Ejemplo n.º 1
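def _process_possible_stub(stub, make_thunk, next_stub):
    """Try to process a stub function.

    The stub is checked against the known stub formats, converted to an IDA
    function if needed, given the right function flags, and then symbolicated.

    Args:
        stub: Address of the candidate stub.
        make_thunk: If true, the stub is additionally flagged as a thunk
            (idc.FUNC_THUNK).
        next_stub: Passed through unchanged to _symbolicate_stub().

    Returns:
        True if every required step succeeded, False otherwise. Failing to
        turn the stub's target into a function is logged but is not fatal.
    """
    # First, make sure this is a stub format we recognize.
    target = stub_target(stub)
    if not target:
        _log(0, 'Unrecognized stub format at {:#x}', stub)
        return False
    # Next, check if IDA sees this as a function chunk rather than a function, and correct it if
    # reasonable.
    if not idau.force_function(stub):
        _log(1, 'Could not convert stub to function at {:#x}', stub)
        return False
    # Next, set the appropriate flags on the stub. Make the stub a thunk if that was requested.
    flags = idc.GetFunctionFlags(stub)
    if flags == -1:
        _log(1, 'Could not get function flags for stub at {:#x}', stub)
        return False
    # A stub that jumps to a non-returning target does not return either.
    target_flags = idc.GetFunctionFlags(target)
    if target_flags != -1 and target_flags & idc.FUNC_NORET:
        flags |= idc.FUNC_NORET
    if make_thunk:
        flags |= idc.FUNC_THUNK
    # FUNC_THUNK used to be OR-ed in again at this call, which marked every stub as a thunk
    # and made the make_thunk argument meaningless. Only the flags computed above are written.
    if idc.SetFunctionFlags(stub, flags) == 0:
        _log(1, 'Could not set function flags for stub at {:#x}', stub)
        return False
    # Next, ensure that IDA sees the target as a function, but continue anyway if that fails.
    if not idau.force_function(target):
        _log(1, 'Stub {:#x} has target {:#x} that is not a function', stub,
             target)
    # Finally symbolicate the stub.
    if not _symbolicate_stub(stub, target, next_stub):
        return False
    return True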
Ejemplo n.º 2
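def jtool2_information():
    """Apply symbols from a jtool2-style symbol file to the IDA database.

    Reads the file named by the module-level ``kernelcache_path``. Each line
    is expected to look like ``<address>|<symbol>``. Symbols that fall in
    ``__TEXT_EXEC:__text`` and contain no "." are applied to functions that
    still carry an auto-generated ``sub_`` name; other symbols are applied
    only when their segment name contains ``__DATA``.

    The file is produced outside IDA, so it is parsed defensively: blank and
    malformed lines are reported and skipped instead of aborting the import
    halfway through with the database partly renamed.
    """
    print("[-] Other method information construction")
    # The context manager closes the handle even if reading raises.
    with open(kernelcache_path) as fd:
        data = fd.readlines()

    for lineno, line in enumerate(data, 1):
        # strip() alone removes the newline. Slicing off the last character
        # first would eat a real character on a final line with no newline.
        t = line.strip()
        if not t:
            continue

        fields = t.split("|")
        if len(fields) < 2:
            print("[jtool2] Skipping malformed line {}".format(lineno))
            continue
        try:
            addr = int(fields[0], 0)
        except ValueError:
            print("[jtool2] Skipping line {} with invalid address".format(
                lineno))
            continue
        sym = fields[1]
        if not sym:
            # An empty name would make set_name() delete the existing name.
            print("[jtool2] Skipping line {} with empty symbol".format(lineno))
            continue

        segName = idc.get_segm_name(addr)
        if segName != "__TEXT_EXEC:__text" or "." in sym:
            if "__DATA" in segName:
                idaapi.set_name(addr, sym, idaapi.SN_FORCE)
            continue

        if not idau.is_function_start(addr):
            print("[jtool2] Current '{}'' - [{}] is not defined as function".
                  format(sym, hex(addr)))
            if not idau.force_function(addr):
                print("[jtool2] Can't convert '{}' - [{}] to function".format(
                    sym, hex(addr)))
                continue

        # Only replace auto-generated names so existing names are kept.
        curSym = idc.get_func_name(addr)
        if "sub_" in curSym:
            idaapi.set_name(addr, sym, idaapi.SN_FORCE)

    print("[-] Done")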
Ejemplo n.º 3
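def iometa_information():
    """Apply iometa vtable output to the IDA database.

    Reads the file named by the module-level ``iometa_path``. A line that
    contains both "vtab" and "meta" is treated as a class header, and its
    sixth space-separated field becomes the current class name. Every other
    line is treated as a method entry: the second field carries the address
    after a five-character prefix, and the fifth field carries the method
    name up to the first "(".

    For each method the address is converted to a function if needed, an
    auto-generated ``sub_`` name is replaced by the method name, and methods
    whose name contains ``externalMethod`` get a fixed prototype applied.

    The file is produced outside IDA, so blank and malformed lines are
    reported and skipped instead of aborting the import halfway through.
    """
    print("[-] UserClient Method construction")
    # The context manager closes the handle even if reading raises.
    with open(iometa_path) as fd:
        data = fd.readlines()

    # Class that the method lines currently being read belong to.
    className = ""

    for lineno, line in enumerate(data, 1):
        # strip() alone removes the newline. Slicing off the last character
        # first would eat a real character on a final line with no newline.
        t = line.strip()
        if not t:
            continue
        parts = t.split(" ")

        if "vtab" in t and "meta" in t:
            if len(parts) > 5:
                className = parts[5]
            else:
                print("[iometa] Skipping malformed class line {}".format(
                    lineno))
            continue

        if len(parts) < 5:
            print("[iometa] Skipping malformed line {}".format(lineno))
            continue
        try:
            addr = int(parts[1][5:], 0)
        except ValueError:
            print("[iometa] Skipping line {} with invalid address".format(
                lineno))
            continue
        name = parts[4].split("(")[0]

        if not idau.is_function_start(addr):
            print("[iometa] Current '{}'' - [{}] is not defined as function".
                  format(name, hex(addr)))
            if not idau.force_function(addr):
                print("[iometa] Can't convert '{}' - [{}] to function".format(
                    name, hex(addr)))

        # Read the current name only after the conversion attempt. Reading it
        # earlier gave an empty name for a function that had just been
        # created, so that function was never renamed.
        sym = idc.get_func_name(addr)
        # An empty name would make set_name() delete the existing name.
        if name and "sub_" in sym:
            idaapi.set_name(addr, name, idaapi.SN_FORCE)

        if "externalMethod" in name:
            sid = ida_struct.get_struc_id(className)

            # BADADDR is the "no such structure" result. The named constant
            # replaces a hard-coded 64-bit literal.
            if sid == idaapi.BADADDR and className != "IOUserClient":
                print("[iometa] can't resolve class {}, create one".format(
                    className))
                construct_class(className)

            # Serialized IDA type and field-name strings for the
            # externalMethod prototype. These are opaque blobs and must stay
            # byte-identical.
            tu = (
                '\x0c0=\tIOReturn\x07\xffA\n=\rIOUserClient=\tuint32_t\n=\x1aIOExternalMethodArguments\n=\x19IOExternalMethodDispatch\n=\tOSObject\n\x01',
                '\x05this\tselector\narguments\tdispatch\x07target\nreference')
            if not idc.apply_type(addr, tu):
                print(
                    "[iometa] externalMethod type propagation failure '{}' - [{}]"
                    .format(name, hex(addr)))

    print("[-] Done")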
Ejemplo n.º 4
def _convert_vtable_methods_to_functions(vtable, length):
    """Make sure every virtual method listed in the vtable is an IDA function.

    Each address yielded by vtable_methods() for the given vtable and length
    is passed to idau.force_function(). A failure is logged and the loop
    moves on to the next method.
    """
    for method_ea in vtable_methods(vtable, length=length):
        converted = idau.force_function(method_ea)
        if not converted:
            _log(0, 'Could not convert virtual method {:#x} into a function', method_ea)