def render_img(self, buffers, addr, mouse_offs): colors = [] cols = [qRgb(0xDC, 0xDC, 0xDC), qRgb(0x00, 0x00, 0x00)] colidx = 0 goffs = 0 for mapped, buf in buffers: if mapped: start = ea = addr + goffs end = start + len(buf) head = get_item_head(start) sz = get_item_size(head) if head < start: sz -= (start - head) while ea < end: for i in xrange(sz): colors.append((True, copy(cols[colidx]))) colidx = ((colidx + 1) & sz != 0) if ea + sz > end: sz = ea + sz - end ea += sz sz = get_item_size(ea) else: for i in xrange(len(buf)): colors.append((False, 0)) goffs += len(buf) return colors
def dump(): ret = [] for addr, name in idautils.Names(): flags = ida_bytes.get_flags(addr) # The 'a' heuristic is fairly bad but we need to filter out IDA's default # naming for strings if ida_bytes.has_dummy_name(flags) or ida_bytes.has_auto_name(flags) or not ida_bytes.is_data(flags) or name[0] == 'a': continue # Sometimes the auto-generated names don't actually usually have the # right flags set, so skip these auto-looking names. if any(name.startswith(s) for s in ['byte_', 'word_', 'dword_', 'unk_', 'jpt_']): continue sz = ida_bytes.get_item_size(addr) if ida_bytes.is_struct(flags): ti = ida_nalt.opinfo_t() ida_bytes.get_opinfo(ti, addr, 0, flags) typ = ida_struct.get_struc_name(ti.tid) else: typ = None ret.append(filter_none({ 'address': addr, 'name': name, 'type': typ, 'sz': sz, 'flags': flags, })) return ret
def on_process_buffer(self, buffers, addr, size, mouse_offs): colors = [] goffs = 0 for mapped, buf in buffers: if mapped: ip = get_ip_val() i = 0 while i < len(buf): if ip is not None and ip == addr + goffs + i and self.hook.highlighted: size = get_item_size(ip) for j in range(size): colors.append((True, qRgb(0xFF, 0x45, 0))) i += size continue else: if addr + goffs + i in self.hook.hits: data = self.hook.hits[addr + goffs + i] size = data[1] hits = data[0] for j in range(size): base = self.palette[len(self.palette)-1] col = QColor(base).darker(100+(float(hits)/self.hook.maxhits)*105).rgb() colors.append((True, col)) i += size continue else: c = buf[i] colors.append((True, self.palette[self._byte2coloridx(c)])) i += 1 else: for i in range(len(buf)): colors.append((False, None)) goffs += len(buf) return colors
def _add_hit(self): ip = get_ip_val() if ip is not None: try: data = self.hits[ip] x = data[0] if x <= self.maxhits: data[0] = x + 1 except KeyError: self.hits[ip] = [1, get_item_size(ip)]
def disasm_patched(self): result = [] offset = 0 while True: if offset >= self.length(): break instruction_addr = self.ea() + offset disasm = idc.GetDisasm(instruction_addr) disasm = re.sub("\\s+", " ", disasm) result.append(disasm) offset += ida_bytes.get_item_size(instruction_addr) return result
def render_img(self, buf, addr, mouse_offs): colors = [] start = addr end = start + len(buf) ea = start col1 = qRgb(0xDC, 0xDC, 0xDC) col2 = qRgb(0x00, 0x00, 0x00) cols = [col1, col2] pos = 0 head = get_item_head(start) sz = get_item_size(start) if head < start: sz -= (start - head) while ea < end: for i in xrange(sz): colors.append(copy(cols[pos])) pos = (pos + 1) % len(cols) if ea + sz > end: sz = ea + sz - end ea += sz sz = get_item_size(ea) return colors
def on_get_annotations(self, address, size, mouse_offs): item_ea = get_item_head(address + mouse_offs) cursor_ea = address + mouse_offs name = get_name(item_ea) if len(name): name = "(%s)" % name else: name = "" ann = [ (item_ea, self.red[0], "Item: %X" % (item_ea), self.colormap[-1]), (None, None, " Size: %d %s" % (get_item_size(get_item_head(cursor_ea)), name), self.colormap[-3]), (cursor_ea, self.colormap[-1], "Cursor: %X" % (cursor_ea), self.colormap[-1]), (None, None, " %s" % generate_disasm_line( cursor_ea, GENDSM_FORCE_CODE | GENDSM_REMOVE_TAGS), self.colormap[-3]), (None, None, " Value: %02X" % get_byte(cursor_ea), self.colormap[-3]), ] return ann
def dump(): ret = [] for addr, name in idautils.Names(): flags = ida_bytes.get_flags(addr) if ida_bytes.has_dummy_name(flags) or ida_bytes.has_auto_name( flags) or not ida_bytes.is_data(flags): print('skip auto:', name) continue # Sometimes the auto-generated names don't actually usually have the # right flags set, so skip these auto-looking names. if any( name.startswith(s) for s in ['byte_', 'word_', 'dword_', 'unk_', 'jpt_']): continue # print('%08x' % addr, '%08x' % flags, name, # ida_bytes.is_data(flags)) sz = ida_bytes.get_item_size(addr) if ida_bytes.is_struct(flags): ti = ida_nalt.opinfo_t() ida_bytes.get_opinfo(ti, addr, 0, flags) # itemsize = ida_bytes.get_data_elsize(addr, flags, ti) typ = ida_struct.get_struc_name(ti.tid) else: # itemsize = ida_bytes.get_item_size(addr) typ = None ret.append({ 'address': addr, 'name': name, 'type': typ, 'sz': sz, 'flags': flags, }) return ret
def _invent_var_type(ea, seg_ref, min_size=1): """Try to invent a variable type. This will basically be an array of bytes that spans what we need. We will, however, try to be slightly smarter and look for cross-references in the range, and when possible, use their types.""" seg = find_segment_containing_ea(ea, seg_ref) if not seg: return ea, None head_ea = ida_bytes.get_item_head(ea) if head_ea < ea: head_seg = find_segment_containing_ea(head_ea, seg_ref) if head_seg != seg: return ea, None return _invent_var_type(head_ea, seg_ref, ea - head_ea) min_size = max(min_size, ida_bytes.get_item_size(ea)) next_ea = ida_bytes.next_head(ea + 1, seg.end_ea) next_seg = find_segment_containing_ea(next_ea, seg_ref) arr = ArrayType() arr.set_element_type(IntegerType(1, False)) if not next_seg or next_seg != seg: arr.set_num_elements(min_size) return ea, arr min_size = min(min_size, next_ea - ea) # TODO(pag): Go and do a better job, e.g. find pointers inside of the global. # i = 0 # while i < min_size: # for ref_ea in xref_generator(ea + i, seg_ref): # break # i += 1 arr.set_num_elements(min_size) return ea, arr
def on_process_buffer(self, buffers, addr, total, mouse_offs): colors = [] goffs = 0 mouse_boundaries = None sp = get_sp_val() ip = get_ip_val() fi = FrameInfo() if mouse_offs is not None: mouse_boundaries = fi.get_element_boundaries(addr+mouse_offs) for mapped, buf in buffers: if mapped: i = 0 while i < len(buf): # highlight stack var pointed to by mouse if mouse_offs and mouse_boundaries: start, end = mouse_boundaries if addr + goffs + i in xrange(start, end): size = min(end - start, total-i) for j in xrange(size): colors.append((True, self.palette[3])) i += size continue # flash sp if sp is not None and self.hook.highlighted and sp == addr + goffs + i: size = get_item_size(sp) boundaries = fi.get_element_boundaries(sp) if boundaries: start, end = boundaries size = min(end - start, total-i) for j in xrange(size): colors.append((True, self.palette[4])) i += size continue # locals if goffs + addr + i in xrange(fi.ea, fi.ea + fi.framesize): size = 1 boundaries = fi.get_element_boundaries(goffs + addr + i) if boundaries: # if anything on the stackframe start, end = boundaries size = min(end - start, total-i) for j in xrange(size): colors.append((True, self.palette[2])) i += size continue else: #gap between locals colors.append((True, self.palette[1])) i += 1 continue # default bg color colors.append((True, self.palette[0])) i += 1 # unmapped, transparency else: for i in xrange(len(buf)): colors.append((False, None)) goffs += len(buf) return colors
def on_get_tooltip(self, addr, size, mouse_offs): return "%X: item size %d" % (addr, get_item_size(addr + mouse_offs))
def dump_heads(out): # out is a file like object, sys.stdout or an acual file object # There doesn't seem to a good way to determine what function a # particular address is in. Almost everyone recommends iterating # of the functions, and then getting the bytes out of each, but # that's not really what we want because it skips non function # bytes and reports them in the wrong order. It appears that the # best we can do is to build a map in advance. :-( a2fmap = build_a2fmap() min_ea = idaapi.cvar.inf.minEA max_ea = idaapi.cvar.inf.maxEA ea = min_ea while ea != ida_idaapi.BADADDR: ida_auto.show_addr(ea) isize = ida_bytes.get_item_size(ea) ibytes = ida_bytes.get_bytes(ea, isize) ihexbytes = binascii.b2a_hex(ibytes).upper() iflags = ida_bytes.get_flags(ea) # Skip the PE header? if not ida_bytes.is_head(iflags): ea = ida_bytes.next_head(ea, max_ea) continue # Loop up this address in the address-to-function map. if ea in a2fmap: faddrs = a2fmap[ea] else: faddrs = [ea] tcode = "ERROR" imnem = "???" iops = "???" if ida_bytes.is_code(iflags): tcode = "INSN" imnem = "???" iops = "???" insn = idautils.DecodeInstruction(ea) if insn == None: imnem = "BAD" iops = "" elif not insn.is_canon_insn(): imnem = "NCAN" iops = "" else: imnem = insn.get_canon_mnem() sops = [] for n in range(8): ostr = ida_ua.print_operand(ea, n) if ostr is not None: ostrnt = ida_lines.tag_remove(ostr) if ostrnt != '': sops.append(ostrnt) iops = ', '.join(sops) elif ida_bytes.is_data(iflags): tcode = "DATA" imnem = "db" iops = "???" if ida_bytes.is_align(iflags): tcode += "_ALIGN" #elif ida_bytes.is_struct(iflags): # tcode += "_STRUCT" #elif ida_bytes.is_char(iflags): # tcode += "_STR" # There are other types that IDA recognizes. elif ida_bytes.is_unknown(iflags): tcode = "UNK-%08X" % iflags imnem = "???" iops = "???" for faddr in sorted(faddrs): out.write('"PART",0x%08X,"%s",0x%08X,"%s","%s","%s"\n' % (ea, tcode, faddr, ihexbytes, imnem, iops)) ea = ida_bytes.next_head(ea, max_ea) print "Analysis complete!"
def __get_last_ins_addr(self, cur_ins_addr): ida_bytes.get_item_size(cur_ins_addr)
def size(self): """Size of data""" if self.is_stack: return ida_struct.get_member_size(self._member) else: return ida_bytes.get_item_size(self.addr)
def color_lines(self, start, end, color): address = idaapi.get_imagebase() + start while address < idaapi.get_imagebase() + end: idaapi.set_item_color(address, color) address += ida_bytes.get_item_size(address)
def _get_item_info(self, ea): head = get_item_head(ea) name = get_name(head) size = get_item_size(head) return (head, name, size)