def extractField(self, ofsOrName, idxOrNone=None, size=None): size = size or self.align flds = self.fields() ofs = ofsOrName fld = None for x in flds: if idxOrNone is None: if x <= ofs and x + flds[x]['size'] > ofs and idxOrNone is None: fld = x break else: if x == ofsOrName or flds[x]['name'] == ofsOrName: fld = x ofs = x + idxOrNone * util.getTypeSize(flds[x]['type']) break if fld is None: raise Exception("Field not found: " + str(ofs)) idc.DelStrucMember(self.id, fld) cnt = 1 if size > self.align: cnt = size / self.align size = self.align self.mkfld(ofs, size, cnt) flds = self.fields(True) self.fixFields()
def delete_all_function_stack_members(func_ea, force=False): if g_vars["ERASE_STACK_MEMBERS"] or force: members, base = retrieve_stack_members(func_ea) stack_id = idc.GetFrame(func_ea) for k, v in members.items(): if k != base and "arg_" not in v: idc.DelStrucMember(stack_id, k) g_functions_stack.add(func_ea.startEA)
def get_function_sid(self, in_stack, local_size=1): if not in_stack: return 'create_struct_complex', idc.AddStrucEx(0, 'create_struct_complex', 0) ea = yaunit.get_next_function(lambda ea : yaunit.has_locals(ea, local_size)) frame = idaapi.get_frame(ea) self.assertNotEqual(frame, None) offset = idc.GetFirstMember(frame.id) while offset != idaapi.BADADDR: idc.DelStrucMember(frame.id, offset) offset = idc.GetFirstMember(frame.id) return ea, frame.id
def clear_struc_fields(self, struc_id, struc_size, xref_keys, is_union=False, member_type=ya.OBJECT_TYPE_STRUCT_MEMBER, name_offset=0): idc.BeginTypeUpdating(idc.UTP_STRUCT) last_offset = idc.GetLastMember(struc_id) # get existing member offsets field_offsets = set() for (xref_offset, xref_operand) in xref_keys: field_offsets.add(xref_offset) new_offsets = set() struc = idaapi.get_struc(struc_id) # create missing members first (prevent from deleting all members) for offset in field_offsets: member = idaapi.get_member(struc, offset) if member is not None and member.soff < offset: # we have a member above this member that is too big and contain this member # clear it! if DEBUG_EXPORTER: logger.debug( "reduce field : set_member_type(0x%08X, 0x%08X), overlapping 0x%08X", struc_id, member.soff, offset) idaapi.set_member_type(struc, member.soff, idc.FF_BYTE, None, 1) member = idaapi.get_member(struc, offset) if member is None or idaapi.get_member_name(member.id) is None: new_offsets.add(offset) member_name = YaToolIDATools.get_default_struc_member_name( member_type, offset, name_offset) if offset == last_offset and offset == struc_size: field_size = 0 else: field_size = 1 if DEBUG_EXPORTER: logger.debug( "AddStrucMember(0x%08X, '%s', 0x%08X, idc.FF_BYTE, -1, 0x%08X), name_offset=%d", struc_id, member_name, offset, field_size, name_offset) retval = idc.AddStrucMember(struc_id, member_name, offset, idc.FF_BYTE, -1, field_size) if retval != 0: logger.error( "Error %d with idc.AddStrucMember(0x%08X, '%s', 0x%08X," "idc.FF_BYTE, -1, 0x%08X), name_offset=%d", retval, struc_id, member_name, offset, field_size, name_offset) elif DEBUG_EXPORTER: logger.debug("Member exists : (0x%08X, '%s', 0x%08X, 0x%08X)", struc_id, idc.GetMemberName(struc_id, offset), offset, idc.GetMemberSize(struc_id, offset)) kept_offsets = field_offsets - new_offsets # clear kept members # split the loop since we will modify the structure while iterating offsets = set() for (offset, member_name) in YaToolIDATools.struc_member_list( struc_id, is_union): offsets.add(offset) for offset in offsets: if offset in kept_offsets: # This member already existed and is kept if offset == last_offset and offset == struc_size: # this is the last field, and it is a variable sized structure field_size = 0 else: field_size = 1 if member_type == ya.OBJECT_TYPE_STRUCT_MEMBER: strucmember_id = self.hash_provider.get_struc_member_id( struc_id, offset) elif member_type == ya.OBJECT_TYPE_STACKFRAME_MEMBER: strucmember_id = self.hash_provider.get_stackframe_member_object_id( struc_id, offset) else: logger.error("Bad member_type : %d" % member_type) if strucmember_id not in self.strucmember_ids: # It is not necessary to clear the member if it is presnet in the resolved_objects if DEBUG_EXPORTER: logger.debug( "SetStrucmember(0x%08X, None, 0x%08X, idc.FF_BYTE, -1, 0x%08X, name_offset=%s)", struc_id, offset, field_size, name_offset) YaToolIDATools.SetStrucmember(struc_id, None, offset, idc.FF_BYTE, -1, field_size, member_type=member_type, name_offset=name_offset) idc.SetMemberComment(struc_id, offset, "", 0) idc.SetMemberComment(struc_id, offset, "", 1) elif offset not in new_offsets: if (member_type != ya.OBJECT_TYPE_STACKFRAME_MEMBER or not idaapi.is_special_member( idc.GetMemberId(struc_id, offset))): if DEBUG_EXPORTER: logger.debug( "DelStrucMember(0x%08X, 0x%08X) (=%s:%s)", struc_id, offset, idc.GetStrucName(struc_id), idc.GetMemberName(struc_id, offset)) idc.DelStrucMember(struc_id, offset) else: # in new_offsets : just created pass idc.EndTypeUpdating(idc.UTP_STRUCT)
def supress_exception(cb): try: cb() except: pass g_vars["ERASE_STACK_MEMBERS"] = True supress_exception(find_WdfDriverCreate) supress_exception(find_WdfIoQueueCreate) supress_exception(find_WdfDeviceInitSetIoInCallerContextCallback) supress_exception(find_WdfDeviceCreateDeviceInterface) supress_exception(find_WdfControlDeviceInitAllocate) """ # 00000000167ED lea r8, [rbp+190h+var_170] lea_addr = 0x167ED # Get the stack struct current_func = idaapi.get_func(lea_addr) stack_id = idc.GetFrame(current_func) stack_struc = idaapi.get_struc(stack_id) # Get the stack operand offset value and stack member stack_member_offset = idc.get_operand_value(lea_addr, 1) stack_member = stack_struc.get_member(stack_member_offset) target_struct_id = idaapi.get_struc_id("_WDF_DRIVER_CONFIG") target_struc = idaapi.get_struc(target_struct_id )