def getAllStrings(self): strings = idautils.Strings(default_setup=False) strings.setup(strtypes=Strings.STR_C | Strings.STR_UNICODE, ignore_instructions=True, display_only_existing_strings=True, minlen=1) for string in strings: self.allStrings[string.ea] = str(string)
def get_all_strings(): """ Get a list of strings stored in that segment """ list_of_strings = idautils.Strings() for string in list_of_strings: if not str(string).endswith("\n"): f.write(str(string) + '\n') else: f.write(str(string))
def make_strings_const(): s = idautils.Strings(False) s.setup(strtypes=idautils.Strings.STR_UNICODE | idautils.Strings.STR_C) for v in s: gt = idc.GetType(v.ea) if not gt: gt = idc.GuessType(v.ea) if gt and not gt.startswith("const "): idc.SetType(v.ea, "const " + gt)
def refresh_strings(): # pylint: disable=global-statement global strings strings = {} for i in idautils.Strings(): s = str(i) if s not in strings: strings[s] = [i] else: strings[s].append(i)
def getAllStrings(self): strings = idautils.Strings(default_setup = False) strings.setup(strtypes=Strings.STR_C | Strings.STR_UNICODE, ignore_instructions = True, display_only_existing_strings = True,minlen=4) for string in strings: self.allStrings.append(str(string)) output = {"Strings": self.allStrings} output["FileName"] = self.fileName output["FileMD5"] = self.fileMD5 output["Author Name"] = self.authorName return output
def is_packed_upx(): strings = idautils.Strings() count = 0 for s in strings: if "upx.sf.net" in str(s): return True if count >= 2: break count += 1 return False
def stringsInner(self): """Create a collection / generator of all of the strings in the program (will be called only once). Note: A string object should have the following methods: str(str_obj) := string content str_obj.ea := definition address (ea) of the string Return Value: sorted (by address) collection of all of the used strings in the program (as string objects) """ return idautils.Strings()
def xrefs(self): # Identify functions that reference the WPS checksum functions and resolve their string xrefs. # Returns a dictionary of function EAs and a list of their string xrefs. self._generate_checksum_xrefs_table() for string in idautils.Strings(): for xref in idautils.XrefsTo(string.ea): func = idaapi.get_func(xref.frm) if func and self.funcs.has_key(func.startEA): self.funcs[func.startEA].add(str(string)) return self.funcs
def get_strings(): tags = [] export_tag = {} strings_ida = idautils.Strings(False) strings_ida.setup(strtypes=[idc.STRTYPE_C, idc.STRTYPE_C_16]) for string in strings_ida: export_tag = { 'offset': (string.ea - idaapi.get_imagebase()), 'tag': 'String', 'feeder': 'TagString' } tags.append(export_tag) export_tags(tags)
def update(self, **kwargs): oids = Oids() sc = idautils.Strings() r = re.compile(r"^[012]\.\d+(\.\d+)+$") for s in sc: if r.match(str(s)): val = oids.getOid(str(s), False) if val != str(s): val = val.replace('/', '').replace(' ', '_').replace( '-', '_').replace('.', '_') nm = 'oid_' + val.encode('ascii') if not idc.Name(s.ea).startswith(nm): idc.MakeName(s.ea, nm) oids.save()
def _build_string_xrefs(self): for string in idautils.Strings(): key_string = str(string) for xref in idautils.XrefsTo(string.ea): func = idaapi.get_func(xref.frm) if func: start_ea = ida_shims.start_ea(func) if not self.functions.has_key(start_ea): self.functions[start_ea] = list() xref = IDAProfilerXref(ea=string.ea, string=key_string, xref=xref.frm, type=str) self.functions[start_ea].append(xref)
def get_strings(): for strinfo in idautils.Strings(): strcont = GetString(strinfo.ea, strinfo.length, strinfo.strtype) straddr = hex(strinfo.ea) straddr = straddr[:-1] print('%s:\t%s' % (straddr, strcont)) #sc = idaapi.string_info_t() #count = idaapi.get_strlist_qty() #for i in range(count): #idaapi.get_strlist_item(i,sc) #print(idaapi.get_ascii_contents(sc.ea,sc.length,sc.type)) return
def get_strings(self): """ Get all strings from the binary >>> saram.get_strings().send() """ self._comment = inspect.stack()[0][3] strings = '\n'.join([ '{offset} {value}'.format(offset=hex(x.ea), value=x) for x in idautils.Strings() ]) self.command = 'Strings from binary' self.output = strings print(self.output) return self
def _find_format_string_functions(self): processed_func_eas = set() for string in idautils.Strings(): if '%' in str(string): for xref in idautils.XrefsTo(string.ea): (func_ea, argn, regname) = self.argp.trace(xref.frm) if func_ea is not None and \ func_ea not in processed_func_eas: self.functions.append( Function(start=func_ea, argc=argn, fmtarg=argn)) processed_func_eas.add(func_ea) # Sort format string functions by xref count, largest first self.functions.sort(key=lambda f: f.xrefs, reverse=True)
def __init__(self, sigfile=None): if sigfile: self.sigfile = sigfile else: self.sigfile = self.DEFAULT_SIGNATURE_FILE # Useful for quickly identifying string xrefs from individual instructions self.strings = {} for string in idautils.Strings(): self.strings[string.ea] = RizzoStringDescriptor(string) start = time.time() self.signatures = self.generate() end = time.time() print("Generated %d formal signatures and %d fuzzy signatures for %d functions in %.2f seconds." % (len(self.signatures.formal), len(self.signatures.fuzzy), len(self.signatures.functions), (end-start)))
def stringify(self): n = 0 ea = self.get_start_ea(self.DATA) if ea == idc.BADADDR: ea = ida_shims.get_first_seg() print "Looking for possible strings starting at: 0x%X..." % ea, for s in idautils.Strings(): if s.ea > ea: if not ida_shims.is_strlit(ida_shims.get_full_flags(s.ea)) \ and ida_shims.create_strlit(s.ea, 0): n += 1 print "created %d new ASCII strings" % n
def stringify(self): n = 0 ea = self.get_start_ea(self.DATA) if ea == idc.BADADDR: ea = idc.FirstSeg() print("Looking for possible strings starting at: %s:0x%X..." % (idc.SegName(ea), ea)), for s in idautils.Strings(): if s.ea > ea: if not idc.isASCII(idc.GetFlags(s.ea)) and idc.MakeStr( s.ea, idc.BADADDR): n += 1 print "created %d new ASCII strings" % n
def go_version(self): sc = idautils.Strings() tmp = "" version = "go1." idx = -1 for s in sc: idx = str(s).find("go1.") if (idx+1): tmp = str(s) break take = 5 if len(tmp) > 5 else len(tmp)-4 for i in range(take): # 5 bcoz, max version could be go1.XX.XX (enumerate XX.XX) if tmp[idx+4+i] in ".0123456789": version += tmp[idx+4+i] else: break return version
def _build_string_xrefs(self): #print "Building string profiles..." #orig_functions_len = len(self.functions) for string in idautils.Strings(): keystr = str(string) for xref in idautils.XrefsTo(string.ea): func = idaapi.get_func(xref.frm) if func: if not self.functions.has_key(func.startEA): self.functions[func.startEA] = list() self.functions[func.startEA].append( IDAProfilerXref(ea=string.ea, string=keystr, xref=xref.frm, type=str))
def get_func_str_hack(ea): """ get all referenced strings within a function, actually works :param ea: offset within a function :return: return list of strings referenced in function """ offsets = [] status, ea_st = get_func_addr(ea) if status: status, ea_end = get_func_addr_end(ea) if status: for _str in idautils.Strings(): s_ea = _str.ea xref = idautils.XrefsTo(s_ea) for x in xref: temp_addr = x.frm if ea_st <= temp_addr <= ea_end: offsets.append((temp_addr, _str)) return offsets
def main(): s = idautils.Strings(False) s.setup(strtypes=Strings.STR_UNICODE | Strings.STR_C) hex_str_addr_list = [] for i, v in enumerate(s): if v is None: print("Failed to retrieve string index %d" % i) else: if (v.length + 1) % 2 != 0: continue # print("%x: len=%d type=%d index=%d-> '%s'" % (v.ea, v.length, v.type, i, str(v))) str_value = str(v) try: str_value = str_value.decode("hex") hex_str_addr_list.append(v.ea) except Exception, e: pass
def auto_string_naming(self): idaStrings = idautils.Strings() for cstring in idaStrings: stringValue = idc.GetString(cstring.ea, cstring.length, cstring.type) currentName = idc.GetTrueName(cstring.ea) if len(stringValue) > 6: objFileValues = re.findall(r"[a-zA-Z]+(?=\.obj)", currentName) objFile = "" idc.MakeComm(cstring.ea, currentName) if len(objFileValues) > 0: objFile = objFileValues[0].upper() newName = stringValue.title() for repl in [x for x in string.punctuation]: newName = newName.replace(repl, "") newName = newName.replace(" ", "") newName = "s{objFile}{currentName}".format(objFile=objFile, currentName=newName) idc.MakeNameEx(cstring.ea, newName, idc.SN_AUTO)
def export_func_names(fname): s = idautils.Strings(False) s.setup(strtypes=idautils.Strings.STR_UNICODE | idautils.Strings.STR_C) jsontable = [] for v in s: if v is None: print("Failed to retrieve string index") else: xrefs = [x.frm for x in idautils.XrefsTo(v.ea)] ret = [idaapi.get_func(x) for x in xrefs if idaapi.get_func(x)] names = [] funcs = [] for func in ret: if idc.GetFunctionName(func.startEA) not in names: names.append(idc.GetFunctionName(func.startEA)) funcs.append(func) if (len(funcs) != 1): continue func = funcs[0] if idc.GetFunctionName(func.startEA).startswith("sub_"): continue print("%x: len=%d type=%d -> '%s'" % (v.ea, v.length, v.type, unicode(v))) d = {} d['string'] = unicode(v) d['str_type'] = v.type d['func_name'] = idc.GetFunctionName(func.startEA) d['func_demangled'] = demangle(d['func_name']) d['func_c_decl'] = idc.GetType(func.startEA) d['func_comment'] = idaapi.get_func_cmt(func, 1) jsontable.append(d) f = open(fname, 'w') json.dump(jsontable, f, indent=4) f.close()
def main(): root = {} for s in idautils.Strings(): root[str(s)] = {} for xref in idautils.XrefsTo(s.ea): funcname = ida_funcs.get_func_name(xref.frm) if (funcname is None): continue demangled = idc.demangle_name(funcname, idc.get_inf_attr(idc.INF_SHORT_DN)) if demangled is None: demangled = funcname root[str(s)][demangled] = funcname with open("data.json", "w") as f: print("Dumping {} strings to data.json".format(len(root.items()))) json.dump(root, f, ensure_ascii=False, indent=4, separators=(",", ":"))
def FindStringEA(self): searchstr = str("mkbundle: Error %d decompressing data for %s\n") searchstr2 = str("Error %d decompresing data for %s\n") #Do not use default set up, we'll call setup(). s = idautils.Strings(default_setup = False) # we want C & Unicode strings, and *only* existing strings. s.setup(strtypes=Strings.STR_C | Strings.STR_UNICODE, ignore_instructions = True, display_only_existing_strings = True) #loop through strings for i, v in enumerate(s): if not v: #print("Failed to retrieve string at index {}".format(i)) return -1 else: #print("[{}] ea: {:#x} ; length: {}; type: {}; '{}'".format(i, v.ea, #v.length, string_type_map.get(v.type, None), str(v))) if str(v) == searchstr or str(v) == searchstr2: return v.ea return -1
def get_sources(): tags = [] export_tag = {} string_refs = {} strings_ida = idautils.Strings(False) strings_ida.setup(strtypes=[idc.STRTYPE_C, idc.STRTYPE_C_16]) r = re.compile(r".*\.(c|cpp|h|hpp)") for string in strings_ida: string_refs[string.__str__()] = string.ea strings = string_refs.keys() matched = filter(r.match, strings) for string in matched: export_tag = { 'offset': (string_refs[string] - idaapi.get_imagebase()), 'tag': 'Source', 'feeder': 'TagSource' } tags.append(export_tag) export_tags(tags)
def observerGlobalStrings(self, sds): """Observe and (hopefully) detect a pattern in all of the global strings. Args: sds (list): List of (sark) Data segments. """ pattern = AlignmentPattern() for sd in sds: self._analzyer.logger.debug("Data Segment: 0x%x - 0x%x", sd.startEA, sd.endEA) # collect the data from all of the global strings for cur_string in idautils.Strings(): string_ea = cur_string.ea for sd in sds: if sd.startEA <= string_ea and string_ea < sd.endEA: if self.isGlobalAsciiString(string_ea): pattern.add(string_ea, len(self.getAsciiString(string_ea))) break # find the pattern result = pattern.decide() # set out features accordingly if result is not None: self.setGlobalAlignment(result[0], result[1])
def main(): action = get_action() if action == Mode_Invalid: return file = get_file(action) if file is None: ida_kernwin.warning("Invalid file specified!") return # strings = get_strs() strings = list(idautils.Strings()) if action == Mode_Read: read_strs(strings, file) print("Done!") else: c1, c2, c3 = write_symbols(strings, file) print("Successfully typed {} functions".format(len(FOUND_FUNCS))) print("\t- {} Exact\n\t- {} Symboled in stripped\n\t- {} Stripped in symboled".format(c1, c2, c3)) ida_kernwin.hide_wait_box() file.close()
def get_strings(min_len=5, display_only_existing_strings=False, debug=False): strs = idautils.Strings() #Do we export the other Strings.setup parameters ? strs.setup(0xffffffff, minlen=min_len, display_only_existing_strings=display_only_existing_strings) res = [] fails = [] for s in strs: try: res.append(data.ASCIIData(s.ea, True)) except ValueError as e: if (s.ea < res[-1].addr + len(data.ASCIIData(res[-1].addr))): print("Pass substring") continue print("String list error : {0}".format(e)) fails.append(s.ea) raise if debug: return res, fails return res #auto str construction ?
def has_string_entry(addr): ''' Check whether the provided address is being tracked by IDA as a string. In order to attempt to speed up subsequent lookups, string addresses will be cached into a dictionary on first use. Data returned will be a dictionary of strings, keyed by the address of the string with the length as the value. Args: addr (int): The address to check. Returns: A dictionary of string lengths keyed by their address. ''' if len(string_addrs) == 0: for s in idautils.Strings(): string_addrs[s.ea] = s.length try: return string_addrs[addr] except KeyError: return None