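choice = AskYN(1, "Enumerate RPC interfaces and dispatch routines?")

if choice == 1:
    analysis |= pida.ANALYSIS_RPC

output_file = AskFile(1, GetInputFile() + ".pida", "Save PIDA file to?")

if not output_file:
    Warning("Cancelled.")
else:
    print "Analyzing IDB..."
    start = time.time()

    # the signature stored in the PIDA file is what set_bps() later compares against the DLL actually loaded in
    # the debuggee; an empty signature means that comparison is skipped, so a failure here is reported rather
    # than silently producing an unverifiable file.
    try:
        signature = pida.signature(GetInputFilePath())
    except Exception:
        # only real errors are absorbed here; a bare "except:" would also swallow KeyboardInterrupt/SystemExit.
        print "PIDA.DUMP> Could not calculate signature for %s, perhaps the file was moved?" % GetInputFilePath()
        signature = ""

    module = pida.module(GetInputFile(), signature, depth, analysis)
    print "Done. Completed in %f seconds.\n" % round(time.time() - start, 3)

    # trailing comma keeps the "Done." of the next print on the same line.
    print "Saving to file...",
    start = time.time()
    pida.dump(output_file, module, progress_bar="ascii")
    print "Done. Completed in %f seconds." % round(time.time() - start, 3)

    # clean up memory.
    # XXX - this is not working... "del" only drops this binding; the module object is released only once
    #       nothing else still references it.
    del module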
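def set_bps(self, module, last_dll=None):
    '''
    Set breakpoints in the specified module.

    The module must be one of the loaded PIDA modules (self.pida_modules); unknown names are ignored. For a DLL
    the signature recorded in the PIDA file is compared against the signature of the DLL on disk before any
    breakpoint is set, so that breakpoints are not placed from an analysis that does not match the loaded
    library. Breakpoint addresses are taken from the PIDA module after it has been rebased to the actual load
    address; addresses listed in self.filtered[module] (as base-relative offsets) are skipped. Depending on
    self.depth either every non-import function start or every basic block start gets a breakpoint.

    @type  module:   String
    @param module:   Name of module (exe or dll) to set breakpoints in
    @type  last_dll: PyDbg System DLL Object
    @param last_dll: (Optional, def=None) System DLL instance, required for setting breakpoints in a DLL.
    '''

    if module not in self.pida_modules:
        return

    pida_module = self.pida_modules[module]

    # if we are setting breakpoints in a DLL.
    if last_dll:
        # if a signature is available, ensure we have a match before we start setting breakpoints in the
        # loaded DLL. pida.signature() can raise when the path is not readable (pida_dump guards the same
        # call); that must not unwind the debugger callback, so it is treated like a mismatch.
        if pida_module.signature:
            try:
                loaded_signature = pida.signature(last_dll.path)
            except Exception:
                self.log("Could not calculate signature for %s, ignoring DLL" % last_dll.path)
                return

            if pida_module.signature != loaded_signature:
                self.log("Signature match failed, ignoring DLL")
                return
        else:
            # without a recorded signature the match check is skipped and a PIDA file that does not belong
            # to this DLL would go unnoticed, so leave a trace of that in the log.
            self.log("No signature recorded for %s, skipping signature check" % module)

        # ensure the pida module is at the appropriate base address.
        pida_module.rebase(last_dll.base)

    # otherwise we are setting breakpoints in the main module. determine the base address of the main module
    # and rebase if necessary.
    else:
        for mod32 in self.pydbg.iterate_modules():
            if mod32.szModule.lower() == module.lower():
                pida_module.rebase(mod32.modBaseAddr)
                break
        else:
            # no loaded module matched: the addresses below are only right if the PIDA module's current base
            # already equals the real load address, so say so instead of failing silently.
            self.log("Could not locate %s in the loaded module list, base address not adjusted" % module)

    # offsets in the filter list are relative to the (rebased) module base.
    filtered = self.filtered.get(module, [])
    base     = pida_module.base

    #
    # function level tracking.
    #

    if self.depth == self.FUNCTIONS:
        # functions flagged as imports never get a breakpoint.
        functions = [f.ea_start for f in pida_module.nodes.values()
                     if not f.is_import and (f.ea_start - base) not in filtered]

        if last_dll:
            self.log("Setting %d breakpoints on functions in %s" % (len(functions), last_dll.name))
        else:
            self.log("Setting %d breakpoints on functions in main module" % len(functions))

        self.pydbg.bp_set(functions, restore=self.restore)

    #
    # basic block level tracking.
    #

    elif self.depth == self.BASIC_BLOCKS:
        basic_blocks = []

        for f in pida_module.nodes.values():
            for bb in f.nodes.values():
                if (bb.ea_start - base) not in filtered:
                    basic_blocks.append(bb.ea_start)

        if last_dll:
            self.log("Setting %d breakpoints on basic blocks in %s" % (len(basic_blocks), last_dll.name))
        else:
            self.log("Setting %d breakpoints on basic blocks in main module" % len(basic_blocks))

        self.pydbg.bp_set(basic_blocks, restore=self.restore)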
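def set_bps(self, module, last_dll=None):
    '''
    Set breakpoints in the specified module.

    The module must be one of the loaded PIDA modules (self.pida_modules); unknown names are ignored. For a DLL
    the signature recorded in the PIDA file is compared against the signature of the DLL on disk before any
    breakpoint is set, so that breakpoints are not placed from an analysis that does not match the loaded
    library. Breakpoint addresses are taken from the PIDA module after it has been rebased to the actual load
    address; addresses listed in self.filtered[module] (as base-relative offsets) are skipped. Depending on
    self.depth either every non-import function start or every basic block start gets a breakpoint.

    @type  module:   String
    @param module:   Name of module (exe or dll) to set breakpoints in
    @type  last_dll: PyDbg System DLL Object
    @param last_dll: (Optional, def=None) System DLL instance, required for setting breakpoints in a DLL.
    '''

    if module not in self.pida_modules:
        return

    pida_module = self.pida_modules[module]

    # if we are setting breakpoints in a DLL.
    if last_dll:
        # if a signature is available, ensure we have a match before we start setting breakpoints in the
        # loaded DLL. pida.signature() can raise when the path is not readable (pida_dump guards the same
        # call); that must not unwind the debugger callback, so it is treated like a mismatch.
        if pida_module.signature:
            try:
                loaded_signature = pida.signature(last_dll.path)
            except Exception:
                self.log("Could not calculate signature for %s, ignoring DLL" % last_dll.path)
                return

            if pida_module.signature != loaded_signature:
                self.log("Signature match failed, ignoring DLL")
                return
        else:
            # without a recorded signature the match check is skipped and a PIDA file that does not belong
            # to this DLL would go unnoticed, so leave a trace of that in the log.
            self.log("No signature recorded for %s, skipping signature check" % module)

        # ensure the pida module is at the appropriate base address.
        pida_module.rebase(last_dll.base)

    # otherwise we are setting breakpoints in the main module. determine the base address of the main module
    # and rebase if necessary.
    else:
        for mod32 in self.pydbg.iterate_modules():
            if mod32.szModule.lower() == module.lower():
                pida_module.rebase(mod32.modBaseAddr)
                break
        else:
            # no loaded module matched: the addresses below are only right if the PIDA module's current base
            # already equals the real load address, so say so instead of failing silently.
            self.log("Could not locate %s in the loaded module list, base address not adjusted" % module)

    # offsets in the filter list are relative to the (rebased) module base.
    filtered = self.filtered.get(module, [])
    base     = pida_module.base

    #
    # function level tracking.
    #

    if self.depth == self.FUNCTIONS:
        # functions flagged as imports never get a breakpoint.
        functions = [f.ea_start for f in pida_module.nodes.values()
                     if not f.is_import and (f.ea_start - base) not in filtered]

        if last_dll:
            self.log("Setting %d breakpoints on functions in %s" % (len(functions), last_dll.name))
        else:
            self.log("Setting %d breakpoints on functions in main module" % len(functions))

        self.pydbg.bp_set(functions, restore=self.restore)

    #
    # basic block level tracking.
    #

    elif self.depth == self.BASIC_BLOCKS:
        basic_blocks = []

        for f in pida_module.nodes.values():
            for bb in f.nodes.values():
                if (bb.ea_start - base) not in filtered:
                    basic_blocks.append(bb.ea_start)

        if last_dll:
            self.log("Setting %d breakpoints on basic blocks in %s" % (len(basic_blocks), last_dll.name))
        else:
            self.log("Setting %d breakpoints on basic blocks in main module" % len(basic_blocks))

        self.pydbg.bp_set(basic_blocks, restore=self.restore)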
choice = AskYN(1, "Enumerate RPC interfaces and dispatch routines?") if choice == 1: analysis |= pida.ANALYSIS_RPC output_file = AskFile(1, GetInputFile() + ".pida", "Save PIDA file to?") if not output_file: Warning("Cancelled.") else: print "Analyzing IDB..." start = time.time() try: signature = pida.signature(GetInputFilePath()) except: print "PIDA.DUMP> Could not calculate signature for %s, perhaps the file was moved?" % GetInputFilePath( ) signature = "" module = pida.module(GetInputFile(), signature, depth, analysis) print "Done. Completed in %f seconds.\n" % round(time.time() - start, 3) print "Saving to file...", start = time.time() pida.dump(output_file, module, progress_bar="ascii") print "Done. Completed in %f seconds." % round(time.time() - start, 3) # clean up memory. # XXX - this is not working...