Esempio n. 1
    def s_create():
        """Interactively build a new Class from user-supplied names.

        Asks for a class name and then for an optional base class name.
        Returns the new Class, or None when a dialog is cancelled or an
        entry is rejected (each rejection is reported with a warning).
        """
        db = database.get()

        class_name = idaapi.ask_str('', idaapi.HIST_IDENT,'Enter a class name')
        if class_name is None:
            # Dialog dismissed without an answer.
            return None

        # Uniqueness is checked before syntax, so a duplicate is reported as
        # "already used" without being validated.
        if class_name in database.get().classes_by_name:
            idaapi.warning('That name is already used.')
            return None

        if not Class.s_name_is_valid(class_name):
            idaapi.warning('The class name "%s" is invalid.' % class_name)
            return None

        parent_name = idaapi.ask_str('', idaapi.HIST_IDENT,'Enter a base class name (leave empty for none)')
        if parent_name is None:
            return None
        if not parent_name:
            # Empty answer: the class has no base.
            return Class(class_name, None)

        if parent_name not in db.classes_by_name:
            idaapi.warning('The class "%s" is not in the database.' % parent_name)
            return None

        parent = db.classes_by_name[parent_name]
        if not parent.can_be_derived():
            idaapi.warning('The class %s cannot be derived because the VTable is not setup correctly' % parent.name)
            return None

        return Class(class_name, parent)

        '''
Esempio n. 2
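 def OnKeydown(self, vkey, shift):
     """
     Handle a key press in the viewer.

     A cancelled prompt, or a missing current line, leaves the view
     untouched instead of passing None on to the line-editing calls.

     @param vkey: Virtual key code
     @param shift: Shift flag
     @return: Boolean. True if the event was handled here
     """
     # A parenthesised single-argument print behaves the same as a Python 2
     # statement and as a Python 3 function call.
     print("OnKeydown, vk=%d shift=%d" % (vkey, shift))
     # ESCAPE?
     if vkey == 27:
         self.Close()
     # VK_DELETE
     elif vkey == 46:
         n = self.GetLineNo()
         if n is not None:
             self.DelLine(n)
             self.Refresh()
             print("Deleted line %d" % n)
     # Goto?
     elif vkey == ord('G'):
         n = self.GetLineNo()
         if n is not None:
             v = idaapi.ask_long(n, "Where to go?")
             # Both a cancelled dialog (None) and an answer of 0 skip the jump.
             if v:
                 self.Jump(v, 0, 5)
     elif vkey == ord('R'):
         print("refreshing....")
         self.Refresh()
     elif vkey == ord('C'):
         print("refreshing current line...")
         self.RefreshCurrent()
     elif vkey == ord('A'):
         s = idaapi.ask_str("NewLine%d" % self.Count(), 0,
                            "Append new line")
         # ask_str returns None when the dialog is cancelled.
         if s is not None:
             self.AddLine(s)
             self.Refresh()
     elif vkey == ord('X'):
         print("Clearing all lines")
         self.ClearLines()
         self.Refresh()
     elif vkey == ord('I'):
         n = self.GetLineNo()
         # Without a current line "%d" % n would raise, so do not prompt.
         if n is not None:
             s = idaapi.ask_str("InsertedLine%d" % n, 0, "Insert new line")
             if s is not None:
                 self.InsertLine(n, s)
                 self.Refresh()
     elif vkey == ord('E'):
         l = self.GetCurrentLine(notags=1)
         if not l:
             return False
         n = self.GetLineNo()
         print("curline=<%s>" % l)
         # Mark the edited line with a coloured trailing "*".
         l = l + idaapi.COLSTR("*", idaapi.SCOLOR_VOIDOP)
         self.EditLine(n, l)
         self.RefreshCurrent()
         print("Edited line %d" % n)
     else:
         return False
     return True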
Esempio n. 3
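 def OnKeydown(self, vkey, shift):
     """
     Handle a key press in the viewer.

     A cancelled prompt, or a missing current line, leaves the view
     untouched instead of passing None on to the line-editing calls.

     @param vkey: Virtual key code
     @param shift: Shift flag
     @return: Boolean. True if the event was handled here
     """
     print("OnKeydown, vk=%d shift=%d" % (vkey, shift))
     # ESCAPE?
     if vkey == 27:
         self.Close()
     # VK_DELETE
     elif vkey == 46:
         n = self.GetLineNo()
         if n is not None:
             self.DelLine(n)
             self.Refresh()
             print("Deleted line %d" % n)
     # Goto?
     elif vkey == ord('G'):
         n = self.GetLineNo()
         if n is not None:
             v = idaapi.ask_long(n, "Where to go?")
             # Both a cancelled dialog (None) and an answer of 0 skip the jump.
             if v:
                 self.Jump(v, 0, 5)
     elif vkey == ord('R'):
         print("refreshing....")
         self.Refresh()
     elif vkey == ord('C'):
         print("refreshing current line...")
         self.RefreshCurrent()
     elif vkey == ord('A'):
         s = idaapi.ask_str("NewLine%d" % self.Count(), 0, "Append new line")
         # ask_str returns None when the dialog is cancelled.
         if s is not None:
             self.AddLine(s)
             self.Refresh()
     elif vkey == ord('X'):
         print("Clearing all lines")
         self.ClearLines()
         self.Refresh()
     elif vkey == ord('I'):
         n = self.GetLineNo()
         # Without a current line "%d" % n would raise, so do not prompt.
         if n is not None:
             s = idaapi.ask_str("InsertedLine%d" % n, 0, "Insert new line")
             if s is not None:
                 self.InsertLine(n, s)
                 self.Refresh()
     elif vkey == ord('E'):
         l = self.GetCurrentLine(notags=1)
         if not l:
             return False
         n = self.GetLineNo()
         print("curline=<%s>" % l)
         # Mark the edited line with a coloured trailing "*".
         l = l + idaapi.COLSTR("*", idaapi.SCOLOR_VOIDOP)
         self.EditLine(n, l)
         self.RefreshCurrent()
         print("Edited line %d" % n)
     else:
         return False
     return True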
Esempio n. 4
 def _make_item(self):
     """Prompt for each field of a new row and return the answers as a list."""
     # Prompts appear in this order. ask_str returns None for a cancelled
     # dialog, so a slot may hold None instead of text.
     captions = ("GUID", "Name", "Module", "Service")
     answers = [idaapi.ask_str(str(), 0, caption) for caption in captions]
     self.n += 1
     return answers
Esempio n. 5
 def _make_item(self):
     """Build one row from four consecutive input dialogs."""
     row = []
     for caption in ('GUID', 'Name', 'Module', 'Service'):
         # A cancelled dialog yields None, which is stored as-is.
         row.append(idaapi.ask_str(str(), 0, caption))
     self.n += 1
     return row
Esempio n. 6
 def _make_item(self):
     """Collect the five fields of a new row from the user, in column order."""
     columns = ('Address', 'Name', 'Service', 'Place', 'GUID')
     # Each prompt starts empty; a cancelled one contributes None.
     values = [idaapi.ask_str('', 0, column) for column in columns]
     self.n += 1
     return values
Esempio n. 7
 def _make_item(self):
     '''
     Ask the user for the four fields of a new row and return them as a list.
     '''
     fields = []
     for label in ('GUID', 'Name', 'Module', 'Service'):
         # None is stored when the prompt is cancelled.
         fields.append(idaapi.ask_str('', 0, label))
     self.n += 1
     return fields
Esempio n. 8
    def run(self, arg):
        """Create or update a structure from the offsets used in the selection.

        Prompts for a structure name and a register, infers the offsets used
        through that register in the selected range, creates the structure
        (or optionally updates an existing one) and applies it to the range.
        """
        sel_start, sel_end = sark.get_selection()

        has_offsets = sark.structure.selection_has_offsets(sel_start, sel_end)
        if not has_offsets:
            message('No structure offsets in selection. Operation cancelled.')
            idaapi.warning(
                'No structure offsets in selection. Operation cancelled.')
            return

        # The previously entered name is offered as the default.
        chosen_name = idaapi.ask_str(self._prev_struct_name, 0, "Struct Name")
        if not chosen_name:
            message("No structure name provided. Operation cancelled.")
            return
        self._prev_struct_name = chosen_name

        suggested_reg = sark.structure.get_common_register(sel_start, sel_end)
        register = idaapi.ask_str(suggested_reg, 0, "Register")
        if not register:
            message("No offsets found. Operation cancelled.")
            return

        try:
            offsets, _operands = sark.structure.infer_struct_offsets(
                sel_start, sel_end, register)
        except sark.exceptions.InvalidStructOffset:
            # NOTE(review): message() receives two arguments here - confirm
            # the helper accepts more than one.
            message(
                "Invalid offset found. Cannot create structure.",
                "Make sure there are no negative offsets in the selection.")
            return
        except sark.exceptions.SarkInvalidRegisterName:
            message(
                "Invalid register name {!r}. Cannot create structs.".format(
                    register))
            return

        try:
            sark.structure.create_struct_from_offsets(chosen_name, offsets)
        except sark.exceptions.SarkStructAlreadyExists:
            answer = idaapi.ask_yn(
                idaapi.ASKBTN_NO, "Struct already exists. Modify?\n"
                "Cancel to avoid applying the struct.")
            if answer == idaapi.ASKBTN_CANCEL:
                return
            if answer == idaapi.ASKBTN_YES:
                sid = sark.structure.get_struct(chosen_name)
                sark.structure.set_struct_offsets(offsets, sid)
            # Any other answer keeps the existing definition, which is still
            # applied below.

        sark.structure.apply_struct(sel_start, sel_end, register, chosen_name)
Esempio n. 9
def bulk_prefix():
    """
    Prepend a user-chosen tag to every function selected in the Functions window.
    """

    tag = idaapi.ask_str(PREFIX_DEFAULT, 0, "Function Tag")

    # dialog dismissed: nothing to do
    if tag is None:
        return

    # confirmed with an empty field: report it and stop
    if tag == '':
        idaapi.warning("[ERROR] Tag cannot be empty [ERROR]")
        return

    # names that already start with the tag are left alone
    pending = (name for name in get_selected_funcs() if not name.startswith(tag))

    for old_name in pending:
        target_ea = idaapi.get_name_ea(idaapi.BADADDR, old_name)
        tagged_name = '%s%s%s' % (str(tag), PREFIX_SEPARATOR, old_name)
        # SN_NOWARN: a failed rename is not reported by IDA, and the return
        # value is not checked here.
        idaapi.set_name(target_ea, tagged_name, idaapi.SN_NOWARN)

    # make the new names visible in the IDA views
    refresh_views()
Esempio n. 10
 def slot_change_rule_author(self):
     """Ask for a default rule author and store it in the user settings."""
     current = str(settings.user.get("rulegen_author", ""))
     entered = idaapi.ask_str(current, 0, "Enter default rule author")
     if not entered:
         # Cancelled or left blank: the stored value is kept.
         return
     settings.user["rulegen_author"] = entered
     idaapi.info("Run analysis again for your changes to take effect.")
Esempio n. 11
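    def run(self, arg):
        """Rename the function under the cursor and, on request, its callers.

        The suggested name is the current name, with the function's start
        address appended as a hex suffix unless the name already contains it.
        A cancelled or empty answer, or an unchanged name, leaves the function
        untouched. Any failure is reported in the output window.
        """
        try:
            self._data = dict()
            fn = idaapi.get_func(idaapi.get_screen_ea())

            # Computed before the SDK-version split so that both prompt
            # variants, and the code after them, see these names defined.
            # NOTE(review): confirm get_func_name(ea) is usable on pre-7.0 SDKs.
            orig_name = idaapi.get_func_name(idaapi.get_screen_ea())
            addr_str = '{:x}'.format(self.start_ea_of(fn))
            print("checking function start addr: ", addr_str)

            # Substring test instead of str.find(): find() returns -1 (truthy)
            # on a miss and 0 (falsy) for a match at the start of the name.
            if addr_str in orig_name.lower():
                default_name = orig_name
            else:
                default_name = orig_name + '_' + addr_str  #append current function address as sufix as default

            if idaapi.IDA_SDK_VERSION >= 700:
                user_name = idaapi.ask_str(default_name, 0, 'New name:')
            else:
                user_name = idaapi.askstr(
                    0, default_name,
                    'New name:')  #jeanfixme: check old version support

            # None: dialog cancelled; '': nothing entered.
            if not user_name:
                return
            if orig_name == user_name:
                return

            #if len(fn_an['math']) < self._MIN_MAX_MATH_OPS_TO_ALLOW_RENAME: jeanfixme: check the max length can be set here
            force_name(self.start_ea_of(fn), user_name)

            print("rename \"" + str(orig_name) + "\" to " + str(user_name))

            # The prefix offered for the callers is the new name without the
            # address suffix.
            user_prefix = user_name.lower().replace(addr_str, '')
            query = 'Use \"' + user_prefix + '\" to rename the callers\' names'
            #yesno= idaapi.askyn_c(1, query) jeanfixme: check how to interact with user
            yesno = idaapi.ask_str(
                "yes", 0, query)  #jeanfixme: check how to interact with user

            # Only the literal answer "yes" triggers renaming of the callers.
            if yesno == 'yes':
                print("start rename parents..")
                self.rename_parents(fn, user_prefix, 1)

        except Exception:
            # Plugin boundary: report the traceback instead of propagating.
            idaapi.msg('Ancestor RE: error: %s\n' % traceback.format_exc())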
Esempio n. 12
 def slot_change_rule_scope(self):
     """Ask for a default rule scope and store it in the user settings."""
     current = str(settings.user.get("rulegen_scope", "function"))
     entered = idaapi.ask_str(current, 0, "Enter default rule scope")
     if not entered:
         # Cancelled or left blank: the stored value is kept.
         return
     # NOTE(review): the text is stored as typed; whether it names a valid
     # scope is not checked here.
     settings.user["rulegen_scope"] = entered
     idaapi.info("Run analysis again for your changes to take effect.")
Esempio n. 13
    def btn_dfs_test_1(self, code=0):
        """Prompt for a start address and a register, then trace the register back from there."""
        # Prompts: "enter the backtrace start address" and
        # "enter the register to backtrace".
        addr_text = idaapi.ask_str('', 0, '请输入回溯起点地址')
        reg_text = idaapi.ask_str('', 0, '请输入回溯寄存器')
        reg = regt2reg(reg_text)

        if not addr_text or reg == -1:
            # "please enter a start address and a register"
            FELogger.warn("请输入起点地址和寄存器")
            return

        # The address is read as hexadecimal text.
        try:
            start_ea = int(addr_text, 16)
        except Exception:
            # "invalid address"
            FELogger.warn("无效地址")
            return

        # "backtracing register [%s] from address %s"
        FELogger.info("从地址%s回溯寄存器[%s]" % (hexstr(start_ea), REG[reg]))
        tracer = FEArgsTracer(start_ea, reg, 256)
        source_addr = tracer.run()
        print('source_addr: ', source_addr)
Esempio n. 14
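    def autoenum(self):
        """Prompt for an enum and a constant value, then apply the matching member.

        The enum is created when it does not exist. For an existing enum the
        user chooses between adding a member for the value, reusing a member
        that already has the value, or cancelling.
        """
        common_value = get_common_value()

        enum_name = idaapi.ask_str(self._last_enum, 0, "Enum Name")
        if enum_name is None:
            return

        # An empty answer is passed on as None.
        if not enum_name:
            enum_name = None

        self._last_enum = enum_name

        # Can't ask with negative numbers: a value with the top bit of the
        # native word set is replaced by 0 as the suggested default.
        if common_value >> ((8 * sark.core.get_native_size()) - 1):
            common_value = 0

        const_value = idaapi.ask_long(common_value, "Const Value")
        if const_value is None:
            return

        modify = True

        try:
            enum = sark.add_enum(enum_name)

        except sark.exceptions.EnumAlreadyExists:
            enum = sark.Enum(enum_name)
            yes_no_cancel = idaapi.ask_yn(idaapi.ASKBTN_NO,
                                          "Enum already exists. Modify?\n")
            if yes_no_cancel == idaapi.ASKBTN_CANCEL:
                return

            elif yes_no_cancel == idaapi.ASKBTN_YES:
                modify = True

            else:  # yes_no_cancel == idaapi.ASKBTN_NO:
                modify = False

        member_name = const_name(enum, const_value)

        if modify:

            try:
                enum.members.add(member_name, const_value)
            except sark.exceptions.SarkErrorAddEnumMemeberFailed as ex:
                # NOTE(review): ex.message is not available on plain Python 3
                # exceptions - confirm the sark exception defines it.
                idaapi.msg("[AutoEnum] Adding enum member failed: {}.".format(
                    ex.message))

        else:
            # Reuse an existing member with this value. The else belongs to
            # the for loop, so every member is examined and the method stops
            # only when none matches.
            for member in enum.members:
                if member.value == const_value:
                    member_name = member.name
                    break
            else:
                return

        # Apply the enum
        apply_enum_by_name(enum, member_name)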
Esempio n. 15
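 def client(self):
     """Return the API client, creating it on first use.

     When no token is configured the user is prompted for one. A missing
     token raises AssertionError.
     """
     if self._client is None:
         if not self.cfg['token']:
             # NOTE(review): ask_str is an ordinary text prompt, so the token
             # is shown in clear while it is typed. Where self.cfg is stored
             # afterwards is not visible from this method - confirm it is not
             # written to a world-readable file.
             self.cfg['token'] = idaapi.ask_str("", 0, "{} Token:".format(self.name))
         # Explicit raise rather than `assert`, which is removed under
         # `python -O`; the exception type callers see is unchanged.
         if not self.cfg['token']:
             raise AssertionError("{} token is required".format(self.name))
         if self.cfg['url']:
             self._client = bai.client.Client(self.cfg['token'], self.cfg['url'])
         else:
             self._client = bai.client.Client(self.cfg['token'])
     return self._client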
Esempio n. 16
 def btn_dfs_test_2(self, code=0):
     """Prompt for a function name and a register, then trace the register back from each call site."""
     # Prompts: "enter the function name" and "enter the register to backtrace".
     target_name = idaapi.ask_str('', 0, '请输入函数名')
     reg_text = idaapi.ask_str('', 0, '请输入回溯寄存器')
     reg = regt2reg(reg_text)

     if not target_name or reg == -1:
         # "please enter a function name and a register"
         FELogger.warn("请输入函数名和寄存器")
         return

     for func_ea in idautils.Functions():
         if idaapi.get_func_name(func_ea) != target_name:
             continue

         for xref_ea in idautils.CodeRefsTo(func_ea, 0):
             # Skip references that are not inside a defined function.
             if not idaapi.get_func(xref_ea):
                 continue
             # "backtracing register [%s] from address %s"
             FELogger.info("从地址%s回溯寄存器[%s]" %
                           (hexstr(xref_ea), REG[reg]))
             tracer = FEArgsTracer(xref_ea, reg, max_node=256)
             source_addr = tracer.run()
             print('source_addr: ', source_addr)

         # Only the first function with a matching name is processed.
         break
Esempio n. 17
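 def jump_to(self):
     """Ask for an expression to sync the view with and reload the view.

     A cancelled or empty answer clears self.base_addr instead.
     """
     current = self.base_expr if self.base_expr is not None else ""
     expr = idaapi.ask_str(current, 0, "Sync with")
     if expr:
         try:
             self.base_expr = expr
             self.reload_info()
         except Exception:
             # Narrowed from a bare except so KeyboardInterrupt and SystemExit
             # are no longer reported as a bad expression.
             # NOTE(review): base_expr keeps the rejected text after a failure.
             idaapi.warning("Invalid expression")
     else:
         # NOTE(review): this clears base_addr, not base_expr - confirm intended.
         self.base_addr = None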
Esempio n. 18
def main():
    """Ask for a module name and print the references found for its imports."""
    dllname = idaapi.ask_str('kernel32', 0, "Enter module name")
    if not dllname:
        # Cancelled dialog or empty answer.
        print("Cancelled")
        return

    imports, refs_by_import = find_import_ref(dllname)
    for import_key, ref_eas in refs_by_import.items():
        # Header line: second field of the import record (presumably its name).
        print(imports[import_key][1])
        for ref_ea in ref_eas:
            print("\t%x" % ref_ea)
Esempio n. 19
    def _rename_ea_requested(self, addr, name_idx):
        """Prompt for a new name for addr and write the resulting name back to the model."""
        current = str(name_idx.data())

        # The prompt function and its argument order differ before SDK 7.0.
        if idaapi.IDA_SDK_VERSION < 700:
            answer = idaapi.askstr(0, current, 'New name:')
        else:
            answer = idaapi.ask_str(current, 0, 'New name:')

        if answer is None:
            return

        self._rename(addr, answer)
        # Read the name back from the database: it is what IDA stored, which
        # may differ from the text that was typed.
        stored_name = idaapi.get_ea_name(addr)
        name_idx.model().setData(name_idx, stored_name)
Esempio n. 20
    def activate(self, temp_struct):
        """Prompt for a C type declaration and store it as this member's type."""
        declaration = idaapi.ask_str(self.type_name, 0x100, "Enter type:")
        if declaration is None:
            return

        parsed = idc.parse_decl(declaration, 0)
        if parsed is None:
            # Unparseable text: state is left unchanged and nothing is reported.
            return

        _, type_bytes, field_bytes = parsed
        new_tinfo = idaapi.tinfo_t()
        # NOTE(review): the result of deserialize() is not checked before the
        # tinfo is stored.
        new_tinfo.deserialize(idaapi.cvar.idati, type_bytes, field_bytes, None)
        self.tinfo = new_tinfo
        self.is_array = False
Esempio n. 21
    def try_set_typedef(self, t):
        """Prompt for the value of typedef t, validate it and store it in the database."""
        entered = idaapi.ask_str('', idaapi.HIST_IDENT, 'Enter typedef value')
        if entered is None:
            return

        segments = entered.split()
        itanium_mangler.fix_multi_seg_types(segments)

        # Accept exactly one segment that is either a builtin type or passes
        # the identifier check; the list is inspected after
        # fix_multi_seg_types has processed it in place.
        acceptable = len(segments) == 1 and (
            segments[0] in itanium_mangler.BUILTIN_TYPES
            or itanium_mangler.check_identifier(segments[0]))
        if not acceptable:
            idaapi.warning('That value is invalid.')
            return

        # The stored value is the stripped input text, not the validated segment.
        database.get().typedefs[t] = entered.strip()
        self.update_list()
Esempio n. 22
def recursive_prefix(addr):
    """
    Prepend a user-chosen tag to the function containing addr and to the tree of functions collected from it.
    """
    root_ea = idaapi.get_name_ea(idaapi.BADADDR, idaapi.get_func_name(addr))
    if root_ea == idaapi.BADADDR:
        idaapi.msg("Prefix: 0x%08X does not belong to a defined function\n" %
                   addr)
        return

    # NOTE / COMPAT:
    # the prompt function and its argument order depend on the IDA API version
    if using_ida7api:
        tag = idaapi.ask_str(PREFIX_DEFAULT, 0, "Function Tag")
    else:
        tag = idaapi.askstr(0, PREFIX_DEFAULT, "Function Tag")

    # dialog dismissed: nothing to do
    if tag is None:
        return

    # confirmed with an empty field: report it and stop
    if tag == '':
        idaapi.warning("[ERROR] Tag cannot be empty [ERROR]")
        return

    # graph_down yields addresses; keep the names of those that resolve
    callee_eas = graph_down(root_ea, path=set([]))
    callee_names = [
        name
        for name in (idaapi.get_func_name(ea) for ea in callee_eas)
        if name
    ]

    # a name is skipped when it contains the tag anywhere, not only as a prefix
    for callee in callee_names:
        callee_ea = idaapi.get_name_ea(idaapi.BADADDR, callee)
        if tag in callee:
            continue
        tagged_name = '%s%s%s' % (str(tag), PREFIX_SEPARATOR, callee)
        idaapi.set_name(callee_ea, tagged_name, idaapi.SN_NOWARN)

    # make the new names visible in the IDA views
    refresh_views()
Esempio n. 23
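 def run(self, arg=0):
     """Prompt for a jump expression, evaluate it with the plugin's parser and jump to the result.

     Missing closing brackets are appended before parsing; surplus closing
     brackets are reported and the expression is not evaluated.
     """
     jump_str = idaapi.ask_str("", 0, "Jump expression...")
     if jump_str is None:
         # Dialog cancelled.
         return

     try:
         open_deref = jump_str.count("[")
         close_deref = jump_str.count("]")
         if close_deref < open_deref:
             jump_str += "]" * (open_deref - close_deref)
         if open_deref < close_deref:
             debug_out("mismatched dereferences")
         else:
             result = self.parser.parse(jump_str, lexer=self.lexer)
             debug_out("resolved to %08x" % result)
             idaapi.jumpto(result)
     except Exception:
         # Narrowed from a bare except so KeyboardInterrupt and SystemExit
         # are not swallowed as parse problems.
         debug_out("problem parsing")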
Esempio n. 24
    def handle_add(self):
        """Prompt for a new typedef name, validate it, then ask for its value."""
        typedef_name = idaapi.ask_str('', idaapi.HIST_IDENT, 'Enter typedef name')
        if typedef_name is None:
            return

        # Duplicates are reported before the identifier check is run.
        problem = None
        if typedef_name in database.get().typedefs:
            problem = 'That name is already used.'
        elif not itanium_mangler.check_identifier(typedef_name):
            problem = 'That name is invalid.'

        if problem is not None:
            idaapi.warning(problem)
            return

        # Todo: prevent overwriting builtins

        self.try_set_typedef(typedef_name)
Esempio n. 25
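    def modify_value(self):
        """Prompt for a new value for the selected register and write it to the debuggee."""
        reg = self.get_selected_reg()
        if not reg:
            return

        reg_val = idc.get_reg_value(reg)
        b = idaapi.ask_str("0x%X" % reg_val, 0, "Modify register value")
        if b is None:
            # Dialog cancelled.
            return

        try:
            # NOTE(review): str2ea is expected to return BADADDR for text it
            # cannot evaluate rather than raise, so such input may be written
            # as BADADDR instead of reaching the warning below - confirm.
            value = int(idaapi.str2ea(b))
            idc.set_reg_value(value, reg)
            self.reload_info()

            if reg == dbg.registers.flags:
                self.reload_flags_view()
        except Exception:
            # Narrowed from a bare except so KeyboardInterrupt and SystemExit
            # are not reported as a bad expression.
            idaapi.warning("Invalid expression")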
Esempio n. 26
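 def modify_value(self):
     """Prompt for a new value for the current address and patch it in place.

     A qword is read and patched on 64-bit targets, a dword otherwise.
     """
     ea = self.get_current_expr_ea()
     if not ea or not idaapi.is_loaded(ea):
         return

     is_64bit = idaapi.inf_is_64bit()
     if is_64bit:
         stack_val = ida_bytes.get_qword(ea)
     else:
         stack_val = ida_bytes.get_dword(ea)

     b = idaapi.ask_str("0x%X" % stack_val, 0, "Modify value")
     if b is None:
         # Dialog cancelled.
         return

     try:
         # NOTE(review): str2ea is expected to return BADADDR for text it
         # cannot evaluate rather than raise, so such input may be patched in
         # as BADADDR instead of reaching the warning below - confirm.
         value = int(idaapi.str2ea(b))
         if is_64bit:
             idc.patch_qword(ea, value)
         else:
             idc.patch_dword(ea, value)
         self.reload_info()
     except Exception:
         # Narrowed from a bare except so KeyboardInterrupt and SystemExit
         # are not reported as a bad expression.
         idaapi.warning("Invalid expression")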
Esempio n. 27
File: gui.py Progetto: clayne/Classy
    def handle_set_name(self):
        """Prompt for a new name for the class being edited and rename it if the name is acceptable."""
        if self.edit_class is None:
            return

        entered = idaapi.ask_str(self.edit_class.name, idaapi.HIST_IDENT,
                                 'Enter a class name')
        # Cancelled, or the name was left as it is.
        if entered is None or entered == self.edit_class.name:
            return

        # Duplicates are reported before the name is validated.
        if entered in database.get().classes_by_name:
            idaapi.warning('That name is already used.')
            return

        name_ok = database_entries.Class.s_name_is_valid(entered)
        if not name_ok:
            idaapi.warning('The class name "%s" is invalid.' % entered)
            return

        self.edit_class.rename(entered)
        self.update_fields()
        self.parent_gui.update_class(self.edit_class)
Esempio n. 28
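    def IssueCommand(self):
        """Prompt for a debugger command, send it and append the reply to the view."""
        cmd = idaapi.ask_str(self.last_cmd, 0, "Please enter a debugger command")
        if not cmd:
            return

        # Save last command
        self.last_cmd = cmd

        # Echo the command in a different colour
        self.AddLine("debugger>" + idaapi.COLSTR(cmd, idaapi.SCOLOR_VOIDOP))

        try:
            # The text is handed to SendDbgCommand exactly as typed. The loop
            # variable has its own name so the command is not overwritten.
            for line in SendDbgCommand(cmd).split("\n"):
                self.AddLine(idaapi.COLSTR(line, idaapi.SCOLOR_LIBNAME))
        except Exception:
            # Narrowed from a bare except. Any failure inside the block,
            # including one raised while adding lines, is reported with this
            # message.
            self.AddLine(
                idaapi.COLSTR(
                    "Debugger is not active or does not export send_dbg_command()",
                    idaapi.SCOLOR_ERROR))
        self.Refresh()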
Esempio n. 29
    def edit_deleted_virtual_vals(self):
        """Let the user edit the comma-separated list of deleted virtual values.

        The list is replaced only when every entry parses; a single bad entry
        leaves the stored list unchanged.
        """
        db = database.get()

        shown = ', '.join('0x%X' % val for val in db.deleted_virtual_vals)
        txt = idaapi.ask_str(shown, idaapi.HIST_IDENT,
                             "Enter deleted virtual values")
        # Cancelled or blank: keep the current list.
        if txt is None or not txt.strip():
            return

        parsed = []
        for piece in txt.split(','):
            try:
                # Base 0 accepts prefixed literals such as 0x10.
                number = int(piece, 0)
            except ValueError:
                idaapi.warning(
                    'Parsing "%s" failed. Deleted virtual values were not modified.'
                    % piece)
                return
            parsed.append(number)

        db.deleted_virtual_vals = parsed
Esempio n. 30
def rename_immediate():
    """Prompt for a constant value and a name, add it to the 'GlobalConstants' enum and apply it."""
    highlighted = sark.get_highlighted_identifier()
    # Use the highlighted text as the suggested value when it is a number.
    try:
        suggested = int(highlighted, 0)
    except (ValueError, TypeError):
        suggested = None

    const_value = idaapi.ask_long(get_common_value(suggested), "Const Value")
    if const_value is None:
        return

    const_label = idaapi.ask_str("", 0, "Constant Name")
    if const_label is None:
        return

    # Create the shared enum on first use.
    try:
        constants = sark.Enum('GlobalConstants')
    except sark.exceptions.EnumNotFound:
        constants = sark.add_enum('GlobalConstants')

    # NOTE(review): an empty name passes the None check above and is used as
    # the member name.
    constants.members.add(const_label, const_value)
    apply_enum_by_name(constants, const_label)
Esempio n. 31
def run():
    """Analyse the loaded image and open the protocol explorer when protocols were found.

    Returns False when the architecture had to be asked for and the answer
    was neither 'x86' nor 'x64'; True otherwise.
    """
    idc.auto_wait()
    analyser = Analyser()

    if analyser.valid:
        analyser.print_all()
        analyser.analyse_all()

    # `valid` is read again rather than using else, as the original does.
    if not analyser.valid:
        # The default text 'x86 / x64' is not itself an accepted answer, so
        # confirming it unchanged ends the run.
        analyser.arch = idaapi.ask_str(
            'x86 / x64', 0, 'Set architecture manually (x86 or x64)')
        if analyser.arch == 'x86':
            offset = BOOT_SERVICES_OFFSET_x86
        elif analyser.arch == 'x64':
            offset = BOOT_SERVICES_OFFSET_x64
        else:
            return False
        analyser.BOOT_SERVICES_OFFSET = offset
        analyser.print_all()
        analyser.analyse_all()

    found_any = analyser.Protocols['all']
    if found_any:
        wind = ProtsWindow(f'{NAME} protocol explorer', analyser, nb=10)
        wind.show()
    return True