def find_input_file(): """ Description: Check whether or not IDA knows where the original file used to create the IDB is. If IDA doesn't know, check the IDA's directory for the file. Output: Returns True if the input file was located, False if it was not. """ global INPUT_FILE_PATH ida_path = INPUT_FILE_PATH if not os.path.exists(ida_path): # If IDA does not know, check if the (correct) file is sitting next to the IDB. local_path = os.path.join(idautils.GetIdbDir(), idc.get_root_filename()) if (os.path.exists(local_path) and hashlib.md5( open(local_path, "rb").read()).hexdigest().upper() == idc.retrieve_input_file_md5()): INPUT_FILE_PATH = local_path logger.debug("Guessed the input file path: " + INPUT_FILE_PATH) logger.debug("IDA thought it was: " + ida_path) return True else: return False else: return True
def backup_database(): """ Backup the database to a file similar to IDA's snapshot function. """ time_string = strftime('%Y%m%d%H%M%S') file = idc.get_root_filename() if not file: raise NoInputFileException('No input file provided') input_file = file.rsplit('.', 1)[0] backup_file = '%s_%s.idb' % (input_file, time_string) g_logger.info('Backing up database to file ' + backup_file) idc.save_database(backup_file, idaapi.DBFL_BAK)
def init_sample_id(self): """ test if the remote sample exists, if not, we upload it """ if self.sample_id is None: self.sample_id = self.get_sample_id() if not self.sample_id: logger.warning("Sample not found on server, uploading it") self.send_sample(open(idc.get_root_filename(), 'rb')) self.sample_id = self.get_sample_id() logger.info("Sample ID: %d", self.sample_id)
def get_func_cfgs_c(ea): binary_name = idc.get_root_filename() raw_cfgs = raw_graphs(binary_name) externs_eas, ea_externs = processpltSegs() i = 0 for funcea in idautils.Functions(idc.get_segm_start(ea)): funcname = get_unified_funcname(funcea) func = ida_funcs.get_func(funcea) print i i += 1 icfg = cfg.getCfg(func, externs_eas, ea_externs) func_f = get_discoverRe_feature(func, icfg[0]) raw_g = raw_graph(funcname, icfg, func_f) raw_cfgs.append(raw_g) return raw_cfgs
def get_func_cfgs_ctest(ea): binary_name = idc.get_root_filename() raw_cfgs = raw_graphs(binary_name) externs_eas, ea_externs = processpltSegs() i = 0 diffs = {} for funcea in idautils.Functions(idc.get_segm_start(ea)): funcname = get_unified_funcname(funcea) func = get_func(funcea) print i i += 1 icfg, old_cfg = cfg.getCfg(func, externs_eas, ea_externs) diffs[funcname] = (icfg, old_cfg) #raw_g = raw_graph(funcname, icfg) #raw_cfgs.append(raw_g) return diffs
def xex_load_exports(li): global export_table_va export_table = HvImageExportTable() slen = ctypes.sizeof(export_table) bytes = ida_bytes.get_bytes(export_table_va, slen) fit = min(len(bytes), slen) ctypes.memmove(ctypes.addressof(export_table), bytes, fit) if export_table.Magic[0] != XEX_EXPORT_MAGIC_0 or export_table.Magic[ 1] != XEX_EXPORT_MAGIC_1 or export_table.Magic[ 2] != XEX_EXPORT_MAGIC_2: print("[+] Export table magic is invalid! (0x%X 0x%X 0x%X)" % (export_table.Magic[0], export_table.Magic[1], export_table.Magic[2])) return 0 print("[+] Loading module exports...") print(export_table) ordinal_addrs_va = export_table_va + slen for i in range(0, export_table.Count): func_ord = export_table.Base + i func_va = ida_bytes.get_dword(ordinal_addrs_va + (i * 4)) if func_va == 0: continue func_va = func_va + (export_table.ImageBaseAddress << 16) func_name = x360_imports.DoNameGen(idc.get_root_filename(), 0, func_ord) # Add to exports list & mark as func if inside a code section func_segmclass = ida_segment.get_segm_class( ida_segment.getseg(func_va)) idc.add_entry(func_ord, func_va, func_name, 1 if func_segmclass == "CODE" else 0) if func_segmclass == "CODE": idc.add_func(func_va) return 1
def __init__(self): ida_kernwin.action_handler_t.__init__(self) self.dbfilename = idc.get_root_filename() + '.xref' if not os.path.exists(self.dbfilename): print 'create db' self.cx = sqlite3.connect(self.dbfilename) self.cu = self.cx.cursor() self.cu.execute( 'create table xref (i integer primary key, x integer, y integer, z integer, k text)' ) analyze(self.cu) self.cx.commit() self.cu.execute('select count (*) from xref') count, = self.cu.fetchone() print 'Analyse %d xrefs ok' % (count) else: print 'find db' self.cx = sqlite3.connect(self.dbfilename) self.cu = self.cx.cursor() print 'loaded db'
def __init__(self, cfgfile): self.vt_cfgfile = cfgfile self.file_path = idaapi.get_input_file_path() self.file_name = idc.get_root_filename() logging.getLogger(__name__).addHandler(logging.NullHandler()) if config.DEBUG: logging.basicConfig(stream=sys.stdout, level=logging.DEBUG, format='%(message)s') else: logging.basicConfig(stream=sys.stdout, level=logging.INFO, format='%(message)s') logging.info('\n** VT Plugin for IDA Pro v%s (c) Google, 2020', VT_IDA_PLUGIN_VERSION) logging.info( '** VirusTotal integration plugin for Hex-Ray\'s IDA Pro 7') logging.info('\n** Select an area in the Disassembly Window and right') logging.info('** click to search on VirusTotal. You can also select a') logging.info('** string in the Strings Window.\n')
def send_sample(self, filedata): """ Ugly wrapper for uploading a file in multipart/form-data """ endpoint = "/api/1.0/samples/" headers = {"Accept-encoding": "gzip, deflate", "X-Api-Key": self.auth_token} method = "POST" boundary = "70f6e331562f4b8f98e5f9590e0ffb8e" headers["Content-type"] = "multipart/form-data; boundary=" + boundary body = "--" + boundary body += "\r\n" body += "Content-Disposition: form-data; name=\"filename\"\r\n" body += "\r\n" body += idc.get_root_filename() body += "\r\n\r\n" body += "--" + boundary + "\r\n" body += "Content-Disposition: form-data;" body += "name=\"file\"; filename=\"file\"\r\n" body += "\r\n" body += filedata.read() body += "\r\n--" body += boundary body += "--\r\n" self.h_conn.request(method, endpoint, body, headers) res = self.h_conn.getresponse() data = res.read() try: result = json.loads(data) except BaseException: logger.exception("Cannot load json data from server") result = None return result
def GetInputFile(): return idc.get_root_filename()
try: import idc in_ida = True except ImportError as e: print("not run in ida python skip comment...") in_ida = False # is_clean=0 if (in_ida): trace_path = idc.AskStr("trace-jni.txt", "trace path") is_clean = idc.AskLong(0, "clean path?") if (not os.path.isabs(trace_path)): script_path = os.path.split(os.path.realpath(__file__))[0] trace_path = "%s/%s"%(script_path, trace_path) # filename = idc.get_root_filename() # else: trace_path = sys.argv[1] filename = sys.argv[2] if (len(sys.argv)<3): print("usage %s <trace-file> <filename>"%sys.argv[0]) sys.exit(-1) # # dic_call = {} with open(trace_path) as f: for line in f: line = line.strip() if (line == ""): continue
def build_graph(start_addr, type_graph, simplify=False, dontmodstack=True, loadint=False, verbose=False): machine = guess_machine(addr=start_addr) dis_engine, ira = machine.dis_engine, machine.ira class IRADelModCallStack(ira): def call_effects(self, addr, instr): assignblks, extra = super(IRADelModCallStack, self).call_effects(addr, instr) if not dontmodstack: return assignblks, extra out = [] for assignblk in assignblks: dct = dict(assignblk) dct = { dst:src for (dst, src) in viewitems(dct) if dst != self.sp } out.append(AssignBlock(dct, assignblk.instr)) return out, extra if verbose: print("Arch", dis_engine) fname = idc.get_root_filename() if verbose: print(fname) bs = bin_stream_ida() mdis = dis_engine(bs) ir_arch = IRADelModCallStack(mdis.loc_db) # populate symbols with ida names for addr, name in idautils.Names(): if name is None: continue if (mdis.loc_db.get_offset_location(addr) or mdis.loc_db.get_name_location(name)): # Symbol alias continue mdis.loc_db.add_location(name, addr) if verbose: print("start disasm") if verbose: print(hex(start_addr)) asmcfg = mdis.dis_multiblock(start_addr) entry_points = set([mdis.loc_db.get_offset_location(start_addr)]) if verbose: print("generating graph") open('asm_flow.dot', 'w').write(asmcfg.dot()) print("generating IR... %x" % start_addr) ircfg = ir_arch.new_ircfg_from_asmcfg(asmcfg) if verbose: print("IR ok... %x" % start_addr) for irb in list(viewvalues(ircfg.blocks)): irs = [] for assignblk in irb: new_assignblk = { expr_simp(dst): expr_simp(src) for dst, src in viewitems(assignblk) } irs.append(AssignBlock(new_assignblk, instr=assignblk.instr)) ircfg.blocks[irb.loc_key] = IRBlock(irb.loc_key, irs) if verbose: out = ircfg.dot() open(os.path.join(tempfile.gettempdir(), 'graph.dot'), 'wb').write(out) title = "Miasm IR graph" head = list(entry_points)[0] if simplify: ircfg_simplifier = IRCFGSimplifierCommon(ir_arch) ircfg_simplifier.simplify(ircfg, head) title += " (simplified)" if type_graph == TYPE_GRAPH_IR: graph = GraphMiasmIR(ircfg, title, None) graph.Show() return class IRAOutRegs(ira): def get_out_regs(self, block): regs_todo = super(IRAOutRegs, self).get_out_regs(block) out = {} for assignblk in block: for dst in assignblk: reg = self.ssa_var.get(dst, None) if reg is None: continue if reg in regs_todo: out[reg] = dst return set(viewvalues(out)) # Add dummy dependency to uncover out regs affectation for loc in ircfg.leaves(): irblock = ircfg.blocks.get(loc) if irblock is None: continue regs = {} for reg in ir_arch.get_out_regs(irblock): regs[reg] = reg assignblks = list(irblock) new_assiblk = AssignBlock(regs, assignblks[-1].instr) assignblks.append(new_assiblk) new_irblock = IRBlock(irblock.loc_key, assignblks) ircfg.blocks[loc] = new_irblock class CustomIRCFGSimplifierSSA(IRCFGSimplifierSSA): def do_simplify(self, ssa, head): modified = super(CustomIRCFGSimplifierSSA, self).do_simplify(ssa, head) if loadint: modified |= load_from_int(ssa.graph, bs, is_addr_ro_variable) return modified def simplify(self, ircfg, head): ssa = self.ircfg_to_ssa(ircfg, head) ssa = self.do_simplify_loop(ssa, head) if type_graph == TYPE_GRAPH_IRSSA: ret = ssa.graph elif type_graph == TYPE_GRAPH_IRSSAUNSSA: ircfg = self.ssa_to_unssa(ssa, head) ircfg_simplifier = IRCFGSimplifierCommon(self.ir_arch) ircfg_simplifier.simplify(ircfg, head) ret = ircfg else: raise ValueError("Unknown option") return ret head = list(entry_points)[0] simplifier = CustomIRCFGSimplifierSSA(ir_arch) ircfg = simplifier.simplify(ircfg, head) open('final.dot', 'w').write(ircfg.dot()) graph = GraphMiasmIR(ircfg, title, None) graph.Show()
###################### ### ISVOID RET CODE ## FNONVOID = 1 # FNONVOIDWARN = 2 # FVOID = 0 # ###################### ###################### IDA_ERROR = 0x0F0F0F0F UNKOWN_CMND = 0xF0F0F0F0 RESOLVE_NAME = 0xA0A0A0A0 COMANDS = [START, END, TYPE, DREFS, CREFS, VRET, FEND, FNAM] COMANDS_2ARGS = [DOMIN] IMAGE = idc.get_root_filename() c_jumps = [ "jle", "jz", "je", "ja", "jnbe", "jne", "jnz", "jnb", "jae", "jnc", "js", "jq", "jbe", "jna", "jnae", "jb", "jnae", "jc", "jo", "jno", "jns", "jl", "jnge", "jge", "jnl", "jng", "jg", "jnle", "jp", "jpe", "jnp", "jpo", "ud2", "jcxz", "jecxz", "jrcxz" ] u_jumps = ["jmp"] op_type = { 0: "o_void", 1: "o_reg", 2: "o_mem", 3: "o_phrase",
def main(): imp_funcs = [] xrefs = [] cg = CallGraph() file_name = idc.get_root_filename() file_path = idc.GetInputFilePath() def get_file_ssdeep(): if 'ssdeep' in sys.modules: return ssdeep.hash_from_file(file_path) else: return 'No ssdeep Modules. Please Install ssdeep.' def imp_cb(ea, name, ord): imp_funcs.append(ea) return True if 'batch' in idc.ARGV: idaapi.autoWait() for fea in Functions(): func_flags = get_func_flags(fea) # NORMAL = 0 # LIBRARY = 1 # IMPORTED = 2 # THUNK = 3 if func_flags & FUNC_LIB: func_type = 1 elif func_flags & FUNC_THUNK: func_type = 3 else: func_type = 0 cg.add_vertex(fea, func_type) cg.add_root(fea) items = FuncItems(fea) for item in items: for xref in XrefsFrom(item, 0): # https://www.hex-rays.com/products/ida/support/idadoc/313.shtml if xref.type != fl_F: xrefs.append([fea, xref.to]) # List Import Functions and Add to cg num_imp_module = idaapi.get_import_module_qty() for i in range(0, num_imp_module): idaapi.enum_import_names(i, imp_cb) imp_funcs.sort() for imp_func_ea in imp_funcs: cg.add_vertex(imp_func_ea, 2) for xref in xrefs: if xref[1] in cg.vertices: cg.connect_vertex(xref[0], xref[1]) cg.set_roots() for root in cg.roots: cg.build_graph_pattern(root) if len(idc.ARGV) == 0: print('Graph MD5: %s' % cg.get_graph_md5()) print('Graph SHA1: %s' % cg.get_graph_sha1()) print('Graph SHA256: %s' % cg.get_graph_sha256()) print('Graph SSDEEP: %s' % cg.get_graph_ssdeep()) print('File SSDEEP: %s' % get_file_ssdeep()) if 'out_pattern' in idc.ARGV: if not os.path.isdir('./out'): os.mkdir('./out') f = open('./out/' + file_name + '.bin', 'wb') f.write(cg.graph_pattern) f.close() if 'batch' in idc.ARGV: if not os.path.isdir('./out'): os.mkdir('./out') f = open('./out/result', 'a+') f.write('%s,%s,%s,%s\n' % (file_name, cg.get_graph_md5(), cg.get_graph_ssdeep(), get_file_ssdeep())) f.close() idc.Exit(0)