def get_virtual_func_address(name, tinfo=None, offset=None):
"""
:param name: method name
:param tinfo: class tinfo
:param offset: virtual table offset
:return: address of the method
"""
# address = idaapi.BADADDR
# if name in idautils.Functions():
address = idc.LocByName(name) #f*****g idaapi. It's function work incorrectly. This returned 0xFF005BE7 instead BADADDR in some cases. get_name_ea problem.
if address != idaapi.BADADDR:
return address
address = Cache.demangled_names.get(name, idaapi.BADADDR)
if address != idaapi.BADADDR:
return address + idaapi.get_imagebase()
if tinfo is None or offset is None:
return
offset *= 8
udt_member = idaapi.udt_member_t()
while tinfo.is_struct():
address = Cache.demangled_names.get(tinfo.dstr() + '::' + name, idaapi.BADADDR)
if address != idaapi.BADADDR:
return address + idaapi.get_imagebase()
udt_member.offset = offset
tinfo.find_udt_member(idaapi.STRMEM_OFFSET, udt_member)
tinfo = udt_member.type
offset = offset - udt_member.offset
def load_internal_db(self, force=False):
""" Load the rop gadgets list from the internal db """
if self.blob_manager == None:
return
internal_repr = self.blob_manager["db"].split(";")
if internal_repr == None:
return
for item in internal_repr:
offset, ret_offset = item.split(':')
# Reconstruct linear address based on binary base address and offset
address = int(offset, 16) + idaapi.get_imagebase()
ret_address = int(ret_offset, 16) + idaapi.get_imagebase()
gadget = Gadget(address=address,
ret_address=ret_address,
instructions=list(),
opcodes="",
size=0)
self.engine.rop.gadgets.append(gadget)
if idaapi.wasBreak():
print("[IdaRopLoad] Load csv file interrupted.")
break
def NameToRVA(s):
addr = LocByName(s)
if addr == ERROR_MINUS_1:
print("[ida_helper] Error: NameToRVA: Failed to find '%s' symbol" % s)
return None
print("[ida_helper] image base 0x%x" % idaapi.get_imagebase())
return addr - idaapi.get_imagebase()
def MakeEnum(enumName, offsetArray):
print("enum class %s\r\n{" % enumName)
for offset in offsetArray:
if len(offset[0]) == 0:
print("")
continue
if type(offset[1]) is str:
print(" %s = %s," % (offset[0], offset[1]))
continue
fncValue = offset[1] if offset[1] != -1 else 0x0
locByName = idc.get_name_ea_simple(offset[0])
isMismatch = locByName == 0x0
if locByName == BADADDR:
locByName = fncValue
if locByName > idaapi.get_imagebase():
set_name(locByName, offset[0])
locByName = locByName - idaapi.get_imagebase()
print(" %s = %s,%s" % (offset[0], hex(locByName),
'// Possible mismatch' if isMismatch else ''))
print("};\r\n")
def get_virtual_func_address(name, tinfo=None, offset=None):
"""
:param name: method name
:param tinfo: class tinfo
:param offset: virtual table offset
:return: address of the method
"""
address = idc.LocByName(name)
if address != idaapi.BADADDR:
return address
address = demangled_names.get(name, idaapi.BADADDR)
if address != idaapi.BADADDR:
return address + idaapi.get_imagebase()
if tinfo is None or offset is None:
return
offset *= 8
udt_member = idaapi.udt_member_t()
while tinfo.is_struct():
address = demangled_names.get(tinfo.dstr() + '::' + name,
idaapi.BADADDR)
if address != idaapi.BADADDR:
return address + idaapi.get_imagebase()
udt_member.offset = offset
tinfo.find_udt_member(idaapi.STRMEM_OFFSET, udt_member)
tinfo = udt_member.type
offset = offset - udt_member.offset
def save_internal_db(self):
""" store the found rop gadget in the default internal db """
if len(self.engine.rop.gadgets) == 0 or self.blob_manager == None:
return
cancel_flag = False
internal_repr = list()
for item in self.engine.rop.gadgets:
address, ret_addres = item.address, item.ret_address
offset = "0x%x" % (address - idaapi.get_imagebase())
ret_offset = "0x%x" % (ret_addres - idaapi.get_imagebase())
internal_repr.append((offset, ret_offset))
if idaapi.wasBreak():
cancel_flag = True
print("[IdaRop] save internal db interrupted.")
break
# save only on success
if not cancel_flag:
txt_repr = ";".join("%s:%s" % (g[0], g[1]) for g in internal_repr)
self.blob_manager["db"] = txt_repr
def name_to_rva(s):
addr = get_name_ea_simple(s)
if addr == ERROR_MINUS_1:
logmsg("Error: name_to_rva: Failed to find '%s' symbol" % s)
return None
logmsg("image base 0x%x" % idaapi.get_imagebase())
return addr - idaapi.get_imagebase()
def check_vals(self):
visual_style.set_alarmed_if(self.addr_edit,
self.addr < idaapi.get_imagebase())
visual_style.set_alarmed_if(self.length_edit, self.length <= 0)
visual_style.set_alarmed_if(self.filename_edit, not self.filename)
is_ok = bool(self.addr >= idaapi.get_imagebase() and self.length > 0
and self.filename)
self.ok_btn.setEnabled(is_ok)
print "idaapi getimage base %s" % idaapi.get_imagebase()
print "addr %s" % self.addr
print "length %s" % self.length
print "filename %s" % self.filename
def ida_hook_rebase(self, meta, post=False):
"""function hook for IDA "RebaseProgram" action
called twice, once before action and once after action completes
@param meta: dict of key/value pairs set when action first called (may be empty)
@param post: False if action first call, True if action second call
"""
if post:
if idaapi.get_imagebase() != meta.get("prev_base", -1):
capa.ida.helpers.inform_user_ida_ui("Running capa analysis again after program rebase")
self.slot_analyze()
else:
meta["prev_base"] = idaapi.get_imagebase()
self.model_data.reset()
def _get_service_table_info():
name = GetInputFile().lower()
if name not in SERVICE_TABLE_NAME_SYMBOL_MAP:
return None
stride = 8
table_name, limit_name = SERVICE_TABLE_NAME_SYMBOL_MAP[name]
table_address = LocByName(table_name)
if table_address == BADADDR:
table_name = '_' + table_name
limit_name = '_' + limit_name
table_address = LocByName(table_name)
stride = 4
if table_address == BADADDR:
print 'table address failure'
return None
limit_address = LocByName(limit_name)
limit = Dword(limit_address)
base_id = SERVICE_TABLE_NAME_BASE_MAP[name]
offset_base = 0
if stride == 8:
for x in DataRefsFrom(table_address):
# Ideally we would test out the reference here
# There is a chance IDA made a mistake as it seems to treat the
# contents of the table as code when it contains 4-byte offsets
break
else:
stride = 4
offset_base = get_imagebase()
return table_address, limit, stride, base_id, offset_base
def export(self):
image_name = idc.GetInputFile()
self.image_base = idaapi.get_imagebase()
self.filename = "%s.db" % (image_name)
datadir = os.path.join(RECOVERER_PATH, "data")
if not os.path.exists(datadir):
os.mkdir(datadir)
self.filename = os.path.join(datadir, self.filename)
if os.path.exists(self.filename):
info("File %s exists, overwriting." % (self.filename))
else:
info("Creating database at %s." % (self.filename))
self.fd = open(self.filename, "w")
self.fd.write("IMAGE_BASE;0x%x\n" % (self.image_base))
self.fd.write("IMAGE_NAME;%s\n" % (image_name))
self.__export_functions__()
self.__export_imports__()
self.fd.close()
def __init__(self, parser):
self.color = False
self.prev_loc = None
self.prev_node = None
self.name = idaapi.get_root_filename()
print "[sync] name %s" % self.name
self.base = idaapi.get_imagebase()
print "[sync] module base 0x%x" % self.base
self.base_remote = None
self.gm = GraphManager()
self.parser = parser
self.broker_sock = None
self.is_active = False
self.dbg_dialect = None
self.req_handlers = {
"broker": self.req_broker,
"loc": self.req_loc,
"cmd": self.req_cmd,
"cmt": self.req_cmt,
"rcmt": self.req_rcmt,
"fcmt": self.req_fcmt,
"raddr": self.req_raddr,
"rln": self.req_rln,
"lbl": self.req_lbl,
"bc": self.req_bc,
"bps_get": self.req_bps_get,
"bps_set": self.req_bps_set,
"modcheck": self.req_modcheck,
"dialect": self.req_set_dbg_dialect,
}
def __init__(self, parser, form):
self.form = form
self.color = False
self.prev_loc = None
self.prev_node = None
self.name = idaapi.get_root_filename()
print "[sync] name %s" % self.name
self.base = idaapi.get_imagebase()
print "[sync] module base 0x%x" % self.base
self.base_remote = None
self.gm = GraphManager()
self.parser = parser
self.broker_sock = None
self.is_active = False
self.dbg_dialect = None
self.req_handlers = {
'broker': self.req_broker,
'loc': self.req_loc,
'cmd': self.req_cmd,
'cmt': self.req_cmt,
'rcmt': self.req_rcmt,
'fcmt': self.req_fcmt,
'raddr': self.req_raddr,
'rln': self.req_rln,
'lbl': self.req_lbl,
'bc': self.req_bc,
'bps_get': self.req_bps_get,
'bps_set': self.req_bps_set,
'modcheck': self.req_modcheck,
'dialect': self.req_set_dbg_dialect
}
def collect_metadata():
md5 = idautils.GetInputFileMD5()
if not isinstance(md5, six.string_types):
md5 = capa.features.bytes_to_str(md5)
sha256 = idaapi.retrieve_input_file_sha256()
if not isinstance(sha256, six.string_types):
sha256 = capa.features.bytes_to_str(sha256)
return {
"timestamp": datetime.datetime.now().isoformat(),
# "argv" is not relevant here
"sample": {
"md5": md5,
"sha1": "", # not easily accessible
"sha256": sha256,
"path": idaapi.get_input_file_path(),
},
"analysis": {
"format": idaapi.get_file_type_name(),
"extractor": "ida",
"base_address": idaapi.get_imagebase(),
},
"version": capa.version.__version__,
}
def __init__(self, parser):
self.color = False
self.prev_loc = None
self.prev_node = None
self.name = idaapi.get_root_filename()
self.base = idaapi.get_imagebase()
rs_log("module base 0x%x" % self.base)
self.base_remote = None
self.gm = GraphManager()
self.hexsync = Syncrays()
self.parser = parser
self.broker_sock = None
self.is_active = False
self.dbg_dialect = None
self.req_handlers = {
'broker': self.req_broker,
'loc': self.req_loc,
'cmd': self.req_cmd,
'cmt': self.req_cmt,
'rcmt': self.req_rcmt,
'fcmt': self.req_fcmt,
'raddr': self.req_raddr,
'rbase': self.req_rbase,
'cursor': self.req_cursor,
'patch': self.req_patch,
'rln': self.req_rln,
'rrln': self.req_rrln,
'lbl': self.req_lbl,
'bc': self.req_bc,
'bps_get': self.req_bps_get,
'bps_set': self.req_bps_set,
'modcheck': self.req_modcheck,
'dialect': self.req_set_dbg_dialect
}
self.prev_req = "" # used as a cache if json is not completely received
def collect_metadata():
""" """
md5 = get_file_md5()
sha256 = get_file_sha256()
return {
"timestamp": datetime.datetime.now().isoformat(),
# "argv" is not relevant here
"sample": {
"md5": md5,
"sha1": "", # not easily accessible
"sha256": sha256,
"path": idaapi.get_input_file_path(),
},
"analysis": {
"format": idaapi.get_file_type_name(),
"extractor": "ida",
"base_address": idaapi.get_imagebase(),
"layout": {
# this is updated after capabilities have been collected.
# will look like:
#
# "functions": { 0x401000: { "matched_basic_blocks": [ 0x401000, 0x401005, ... ] }, ... }
},
},
"version": capa.version.__version__,
}
def find_bbls(function_ea):
'''
yields all basic blocks that belong to the
given function. The blocks are returned in
a 2-tuple like:
(start_address, end_address)
Both start and end address are RELATIVE offsets
from the image base.
'''
# get image base from IDA
image_base = idaapi.get_imagebase()
function_ea += image_base
# get flow chart from IDA
flow_chart = idaapi.FlowChart(idaapi.get_func(function_ea),
flags=idaapi.FC_PREDS)
# iterate through all basic blocks in
# the current routine
for block in flow_chart:
start_addr = block.startEA - image_base
end_addr = block.endEA - image_base
if start_addr != end_addr:
yield start_addr, end_addr
def __init__(self, dotnet_version):
self.dotnet_version = dotnet_version
self.imagebase = idaapi.get_imagebase()
self.module_header_struct = idaapi.get_segm_by_name(".rdata").start_ea
self.nb_custom_modules = idaapi.get_dword(self.module_header_struct + \
dotnet_versions_offsets[self.dotnet_version]\
["nbCustomModules"])
def main():
idaapi.auto_wait()
base = idaapi.get_imagebase()
tif = idaapi.tinfo_t()
f = open(os.environ.get("DESTPATH", "functype_"), 'w')
for ea in Segments():
# only code segment
if idaapi.segtype(ea) != idaapi.SEG_CODE:
continue
for fva in Functions(get_segm_start(ea), get_segm_end(ea)):
func_name = get_func_name(fva)
has_type = idaapi.get_tinfo(tif, fva) or idaapi.guess_tinfo(
tif, fva)
if not has_type:
continue
info = serialize(tif)
if info is None:
continue
print(
hex(fva - base)[:-1], "|", func_name, "|", tif, "|",
len(info['args']))
f.write("0x%x|%s|%s\n" % (fva - base, func_name, json.dumps(info)))
f.close()
idaapi.qexit(0)
def main():
clist = build_color_list();
filepath = idaapi.askfile_c(False, "*.*", "Pin log file");
imagebase = idaapi.get_imagebase();
try:
f = open(filepath, "rb");
except:
print("Need log file to parse data...");
return;
buff = f.read();
functions = set()
for index in range(0, len(buff)):
exec_count = ord(buff[index]);
if exec_count == 0:
continue;
exec_count = exec_count / 10;
if exec_count > 11: exec_count = 11;
ida_color = clist[exec_count];
if (not (idc.GetFunctionName(imagebase+index) in functions)):
func = idc.GetFunctionName(imagebase+index)
print "hit @ 0x%08x function %s"%(imagebase+index, func)
functions.add(func)
idc.SetColor(imagebase + index, CIC_ITEM, ida_color);
def m32_mmpagingfile(self):
"""
The MmPagingFile pointer can be defined as PVOID *MMPAGING_FILE[16]. Support for locating this
pointer is not mandatory, but essential to verify if an MMPAGING_FILE structure corresponds
to a virtual store. Although this pointer was previously exported as nt!MmPagingFile in Windows
7, the pointer has not been exported by any Windows 10 kernel to date. This function traverses
MiVaIsPageFileHash and stops at the first instance of an memory dereference by index. The
signature appears to be fragile but has worked from 1607-1809. Disassembly snippet from
Windows 10 1809 x86 shown below.
MiVaIsPageFileHash(x,x) _MiVaIsPageFileHash@8 proc near ;
MiVaIsPageFileHash(x,x) mov edi, edi
MiVaIsPageFileHash(x,x)+2 push ebx
MiVaIsPageFileHash(x,x)+3 push esi
MiVaIsPageFileHash(x,x)+4 push edi
MiVaIsPageFileHash(x,x)+5 mov edi, Count
MiVaIsPageFileHash(x,x)+B xor ecx, ecx
MiVaIsPageFileHash(x,x)+D mov ebx, edx
MiVaIsPageFileHash(x,x)+F test edi, edi
MiVaIsPageFileHash(x,x)+11 jnz short loc_4DC5C7
MiVaIsPageFileHash(x,x)+19 loc_4DC5C7: ;
MiVaIsPageFileHash(x,x)+19 mov esi, dword_6A8614[ecx*4]
"""
(addr, name) = self.find_ida_name("MiVaIsPageFileHash")
for insn_addr, insn, op0, op1 in self.iter_fn(addr):
if "*4]" in op1:
return idc.get_operand_value(insn_addr,
1) - idaapi.get_imagebase()
self.logger.error("MmPagingFile could not be resolved.")
return None
def main():
disas_path = idc.AskFile(1, '*.disas', 'Save basic blocks')
do_exit = False
if not disas_path:
basename = idc.GetInputFile()
disas_path = '%s.disas' % basename
idc.GenerateFile(idc.OFILE_ASM, '%s.asm' % basename, 0, idc.BADADDR, 0)
idc.GenerateFile(idc.OFILE_LST, '%s.lst' % basename, 0, idc.BADADDR, 0)
do_exit = True
# Get basic blocks
bbs = _get_basic_blocks()
# Get the module's base address
base_addr = idaapi.get_imagebase()
# Get the module's end address
segs = sorted(idautils.Segments())
end_addr = idc.SegEnd(segs[-1])
disas_info = {
'bbs': bbs,
'base_addr': base_addr,
'end_addr': end_addr,
}
with open(disas_path, 'w') as disas_file:
json.dump(disas_info, disas_file)
if do_exit:
idc.Exit(0)
def _rebase_datastore(self, undo: bool = False) -> None:
"""
Rebase all the addresses in the datastore.
:param undo: Revert a rebasing instead
:return: None
"""
current_image_base = idaapi.get_imagebase()
if self.STANDARD_IMAGE_BASE == current_image_base:
return
rebase_offset = current_image_base - self.STANDARD_IMAGE_BASE
if undo:
rebase_offset *= -1
self.__rebase_dict(self.DATASTORE.globals, rebase_offset)
self.__rebase_dict(self.DATASTORE.functions, rebase_offset)
class_data: GameClass
for (class_name, class_data) in self.DATASTORE.classes.items():
if not class_data:
continue
self.__rebase_dict(class_data.funcs, rebase_offset)
for vtbl in class_data.vtbls:
vtbl.ea += rebase_offset
if class_data.g_pointer:
class_data.g_pointer += rebase_offset
if class_data.g_instance:
class_data.g_instance += rebase_offset
def MakeNamespace(name, offsetArray):
# type: (object, object) -> object
print("namespace %s \n{" % name)
for offset in offsetArray:
print("\tconst auto %-20s = 0x%X;\t//0x%X" %
(offset[0], offset[1] - idaapi.get_imagebase(), offset[1]))
print("};\r\n")
def get_inverted(func_ea):
# Returns set of relative virtual addresses which are tied to IF and swapped
internal_name = _ARRAY_STORAGE_PREFIX + hex(
int(func_ea - idaapi.get_imagebase()))
internal_id = idc.get_array_id(internal_name)
array = idc.get_array_element(idc.AR_STR, internal_id, 0)
return set(map(int, array.split()))
def custom_base_changed(self, s):
try:
self.custom_base = int(self.le_custom_base.text(), 16)
self.lbl_diff.setText('%x' %
(idaapi.get_imagebase() - self.custom_base))
except:
self.lbl_diff.setText('<invalid>')
def main():
wow_imagebase = idc.AskAddr(idc.BADADDR, "Enter WoW's base address.")
if wow_imagebase and wow_imagebase is not idc.BADADDR:
delta = wow_imagebase - idaapi.get_imagebase()
status = rebase_program(delta, idc.MSF_NOFIX)
if status is not idc.MOVE_SEGM_OK:
print "rebase_program failed %d." % (status)
def __init__(self, parser):
self.color = False
self.prev_loc = None
self.prev_node = None
self.name = idaapi.get_root_filename()
print "[sync] name %s" % self.name
self.base = idaapi.get_imagebase()
print "[sync] module base 0x%x" % self.base
self.base_remote = None
self.gm = GraphManager()
self.parser = parser
self.broker_sock = None
self.is_active = False
self.dbg_dialect = None
self.req_handlers = {
'broker': self.req_broker,
'loc': self.req_loc,
'cmd': self.req_cmd,
'cmt': self.req_cmt,
'rcmt': self.req_rcmt,
'fcmt': self.req_fcmt,
'raddr': self.req_raddr,
'rln': self.req_rln,
'lbl': self.req_lbl,
'bc': self.req_bc,
'bps_get': self.req_bps_get,
'bps_set': self.req_bps_set,
'modcheck': self.req_modcheck,
'dialect': self.req_set_dbg_dialect
}
def Sync(self, offset, added, removed):
""" Sync(offset, added, removed) => None
Synchronize debug info with gef. This is an internal function. It is
not recommended using it from the command line.
"""
global _breakpoints, _current_instruction, _current_instruction_color
if _current_instruction > 0:
idc.SetColor(_current_instruction, CIC_ITEM, _current_instruction_color)
base_addr = idaapi.get_imagebase()
pc = base_addr + int(offset, 16)
_current_instruction = long(pc)
_current_instruction_color = GetColor(_current_instruction, CIC_ITEM)
idc.SetColor(_current_instruction, CIC_ITEM, 0x00ff00)
print("PC @ " + hex(_current_instruction).strip('L'))
# post it to the ida main thread to prevent race conditions
idaapi.execute_sync(lambda: idc.Jump(_current_instruction), idaapi.MFF_WRITE)
cur_bps = set([ idc.GetBptEA(n)-base_addr for n in range(idc.GetBptQty()) ])
ida_added = cur_bps - _breakpoints
ida_removed = _breakpoints - cur_bps
_breakpoints = cur_bps
# update bp from gdb
for bp in added:
idc.AddBpt(base_addr+bp)
_breakpoints.add(bp)
for bp in removed:
if bp in _breakpoints:
_breakpoints.remove(bp)
idc.DelBpt(base_addr+bp)
return [list(ida_added), list(ida_removed)]
def Label_Dynamically_Resolved_Iat_Addresses(iatList, labeledIatDumpFileName):
with open(labeledIatDumpFileName, 'r') as fp:
labeledIatList = fp.read().splitlines()
imageBase = idaapi.get_imagebase()
labeledIatDict = dict()
for i in labeledIatList:
curRva, curIatLabel = i.split('\t')
labeledIatDict[imageBase + int(curRva, 16)] = curIatLabel
labeledCount = 0
unresolvedList = []
for entry in iatList:
ea = idaapi.get_name_ea(0, entry)
curIatLabel = labeledIatDict.get(ea, None)
if curIatLabel != None:
idc.set_name(ea, curIatLabel, 0)
labeledCount += 1
else:
unresolvedList.append(
'could not resolve address 0x{:x}'.format(ea))
print('labeled {:x} dynamically resolved IAT entries'.format(labeledCount))
if len(unresolvedList) != 0:
print('[*] ERROR, was not able to resolve {:x} entries'.format(
len(unresolvedList)))
print('\n'.join(unresolvedList))
def m64_mmpagingfile(self):
"""
The MmPagingFile pointer can be defined as PVOID *MMPAGING_FILE[16]. Support for locating this
pointer is not mandatory, but essential to verify if an MMPAGING_FILE structure corresponds
to a virtual store. Although this pointer was previously exported as nt!MmPagingFile in Windows
7, the pointer has not been exported by any Windows 10 kernel to date. This function traverses
MmStorecheckPagefiles. The same signature as x86 could not be used due to compiler optimzations
using the LEA instruction to get the address of the global variable. Disassembly snippet from
Windows 10 1809 x64 shown below.
MmStoreCheckPagefiles MmStoreCheckPagefiles proc near ;
MmStoreCheckPagefiles mov r9d, cs:Count
MmStoreCheckPagefiles+7 xor r8d, r8d
MmStoreCheckPagefiles+A test r9d, r9d
MmStoreCheckPagefiles+D jz short loc_14072F307
MmStoreCheckPagefiles+F lea eax, [r8+1]
MmStoreCheckPagefiles+13 lea r10, unk_14043E5E0
"""
(addr, name) = self.find_ida_name("MmStoreCheckPagefiles")
for insn_addr, insn, op0, op1 in self.iter_fn(addr):
if insn == "lea":
if idc.get_operand_type(insn_addr, 1) == idc.o_mem:
return idc.get_operand_value(insn_addr,
1) - idaapi.get_imagebase()
self.logger.error("MmPagingFile could not be resolved.")
return None
def prepCMDLine(self):
cmd = [
self.PIN_PATH, '-t', self.TA_PATH, '-sib',
"0x{0:x}".format(idaapi.get_imagebase()), "-bt",
"0x{0:x}".format(self.__taintStart), "-et",
"0x{0:x}".format(self.__taintStop)
]
if len(self.__tpargs) > 1:
cmd.append("-tp")
cmd.append(self.__tpargs)
if len(self.__trargs) > 1:
cmd.append("-tr")
cmd.append(self.__trargs)
if len(self.__taargs) > 1:
cmd.append("-ta")
cmd.append(self.__taargs)
if len(self.__sffargs) > 1:
cmd.append("-sff")
cmd.append(self.__sffargs)
if len(self.__sfrargs) > 1:
cmd.append("-sfr")
cmd.append(self.__sfrargs)
cmd.append("--")
cmd.append(self.TARGET_PATH + self.TARGET_FILE)
return cmd + self.__programArguments
def find_bbls(function_ea):
'''
yields all basic blocks that belong to the
given function. The blocks are returned in
a 2-tuple like:
(start_address, end_address)
Both start and end address are RELATIVE offsets
from the image base.
'''
# get image base from IDA
image_base = idaapi.get_imagebase()
function_ea += image_base
# get flow chart from IDA
flow_chart = idaapi.FlowChart(
idaapi.get_func(function_ea),
flags=idaapi.FC_PREDS
)
# iterate through all basic blocks in
# the current routine
for block in flow_chart:
start_addr = block.startEA - image_base
end_addr = block.endEA - image_base
if start_addr != end_addr:
yield start_addr, end_addr
def find_vftable_msvc(seg):
seg_start = idc.SegStart(seg)
seg_end = idc.SegEnd(seg)
cur_addr = seg
symbol = ""
while cur_addr <= seg_end - 8: #32 is 4
data = idc.Qword(cur_addr) #32 is Dword
# 检测data是否在.text段
# check if the data in .text
if text_start <= data < text_end:
xrefs = list(idautils.XrefsTo(cur_addr))
rttiptr = idc.Qword(cur_addr - 8)
nameptr = idaapi.get_imagebase() + idc.Dword(rttiptr + 0x10)
if (len(xrefs) != 0) and (rdata_start <= rttiptr < rdata_end) and (
nameptr not in rtti_list):
symbol = idc.GetOpnd(rttiptr + 0x10, 0)
symbol = re.sub(r'^rva ', '', symbol)
class_hierarchy_addr = nameptr
class_list[symbol] = dict()
class_list[symbol]["addr"] = class_hierarchy_addr
class_list[symbol]["base"] = list()
class_list[symbol]["function_list"] = [hex(data).strip("L")]
rtti_list.append(nameptr)
elif symbol != "":
class_list[symbol]["function_list"].append(
hex(data).strip("L"))
cur_addr += 8 #32 is 4
def run(self, arg):
# Get form and widget
form = idaapi.create_empty_widget(self.comment)
widget = sip.wrapinstance(int(form), QtWidgets.QWidget)
runtime = IDARuntime(form)
# Try to find the IDA input file
filename = idaapi.get_input_file_path()
if not filename:
return
if not os.path.isfile(filename):
filename = os.path.basename(filename)
if not os.path.isfile(filename):
filename = runtime.ask_file(os.path.basename(filename),
"Where is the input file?")
if not filename:
return
# Map input file
self.pe_tree_form = pe_tree.form.PETreeForm(widget, None, runtime)
self.pe_tree_form.map_pe(image_base=idaapi.get_imagebase(),
filename=filename)
self.pe_tree_form.show()
def CopyEA(): myModuleName = idc.GetInputFile() MyModuleShortName = re.sub(r'\.[^.]*$','',myModuleName) myModuleBase = idaapi.get_imagebase() myOffset = idc.ScreenEA() - myModuleBase pasteStr = "bp !%s + 0x%x" % (MyModuleShortName, myOffset) print pasteStr Paste(pasteStr)
def __init__(self):
self.image_base = idaapi.get_imagebase();
self.code_coverage_total = 0.0
self.loc_executed_total = 0
self.bbls_executed_total = 0
self.functions_executed_total = 0
self.calls_executed_total = 0
self.functions = dict()
def CopyEA(): myModuleName = idc.GetInputFile() MyModuleShortName = re.sub(r'\.[^.]*$','',myModuleName) myModuleBase = idaapi.get_imagebase() myOffset = idc.ScreenEA() - myModuleBase clippy = QtGui.QClipboard() pasteStr = "bp !%s + 0x%x" % (MyModuleShortName, myOffset) print pasteStr clippy.setText(pasteStr)
def rebaseProgramToDynamicBase(processBaseAddress):
delta = processBaseAddress - ida.get_imagebase()
rebaseStatus = idc.rebase_program(delta, MSF_FIXONCE)
if rebaseStatus < 0:
errstr = ( "Error: Problem rebasing program, error code {0}. Check "
"MOVE_SEGM_ error codes. ida_taint.py is now exiting...\n" )
fatalError(errstr.format(rebaseStatus))
return -1
return 0
def find_functions():
'''
yields all functions in the form a 2-tuple:
(function_address, function_name)
function_address is a RELATIVE offset from the
image base.
'''
# get image base from IDA
image_base = idaapi.get_imagebase()
# iterate through all functions in the executable.
for func_ea in Functions(MinEA(), MaxEA()):
# craft the routine record
func_name = GetFunctionName(func_ea)
funcaddr = func_ea - image_base
yield funcaddr, func_name
def main():
filepath = idaapi.askfile_c(False, "*.*", "Pin log file");
imagebase = idaapi.get_imagebase();
try:
f = open(filepath, "rb");
except:
print("Need log file to parse data...");
return;
buff = f.read();
ida_color = 0xFFFFFFFF;
for index in range(0, len(buff)):
exec_count = ord(buff[index]);
if exec_count == 0:
continue;
exec_count = exec_count / 10;
if exec_count > 11: exec_count = 11;
idc.SetColor(imagebase + index, CIC_ITEM, ida_color);
def get_list_of_function_instr(addr, mode):
#TODO follow subcalls MODE_INSTRUMENT_SUBCALLS
f_start = addr
f_end = idc.FindFuncEnd(addr)
chunks = enumerate_function_chunks(f_start)
list_of_addr = list()
image_base = idaapi.get_imagebase(addr)
for chunk in chunks:
for head in idautils.Heads(chunk[0], chunk[1]):
# If the element is an instruction
if head == hex(0xffffffffL):
raise Exception("Invalid head for parsing")
if isCode(idc.GetFlags(head)):
head = head - image_base
head = str(hex(head))
head = head.replace("L", "")
head = head.replace("0x", "")
list_of_addr.append(head)
return list_of_addr
def prepCMDLine(self):
cmd = [
self.PIN_PATH,
'-t',
self.TA_PATH,
'-sib',
"0x{0:x}".format(idaapi.get_imagebase()),
"-bt",
"0x{0:x}".format(self.__taintStart),
"-et",
"0x{0:x}".format(self.__taintStop)]
if len(self.__tpargs) > 1:
cmd.append("-tp")
cmd.append(self.__tpargs)
if len(self.__trargs) > 1:
cmd.append("-tr")
cmd.append(self.__trargs)
if len(self.__taargs) > 1:
cmd.append("-ta")
cmd.append(self.__taargs)
if len(self.__sffargs) > 1:
cmd.append("-sff")
cmd.append(self.__sffargs)
if len(self.__sfrargs) > 1:
cmd.append("-sfr")
cmd.append(self.__sfrargs)
cmd.append("--")
cmd.append(self.TARGET_PATH + self.TARGET_FILE)
return cmd + self.__programArguments
def get_rva():
rva = here() - idaapi.get_imagebase()
return rva
def queryFile(comFile, tMan, iMan, coClassCLSID=None, coClassName=None):
success = False
imgBase = idaapi.get_imagebase()
class tmpCoClass(object):
def __init__(self, name, iid):
self.iid = iid
self.name = self.entryName = coClassName
if not os.access(comFile, os.R_OK|os.X_OK):
print "Bad file permissions on %s, can't RX" % (comFile)
return False
try:
tlb = pyTypeLibs.typeLib(comFile)
tMan.addLib(tlb)
classes = tlb.getClasses()
except OSError:
if not coClassCLSID:
print "%s has no typelib, but we need a CLSID to create an instance" % comFile
print "Try passing the -C argument with a clsid to instantiate"
return False
else:
tmpClass = tmpCoClass("obj", coClassCLSID)
print "Using CLSID %s to instantiate" % (coClassCLSID)
classes = [tmpClass]
#
if coClassCLSID:
tmpClass = tmpCoClass("obj", coClassCLSID)
print "Using CLSID %s to instantiate" % (coClassCLSID)
classes = [tmpClass]
#
for coclass in classes:
#try and instantiate each coclass we find
try:
iuk = iquery.iQuery()
if iuk.coCreateUnknown(comFile, coclass.iid):
success = True
print "Class %s (%s)" % (coclass.entryName, coclass.iid)
del iuk
else:
print "Failed to CoCreate class %s %s" % (coclass.entryName, coClass.iid)
continue
#
for iFace in iMan.getInterfaceList():
#any exception caught by the outside try{}
iuk = iquery.iQuery()
if not iuk.coCreateUnknown(comFile, coclass.iid):
break
#
try:
if iuk.isInterfaceSupported(iFace.iid):
iMan.resolveBase(iFace)
print " Interface %s %s" % (iFace.entryName, iFace.iid)
print " Inheritance hierarchy: %s" % (iFace.hierStr())
vtOffset = imgBase + iuk.getIFaceVTOffset(iFace.iid)
iName = coclass.entryName + "::" + iFace.entryName
if not idaapi.set_name(int(vtOffset), str(iName)):
print "ERROR:Failed to set interface name, (%#x, %s)" % (vtOffset, iName)
print " %s - VT addr %#x" % (iFace.entryName, vtOffset)
offset = 0
for func in iFace.getVtable():
fName = iName + "::" + func.name
fAddr = idc.Dword(vtOffset + offset)
if not idaapi.set_name(int(fAddr), str(fName)):
print "ERROR:Failed to set function name, (%#x, %s)" % (fAddr, fName)
break
#print " (%#x) %s" % (vtOffset + offset, str(func))
offset += 4
else:
#print "%s (%s) not supported" % (iFace.iid, iFace.entryName)
pass
except RuntimeError, exc:
#print "EXC %s" % (exc)
#print "%s (%s) not supported (EXC)" % (iFace.iid, iFace.entryName)
pass
del iuk
except RuntimeError, exc:
if not isinstance(coclass, pyTypeLibs.tCoClass) or coclass.canCreate():
print "INFO:Failed to CoCreate class %s %s, %s" % (coclass.entryName, coclass.iid, str(exc))
print("If LoadLibrary() failed, it may be because the DLL tried load a resource\n"
"DLL that is based on the current module name. msxml3.dll tries to do this\n"
"when it tries to load msxml3r.dll\n")
def get_image():
name = idc.GetInputFile()
base = idaapi.get_imagebase()
return base, name
def baseaddress():
return ida.get_imagebase()
from sets import Set
import json
import idaapi
import idc
print('My Script is now running...')
print('Waiting for idapro...')
idaapi.autoWait()
print('start persisting...')
idaapi.rebase_program(-1*idaapi.get_imagebase(), 0)
ss = idaapi.get_input_file_path()
pn = os.path.splitext(ss)[0]
callees = dict()
funcmap = dict()
data = dict()
data['name'] = pn
for seg_ea in Segments():
for function_ea in Functions(SegStart(seg_ea), SegEnd(seg_ea)):
#fill call graph
# For each of the incoming references
for ref_ea in CodeRefsTo(function_ea, 0):
# Get the name of the referring function
caller_name = GetFunctionName(ref_ea)
# Add the current function to the list of functions called by the referring function
callees[caller_name] = callees.get(caller_name, Set())
callees[caller_name].add(function_ea)
data['functions'] = list()
import idaapi
import idautils
# Global variables
IMG_BASE = idaapi.get_imagebase()
list_seg = []
for seg in idautils.Segments():
list_seg.append(seg)
IMG_END = idc.SegEnd(list_seg[len(list_seg)-1])
def decrypt(ea, key):
# Virtual address to IMAGE_IMPORT_DESCRIPTOR->FirstThunk
va_iat = 0
# Virtual address to IMAGE_IMPORT_DESCRIPTOR->OriginalFirstThunk
va_int = 0
tmp_ea = ea
# Back-tracing to locate the IMAGE_IMPORT_DESCRIPTOR from import address table passed from the callback
for xref in idautils.XrefsTo(ea, 0):
if XrefTypeName(xref.type) == 'Data_Offset':
va_iat = xref.frm - 0x10
if va_iat != 0:
print "Import Name Table->%08x" % (idaapi.get_long(va_iat) + IMG_BASE)
va_int = idaapi.get_long(va_iat) + IMG_BASE
else:
return
if va_int != 0:
va_itd = idaapi.get_long(va_int)
binary_path = GetInputFilePath()
#Create the object from its GUID/ClassID
newobj = comtypes.client.CreateObject(get_guid(binary_path))
#Gross way to parse out the actual interface name
interface_name = newobj.__class__.__name__.split('(')[1].strip(')')
#Lets cast it to a real ctypes pointer so we can get the pointer to interface vtbl
#This feels like a dirty hack, but seems to be easiest way to get the actual pointer
#http://blogs.msdn.com/b/oldnewthing/archive/2004/02/05/68017.aspx
vtbl_ptr = ctypes.cast(newobj, ctypes.POINTER(ctypes.c_void_p)).contents.value
#Lets get our module base address using ctypes/win32 api
mod_base = kernel32.GetModuleHandleA(binary_path)
#Get the base address of the binary loaded in IDA
base = idaapi.get_imagebase()
#Get the delta of the actual module load address vs what the binary is currently loaded at in IDA
delta = mod_base - base
#Now rebase, we do this so our vtable ptr is accurate in the IDA display
rebase_program(delta, 0x0008)
#Bring focus to the vtable
idaapi.jumpto(vtbl_ptr)
#Name it after the interface name
MakeName(vtbl_ptr, interface_name + '_vtable')
#Now skip down the vtable past the stuff inherited from IDispatch etc.
#Not 100% sure this will always be the same....
c_addr = str_addr
MakeUnknown(str_addr, str_sz, DOUNK_DELNAMES)
while c_addr < str_sz+str_addr:
string = get_data_string(c_addr, str_sz+str_addr)
if len(string) == 0:
#MakeAlign(c_addr, 4, 0)
c_addr += 1
continue
MakeStr(c_addr, c_addr+len(string)+1)
#a = get_align(len(string)+1, 4)
#MakeAlign(c_addr+len(string)+1, a, 0)
#c_addr += a+len(string)+1
c_addr += len(string)+1
#elf_file = AskString("C:\\code\\elf.h", "Enter path to the ELF header file.")
start = AskAddr(idaapi.get_imagebase(), "Enter start address of the file.")
if start == 0xFFFFFFFF:
print "Error, bad address."
exit(-1)
# elf header structure
file_start = start
print "Processing Ehdr", hex(file_start)
ehdr_id = process_ehdr(file_start)
# phdr structure
phdr_off = Dword(file_start+GetMemberOffset(ehdr_id, "e_phoff"))
phdr_num = Word(file_start+GetMemberOffset(ehdr_id, "e_phnum"))
process_phdrs(file_start+phdr_off, phdr_num)
def main():
global tm_start
for mod in ('metapc', 'ppc', 'arm'):
arch_mod = __import__('arch.%s' % mod, globals(), locals(), ['*'])
arch = arch_mod.Arch()
if arch:
if arch.check_arch():
# This is a valid module for the current architecure
# so the search has finished
log_message('Using architecture module [%s]' % mod)
break
else:
log_message('No module found to process the current architecure [%s]. Exiting.' % (arch.processor_name))
return
global instrumentation
log_message('Initialization sucessful.')
db_engine, db_host, db_name, db_user, db_password = (None,)*5
batch_mode = False
module_comment = ''
process_sections = False
# If the configuration filename has been fetched from the
# environment variables, then use that.
#
if CONFIG_FILE_NAME:
config_file_path = CONFIG_FILE_NAME
# Otherwise fallback into the one expected in the IDA directory
#
else:
config_file_path = os.path.join(idaapi.idadir(''), 'ida2sql.cfg')
if os.path.exists(config_file_path):
cfg = ConfigParser.ConfigParser()
cfg.read(config_file_path)
if cfg.has_section('database'):
if cfg.has_option('database', 'engine'):
db_engine = getattr(DB_ENGINE, cfg.get('database', 'engine'))
if cfg.has_option('database', 'host'):
db_host = cfg.get('database', 'host')
if cfg.has_option('database', 'schema'):
db_name = cfg.get('database', 'schema')
if cfg.has_option('database', 'user'):
db_user = cfg.get('database', 'user')
if cfg.has_option('database', 'password'):
db_password = cfg.get('database', 'password')
if cfg.has_option('importing', 'mode'):
batch_mode = cfg.get('importing', 'mode')
if batch_mode.lower() in ('batch', 'auto'):
batch_mode = True
if cfg.has_option('importing', 'comment'):
module_comment = cfg.get('importing', 'comment')
if cfg.has_option('importing', 'process_sections'):
process_sections = cfg.get('importing', 'process_sections')
if process_sections.lower() in ('no', 'false'):
process_sections = False
else:
process_sections = True
if None in (db_engine, db_host, db_name, db_user, db_password):
(db_engine, db_host,
db_name, db_user,
db_password) = query_configuration()
if None in (db_engine, db_host, db_name, db_user, db_password):
log_message('User cancelled the exporting.')
return
failed = False
try:
sqlexporter = SQLExporter(arch, db_engine, db=db_name,
user=db_user, passwd=db_password, host=db_host, use_new_schema=USE_NEW_SCHEMA)
except ImportError:
print "Error connecting to the database, error importing required module: %s" % sys.exc_info()[0]
failed = True
except Exception:
print "Error connecting to the database, Reason: %s" % sys.exc_info()[0]
failed = True
if failed:
# Can't connect to the database, indicate that to BinNavi
if batch_mode is True:
idc.Exit(FATAL_CANNOT_CONNECT_TO_DATABASE)
else:
return
if not sqlexporter.is_database_ready():
if batch_mode is False:
result = idc.AskYN(1, 'Database has not been initialized yet. Do you want to create now the basic tables? (This step is performed only once)')
else:
result = 1
if result == 1:
sqlexporter.init_database()
else:
log_message('User requested abort.')
return
iteration = os.environ.get('EXPORT_ITERATION', None)
module_id = os.environ.get('MODULE_ID', None)
if iteration is None and module_id == None:
# Export manually
print "Exporting manually ..."
iteration = -1
sqlexporter.set_callgraph_only(False)
sqlexporter.set_exporting_manually(True)
status = sqlexporter.new_module(
idc.GetInputFilePath(), arch.get_architecture_name(), idaapi.get_imagebase(), module_comment, batch_mode)
elif iteration is not None and module_id is not None:
# Export the next k functions or the call graph
sqlexporter.set_exporting_manually(False)
sqlexporter.set_callgraph_only(int(iteration) == -1)
sqlexporter.set_module_id(int(module_id))
status = True
else:
sqlexporter.set_exporting_manually(False)
status = sqlexporter.new_module(
idc.GetInputFilePath(), arch.get_architecture_name(), idaapi.get_imagebase(), module_comment, batch_mode)
sqlexporter.set_callgraph_only(False)
if status is False:
log_message('Export aborted')
return
elif status is None:
log_message('The database appears to contain data exported with different schemas, exporting not allowed.')
if batch_mode:
idc.Exit(FATAL_INVALID_SCHEMA_VERSION)
instrumentation = Instrumentation()
instrumentation.new_function_callable(sqlexporter.process_function)
instrumentation.new_packet_callable(sqlexporter.process_packet)
instrumentation.new_section_callable(sqlexporter.process_section)
tm_start = time.time()
already_imported = sqlexporter.db.get_already_imported()
incomplete = process_binary(arch, process_sections, int(iteration), already_imported)
sqlexporter.finish()
log_message('Results: %d functions, %d instructions, %d basic blocks, %d address references' % (
len(sqlexporter.exported_functions), len(sqlexporter.exported_instructions),
sqlexporter.basic_blocks_next_id-1, sqlexporter.address_references_values_count ))
log_message('Results: %d expression substitutions, %d operand expressions, %d operand tuples' % (
sqlexporter.expression_substitutions_values_count, sqlexporter.operand_expressions_values_count,
sqlexporter.operand_tuples___operands_values_count ) )
log_message('Exporting completed in %s' % get_time_delta_string())
# If running in batch mode, exit when done
if batch_mode:
if incomplete:
shiftedModule = (sqlexporter.db.module_id << 0x10) | 0xFF
idc.Exit(shiftedModule)
elif not sqlexporter.callgraph_only:
shiftedModule = (sqlexporter.db.module_id << 0x10) | 0xFE
idc.Exit(shiftedModule)
else:
idc.Exit(0)
def MakeRva(name):
return construct.Embed(construct.Struct('EmbeddedRva',
construct.ULInt32(name),
construct.Value('VA', lambda ctx: idaapi.get_imagebase() + ctx[name])
))
def baseaddress():
'''returns the baseaddress of the database'''
return idaapi.get_imagebase()
