コード例 #1
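 def _collect_data(self, collect_args):
     """Append each known string referenced by one function item.

     ``collect_args["func_item"]`` is the address whose outgoing data
     references are walked. A reference is used only if it is listed in
     ``self._string_addresses`` and IDA reports a string type for it.

     The text is read from the analysed binary, so treat every entry of
     ``self._list_of_strings`` as untrusted data.
     """
     for data_ref in idautils.DataRefsFrom(collect_args["func_item"]):
         if data_ref not in self._string_addresses:
             continue
         str_type = idc.GetStringType(data_ref)
         if str_type is None:
             # No string item here. Appending anyway would either reuse the
             # text from a previous reference or fail on an unbound local.
             continue
         self._list_of_strings.append(idc.GetString(data_ref, -1, str_type))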
コード例 #2
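 def _collect_data(self, collect_args):
     """Count how often each known string is referenced by one function item.

     ``collect_args["func_item"]`` is the address whose outgoing data
     references are walked. A reference is counted only if it is listed in
     ``self._string_addresses`` and IDA reports a string type for it.

     The keys of ``self._string_counters`` are read from the analysed
     binary, so treat them as untrusted data.
     """
     for data_ref in idautils.DataRefsFrom(collect_args["func_item"]):
         if data_ref not in self._string_addresses:
             continue
         # One lookup is enough; the type is reused for the read below.
         str_type = idc.GetStringType(data_ref)
         if str_type is None:
             continue
         string = idc.GetString(data_ref, -1, str_type)
         # NOTE(review): if GetString fails and returns None, the None key is
         # counted as well - confirm that is intended.
         if string not in self._string_counters:
             self._string_counters[string] = 0
         self._string_counters[string] += 1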
コード例 #3
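def CompileTextFromRange(start, end, sep):
    """Join the strings referenced by every function from start to end.

    Walks the functions beginning at ``start`` with ``idc.NextFunction``
    until the address passes ``end``. For each item of each function it
    follows the outgoing data references and keeps those that IDA types as
    0 (C string) or 3 (read with ``idc.ASCSTR_UNICODE``).

    Each kept string is emitted as ``" " + sep + " " + string``; the result
    is the concatenation of all such pieces, or ``""`` when none is found.
    The text comes from the analysed binary and is not sanitised here.
    """
    pieces = []
    x = start
    while x <= end:
        for item_ea in idautils.FuncItems(x):
            for d in idautils.DataRefsFrom(item_ea):
                # Query type and content once per reference rather than on
                # every test and again on every append.
                str_type = idc.GetStringType(d)
                if str_type == 0:
                    text = idc.GetString(d)
                elif str_type == 3:
                    text = idc.GetString(d, -1, idc.ASCSTR_UNICODE)
                else:
                    continue
                if text:
                    pieces.append(" " + sep + " " + text)
        # presumably NextFunction returns an address above ``end`` once the
        # last function is passed, which ends the loop - confirm.
        x = idc.NextFunction(x)
    # A single join avoids rebuilding the result string on every append.
    return "".join(pieces)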
コード例 #4
ファイル: strings.py プロジェクト: zu1kbackup/go_parser
def create_string(addr, string_len):
    """Define a string item of ``string_len`` bytes at ``addr`` in the database.

    Returns True when ``idc.MakeStr`` succeeds, either directly or after the
    range has been undefined with ``idc.MakeUnknown``. Returns False when the
    address has no segment or both attempts fail.

    The statement order matters: ``idc.GetString(addr)`` is read again after
    ``MakeUnknown`` has changed the database, so its result must not be cached.

    NOTE(review): nothing visible here checks that ``addr + string_len`` stays
    inside the segment. A bogus length taken from a malformed binary would
    undefine that whole range - confirm the callers validate it.
    """
    # if idaapi.get_segm_name(addr) is None:
    if idc.get_segm_name(addr) is None:
        # An address outside every segment cannot hold a string item.
        common._debug(
            'Cannot load a string which has no segment - not creating string @ 0x%02x'
            % addr)
        return False

    common._debug('Found string load @ 0x%x with length of %d' %
                  (addr, string_len))
    # This may be overly aggressive if we found the wrong area...
    # A string item already exists here with a different length: undefine the
    # range so it can be redefined with the requested length.
    if idc.GetStringType(addr) is not None and idc.GetString(
            addr) is not None and len(idc.GetString(addr)) != string_len:
        common._debug(
            'It appears that there is already a string present @ 0x%x' % addr)
        idc.MakeUnknown(addr, string_len, idc.DOUNK_SIMPLE)
        idaapi.autoWait()

    # First attempt: only when no string can currently be read at addr.
    if idc.GetString(addr) is None and idc.MakeStr(addr, addr + string_len):
        idaapi.autoWait()
        return True
    else:
        # If something is already partially analyzed (incorrectly) we need to MakeUnknown it
        idc.MakeUnknown(addr, string_len, idc.DOUNK_SIMPLE)
        idaapi.autoWait()
        # Second attempt on the freshly undefined range.
        if idc.MakeStr(addr, addr + string_len):
            idaapi.autoWait()
            return True
        common._debug('Unable to make a string @ 0x%x with length of %d' %
                      (addr, string_len))

    return False
コード例 #5
    def visit_expr(self, i):
        """
        From FLARE article
        Search for dw1234 = GetProcAddress("LoadLibrary")

        When the call's second argument is a C string and the call result is
        assigned (optionally through a cast) to a global, the global is
        recorded in ``self.results`` and renamed after the string.

        The new name is text read from the analysed binary, so it is
        untrusted. NOTE(review): the result of ``idc.MakeName`` is not
        checked, so a rejected name goes unnoticed - confirm that is
        acceptable.

        Always returns 0.
        """
        if i.op != idaapi.cot_call:
            return 0

        # Only calls whose target is named GetProcAddress are of interest.
        if idc.Name(i.x.obj_ea) != "GetProcAddress":
            return 0

        # ASCSTR_C == 0: the second argument has to be a C string.
        name_ea = i.a[1].obj_ea
        if idc.GetStringType(name_ea) != 0:
            return 0
        targetName = idc.GetString(name_ea, -1, 0)

        # Step up to the enclosing expression, skipping one cast if present.
        parent = self.cfunc.body.find_parent_of(i)
        if parent.op == idaapi.cot_cast:
            parent = self.cfunc.body.find_parent_of(parent)

        if parent.op == idaapi.cot_asg:
            # The left-hand side (x) of the assignment is the global to name.
            dest_ea = parent.cexpr.x.obj_ea
            self.results[targetName] = dest_ea
            idc.MakeName(dest_ea, targetName)

        return 0
コード例 #6
def is_string(ea):
    """Return True if the item containing ``ea`` has a string type in IDA.

    The type is queried on the item head, so an address in the middle of a
    string item gives the same answer as the item's first byte.
    """
    head = idaapi.get_item_head(ea)
    return idc.GetStringType(head) is not None
コード例 #7
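def CompileTextFromFunction(f, sep):
    """Join the C strings referenced from the function at ``f``.

    For each item of the function, the outgoing data references are
    followed and those typed 0 (C string) with non-empty content are kept.
    Each kept string is emitted as ``" " + sep + " " + string``; the result
    is the concatenation of those pieces, or ``""`` when none is found.

    The text comes from the analysed binary and is not sanitised here.
    """
    pieces = []
    for item_ea in idautils.FuncItems(f):
        for d in idautils.DataRefsFrom(item_ea):
            if idc.GetStringType(d) != 0:
                continue
            # Read the content once and reuse it for the test and the append.
            text = idc.GetString(d)
            if text:
                pieces.append(" " + sep + " " + text)
    # A single join avoids rebuilding the result string on every append.
    return "".join(pieces)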
コード例 #8
ファイル: kordesiiidautils.py プロジェクト: jpsnyder/kordesii
def get_string(ea):
    """
    Read the string located at ``ea`` using the type IDA reports for it.

    :param ea: starting address of string

    :return: whatever ``idc.GetString`` returns for that address and type

    NOTE(review): the type is passed on unchecked; confirm how ``GetString``
    behaves when no string is defined at ``ea`` and the type is None.
    """
    return idc.GetString(ea, strtype=idc.GetStringType(ea))
コード例 #9
ファイル: aqualung.py プロジェクト: daeken/daebrain
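    def ADR(self, mnem, ops):
        """Translate an ADR instruction into a ``dest = value;`` statement.

        ``ops[0]`` is the destination operand and ``ops[1]`` a symbol name.
        If the symbol resolves to a C string (string type 0), the value is
        that string rendered as a double-quoted literal; otherwise the symbol
        name is used as is. ``mnem`` is not used.
        """
        out = self.processOp(ops[0], out=True)
        addr = idc.LocByName(ops[1])
        str_type = idc.GetStringType(addr)
        if str_type == 0:
            data = self.ida.getString(addr)
            # repr() replaces the backtick form, which Python 3 rejects as a
            # syntax error; on Python 2 the two are the same operation.
            # The prepended "'" makes repr() pick double quotes, and [2:-1]
            # strips that quote pair and the helper character again.
            # NOTE(review): text containing a double quote makes repr() use
            # single quotes, so the slice no longer lines up. The text comes
            # from the analysed binary, so that case can occur.
            data = '"%s"' % repr("'" + data)[2:-1]
        else:
            data = ops[1]

        return '%s = %s;' % (out, data)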
コード例 #10
def get_string(ea):
    """Return the non-empty string defined at ``ea``.

    Raises ``NoString`` when IDA reports no string type for the address, or
    when the string read with that type is empty or None.
    """
    kind = idc.GetStringType(ea)
    text = None if kind is None else idc.GetString(ea, strtype=kind)

    # An untyped address and an empty read are reported the same way.
    if not text:
        raise NoString("No string at 0x{:08X}".format(ea))

    return text
コード例 #11
ファイル: ida_api.py プロジェクト: yangfan6888/Karta
    def stringAt(self, ea):
        """Return the string found at the given address, whatever its type.

        Args:
            ea (int): effective address of the wanted string

        Return Value:
            The value read by ``idc.GetString`` using the type IDA reports
            for ``ea``, or None when no string type is defined there
        """
        kind = idc.GetStringType(ea)
        return None if kind is None else idc.GetString(ea, -1, kind)
コード例 #12
ファイル: Stingray.py プロジェクト: trietptm/Stingray
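    def __init__(self, xref, addr):
        """Capture the string at ``addr`` together with the xref that led to it.

        Raises ``StringParsingException`` when IDA reports no string type for
        ``addr`` or the type code falls outside ``String.ASCSTR``.

        The stored text is read from the analysed binary; treat it as
        untrusted data.
        """
        str_type = idc.GetStringType(addr)
        # GetStringType returns None when no string is defined. Ordering
        # None against an int only works on Python 2 and raises TypeError
        # on Python 3, so None is rejected explicitly first.
        if str_type is None or str_type < 0 or str_type >= len(String.ASCSTR):
            raise StringParsingException()

        CALC_MAX_LEN = -1  # let IDA work out the string length itself

        self.xref = xref
        self.addr = addr
        self.type = str_type
        # NOTE(review): str() turns a failed read (None) into the text
        # 'None' - confirm whether that case needs handling.
        self.string = str(idc.GetString(addr, CALC_MAX_LEN, str_type))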
コード例 #13
def get_string_ref(ea=None):
    # from https://gist.github.com/w4kfu/4252f4c19be573eaaecceb76e1dc0c1c
    """
        Yield ``(item_ea, text)`` for each string referenced from the function
        containing ``ea``, or containing the current cursor address when
        ``ea`` is omitted.

        A reference is kept when its string type is in ``range(0, 7)`` or
        equals 0x2000001 (meaning not shown here). The text comes from the
        analysed binary and is passed through ``str()`` unchanged.
    """
    if ea is None:
        ea = idc.here()
    func_start = idc.GetFunctionAttr(ea, FUNCATTR_START)
    for item_ea in idautils.FuncItems(func_start):
        for ref in idautils.DataRefsFrom(item_ea):
            kind = idc.GetStringType(ref)
            # The membership test also filters out None (no string defined).
            if kind in range(0, 7) or kind == 0x2000001:
                yield (item_ea, str(idc.GetString(ref, -1, kind)))
コード例 #14
def get_string(ea):
    """Return the non-empty string at the given ea.

    Relies on IDA's own string APIs without extra logic. Raises
    ``exceptions.SarkNoString`` when the item has no string type or the read
    yields nothing.
    """
    # `GetStringType` only works on the head of an item, so resolve it first.
    # The content itself is still read from `ea`, not from the head.
    kind = idc.GetStringType(idaapi.get_item_head(ea))
    text = None if kind is None else idc.GetString(ea, strtype=kind)

    # An untyped item and an empty read are reported the same way.
    if not text:
        raise exceptions.SarkNoString("No string at 0x{:08X}".format(ea))

    return text
コード例 #15
ファイル: x86_audit.py プロジェクト: wlingze/ida_x86_Audit
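def format_string(call_addr, format_name, index):
    """Describe the format argument of a printf-style call for the audit report.

    ``format_name`` is the symbol name of the format argument. If it resolves
    to a C string (string type 0), the report holds the quoted format text,
    followed by the number of conversions and their arguments as produced by
    ``format_args(call_addr, fmt_num, index)``. Otherwise the call is flagged,
    because a format argument that is not a constant string may be a
    format-string vulnerability and needs manual review.

    Returns a one-element list containing the report text.
    """
    string = ''
    # Resolve the format-string symbol to its address.
    format_addr = idc.LocByName(format_name)
    # Check whether that address holds a C string.
    if idc.GetStringType(format_addr) == 0:
        fmt_str = idc.GetString(format_addr).decode()

        # Keep the report on one line: show a newline as the characters `\n`.
        string = "'%s'" % fmt_str.replace('\n', '\\n')

        # Count the conversions that consume an argument. `%%` is an escaped
        # percent sign and takes none, so it is removed before counting.
        # NOTE(review): a `*` width or precision also consumes an argument
        # and is not counted here.
        fmt_num = fmt_str.replace('%%', '').count('%')
        if fmt_num > 0:
            string += ", %d" % fmt_num
            string += "%s" % format_args(call_addr, fmt_num, index)

    # Not a constant string: possible format-string vulnerability.
    else:
        string += "null! A dangerous address, may have a format string vulnerability"
    return [string]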
コード例 #16
ファイル: aqualung.py プロジェクト: daeken/daebrain
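    def LDR(self, mnem, ops):
        """Translate an LDR instruction into a ``dest = value;`` statement.

        ``ops[0]`` is the destination operand and ``ops[1]`` the source. If
        the source symbol (``ops[1]`` without its first character) resolves
        to a C string, the value is that string as a double-quoted literal.
        Otherwise the processed source operand is prefixed with ``*``.

        The value is also stored in ``self.regs`` under the lower-cased
        destination, or under ``'trash'`` when that name is not a key of
        ``self.regs``. ``mnem`` is not used.
        """
        out = self.processOp(ops[0], out=True)
        outlower = out.lower()
        if outlower not in self.regs:
            outlower = 'trash'

        right = self.processOp(ops[1], noRef=True)

        addr = idc.LocByName(ops[1][1:])
        str_type = idc.GetStringType(addr)
        if str_type == 0:
            right = self.ida.getString(addr)
            # repr() replaces the backtick form, which Python 3 rejects as a
            # syntax error; on Python 2 the two are the same operation.
            # NOTE(review): text containing a double quote makes repr() use
            # single quotes, so the [2:-1] slice no longer lines up. The text
            # comes from the analysed binary, so that case can occur.
            # The 1-tuple marks the value as a literal for the check below.
            right = ('"%s"' % repr("'" + right)[2:-1], )

        if right.__class__ == tuple:
            # Literal: unwrap it and add no dereference.
            right = right[0]
        else:
            right = '*' + right

        self.regs[outlower] = right

        return '%s = %s;' % (out, right)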
コード例 #17
        def visit_expr(self, i):
            """Rename globals that receive the result of GetProcAddress.

            When the call's second argument is a C string and the call result
            is assigned (optionally through a cast) to a global, the global is
            renamed to that string plus a trailing underscore.

            The name is text read from the analysed binary, so it is
            untrusted. NOTE(review): the result of ``idc.MakeName`` is not
            checked - confirm that is acceptable.

            Always returns 0.
            """
            if i.op != idaapi.cot_call:
                return 0

            # Only calls whose target is named GetProcAddress are of interest.
            if idc.Name(i.x.obj_ea) != "GetProcAddress":
                return 0

            # ASCSTR_C == 0: the second argument has to be a C string.
            name_ea = i.a[1].obj_ea
            if idc.GetStringType(name_ea) != 0:
                return 0
            targetName = idc.GetString(name_ea, -1, 0)

            # Step up to the enclosing expression, skipping one cast if present.
            parent = self.cfunc.body.find_parent_of(i)
            if parent.op == idaapi.cot_cast:
                parent = self.cfunc.body.find_parent_of(parent)

            if parent.op == idaapi.cot_asg:
                # The left-hand side (x) of the assignment is the global to name.
                dest_ea = parent.cexpr.x.obj_ea
                idc.MakeName(dest_ea, targetName + "_")

            return 0
コード例 #18
ファイル: snippet.py プロジェクト: szabo92/gistable
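def enum_string_refs_in_function(fva):
    '''
    yield the string references in the given function.

    Args:
      fva (int): the starting address of a function

    Yields:
      tuple[int, int, str]: tuples of metadata, including:
       - the address of the instruction referencing a string
       - the address of the string
       - the string

    The string text is read from the analysed binary; treat it as untrusted.
    '''
    for ea in enum_function_addrs(fva):
        for ref in idautils.DataRefsFrom(ea):
            stype = idc.GetStringType(ref)
            # GetStringType returns None when no string is defined. Ordering
            # None against an int only works on Python 2 and raises TypeError
            # on Python 3, so None is skipped explicitly first.
            if stype is None or stype < 0 or stype > 7:
                continue

            CALC_MAX_LEN = -1  # let IDA work out the string length itself
            s = str(idc.GetString(ref, CALC_MAX_LEN, stype))

            yield ea, ref, s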
コード例 #19
ファイル: data.py プロジェクト: hakril/midap
 def type(self):  # TODO: export idc enum ?
     """Return the raw string-type code IDA reports for ``self.addr``.

     The value is passed through from ``idc.GetStringType`` unchanged.
     """
     string_type = idc.GetStringType(self.addr)
     return string_type
コード例 #20
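 def get_string_type(self, addr):
     """Return the string at ``addr``, read with the type IDA reports for it.

     Despite its name, this returns the string text, not the type code.
     Raises ``StringException`` when no string type is defined at ``addr``
     or the code falls outside ``self.string_types``.
     """
     type_s = idc.GetStringType(addr)
     # GetStringType returns None when no string is defined. Ordering None
     # against an int only works on Python 2 and raises TypeError on
     # Python 3, so None is rejected explicitly first.
     if type_s is None or type_s < 0 or type_s >= len(self.string_types):
         raise StringException()
     # NOTE(review): str() turns a failed read (None) into the text 'None'.
     return str(idc.GetString(addr, -1, type_s))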
コード例 #21
 def getString(self, ea):
     """Read the string at ``ea`` using the type IDA reports for that address.

     The type is passed straight to ``idc.GetString``; nothing here treats
     Unicode strings differently or checks for a missing type.
     """
     return idc.GetString(ea, strtype=idc.GetStringType(ea))