Example #1
0
def getProc_addr(idx, ctx):
    import ida_bytes
    obj = ctx.get_obj("fcnPtr")
    print "%x" % obj.addr
    name = ctx.get_obj("fcnName")
    name_str = ida_bytes.get_strlit_contents(name.addr, -1, -1)
    ida_name.set_name(obj.addr, name_str)
def main():
    for segstart, segend, segname in enum_segments():
        if segname not in ('.rdata', 'UPX1'):
            continue

        print(segname)
        for src, dst, size in find_pointers(segstart, segend):
            if idc.get_segm_name(dst) not in (".text", "UPX0"):
                continue

            if is_code(dst):
                continue

            print("new function pointer: 0x%x -> 0x%x" % (src, dst))

            ida_auto.auto_make_code(dst)
            ida_auto.auto_make_proc(dst)

            ida_bytes.del_items(src, size)
            ida_bytes.create_data(src,
                                  idc.FF_QWORD if size == 8 else idc.FF_DWORD,
                                  size, idc.BADADDR)
            # this doesn't seem to always work :-(
            idc.op_plain_offset(src, -1, 0)
            ida_name.set_name(src, "j_%s_%x" % (src, dst))
Example #3
0
def restore_x(unique_name, start=here()):

    if MD5_hash_data_file and os.path.isfile(MD5_hash_data_file):
        with open(MD5_hash_data_file, "rb") as ifile:
            received_data = pickle.loads(ifile.read())
            saved_data = received_data
            # (start_addr, end_addr, names, comms, bpts)
            if unique_name in saved_data:
                current_data = saved_data[unique_name]

                # restore names
                names = current_data[2]
                for name in names:
                    # names: (rel_addr, name)
                    ida_name.set_name(start + name[0], name[1])

                # restore comments
                # comms: (rel_addr, TYPE, comment)
                comms = current_data[3]
                for comm in comms:
                    # 1:MakeComm and 2:MakeRptCmt
                    if comm[1] == 1:
                        MakeComm(start + comm[0], comm[2])
                    else:
                        MakeRptCmt(start + comm[0], comm[2])

                # restore breakpoints
                # bpts: (rel_addr, size, type)
                bpts = current_data[4]
                for bpt in bpts:
                    ida_dbg.add_bpt(start + bpt[0], bpt[1], bpt[2])
Example #4
0
 def __call__(self):
     flags = ida_name.SN_LOCAL if self.local_name else 0
     ida_name.set_name(
         self.ea, self.new_name, flags | ida_name.SN_NOWARN
     )
     ida_kernwin.request_refresh(ida_kernwin.IWID_DISASMS)
     HexRaysEvent.refresh_pseudocode_view(self.ea)
Example #5
0
 def __call__(self):
     flags = ida_name.SN_LOCAL if self.local_name else 0
     ida_name.set_name(self.ea, Event.encode(self.new_name),
                       flags | ida_name.SN_NOWARN)
     ida_kernwin.request_refresh(ida_kernwin.IWID_DISASMS)
     if ida_hexrays.init_hexrays_plugin():
         HexRaysEvent.refresh_pseudocode_view()
Example #6
0
def PrefixRange(start, end, prefix) :
    x = start
    while x < end:
        n = ida_funcs.get_func_name(x)
        if n.startswith("sub_"):
            nn = prefix + n
            print "Renaming %s to %s\n" % (n, nn)
            ida_name.set_name(x,nn)
        x = NextFunction(x)
Example #7
0
def auto_rename_single(ca, addr, force=False):
    cfunc = ida_hexrays.decompile(addr, flags=ida_hexrays.DECOMP_NO_CACHE if force else 0)
    if not cfunc:
        return

    ca.reset()
    ca.apply_to(cfunc.body, None)
    if ca.results:
        ida_name.set_name(addr, ca.results[-1], ida_name.SN_AUTO | ida_name.SN_NOCHECK | ida_name.SN_NOWARN)
Example #8
0
def force_variable(ea, type, name):
    t = ida_typeinf.tinfo_t()
    ida_typeinf.parse_decl(t, None, '{} a;'.format(type), 0)
    ida_bytes.del_items(
        ea, ida_bytes.DELIT_EXPAND | ida_bytes.DELIT_DELNAMES
        | ida_bytes.DELIT_NOCMT, t.get_size())
    ida_name.set_name(ea, name, ida_name.SN_CHECK)
    idc.apply_type(ea, idc.parse_decl('{} a;'.format(type), 0),
                   idc.TINFO_DEFINITE)
Example #9
0
def restore_x(unique_name=None, start=None):
    ea = ida_kernwin.get_screen_ea()

    # signature
    if not unique_name:
        if not start:
            seg = ida_segment.getseg(ea)
            start = seg.start_ea
        sig_bytes = ida_bytes.get_bytes(start, SIGNATURE_SIZE)
        sig_hash = hashlib.md5(sig_bytes).hexdigest()
        unique_name = sig_hash

    if not start:
        seg = ida_segment.getseg(ea)
        start = seg.start_ea

    if MD5_hash_data_file and os.path.isfile(MD5_hash_data_file):
        with open(MD5_hash_data_file, "rb") as ifile:
            received_data = pickle.loads(ifile.read())
            saved_data = received_data

            print("dumpDyn::restore\n\
            Name: {}\n\
            Restore address: {}\n".format(unique_name, hex(start)))

            # (start_addr, end_addr, names, comms, bpts, funcs)
            if unique_name in saved_data:
                current_data = saved_data[unique_name]

                # restore names
                names = current_data[2]

                for name in names:
                    # names: (rel_addr, name, is_code)
                    ida_name.set_name(start + name[0], name[1])
                    flags = ida_bytes.get_flags(start + name[0])
                    if name[2] and not ida_bytes.is_code(flags):
                        ida_auto.auto_make_code(start + name[0])

                # restore comments
                # comms: (rel_addr, TYPE, comment)
                comms = current_data[3]
                for comm in comms:
                    # 0:MakeComm and 1:MakeRptCmt
                    ida_bytes.set_cmt(start + comm[0], comm[2], comm[1])

                # restore breakpoints
                # bpts: (rel_addr, size, type)
                bpts = current_data[4]
                for bpt in bpts:
                    ida_dbg.add_bpt(start + bpt[0], bpt[1], bpt[2])

                # restore functions
                funcs_addr = current_data[5]
                for addr in funcs_addr:
                    ida_auto.auto_make_proc(start + addr)  # make code & func
Example #10
0
def mark_string(ea, name=None):
    strlen = len(idc.get_strlit_contents(ea, -1) or '')
    ida_bytes.del_items(
        ea, ida_bytes.DELIT_EXPAND | ida_bytes.DELIT_DELNAMES
        | ida_bytes.DELIT_NOCMT, strlen + 1)
    ida_bytes.create_strlit(ea, strlen + 1, idc.get_inf_attr(idc.INF_STRTYPE))
    if name:
        ida_name.set_name(ea, name, ida_name.SN_CHECK)
    idc.apply_type(ea, idc.parse_decl('char const a[]', 0), idc.TINFO_DEFINITE)
    return get_cstring(ea)
Example #11
0
def apply_kallsyms(kallsyms):
    for address, name in kallsyms:
        if name[0] != 'A':
            new_name = str(name[1:])
            if not _is_uname(new_name):
                new_name = '_' + new_name
            if _is_uname(new_name):
                if not set_name(address, new_name):
                    del_items(address)
                    set_name(address, new_name)
Example #12
0
def find_image4_load(base_ea):
    ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0x4D650000)

    if ea_list[0] != idaapi.BADADDR:
        func_ea = ida_funcs.get_func(ea_list[0]).start_ea
        print("\t[+] _image4_load = 0x%x" % (func_ea))
        ida_name.set_name(func_ea, "_image4_load")
        return func_ea

    return idaapi.BADADDR
Example #13
0
def find_load_kernelcache(ea):
    ea_list = list(idautils.XrefsTo(ea))

    if ea_list[0].frm != idaapi.BADADDR:
        func_ea = ida_funcs.get_func(ea_list[0].frm).start_ea
        print("\t[+] _load_kernelcache = 0x%x" % (func_ea))
        ida_name.set_name(func_ea, "_load_kernelcache")
        return func_ea

    return idaapi.BADADDR
Example #14
0
def auto_rename_single(ca, addr):
    cfunc = ida_hexrays.decompile(addr)
    if not cfunc:
        return

    ca.reset()
    ca.apply_to(cfunc.body, None)
    if ca.results:
        ida_name.set_name(
            addr, ca.results[-1],
            ida_name.SN_AUTO | ida_name.SN_NOCHECK | ida_name.SN_NOWARN)
Example #15
0
def find_update_device_tree(base_ea):
    udt_ea = ida_search.find_text(base_ea, 1, 1, "development-cert",
                                  ida_search.SEARCH_DOWN)

    if udt_ea != idaapi.BADADDR:
        for xref in idautils.XrefsTo(udt_ea):
            func = ida_funcs.get_func(xref.frm)
            print("\t[+] _UpdateDeviceTree = 0x%x" % (func.start_ea))
            ida_name.set_name(func.start_ea, "_UpdateDeviceTree")
            return func.start_ea
    return idaapi.BADADDR
Example #16
0
def find_panic(base_ea):
    pk_ea = ida_search.find_text(base_ea, 1, 1, "double panic in ",
                                 ida_search.SEARCH_DOWN)
    if pk_ea != idaapi.BADADDR:
        for xref in idautils.XrefsTo(pk_ea):
            func = ida_funcs.get_func(xref.frm)
            print("\t[+] _panic = 0x%x" % (func.start_ea))
            ida_name.set_name(func.start_ea, "_panic")
            return func.start_ea

    return idaapi.BADADDR
Example #17
0
    def __call__(self):
        flags = ida_name.SN_LOCAL if self.local_name else 0

        try:
            ida_name.set_name(self.ea, (self.new_name),
                              flags | ida_name.SN_NOWARN)
        except:
            raise Exception(
                repr((self.ea, (self.new_name), flags | ida_name.SN_NOWARN)))
        ida_kernwin.request_refresh(ida_kernwin.IWID_DISASMS)
        HexRaysEvent.refresh_pseudocode_view(self.ea)
Example #18
0
def find_do_printf(base_ea):
    str_ea = ida_search.find_text(base_ea, 1, 1, "<ptr>",
                                  ida_search.SEARCH_DOWN)

    if str_ea != idaapi.BADADDR:
        for xref in idautils.XrefsTo(str_ea):
            func = ida_funcs.get_func(xref.frm)
            print("\t[+] _do_printf = 0x%x" % (func.start_ea))
            ida_name.set_name(func.start_ea, "_do_printf")
            return func.start_ea

    return idaapi.BADADDR
Example #19
0
    def load(infos):
        for info in infos:
            ida_name.set_name(info['address'], info['name'])
            type = info.get('type', None)

            # TODO this code is kind of mashed together... not sure of the
            # right way.
            tid = ida_struct.get_struc_id(type) if type else BADADDR
            if type:
                ida_bytes.create_struct(info['address'], info['sz'], tid)
            ida_bytes.create_data(
                info['address'], info['flags'], info['sz'], tid)
Example #20
0
def find_aes_crypto_cmd(base_ea):
    aes_ea = ida_search.find_text(base_ea, 1, 1, "aes_crypto_cmd",
                                  ida_search.SEARCH_DOWN)

    if aes_ea != idaapi.BADADDR:
        for xref in idautils.XrefsTo(aes_ea):
            func = ida_funcs.get_func(xref.frm)
            print("\t[+] _aes_crypto_cmd = 0x%x" % (func.start_ea))
            ida_name.set_name(func.start_ea, "_aes_crypto_cmd")
            return func.start_ea

    return idaapi.BADADDR
Example #21
0
def find_pmgr_binning_mode_get_value(base_ea):
    str_ea = ida_search.find_text(base_ea, 1, 1, "Invalid low",
                                  ida_search.SEARCH_DOWN)

    if str_ea != idaapi.BADADDR:
        for xref in idautils.XrefsTo(str_ea):
            func = ida_funcs.get_func(xref.frm)
            print("\t[+] _pmgr_binning_mode_get_value = 0x%x" %
                  (func.start_ea))
            ida_name.set_name(func.start_ea, "_pmgr_binning_mode_get_value")
            return func.start_ea

    return idaapi.BADADDR
Example #22
0
    def load(infos):
        for info in infos:
            ida_name.set_name(info['address'], info['name'])

            # TODO this code is kind of mashed together... not sure of the
            # right way.
            tid = ida_struct.get_struc_id(
                info['type']) if info['type'] else BADADDR
            if info['type']:
                print(info['type'], hex(tid))
                ida_bytes.create_struct(info['address'], info['sz'], tid)
            ida_bytes.create_data(info['address'], info['flags'], info['sz'],
                                  tid)
Example #23
0
def force_array(ea, type, name, count=None):
    t = ida_typeinf.tinfo_t()
    ida_typeinf.parse_decl(t, None, '{} a;'.format(type), 0)
    ida_bytes.del_items(
        ea, ida_bytes.DELIT_EXPAND | ida_bytes.DELIT_DELNAMES
        | ida_bytes.DELIT_NOCMT,
        t.get_size() * (1 if count is None else count))
    ida_name.set_name(ea, name, ida_name.SN_CHECK)
    idc.apply_type(
        ea,
        idc.parse_decl(
            '{} a[{}];'.format(type, '' if count is None else str(count)), 0),
        idc.TINFO_DEFINITE)
Example #24
0
 def sync_ask_rename():
     """
         Dialog asking renaming confirmation to the user
     """
     rename_flag = 0
     if force or idc.ask_yn(
             rename_flag, "Replace %s by %s" %
         (get_name(), name["data"])) == 1:
         logger.debug("[x] renaming %s @ 0x%x as %s", get_name(),
                      name["address"], name["data"])
         ida_name.set_name(name["address"],
                           name["data"].encode('ascii', 'ignore'),
                           ida_name.SN_AUTO)
Example #25
0
def find_do_go(base_ea):
    str_ea = ida_search.find_text(base_ea, 1, 1, "Memory image not valid",
                                  ida_search.SEARCH_DOWN)

    if str_ea != idaapi.BADADDR:
        for xref in idautils.XrefsTo(str_ea):
            func = ida_funcs.get_func(xref.frm)
            if func is None:
                return idaapi.BADADDR
            print("\t[+] _do_go = 0x%x" % (func.start_ea))
            ida_name.set_name(func.start_ea, "_do_go")
            return func.start_ea

    return idaapi.BADADDR
Example #26
0
def find_img4decodeinit(base_ea):
    ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0x494D0000)

    if ea_list[0] != idaapi.BADADDR:
        func_ea = ida_funcs.get_func(ea_list[0]).start_ea
        ea_func_list = list(idautils.XrefsTo(func_ea))

        if ea_func_list[0].frm != idaapi.BADADDR:
            i4d_ea = ida_funcs.get_func(ea_func_list[0].frm).start_ea
            print("\t[+] _Img4DecodeInit = 0x%x" % (i4d_ea))
            ida_name.set_name(i4d_ea, "_Img4DecodeInit")
            return i4d_ea

    return idaapi.BADADDR
Example #27
0
def mark_string(ea, name=None):
    strlen = len(idc.GetString(ea, -1))
    if strlen == 0:
        raise Exception(
            'tried marking {} as string, but it isn\'t (len 0)'.format(
                hex(ea)))
    ida_bytes.del_items(
        ea, ida_bytes.DELIT_EXPAND | ida_bytes.DELIT_DELNAMES
        | ida_bytes.DELIT_NOCMT, strlen + 1)
    ida_bytes.create_strlit(ea, strlen + 1, idc.get_inf_attr(idc.INF_STRTYPE))
    if name:
        ida_name.set_name(ea, name, ida_name.SN_CHECK)
    idc.apply_type(ea, idc.parse_decl('char const a[]', 0), idc.TINFO_DEFINITE)
    return idc.GetString(ea, -1)
Example #28
0
    def __init__(self, name_funcs=[]):
        ida_dbg.DBG_Hooks.__init__(self)  # important

        for ea, func_name in name_funcs:
            log("Renaming 0x%08x to \"%s\"" % (ea, func_name))
            ida_name.set_name(ea, func_name)

        for func_name, func_proto in [
            ("ref4", "int ref4(int *);"),
            ("ref8", "int ref8(long long int *);"),
        ]:
            log("Setting '%s's prototype" % func_name)
            func_ea = ida_name.get_name_ea(ida_idaapi.BADADDR, func_name)
            assert (ida_typeinf.apply_cdecl(None, func_ea, func_proto))
Example #29
0
def find_macho_valid(base_ea):
    ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN, 0xFACF)

    if ea_list[0] == idaapi.BADADDR:
        ea_list = ida_search.find_imm(base_ea, ida_search.SEARCH_DOWN,
                                      0xFEEDFACF)

    if ea_list[0] != idaapi.BADADDR:
        func_ea = ida_funcs.get_func(ea_list[0]).start_ea
        print("\t[+] _macho_valid = 0x%x" % (func_ea))
        ida_name.set_name(func_ea, "_macho_valid")
        return func_ea

    return idaapi.BADADDR
Example #30
0
def main():
    for segstart, segend, segname in enum_segments():
        for head in idautils.Heads(segstart, segend):
            if not is_code(head):
                continue

            # pattern:
            #
            #   lea     rax, unk_6BDF88
            #   mov     [rsp+0], rax
            #   mov     qword ptr [rsp+8], 40h
            if ida_ua.ua_mnem(head) != "lea":
                continue

            next_head = ida_bytes.next_head(head, idc.BADADDR)
            if ida_ua.ua_mnem(next_head) != "mov":
                continue

            next_head2 = ida_bytes.next_head(next_head, idc.BADADDR)
            if ida_ua.ua_mnem(next_head2) != "mov":
                continue

            dst = idc.get_operand_value(head, 1)
            if idc.get_segm_name(dst) not in (".rdata", "UPX1"):
                continue

            size = idc.get_operand_value(next_head2, 1)

            if size > 0x100:
                continue
            if size <= 2:
                continue

            buf = ida_bytes.get_bytes(dst, size)
            if not buf:
                continue

            if b"\x00" in buf:
                continue

            try:
                s = buf.decode("ascii")
            except UnicodeDecodeError:
                continue

            print("string pointer: 0x%x -> 0x%x: %s" % (head, dst, s))
            ida_bytes.del_items(dst, 1)
            ida_bytes.create_data(dst, idc.FF_BYTE, 1, idc.BADADDR)
            ida_bytes.set_cmt(dst, s, True)
            ida_name.set_name(dst, "s_%x" % (dst))
Example #31
0
 def sync_ask_rename():
     """
         Dialog asking renaming confirmation to the user
     """
     rename_flag = 0
     if force or idc.ask_yn(rename_flag, "Replace %s by %s" %
                            (get_name(), name["data"])) == 1:
         logger.debug("[x] renaming %s @ 0x%x as %s",
                      get_name(),
                      name["address"],
                      name["data"])
         ida_name.set_name(
             name["address"], name["data"].encode(
                 'ascii', 'ignore'),
             ida_name.SN_AUTO)