def parse_func_pointer():
renamed = 0
for segea in idautils.Segments():
for addr in idautils.Functions(segea, idc.SegEnd(segea)):
#for addr in idautils.Functions(text_seg.startEA, text_seg.endEA):
name = idc.GetFunctionName(addr)
# Look at data xrefs to the function - find the pointer that is located in .rodata
data_ref = idaapi.get_first_dref_to(addr)
while data_ref != idc.BADADDR:
if 'rodata' in idc.get_segm_name(data_ref):
# Only rename things that are currently listed as an offset; eg. off_9120B0
if 'off_' in idc.GetTrueName(data_ref):
if idc.MakeNameEx(data_ref, ('%s_ptr' % name),
flags=idaapi.SN_FORCE):
idaapi.autoWait()
renamed += 1
else:
common._error(
'Failed to name pointer @ 0x%02x for %s' %
(data_ref, name))
data_ref = idaapi.get_next_dref_to(addr, data_ref)
common._info("\nRename %d function pointers.\n" % renamed)
def prepare_parse_type(typestr, addr):
"""
idc.ParseType doesnt accept types without func / local name
as exported by default GetType
this is an ugly hack to fix it
"""
lname = idc.GetTrueName(addr)
if lname is None:
lname = "Default"
# func pointers
conventions = [
"__cdecl *",
"__stdcall *",
"__fastcall *",
# "__usercall *",
# "__userpurge *",
"__thiscall *",
"__cdecl",
"__stdcall",
"__fastcall",
# "__usercall",
# "__userpurge",
"__thiscall"
]
mtype = None
for conv in conventions:
if conv in typestr:
mtype = typestr.replace(conv, conv + " " + lname)
break
return mtype
def is_start_of_function(ea):
"""Returns `True` if `ea` is the start of a function."""
if not is_code(ea):
return False
name = idc.GetFunctionName(ea) or idc.GetTrueName(ea)
return ea == idc.LocByName(name)
def activate(self, ctx):
hx_view = idaapi.get_tform_vdui(ctx.form)
var_type = ShallowScanVariable.check(hx_view.item)
if var_type == "LOCAL":
variable = hx_view.item.get_lvar() # lvar_t
index = list(hx_view.cfunc.get_lvars()).index(variable)
scanner = ShallowSearchVisitor(hx_view.cfunc, 0, index)
elif var_type == "GLOBAL":
variable = hx_view.item.it.to_specific_type
name = idc.GetTrueName(variable.obj_ea)
tinfo = variable.type
scanner = ShallowSearchVisitor(hx_view.cfunc, 0, global_variable=(name, tinfo))
else:
return
scanner.process()
structure = TemporaryStructureModel()
for field in scanner.candidates:
structure.add_row(field)
tinfo = structure.get_recognized_shape()
if tinfo:
tinfo.create_ptr(tinfo)
if var_type == "LOCAL":
hx_view.set_lvar_type(variable, tinfo)
elif var_type == "GLOBAL":
idaapi.apply_tinfo2(variable.obj_ea, tinfo, idaapi.TINFO_DEFINITE)
hx_view.refresh_view(True)
def activate(self, ctx):
hx_view = idaapi.get_tform_vdui(ctx.form)
origin = self.temporary_structure.main_offset
var_type = self.check(hx_view.item)
if var_type == "LOCAL":
variable = hx_view.item.get_lvar() # lvar_t
index = list(hx_view.cfunc.get_lvars()).index(variable)
scanner = ShallowSearchVisitor(hx_view.cfunc, origin, index)
elif var_type == "GLOBAL":
gvar = hx_view.item.it.to_specific_type
name = idc.GetTrueName(gvar.obj_ea)
tinfo = gvar.type
scanner = ShallowSearchVisitor(hx_view.cfunc,
origin,
global_variable=(name, tinfo))
else:
return
scanner.process()
for field in scanner.candidates:
self.temporary_structure.add_row(field)
scanner.clear()
def _get_best_name(ea):
try:
return sark.Function(ea).demangled
except exceptions.SarkNoFunction:
name = idc.GetTrueName(ea)
if name:
return name
return '0x{:X}'.format(ea)
def sync_names(full_synchro=False):
global sample_id, skel_conn, last_timestamp
if not skel_conn.is_online:
return 0
comments = skel_conn.get_comments()
for comment in comments:
execute_comment(comment)
names = skel_conn.get_names()
for name in names:
if "sub_" in idc.GetTrueName(name["address"]):
print "[x] renaming %s @0x%x as %s" % (idc.GetTrueName(
name["address"]), name["address"], name["data"])
idc.MakeName(name["address"],
name["data"].encode('ascii', 'ignore'))
# Here, parse the new commands and execute them
print "[+] IDB synchronized"
return 0
def visit_expr(self, expression):
if expression.op == idaapi.cot_var:
index = expression.v.idx
elif expression.op == idaapi.cot_obj:
index = idc.GetTrueName(expression.obj_ea)
else:
return 0
if index in self.variables:
result = self.check_member_assignment(expression, index)
if result:
self.candidates.append(result)
return 0
def prepare_parse_type(typestr, addr):
"""
idc.ParseType doesnt accept types without func / local name
as exported by default GetType
this is an ugly hack to fix it
FIXME : parsing usercall (@<XXX>)
"""
lname = idc.GetTrueName(addr)
if lname is None:
lname = "Default"
# func pointers
fpconventions = [
"__cdecl *",
"__stdcall *",
"__fastcall *",
#"__usercall *",
#"__userpurge *",
"__thiscall *"
]
cconventions = [
"__cdecl",
"__stdcall",
"__fastcall",
#"__usercall",
#"__userpurge",
"__thiscall"
]
flag = False
mtype = None
for conv in fpconventions:
if conv in typestr:
mtype = typestr.replace(conv, conv + lname)
flag = True
if not flag:
# replace prototype
for conv in cconventions:
if conv in typestr:
mtype = typestr.replace(conv, conv + " " + lname)
flag = True
return mtype
def auto_string_naming(self):
idaStrings = idautils.Strings()
for cstring in idaStrings:
stringValue = idc.GetString(cstring.ea, cstring.length,
cstring.type)
currentName = idc.GetTrueName(cstring.ea)
if len(stringValue) > 6:
objFileValues = re.findall(r"[a-zA-Z]+(?=\.obj)", currentName)
objFile = ""
idc.MakeComm(cstring.ea, currentName)
if len(objFileValues) > 0:
objFile = objFileValues[0].upper()
newName = stringValue.title()
for repl in [x for x in string.punctuation]:
newName = newName.replace(repl, "")
newName = newName.replace(" ", "")
newName = "s{objFile}{currentName}".format(objFile=objFile,
currentName=newName)
idc.MakeNameEx(cstring.ea, newName, idc.SN_AUTO)
def activate(self, ctx):
hx_view = idaapi.get_tform_vdui(ctx.form)
origin = self.temporary_structure.main_offset
var_type = ShallowScanVariable.check(hx_view.item)
if var_type == "LOCAL":
variable = hx_view.item.get_lvar() # lvar_t
index = list(hx_view.cfunc.get_lvars()).index(variable)
definition_address = None if variable.is_arg_var else variable.defea
# index = list(hx_view.cfunc.get_lvars()).index(variable)
if FunctionTouchVisitor(hx_view.cfunc).process():
hx_view.refresh_view(True)
# Because index of the variable can be changed after touching, we would like to calculate it appropriately
lvars = hx_view.cfunc.get_lvars()
if definition_address:
index = next(x for x in xrange(len(lvars))
if lvars[x].defea == definition_address)
scanner = DeepSearchVisitor(hx_view.cfunc, origin, index=index)
elif var_type == "GLOBAL":
gvar = hx_view.item.it.to_specific_type
name = idc.GetTrueName(gvar.obj_ea)
tinfo = gvar.type
if FunctionTouchVisitor(hx_view.cfunc).process():
hx_view.refresh_view(True)
scanner = DeepSearchVisitor(hx_view.cfunc,
origin,
global_variable=(name, tinfo))
else:
return
scanner.process()
for field in scanner.candidates:
self.temporary_structure.add_row(field)
scanner.clear()
def populate_table(self):
"""
Download the list of proposed names and display it
"""
functions = self.skel_conn.get_proposed_names()
items = []
for func in functions:
func_name = idc.GetTrueName(func["address"])
for name in func["proposed_names"]:
item = self.SkelFuncListItem(hex(func["address"]), func_name,
hex(func["machoc_hash"]), name)
items.append(item)
self.setRowCount(len(items))
for item_index, item in enumerate(items):
widgets = item.get_widgets()
self.setItem(item_index, 0, widgets["address"])
self.setItem(item_index, 1, widgets["curname"])
self.setItem(item_index, 2, widgets["machoc"])
self.setItem(item_index, 3, widgets["proposed"])
def get_offset_name(ea):
# Try and get the function name
try:
func = get_func(ea)
name = idc.GetTrueName(func.startEA)
name = demangle(name, 0x60) # MNG_NOTYPE | MNG_NORETTYPE
if name:
offset = ea - func.startEA
if offset:
return '{}+{:X}'.format(name, offset)
return name
except exceptions.SarkNoFunction:
pass
# If that failed, use the segment name instead.
segment = idaapi.getseg(ea)
name = idaapi.get_true_segm_name(segment)
offset_format = '{{:0{}X}}'.format(get_native_size() * 2)
ea_text = offset_format.format(ea)
if name:
return '{}:{}'.format(name, ea_text)
# Nothing found, simply return the address
return ea_text
def name(self):
"""Function's Name"""
return idc.GetTrueName(self.startEA)
def postprocess(self):
global skel_conn
try:
if self.cmdname == "MakeComment":
if idc.GetCommentEx(self.addr, 0) is not None:
skel_conn.push_comment(self.addr,
idc.GetCommentEx((self.addr), 0))
elif idc.GetCommentEx(self.addr, 1) is not None:
skel_conn.push_comment(self.addr,
idc.GetCommentEx((self.addr), 1))
elif idc.GetFunctionCmt(self.addr, 0) != "":
skel_conn.push_comment(self.addr,
idc.GetCommentEx((self.addr), 0))
elif idc.GetFunctionCmt(self.addr, 1) != "":
skel_conn.push_comment(
self.addr,
idc.GetFunctionCmt(self.addr,
1).replace("\n", "\\n").replace(
"\"", "\\\""))
if self.cmdname == "MakeRptCmt":
if idc.GetCommentEx(self.addr, 0) is not None:
skel_conn.push_comment(
self.addr,
idc.GetCommentEx(self.addr,
0).replace("\n", "\\n").replace(
"\"", "\\\""))
elif idc.GetCommentEx(self.addr, 1) is not None:
skel_conn.push_comment(
self.addr,
idc.GetCommentEx(self.addr,
1).replace("\n", "\\n").replace(
"\"", "\\\""))
elif idc.GetFunctionCmt(self.addr, 0) != "":
skel_conn.push_comment(
self.addr,
idc.GetFunctionCmt(self.addr,
0).replace("\n", "\\n").replace(
"\"", "\\\""))
elif idc.GetFunctionCmt(self.addr, 1) != "":
skel_conn.push_comment(
self.addr,
idc.GetFunctionCmt(self.addr,
1).replace("\n", "\\n").replace(
"\"", "\\\""))
elif self.cmdname == "MakeName":
# idc.Jump(self.addr)
if (idc.GetFunctionAttr(self.addr, 0) == self.addr):
fname = GetFunctionName(self.addr)
if fname != "":
if not CheckDefaultValue(fname):
skel_conn.push_name(self.addr, fname)
else:
fname = idc.GetTrueName(self.addr)
if fname != "" and not CheckDefaultValue(fname):
skel_conn.push_name(
self.addr,
fname.replace("\n", "\\n").replace("\"", "\\\""))
else:
# ok, on regarde ce qui est pointe
if GetOpType(self.addr, 0) in [o_near, o_imm, o_mem]:
if GetOpType(self.addr,
1) in [o_near, o_imm, o_mem]:
print "[P] You must be on the top of function or at the global address to set the name in log file"
else:
add = idc.GetOperandValue(self.addr, 0)
fname = idc.GetTrueName(add)
if fname != "" and not CheckDefaultValue(
fname):
skel_conn.push_name(
add,
fname.replace("\n", "\\n").replace(
"\"", "\\\""))
else:
print "[P] You must be on the top of function or at the global address to set the name in log file"
elif GetOpType(self.addr, 1) in [o_near, o_imm, o_mem]:
add = idc.GetOperandValue(self.addr, 1)
fname = idc.GetTrueName(add)
if fname != "" and not CheckDefaultValue(fname):
skel_conn.push_name(
add,
fname.replace("\n",
"\\n").replace("\"", "\\\""))
else:
print "[P] You must be on the top of function or at the global address to set the name in log file"
elif self.cmdname == "MakeFunction":
if idc.GetFunctionAttr(self.addr, 0) is not None:
pass
#push_change("idc.MakeFunction", shex(idc.GetFunctionAttr(
# self.addr, 0)), shex(idc.GetFunctionAttr(self.addr, 4)))
elif self.cmdname == "DeclareStructVar":
print "Fixme : declare Struct variable"
elif self.cmdname == "AddStruct":
print "Fixme : adding structure"
elif self.cmdname == "SetType":
newtype = idc.GetType(self.addr)
if newtype is None:
newtype = ""
else:
newtype = prepare_parse_type(newtype, self.addr)
push_change("idc.SetType", shex(self.addr), newtype)
elif self.cmdname == "OpStructOffset":
print "Fixme, used when typing a struct member/stack var/data pointer to a struct offset "
except KeyError:
pass
return 0
def execute_rename(name):
if "sub_" in idc.GetTrueName(name["address"]):
g_logger.debug(
"[x] renaming %s @ 0x%x as %s" %
(idc.GetTrueName(name["address"]), name["address"], name["data"]))
idc.MakeName(name["address"], name["data"].encode('ascii', 'ignore'))
def get_name():
return idc.GetTrueName(name["address"])
def on_get_text(self, value, attrs):
name = idc.GetTrueName(value)
demangle = getattr(idaapi, 'demangle_name2', idaapi.demangle_name)
name = demangle(name, 0) or name
return name or "0x{:08X}".format(value)
def GetName(ea, resolve_imports=True):
name = idc.GetFunctionName(ea)
if not name and resolve_imports:
name = idc.GetTrueName(ea)
return name
def name(self):
"""Name of the line (the label shown in IDA)."""
return idc.GetTrueName(self.ea)
