def SetAllConditionBpt(): ea = 0x2C13000 while ea < 0x357D000: mnem = idc.GetMnem(ea) if mnem == 'retn': idc.add_bpt(ea) ea = idc.NextHead(ea)
def get_jit_function(self): esp = idc.get_reg_value("ESP") method_name = self.get_method_name(esp) function = idc.get_wide_dword(esp + 8) method_id = idc.get_wide_dword(idc.get_wide_dword(esp + 4) + 0x20) abc_info_pos = idc.get_wide_dword(idc.get_wide_dword(esp + 4) + 0x1C) method_info = get_qword(abc_info_pos) + get_qword(abc_info_pos + 8) if (self.as3dump != []): method = next((x for x in self.as3dump if x["id"] == method_id), None) if (method is not None and method["info"] == method_info): method_name = method["name"] self.set_jit_info(method_id, function) print("Resolved jit function: 0x%x - %s" % (function, method_name)) self.rename_addr(function, method_name) if ((method_name not in self.ignore and not self.ignore_all) or (method_name in self.debug_if_equals) or (any(x for x in self.debug_if_contains if method_name is not None and x in method_name))): self.traced.append({"name": method_name, "ea": function, "type": "jit", "hit": 0}) idc.add_bpt(function)
def enable_bp_ret(funcname): func_ea = idc.get_name_ea_simple(funcname) bps = [] for ea in idautils.FuncItems(func_ea): if idc.GetMnem(ea) == "retn": idc.add_bpt(ea) bps.append(ea) return bps
def hook(self, hook_addr=0): """ Args: hook_addr(int): address for inline hook code, 0 indicates bpt hook. Returns: memory size in bytes used for inline hook. """ self.hook_addr = hook_addr self.func_addr = idc.get_name_ea_simple(self.name) if self.func_addr == 0: return 0 print("Hooking %s at 0x%x" % (self.name, self.func_addr)) if self.hook_addr == 0: idc.add_bpt(self.func_addr) idc.set_bpt_cond(self.func_addr, self.bpt_cond_hook_code) return 0 else: # assemble jmp code jmp_code = "jmp 0x%x" % self.hook_addr jmp_buf, _ = assemble(jmp_code, self.func_addr) # read function prologue according to jmp code length # NOTE: instructions like 'call $+5' in prologue will # cause problems. insn = idaapi.insn_t() move_length = 0 while move_length < len(jmp_buf): idaapi.decode_insn(insn, self.func_addr + move_length) move_length += insn.size prologue = idaapi.get_bytes(self.func_addr, move_length) # write jmp code idaapi.patch_bytes(self.func_addr, jmp_buf) # assmble hook code hook_buf, _ = assemble(self.inline_hook_code, self.hook_addr) hook_buf += prologue jmp_back_code = 'jmp 0x%x' % (self.func_addr + move_length) jmp_back_buf, _ = assemble(jmp_back_code, self.hook_addr + len(hook_buf)) hook_buf += jmp_back_buf # wirte hook code idaapi.patch_bytes(self.hook_addr, hook_buf) return len(hook_buf)
def addTracebp(self, ea=None): if ea is None: ea = idc.get_screen_ea() rea = ea - self.offset self.tracebp.add(rea) if not idc.add_bpt(ea): idc.enable_bpt(ea, True)
def __call__(self): try: if self.hardware: bp_flag = idc.BPT_EXEC # default is hardware https://www.hex-rays.com/products/ida/support/sdkdoc/group___b_p_t___h.html else: bp_flag = (idc.BPT_SOFT | idc.BPT_EXEC) idc.add_bpt(self.address, bp_flag) enable_res = idc.enable_bpt(self.address, True) l.debug("bp flag value %x enable_res %s" % (bp_flag, enable_res)) self.result = enable_res except Exception as e: l.debug("set_breakpoint exception %s" % (e)) self.exception = True
def bp_recover(self, remove=True, suffix=""): bplist = DbgInfo.config_load("breakpoints" + suffix, list) if not bplist: return False if remove: nbp = idc.get_bpt_qty() bps = [] for i in range(nbp): bp = idc.get_bpt_ea(i) bps.append(bp) for bp in bps: idc.del_bpt(bp) for bp in bplist: ea = bp[0] addr = ea + self.offset idc.add_bpt(addr) idc.enable_bpt(addr, bp[1]) return True
def bp_load(self, userbp=True, tracebp=True): invalid = [] if tracebp: for ea in self.tracebp: addr = ea + self.offset if idc.get_func_off_str(addr): idc.add_bpt(addr) else: invalid.append(addr) if userbp: for ea in self.userbp: addr = ea + self.offset if idc.get_func_off_str(addr): idc.add_bpt(addr) else: invalid.append(addr) if invalid: print("invalid ea:", str(invalid)) self.invalidbp = invalid
def set_watchpoint(self, address, *args, **kwargs): """Inserts a watchpoint which is triggered when a read or a write is executed on address :param address: The name of a variable or an address to watch :param bool temporary: Temporary breakpoint :returns: True on success else False """ idc.add_bpt(address) bp_flag = idc.BPT_RDWR # BPT_RDWR = 3 https://www.hex-rays.com/products/ida/support/sdkdoc/group___b_p_t___h.html setting Read Write breakpoint because some debuggers (Linux local) doesn't support l.debug("ida target set_watchpoing at %x value" % (address)) idc.set_bpt_attr(address, idc.BPTATTR_SIZE, 1) attr_res = idc.set_bpt_attr(address, idc.BPTATTR_TYPE, bp_flag) enable_res = idc.enable_bpt(address, True) l.debug("bp flag value %x attr_res %s enable_res %s" % (bp_flag, attr_res, enable_res)) return attr_res and enable_res # return False if enable or setting attributes fails
def addReadWriteTrace(addr, bpt_size = 1): result = idc.add_bpt(addr, bpt_size, BreakpointMode.ReadWrite) if result == False: raise AddTraceError(addr, "Unable to set breakpoint at the given address.") pbpt = ida_dbg.bpt_t() ida_dbg.get_bpt(addr, pbpt) pbpt.flags = 10 result = ida_dbg.update_bpt(pbpt) if result == False: raise AddTraceError(addr, "Unable to a 'trace-breakpoint' at the given address.")
def get_native_function(self): ecx = idc.get_reg_value("ECX") esp = idc.get_reg_value("ESP") method_name = self.get_method_name(esp) if (idc.get_wide_byte(idc.get_wide_dword(ecx + 8) + 0x38) != 0): function = idc.get_wide_dword(idc.get_wide_dword(esp + 4) + 0x28) else: function = idc.get_wide_dword(idc.get_wide_dword(esp + 4) + 0x24) print("Resolved native function: 0x%x - %s" % (function, method_name)) if ((method_name not in self.ignore and not self.ignore_all) or (method_name in self.debug_if_equals) or (any(x for x in self.debug_if_contains if method_name is not None and x in method_name))): self.traced.append({"name": method_name, "ea": function, "type": "native", "hit": 0}) idc.add_bpt(function)
def addbp(self, instr, ea=None): if ea is None: ea = idc.get_screen_ea() func = idaapi.get_func(ea) start_ea = func.start_ea instrtable = self.get_func_instr(startEA) l = instrtable.get(instr) if l: for disa in l: pos = disa.offset + start_ea if not idc.add_bpt(pos): idc.enable_bpt(pos, True)
def addbp2(self, ea=None): if ea is None: ea = idc.get_screen_ea() func = idaapi.get_func(ea) start_ea = func.start_ea bps = self.get_bp2(start_ea) if bps.add(ea): if not idc.add_bpt(ea): idc.enable_bpt(ea, True) return bps else: return False
def get_interpreted_function(self, eip): if (eip == self.addr["setInterp"]): esp = idc.get_reg_value("ESP") self.method_name = self.get_method_name(esp) self.is_interpreted_state = True elif (eip == self.addr["setInterpRet"] and self.is_interpreted_state): function = idc.get_reg_value("EAX") print("Resolved interpreted function: 0x%x - %s" % (function, self.method_name)) if ((self.method_name not in self.ignore and not self.ignore_all) or (self.method_name in self.debug_if_equals) or (any(x for x in self.debug_if_contains if self.method_name is not None and x in self.method_name))): self.traced.append({"name": self.method_name, "ea": function, "type": "interp", "hit": 0}) idc.add_bpt(function) self.is_interpreted_state = False
def addcallinfo(self, called, caller, tid=0): offcaller = idc.get_func_off_str(caller) ecalled = called - self.offset calledinfo = self.get_callinfo(ecalled, tid) if not offcaller: calledinfo.ncalled += 1 return False ecaller = caller - self.offset l = offcaller.split("+") if len(l) > 1: eafn = ecaller - int(l[1], 16) else: eafn = ecaller callerinfo = self.get_callinfo(eafn, tid) callerinfo.addcall(ecalled, ecaller) if calledinfo.addcalled(ecaller): common.common_cmt(called, calledinfo.calledlist.keys(), "called by: ", self.offset, False) bpea = eafn + self.offset if self.enabletrace: if not idc.add_bpt(bpea): idc.enable_bpt(bpea, True) return True
def add_func(self): _var_debug() funcname = self.funcinput.text().encode('utf-8').strip() if funcname: afn = idc.get_name_ea_simple(funcname) # LocByName if afn & 1: self.funcinput.setText(funcname + " is not a function") return False else: ea = idc.get_screen_ea() func = idaapi.get_func(ea) if not func: return False afn = func.start_ea dbginfo = self.dbginfo arg = dbginfo.append_func_watch(afn) if not idc.add_bpt(afn): idc.enable_bpt(afn, True) # dbginfo.addbp("RET", afn) if arg: self.argtree_append(arg) return True return False
def set_breakpoint(ea, isthumb=1): idc.SetReg(ea, "T", 1) idc.MakeCode(ea) idc.add_bpt(ea)
#!/usr/bin/python import idc import idautils func_list = [ "kernelbase_VirtualAlloc", "kernelbase_VirtualProtect", "kernel32_CreateThread", "kernelbase_CreateProcessA", "kernelbase_CreateProcessInternalA" "kernelbase_CreateProcessW", "kernelbase_CreateProcessAsUserW", "kernel32_FindResourceA", "kernelbase_LoadResource", ] if __name__ == "__main__": for func in func_list: func_addr = idc.LocByName(func) print "Set BreakPoint: %X, %s" % (func_addr, func) idc.add_bpt(func_addr, 0, BPT_SOFT) idc.enable_bpt(func_addr, True)
def set_breakpoints(self): idc.add_bpt(self.addr["verifyNative"]) idc.add_bpt(self.addr["setJit"]) idc.add_bpt(self.addr["setInterp"]) idc.add_bpt(self.addr["setInterpRet"]) idc.add_bpt(self.addr["writePrologue"]) idc.add_bpt(self.addr["hasReachableExceptionsRet"])
def set_breakpoint(ea): # idc.SetReg(ea, "T", 1) idc.MakeCode(ea) idc.add_bpt(ea)