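    def run(self):
        '''Public function.

        Entry point called by IDA: asks for a PDB file, builds a symbol
        Lookup for it at the database's image base and then renames the
        database's functions after the PDB symbols.
        '''

        self.symbol_path = idc.AskFile(0, '*.pdb', 'Choose PDB file...')
        # AskFile returns None when the dialog is cancelled; stop here rather
        # than handing a missing path to Lookup.
        if not self.symbol_path:
            print("IPL: No PDB file selected, exiting.")
            return
        self.image_base = idaapi.get_imagebase()

        # print(<single string>) behaves the same under Python 2 and 3.
        print("IPL: Loading PDB data, might take a while...")
        self.PDBLookup = Lookup([(self.symbol_path, self.image_base)])

        if not self.PDBLookup:
            print("IPL: PDBLookup failed to initialize, exiting.")
            return

        self._rename_functions()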
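class Plugin(object):
    '''IDA Pro Plugin

    Loads symbols from a user-chosen PDB and renames the database's
    functions after them.

    Attributes:
        symbol_path: path of the PDB chosen in run() ('' until then).
        image_base: image base of the loaded database (0 until run()).
        PDBLookup: Lookup built from (symbol_path, image_base), or None.
    '''
    def __init__(self):
        super(Plugin, self).__init__()
        self.symbol_path = ''
        self.image_base = 0
        self.PDBLookup = None

    def run(self):
        '''Public function.

        Entry point called by IDA: asks for a PDB file, builds a symbol
        Lookup for it at the database's image base and then renames the
        database's functions after the PDB symbols.
        '''

        self.symbol_path = idc.AskFile(0, '*.pdb', 'Choose PDB file...')
        # AskFile returns None when the dialog is cancelled; stop here rather
        # than handing a missing path to Lookup.
        if not self.symbol_path:
            print("IPL: No PDB file selected, exiting.")
            return
        self.image_base = idaapi.get_imagebase()

        # print(<single string>) behaves the same under Python 2 and 3.
        print("IPL: Loading PDB data, might take a while...")
        self.PDBLookup = Lookup([(self.symbol_path, self.image_base)])

        if not self.PDBLookup:
            print("IPL: PDBLookup failed to initialize, exiting.")
            return

        self._rename_functions()

    def _rename_functions(self):
        '''Rename functions.

        Walks every function in the database, resolves its mangled symbol
        through self.PDBLookup and applies it with MakeNameEx.  Prints a
        summary; `failed` counts functions without a symbol as well as
        functions whose rename was rejected by IDA.
        '''

        print("IPL: Started to rename functions...")

        failed = 0
        total = 0
        for function in idautils.Functions():
            total += 1
            pdb_mangled_name = self.PDBLookup.lookup(function, True)
            if not pdb_mangled_name:
                failed += 1
                print("IPL: Failed to find symbol for function: 0x{:08x}".format(
                    function))
                continue
            # The lookup result has the form 'module!symbol'.  partition()
            # keeps any further '!' inside the symbol, where a two-way
            # split() would raise ValueError and abort the whole pass.
            _, separator, mangled_function_name = pdb_mangled_name.partition('!')
            if not separator or not mangled_function_name:
                failed += 1
                print("IPL: Unexpected symbol format for function 0x{:08x}: {}".format(
                    function, pdb_mangled_name))
                continue
            # https://www.hex-rays.com/products/ida/support/idadoc/203.shtml
            # MakeNameEx returns 0 when the name is rejected (e.g. a clash),
            # so that case is counted instead of being silently dropped.
            if not idc.MakeNameEx(function, mangled_function_name,
                                  idc.SN_AUTO | idc.SN_NOCHECK):
                failed += 1
                print("IPL: Failed to rename function 0x{:08x} to {}".format(
                    function, mangled_function_name))
        print("IPL: Total {} functions, {} failed to rename.".format(
            total, failed))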
from subprocess import check_output
from sha3 import sha3_256


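def inject(pe, sym, name):
    """Register symbol *name* in ``pe.symbols`` from the PDB lookup *sym*.

    Args:
        pe: object whose ``symbols`` mapping (name -> address) is filled in.
        sym: Lookup-style object exposing ``addrs`` (iterable of
            ``(base, limit)`` pairs), ``names[base, limit]`` (sequence of
            symbol names in that range) and ``locs[base, limit]`` (the
            parallel sequence of addresses).
        name: symbol name to resolve.

    Returns:
        None.  ``pe.symbols[name]`` is taken from the first range that
        knows the name; an existing entry is left untouched.

    Raises:
        KeyError: if no range in *sym* contains *name*.  (The previous
            ``next()`` without a default leaked a bare StopIteration here,
            which is easy to mistake for an exhausted iterator.)
    """
    if name in pe.symbols:
        return
    for base, limit in sym.addrs:
        range_names = sym.names[base, limit]
        if name in range_names:
            pe.symbols[name] = sym.locs[base, limit][range_names.index(name)]
            return
    raise KeyError("symbol %r not found in PDB lookup" % (name,))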


# DEBUG selects this machine's system DLLs instead of the copies under
# dist/libs (presumably the versions matching the target host -- verify).
DEBUG = False

# Target binary and its PDB; base 0 is passed to Lookup as in the other
# examples (assumed to yield image-relative addresses -- confirm).
binary = PE(r'..\dist\winsanity.exe')
binary_sym = Lookup([(r'..\dist\winsanity.pdb', 0)])
inject(binary, binary_sym, 'main')

_ntdll_path, _kernel32_path = (
    (r'C:\Windows\System32\ntdll.dll', r'C:\Windows\System32\kernel32.dll')
    if DEBUG else
    (r'..\dist\libs\ntdll.dll', r'..\dist\libs\kernel32.dll')
)
ntdll = PE(_ntdll_path)
kernel32 = PE(_kernel32_path)

# downloadable from Microsoft Symbol Server given ntdll.dll
ntdll_sym = Lookup([(r'.\ntdll.pdb', 0)])
for _symbol in ('RtlpStaticDebugInfo', 'TlsExpansionBitMap'):
    inject(ntdll, ntdll_sym, _symbol)

while True:
import sys, os

from pdbparse.symlookup import Lookup

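if __name__ == "__main__":
    # Prefer an IPython shell when one is installed.  The embed module moved
    # from IPython.frontend.terminal.embed to IPython.terminal.embed in
    # IPython 1.0, so try the current path first and the legacy one second
    # before falling back to the stdlib REPL.
    try:
        try:
            from IPython.terminal.embed import InteractiveShellEmbed
        except ImportError:
            from IPython.frontend.terminal.embed import InteractiveShellEmbed
        ipy = True
    except ImportError:
        import code
        ipy = False

    # Arguments come in <pdb> <base> pairs; at least one pair is required.
    if len(sys.argv) < 3 or len(sys.argv[1:]) % 2 != 0:
        print("usage: %s <pdb> <base> [[<pdb> <base>] ...]" % sys.argv[0],
              file=sys.stderr)
        sys.exit(1)

    # int(x, 0) accepts plain decimal as well as 0x/0o/0b-prefixed bases; a
    # malformed base is a usage error, not a traceback.
    try:
        mods = [(pdb, int(base, 0))
                for pdb, base in zip(sys.argv[1::2], sys.argv[2::2])]
    except ValueError as err:
        print("error: invalid base address: %s" % err, file=sys.stderr)
        sys.exit(1)

    lobj = Lookup(mods)
    lookup = lobj.lookup

    banner = "Use lookup(addr) to resolve an address to its nearest symbol"
    if ipy:
        shell = InteractiveShellEmbed(banner2=banner)
        shell()
    else:
        code.interact(banner=banner, local=locals())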
import os


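def inject(pe, sym, name):
    """Register symbol *name* in ``pe.symbols`` from the PDB lookup *sym*.

    Args:
        pe: object whose ``symbols`` mapping (name -> address) is filled in.
        sym: Lookup-style object exposing ``addrs`` (iterable of
            ``(base, limit)`` pairs), ``names[base, limit]`` (sequence of
            symbol names in that range) and ``locs[base, limit]`` (the
            parallel sequence of addresses).
        name: symbol name to resolve.

    Returns:
        None.  ``pe.symbols[name]`` is taken from the first range that
        knows the name; an existing entry is left untouched.

    Raises:
        KeyError: if no range in *sym* contains *name*.  (The previous
            ``next()`` without a default leaked a bare StopIteration here,
            which is easy to mistake for an exhausted iterator.)
    """
    if name in pe.symbols:
        return
    for base, limit in sym.addrs:
        range_names = sym.names[base, limit]
        if name in range_names:
            pe.symbols[name] = sym.locs[base, limit][range_names.index(name)]
            return
    raise KeyError("symbol %r not found in PDB lookup" % (name,))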


# Switch between a locally started process and the remote service; read by
# launch() below.
DEBUG = False

# Ask Windows not to give processes started under a debugger the debug heap,
# so the heap layout matches a normal run.
os.environ["_NO_DEBUG_HEAP"] = "1"

# Parsed images; only ntdll gets symbols, taken from its PDB at base 0.
binary, ntdll, ucrtbase = (
    PE(path) for path in ('./binary.exe', './ntdll.dll', './ucrtbase.dll')
)
ntdll_sym = Lookup([(r'.\ntdll.pdb', 0)])
inject(ntdll, ntdll_sym, 'TlsExpansionBitMap')


def launch():
    '''Open the target as the module-global ``p``.

    With DEBUG set the binary is started locally; otherwise a connection to
    the remote service is opened and given a timeout of 5000.  Both paths
    use CRLF line endings.
    '''
    global p
    if DEBUG:
        target = Process('./binary.exe')
    else:
        target = Remote('125.129.121.42', 55555)
        target.timeout = 5000
    target.newline = '\r\n'
    p = target
import sys, os
from pdbparse.symlookup import Lookup
import pefile
import yaml
import json

if __name__ == "__main__":
    if len(sys.argv) < 4:
        print >> sys.stderr, "usage : %s <exe-file> <pdb-file> <yaml-file>" % sys.argv[
            0]
    PeFile = sys.argv[1]
    PdbFile = sys.argv[2]
    YamlFile = sys.argv[3]
    pe = pefile.PE(PeFile)
    BaseAddr = pe.OPTIONAL_HEADER.ImageBase
    lobj = Lookup([(PdbFile, BaseAddr)])
    lookup = lobj.lookup

    #####################################################3
    OriginalclassInfoYaml = yaml.load(open(YamlFile, "r"))
    classInfoYaml = sorted(OriginalclassInfoYaml,
                           key=lambda classinfo: classinfo['id'])
    finalClassInfo = []
    for classInfo in classInfoYaml:
        eachClass = {}
        eachClass["id"] = classInfo["id"]
        eachClass["instance"] = []
        for instance in classInfo["Instances "]:
            eachClass["instance"].append(lookup(instance))
        eachClass["constructors"] = []
        for constructor in classInfo["Constructors "]: