Beispiel #1
0
def main():
    clist = build_color_list()

    filepath = idaapi.askfile_c(False, "*.*", "Pin log file")
    imagebase = idaapi.get_imagebase()
    try:
        f = open(filepath, "rb")
    except:
        print("Need log file to parse data...")
        return
    buff = f.read()
    functions = set()
    for index in range(0, len(buff)):
        exec_count = ord(buff[index])
        if exec_count == 0:
            continue

        exec_count = exec_count / 10
        if exec_count > 11: exec_count = 11

        ida_color = clist[exec_count]
        if (not (idc.GetFunctionName(imagebase + index) in functions)):
            func = idc.GetFunctionName(imagebase + index)
            print "hit @ 0x%08x function %s" % (imagebase + index, func)
            functions.add(func)

        idc.SetColor(imagebase + index, CIC_ITEM, ida_color)
    def get_patch_byte(self, ea, fpos, org_val, patch_val):

        # Aggregate contiguous bytes (base ea + length)
        # NOTE: Looking at the last item [-1] is sufficient
        #       since we are dealing with sorted data.
        if len(self.items_data) and (ea - self.items_data[-1][0] == self.items_data[-1][2]):

            # Increment length
            self.items_data[-1][2] += 1
            self.items[-1][2] = str(self.items_data[-1][2])

            # Append patched bytes
            self.items_data[-1][3].append(patch_val)
            self.items[-1][3] = " ".join(["%02X" % x for x in self.items_data[-1][3]])

            # Append original bytes
            self.items_data[-1][4].append(org_val)
            self.items[-1][4] =  " ".join(["%02X" % x for x in self.items_data[-1][4]])


        # Add new patch byte to the list
        else:

            name = idc.SegName(ea)

            if idc.GetFunctionName(ea) or idc.Name(ea):
                name += ": %s" % idc.GetFunctionName(ea) or idc.Name(ea)


            comment = idc.Comment(ea) or idc.RptCmt(ea) or ""
            # DATA STORAGE FORMAT:      address, function / fpos, len,    patched byte(s), original byte(s), comments
            self.items.append(     ["%08X" % ea,            name, "1", "%02X" % patch_val, "%02X" % org_val, comment])
            self.items_data.append([         ea,            fpos,   1,        [patch_val],        [org_val], None]   )

        return 0
Beispiel #3
0
def getCallGraph():
    callGraph = nx.DiGraph()
    for func_addr in idautils.Functions(MinEA(), MaxEA()):
        #print func_addr
        #coderefler bulunur ve hepsi grapha eklenir
        fn = idc.GetFunctionName(func_addr)
        #print "for function ",fn, " caller functions listed below:"
        i = 0
        callers = idautils.CodeRefsTo(func_addr, 1)
        #avoid if there is no caller
        if (len(callers) == 0):
            #print "empty set!"
            continue
        callGraph.add_node(func_addr, name=fn)
        for caller_addr in callers:
            cn = idc.GetFunctionName(caller_addr)
            #print i,".caller is ",cn, " address: 0x %x" %caller_addr
            i += 1
            #avoid circle
            if (fn == cn):
                print fn
                continue
            cf_addr = idc.GetFunctionAttr(caller_addr, FUNCATTR_START)
            if cf_addr is None:
                #print "none function -> 0x%x"%caller_addr
                continue
            if not (cf_addr in callGraph):
                callGraph.add_node(cf_addr, name=cn)
            callGraph.add_edge(cf_addr, func_addr)
    return callGraph
Beispiel #4
0
    def isCall(self, xref, tid):
        if xref in self._call_lut:
            return True
        elif idc.GetMnem(xref) == 'jmp':
            curf = idc.GetFunctionName(xref)
            if curf is not None:
                val = idc.GetOperandValue(xref, 0)
                if val is not None and val > 0:
                    tarf = idc.GetFunctionName(val)
                    if tarf is not None and tarf != curf:
                        self._call_lut.add(xref)
                        for thread in self["mem_areas"][0]['threads']:
                            if thread['tid'] == tid:
                                thread['calls'].append({
                                    "execs":
                                    1,
                                    "name":
                                    "",
                                    "target":
                                    val,
                                    "xrefs": [{
                                        "addr": xref,
                                        "execs": 1,
                                        "params": []
                                    }]
                                })
                        return True

        return False
Beispiel #5
0
def SearchCodePathDialog(ret_only=False, extended=False):
    f1 = idaapi.choose_func("Select starting function", 0)
    if not f1:
        return
    sea = f1.startEA

    f2 = idaapi.choose_func("Select target function", idc.ScreenEA())
    if not f2:
        return
    tea = f2.startEA

    nodes = SearchCodePath(sea, tea, extended)
    if len(nodes) > 0:
        if ret_only:
            return nodes
        else:
            g = PathsBrowser(
                "Code paths from %s to %s" %
                (idc.GetFunctionName(sea), idc.GetFunctionName(tea)), nodes,
                sea, tea)
            g.Show()
    else:
        idaapi.info("No codepath found between %s and %s" %
                    (idc.GetFunctionName(sea), idc.GetFunctionName(tea)))
        return nodes
def find_dispatch_by_cfg():
    """ 
    Finds the functions in the binary which are not directly called anywhere and counts how many other functions they call,
    returing all functions which call > 0 other functions but are not called themselves. As a dispatch function is not normally directly
    called but will normally many other functions this is a fairly good way to guess which function it is.
    """

    out = []
    called = set()
    caller = dict()
    # Loop through all the functions in the binary
    for function_ea in idautils.Functions():
        flags = idc.get_func_flags(function_ea)
        # skip library functions
        if flags & idc.FUNC_LIB:
            continue
        f_name = idc.GetFunctionName(function_ea)
        # For each of the incoming references
        for ref_ea in idautils.CodeRefsTo(function_ea, 0):
            called.add(f_name)
            # Get the name of the referring function
            caller_name = idc.GetFunctionName(ref_ea)
            if caller_name not in caller.keys():
                caller[caller_name] = 1
            else:
                caller[caller_name] += 1
    while True:
        if len(caller.keys()) == 0:
            break
        potential = max(caller, key=caller.get)
        if potential not in called:
            out.append(potential)
        del caller[potential]
    return out
Beispiel #7
0
def findroot(TargetFunc):
    global rootpath
    global rootfunc
    global m_rootpath
    global depth
    global dstfunc
    depth += 1
    if (depth >= 10):
        rootfunc.append(TargetFunc)
        rootpath.append(
            "It's difficult to reverse because depth is too deep!!Try: " +
            TargetFunc)
        return
    for xref in idautils.XrefsTo(idc.LocByName(TargetFunc)):
        if (idc.GetFunctionName(xref.frm) == ""):  #if root function
            for storcheck in idautils.XrefsTo(idc.LocByName(TargetFunc)):
                if (storcheck.type == 17):  #not root function
                    return
            if m_rootpath not in rootpath:
                if (depth > 7):
                    m_rootpath = dstfunc + "<--" + TargetFunc
                rootfunc.append(idc.GetFunctionName(xref.to))
                rootpath.append(m_rootpath)
            return
        else:
            g_rootpath = m_rootpath
            m_rootpath += "<--" + idc.GetFunctionName(xref.frm)
            findroot(idc.GetFunctionName(xref.frm))
            depth -= 1
            m_rootpath = g_rootpath
Beispiel #8
0
    def scan_functions(self):
        from mybase import function
        self.logger.info("For function %s:" % idc.GetFunctionName(self.ea))
        for ea in function.iterate(self.ea):
            for xref in idautils.XrefsFrom(ea, 0):
                if idautils.XrefTypeName(xref.type) == 'Code_Near_Call' or\
                    idautils.XrefTypeName(xref.type) == 'Code_Far_Call':
                    self.logger.info("found call at %s --> %s" %
                                     (hex(ea), idc.GetFunctionName(xref.to)))

                    #skip constructors
                    fn = FunctionName(idc.GetFunctionName(xref.to))
                    if fn.namespace == fn.basename:
                        continue

                    tif = idaapi.tinfo_t()
                    if idaapi.get_tinfo2(xref.to, tif):
                        funcdata = idaapi.func_type_data_t()
                        tif.get_func_details(funcdata)
                        #funcdata.get_call_method()
                        if funcdata.size() >= 1 and funcdata[0].name == "this":
                            self.funcs.add(
                                FunctionName(idc.GetFunctionName(xref.to)))
                            self.logger.info("Call to %s found" %
                                             idc.GetFunctionName(xref.to))
                    else:
                        self.logger.info("idaapi.get_tinfo2 failed")

        self.logger.info("%d subcalls found" % len(self.funcs))
Beispiel #9
0
def import_func_names(fname):
    s = idautils.Strings(False)
    s.setup(strtypes=idautils.Strings.STR_UNICODE | idautils.Strings.STR_C)
    f = open(fname)
    jsontable = json.load(f)
    f.close()

    string2ea = dict([(unicode(v), v.ea) for v in s])

    for entry in jsontable:
        if unicode(entry['string']) in string2ea.keys():

            ea = string2ea[unicode(entry['string'])]
            xrefs = [x.frm for x in idautils.XrefsTo(ea)]
            ret = [idaapi.get_func(x) for x in xrefs if idaapi.get_func(x)]

            names = []
            funcs = []
            for func in ret:
                if idc.GetFunctionName(func.startEA) not in names:
                    names.append(idc.GetFunctionName(func.startEA))
                    funcs.append(func)

            if len(funcs) == 1:
                print "%s %s -> %s\tstr: %s" % (hex(
                    funcs[0].startEA), idc.GetFunctionName(
                        funcs[0].startEA), entry['func_name'], entry['string'])
Beispiel #10
0
    def get_patch_byte(self, ea, fpos, org_val, patched_val):
        org_byte = "%02x" % org_val
        patched_byte = "%02x" % patched_val

        if self.prev_addr is None or ea != (self.prev_addr + 1):
            name = idc.SegName(ea)
            if idc.GetFunctionName(ea) or idc.Name(ea):
                name += ": %s" % idc.GetFunctionName(ea) or idc.Name(ea)

            comment = idc.Comment(ea) or idc.RptCmt(ea) or ""

            self.patched_bytes.append({
                'name': name,
                'begin_addr': ea,
                'original': org_byte,
                'patched': patched_byte,
                'comment': comment
            })

        else:
            self.patched_bytes[-1]['original'] += org_byte
            self.patched_bytes[-1]['patched'] += patched_byte

        self.prev_addr = ea

        return 0
Beispiel #11
0
    def _valid_call(self, ref_addr, target_addr):
        if ref_addr and target_addr:
            ref_func = idc.GetFunctionName(ref_addr)
            target_func = idc.GetFunctionName(target_addr)
            if ref_func == target_func:
                return False

        return True
Beispiel #12
0
 def getFunctionName(self, ea):
     """Returns the name of the function to which ea belongs"""
     demangled_name = idc.Demangle(idc.GetFunctionName(ea),
                                   idc.GetLongPrm(idc.INF_SHORT_DN))
     if not demangled_name:
         return idc.GetFunctionName(ea)
     else:
         return demangled_name
Beispiel #13
0
 def threads(self):
     for thread in self["mem_areas"][0]['threads']: 
         fname = idc.GetFunctionName(thread["tfunc"])
         if len(fname) == 0:
             if idc.MakeFunction(thread["tfunc"]) == 0:
                 fname = "0x%x" % thread["tfunc"]
             else:
                 fname = idc.GetFunctionName(thread["tfunc"])
         yield fname, thread["tfunc"], thread["tid"]
Beispiel #14
0
 def addEdges(self):
     for ea in self.result:
         refs = GetCodeRefsFrom(ea)
         for ref in refs:
             name = idc.GetFunctionName(ref)
             name2 = idc.GetFunctionName(ea)
             try:
                 if name in self.added:
                     self.AddEdge(self.nodes[idc.LocByName(name2)], self.nodes[idc.LocByName(name)])
                     self.added.append((ea, ref))
             except:
                 print "Error", sys.exc_info()[1]
Beispiel #15
0
    def is_call(self, instruction=None):
        """Return whether the last instruction processed is a call or not."""

        # If there are instructions defined as being specifically used for "calls"
        # we take those as a unique indentifier for whether the instruction is
        # if fact a call or not
        #
        if self.INSTRUCTIONS_CALL:
            if instruction.itype in self.INSTRUCTIONS_CALL:
                return True
            else:
                return False

        if not instruction.itype in self.INSTRUCTIONS_BRANCH:
            return False

        trgt = list(idautils.CodeRefsFrom(instruction.ip, 0))
        if not trgt:
            trgt = list(idautils.DataRefsFrom(instruction.ip))

        if len(trgt) > 0:

            # When getting the name there's a fall back from
            # using GetFunctionName() to Name() as sometimes
            # imported functions are not defined as functions
            # and the former will return an empty string while
            # the later will return the import name.
            #
            trgt_name = idc.GetFunctionName(trgt[0])
            if trgt_name == '':
                trgt_name = idc.Name(trgt[0])

            trgt_name_prev = idc.GetFunctionName(trgt[0] - 1)
            if trgt_name_prev == '':
                trgt_name_prev = idc.Name(trgt[0] - 1)

            # In order for the reference to be a call the following
            # must hold.
            # -There must be a valid function name
            # -The function name should be different at the target
            # address then the name in the immediately posterior
            # address (i.e. target must point to begging of function)
            # -The function name should be different than the function
            # name of the branch source
            #
            if (trgt_name is not None and trgt_name != ''
                    and trgt_name != trgt_name_prev
                    and idc.GetFunctionName(instruction.ip) != trgt_name):

                return True

        return False
Beispiel #16
0
    def getFunc(self, ea=None, next=False):
        if ea == None:
            ea = idaapi.get_screen_ea()

        if next:
            ea = idc.NextFunction(ea)
            if ea == -1:
                return (0xFFFFFFFFL, 0xFFFFFFFFL)

        if ea < 0:
            return (0xFFFFFFFFL, 0xFFFFFFFFL)
        elif idc.GetFunctionName(ea) == idc.GetFunctionName(idc.PrevAddr(ea)):
            ea = idc.PrevFunction(ea)
        return (ea, idc.FindFuncEnd(ea))
Beispiel #17
0
def GetCFG():
    SingleBBS = {}  # head -> pred_bbl
    MultiBBS = {}  # head -> [pred_bbls]
    bbls = {}  # head -> bbl
    # bbls2 = {}  # tail -> bbl
    edges = {
    }  # dict struct.  head -> of (head, ..., head)   #set()   # set of (tail, head) or (head, head)
    edges_count = 0

    #bbls_t, edges_t, count, SingleBBS_t, MultiBBS_t = GetFunEdgesAndBbls(0x08F7790)  # deubg
    #exit()

    for func in idautils.Functions():
        if IsSanFunc(func):
            continue
        print('%x %s') % (func, idc.GetFunctionName(func))
        bbls_t, edges_t, count, SingleBBS_t, MultiBBS_t = GetFunEdgesAndBbls(
            func)
        bbls.update(bbls_t)
        # bbls2.update(bbls2_t)
        edges.update(edges_t)  # union
        edges_count += count
        SingleBBS.update(SingleBBS_t)
        MultiBBS.update(MultiBBS_t)
    return bbls, edges, edges_count, SingleBBS, MultiBBS
Beispiel #18
0
def GetDataXrefString(ea):
    name = idc.GetFunctionName(ea)
    ea = idc.LocByName(name)

    f_start = ea
    f_end = idc.GetFunctionAttr(ea, idc.FUNCATTR_END)

    ret = []
    for chunk in idautils.Chunks(ea):
        astart = chunk[0]
        aend = chunk[1]
        for head in idautils.Heads(astart, aend):
            # If the element is an instruction
            if idc.isCode(idc.GetFlags(head)):
                refs = list(idautils.DataRefsFrom(head))
                for ref in refs:
                    s = idc.GetString(ref, -1, idc.ASCSTR_C)
                    if not s or len(s) <= 4:
                        s = idc.GetString(ref, -1, idc.ASCSTR_UNICODE)

                    if s:
                        if len(s) > 4:
                            ret.append(repr(s))

    if len(ret) > 0:
        return "\n\n" + "\n".join(ret)
    else:
        return ""
def format_rules(fva, rules):
    '''
    given the address of a function, and the byte signatures for basic blocks in
     the function, format a complete YARA rule that matches all of the
     basic block signatures.
    '''
    name = idc.GetFunctionName(fva)

    # some characters aren't valid for YARA rule names
    safe_name = name
    BAD_CHARS = '@ /\\!@#$%^&*()[]{};:\'",./<>?'
    for c in BAD_CHARS:
        safe_name = safe_name.replace(c, '')

    md5 = idautils.GetInputFileMD5()
    ret = []
    ret.append('rule a_%s_%s {' % (md5, safe_name))
    ret.append('  meta:')
    ret.append('    sample_md5 = "%s"' % (md5))
    ret.append('    function_address = "0x%x"' % (fva))
    ret.append('    function_name = "%s"' % (name))
    ret.append('  strings:')
    for rule in rules:
        formatted_rule = ' '.join(rule.masked_bytes)
        ret.append('    %s = { %s }' % (rule.name, formatted_rule))
    ret.append('  condition:')
    ret.append('    all of them')
    ret.append('}')
    return '\n'.join(ret)
Beispiel #20
0
    def get_current_function_xrefs_from(self):

        addr_in_func = idc.ScreenEA()
        curr_func = idc.GetFunctionName(addr_in_func)

        refs = self.find_xrefs_from(addr_in_func)
        return [ref.get_row(XrefsFromFinder.XREF_TYPE2STR) for ref in refs]
Beispiel #21
0
 def run(self, arg):
     """
     :param arg: Integer, a non-zero value enables auto-run feature for
          IDA batch (no gui) processing mode. Default is 0.
     """
     log("plugin run")
     if not is_jni_header_loaded():
         idaapi.warning('Please load jni.h first')
         load_jni_header()
     st = idc.set_ida_state(idc.IDA_STATUS_WORK)
     infos = load_methods()
     failed = []
     succ = 0
     for ea in idautils.Functions():
         fname = idc.GetFunctionName(ea)
         if fname.startswith('Java_'):
             info = infos.get(fname)
             if info is None:
                 failed.append(fname)
             else:
                 succ += 1
             apply_signature(ea, info)
         if fname == 'JNI_OnLoad':
             apply_load_unload(ea, True)
             succ += 1
         if fname == 'JNI_OnUnload':
             apply_load_unload(ea, False)
             succ += 1
     idaapi.info('JNI functions loaded, {} success. {} failed. \n{}'.format(
         succ,
         len(failed),
         '\n'.join(failed)
     ))
     idc.set_ida_state(st)
Beispiel #22
0
    def codeify(self, ea=idc.BADADDR):
        func_count = 0
        code_count = 0

        if ea == idc.BADADDR:
            ea = self.get_start_ea(self.CODE)
            if ea == idc.BADADDR:
                ea = idc.FirstSeg()

        print "\nLooking for undefined code starting at: %s:0x%X" % (
            idc.SegName(ea), ea)

        if self.get_start_ea(self.DATA) == idc.BADADDR:
            print "WARNING: No data segments defined! I don't know where the code segment ends and the data segment begins."

        while ea != idc.BADADDR:
            try:
                if idc.GetSegmentAttr(ea, idc.SEGATTR_TYPE) == self.CODE:
                    if idc.GetFunctionName(ea) != '':
                        ea = idc.FindFuncEnd(ea)
                        continue
                    else:
                        if idc.MakeFunction(ea):
                            func_count += 1
                        elif idc.MakeCode(ea):
                            code_count += 1
            except:
                pass

            ea = idc.NextAddr(ea)

        print "Created %d new functions and %d new code blocks\n" % (
            func_count, code_count)
Beispiel #23
0
def get_flow_to_name(name):
	global idx
	mflow_addrs = []
	mflow_names = []
	print "In call %x Name: %s"%(idx,name)
	idx+=1
	for flow in get_name_flow_info(name):
		print flow
		a2a = get_addr_to_addr(flow)
		n2n = get_name_to_name(flow)
		src = a2a.split()[0].strip()
		# arrows at 1
		dst = a2a.split()[2].strip()
		sname = idc.GetFunctionName(int(src,16))
		print "Obtaining flow information for: ", sname
		flow_addrs, flow_names = get_flow_to_name(sname)
		print "Obatained the following flow info for %s: %s"%(sname,str(flow_names))
		if len(flow_addrs) == 0:
			mflow_addrs.append(a2a)
		if len(flow_names) == 0:
			mflow_names.append(n2n)
		for i in flow_addrs:
			mflow_addrs.append(i + " ==> " + a2a)
		for i in flow_names:
			mflow_names.append(i + " ==> " + n2n)
	idx -= 1
	return [i for i in set(mflow_addrs)], [i for i in set(mflow_names)]
Beispiel #24
0
    def codeify(self, ea=idc.BADADDR):
        func_count = 0
        code_count = 0

        if ea == idc.BADADDR:
            ea = self.get_start_ea(self.CODE)
            if ea == idc.BADADDR:
                ea = idc.FirstSeg()

        self.say("\nLooking for undefined code starting at: %s:0x%X" %
                 (idc.SegName(ea), ea))

        while ea != idc.BADADDR:
            try:
                if idc.GetSegmentAttr(ea, idc.SEGATTR_TYPE) == self.CODE:
                    if idc.GetFunctionName(ea) != '':
                        ea = idc.FindFuncEnd(ea)
                        continue
                    else:
                        if idc.MakeFunction(ea):
                            func_count += 1
                        elif idc.MakeCode(ea):
                            code_count += 1
            except:
                pass

            ea = idc.NextAddr(ea)

        self.say("Created %d new functions and %d new code blocks\n" %
                 (func_count, code_count))
Beispiel #25
0
def push_comms():
    global skel_conn
    commBL = [
        "size_t", "int", "LPSTR", "char", "char *", "lpString", "unsigned int",
        "void *", "indirect table for switch statement", "this",
        "jump table for switch statement", "switch jump"
    ]
    for i in range(idc.MinEA(), idc.MaxEA()):
        if idc.GetCommentEx(
                i, 0) is not None and not idc.GetCommentEx(i, 0) in commBL:
            if not skel_conn.push_comment(i, idc.GetCommentEx(i, 0)):
                return -1
        elif idc.GetCommentEx(
                i, 1) is not None and not idc.GetCommentEx(i, 1) in commBL:
            if not skel_conn.push_comment(i, idc.GetCommentEx(i, 1)):
                return -1
    for function_ea in idautils.Functions(idc.MinEA(), idc.MaxEA()):
        fName = idc.GetFunctionName(function_ea)
        if hasSubNoppedPrefix(fName) is False:
            if not skel_conn.push_name(function_ea, fName):
                g_logger.error("Error sending function name %s" % (fName))
        # if idc.GetFunctionCmt(function_ea,0) != "":
        #    push_change("idc.SetFunctionCmt",shex(function_ea),idc.GetFunctionCmt(i,0))
        # elif idc.GetFunctionCmt(function_ea,1) != "":
        #    push_change("idc.SetFunctionCmt",shex(function_ea),idc.GetFunctionCmt(function_ea,1))
    return
    def PrintMsrTable(self, msr_code, function_ea, inst_ea):
        mnemonic = idc.GetMnem(inst_ea)
        call_addr = self.GetJumpAddr(inst_ea, function_ea)
        function_name = idc.GetFunctionName(function_ea) + '+' + call_addr
        dwSize = 30 - len(function_name)
        delimeter = " " * dwSize

        if (msr_code == None):
            msr_code_hex = 'Not imm value'
        else:
            msr_code_hex = self.NormalizeHexValue(msr_code)

        if (msr_code == None):
            msr_name = msr_code_hex
        else:
            msr_name = msr_list.get(int(msr_code_hex, 16))

        idc.MakeComm(inst_ea, '{}({})'.format(mnemonic, msr_name))
        idc.SetColor(inst_ea, idc.CIC_ITEM, 0xf8abef)

        msr_name_delimeter = (" " * (15 - len(msr_code_hex)))

        print '{}{}| {} | {} {} | {}'.format(function_name, delimeter,
                                             mnemonic, msr_code_hex,
                                             msr_name_delimeter, msr_name)
Beispiel #27
0
    def Create(self):
        ea = ScreenEA()
        if not idaapi.simplecustviewer_t.Create(self, '%s - Nao' % (idc.GetFunctionName(ea))):
            return False
        self.instruction_list = idautils.GetInstructionList()
        self.instruction_list.extend(['ret'])
        self.register_list = idautils.GetRegisterList()
        self.register_list.extend(['r8l', 'r9l', 'r10l', 'r11l', 'r12l', 'r13l', 'r14l', 'r15l',
                                   'r8w', 'r9w', 'r10w', 'r11w', 'r12w', 'r13w', 'r14w', 'r15w',
                                   'r8d', 'r9d', 'r10d', 'r11d', 'r12d', 'r13d', 'r14d', 'r15d',
                                   'eax', 'ebx', 'ecx', 'edx', 'edi', 'esi', 'ebp', 'esp', 
                                   'rax', 'rbx', 'rcx', 'rdx', 'rdi', 'rsi', 'rbp', 'rsp'])

        f = idaapi.get_func(ea)
        self.fc = idaapi.FlowChart(f)
        self.block_list = []
        for block in self.fc:
            self.block_list.append(format(block.startEA, 'x').upper())

        self.load(ea)

        action_desc = idaapi.action_desc_t(
            'nao:jump',     # The action name.
            'Jump',         # The action text.
            JumpHandler(self),  # The action handler.
            '',             # Optional: the action shortcut
            '',             # Optional: the action tooltip (available in menus/toolbar)
            )               # Optional: the action icon (shows when in menus/toolbars) use numbers 1-255
        idaapi.register_action(action_desc)
        idaapi.attach_action_to_popup(self.GetWidget(), None, 'nao:jump', None)
        return True
Beispiel #28
0
    def load_crash_report(self, log_file):
        with open(log_file, 'r') as f:
            log = f.read()

        traceback = process_stack_trace(log)

        self.log_txt.setText(log)

        self.stack_trace_table.clear()
        self.stack_trace_table.setHorizontalHeaderLabels(
            ["Address", "Function"])
        self.stack_trace_table.setRowCount(len(traceback))
        for i, addr in enumerate(traceback):
            func_name = idc.GetFunctionName(addr)
            func_name_demangled = idc.Demangle(
                func_name, idc.GetLongPrm(idc.INF_SHORT_DN))
            if func_name_demangled is not None:
                func_name = func_name_demangled
            self.stack_trace_table.setRowHeight(i, 20)
            self.stack_trace_table.setItem(
                i, 0, QtWidgets.QTableWidgetItem("0x{:016x}".format(addr)))
            self.stack_trace_table.setItem(
                i, 1, QtWidgets.QTableWidgetItem(func_name))

        self.log_txt.setEnabled(True)
        self.stack_trace_table.setEnabled(True)
Beispiel #29
0
def _split_basic_block(start_ea, end_ea):
    """
    IDA Pro's ``idaapi.Flowchart`` does not consider function calls as basic
    block boundaries. This function takes an address range and splits the
    basic blocks found within that range so that function calls are considered
    basic block boundaries.
    """
    split_bbs = []
    func_name = idc.GetFunctionName(start_ea)
    demangled_name = idc.Demangle(func_name, idc.GetLongPrm(idc.INF_SHORT_DN))
    if demangled_name:
        func_name = demangled_name

    bb_start_addr = start_ea
    block = idautils.Heads(start_ea, end_ea)

    for inst in block:
        mnem = idc.GetMnem(inst)
        if mnem == 'call' and inst != end_ea:
            split_bbs.append(
                dict(start_addr=bb_start_addr,
                     end_addr=idc.NextHead(inst, end_ea + 1) - 1,
                     function=func_name))
            bb_start_addr = idc.NextHead(inst, end_ea + 1)

    if bb_start_addr < end_ea:
        split_bbs.append(
            dict(start_addr=bb_start_addr,
                 end_addr=end_ea - 1,
                 function=func_name))

    return split_bbs
Beispiel #30
0
def log_stack_chains(chains):

    f = open("%s/%s" % (LOG_PATH, "stack_chains"), "wb")

    long_chains = 0

    for c in chains:
        if len(c) > 3:
            long_chains += 1
        for a in c:
            if type(a) == type("x"):
                s = a
            else:
                s = "[0x%08x] %s+0x%x" % (a, str(idc.GetFunctionName(
                    Dword(a))), Dword(a) - idaapi.get_func(Dword(a)).startEA)

            #print s
            f.write(s)
            f.write("\n")
        f.write("\n")

    print "%d chains found" % len(chains)
    print "%d long chains" % long_chains

    f.close()