def run(self, arg): kw.show_wait_box('Building class information') try: view = ClassView() view.Show() finally: kw.hide_wait_box()
def symbols(self, output_file_path=None): """ Run find for all SIG files in currently active project. Show an IDA waitbox while doing so :param output_file_path: optional, save found symbols into output file :return: dictionary of found symbols """ self.verify_project() results = {} try: ida_kernwin.show_wait_box('Searching...') results = super(IdaLoader, self).symbols() ida_kernwin.replace_wait_box('Extracting...') ida_symbols = IdaLoader.extract_all_user_names(output_file_path) results.update(ida_symbols) except Exception as e: traceback.print_exc() finally: ida_kernwin.hide_wait_box() return results
def run(self, arg): print "Start to analyzing all comments in idb..." ida_kernwin.show_wait_box( 'Analyzing comments in progress, this will take a while.') test_choose2(False) ida_kernwin.hide_wait_box( 'Analyzing comments in progress, this will take a while.') print "Finished, have a good time!"
def __init__(self, cg, cf=None): ida_hexrays.ctree_parentee_t.__init__(self) self.cg = cg self.n_items = len(cf.treeitems) if cf else None self.n_processed = 0 self.cg.reinit() self.reverse = {} # citem_t -> node# if self.n_items: ida_kernwin.show_wait_box("%s: building graph" % PLUGIN_NAME)
def analyze_function(self): """ """ self.reset_function_analysis_views(is_analyze=True) self.set_view_status_label("Loading...") ida_kernwin.show_wait_box("capa explorer") success = self.load_capa_function_results() ida_kernwin.hide_wait_box() if not success: self.set_view_status_label("Click Analyze to get started...") logger.info("Analysis failed.") else: logger.info("Analysis completed.")
def _load_img_files(self, files): self.anim = [] i = 1 ida_kernwin.show_wait_box("HIDECANCEL\nLoading files") try: for file in files: ida_kernwin.replace_wait_box("Loading file %d/%d" % (i, len(files))) self.anim.append(QtGui.QPixmap(file)) i += 1 except: print("Failed loading file %d/%d" % (i, len(files))) finally: ida_kernwin.hide_wait_box() return
def analyze_program(self, use_cache=False): """ """ self.range_model_proxy.invalidate() self.search_model_proxy.invalidate() self.model_data.reset() self.model_data.clear() self.set_view_status_label("Loading...") ida_kernwin.show_wait_box("capa explorer") success = self.load_capa_results(use_cache) ida_kernwin.hide_wait_box() self.reset_view_tree() if not success: self.set_view_status_label("Click Analyze to get started...") logger.info("Analysis failed.") else: logger.info("Analysis completed.")
def load_data(self): kw.show_wait_box('Building class information') classdump = ClassDump() classdump.parse() kw.hide_wait_box() self.data = classdump class_root = QtWidgets.QTreeWidgetItem(self.tree) class_root.setText(0, 'Classes') class_root.setExpanded(True) x = lambda ea: '0x%X' % ea for clazz in self.data.classes: item = QtWidgets.QTreeWidgetItem(class_root) item.setText(0, clazz.name) item.setText(1, x(clazz.ea)) for method, imp in clazz.methods.items(): child = QtWidgets.QTreeWidgetItem(item) child.setText(0, method) child.setText(1, x(imp)) protocol_root = QtWidgets.QTreeWidgetItem(self.tree) protocol_root.setText(0, 'Protocols') # todo: refactor for proto in self.data.protocols: item = QtWidgets.QTreeWidgetItem(protocol_root) item.setText(0, proto.name) item.setText(1, x(proto.ea)) for method in proto.methods: child = QtWidgets.QTreeWidgetItem(item) child.setText(0, method) # todo: child.setText(1, x(proto.ea))
def slot_analyze(self): """run capa analysis and reload UI controls called when user selects plugin reload from menu """ self.range_model_proxy.invalidate() self.search_model_proxy.invalidate() self.model_data.reset() self.model_data.clear() self.disable_controls() self.set_view_status_label("Loading...") ida_kernwin.show_wait_box("capa explorer") success = self.load_capa_results() ida_kernwin.hide_wait_box() self.reset_view_tree() if not success: self.set_view_status_label("Click Analyze to get started...") logger.info("Analysis failed.") else: logger.info("Analysis completed.")
def main(): filename, _ = QFileDialog.getOpenFileName(None, "Open file", ".", "CSV Files(*.csv)") if filename == "": return processes = set() input_file = open(filename, "r") reader = csv.reader(input_file) # what mode was used to produce this output? fmt_row = next(reader, None) mode = fmt_row[0] # where to find the pertinent data depends upon the mode that produced it if ("process" == mode): id_index = 1 # process ID and thread ID are in decimal id_radix = 10 tid_index = 2 pc_index = 4 size_index = 5 prefix = "process_" title = "Select Process" headers = ("Process Name", "PID") has_tid = True else: id_index = 0 # ASID is in hex id_radix = 16 tid_index = -1 pc_index = 2 size_index = 3 prefix = "ASID_" title = "Select Address Space ID" headers = ("Address Space ID", "ASID") has_tid = False binary_name = get_root_filename() match_len = 0 matched_process = None # skip column headers next(reader, None) for row in reader: processes.add((prefix + row[0], int(row[id_index], id_radix))) # the process names from PANDA may be truncated, so the longest one # that is a substring (or equal to) the binary's name is probably the # one we want if (("process" == mode) and (len(row[0]) > match_len) and binary_name.startswith(row[0])): match_len = len(row[0]) matched_process = prefix + row[0] input_file.close() selections = ProcessSelectDialog.selectProcess( processes, matched_process, title, headers, has_tid) if not selections: return if not selections['selected_id']: return snapshot = ida_loader.snapshot_t() snapshot.desc = "Before coverage.py @ %s" % (datetime.datetime.now()) ida_kernwin.take_database_snapshot(snapshot) # the next bit may take a while, if the input file is large ida_kernwin.show_wait_box("HIDECANCEL\nProcessing file " + filename + "...") colored_fn = False info_for_pcs = {} input_file = open(filename, "r") reader = csv.reader(input_file) # skip mode and column headers next(reader, None) next(reader, None) seq_num = 0 for row in reader: cur_id = int(row[id_index], id_radix) pc = int(row[pc_index], 16) size = int(row[size_index]) if (has_tid): cur_tid = int(row[tid_index], id_radix) if cur_id != selections['selected_id']: continue # get the function containing pc fn = idaapi.get_func(pc) if not fn: continue colored_fn = True seq_num = seq_num + 1 color_blocks(fn, pc, size) if (selections['add_tids'] or selections['add_seqs']): if (pc not in info_for_pcs): info_for_pcs[pc] = set() # want to keep the thread IDs (if have them) with the matching # sequence numbers if (selections['add_tids'] and selections['add_seqs']): info_pair = "(" + str(seq_num) + ", " + str(cur_tid) + ")" info_for_pcs[pc].add(info_pair) elif (selections['add_tids']): info_for_pcs[pc].add(cur_tid) else: info_for_pcs[pc].add(seq_num) input_file.close() if (not colored_fn): print("WARNING: did not find any selected functions") else: add_comments(info_for_pcs, selections) ida_kernwin.hide_wait_box()
import idautils perform_decompilation=False # Note: this try/except block below is just there to # let us (at Hex-Rays) test this script in various # situations. try: perform_decompilation = under_test__perform_decompilation except: pass step_sleep = 0.5 ida_kernwin.show_wait_box("Processing") try: all_eas = list(idautils.Functions()) neas = len(all_eas) for i, ea in enumerate(all_eas): if ida_kernwin.user_cancelled(): break ida_kernwin.replace_wait_box("Processing; step %d/%d" % (i+1, neas)) if perform_decompilation: try: ida_hexrays.decompile(ida_funcs.get_func(ea)) except ida_hexrays.DecompilationFailure as df: print("Decompilation failure: %s" % df) time.sleep(step_sleep * random.random())
def OnCreate(self, form): # get parent widget parent = self.FormToPyQtWidget(form) # checkboxes self.cb_restore = QtWidgets.QCheckBox('Restore .idata section') self.cb_restore.move(20, 20) self.cb_restore.stateChanged.connect(self.cb_restore_toggle) self.cb_verify = QtWidgets.QCheckBox("Verify target dll .NET Native "\ "framework version") self.cb_verify.move(20, 20) # default is checked self.cb_verify.toggle() label_sharedlibrary = QtWidgets.QLabel("Path to target dll "\ "(SharedLibrary.dll):") # create input field for SharedLibrary.dll self.dll_input_path = QtWidgets.QLineEdit(parent) self.dll_input_path.setMaxLength = 256 self.dll_input_path.setFixedWidth(300) # create buttons self.btn_run = QtWidgets.QPushButton("Run", parent) self.btn_run.setToolTip("Proceed to import or restore.") self.btn_run.clicked.connect(self.cb_btn_run) self.btn_browse = QtWidgets.QPushButton("Browse", parent) self.btn_browse.setToolTip('Browse to "SharedLibrary.dll" location.') self.btn_browse.clicked.connect(self.cb_btn_browse) # we try to guess .NET Native framework version ida_kernwin.show_wait_box("HIDECANCEL\nIdentifying .NET "\ "Native framework version...") dotnet_version_full_text = ".NET Native framework version: " dotnet_version_full = "unknown" if not os.path.exists(idc.get_input_file_path()): ida_kernwin.warning("%s could not be found.\n.NIET must identify .NET"\ " Native framework version of the original binary "\ "in order to work properly."\ % idc.get_input_file_path()) else: dotnet_version_full = utils.get_NET_Native_version( idc.get_input_file_path()) if dotnet_version_full == "unknown": ida_kernwin.warning(".NET Native framework could not be identified.\n"\ ".NIET needs it to work properly.") # assume pefile raised an error elif "Error" in dotnet_version_full: ida_kernwin.hide_wait_box() ida_kernwin.warning("pefile: %s" % dotnet_version_full) self.disable_plugin_options() dotnet_version_full = "unsupported" self.dotnet_version_full = dotnet_version_full dotnet_version_full_text += dotnet_version_full ida_kernwin.hide_wait_box() label_dotnet_version_full = QtWidgets.QLabel(dotnet_version_full_text) # then we check if SharedLibrary.dll is an import imported_modules = [ idaapi.get_import_module_name(i) for i in range(idaapi.get_import_module_qty()) ] if not "SharedLibrary" in imported_modules: ida_kernwin.warning("This binary does not import symbols from " "'SharedLibrary.dll' at runtime.\n.NIET is not"\ " required") self.disable_plugin_options() # create layout spacerItem = QtWidgets.QSpacerItem(5, 16) layout = QtWidgets.QGridLayout() layout.addWidget(label_dotnet_version_full, 0, 0) layout.addItem(spacerItem) layout.addWidget(label_sharedlibrary, 1, 0) layout.addWidget(self.dll_input_path, 2, 0) layout.addWidget(self.btn_browse, 2, 1) spacerItem = QtWidgets.QSpacerItem(5, 16) layout.addItem(spacerItem) layout.addWidget(self.cb_restore, 4, 0) layout.addWidget(self.btn_run, 5, 0) layout.addWidget(self.cb_verify, 5, 1, 1, 2) layout.setColumnStretch(4, 1) layout.setRowStretch(6, 1) parent.setLayout(layout)
def cb_btn_run(self): if self.dotnet_version_full == "unknown": ida_kernwin.warning(".NET Native framework could not be identified.\n"\ ".NIET needs it to work properly.") return # self.dotnet_version_full[:3] is "major.minor" if not self.dotnet_version_full[:3] in dotnet_versions_offsets: ida_kernwin.warning(".NIET currently does not support %s, please "\ "create an issue.") return instance = dotNIET(self.dotnet_version_full[:3]) instance.get_modules_info() # if "restore" is checked, everything else is greyed out if self.cb_restore.checkState() == QtCore.Qt.Checked: ida_kernwin.show_wait_box("HIDECANCEL\nClearing symbol names...") for i in range(instance.nb_symbols): # unset name of imports idc.set_name(instance.ordinals + i * 8, "") idaapi.msg("%d symbols removed!\n" % instance.nb_symbols) else: if self.dll_input_path.text() == "": idaapi.msg( "Error: \"SharedLibrary.dll\" path must be selected\n") del instance return # target SharedLibrary.dll .NET framework version is asked to be checked if self.cb_verify.checkState() == QtCore.Qt.Checked: ida_kernwin.show_wait_box("HIDECANCEL\nVerifying target dll "\ ".NET Native framework version...") dll_dotnet_version_full = utils.get_NET_Native_version( self.dll_input_path.text()) ida_kernwin.hide_wait_box() if dll_dotnet_version_full == "unknown" \ or dll_dotnet_version_full != self.dotnet_version_full: answer = ida_kernwin.ask_buttons("", "","", 1, "HIDECANCEL\n"\ "Target dll .NET Native "\ "framework version is '%s' "\ "whereas current binary one "\ "is '%s'.\nProceed anyway?" \ % (dll_dotnet_version_full,\ self.dotnet_version_full)) # "No" or "cancel/escape" if not answer: return # getting target SharedLibrary.dll GUID to verify that the pdb does # exist and is the right one ida_kernwin.show_wait_box("HIDECANCEL\nGetting pdb information...") if not utils.find_pdb(self.dll_input_path.text()): ida_kernwin.hide_wait_box() del instance return # everything is okay, ready to import ida_kernwin.replace_wait_box("HIDECANCEL\nImporting symbols...") instance.resolve_symbols(self.dll_input_path.text()) idaapi.msg("%d symbols imported at 0x%x\n" % (instance.nb_symbols, instance.ordinals)) ida_kernwin.hide_wait_box() del instance
def analyze_function(self): """ """ self.reset_function_analysis_views(is_analyze=True) self.set_view_status_label("Loading...") f = idaapi.get_func(idaapi.get_screen_ea()) if not f: capa.ida.helpers.inform_user_ida_ui("Invalid function") self.set_view_status_label("Click Analyze to get started...") logger.info( "Please navigate to a valid function in the IDA disassembly view before starting function analysis." ) return if not self.rules_cache or not self.ruleset_cache: # only reload rules if caches are empty ida_kernwin.show_wait_box("capa explorer") loaded = self.load_capa_rules() ida_kernwin.hide_wait_box() if not loaded: self.set_view_status_label("Click Analyze to get started...") logger.info("Analysis failed.") return else: logger.info( 'Using cached ruleset, click "Reset" to reload rules from disk.' ) # must use extractor to get function, as capa analysis requires casted object extractor = capa.features.extractors.ida.IdaFeatureExtractor() f = extractor.get_function(f.start_ea) # cache current function for use elsewhere self.rulegen_current_function = f func_features, bb_features = find_func_features(f, extractor) func_matches, bb_matches = find_func_matches(f, self.ruleset_cache, func_features, bb_features) # cache features for use elsewhere self.rulegen_func_features_cache = collections.defaultdict( set, copy.copy(func_features)) self.rulegen_bb_features_cache = collections.defaultdict( dict, copy.copy(bb_features)) # add function and bb rule matches to function features, for display purposes for (name, res) in itertools.chain(func_matches.items(), bb_matches.items()): rule = self.ruleset_cache[name] if rule.meta.get("capa/subscope-rule"): continue for (ea, _) in res: func_features[capa.features.MatchedRule(name)].add(ea) # load preview and feature tree self.view_rulegen_preview.load_preview_meta( f.start_ea, settings.user.get("rulegen_author", "<insert_author>"), settings.user.get("rulegen_scope", "function"), ) self.view_rulegen_features.load_features(func_features) self.view_rulegen_header_label.setText("Function Features (%s)" % trim_function_name(f)) self.set_view_status_label( "capa rules directory: %s (%d rules)" % (settings.user["rule_path"], len(self.rules_cache))) logger.info("Analysis completed.")