def LoadSavedAssemblers(seg_ea=None): assemblers = {} opty_dir = idc.GetIdbPath() opty_dir = opty_dir[:opty_dir.rfind( os.sep)] + os.sep + "optimice_%s" % idc.GetInputFile() + os.sep if not os.path.isdir(opty_dir): return None if seg_ea == None: for fname in os.listdir(opty_dir): if re.match(r"Assembler_[0-9ABCDEF]+\.pickle.zlib", fname) != None: seg_ea = re.match(r"Assembler_([0-9ABCDEF]+)\.pickle.zlib", fname).group(1) fp = open(opty_dir + fname, "rb") asm = pickle.loads(zlib.decompress(fp.read())) fp.close() assemblers[seg_ea] = asm else: fname = "Assembler_%08x.pickle.zlib" % (seg_ea) try: fp = open(opty_dir + fname, "r") asm = pickle.loads(zlib.decompress(fp.read())) assemblers[seg_ea] = asm fp.close() except: return None return assemblers
def export(self): image_name = idc.GetInputFile() self.image_base = idaapi.get_imagebase() self.filename = "%s.db" % (image_name) datadir = os.path.join(RECOVERER_PATH, "data") if not os.path.exists(datadir): os.mkdir(datadir) self.filename = os.path.join(datadir, self.filename) if os.path.exists(self.filename): info("File %s exists, overwriting." % (self.filename)) else: info("Creating database at %s." % (self.filename)) self.fd = open(self.filename, "w") self.fd.write("IMAGE_BASE;0x%x\n" % (self.image_base)) self.fd.write("IMAGE_NAME;%s\n" % (image_name)) self.__export_functions__() self.__export_imports__() self.fd.close()
def analysis(): all_funcs = idautils.Functions() overall_addr = dict() for f in all_funcs: f = idaapi.FlowChart(idaapi.get_func(f), flags=idaapi.FC_PREDS) for block in f: if block.startEA > idc.PrevHead(block.endEA): continue key = '' # overall_addr.append(hex(block.startEA)) key += hex(block.startEA) key += ',' key += hex(idc.PrevHead(block.endEA)) sus_addr = list() successor = block.succs() for addr in successor: sus_addr.append(hex(addr.startEA)) overall_addr[key] = sus_addr filename = idc.GetInputFile() + "_cfg" with open(filename, 'w') as f: json.dump(overall_addr, f)
def OnEditLine(self, n): #this is "Delete Segment" ans = idaapi.askyn_c( 1, "HIDECANCEL\nAre you sure you want to delete segment and all optimized data from disk?" ) if ans == 1: opty_dir = idc.GetIdbPath() opty_dir = opty_dir[:opty_dir.rfind( os.sep)] + os.sep + "optimice_%s" % idc.GetInputFile() print opty_dir if not os.path.isdir(opty_dir): print ">GUI_FunctionManager:OnEditLine - Error [%s] not a directory!" % opty_dir return 0 shutil.rmtree(opty_dir) print ">GUI_FunctionManager: Optimice directory deleted: [%s]" % opty_dir idc.SegDelete(int(self.items[n][0], 16), 0) print ">GUI_FunctionManager: Optimice segment deleted: [%s]" % self.items[ n][0] self.populate_items() return 0
def inputFile(self): """Return the (full) path of the input file that was used to create the database. Return Value: Path to the input file """ return idc.GetInputFile()
def __init__(self, *args, **kwargs): dict.__init__(self, *args, **kwargs) store = idaapi.netnode(Config().idb_store, 0, True) maze = store.getblob(0, 'N') if maze is None: maze_file = idc.AskFile(0, '*.json', 'Select the Maze...') if maze_file: with open(maze_file, 'r') as fd: ma_id = int(idc.GetInputFile().split('_')[1], 10) blob = fd.read() maze = json.loads(blob) for i in range(len(maze["mem_areas"])): if maze["mem_areas"][i]["id"] == ma_id: del maze["mem_areas"][0:i] del maze["mem_areas"][1:] break self.update(maze) CallAsPushAnalysis.Analyze(self) self.__mark_bbls() self.__mark_calls() blob = json.dumps(maze) store.setblob(blob, 0, "N") else: self.update(json.loads(maze)) self.__create_luts()
def OnCreate(self, form): """ Called when the plugin form is created """ # Initalize Data exename = idc.GetInputFile() path = os.path.dirname(idc.GetInputFilePath()) filename = os.path.join(path, exename) if False: self.infoparser = InfoParser(infoname) self.infoparser.load() self.flamegraph = FlameGraphReader(filename) self.flamegraph.parse() if False: self.infoparser.flow() self.canvas = None # Get parent widget self.parent = self.FormToPyQtWidget(form) self.PopulateForm() drawing = Drawing(self.flamegraph) for idx in xrange(0, len(self.flamegraph.roots)): root = self.flamegraph.roots[idx] self._combobox.addItem("%d: %x" % (idx, root['size']), idx) if drawing.activeIndex is None: drawing.activeIndex = idx self.canvas.setDrawing(drawing)
def save_results(lists_of_instr, list_of_func_names): ''' The function saves results in a file @list_of_instr - a list of instructions to save_results @list_of_func_name - a list of functions names to save ''' one_file = "sysdlls_instr_to_instrument.txt" analyzed_file = idc.GetInputFile() analyzed_file = analyzed_file.replace(".", "_") current_time = strftime("%Y-%m-%d_%H-%M-%S") file_name = WINHE_RESULTS_DIR + "\\" + one_file file_log = WINHE_RESULTS_DIR + "\\" + analyzed_file + "_" + current_time + ".txt" file = open(file_name, 'a') log = open(file_log, 'w') analyzed_file = analyzed_file.lower() list_of_instr = get_unique(lists_of_instr) for instr in list_of_instr: file.write(idaapi.get_input_file_path().lower() + "!" + str(instr) + "\n") log.write(str(len(list_of_func_names)) + "\n") for name in list_of_func_names: log.write(name + "\n") file.close() log.close()
def __init__(self, **kwargs): super(AddFileDialog, self).__init__(title="Add File", **kwargs) name = idc.GetInputFile() md5hash = idc.GetInputMD5() layout = QtWidgets.QGridLayout() layout.addWidget(QtWidgets.QLabel("Project:"), 0, 0) layout.addWidget(QtWidgets.QLabel("File name:"), 1, 0) layout.addWidget(QtWidgets.QLabel("Description:"), 2, 0) layout.addWidget(QtWidgets.QLabel("MD5 hash:"), 3, 0) self.project_cbb = widgets.QItemSelect('projects') layout.addWidget(self.project_cbb, 0, 1) self.name_txt = QtWidgets.QLineEdit() self.name_txt.setText(name) layout.addWidget(self.name_txt, 1, 1) self.description_txt = QtWidgets.QTextEdit() layout.addWidget(self.description_txt, 2, 1) layout.addWidget(QtWidgets.QLabel(md5hash), 3, 1) self.base_layout.addLayout(layout) self.shareidbCkb = QtWidgets.QCheckBox("Share IDB (let others without " "the idb to participate)") self.base_layout.addWidget(self.shareidbCkb) self.bottom_layout(ok_text="&Add")
def main(): disas_path = idc.AskFile(1, '*.disas', 'Save basic blocks') do_exit = False if not disas_path: basename = idc.GetInputFile() disas_path = '%s.disas' % basename idc.GenerateFile(idc.OFILE_ASM, '%s.asm' % basename, 0, idc.BADADDR, 0) idc.GenerateFile(idc.OFILE_LST, '%s.lst' % basename, 0, idc.BADADDR, 0) do_exit = True # Get basic blocks bbs = _get_basic_blocks() # Get the module's base address base_addr = idaapi.get_imagebase() # Get the module's end address segs = sorted(idautils.Segments()) end_addr = idc.SegEnd(segs[-1]) disas_info = { 'bbs': bbs, 'base_addr': base_addr, 'end_addr': end_addr, } with open(disas_path, 'w') as disas_file: json.dump(disas_info, disas_file) if do_exit: idc.Exit(0)
def activate(self, ctx): if ctypes.windll.shell32.IsUserAnAdmin() == 0: print "Admin privileges required" return name = idc.GetInputFile().split('.')[0] driver = driverlib.Driver(idc.GetInputFilePath(), name) loaded = driver.load() started = driver.start()
def exportLib(self, **kwargs): file = os.path.splitext(idc.GetInputFile())[0] path = os.path.split(idc.GetIdbPath())[0] idapath = idc.GetIdaDirectory() tilname = os.path.join(path, file + ".til") outfile = os.path.join(idapath, 'til', 'pc', file + ".til") shutil.copy(tilname, outfile) os.system(os.path.join(idapath, "tilib64.exe") + " -#- " + outfile)
def CopyEA(): myModuleName = idc.GetInputFile() MyModuleShortName = re.sub(r'\.[^.]*$', '', myModuleName) myModuleBase = idaapi.get_imagebase() myOffset = idc.ScreenEA() - myModuleBase pasteStr = "bp !%s + 0x%x" % (MyModuleShortName, myOffset) print pasteStr Paste(pasteStr)
def search(): """ Attempts to find potential device names in the currently opened binary, it starts by searching for Unicode device names, if this fails then it utilises FLOSS to search for stack based and obfuscated strings. """ if not find_unicode_device_name(): print( "Unicode device name not found, attempting to find obfuscated and stack based strings." ) try: import floss import floss.identification_manager import floss.main import floss.stackstrings import viv_utils except ImportError: print( "Please install FLOSS to continue, see: https://github.com/fireeye/flare-floss/" ) return logging.basicConfig( ) #To avoid logger handler not found errors, from https://github.com/fireeye/flare-floss/blob/66f67a49a38ae028a5e86f1de743c384d5271901/scripts/idaplugin.py#L154 logging.getLogger('vtrace.platforms.win32').setLevel(logging.ERROR) sample_file_path = idc.GetInputFile() try: vw = viv_utils.getWorkspace(sample_file_path, should_save=False) except Exception as e: print("Vivisect failed to load the input file: {0}".format( e.message)) return functions = set(vw.getFunctions()) plugins = floss.main.get_all_plugins() device_names = set() stack_strings = floss.stackstrings.extract_stackstrings(vw, functions, 4, no_filter=True) for i in stack_strings: device_names.add(i) dec_func_candidates = floss.identification_manager.identify_decoding_functions( vw, plugins, functions) decoded_strings = floss.main.decode_strings(vw, dec_func_candidates, 4, no_filter=True) if len(decoded_strings) > 0: for i in decoded_strings: device_names.add(str(i.s)) print("Potential device names from obfuscated or stack strings:") for i in device_names: print(i) else: print("No obfuscated or stack strings found :(")
def CopyEA(): myModuleName = idc.GetInputFile() MyModuleShortName = re.sub(r'\.[^.]*$','',myModuleName) myModuleBase = idaapi.get_imagebase() myOffset = idc.ScreenEA() - myModuleBase clippy = QtGui.QClipboard() pasteStr = "bp !%s + 0x%x" % (MyModuleShortName, myOffset) print pasteStr clippy.setText(pasteStr)
def rizzo_produce(self, arg): fname = idc.AskFile(1, idc.GetInputFile() + ".riz", "Save signature file as") if fname: if '.' not in fname: fname += ".riz" RizzoBuild(fname) return None
def backup_database(): """ Backup the database to a file similar to IDA's snapshot function. """ time_string = strftime('%Y%m%d%H%M%S') file = idc.GetInputFile() if not file: raise NoInputFileException('No input file provided') input_file = rsplit(file, '.', 1)[0] backup_file = '%s_%s.idb' % (input_file, time_string) g_logger.info('Backing up database to file ' + backup_file) idc.SaveBase(backup_file, idaapi.DBFL_BAK)
def main(): info("Showing number of tainted hit per image.") # filename = idaapi.askfile_c(0, "pintool.log", "Trace file to load.") filename = """/Users/anon/workspace/instrumentation/CodeCoverage/trace.log""" if filename is None: info("Aborting ...") return # Get loaded binary name image_name = idc.GetInputFile().lower() info("IDB binary name '%s'" % image_name) # Get the image base image_base = idaapi.get_imagebase() info("IDB binary base 0x%.16x" % image_base) # Load the trace file. trace = TraceReader(filename) trace.parse(match_events="HL") # The IDB matches one and only one loaded image. Find it. traced_image = None for image in trace.getLoadedImages(): if image_name.lower() in os.path.basename(image.name).lower(): traced_image = image break if not traced_image: info("Error, could not find the traced image '%s' in the list of loaded images." % image_name) return set() # Collect all the hits that belong to the ida database. hits = set(filter(lambda x: traced_image.contains(x.address), trace.getBasicBlockHits())) hits = set(map(lambda x: image_base + traced_image.get_offset(x.address), hits)) reached_functions = set() for hit in hits: f = idaapi.get_func(hit) if f: if f.startEA in reached_functions: continue info("Reached -> %s" % (GetFunctionName(f.startEA))) reached_functions.add(f.startEA) if idaapi.askyn_c(1, "Do you want to mark all the FUNCTIONS reached?") == 1: FUNCTION_COLOR = rgb_to_bgr(0xBCF5D1) for function in reached_functions: SetFunctionColor(function, FUNCTION_COLOR) if idaapi.askyn_c(0, "Do you want to mark all the BASIC BLOCKS reached?") == 1: BBLOCK_COLOR = rgb_to_bgr(0xf2ddda) for hit in hits: SetBasicBlockColor(hit, BBLOCK_COLOR)
def main(): info("Showing number of tainted hit per image.") # filename = idaapi.askfile_c(0, "pintool.log", "Trace file to load.") filename = """/Users/anon/workspace/instrumentation/Pinnacle/taint.log""" if filename is None: info("Aborting ...") return # Get loaded binary name image_name = idc.GetInputFile().lower() info("IDB binary name '%s'" % image_name) # Get the image base image_base = idaapi.get_imagebase() info("IDB binary base 0x%.16x" % image_base) # Load the trace file. trace = TraceReader(filename) trace.parse(match_events="TL") # The IDB matches one and only one loaded image. Find it. traced_image = None for image in trace.getLoadedImages(): if image_name.lower() in os.path.basename(image.name).lower(): traced_image = image break if not traced_image: info( "Error, could not find the traced image '%s' in the list of loaded images." % image_name) return set() # Collect all the hits that belong to the ida database. hits = set( filter(lambda x: traced_image.contains(x.address), trace.getTaintedInstructions())) hits = set( map(lambda x: image_base + traced_image.get_offset(x.address), hits)) for hit in hits: SetInstructionColor(hit, TAINTED_COLOR) reached_functions = set() for hit in filter(lambda x: traced_image.contains(x.address), trace.getTaintedInstructions()): f = idaapi.get_func(hit.address) if f: if f.startEA in reached_functions: continue info("Reached -> 0x%.16x : %s " % (f.startEA, GetFunctionName(f.startEA))) reached_functions.add(f.startEA)
def copy_to_clipboard(addr): name = os.path.splitext(idc.GetInputFile())[0] f = "{:s}+{:x}".format(name, addr) r = Tkinter.Tk() r.withdraw() r.clipboard_clear() r.clipboard_append("{:s}".format(f)) r.update() r.destroy() print("[+] Copied {:s}".format(f)) return
def init(self): self.hook = None if not ".mp.dll" in idc.GetInputFile( ) or idaapi.ph_get_id() != idaapi.PLFM_386: return idaapi.PLUGIN_SKIP print "\n\n-->MsMpEng apicall x86 Parser Invoked!\n\n" self.hook = parse_apicall_hook() self.hook.hook() return idaapi.PLUGIN_KEEP
def get_define(ioctl_code): """Decodes an ioctl code and returns a C define for it using the CTL_CODE macro""" function = get_function(ioctl_code) device_name, device_code = get_device(ioctl_code) method_name, method_code = get_method(ioctl_code) access_name, access_code = get_access(ioctl_code) name = "%s_0x%08X" % (idc.GetInputFile().split('.')[0], ioctl_code) return "#define %s CTL_CODE(0x%X, 0x%X, %s, %s)" % ( name, device_code, function, method_name, access_name)
def get_unicode_device_names(): path = idc.GetInputFile() min_length = 4 possible_names = set() with open(path, "rb") as f: b = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) for s in extract_unicode_strings(b, n=min_length): if str(s.s).startswith('\\Device\\'): possible_names.add(str(s.s)) return possible_names
def export(self, filename='', type='LIST'): if filename == '': filename = idc.GetInputFile() + ".lst" tmp_filename = 'tmp.lst' idc.GenerateFile(idc.OFILE_LST, tmp_filename, 0, idc.BADADDR, 0) rfd = open(tmp_filename, 'r') fd = open(filename, 'a') fd.write(rfd.read()) rfd.close() fd.close()
def __init__(self, real_dir): super(Plugin, self).__init__() self.tools = include.helper.Tools(self) self.config_main = ConfigParser.ConfigParser() self.config_theme = ConfigParser.ConfigParser() self._bin_md5 = idc.GetInputMD5() self._bin_name = re.sub(r'\.[^.]*$', '', idc.GetInputFile()) self._read_config(real_dir) self.gui = None self.parser = None
def init_sample_id(self): """ test if the remote sample exists, if not, we upload it """ if self.sample_id is None: self.sample_id = self.get_sample_id() if not self.sample_id: g_logger.warning("Sample not found on server, uploading it") self.send_sample(open(idc.GetInputFile(), 'rb')) self.sample_id = self.get_sample_id() g_logger.info("Sample ID: %d", self.sample_id)
def save_instrumented(list_of_addr, is_silent): dll_name = idc.GetInputFile() dll_name = dll_name[:dll_name.find(".")] dll_name = dll_name + "!" print dll_name if is_silent == SILENT: current_time = strftime("%Y-%m-%d_%H-%M-%S") analyzed_file = idc.GetInputFile() analyzed_file = analyzed_file.replace(".", "_") file_name = analyzed_file + "_" + current_time + ".txt" else: file_name = AskFile(1, "dllcode.in", "Please specify a file to save results.") if file_name == -1: return 0 file = open(file_name, 'w') for sublist in list_of_addr: for addr in sublist: #print addr file.write(dll_name + addr + "\n") file.close()
def SaveState(self): opty_dir = idc.GetIdbPath() opty_dir = opty_dir[:opty_dir.rfind(os.sep)] + os.sep + "optimice_%s" % idc.GetInputFile() if not os.path.isdir(opty_dir): os.mkdir(opty_dir) save_fname = "%s%sAssembler_%08x.pickle.zlib" % (opty_dir, os.sep, self.segment_start) fw = open(save_fname, "wb+") s1 = pickle.dumps(self) fw.write(zlib.compress(s1)) fw.close() print ">Assembler:SaveState - File [%s] saved" % (save_fname)
def get_unicode_device_names(): """Returns all Unicode strings within the binary currently being analysed in IDA which might be device names""" path = idc.GetInputFile() min_length = 4 possible_names = set() with open(path, "rb") as f: b = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) for s in extract_unicode_strings(b, n=min_length): s_str = str(s.s) if s_str.startswith('\\Device\\') or s_str.startswith('\\DosDevices\\'): possible_names.add(str(s.s)) return possible_names
def getProcessInfo(self): #Get basic information from the file being Debugged idainfo = idaapi.get_inf_structure() #Get the name of the input file we want to trace app_name = idc.GetInputFile() Print ("The input file is %s" % app_name ) #Check to see what type of file we're tracing #And set up the proper debugger and input monitor if idainfo.filetype == idaapi.f_PE: Print ("Windows PE file" ) os_type = "windows" elif idainfo.filetype == idaapi.f_MACHO: Print ("Mac OSX Macho file") os_type = "macosx" #debugger = "macosx" #checkInput = InputMonitor.checkMacLibs elif idainfo.filetype == idaapi.f_ELF: Print ("Linux ELF file") os_type = "linux" #debugger = "linux" #checkInput = InputMonitor.checkLinuxLibs else: Print ("Unknown binary, unable to debug") return None #Check the debugged executable if its 32 or 64bit if idainfo.is_64bit(): Print("This binary is 64 bit") os_arch = "64" elif idainfo.is_32bit(): Print( "This binary is 32 bit" ) os_arch = "32" else: Print( "Bad binary. ARM processor?" ) os_arch = "ARM" #Get the file type for the executable being debugger fileType = idaapi.get_file_type_name() #For ARM libraries returns 'ELF for ARM (Shared object) Print( fileType ) return (app_name,os_type,os_arch)