def GetDyn(): phoff = idc.get_wide_dword(ida_ida.inf_get_min_ea() + 0x1c) + ida_ida.inf_get_min_ea() phnum = idc.get_wide_word(ida_ida.inf_get_min_ea() + 0x2c) phentsize = idc.get_wide_word(ida_ida.inf_get_min_ea() + 0x2a) for i in range(phnum): p_type = idc.get_wide_dword(phoff + phentsize * i) if p_type == 2: # PY_DYNAMIC dyn_addr = idc.get_wide_dword(phoff + phentsize * i + 8) return dyn_addr
def init_nearest_names(): debugNamesList = ida_name.get_debug_names(ida_ida.inf_get_min_ea(), ida_ida.inf_get_max_ea()) #NearestName definition: <ida_dir>\python\3\ida_name.py, line: 1351 #if your idapython NearestName is unavailable, comment this code return idaapi.NearestName(debugNamesList)
def __init__(self): self.storage = {} self.bt_obj = Utils.get_bitness(ida_ida.inf_get_min_ea()) # self.bt_obj = Utils.get_bitness(idc.BeginEA()) 7.2 self.structCreator = Utils.StructCreator(self.bt_obj) self.processor = None self.typer = None
def __init__(self): self.storage = {} self.bt_obj = Utils.get_bitness(ida_ida.inf_get_min_ea()) self.structCreator = Utils.StructCreator(self.bt_obj) self.processor = None self.typer = None self.is116 = False
def get_all_byte_chunks() -> Iterable[Tuple[int, int]]: """ Iterates all chunks of defined bytes in the sample. """ start = ida_ida.inf_get_min_ea() end = ida_ida.inf_get_max_ea() yield from get_byte_chunks(start, end - start)
def run(self, arg): arch = idc.get_wide_word(ida_ida.inf_get_min_ea() + 0x12) if arch == 0x3E: # EM_X86_64 PltResolver64() elif arch == 0x3: # EM_386 PltResolver32() else: print('[-] Only support EM_X86_64 and EM_386') return 1
def activate(self, ctx): print(ctx) arch = idc.get_wide_word(ida_ida.inf_get_min_ea() + 0x12) if arch == 0x3E: # EM_X86_64 PltResolver64(self.debug_mode) elif arch == 0x3: # EM_386 PltResolver32(self.debug_mode) else: print('[-] Only support EM_X86_64 and EM_386') return 1
def main(): if not ida_dbg.is_debugger_on(): print("Please run the process first!") return if ida_dbg.get_process_state() != -1: print("Please suspend the debugger first!") return dn = ida_name.get_debug_names(ida_ida.inf_get_min_ea(), ida_ida.inf_get_max_ea()) for i in dn: print("%08x: %s" % (i, dn[i]))
def find_wdf_callback_through_immediate(mnemonic, operand, val): for i in range(10): addr, operand_ = ida_search.find_imm(ida_ida.inf_get_min_ea(), idc.SEARCH_DOWN | idc.SEARCH_NEXT, val) if addr != idc.BADADDR: #print hex(addr), idc.GetDisasm(addr), "Operand ", operand_ if operand_ == operand and idc.print_insn_mnem(addr) == mnemonic: return addr else: break return None
def dbg_trace(self, tid, ea): # Log all traced addresses if ea < ida_ida.inf_get_min_ea() or ea > ida_ida.inf_get_max_ea(): raise Exception( "Received a trace callback for an address outside this database!" ) self._log("trace %08X" % ea) self.traces += 1 insn = ida_ua.insn_t() insnlen = ida_ua.decode_insn(insn, ea) # log disassembly and ESP for call instructions if insnlen > 0 and insn.itype in [NN_callni, NN_call, NN_callfi]: self._log("call insn: %s" % generate_disasm_line( ea, GENDSM_FORCE_CODE | GENDSM_REMOVE_TAGS)) self._log("ESP=%08X" % ida_dbg.get_reg_val("ESP")) return 1
def apply_iat(self, iat): min_ea = ida_ida.inf_get_min_ea() max_ea = ida_ida.inf_get_max_ea() image_base = ida_nalt.get_imagebase() idaapi.msg(f"{hex(min_ea)} - {hex(max_ea)} - {hex(image_base)} \n") for i in range(min_ea, max_ea): mnemonic = idc.print_insn_mnem(i) if mnemonic == "call" and str(idc.print_operand( i, 0)).startswith("dword"): try: idc.set_name( idc.get_operand_value(i, 0), iat[hex(idc.get_operand_value(i, 0))] + str(random.randint(0, 1000)) ) # I added random.randint() because some functions already in the IAT are dynamically resolved again, so renaming them causes a conflict, if you want remove it. (Sample causing the problem: https://bazaar.abuse.ch/sample/49fd52a3f3d1d46dc065217e588d1d29fba4d978cd8fdb2887fd603320540f71/) open("resolved_iat.txt", "a").write(f"{hex(idc.get_operand_value(i, 0))}\n") except: open("unresolved_iat.txt", "a").write(f"{hex(idc.get_operand_value(i, 0))}\n")
def add_rodata_segment(self): last_seg_end = idc.get_first_seg() # print(hex(last_seg_end)) for s in idautils.Segments(): start = idc.get_segm_start(s) end = idc.get_segm_end(s) if int(start) != int(last_seg_end): # found idaapi.add_segm(0, last_seg_end, start, "roooodata", "CONST") print("Adding segment from 0x%x to 0x%x" % (last_seg_end, start)) print("OK") break else: last_seg_end = end idc.plan_and_wait(ida_ida.inf_get_min_ea(), ida_ida.inf_get_max_ea()) # idc.plan_and_wait(idc.MinEA(), idc.MaxEA()) self.start = last_seg_end self.end = start return last_seg_end, start
import ida_ida import ida_idaapi import ida_problems for ptype in [ ida_problems.PR_NOBASE, ida_problems.PR_NONAME, ida_problems.PR_NOFOP, ida_problems.PR_NOCMT, ida_problems.PR_NOXREFS, ida_problems.PR_JUMP, ida_problems.PR_DISASM, ida_problems.PR_HEAD, ida_problems.PR_ILLADDR, ida_problems.PR_MANYLINES, ida_problems.PR_BADSTACK, ida_problems.PR_ATTN, ida_problems.PR_FINAL, ida_problems.PR_ROLLED, ida_problems.PR_COLLISION, ida_problems.PR_DECIMP, ]: plistdesc = ida_problems.get_problem_name(ptype) ea = ida_ida.inf_get_min_ea() while True: ea = ida_problems.get_problem(ptype, ea + 1) if ea == ida_idaapi.BADADDR: break print("0x%08x: %s" % (ea, plistdesc))
def find_a(): ea = ida_ida.inf_get_min_ea() while ea < max_addr: ea = idc.FindUnexplored(ea, idc.SEARCH_DOWN) ida_funcs.add_func(ea)
def make_udefind_func(self): ea = ida_ida.inf_get_min_ea() max_addr = ida_ida.inf_get_max_ea() while ea < max_addr: ea = idaapi.find_not_func(ea, idc.SEARCH_DOWN) ida_funcs.add_func(ea)
Run like so: ida -A "-S...path/to/produce_lst_file.py" <binary-file> where: -A instructs IDA to run in non-interactive mode -S holds a path to the script to run (note this is a single token; there is no space between '-S' and its path.) """ import ida_auto import ida_fpro import ida_ida import ida_loader import ida_pro # derive output file name idb_path = ida_loader.get_path(ida_loader.PATH_TYPE_IDB) lst_path = "%s.lst" % idb_path ida_auto.auto_wait() # wait for end of auto-analysis fptr = ida_fpro.qfile_t() # FILE * wrapper if fptr.open(lst_path, "wt"): try: ida_loader.gen_file( # generate .lst file ida_loader.OFILE_LST, fptr.get_fp(), ida_ida.inf_get_min_ea(), ida_ida.inf_get_max_ea(), 0) finally: fptr.close() ida_pro.qexit(0)
def find_b(): ea = ida_ida.inf_get_min_ea() while ea < max_addr: ea = idaapi.find_not_func(ea, idc.SEARCH_DOWN) ida_funcs.add_func(ea)