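def search_retns(self):
    """Collect PowerPC branch-to-link/branch-to-counter gadget addresses into self.retns.

    Walks every loaded segment, keeps the ones that lie inside one of
    self.modules and are executable (checked by segment permission when a
    suspended debugger can be queried, by segment type otherwise), and
    appends each BLR / BCTR / BCTRL encoding found as an (ea, module_file)
    tuple. Nothing is searched unless self.searchRop is set.
    """
    # Encodings searched, in the order results are appended (one full pass
    # per pattern, so matches stay grouped by instruction as before).
    branch_patterns = (
        ("BLR", "4E 80 00 20"),
        ("BCTR", "4E 80 04 20"),
        ("BCTRL", "4E 80 04 21"),
    )

    # NOTE(review): these progress prints fire when self.debug is *unset*;
    # confirm that is the intended polarity.
    if not self.debug:
        print("found %d modules" % len(self.modules))

    for m in self.modules:
        # Iterate over segments in the module
        # BUG: Iterating over all loaded segments is more stable than looking up by address
        if not self.debug:
            print("found %d segments" % idaapi.get_segm_qty())

        for n in xrange(idaapi.get_segm_qty()):
            seg = idaapi.getnseg(n)

            # Locate executable segments in the selected module
            # NOTE: Each module may have multiple executable segments
            if not (seg and seg.startEA >= m.addr and seg.endEA <= (m.addr + m.size)):
                continue

            # If the debugger is attached then we can check if the segment is
            # executable, else just check if it is code or not.
            if idaapi.dbg_can_query() and idaapi.get_process_state() < 0:
                if seg.perm & idaapi.SEGPERM_EXEC == 0:
                    continue
            elif seg.type & idaapi.SEG_CODE == 0:
                continue

            if not self.searchRop:
                continue

            for _mnemonic, pattern in branch_patterns:
                ea = seg.startEA
                while True:
                    # The search resumes one byte past the previous hit so the
                    # loop always advances; as in the original, this also means
                    # a match at seg.startEA itself is never reported.
                    ea = idaapi.find_binary(ea + 1, seg.endEA, pattern, 16, idaapi.SEARCH_DOWN)
                    if ea == idaapi.BADADDR:
                        break
                    self.retns.append((ea, m.file))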
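def run(self, arg=0):
    """Plugin entry point: open the heap form for a suspended ELF debuggee.

    Parameters:
        arg: plugin argument supplied by IDA; unused.

    Every failure is reported through idaapi.warning() rather than
    propagated, so the plugin never raises into IDA.
    """
    try:
        if "ELF" not in idaapi.get_file_type_name():
            raise Exception("Executable must be ELF format")
        # Memory and registers can only be queried while the process is suspended.
        if not idaapi.is_debugger_on() or not idaapi.dbg_can_query():
            raise Exception("The debugger must be active and suspended before using this plugin")
        f = HeapPluginForm()
        f.Show()
    except Exception as e:
        # str(e) rather than e.message: the attribute exists only in Python 2
        # (deprecated there), so the handler itself would raise under Python 3.
        idaapi.warning("[%s] %s" % (PLUGNAME, str(e)))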
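def main():
    """Build and show an SEH-chain graph covering every thread of the debuggee.

    Requires a suspended debuggee (idaapi.dbg_can_query()); otherwise a
    message is printed and nothing is done. The thread that was selected on
    entry is re-selected before returning.
    """
    if not idaapi.dbg_can_query():
        print("The debugger must be active and suspended before using this script!")
        return

    # Save current thread id so it can be restored after the walk
    current_tid = GetCurrentThreadId()

    # Collect the exception chain of every thread, keyed by thread id
    result = {}
    for tid in idautils.Threads():
        result[tid] = GetExceptionChain(tid)

    # Restore previously selected thread. The loop variable must not reuse
    # the saved name: the original wrote `tid` in both places, so this call
    # re-selected the last iterated thread instead of the original one.
    idc.SelectThread(current_tid)

    # Build the graph
    g = SEHGraph("SEH graph", result)
    g.Show()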
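def main():
    """Build and show an SEH-chain graph covering every thread of the debuggee.

    Requires a suspended debuggee (idaapi.dbg_can_query()); otherwise a
    message is printed and nothing is done. The thread that was selected on
    entry is re-selected before returning.
    """
    if not idaapi.dbg_can_query():
        print("The debugger must be active and suspended before using this script!")
        return

    # Save current thread id so it can be restored after the walk
    current_tid = get_current_thread()

    # Collect the exception chain of every thread, keyed by thread id
    result = {}
    for tid in idautils.Threads():
        result[tid] = GetExceptionChain(tid)

    # Restore previously selected thread. The loop variable must not reuse
    # the saved name: the original wrote `tid` in both places, so this call
    # re-selected the last iterated thread instead of the original one.
    idc.select_thread(current_tid)

    # Build the graph
    g = SEHGraph("SEH graph", result)
    g.Show()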
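# Tail of a register-dump loop whose header lies before this view
# (presumably test_getregs, which is called below): list the bit-string names.
if bit_strings:
    for s in bit_strings:
        print(" %s" % s)


def test_manual_regions():
    """Dump the manually defined memory regions, or report that there are none."""
    L = idaapi.get_manual_regions()
    if not L:
        print("no manual regions!")
    else:
        dump_meminfo(L)


def test_readwrite():
    """Round-trip 5 bytes at EIP: read them, print them, write them back unchanged."""
    ea = cpu.Eip
    buf = idaapi.dbg_read_memory(ea, 5)
    # A failed read (e.g. an unmapped address) yields no buffer; the original
    # iterated the result unconditionally and would raise a TypeError on None.
    if buf is None:
        print("read failed at %x" % ea)
        return
    print("read: %s" % [hex(ord(x)) for x in buf])
    # Writing the same bytes back leaves the debuggee unchanged; this only
    # exercises the write path.
    idaapi.dbg_write_memory(ea, buf)


test_manual_regions()
if idaapi.dbg_can_query():
    # Base of the fs segment register for the current thread
    print("%x: fs" % (idaapi.dbg_get_thread_sreg_base(idc.GetCurrentThreadId(), cpu.fs)))
    test_getmeminfo()
    test_getregs()
    test_readwrite()
else:
    print("run and suspend the debugger first")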
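# Continuation of a register-dump routine whose header lies before this view
# (presumably test_getregs, which is called below).
L = idaapi.dbg_get_registers()
# Each entry: name flags class dtyp bit_strings bit_strings_default_mask
for (name, flags, cls, dtype, bit_strings, bit_strings_default_mask) in L:
    print("name=<%s> flags=%x class=%x dtype=%x bit_strings_mask=%x" % (name, flags, cls, dtype, bit_strings_default_mask))
    if bit_strings:
        for s in bit_strings:
            print(" %s" % s)


def test_manual_regions():
    """Dump the manually defined memory regions, or report that there are none."""
    L = idaapi.get_manual_regions()
    if not L:
        print("no manual regions!")
    else:
        dump_meminfo(L)


def test_readwrite():
    """Round-trip 5 bytes at EIP: read them, print them, write them back unchanged."""
    ea = cpu.Eip
    buf = idaapi.dbg_read_memory(ea, 5)
    # A failed read (e.g. an unmapped address) yields no buffer; the original
    # iterated the result unconditionally and would raise a TypeError on None.
    if buf is None:
        print("read failed at %x" % ea)
        return
    print("read: %s" % [hex(ord(x)) for x in buf])
    # Writing the same bytes back leaves the debuggee unchanged; this only
    # exercises the write path.
    idaapi.dbg_write_memory(ea, buf)


test_manual_regions()
if idaapi.dbg_can_query():
    # Base of the fs segment register for the current thread
    print("%x: fs" % (idaapi.dbg_get_thread_sreg_base(idc.GetCurrentThreadId(), cpu.fs)))
    test_getmeminfo()
    test_getregs()
    test_readwrite()
else:
    print("run and suspend the debugger first")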
def search_retns(self):
    """Collect x86 RETN / indirect JMP-CALL gadget addresses into self.retns.

    Walks every loaded segment, keeps the ones inside one of self.modules
    that are executable (by permission when a suspended debugger can be
    queried, by segment type otherwise), then scans them byte-wise:
      - with self.searchRop: C3 (RETN) and C2 imm16 (RETN imm16, kept only
        when imm16 <= self.maxRetnImm);
      - with self.searchJop: FF-prefixed JMP/CALL forms selected by the
        ModR/M (and SIB) byte tables below, displacement-filtered against
        self.maxJopImm.
    Each hit is appended as an (ea, module_file) tuple.
    """
    # NOTE(review): the progress prints fire when self.debug is *unset*;
    # confirm that polarity is intended.
    if not self.debug:
        print("found %d modules" % len(self.modules))
    for m in self.modules:
        # Iterate over segments in the module
        # BUG: Iterating over all loaded segments is more stable than looking up by address
        if not self.debug:
            print("found %d segments" % idaapi.get_segm_qty())
        for n in xrange(idaapi.get_segm_qty()):
            seg = idaapi.getnseg(n)
            # Locate executable segments in a selected modules
            # NOTE: Each module may have multiple executable segments
            if seg and seg.startEA >= m.addr and seg.endEA <= (m.addr + m.size):
                # If the debugger is attached then we can check if the segment is executable, else
                # just check if it is code or not.
                if idaapi.dbg_can_query() and idaapi.get_process_state() < 0:
                    if seg.perm & idaapi.SEGPERM_EXEC == 0:
                        continue
                elif seg.type & idaapi.SEG_CODE == 0:
                    continue
                #######################################################
                # Search for ROP gadgets
                if self.searchRop:
                    # Search all instances of RETN
                    # Every search below resumes at ea + 1 so the loop always
                    # advances; a match at seg.startEA itself is therefore skipped.
                    ea = seg.startEA
                    while True:
                        ea = idaapi.find_binary(ea + 1, seg.endEA, "C3", 16, idaapi.SEARCH_DOWN)
                        if ea == idaapi.BADADDR:
                            break
                        self.retns.append((ea, m.file))
                    # Search all instances of RETN imm16
                    ea = seg.startEA
                    while True:
                        ea = idaapi.find_binary(ea + 1, seg.endEA, "C2", 16, idaapi.SEARCH_DOWN)
                        if ea == idaapi.BADADDR:
                            break
                        # Read imm16 value and filter large values
                        # NOTE(review): if read_module_memory returns None or fewer
                        # than 2 bytes (possible at the segment end), unpack raises
                        # here; there is no guard, unlike the JOP path below.
                        retn_imm16 = read_module_memory(ea + 1, 0x2)
                        retn_imm16 = unpack("<H", retn_imm16)[0]
                        if retn_imm16 <= self.maxRetnImm:
                            self.retns.append((ea, m.file))
                #######################################################
                # Search for JOP gadgets
                if self.searchJop:
                    # Search all instances of JMP reg (FF /4) and CALL reg (FF /2)
                    ea = seg.startEA
                    while True:
                        ea = idaapi.find_binary(ea + 1, seg.endEA, "FF", 16, idaapi.SEARCH_DOWN)
                        if ea == idaapi.BADADDR:
                            break
                        # Read possible ModR/M, SIB, and IMM8/IMM32 bytes
                        # (jop[0] is the ModR/M byte, jop[1] the SIB or first
                        # displacement byte; only emptiness is checked, so the
                        # jop[1:]/jop[2:] reads below assume a full 6-byte buffer)
                        jop = read_module_memory(ea + 1, 0x6)
                        if jop == None or len(jop) == 0:
                            continue
                        ###################################################
                        # JMP/CALL reg
                        if jop[0] in ["\xe0", "\xe1", "\xe2", "\xe3", "\xe4", "\xe5", "\xe6", "\xe7", "\xd0", "\xd1", "\xd2", "\xd3", "\xd4", "\xd5", "\xd6", "\xd7"]:
                            self.retns.append((ea, m.file))
                        ###################################################
                        # JMP/CALL [reg] no SIB
                        # NOTE: Do not include pure [disp] instruction.
                        # JMP/CALL [reg] no *SP,*BP
                        elif jop[0] in ["\x20", "\x21", "\x22", "\x23", "\x26", "\x27", "\x10", "\x11", "\x12", "\x13", "\x16", "\x17"]:
                            self.retns.append((ea, m.file))
                        # JMP/CALL [reg + imm8] no *SP
                        elif jop[0] in ["\x60", "\x61", "\x62", "\x63", "\x65", "\x66", "\x67", "\x50", "\x51", "\x52", "\x53", "\x55", "\x56", "\x57"]:
                            jop_imm8 = jop[1]
                            jop_imm8 = unpack("b", jop_imm8)[0] # signed
                            if jop_imm8 <= self.maxJopImm:
                                self.retns.append((ea, m.file))
                        # JMP/CALL [reg + imm32] no *SP
                        elif jop[0] in ["\xa0", "\xa1", "\xa2", "\xa3", "\xa5", "\xa6", "\xa7", "\x90", "\x91", "\x92", "\x93", "\x95", "\x96", "\x97"]:
                            jop_imm32 = jop[1:5]
                            jop_imm32 = unpack("<i", jop_imm32)[0] # signed
                            if jop_imm32 <= self.maxJopImm:
                                self.retns.append((ea, m.file))
                        ###################################################
                        # JMP/CALL [reg] with SIB
                        # NOTE: Do no include pure [disp] instructions in SIB ([*] - none)
                        elif (jop[0] in ["\x24", "\x64", "\xa4"] and not jop[1] in ["\x25", "\x65", "\xad", "\xe5"]) or \
                             (jop[0] in ["\x14", "\x54", "\x94"] and not jop[1] in ["\x25", "\x65", "\xad", "\xe5"]):
                            # Check for displacement (imm8 for 0x64/0x54, imm32 for
                            # 0xa4/0x94, none for 0x24/0x14); the displacement is
                            # negative-signed, so the <= comparison also admits any
                            # negative value.
                            if jop[0] in ["\x64", "\x54"]:
                                jop_imm8 = jop[2]
                                jop_imm8 = unpack("b", jop_imm8)[0] # signed
                                if jop_imm8 <= self.maxJopImm:
                                    self.retns.append((ea, m.file))
                            elif jop[0] in ["\xa4", "\x94"]:
                                jop_imm32 = jop[2:6]
                                jop_imm32 = unpack("<i", jop_imm32)[0] # signed
                                if jop_imm32 <= self.maxJopImm:
                                    self.retns.append((ea, m.file))
                            else:
                                self.retns.append((ea, m.file))
    # Python 2 print statement (the progress prints above use the function form).
    print "[idasploiter] Found %d returns" % len(self.retns)
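def is_ida_debugger_present():
    """
    Check whether IDA's debugger is attached and can currently be queried
    (i.e. the debuggee is suspended so memory and registers are readable).

    @return: True if IDA debugger has been set up correctly, otherwise False
    """
    return idaapi.dbg_can_query()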
def is_active(self):
    """Return True when a debugger session is on and it can currently be queried."""
    debugger_on = idaapi.is_debugger_on()
    # Same short-circuit as `a and b`: the query check is only consulted
    # when a debugger is actually running.
    if not debugger_on:
        return debugger_on
    return idaapi.dbg_can_query()
def readMemory(address, size):
    """Read ``size`` bytes of debuggee memory starting at ``address``.

    Returns the result of idaapi.dbg_read_memory, or None when the debugger
    cannot be queried (no suspended debuggee).
    """
    if not idaapi.dbg_can_query():
        return None
    return idaapi.dbg_read_memory(address, size)