def parse_func_pointer(): renamed = 0 for segea in idautils.Segments(): for addr in idautils.Functions(segea, idc.SegEnd(segea)): #for addr in idautils.Functions(text_seg.startEA, text_seg.endEA): name = idc.GetFunctionName(addr) # Look at data xrefs to the function - find the pointer that is located in .rodata data_ref = idaapi.get_first_dref_to(addr) while data_ref != idc.BADADDR: if 'rodata' in idc.get_segm_name(data_ref): # Only rename things that are currently listed as an offset; eg. off_9120B0 if 'off_' in idc.GetTrueName(data_ref): if idc.MakeNameEx(data_ref, ('%s_ptr' % name), flags=idaapi.SN_FORCE): idaapi.autoWait() renamed += 1 else: common._error( 'Failed to name pointer @ 0x%02x for %s' % (data_ref, name)) data_ref = idaapi.get_next_dref_to(addr, data_ref) common._info("\nRename %d function pointers.\n" % renamed)
def prepare_parse_type(typestr, addr): """ idc.ParseType doesnt accept types without func / local name as exported by default GetType this is an ugly hack to fix it """ lname = idc.GetTrueName(addr) if lname is None: lname = "Default" # func pointers conventions = [ "__cdecl *", "__stdcall *", "__fastcall *", # "__usercall *", # "__userpurge *", "__thiscall *", "__cdecl", "__stdcall", "__fastcall", # "__usercall", # "__userpurge", "__thiscall" ] mtype = None for conv in conventions: if conv in typestr: mtype = typestr.replace(conv, conv + " " + lname) break return mtype
def is_start_of_function(ea): """Returns `True` if `ea` is the start of a function.""" if not is_code(ea): return False name = idc.GetFunctionName(ea) or idc.GetTrueName(ea) return ea == idc.LocByName(name)
def activate(self, ctx): hx_view = idaapi.get_tform_vdui(ctx.form) var_type = ShallowScanVariable.check(hx_view.item) if var_type == "LOCAL": variable = hx_view.item.get_lvar() # lvar_t index = list(hx_view.cfunc.get_lvars()).index(variable) scanner = ShallowSearchVisitor(hx_view.cfunc, 0, index) elif var_type == "GLOBAL": variable = hx_view.item.it.to_specific_type name = idc.GetTrueName(variable.obj_ea) tinfo = variable.type scanner = ShallowSearchVisitor(hx_view.cfunc, 0, global_variable=(name, tinfo)) else: return scanner.process() structure = TemporaryStructureModel() for field in scanner.candidates: structure.add_row(field) tinfo = structure.get_recognized_shape() if tinfo: tinfo.create_ptr(tinfo) if var_type == "LOCAL": hx_view.set_lvar_type(variable, tinfo) elif var_type == "GLOBAL": idaapi.apply_tinfo2(variable.obj_ea, tinfo, idaapi.TINFO_DEFINITE) hx_view.refresh_view(True)
def activate(self, ctx): hx_view = idaapi.get_tform_vdui(ctx.form) origin = self.temporary_structure.main_offset var_type = self.check(hx_view.item) if var_type == "LOCAL": variable = hx_view.item.get_lvar() # lvar_t index = list(hx_view.cfunc.get_lvars()).index(variable) scanner = ShallowSearchVisitor(hx_view.cfunc, origin, index) elif var_type == "GLOBAL": gvar = hx_view.item.it.to_specific_type name = idc.GetTrueName(gvar.obj_ea) tinfo = gvar.type scanner = ShallowSearchVisitor(hx_view.cfunc, origin, global_variable=(name, tinfo)) else: return scanner.process() for field in scanner.candidates: self.temporary_structure.add_row(field) scanner.clear()
def _get_best_name(ea): try: return sark.Function(ea).demangled except exceptions.SarkNoFunction: name = idc.GetTrueName(ea) if name: return name return '0x{:X}'.format(ea)
def sync_names(full_synchro=False): global sample_id, skel_conn, last_timestamp if not skel_conn.is_online: return 0 comments = skel_conn.get_comments() for comment in comments: execute_comment(comment) names = skel_conn.get_names() for name in names: if "sub_" in idc.GetTrueName(name["address"]): print "[x] renaming %s @0x%x as %s" % (idc.GetTrueName( name["address"]), name["address"], name["data"]) idc.MakeName(name["address"], name["data"].encode('ascii', 'ignore')) # Here, parse the new commands and execute them print "[+] IDB synchronized" return 0
def visit_expr(self, expression): if expression.op == idaapi.cot_var: index = expression.v.idx elif expression.op == idaapi.cot_obj: index = idc.GetTrueName(expression.obj_ea) else: return 0 if index in self.variables: result = self.check_member_assignment(expression, index) if result: self.candidates.append(result) return 0
def prepare_parse_type(typestr, addr): """ idc.ParseType doesnt accept types without func / local name as exported by default GetType this is an ugly hack to fix it FIXME : parsing usercall (@<XXX>) """ lname = idc.GetTrueName(addr) if lname is None: lname = "Default" # func pointers fpconventions = [ "__cdecl *", "__stdcall *", "__fastcall *", #"__usercall *", #"__userpurge *", "__thiscall *" ] cconventions = [ "__cdecl", "__stdcall", "__fastcall", #"__usercall", #"__userpurge", "__thiscall" ] flag = False mtype = None for conv in fpconventions: if conv in typestr: mtype = typestr.replace(conv, conv + lname) flag = True if not flag: # replace prototype for conv in cconventions: if conv in typestr: mtype = typestr.replace(conv, conv + " " + lname) flag = True return mtype
def auto_string_naming(self): idaStrings = idautils.Strings() for cstring in idaStrings: stringValue = idc.GetString(cstring.ea, cstring.length, cstring.type) currentName = idc.GetTrueName(cstring.ea) if len(stringValue) > 6: objFileValues = re.findall(r"[a-zA-Z]+(?=\.obj)", currentName) objFile = "" idc.MakeComm(cstring.ea, currentName) if len(objFileValues) > 0: objFile = objFileValues[0].upper() newName = stringValue.title() for repl in [x for x in string.punctuation]: newName = newName.replace(repl, "") newName = newName.replace(" ", "") newName = "s{objFile}{currentName}".format(objFile=objFile, currentName=newName) idc.MakeNameEx(cstring.ea, newName, idc.SN_AUTO)
def activate(self, ctx): hx_view = idaapi.get_tform_vdui(ctx.form) origin = self.temporary_structure.main_offset var_type = ShallowScanVariable.check(hx_view.item) if var_type == "LOCAL": variable = hx_view.item.get_lvar() # lvar_t index = list(hx_view.cfunc.get_lvars()).index(variable) definition_address = None if variable.is_arg_var else variable.defea # index = list(hx_view.cfunc.get_lvars()).index(variable) if FunctionTouchVisitor(hx_view.cfunc).process(): hx_view.refresh_view(True) # Because index of the variable can be changed after touching, we would like to calculate it appropriately lvars = hx_view.cfunc.get_lvars() if definition_address: index = next(x for x in xrange(len(lvars)) if lvars[x].defea == definition_address) scanner = DeepSearchVisitor(hx_view.cfunc, origin, index=index) elif var_type == "GLOBAL": gvar = hx_view.item.it.to_specific_type name = idc.GetTrueName(gvar.obj_ea) tinfo = gvar.type if FunctionTouchVisitor(hx_view.cfunc).process(): hx_view.refresh_view(True) scanner = DeepSearchVisitor(hx_view.cfunc, origin, global_variable=(name, tinfo)) else: return scanner.process() for field in scanner.candidates: self.temporary_structure.add_row(field) scanner.clear()
def populate_table(self): """ Download the list of proposed names and display it """ functions = self.skel_conn.get_proposed_names() items = [] for func in functions: func_name = idc.GetTrueName(func["address"]) for name in func["proposed_names"]: item = self.SkelFuncListItem(hex(func["address"]), func_name, hex(func["machoc_hash"]), name) items.append(item) self.setRowCount(len(items)) for item_index, item in enumerate(items): widgets = item.get_widgets() self.setItem(item_index, 0, widgets["address"]) self.setItem(item_index, 1, widgets["curname"]) self.setItem(item_index, 2, widgets["machoc"]) self.setItem(item_index, 3, widgets["proposed"])
def get_offset_name(ea): # Try and get the function name try: func = get_func(ea) name = idc.GetTrueName(func.startEA) name = demangle(name, 0x60) # MNG_NOTYPE | MNG_NORETTYPE if name: offset = ea - func.startEA if offset: return '{}+{:X}'.format(name, offset) return name except exceptions.SarkNoFunction: pass # If that failed, use the segment name instead. segment = idaapi.getseg(ea) name = idaapi.get_true_segm_name(segment) offset_format = '{{:0{}X}}'.format(get_native_size() * 2) ea_text = offset_format.format(ea) if name: return '{}:{}'.format(name, ea_text) # Nothing found, simply return the address return ea_text
def name(self): """Function's Name""" return idc.GetTrueName(self.startEA)
def postprocess(self): global skel_conn try: if self.cmdname == "MakeComment": if idc.GetCommentEx(self.addr, 0) is not None: skel_conn.push_comment(self.addr, idc.GetCommentEx((self.addr), 0)) elif idc.GetCommentEx(self.addr, 1) is not None: skel_conn.push_comment(self.addr, idc.GetCommentEx((self.addr), 1)) elif idc.GetFunctionCmt(self.addr, 0) != "": skel_conn.push_comment(self.addr, idc.GetCommentEx((self.addr), 0)) elif idc.GetFunctionCmt(self.addr, 1) != "": skel_conn.push_comment( self.addr, idc.GetFunctionCmt(self.addr, 1).replace("\n", "\\n").replace( "\"", "\\\"")) if self.cmdname == "MakeRptCmt": if idc.GetCommentEx(self.addr, 0) is not None: skel_conn.push_comment( self.addr, idc.GetCommentEx(self.addr, 0).replace("\n", "\\n").replace( "\"", "\\\"")) elif idc.GetCommentEx(self.addr, 1) is not None: skel_conn.push_comment( self.addr, idc.GetCommentEx(self.addr, 1).replace("\n", "\\n").replace( "\"", "\\\"")) elif idc.GetFunctionCmt(self.addr, 0) != "": skel_conn.push_comment( self.addr, idc.GetFunctionCmt(self.addr, 0).replace("\n", "\\n").replace( "\"", "\\\"")) elif idc.GetFunctionCmt(self.addr, 1) != "": skel_conn.push_comment( self.addr, idc.GetFunctionCmt(self.addr, 1).replace("\n", "\\n").replace( "\"", "\\\"")) elif self.cmdname == "MakeName": # idc.Jump(self.addr) if (idc.GetFunctionAttr(self.addr, 0) == self.addr): fname = GetFunctionName(self.addr) if fname != "": if not CheckDefaultValue(fname): skel_conn.push_name(self.addr, fname) else: fname = idc.GetTrueName(self.addr) if fname != "" and not CheckDefaultValue(fname): skel_conn.push_name( self.addr, fname.replace("\n", "\\n").replace("\"", "\\\"")) else: # ok, on regarde ce qui est pointe if GetOpType(self.addr, 0) in [o_near, o_imm, o_mem]: if GetOpType(self.addr, 1) in [o_near, o_imm, o_mem]: print "[P] You must be on the top of function or at the global address to set the name in log file" else: add = idc.GetOperandValue(self.addr, 0) fname = idc.GetTrueName(add) if fname != "" and not CheckDefaultValue( fname): skel_conn.push_name( add, fname.replace("\n", "\\n").replace( "\"", "\\\"")) else: print "[P] You must be on the top of function or at the global address to set the name in log file" elif GetOpType(self.addr, 1) in [o_near, o_imm, o_mem]: add = idc.GetOperandValue(self.addr, 1) fname = idc.GetTrueName(add) if fname != "" and not CheckDefaultValue(fname): skel_conn.push_name( add, fname.replace("\n", "\\n").replace("\"", "\\\"")) else: print "[P] You must be on the top of function or at the global address to set the name in log file" elif self.cmdname == "MakeFunction": if idc.GetFunctionAttr(self.addr, 0) is not None: pass #push_change("idc.MakeFunction", shex(idc.GetFunctionAttr( # self.addr, 0)), shex(idc.GetFunctionAttr(self.addr, 4))) elif self.cmdname == "DeclareStructVar": print "Fixme : declare Struct variable" elif self.cmdname == "AddStruct": print "Fixme : adding structure" elif self.cmdname == "SetType": newtype = idc.GetType(self.addr) if newtype is None: newtype = "" else: newtype = prepare_parse_type(newtype, self.addr) push_change("idc.SetType", shex(self.addr), newtype) elif self.cmdname == "OpStructOffset": print "Fixme, used when typing a struct member/stack var/data pointer to a struct offset " except KeyError: pass return 0
def execute_rename(name): if "sub_" in idc.GetTrueName(name["address"]): g_logger.debug( "[x] renaming %s @ 0x%x as %s" % (idc.GetTrueName(name["address"]), name["address"], name["data"])) idc.MakeName(name["address"], name["data"].encode('ascii', 'ignore'))
def get_name(): return idc.GetTrueName(name["address"])
def on_get_text(self, value, attrs): name = idc.GetTrueName(value) demangle = getattr(idaapi, 'demangle_name2', idaapi.demangle_name) name = demangle(name, 0) or name return name or "0x{:08X}".format(value)
def GetName(ea, resolve_imports=True): name = idc.GetFunctionName(ea) if not name and resolve_imports: name = idc.GetTrueName(ea) return name
def name(self): """Name of the line (the label shown in IDA).""" return idc.GetTrueName(self.ea)