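def __process_exports(self):
    """Collect the program's entry points (exports) as plain dicts.

    Each entry is described by its ordinal, its RVA relative to
    ``self._base``, its name, and a coarse kind derived from the flags at
    the entry address: ``'function'`` if the address starts a function,
    ``'data'`` if it holds data, ``'unknown'`` otherwise.

    :return: list of ``{'ordinal', 'rva', 'name', 'type'}`` dicts, one per
        entry point, in entry-table order.
    """
    exports = []
    for index in range(ida_entry.get_entry_qty()):
        ordinal = ida_entry.get_entry_ordinal(index)
        ea = ida_entry.get_entry(ordinal)
        flags = ida_bytes.get_full_flags(ea)
        # Named 'kind' locally: the previous 'type' shadowed the builtin.
        if ida_bytes.is_func(flags):
            kind = 'function'
        elif ida_bytes.is_data(flags):
            kind = 'data'
        else:
            kind = 'unknown'
        exports.append({
            'ordinal': ordinal,
            'rva': ea - self._base,
            # Export names are read from the analysed binary and are therefore
            # attacker-controlled text; consumers should treat them as untrusted.
            'name': ida_entry.get_entry_name(ordinal),
            'type': kind,
        })
    return exports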
def iter_exports():
    """
    Iterate API exports.

    Walks the entry table by index, resolving each index to its ordinal and
    then to the entry address and name.

    :yield: (ea, name)
    """
    entry_count = ida_entry.get_entry_qty()
    ordinals = (ida_entry.get_entry_ordinal(idx) for idx in range(entry_count))
    for ordinal in ordinals:
        ea = ida_entry.get_entry(ordinal)
        yield ea, ida_entry.get_entry_name(ordinal)
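def Entries():
    """
    Returns a list of entry points

    This is a generator despite the wording above: it yields one tuple per
    entry-table slot, in table order, so callers needing a real list must
    wrap it in ``list(...)``.

    @return: List of tuples (index, ordinal, ea, name)
    """
    # range() instead of xrange(): xrange is a NameError on Python 3, while
    # range() behaves the same on both Python 2 and 3 here.
    n = ida_entry.get_entry_qty()
    for i in range(n):
        ordinal = ida_entry.get_entry_ordinal(i)
        ea = ida_entry.get_entry(ordinal)
        name = ida_entry.get_entry_name(ordinal)
        yield (i, ordinal, ea, name)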
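def do_the_magic():
    """Run the EFI structure-recovery pipeline and print a protocol summary.

    Steps, in order: load the known-GUID databases, seed structure types at
    every entry point, then run two identical propagation passes (xrefs ->
    protocol search -> local variables) so that types discovered in the
    first pass feed the second.  Finally prints every protocol found and the
    elapsed time.
    """
    start_time = time.time()

    # Turn any known GUIDs found into GUID structures
    print("Updating GUIDs...")
    guids_dir = os.path.join(EfiTools.base_dir, "guids")
    tools.update_guids(os.path.join(guids_dir, "db.ini"))
    tools.update_guids(os.path.join(guids_dir, "custom.ini"))

    # Seed types from the registers at each entry point (the x64 UEFI entry
    # convention passes the system table in RDX).
    for idx in range(get_entry_qty()):
        entry = get_entry(get_entry_ordinal(idx))
        print("Performing initial structure updates starting at entry point ({:#x})..."
              .format(entry))
        tools.update_structs_from_regs(entry, rdx=Structure("EFI_SYSTEM_TABLE"))

    # Two passes: the second one picks up types that only become visible
    # after the first pass has been applied.
    protocols = []
    for _ in range(2):
        print("Updating structures from xrefs...")
        tools.update_structs_from_xrefs()
        print("Searching for EFI protocols...")
        protocols = tools.update_protocols()
        print("Updating structures from lvars...")
        tools.update_structs_from_lvars(protocols)

    for protocol in protocols:
        print(protocol.name)
        print(" GUID : %s" % protocol.guid.as_uuid())
        print(" Interface : %s" % protocol.interface)
        print(" Introduced at : 0x%X" % protocol.introduced_at)
        # __class__.__name__ is the bare class name; the previous
        # str(cls).split(".")[-1] left a trailing "'>" in the output for
        # new-style classes.
        print(" Class : %s" % protocol.__class__.__name__)

    print("Finished in %f seconds" % (time.time() - start_time))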
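def main():
    """Batch-decompile every entry point into a .c file next to the IDB.

    Waits for auto-analysis, initialises Hex-Rays via ``init_hexrays()``,
    then writes the decompilation of each entry point (``decompile_func``)
    to ``<idb path without extension>.c``.  When IDA runs in batch mode the
    process exits afterwards.
    """
    import os

    print("Waiting for autoanalysis...")
    ida_auto.auto_wait()
    if init_hexrays():
        eqty = ida_entry.get_entry_qty()
        if eqty:
            idbpath = idc.get_idb_path()
            # splitext instead of idbpath[:-4]: same result for .idb/.i64 and
            # does not corrupt paths whose extension is not four characters.
            cpath = os.path.splitext(idbpath)[0] + ".c"
            with open(cpath, "w") as outfile:
                print("writing results to '%s'..." % cpath)
                for i in range(eqty):
                    ea = ida_entry.get_entry(ida_entry.get_entry_ordinal(i))
                    decompile_func(ea, outfile)
        else:
            print("No known entrypoint. Cannot decompile.")
    if ida_kernwin.cvar.batch:
        print("All done, exiting.")
        ida_pro.qexit(0)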
import ida_idp
import ida_entry

# NOTE(review): ida_auto, ida_ida, ida_loader and ida_hexrays are used below
# but their imports are not part of this excerpt — presumably imported earlier.
ida_auto.auto_wait()

# Hex-Rays plugin names per processor family: (32-bit plugin, 64-bit plugin).
ALL_DECOMPILERS = {
    ida_idp.PLFM_386: ("hexrays", "hexx64"),
    ida_idp.PLFM_ARM: ("hexarm", "hexarm64"),
    ida_idp.PLFM_PPC: ("hexppc", "hexppc64"),
    ida_idp.PLFM_MIPS: ("hexmips", "hexmips64"),
}

pair = ALL_DECOMPILERS.get(ida_idp.ph.id, None)
if not pair:
    print("No known decompilers for architecture with ID: %d" % ida_idp.ph.id)
else:
    decompiler = pair[1] if ida_ida.cvar.inf.is_64bit() else pair[0]
    ready = ida_loader.load_plugin(decompiler) and ida_hexrays.init_hexrays_plugin()
    if not ready:
        print("Couldn't load or initialize decompiler: \"%s\"" % decompiler)
    else:
        eqty = ida_entry.get_entry_qty()
        if not eqty:
            print("No known entrypoint. Cannot decompile.")
        else:
            # Only the first entry (index 0, resolved to its ordinal) is decompiled.
            ea = ida_entry.get_entry(ida_entry.get_entry_ordinal(0))
            print("Decompiling at: %X" % ea)
            cf = ida_hexrays.decompile(ea)
            print(cf if cf else "Decompilation failed")
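def get_binary_with_functions():
    """Describe the currently loaded binary and collect its functions.

    Builds a dict of binary-level metadata (path, hash, image base, entry
    points, architecture/endianness/bitness, compiler, strings, imports,
    exports, segments) and pairs it with the function list returned by
    ``get_functions()``.

    Every name or string collected here (input path aside) is read out of the
    analysed binary and is therefore attacker-controlled data: consumers that
    store or render it should validate/escape it like any other untrusted input.

    :return: ``(binary, functions)`` where ``binary`` is the metadata dict and
        ``binary['functions_count']`` equals ``len(functions)``.
    """
    binary = {}
    binary['name'] = get_input_file_path()
    binary['sha256'] = get_bin_hash()
    binary['base'] = get_imagebase()
    # get_entry() takes an *ordinal*, not a table index; the previous
    # get_entry(i) looked up indices as ordinals, which only coincide by
    # accident (otherwise the result is presumably BADADDR — confirm).
    binary['entry_points'] = [get_entry(get_entry_ordinal(i))
                              for i in range(get_entry_qty())]

    info = get_inf_structure()
    endian = "be" if info.is_be() else "le"
    # 64-bit wins when both predicates hold, as in the original ordering.
    bits = "b64" if info.is_64bit() else "b32"
    binary['architecture'] = get_processor()
    binary['endian'] = endian
    binary['bits'] = bits
    binary['disassembler'] = 'ida'
    binary['compiler'] = get_compiler_name(info.cc.id)

    strs = Strings()
    strs.setup(strtypes=list(range(11)))
    binary['strings'] = {st.ea: str(st) for st in strs if st.length > 1}
    binary['data'] = {}

    import_modules = set()
    import_functions = {}
    for i in range(get_import_module_qty()):
        name = get_import_module_name(i)
        if not name:
            print("Failed to get import module name for #%d" % i)
            continue
        name = name.lower()

        def imp_cb(ea, f_name, imp_ordinal, module=name):
            # Invoked synchronously by enum_import_names for each import of
            # module #i; `module` is bound at definition time so the callback
            # does not depend on late binding of the loop variable.
            if f_name and ea:
                if f_name.startswith("__imp_"):
                    f_name = f_name[len("__imp_"):]
                f_name = str(f_name).strip()
                import_functions[ea] = (module, f_name, str(imp_ordinal))
            return True

        import_modules.add(name.strip())
        enum_import_names(i, imp_cb)

    binary['import_modules'] = list(import_modules)
    binary['import_functions'] = import_functions
    binary['export_functions'] = get_exports()
    binary['disassembled_at'] = now_str()
    binary['seg'] = {seg_ea: idc.get_segm_name(seg_ea) for seg_ea in Segments()}

    functions = get_functions()
    binary['functions_count'] = len(functions)
    return binary, functions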
import ida_loader
import ida_hexrays
import ida_idp
import ida_entry

# NOTE(review): ida_auto and ida_ida are used below but not imported in this
# excerpt — presumably imported earlier in the file.
ida_auto.auto_wait()

# Hex-Rays plugin names keyed by processor id; index 0 = 32-bit, 1 = 64-bit.
ALL_DECOMPILERS = {
    ida_idp.PLFM_386: ("hexrays", "hexx64"),
    ida_idp.PLFM_ARM: ("hexarm", "hexarm64"),
    ida_idp.PLFM_PPC: ("hexppc", "hexppc64"),
}

pair = ALL_DECOMPILERS.get(ida_idp.ph.id, None)
if pair is None:
    print("No known decompilers for architecture with ID: %d" % ida_idp.ph.id)
else:
    bitness_index = 1 if ida_ida.cvar.inf.is_64bit() else 0
    decompiler = pair[bitness_index]
    loaded = ida_loader.load_plugin(decompiler)
    if not (loaded and ida_hexrays.init_hexrays_plugin()):
        print("Couldn't load or initialize decompiler: \"%s\"" % decompiler)
    else:
        eqty = ida_entry.get_entry_qty()
        if not eqty:
            print("No known entrypoint. Cannot decompile.")
        else:
            # Only the first entry (index 0, resolved to its ordinal) is decompiled.
            ea = ida_entry.get_entry(ida_entry.get_entry_ordinal(0))
            print("Decompiling at: %X" % ea)
            cf = ida_hexrays.decompile(ea)
            if not cf:
                print("Decompilation failed")
            else:
                print(cf)