def match_funcs(self, funcs):
if not self.check_before_use():
return
i, fail, skip, succ = 0, 0, 0, 0
def stop():
idaapi.hide_wait_box()
BinaryAILog.summary(succ, skip, fail, "matched")
funcs_len = len(funcs)
idaapi.show_wait_box("Matching... (0/{})".format(funcs_len))
for ea in funcs:
# refresh process status
i += 1
idaapi.replace_wait_box("Matching... ({}/{})".format(i, funcs_len))
# check cancelled or not
if idaapi.user_cancelled():
stop()
return
status = None
try:
status = self._match_with_check(ea)
finally:
if status == 1:
succ += 1
elif status == 0:
skip += 1
else:
fail += 1
stop()
def run_query(qf, ea_list, qs):
subtitle = qs.help
title = subtitle if len(subtitle) < 80 else "%s..." % subtitle[:77]
ch = hxtb.ic_t(title="Shell [%s]" % title)
mode = qs.ast_type == 1
idaapi.show_wait_box("Processing")
try:
nfuncs = len(ea_list)
for j, ea in enumerate(ea_list):
if idaapi.user_cancelled():
break
idaapi.replace_wait_box("Processing function %d/%d" %
(j + 1, nfuncs))
r = list()
try:
r = hxtb.exec_query(qf, [ea],
mode,
parents=True,
flags=idaapi.DECOMP_NO_WAIT)
for x in r:
ch.append(x)
except Exception as e:
print("%s: %s" % (SCRIPT_NAME, e))
finally:
idaapi.hide_wait_box()
return ch
def retrieve_selected_functions(self, funcs):
if not self.check_before_use():
return
funcset_ids = [self.funcset] if not self.cfg['usepublic'] else None
i, succ, skip, fail = 0, 0, 0, 0
_funcs = [ea for ea in funcs]
funcs_len = len(_funcs)
idaapi.show_wait_box("Matching... (0/{})".format(funcs_len))
for ea in _funcs:
i += 1
idaapi.replace_wait_box("Matching... ({}/{})".format(i, funcs_len))
if idaapi.user_cancelled():
idaapi.hide_wait_box()
print(
"[{}] {} functions successfully matched, {} functions failed, {} functions skipped"
.format(self.name, succ, fail, skip))
return
code = self.retrieve_function_with_check(ea, 1, funcset_ids)
if code == 0:
succ += 1
elif code == 1:
skip += 1
else:
fail += 1
idaapi.hide_wait_box()
print(
"[{}] {} functions successfully matched, {} functions failed, {} functions skipped"
.format(self.name, succ, fail, skip))
def main():
global indent_cmd
x = CSrcDiffDialog()
x.Compile()
x.iMinLevel.value = "0.0"
x.iMinDisplayLevel.value = "0.0"
indent_cmd = reg_read_string("PIGAIOS", "indent-cmd", "indent -kr -ci2 -cli2 -i2 -l80 -nut")
x.iIndentCommand.value = indent_cmd
if not x.Execute():
return
show_wait_box("Finding matches...")
try:
database = x.iFileOpen.value
min_level = float(x.iMinLevel.value)
min_display_level = float(x.iMinDisplayLevel.value)
reg_write_string("PIGAIOS", x.iIndentCommand.value, "indent-cmd")
lexer = shlex.shlex(x.iIndentCommand.value)
lexer.wordchars += "\:-."
indent_cmd = list(lexer)
importer = CIDABinaryToSourceImporter()
importer.min_level = min_level
importer.min_display_level = min_display_level
importer.use_decompiler = x.rUseDecompiler.checked
importer.import_src(database)
finally:
hide_wait_box()
def init(self):
idaapi.show_wait_box("REDB Plugin is loading, please wait...")
# initialize self.red_functions
self._make_run_prepereations()
print "REDB Plugin loaded, press Ctrl-Shift-I for a list of commands"
return idaapi.PLUGIN_KEEP
def term(self):
""" On IDA's close event, export the Rop gadget list in a default csv file"""
idaapi.show_wait_box("Saving gadgets ...")
try:
idarop_manager.save_internal_db()
except Exception as e:
pass
idaapi.hide_wait_box()
def init(self):
idaapi.show_wait_box("REDB Plugin is loading, please wait...")
# initialize self.red_functions
self._make_run_prepereations()
print "REDB Plugin loaded, press Ctrl-Shift-I for a list of commands"
return idaapi.PLUGIN_KEEP
def __init__(self, project_script):
self.hooks = None
self.project_script = project_script
CBinaryToSourceImporter.__init__(self, GetIdbPath())
show_wait_box("Finding matches...")
self.src_db = None
self.use_decompiler = False
def refreshitems(self):
# Pb : rop engine has not been init
if self.idarop.rop == None:
return
# No new data present
if self.rop_list_cache == self.idarop.rop.gadgets:
return
self.items = []
# No data present
if len(self.idarop.rop.gadgets) == 0:
return
if len(self.idarop.rop.gadgets) > 10000:
idaapi.show_wait_box("Ida rop : loading rop list ...")
for i, g in enumerate(self.idarop.rop.gadgets):
# reconstruct disas
if g.opcodes == "":
bad_gadget = False
opcodes = idc.GetManyBytes(g.address,
g.ret_address - g.address + 1)
instructions = list()
ea = g.address
while ea <= g.ret_address:
instructions.append(
idc.GetDisasmEx(ea, idaapi.GENDSM_FORCE_CODE))
ea += idaapi.decode_insn(ea)
# Badly decoded gadget
if idaapi.decode_insn(ea) == 0:
bad_gadget = True
break
if not bad_gadget:
h = Gadget(address=g.address,
ret_address=g.ret_address,
instructions=instructions,
opcodes=opcodes,
size=len(opcodes))
self.idarop.rop.gadgets[i] = h
self.items.append(
h.get_display_list(self.idarop.addr_format))
else:
self.items.append(g.get_display_list(self.idarop.addr_format))
self.rop_list_cache = self.idarop.rop.gadgets
if len(self.idarop.rop.gadgets) > 10000:
idaapi.hide_wait_box()
def __init__(self):
idaapi.show_wait_box("REDB Plugin is loading, please wait...")
self.functions = {}
utils._backup_idb_file()
utils.Configuration.assert_config_file_validity()
self._collect_string_addresses()
self.cur_history_item_index = 0
self.first_undo = 1
print "*** REDB Plugin loaded. ***"
idaapi.hide_wait_box()
def ghidraaas_checkin(bin_file_path, filename, ghidra_server_url):
"""
Upload the .bytes files in ghidraaas.
One time only (until IDA is restarted...)
"""
idaapi.show_wait_box("Connecting to Ghidraaas. Sending bytes file...")
try:
md5_hash = idautils.GetInputFileMD5()
queue = Queue.Queue()
my_args = (bin_file_path, filename, ghidra_server_url, md5_hash, queue)
t1 = threading.Thread(target=ghidraaas_checkin_thread,
args=my_args)
t1.start()
counter = 0
stop = False
while not stop:
time.sleep(SLEEP_LENGTH)
counter += 1
# User terminated action
if idaapi.user_cancelled():
stop = True
print("GhIDA:: [!] Check-in interrupted.")
continue
# Reached TIIMEOUT
if counter > COUNTER_MAX:
stop = True
print("GhIDA:: [!] Timeout reached.")
continue
# Thread terminated
if not t1.isAlive():
stop = True
print("GhIDA:: [DEBUG] Thread terminated.")
continue
print("GhIDA:: [DEBUG] Joining check-in thread.")
t1.join(0)
q_result = queue.get_nowait()
print("GhIDA:: [DEBUG] Thread joined. Got queue result.")
idaapi.hide_wait_box()
return q_result
except Exception:
idaapi.hide_wait_box()
print("GhIDA:: [!] Check-in error.")
idaapi.warning("GhIDA check-in error")
return False
def show_rop_view(self):
""" Show the list of rop gadgets found """
# If the default csv exist but has not been loaded, load here
if self.defered_loading == True:
idaapi.show_wait_box("loading gadgets db ...")
self.load_default_csv(force=True)
idaapi.hide_wait_box()
self.defered_loading = False
# Show the ROP gadgets view
self.ropView.refreshitems()
self.ropView.show()
def _submit_all_handled(self):
"""
Submit user description for all handled functions.
"""
num_of_funcs = str(len(self._handled_functions))
idaapi.show_wait_box("Submitting " + num_of_funcs + " function...")
try:
for function in self._handled_functions:
self._handled_functions[function].submit_description()
except Exception as e:
print "REDB: Unexpected exception thrown while submitting:"
print e
idaapi.hide_wait_box()
def _submit_one(self):
"""
Submits the user's description.
"""
if self._assert_currently_pointing_at_a_function():
if self._assert_current_function_is_handled():
idaapi.show_wait_box("Submitting...")
try:
self._cur_func.submit_description()
except Exception as e:
print "REDB: Unexpected exception thrown while submitting:"
print e
idaapi.hide_wait_box()
def _submit_all_handled(self):
"""
Submit user description for all handled functions.
"""
num_of_funcs = str(len(self._handled_functions))
idaapi.show_wait_box("Submitting " + num_of_funcs + " function...")
try:
for function in self._handled_functions:
self._handled_functions[function].submit_description()
except Exception as e:
print "REDB: Unexpected exception thrown while submitting:"
print e
idaapi.hide_wait_box()
def _submit_one(self):
"""
Submits the user's description.
"""
if self._assert_currently_pointing_at_a_function():
if self._assert_current_function_is_handled():
idaapi.show_wait_box("Submitting...")
try:
self._cur_func.submit_description()
except Exception as e:
print "REDB: Unexpected exception thrown while submitting:"
print e
idaapi.hide_wait_box()
def _request_one(self):
"""
Request descriptions for a function.
"""
if self._assert_currently_pointing_at_a_function():
if self._assert_current_function_is_handled():
idaapi.show_wait_box("Requesting...")
try:
self._cur_func.request_descriptions()
except Exception as e:
print "REDB: Unexpected exception thrown while requesting:"
print e
idaapi.hide_wait_box()
def _request_one(self):
"""
Request descriptions for a function.
"""
if self._assert_currently_pointing_at_a_function():
if self._assert_current_function_is_handled():
idaapi.show_wait_box("Requesting...")
try:
self._cur_func.request_descriptions()
except Exception as e:
print "REDB: Unexpected exception thrown while requesting:"
print e
idaapi.hide_wait_box()
def ghidraaas_checkout(ghidra_server_url):
"""
That's all. Remove .bytes file from Ghidraaas server.
"""
if not GLOBAL_CHECKIN:
return
idaapi.show_wait_box(
"Connecting to Ghidraaas. Removing temporary files...")
try:
md5_hash = idautils.GetInputFileMD5()
aargs = (md5_hash, ghidra_server_url)
t1 = threading.Thread(target=ghidraaas_checkout_thread,
args=aargs)
t1.start()
counter = 0
stop = False
while not stop:
# print("waiting check-out 1 zzz")
# idaapi.request_refresh(idaapi.IWID_DISASMS)
time.sleep(0.1)
if wasbreak():
print("GhIDA:: [!] Check-out interrupted.")
stop = True
continue
if counter > COUNTER_MAX * 10:
print("GhIDA:: [!] Timeout reached.")
stop = True
continue
if not t1.isAlive():
stop = True
print("GhIDA:: [DEBUG] Thread terminated.")
continue
print("GhIDA:: [DEBUG] Joining check-out thread.")
t1.join(0)
print("GhIDA:: [DEBUG] Thread joined")
idaapi.hide_wait_box()
return
except Exception:
idaapi.hide_wait_box()
print("GhIDA:: [!] Check-out error")
idaapi.warning("GhIDA check-out error")
return
def _request_all_handled(self):
"""
Request descriptions for all handled functions.
"""
num_of_funcs = str(len(self._handled_functions))
idaapi.show_wait_box("Requesting Descriptions for " + num_of_funcs + \
" function...")
try:
for function in self._handled_functions:
self._handled_functions[function].\
request_descriptions()
except Exception as e:
print "REDB: Unexpected exception thrown while requesting:"
print e
idaapi.hide_wait_box()
def _request_all_handled(self):
"""
Request descriptions for all handled functions.
"""
num_of_funcs = str(len(self._handled_functions))
idaapi.show_wait_box("Requesting Descriptions for " + num_of_funcs + \
" function...")
try:
for function in self._handled_functions:
self._handled_functions[function].\
request_descriptions()
except Exception as e:
print "REDB: Unexpected exception thrown while requesting:"
print e
idaapi.hide_wait_box()
def run(self, argument):
"""Execute the script when invoked."""
try:
# Remove the modal dialogue
old = idaapi.disable_script_timeout()
idaapi.show_wait_box("Decompiling function...")
self.decompiler.set_screen_address_to_decompile()
self.decompiler.decompile()
# Re-enable the original timeout.
idaapi.set_script_timeout(old)
except PointSourceException, err:
print "[-] Unable to run decompiler : %s" % err
def run(self):
idaapi.show_wait_box("Running analysis")
# Create a timer to allow for cancellation
self.timer = LocalAnalyzerTimer(self)
cmdline = ["bincat", [self.initfname, self.outfname, self.logfname]]
# start the process
bc_log.debug("Analyzer cmdline: [%s %s]", cmdline[0],
" ".join(cmdline[1]))
try:
self.start(*cmdline)
except Exception as e:
bc_log.error("BinCAT failed to launch the analyzer.py")
bc_log.warning("Exception: %s\n%s", str(e), traceback.format_exc())
else:
bc_log.info("Analyzer started.")
def submit_description(self):
# Preparing Post
post = utils.Post()
post.add_data('type', 'submit')
post.add_data('attributes', self._attributes)
cur_desc = descriptions.DescriptionUtils.get_all(self._first_addr)
post.add_data('description', cur_desc)
# Submitting
idaapi.show_wait_box("Submitting...")
res_data = post.send()
idaapi.hide_wait_box()
# Handling response
if isinstance(res_data, str): # a message from the server
return res_data
else:
return "Error: Illegal response format."
def revert_selected_functions(self, funcs):
i, succ, skip, fail = 0, 0, 0, 0
_funcs = [ea for ea in funcs]
funcs_len = len(_funcs)
idaapi.show_wait_box("reverting... (0/{})".format(funcs_len))
for ea in _funcs:
i += 1
idaapi.replace_wait_box("reverting... ({}/{})".format(
i, funcs_len))
pfn = idaapi.get_func(ea)
res = bai_mark.revert_bai_func(pfn.start_ea)
if res:
succ += 1
else:
skip += 1
idaapi.hide_wait_box()
print(
"[{}] {} functions successfully reverted, {} functions failed, {} functions skipped"
.format(self.name, succ, fail, skip))
def upload_funcs(self, funcs):
if not self.check_before_use(check_funcset=True):
return
i, succ, skip, fail = 0, 0, 0, 0
def stop():
idaapi.hide_wait_box()
BinaryAILog.summary(succ, skip, fail, "uploaded")
funcs_len = len(funcs)
idaapi.show_wait_box("Uploading... (0/{})".format(funcs_len))
for ea in funcs:
i += 1
idaapi.replace_wait_box("Uploading... ({}/{})".format(
i, funcs_len))
if idaapi.user_cancelled():
stop()
return
# < minsize
pfn = idaapi.get_func(ea)
if idaapi.FlowChart(pfn).size < bai_config['minsize']:
skip += 1
continue
# try upload
func_id = None
try:
func_id = self.mgr.upload(ea, self.mgr.funcset)
except DecompilationFailure as e:
BinaryAILog.fail(idaapi.get_func_name(ea), str(e))
fail += 1
continue
except BinaryAIException as e:
stop()
BinaryAILog.fatal(e)
# fail
if not func_id:
fail += 1
continue
succ += 1
stop()
def init(self):
idaapi.show_wait_box("Looking for classes...")
all_virtual_functions.clear()
all_virtual_tables.clear()
classes = []
for ordinal in range(1, idaapi.get_ordinal_qty(idaapi.cvar.idati)):
result = Class.create_class(ordinal)
if result:
classes.append(result)
for class_row, class_ in enumerate(classes):
class_item = TreeItem(class_, class_row, None)
for vtable_row, vtable in class_.vtables.items():
vtable_item = TreeItem(vtable, vtable_row, class_item)
vtable_item.children = [TreeItem(function, 0, vtable_item) for function in vtable.virtual_functions]
class_item.children.append(vtable_item)
self.tree_data.append(class_item)
idaapi.hide_wait_box()
def activate(self, ctx):
print("Suggesting variable names...")
idaapi.show_wait_box("Suggesting variable names... please wait")
ea = idaapi.get_screen_ea()
vuu = ida_hexrays.get_widget_vdui(ctx.widget)
if ea is None:
idaapi.warning("Current function not found.")
else:
f = StringIO()
with jsonlines.Writer(f) as writer:
try:
info, cfunc = func(ea, vuu)
# We must set the working directory to the dire dir to open the model correctly
os.chdir(dire_dir)
p = subprocess.Popen(['python', '-m', 'DIRE.prediction_plugin.run_one', '--model', MODEL], stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.PIPE, encoding=sys.getdefaultencoding())
#print(info)
writer.write(info)
comm = p.communicate(input=f.getvalue())
json_results = comm[0]
stderr = comm[1]
if p.returncode != 0:
print(stderr)
raise ValueError("Variable prediction failed")
results = json.loads(json_results)
best_results = results[0][0]
#print("best: ", best_results)
tuples = map(lambda x: (varnames[x[0]] if x[0] in varnames else x[0], x[1]['new_name']), best_results.items())
FinalRename(dict(tuples), cfunc, vuu).apply_to(cfunc.body, None)
# Force the UI to update
#vuu.refresh_ctext()
except ida_hexrays.DecompilationFailure:
idaapi.warning("Decompilation failed")
except ValueError as e:
idaapi.warning(str(e) + ". See output window for more details.")
idaapi.hide_wait_box()
return 1
def StartDump(self):
# print self.start
# print self.endorlen
self.filepath = idaapi.ask_file(1, "*.dump", "save dump file")
if self.dumptype == 0:
ea = self.getHexNum(self.start)
len = self.getHexNum(self.endorlen)
if not idaapi.is_loaded(ea) or not idaapi.is_loaded(ea + len):
idaapi.warning("arrary is out of bound")
return -1
if len <= 0:
idaapi.warning("len is <= 0")
return -1
print("start read bytes")
self.Close(0)
idaapi.show_wait_box("read bytes")
self.memdata = idaapi.get_bytes(ea, len)
print("read bytes end")
#idaapi.hide_wait_box("read end")
idaapi.hide_wait_box()
elif self.dumptype == 1:
ea = self.getHexNum(self.start)
len = self.getHexNum(self.endorlen) - self.getHexNum(self.start)
if not idaapi.is_loaded(ea) or not idaapi.is_loaded(ea + len):
idaapi.warning("arrary is out of bound")
return -1
if len <= 0:
idaapi.warning("len is <= 0")
return -1
print("start read bytes")
self.Close(0)
idaapi.show_wait_box("read bytes")
self.memdata = idaapi.get_bytes(ea, len)
print("read bytes end")
#idaapi.hide_wait_box("read end")
idaapi.hide_wait_box()
fp = open(self.filepath, 'wb')
fp.write(self.memdata)
fp.close()
idaapi.msg("save:" + self.filepath)
return 1
def setupModelData(self, root):
idaapi.show_wait_box("Looking for classes...")
all_virtual_functions.clear()
all_virtual_tables.clear()
classes = []
for ordinal in range(1, idaapi.get_ordinal_qty(idaapi.cvar.idati)):
result = Class.create_class(ordinal)
if result:
classes.append(result)
for class_ in classes:
class_item = TreeItem(class_, root)
for vtable in class_.vtables.values():
vtable_item = TreeItem(vtable, class_item)
vtable_item.children = [TreeItem(function, vtable_item) for function in vtable.virtual_functions]
class_item.appendChild(vtable_item)
root.appendChild(class_item)
idaapi.hide_wait_box()
def upload_selected_functions(self, funcs):
if not self.check_before_use(check_funcset=True):
return
i, succ, skip, fail = 0, 0, 0, 0
_funcs = [ea for ea in funcs]
funcs_len = len(_funcs)
idaapi.show_wait_box("Uploading... (0/{})".format(funcs_len))
for ea in _funcs:
i += 1
idaapi.replace_wait_box("Uploading... ({}/{})".format(
i, funcs_len))
if idaapi.user_cancelled():
idaapi.hide_wait_box()
print(
"[{}] {} functions successfully uploaded, {} functions failed, {} functions skipped"
.format(self.name, succ, fail, skip))
return
pfn = idaapi.get_func(ea)
if idaapi.FlowChart(pfn).size < self.cfg['minsize']:
skip += 1
continue
func_id = None
try:
func_id = self.upload_function(ea, self.funcset)
except DecompilationFailure:
pass
except BinaryAIException as e:
idaapi.hide_wait_box()
assert False, "[BinaryAI] {}".format(e._msg)
func_name = idaapi.get_func_name(ea)
if not func_id:
print("[{}] {} failed because upload error".format(
self.name, func_name))
fail += 1
continue
succ += 1
idaapi.hide_wait_box()
print(
"[{}] {} functions successfully uploaded, {} functions failed, {} functions skipped"
.format(self.name, succ, fail, skip))
def revert_funcs(self, funcs):
i, succ, skip = 0, 0, 0
def stop():
idaapi.hide_wait_box()
BinaryAILog.summary(succ, skip, 0, "reverted")
funcs_len = len(funcs)
idaapi.show_wait_box("Reverting... (0/{})".format(funcs_len))
for ea in funcs:
i += 1
idaapi.replace_wait_box("Reverting... ({}/{})".format(i, funcs_len))
if idaapi.user_cancelled():
stop()
return
if bai_mark.revert_bai_func(ea):
succ += 1
else:
skip += 1
stop()
def button_chart_on_click(self):
try:
idaapi.show_wait_box("Making chart...")
tab_title = self.get_tab_title()
if self.config.chart_type == ChartTypes.ENTROPY:
if self.config.use_disk_binary and not self.config.entropy['segm_exists']:
msg1 = "Do you want to create new segment with the binary content?\n"
msg2 = "This will allow you to navigate over the file by double-clicking on the chart"
if idaapi.ask_yn(1, "HIDECANCEL\n" + msg1 + msg2) == 1:
self.create_segment_with_binary()
self.parent.tabs.addTab(Entropy(self), tab_title)
elif self.config.chart_type == ChartTypes.HISTOGRAM:
self.parent.tabs.addTab(Histogram(self), tab_title)
except Exception as e:
idaapi.warning("%s" % traceback.format_exc())
idaapi.hide_wait_box()
def request_descriptions(self):
# Making room for new descriptions
self._public_descriptions = []
# Preparing Post
post = utils.Post()
post.add_data('type', 'request')
post.add_data('attributes', self._attributes)
# Requesting
idaapi.show_wait_box("Requesting...")
res_data = post.send()
idaapi.hide_wait_box()
# Handling response
if isinstance(res_data, str): # a message from the server
return res_data
elif isinstance(res_data, list):
for description in res_data:
self._add_description(description)
return "Received " + str(len(res_data)) + " descriptions."
else:
return "Error: Illegal response format."
def PopulateItems(self):
min_entropy = self.config['min_entropy']
cur_ea = self.config['start_addr']
idaapi.show_wait_box("Searching xrefs...")
while cur_ea < self.config['end_addr']:
xrefs = list(idautils.XrefsTo(cur_ea))
if len(xrefs) > 0 and xrefs[0].type != idaapi.fl_F: # discard ordinary flow
data = idaapi.get_bytes(cur_ea, self.config['block_size'])
assert len(data) == self.config['block_size']
ent = entropy(data)
if ent >= min_entropy:
self.items.append([
"%08X" % cur_ea,
"%.04f" % ent,
"%d" % len(xrefs),
"%d" % xrefs[0].iscode,
"%s" % idautils.XrefTypeName(xrefs[0].type)
])
cur_ea += 1
idaapi.hide_wait_box()
def search_pointers(self):
# HACK: A separate flag is used to track user canceling the search,
# because multiple calls to idaapi.wasBreak() do not properly
# detect cancellations.
breakFlag = False
# Show wait dialog
idaapi.show_wait_box("Searching writable function pointers...")
for m in self.modules:
###################################################################
# Locate all of the CALL and JMP instructions in the current module
# which use an immediate operand.
# List of call/jmp pointer calls in a given module
ptr_calls = list()
# Iterate over segments in the module
# BUG: Iterating over all loaded segments is more stable than looking up by address
for n in xrange(idaapi.get_segm_qty()):
seg = idaapi.getnseg(n)
# Segment in a selected modules
if seg and seg.startEA >= m.addr and seg.endEA <= (m.addr + m.size):
# Locate executable segments
# NOTE: Each module may have multiple executable segments
# TODO: Search for "MOV REG, PTR # CALL REG"
if seg.perm & idaapi.SEGPERM_EXEC:
# Search all instances of CALL /2 imm32/64 - FF 15
# TODO: Alternative pointer calls using SIB: FF 14 E5 11 22 33 44 - call dword/qword ptr [0x44332211]
# FF 14 65 11 22 33 44
# FF 14 25 11 22 33 44
call_ea = seg.startEA
while True:
call_ea = idaapi.find_binary(call_ea + 1, seg.endEA, "FF 15", 16, idaapi.SEARCH_DOWN)
if call_ea == idaapi.BADADDR: break
ptr_calls.append(call_ea)
# Search all instances of JMP /2 imm32/64 - FF 25
# TODO: Alternative pointer calls using SIB: FF 24 E5 11 22 33 44 - jmp dword/qword ptr [0x44332211]
# FF 24 65 11 22 33 44
# FF 24 25 11 22 33 44
call_ea = seg.startEA
while True:
call_ea = idaapi.find_binary(call_ea + 1, seg.endEA, "FF 25", 16, idaapi.SEARCH_DOWN)
if call_ea == idaapi.BADADDR: break
ptr_calls.append(call_ea)
###################################################################
# Extract all of the function pointers and make sure they are
# are writable.
# List of writable function pointer objects in a given module
ptrs = list()
for call_ea in ptr_calls:
# Decode CALL/JMP instruction
# NOTE: May result in invalid disassembly of split instructions
insn_size = idaapi.decode_insn(call_ea)
if insn_size:
insn = idaapi.cmd
insn_op1 = insn.Operands[0].type
# Verify first operand is a direct memory reference
if insn.Operands[0].type == idaapi.o_mem:
# Get operand address
ptr_ea = insn.Operands[0].addr
# Apply pointer offset
ptr_ea -= self.ptrOffset
# Locate segment where the pointer is located
ptr_seg = idaapi.getseg(ptr_ea)
# Make sure a valid segment writeable segment was found
if ptr_seg and ptr_seg.perm & idaapi.SEGPERM_WRITE:
# Get pointer charset
ptr_charset = self.sploiter.get_ptr_charset(ptr_ea)
# Filter the pointer
if not self.filterP2P:
if ptr_charset == None: continue
if self.ptrNonull and not "nonull" in ptr_charset: continue
if self.ptrUnicode and not "unicode" in ptr_charset: continue
if self.ptrAscii and not "ascii" in ptr_charset: continue
if self.ptrAsciiPrint and not "asciiprint" in ptr_charset: continue
if self.ptrAlphaNum and not "alphanum" in ptr_charset: continue
if self.ptrNum and not "numeric" in ptr_charset: continue
if self.ptrAlpha and not "alpha" in ptr_charset: continue
# Increment the fptr counter
# Get pointer disassembly
insn_disas = idc.GetDisasmEx(call_ea, idaapi.GENDSM_FORCE_CODE)
# Add pointer to the list
ptr = Ptr(m.file, ptr_ea, self.ptrOffset, ptr_charset, call_ea, insn_disas)
ptrs.append(ptr)
###################################################################
# Cache Pointers to Pointers
ptr_ea_prefix_cache = dict()
if self.searchP2P:
# CACHE: Running repeated searches over the entire memory space is
# very expensive. Let's cache all of the addresses containing
# bytes corresponding to discovered function pointers in a
# single search and simply reference this cache for each
# function pointer. Specifically running idaapi.find_binary()
# is much more expensive than idaapi.dbg_read_memory().
#
# NOTE: For performance considerations, the cache works on a per
# module basis, but could be expanded for the entire memory
# space.
#
# prefix_offset - how many bytes of discovered function
# pointers to cache.
#
# Example: For function pointers 0x00401234, 0x00404321, 0x000405678
# we are going to use prefix_offset 2, so we will cache all of the
# values located at addresses 0x0040XXXX
if self.sploiter.addr64:
pack_format = "<Q"
addr_bytes = 8
prefix_offset = 6
else:
pack_format = "<I"
addr_bytes = 4
prefix_offset = 2
# Set of unique N-byte address prefixes to search in memory
ea_prefix_set = set()
for ptr in ptrs:
ptr_ea = ptr.ptr_ea
ptr_bytes = struct.pack(pack_format, ptr_ea)
ptr_bytes = ptr_bytes[-prefix_offset:]
ea_prefix_set.add(ptr_bytes)
# Search the module for all bytes corresponding to the prefix
# and use them as candidates for pointers-to-pointers
for ea_prefix in ea_prefix_set:
# NOTE: Make sure you search using 44 33 22 11 format and not 11223344
ea_prefix_str = " ".join(["%02x" % ord(b) for b in ea_prefix])
# Initialize search parameters for a given module
ea = m.addr
maxea = m.addr + m.size
while True:
ea = idaapi.find_binary(ea + 1, maxea, ea_prefix_str, 16, idaapi.SEARCH_DOWN)
if ea == idaapi.BADADDR: break
p2p_ea = ea - (addr_bytes - prefix_offset)
dbg_mem = read_module_memory(p2p_ea, addr_bytes)
ptr_ea_prefix = unpack(pack_format, dbg_mem)[0]
if ptr_ea_prefix in ptr_ea_prefix_cache:
ptr_ea_prefix_cache[ptr_ea_prefix].add(p2p_ea)
else:
ptr_ea_prefix_cache[ptr_ea_prefix] = set([p2p_ea, ])
# Detect search cancellation, but allow the loop below
# to run to create already cached/found function pointers
# Canceled
if breakFlag or idaapi.wasBreak():
breakFlag = True
break
# Canceled
if breakFlag or idaapi.wasBreak():
breakFlag = True
break
###################################################################
# Locate Pointer to Pointers
for ptr in ptrs:
ptr_ea = ptr.ptr_ea
# Locate pointers-to-pointers for a given function pointer in the cache
if self.searchP2P and ptr_ea in ptr_ea_prefix_cache:
for p2p_ea in ptr_ea_prefix_cache[ptr_ea]:
# Apply pointer-to-pointer offset
p2p_ea -= self.p2pOffset
p2p_charset = self.sploiter.get_ptr_charset(p2p_ea)
# Filter the pointer
if self.filterP2P:
if p2p_charset == None: continue
if self.ptrNonull and not "nonull" in p2p_charset: continue
if self.ptrUnicode and not "unicode" in p2p_charset: continue
if self.ptrAscii and not "ascii" in p2p_charset: continue
if self.ptrAsciiPrint and not "asciiprint" in p2p_charset: continue
if self.ptrAlphaNum and not "alphanum" in p2p_charset: continue
if self.ptrNum and not "numeric" in p2p_charset: continue
if self.ptrAlpha and not "alpha" in p2p_charset: continue
# Copy existing pointer object to modify it for the particular p
p2p = copy.copy(ptr)
p2p.p2p_ea = p2p_ea
p2p.p2p_offset = self.p2pOffset
p2p.p2p_charset = p2p_charset
# Apppend p2p specific pointer object to the global list
self.ptrs.append(p2p)
# Exceeded maximum number of pointers
if self.maxPtrs and len(self.ptrs) >= self.maxPtrs:
breakFlag = True
print "[idasploiter] Maximum number of pointers exceeded."
break
# Simply append pointer object to the global list
else:
self.ptrs.append(ptr)
# Exceeded maximum number of pointers
if self.maxPtrs and len(self.ptrs) >= self.maxPtrs:
breakFlag = True
print "[idasploiter] Maximum number of pointers exceeded."
break
if breakFlag or idaapi.wasBreak():
breakFlag = True
break
# Canceled
# NOTE: Only works when started from GUI not script.
if breakFlag or idaapi.wasBreak():
breakFlag = True
print "[idasploiter] Canceled."
break
print "[idasploiter] Found %d total pointers." % len(self.ptrs)
idaapi.hide_wait_box()
def ghidraaas_decompile(address, xml_file_path, bin_file_path,
ghidra_server_url):
"""
Send the xml file to ghidraaas
and ask to decompile a function
"""
global GLOBAL_CHECKIN
# Filename without the .xml extension
filename = GLOBAL_FILENAME
if not GLOBAL_CHECKIN:
if ghidraaas_checkin(bin_file_path, filename, ghidra_server_url):
GLOBAL_CHECKIN = True
else:
raise Exception("[!] Ghidraaas Check-in error")
idaapi.show_wait_box("Connecting to Ghidraaas. Decompiling function %s" %
address)
try:
md5_hash = idautils.GetInputFileMD5()
queue = Queue.Queue()
aargs = (address, xml_file_path, bin_file_path, ghidra_server_url,
filename, md5_hash, queue)
t1 = threading.Thread(target=ghidraaas_decompile_thread, args=aargs)
t1.start()
counter = 0
stop = False
while not stop:
# idaapi.request_refresh(idaapi.IWID_DISASMS)
# print("waiting decompile 1 zzz")
time.sleep(0.1)
if idaapi.wasBreak():
print("GhIDA:: [!] decompilation interrupted.")
stop = True
continue
if counter > COUNTER_MAX * 10:
print("GhIDA:: [!] Timeout reached.")
stop = True
continue
if not t1.isAlive():
stop = True
print("GhIDA:: [DEBUG] Thread terminated.")
continue
print("GhIDA:: [DEBUG] Joining decompilation thread.")
t1.join(0)
q_result = queue.get_nowait()
print("GhIDA:: [DEBUG] Thread joined. Got queue result.")
idaapi.hide_wait_box()
return q_result
except Exception:
idaapi.hide_wait_box()
print("GhIDA:: [!] Unexpected decompilation error")
idaapi.warning("GhIDA decompilation error")
return None
def ghidra_headless(address, xml_file_path, bin_file_path,
ghidra_headless_path, ghidra_plugins_path):
"""
Call Ghidra in headless mode and run the plugin
FunctionDecompile.py to decompile the code of the function.
"""
try:
if not os.path.isfile(ghidra_headless_path):
print("GhIDA:: [!] ghidra analyzeHeadless not found.")
raise Exception("analyzeHeadless not found")
decompiled_code = None
idaapi.show_wait_box("Ghida decompilation started")
prefix = "%s_" % address
output_temp = tempfile.NamedTemporaryFile(prefix=prefix, delete=False)
output_path = output_temp.name
# print("GhIDA:: [DEBUG] output_path: %s" % output_path)
output_temp.close()
cmd = [
ghidra_headless_path, ".", "Temp", "-import", xml_file_path,
'-scriptPath', ghidra_plugins_path, '-postScript',
'FunctionDecompile.py', address, output_path, "-noanalysis",
"-deleteProject"
]
# Options to 'safely' terminate the process
if os.name == 'posix':
kwargs = {'preexec_fn': os.setsid}
else:
kwargs = {
'creationflags': subprocess.CREATE_NEW_PROCESS_GROUP,
'shell': True
}
p = subprocess.Popen(cmd,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT,
**kwargs)
stop = False
counter = 0
print("GhIDA:: [INFO] Ghidra headless (timeout: %ds)" % TIMEOUT)
print("GhIDA:: [INFO] Waiting Ghidra headless analysis to finish...")
while not stop:
time.sleep(0.1)
counter += 1
subprocess.Popen.poll(p)
# Process terminated
if p.returncode is not None:
stop = True
print("GhIDA:: [INFO] Ghidra analysis completed!")
continue
# User terminated action
if idaapi.wasBreak():
# Termiante the process!
if os.name == 'posix':
os.killpg(os.getpgid(p.pid), signal.SIGTERM)
else:
os.kill(p.pid, -9)
stop = True
print("GhIDA:: [!] Ghidra analysis interrupted.")
continue
# Process timeout
if counter > COUNTER_MAX * 10:
os.killpg(os.getpgid(p.pid), signal.SIGTERM)
stop = True
print("GhIDA:: [!] Decompilation error - timeout reached")
continue
# Check if JSON response is available
if os.path.isfile(output_path):
with open(output_path) as f_in:
j = json.load(f_in)
if j['status'] == "completed":
decompiled_code = j['decompiled']
else:
print("GhIDA:: [!] Decompilation error -",
" JSON response is malformed")
# Remove the temporary JSON response file
os.remove(output_path)
else:
print("GhIDA:: [!] Decompilation error - JSON response not found")
idaapi.warning("Ghidra headless decompilation error")
except Exception as e:
print("GhIDA:: [!] %s" % e)
print("GhIDA:: [!] Ghidra headless analysis failed")
idaapi.warning("Ghidra headless analysis failed")
decompiled_code = None
finally:
idaapi.hide_wait_box()
return decompiled_code
def __init__(self):
CBinaryToSourceImporter.__init__(self, GetIdbPath())
show_wait_box("Finding matches...")
self.src_db = None
self.use_decompiler = False
def search_gadgets(self):
count_total = len(self.retns)
count_notify = 0
count_curr = 0
# BUG: A separate flag is used to track user canceling the search,
# because multiple calls to idaapi.wasBreak() do not properly
# detect cancellations.
breakFlag = False
# Show wait dialog
if not self.debug: idaapi.show_wait_box("Searching gadgets: 00%%%%")
for (ea_end, module) in self.retns:
# Flush the gadgets cache for each new retn pointer
self.gadgets_cache = dict()
# Flush memory cache for each new retn pointer
self.dbg_mem_cache = None
# CACHE: It is faster to read as much memory in one blob than to make incremental reads backwards.
# Try to read and cache self.maxRopOffset bytes back. In cases where it is not possible,
# then simply try to read the largest chunk.
# NOTE: Read a bit extra to cover correct decoding of RETN, RETN imm16, CALL /2, and JMP /4 instructions.
for i in range(self.maxRopOffset):
self.dbg_mem_cache = read_module_memory(ea_end - self.maxRopOffset + i,
self.maxRopOffset - i + self.dbg_read_extra)
if self.dbg_mem_cache != None:
break
# Check to make sure we have actual data to work with.
if self.dbg_mem_cache == None:
continue
# Search all possible gadgets up to maxoffset bytes back
# NOTE: Try all byte combinations to capture longer/more instructions
# even with bad bytes in the middle.
for i in range(1, len(self.dbg_mem_cache) - self.dbg_read_extra):
ea = ea_end - i
# Get pointer charset
ptr_charset = self.sploiter.get_ptr_charset(ea)
# Filter the pointer
if ptr_charset == None: continue
if self.ptrNonull and not "nonull" in ptr_charset: continue
if self.ptrUnicode and not "unicode" in ptr_charset: continue
if self.ptrAscii and not "ascii" in ptr_charset: continue
if self.ptrAsciiPrint and not "asciiprint" in ptr_charset: continue
if self.ptrAlphaNum and not "alphanum" in ptr_charset: continue
if self.ptrNum and not "numeric" in ptr_charset: continue
if self.ptrAlpha and not "alpha" in ptr_charset: continue
# Try to build a gadget at the pointer
gadget = self.build_gadget(ea, ea_end)
# Successfully built the gadget
if gadget:
# Populate gadget object with more data
gadget.address = ea
gadget.module = module
gadget.ptr_charset = ptr_charset
# Filter gadgets with too many instruction
if gadget.size > self.maxRopSize:
break
# Append newly built gadget
self.gadgets.append(gadget)
self.gadgets_cache[ea] = gadget
# Exceeded maximum number of gadgets
if self.maxRops and len(self.gadgets) >= self.maxRops:
breakFlag = True
print "[idasploiter] Maximum number of gadgets exceeded."
break
else:
self.gadgets_cache[ea] = None
if breakFlag or idaapi.wasBreak():
breakFlag = True
break
# Canceled
# NOTE: Only works when started from GUI not script.
if breakFlag or idaapi.wasBreak():
breakFlag = True
print "[idasploiter] Canceled."
break
# Progress report
if not self.debug and count_curr >= count_notify:
# NOTE: Need to use %%%% to escape both Python and IDA's format strings
idaapi.replace_wait_box("Searching gadgets: %02d%%%%" % (count_curr * 100 / count_total))
count_notify += 0.10 * count_total
count_curr += 1
print "[idasploiter] Found %d gadgets." % len(self.gadgets)
if not self.debug: idaapi.hide_wait_box()
PORT = 8666
def pickle_sendz(host, port, var):
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
d = zlib.compress(pickle.dumps(var))
s.send(d)
s.close()
return None
except Exception, e:
return str(e)
idaapi.info("Please run the Hiew-Names-Server script and press OK")
idaapi.show_wait_box("Gathering and sending names to %s:%d" % (HOST, PORT))
info = []
for ea, name in idautils.Names():
offs = idaapi.get_fileregion_offset(ea)
if offs == idaapi.BADADDR:
continue
is_func = False if idaapi.get_func(ea) is None else True
info.append((offs, name, is_func))
ok = pickle_sendz(HOST, PORT, info)
idaapi.hide_wait_box()
if ok is not None:
