def main(): start_address = 0x63A79034 # check valid dex header. header = idaapi.dbg_read_memory(start_address, 0x08) if header == "\x64\x65\x78\x0A\x30\x33\x35\x00": dex_size = idaapi.dbg_read_memory(start_address + 0x20, 0x04) file_size = struct.unpack("i", dex_size)[0] dex_data = idaapi.dbg_read_memory(start_address, file_size) file_name = "%s_%08x_%08x.dex" % (GetIdbPath()[:-4], start_address, file_size) file_out = open(file_name, "wb") file_out.write(dex_data) file_out.close() print "Writing buffer %0x(%x) to %s" % (start_address, file_size, file_name) else: print "Invalid dex header."
def Read(addr,size): """ Converts a string to hexadecimal @param path: the string to convert to hexadecimal @return: the hexadecimal representation of a string """ import idaapi import struct byteArray = [] count = 0 while True: byte= idaapi.dbg_read_memory(addr,size) count = count+1 nullTest= struct.unpack("B",byte[0]) if nullTest[0]==0: break; else: byteArray.append(byte[0]) addr = addr+size #print byteArray return byteArray
def Read(addr, size): """ Converts a string to hexadecimal @param path: the string to convert to hexadecimal @return: the hexadecimal representation of a string """ import idaapi import struct byteArray = [] count = 0 while True: byte = idaapi.dbg_read_memory(addr, size) count = count + 1 nullTest = struct.unpack("B", byte[0]) if nullTest[0] == 0: break else: byteArray.append(byte[0]) addr = addr + size #print byteArray return byteArray
def My_freadEnd(self): numBytesRead = idc.GetRegValue("EAX") self.logger.info( "_fread read %d bytes." % (numBytesRead) ) pBuffer = self.tempStack.pop(0) pSize = self.tempStack.pop(0) stream = self.tempStack.pop(0) callerAddr = self.tempStack.pop(0) callerFuncName = self.tempStack.pop(0) threadID = self.tempStack.pop(0) _buffer = idaapi.dbg_read_memory(pBuffer,pSize) self.logger.debug( _buffer) inputLoggingList = [] inputLoggingList.append(pBuffer) inputLoggingList.append(pSize) inputLoggingList.append(_buffer) inputLoggingList.append(stream) inputLoggingList.append(callerAddr) inputLoggingList.append(callerFuncName) inputLoggingList.append(threadID) if numBytesRead > 0: self.logger.info( "_fread succeeded.") self.debuggerInstance.callbackProcessing(inputLoggingList) else: Print ("_fread failed." ) self.logger.info( "_fread failed.") return 0
def My_freadEnd(self): numBytesRead = idc.GetRegValue("EAX") self.logger.info("_fread read %d bytes." % (numBytesRead)) pBuffer = self.tempStack.pop(0) pSize = self.tempStack.pop(0) stream = self.tempStack.pop(0) callerAddr = self.tempStack.pop(0) callerFuncName = self.tempStack.pop(0) threadID = self.tempStack.pop(0) _buffer = idaapi.dbg_read_memory(pBuffer, pSize) self.logger.debug(_buffer) inputLoggingList = [] inputLoggingList.append(pBuffer) inputLoggingList.append(pSize) inputLoggingList.append(_buffer) inputLoggingList.append(stream) inputLoggingList.append(callerAddr) inputLoggingList.append(callerFuncName) inputLoggingList.append(threadID) if numBytesRead > 0: self.logger.info("_fread succeeded.") self.debuggerInstance.callbackProcessing(inputLoggingList) else: Print("_fread failed.") self.logger.info("_fread failed.") return 0
def WSOCK32Bind(self): """ int bind( _In_ SOCKET s, _In_ const struct sockaddr *name, _In_ int namelen ); struct sockaddr_in { short sin_family; u_short sin_port; struct in_addr sin_addr; char sin_zero[8]; }; """ s = Util.GetData(0x4) self.logger.info("WSOCK32Bind: SOCKET is 0x%x" % (s)) sockaddr_name = Util.GetData(0x8) self.logger.info("WSOCK32Bind: sockaddr_name is 0x%x" % (sockaddr_name)) port = struct.unpack(">H", idaapi.dbg_read_memory(sockaddr_name + 0x2, 2)) portName = str(port[0]) self.logger.info("WSOCK32Bind: port value is %s" % (portName)) namelen = Util.GetData(0xC) self.logger.info("WSOCK32Bind: namelen value is %d" % (namelen)) retAddr = Util.GetData(0x0) Print(self.filter['network']) if portName in self.filter['network']: self.tempStack = [] self.tempStack.append(s) self.tempStack.append(portName) idc.AddBpt(retAddr) idc.SetBptAttr(retAddr, idc.BPT_BRK, 0) idc.SetBptCnd(retAddr, "windowsNetworkIO.checkBindEnd()") self.logger.info( "WSOCK32Bind: Netork Filter matched. Adding port to the Handle's dictionary to start logging." ) Print( "Filter matched. Add handle to the handle's dictionary to start logging." ) else: if idc.CheckBpt(retAddr) >= 0: Print("Removing un-needed breakpoint.") self.logger.info("WSOCK32Bind: Removing un-needed breakpoint.") idc.DelBpt(retAddr) self.logger.info("WSOCK32Bind: Network Filter did not match.") return 0
def read_str(ea, max=256): c = '' while True: x = idaapi.dbg_read_memory(ea, 1) ea = ea + 1 max = max - 1 if x == '\0' or max < 0: break c += x return c
def dump_so(start_address, size): fp = open("E:\\dump.so", "wb") #read elf header and decrypt header data = idaapi.dbg_read_memory(start_address, 52) header = decryptso(data, 52) fp.write(header) #read elf program header tables phnum = 9 data = idaapi.dbg_read_memory(start_address + 52, phnum * 32) pht = decryptso(data, phnum * 32) fp.write(pht) #read other part data = data = idaapi.dbg_read_memory(start_address + 52 + phnum * 32, size - phnum * 32 - 52) fp.write(data) fp.close()
def getDbgMemPage(address, length): data = [] L = 0 data.append([ idaapi.dbg_read_memory(address, 0x400 - (address & 0x3ff)), address, 0x400 - (address & 0x3ff) ]) L += data[-1][2] for ea in range((address + 0x400) & (~0x3ff), ((address + length) & (~0x3ff)), 0x400): data.append([idaapi.dbg_read_memory(ea, 0x400), ea, 0x400]) L += 0x400 data.append([ idaapi.dbg_read_memory((address + length) & (~0x3ff), (address + length) & (0x3ff)), (address + length) & (~0x3ff), (address + length) & (0x3ff) ]) L += data[-1][2] assert (L == length) return data
def dump_module(name): module_base = get_module_base(name) if None != module_base: module_size = idc.GetModuleSize(module_base) print '[*] libart.so base=>0x%08X, Size=0x%08X' % (module_base, module_size) data = idaapi.dbg_read_memory(module_base, module_size) fp = open('C:\\Users\\Administrator\\Desktop\\art.so', 'wb+') fp.write(data) fp.close()
def getdexsize(start): pos = start + 0x20 # 在调试模式下才能获取到值 mem = idaapi.dbg_read_memory(pos, 4) # 小端 < # natvie @ 和 = 或者无 # native byteorder # 大端 > 和 !; # data from a sequence, network byteorder size = struct.unpack('<I', mem)[0] print('size is ' + str(hex(size))) print('size is 0x%08x') % (size) return int(size)
def checkBind(self): """ int bind( _In_ SOCKET s, _In_ const struct sockaddr *name, _In_ int namelen ); struct sockaddr_in { short sin_family; u_short sin_port; struct in_addr sin_addr; char sin_zero[8]; }; """ s = Util.GetData(0x4) self.logger.info ("checkBind: SOCKET is 0x%x" % (s)) sockaddr_name = Util.GetData(0x8) self.logger.info ("checkBind: sockaddr_name is 0x%x" % (sockaddr_name)) port = struct.unpack(">H", idaapi.dbg_read_memory(sockaddr_name+0x2,2) ) portName = str(port[0]) self.logger.info ("checkBind: port value is %s" % (portName)) namelen = Util.GetData(0xC) self.logger.info ("checkBind: namelen value is %d" % (namelen)) retAddr = Util.GetData(0x0) Print( self.filter['network'] ) if portName in self.filter['network']: self.tempStack = [] self.tempStack.append(s) self.tempStack.append(portName) idc.AddBpt(retAddr) idc.SetBptAttr(retAddr, idc.BPT_BRK, 0) idc.SetBptCnd(retAddr,"windowsNetworkIO.checkBindEnd()") self.logger.info( "checkBind: Netork Filter matched. Adding port to the Handle's dictionary to start logging.") Print( "Filter matched. Add handle to the handle's dictionary to start logging.") else: if idc.CheckBpt(retAddr) >= 0: Print( "Removing un-needed breakpoint." ) self.logger.info("checkBind: Removing un-needed breakpoint.") idc.DelBpt(retAddr) self.logger.info( "checkBind: Network Filter did not match.") return 0
def DMA(dmau, dmal): DMA_T = (dmal >> 1) & 1 if (DMA_T): MEM_ADDR = (dmau >> 5) << 5 LC_ADDR = (dmal >> 5) << 5 MEM_ADDR |= 0x80000000 DMA_LEN_U = (dmau & 0x1F) << 8 DMA_LEN_L = (dmal >> 2) & 3 LEN = DMA_LEN_U | DMA_LEN_L if (LEN == 0): LEN = 0x80 DMA_LD = (dmal >> 4) & 1 print "DMA: mem = 0x%X, cache = 0x%X, len = 0x%X, LD = %d\n" % ( MEM_ADDR, LC_ADDR, LEN, DMA_LD) if (DMA_LD): buf = idaapi.dbg_read_memory(MEM_ADDR, LEN) for i in range(len(buf)): idaapi.dbg_write_memory(LC_ADDR + i, buf[i]) else: buf = idaapi.dbg_read_memory(LC_ADDR, LEN) for i in range(len(buf)): idaapi.dbg_write_memory(MEM_ADDR + i, buf[i])
def checkRecvEnd(self): s = self.tempStack.pop(0) buf = self.tempStack.pop(0) _len = self.tempStack.pop(0) callerAddr = self.tempStack.pop(0) callerFuncName = self.tempStack.pop(0) threadID = self.tempStack.pop(0) bytesRecv = idc.GetRegValue("EAX") self.logger.info("checkRecvEnd: Number bytes received %d" % bytesRecv) #bytesRecv is the number of bytes returned by the recv function #use it for the logging size #Get the true size of the buffer _buffer = idaapi.dbg_read_memory(buf, bytesRecv) self.logger.debug("checkRecvEnd: buffer is %s" % _buffer) inputLoggingList = [] inputLoggingList.append(buf) inputLoggingList.append(bytesRecv) inputLoggingList.append(_buffer) inputLoggingList.append(s) inputLoggingList.append(callerAddr) inputLoggingList.append(callerFuncName) inputLoggingList.append(threadID) if bytesRecv > 0: self.logger.info("checkRecvEnd: recv succeeded.") if self.socket_dict.has_key(s): self.logger.info("checkRecvEnd: Found socket 0x%x" % s) self.debuggerInstance.callbackProcessing(inputLoggingList) else: self.logger.info( "checkRecvEnd: Cannot find socket socket 0x%x" % s) else: self.logger.error("checkRecvEnd: Recv function failed.") return 0
def checkRecvEnd(self): s = self.tempStack.pop(0) buf = self.tempStack.pop(0) _len = self.tempStack.pop(0) callerAddr = self.tempStack.pop(0) callerFuncName = self.tempStack.pop(0) threadID = self.tempStack.pop(0) bytesRecv = idc.GetRegValue("EAX") self.logger.info( "checkRecvEnd: Number bytes received %d" % bytesRecv ) #bytesRecv is the number of bytes returned by the recv function #use it for the logging size #Get the true size of the buffer _buffer = idaapi.dbg_read_memory(buf,bytesRecv) self.logger.debug( "checkRecvEnd: buffer is %s" % _buffer ) inputLoggingList = [] inputLoggingList.append(buf) inputLoggingList.append(bytesRecv) inputLoggingList.append(_buffer) inputLoggingList.append(s) inputLoggingList.append(callerAddr) inputLoggingList.append(callerFuncName) inputLoggingList.append(threadID) if bytesRecv > 0: self.logger.info( "checkRecvEnd: recv succeeded." ) if self.socket_dict.has_key(s): self.logger.info( "checkRecvEnd: Found socket 0x%x" % s ) self.debuggerInstance.callbackProcessing(inputLoggingList) else: self.logger.info( "checkRecvEnd: Cannot find socket socket 0x%x" % s ) else: self.logger.error( "checkRecvEnd: Recv function failed." ) return 0
def ReadFileEnd(self): """ Monitors the the end of ReadFile function This is the function that will trigger the trace inputLoggingList is past from MyReadFile, which holds are of MyReadFile arguments """ retVal = idc.GetRegValue("EAX") self.logger.info( "Returning from ReadFile... with %d" % retVal ) lpBuffer = self.tempStack.pop(0) lpNumberOfBytesRead = self.tempStack.pop(0) hFile = self.tempStack.pop(0) callerAddr = self.tempStack.pop(0) callerFuncName = self.tempStack.pop(0) threadID = self.tempStack.pop(0) NumberOfBytesRead = idc.DbgDword(lpNumberOfBytesRead) self.logger.info( "NumberOfBytesRead is 0x%x" % NumberOfBytesRead) _buffer = idaapi.dbg_read_memory(lpBuffer,NumberOfBytesRead) self.logger.debug( _buffer ) inputLoggingList = [] inputLoggingList.append(lpBuffer) inputLoggingList.append(NumberOfBytesRead) inputLoggingList.append(_buffer) inputLoggingList.append(hFile) inputLoggingList.append(callerAddr) inputLoggingList.append(callerFuncName) inputLoggingList.append(threadID) if retVal: Print( "ReadFile succeeded." ) self.logger.info( "ReadFile succeeded.") self.debuggerInstance.callbackProcessing(inputLoggingList) else: Print ("ReadFile failed." ) self.logger.info("ReadFile failed.") return 0
def ReadFileEnd(self): """ Monitors the the end of ReadFile function This is the function that will trigger the trace inputLoggingList is past from MyReadFile, which holds are of MyReadFile arguments """ retVal = idc.GetRegValue("EAX") self.logger.info("Returning from ReadFile... with %d" % retVal) lpBuffer = self.tempStack.pop(0) lpNumberOfBytesRead = self.tempStack.pop(0) hFile = self.tempStack.pop(0) callerAddr = self.tempStack.pop(0) callerFuncName = self.tempStack.pop(0) threadID = self.tempStack.pop(0) NumberOfBytesRead = idc.DbgDword(lpNumberOfBytesRead) self.logger.info("NumberOfBytesRead is 0x%x" % NumberOfBytesRead) _buffer = idaapi.dbg_read_memory(lpBuffer, NumberOfBytesRead) self.logger.debug(_buffer) inputLoggingList = [] inputLoggingList.append(lpBuffer) inputLoggingList.append(NumberOfBytesRead) inputLoggingList.append(_buffer) inputLoggingList.append(hFile) inputLoggingList.append(callerAddr) inputLoggingList.append(callerFuncName) inputLoggingList.append(threadID) if retVal: Print("ReadFile succeeded.") self.logger.info("ReadFile succeeded.") self.debuggerInstance.callbackProcessing(inputLoggingList) else: Print("ReadFile failed.") self.logger.info("ReadFile failed.") return 0
def main(): address = AskAddr(BADADDR, "Enter address: ") if address == BADADDR: print "Invalid address." return size = AskLong(0, "Enter size: ") if size == 0: print "Invalid size." return print "Range: ", hex(address), hex(size) buffer = idaapi.dbg_read_memory(address, size) if (len(buffer)) != 0: output_file = os.path.join(os.path.dirname(GetIdbPath()), "dump_%08x_%08x.bin" % (address, size)) with open(output_file, "wb") as f: f.write(buffer) print "Saved data success", output_file
def get_sreg_base_x64(name): sdb = idaapi.dbg_get_thread_sreg_base(idc.GetCurrentThreadId(), int(getattr(cpu, name))) if not sdb: for n in xrange(idaapi.get_segm_qty()): seg = idaapi.getnseg(n) sgname = idaapi.get_segm_name(seg, 0) if sgname.startswith('TIB['): _sdb = seg.startEA + 0x1000 sdb_self = int( base64.b16encode( idaapi.dbg_read_memory(_sdb + 0x30, 8)[::-1]), 16) if (sdb_self == _sdb): sdb = _sdb print("\nwarning: the segname:%s is zero,I give %016x" % (name, sdb)) break if not sdb: print( "\n\nwarning: the segname:%s is zero, U need set it by yourself\n" % (name)) return sdb
def dumpMemoryToFile(start_addr, size, filename): data = idaapi.dbg_read_memory(start_addr, size) fp = open(filename, 'wb') fp.write(data) fp.close()
def test_readwrite(): ea = cpu.Eip buf = idaapi.dbg_read_memory(ea, 5) print "read: ", [hex(ord(x)) for x in buf] idaapi.dbg_write_memory(ea, buf)
def writeMem(binfile, regs): segm = {} for n in xrange(idaapi.get_segm_qty()): seg = idaapi.getnseg(n) if seg: count = 0 h = '' while (idaapi.get_segm_name(seg, 0) + h) in segm.keys(): count += 1 h = str(count) name = idaapi.get_segm_name(seg, 0) + h address = seg.startEA length = seg.endEA - seg.startEA db_data = idaapi.dbg_read_memory(address, length) if db_data: print('ok ', name, seg.flags, length, 'bytes', length / 1024, 'kb') segm[name] = [address, length, db_data] else: print('faild', name, seg.flags, length, 'bytes', length / 1024, 'kb') pass nameoffset_p = 0 dataoffset_p = 0 all_ab_name = 0 register_names = { 16: 'rax', 24: 'rcx', 32: 'rdx', 40: 'rbx', 48: 'rsp', 56: 'rbp', 64: 'rsi', 72: 'rdi', 80: 'r8', 88: 'r9', 96: 'r10', 104: 'r11', 112: 'r12', 120: 'r13', 128: 'r14', 136: 'r15', 144: 'cc_op', 152: 'cc_dep1', 160: 'cc_dep2', 168: 'cc_ndep', 176: 'd', 184: 'rip', 192: 'ac', 200: 'id', 208: 'fs', 216: 'sseround', 224: 'ymm0', 256: 'ymm1', 288: 'ymm2', 320: 'ymm3', 352: 'ymm4', 384: 'ymm5', 416: 'ymm6', 448: 'ymm7', 480: 'ymm8', 512: 'ymm9', 544: 'ymm10', 576: 'ymm11', 608: 'ymm12', 640: 'ymm13', 672: 'ymm14', 704: 'ymm15', 736: 'ymm16', 768: 'ftop', 776: 'mm0', 784: "mm1", 792: "mm2", 800: "mm3", 808: "mm4", 816: "mm5", 824: "mm6", 832: "mm7", 840: 'fptag', 848: 'fpround', 856: 'fc3210', 864: 'emnote', 872: 'cmstart', 880: 'cmlen', 888: 'nraddr', 904: 'gs', 912: 'ip_at_syscall' } registers = { 'rax': (16, 8), 'eax': (16, 4), 'ax': (16, 2), 'al': (16, 1), 'ah': (17, 1), 'rcx': (24, 8), 'ecx': (24, 4), 'cx': (24, 2), 'cl': (24, 1), 'ch': (25, 1), 'rdx': (32, 8), 'edx': (32, 4), 'dx': (32, 2), 'dl': (32, 1), 'dh': (33, 1), 'rbx': (40, 8), 'ebx': (40, 4), 'bx': (40, 2), 'bl': (40, 1), 'bh': (41, 1), 'rsp': (48, 8), 'sp': (48, 8), 'esp': (48, 4), 'rbp': (56, 8), 'bp': (56, 8), 'ebp': (56, 4), 'rsi': (64, 8), 'esi': (64, 4), 'si': (64, 2), 'sil': (64, 1), 'sih': (65, 1), 'rdi': (72, 8), 'edi': (72, 4), 'di': (72, 2), 'dil': (72, 1), 'dih': (73, 1), 'r8': (80, 8), 'r9': (88, 8), 'r10': (96, 8), 'r11': (104, 8), 'r12': (112, 8), 'r13': (120, 8), 'r14': (128, 8), 'r15': (136, 8), 'cc_op': (144, 8), 'cc_dep1': (152, 8), 'cc_dep2': (160, 8), 'cc_ndep': (168, 8), 'd': (176, 8), 'dflag': (176, 8), 'rip': (184, 8), 'ip': (184, 8), 'pc': (184, 8), 'ac': (192, 8), 'acflag': (192, 8), 'id': (200, 8), 'idflag': (200, 8), 'fs': (208, 8), 'fs_const': (208, 8), 'sseround': (216, 8), 'ymm0': (224, 32), 'xmm0': (224, 16), 'ymm1': (256, 32), 'xmm1': (256, 16), 'ymm2': (288, 32), 'xmm2': (288, 16), 'ymm3': (320, 32), 'xmm3': (320, 16), 'ymm4': (352, 32), 'xmm4': (352, 16), 'ymm5': (384, 32), 'xmm5': (384, 16), 'ymm6': (416, 32), 'xmm6': (416, 16), 'ymm7': (448, 32), 'xmm7': (448, 16), 'ymm8': (480, 32), 'xmm8': (480, 16), 'ymm9': (512, 32), 'xmm9': (512, 16), 'ymm10': (544, 32), 'xmm10': (544, 16), 'ymm11': (576, 32), 'xmm11': (576, 16), 'ymm12': (608, 32), 'xmm12': (608, 16), 'ymm13': (640, 32), 'xmm13': (640, 16), 'ymm14': (672, 32), 'xmm14': (672, 16), 'ymm15': (704, 32), 'xmm15': (704, 16), 'ymm16': (736, 32), 'xmm16': (736, 16), 'ftop': (768, 4), 'fpreg': (776, 64), 'fpu_regs': (776, 64), 'mm0': (776, 8), 'mm1': (784, 8), 'mm2': (792, 8), 'mm3': (800, 8), 'mm4': (808, 8), 'mm5': (816, 8), 'mm6': (824, 8), 'mm7': (832, 8), 'fptag': (840, 8), 'fpu_tags': (840, 8), 'fpround': (848, 8), 'fc3210': (856, 8), 'emnote': (864, 4), 'cmstart': (872, 8), 'cmlen': (880, 8), 'nraddr': (888, 8), 'gs': (904, 8), 'gs_const': (904, 8), 'ip_at_syscall': (912, 8) } for regAddress in regs: INT = regs[regAddress] regName = register_names[regAddress] size = registers[regName][1] if size == 1: db_data = struct.pack("<B", INT) elif size == 2: db_data = struct.pack("<H", INT) elif size == 4: db_data = struct.pack("<I", INT) elif size == 8: db_data = struct.pack("<Q", INT) elif size == 16: db_data = struct.pack("<QQ", int(INT & 0xffffffffffffffff), int(INT >> 64)) elif size == 32: db_data = struct.pack("<QQQQ", INT & 0xffffffffffffffff, (INT >> 64) & 0xffffffffffffffff, (INT >> 128) & 0xffffffffffffffff, INT >> 192) else: continue segm['registers' + str(regAddress)] = [regAddress, len(db_data), db_data] for name in segm: address, length, db_data = segm[name] ab_name = (name + '\x00').encode('utf-8') all_ab_name += len(ab_name) for name in segm: address, length, db_data = segm[name] ab_name = (name + '\x00').encode('utf-8') nameoffset = len(segm) * 32 + nameoffset_p dataoffset = len(segm) * 32 + all_ab_name + dataoffset_p db1 = struct.pack("<Q", nameoffset) db2 = struct.pack("<Q", address) db3 = struct.pack("<Q", length) db4 = struct.pack("<Q", dataoffset) binfile.write(db1) binfile.write(db2) binfile.write(db3) binfile.write(db4) nameoffset_p += len(ab_name) dataoffset_p += length for name in segm: address, length, db_data = segm[name] ab_name = (name + '\x00').encode('utf-8') binfile.write(ab_name) for name in segm: address, length, db_data = segm[name] binfile.write(db_data)
import idaapi start_address = 0x4B68A0 data_length = 662 data = idaapi.dbg_read_memory(start_address, data_length) fp = open('dump1.pyc', 'wb') fp.write(data) fp.close()
def read_dword(ea): val = int(binascii.hexlify(idaapi.dbg_read_memory(ea, 4)), 16) r = (val & 0xff) << 24 | (val & 0xff00) << 8 | (val & 0xff0000) >> 8 | ( val & 0xff000000) >> 24 return r
def read_bool(ea): val = int(binascii.hexlify(idaapi.dbg_read_memory(ea, 1)), 16) return val
def readMemory(address, size): if idaapi.dbg_can_query(): val = idaapi.dbg_read_memory(address, size) return val return None
def writeMem(self, binfile): regs = self.getRegs() segm = self.init_segm_mem() idaapi.refresh_debugger_memory() print( "+-------------------+----------------------+--------------------+----------+--------+" ) print( "| segment | VA | size | flag | status |" ) print( "+-------------------+----------------------+--------------------+----------+--------+" ) for n in xrange(idaapi.get_segm_qty()): seg = idaapi.getnseg(n) if seg: name = Dump.getSegName(seg, segm) address = seg.startEA length = seg.endEA - seg.startEA db_data = idaapi.dbg_read_memory(address, length) print("| %-17s | %18x | %8x -> %5dkb| %2d | " % (name, address, length, length / 1024, seg.flags), end="") if db_data: segm[name] = [address, length, db_data] print('ok |') length = len(db_data) segm[name] = [address, length, db_data] else: if (length >= 0x400): print( "war |\n+-------------------+----------------------+--------------------+----------+--------+" ) data = Dump.getDbgMemPage(address, length) data.append([b"", 0, 0]) is_unmap = False tmp = b'' begin = address fbegin = address fsize = 0 for i, d in enumerate(data): db, ea, size = d if is_unmap: if db: # 0 1 is_unmap = False begin = ea tmp = db print( "| %-17s | %18x | %8x -> %5dkb| %2d | faild |" % (name, fbegin, fsize, fsize / 1024, seg.flags)) else: # 0 0 fsize += size if (i == len(data) - 1): print( "| %-17s | %18x | %8x -> %5dkb| %2d | faild |" % (name, fbegin, fsize, fsize / 1024, seg.flags)) pass else: if db: # 1 1 is_unmap = False tmp += db else: # 1 0 fbegin = ea fsize = size is_unmap = True if tmp: name = Dump.getSegName(seg, segm) segm[name] = [begin, len(tmp), tmp] print( "| %-17s | %18x | %8x -> %5dkb| %2d | ok |" % (name, begin, len(tmp), len(tmp) / 1024, seg.flags)) else: print( "| %-17s | %18x | %8x -> %5dkb| %2d | faild |" % (name, fbegin, fsize, fsize / 1024, seg.flags)) break print( "+-------------------+----------------------+--------------------+----------+--------+" ) else: print(' faild') continue print( "+-------------------+----------------------+--------------------+----------+--------+" ) # GetBptQty() GetBptEA(n): nameoffset_p = 0 dataoffset_p = 0 all_ab_name = 0 for regAddress in regs: INT = regs[regAddress] regName = self.register_names[regAddress] size = self.registers[regName][1] up = None if INT < 0: up = lambda x: x.lower() else: up = lambda x: x try: if size == 1: db_data = struct.pack(up("<B"), INT) elif size == 2: db_data = struct.pack(up("<H"), INT) elif size == 4: db_data = struct.pack(up("<I"), INT) elif size == 8: db_data = struct.pack(up("<Q"), INT) elif size == 16: db_data = struct.pack(up("<QQ"), int(INT & 0xffffffffffffffff), int(INT >> 64)) elif size == 32: db_data = struct.pack(up("<QQQQ"), INT & 0xffffffffffffffff, (INT >> 64) & 0xffffffffffffffff, (INT >> 128) & 0xffffffffffffffff, INT >> 192) else: continue segm['registers' + str(regAddress)] = [regAddress, len(db_data), db_data] print(" (%-10s IR_offset: %-5d) (regValue: %-32x nb: %2d) " % (regName, regAddress, (INT), len(db_data))) except Exception as e: print("-=1-=1-=1-=1- error:", e, regName, hex(INT), size, "-=1-=1-=1-=1- ") def find_segm(va, length, bpt_l): global BPNORMAL for ea, bptype, hwtype_hwsize, code in bpt_l: if va <= ea and ea < va + length: if bptype == BPNORMAL: yield (code, ea - va) bpt_list = [i for i in Breakpoints()] for name in segm: address, length, db_data = segm[name] ab_name = (name + '\x00').encode('utf-8') all_ab_name += len(ab_name) # 将软件断点pass掉 len_db_data = len(db_data) for code, offset in find_segm(address, length, bpt_list): db_data = db_data[:offset] + struct.pack( up("<H"), code) + db_data[offset + 2:] segm[name] = [address, length, db_data] assert (len(db_data) == len_db_data) print("bkp found: address: %x code: %s" % (address + offset, base64.b16encode(struct.pack(up("<H"), code)))) for name in segm: address, length, db_data = segm[name] ab_name = (name + '\x00').encode('utf-8') nameoffset = len(segm) * 32 + nameoffset_p dataoffset = len(segm) * 32 + all_ab_name + dataoffset_p db1 = struct.pack("<Q", nameoffset) db2 = struct.pack("<Q", address) db3 = struct.pack("<Q", length) db4 = struct.pack("<Q", dataoffset) self.mem_mmap[name] = [address, dataoffset, length] binfile.write(db1) binfile.write(db2) binfile.write(db3) binfile.write(db4) nameoffset_p += len(ab_name) dataoffset_p += length for name in segm: address, length, db_data = segm[name] ab_name = (name + '\x00').encode('utf-8') binfile.write(ab_name) for name in segm: address, length, db_data = segm[name] binfile.write(db_data)
import idaapi idtr_str = Eval('SendDbgCommand("r idtr")') idtr = long(idtr_str[5:-1], 16) print "idtr = 0x%x" % idtr i = 256 for i in range(0, 256): buf = idaapi.dbg_read_memory(idtr + 16 * i, 16) isr = 0 isr = isr + (ord(buf[11]) << (8 * 7)) isr = isr + (ord(buf[10]) << (8 * 6)) isr = isr + (ord(buf[9]) << (8 * 5)) isr = isr + (ord(buf[8]) << (8 * 4)) isr = isr + (ord(buf[7]) << (8 * 3)) isr = isr + (ord(buf[6]) << (8 * 2)) isr = isr + (ord(buf[1]) << (8 * 1)) isr = isr + (ord(buf[0]) << (8 * 0)) #for j in range(6,12): # isr = isr+(ord(buf[j]) << (8*(j-4))) #for j in range(0,2): # isr = isr+(ord(buf[j]) << (8*(j))) print "isr %x address = 0x" % i, hex(isr) idc.MakeCode(isr) idc.MakeFunction(isr) MakeNameEx(isr, str('mISR_') + hex(i).upper(), SN_NOWARN)
def dumpdex(start, size, target): rawdex = idaapi.dbg_read_memory(start, size) fd = open(target, 'wb') fd.write(rawdex) fd.close()
while (True): Go() PC = GetRegValue("PC") if (PC == DMAU): dmau = GetRegValue("R0") elif (PC == DMAL): dmal = GetRegValue("R0") DMA(dmau, dmal) elif (PC == CRC): R3 = GetRegValue("R3") R4 = GetRegValue("R4") print "DUMP: 0x%X 0x%X" % (R3, R4) data = idaapi.dbg_read_memory(R3, R4) f.write(data) else: break f.close()
def writeMem(self, binfile): regs = self.getRegs() segm = self.init_segm_mem() for n in xrange(idaapi.get_segm_qty()): seg = idaapi.getnseg(n) if seg: count = 0 h = '' while (idaapi.get_segm_name(seg, 0) + h) in segm.keys(): count += 1 h = str(count) name = idaapi.get_segm_name(seg, 0) + h address = seg.startEA length = seg.endEA - seg.startEA db_data = idaapi.dbg_read_memory(address, length) if db_data: print('ok ', name, seg.flags, length, 'bytes', length / 1024, 'kb') segm[name] = [address, length, db_data] else: print('faild', name, seg.flags, length, 'bytes', length / 1024, 'kb') pass nameoffset_p = 0 dataoffset_p = 0 all_ab_name = 0 for regAddress in regs: INT = regs[regAddress] regName = self.register_names[regAddress] size = self.registers[regName][1] try: if size == 1: db_data = struct.pack("<B", INT) elif size == 2: db_data = struct.pack("<H", INT) elif size == 4: db_data = struct.pack("<I", INT) elif size == 8: db_data = struct.pack("<Q", INT) elif size == 16: db_data = struct.pack("<QQ", int(INT & 0xffffffffffffffff), int(INT >> 64)) elif size == 32: db_data = struct.pack("<QQQQ", INT & 0xffffffffffffffff, (INT >> 64) & 0xffffffffffffffff, (INT >> 128) & 0xffffffffffffffff, INT >> 192) else: continue segm['registers' + str(regAddress)] = [regAddress, len(db_data), db_data] print(" (%-10s : %-5d) (%-x) (%d)" % (regName, regAddress, (INT), len(db_data))) except Exception as e: print("--------- error:", e, regName, hex(INT), size, "--------- ") for name in segm: address, length, db_data = segm[name] ab_name = (name + '\x00').encode('utf-8') all_ab_name += len(ab_name) for name in segm: address, length, db_data = segm[name] ab_name = (name + '\x00').encode('utf-8') nameoffset = len(segm) * 32 + nameoffset_p dataoffset = len(segm) * 32 + all_ab_name + dataoffset_p db1 = struct.pack("<Q", nameoffset) db2 = struct.pack("<Q", address) db3 = struct.pack("<Q", length) db4 = struct.pack("<Q", dataoffset) binfile.write(db1) binfile.write(db2) binfile.write(db3) binfile.write(db4) nameoffset_p += len(ab_name) dataoffset_p += length for name in segm: address, length, db_data = segm[name] ab_name = (name + '\x00').encode('utf-8') binfile.write(ab_name) for name in segm: address, length, db_data = segm[name] binfile.write(db_data)
import idaapi def fn_f9(): idaapi.continue_process() GetDebuggerEvent(WFNE_SUSP | WFNE_CONT, -1) i = 1 while (1): fn_f9() while (1): file_name = "d:\\" + str(i) if os.path.exists(file_name): i = i + 1 else: break r1 = GetRegValue("R1") r2 = GetRegValue("R2") data = idaapi.dbg_read_memory(r1, r2) fp = open(file_name, 'wb') fp.write(data) fp.close()
def read_data(ea, size): return idaapi.dbg_read_memory(ea, size)
def getdexlen(start): pos = start + 0x20 mem = idaapi.dbg_read_memory(pos, 4) len = struct.unpack('<I', mem)[0] # print 'len is ' + str(hex(len)) return int(len)
def dump_dex(start_address, size): data = idaapi.dbg_read_memory(start_address, size) fp = open('E:\\dump.dex', 'wb') fp.write(data) fp.close()