Exemple #1
0
def process(start_at = MAKE_SIG_AT['fn']):
	fm = currentProgram.getFunctionManager()
	fn = fm.getFunctionContaining(currentAddress)
	cm = currentProgram.getCodeManager()

	if start_at == MAKE_SIG_AT['fn']:
		ins = cm.getInstructionAt(fn.getEntryPoint())
	elif start_at == MAKE_SIG_AT['cursor']:
		ins = cm.getInstructionContaining(currentAddress)
	
	if not ins:
		raise Exception("Could not find entry point to function")

	pattern = "" # contains pattern string (supports regular expressions)
	byte_pattern = [] # contains BytePattern instances
	
	# keep track of our matches
	matches = []
	match_limit = 128
	
	while fm.getFunctionContaining(ins.getAddress()) == fn:
		for entry in getMaskedInstruction(ins):
			byte_pattern.append(entry)
			if entry.is_wildcard:
				pattern += '.'
			else:
				pattern += r'\x{:02x}'.format(entry.byte)
		
		expected_next = ins.getAddress().add(ins.length)
		ins = ins.getNext()
		
		if ins.getAddress() != expected_next:
			# we don't have a good way to deal with alignment bytes
			# raise an exception for now
			raise Exception("Instruction at %s is not adjacent"
					" to previous (expected %s)" % (expected_next, ins.getAddress()))
		
		if 0 < len(matches) < match_limit:
			# we have all the remaining matches, start only searching those addresses
			match_set = AddressSet()
			for addr in matches:
				match_set.add(addr, addr.add(len(byte_pattern)))
			matches = findBytes(match_set, pattern, match_limit, 1)
		else:
			# the matches are sorted in ascending order, so the first match will be the start
			matches = findBytes(matches[0] if len(matches) else None, pattern, match_limit)
		
		if len(matches) < 2:
			break
	
	if not len(matches) == 1:
		print(*(b.ida_str() for b in byte_pattern))
		print('Signature matched', len(matches), 'locations:', *(matches))
		raise Exception("Could not find unique signature")
	else:
		print("Signature for", fn.getName())
		print(*(b.ida_str() for b in byte_pattern))
		print("".join(b.sig_str() for b in byte_pattern))
Exemple #2
0
def _check_and_create_memory(startAddr, endAddr):
    memory_range = AddressSet(toAddr(startAddr), toAddr(endAddr))
    # we look for the missing part of the range
    # in existing memory
    memory_missing = memory_range.subtract(memory)

    if not memory_missing.isEmpty():
        print "creating memory block for range %s" % memory_missing
        _create_memory(memory_missing.getMinAddress().getOffset(),
                       memory_missing.getMaxAddress().getOffset())
Exemple #3
0
def move_block(start, end, destination):
    # move block [start, end) to function of destination
    print("moving [0x%x, 0x%x) to function at 0x%x" %
          (start, end, destination))

    # Ghidra needs the last byte to be inclusive
    end -= 1

    g_start = toAddr(start)
    g_end = toAddr(end)
    g_destination = toAddr(destination)

    function_mgr = currentProgram.getFunctionManager()

    # get the original function
    original_function = function_mgr.getFunctionContaining(g_start)
    removed_original_function = False
    if original_function:
        # need to remove the range from the original function

        # special care when the entry point is in range
        original_entry = original_function.getEntryPoint()
        new_original_body = original_function.getBody().subtract(
            AddressSet(g_start, g_end))

        if (g_start <= original_entry) and (original_entry < g_end):
            # PROBLEM: entry point of function is in block,
            # remove the entire function
            print("removing function...")
            removed_original_function = function_mgr.removeFunction(
                original_entry)
            assert removed_original_function

            new_entrypoint = new_original_body.getMinAddress()
            print("recreating function at 0x%x" % (new_entrypoint.getOffset()))
            listing.createFunction(None, new_entrypoint, new_original_body,
                                   SourceType.DEFAULT)
        else:
            # remove this block from the function
            original_function.setBody(new_original_body)
        #endif
    #endif

    # move the block to the destination function
    destination_function = function_mgr.getFunctionContaining(g_destination)
    assert destination_function

    # original body
    destination_entry = destination_function.getEntryPoint()
    print("adding to destination function at 0x%x" %
          destination_entry.getOffset())
    destination_body = destination_function.getBody()
    destination_function.setBody(
        destination_body.union(AddressSet(g_start, g_end)))
def setColor(direccion, mnemonico):
    addresses = AddressSet()
    addresses.add(direccion)
    vcolor = Color.WHITE  # Por defecto colorea a blanco para borrar colores anteriores

    # busca mnemonico en el array
    for nem in aMnemonics:
        if mnemonico == nem[C_MNEMONICO]:
            nem[C_CONTADOR] += 1

            if nem[C_SETCOLOR] == True:
                vcolor = nem[C_COLOR]

            if nem[C_SHOWLOG]:
                label = str(getSymbolAt(direccion))
                if not label == "None":
                    print(label) + ": "
                msg = "  " + str(direccion) + " : " + mnemonico + " "
                print(msg)

    setBackgroundColor(direccion, vcolor)
Exemple #5
0
def colorize_test(address):
    anotherAddress = currentAddress.add(10)
    setBackgroundColor(anotherAddress, Color.YELLOW)

    # create an address set with values you want to change
    addresses = AddressSet()
    addresses.add(currentAddress.add(10))
    addresses.add(currentAddress.add(11))
    addresses.add(currentAddress.add(12))
    setBackgroundColor(addresses, Color(100, 100, 200))
Exemple #6
0
    def functions(self, start=None, end=None) -> Iterable[GhidraFunction]:
        if start is None and end is None:
            iterator = self._listing.getFunctions(True)
        elif start is not None and end is None:
            iterator = self._listing.getFunctions(self._to_addr(start), True)
        elif start is None and end is not None:
            iterator = self._listing.getFunctions(self._to_addr(end), False)
        else:
            from ghidra.program.model.address import AddressSet
            address_set = AddressSet(
                self._to_addr(start),
                self._to_addr(end),
            )
            iterator = self._listing.getFunctions(address_set, True)

        for function in iterator:
            yield GhidraFunction(self, function)
Exemple #7
0
def process_section(memory_block):
    global block_uid, function_uid, edge_uid

    section_range = AddressSet(memory_block.getStart(), memory_block.getEnd())

    # functionless instructions
    process_functionless(section_range)

    function_mgr = currentProgram.getFunctionManager()

    # functionless instructions
    nr_functionless = 0
    hanging_insn_it = listing.getInstructions(section_range, True)
    while hanging_insn_it.hasNext():
        insn = hanging_insn_it.next()
        func = function_mgr.getFunctionContaining(insn.getAddress())

        if not func:
            # functionless
            ifile.write(
                "0x%x:%d:%d:%d:0x%x:%d:%d:%d\n" %
                (insn.getAddress().getOffset(), INVALID, INVALID, INVALID,
                 InsGetAssembled(insn), InsIsThumb(insn), 0, 0))

            nr_functionless += 1
        #endif
    #endwhile
    logfile.write("Found %d functionless instructions\n" % nr_functionless)

    # functions
    function_it = function_mgr.getFunctions(section_range, True)
    while function_it.hasNext():
        f = function_it.next()
        logfile.write("Doing function %s\n" % f.toString())

        # basic blocks
        bms = state.getTool().getService(BlockModelService)
        cbm = bms.getActiveBlockModel()
        cbi = cbm.getCodeBlocksContaining(f.getBody(), monitor)
        while cbi.hasNext():
            cb = cbi.next()

            bbl_first_byte = cb.getFirstStartAddress()
            bbl_last_byte = cb.getAddresses(False).next()

            logfile.write("  block %x\n" % bbl_first_byte.getOffset())

            insn_it = listing.getInstructions(
                AddressSet(bbl_first_byte, bbl_last_byte), True)
            insn = None
            bbl_nins = 0
            while insn_it.hasNext():
                insn = insn_it.next()
                logfile.write("    instruction %s\n" % insn.toString())

                ifile.write(
                    "0x%x:%d:%d:%d:0x%x:%d:%d:%d\n" %
                    (insn.getAddress().getOffset(), block_uid, function_uid,
                     INVALID, InsGetAssembled(insn), InsIsThumb(insn), 0, 0))

                # switch instructions
                is_switch, switch_destinations, default_switch_destination = InsIsSwitch(
                    insn)
                if is_switch and len(switch_destinations) > 0:
                    #TODO: instruction can be marked as switch with length 0
                    #      this is probably an unanalysed switch

                    # take note of the switch instruction
                    sfile.write(
                        "0x%x:%d:0x%x:" %
                        (insn.getAddress().getOffset(),
                         len(switch_destinations), default_switch_destination))
                    for d in switch_destinations:
                        sfile.write("0x%x," % d.getOffset())
                    sfile.write("\n")
                #endif

                bbl_nins += 1
            #endwhile

            # last instruction determines control flow
            block_addr = bbl_first_byte.getOffset()
            branch_addr = insn.getAddress().getOffset()

            ft = insn.getFallThrough()
            non_ft = insn.getFlows()

            flow_type = insn.getFlowType()

            jump_type = Tool.EDGE_JUMP
            ft_type = Tool.EDGE_FALLTHROUGH
            if flow_type.isCall():
                # call
                logfile.write("CALL 0x%x %s\n" %
                              (insn.getAddress().getOffset(), insn.toString()))

                jump_type = Tool.EDGE_CALL
                ft_type = Tool.EDGE_CALLFALLTHROUGH
            #endif

            if ft:
                # fallthrough edge
                logfile.write("  ft: 0x%x->0x%x\n" %
                              (insn.getAddress().getOffset(), ft.getOffset()))
                efile.write("%d:0x%x:0x%x:0x%x:%d:%d:%d\n" %
                            (edge_uid, block_addr, branch_addr, ft.getOffset(),
                             AddressInPLT(ft), ft_type, 0))
                edge_uid += 1
            #endif

            if non_ft:
                # flow edges
                for i in non_ft:
                    logfile.write(
                        "  jp: 0x%x->0x%x\n" %
                        (insn.getAddress().getOffset(), i.getOffset()))
                    efile.write("%d:0x%x:0x%x:0x%x:%d:%d:%d\n" %
                                (edge_uid, block_addr, branch_addr,
                                 i.getOffset(), AddressInPLT(i), jump_type, 0))
                    edge_uid += 1
                #endfor
            #endif

            bfile.write("%d:0x%x:%d:%d:%d\n" %
                        (block_uid, bbl_first_byte.getOffset(), bbl_nins,
                         function_uid, INVALID))
            block_uid += 1
        #endwhile

        ffile.write(
            "%d:%s:%d:%d\n" %
            (function_uid, f.getName().replace(':', '_'), INVALID, INVALID))
        function_uid += 1
Exemple #8
0
#@category Examples.Python

from ghidra.app.plugin.core.colorizer import ColorizingService
from ghidra.app.script import GhidraScript
from ghidra.program.model.address import Address
from ghidra.program.model.address import AddressSet

from java.awt import Color

service = state.getTool().getService(ColorizingService)
if service is None:
    print "Can't find ColorizingService service"
if currentSelection is not None:
    service.setBackgroundColor(currentSelection, Color(255, 200, 200))
elif currentAddress is not None:
    service.setBackgroundColor(currentAddress, currentAddress,
                               Color(255, 200, 200))
else:
    print "No selection or current address to color"

anotherAddress = currentAddress.add(10)
setBackgroundColor(anotherAddress, Color.YELLOW)

# create an address set with values you want to change
addresses = AddressSet()
addresses.add(currentAddress.add(10))
addresses.add(currentAddress.add(11))
addresses.add(currentAddress.add(12))
setBackgroundColor(addresses, Color(100, 100, 200))
Exemple #9
0
    namespaceSymbol = namespaceSymbols.pop(0)
    namespace = symdb.getNamespace(namespaceSymbol.name,
                                   namespaceSymbol.getParentNamespace())
    if namespace is None: continue
    namespaceSymbols.extend(symdb.getChildren(namespaceSymbol))
    for sym in symdb.getSymbols(namespace):
        if sym.name != u'__vt': continue

        addr = sym.address.next()
        if addr is None: continue
        while len(symdb.getSymbols(addr)) == 0:
            addr = addr.next()

        while addr.subtract(sym.address) % 4 != 0:
            addr = addr.previous()

        length = addr.subtract(sym.address)
        startAddr = sym.address
        endAddr = addr.previous()
        print namespace, sym, startAddr, length

        adt = ArrayDataType(PointerDataType.dataType, length / 4, 4,
                            currentProgram.getDataTypeManager())
        assert length == adt.getLength()
        adset = AddressSet(startAddr, endAddr)
        if listing.getInstructions(adset, True).hasNext():
            print "Can't create data because the current selection contains instructions"
            continue
        listing.clearCodeUnits(startAddr, endAddr, False)
        listing.createData(startAddr, adt, length)
Exemple #10
0
    script_path = getSourceFile().getAbsolutePath()

    print("call angr:")

    if DEBUG:
        import utils
        utils.open_in_ipython(script_path, fn)
    else:
        call_angr = os.popen("python3 %s %s" % (script_path, fn))
        print(call_angr.read())
    print("===================================")
    with open(fn,"r") as fno:
        config = json.load(fno)
    
    addressSet = AddressSet()
    for [addr,value] in config["def_infos"]:
        #print(addr,value)
        if addr == None:
            continue
        addressSet.add(toAddr(addr))
        print("@ %x :%s" % (addr, value))
        setEOLComment(toAddr(addr), value)
    createHighlight(addressSet)

else:
    #we are in normal python context
    import sys
    import json

    print("Enter angr part.")
Exemple #11
0
 def syncView(self, address=None):
     if address is None: address = self.state.getCurrentAddress()
     self.state.setCurrentAddress(address)
     self.state.setCurrentSelection(ProgramSelection(AddressSet(address)))
def get_data(block):
    addr_set = AddressSet(block.start, block.end)
    return [d for d in currentProgram.getListing().getData(addr_set, True)]
Exemple #13
0
 def get_bb_instructions(self, bb):
     ar = bb.getLastRange()
     return FakeIter(self.cm.getCodeUnits(AddressSet(ar), True))
Exemple #14
0
#Colors all calls along the call graph to the current address
#@author
#@category
#@keybinding
#@menupath
#@toolbar

from ghidra.program.model.address import Address
from ghidra.program.model.address import AddressSet
from java.awt import Color


def collect_calls(addresses, address):
    f = getFunctionContaining(address)
    if f == None:
        return
    print f.getName()
    e = f.getEntryPoint()
    for r in getReferencesTo(e):
        if r.getReferenceType().isCall():
            a = r.getFromAddress()
            addresses.add(a)
            collect_calls(addresses, a)


addresses = AddressSet()

collect_calls(addresses, currentAddress)

setBackgroundColor(addresses, Color.RED)
if debug:
    logger.setLevel(logging.DEBUG)

#global variables
refList = []
addresses = []
parent_functions = []
parent_function_params = []
vuln_parent = []
vuln_params = []
malloc_list = []
branches_found = []
malloc_from_list = []
service = state.getTool().getService(ColorizingService)
addresses_to_color = AddressSet()


def find_malloc(func_addr, fun_obj):
    currentInstr = getInstructionContaining(func_addr)
    print("In a new function!!")
    while (getFunctionContaining(currentInstr.getAddress()) == fun_obj):
        search_string = currentInstr.toString()
        #looking for all the bl instructions then comparing the address
        #of that instruction to the addresses of all the mallocs
        if search_string.find('bl') != -1:

            branches_found.append(str(currentInstr.getAddress()))

            if str(currentInstr.getAddress()) in malloc_from_list:
                print("Malloc found")