def __init__(self):
idc.Til2Idb(-1, "EFI_GUID")
idc.Til2Idb(-1, "EFI_SYSTEM_TABLE")
idc.Til2Idb(-1, "EFI_RUNTIME_SERVICES")
idc.Til2Idb(-1, "EFI_BOOT_SERVICES")
self.gBServices = {}
self.gBServices["InstallProtocolInterface"] = []
self.gBServices["ReinstallProtocolInterface"] = []
self.gBServices["UninstallProtocolInterface"] = []
self.gBServices["HandleProtocol"] = []
self.gBServices["RegisterProtocolNotify"] = []
self.gBServices["OpenProtocol"] = []
self.gBServices["CloseProtocol"] = []
self.gBServices["OpenProtocolInformation"] = []
self.gBServices["ProtocolsPerHandle"] = []
self.gBServices["LocateHandleBuffer"] = []
self.gBServices["LocateProtocol"] = []
self.gBServices["InstallMultipleProtocolInterfaces"] = []
self.gBServices["UninstallMultipleProtocolInterfaces"] = []
self.Protocols = {}
self.Protocols["AmiGuids"] = ami_guids.ami_guids
self.Protocols["EdkGuids"] = edk_guids.edk_guids
self.Protocols["Edk2Guids"] = edk2_guids.edk2_guids
self.Protocols["All"] = [
# {
# address: ...
# service: ...
# guid: ...
# },
# ...
]
self.Protocols["PropGuids"] = []
self.Protocols["Data"] = []
def __init__(self):
header = utils.get_header_idb()
if not len(header):
header = utils.get_header_file()
self.arch = utils.get_machine_type(header)
self.subsystem = utils.check_subsystem(header)
self.valid = True
if not self.subsystem:
print("[ERROR] Wrong subsystem")
self.valid = False
if not (self.arch == "x86" or self.arch == "x64"):
print("[ERROR] Wrong architecture")
self.valid = False
if self.arch == "x86":
self.BOOT_SERVICES_OFFSET = BOOT_SERVICES_OFFSET_x86
if self.arch == "x64":
self.BOOT_SERVICES_OFFSET = BOOT_SERVICES_OFFSET_x64
self.base = idaapi.get_imagebase()
idc.Til2Idb(-1, "EFI_GUID")
idc.Til2Idb(-1, "EFI_SYSTEM_TABLE")
idc.Til2Idb(-1, "EFI_RUNTIME_SERVICES")
idc.Til2Idb(-1, "EFI_BOOT_SERVICES")
self.gBServices = {}
self.gBServices["InstallProtocolInterface"] = []
self.gBServices["ReinstallProtocolInterface"] = []
self.gBServices["UninstallProtocolInterface"] = []
self.gBServices["HandleProtocol"] = []
self.gBServices["RegisterProtocolNotify"] = []
self.gBServices["OpenProtocol"] = []
self.gBServices["CloseProtocol"] = []
self.gBServices["OpenProtocolInformation"] = []
self.gBServices["ProtocolsPerHandle"] = []
self.gBServices["LocateHandleBuffer"] = []
self.gBServices["LocateProtocol"] = []
self.gBServices["InstallMultipleProtocolInterfaces"] = []
self.gBServices["UninstallMultipleProtocolInterfaces"] = []
self.Protocols = {}
self.Protocols["AmiGuids"] = ami_guids.ami_guids
self.Protocols["EdkGuids"] = edk_guids.edk_guids
self.Protocols["Edk2Guids"] = edk2_guids.edk2_guids
self.Protocols["All"] = [
# {
# address: ...
# service: ...
# guid: ...
# protocol_name: ...
# protocol_place: ...
# },
# ...
]
self.Protocols["PropGuids"] = []
self.Protocols["Data"] = []
def _find_or_create_struct():
name = "sce_module_info_t"
sid = idc.GetStrucIdByName(name)
if sid != idc.BADADDR:
return sid # already exists
sid = idc.AddStrucEx(-1, name, 0)
idc.AddStrucMember(sid, "modattribute", -1, idc.FF_WORD, -1, 2)
idc.AddStrucMember(sid, "modversion", -1, idc.FF_WORD, -1, 2)
idc.AddStrucMember(sid, "modname", -1, idc.FF_ASCI, -1, 27)
idc.AddStrucMember(sid, "type", -1, idc.FF_BYTE, -1, 1)
idc.AddStrucMember(sid, "gp_value", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "ent_top", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "ent_end", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "stub_top", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "stub_end", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "module_nid", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "field_38", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "field_3C", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "field_40", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "mod_start", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "mod_stop", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "exidx_start", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "exidx_end", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "extab_start", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "extab_end", -1, idc.FF_DWRD, -1, 4)
idc.Til2Idb(-1, name)
return sid
def _find_or_create_struct():
name = "sce_module_imports_t"
sid = idc.GetStrucIdByName(name)
if sid != idc.BADADDR:
return sid # already exists
sid = idc.AddStrucEx(-1, name, 0)
idc.AddStrucMember(sid, "size", -1, idc.FF_WORD, -1, 2)
idc.AddStrucMember(sid, "version", -1, idc.FF_WORD, -1, 2)
idc.AddStrucMember(sid, "flags", -1, idc.FF_WORD, -1, 2)
idc.AddStrucMember(sid, "num_functions", -1, idc.FF_WORD, -1, 2)
idc.AddStrucMember(sid, "num_vars", -1, idc.FF_WORD, -1, 2)
idc.AddStrucMember(sid, "num_tls_vars", -1, idc.FF_WORD, -1, 2)
idc.AddStrucMember(sid, "reserved1", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "lib_nid", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "lib_name", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "reserved2", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "func_nid_table", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "func_entry_table", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "var_nid_table", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "var_entry_table", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "tls_nid_table", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "tls_entry_table", -1, idc.FF_DWRD, -1, 4)
idc.Til2Idb(-1, name)
return sid
def load_kmdf_types_into_idb():
header_path = idautils.GetIdbDir()
# change relative path to use more easily
idaapi.idc_parse_types("".join([header_path, "../Tools/kmdf_re/code/WDFStructsV2.h"]), idc.PT_FILE)
for idx in range(1, idc.GetMaxLocalType()):
print(idx, idc.GetLocalTypeName(idx))
idc.Til2Idb(idx, idc.GetLocalTypeName(idx))
def add_enums(function):
""" Add standard enums from parsed MSDN documentation for all imported
library calls and their arguments.
Arguments:
function -- function object
"""
enum_count = 0
for argument in function.arguments:
# Add standard enums
if not argument.enums:
g_logger.debug(' No standard constants available for %s' %
argument.name)
else:
for enum in argument.enums:
g_logger.debug(' Importing enum %s for argument %s' %
(enum, argument.name))
if idc.Til2Idb(-1, enum) != idaapi.BADADDR:
g_logger.debug(' ' + enum + ' ' + hex(idc.GetEnum(enum)) +
' added successfully')
enum_count = enum_count + 1
else:
g_logger.debug(' Could not add ' + enum)
if not argument.constants:
# No constants for this argument
continue
argument.name = argument.name.encode('utf-8')
function.name = function.name.encode('utf-8')
# Add constant descriptions
for constant in argument.constants:
constant.name = constant.name.encode('utf-8')
if constant.name == 'NULL':
# Create unique name, so we can add descriptive comment to it
constant.name = 'NULL_{}_{}'.format(argument.name,
function.name)
# Add custom enum for NULL values if it does not exist yet
enumid = idc.GetEnum(NULL_ENUM_NAME)
if enumid == idaapi.BADADDR:
enumid = idc.AddEnum(-1, NULL_ENUM_NAME, idaapi.hexflag())
idc.AddConstEx(enumid, constant.name, 0, -1)
constid = idc.GetConstByName(constant.name)
idc.SetConstCmt(constid, format_comment(constant.description),
False)
else:
constid = idc.GetConstByName(constant.name)
if constid:
if idc.SetConstCmt(constid,
format_comment(constant.description),
False):
g_logger.debug(' Description added for %s' %
constant.name)
else:
g_logger.debug(' No description added for %s' %
constant.name)
return enum_count
def load_til(path_to_til):
if not ida_typeinf.load_til(path_to_til, os.path.dirname(path_to_til)):
raise Exception("load_til('%s') has failed" % (path_to_til))
# Fix UINTN to be the actual word size if we can determine it
idc.Til2Idb(-1, "UINTN")
entry = idc.GetEntryPoint(idc.GetEntryOrdinal(0))
if entry != idc.BADADDR:
typedef = "typedef UINT" + str(16 << idc.GetSegmentAttr(entry, idc.SEGATTR_BITNESS)) + " UINTN;"
for i in range(0, idc.GetMaxLocalType()):
if idc.GetLocalTypeName(i) == "UINTN":
idc.SetLocalType(idc.SetLocalType(i, "", 0), typedef, 0)
def subclass(self, sup=None, **kwargs):
tp = self.currentType(self.CHECK_VTBL, **kwargs)
tp = self.checkVtblStruct(tp)
cnm = tp['name']
if not sup:
sup = idc.AskStr('', "Subclass " + cnm + " from:")
if not sup or sup == cnm:
Logger.debug("Subclasssing cancelled")
return
idc.Til2Idb(-1, sup + 'Vtbl')
s = MODS.struct.Struct(sup + 'Vtbl')
Logger.debug("Subclassing class %s from %s", str(tp), sup)
ea = tp['vtblea']
nm = None
funcs = []
while (not nm):
ofs = idc.Qword(ea)
if not ofs or ofs == idc.BADADDR:
break
try:
func = FuncDescr.fromEA(ofs)
except FuncDescr.NotFunctionError as e:
func = None
if not kwargs.get('force'):
raise
funcs += [func]
ea += 8
nm = idc.Name(ea)
flds = s.fields()
if len(funcs) != len(flds) and (not kwargs.get('force')):
raise self.WrongTypeError("Functions count doesn't match", s.name)
for i, fofs in enumerate(sorted(flds.keys())):
fld = flds[fofs]
f = funcs[i]
if f is None:
continue
refcnt = len(MODS.util.refsFromSeg(f.ea, ".rdata"))
if self.untouchedFunc(f.name):
nm = cnm if refcnt == 1 else sup
was = str(f)
f.clearType()
f.parseType(fld['type'][0])
f.name = nm + "::" + fld['name']
ni = 1
while idaapi.get_name_ea(idc.BADADDR, f.name) != idc.BADADDR:
ni += 1
f.name = nm + "::" + fld['name'] + "_" + str(ni)
f.changeParam(0, 'this', nm + '*')
f.update(True)
Logger.debug("Converted func %s to type %s", was, str(f))
self.update()
def create_vtable_struct(class_name, functions):
struct_name = 'vtable_' + class_name
sid = idc.GetStrucIdByName(struct_name)
if sid != BADADDR:
print("vtable already exists for " + class_name)
return 0
sid = idc.AddStrucEx(-1, struct_name, 0)
idc.Til2Idb(-1, struct_name)
offset = 0
for fn in functions:
func_name = fn[0]
func_name = func_name.replace('~', 'destr_')
func_type = fn[1]
idc.AddStrucMember(sid, func_name, -1, idc.FF_QWRD, -1, 8)
if func_type != '':
if func_type.find("__cdecl(") > -1:
func_type = func_type.replace("__cdecl",
"(__cdecl *%s)" % func_name)
elif func_type.find("__stdcall(") > -1:
func_type = func_type.replace("__stdcall",
"(__stdcall *%s)" % func_name)
elif func_type.find("__fastcall(") > -1:
func_type = func_type.replace("__fastcall",
"(__fastcall *%s)" % func_name)
elif func_type.find("__thiscall(") > -1:
func_type = func_type.replace("__thiscall",
"(__thiscall *%s)" % func_name)
elif func_type.find("__usercall(") > -1:
func_type = func_type.replace("__usercall",
"(__usercall *%s)" % func_name)
elif func_type.find("__userpurge(") > -1:
func_type = func_type.replace("__userpurge",
"(__userpurge *%s)" % func_name)
SetType(GetMemberId(sid, offset), func_type)
# MakeComm(GetMemberId(sid, offset), func_name)
# "__int64 (__fastcall *)(ClassName *this)");
offset += 8
print(fn)
return 1
def _find_or_create_struct():
name = "sce_module_exports_t"
sid = idc.GetStrucIdByName(name)
if sid != idc.BADADDR:
return sid # already exists
sid = idc.AddStrucEx(-1, name, 0)
idc.AddStrucMember(sid, "size", -1, idc.FF_WORD, -1, 2)
idc.AddStrucMember(sid, "lib_version", -1, idc.FF_BYTE, -1, 2)
idc.AddStrucMember(sid, "attribute", -1, idc.FF_WORD, -1, 2)
idc.AddStrucMember(sid, "num_functions", -1, idc.FF_WORD, -1, 2)
idc.AddStrucMember(sid, "num_vars", -1, idc.FF_WORD, -1, 2)
idc.AddStrucMember(sid, "unk", -1, idc.FF_WORD, -1, 2)
idc.AddStrucMember(sid, "num_tls_vars", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "lib_nid", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "lib_name", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "nid_table", -1, idc.FF_DWRD, -1, 4)
idc.AddStrucMember(sid, "entry_table", -1, idc.FF_DWRD, -1, 4)
idc.Til2Idb(-1, name)
return sid
#
# ida_kernelcache/segment.py
# Brandon Azad
#
# Functions for interacting with the segments of the kernelcache in IDA. No prior initialization is
# necessary.
#
import idc
import ida_utilities as idau
import kernel
_log = idau.make_log(0, __name__)
idc.Til2Idb(-1, 'mach_header_64')
idc.Til2Idb(-1, 'load_command')
idc.Til2Idb(-1, 'segment_command_64')
idc.Til2Idb(-1, 'section_64')
_LC_SEGMENT_64 = 0x19
def _macho_segments_and_sections(ea):
"""A generator to iterate through a Mach-O file's segments and sections.
Each iteration yields a tuple:
(segname, segstart, segend, [(sectname, sectstart, sectend), ...])
"""
hdr = idau.read_struct(ea, 'mach_header_64', asobject=True)
nlc = hdr.ncmds
def add_struct_to_idb(name):
idc.Til2Idb(-1, name)
def ImportNativeArgumentsToIDA(filepath):
global ArgumentsReplacement
os.chdir(filepath)
for include_name in glob.glob("*.inc"):
is_valid = False
for i in range(len(SAMPIncludes)):
if (include_name == SAMPIncludes[i]):
is_valid = True
if (is_valid):
include_handle = open(include_name, "r")
for line in include_handle:
if (line.find("native") != -1): # Its a native.
native_name = line[:line.find("(")].split(" ")[1]
native_name = native_name[
native_name.find(":") +
1:] # Hack to remove stuff like Float:
natives.append(native_name)
# Define structure
# VERY hacky. I'm rusty on python...
arguments = line[line.find("("):].replace("(", "").replace(
")",
",)").replace("&",
"").replace("[]",
"").replace("const",
"").split(",")
arguments = arguments[:len(arguments) -
1] # Hack to remove ); \n ending.
struct_id = idc.GetStrucIdByName("Native" + native_name +
"Params")
if struct_id == idc.BADADDR: #No point in going through arguments if struct already exists.
struct_id = idc.AddStrucEx(
-1, "Native" + native_name + "Params", 0)
idc.Til2Idb(-1, "Native" + native_name + "Params")
idc.AddStrucMember(struct_id, "param_count", -1,
idc.FF_DWRD, -1, 4)
print("Created IDA Struct Native" + native_name +
"Params!")
for argument in arguments:
if (argument.find(":") != -1):
argument = argument[
argument.find(":") +
1:] # Another "hack" to remove stuff such as Float:
if (argument.find("=") != -1):
argument = argument[:argument.find(
"="
)] # Yet again, another "hack" to remove default values in natives.
# Add structure arg
idc.AddStrucMember(struct_id,
argument.replace(" ", ""), -1,
idc.FF_DWRD, -1, 4)
else:
print("Did not create native structure for native " +
native_name + " it already exists in your IDB.")
def load_kmdf_types_into_idb():
header_path = idautils.GetIdbDir()
idaapi.idc_parse_types("".join([header_path, "WDFStructs.h"]), idc.PT_FILE)
for idx in range(1, idc.GetMaxLocalType()):
print(idx, idc.GetLocalTypeName(idx))
idc.Til2Idb(idx, idc.GetLocalTypeName(idx))
