def find_input_file():
"""
Description:
Check whether or not IDA knows where the original file used to create the IDB is.
If IDA doesn't know, check the IDA's directory for the file.
Output:
Returns True if the input file was located, False if it was not.
"""
global INPUT_FILE_PATH
ida_path = INPUT_FILE_PATH
if not os.path.exists(ida_path):
# If IDA does not know, check if the (correct) file is sitting next to the IDB.
local_path = os.path.join(idautils.GetIdbDir(),
idc.get_root_filename())
if (os.path.exists(local_path) and hashlib.md5(
open(local_path, "rb").read()).hexdigest().upper()
== idc.retrieve_input_file_md5()):
INPUT_FILE_PATH = local_path
logger.debug("Guessed the input file path: " + INPUT_FILE_PATH)
logger.debug("IDA thought it was: " + ida_path)
return True
else:
return False
else:
return True
def backup_database():
""" Backup the database to a file similar to IDA's snapshot function. """
time_string = strftime('%Y%m%d%H%M%S')
file = idc.get_root_filename()
if not file:
raise NoInputFileException('No input file provided')
input_file = file.rsplit('.', 1)[0]
backup_file = '%s_%s.idb' % (input_file, time_string)
g_logger.info('Backing up database to file ' + backup_file)
idc.save_database(backup_file, idaapi.DBFL_BAK)
def init_sample_id(self):
"""
test if the remote sample exists,
if not, we upload it
"""
if self.sample_id is None:
self.sample_id = self.get_sample_id()
if not self.sample_id:
logger.warning("Sample not found on server, uploading it")
self.send_sample(open(idc.get_root_filename(), 'rb'))
self.sample_id = self.get_sample_id()
logger.info("Sample ID: %d", self.sample_id)
def get_func_cfgs_c(ea):
binary_name = idc.get_root_filename()
raw_cfgs = raw_graphs(binary_name)
externs_eas, ea_externs = processpltSegs()
i = 0
for funcea in idautils.Functions(idc.get_segm_start(ea)):
funcname = get_unified_funcname(funcea)
func = ida_funcs.get_func(funcea)
print i
i += 1
icfg = cfg.getCfg(func, externs_eas, ea_externs)
func_f = get_discoverRe_feature(func, icfg[0])
raw_g = raw_graph(funcname, icfg, func_f)
raw_cfgs.append(raw_g)
return raw_cfgs
def get_func_cfgs_ctest(ea):
binary_name = idc.get_root_filename()
raw_cfgs = raw_graphs(binary_name)
externs_eas, ea_externs = processpltSegs()
i = 0
diffs = {}
for funcea in idautils.Functions(idc.get_segm_start(ea)):
funcname = get_unified_funcname(funcea)
func = get_func(funcea)
print i
i += 1
icfg, old_cfg = cfg.getCfg(func, externs_eas, ea_externs)
diffs[funcname] = (icfg, old_cfg)
#raw_g = raw_graph(funcname, icfg)
#raw_cfgs.append(raw_g)
return diffs
def xex_load_exports(li):
global export_table_va
export_table = HvImageExportTable()
slen = ctypes.sizeof(export_table)
bytes = ida_bytes.get_bytes(export_table_va, slen)
fit = min(len(bytes), slen)
ctypes.memmove(ctypes.addressof(export_table), bytes, fit)
if export_table.Magic[0] != XEX_EXPORT_MAGIC_0 or export_table.Magic[
1] != XEX_EXPORT_MAGIC_1 or export_table.Magic[
2] != XEX_EXPORT_MAGIC_2:
print("[+] Export table magic is invalid! (0x%X 0x%X 0x%X)" %
(export_table.Magic[0], export_table.Magic[1],
export_table.Magic[2]))
return 0
print("[+] Loading module exports...")
print(export_table)
ordinal_addrs_va = export_table_va + slen
for i in range(0, export_table.Count):
func_ord = export_table.Base + i
func_va = ida_bytes.get_dword(ordinal_addrs_va + (i * 4))
if func_va == 0:
continue
func_va = func_va + (export_table.ImageBaseAddress << 16)
func_name = x360_imports.DoNameGen(idc.get_root_filename(), 0,
func_ord)
# Add to exports list & mark as func if inside a code section
func_segmclass = ida_segment.get_segm_class(
ida_segment.getseg(func_va))
idc.add_entry(func_ord, func_va, func_name,
1 if func_segmclass == "CODE" else 0)
if func_segmclass == "CODE":
idc.add_func(func_va)
return 1
def __init__(self):
ida_kernwin.action_handler_t.__init__(self)
self.dbfilename = idc.get_root_filename() + '.xref'
if not os.path.exists(self.dbfilename):
print 'create db'
self.cx = sqlite3.connect(self.dbfilename)
self.cu = self.cx.cursor()
self.cu.execute(
'create table xref (i integer primary key, x integer, y integer, z integer, k text)'
)
analyze(self.cu)
self.cx.commit()
self.cu.execute('select count (*) from xref')
count, = self.cu.fetchone()
print 'Analyse %d xrefs ok' % (count)
else:
print 'find db'
self.cx = sqlite3.connect(self.dbfilename)
self.cu = self.cx.cursor()
print 'loaded db'
def __init__(self, cfgfile):
self.vt_cfgfile = cfgfile
self.file_path = idaapi.get_input_file_path()
self.file_name = idc.get_root_filename()
logging.getLogger(__name__).addHandler(logging.NullHandler())
if config.DEBUG:
logging.basicConfig(stream=sys.stdout,
level=logging.DEBUG,
format='%(message)s')
else:
logging.basicConfig(stream=sys.stdout,
level=logging.INFO,
format='%(message)s')
logging.info('\n** VT Plugin for IDA Pro v%s (c) Google, 2020',
VT_IDA_PLUGIN_VERSION)
logging.info(
'** VirusTotal integration plugin for Hex-Ray\'s IDA Pro 7')
logging.info('\n** Select an area in the Disassembly Window and right')
logging.info('** click to search on VirusTotal. You can also select a')
logging.info('** string in the Strings Window.\n')
def send_sample(self, filedata):
"""
Ugly wrapper for uploading a file in multipart/form-data
"""
endpoint = "/api/1.0/samples/"
headers = {"Accept-encoding": "gzip, deflate",
"X-Api-Key": self.auth_token}
method = "POST"
boundary = "70f6e331562f4b8f98e5f9590e0ffb8e"
headers["Content-type"] = "multipart/form-data; boundary=" + boundary
body = "--" + boundary
body += "\r\n"
body += "Content-Disposition: form-data; name=\"filename\"\r\n"
body += "\r\n"
body += idc.get_root_filename()
body += "\r\n\r\n"
body += "--" + boundary + "\r\n"
body += "Content-Disposition: form-data;"
body += "name=\"file\"; filename=\"file\"\r\n"
body += "\r\n"
body += filedata.read()
body += "\r\n--"
body += boundary
body += "--\r\n"
self.h_conn.request(method, endpoint, body, headers)
res = self.h_conn.getresponse()
data = res.read()
try:
result = json.loads(data)
except BaseException:
logger.exception("Cannot load json data from server")
result = None
return result
def GetInputFile(): return idc.get_root_filename()
try:
import idc
in_ida = True
except ImportError as e:
print("not run in ida python skip comment...")
in_ida = False
#
is_clean=0
if (in_ida):
trace_path = idc.AskStr("trace-jni.txt", "trace path")
is_clean = idc.AskLong(0, "clean path?")
if (not os.path.isabs(trace_path)):
script_path = os.path.split(os.path.realpath(__file__))[0]
trace_path = "%s/%s"%(script_path, trace_path)
#
filename = idc.get_root_filename()
#
else:
trace_path = sys.argv[1]
filename = sys.argv[2]
if (len(sys.argv)<3):
print("usage %s <trace-file> <filename>"%sys.argv[0])
sys.exit(-1)
#
#
dic_call = {}
with open(trace_path) as f:
for line in f:
line = line.strip()
if (line == ""):
continue
def build_graph(start_addr, type_graph, simplify=False, dontmodstack=True, loadint=False, verbose=False):
machine = guess_machine(addr=start_addr)
dis_engine, ira = machine.dis_engine, machine.ira
class IRADelModCallStack(ira):
def call_effects(self, addr, instr):
assignblks, extra = super(IRADelModCallStack, self).call_effects(addr, instr)
if not dontmodstack:
return assignblks, extra
out = []
for assignblk in assignblks:
dct = dict(assignblk)
dct = {
dst:src for (dst, src) in viewitems(dct) if dst != self.sp
}
out.append(AssignBlock(dct, assignblk.instr))
return out, extra
if verbose:
print("Arch", dis_engine)
fname = idc.get_root_filename()
if verbose:
print(fname)
bs = bin_stream_ida()
mdis = dis_engine(bs)
ir_arch = IRADelModCallStack(mdis.loc_db)
# populate symbols with ida names
for addr, name in idautils.Names():
if name is None:
continue
if (mdis.loc_db.get_offset_location(addr) or
mdis.loc_db.get_name_location(name)):
# Symbol alias
continue
mdis.loc_db.add_location(name, addr)
if verbose:
print("start disasm")
if verbose:
print(hex(start_addr))
asmcfg = mdis.dis_multiblock(start_addr)
entry_points = set([mdis.loc_db.get_offset_location(start_addr)])
if verbose:
print("generating graph")
open('asm_flow.dot', 'w').write(asmcfg.dot())
print("generating IR... %x" % start_addr)
ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg)
if verbose:
print("IR ok... %x" % start_addr)
for irb in list(viewvalues(ircfg.blocks)):
irs = []
for assignblk in irb:
new_assignblk = {
expr_simp(dst): expr_simp(src)
for dst, src in viewitems(assignblk)
}
irs.append(AssignBlock(new_assignblk, instr=assignblk.instr))
ircfg.blocks[irb.loc_key] = IRBlock(irb.loc_key, irs)
if verbose:
out = ircfg.dot()
open(os.path.join(tempfile.gettempdir(), 'graph.dot'), 'wb').write(out)
title = "Miasm IR graph"
head = list(entry_points)[0]
if simplify:
ircfg_simplifier = IRCFGSimplifierCommon(ir_arch)
ircfg_simplifier.simplify(ircfg, head)
title += " (simplified)"
if type_graph == TYPE_GRAPH_IR:
graph = GraphMiasmIR(ircfg, title, None)
graph.Show()
return
class IRAOutRegs(ira):
def get_out_regs(self, block):
regs_todo = super(IRAOutRegs, self).get_out_regs(block)
out = {}
for assignblk in block:
for dst in assignblk:
reg = self.ssa_var.get(dst, None)
if reg is None:
continue
if reg in regs_todo:
out[reg] = dst
return set(viewvalues(out))
# Add dummy dependency to uncover out regs affectation
for loc in ircfg.leaves():
irblock = ircfg.blocks.get(loc)
if irblock is None:
continue
regs = {}
for reg in ir_arch.get_out_regs(irblock):
regs[reg] = reg
assignblks = list(irblock)
new_assiblk = AssignBlock(regs, assignblks[-1].instr)
assignblks.append(new_assiblk)
new_irblock = IRBlock(irblock.loc_key, assignblks)
ircfg.blocks[loc] = new_irblock
class CustomIRCFGSimplifierSSA(IRCFGSimplifierSSA):
def do_simplify(self, ssa, head):
modified = super(CustomIRCFGSimplifierSSA, self).do_simplify(ssa, head)
if loadint:
modified |= load_from_int(ssa.graph, bs, is_addr_ro_variable)
return modified
def simplify(self, ircfg, head):
ssa = self.ircfg_to_ssa(ircfg, head)
ssa = self.do_simplify_loop(ssa, head)
if type_graph == TYPE_GRAPH_IRSSA:
ret = ssa.graph
elif type_graph == TYPE_GRAPH_IRSSAUNSSA:
ircfg = self.ssa_to_unssa(ssa, head)
ircfg_simplifier = IRCFGSimplifierCommon(self.ir_arch)
ircfg_simplifier.simplify(ircfg, head)
ret = ircfg
else:
raise ValueError("Unknown option")
return ret
head = list(entry_points)[0]
simplifier = CustomIRCFGSimplifierSSA(ir_arch)
ircfg = simplifier.simplify(ircfg, head)
open('final.dot', 'w').write(ircfg.dot())
graph = GraphMiasmIR(ircfg, title, None)
graph.Show()
######################
### ISVOID RET CODE ##
FNONVOID = 1 #
FNONVOIDWARN = 2 #
FVOID = 0 #
######################
######################
IDA_ERROR = 0x0F0F0F0F
UNKOWN_CMND = 0xF0F0F0F0
RESOLVE_NAME = 0xA0A0A0A0
COMANDS = [START, END, TYPE, DREFS, CREFS, VRET, FEND, FNAM]
COMANDS_2ARGS = [DOMIN]
IMAGE = idc.get_root_filename()
c_jumps = [
"jle", "jz", "je", "ja", "jnbe", "jne", "jnz", "jnb", "jae", "jnc", "js",
"jq", "jbe", "jna", "jnae", "jb", "jnae", "jc", "jo", "jno", "jns", "jl",
"jnge", "jge", "jnl", "jng", "jg", "jnle", "jp", "jpe", "jnp", "jpo",
"ud2", "jcxz", "jecxz", "jrcxz"
]
u_jumps = ["jmp"]
op_type = {
0: "o_void",
1: "o_reg",
2: "o_mem",
3: "o_phrase",
def main():
imp_funcs = []
xrefs = []
cg = CallGraph()
file_name = idc.get_root_filename()
file_path = idc.GetInputFilePath()
def get_file_ssdeep():
if 'ssdeep' in sys.modules:
return ssdeep.hash_from_file(file_path)
else:
return 'No ssdeep Modules. Please Install ssdeep.'
def imp_cb(ea, name, ord):
imp_funcs.append(ea)
return True
if 'batch' in idc.ARGV:
idaapi.autoWait()
for fea in Functions():
func_flags = get_func_flags(fea)
# NORMAL = 0
# LIBRARY = 1
# IMPORTED = 2
# THUNK = 3
if func_flags & FUNC_LIB:
func_type = 1
elif func_flags & FUNC_THUNK:
func_type = 3
else:
func_type = 0
cg.add_vertex(fea, func_type)
cg.add_root(fea)
items = FuncItems(fea)
for item in items:
for xref in XrefsFrom(item, 0):
# https://www.hex-rays.com/products/ida/support/idadoc/313.shtml
if xref.type != fl_F:
xrefs.append([fea, xref.to])
# List Import Functions and Add to cg
num_imp_module = idaapi.get_import_module_qty()
for i in range(0, num_imp_module):
idaapi.enum_import_names(i, imp_cb)
imp_funcs.sort()
for imp_func_ea in imp_funcs:
cg.add_vertex(imp_func_ea, 2)
for xref in xrefs:
if xref[1] in cg.vertices:
cg.connect_vertex(xref[0], xref[1])
cg.set_roots()
for root in cg.roots:
cg.build_graph_pattern(root)
if len(idc.ARGV) == 0:
print('Graph MD5: %s' % cg.get_graph_md5())
print('Graph SHA1: %s' % cg.get_graph_sha1())
print('Graph SHA256: %s' % cg.get_graph_sha256())
print('Graph SSDEEP: %s' % cg.get_graph_ssdeep())
print('File SSDEEP: %s' % get_file_ssdeep())
if 'out_pattern' in idc.ARGV:
if not os.path.isdir('./out'):
os.mkdir('./out')
f = open('./out/' + file_name + '.bin', 'wb')
f.write(cg.graph_pattern)
f.close()
if 'batch' in idc.ARGV:
if not os.path.isdir('./out'):
os.mkdir('./out')
f = open('./out/result', 'a+')
f.write('%s,%s,%s,%s\n' % (file_name, cg.get_graph_md5(),
cg.get_graph_ssdeep(), get_file_ssdeep()))
f.close()
idc.Exit(0)
