def _install_open_coverage_xref(self): PluginCommand.register_for_address( self.ACTION_COVERAGE_XREF, "Open the coverage xref window", self._open_coverage_xref, self._is_xref_valid )
def create_binja_menu(): # Binja does not really support menu in its GUI just yet PluginCommand.register_for_address( "gef : add breakpoint", "Add a breakpoint in gef at the specified location.", add_gef_breakpoint) PluginCommand.register_for_address( "gef : delete breakpoint", "Remove a breakpoint in gef at the specified location.", delete_gef_breakpoint) return
def register_gef_breakpoint_menu(): # Binja does not really support menu in its GUI just yet PluginCommand.register_for_address( "GEF\\Set breakpoint", "Add a breakpoint in gef at the specified location.", gef_add_breakpoint, is_valid=lambda view, addr: is_service_started()) PluginCommand.register_for_address( "GEF\\Delete breakpoint", "Remove a breakpoint in gef at the specified location.", gef_del_breakpoint, is_valid=lambda view, addr: is_service_started()) return
return calculate_offset(vtable, bv, call_il.dest, defs.get(call_il.instr_index, {}), defs) def navigate_to_virtual_function(bv, addr): constructor = find_constructor(bv) if constructor is None: return vtable = find_vtable(bv, constructor.low_level_il) if vtable is None: log_alert("Couldn't find vtable for {}".format( constructor.symbol.full_name)) return function_pointer = find_function_offset(vtable, bv, addr) if function_pointer is None: log_alert("Couldn't find vtable offset for this call!") return bv.file.navigate(bv.file.view, function_pointer) PluginCommand.register_for_address( "Navigate to Virtual Function", ("Navigate to the virtual function called by " "an indirect call, given the class name"), navigate_to_virtual_function)
code += " " value = str(ii) if str(ii.type) == "InstructionTextTokenType.PossibleAddressToken": last = int(str(ii), 16) if last in fmap: value = fmap[last] else: value = bv.get_symbol_at(last).name code += value f1.write(code) f1.write("\n") f1.close() # for block in f.low_level_il: # print(dir(block)) # for instr in block: # if first: # f1.write("{0:s}: {1:x}\n".format(name,instr.address)) # first = False #print instr.address, instr.instr_index, instr # {0:x} {1:d} instr.address, instr.instr_index, # f1.write("{0:s}\n".format(instr)) #print("END") # f1.close() #show_message_box("Do Something", "Congratulations! You have successfully done nothing.\n\n" + # "Pat yourself on the Rump.", MessageBoxButtonSet.OKButtonSet, MessageBoxIcon.ErrorIcon) PluginCommand.register_for_address("Function Writer", "Writes Function Data", do_nothing)
PluginCommand.register( "Ethersplay-4byte\\Rename functions", "Perform lookup of all hash signatures on 4byte.directory to rename unknown functions", rename_all_functions, is_valid=is_valid_evm) PluginCommand.register( "Ethersplay-4byte\\update cashed function hashes", "Re-do lookup of all hash signatures on 4byte.directory, which are stored in the local cache.", update_cache_bn, is_valid=is_valid_evm) PluginCommand.register_for_address( "Ethersplay-4byte\\Lookup 4byte hash", "Perform lookup of one hash signature on 4byte.directory", lookup_one_inst, is_valid=is_valid_evm) PluginCommand.register_for_function( "Ethersplay-4byte\\Lookup 4byte hash for all PUSH4", "Perform lookup of one hash signature on 4byte.directory", lookup_all_push4, is_valid=is_valid_evm) PluginCommand.register_for_address( "Ethersplay\\Lookup 4byte hash (4byte.directory)", "Perform lookup of one hash signature on 4byte.directory", lookup_one_inst, is_valid=is_valid_evm)
def check_view_platform(view, *platforms): platform = view.platform if platform is None: return False return platform.name in platforms PluginCommand.register( 'Windows\\Scan for RTTI', 'Scans for MSVC RTTI', lambda view: command_scan_for_rtti(view), lambda view: check_view_platform(view, 'windows-x86', 'windows-x86_64')) PluginCommand.register_for_address( 'Windows\\Create vftable', 'Creates a vftable at the current address', lambda view, address: command_create_vtable(view, address), lambda view, address: check_view_platform(view, 'windows-x86', 'windows-x86_64')) PluginCommand.register( 'Windows\\Parse exception handlers', 'Create functions based on exception handlers', lambda view: command_parse_unwind_info(view), lambda view: check_view_platform(view, 'windows-x86_64')) PluginCommand.register( 'Windows\\Fix thiscall\'s', 'Convert appropriate stdcall\'s and fastcall\'s into thiscall\'s', lambda view: command_fix_x86_conventions(view), lambda view: check_view_platform(view, 'windows-x86')) PluginCommand.register(
] else: # By default, we just use the LLIL explanation # We append the line number if we're displaying a conditional. explain_window().description = [explain_llil(bv, llil) for llil in parse_il] # Display the MLIL and LLIL, dereferencing anything that looks like a hex number into a symbol if possible explain_window().llil = [dereference_symbols(bv, llil) for llil in llil_list] explain_window().mlil = [dereference_symbols(bv, mlil) for mlil in mlil_list] # Pass in the flags, straight from the API. We don't do much with these, but they might make things more clear explain_window().flags = [ ( func.get_flags_read_by_lifted_il_instruction(lifted.instr_index), func.get_flags_written_by_lifted_il_instruction(lifted.instr_index), lifted, ) for lifted in lifted_il_list ] # Display what information we can calculate about the program state before the instruction is executed try: explain_window().state = get_state(bv, addr) except AttributeError: log_error("No instruction state support for this architecture") explain_window().show() PluginCommand.register_for_address("Explain Instruction", "", explain_instruction)
def register_logger(address, func): if not __check_executor(): return executor.user_loggers[address] = func def reload_settings(): if not __check_executor(): return executor.bncache.settings = {} PluginCommand.register_for_address( "SENinja\\0 - Start symbolic execution", "create the first state for symbolic execution at current address", _async_start_se) PluginCommand.register_for_address( "SENinja\\1 - Change current state", "change current state with the deferred one at current address (if any)", _async_change_current_state) PluginCommand.register("SENinja\\2 - Step", "execute one instruction with the current state", _async_step) PluginCommand.register( "SENinja\\3 - Continue until branch", "execute instructions in the current state until a fork occurs", _async_continue_until_branch) PluginCommand.register_for_address( "SENinja\\4 - Continue until address", "execute instructions in the current state until the currently selected address is reached",
for visited_instruction in visited_instructions: function.source_function.set_user_instr_highlight( function[visited_instruction].address, color) bv.commit_undo_actions() def backward_slice(bv, addr): function = bv.get_basic_blocks_at(addr)[0].function instruction = function.get_low_level_il_at(addr).mapped_medium_level_il program_slice(instruction, 'backward') def forward_slice(bv, addr): function = bv.get_basic_blocks_at(addr)[0].function instruction = function.get_low_level_il_at(addr).mapped_medium_level_il program_slice(instruction, 'forward') PluginCommand.register_for_address('Slice backwards', 'Slice variable backwards from this point', backward_slice) PluginCommand.register_for_address('Slice forward', 'Slice variable forward from this point', forward_slice)
rows_selected = set() for i in select.selectedIndexes(): rows_selected.add(i.row()) assert len(rows_selected) >= 1 # Hopefully this sort is enough to delete the correct rows. sorted_rows_selected = sorted(list(rows_selected), reverse=True) for row in sorted_rows_selected: self.table_model.removeRows(row) else: log_error("No selection to remove") def set_indirect_branches_clicked(self): branches = self.table_model.branches log_debug("Setting 0x%x's indirect branches to: %s" % (self.indirect_jmp_addr, branches)) self.func.set_user_indirect_branches(self.indirect_jmp_addr, branches) self.accept() def launch_plugin(bv, addr): widget = IndirectBranchSetterWidget(bv, addr) widget.exec_() _name = "Indirect branches setter" _description = "A plugin for setting indirect branches more easily, when binja fails to recognized a jump table" PluginCommand.register_for_address(_name, _description, launch_plugin)
import time import hashlib import binaryninja from binaryninja import PluginCommandContext, PluginCommand from binaryninja import SymbolType, Symbol def do_nothing(bv,function): badnames = "" bn = [] nmap ={} for f in bv.functions: badnames+=f.name + "\n" bn.append(f.name) nmap[f.name] = f.start x = {"input":badnames} r = requests.post("https://demangler.com/raw", data=x) index = 0 lines = r.text.split("\n") for l in lines: if (index < len(bn)-1): name = bn[index] if l != name: #print(" {0:s}\n->{1:s}".format(l,bn[index])) address = nmap[name] symbol_type = SymbolType.FunctionSymbol symbol = l bv.define_user_symbol(Symbol(symbol_type, address, symbol)) index += 1 PluginCommand.register_for_address("Rename C++ functions", "Renames the functions by demangling", do_nothing)
) == "InstructionTextTokenType.PossibleAddressToken": last = int(str(ii), 16) if last in fmap: value = fmap[last] else: value = bv.get_symbol_at(last).name code += value f1.write(code) f1.write("\n") f1.close() # for block in f.low_level_il: # print(dir(block)) # for instr in block: # if first: # f1.write("{0:s}: {1:x}\n".format(name,instr.address)) # first = False #print instr.address, instr.instr_index, instr # {0:x} {1:d} instr.address, instr.instr_index, # f1.write("{0:s}\n".format(instr)) #print("END") # f1.close() #show_message_box("Do Something", "Congratulations! You have successfully done nothing.\n\n" + # "Pat yourself on the Rump.", MessageBoxButtonSet.OKButtonSet, MessageBoxIcon.ErrorIcon) PluginCommand.register_for_address("Function Writer", "Writes Function Data", do_nothing)
from . import settings from .apis_ui import (_async_start_se, _async_change_current_state, _async_step, _async_continue_until_branch, _async_continue_until_address, _async_merge_states, _async_save_active_state, _async_change_active_state_ip, _set_run_target, _set_run_avoid, _async_run_dfs_searcher, _async_run_dfs_searcher_findall, _async_run_bfs_searcher, _async_reset_se, _async_toggle_state_history, sync_ui) from .apis import (start_se, reset_se, continue_until_branch, continue_until_address, setup_argv, execute_one_instruction, stop, get_current_state, get_executor, register_hook, register_logger, get_stdin_bv, get_stdout_bv, reload_settings) PluginCommand.register_for_address( "SENinja\\0 Start symbolic execution", "create the first state for symbolic execution at current address", _async_start_se) PluginCommand.register_for_address( "SENinja\\1 Change current state", "change current state with the deferred one at current address (if any)", _async_change_current_state) PluginCommand.register("SENinja\\2 Step", "execute one instruction with the current state", _async_step) PluginCommand.register_for_address( "SENinja\\3 Merge states", "merge all states at current address in one state", _async_merge_states) PluginCommand.register("SENinja\\4 Save active state", "save active state in deferred queue", _async_save_active_state) PluginCommand.register_for_address(