def extractField(self, ofsOrName, idxOrNone=None, size=None):
size = size or self.align
flds = self.fields()
ofs = ofsOrName
fld = None
for x in flds:
if idxOrNone is None:
if x <= ofs and x + flds[x]['size'] > ofs and idxOrNone is None:
fld = x
break
else:
if x == ofsOrName or flds[x]['name'] == ofsOrName:
fld = x
ofs = x + idxOrNone * util.getTypeSize(flds[x]['type'])
break
if fld is None:
raise Exception("Field not found: " + str(ofs))
idc.DelStrucMember(self.id, fld)
cnt = 1
if size > self.align:
cnt = size / self.align
size = self.align
self.mkfld(ofs, size, cnt)
flds = self.fields(True)
self.fixFields()
def delete_all_function_stack_members(func_ea, force=False):
if g_vars["ERASE_STACK_MEMBERS"] or force:
members, base = retrieve_stack_members(func_ea)
stack_id = idc.GetFrame(func_ea)
for k, v in members.items():
if k != base and "arg_" not in v:
idc.DelStrucMember(stack_id, k)
g_functions_stack.add(func_ea.startEA)
def get_function_sid(self, in_stack, local_size=1):
if not in_stack:
return 'create_struct_complex', idc.AddStrucEx(0, 'create_struct_complex', 0)
ea = yaunit.get_next_function(lambda ea : yaunit.has_locals(ea, local_size))
frame = idaapi.get_frame(ea)
self.assertNotEqual(frame, None)
offset = idc.GetFirstMember(frame.id)
while offset != idaapi.BADADDR:
idc.DelStrucMember(frame.id, offset)
offset = idc.GetFirstMember(frame.id)
return ea, frame.id
def clear_struc_fields(self,
struc_id,
struc_size,
xref_keys,
is_union=False,
member_type=ya.OBJECT_TYPE_STRUCT_MEMBER,
name_offset=0):
idc.BeginTypeUpdating(idc.UTP_STRUCT)
last_offset = idc.GetLastMember(struc_id)
# get existing member offsets
field_offsets = set()
for (xref_offset, xref_operand) in xref_keys:
field_offsets.add(xref_offset)
new_offsets = set()
struc = idaapi.get_struc(struc_id)
# create missing members first (prevent from deleting all members)
for offset in field_offsets:
member = idaapi.get_member(struc, offset)
if member is not None and member.soff < offset:
# we have a member above this member that is too big and contain this member
# clear it!
if DEBUG_EXPORTER:
logger.debug(
"reduce field : set_member_type(0x%08X, 0x%08X), overlapping 0x%08X",
struc_id, member.soff, offset)
idaapi.set_member_type(struc, member.soff, idc.FF_BYTE, None,
1)
member = idaapi.get_member(struc, offset)
if member is None or idaapi.get_member_name(member.id) is None:
new_offsets.add(offset)
member_name = YaToolIDATools.get_default_struc_member_name(
member_type, offset, name_offset)
if offset == last_offset and offset == struc_size:
field_size = 0
else:
field_size = 1
if DEBUG_EXPORTER:
logger.debug(
"AddStrucMember(0x%08X, '%s', 0x%08X, idc.FF_BYTE, -1, 0x%08X), name_offset=%d",
struc_id, member_name, offset, field_size, name_offset)
retval = idc.AddStrucMember(struc_id, member_name, offset,
idc.FF_BYTE, -1, field_size)
if retval != 0:
logger.error(
"Error %d with idc.AddStrucMember(0x%08X, '%s', 0x%08X,"
"idc.FF_BYTE, -1, 0x%08X), name_offset=%d", retval,
struc_id, member_name, offset, field_size, name_offset)
elif DEBUG_EXPORTER:
logger.debug("Member exists : (0x%08X, '%s', 0x%08X, 0x%08X)",
struc_id, idc.GetMemberName(struc_id,
offset), offset,
idc.GetMemberSize(struc_id, offset))
kept_offsets = field_offsets - new_offsets
# clear kept members
# split the loop since we will modify the structure while iterating
offsets = set()
for (offset, member_name) in YaToolIDATools.struc_member_list(
struc_id, is_union):
offsets.add(offset)
for offset in offsets:
if offset in kept_offsets:
# This member already existed and is kept
if offset == last_offset and offset == struc_size:
# this is the last field, and it is a variable sized structure
field_size = 0
else:
field_size = 1
if member_type == ya.OBJECT_TYPE_STRUCT_MEMBER:
strucmember_id = self.hash_provider.get_struc_member_id(
struc_id, offset)
elif member_type == ya.OBJECT_TYPE_STACKFRAME_MEMBER:
strucmember_id = self.hash_provider.get_stackframe_member_object_id(
struc_id, offset)
else:
logger.error("Bad member_type : %d" % member_type)
if strucmember_id not in self.strucmember_ids:
# It is not necessary to clear the member if it is presnet in the resolved_objects
if DEBUG_EXPORTER:
logger.debug(
"SetStrucmember(0x%08X, None, 0x%08X, idc.FF_BYTE, -1, 0x%08X, name_offset=%s)",
struc_id, offset, field_size, name_offset)
YaToolIDATools.SetStrucmember(struc_id,
None,
offset,
idc.FF_BYTE,
-1,
field_size,
member_type=member_type,
name_offset=name_offset)
idc.SetMemberComment(struc_id, offset, "", 0)
idc.SetMemberComment(struc_id, offset, "", 1)
elif offset not in new_offsets:
if (member_type != ya.OBJECT_TYPE_STACKFRAME_MEMBER
or not idaapi.is_special_member(
idc.GetMemberId(struc_id, offset))):
if DEBUG_EXPORTER:
logger.debug(
"DelStrucMember(0x%08X, 0x%08X) (=%s:%s)",
struc_id, offset, idc.GetStrucName(struc_id),
idc.GetMemberName(struc_id, offset))
idc.DelStrucMember(struc_id, offset)
else:
# in new_offsets : just created
pass
idc.EndTypeUpdating(idc.UTP_STRUCT)
def supress_exception(cb):
try:
cb()
except:
pass
g_vars["ERASE_STACK_MEMBERS"] = True
supress_exception(find_WdfDriverCreate)
supress_exception(find_WdfIoQueueCreate)
supress_exception(find_WdfDeviceInitSetIoInCallerContextCallback)
supress_exception(find_WdfDeviceCreateDeviceInterface)
supress_exception(find_WdfControlDeviceInitAllocate)
"""
# 00000000167ED lea r8, [rbp+190h+var_170]
lea_addr = 0x167ED
# Get the stack struct
current_func = idaapi.get_func(lea_addr)
stack_id = idc.GetFrame(current_func)
stack_struc = idaapi.get_struc(stack_id)
# Get the stack operand offset value and stack member
stack_member_offset = idc.get_operand_value(lea_addr, 1)
stack_member = stack_struc.get_member(stack_member_offset)
target_struct_id = idaapi.get_struc_id("_WDF_DRIVER_CONFIG")
target_struc = idaapi.get_struc(target_struct_id )
