def btn_imp_ghidra_funcs(self, code=0):
"""
导入Ghidra函数列表
"""
ghidra_filepath = os.path.join(os.getcwd(), 'ghidra_func_addrs.csv')
ghidra_path = ida_kernwin.ask_str(ghidra_filepath, 0,
'导入的Ghidra导出函数文件路径')
func_addrs = list(idautils.Functions())
make_func_addrs = []
if ghidra_path and ghidra_path != '':
if os.path.exists(ghidra_path):
with open(ghidra_path, 'rb') as f:
next(f)
reader = csv.reader(f)
for row in reader:
addr = int(row[0].strip('\"'), 16)
if ida_funcs.add_func(addr) == True:
make_func_addrs.append(addr)
else:
if addr not in func_addrs:
FELogger.info("创建函数%s失败" % hexstr(addr))
FELogger.info("Ghidra导出函数文件:%s,已导入" % ghidra_path)
else:
FELogger.erro("未找到Ghidra导出函数文件:%s" % ghidra_path)
else:
FELogger.warn("请输入Ghidra导出函数文件路径")
FELogger.info("成功创建%d个新函数" % len(make_func_addrs))
def add_or_del_one_xref_bpt(self, is_add):
if is_add == True:
action = idc.add_bpt
act_info = '添加'
else:
action = idc.del_bpt
act_info = '删除'
tgt_t = ida_kernwin.ask_str('', 0, '请输入危险函数名')
if tgt_t in SINK_FUNC:
if not tgt_t in self.sink_func_xref_dict:
mgr_t = FESinkFuncMgr()
xref_list = mgr_t.get_one_func_xref(tgt_t)
if not xref_list:
FELogger.warn("未找到函数%s" % tgt_t)
return
tmp_list = []
for xref_addr in xref_list:
tmp_list.append(xref_addr)
action(xref_addr)
self.sink_func_xref_dict[tgt_t] = tmp_list
else:
for xref_addr_t in self.sink_func_xref_dict[tgt_t]:
action(xref_addr_t)
FELogger.info("已%s断点:危险函数调用地址(%s)" % (act_info, tgt_t))
else:
FELogger.warn("未支持函数")
def btn_get_one_sink_func_xref(self, code=0):
"""
查看某个危险函数调用地址
"""
tgt_t = ida_kernwin.ask_str('', 0, '请输入要查看的危险函数名')
if tgt_t in SINK_FUNC:
cols = [['', 0 | ida_kernwin.Choose.CHCOL_DEC],
['函数名', 10 | ida_kernwin.Choose.CHCOL_PLAIN],
['函数地址', 10 | ida_kernwin.Choose.CHCOL_HEX]]
items = []
mgr_t = FESinkFuncMgr()
xref_list = mgr_t.get_one_func_xref(tgt_t)
if not xref_list:
FELogger.warn("未找到函数%s" % tgt_t)
return
tmp_list = []
for xref_addr in xref_list:
data = AnalysisChooseData(vuln=0, name=tgt_t, ea=xref_addr)
items.append(data)
tmp_list.append(xref_addr)
self.sink_func_xref_dict[tgt_t] = tmp_list
chooser = AnalysisChooser(title='危险函数调用地址', cols=cols, item=items)
chooser.Show()
else:
FELogger.warn("未支持函数")
def btn_del_one_vuln_bpt(self, code=0):
"""删除断点 某个危险函数漏洞地址"""
tgt_t = ida_kernwin.ask_str('', 0, '请输入危险函数名')
if tgt_t in SINK_FUNC:
if tgt_t in self.vuln_func_fast_dict:
for xref_addr_t in self.vuln_func_fast_dict[tgt_t]:
ida_dbg.del_bpt(xref_addr_t)
FELogger.info("已删除断点:危险函数漏洞分析(%s)" % tgt_t)
else:
FELogger.warn("未支持函数")
def btn_del_tmp_func_bpt(self, code=0):
"""删除临时函数断点"""
tgt_t = ida_kernwin.ask_str('', 0, '请输入任意函数名')
try:
if tgt_t in self.tmp_func_dict:
for xref_addr_t in self.tmp_func_dict[tgt_t]:
ida_dbg.del_bpt(xref_addr_t)
CUSTOM_FUNC.pop(tgt_t)
FELogger.info("已删除断点:指定函数调用地址 %s" % tgt_t)
except Exception:
FELogger.warn("请输入函数名")
def jump_in_hex(self):
ea = self.ea
if not ea or not ida_bytes.is_loaded(ea):
FELogger.warn("地址错误")
return
widget = self.find_hex_view()
if not widget:
FELogger.warn("无法找到十六进制窗口")
return
self.jumpto_in_view(widget, ea)
def jump_in_new_window(self):
ea = self.ea
if not ea or not ida_bytes.is_loaded(ea):
FELogger.warn("地址错误")
return
window_name = "D-0x%x" % ea
widget = ida_kernwin.open_disasm_window(window_name)
if widget:
self.jumpto_in_view(widget, ea)
else:
FELogger.warn("创建新窗口失败")
def jump_in_disassembly(self):
ea = self.ea
if not ea or not ida_bytes.is_loaded(ea):
FELogger.warn("地址错误")
return
widget = self.find_disass_view()
if not widget:
FELogger.warn("无法找到反汇编窗口")
return
self.jumpto_in_view(widget, ea)
def btn_dfs_test_1(self, code=0):
addr_t = ida_kernwin.ask_str('', 0, '请输入回溯起点地址')
reg_t = ida_kernwin.ask_str('', 0, '请输入回溯寄存器')
if (addr_t and addr_t != '') and (reg_t and reg_t != ''):
try:
addr_t = int(addr_t, 16)
except Exception:
FELogger.warn("无效地址")
return
FELogger.info("从地址%s回溯寄存器%s" % (hexstr(addr_t), reg_t))
tracer = FEArgsTracer(addr_t, reg_t)
source_addr = tracer.run()
print('source_addr: ', source_addr)
else:
FELogger.warn("请输入起点地址和寄存器")
def do_export():
st = ida_auto.set_ida_state(idc.IDA_STATUS_WORK)
xml = XmlExporter(1)
try:
try:
xml.export_xml()
FELogger.info("已导出IDA数据到XML")
except Cancelled:
ida_kernwin.hide_wait_box()
FELogger.warn("已取消XML导出")
except Exception as e:
ida_kernwin.hide_wait_box()
FELogger.warn("导出XML失败 %s" % e)
finally:
xml.cleanup()
ida_auto.set_ida_state(st)
def btn_import_all_bpt_addr(self, code=0):
"""
导入离线断点
"""
cur_workpath = os.getcwd()
csv_filepath = os.path.join(
cur_workpath, '%s_bpt.csv' % ida_nalt.get_root_filename())
if os.path.exists(csv_filepath):
with open(csv_filepath, 'r') as f:
next(f)
reader = csv.reader(f)
for row in reader:
ida_dbg.add_bpt(int(row[0], 16), 0, idc.BPT_DEFAULT)
FELogger.info("导入断点完成:%s" % csv_filepath)
else:
FELogger.warn("文件不存在:%s" % csv_filepath)
def btn_dfs_test_2(self, code=0):
tgt_t = ida_kernwin.ask_str('', 0, '请输入函数名')
reg_t = ida_kernwin.ask_str('', 0, '请输入回溯寄存器')
if (tgt_t and tgt_t != '') and (reg_t and reg_t != ''):
for func_addr_t in idautils.Functions():
func_name_t = ida_funcs.get_func_name(func_addr_t)
if func_name_t == tgt_t:
for xref_addr_t in idautils.CodeRefsTo(func_addr_t, 0):
if ida_funcs.get_func(xref_addr_t):
FELogger.info("从地址%s回溯寄存器%s" %
(hexstr(xref_addr_t), reg_t))
tracer = FEArgsTracer(xref_addr_t,
reg_t,
max_node=256)
source_addr = tracer.run()
print('source_addr: ', source_addr)
break
else:
FELogger.warn("请输入函数名和寄存器")
def btn_add_one_vuln_bpt(self, code=0):
"""添加断点 某个危险函数漏洞地址"""
tgt_t = ida_kernwin.ask_str('', 0, '请输入危险函数名')
if tgt_t in SINK_FUNC:
if not tgt_t in self.vuln_func_fast_dict:
mgr_t = FESinkFuncMgr()
xref_list = mgr_t.get_one_func_xref(tgt_t)
tag = SINK_FUNC[tgt_t]['tag']
if not xref_list:
FELogger.warn("未找到函数%s" % tgt_t)
return
if tag == FUNC_TAG['PRINTF']:
items = printf_func_analysis(tgt_t, xref_list)
self.add_fast_dict_from_items(items)
elif tag == FUNC_TAG['STRING']:
items = str_func_analysis(tgt_t, xref_list)
self.add_fast_dict_from_items(items)
elif tag == FUNC_TAG['SCANF']:
items = scanf_func_analysis(tgt_t, xref_list)
self.add_fast_dict_from_items(items)
elif tag == FUNC_TAG['SYSTEM']:
items = system_func_analysis(tgt_t, xref_list)
self.add_fast_dict_from_items(items)
elif tag == FUNC_TAG['MEMORY']:
items = mem_func_analysis(tgt_t, xref_list)
self.add_fast_dict_from_items(items)
else:
FELogger.info("未支持函数%s" % tgt_t)
if tgt_t in self.vuln_func_fast_dict:
for xref_addr_t in self.vuln_func_fast_dict[tgt_t]:
ida_dbg.add_bpt(xref_addr_t, 0, idc.BPT_DEFAULT)
FELogger.info('已添加断点:危险函数漏洞分析(%s)' % tgt_t)
else:
FELogger.warn("未支持函数")
def btn_get_one_vuln_func(self, code=0):
"""查看某个危险函数漏洞地址"""
tgt_t = ida_kernwin.ask_str('', 0, '请输入要查看的危险函数名')
if tgt_t in SINK_FUNC:
mgr_t = FESinkFuncMgr()
xref_list = mgr_t.get_one_func_xref(tgt_t)
tag = SINK_FUNC[tgt_t]['tag']
if not xref_list:
FELogger.warn("未找到函数%s" % tgt_t)
return
# printf系列函数
if tag == FUNC_TAG['PRINTF']:
items = printf_func_analysis(tgt_t, xref_list)
self.add_fast_dict_from_items(items)
cols = [['可疑', 3 | ida_kernwin.Choose.CHCOL_DEC],
['函数名', 10 | ida_kernwin.Choose.CHCOL_PLAIN],
['函数地址', 10 | ida_kernwin.Choose.CHCOL_HEX],
['格式字符串地址', 10 | ida_kernwin.Choose.CHCOL_HEX],
['格式字符串', 15 | ida_kernwin.Choose.CHCOL_PLAIN],
['长度', 10 | ida_kernwin.Choose.CHCOL_HEX]]
chooser = AnalysisChooser(title='危险函数漏洞分析',
cols=cols,
item=items)
chooser.Show()
# str系列函数
elif tag == FUNC_TAG['STRING']:
items = str_func_analysis(tgt_t, xref_list)
self.add_fast_dict_from_items(items)
cols = [['可疑', 3 | ida_kernwin.Choose.CHCOL_DEC],
['函数名', 10 | ida_kernwin.Choose.CHCOL_PLAIN],
['函数地址', 10 | ida_kernwin.Choose.CHCOL_HEX],
['来源地址', 10 | ida_kernwin.Choose.CHCOL_HEX],
['字符串', 15 | ida_kernwin.Choose.CHCOL_PLAIN],
['字符串长度', 10 | ida_kernwin.Choose.CHCOL_HEX]]
chooser = AnalysisChooser(title='危险函数漏洞分析',
cols=cols,
item=items)
chooser.Show()
# scanf系列函数
elif tag == FUNC_TAG['SCANF']:
items = scanf_func_analysis(tgt_t, xref_list)
self.add_fast_dict_from_items(items)
cols = [['可疑', 3 | ida_kernwin.Choose.CHCOL_DEC],
['函数名', 10 | ida_kernwin.Choose.CHCOL_PLAIN],
['函数地址', 10 | ida_kernwin.Choose.CHCOL_HEX],
['格式字符串地址', 10 | ida_kernwin.Choose.CHCOL_HEX],
['格式字符串', 15 | ida_kernwin.Choose.CHCOL_PLAIN],
['长度', 10 | ida_kernwin.Choose.CHCOL_HEX]]
chooser = AnalysisChooser(title='危险函数漏洞分析',
cols=cols,
item=items)
chooser.Show()
# system函数
elif tag == FUNC_TAG['SYSTEM']:
items = system_func_analysis(tgt_t, xref_list)
self.add_fast_dict_from_items(items)
cols = [['可疑', 3 | ida_kernwin.Choose.CHCOL_DEC],
['函数名', 10 | ida_kernwin.Choose.CHCOL_PLAIN],
['函数地址', 10 | ida_kernwin.Choose.CHCOL_HEX],
['来源地址', 10 | ida_kernwin.Choose.CHCOL_HEX],
['命令语句', 15 | ida_kernwin.Choose.CHCOL_PLAIN]]
chooser = AnalysisChooser(title='危险函数漏洞分析',
cols=cols,
item=items)
chooser.Show()
# mem系列函数
elif tag == FUNC_TAG['MEMORY']:
items = mem_func_analysis(tgt_t, xref_list)
self.add_fast_dict_from_items(items)
cols = [['可疑', 3 | ida_kernwin.Choose.CHCOL_DEC],
['函数名', 10 | ida_kernwin.Choose.CHCOL_PLAIN],
['函数地址', 10 | ida_kernwin.Choose.CHCOL_HEX],
['来源地址', 10 | ida_kernwin.Choose.CHCOL_HEX],
['', 0 | ida_kernwin.Choose.CHCOL_PLAIN],
['字符串长度', 10 | ida_kernwin.Choose.CHCOL_HEX]]
chooser = AnalysisChooser(title='危险函数漏洞分析',
cols=cols,
item=items)
chooser.Show()
else:
FELogger.info("未支持函数%s" % tgt_t)
else:
FELogger.warn("未支持函数")