def find_binary_instruction_start(
search_start_location,
search_direction,
target,
min_location=idc.get_inf_attr(idc.INF_MIN_EA),
max_location=idc.get_inf_attr(idc.INF_MAX_EA)):
"""
Description:
Given a starting location, target, and direction, find an instruction starting with the target bytes.
Input:
search_start_location - The EA to start searching at
search_direction - either idc.SEARCH_UP or idc.SEARCH_DOWN
target - The target as space separated bytes (i.e. '55' for 'push ebp')
min_location - The minimum EA to accept results for (default: idc.get_inf_attr(idc.INF_MIN_EA))
max_location - The maximum EA to accept results for (default: idc.get_inf_attr(idc.INF_MAX_EA))
Output:
Returns the first matching location if found, otherwise idc.BADADDR
"""
target = target.upper()
while search_start_location < max_location:
ea = idc.find_binary(search_start_location, search_direction, target)
if (min_location <= ea < max_location
and ea == idc.get_item_head(ea) and idc.get_bytes(
ea,
idc.get_item_size(ea)).encode('hex').upper().startswith(
target.replace(' ', ''))):
return ea
else:
search_start_location = ea + (1 if search_direction
== idc.SEARCH_DOWN else -1)
return idc.BADADDR
def try_make_function(function_start,
function_end=idc.BADADDR,
target_location=None,
require_term=True,
end_mnem_bytes=None):
"""
Description:
Given a function location, attempt to create a function.
If function creation fails, delete any partially created functions.
If function creation succeeds, ensure all of the function's bytes are analyzed as code.
Input:
function_start - The start_ea of the function to create
function_end - The end_ea of the function to create. IDA will calculate if not provided.
target_location - If provided, fail function creation if it does not include this EA
require_term - If provided, fail function creation if the last instruction is not a ret or jmp
end_mnem_bytes - If provided, fail function creation if the last instruction is not the provided bytes
Instructions are entered as space separated bytes (i.e. '55' for 'push ebp')
Output:
Returns a tuple (function_start, function_end) for the created function if successful, None otherwise
"""
if function_start <= function_end:
if idc.add_func(function_start, function_end):
logger.debug('Created a function 0x%X - 0x%X.' %
(function_start, function_end))
if require_term:
last_mnem_ea = idc.get_item_head(
idaapi.get_func(function_start).end_ea - 1)
last_mnem = idc.print_insn_mnem(last_mnem_ea)
if (end_mnem_bytes is None and 'ret' not in last_mnem and 'jmp' not in last_mnem) or \
(end_mnem_bytes and idc.get_bytes(last_mnem_ea, idc.get_item_size(last_mnem_ea)).encode('hex').upper() != end_mnem_bytes.upper()):
idc.del_func(function_start)
logger.debug(
'Deleted function at 0x%X - the function didn\'t end with the correct mnem/bytes.'
% function_start)
return
if target_location is not None:
if function_start <= target_location < idaapi.get_func(
function_start).end_ea:
idc.plan_and_wait(function_start,
idaapi.get_func(function_start).end_ea)
return function_start, function_end
else:
idc.del_func(function_start)
logger.debug(
'Deleted function at 0x%X - the function didn\'t contain the target location.'
% function_start)
return
else:
logger.debug(
'Tried to create a function 0x%X - 0x%X, but IDA wouldn\'t do it.'
% (function_start, function_end))
else:
logger.debug('The end address was not greater than the start address!')
def _yara_callback(data):
"""
Description:
Generic yara callback.
Input:
As defined by YARA. See YARA's documentation for more info.
Output:
A list of tuples: (offset, identifier) where offsets are always item heads
"""
if not data['matches']:
return False
for datum in data['strings']:
if FROM_FILE:
_YARA_MATCHES.append(
(idc.get_item_head(idaapi.get_fileregion_ea(datum[0])),
datum[1]))
else:
_YARA_MATCHES.append(
(idc.get_item_head(datum[0] + SECTION_START), datum[1]))
return yara.CALLBACK_CONTINUE
def is_block_or_instruction_head(ea): """Returns `True` if `ea` looks like it's the beginning of an actual instruction.""" return is_internal_code(ea) and idc.get_item_head(ea) == ea
def caller(self):
return get_item_head(DbgDword(GetRegValue('ESP')) - 1)
