def singleStep(segfault_addr):
# add breakpoint on segfault addr
idc.AddBpt(segfault_addr)
# move debugger
idc.GetDebuggerEvent(idc.WFNE_SUSP | idc.WFNE_CONT, -1)
rip = idc.GetRegValue("RIP")
# now single step through segfault code
while True:
# print instruction
addr = idc.GetRegValue("RIP")
disasm = idc.GetDisasm(addr)
msg = "{}: {}".format(hex(addr), disasm)
# step through loaded code
idc.StepInto()
idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
addr = idc.GetRegValue("RIP")
if addr < begin or addr > (begin + size):
break
idc.DelBpt(segfault_addr)
def tracing():
global PRE_ADDR
event = idc.GetDebuggerEvent(idc.WFNE_ANY, -1)
if event <= 1:
idc.RunTo(idc.BeginEA())
idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
idc.EnableTracing(idc.TRACE_STEP, 1)
idc.GetDebuggerEvent(idc.WFNE_ANY | idc.WFNE_CONT, -1)
while True:
event = idc.GetDebuggerEvent(idc.WFNE_ANY, -1)
if event <= 1:
break
addr = idc.GetEventEa()
print event, "==>", hex(addr)
# judge breakpoint and same addr
if PRE_ADDR != addr:
PRE_ADDR = addr
else: # same addr
if event == idc.BREAKPOINT: # and now is breakpoint
break
current_color = idc.GetColor(addr, idc.CIC_ITEM)
new_color = get_new_color(current_color)
idc.SetColor(addr, idc.CIC_ITEM, new_color)
def get_dbg_brk_linux64():
'''
Return the current brk value in the debugged process (only x86_64 Linux)
'''
#TODO this method is so weird, find a unused address to inject code not the base address
code = ""
code += 'H\xc7\xc0\x0c\x00\x00\x00' #mov rax, sys_brk ; 12
code += 'H1\xff' #xor rdi, rdi
code += '\x0f\x05' #syscall
rax = idc.get_reg_value("rax")
rdi = idc.get_reg_value("rdi")
rip = idc.get_reg_value("rip")
efl = idc.get_reg_value("efl")
base = idaapi.get_imagebase()
#inj = idc.next_head(rip) #skip current instr
inj = base
save = idc.get_bytes(inj, len(code), use_dbg=True)
for i in xrange(len(code)):
idc.patch_dbg_byte(inj + i, ord(code[i]))
#idc.MakeCode(inj)
idc.set_reg_value(inj, "rip")
idaapi.step_into()
idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
idaapi.step_into()
idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
idaapi.step_into()
idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
brk_res = idc.get_reg_value("rax")
idc.set_reg_value(rax, "rax")
idc.set_reg_value(rdi, "rdi")
idc.set_reg_value(rip, "rip")
idc.set_reg_value(efl, "efl")
for i in xrange(len(save)):
idc.patch_dbg_byte(inj + i, ord(save[i]))
save = idc.get_bytes(inj, len(code), use_dbg=True)
#idc.MakeCode(inj)
return brk_res
def get_dbg_brk_linux32():
'''
Return the current brk value in the debugged process (only x86 Linux)
'''
#TODO this method is so weird, find a unused address to inject code not the base address
code = ""
code += '\xb8-\x00\x00\x00' #mov eax, sys_brk ; 45
code += '1\xdb' #xor ebx, ebx
code += '\xcd\x80' #int 0x80
eax = idc.get_reg_value("eax")
ebx = idc.get_reg_value("ebx")
eip = idc.get_reg_value("eip")
efl = idc.get_reg_value("efl")
base = idaapi.get_imagebase()
#inj = idc.next_head(eip) #skip current instr
inj = base
save = idc.get_bytes(inj, len(code), use_dbg=True)
for i in xrange(len(code)):
idc.patch_dbg_byte(inj + i, ord(code[i]))
#idc.MakeCode(inj)
idc.set_reg_value(inj, "eip")
idaapi.step_into()
idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
idaapi.step_into()
idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
idaapi.step_into()
idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
brk_res = idc.get_reg_value("eax")
idc.set_reg_value(eax, "eax")
idc.set_reg_value(ebx, "ebx")
idc.set_reg_value(eip, "eip")
idc.set_reg_value(efl, "efl")
for i in xrange(len(save)):
idc.patch_dbg_byte(inj + i, ord(save[i]))
save = idc.get_bytes(inj, len(code), use_dbg=True)
#idc.MakeCode(inj)
return brk_res
def doStepInto(self):
#print('in doInto')
idaapi.step_into()
idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
cur_addr = idc.GetRegValue(self.PC)
if cur_addr > self.kernel_base:
self.runToUserSpace()
def signalClient(self, norev=False):
start_eip = idc.GetRegValue(self.PC)
#print('signalClient eip was at 0x%x, then after rev 1 0x%x call setAndDisable string is %s' % (start_eip, eip, simicsString))
if norev:
idaapi.step_into()
idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.printRegJson()");')
try:
regs = json.loads(simicsString)
except:
print('failed to get regs from %s' % simicsString)
return
for reg in regs:
r = str(reg.upper())
if r == 'EFLAGS':
r = 'EFL'
#print('set %s to 0x%x' % (r, regs[reg]))
idc.SetRegValue(regs[reg], r)
idc.RefreshDebuggerMemory()
new_eip = idc.GetRegValue(self.PC)
#print('signalClient back from cont new_eip is 0x%x' % new_eip)
if new_eip >= self.kernel_base:
print('in kernel, run to user')
self.updateStackTrace()
def prepare_debug_noui():
target_pid = -1
idaapi.msg("[%s] waiting...\n" % (PLUGNAME))
filename = ida_nalt.get_root_filename()
pis = ida_idd.procinfo_vec_t()
ida_dbg.get_processes(pis)
for proc in pis:
proc_name = proc.name.split(" ")[1]
idx = proc_name.rfind("/")
if idx != -1:
proc_name = proc_name[idx + 1:]
if filename == proc_name:
target_pid = proc.pid
break
if target_pid != -1:
idaapi.msg("[%s] start debug (PID: %d)\n" % (PLUGNAME, target_pid))
ida_dbg.attach_process(target_pid, -1)
idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
ida_dbg.continue_process()
else:
idaapi.msg("[%s] exit waiting\n" % (PLUGNAME))
def __call__(self):
try:
idaapi.continue_process()
idc.GetDebuggerEvent(self.mode, self.flag)
l.debug("Debugger stopped at " + hex(idc.get_reg_value('eip')))
except Exception:
self.exception = True
def _sync_getStatus(self):
status = idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
if status == None:
return Status.NONE
elif status == idc.NOTASK:
return Status.TERMINATED
else:
return Status.RUNNING
def off(self):
idc.StopDebugger()
print('gogo exit')
while not self.exited:
idc.GetDebuggerEvent(idc.WFNE_ANY, 1)
self.unhook()
def WaitForDebugger(self):
'''
Waits for the debugger event (WFNE_CONT | WFNE_SUSP).
Called internally by StartDebugger and AttachDebugger.
Returns None.
'''
idc.GetDebuggerEvent(idc.WFNE_CONT | idc.WFNE_SUSP, -1)
def off(self):
idc.StopDebugger()
print('gogo exit')
while not self.exited:
idc.GetDebuggerEvent(idc.WFNE_ANY, 1)
self.unhook()
idc.DelBpt(self.start_code_ea)
idc.DelBpt(self.ret_pad_ea)
def wait_for_breakpoint():
while True:
x = idc.GetDebuggerEvent(idc.WFNE_SUSP | idc.WFNE_CONT, -1)
if x == idc.DBG_TIMEOUT:
return x
bp_addr = idc.GetEventEa()
if bp_addr not in all_breakpoint:
print "Ignore event at {0}".format(hex(bp_addr))
continue
return all_breakpoint[bp_addr]
def doStepOver(self):
#print('in doStepOver')
idaapi.step_over()
#print('back from step over')
idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
#print('back getDebuggerEvent')
cur_addr = idc.GetRegValue(self.PC)
#print('cur_addr is 0x%x' % cur_addr)
if cur_addr > self.kernel_base:
print('run to user space')
self.runToUserSpace()
def beginAnalysis(self):
if (self.rangeStart == 0) or (self.rangeEnd == 0):
activeFuncScopeAddr = idc.ScreenEA()
self.rangeStart = activeFuncScopeAddr
self.rangeEnd = GetFuncEndAddr(activeFuncScopeAddr)
# begin automatic debugging
while idc.GetRegValue(x64Regs.RIP.value) != self.rangeEnd:
idaapi.step_into()
idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
self.analyseStep()
def prepare_debug_ui(self):
wd = WaitDialog()
idaapi.msg("[%s] waiting...\n" % (PLUGNAME))
wd.thread.start()
wd.exec_()
target_pid = wd.get_target_pid()
if target_pid != -1:
ida_dbg.attach_process(target_pid, -1)
idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
ida_dbg.continue_process()
else:
idaapi.msg("[%s] exit waiting\n" % (PLUGNAME))
def Call(self, function, arguments=[], retaddr=0, block_until_return=True):
'''
Call a given function. Arguments must already be configured.
This should not be used to call functions hooked with IDASimulator or it likely won't work.
@function - The name or address of the function to call.
@arguments - A list of function arguments.
@retaddr - The address to return to.
@block_until_return - If set to True, this method will not return until the function does.
If set to False, this method will return immediately after calling the function.
Returns the return value of the function on success.
Returns None on failure, or if block_until_return is False.
'''
retval = None
# Process should already be paused, but just in case...
idc.PauseProcess()
# If a function name was specified, get its address
if isinstance(function, type('')):
function = idc.LocByName('.' + function)
if function == idc.BADADDR:
function = idc.LocByName(function)
if function != idc.BADADDR:
if not retaddr:
retaddr = self.cpu.ProgramCounter()
# Set the specified function arguments
self.cpu.SetArguments(arguments)
# Do any arch-specific initialization before the function call
self.cpu.PreFunctionCall(function)
# Set up the return address and point the program counter to the start of the target function
self.cpu.ReturnAddress(value=retaddr)
self.cpu.ProgramCounter(value=function)
idc.Jump(function)
if block_until_return:
# Resume process and wait for the target function to return
idc.StepUntilRet()
idc.GetDebuggerEvent(idc.WFNE_CONT | idc.WFNE_SUSP, -1)
idc.Jump(retaddr)
retval = self.cpu.ReturnValue()
else:
idc.ResumeProcess()
return retval
def XXXXXXXXXXXXXXXsignalClient(self, norev=False):
start_eip = idc.GetRegValue(self.PC)
if not norev:
simicsString = gdbProt.Evalx('SendGDBMonitor("@cgc.rev1()");')
eip = gdbProt.getEIPWhenStopped()
if eip is None or not (type(eip) is int or type(eip) is long):
print('signalClient got wrong stuff? %s from getEIP' % str(eip))
return
#print('signalClient eip was at 0x%x, then after rev 1 0x%x call setAndDisable string is %s' % (start_eip, eip, simicsString))
idaapi.step_into()
idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
new_eip = idc.GetRegValue(self.PC)
#print('signalClient back from cont new_eip is 0x%x' % new_eip)
if new_eip >= self.kernel_base:
print('in kernel, run to user')
self.updateStackTrace()
def __init__(self, headless=False, binary_path=None):
'''
Initialize the IdaConcreteTarget. Nothing has to be done if the target is used inside the IDA Debugger but when
using IDA in headless mode (without the GUI) we need to start the debugger by ourselves.
:param :bool headless: headless mode is used when IDA is launched without the GUI
:param :str binary_path: optional path to the binary needed only
Example
To run a script in IDA headless mode use:
> idat.exe -c -A -S"angr_script.py" -t
> idat -c -A -S"angr_script.py" -t
'''
self.headless = headless
if binary_path and not self.headless:
l.warn(
"The binary path is needed only when using IDA in headless mode"
)
if self.headless:
if binary_path is None:
l.warn(
"You should provide a binary path when running IDA in headless mode"
)
self.exit()
idc.SetInputFilePath(binary_path)
l.debug("Running IDA in headless mode. Initializing the debugger")
idaapi.autoWait()
if sys.platform is "win32":
idc.LoadDebugger("win32", 0)
else:
idc.LoadDebugger("linux", 0)
# entry_point = idc.GetLongPrm(INF_START_IP)
# print("adding breakpoint at %x"%(entry_point))
idc.SetInputFilePath(binary_path)
# idc.AddBpt(entry_point)
idc.SetDebuggerOptions(idc.DOPT_START_BPT)
idc.StartDebugger("", "", "")
idc.ResumeProcess()
idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
l.debug("Debugger initialized")
super(IDAConcreteTarget, self).__init__()
def go(addr):
while idc.GetRegValue('eip') != addr:
idc.GetDebuggerEvent(idc.WFNE_CONT | idc.WFNE_SUSP, -1)
def wait_for_next_event(kind, flag):
if idaapi.IDA_SDK_VERSION <= 699:
event = idc.GetDebuggerEvent(kind, flag)
else:
event = ida_dbg.wait_for_next_event(kind, flag)
def ida_continue():
idc.GetDebuggerEvent(idc.WFNE_CONT, 0)
def go(addr):
while True:
idc.GetDebuggerEvent(idc.WFNE_CONT | idc.WFNE_SUSP, -1)
if idc.GetRegValue('eip') == addr:
break
def wait_susp():
while True:
res = idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
if res == idc.WFNE_NOWAIT:
break
def stop_debugger():
idc.StopDebugger()
print('gogo exit')
while not self.exited:
idc.GetDebuggerEvent(idc.WFNE_ANY, 1)
def waitForDebuggerEvent():
return idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
def _sync_stopDebugger(self):
idc.StopDebugger()
idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
def _sync_resume(self):
return idc.GetDebuggerEvent(idc.WFNE_CONT | idc.WFNE_SUSP, -1)
def _sync_wait(self):
return idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
def _sync_stepInto(self):
idc.StepInto()
idc.GetDebuggerEvent(idc.WFNE_SUSP, -1)
