def analyze_external_refs(ea_from, ea_to, increment, analysing_base, analysing_size):
# print >> sys.stderr, 'analyze_external_refs(%08X, %08X, %08X, %08X, %08X)' % \
# (ea_from, ea_to, increment, analysing_base, analysing_size)
rv = rpc.AnalyzeExternalRefsResult()
if ea_from > ea_to:
print >> sys.stderr, 'Invalid arguments passed'
return rv
mem = safe_read_chunked_memory_region_as_one(ea_from, ea_to - ea_from)
if not mem:
print >> sys.stderr, 'Unable to read specified memory (0x%08X - 0x%08X)' % (ea_from, ea_to)
return rv
mem = buffer(mem[1])
intptr_size = struct.calcsize("<I")
main_module_name = api.Findmodule(analysing_base)
if main_module_name is None:
main_module_name = ''
else:
main_module_name = path.splitext(path.basename(main_module_name.path))[0].lower()
th = api.Findthread(api.Getcputhreadid())
r = api.ulongArray.frompointer(th.reg.r)
rv.context.eax = r[api.REG_EAX]
rv.context.ecx = r[api.REG_ECX]
rv.context.edx = r[api.REG_EDX]
rv.context.ebx = r[api.REG_EBX]
rv.context.esp = r[api.REG_ESP]
rv.context.ebp = r[api.REG_EBP]
rv.context.esi = r[api.REG_ESI]
rv.context.edi = r[api.REG_EDI]
rv.context.rip = th.reg.ip
global modules_exports
scan_for_ref_api_calls(ea_from, ea_to, increment, rv=rv, mem=mem, base=analysing_base)
used_addrs = set([])
for ea in xrange(ea_from, ea_to, increment):
try:
if ea in used_addrs:
continue
l = ea_to - ea
off = ea - ea_from
if l < intptr_size:
break
addr = struct.unpack_from("<I", mem, off)[0]
if addr not in modules_exports:
continue
symb = modules_exports[addr]
module_name, proc_name = symb.split('.')
if module_name == main_module_name:
continue
v = rv.api_constants.add()
v.ea = ea
v.module = module_name
v.proc = proc_name
except Exception as exc:
print >> sys.stderr, 'Exception: %r\r\n%s' % (exc, traceback.format_exc().replace('\n', '\r\n'))
print 'AnalyzeExternalRefs: found %u' % len(rv.api_constants)
print rv
return rv
def analyze_external_refs(ea_from, ea_to, increment, analysing_base,
analysing_size):
# print >> sys.stderr, 'analyze_external_refs(%08X, %08X, %08X, %08X, %08X)' % \
# (ea_from, ea_to, increment, analysing_base, analysing_size)
# import labeless.rdebug
rv = rpc.AnalyzeExternalRefsResult()
if ea_from > ea_to:
print >> sys.stderr, 'Invalid arguments passed'
return rv
mem = safe_read_chunked_memory_region_as_one(ea_from, ea_to - ea_from)
if not mem:
print >> sys.stderr, 'Unable to read specified memory (0x%08X - 0x%08X)' % (
ea_from, ea_to)
return rv
mem = buffer(mem[1])
unpack_fmt = '<I' if int(
py_olly.get_backend_info()['bitness']) == 32 else '<Q'
intptr_size = struct.calcsize(unpack_fmt)
main_module_name = bridgemain.DbgGetModuleAt(analysing_base)
if main_module_name:
main_module_name = path.splitext(
path.basename(main_module_name))[0].lower()
rv.context.eax = api.Register_GetEAX()
rv.context.ecx = api.Register_GetECX()
rv.context.edx = api.Register_GetEDX()
rv.context.ebx = api.Register_GetEBX()
rv.context.esp = api.Register_GetESP()
rv.context.ebp = api.Register_GetEBP()
rv.context.esi = api.Register_GetESI()
rv.context.edi = api.Register_GetEDI()
rv.context.rip = api.Register_GetCIP()
if int(py_olly.get_backend_info()['bitness']) == 64:
rv.context.rax = api.Register_GetRAX()
rv.context.rbx = api.Register_GetRBX()
rv.context.rcx = api.Register_GetRCX()
rv.context.rdx = api.Register_GetRDX()
rv.context.rsi = api.Register_GetRSI()
rv.context.rdi = api.Register_GetRDI()
rv.context.rbp = api.Register_GetRBP()
rv.context.rsp = api.Register_GetRSP()
# thread_list = xd.THREADLIST()
# xd.DbgGetThreadList(thread_list)
# try:
# current = thread_list.CurrentThread
# if thread_list.count <= current:
# print >> sys.stderr, '[-] Invalid thread info got'
# return rv
# rv.context.eax = xd.Register_GetEAX()
# rv.context.ecx = xd.Register_GetECX()
# rv.context.edx = xd.Register_GetEDX()
# rv.context.ebx = xd.Register_GetEBX()
# rv.context.esp = xd.Register_GetESP()
# rv.context.ebp = xd.Register_GetEBP()
# rv.context.esi = xd.Register_GetESI()
# rv.context.edi = xd.Register_GetEDI()
# rv.context.eip = xd.Register_GetEIP()
#
# finally:
# if thread_list.list:
# xd.BridgeFree(thread_list.list)
global modules_exports
scan_for_ref_api_calls(ea_from,
ea_to,
increment,
rv=rv,
mem=mem,
base=analysing_base,
size=analysing_size)
used_addrs = set([])
for ea in long_xrange(ea_from, ea_to, increment):
try:
if ea in used_addrs:
continue
l = ea_to - ea
off = ea - ea_from
if l < intptr_size:
break
addr = struct.unpack_from(unpack_fmt, mem, off)[0]
if addr not in modules_exports:
continue
symb = modules_exports[addr]
module_name, proc_name = symb.split('.')
if module_name == main_module_name:
continue
v = rv.api_constants.add()
v.ea = ea
v.module = module_name
v.proc = proc_name
except Exception as exc:
print >> sys.stderr, 'Exception: %r\r\n%s' % (
exc, traceback.format_exc().replace('\n', '\r\n'))
print 'AnalyzeExternalRefs(ea_from=0x%x, ea_to=0x%x): api consts found %u, refs found: %u' % (
ea_from, ea_to, len(rv.api_constants), len(rv.refs))
# print rv
return rv