def LoadSavedAssemblers(seg_ea=None):
assemblers = {}
opty_dir = idc.GetIdbPath()
opty_dir = opty_dir[:opty_dir.rfind(
os.sep)] + os.sep + "optimice_%s" % idc.GetInputFile() + os.sep
if not os.path.isdir(opty_dir):
return None
if seg_ea == None:
for fname in os.listdir(opty_dir):
if re.match(r"Assembler_[0-9ABCDEF]+\.pickle.zlib", fname) != None:
seg_ea = re.match(r"Assembler_([0-9ABCDEF]+)\.pickle.zlib",
fname).group(1)
fp = open(opty_dir + fname, "rb")
asm = pickle.loads(zlib.decompress(fp.read()))
fp.close()
assemblers[seg_ea] = asm
else:
fname = "Assembler_%08x.pickle.zlib" % (seg_ea)
try:
fp = open(opty_dir + fname, "r")
asm = pickle.loads(zlib.decompress(fp.read()))
assemblers[seg_ea] = asm
fp.close()
except:
return None
return assemblers
def export(self):
image_name = idc.GetInputFile()
self.image_base = idaapi.get_imagebase()
self.filename = "%s.db" % (image_name)
datadir = os.path.join(RECOVERER_PATH, "data")
if not os.path.exists(datadir):
os.mkdir(datadir)
self.filename = os.path.join(datadir, self.filename)
if os.path.exists(self.filename):
info("File %s exists, overwriting." % (self.filename))
else:
info("Creating database at %s." % (self.filename))
self.fd = open(self.filename, "w")
self.fd.write("IMAGE_BASE;0x%x\n" % (self.image_base))
self.fd.write("IMAGE_NAME;%s\n" % (image_name))
self.__export_functions__()
self.__export_imports__()
self.fd.close()
def analysis():
all_funcs = idautils.Functions()
overall_addr = dict()
for f in all_funcs:
f = idaapi.FlowChart(idaapi.get_func(f), flags=idaapi.FC_PREDS)
for block in f:
if block.startEA > idc.PrevHead(block.endEA):
continue
key = ''
# overall_addr.append(hex(block.startEA))
key += hex(block.startEA)
key += ','
key += hex(idc.PrevHead(block.endEA))
sus_addr = list()
successor = block.succs()
for addr in successor:
sus_addr.append(hex(addr.startEA))
overall_addr[key] = sus_addr
filename = idc.GetInputFile() + "_cfg"
with open(filename, 'w') as f:
json.dump(overall_addr, f)
def OnEditLine(self, n):
#this is "Delete Segment"
ans = idaapi.askyn_c(
1,
"HIDECANCEL\nAre you sure you want to delete segment and all optimized data from disk?"
)
if ans == 1:
opty_dir = idc.GetIdbPath()
opty_dir = opty_dir[:opty_dir.rfind(
os.sep)] + os.sep + "optimice_%s" % idc.GetInputFile()
print opty_dir
if not os.path.isdir(opty_dir):
print ">GUI_FunctionManager:OnEditLine - Error [%s] not a directory!" % opty_dir
return 0
shutil.rmtree(opty_dir)
print ">GUI_FunctionManager: Optimice directory deleted: [%s]" % opty_dir
idc.SegDelete(int(self.items[n][0], 16), 0)
print ">GUI_FunctionManager: Optimice segment deleted: [%s]" % self.items[
n][0]
self.populate_items()
return 0
def inputFile(self):
"""Return the (full) path of the input file that was used to create the database.
Return Value:
Path to the input file
"""
return idc.GetInputFile()
def __init__(self, *args, **kwargs):
dict.__init__(self, *args, **kwargs)
store = idaapi.netnode(Config().idb_store, 0, True)
maze = store.getblob(0, 'N')
if maze is None:
maze_file = idc.AskFile(0, '*.json', 'Select the Maze...')
if maze_file:
with open(maze_file, 'r') as fd:
ma_id = int(idc.GetInputFile().split('_')[1], 10)
blob = fd.read()
maze = json.loads(blob)
for i in range(len(maze["mem_areas"])):
if maze["mem_areas"][i]["id"] == ma_id:
del maze["mem_areas"][0:i]
del maze["mem_areas"][1:]
break
self.update(maze)
CallAsPushAnalysis.Analyze(self)
self.__mark_bbls()
self.__mark_calls()
blob = json.dumps(maze)
store.setblob(blob, 0, "N")
else:
self.update(json.loads(maze))
self.__create_luts()
def OnCreate(self, form):
"""
Called when the plugin form is created
"""
# Initalize Data
exename = idc.GetInputFile()
path = os.path.dirname(idc.GetInputFilePath())
filename = os.path.join(path, exename)
if False:
self.infoparser = InfoParser(infoname)
self.infoparser.load()
self.flamegraph = FlameGraphReader(filename)
self.flamegraph.parse()
if False:
self.infoparser.flow()
self.canvas = None
# Get parent widget
self.parent = self.FormToPyQtWidget(form)
self.PopulateForm()
drawing = Drawing(self.flamegraph)
for idx in xrange(0, len(self.flamegraph.roots)):
root = self.flamegraph.roots[idx]
self._combobox.addItem("%d: %x" % (idx, root['size']), idx)
if drawing.activeIndex is None: drawing.activeIndex = idx
self.canvas.setDrawing(drawing)
def save_results(lists_of_instr, list_of_func_names):
''' The function saves results in a file
@list_of_instr - a list of instructions to save_results
@list_of_func_name - a list of functions names to save
'''
one_file = "sysdlls_instr_to_instrument.txt"
analyzed_file = idc.GetInputFile()
analyzed_file = analyzed_file.replace(".", "_")
current_time = strftime("%Y-%m-%d_%H-%M-%S")
file_name = WINHE_RESULTS_DIR + "\\" + one_file
file_log = WINHE_RESULTS_DIR + "\\" + analyzed_file + "_" + current_time + ".txt"
file = open(file_name, 'a')
log = open(file_log, 'w')
analyzed_file = analyzed_file.lower()
list_of_instr = get_unique(lists_of_instr)
for instr in list_of_instr:
file.write(idaapi.get_input_file_path().lower() + "!" + str(instr) +
"\n")
log.write(str(len(list_of_func_names)) + "\n")
for name in list_of_func_names:
log.write(name + "\n")
file.close()
log.close()
def __init__(self, **kwargs):
super(AddFileDialog, self).__init__(title="Add File", **kwargs)
name = idc.GetInputFile()
md5hash = idc.GetInputMD5()
layout = QtWidgets.QGridLayout()
layout.addWidget(QtWidgets.QLabel("Project:"), 0, 0)
layout.addWidget(QtWidgets.QLabel("File name:"), 1, 0)
layout.addWidget(QtWidgets.QLabel("Description:"), 2, 0)
layout.addWidget(QtWidgets.QLabel("MD5 hash:"), 3, 0)
self.project_cbb = widgets.QItemSelect('projects')
layout.addWidget(self.project_cbb, 0, 1)
self.name_txt = QtWidgets.QLineEdit()
self.name_txt.setText(name)
layout.addWidget(self.name_txt, 1, 1)
self.description_txt = QtWidgets.QTextEdit()
layout.addWidget(self.description_txt, 2, 1)
layout.addWidget(QtWidgets.QLabel(md5hash), 3, 1)
self.base_layout.addLayout(layout)
self.shareidbCkb = QtWidgets.QCheckBox("Share IDB (let others without "
"the idb to participate)")
self.base_layout.addWidget(self.shareidbCkb)
self.bottom_layout(ok_text="&Add")
def main():
disas_path = idc.AskFile(1, '*.disas', 'Save basic blocks')
do_exit = False
if not disas_path:
basename = idc.GetInputFile()
disas_path = '%s.disas' % basename
idc.GenerateFile(idc.OFILE_ASM, '%s.asm' % basename, 0, idc.BADADDR, 0)
idc.GenerateFile(idc.OFILE_LST, '%s.lst' % basename, 0, idc.BADADDR, 0)
do_exit = True
# Get basic blocks
bbs = _get_basic_blocks()
# Get the module's base address
base_addr = idaapi.get_imagebase()
# Get the module's end address
segs = sorted(idautils.Segments())
end_addr = idc.SegEnd(segs[-1])
disas_info = {
'bbs': bbs,
'base_addr': base_addr,
'end_addr': end_addr,
}
with open(disas_path, 'w') as disas_file:
json.dump(disas_info, disas_file)
if do_exit:
idc.Exit(0)
def activate(self, ctx):
if ctypes.windll.shell32.IsUserAnAdmin() == 0:
print "Admin privileges required"
return
name = idc.GetInputFile().split('.')[0]
driver = driverlib.Driver(idc.GetInputFilePath(), name)
loaded = driver.load()
started = driver.start()
def exportLib(self, **kwargs):
file = os.path.splitext(idc.GetInputFile())[0]
path = os.path.split(idc.GetIdbPath())[0]
idapath = idc.GetIdaDirectory()
tilname = os.path.join(path, file + ".til")
outfile = os.path.join(idapath, 'til', 'pc', file + ".til")
shutil.copy(tilname, outfile)
os.system(os.path.join(idapath, "tilib64.exe") + " -#- " + outfile)
def CopyEA():
myModuleName = idc.GetInputFile()
MyModuleShortName = re.sub(r'\.[^.]*$', '', myModuleName)
myModuleBase = idaapi.get_imagebase()
myOffset = idc.ScreenEA() - myModuleBase
pasteStr = "bp !%s + 0x%x" % (MyModuleShortName, myOffset)
print pasteStr
Paste(pasteStr)
def search():
"""
Attempts to find potential device names in the currently opened binary, it starts by searching for Unicode device names,
if this fails then it utilises FLOSS to search for stack based and obfuscated strings.
"""
if not find_unicode_device_name():
print(
"Unicode device name not found, attempting to find obfuscated and stack based strings."
)
try:
import floss
import floss.identification_manager
import floss.main
import floss.stackstrings
import viv_utils
except ImportError:
print(
"Please install FLOSS to continue, see: https://github.com/fireeye/flare-floss/"
)
return
logging.basicConfig(
) #To avoid logger handler not found errors, from https://github.com/fireeye/flare-floss/blob/66f67a49a38ae028a5e86f1de743c384d5271901/scripts/idaplugin.py#L154
logging.getLogger('vtrace.platforms.win32').setLevel(logging.ERROR)
sample_file_path = idc.GetInputFile()
try:
vw = viv_utils.getWorkspace(sample_file_path, should_save=False)
except Exception as e:
print("Vivisect failed to load the input file: {0}".format(
e.message))
return
functions = set(vw.getFunctions())
plugins = floss.main.get_all_plugins()
device_names = set()
stack_strings = floss.stackstrings.extract_stackstrings(vw,
functions,
4,
no_filter=True)
for i in stack_strings:
device_names.add(i)
dec_func_candidates = floss.identification_manager.identify_decoding_functions(
vw, plugins, functions)
decoded_strings = floss.main.decode_strings(vw,
dec_func_candidates,
4,
no_filter=True)
if len(decoded_strings) > 0:
for i in decoded_strings:
device_names.add(str(i.s))
print("Potential device names from obfuscated or stack strings:")
for i in device_names:
print(i)
else:
print("No obfuscated or stack strings found :(")
def CopyEA(): myModuleName = idc.GetInputFile() MyModuleShortName = re.sub(r'\.[^.]*$','',myModuleName) myModuleBase = idaapi.get_imagebase() myOffset = idc.ScreenEA() - myModuleBase clippy = QtGui.QClipboard() pasteStr = "bp !%s + 0x%x" % (MyModuleShortName, myOffset) print pasteStr clippy.setText(pasteStr)
def rizzo_produce(self, arg):
fname = idc.AskFile(1,
idc.GetInputFile() + ".riz",
"Save signature file as")
if fname:
if '.' not in fname:
fname += ".riz"
RizzoBuild(fname)
return None
def backup_database():
""" Backup the database to a file similar to IDA's snapshot function. """
time_string = strftime('%Y%m%d%H%M%S')
file = idc.GetInputFile()
if not file:
raise NoInputFileException('No input file provided')
input_file = rsplit(file, '.', 1)[0]
backup_file = '%s_%s.idb' % (input_file, time_string)
g_logger.info('Backing up database to file ' + backup_file)
idc.SaveBase(backup_file, idaapi.DBFL_BAK)
def main():
info("Showing number of tainted hit per image.")
# filename = idaapi.askfile_c(0, "pintool.log", "Trace file to load.")
filename = """/Users/anon/workspace/instrumentation/CodeCoverage/trace.log"""
if filename is None:
info("Aborting ...")
return
# Get loaded binary name
image_name = idc.GetInputFile().lower()
info("IDB binary name '%s'" % image_name)
# Get the image base
image_base = idaapi.get_imagebase()
info("IDB binary base 0x%.16x" % image_base)
# Load the trace file.
trace = TraceReader(filename)
trace.parse(match_events="HL")
# The IDB matches one and only one loaded image. Find it.
traced_image = None
for image in trace.getLoadedImages():
if image_name.lower() in os.path.basename(image.name).lower():
traced_image = image
break
if not traced_image:
info("Error, could not find the traced image '%s' in the list of loaded images." % image_name)
return set()
# Collect all the hits that belong to the ida database.
hits = set(filter(lambda x: traced_image.contains(x.address), trace.getBasicBlockHits()))
hits = set(map(lambda x: image_base + traced_image.get_offset(x.address), hits))
reached_functions = set()
for hit in hits:
f = idaapi.get_func(hit)
if f:
if f.startEA in reached_functions:
continue
info("Reached -> %s" % (GetFunctionName(f.startEA)))
reached_functions.add(f.startEA)
if idaapi.askyn_c(1, "Do you want to mark all the FUNCTIONS reached?") == 1:
FUNCTION_COLOR = rgb_to_bgr(0xBCF5D1)
for function in reached_functions:
SetFunctionColor(function, FUNCTION_COLOR)
if idaapi.askyn_c(0, "Do you want to mark all the BASIC BLOCKS reached?") == 1:
BBLOCK_COLOR = rgb_to_bgr(0xf2ddda)
for hit in hits:
SetBasicBlockColor(hit, BBLOCK_COLOR)
def main():
info("Showing number of tainted hit per image.")
# filename = idaapi.askfile_c(0, "pintool.log", "Trace file to load.")
filename = """/Users/anon/workspace/instrumentation/Pinnacle/taint.log"""
if filename is None:
info("Aborting ...")
return
# Get loaded binary name
image_name = idc.GetInputFile().lower()
info("IDB binary name '%s'" % image_name)
# Get the image base
image_base = idaapi.get_imagebase()
info("IDB binary base 0x%.16x" % image_base)
# Load the trace file.
trace = TraceReader(filename)
trace.parse(match_events="TL")
# The IDB matches one and only one loaded image. Find it.
traced_image = None
for image in trace.getLoadedImages():
if image_name.lower() in os.path.basename(image.name).lower():
traced_image = image
break
if not traced_image:
info(
"Error, could not find the traced image '%s' in the list of loaded images."
% image_name)
return set()
# Collect all the hits that belong to the ida database.
hits = set(
filter(lambda x: traced_image.contains(x.address),
trace.getTaintedInstructions()))
hits = set(
map(lambda x: image_base + traced_image.get_offset(x.address), hits))
for hit in hits:
SetInstructionColor(hit, TAINTED_COLOR)
reached_functions = set()
for hit in filter(lambda x: traced_image.contains(x.address),
trace.getTaintedInstructions()):
f = idaapi.get_func(hit.address)
if f:
if f.startEA in reached_functions:
continue
info("Reached -> 0x%.16x : %s " %
(f.startEA, GetFunctionName(f.startEA)))
reached_functions.add(f.startEA)
def copy_to_clipboard(addr):
name = os.path.splitext(idc.GetInputFile())[0]
f = "{:s}+{:x}".format(name, addr)
r = Tkinter.Tk()
r.withdraw()
r.clipboard_clear()
r.clipboard_append("{:s}".format(f))
r.update()
r.destroy()
print("[+] Copied {:s}".format(f))
return
def init(self):
self.hook = None
if not ".mp.dll" in idc.GetInputFile(
) or idaapi.ph_get_id() != idaapi.PLFM_386:
return idaapi.PLUGIN_SKIP
print "\n\n-->MsMpEng apicall x86 Parser Invoked!\n\n"
self.hook = parse_apicall_hook()
self.hook.hook()
return idaapi.PLUGIN_KEEP
def get_define(ioctl_code):
"""Decodes an ioctl code and returns a C define for it using the CTL_CODE macro"""
function = get_function(ioctl_code)
device_name, device_code = get_device(ioctl_code)
method_name, method_code = get_method(ioctl_code)
access_name, access_code = get_access(ioctl_code)
name = "%s_0x%08X" % (idc.GetInputFile().split('.')[0], ioctl_code)
return "#define %s CTL_CODE(0x%X, 0x%X, %s, %s)" % (
name, device_code, function, method_name, access_name)
def get_unicode_device_names():
path = idc.GetInputFile()
min_length = 4
possible_names = set()
with open(path, "rb") as f:
b = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
for s in extract_unicode_strings(b, n=min_length):
if str(s.s).startswith('\\Device\\'):
possible_names.add(str(s.s))
return possible_names
def export(self, filename='', type='LIST'):
if filename == '':
filename = idc.GetInputFile() + ".lst"
tmp_filename = 'tmp.lst'
idc.GenerateFile(idc.OFILE_LST, tmp_filename, 0, idc.BADADDR, 0)
rfd = open(tmp_filename, 'r')
fd = open(filename, 'a')
fd.write(rfd.read())
rfd.close()
fd.close()
def __init__(self, real_dir):
super(Plugin, self).__init__()
self.tools = include.helper.Tools(self)
self.config_main = ConfigParser.ConfigParser()
self.config_theme = ConfigParser.ConfigParser()
self._bin_md5 = idc.GetInputMD5()
self._bin_name = re.sub(r'\.[^.]*$', '', idc.GetInputFile())
self._read_config(real_dir)
self.gui = None
self.parser = None
def init_sample_id(self):
"""
test if the remote sample exists,
if not, we upload it
"""
if self.sample_id is None:
self.sample_id = self.get_sample_id()
if not self.sample_id:
g_logger.warning("Sample not found on server, uploading it")
self.send_sample(open(idc.GetInputFile(), 'rb'))
self.sample_id = self.get_sample_id()
g_logger.info("Sample ID: %d", self.sample_id)
def save_instrumented(list_of_addr, is_silent):
dll_name = idc.GetInputFile()
dll_name = dll_name[:dll_name.find(".")]
dll_name = dll_name + "!"
print dll_name
if is_silent == SILENT:
current_time = strftime("%Y-%m-%d_%H-%M-%S")
analyzed_file = idc.GetInputFile()
analyzed_file = analyzed_file.replace(".", "_")
file_name = analyzed_file + "_" + current_time + ".txt"
else:
file_name = AskFile(1, "dllcode.in",
"Please specify a file to save results.")
if file_name == -1:
return 0
file = open(file_name, 'w')
for sublist in list_of_addr:
for addr in sublist:
#print addr
file.write(dll_name + addr + "\n")
file.close()
def SaveState(self):
opty_dir = idc.GetIdbPath()
opty_dir = opty_dir[:opty_dir.rfind(os.sep)] + os.sep + "optimice_%s" % idc.GetInputFile()
if not os.path.isdir(opty_dir):
os.mkdir(opty_dir)
save_fname = "%s%sAssembler_%08x.pickle.zlib" % (opty_dir, os.sep, self.segment_start)
fw = open(save_fname, "wb+")
s1 = pickle.dumps(self)
fw.write(zlib.compress(s1))
fw.close()
print ">Assembler:SaveState - File [%s] saved" % (save_fname)
def get_unicode_device_names():
"""Returns all Unicode strings within the binary currently being analysed in IDA which might be device names"""
path = idc.GetInputFile()
min_length = 4
possible_names = set()
with open(path, "rb") as f:
b = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
for s in extract_unicode_strings(b, n=min_length):
s_str = str(s.s)
if s_str.startswith('\\Device\\') or s_str.startswith('\\DosDevices\\'):
possible_names.add(str(s.s))
return possible_names
def getProcessInfo(self):
#Get basic information from the file being Debugged
idainfo = idaapi.get_inf_structure()
#Get the name of the input file we want to trace
app_name = idc.GetInputFile()
Print ("The input file is %s" % app_name )
#Check to see what type of file we're tracing
#And set up the proper debugger and input monitor
if idainfo.filetype == idaapi.f_PE:
Print ("Windows PE file" )
os_type = "windows"
elif idainfo.filetype == idaapi.f_MACHO:
Print ("Mac OSX Macho file")
os_type = "macosx"
#debugger = "macosx"
#checkInput = InputMonitor.checkMacLibs
elif idainfo.filetype == idaapi.f_ELF:
Print ("Linux ELF file")
os_type = "linux"
#debugger = "linux"
#checkInput = InputMonitor.checkLinuxLibs
else:
Print ("Unknown binary, unable to debug")
return None
#Check the debugged executable if its 32 or 64bit
if idainfo.is_64bit():
Print("This binary is 64 bit")
os_arch = "64"
elif idainfo.is_32bit():
Print( "This binary is 32 bit" )
os_arch = "32"
else:
Print( "Bad binary. ARM processor?" )
os_arch = "ARM"
#Get the file type for the executable being debugger
fileType = idaapi.get_file_type_name()
#For ARM libraries returns 'ELF for ARM (Shared object)
Print( fileType )
return (app_name,os_type,os_arch)