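def _search_for_immediates(self):
    """Populate ``self.IMMEDIATES`` with the start EAs of the functions using each key.

    Every key of ``self.IMMEDIATES`` is converted with ``self._twos_compliment``
    and searched through the whole database with ``idc.FindImmediate``. For each
    hit that lies inside a function, that function's ``startEA`` is added to the
    key's set; hits outside any function are ignored.

    Side effects:
        Mutates the sets stored in ``self.IMMEDIATES`` in place.
    """
    for immediate in self.IMMEDIATES.keys():
        ea = 0
        while ea != idc.BADADDR:
            # NOTE(review): the search resumes at ``ea`` without SEARCH_NEXT — confirm
            # FindImmediate skips the hit it returned, otherwise the same address
            # would be re-found on every iteration.
            (ea, _operand) = idc.FindImmediate(ea, idc.SEARCH_DOWN,
                                               self._twos_compliment(immediate))
            if ea == idc.BADADDR:
                break
            func = idaapi.get_func(ea)
            if func:
                self.IMMEDIATES[immediate].add(func.startEA)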
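def find_wdf_callback_through_immediate(mnemonic, operand, val, max_hits=10):
    """Return the EA of the first ``mnemonic`` instruction whose operand ``operand``
    holds the immediate ``val``, or ``None``.

    Args:
        mnemonic (str): mnemonic expected from ``idc.GetMnem`` at the hit.
        operand (int): operand number expected from ``idc.FindImmediate``.
        val (int): immediate value to search for.
        max_hits (int): number of immediate hits examined before giving up
            (defaults to the original fixed loop count of 10).

    Returns:
        int or None: address of the matching instruction, or ``None`` when no
        examined hit matched or the search reached the end of the database.
    """
    # Resume each search from the previous hit with SEARCH_NEXT; restarting from
    # MinEA() on every iteration would examine the same first hit ten times and
    # never reach a later occurrence of ``val``.
    addr = idc.MinEA()
    for _ in range(max_hits):
        addr, operand_ = idc.FindImmediate(addr, idc.SEARCH_DOWN | idc.SEARCH_NEXT, val)
        if addr == idc.BADADDR:
            break
        if operand_ == operand and idc.GetMnem(addr) == mnemonic:
            return addr
    return None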
 def _search_for_immediates(self):
     """Build ``self.funcs``: function ``startEA`` -> set of immediates it references.

     Each key of ``constants.constants`` is converted with ``self._twos_compliment``
     and searched with ``idc.FindImmediate``. A hit inside a function credits that
     function; a hit outside any function is credited to every function that
     contains a cross-reference to the hit address.

     Side effects:
         Replaces ``self.funcs`` with a freshly built dict.
     """
     self.funcs = {}

     def credit(func_ea, immediate):
         # Record that the function starting at func_ea references immediate.
         self.funcs.setdefault(func_ea, set()).add(immediate)

     for immediate in constants.constants.keys():
         ea = 0
         while ea != idc.BADADDR:
             # NOTE(review): resumes at ``ea`` without SEARCH_NEXT — confirm the
             # search skips the hit it returned, or the same address is re-found.
             ea, _operand = idc.FindImmediate(ea, idc.SEARCH_DOWN,
                                              self._twos_compliment(immediate))
             if ea == idc.BADADDR:
                 continue
             holder = idaapi.get_func(ea)
             if holder:
                 credit(holder.startEA, immediate)
                 continue
             # Hit is not inside a function: attribute it through its xrefs.
             for xref in idautils.XrefsTo(ea):
                 holder = idaapi.get_func(xref.frm)
                 if holder:
                     credit(holder.startEA, immediate)
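    def findImmediate(self, range_start, range_end, value):
        """Yield every ea in [range_start, range_end) at which the immediate was found.

        Args:
            range_start (int): ea of the range's start (inclusive)
            range_end (int): ea of the range's end (exclusive)
            value (int): value of the searched immediate

        Yields:
            int: ea of each hit, in ascending address order
        """
        search_pos = range_start
        while search_pos < range_end:
            match_ea, _operand = idc.FindImmediate(search_pos, idc.SEARCH_DOWN, value)
            # FindImmediate is not bounded by range_end: stop both on "no hit" and
            # on a hit past the range, which would otherwise be yielded once before
            # the while condition ends the loop.
            if match_ea == idc.BADADDR or match_ea >= range_end:
                break
            yield match_ea
            # Resume just past the hit so the same address is not returned again.
            search_pos = match_ea + 1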
print hex(ea), idc.GetDisasm(ea)
addr = idc.FindData(ea, SEARCH_UP | SEARCH_NEXT)
print hex(addr), idc.GetDisasm(addr)

# idc.FindUnexplored(ea, flag): find the next address whose bytes IDA has not
# identified as code or data. Such bytes need manual inspection or further
# scripting to classify.
ea = here()
print hex(ea), idc.GetDisasm(ea)
addr = idc.FindUnexplored(ea, SEARCH_DOWN)
print hex(addr), idc.GetDisasm(addr)

# idc.FindExplored(ea, flag): find the next address IDA has marked as code or data.
ea = here()
addr = idc.FindExplored(ea, SEARCH_UP)
print hex(addr), idc.GetDisasm(addr)

# Cross-references to the explored address; the second argument is XrefsTo's
# flags parameter (value 1 here — check idautils for its meaning).
for xref in idautils.XrefsTo(addr, 1):
    print hex(xref.frm), idc.GetDisasm(xref.frm)

# idc.FindImmediate(ea, flag, value): look for a specific constant, e.g. the one
# rand() uses for its seed. The result is a (ea, operand_number) pair.
addr = idc.FindImmediate(MinEA(), SEARCH_DOWN, 0x343FD)
print "0x%x %s %x" % (addr[0], idc.GetDisasm(addr[0]), addr[1])

# Enumerate every use of an immediate: resume from the previous hit with
# SEARCH_NEXT until FindImmediate reports BADADDR.
addr = MinEA()
while True:
    addr, operand = idc.FindImmediate(addr, SEARCH_DOWN | SEARCH_NEXT, 0x5c)
    if addr == idc.BADADDR:
        break
    print hex(addr), idc.GetDisasm(addr), "Operand", operand