def _install_open_coverage_xref(self):
PluginCommand.register_for_address(
self.ACTION_COVERAGE_XREF,
"Open the coverage xref window",
self._open_coverage_xref,
self._is_xref_valid
)
def create_binja_menu():
# Binja does not really support menu in its GUI just yet
PluginCommand.register_for_address(
"gef : add breakpoint",
"Add a breakpoint in gef at the specified location.",
add_gef_breakpoint)
PluginCommand.register_for_address(
"gef : delete breakpoint",
"Remove a breakpoint in gef at the specified location.",
delete_gef_breakpoint)
return
def register_gef_breakpoint_menu():
# Binja does not really support menu in its GUI just yet
PluginCommand.register_for_address(
"GEF\\Set breakpoint",
"Add a breakpoint in gef at the specified location.",
gef_add_breakpoint,
is_valid=lambda view, addr: is_service_started())
PluginCommand.register_for_address(
"GEF\\Delete breakpoint",
"Remove a breakpoint in gef at the specified location.",
gef_del_breakpoint,
is_valid=lambda view, addr: is_service_started())
return
return calculate_offset(vtable, bv, call_il.dest,
defs.get(call_il.instr_index, {}), defs)
def navigate_to_virtual_function(bv, addr):
constructor = find_constructor(bv)
if constructor is None:
return
vtable = find_vtable(bv, constructor.low_level_il)
if vtable is None:
log_alert("Couldn't find vtable for {}".format(
constructor.symbol.full_name))
return
function_pointer = find_function_offset(vtable, bv, addr)
if function_pointer is None:
log_alert("Couldn't find vtable offset for this call!")
return
bv.file.navigate(bv.file.view, function_pointer)
PluginCommand.register_for_address(
"Navigate to Virtual Function",
("Navigate to the virtual function called by "
"an indirect call, given the class name"), navigate_to_virtual_function)
code += " "
value = str(ii)
if str(ii.type) == "InstructionTextTokenType.PossibleAddressToken":
last = int(str(ii), 16)
if last in fmap:
value = fmap[last]
else:
value = bv.get_symbol_at(last).name
code += value
f1.write(code)
f1.write("\n")
f1.close()
# for block in f.low_level_il:
# print(dir(block))
# for instr in block:
# if first:
# f1.write("{0:s}: {1:x}\n".format(name,instr.address))
# first = False
#print instr.address, instr.instr_index, instr
# {0:x} {1:d} instr.address, instr.instr_index,
# f1.write("{0:s}\n".format(instr))
#print("END")
# f1.close()
#show_message_box("Do Something", "Congratulations! You have successfully done nothing.\n\n" +
# "Pat yourself on the Rump.", MessageBoxButtonSet.OKButtonSet, MessageBoxIcon.ErrorIcon)
PluginCommand.register_for_address("Function Writer", "Writes Function Data", do_nothing)
PluginCommand.register(
"Ethersplay-4byte\\Rename functions",
"Perform lookup of all hash signatures on 4byte.directory to rename unknown functions",
rename_all_functions,
is_valid=is_valid_evm)
PluginCommand.register(
"Ethersplay-4byte\\update cashed function hashes",
"Re-do lookup of all hash signatures on 4byte.directory, which are stored in the local cache.",
update_cache_bn,
is_valid=is_valid_evm)
PluginCommand.register_for_address(
"Ethersplay-4byte\\Lookup 4byte hash",
"Perform lookup of one hash signature on 4byte.directory",
lookup_one_inst,
is_valid=is_valid_evm)
PluginCommand.register_for_function(
"Ethersplay-4byte\\Lookup 4byte hash for all PUSH4",
"Perform lookup of one hash signature on 4byte.directory",
lookup_all_push4,
is_valid=is_valid_evm)
PluginCommand.register_for_address(
"Ethersplay\\Lookup 4byte hash (4byte.directory)",
"Perform lookup of one hash signature on 4byte.directory",
lookup_one_inst,
is_valid=is_valid_evm)
def check_view_platform(view, *platforms):
platform = view.platform
if platform is None:
return False
return platform.name in platforms
PluginCommand.register(
'Windows\\Scan for RTTI', 'Scans for MSVC RTTI',
lambda view: command_scan_for_rtti(view),
lambda view: check_view_platform(view, 'windows-x86', 'windows-x86_64'))
PluginCommand.register_for_address(
'Windows\\Create vftable', 'Creates a vftable at the current address',
lambda view, address: command_create_vtable(view, address), lambda view,
address: check_view_platform(view, 'windows-x86', 'windows-x86_64'))
PluginCommand.register(
'Windows\\Parse exception handlers',
'Create functions based on exception handlers',
lambda view: command_parse_unwind_info(view),
lambda view: check_view_platform(view, 'windows-x86_64'))
PluginCommand.register(
'Windows\\Fix thiscall\'s',
'Convert appropriate stdcall\'s and fastcall\'s into thiscall\'s',
lambda view: command_fix_x86_conventions(view),
lambda view: check_view_platform(view, 'windows-x86'))
PluginCommand.register(
]
else:
# By default, we just use the LLIL explanation
# We append the line number if we're displaying a conditional.
explain_window().description = [explain_llil(bv, llil) for llil in parse_il]
# Display the MLIL and LLIL, dereferencing anything that looks like a hex number into a symbol if possible
explain_window().llil = [dereference_symbols(bv, llil) for llil in llil_list]
explain_window().mlil = [dereference_symbols(bv, mlil) for mlil in mlil_list]
# Pass in the flags, straight from the API. We don't do much with these, but they might make things more clear
explain_window().flags = [
(
func.get_flags_read_by_lifted_il_instruction(lifted.instr_index),
func.get_flags_written_by_lifted_il_instruction(lifted.instr_index),
lifted,
)
for lifted in lifted_il_list
]
# Display what information we can calculate about the program state before the instruction is executed
try:
explain_window().state = get_state(bv, addr)
except AttributeError:
log_error("No instruction state support for this architecture")
explain_window().show()
PluginCommand.register_for_address("Explain Instruction", "", explain_instruction)
def register_logger(address, func):
if not __check_executor():
return
executor.user_loggers[address] = func
def reload_settings():
if not __check_executor():
return
executor.bncache.settings = {}
PluginCommand.register_for_address(
"SENinja\\0 - Start symbolic execution",
"create the first state for symbolic execution at current address",
_async_start_se)
PluginCommand.register_for_address(
"SENinja\\1 - Change current state",
"change current state with the deferred one at current address (if any)",
_async_change_current_state)
PluginCommand.register("SENinja\\2 - Step",
"execute one instruction with the current state",
_async_step)
PluginCommand.register(
"SENinja\\3 - Continue until branch",
"execute instructions in the current state until a fork occurs",
_async_continue_until_branch)
PluginCommand.register_for_address(
"SENinja\\4 - Continue until address",
"execute instructions in the current state until the currently selected address is reached",
for visited_instruction in visited_instructions:
function.source_function.set_user_instr_highlight(
function[visited_instruction].address, color)
bv.commit_undo_actions()
def backward_slice(bv, addr):
function = bv.get_basic_blocks_at(addr)[0].function
instruction = function.get_low_level_il_at(addr).mapped_medium_level_il
program_slice(instruction, 'backward')
def forward_slice(bv, addr):
function = bv.get_basic_blocks_at(addr)[0].function
instruction = function.get_low_level_il_at(addr).mapped_medium_level_il
program_slice(instruction, 'forward')
PluginCommand.register_for_address('Slice backwards',
'Slice variable backwards from this point',
backward_slice)
PluginCommand.register_for_address('Slice forward',
'Slice variable forward from this point',
forward_slice)
rows_selected = set()
for i in select.selectedIndexes():
rows_selected.add(i.row())
assert len(rows_selected) >= 1
# Hopefully this sort is enough to delete the correct rows.
sorted_rows_selected = sorted(list(rows_selected), reverse=True)
for row in sorted_rows_selected:
self.table_model.removeRows(row)
else:
log_error("No selection to remove")
def set_indirect_branches_clicked(self):
branches = self.table_model.branches
log_debug("Setting 0x%x's indirect branches to: %s" %
(self.indirect_jmp_addr, branches))
self.func.set_user_indirect_branches(self.indirect_jmp_addr, branches)
self.accept()
def launch_plugin(bv, addr):
widget = IndirectBranchSetterWidget(bv, addr)
widget.exec_()
_name = "Indirect branches setter"
_description = "A plugin for setting indirect branches more easily, when binja fails to recognized a jump table"
PluginCommand.register_for_address(_name, _description, launch_plugin)
import time
import hashlib
import binaryninja
from binaryninja import PluginCommandContext, PluginCommand
from binaryninja import SymbolType, Symbol
def do_nothing(bv,function):
badnames = ""
bn = []
nmap ={}
for f in bv.functions:
badnames+=f.name + "\n"
bn.append(f.name)
nmap[f.name] = f.start
x = {"input":badnames}
r = requests.post("https://demangler.com/raw", data=x)
index = 0
lines = r.text.split("\n")
for l in lines:
if (index < len(bn)-1):
name = bn[index]
if l != name:
#print(" {0:s}\n->{1:s}".format(l,bn[index]))
address = nmap[name]
symbol_type = SymbolType.FunctionSymbol
symbol = l
bv.define_user_symbol(Symbol(symbol_type, address, symbol))
index += 1
PluginCommand.register_for_address("Rename C++ functions", "Renames the functions by demangling", do_nothing)
) == "InstructionTextTokenType.PossibleAddressToken":
last = int(str(ii), 16)
if last in fmap:
value = fmap[last]
else:
value = bv.get_symbol_at(last).name
code += value
f1.write(code)
f1.write("\n")
f1.close()
# for block in f.low_level_il:
# print(dir(block))
# for instr in block:
# if first:
# f1.write("{0:s}: {1:x}\n".format(name,instr.address))
# first = False
#print instr.address, instr.instr_index, instr
# {0:x} {1:d} instr.address, instr.instr_index,
# f1.write("{0:s}\n".format(instr))
#print("END")
# f1.close()
#show_message_box("Do Something", "Congratulations! You have successfully done nothing.\n\n" +
# "Pat yourself on the Rump.", MessageBoxButtonSet.OKButtonSet, MessageBoxIcon.ErrorIcon)
PluginCommand.register_for_address("Function Writer", "Writes Function Data",
do_nothing)
from . import settings
from .apis_ui import (_async_start_se, _async_change_current_state,
_async_step, _async_continue_until_branch,
_async_continue_until_address, _async_merge_states,
_async_save_active_state, _async_change_active_state_ip,
_set_run_target, _set_run_avoid, _async_run_dfs_searcher,
_async_run_dfs_searcher_findall, _async_run_bfs_searcher,
_async_reset_se, _async_toggle_state_history, sync_ui)
from .apis import (start_se, reset_se, continue_until_branch,
continue_until_address, setup_argv, execute_one_instruction,
stop, get_current_state, get_executor, register_hook,
register_logger, get_stdin_bv, get_stdout_bv,
reload_settings)
PluginCommand.register_for_address(
"SENinja\\0 Start symbolic execution",
"create the first state for symbolic execution at current address",
_async_start_se)
PluginCommand.register_for_address(
"SENinja\\1 Change current state",
"change current state with the deferred one at current address (if any)",
_async_change_current_state)
PluginCommand.register("SENinja\\2 Step",
"execute one instruction with the current state",
_async_step)
PluginCommand.register_for_address(
"SENinja\\3 Merge states",
"merge all states at current address in one state", _async_merge_states)
PluginCommand.register("SENinja\\4 Save active state",
"save active state in deferred queue",
_async_save_active_state)
PluginCommand.register_for_address(
