def trace_val(self):
expr = '{}'
obj = self
while True:
obj = idafind.find(obj.ea,
obj,
is_recur=False,
is_bwd=True,
is_trace=False)
mnem = idc.GetMnem(obj.ea)
if mnem in ['mov', 'lea']:
expr = expr.format(opnd.raw)
break
# TODO: What about xor rcx, rcx?
elif mnem == 'xor':
expr = expr.format(0)
break
try:
FMT = '({{}}) {} {}'
OP_DICT = {
'imul': '*',
}
expr = expr.format(FMT.format(OP_DICT[mnem], obj.raw))
except KeyError:
raise NotImplementedError
try:
return eval(expr)
except:
return expr
def find_dispatch_dev_ctrl(self):
print idabuty.beautify_title('DriverObject:'), self.find_drv_obj()
for ea in idautils.Heads(self.f.startEA, self.f.endEA):
if idc.GetMnem(ea) == 'mov':
opnd = idaobj.Opnd(ea=ea, oi=0)
if opnd.ot == idc.o_displ:
parsed_opnd = opnd.parse()
if len(parsed_opnd) == 2:
pass
#print idabuty.beautify_ea(ea)
if len(parsed_opnd) == 3:
base_reg, idx, displ = parsed_opnd
# ['rcx', 'rax', '70h']
if ('*' not in idx) and (not idx.endswith('h')):
idx_reg = idx
opnd1 = self.find_drv_obj(
) # mov [rsp+drv_obj], rcx
opnd2 = idafind.find(
ea,
idaobj.Opnd(ot=idc.o_reg, od=base_reg),
is_bwd=1) # mov rcx, [rsp+48h+drv_obj]
is_drv_obj = idaobj.cmp_od_displ(opnd1, opnd2)
opnd = idafind.find(ea,
idaobj.Opnd(ot=idc.o_reg,
od=idx_reg),
is_bwd=True)
is_mj_dev_ctrl = '0Eh' == idaobj.parse_opnd(opnd)
is_mj_func = '70h' == displ
if is_drv_obj and is_mj_dev_ctrl and is_mj_func:
return idafind.get_func_from_opnd(
idaobj.Opnd(ea=ea, oi=1))
raise idafind.NotFoundError
def find_io_stack_loc(self):
irp_opnd = self.find_irp()
print beautify_title('IRP:'), irp_opnd
call_eas = self.find_mnem_eas('call')
call_eas = filter(
lambda ea: idafind.is_func_call_arg(self.f, ea, 0, irp_opnd),
call_eas)
call_eas = filter(
lambda ea: 'IofCompleteRequest' not in idcnew.GetOpnd(ea, 0),
call_eas)
assert len(call_eas) == 1 # TODO: check +0B8h
return idafind.find(call_eas[0], idaobj.Opnd(ot=idc.o_reg, od='rax'))
def find_arg(self, arg_idx):
return idafind.find(self.ea, self.get_arg_opnd(arg_idx), is_bwd=True)
def find_stack_base(self):
from_ea = idcnew.GetBB(self.f.startEA).endEA
target_opnd = idaobj.Opnd(ot=idc.o_reg, od='rsp')
return idafind.find(from_ea, target_opnd, is_bwd=True)
def find_nth_arg(self, arg_idx):
return idafind.find(idc.PrevHead(self.f.startEA),
self.make_arg_opnd(arg_idx))