, ea + slen
else:
return s, ea
def read_string(ea):
s = idc.GetString(ea, -1, idc.ASCSTR_C)
if s:
slen = len(s) + 1
idc.MakeUnknown(ea, slen, idc.DOUNK_SIMPLE)
idaapi.make_ascii_string(ea, slen, idc.ASCSTR_C)
return s, ea + slen
else:
return s, ea
def parse_tags(f, hdr, file_hdr, rule_start, off):
f.seek(off + 0X0C)
while True:
tag_name_off = f.tell() - 0x0c
tag = read_cstr(f)
if not tag:
break
idaapi.make_ascii_string(tag_name_off, 0, ASCSTR_C)
MakeName(tag_name_off,
'tag_%s_%x' % (tag, rule_start)) # tag names can repeat
def convert_to_korean_string(self):
startea = ScreenEA()
endea, ch_str = self.get_ch_str(startea)
if endea == -1:
return
self.present_inline(startea, ch_str)
#MakeStr(startea, endea+1)
idaapi.make_ascii_string(startea, endea + 1 - startea, ASCSTR_C)
return
def define_string(decoded_string):
'''
Defines a string object in the IDB for the provided string.
Input:
decoded_string - The EncodedString object to define in IDA
'''
try:
idc.MakeUnknown(decoded_string.startEA, decoded_string.byte_length,
idc.DOUNK_SIMPLE)
idaapi.make_ascii_string(decoded_string.startEA,
decoded_string.byte_length,
decoded_string.string_type)
except:
append_debug('Unable to define string at 0x%X' %
decoded_string.startEA)
def handle_string(self, offb, op, addr):
sym_addr = addr
symbols = self.get_string_symbols(addr)
if symbols:
for i, symbol in enumerate(symbols):
if symbol.is_var():
var_addr = self.rebase_var_addr(symbol.nvar)
ua_add_dref(offb, var_addr, dr_R)
sym_addr += 4
elif symbol.is_string():
n = str_to_number(symbol)
if n is None:
ua_add_dref(offb, sym_addr, dr_R)
string_name = canonize_name(symbol)
idaapi.make_ascii_string(sym_addr, len(symbol), ASCSTR_C)
idaapi.do_name_anyway(sym_addr, string_name[:15])
sym_addr += len(symbol)
else:
sym_addr += 4
def defineAsciiString(self, ea):
r"""Define an ascii string at the given address.
Args:
ea (int): effective start address of the wanted ascii string
Return Value:
The length of the defined string + 1 for the '\0' terminator
"""
content = idc.GetString(ea, -1, -1)
if not sark.Line(ea).is_string:
self._analyzer.logger.debug("Defined a unique ascii string at: 0x%x (Length of %d)", ea, len(content) + 1)
idc.MakeUnknown(ea, len(content) + 1, 0)
# Backward compatibility is always fun
if idaapi.IDA_SDK_VERSION <= 700:
idaapi.make_ascii_string(ea, len(content) + 1, idc.ASCSTR_C)
else:
idc.MakeStr(ea, ea + len(content) + 1)
return len(content) + 1
def handle_string(self, offb, op, addr):
sym_addr = addr
symbols = self.get_string_symbols(addr)
if symbols:
for i, symbol in enumerate(symbols):
if symbol.is_var():
var_addr = self.rebase_var_addr(symbol.nvar)
ua_add_dref(offb, var_addr, dr_R)
sym_addr += 4
elif symbol.is_string():
n = str_to_number(symbol)
if n is None:
ua_add_dref(offb, sym_addr, dr_R)
string_name = canonize_name(symbol)
idaapi.make_ascii_string(sym_addr, len(symbol),
ASCSTR_C)
idaapi.do_name_anyway(sym_addr, string_name[:15])
sym_addr += len(symbol)
else:
sym_addr += 4
def parse_metas(f, hdr, file_hdr, rule_start, off):
f.seek(off + 0X0C)
metas_start = f.tell()
meta_size = GetStrucSize(structs.YR_META)
meta_count = 0
while True:
curr_meta = off + meta_count * meta_size
set_ea_to_struc(curr_meta, structs.YR_META)
meta_type, _, meta_integer, meta_name_off, _, meta_string, _ = unpack(
'<IIQIIII', f.read(meta_size))
if meta_type == 0:
MakeName(curr_meta, 'meta_null_%x' % rule_start)
break
idaapi.make_ascii_string(meta_name_off, 0, ASCSTR_C)
f.seek(meta_name_off + 0x0c)
MakeName(curr_meta, 'meta_%s_%x' % (read_cstr(f), rule_start))
if meta_type == 2:
idaapi.make_ascii_string(meta_string, 0, ASCSTR_C)
meta_count += 1
f.seek(metas_start + meta_count * meta_size)
def parse_external(f, hdr, file_hdr):
ext_start = f.tell() - 0x0c
ext_size = GetStrucSize(structs.YR_EXTERNAL_VARIABLE)
set_ea_to_struc(ext_start, structs.YR_EXTERNAL_VARIABLE)
xtype, __, val, val64, idntfier_off, __ = unpack('<2I 2I 2I',
f.read(ext_size))
if xtype == 0:
MakeName(ext_start, 'ext_null')
return True
f.seek(idntfier_off + 0x0c)
MakeName(ext_start, 'ext_%s_%x' % (read_cstr(f), ext_start))
if xtype in [
EXTERNAL_VARIABLE_TYPE_STRING, EXTERNAL_VARIABLE_TYPE_MALLOC_STRING
] and valid_struct_ptr(val):
idaapi.make_ascii_string(val, 0, ASCSTR_C)
elif xtype: # TODO: handle other cases
MakeQword(ext_start + 8)
f.seek(ext_size + ext_start + 0x0c)
def MyMakeStr(a, b):
idaapi.make_ascii_string(a, b, GetLongPrm(INF_STRTYPE))
def to_str(self, ea):
max_len = idaapi.get_max_ascii_length(ea, ASCSTR_C, 0)
idaapi.make_ascii_string(ea, max_len, ASCSTR_C)
return idc.GetString(ea, max_len, ASCSTR_C)
