def run(self, arg):
kw.show_wait_box('Building class information')
try:
view = ClassView()
view.Show()
finally:
kw.hide_wait_box()
def run(self, arg):
"""
run function for XML Exporter plugin.
Args:
arg: Integer, non-zero value enables auto-run feature for
IDA batch (no gui) processing mode. Default is 0.
"""
st = idc.set_ida_state(idc.IDA_STATUS_WORK)
xml = idaxml.XmlExporter(arg)
try:
try:
xml.export_xml()
except idaxml.Cancelled:
ida_kernwin.hide_wait_box()
msg = "XML Export cancelled!"
print "\n" + msg
idc.warning(msg)
except:
ida_kernwin.hide_wait_box()
msg = "***** Exception occurred: XML Exporter failed! *****"
print "\n" + msg + "\n", sys.exc_type, sys.exc_value
idc.warning(msg)
finally:
xml.cleanup()
ida_auto.set_ida_state(st)
def run(self, arg):
"""
run function for XML Exporter plugin.
Args:
arg: Integer, non-zero value enables auto-run feature for
IDA batch (no gui) processing mode. Default is 0.
"""
st = idc.set_ida_state(idc.IDA_STATUS_WORK)
xml = idaxml.XmlExporter(arg)
try:
try:
xml.export_xml()
except idaxml.Cancelled:
ida_kernwin.hide_wait_box()
msg = "XML Export cancelled!"
print "\n" + msg
idc.warning(msg)
except:
ida_kernwin.hide_wait_box()
msg = "***** Exception occurred: XML Exporter failed! *****"
print "\n" + msg + "\n", sys.exc_type, sys.exc_value
idc.warning(msg)
finally:
xml.cleanup()
ida_auto.set_ida_state(st)
def symbols(self, output_file_path=None):
"""
Run find for all SIG files in currently active project.
Show an IDA waitbox while doing so
:param output_file_path: optional, save found symbols into output file
:return: dictionary of found symbols
"""
self.verify_project()
results = {}
try:
ida_kernwin.show_wait_box('Searching...')
results = super(IdaLoader, self).symbols()
ida_kernwin.replace_wait_box('Extracting...')
ida_symbols = IdaLoader.extract_all_user_names(output_file_path)
results.update(ida_symbols)
except Exception as e:
traceback.print_exc()
finally:
ida_kernwin.hide_wait_box()
return results
def run(self, arg):
print "Start to analyzing all comments in idb..."
ida_kernwin.show_wait_box(
'Analyzing comments in progress, this will take a while.')
test_choose2(False)
ida_kernwin.hide_wait_box(
'Analyzing comments in progress, this will take a while.')
print "Finished, have a good time!"
def analyze_function(self):
""" """
self.reset_function_analysis_views(is_analyze=True)
self.set_view_status_label("Loading...")
ida_kernwin.show_wait_box("capa explorer")
success = self.load_capa_function_results()
ida_kernwin.hide_wait_box()
if not success:
self.set_view_status_label("Click Analyze to get started...")
logger.info("Analysis failed.")
else:
logger.info("Analysis completed.")
def export_ida_project_to_xml():
"""
Export the current project into XML format
"""
global EXPORT_XML_FILE
xml_file_path, bin_file_path = get_ida_exported_files()
print("GhIDA:: [DEBUG] EXPORT_XML_FILE: %s" % EXPORT_XML_FILE)
# Check if files are alredy available
if os.path.isfile(xml_file_path) and \
os.path.isfile(bin_file_path) and \
not EXPORT_XML_FILE:
return xml_file_path, bin_file_path
EXPORT_XML_FILE = False
# Otherwise call the XML exporter IDA plugin
print("GhIDA:: [DEBUG] Exporting IDA project into XML format")
st = idc.set_ida_state(idc.IDA_STATUS_WORK)
xml = XmlExporter(1)
try:
xml.export_xml(xml_file_path)
print("GhIDA:: [INFO] XML exporting completed")
except Cancelled:
ida_kernwin.hide_wait_box()
msg = "GhIDA:: [!] XML Export cancelled!"
print("\n" + msg)
idc.warning(msg)
except Exception:
ida_kernwin.hide_wait_box()
msg = "GhIDA:: [!] Exception occurred: XML Exporter failed!"
excinfo = sys.exc_info()
tb = excinfo[2]
print("\n" + msg + "\n", excinfo[:2], tb)
traceback.print_tb(tb)
idc.warning(msg)
finally:
xml.cleanup()
ida_auto.set_ida_state(st)
# check if both xml and binary format exist
if not os.path.isfile(xml_file_path) or \
not os.path.isfile(bin_file_path):
raise Exception("GhIDA:: [!] XML or bytes file non existing.")
return xml_file_path, bin_file_path
def _load_img_files(self, files):
self.anim = []
i = 1
ida_kernwin.show_wait_box("HIDECANCEL\nLoading files")
try:
for file in files:
ida_kernwin.replace_wait_box("Loading file %d/%d" %
(i, len(files)))
self.anim.append(QtGui.QPixmap(file))
i += 1
except:
print("Failed loading file %d/%d" % (i, len(files)))
finally:
ida_kernwin.hide_wait_box()
return
def do_export():
st = ida_auto.set_ida_state(idc.IDA_STATUS_WORK)
xml = XmlExporter(1)
try:
try:
xml.export_xml()
FELogger.info("已导出IDA数据到XML")
except Cancelled:
ida_kernwin.hide_wait_box()
FELogger.warn("已取消XML导出")
except Exception as e:
ida_kernwin.hide_wait_box()
FELogger.warn("导出XML失败 %s" % e)
finally:
xml.cleanup()
ida_auto.set_ida_state(st)
def _process(self, i):
n = self._add_node(i)
self.n_processed += 1
if n < 0:
return n
if len(self.parents) > 1:
lp = self.parents.back().obj_id
for k_obj_id, v in self.reverse.items():
if k_obj_id == lp:
p = v
break
self.cg.add_edge(p, n)
if self.n_items:
if self.n_processed >= self.n_items:
ida_kernwin.hide_wait_box()
if ida_kernwin.user_cancelled():
return 1
return 0
def analyze_program(self, use_cache=False):
""" """
self.range_model_proxy.invalidate()
self.search_model_proxy.invalidate()
self.model_data.reset()
self.model_data.clear()
self.set_view_status_label("Loading...")
ida_kernwin.show_wait_box("capa explorer")
success = self.load_capa_results(use_cache)
ida_kernwin.hide_wait_box()
self.reset_view_tree()
if not success:
self.set_view_status_label("Click Analyze to get started...")
logger.info("Analysis failed.")
else:
logger.info("Analysis completed.")
def load_data(self):
kw.show_wait_box('Building class information')
classdump = ClassDump()
classdump.parse()
kw.hide_wait_box()
self.data = classdump
class_root = QtWidgets.QTreeWidgetItem(self.tree)
class_root.setText(0, 'Classes')
class_root.setExpanded(True)
x = lambda ea: '0x%X' % ea
for clazz in self.data.classes:
item = QtWidgets.QTreeWidgetItem(class_root)
item.setText(0, clazz.name)
item.setText(1, x(clazz.ea))
for method, imp in clazz.methods.items():
child = QtWidgets.QTreeWidgetItem(item)
child.setText(0, method)
child.setText(1, x(imp))
protocol_root = QtWidgets.QTreeWidgetItem(self.tree)
protocol_root.setText(0, 'Protocols')
# todo: refactor
for proto in self.data.protocols:
item = QtWidgets.QTreeWidgetItem(protocol_root)
item.setText(0, proto.name)
item.setText(1, x(proto.ea))
for method in proto.methods:
child = QtWidgets.QTreeWidgetItem(item)
child.setText(0, method)
# todo:
child.setText(1, x(proto.ea))
def slot_analyze(self):
"""run capa analysis and reload UI controls
called when user selects plugin reload from menu
"""
self.range_model_proxy.invalidate()
self.search_model_proxy.invalidate()
self.model_data.reset()
self.model_data.clear()
self.disable_controls()
self.set_view_status_label("Loading...")
ida_kernwin.show_wait_box("capa explorer")
success = self.load_capa_results()
ida_kernwin.hide_wait_box()
self.reset_view_tree()
if not success:
self.set_view_status_label("Click Analyze to get started...")
logger.info("Analysis failed.")
else:
logger.info("Analysis completed.")
def main():
filename, _ = QFileDialog.getOpenFileName(None, "Open file", ".", "CSV Files(*.csv)")
if filename == "":
return
processes = set()
input_file = open(filename, "r")
reader = csv.reader(input_file)
# what mode was used to produce this output?
fmt_row = next(reader, None)
mode = fmt_row[0]
# where to find the pertinent data depends upon the mode that produced it
if ("process" == mode):
id_index = 1
# process ID and thread ID are in decimal
id_radix = 10
tid_index = 2
pc_index = 4
size_index = 5
prefix = "process_"
title = "Select Process"
headers = ("Process Name", "PID")
has_tid = True
else:
id_index = 0
# ASID is in hex
id_radix = 16
tid_index = -1
pc_index = 2
size_index = 3
prefix = "ASID_"
title = "Select Address Space ID"
headers = ("Address Space ID", "ASID")
has_tid = False
binary_name = get_root_filename()
match_len = 0
matched_process = None
# skip column headers
next(reader, None)
for row in reader:
processes.add((prefix + row[0], int(row[id_index], id_radix)))
# the process names from PANDA may be truncated, so the longest one
# that is a substring (or equal to) the binary's name is probably the
# one we want
if (("process" == mode) and (len(row[0]) > match_len) and binary_name.startswith(row[0])):
match_len = len(row[0])
matched_process = prefix + row[0]
input_file.close()
selections = ProcessSelectDialog.selectProcess(
processes, matched_process, title, headers, has_tid)
if not selections:
return
if not selections['selected_id']:
return
snapshot = ida_loader.snapshot_t()
snapshot.desc = "Before coverage.py @ %s" % (datetime.datetime.now())
ida_kernwin.take_database_snapshot(snapshot)
# the next bit may take a while, if the input file is large
ida_kernwin.show_wait_box("HIDECANCEL\nProcessing file " + filename + "...")
colored_fn = False
info_for_pcs = {}
input_file = open(filename, "r")
reader = csv.reader(input_file)
# skip mode and column headers
next(reader, None)
next(reader, None)
seq_num = 0
for row in reader:
cur_id = int(row[id_index], id_radix)
pc = int(row[pc_index], 16)
size = int(row[size_index])
if (has_tid):
cur_tid = int(row[tid_index], id_radix)
if cur_id != selections['selected_id']:
continue
# get the function containing pc
fn = idaapi.get_func(pc)
if not fn:
continue
colored_fn = True
seq_num = seq_num + 1
color_blocks(fn, pc, size)
if (selections['add_tids'] or selections['add_seqs']):
if (pc not in info_for_pcs):
info_for_pcs[pc] = set()
# want to keep the thread IDs (if have them) with the matching
# sequence numbers
if (selections['add_tids'] and selections['add_seqs']):
info_pair = "(" + str(seq_num) + ", " + str(cur_tid) + ")"
info_for_pcs[pc].add(info_pair)
elif (selections['add_tids']):
info_for_pcs[pc].add(cur_tid)
else:
info_for_pcs[pc].add(seq_num)
input_file.close()
if (not colored_fn):
print("WARNING: did not find any selected functions")
else:
add_comments(info_for_pcs, selections)
ida_kernwin.hide_wait_box()
def term(self):
ida_kernwin.hide_wait_box(
'Analyzing comments in progress, this will take a while.')
def analyze_function(self):
""" """
self.reset_function_analysis_views(is_analyze=True)
self.set_view_status_label("Loading...")
f = idaapi.get_func(idaapi.get_screen_ea())
if not f:
capa.ida.helpers.inform_user_ida_ui("Invalid function")
self.set_view_status_label("Click Analyze to get started...")
logger.info(
"Please navigate to a valid function in the IDA disassembly view before starting function analysis."
)
return
if not self.rules_cache or not self.ruleset_cache:
# only reload rules if caches are empty
ida_kernwin.show_wait_box("capa explorer")
loaded = self.load_capa_rules()
ida_kernwin.hide_wait_box()
if not loaded:
self.set_view_status_label("Click Analyze to get started...")
logger.info("Analysis failed.")
return
else:
logger.info(
'Using cached ruleset, click "Reset" to reload rules from disk.'
)
# must use extractor to get function, as capa analysis requires casted object
extractor = capa.features.extractors.ida.IdaFeatureExtractor()
f = extractor.get_function(f.start_ea)
# cache current function for use elsewhere
self.rulegen_current_function = f
func_features, bb_features = find_func_features(f, extractor)
func_matches, bb_matches = find_func_matches(f, self.ruleset_cache,
func_features,
bb_features)
# cache features for use elsewhere
self.rulegen_func_features_cache = collections.defaultdict(
set, copy.copy(func_features))
self.rulegen_bb_features_cache = collections.defaultdict(
dict, copy.copy(bb_features))
# add function and bb rule matches to function features, for display purposes
for (name, res) in itertools.chain(func_matches.items(),
bb_matches.items()):
rule = self.ruleset_cache[name]
if rule.meta.get("capa/subscope-rule"):
continue
for (ea, _) in res:
func_features[capa.features.MatchedRule(name)].add(ea)
# load preview and feature tree
self.view_rulegen_preview.load_preview_meta(
f.start_ea,
settings.user.get("rulegen_author", "<insert_author>"),
settings.user.get("rulegen_scope", "function"),
)
self.view_rulegen_features.load_features(func_features)
self.view_rulegen_header_label.setText("Function Features (%s)" %
trim_function_name(f))
self.set_view_status_label(
"capa rules directory: %s (%d rules)" %
(settings.user["rule_path"], len(self.rules_cache)))
logger.info("Analysis completed.")
def cb_btn_run(self):
if self.dotnet_version_full == "unknown":
ida_kernwin.warning(".NET Native framework could not be identified.\n"\
".NIET needs it to work properly.")
return
# self.dotnet_version_full[:3] is "major.minor"
if not self.dotnet_version_full[:3] in dotnet_versions_offsets:
ida_kernwin.warning(".NIET currently does not support %s, please "\
"create an issue.")
return
instance = dotNIET(self.dotnet_version_full[:3])
instance.get_modules_info()
# if "restore" is checked, everything else is greyed out
if self.cb_restore.checkState() == QtCore.Qt.Checked:
ida_kernwin.show_wait_box("HIDECANCEL\nClearing symbol names...")
for i in range(instance.nb_symbols):
# unset name of imports
idc.set_name(instance.ordinals + i * 8, "")
idaapi.msg("%d symbols removed!\n" % instance.nb_symbols)
else:
if self.dll_input_path.text() == "":
idaapi.msg(
"Error: \"SharedLibrary.dll\" path must be selected\n")
del instance
return
# target SharedLibrary.dll .NET framework version is asked to be checked
if self.cb_verify.checkState() == QtCore.Qt.Checked:
ida_kernwin.show_wait_box("HIDECANCEL\nVerifying target dll "\
".NET Native framework version...")
dll_dotnet_version_full = utils.get_NET_Native_version(
self.dll_input_path.text())
ida_kernwin.hide_wait_box()
if dll_dotnet_version_full == "unknown" \
or dll_dotnet_version_full != self.dotnet_version_full:
answer = ida_kernwin.ask_buttons("", "","", 1, "HIDECANCEL\n"\
"Target dll .NET Native "\
"framework version is '%s' "\
"whereas current binary one "\
"is '%s'.\nProceed anyway?" \
% (dll_dotnet_version_full,\
self.dotnet_version_full))
# "No" or "cancel/escape"
if not answer:
return
# getting target SharedLibrary.dll GUID to verify that the pdb does
# exist and is the right one
ida_kernwin.show_wait_box("HIDECANCEL\nGetting pdb information...")
if not utils.find_pdb(self.dll_input_path.text()):
ida_kernwin.hide_wait_box()
del instance
return
# everything is okay, ready to import
ida_kernwin.replace_wait_box("HIDECANCEL\nImporting symbols...")
instance.resolve_symbols(self.dll_input_path.text())
idaapi.msg("%d symbols imported at 0x%x\n" %
(instance.nb_symbols, instance.ordinals))
ida_kernwin.hide_wait_box()
del instance
def OnCreate(self, form):
# get parent widget
parent = self.FormToPyQtWidget(form)
# checkboxes
self.cb_restore = QtWidgets.QCheckBox('Restore .idata section')
self.cb_restore.move(20, 20)
self.cb_restore.stateChanged.connect(self.cb_restore_toggle)
self.cb_verify = QtWidgets.QCheckBox("Verify target dll .NET Native "\
"framework version")
self.cb_verify.move(20, 20)
# default is checked
self.cb_verify.toggle()
label_sharedlibrary = QtWidgets.QLabel("Path to target dll "\
"(SharedLibrary.dll):")
# create input field for SharedLibrary.dll
self.dll_input_path = QtWidgets.QLineEdit(parent)
self.dll_input_path.setMaxLength = 256
self.dll_input_path.setFixedWidth(300)
# create buttons
self.btn_run = QtWidgets.QPushButton("Run", parent)
self.btn_run.setToolTip("Proceed to import or restore.")
self.btn_run.clicked.connect(self.cb_btn_run)
self.btn_browse = QtWidgets.QPushButton("Browse", parent)
self.btn_browse.setToolTip('Browse to "SharedLibrary.dll" location.')
self.btn_browse.clicked.connect(self.cb_btn_browse)
# we try to guess .NET Native framework version
ida_kernwin.show_wait_box("HIDECANCEL\nIdentifying .NET "\
"Native framework version...")
dotnet_version_full_text = ".NET Native framework version: "
dotnet_version_full = "unknown"
if not os.path.exists(idc.get_input_file_path()):
ida_kernwin.warning("%s could not be found.\n.NIET must identify .NET"\
" Native framework version of the original binary "\
"in order to work properly."\
% idc.get_input_file_path())
else:
dotnet_version_full = utils.get_NET_Native_version(
idc.get_input_file_path())
if dotnet_version_full == "unknown":
ida_kernwin.warning(".NET Native framework could not be identified.\n"\
".NIET needs it to work properly.")
# assume pefile raised an error
elif "Error" in dotnet_version_full:
ida_kernwin.hide_wait_box()
ida_kernwin.warning("pefile: %s" % dotnet_version_full)
self.disable_plugin_options()
dotnet_version_full = "unsupported"
self.dotnet_version_full = dotnet_version_full
dotnet_version_full_text += dotnet_version_full
ida_kernwin.hide_wait_box()
label_dotnet_version_full = QtWidgets.QLabel(dotnet_version_full_text)
# then we check if SharedLibrary.dll is an import
imported_modules = [
idaapi.get_import_module_name(i)
for i in range(idaapi.get_import_module_qty())
]
if not "SharedLibrary" in imported_modules:
ida_kernwin.warning("This binary does not import symbols from "
"'SharedLibrary.dll' at runtime.\n.NIET is not"\
" required")
self.disable_plugin_options()
# create layout
spacerItem = QtWidgets.QSpacerItem(5, 16)
layout = QtWidgets.QGridLayout()
layout.addWidget(label_dotnet_version_full, 0, 0)
layout.addItem(spacerItem)
layout.addWidget(label_sharedlibrary, 1, 0)
layout.addWidget(self.dll_input_path, 2, 0)
layout.addWidget(self.btn_browse, 2, 1)
spacerItem = QtWidgets.QSpacerItem(5, 16)
layout.addItem(spacerItem)
layout.addWidget(self.cb_restore, 4, 0)
layout.addWidget(self.btn_run, 5, 0)
layout.addWidget(self.cb_verify, 5, 1, 1, 2)
layout.setColumnStretch(4, 1)
layout.setRowStretch(6, 1)
parent.setLayout(layout)
# Note: this try/except block below is just there to
# let us (at Hex-Rays) test this script in various
# situations.
try:
perform_decompilation = under_test__perform_decompilation
except:
pass
step_sleep = 0.5
ida_kernwin.show_wait_box("Processing")
try:
all_eas = list(idautils.Functions())
neas = len(all_eas)
for i, ea in enumerate(all_eas):
if ida_kernwin.user_cancelled():
break
ida_kernwin.replace_wait_box("Processing; step %d/%d" % (i+1, neas))
if perform_decompilation:
try:
ida_hexrays.decompile(ida_funcs.get_func(ea))
except ida_hexrays.DecompilationFailure as df:
print("Decompilation failure: %s" % df)
time.sleep(step_sleep * random.random())
finally:
ida_kernwin.hide_wait_box()
