def disasm(ea, mem=None, size=api.MAXCMDSIZE):
if mem is None:
mem = safe_read_chunked_memory_region_as_one(ea, size)
if not mem:
print >> sys.stderr, 'Unable to read specified memory (0x%08X of size 0x%08X)' % (ea, size)
return None, None
mem = buffer(mem[1])
cmd = bytearray(mem[:min(api.MAXCMDSIZE, len(mem))])
dis = api.t_disasm()
n = api.Disasm(cmd, len(cmd), ea, None, dis, api.DISASM_CODE, 0)
if n <= 0 or dis.error:
return None, None
return n, dis
def scan_for_ref_api_calls(ea_from, ea_to, increment, rv, base, mem):
# import inspect
if ea_from > ea_to:
print >> sys.stderr, 'Invalid arguments passed'
return None
logger.info(('scan_for_ref_api_calls(ea_from=0x%08X, ea_to=0x%08X, increment=0x%08X, base=0x%08X)\n' +
'getting modules meta') % (ea_from, ea_to, increment, base))
global modules_meta
global modules_exports
logger.info('scan_for_ref_api_calls() modules_meta got')
this_module_exports = set()
for name, info in modules_meta.items():
for i in xrange(len(info['base'])):
if info['base'][i] <= ea_from < info['base'][i] + info['size'][i]:
this_module_exports = set(map(lambda x: x['ea'], info['apis'][i]))
print 'module found: %s, len of exports: %u' % (name, len(this_module_exports))
break
def isPointsToExternalDll(addr):
if addr in modules_exports and (not this_module_exports or addr not in this_module_exports):
return modules_exports[addr]
return False
for ea in xrange(ea_from, ea_to, increment):
try:
l = ea_to - ea
offs = ea - ea_from
cmd = bytearray(mem[offs: offs + min(api.MAXCMDSIZE, l)])
dis = api.t_disasm()
n = api.Disasm(cmd, len(cmd), ea, None, dis, api.DISASM_CODE, 0)
if n <= 0 or dis.error:
continue
if dis.immconst:
v = isPointsToExternalDll(dis.immconst)
if v:
ref = rv.refs.add()
ref.ref_type = rpc.AnalyzeExternalRefsResult.RefData.REFT_IMMCONST
ref.module, ref.proc = v.split('.')
ref.v = dis.immconst
ref.ea = ea
ref.len = n
ref.dis = dis.result
print 'dis.immconst points to %s at %08X as %s bytes: %s' % (v, ea, dis.result, dis.dump)
continue
if dis.adrconst:
v = isPointsToExternalDll(dis.adrconst)
if v:
ref = rv.refs.add()
ref.ref_type = rpc.AnalyzeExternalRefsResult.RefData.REFT_ADDRCONST
ref.module, ref.proc = v.split('.')
ref.v = dis.adrconst
ref.ea = ea
ref.len = n
ref.dis = dis.result
print 'dis.adrconst points to %s at %08X as %s bytes: %s' % (v, ea, dis.result, dis.dump)
continue
if dis.jmpconst:
v = isPointsToExternalDll(dis.jmpconst)
if v:
ref = rv.refs.add()
ref.ref_type = rpc.AnalyzeExternalRefsResult.RefData.REFT_JMPCONST
ref.module, ref.proc = v.split('.')
ref.v = dis.jmpconst
ref.ea = ea
ref.len = n
ref.dis = dis.result
print 'dis.jmpconst points to %s at %08X as %s bytes: %s' % (v, ea, dis.result, dis.dump)
continue
#for k, v in inspect.getmembers(dis):
# if '_' not in k:
# print "%r: %r" % (k, v)
except Exception as exc:
print >> sys.stderr, 'Exception: %r\r\n%s' % (exc, traceback.format_exc().replace('\n', '\r\n'))
def cast_rva(rva, type_):
#va = pdata + rva
return ctypes.cast(ctypes.POINTER(t).from_address(ctypes.addressof(_data) + rva), type_)
dos_header = cast_rva(0, PIMAGE_DOS_HEADER)[0]
print 'e_magic: %x, e_cblp: %08X' % (dos_header.e_magic, dos_header.e_cblp)
for i in xrange(6):
print '%02x\n' % _data[i]
del mem
# ---------------------
import ollyapi as oa
import ollyutils
name = bytearray(oa.TEXTLEN)
dis = oa.t_disasm()
mem = ollyutils.safe_read_chunked_memory_region_as_one(ea_from, ea_to - ea_from)
n = oa.Disasm(cmd, len(cmd), ea, None, dis, oa.DISASM_CODE, 0)
# ---------------------
# CRIDEX GPA enum creation
ref = idaapi.get_first_cref_to(0x004049C6) # addr of fmfu_GPA func
def getProcEnumName(idx):
e = idx * 4 + 0x410020 # addr of beginnig of procs array
l = idaapi.get_long(e)
oaep = GetEnum('OLD_API_EXTERN_CONSTS')
member = idaapi.get_enum_member(oaep, l, 0, 0)
if member == idaapi.BADADDR:
return None
n = idaapi.get_enum_member_name(member)