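def _searchFunctionByHeuristic(self, search, functionhash=None, firstcallhash=None, exact=None, heuristic=90, module=None, firstbb=None):
    """
    Search memory to find a function that fulfils the options.

    When ``search`` is a LIST it is taken as one row of the CSV file and its
    columns are decoded positionally into the real arguments, in this order:
    search, functionhash, firstcallhash, exact, version, file, firstbb.  The
    ``version`` and ``file`` columns are not used by the search and are
    skipped; missing trailing columns keep the keyword defaults.  The caller's
    list is not modified.

    @type search: STRING (or LIST, see above)
    @param search: searchCommand string to make the first selection
    @type functionhash: STRING
    @param functionhash: the primary function hash (use makeFunctionHash to generate this value)
    @type firstcallhash: STRING
    @param firstcallhash: the hash of the first call on single BB functions (use makeFunctionHash to generate this value)
    @type exact: STRING
    @param exact: an exact function hash, this is a binary byte-per-byte hash (use makeFunctionHash to generate this value)
    @type heuristic: INTEGER
    @param heuristic: heuristic threshold (percentage) to consider a real function match
    @type module: STRING
    @param module: name of a module to restrict the search; matched as a case-insensitive
                   substring of the module names, so several modules may be selected
    @type firstbb: STRING
    @param firstbb: generalized assembler of the first BB (to search function begin)
    @rtype: LIST or None
    @return: a list of (address, match percentage) tuples for the possible functions,
             an exact hash match being reported as a single (address, 100) entry;
             None when ``search`` or ``functionhash`` is missing
    """
    # A LIST argument is a CSV row: decode it positionally.  Work on a copy so
    # the caller's row is left untouched (it used to be reversed in place).
    if isinstance(search, list):
        columns = list(search)
        if len(columns) > 0:
            search = columns[0]
        if len(columns) > 1:
            functionhash = columns[1]
        if len(columns) > 2:
            firstcallhash = columns[2]
        if len(columns) > 3:
            exact = columns[3]
        # columns[4] (version) and columns[5] (file) are informational only.
        if len(columns) > 6:
            firstbb = columns[6]

    # Both the search command and the primary hash are mandatory.
    if not search or not functionhash:
        return None
    if not firstcallhash:
        firstcallhash = ""

    # The CSV keeps newlines escaped; restore real line breaks before handing
    # the command to the search engine.
    search = search.replace("\\n", "\n")

    def _function_begin(address):
        """
        Best-effort resolution of the begin of the function holding ``address``.

        Tries, in order: the debugger's own function analysis, the entry-point
        routine of every loaded module, and (when ``firstbb`` is given) the
        generalized first basic block.  Falls back to ``address`` itself.
        """
        begin = self.imm.getFunctionBegin(address)
        if not begin:
            # Not a known function: check whether the hit lies inside the
            # entry-point routine of any loaded module.
            for mod in self.imm.getAllModules().values():
                entry = mod.getMainentry()
                if entry and StackFunction(self.imm, entry).isInsideFunction(address):
                    begin = entry
                    break
        if not begin and firstbb:
            # Look for the generalized first BB, first from the hit itself and
            # then from the first BB computed for the hit.
            begin = self.findBasicBlockHeuristically(address, firstbb)
            if not begin:
                first = self.findFirstBB(address)
                if first:
                    begin = self.findBasicBlockHeuristically(first, firstbb)
        # Last resort: treat the hit itself as the function begin.
        return begin or address

    # First selection: every location matching the search command, optionally
    # restricted to the modules whose name contains ``module``.
    poss_functions = []
    if module:
        # XXX: going through ``debugger`` directly is not the best way to do
        # this, but the module table is keyed by name and we need a substring match.
        wanted = module.lower()
        for key, mod in debugger.get_all_modules().items():
            if wanted in key.lower():
                poss_functions += self.imm.searchCommandsOnModule(mod[0], search)
    else:
        poss_functions = self.imm.searchCommands(search)

    poss_return = []
    for poss in poss_functions or []:
        addy = _function_begin(poss[0])
        # An exact (byte-per-byte) hash match settles the search; it is only
        # meaningful when no first-call hash was requested.
        if exact and not firstcallhash and self.makeFunctionHashExact(addy) == exact:
            return [(addy, 100)]
        perc = self.checkHeuristic(addy, functionhash, firstcallhash)
        if perc >= heuristic:
            # NOTE: several hits can resolve to the same function begin, so an
            # address may appear more than once in the result.
            poss_return.append((addy, perc))
    return poss_return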
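def _searchFunctionByHeuristic(self, search, functionhash=None, firstcallhash=None, exact=None, heuristic=90, module=None, firstbb=None):
    """
    Search memory to find a function that fulfils the options.

    When ``search`` is a LIST it is taken as one row of the CSV file and its
    columns are decoded positionally into the real arguments, in this order:
    search, functionhash, firstcallhash, exact, version, file, firstbb.  The
    ``version`` and ``file`` columns are not used by the search and are
    skipped; missing trailing columns keep the keyword defaults.  The caller's
    list is not modified.

    @type search: STRING (or LIST, see above)
    @param search: searchCommand string to make the first selection
    @type functionhash: STRING
    @param functionhash: the primary function hash (use makeFunctionHash to generate this value)
    @type firstcallhash: STRING
    @param firstcallhash: the hash of the first call on single BB functions (use makeFunctionHash to generate this value)
    @type exact: STRING
    @param exact: an exact function hash, this is a binary byte-per-byte hash (use makeFunctionHash to generate this value)
    @type heuristic: INTEGER
    @param heuristic: heuristic threshold (percentage) to consider a real function match
    @type module: STRING
    @param module: name of a module to restrict the search; matched as a case-insensitive
                   substring of the module names, so several modules may be selected
    @type firstbb: STRING
    @param firstbb: generalized assembler of the first BB (to search function begin)
    @rtype: LIST or None
    @return: a list of (address, match percentage) tuples for the possible functions,
             an exact hash match being reported as a single (address, 100) entry;
             None when ``search`` or ``functionhash`` is missing
    """
    # A LIST argument is a CSV row: decode it positionally.  Work on a copy so
    # the caller's row is left untouched (it used to be reversed in place).
    if isinstance(search, list):
        columns = list(search)
        if len(columns) > 0:
            search = columns[0]
        if len(columns) > 1:
            functionhash = columns[1]
        if len(columns) > 2:
            firstcallhash = columns[2]
        if len(columns) > 3:
            exact = columns[3]
        # columns[4] (version) and columns[5] (file) are informational only.
        if len(columns) > 6:
            firstbb = columns[6]

    # Both the search command and the primary hash are mandatory.
    if not search or not functionhash:
        return None
    if not firstcallhash:
        firstcallhash = ""

    # The CSV keeps newlines escaped; restore real line breaks before handing
    # the command to the search engine.
    search = search.replace("\\n", "\n")

    def _function_begin(address):
        """
        Best-effort resolution of the begin of the function holding ``address``.

        Tries, in order: the debugger's own function analysis, the entry-point
        routine of every loaded module, and (when ``firstbb`` is given) the
        generalized first basic block.  Falls back to ``address`` itself.
        """
        begin = self.imm.getFunctionBegin(address)
        if not begin:
            # Not a known function: check whether the hit lies inside the
            # entry-point routine of any loaded module.
            for mod in self.imm.getAllModules().values():
                entry = mod.getMainentry()
                if entry and StackFunction(self.imm, entry).isInsideFunction(address):
                    begin = entry
                    break
        if not begin and firstbb:
            # Look for the generalized first BB, first from the hit itself and
            # then from the first BB computed for the hit.
            begin = self.findBasicBlockHeuristically(address, firstbb)
            if not begin:
                first = self.findFirstBB(address)
                if first:
                    begin = self.findBasicBlockHeuristically(first, firstbb)
        # Last resort: treat the hit itself as the function begin.
        return begin or address

    # First selection: every location matching the search command, optionally
    # restricted to the modules whose name contains ``module``.
    poss_functions = []
    if module:
        # XXX: going through ``debugger`` directly is not the best way to do
        # this, but the module table is keyed by name and we need a substring match.
        wanted = module.lower()
        for key, mod in debugger.get_all_modules().items():
            if wanted in key.lower():
                poss_functions += self.imm.searchCommandsOnModule(mod[0], search)
    else:
        poss_functions = self.imm.searchCommands(search)

    poss_return = []
    for poss in poss_functions or []:
        addy = _function_begin(poss[0])
        # An exact (byte-per-byte) hash match settles the search; it is only
        # meaningful when no first-call hash was requested.
        if exact and not firstcallhash and self.makeFunctionHashExact(addy) == exact:
            return [(addy, 100)]
        perc = self.checkHeuristic(addy, functionhash, firstcallhash)
        if perc >= heuristic:
            # NOTE: several hits can resolve to the same function begin, so an
            # address may appear more than once in the result.
            poss_return.append((addy, perc))
    return poss_return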
def QueryAllModules(self):
    """
    Return the debugger's module table.

    Thin wrapper over ``debugger.get_all_modules()``; the dictionary-like
    object that call returns is handed back unchanged (its keys are the
    module names used by the ``module`` filter of _searchFunctionByHeuristic).

    @rtype: DICT
    @return: the modules currently known to the debugger, keyed by name
    """
    modules = debugger.get_all_modules()
    return modules