def search_retns(self): if not self.debug: print("found %d modules" % len(self.modules)) for m in self.modules: # Iterate over segments in the module # BUG: Iterating over all loaded segments is more stable than looking up by address if not self.debug: print("found %d segments" % idaapi.get_segm_qty()) for n in xrange(idaapi.get_segm_qty()): seg = idaapi.getnseg(n) # Locate executable segments in a selected modules # NOTE: Each module may have multiple executable segments if seg and seg.startEA >= m.addr and seg.endEA <= (m.addr + m.size): # If the debugger is attached then we can check if the segment is executable, else # just check if it is code or not. if idaapi.dbg_can_query() and idaapi.get_process_state() < 0: if seg.perm & idaapi.SEGPERM_EXEC == 0: continue elif seg.type & idaapi.SEG_CODE == 0: continue ####################################################### # Search for ROP gadgets if self.searchRop: #Search all instances of BLR ea = seg.startEA while True: ea = idaapi.find_binary(ea + 1, seg.endEA, "4E 80 00 20", 16, idaapi.SEARCH_DOWN) if ea == idaapi.BADADDR: break self.retns.append((ea, m.file)) # Search all instances of BTCTR ea = seg.startEA while True: ea = idaapi.find_binary(ea + 1, seg.endEA, "4E 80 04 20", 16, idaapi.SEARCH_DOWN) if ea == idaapi.BADADDR: break self.retns.append((ea, m.file)) # Search all instances of BTCTRL ea = seg.startEA while True: ea = idaapi.find_binary(ea + 1, seg.endEA, "4E 80 04 21", 16, idaapi.SEARCH_DOWN) if ea == idaapi.BADADDR: break self.retns.append((ea, m.file))
def main(): if not idaapi.is_debugger_on(): idc.Warning("Please run the process first!") return if idaapi.get_process_state() != -1: idc.Warning("Please suspend the debugger first!") return # only avail from IdaPython r232 if hasattr(idaapi, "NearestName"): # get all debug names dn = idaapi.get_debug_names(idaapi.cvar.inf.minEA, idaapi.cvar.inf.maxEA) # initiate a nearest name search (using debug names) nn = idaapi.NearestName(dn) else: nn = None ret, callstack = CallStackWalk(nn) if ret: title = "Call stack walker (thread %X)" % (GetCurrentThreadId()) idaapi.close_chooser(title) c = CallStackWalkChoose(callstack, title) c.choose() else: idc.Warning("Failed to walk the stack:" + callstack)
def start(): process_is_suspended = False #check if process is suspended if idaapi.is_debugger_on(): if idaapi.get_process_state() == -1: process_is_suspended = True else: idaapi.warning("Please suspend the debugger!") else: idaapi.warning("Please run the process!") #then start a stack checking if process_is_suspended: is_success, call_list, call_addr_list = get_all_calls() if is_success and call_list is not None: curr_thread = ida_dbg.get_current_thread() title = "CallStack - thread: {}".format(curr_thread) idaapi.close_chooser(title) c = MyChoose(call_list, call_addr_list, title) c.Show() else: idaapi.warning( "Something wrong. There is no functions. Set DEBUG flag in the script and check what is going on" )
def main(): if not idaapi.is_debugger_on(): idc.Warning("Please run the process first!") return if idaapi.get_process_state() != -1: idc.Warning("Please suspend the debugger first!") return info = idaapi.get_inf_structure() if info.is_64bit(): long_size = 8 elif info.is_32bit(): long_size = 4 else: idc.Warning("Only 32 or 64 bit is supported!") return # only avail from IdaPython r232 if hasattr(idaapi, "NearestName"): # get all debug names dn = idaapi.get_debug_names(idaapi.cvar.inf.minEA, idaapi.cvar.inf.maxEA) # initiate a nearest name search (using debug names) nn = idaapi.NearestName(dn) else: nn = None RetAddrStackWalk(nn, long_size)
def main(): if not idaapi.is_debugger_on(): print("Please run the process first!") return if idaapi.get_process_state() != -1: print("Please suspend the debugger first!") return dn = idaapi.get_debug_names(idaapi.cvar.inf.min_ea, idaapi.cvar.inf.max_ea) for i in dn: print("%08x: %s" % (i, dn[i]))
def watchdog(): while True: process_state = idaapi.get_process_state() if process_state == idc.DSTATE_RUN: self._resume_jdb() break elif process_state == idc.DSTATE_NOTASK: break else: time.sleep(0.5) self.unhook()
def check_memory_region(is_arch64): if ida_dbg.is_debugger_on(): if ida_kernwin.ask_buttons( "Yes", "No", "Cancel", -1, "Add auto memory region (without memory region go to EIP/RIP can fail)" ) == -1: raise UICancel ida_dbg.enable_manual_regions(1) infos = ida_idd.meminfo_vec_t() info = ida_idd.memory_info_t() info.perm = 7 if is_arch64: info.end_ea = 18446744073709551614 info.bitness = 2 else: info.end_ea = 4294967294 info.bitness = 1 info.sbase = 0 info.sclass = 'UNK' info.name = 'MEMORY' info.start_ea = 0 infos.push_back(info) ida_dbg.set_manual_regions(infos) # enable manual regions workarr: ida_dbg.enable_manual_regions(0) ida_dbg.refresh_debugger_memory() ida_dbg.enable_manual_regions(1) ida_dbg.refresh_debugger_memory() ida_dbg.edit_manual_regions() if idaapi.get_process_state() == -1: if is_arch64: cipreg = idaapi.get_reg_val('RIP') else: cipreg = idaapi.get_reg_val('EIP') ida_ua.create_insn(cipreg) ida_kernwin.jumpto(cipreg) ida_kernwin.refresh_idaview_anyway()
def is_process_suspended(): return (idaapi.get_process_state() == DSTATE_SUSP)
def is_process_suspended(): return (idaapi.get_process_state() == -1)
def search_retns(self): if not self.debug: print("found %d modules" % len(self.modules)) for m in self.modules: # Iterate over segments in the module # BUG: Iterating over all loaded segments is more stable than looking up by address if not self.debug: print("found %d segments" % idaapi.get_segm_qty()) for n in xrange(idaapi.get_segm_qty()): seg = idaapi.getnseg(n) # Locate executable segments in a selected modules # NOTE: Each module may have multiple executable segments if seg and seg.startEA >= m.addr and seg.endEA <= (m.addr + m.size): # If the debugger is attached then we can check if the segment is executable, else # just check if it is code or not. if idaapi.dbg_can_query() and idaapi.get_process_state() < 0: if seg.perm & idaapi.SEGPERM_EXEC == 0: continue elif seg.type & idaapi.SEG_CODE == 0: continue ####################################################### # Search for ROP gadgets if self.searchRop: # Search all instances of RETN ea = seg.startEA while True: ea = idaapi.find_binary(ea + 1, seg.endEA, "C3", 16, idaapi.SEARCH_DOWN) if ea == idaapi.BADADDR: break self.retns.append((ea, m.file)) # Search all instances of RETN imm16 ea = seg.startEA while True: ea = idaapi.find_binary(ea + 1, seg.endEA, "C2", 16, idaapi.SEARCH_DOWN) if ea == idaapi.BADADDR: break # Read imm16 value and filter large values retn_imm16 = read_module_memory(ea + 1, 0x2) retn_imm16 = unpack("<H", retn_imm16)[0] if retn_imm16 <= self.maxRetnImm: self.retns.append((ea, m.file)) ####################################################### # Search for JOP gadgets if self.searchJop: # Search all instances of JMP reg (FF /4) and CALL reg (FF /2) ea = seg.startEA while True: ea = idaapi.find_binary(ea + 1, seg.endEA, "FF", 16, idaapi.SEARCH_DOWN) if ea == idaapi.BADADDR: break # Read possible ModR/M, SIB, and IMM8/IMM32 bytes jop = read_module_memory(ea + 1, 0x6) if jop == None or len(jop) == 0: continue ################################################### # JMP/CALL reg if jop[0] in ["\xe0", "\xe1", "\xe2", "\xe3", "\xe4", "\xe5", "\xe6", "\xe7", "\xd0", "\xd1", "\xd2", "\xd3", "\xd4", "\xd5", "\xd6", "\xd7"]: self.retns.append((ea, m.file)) ################################################### # JMP/CALL [reg] no SIB # NOTE: Do not include pure [disp] instruction. # JMP/CALL [reg] no *SP,*BP elif jop[0] in ["\x20", "\x21", "\x22", "\x23", "\x26", "\x27", "\x10", "\x11", "\x12", "\x13", "\x16", "\x17"]: self.retns.append((ea, m.file)) # JMP/CALL [reg + imm8] no *SP elif jop[0] in ["\x60", "\x61", "\x62", "\x63", "\x65", "\x66", "\x67", "\x50", "\x51", "\x52", "\x53", "\x55", "\x56", "\x57"]: jop_imm8 = jop[1] jop_imm8 = unpack("b", jop_imm8)[0] # signed if jop_imm8 <= self.maxJopImm: self.retns.append((ea, m.file)) # JMP/CALL [reg + imm32] no *SP elif jop[0] in ["\xa0", "\xa1", "\xa2", "\xa3", "\xa5", "\xa6", "\xa7", "\x90", "\x91", "\x92", "\x93", "\x95", "\x96", "\x97"]: jop_imm32 = jop[1:5] jop_imm32 = unpack("<i", jop_imm32)[0] # signed if jop_imm32 <= self.maxJopImm: self.retns.append((ea, m.file)) ################################################### # JMP/CALL [reg] with SIB # NOTE: Do no include pure [disp] instructions in SIB ([*] - none) elif (jop[0] in ["\x24", "\x64", "\xa4"] and not jop[1] in ["\x25", "\x65", "\xad", "\xe5"]) or \ (jop[0] in ["\x14", "\x54", "\x94"] and not jop[1] in ["\x25", "\x65", "\xad", "\xe5"]): # Check for displacement if jop[0] in ["\x64", "\x54"]: jop_imm8 = jop[2] jop_imm8 = unpack("b", jop_imm8)[0] # signed if jop_imm8 <= self.maxJopImm: self.retns.append((ea, m.file)) elif jop[0] in ["\xa4", "\x94"]: jop_imm32 = jop[2:6] jop_imm32 = unpack("<i", jop_imm32)[0] # signed if jop_imm32 <= self.maxJopImm: self.retns.append((ea, m.file)) else: self.retns.append((ea, m.file)) print "[idasploiter] Found %d returns" % len(self.retns)