def __process_exports(self): exports = list() for i in range(0, ida_entry.get_entry_qty()): ordinal = ida_entry.get_entry_ordinal(i) ea = ida_entry.get_entry(ordinal) flags = ida_bytes.get_full_flags(ea) type = 'unknown' if ida_bytes.is_func(flags): type = 'function' elif ida_bytes.is_data(flags): type = 'data' export = { 'ordinal': ordinal, 'rva': ea - self._base, 'name': ida_entry.get_entry_name(ordinal), 'type': type } exports.append(export) return exports
def get_conflict(self): """ :return: None if there's no conflict, empty string if there's no change, data if there's a change. """ # TODO: Fill docstring, plus, make the function return 0,1,2 and save the current data by itself. code_address = self._has_code() if code_address: return 'Code: 0x%x' % code_address num_of_elements = self._get_num_of_elements() data_undefined = True for i in xrange(self.data): ea_flags = ida_bytes.get_full_flags(self.address + i) if ea_flags & 0x400: # Data defined data_undefined = False if data_undefined: return None # No conflict # Iterate over all local data, and check if there's any conflict with the type conflict = '' for i in xrange(num_of_elements): current_address = self.address + ( i * self.TYPE_TO_SIZE[self.data_type]) current_address = ida_bytes.get_item_head(current_address) ea_flags = ida_bytes.get_full_flags(current_address) if not ida_bytes.is_data(ea_flags): conflict += 'unknown at 0x%x\n' % current_address continue current_data_type = ea_flags & ida_bytes.DT_TYPE if self.data_type != current_data_type: # Different data conflict += '%s at 0x%x\n' % ( self.TYPE_TO_NAME[current_data_type], current_address) if conflict: return conflict # TODO: Deal with the case it's just multiple type definitions in the area? return '' # No difference
def dump(): ret = [] for addr, name in idautils.Names(): flags = ida_bytes.get_flags(addr) if ida_bytes.has_dummy_name(flags) or ida_bytes.has_auto_name( flags) or not ida_bytes.is_data(flags): print('skip auto:', name) continue # Sometimes the auto-generated names don't actually usually have the # right flags set, so skip these auto-looking names. if any( name.startswith(s) for s in ['byte_', 'word_', 'dword_', 'unk_', 'jpt_']): continue # print('%08x' % addr, '%08x' % flags, name, # ida_bytes.is_data(flags)) sz = ida_bytes.get_item_size(addr) if ida_bytes.is_struct(flags): ti = ida_nalt.opinfo_t() ida_bytes.get_opinfo(ti, addr, 0, flags) # itemsize = ida_bytes.get_data_elsize(addr, flags, ti) typ = ida_struct.get_struc_name(ti.tid) else: # itemsize = ida_bytes.get_item_size(addr) typ = None ret.append({ 'address': addr, 'name': name, 'type': typ, 'sz': sz, 'flags': flags, }) return ret
def get_conflict(self): """ :return: None if there's no conflict, empty string if there's no change, data if there's a change. """ # TODO: Fill docstring, plus, make the function return 0,1,2 and save the current data by itself. conflicts = "" conflict_flag = False for i in xrange(self.data): current_address = self.address + i head_address = ida_bytes.get_item_head(current_address) if ida_bytes.is_code(ida_bytes.get_full_flags(head_address)): conflict_flag = True ea_flags = ida_bytes.get_full_flags(head_address) if not ida_bytes.is_data(ea_flags): continue conflict_flag = True conflicts += '%s at 0x%x\n' % ( self.TYPE_TO_NAME[ea_flags & ida_bytes.DT_TYPE], head_address) if conflict_flag: return conflicts return None
def is_data_start(ea): flags = ida_bytes.get_full_flags(ea) data = ida_bytes.is_data(flags) head = ida_bytes.is_head(flags) return data and head
def dump(): ret = [] for addr, name in idautils.Names(): flags = ida_bytes.get_flags(addr) # The 'a' heuristic is fairly bad but we need to filter out IDA's default # naming for strings if ida_bytes.has_dummy_name(flags) or ida_bytes.has_auto_name(flags) or not ida_bytes.is_data(flags) or name[0] == 'a': continue # Sometimes the auto-generated names don't actually usually have the # right flags set, so skip these auto-looking names. if any(name.startswith(s) for s in ['byte_', 'word_', 'dword_', 'unk_', 'jpt_']): continue sz = ida_bytes.get_item_size(addr) if ida_bytes.is_struct(flags): ti = ida_nalt.opinfo_t() ida_bytes.get_opinfo(ti, addr, 0, flags) typ = ida_struct.get_struc_name(ti.tid) else: typ = None ret.append(filter_none({ 'address': addr, 'name': name, 'type': typ, 'sz': sz, 'flags': flags, })) return ret
def dump_heads(out): # out is a file like object, sys.stdout or an acual file object # There doesn't seem to a good way to determine what function a # particular address is in. Almost everyone recommends iterating # of the functions, and then getting the bytes out of each, but # that's not really what we want because it skips non function # bytes and reports them in the wrong order. It appears that the # best we can do is to build a map in advance. :-( a2fmap = build_a2fmap() min_ea = idaapi.cvar.inf.minEA max_ea = idaapi.cvar.inf.maxEA ea = min_ea while ea != ida_idaapi.BADADDR: ida_auto.show_addr(ea) isize = ida_bytes.get_item_size(ea) ibytes = ida_bytes.get_bytes(ea, isize) ihexbytes = binascii.b2a_hex(ibytes).upper() iflags = ida_bytes.get_flags(ea) # Skip the PE header? if not ida_bytes.is_head(iflags): ea = ida_bytes.next_head(ea, max_ea) continue # Loop up this address in the address-to-function map. if ea in a2fmap: faddrs = a2fmap[ea] else: faddrs = [ea] tcode = "ERROR" imnem = "???" iops = "???" if ida_bytes.is_code(iflags): tcode = "INSN" imnem = "???" iops = "???" insn = idautils.DecodeInstruction(ea) if insn == None: imnem = "BAD" iops = "" elif not insn.is_canon_insn(): imnem = "NCAN" iops = "" else: imnem = insn.get_canon_mnem() sops = [] for n in range(8): ostr = ida_ua.print_operand(ea, n) if ostr is not None: ostrnt = ida_lines.tag_remove(ostr) if ostrnt != '': sops.append(ostrnt) iops = ', '.join(sops) elif ida_bytes.is_data(iflags): tcode = "DATA" imnem = "db" iops = "???" if ida_bytes.is_align(iflags): tcode += "_ALIGN" #elif ida_bytes.is_struct(iflags): # tcode += "_STRUCT" #elif ida_bytes.is_char(iflags): # tcode += "_STR" # There are other types that IDA recognizes. elif ida_bytes.is_unknown(iflags): tcode = "UNK-%08X" % iflags imnem = "???" iops = "???" for faddr in sorted(faddrs): out.write('"PART",0x%08X,"%s",0x%08X,"%s","%s","%s"\n' % (ea, tcode, faddr, ihexbytes, imnem, iops)) ea = ida_bytes.next_head(ea, max_ea) print "Analysis complete!"