def _collect_data(self, collect_args):
    """Append every IDA-typed string referenced by ``collect_args["func_item"]``.

    Walks the data references of the item, keeps the ones whose address is in
    ``self._string_addresses`` and that IDA reports as a string, and appends
    whatever ``idc.GetString`` returns for them to ``self._list_of_strings``.
    """
    item_ea = collect_args["func_item"]
    for ref_ea in list(idautils.DataRefsFrom(item_ea)):
        if ref_ea not in self._string_addresses:
            continue
        str_type = idc.GetStringType(ref_ea)
        # GetStringType gives None when IDA has not typed the item as a string.
        if str_type is None:
            continue
        self._list_of_strings.append(idc.GetString(ref_ea, -1, str_type))
def _collect_data(self, collect_args):
    """Count occurrences of every IDA-typed string referenced by ``collect_args["func_item"]``.

    Walks the data references of the item, keeps the ones whose address is in
    ``self._string_addresses`` and that IDA reports as a string, and bumps the
    per-string counter in ``self._string_counters``.
    """
    item_ea = collect_args["func_item"]
    for ref_ea in list(idautils.DataRefsFrom(item_ea)):
        if ref_ea not in self._string_addresses:
            continue
        str_type = idc.GetStringType(ref_ea)
        # GetStringType gives None when IDA has not typed the item as a string.
        if str_type is None:
            continue
        text = idc.GetString(ref_ea, -1, str_type)
        counters = self._string_counters
        counters[text] = counters.get(text, 0) + 1
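def CompileTextFromRange(start, end, sep):
    """Concatenate the C and UTF-16 strings referenced by every function in [start, end].

    Args:
        start: address of the first function to scan.
        end: inclusive upper bound; the walk stops once idc.NextFunction passes it.
        sep: separator token written before each string.

    Returns:
        One string built from " <sep> <string>" fragments in discovery order
        ("" when no string is referenced).
    """
    parts = []
    func_ea = start
    while func_ea <= end:
        for item_ea in idautils.FuncItems(func_ea):
            for ref in idautils.DataRefsFrom(item_ea):
                str_type = idc.GetStringType(ref)
                if str_type == 0:
                    # C string.
                    text = idc.GetString(ref)
                elif str_type == 3:
                    # Type 3 is decoded with idc.ASCSTR_UNICODE (UTF-16).
                    text = idc.GetString(ref, -1, idc.ASCSTR_UNICODE)
                else:
                    text = None
                # GetString yields None/"" when nothing decodable is there.
                if text:
                    parts.append(" " + sep + " " + text)
        func_ea = idc.NextFunction(func_ea)
    # join instead of repeated += : linear, and each string is fetched once.
    return "".join(parts)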
def create_string(addr, string_len):
    """Define a string item of string_len bytes at addr, undefining conflicting data first.

    Returns True when IDA accepted the string definition, False when addr has
    no segment or when idc.MakeStr failed twice (as-is, then after MakeUnknown).
    """
    if idc.get_segm_name(addr) is None:
        common._debug('Cannot load a string which has no segment - not creating string @ 0x%02x' % addr)
        return False
    common._debug('Found string load @ 0x%x with length of %d' % (addr, string_len))

    existing = None
    if idc.GetStringType(addr) is not None:
        existing = idc.GetString(addr)
    # A string of a different length already sits here: clear it before redefining.
    # This may be overly aggressive if we found the wrong area...
    if existing is not None and len(existing) != string_len:
        common._debug('It appears that there is already a string present @ 0x%x' % addr)
        idc.MakeUnknown(addr, string_len, idc.DOUNK_SIMPLE)
        idaapi.autoWait()

    # First attempt, only when nothing decodes as a string at addr any more.
    if idc.GetString(addr) is None and idc.MakeStr(addr, addr + string_len):
        idaapi.autoWait()
        return True

    # Second attempt: wipe partial (incorrect) analysis and retry.
    idc.MakeUnknown(addr, string_len, idc.DOUNK_SIMPLE)
    idaapi.autoWait()
    if idc.MakeStr(addr, addr + string_len):
        idaapi.autoWait()
        return True

    common._debug('Unable to make a string @ 0x%x with length of %d' % (addr, string_len))
    return False
def visit_expr(self, i):
    """Record ``global = GetProcAddress(..., "Name")`` assignments (from the FLARE article).

    For a call whose callee is named GetProcAddress and whose second argument
    is a C string, stores the assigned global's address in
    ``self.results[name]`` and renames that global to the resolved name.
    Always returns 0 so the ctree visitor keeps walking.
    """
    if i.op != idaapi.cot_call:
        return 0
    if idc.Name(i.x.obj_ea) != "GetProcAddress":
        return 0
    # String type 0 is ASCSTR_C: only a plain C string names the import.
    name_ea = i.a[1].obj_ea
    if idc.GetStringType(name_ea) != 0:
        return 0
    target_name = idc.GetString(name_ea, -1, 0)
    # Walk up to the enclosing assignment, skipping one cast if present.
    parent = self.cfunc.body.find_parent_of(i)
    if parent.op == idaapi.cot_cast:
        parent = self.cfunc.body.find_parent_of(parent)
    if parent.op == idaapi.cot_asg:
        lhs_ea = parent.cexpr.x.obj_ea
        self.results[target_name] = lhs_ea
        idc.MakeName(lhs_ea, target_name)
    return 0
def is_string(ea):
    """Return True when IDA reports a string type for the item containing ea.

    The item head is used because GetStringType only answers for the head
    of an item.
    """
    head_ea = idaapi.get_item_head(ea)
    return idc.GetStringType(head_ea) is not None
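def CompileTextFromFunction(f, sep):
    """Concatenate the C strings referenced from inside the function containing f.

    Args:
        f: an address inside the function (passed to idautils.FuncItems).
        sep: separator token written before each string.

    Returns:
        One string built from " <sep> <string>" fragments, "" when none are found.
    """
    parts = []
    for item_ea in idautils.FuncItems(f):
        for ref in idautils.DataRefsFrom(item_ea):
            # Only C strings (IDA string type 0) are collected.
            if idc.GetStringType(ref) != 0:
                continue
            text = idc.GetString(ref)
            # GetString yields None/"" when nothing decodable is there.
            if text:
                parts.append(" " + sep + " " + text)
    # join instead of repeated += : linear, and each string is fetched once.
    return "".join(parts)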
def get_string(ea):
    """Return the string IDA has defined at ea.

    :param ea: start address of the string item
    :return: whatever idc.GetString returns for ea with the reported string
        type (the type, possibly None, is forwarded unchanged)
    """
    reported_type = idc.GetStringType(ea)
    return idc.GetString(ea, strtype=reported_type)
def ADR(self, mnem, ops):
    """Translate an ARM ADR into ``out = <operand>;``.

    When the symbol in ops[1] resolves to a C string (IDA string type 0) the
    literal text is emitted as a double-quoted, repr-escaped string; otherwise
    the symbol name is emitted as written.
    """
    dest = self.processOp(ops[0], out=True)
    sym_ea = idc.LocByName(ops[1])
    if idc.GetStringType(sym_ea) == 0:
        text = self.ida.getString(sym_ea)
        # repr("'" + text) picks double-quote delimiters when text holds no '"';
        # [2:-1] drops the opening delimiter plus the injected quote and the
        # closing delimiter. (Texts containing both quote kinds are not
        # escaped correctly — pre-existing quirk, TODO confirm.)
        value = '"%s"' % repr("'" + text)[2:-1]
    else:
        value = ops[1]
    return '%s = %s;' % (dest, value)
def get_string(ea):
    """Return the string defined at ea.

    Raises NoString when IDA reports no string type at ea or when
    idc.GetString returns nothing for it.
    """
    string_type = idc.GetStringType(ea)
    text = None if string_type is None else idc.GetString(ea, strtype=string_type)
    if not text:
        raise NoString("No string at 0x{:08X}".format(ea))
    return text
def stringAt(self, ea):
    """Return the string that was found on the given address, regardless of its type.

    Args:
        ea (int): effective address of the wanted string

    Return Value:
        A python string that contains the found string (or None on error)
    """
    reported_type = idc.GetStringType(ea)
    if reported_type is None:
        # Not typed as a string by IDA.
        return None
    # -1 lets IDA compute the length itself.
    return idc.GetString(ea, -1, reported_type)
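def __init__(self, xref, addr):
    """Load the IDA string at addr that is referenced from xref.

    Args:
        xref: address of the instruction referencing the string.
        addr: address of the string item.

    Raises:
        StringParsingException: when IDA reports no string type at addr
            (GetStringType returned None) or a type outside String.ASCSTR.
    """
    str_type = idc.GetStringType(addr)
    # None means "not a string"; it has to be rejected before the numeric
    # comparisons, which raise TypeError on Python 3 when given None.
    if str_type is None or str_type < 0 or str_type >= len(String.ASCSTR):
        raise StringParsingException()
    CALC_MAX_LEN = -1  # let IDA compute the length itself
    string = str(idc.GetString(addr, CALC_MAX_LEN, str_type))
    self.xref = xref
    self.addr = addr
    self.type = str_type
    self.string = string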
def get_string_ref(ea=None):
    """Yield (instruction_ea, string) for each string referenced by the function around ea.

    ea defaults to the current cursor position (idc.here()). Only IDA string
    types 0-6 and 0x2000001 are reported.
    """
    # from https://gist.github.com/w4kfu/4252f4c19be573eaaecceb76e1dc0c1c
    if ea is None:
        ea = idc.here()
    func_start = idc.GetFunctionAttr(ea, FUNCATTR_START)
    accepted_types = list(range(0, 7)) + [0x2000001]
    for item_ea in idautils.FuncItems(func_start):
        for ref in idautils.DataRefsFrom(item_ea):
            stype = idc.GetStringType(ref)
            # None (not a string) is never in the accepted list.
            if stype in accepted_types:
                yield (item_ea, str(idc.GetString(ref, -1, stype)))
def get_string(ea):
    """Read the string at the given ea.

    This function uses IDA's string APIs and does not implement any special logic.
    Raises exceptions.SarkNoString when IDA reports no string type at ea or
    idc.GetString returns nothing.
    """
    # GetStringType only answers for the head of an item, hence get_item_head.
    string_type = idc.GetStringType(idaapi.get_item_head(ea))
    text = None if string_type is None else idc.GetString(ea, strtype=string_type)
    if not text:
        raise exceptions.SarkNoString("No string at 0x{:08X}".format(ea))
    return text
def format_string(call_addr, format_name, index):
    """Describe the format string named format_name as used by the call at call_addr.

    Returns a one-element list: either the single-quoted format string (newline
    characters rendered as a backslash-n escape) followed, when it holds any
    '%', by the conversion count and the output of format_args(); or a warning
    when format_name does not resolve to a C string.
    """
    format_addr = idc.LocByName(format_name)
    # Only a C string (IDA string type 0) can be decoded as a format string.
    if idc.GetStringType(format_addr) != 0:
        # Not a string: the format argument is not a fixed literal, so this
        # call is a candidate format string vulnerability.
        return ["null! A dangerous address, may have a format string vulnerability"]
    fmt_str = idc.GetString(format_addr).decode()
    # Keep the output on one line: show newlines as the two characters "\n".
    result = "'%s'" % fmt_str.replace('\n', '\\n')
    # Count the conversions so the matching arguments can be rendered.
    fmt_num = fmt_str.count('%')
    if fmt_num > 0:
        result += ", %d" % fmt_num
        result += "%s" % format_args(call_addr, fmt_num, index)
    return [result]
def LDR(self, mnem, ops):
    """Translate an ARM LDR into ``out = <value>;`` and record it in self.regs.

    NOTE(review): the nesting below was reconstructed from a single collapsed
    source line; the ``right.__class__ == tuple`` test is taken to sit at
    function level after the string check — confirm against the original file.
    """
    out = self.processOp(ops[0], out=True)
    outlower = out.lower()
    # Destinations that are not tracked registers are recorded under 'trash'.
    if outlower not in self.regs:
        outlower = 'trash'
    right = self.processOp(ops[1], noRef=True)
    # ops[1][1:] strips the first character of the operand before the name
    # lookup — presumably a '=' / '#' style prefix; confirm with processOp.
    addr = idc.LocByName(ops[1][1:])
    type = idc.GetStringType(addr)
    if type == 0:
        # C string: emit it as a double-quoted literal (repr-escaped, with the
        # delimiters and the injected quote stripped) wrapped in a tuple.
        right = self.ida.getString(addr)
        right = ('"%s"' % ` "'" + right ` [2:-1], )
    # A tuple is unwrapped as-is; a plain string is prefixed with '*'
    # (presumably "dereference this reference" — confirm with processOp).
    if right.__class__ == tuple:
        right = right[0]
    else:
        right = '*' + right
    self.regs[outlower] = right
    return '%s = %s;' % (out, right)
def visit_expr(self, i):
    """Rename globals assigned from ``GetProcAddress(..., "Name")`` to ``Name_``.

    For a call whose callee is named GetProcAddress and whose second argument
    is a C string, renames the global on the left-hand side of the enclosing
    assignment (one cast is skipped). Always returns 0 so the ctree visitor
    keeps walking.
    """
    if i.op != idaapi.cot_call:
        return 0
    if idc.Name(i.x.obj_ea) != "GetProcAddress":
        return 0
    # String type 0 is ASCSTR_C: only a plain C string names the import.
    name_ea = i.a[1].obj_ea
    if idc.GetStringType(name_ea) != 0:
        return 0
    target_name = idc.GetString(name_ea, -1, 0)
    # Walk up to the enclosing assignment, skipping one cast if present.
    parent = self.cfunc.body.find_parent_of(i)
    if parent.op == idaapi.cot_cast:
        parent = self.cfunc.body.find_parent_of(parent)
    if parent.op == idaapi.cot_asg:
        idc.MakeName(parent.cexpr.x.obj_ea, target_name + "_")
    return 0
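def enum_string_refs_in_function(fva):
    '''
    yield the string references in the given function.

    Args:
      fva (int): the starting address of a function

    Returns:
      sequence[tuple[int, int, str]]: tuples of metadata, including:
        - the address of the instruction referencing a string
        - the address of the string
        - the string
    '''
    CALC_MAX_LEN = -1  # let IDA determine the string length itself
    for ea in enum_function_addrs(fva):
        for ref in idautils.DataRefsFrom(ea):
            stype = idc.GetStringType(ref)
            # None means "not a string" and has to be skipped before the numeric
            # checks, which raise TypeError on Python 3 when given None.
            if stype is None or stype < 0 or stype > 7:
                continue
            yield ea, ref, str(idc.GetString(ref, CALC_MAX_LEN, stype))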
def type(self):
    """The IDA string type of this string (idc.GetStringType at self.addr).

    TODO: export the idc string-type enum instead of the raw number?
    """
    ea = self.addr
    return idc.GetStringType(ea)
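def get_string_type(self, addr):
    """Return the string at addr as str after validating its IDA string type.

    Args:
        addr: address of the string item.

    Raises:
        StringException: when IDA reports no string type at addr (None) or a
            type outside the range covered by self.string_types.
    """
    str_type = idc.GetStringType(addr)
    # None has to be rejected explicitly: the comparisons below raise
    # TypeError on Python 3 when given None.
    if str_type is None or str_type < 0 or str_type >= len(self.string_types):
        raise StringException()
    # -1 lets IDA compute the length itself.
    return str(idc.GetString(addr, -1, str_type))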
def getString(self, ea):
    """Return idc.GetString(ea) decoded with the string type IDA reports at ea.

    The reported type (possibly None) is forwarded to GetString unchanged.
    """
    return idc.GetString(ea, strtype=idc.GetStringType(ea))