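def activate(self, ctx):
    """Dispatch the Hex-Rays context-menu action this handler was registered for.

    Args:
        ctx: IDA action activation context; `ctx.widget` (IDA 7) or
            `ctx.form` (older IDA) is used to locate the pseudocode view.

    Returns:
        int: 1 when the action was handled, 0 when `self.action` is not one
        of the handled actions or no pseudocode view is available.
    """
    if self.action == ACTION_HX_REMOVERETTYPE:
        if IDA7:
            vdui = idaapi.get_widget_vdui(ctx.widget)
        else:
            vdui = idaapi.get_tform_vdui(ctx.form)
        # get_widget_vdui()/get_tform_vdui() return None when the widget is
        # not a pseudocode view; bail out instead of dereferencing None.
        if vdui is None:
            return 0
        self.remove_rettype(vdui)
        vdui.refresh_ctext()
    elif self.action == ACTION_HX_COPYEA:
        ea = idaapi.get_screen_ea()
        if ea != idaapi.BADADDR:
            copy_to_clip("0x%X" % ea)
            print("Address 0x%X has been copied to clipboard" % ea)
    elif self.action == ACTION_HX_COPYNAME:
        if IDA7:
            highlight = idaapi.get_highlight(idaapi.get_current_viewer())
            # get_highlight() returns None when nothing is highlighted;
            # indexing it unconditionally raised TypeError.
            name = highlight[0] if highlight else None
        else:
            name = idaapi.get_highlighted_identifier()
        if name:
            copy_to_clip(name)
            print("%s has been copied to clipboard" % name)
    elif self.action == ACTION_HX_GOTOCLIP:
        # parse_location() is defined elsewhere; whether it returns BADADDR
        # for unparsable clipboard text is not visible here - TODO confirm
        # and guard before jumping.
        loc = parse_location(clip_text())
        print("Goto location 0x%x" % loc)
        Jump(loc)
    else:
        return 0
    return 1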
def finish_populating_widget_popup(self, form, popup):
    """Attach this plugin's actions to the popup menu of a disassembly or dump view.

    Always attaches ACTION_PASTE, ACTION_DUMPER and ACTION_JMP. The XOR,
    fill-NOP and "Convert/" entries are added only when there is a selection
    or the item under the cursor is larger than one byte; ACTION_SCANVUL is
    added only in disassembly views for the (ARCH, BITS) pairs listed below.

    Args:
        form: the widget whose popup is being populated.
        popup: the popup handle passed through to attach_action_to_popup().
    """
    widget_kind = idaapi.get_widget_type(form)
    if widget_kind not in (idaapi.BWN_DISASM, idaapi.BWN_DUMP):
        return

    def attach(action_name, menu_path=None):
        idaapi.attach_action_to_popup(form, popup, action_name, menu_path)

    attach(ACTION_PASTE)
    attach(ACTION_DUMPER)
    attach(ACTION_JMP)

    begin, finish = idaapi.twinpos_t(), idaapi.twinpos_t()
    view = idaapi.get_current_viewer()
    has_selection = idaapi.read_selection(view, begin, finish)
    if has_selection or idc.get_item_size(idc.get_screen_ea()) > 1:
        attach(ACTION_XORDATA)
        attach(ACTION_FILLNOP)
        for convert_action in ACTION_CONVERT:
            attach(convert_action, "Convert/")

    supported_targets = (
        (idaapi.PLFM_386, 32),
        (idaapi.PLFM_386, 64),
        (idaapi.PLFM_ARM, 32),
    )
    if widget_kind == idaapi.BWN_DISASM and (ARCH, BITS) in supported_targets:
        attach(ACTION_SCANVUL)
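def activate(self, ctx):
    """Dispatch the Hex-Rays context-menu action this handler was registered for.

    The `print` statements were turned into single-argument `print(...)`
    calls, which behave the same on Python 2 and also run on Python 3.

    Args:
        ctx: IDA action activation context; `ctx.widget` (IDA 7) or
            `ctx.form` (older IDA) is used to locate the pseudocode view.

    Returns:
        int: 1 when the action was handled, 0 when `self.action` is not one
        of the handled actions or no pseudocode view is available.
    """
    if self.action == ACTION_HX_REMOVERETTYPE:
        if IDA7:
            vdui = idaapi.get_widget_vdui(ctx.widget)
        else:
            vdui = idaapi.get_tform_vdui(ctx.form)
        # get_widget_vdui()/get_tform_vdui() return None when the widget is
        # not a pseudocode view; bail out instead of dereferencing None.
        if vdui is None:
            return 0
        self.remove_rettype(vdui)
        vdui.refresh_ctext()
    elif self.action == ACTION_HX_COPYEA:
        ea = idaapi.get_screen_ea()
        if ea != idaapi.BADADDR:
            copy_to_clip("0x%X" % ea)
            print("Address 0x%X has been copied to clipboard" % ea)
    elif self.action == ACTION_HX_COPYNAME:
        if IDA7:
            highlight = idaapi.get_highlight(idaapi.get_current_viewer())
            # get_highlight() returns None when nothing is highlighted;
            # indexing it unconditionally raised TypeError.
            name = highlight[0] if highlight else None
        else:
            name = idaapi.get_highlighted_identifier()
        if name:
            copy_to_clip(name)
            print("%s has been copied to clipboard" % name)
    else:
        return 0
    return 1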
def get_ea_from_highlight():
    """Resolve the highlighted identifier in the current viewer to an address.

    Resolution order: the highlighted text as a name; the screen EA when its
    demangled name contains the highlighted text; the first far xref from the
    line under the cursor. Without a highlight, or when nothing resolves, the
    screen EA is returned.

    Returns:
        int: an effective address (never None).
    """
    view = idaapi.get_current_viewer()
    highlight = ida_kernwin.get_highlight(view)
    if not (highlight and highlight[1]):
        return idc.get_screen_ea()

    token = highlight[0]

    # Is the highlighted text itself a known name?
    named_ea = idc.get_name_ea_simple(token)
    if named_ea != idaapi.BADADDR:
        return named_ea

    # Does the demangled name at the cursor contain the highlighted text?
    cursor_ea = idc.get_screen_ea()
    cursor_name = idc.get_name(cursor_ea, idaapi.GN_DEMANGLED)
    if cursor_name and token in cursor_name:
        return cursor_ea

    # Otherwise take the first far xref leaving the line under the cursor.
    place = idaapi.get_custom_viewer_place(view, False)
    if place and len(place) == 3:  # (place_t, x, y)
        line_ea = place[0].toea()
        far_targets = (xref.to for xref in idautils.XrefsFrom(line_ea, ida_xref.XREF_FAR))
        first_far = next(far_targets, None)
        if first_far is not None:
            return first_far

    # No valid name anywhere: fall back to the current screen ea.
    return idc.get_screen_ea()
def get_highlighted_identifier():
    """Return the highlighted identifier, bridging old and new IDAPython APIs.

    Uses idaapi.get_highlighted_identifier() where it exists; otherwise reads
    idaapi.get_highlight() on the current viewer and returns its text only
    when the second tuple element is truthy. Returns None when nothing
    qualifies.
    """
    if hasattr(idaapi, "get_highlighted_identifier"):
        return idaapi.get_highlighted_identifier()
    highlight = idaapi.get_highlight(idaapi.get_current_viewer())
    if highlight and highlight[1]:
        return highlight[0]
    return None
def get_selected_text():
    """
    Get the highlight text. If none, force IDA copy text and we will get from clipboard

    Returns:
        str: the highlighted text; else the clipboard contents after IDA's own
        Ctrl-C "Copy" action ran; else the clipboard text as it was on entry.
    """
    old_text = clip_text()
    text = ""

    view = idaapi.get_current_viewer()
    if view:
        highlight = ida_kernwin.get_highlight(view)
        if highlight and highlight[1]:
            text = highlight[0]
    if text:
        return text

    # Nothing is highlighted: trigger each enabled, Ctrl-C-bound "Copy"
    # action and read the clipboard back, stopping once its contents change.
    for action in idaapi.get_registered_actions():
        if "Copy" not in action:
            continue
        shortcut = idaapi.get_action_shortcut(action)
        state = idaapi.get_action_state(action)
        if "Ctrl-C" in shortcut and state and state[0] and state[1] <= idaapi.AST_ENABLE:
            idaapi.process_ui_action(action)
            text = clip_text()
            if text != old_text:
                break

    if not text:
        plg_print("Could not get any highlight/auto copied text\n"
                  "Search with old clipboard text: '%s'" % old_text)
        text = old_text
    return text
def jump_to_line(ea, line, col):
    """Jump to `ea`, then move the current viewer's cursor to a given line/column.

    Args:
        ea: address to jump to first.
        line: simpleline index assigned to the cloned place's `n`.
        col: x position passed to jumpto().

    The y position handed to jumpto() is fixed at 10; the reason is not
    visible here.
    """
    idc.Jump(ea)
    viewer = idaapi.get_current_viewer()
    current_place, _x, _y = idaapi.get_custom_viewer_place(viewer, False)
    target = idaapi.place_t_as_simpleline_place_t(current_place.clone())
    target.n = line
    idaapi.jumpto(viewer, target, col, 10)
def selection(cls):
    '''Return the current address range of whatever is selected

    Returns:
        tuple: (head of the first selected item, tail of the last selected
        item), as computed by _database.address.head()/tail().

    Raises:
        internal.exceptions.DisassemblerError: if the viewer has no selection.
    '''
    view = idaapi.get_current_viewer()
    start, stop = idaapi.twinpos_t(), idaapi.twinpos_t()
    if not idaapi.read_selection(view, start, stop):
        qualified = '.'.join((__name__, cls.__name__))
        raise internal.exceptions.DisassemblerError("{:s}.selection() : Unable to read the current selection.".format(qualified))
    first_place, last_place = start.place(view), stop.place(view)
    return _database.address.head(first_place.ea), _database.address.tail(last_place.ea)
def selection(cls):
    '''Return the current address range of whatever is selected

    Returns:
        internal.interface.bounds_t: built from the two selection endpoints
        after passing them through internal.interface.address.inside().

    Raises:
        internal.exceptions.DisassemblerError: if the viewer has no selection.
    '''
    view = idaapi.get_current_viewer()
    start, stop = idaapi.twinpos_t(), idaapi.twinpos_t()
    if not idaapi.read_selection(view, start, stop):
        qualified = '.'.join((__name__, cls.__name__))
        raise internal.exceptions.DisassemblerError(u"{:s}.selection() : Unable to read the current selection.".format(qualified))
    first_place, last_place = start.place(view), stop.place(view)
    # address.inside() is defined elsewhere; presumably it normalises both
    # endpoints to the database - confirm before relying on the exact bounds.
    lower, upper = internal.interface.address.inside(first_place.ea, last_place.ea)
    return internal.interface.bounds_t(lower, upper)
def symbol(cls):
    '''Return the current highlighted symbol name.

    Before IDA 7.0 this is idaapi.get_highlighted_identifier(). On 7.0+ the
    current viewer's highlight is read; its text is returned when the second
    tuple element is truthy, otherwise the raw get_highlight() result (a tuple
    or None) is returned unchanged.
    '''
    if idaapi.__version__ < 7.0:
        return idaapi.get_highlighted_identifier()

    # IDA 7.0 way of getting the currently selected text
    viewer = idaapi.get_current_viewer()
    highlighted = idaapi.get_highlight(viewer)
    has_symbol = bool(highlighted and highlighted[1])
    return highlighted[0] if has_symbol else highlighted
def finish_populating_widget_popup(self, form, popup):
    """Add the Go helper actions to the popup of a disassembly or dump view.

    GOLANG_FUNC, GOLANG_STRING and RENAME_POINTER are attached only when the
    viewer has a selection or the item under the cursor is wider than a byte.

    Args:
        form: the widget whose popup is being populated.
        popup: the popup handle passed through to attach_action_to_popup().
    """
    widget_kind = idaapi.get_widget_type(form)
    if widget_kind not in (idaapi.BWN_DISASM, idaapi.BWN_DUMP):
        return

    begin, finish = idaapi.twinpos_t(), idaapi.twinpos_t()
    view = idaapi.get_current_viewer()
    has_selection = idaapi.read_selection(view, begin, finish)
    if not has_selection and idc.get_item_size(idc.get_screen_ea()) <= 1:
        return

    for action_name in (GOLANG_FUNC, GOLANG_STRING, RENAME_POINTER):
        idaapi.attach_action_to_popup(form, popup, action_name, None)
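def activate(self, ctx):
    """Overwrite the selected byte range, or the item under the cursor, with NOPs.

    The range is [start, end): the viewer selection extended by the size of
    the item at its end, or the single item at the screen EA. Every byte is
    patched to 0x90, all bytes but the first are hidden so the run collapses
    to one listing line, and runs longer than one byte (including hidden NOPs
    immediately following the range) get a "truncated nops (N)" comment.

    Args:
        ctx: IDA action activation context (unused).

    Returns:
        int: 1 when bytes were patched, 0 when there was nothing valid to patch.
    """
    t0, t1, view = idaapi.twinpos_t(), idaapi.twinpos_t(), idaapi.get_current_viewer()
    if idaapi.read_selection(view, t0, t1):
        start, end = t0.place(view).toea(), t1.place(view).toea()
        # Looks like the end position marks the last selected item rather
        # than the byte after it, hence the extension - confirm.
        end += idaapi.get_item_size(end)
    else:
        start = idaapi.get_screen_ea()
        if start == idaapi.BADADDR:
            print('Easy Nop :: Screen EA == idaapi.BADADDR')
            return 0
        end = start + idaapi.get_item_size(start)

    if start == idaapi.BADADDR:
        print('Easy Nop :: Selection EA == idaapi.BADADDR')
        return 0
    if start == end:
        print('Easy Nop :: Nothing to nop')
        return 0

    # NOTE: 0x90 is the x86/x64 single-byte NOP; other processors need a
    # different encoding. Maybe there's a smarter way to get the nop value
    # for different archs e.g. Assemble('nop') -> 0x90
    nop = 0x90
    for ea in range(start, end):
        idaapi.patch_byte(ea, nop)

    # Hide every byte but the first so the run shows as a single line.
    for ea in range(start + 1, end):
        idaapi.hide_item(ea)
    # Must do this else it bugs out on 2x 1 byte instructions being nopped
    idaapi.hide_item(start)
    idaapi.unhide_item(start)

    # Search for hidden nops directly after the range and add them to the count.
    while idaapi.get_byte(end) == nop and idaapi.is_hidden_item(end):
        end += 1

    count = end - start
    if count > 1:
        idaapi.set_cmt(start, "truncated nops (%d)" % (count), False)
    # The original printed the bare `end` and `start` values (leftover debug
    # output); report the patched range in the plugin's own message style.
    print('Easy Nop :: Patched 0x%X - 0x%X (%d bytes)' % (start, end, count))
    return 1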
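def handle_set_vtable_range(self):
    """Set the vtable range of the class being edited from the listing selection.

    Does nothing when no class is being edited, when the selection cannot be
    read, when either endpoint is BADADDR, when the range is reversed, or
    when neither endpoint is the screen EA. Ranges longer than 0x1000 bytes
    require confirmation. ValueError from set_vtable_range() is shown as an
    IDA warning.
    """
    if self.edit_class is None:
        return

    p0 = idaapi.twinpos_t()
    p1 = idaapi.twinpos_t()
    view = idaapi.get_current_viewer()
    if not idaapi.read_selection(view, p0, p1):
        idaapi.warning('Please, select region in ida dissasembler')
        # The original fell through here and read p0/p1 even though
        # read_selection() had not filled them in; stop instead.
        return

    ea0 = p0.place(view).ea
    ea1 = p1.place(view).ea

    # Check selection
    if ea0 == idc.BADADDR or ea1 == idc.BADADDR:
        return
    if ea0 > ea1:
        return
    if ea0 != idc.get_screen_ea() and ea1 != idc.get_screen_ea():
        return

    # Warning for large ranges
    if (ea1 - ea0) > 0x1000:
        if not util.ask_yes_no('Warning: The VTable range is longer than 0x1000 bytes. Continue?', False):
            return

    try:
        self.edit_class.set_vtable_range(ea0, ea1)
        self.update_fields()
    except ValueError as e:
        idaapi.warning(str(e))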
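def run(self, arg):
    """Look up the highlighted identifier on MSDN online and open the first hit.

    Args:
        arg: plugin run argument (unused).

    Returns:
        None. Returns early when nothing is highlighted or the optional
        `feedparser` package is not installed.

    The `print` statements were turned into single-argument `print(...)`
    calls, which behave the same on Python 2 and also run on Python 3.
    """
    viewer = idaapi.get_current_viewer()
    highlight = ida_kernwin.get_highlight(viewer)
    # get_highlight() returns None when nothing is highlighted; the original
    # indexed it unconditionally and raised TypeError in that case.
    ident = highlight[0] if highlight else None
    if not ident:
        print("No identifier was highlighted")
        return

    import webbrowser
    try:
        import feedparser
    except ImportError:  # was a bare except, which also swallowed KeyboardInterrupt etc.
        idaapi.warning('Feedparser package not installed')
        return

    ident = self.sanitize_name(ident)
    print("Looking up '%s' in MSDN online" % ident)
    # NOTE: the identifier leaves the analysis host over plain HTTP and is
    # interpolated into the query string unencoded. sanitize_name() is
    # defined elsewhere - confirm it URL-encodes the value (urllib quote).
    feed = feedparser.parse("http://social.msdn.microsoft.com/Search/Feed.aspx?locale=en-us&format=RSS&Query=%s" % ident)
    if feed['entries']:
        webbrowser.open_new_tab(feed['entries'][0].link)
    else:
        print("API documentation not found for: %s" % ident)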
def fun():
    """Switch the current viewer to the flat (text) renderer, TCCRT_FLAT."""
    current_view = idaapi.get_current_viewer()
    idaapi.set_view_renderer_type(current_view, idaapi.TCCRT_FLAT)
def get_highlighted_identifier():
    """Return the highlighted text of the current viewer when its flag element is set.

    Returns None when there is no highlight or the second element of the
    get_highlight() tuple is falsy.
    """
    current = idaapi.get_highlight(idaapi.get_current_viewer())
    if not current:
        return None
    text, flag = current[0], current[1]
    return text if flag else None
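def F**k():
    """Open the file registered in funcDB for the highlighted name, if any.

    Calls InitFn() first, then looks the highlighted text up in funcDB and
    hands the mapped path to os.startfile(). Returns None when nothing is
    highlighted or the name is not in funcDB.
    """
    InitFn()
    highlight = idaapi.get_highlight(idaapi.get_current_viewer())
    # get_highlight() returns None when nothing is highlighted; the original
    # unpacked it unconditionally and raised TypeError in that case.
    if not highlight:
        return
    name = highlight[0]
    if name in funcDB:
        # os.startfile() launches the path with the OS default handler; the
        # paths therefore come from funcDB only, never from the highlight.
        os.startfile(funcDB[name], 'open')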
def activate(self, ctx):
    """Dispatch the data-manipulation actions of this handler.

    Handles four action groups:
      * ACTION_CONVERT[0..9]: print the selected bytes (or the multi-byte
        item under the cursor) as an escaped string, hex string, C array
        (char/short/int/long) or Python list (byte/word/dword/qword).
      * ACTION_XORDATA: ask for a value, XOR the bytes with its low byte and
        print the repr() of the result (the database is not modified).
      * ACTION_FILLNOP: patch the selection with 0x90 bytes (x86 NOP).
      * ACTION_SCANVUL: walk every function whose name contains "printf" in
        .text/.plt/.idata, run self.check_fmt_function() on each code xref
        and show the hits in a VulnChoose chooser.

    Args:
        ctx: IDA action activation context (unused).

    Returns:
        1 when the action was handled; 0 for an unknown action; False when a
        convert/xor action has neither a selection nor a multi-byte item.
    """
    if self.action in ACTION_CONVERT:
        # convert
        t0, t1, view = idaapi.twinpos_t(), idaapi.twinpos_t(), idaapi.get_current_viewer()
        if idaapi.read_selection(view, t0, t1):
            start, end = t0.place(view).toea(), t1.place(view).toea()
            # NOTE(review): size is end - start, so the item at the selection's
            # end position is not included (compare the NOP-fill helper
            # elsewhere on this page, which adds get_item_size(end)) - confirm.
            size = end - start
        elif idc.get_item_size(idc.get_screen_ea()) > 1:
            start = idc.get_screen_ea()
            size = idc.get_item_size(start)
            end = start + size
        else:
            return False
        # get_bytes() may return None for unreadable ranges; `if data:` below
        # skips the dump in that case.
        data = idc.get_bytes(start, size)
        if isinstance(data, str):
            # python2 compatibility
            data = bytearray(data)
        # The symbol at `start` names the generated C array; "data" otherwise.
        name = idc.get_name(start, idc.GN_VISIBLE)
        if not name:
            name = "data"
        if data:
            print("\n[+] Dump 0x%X - 0x%X (%u bytes) :" % (start, end, size))
            if self.action == ACTION_CONVERT[0]:
                # escaped string
                print('"%s"' % "".join("\\x%02X" % b for b in data))
            elif self.action == ACTION_CONVERT[1]:
                # hex string
                print("".join("%02X" % b for b in data))
            elif self.action == ACTION_CONVERT[2]:
                # C array
                output = "unsigned char %s[%d] = {" % (name, size)
                for i in range(size):
                    if i % 16 == 0:
                        output += "\n "
                    output += "0x%02X, " % data[i]
                # strip the trailing ", " before closing the initializer
                output = output[:-2] + "\n};"
                print(output)
            elif self.action == ACTION_CONVERT[3]:
                # C array word; pad so the last (possibly odd) element is complete
                data += b"\x00"
                array_size = (size + 1) // 2
                output = "unsigned short %s[%d] = {" % (name, array_size)
                for i in range(0, size, 2):
                    if i % 16 == 0:
                        output += "\n "
                    output += "0x%04X, " % u16(data[i:i + 2])
                output = output[:-2] + "\n};"
                print(output)
            elif self.action == ACTION_CONVERT[4]:
                # C array dword; pad up to 3 bytes for a partial last element
                data += b"\x00" * 3
                array_size = (size + 3) // 4
                output = "unsigned int %s[%d] = {" % (name, array_size)
                for i in range(0, size, 4):
                    if i % 32 == 0:
                        output += "\n "
                    output += "0x%08X, " % u32(data[i:i + 4])
                output = output[:-2] + "\n};"
                print(output)
            elif self.action == ACTION_CONVERT[5]:
                # C array qword; pad up to 7 bytes for a partial last element
                data += b"\x00" * 7
                array_size = (size + 7) // 8
                output = "unsigned long %s[%d] = {" % (name, array_size)
                for i in range(0, size, 8):
                    if i % 32 == 0:
                        output += "\n "
                    output += "%#018X, " % u64(data[i:i + 8])
                output = output[:-2] + "\n};"
                # "%#018X" yields a "0X" prefix; normalise it to "0x"
                print(output.replace("0X", "0x"))
            elif self.action == ACTION_CONVERT[6]:
                # python list
                print("[%s]" % ", ".join("0x%02X" % b for b in data))
            elif self.action == ACTION_CONVERT[7]:
                # python list word
                data += b"\x00"
                print("[%s]" % ", ".join("0x%04X" % u16(data[i:i + 2]) for i in range(0, size, 2)))
            elif self.action == ACTION_CONVERT[8]:
                # python list dword
                data += b"\x00" * 3
                print("[%s]" % ", ".join("0x%08X" % u32(data[i:i + 4]) for i in range(0, size, 4)))
            elif self.action == ACTION_CONVERT[9]:
                # python list qword
                data += b"\x00" * 7
                print("[%s]" % ", ".join("%#018X" % u64(data[i:i + 8]) for i in range(0, size, 8)).replace("0X", "0x"))
    elif self.action == ACTION_XORDATA:
        t0, t1, view = idaapi.twinpos_t(), idaapi.twinpos_t(), idaapi.get_current_viewer()
        if idaapi.read_selection(view, t0, t1):
            start, end = t0.place(view).toea(), t1.place(view).toea()
        else:
            if idc.get_item_size(idc.get_screen_ea()) > 1:
                start = idc.get_screen_ea()
                end = start + idc.get_item_size(start)
            else:
                return False
        # NOTE(review): unlike the convert branch, a None result from
        # get_bytes() is not guarded here and would fail in the join below.
        data = idc.get_bytes(start, end - start)
        if isinstance(data, str):
            # python2 compatibility
            data = bytearray(data)
        x = idaapi.ask_long(0, "Xor with...")
        if x:
            # only a single-byte key is used
            x &= 0xFF
            print("\n[+] Xor 0x%X - 0x%X (%u bytes) with 0x%02X:" % (start, end, end - start, x))
            print(repr("".join(chr(b ^ x) for b in data)))
    elif self.action == ACTION_FILLNOP:
        t0, t1, view = idaapi.twinpos_t(), idaapi.twinpos_t(), idaapi.get_current_viewer()
        if idaapi.read_selection(view, t0, t1):
            start, end = t0.place(view).toea(), t1.place(view).toea()
            # Modifies the database: 0x90 is the x86/x64 NOP, so this is
            # only meaningful on x86 targets.
            idaapi.patch_bytes(start, b"\x90" * (end - start))
            print("\n[+] Fill 0x%X - 0x%X (%u bytes) with NOPs" % (start, end, end - start))
    elif self.action == ACTION_SCANVUL:
        print("\n[+] Finding Format String Vulnerability...")
        found = []
        for addr in idautils.Functions():
            name = idc.get_func_name(addr)
            # `"v" not in name` presumably excludes the v*printf variants,
            # but it also skips any printf-like name containing a "v".
            if "printf" in name and "v" not in name and idc.get_segm_name(addr) in (".text", ".plt", ".idata"):
                xrefs = idautils.CodeRefsTo(addr, False)
                for xref in xrefs:
                    # check_fmt_function() is defined elsewhere on the class;
                    # a truthy result is collected as a finding.
                    vul = self.check_fmt_function(name, xref)
                    if vul:
                        found.append(vul)
        if found:
            print("[!] Done! %d possible vulnerabilities found." % len(found))
            ch = VulnChoose("Vulnerability", found, None, False)
            ch.Show()
        else:
            print("[-] No format string vulnerabilities found.")
    else:
        return 0
    return 1
def viewer(cls):
    '''Return the current viewer.'''
    current = idaapi.get_current_viewer()
    return current
def cb(user_data, notification_code, va_list):
    '''
    example hook_cb_t function that handles custom viewer hints.

    Args:
        user_data (ctypes.c_void_p): context supplied to callback registration
        notification_code (int): one of the UI_NOTIFICATIONS enum values
        va_list (ctypes.c_void_p): varargs that must be manually parsed

    Returns:
        int: see notification code documentation for interpretation
            (1 when a hint was written, 0 otherwise)

    Notes:
        - This is a closure that expects to have `self` available from the
          enclosing scope, where `self.dll` exposes the IDA library routines
          `qstrncpy` and `replace_tabs` used below.
        - Handles UI_GET_EA_HINT (writes the current timestamp into the
          caller's buffer) and UI_GET_CUSTOM_VIEWER_HINT (writes
          "<ea>: <timestamp>" for disassembly listings only).
    '''
    # this function is called *a lot*, so don't do any heavy lifting
    # until you know its the event you want.

    # ctypes doesn't support varargs in callback functions.
    # so, we need to parse the remaining arguments ourselves.
    #
    # on windows, varargs are sequential stack locations.
    # so, lets access the members like an array of ints/pointers.
    #
    # WARNING: the following section that manually parses varargs is
    # probably architecture and platform dependent!
    va_list = ctypes.cast(va_list, c_long_p)

    if notification_code == UI_NOTIFICATIONS.UI_GET_EA_HINT:
        # ea is just a number:
        #
        #     typedef uint32 ea_t
        #
        # via: https://www.hex-rays.com/products/ida/support/sdkdoc/pro_8h.html#a7b0aeaed04e477c02cf8ea3452002d1a
        ea = va_list[0]
        buf = ctypes.cast(va_list[1], ctypes.c_char_p)
        bufsize = va_list[2]
        print('ui_get_ea_hint:')
        print('>.. notification code: %s' % (notification_code))
        print('>.. ea: %s' % (hex(ea)))
        print('>.. buf: %s' % (buf))
        print('>.. bufsize: %s' % (hex(bufsize)))
        the_hint = datetime.datetime.now().isoformat(' ')
        # qstrncpy is bounded by the bufsize IDA handed us, so the hint cannot
        # overrun the caller's buffer.
        # NOTE(review): the_hint is a str; ctypes.c_char_p requires bytes on
        # Python 3, so as written this looks Python 2-only - confirm.
        self.dll.qstrncpy(buf, ctypes.c_char_p(the_hint), bufsize)
        print('<.. buf: %s' % (buf))
        return 1
    elif notification_code == UI_NOTIFICATIONS.UI_GET_CUSTOM_VIEWER_HINT:
        viewer = ctypes.cast(va_list[0], c_long_p)
        place = ctypes.cast(va_list[1], c_long_p)
        important_lines = ctypes.cast(va_list[2], c_long_p)
        hint = ctypes.cast(va_list[3], c_char_pp)
        if not place:
            print('ui_get_custom_viewer_hint: invalid place')
            return 0
        print('ui_get_custom_viewer_hint:')
        print('>.. notification code: %s' % (notification_code))
        print('>.. important lines: %s %s' % (important_lines, important_lines.contents))
        print('>.. hint: %s %s' % (hint, hint.contents))

        # so, we'd like to fetch the EA of the current view.
        # ideally, we'd do:
        #
        #     ea = place.toea()
        #
        # but `place` is a raw c++ object pointer, and ctypes isn't that smart.
        # next best would be to do something like:
        #
        #     place = self.dll.get_custom_viewer_place(viewer);
        #
        # however, this doesn't work because `get_custom_viewer_place` is not an exported routine.
        # it seems to be part of the IDA SDK static lib to which plugins link.
        #
        # next best would be to use `idaapi.get_custom_viewer_place`:
        #
        #     place = idaapi.get_custom_viewer_place(viewer);
        #
        # but, this doesn't work because we're mixing a ctypes pointer with a swig function.
        # so, we'll fall back to querying the current viewer, and fetching the place from there.

        # let's only display for disassembly listings
        #
        # i only know how to test the view/form type using the `get_tform_type` function.
        # therefore, we'll first query the current tform, and subsequently the current custom_viewer.
        tform = idaapi.get_current_tform()
        if idaapi.get_tform_type(tform) != idaapi.BWN_DISASM:
            return 0

        # the ctypes `viewer` pointer from the varargs is replaced by the
        # swig-wrapped current viewer (see the discussion above).
        viewer = idaapi.get_current_viewer()

        # `place` is a tuple (though technically, a list), with elements:
        #   - place_t proxy
        #   - x position in characters
        #   - y position in characters from top of screen/form (-1 in graph view)
        place, x, y = idaapi.get_custom_viewer_place(viewer, True)

        the_hint = '0x%08X: %s' % (place.toea(), datetime.datetime.now().isoformat(' '))
        # tell IDA how many lines of the hint are "important"
        important_lines[0] = ctypes.c_long(1)

        # we don't have access to the qstring c++ class methods,
        # so we'll use a dummy routine to correctly set our qstring contents.
        # `replace_tabs` assigns from a char * to a qstring *.
        #
        # relevant idasdk documentation:
        #
        #     idaman THREAD_SAFE bool ida_export
        #     replace_tabs (
        #         qstring *out,
        #         const char *str,
        #         int tabsize)
        # NOTE(review): same str-vs-bytes caveat for c_char_p as above.
        self.dll.replace_tabs(hint, ctypes.c_char_p(the_hint), 4)
        print('<.. important lines: %s %s' % (important_lines, important_lines.contents))
        print('<.. hint: %s %s' % (hint, hint.contents))
        return 1

    # any other notification is not ours to handle
    return 0
def get_highlight():
    """Return the highlighted text of the current viewer, or '' when none qualifies.

    The text is returned only when the second element of the get_highlight()
    tuple is truthy; an absent highlight yields the empty string.
    """
    current = idaapi.get_highlight(idaapi.get_current_viewer())
    if current and current[1]:
        return current[0]
    return ''