Beispiel #1
0
def LoadSavedAssemblers(seg_ea=None):
    assemblers = {}

    opty_dir = idc.GetIdbPath()
    opty_dir = opty_dir[:opty_dir.rfind(
        os.sep)] + os.sep + "optimice_%s" % idc.GetInputFile() + os.sep
    if not os.path.isdir(opty_dir):
        return None

    if seg_ea == None:
        for fname in os.listdir(opty_dir):
            if re.match(r"Assembler_[0-9ABCDEF]+\.pickle.zlib", fname) != None:
                seg_ea = re.match(r"Assembler_([0-9ABCDEF]+)\.pickle.zlib",
                                  fname).group(1)
                fp = open(opty_dir + fname, "rb")
                asm = pickle.loads(zlib.decompress(fp.read()))
                fp.close()

                assemblers[seg_ea] = asm

    else:
        fname = "Assembler_%08x.pickle.zlib" % (seg_ea)

        try:
            fp = open(opty_dir + fname, "r")
            asm = pickle.loads(zlib.decompress(fp.read()))
            assemblers[seg_ea] = asm
            fp.close()

        except:
            return None

    return assemblers
Beispiel #2
0
    def export(self):
        image_name = idc.GetInputFile()
        self.image_base = idaapi.get_imagebase()

        self.filename = "%s.db" % (image_name)

        datadir = os.path.join(RECOVERER_PATH, "data")
        if not os.path.exists(datadir):
            os.mkdir(datadir)

        self.filename = os.path.join(datadir, self.filename)

        if os.path.exists(self.filename):
            info("File %s exists, overwriting." % (self.filename))
        else:
            info("Creating database at %s." % (self.filename))

        self.fd = open(self.filename, "w")

        self.fd.write("IMAGE_BASE;0x%x\n" % (self.image_base))
        self.fd.write("IMAGE_NAME;%s\n" % (image_name))
        self.__export_functions__()
        self.__export_imports__()

        self.fd.close()
Beispiel #3
0
def analysis():
    all_funcs = idautils.Functions()
    overall_addr = dict()

    for f in all_funcs:
        f = idaapi.FlowChart(idaapi.get_func(f), flags=idaapi.FC_PREDS)
        for block in f:
            if block.startEA > idc.PrevHead(block.endEA):
                continue
            key = ''
            # overall_addr.append(hex(block.startEA))
            key += hex(block.startEA)

            key += ','
            key += hex(idc.PrevHead(block.endEA))
            sus_addr = list()
            successor = block.succs()
            for addr in successor:
                sus_addr.append(hex(addr.startEA))

            overall_addr[key] = sus_addr

    filename = idc.GetInputFile() + "_cfg"
    with open(filename, 'w') as f:
        json.dump(overall_addr, f)
Beispiel #4
0
    def OnEditLine(self, n):
        #this is "Delete Segment"
        ans = idaapi.askyn_c(
            1,
            "HIDECANCEL\nAre you sure you want to delete segment and all optimized data from disk?"
        )

        if ans == 1:
            opty_dir = idc.GetIdbPath()
            opty_dir = opty_dir[:opty_dir.rfind(
                os.sep)] + os.sep + "optimice_%s" % idc.GetInputFile()

            print opty_dir
            if not os.path.isdir(opty_dir):
                print ">GUI_FunctionManager:OnEditLine - Error [%s] not a directory!" % opty_dir
                return 0

            shutil.rmtree(opty_dir)
            print ">GUI_FunctionManager: Optimice directory deleted: [%s]" % opty_dir

            idc.SegDelete(int(self.items[n][0], 16), 0)
            print ">GUI_FunctionManager: Optimice segment deleted: [%s]" % self.items[
                n][0]

        self.populate_items()
        return 0
Beispiel #5
0
    def inputFile(self):
        """Return the (full) path of the input file that was used to create the database.

        Return Value:
            Path to the input file
        """
        return idc.GetInputFile()
Beispiel #6
0
    def __init__(self, *args, **kwargs):
        dict.__init__(self, *args, **kwargs)
        store = idaapi.netnode(Config().idb_store, 0, True)
        maze = store.getblob(0, 'N')
        if maze is None:
            maze_file = idc.AskFile(0, '*.json', 'Select the Maze...')
            if maze_file:
                with open(maze_file, 'r') as fd:
                    ma_id = int(idc.GetInputFile().split('_')[1], 10)
                    blob = fd.read()
                    maze = json.loads(blob)
                    for i in range(len(maze["mem_areas"])):
                        if maze["mem_areas"][i]["id"] == ma_id:
                            del maze["mem_areas"][0:i]
                            del maze["mem_areas"][1:]
                            break
                    self.update(maze)

                    CallAsPushAnalysis.Analyze(self)
                    self.__mark_bbls()
                    self.__mark_calls()

                    blob = json.dumps(maze)
                    store.setblob(blob, 0, "N")
        else:
            self.update(json.loads(maze))

        self.__create_luts()
Beispiel #7
0
    def OnCreate(self, form):
        """
        Called when the plugin form is created
        """

        # Initalize Data
        exename = idc.GetInputFile()
        path = os.path.dirname(idc.GetInputFilePath())

        filename = os.path.join(path, exename)

        if False:
            self.infoparser = InfoParser(infoname)
            self.infoparser.load()

        self.flamegraph = FlameGraphReader(filename)
        self.flamegraph.parse()

        if False:
            self.infoparser.flow()

        self.canvas = None

        # Get parent widget
        self.parent = self.FormToPyQtWidget(form)
        self.PopulateForm()

        drawing = Drawing(self.flamegraph)

        for idx in xrange(0, len(self.flamegraph.roots)):
            root = self.flamegraph.roots[idx]
            self._combobox.addItem("%d: %x" % (idx, root['size']), idx)
            if drawing.activeIndex is None: drawing.activeIndex = idx

        self.canvas.setDrawing(drawing)
Beispiel #8
0
def save_results(lists_of_instr, list_of_func_names):
    ''' The function saves results in a file
    @list_of_instr - a list of instructions to save_results
    @list_of_func_name - a list of functions names to save

    '''
    one_file = "sysdlls_instr_to_instrument.txt"
    analyzed_file = idc.GetInputFile()
    analyzed_file = analyzed_file.replace(".", "_")
    current_time = strftime("%Y-%m-%d_%H-%M-%S")
    file_name = WINHE_RESULTS_DIR + "\\" + one_file
    file_log = WINHE_RESULTS_DIR + "\\" + analyzed_file + "_" + current_time + ".txt"

    file = open(file_name, 'a')
    log = open(file_log, 'w')
    analyzed_file = analyzed_file.lower()
    list_of_instr = get_unique(lists_of_instr)
    for instr in list_of_instr:
        file.write(idaapi.get_input_file_path().lower() + "!" + str(instr) +
                   "\n")
    log.write(str(len(list_of_func_names)) + "\n")
    for name in list_of_func_names:
        log.write(name + "\n")

    file.close()
    log.close()
Beispiel #9
0
    def __init__(self, **kwargs):
        super(AddFileDialog, self).__init__(title="Add File", **kwargs)

        name = idc.GetInputFile()
        md5hash = idc.GetInputMD5()

        layout = QtWidgets.QGridLayout()

        layout.addWidget(QtWidgets.QLabel("Project:"), 0, 0)
        layout.addWidget(QtWidgets.QLabel("File name:"), 1, 0)
        layout.addWidget(QtWidgets.QLabel("Description:"), 2, 0)
        layout.addWidget(QtWidgets.QLabel("MD5 hash:"), 3, 0)

        self.project_cbb = widgets.QItemSelect('projects')
        layout.addWidget(self.project_cbb, 0, 1)

        self.name_txt = QtWidgets.QLineEdit()
        self.name_txt.setText(name)
        layout.addWidget(self.name_txt, 1, 1)

        self.description_txt = QtWidgets.QTextEdit()
        layout.addWidget(self.description_txt, 2, 1)

        layout.addWidget(QtWidgets.QLabel(md5hash), 3, 1)
        self.base_layout.addLayout(layout)

        self.shareidbCkb = QtWidgets.QCheckBox("Share IDB (let others without "
                                               "the idb to participate)")
        self.base_layout.addWidget(self.shareidbCkb)

        self.bottom_layout(ok_text="&Add")
Beispiel #10
0
def main():
    disas_path = idc.AskFile(1, '*.disas', 'Save basic blocks')
    do_exit = False

    if not disas_path:
        basename = idc.GetInputFile()
        disas_path = '%s.disas' % basename
        idc.GenerateFile(idc.OFILE_ASM, '%s.asm' % basename, 0, idc.BADADDR, 0)
        idc.GenerateFile(idc.OFILE_LST, '%s.lst' % basename, 0, idc.BADADDR, 0)
        do_exit = True

    # Get basic blocks
    bbs = _get_basic_blocks()

    # Get the module's base address
    base_addr = idaapi.get_imagebase()

    # Get the module's end address
    segs = sorted(idautils.Segments())
    end_addr = idc.SegEnd(segs[-1])

    disas_info = {
        'bbs': bbs,
        'base_addr': base_addr,
        'end_addr': end_addr,
    }

    with open(disas_path, 'w') as disas_file:
        json.dump(disas_info, disas_file)

    if do_exit:
        idc.Exit(0)
Beispiel #11
0
 def activate(self, ctx):
     if ctypes.windll.shell32.IsUserAnAdmin() == 0:
         print "Admin privileges required"
         return
     name = idc.GetInputFile().split('.')[0]
     driver = driverlib.Driver(idc.GetInputFilePath(), name)
     loaded = driver.load()
     started = driver.start()
Beispiel #12
0
 def exportLib(self, **kwargs):
     file = os.path.splitext(idc.GetInputFile())[0]
     path = os.path.split(idc.GetIdbPath())[0]
     idapath = idc.GetIdaDirectory()
     tilname = os.path.join(path, file + ".til")
     outfile = os.path.join(idapath, 'til', 'pc', file + ".til")
     shutil.copy(tilname, outfile)
     os.system(os.path.join(idapath, "tilib64.exe") + " -#- " + outfile)
Beispiel #13
0
def CopyEA():
    myModuleName = idc.GetInputFile()
    MyModuleShortName = re.sub(r'\.[^.]*$', '', myModuleName)
    myModuleBase = idaapi.get_imagebase()
    myOffset = idc.ScreenEA() - myModuleBase
    pasteStr = "bp !%s + 0x%x" % (MyModuleShortName, myOffset)
    print pasteStr
    Paste(pasteStr)
Beispiel #14
0
def search():
    """
    Attempts to find potential device names in the currently opened binary, it starts by searching for Unicode device names,
    if this fails then it utilises FLOSS to search for stack based and obfuscated strings.
    """

    if not find_unicode_device_name():
        print(
            "Unicode device name not found, attempting to find obfuscated and stack based strings."
        )
        try:
            import floss
            import floss.identification_manager
            import floss.main
            import floss.stackstrings
            import viv_utils
        except ImportError:
            print(
                "Please install FLOSS to continue, see: https://github.com/fireeye/flare-floss/"
            )
            return
        logging.basicConfig(
        )  #To avoid logger handler not found errors, from https://github.com/fireeye/flare-floss/blob/66f67a49a38ae028a5e86f1de743c384d5271901/scripts/idaplugin.py#L154
        logging.getLogger('vtrace.platforms.win32').setLevel(logging.ERROR)
        sample_file_path = idc.GetInputFile()

        try:
            vw = viv_utils.getWorkspace(sample_file_path, should_save=False)
        except Exception as e:
            print("Vivisect failed to load the input file: {0}".format(
                e.message))
            return

        functions = set(vw.getFunctions())
        plugins = floss.main.get_all_plugins()
        device_names = set()

        stack_strings = floss.stackstrings.extract_stackstrings(vw,
                                                                functions,
                                                                4,
                                                                no_filter=True)
        for i in stack_strings:
            device_names.add(i)
        dec_func_candidates = floss.identification_manager.identify_decoding_functions(
            vw, plugins, functions)
        decoded_strings = floss.main.decode_strings(vw,
                                                    dec_func_candidates,
                                                    4,
                                                    no_filter=True)
        if len(decoded_strings) > 0:
            for i in decoded_strings:
                device_names.add(str(i.s))
            print("Potential device names from obfuscated or stack strings:")
            for i in device_names:
                print(i)
        else:
            print("No obfuscated or stack strings found :(")
Beispiel #15
0
def CopyEA():
  myModuleName = idc.GetInputFile()
  MyModuleShortName = re.sub(r'\.[^.]*$','',myModuleName)
  myModuleBase = idaapi.get_imagebase()
  myOffset = idc.ScreenEA() - myModuleBase
  clippy = QtGui.QClipboard()
  pasteStr = "bp !%s + 0x%x" % (MyModuleShortName, myOffset)
  print pasteStr
  clippy.setText(pasteStr)
Beispiel #16
0
 def rizzo_produce(self, arg):
     fname = idc.AskFile(1,
                         idc.GetInputFile() + ".riz",
                         "Save signature file as")
     if fname:
         if '.' not in fname:
             fname += ".riz"
         RizzoBuild(fname)
     return None
Beispiel #17
0
def backup_database():
    """ Backup the database to a file similar to IDA's snapshot function. """
    time_string = strftime('%Y%m%d%H%M%S')
    file = idc.GetInputFile()
    if not file:
        raise NoInputFileException('No input file provided')
    input_file = rsplit(file, '.', 1)[0]
    backup_file = '%s_%s.idb' % (input_file, time_string)
    g_logger.info('Backing up database to file ' + backup_file)
    idc.SaveBase(backup_file, idaapi.DBFL_BAK)
def main():
    info("Showing number of tainted hit per image.")

    # filename = idaapi.askfile_c(0, "pintool.log", "Trace file to load.")
    filename = """/Users/anon/workspace/instrumentation/CodeCoverage/trace.log"""
    if filename is None:
        info("Aborting ...")
        return

    # Get loaded binary name
    image_name = idc.GetInputFile().lower()
    info("IDB binary name '%s'" % image_name)
        
    # Get the image base
    image_base = idaapi.get_imagebase()
    info("IDB binary base 0x%.16x" % image_base)

    # Load the trace file.
    trace = TraceReader(filename)
    trace.parse(match_events="HL")

    # The IDB matches one and only one loaded image. Find it.
    traced_image = None
    for image in trace.getLoadedImages():
        if image_name.lower() in os.path.basename(image.name).lower():
            traced_image = image
            break

    if not traced_image:
        info("Error, could not find the traced image '%s' in the list of loaded images." % image_name)
        return set()

    # Collect all the hits that belong to the ida database.
    hits = set(filter(lambda x: traced_image.contains(x.address), trace.getBasicBlockHits()))
    hits = set(map(lambda x: image_base + traced_image.get_offset(x.address), hits))

    reached_functions = set()
    for hit in hits:
        f = idaapi.get_func(hit)
        if f:
            if f.startEA in reached_functions:
                continue
            
            info("Reached -> %s" % (GetFunctionName(f.startEA)))
            reached_functions.add(f.startEA)

    if idaapi.askyn_c(1, "Do you want to mark all the FUNCTIONS reached?") == 1:
        FUNCTION_COLOR = rgb_to_bgr(0xBCF5D1)
        for function in reached_functions:
            SetFunctionColor(function, FUNCTION_COLOR)
        
    if idaapi.askyn_c(0, "Do you want to mark all the BASIC BLOCKS reached?") == 1:
        BBLOCK_COLOR = rgb_to_bgr(0xf2ddda)
        for hit in hits:
            SetBasicBlockColor(hit, BBLOCK_COLOR)
Beispiel #19
0
def main():
    info("Showing number of tainted hit per image.")

    # filename = idaapi.askfile_c(0, "pintool.log", "Trace file to load.")
    filename = """/Users/anon/workspace/instrumentation/Pinnacle/taint.log"""
    if filename is None:
        info("Aborting ...")
        return

    # Get loaded binary name
    image_name = idc.GetInputFile().lower()
    info("IDB binary name '%s'" % image_name)

    # Get the image base
    image_base = idaapi.get_imagebase()
    info("IDB binary base 0x%.16x" % image_base)

    # Load the trace file.
    trace = TraceReader(filename)
    trace.parse(match_events="TL")

    # The IDB matches one and only one loaded image. Find it.
    traced_image = None
    for image in trace.getLoadedImages():
        if image_name.lower() in os.path.basename(image.name).lower():
            traced_image = image
            break

    if not traced_image:
        info(
            "Error, could not find the traced image '%s' in the list of loaded images."
            % image_name)
        return set()

    # Collect all the hits that belong to the ida database.
    hits = set(
        filter(lambda x: traced_image.contains(x.address),
               trace.getTaintedInstructions()))
    hits = set(
        map(lambda x: image_base + traced_image.get_offset(x.address), hits))

    for hit in hits:
        SetInstructionColor(hit, TAINTED_COLOR)

    reached_functions = set()
    for hit in filter(lambda x: traced_image.contains(x.address),
                      trace.getTaintedInstructions()):
        f = idaapi.get_func(hit.address)
        if f:
            if f.startEA in reached_functions:
                continue

            info("Reached -> 0x%.16x : %s " %
                 (f.startEA, GetFunctionName(f.startEA)))
            reached_functions.add(f.startEA)
Beispiel #20
0
def copy_to_clipboard(addr):
    name = os.path.splitext(idc.GetInputFile())[0]
    f = "{:s}+{:x}".format(name, addr)
    r = Tkinter.Tk()
    r.withdraw()
    r.clipboard_clear()
    r.clipboard_append("{:s}".format(f))
    r.update()
    r.destroy()
    print("[+] Copied {:s}".format(f))
    return
Beispiel #21
0
    def init(self):
        self.hook = None
        if not ".mp.dll" in idc.GetInputFile(
        ) or idaapi.ph_get_id() != idaapi.PLFM_386:
            return idaapi.PLUGIN_SKIP

        print "\n\n-->MsMpEng apicall x86 Parser Invoked!\n\n"

        self.hook = parse_apicall_hook()
        self.hook.hook()
        return idaapi.PLUGIN_KEEP
def get_define(ioctl_code):
    """Decodes an ioctl code and returns a C define for it using the CTL_CODE macro"""

    function = get_function(ioctl_code)
    device_name, device_code = get_device(ioctl_code)
    method_name, method_code = get_method(ioctl_code)
    access_name, access_code = get_access(ioctl_code)

    name = "%s_0x%08X" % (idc.GetInputFile().split('.')[0], ioctl_code)
    return "#define %s CTL_CODE(0x%X, 0x%X, %s, %s)" % (
        name, device_code, function, method_name, access_name)
Beispiel #23
0
def get_unicode_device_names():
    path = idc.GetInputFile()
    min_length = 4
    possible_names = set()
    with open(path, "rb") as f:
        b = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)

        for s in extract_unicode_strings(b, n=min_length):
            if str(s.s).startswith('\\Device\\'):
                possible_names.add(str(s.s))
    return possible_names
Beispiel #24
0
    def export(self, filename='', type='LIST'):
        if filename == '':
            filename = idc.GetInputFile() + ".lst"

        tmp_filename = 'tmp.lst'
        idc.GenerateFile(idc.OFILE_LST, tmp_filename, 0, idc.BADADDR, 0)

        rfd = open(tmp_filename, 'r')
        fd = open(filename, 'a')
        fd.write(rfd.read())
        rfd.close()
        fd.close()
Beispiel #25
0
    def __init__(self, real_dir):
        super(Plugin, self).__init__()
        self.tools = include.helper.Tools(self)
        self.config_main = ConfigParser.ConfigParser()
        self.config_theme = ConfigParser.ConfigParser()

        self._bin_md5 = idc.GetInputMD5()
        self._bin_name = re.sub(r'\.[^.]*$', '', idc.GetInputFile())

        self._read_config(real_dir)
        self.gui = None
        self.parser = None
Beispiel #26
0
 def init_sample_id(self):
     """
         test if the remote sample exists,
         if not, we upload it
     """
     if self.sample_id is None:
         self.sample_id = self.get_sample_id()
         if not self.sample_id:
             g_logger.warning("Sample not found on server, uploading it")
             self.send_sample(open(idc.GetInputFile(), 'rb'))
             self.sample_id = self.get_sample_id()
             g_logger.info("Sample ID: %d", self.sample_id)
Beispiel #27
0
def save_instrumented(list_of_addr, is_silent):
    dll_name = idc.GetInputFile()
    dll_name = dll_name[:dll_name.find(".")]
    dll_name = dll_name + "!"
    print dll_name
    if is_silent == SILENT:
        current_time = strftime("%Y-%m-%d_%H-%M-%S")
        analyzed_file = idc.GetInputFile()
        analyzed_file = analyzed_file.replace(".", "_")
        file_name = analyzed_file + "_" + current_time + ".txt"
    else:
        file_name = AskFile(1, "dllcode.in",
                            "Please specify a file to save results.")
        if file_name == -1:
            return 0

    file = open(file_name, 'w')
    for sublist in list_of_addr:
        for addr in sublist:
            #print addr
            file.write(dll_name + addr + "\n")
    file.close()
Beispiel #28
0
 def SaveState(self):
     opty_dir = idc.GetIdbPath()
     opty_dir = opty_dir[:opty_dir.rfind(os.sep)] + os.sep + "optimice_%s" % idc.GetInputFile()
     if not os.path.isdir(opty_dir):
         os.mkdir(opty_dir)
     save_fname = "%s%sAssembler_%08x.pickle.zlib" % (opty_dir, os.sep, self.segment_start)
     
     fw = open(save_fname, "wb+")
     s1 = pickle.dumps(self)
     fw.write(zlib.compress(s1))
     fw.close()
     
     print ">Assembler:SaveState - File [%s] saved" % (save_fname)
Beispiel #29
0
def get_unicode_device_names():
    """Returns all Unicode strings within the binary currently being analysed in IDA which might be device names"""

    path = idc.GetInputFile()
    min_length = 4
    possible_names = set()
    with open(path, "rb") as f:
        b = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)

        for s in extract_unicode_strings(b, n=min_length):
            s_str = str(s.s)
            if s_str.startswith('\\Device\\') or s_str.startswith('\\DosDevices\\'):
                possible_names.add(str(s.s))
    return possible_names
Beispiel #30
0
    def getProcessInfo(self):

        #Get basic information from the file being Debugged
        idainfo = idaapi.get_inf_structure()

        #Get the name of the input file we want to trace
        app_name = idc.GetInputFile()

        Print ("The input file is %s" % app_name )

        #Check to see what type of file we're tracing
        #And set up the proper debugger and input monitor
        if idainfo.filetype == idaapi.f_PE:
            Print ("Windows PE file" )
            os_type = "windows"
        
        elif idainfo.filetype == idaapi.f_MACHO:
            Print ("Mac OSX Macho file")
            os_type = "macosx"
            #debugger = "macosx"
            #checkInput = InputMonitor.checkMacLibs
        
        elif idainfo.filetype == idaapi.f_ELF:
            Print ("Linux ELF file")
            os_type = "linux"
            #debugger = "linux"
            #checkInput = InputMonitor.checkLinuxLibs
        
        else:
            Print ("Unknown binary, unable to debug")
            return None
            
        #Check the debugged executable if its 32 or 64bit
        if idainfo.is_64bit():
            Print("This binary is 64 bit")
            os_arch = "64"
        elif idainfo.is_32bit():
            Print( "This binary is 32 bit" )
            os_arch = "32"
        else:
            Print( "Bad binary. ARM processor?" )
            os_arch = "ARM"
            
        #Get the file type for the executable being debugger
        fileType = idaapi.get_file_type_name()
        #For ARM libraries returns 'ELF for ARM (Shared object)
        Print( fileType )
        
        return (app_name,os_type,os_arch)