def run_query(qf, ea_list, qs):
subtitle = qs.help
title = subtitle if len(subtitle) < 80 else "%s..." % subtitle[:77]
ch = hxtb.ic_t(title="Shell [%s]" % title)
mode = qs.ast_type == 1
idaapi.show_wait_box("Processing")
try:
nfuncs = len(ea_list)
for j, ea in enumerate(ea_list):
if idaapi.user_cancelled():
break
idaapi.replace_wait_box("Processing function %d/%d" %
(j + 1, nfuncs))
r = list()
try:
r = hxtb.exec_query(qf, [ea],
mode,
parents=True,
flags=idaapi.DECOMP_NO_WAIT)
for x in r:
ch.append(x)
except Exception as e:
print("%s: %s" % (SCRIPT_NAME, e))
finally:
idaapi.hide_wait_box()
return ch
def fc(func_name, fuzzy=False):
"""find function calls to 'func_name'
"""
if fuzzy:
name = func_name.lower()
query = lambda cf, e: (e.op is cot_call and e.x.op is cot_obj and name
in get_name(e.x.obj_ea).lower())
return hxtb.exec_query(query, Functions(), False)
# else...
ea = get_name_ea(BADADDR, func_name)
if ea != BADADDR:
query = lambda cf, e: (e.op is cot_call and e.x.op is cot_obj and
get_name(e.x.obj_ea) == func_name)
return hxtb.exec_query(query, list(set(CodeRefsTo(ea, True))), False)
return list()
def find_memcpy():
"""find calls to memcpy() where the 'n' argument is signed
we're going through all functions in order to pick up inlined memcpy() calls
"""
query = lambda cf, e: (e.op is cot_call and e.x.op is cot_obj and 'memcpy'
in get_name(e.x.obj_ea) and len(e.a) == 3 and e.a[
2].op is cot_var and cf.lvars[e.a[2].v.idx
].tif.is_signed())
return hxtb.exec_query(query, Functions(), False)
def find_gpa():
"""find dynamically imported functions (Windows)
example function to be passed to hr_toolbox.ic_t()
"""
func_name = 'GetProcAddress'
query = lambda cfunc, e: (e.op is cot_call and e.x.op is cot_obj and
get_name(e.x.obj_ea) == func_name and len(e.a) ==
2 and e.a[1].op is cot_obj and is_strlit(
get_flags(e.a[1].obj_ea)))
gpa = get_name_ea_simple(func_name)
ea_set = set([
f.start_ea
for f in [get_func(xref.frm) for xref in XrefsTo(gpa, XREF_FAR)] if f
])
return hxtb.exec_query(query, ea_set, False)
def find_malloc():
"""calls to malloc() with a size argument that is anything
but a variable or an immediate number.
"""
func_name = 'malloc'
query = lambda cf, e: (e.op is cot_call and e.x.op is cot_obj and get_name(
e.x.obj_ea) == func_name and len(e.a) == 1 and e.a[0].op not in
[cot_num, cot_var])
ea_malloc = get_name_ea_simple(func_name)
ea_set = set([
f.start_ea
for f in [get_func(xref.frm) for xref in XrefsTo(ea_malloc, XREF_FAR)]
if f
])
return hxtb.exec_query(query, ea_set, False)
def find_sprintf():
"""find calls to sprintf() where the format string argument contains '%s'
"""
func_name = 'sprintf'
query = lambda cfunc, e: (
e.op is cot_call and e.x.op is cot_obj and func_name in get_name(
e.x.obj_ea) and len(e.a) >= 2 and e.a[1].op is cot_obj and
is_strlit(get_flags(e.a[1].obj_ea)) and b'%s' in get_strlit_contents(
e.a[1].obj_ea, -1, 0, STRCONV_ESCAPE))
ea_malloc = get_name_ea_simple(func_name)
ea_set = set([
f.start_ea
for f in [get_func(xref.frm) for xref in XrefsTo(ea_malloc, XREF_FAR)]
if f
])
return hxtb.exec_query(query, ea_set, False)