def parse_impexp(self, top, end, cls, callback): arr = [] cur = top while cur < end: impexp_foffset = self.phdr_modinfo.p_offset + cur impexp_addr = idaapi.get_fileregion_ea(impexp_foffset) self.fin.seek(impexp_foffset) impexp = cls(self.fin.read(cls.SIZE)) if impexp.library_name_ptr: library_name_foffset = self.phdr_modinfo.p_offset + impexp.library_name_ptr - self.phdr_modinfo.p_vaddr self.fin.seek(library_name_foffset) # create a library name string idc.MakeStr(idaapi.get_fileregion_ea(library_name_foffset), idc.BADADDR) data = self.fin.read(256) impexp.library_name = c_str(data) # apply struct apply_struct(impexp_addr, cls._find_or_create_struct()) #idc.MakeComm(impexp_addr, "{}".format(impexp.library_name)) arr.append(impexp) cur += impexp.size for impexp in arr: for x in xrange(impexp.num_syms_funcs): self.fin.seek(self.phdr_modinfo.p_offset + impexp.nid_table - self.phdr_modinfo.p_vaddr + x * 4) nid = u32(self.fin.read(4)) self.fin.seek(self.phdr_modinfo.p_offset + impexp.entry_table - self.phdr_modinfo.p_vaddr + x * 4) func = u32(self.fin.read(4)) callback(impexp, func, nid)
def goto_file_ofs(): fofs = 0 txt = clip_text() if txt.isdigit(): try: fofs = int(txt, 10) except: pass elif txt.isalnum(): try: fofs = int(txt, 16) except: pass fofs = ida_kernwin.ask_addr(fofs, "Enter the file offset to jump to") if fofs is None: return 0 ea = idaapi.get_fileregion_ea(fofs) if ea != idc.BADADDR: plg_print("File offset = 0x%X -> EA = 0x%X" % (fofs, ea)) idc.jumpto(ea) return 1 else: plg_print("Invalid file offset 0x%X" % fofs) return 0
def find_kernel_base(): """Find the kernel base.""" base = idaapi.get_fileregion_ea(0) if base != 0xffffffffffffffff: return base seg = [seg for seg in map(idaapi.get_segm_by_name, ['__TEXT.HEADER', '__TEXT:HEADER']) if seg] if not seg: raise RuntimeError("unable to find kernel base") return seg[0].start_ea
def strings(self): # Before returning strings, fixup the offsets to be virtual addresses. if self._strings is None: self._strings = [] for offset, identifier, data in self._match.strings: if self._offset is not None: offset += self._offset if self._file_offset: offset = idaapi.get_fileregion_ea(offset) self._strings.append((idc.get_item_head(offset), identifier, data)) return self._strings
def jump_addr(self, row, column): addr = int(self.tableWidget.item(row, 0).text(), 16) # RAW RVA = 0 for i in range(len(self.Seg)-1): if self.Seg[i][0] < addr < self.Seg[i+1][0]: ## https://reverseengineering.stackexchange.com/questions/2835/how-to-extract-the-input-file-offset-of-a-byte-in-idapython RVA = idaapi.get_fileregion_ea(addr) break jumpto(RVA)
def _yara_callback(data): """ Description: Generic yara callback. Input: As defined by YARA. See YARA's documentation for more info. Output: A list of tuples: (offset, identifier) """ if not data['matches']: return False for datum in data['strings']: _YARA_MATCHES.append((idc.ItemHead(idaapi.get_fileregion_ea(datum[0])), datum[1])) return yara.CALLBACK_CONTINUE
def Search(self): result = [] if self.CheckButton.isChecked(): rule = yara.compile(source=self.rule) else: rulepath = open(self.path.text(), "r") rule = yara.compile(source=rulepath.read()) rulepath.close() matches = rule.match(data=self.data) for match in matches: for i in match.strings: result.append([hex(i[0]).replace("L",""), match.rule, i[1], i[2]]) self.tableWidget.setRowCount(len(result)) for idx, i in enumerate(result): self.tableWidget.setItem(idx, 0, QTableWidgetItem(hex(int(i[0], 16)).replace("L",""))) self.tableWidget.setItem(idx, 1, QTableWidgetItem(i[1])) self.tableWidget.setItem(idx, 2, QTableWidgetItem(i[2])) text_endea = idaapi.get_segm_by_name(".text").endEA size = idaapi.get_fileregion_ea(int(i[0], 16)) if size < text_endea: a = [] info = idaapi.get_inf_structure() if info.is_64bit(): md = Cs(CS_ARCH_X86, CS_MODE_64) elif info.is_32bit(): md = Cs(CS_ARCH_X86, CS_MODE_32) for i in md.disasm(i[3], 0x1000): a.append(i.mnemonic + " " + i.op_str) self.tableWidget.setItem(idx, 3, QTableWidgetItem(' || '.join(a))) else: self.tableWidget.setItem(idx, 3, QTableWidgetItem(i[3])) self.layout.addWidget(self.tableWidget)
def _yara_callback(data): ''' Description: Generic yara callback. Input: As defined by YARA. See YARA's documentation for more info. Output: A list of tuples: (offset, identifier) where offsets are always item heads ''' if not data['matches']: return False for datum in data['strings']: if FROM_FILE: _YARA_MATCHES.append( (idc.ItemHead(idaapi.get_fileregion_ea(datum[0])), datum[1])) else: _YARA_MATCHES.append( (idc.ItemHead(datum[0] + SECTION_START), datum[1])) return yara.CALLBACK_CONTINUE
def find_kernel_base(): """Find the kernel base.""" return idaapi.get_fileregion_ea(0)
def go(self): print "0) Building cache..." self.load_nids() # Vita is ARM idaapi.set_processor_type("arm", idaapi.SETPROC_ALL | idaapi.SETPROC_FATAL) # Set compiler info cinfo = idaapi.compiler_info_t() cinfo.id = idaapi.COMP_GNU cinfo.cm = idaapi.CM_CC_CDECL | idaapi.CM_N32_F48 cinfo.size_s = 2 cinfo.size_i = cinfo.size_b = cinfo.size_e = cinfo.size_l = cinfo.defalign = 4 cinfo.size_ll = cinfo.size_ldbl = 8 idaapi.set_compiler(cinfo, 0) # Import types self.import_types() self.load_proto() print "1) Loading ELF segments" self.fin.seek(0) header = Ehdr(self.fin.read(Ehdr.SIZE)) self.fin.seek(header.e_phoff) phdrs = [Phdr(self.fin.read(header.e_phentsize)) for _ in xrange(header.e_phnum)] phdr_text = phdrs[0] for phdr in phdrs: if phdr.p_type == Phdr.PT_LOAD: idaapi.add_segm(0, phdr.p_vaddr, phdr.p_vaddr + phdr.p_memsz, ".text" if phdr.x else ".data", "CODE" if phdr.x else "DATA") seg = idaapi.getseg(phdr.p_vaddr) if phdr.x: seg.perm = idaapi.SEGPERM_EXEC | idaapi.SEGPERM_READ phdr_text = phdr else: seg.perm = idaapi.SEGPERM_READ | idaapi.SEGPERM_WRITE self.fin.file2base(phdr.p_offset, phdr.p_vaddr, phdr.p_vaddr + phdr.p_filesz, 1) if header.e_type == Ehdr.ET_SCE_EXEC: self.phdr_modinfo = phdr_text modinfo_off = phdr_text.p_offset + header.e_entry else: self.phdr_modinfo = phdrs[(header.e_entry & (0b11 << 30)) >> 30] modinfo_off = self.phdr_modinfo.p_offset + (header.e_entry & 0x3FFFFFFF) self.fin.seek(modinfo_off) modinfo = SceModuleInfo(self.fin.read(SceModuleInfo.SIZE)) modinfo_ea = idaapi.get_fileregion_ea(modinfo_off) apply_struct(modinfo_ea, SceModuleInfo._find_or_create_struct()) print "" print " Module: " + str(modinfo.name) print " NID: 0x{:08X}".format(modinfo.nid) print "" print "2) Parsing export tables" self.parse_impexp(modinfo.export_top, modinfo.export_end, SceModuleExports, self.cb_exp) print "3) Parsing import tables" self.parse_impexp(modinfo.import_top, modinfo.import_end, SceModuleImports, self.cb_imp) print "4) Waiting for IDA to analyze the program" idc.Wait() print "5) Analyzing system instructions" from highlight_arm_system_insn import run_script run_script() print "6) Adding MOVT/MOVW pair xrefs" add_xrefs()