def find_value(self, func_addr, instr_addr, register): """ Attempts to resolve the value of the given register at the given address. If the value cannot be resolved, None is returned. """ reg_num = idaapi.ph_get_regnames().index(register) # go back from the current instruction to the start of the function for instr_addr in list(instructions(func_addr, instr_addr))[::-1]: # look for instrucations that move a value into the desired register mnemonic = idc.GetMnem(instr_addr) if mnemonic == 'mov': op1_type = idc.get_operand_type(instr_addr, 0) op1_value = idc.get_operand_value(instr_addr, 0) if op1_type == idc.o_reg and op1_value == reg_num: op2_type = idc.get_operand_type(instr_addr, 1) op2_value = idc.get_operand_value(instr_addr, 1) # if this instruction sets the register to an immediate value if op2_type == idc.o_imm: # return that value return op2_value else: # it is not an immediate value, so we say we cannot # resolve the value return None # we did not find an allocation of the register, # so we return None to indicate that return None
def __init__(self, sploiter): self.maxRopOffset = 40 # Maximum offset from the return instruction to look for gadgets. default: 40 self.maxRopSize = 6 # Maximum number of instructions to look for gadgets. default: 6 self.maxRetnImm = 64 # Maximum imm16 value in retn. default: 64 self.maxJopImm = 255 # Maximum jop [reg + IMM] value. default: 64 self.maxRops = 0 # Maximum number of ROP chains to find. default: 0 (unlimited) self.debug = False self.regnames = idaapi.ph_get_regnames() self.sploiter = sploiter self.retns = list() self.gadgets = list() # Decoded instruction cache self.insn_cache = dict() # Extra bytes to read to ensure correct decoding of # RETN, RETN imm16, CALL /2, and JMP /4 instructions. self.dbg_read_extra = 6 # FF + ModR/M + SIB + disp32 self.insn_arithmetic_ops = ["inc","dec","neg", "add","sub","mul","imul","div","idiv","adc","sbb","lea"] self.insn_bit_ops = ["not","and","or","xor","shr","shl","sar","sal","shld","shrd","ror","rcr","rcl"]
def finish_populating_widget_popup(self, form, popup): # Or here, after the popup is done being populated by its owner. # We will attach our action to the context menu # for the 'Functions window' widget. # The action will be be inserted in a submenu of # the context menu, named 'Others'. if idaversion.get_widget_type(form) == idaapi.BWN_CALL_STACK: #line = form.GetCurrentLine() pass elif idaversion.get_widget_type(form) == idaapi.BWN_DISASM or \ idaversion.get_widget_type(form) == idaapi.BWN_DUMP: #regs =['eax', 'ebx', 'ecx', 'edx', 'esi', 'edi', 'ebp', 'esp', 'ax', 'bx', 'cx', 'dx', 'ah', 'al', 'bh', 'bl', 'ch', 'cl', 'dh', 'dl'] regs = idaapi.ph_get_regnames() idaapi.attach_action_to_popup(form, popup, "revCursor:action", 'RESim/') idaapi.attach_action_to_popup(form, popup, "dis:action", 'RESim/') highlighted = idaversion.getHighlight() if highlighted is not None: if highlighted in regs: idaapi.attach_action_to_popup(form, popup, "modReg:action", 'RESim/') else: addr = getHex(highlighted) if addr is not None or regFu.isHighlightedEffective(): idaapi.attach_action_to_popup(form, popup, "rev:action", 'RESim/') idaapi.attach_action_to_popup(form, popup, "dataWatch:action", 'RESim/') idaapi.attach_action_to_popup(form, popup, "addDataWatch:action", 'RESim/') idaapi.attach_action_to_popup(form, popup, "revData:action", 'RESim/') idaapi.attach_action_to_popup(form, popup, "modMemory:action", 'RESim/') idaapi.attach_action_to_popup(form, popup, "stringMemory:action", 'RESim/') opnum = idaapi.get_opnum() if opnum >= 0: idaapi.attach_action_to_popup(form, popup, "structField:action", 'RESim/')
def __init__(self): # Get a list of the current processor module's registers self.registers = idaapi.ph_get_regnames() # Find the list of function argument registers that fit the current processor module # TODO: Probably better to look this up based on the processor module name, as it can't # distinguish between ARM and Thumb. self.argv = None for arch in self.ARCHES: if not (set(arch.argv) - set(self.registers)): self.argv = list(arch.argv) self.delay_slot = arch.delay self.insn_size = arch.size break if self.argv is None: raise Exception("Unknown/unsupported architecture!")
def get_arch(): (arch, bits) = (None, None) for x in idaapi.ph_get_regnames(): name = x if name == 'RAX': arch = 'amd64' bits = 64 break elif name == 'EAX': arch = 'x86' bits = 32 break elif name == 'R0': arch = 'arm' bits = 32 break return (arch, bits)
def main(): # Obtain a list of the registers for the current architecture. regs = idaapi.ph_get_regnames() for i, reg in enumerate(regs): print " %-5s = %d" % (reg.upper(), i) # Add a separator print "\n TOTAL_GPR = %d" % len(regs) # Now create a list of the the previous enumerated registers and put them # under the GPR (General Porpuse Registers) name). print "\n GPR_NAMES = {" for i, reg in enumerate(regs): print " %-5s : \"%s\"," % (reg.upper(), reg) print "\n }"
def regOffsetToName(offset): """ Get register name from an offset to ph.regnames """ regName = idaapi.ph_get_regnames()[offset] if not offset in range(0, 7): return regName.upper() if get_native_size() is 16: return regName.upper() if get_native_size() is 32: return "E" + regName.upper() if get_native_size() is 64: return "R" + regName.upper() return ValueError("Failed to retrieve register name.")
def __init__(self): self.registers = idaapi.ph_get_regnames() self.argv = None for arch in self.ARCHES: if not (set(arch.argv) - set(self.registers)): self.argv = list(arch.argv) self.delay_slot = arch.delay self.insn_size = arch.size break if self.argv is None: self.argv = [] self.registers = [] self.delay_slot = False self.insn_size = 0 self.unknown = True else: self.unknown = False
def get_arch(): (arch, mode) = (None, None) for x in idaapi.ph_get_regnames(): name = x if name.upper() == 'AX': arch = KS_ARCH_X86 info = idaapi.get_inf_structure() if info.is_64bit(): mode = KS_MODE_64 elif info.is_32bit(): mode = KS_MODE_32 else: mode = KS_MODE_16 break elif name.upper() == 'R0': arch = KS_ARCH_ARM mode = KS_MODE_ARM break return (arch, mode)
def __init__(self): self.registers = idaapi.ph_get_regnames() # Find the list of function argument registers that fit the current # processor module # TODO: Probably better to look this up based on the processor module # name, as it can't distinguish between ARM and Thumb. self.argv = None for arch in self.ARCHES: if not (set(arch.argv) - set(self.registers)): self.argv = list(arch.argv) self.delay_slot = arch.delay self.insn_size = arch.size break if self.argv is None: self.argv = [] self.registers = [] self.delay_slot = False self.insn_size = 0 self.unknown = True else: self.unknown = False
def __init__(self): # Get a list of the current processor module's registers self.registers = idaapi.ph_get_regnames() # Find the list of function argument registers that fit the current processor module # TODO: Probably better to look this up based on the processor module name, as it can't # distinguish between ARM and Thumb. self.argv = None for arch in self.ARCHES: if not (set(arch.argv) - set(self.registers)): self.argv = list(arch.argv) self.delay_slot = arch.delay self.insn_size = arch.size break if self.argv is None: #print "WARNING: Unknown/unsupported architecture. Architecture specific analysis will be disabled." self.argv = [] self.registers = [] self.delay_slot = False self.insn_size = 0 self.unknown = True else: self.unknown = False
def GetRegisterList(): """Returns the register list""" return idaapi.ph_get_regnames()
def names(cls): return idaapi.ph_get_regnames()
import menuMod idaapi.require("idaSIM") idaapi.require("stackTrace") idaapi.require("bookmarkView") idaapi.require("reHooks") idaapi.require("menuMod") from idaapi import Choose ''' Ida script to reverse execution of Simics to the next breakpoint. Since Ida does not know about reverse exectution, the general approach is to tell Simics to reverse and then tell Ida to continue forward. The script installs its functions as a hotkeys. See showHelp below ''' #reg_list =['eax', 'ebx', 'ecx', 'edx', 'esi', 'edi', 'ebp', 'esp', 'ax', 'bx', 'cx', 'dx', 'ah', 'al', 'bh', 'bl', 'ch', 'cl', 'dh', 'dl'] reg_list = idaapi.ph_get_regnames() kernel_base = 0xc0000000 info = idaapi.get_inf_structure() if info.is_64bit(): print('64-bit') kernel_base = 0xFFFFFFFF00000000 else: print('32-bit') def showHelp(prompt=False): print('in showHelp') lines = {} lines['overview'] = """ CGC Monitor Ida Client Help The Ida gdb client is enhanced to support reverse execution; use of