def create_object(obj,
overwrite_names,
offset,
dummy_names=True,
always_thumb=True):
name = obj.get("name")
addr = int(obj.get("addr"))
addr = int(addr)
size = int(obj.get("size"))
if dummy_names:
if IDAtools.is_dummy_name(name):
return
if type(addr) == int:
if ida_bytes.is_unknown(ida_bytes.get_full_flags(addr)):
if size:
ok = idaapi.create_data(addr, idc.FF_BYTE, size, 0)
else:
ok = idc.create_byte(addr)
if not ok:
if not ok:
reason = "Could not create data at {addr:#x}".format(
addr=addr)
print(reason)
if overwrite_names and IDAtools.is_dummy_name_by_addr(addr):
ok = idc.set_name(addr, name, idc.SN_CHECK)
if not ok:
reason = "Could not add name {name} at {addr:#x}".format(
name=name, addr=addr)
print(reason)
IDAtools.ida_wait()
def Undefs(*args):
"""
Enumerate undefined bytes
@param <range>: see getrange
@return: list of addresses of undefined bytes
Example::
for ea in Undefs((FirstSeg(), BADADDR)):
if isCode(GetFlags(PrevHead(ea))) and (ea%4)!=0 and iszero(ea, 4-(ea%4)):
MakeAlign(ea, 4-(ea%4), 2)
Will add alignment directives after code.
"""
(first, last) = getrange(args)
ea = first
# explicitly testing first byte, since find_unknown
# implicitly sets SEARCH_NEXT flag
if ea < last and not ida_bytes.is_unknown(idaapi.get_full_flags(ea)):
ea = idaapi.find_unknown(ea, idaapi.SEARCH_DOWN)
while ea != idaapi.BADADDR and ea < last:
yield ea
ea = idaapi.find_unknown(ea, idaapi.SEARCH_DOWN)
def postprocess_action(self):
self._plugin.logger.debug("postprocess_action()")
if len(self.actions):
name, ea = self.actions.pop()
if name == "MakeUnknown":
flags = ida_bytes.get_full_flags(ea)
if ida_bytes.is_unknown(flags):
self._send_packet(evt.MakeUnknown(ea))
elif name == "MakeCode":
flags = ida_bytes.get_full_flags(ea)
if ida_bytes.is_code(flags):
self._send_packet(evt.MakeCodeEvent(ea))
def is_dummy_name_by_addr(addr):
name = idc.get_name(addr)
dummyList = {
"", "sub_", "locret_", "loc_", "off_", "seg_", "asc_", "byte_",
"word_", "dword_", "qword_", "byte3_", "xmmword", "_ymmword_",
"packreal_", "flt_", "dbl_", "tbyte_", "stru_", "custdata_",
"algn_", "unk_"
}
if ida_bytes.is_unknown(ida_bytes.get_full_flags(addr)):
return True
for items in dummyList:
if name.startswith(items):
return True
return False
def is_unknown(va):
return ida_bytes.is_unknown(idc.get_full_flags(va))
def dump_heads(out):
# out is a file like object, sys.stdout or an acual file object
# There doesn't seem to a good way to determine what function a
# particular address is in. Almost everyone recommends iterating
# of the functions, and then getting the bytes out of each, but
# that's not really what we want because it skips non function
# bytes and reports them in the wrong order. It appears that the
# best we can do is to build a map in advance. :-(
a2fmap = build_a2fmap()
min_ea = idaapi.cvar.inf.minEA
max_ea = idaapi.cvar.inf.maxEA
ea = min_ea
while ea != ida_idaapi.BADADDR:
ida_auto.show_addr(ea)
isize = ida_bytes.get_item_size(ea)
ibytes = ida_bytes.get_bytes(ea, isize)
ihexbytes = binascii.b2a_hex(ibytes).upper()
iflags = ida_bytes.get_flags(ea)
# Skip the PE header?
if not ida_bytes.is_head(iflags):
ea = ida_bytes.next_head(ea, max_ea)
continue
# Loop up this address in the address-to-function map.
if ea in a2fmap:
faddrs = a2fmap[ea]
else:
faddrs = [ea]
tcode = "ERROR"
imnem = "???"
iops = "???"
if ida_bytes.is_code(iflags):
tcode = "INSN"
imnem = "???"
iops = "???"
insn = idautils.DecodeInstruction(ea)
if insn == None:
imnem = "BAD"
iops = ""
elif not insn.is_canon_insn():
imnem = "NCAN"
iops = ""
else:
imnem = insn.get_canon_mnem()
sops = []
for n in range(8):
ostr = ida_ua.print_operand(ea, n)
if ostr is not None:
ostrnt = ida_lines.tag_remove(ostr)
if ostrnt != '':
sops.append(ostrnt)
iops = ', '.join(sops)
elif ida_bytes.is_data(iflags):
tcode = "DATA"
imnem = "db"
iops = "???"
if ida_bytes.is_align(iflags):
tcode += "_ALIGN"
#elif ida_bytes.is_struct(iflags):
# tcode += "_STRUCT"
#elif ida_bytes.is_char(iflags):
# tcode += "_STR"
# There are other types that IDA recognizes.
elif ida_bytes.is_unknown(iflags):
tcode = "UNK-%08X" % iflags
imnem = "???"
iops = "???"
for faddr in sorted(faddrs):
out.write('"PART",0x%08X,"%s",0x%08X,"%s","%s","%s"\n' %
(ea, tcode, faddr, ihexbytes, imnem, iops))
ea = ida_bytes.next_head(ea, max_ea)
print "Analysis complete!"
def apply_signatures(self, start_addr: int, end_addr: int) -> None:
total_objs = len(self._signatures)
idaapi.msg('Applying obj symbols...\n')
objs_list = dict()
for sig in self._signatures:
bytes_data = sig.get_sig()
low_entropy = (not bytes_data.is_bios_call()) and (sig.get_entropy() < self.min_entropy)
labels = sig.get_labels()
search_addr = start_addr
while search_addr < end_addr:
addr, _ = masked_search(search_addr, end_addr, bytes_data.get_bytes(), bytes_data.get_masks())
if addr == idaapi.BADADDR:
break
if not sig.is_applied():
objs_list[sig.get_name()] = (addr, sig.get_entropy())
for lb in labels:
lb_name = lb[0]
lb_offs = lb[1]
if lb_name == '': # removed label
continue
lb_addr = addr + lb_offs
if ida_bytes.is_unknown(ida_bytes.get_flags(lb_addr) and not low_entropy and not (sig.is_applied() and self.only_first)):
ida_auto.auto_make_code(lb_addr)
is_func = not lb_name.startswith('loc_')
new_name = '%s_' % sig.get_name().replace('.', '_')
new_lb_name = lb_name.replace('text_', new_name).replace('loc_', new_name)
new_lb_name = ('_%s' % new_lb_name) if ('0' <= new_lb_name[0] <= '9') else new_lb_name
if not low_entropy and not (sig.is_applied() and self.only_first) and not self.has_non_default_name(lb_addr, new_lb_name):
SigApplier.set_function(lb_addr, new_lb_name, is_func, False)
idaapi.msg('Symbol %s at 0x%08X\n' % (new_lb_name, lb_addr))
else:
prev_comment = ida_bytes.get_cmt(lb_addr, False)
prev_comment = ('%s\n' % prev_comment) if prev_comment else ''
new_comment = 'Possible %s/%s' % (sig.get_name(), new_lb_name)
if prev_comment.find(new_comment) == -1:
ida_bytes.set_cmt(lb_addr, '%s%s' % (prev_comment, new_comment), False)
idaapi.msg('Possible symbol %s at 0x%08X\n' % (new_lb_name, lb_addr))
sig.set_applied(True)
search_addr = addr + 4
idaapi.msg('Applied OBJs for %s: %d/%d:\n' % (self.short_lib_name, len(objs_list), total_objs))
for k, v in objs_list.items():
idaapi.msg('\t0x%08X: %s, %.02f entropy\n' % (v[0], k, v[1]))