class RTTIBaseClassDescriptor(RTTIStruc):
msid = get_struc_id("PMD")
if msid != BADADDR:
del_struc(msid)
msid = add_struc(0xFFFFFFFF, "PMD", False)
add_struc_member(msid, "mdisp", BADADDR, FF_DATA | FF_DWRD, -1, 4)
add_struc_member(msid, "pdisp", BADADDR, FF_DATA | FF_DWRD, -1, 4)
add_struc_member(msid, "vdisp", BADADDR, FF_DATA | FF_DWRD, -1, 4)
pmdid = msid
pmdstruc = get_struc(pmdid)
pmdsize = get_struc_size(pmdid)
msid = get_struc_id("RTTIBaseClassDescriptor")
if msid != BADADDR:
del_struc(msid)
msid = add_struc(0xFFFFFFFF, "RTTIBaseClassDescriptor", False)
add_struc_member(msid, "pTypeDescriptor", BADADDR,
FF_DATA | FF_DWRD | FF_0OFF, 00000000, 4)
add_struc_member(msid, "numContainerBases", BADADDR, FF_DWRD | FF_DATA, -1,
4)
add_struc_member(msid, "PMD", BADADDR, FF_DATA | FF_DWRD | FF_STRU, pmdid,
pmdsize)
add_struc_member(msid, "attributes", BADADDR, FF_DWRD | FF_DATA, -1, 4)
tid = msid
struc = get_struc(tid)
size = get_struc_size(tid)
print "Completed Registering RTTIBaseClassDescriptor"
def define(ea):
if BaseClassDescriptor.isDefined(ea):
return
td = TypeDescriptor(BaseClassDescriptor.__typeDescriptorPtr(ea))
attrs = BaseClassDescriptor.__attributes(ea)
if attrs != 0 and attrs != 0x40:
print '%08X: Suspicious attributes value: %08X' % (ea, attrs)
# raise RttiError('%08X: Suspicious attributes value: %08X' % (ea, attrs))
isV2 = (attrs & 0x40) != 0
if isV2:
strid = idaapi.get_struc_id('_s__RTTIBaseClassDescriptor2')
else:
strid = idaapi.get_struc_id('_s__RTTIBaseClassDescriptor')
size = idaapi.get_struc_size(strid)
idaapi.do_unknown_range(ea, size, idaapi.DOUNK_DELNAMES)
idaapi.doStruct(ea, size, strid)
pmd = BaseClassDescriptor.__where(ea)
name = '??_R1'
name += mangleNumber(pmd.mdisp)
name += mangleNumber(pmd.pdisp)
name += mangleNumber(pmd.vdisp)
name += mangleNumber(attrs)
name += td.baseMangledName + '8'
idaapi.set_name(ea, name, 0)
if isV2:
ClassHierarchyDescriptor.define(BaseClassDescriptor.__v2ChdPtr(ea))
def define(ea):
if CompleteObjectLocator.isDefined(ea):
return
if not CompleteObjectLocator.isValid(ea):
raise RttiError(
"%08X: doesn't look like a correct CompleteObjectLocator" %
(ea))
# Ensure referenced structs are defined.
# An exception will be thrown if something goes wrong.
tdPtr = idaapi.get_full_long(ea + 12)
td = TypeDescriptor(tdPtr)
chdPtr = idaapi.get_full_long(ea + 16)
chd = ClassHierarchyDescriptor(chdPtr)
strid = idaapi.get_struc_id('_s__RTTICompleteObjectLocator')
size = idaapi.get_struc_size(strid)
idaapi.do_unknown_range(ea, size, idaapi.DOUNK_DELNAMES)
idaapi.doStruct(ea, size, strid)
if chd.isMultipleInheritance:
if chd.isVirtualInheritance:
print '%08X: Cannot handle virtual inheritance yet.' % (ea)
else:
# '??_R4' + td.baseMangledName + '6B' + baseClassTd.baseMangledName + '@'
# '??_7' + ...
print '%08X: Cannot handle multiple inheritance yet.' % (ea)
else:
idaapi.set_name(ea, '??_R4' + td.baseMangledName + '6B@', 0)
def define(ea):
if BaseClassDescriptor.isDefined(ea):
return
td = TypeDescriptor(BaseClassDescriptor.__typeDescriptorPtr(ea))
attrs = BaseClassDescriptor.__attributes(ea)
if attrs != 0 and attrs != 0x40:
print "%08X: Suspicious attributes value: %08X" % (ea, attrs)
# raise RttiError('%08X: Suspicious attributes value: %08X' % (ea, attrs))
isV2 = (attrs & 0x40) != 0
if isV2:
strid = idaapi.get_struc_id("_s__RTTIBaseClassDescriptor2")
else:
strid = idaapi.get_struc_id("_s__RTTIBaseClassDescriptor")
size = idaapi.get_struc_size(strid)
idaapi.do_unknown_range(ea, size, idaapi.DOUNK_DELNAMES)
idaapi.doStruct(ea, size, strid)
pmd = BaseClassDescriptor.__where(ea)
name = "??_R1"
name += mangleNumber(pmd.mdisp)
name += mangleNumber(pmd.pdisp)
name += mangleNumber(pmd.vdisp)
name += mangleNumber(attrs)
name += td.baseMangledName + "8"
idaapi.set_name(ea, name, 0)
if isV2:
ClassHierarchyDescriptor.define(BaseClassDescriptor.__v2ChdPtr(ea))
def members(id):
"""Yields the members of the structure identified by ``id``.
Each iteration yields the ((offset,size),(name,comment,repeatable-comment)) of each member.
"""
st = idaapi.get_struc(id)
if not st:
# empty structure
return
size = idaapi.get_struc_size(st)
offset = 0
for i in range(st.memqty):
m = st.get_member(i)
ms = idaapi.get_member_size(m)
left, right = m.soff, m.eoff
if offset < left:
yield (offset, left - offset), (idaapi.get_member_name(m.id),
idaapi.get_member_cmt(m.id, 0),
idaapi.get_member_cmt(m.id, 1))
offset = left
yield (offset, ms), (idaapi.get_member_name(m.id),
idaapi.get_member_cmt(m.id, 0),
idaapi.get_member_cmt(m.id, 1))
offset += ms
return
def define(ea):
if CompleteObjectLocator.isDefined(ea):
return
if not CompleteObjectLocator.isValid(ea):
raise RttiError("%08X: doesn't look like a correct CompleteObjectLocator" % (ea))
# Ensure referenced structs are defined.
# An exception will be thrown if something goes wrong.
tdPtr = idaapi.get_full_long(ea + 12)
td = TypeDescriptor(tdPtr)
chdPtr = idaapi.get_full_long(ea + 16)
chd = ClassHierarchyDescriptor(chdPtr)
strid = idaapi.get_struc_id("_s__RTTICompleteObjectLocator")
size = idaapi.get_struc_size(strid)
idaapi.do_unknown_range(ea, size, idaapi.DOUNK_DELNAMES)
idaapi.doStruct(ea, size, strid)
if chd.isMultipleInheritance:
if chd.isVirtualInheritance:
print "%08X: Cannot handle virtual inheritance yet." % (ea)
else:
# '??_R4' + td.baseMangledName + '6B' + baseClassTd.baseMangledName + '@'
# '??_7' + ...
print "%08X: Cannot handle multiple inheritance yet." % (ea)
else:
idaapi.set_name(ea, "??_R4" + td.baseMangledName + "6B@", 0)
def __init__(self, name):
sid = -1
nametype = type(name)
if nametype is str:
self.name = name
sid = idaapi.get_struc_id(name)
elif nametype is int or nametype is long:
sid = name
self.name = idaapi.get_struc_name(sid)
self.sid = sid
ssize = 0
memberlist = None
offs = 0
if not warnBad(sid):
struc = idaapi.get_struc(sid)
ssize = idaapi.get_struc_size(sid)
#memberqty = idc.GetMemberQty(sid)
memberqty = struc.memqty
memberlist = [None] * memberqty
for i in range(0, memberqty):
#memberlist.append(idamember(sid, offs))
memberlist[i] = idamember(sid, offs)
offs = idaapi.get_struc_next_offset(struc, offs)
self.size = ssize
self.members = memberlist
class RTTICompleteObjectLocator(RTTIStruc):
# Init class statics
msid = get_struc_id("RTTICompleteObjectLocator")
if msid != BADADDR:
del_struc(get_struc(msid))
msid = add_struc(0xFFFFFFFF, "RTTICompleteObjectLocator", False)
add_struc_member(get_struc(msid), "signature", BADADDR, FF_DATA | FF_DWRD,
None, 4)
add_struc_member(get_struc(msid), "offset", BADADDR, FF_DATA | FF_DWRD,
None, 4)
add_struc_member(get_struc(msid), "cdOffset", BADADDR, FF_DATA | FF_DWRD,
None, 4)
add_struc_member(get_struc(msid), "pTypeDescriptor", BADADDR,
FF_DATA | FF_DWRD | FF_0OFF, u.mt_rva(), 4)
add_struc_member(get_struc(msid), "pClassDescriptor", BADADDR,
FF_DATA | FF_DWRD | FF_0OFF, u.mt_rva(), 4)
if u.x64:
add_struc_member(get_struc(msid), "pSelf", BADADDR,
FF_DATA | FF_DWRD | FF_0OFF, u.mt_rva(), 4)
tid = msid
struc = get_struc(tid)
size = get_struc_size(tid)
print "Completed Registering RTTICompleteObjectLocator"
def __init__(self, ea, vtable):
filepath = GetIdbPath()[:-4]
fp = open(r"{filepath}.txt".format(filepath=filepath), 'a')
# fp.write(filepath)
print "Create file"
do_unknown_range(ea, self.size, DOUNK_DELNAMES)
if doStruct(ea, self.size, self.tid):
# Get adress of type descriptor from CompleteLocator
# print "Complete Object Locator at: 0x%x" % ea
offset = get_member_by_name(self.struc, "pTypeDescriptor").soff
typeDescriptor = get_32bit(ea + offset) + u.x64_imagebase()
# print "Looking for type Descriptor at: 0x%x" % typeDescriptor
rtd = RTTITypeDescriptor(typeDescriptor)
if rtd.class_name:
# print "Type Descriptor at: 0x%x" % typeDescriptor
offset = get_member_by_name(self.struc,
"pClassDescriptor").soff
classHierarchyDes = get_32bit(ea + offset) + u.x64_imagebase()
rchd = RTTIClassHierarchyDescriptor(classHierarchyDes)
# filter out None entries
rchd.bases = filter(lambda x: x, rchd.bases)
classes[strip(rtd.class_name)] = [strip(b) for b in rchd.bases]
MakeNameEx(vtable, "vtable__" + strip(rtd.class_name),
SN_NOWARN)
tempStr = hex(vtable).rstrip('L') + '\t' + strip(
rtd.class_name) + '\t' + str(GuessType(
Dword(vtable + 4))) + '\n'
if ('std' not in tempStr[:15] and 'ATL' not in tempStr[:15]):
fp.write(tempStr)
else:
# if the RTTITypeDescriptor doesn't have a valid name for us to
# read, then this wasn't a valid RTTICompleteObjectLocator
MakeUnknown(ea, self.size, DOUNK_SIMPLE)
fp.close()
def size(self, new):
res = idaapi.get_struc_size(self.ptr)
ok = idaapi.expand_struc(self.ptr, 0, new - res, True)
if not ok:
logging.fatal(
"{:s}.instance({:s}).resize : Unable to resize structure {:s} from {:#x} bytes to {:#x} bytes."
.format(__name__, self.name, self.name, res, new))
return res
def foreachStructureNameAndSize(struct_iterator, *additionalArgs):
assertFunction(struct_iterator)
first = int(getFirstStructIdx())
last = int(getLastStructIdx())
for i in range(first, last):
sid = idaapi.get_struc_by_idx(i)
if not struct_iterator(idaapi.get_struc_name(sid),
idaapi.get_struc_size(sid), *additionalArgs):
break
def assign_struct_to_address(address, struct_name):
idc.apply_type(address, get_Tinfo_from_name(struct_name))
struct_id = idaapi.get_struc_id(struct_name)
if struct_id != 0xffffffffffffffff:
struct_size = idaapi.get_struc_size(struct_id)
for i in range(struct_size):
ida_bytes.del_items(address + i, 0)
return idaapi.create_struct(address, struct_size, struct_id)
return False
def assign_struct_to_address(address, struct_name):
idc.ApplyType(address, get_Tinfo_from_name(struct_name))
struct_id = idaapi.get_struc_id(struct_name)
if struct_id != 0xffffffffffffffff:
struct_size = idaapi.get_struc_size(struct_id)
for i in range(struct_size):
idc.MakeUnkn(address+i, 0)
return idaapi.doStruct(address, struct_size, struct_id)
return False
def yacheck_function_local_vars(self):
addr = yaunit.load('function_with_local_vars')
frame = idaapi.get_frame(addr)
frame_size = idaapi.get_struc_size(frame.id)
offset = 0
last_name = None
while offset < frame_size and last_name is None:
last_name = idc.GetMemberName(frame.id, offset)
offset += 1
self.assertEqual(last_name, 'local_var')
def yatest_function_local_vars(self):
addr = yaunit.get_next_function(yaunit.has_locals)
frame = idaapi.get_frame(addr)
offset = 0
frame_size = idaapi.get_struc_size(frame.id)
while offset < frame_size:
if idc.SetMemberName(frame.id, offset, 'local_var'):
break
offset += 1
yaunit.save('function_with_local_vars', addr)
def define_ke_task_desc(ea, task_desc_name):
print "{}: 0x{:X}".format(task_desc_name, ea)
sid = idaapi.get_struc_id("ke_task_desc")
struct_size = idaapi.get_struc_size(sid)
# undefined addr and define struct
idaapi.del_items(ea, struct_size, idaapi.DELIT_DELNAMES)
idaapi.create_struct(ea, struct_size, sid)
idaapi.set_name(ea, task_desc_name, idaapi.SN_FORCE)
def define_ke_state_handler(ea):
# undefined addr and define struct
sid = idaapi.get_struc_id("ke_state_handler")
struct_size = idaapi.get_struc_size(sid)
idaapi.del_items(ea, struct_size, idaapi.DELIT_DELNAMES)
idaapi.create_struct(ea, struct_size, sid)
msg_table = idaapi.get_dword(ea)
msg_cnt = idaapi.get_word(ea + 4)
print "msg_table: 0x{:X}, msg_cnt: {}".format(msg_table, msg_cnt)
sid = idaapi.get_struc_id("ke_msg_handler")
struct_size = idaapi.get_struc_size(sid)
idaapi.del_items(msg_table, struct_size, idaapi.DELIT_DELNAMES)
idaapi.create_struct(msg_table, struct_size, sid)
idc.make_array(msg_table, msg_cnt)
for i in range(msg_cnt):
define_func(idaapi.get_dword(msg_table + 4 + i * 8))
def __init__(self, ea):
print "Processing Class Hierarchy Descriptor at 0x%x" % ea
do_unknown_range(ea, get_struc_size(self.tid), DOUNK_DELNAMES)
if doStruct(ea, get_struc_size(self.tid), self.tid):
baseClasses = get_32bit(ea + get_member_by_name(
self.struc, "pBaseClassArray").soff) + u.x64_imagebase()
nb_classes = get_32bit(
ea + get_member_by_name(self.struc, "numBaseClasses").soff)
print "Baseclasses array at 0x%x" % baseClasses
# Skip the first base class as it is itself (could check)
self.bases = []
for i in range(1, nb_classes):
baseClass = get_32bit(baseClasses + i * 4) + u.x64_imagebase()
print "base class 0x%x" % baseClass
doDwrd(baseClasses + i * 4, 4)
op_offset(baseClasses + i * 4, -1, u.REF_OFF | REFINFO_RVA, -1,
0, 0)
doStruct(baseClass, RTTIBaseClassDescriptor.size,
RTTIBaseClassDescriptor.tid)
typeDescriptor = get_32bit(baseClass) + u.x64_imagebase()
self.bases.append(
RTTITypeDescriptor(typeDescriptor).class_name)
class RTTICompleteObjectLocator(RTTIStruc):
# Init class statics
msid = get_struc_id("RTTICompleteObjectLocator")
if msid != BADADDR:
del_struc(get_struc(msid))
msid = add_struc(0xFFFFFFFF, "RTTICompleteObjectLocator", False)
add_struc_member(get_struc(msid), "signature", BADADDR, FF_DATA | FF_DWRD,
None, 4)
add_struc_member(get_struc(msid), "offset", BADADDR, FF_DATA | FF_DWRD,
None, 4)
add_struc_member(get_struc(msid), "cdOffset", BADADDR, FF_DATA | FF_DWRD,
None, 4)
add_struc_member(get_struc(msid), "pTypeDescriptor", BADADDR,
FF_DATA | FF_DWRD | FF_0OFF, u.mt_rva(), 4)
add_struc_member(get_struc(msid), "pClassDescriptor", BADADDR,
FF_DATA | FF_DWRD | FF_0OFF, u.mt_rva(), 4)
if u.x64:
add_struc_member(get_struc(msid), "pSelf", BADADDR,
FF_DATA | FF_DWRD | FF_0OFF, u.mt_rva(), 4)
tid = msid
struc = get_struc(tid)
size = get_struc_size(tid)
print "Completed Registering RTTICompleteObjectLocator"
def __init__(self, ea, vtable):
do_unknown_range(ea, self.size, DOUNK_DELNAMES)
if doStruct(ea, self.size, self.tid):
# Get adress of type descriptor from CompleteLocator
print "Complete Object Locator at: 0x%x" % ea
offset = get_member_by_name(self.struc, "pTypeDescriptor").soff
typeDescriptor = get_32bit(ea + offset) + u.x64_imagebase()
print "Looking for type Descriptor at: 0x%x" % typeDescriptor
rtd = RTTITypeDescriptor(typeDescriptor)
if rtd.class_name:
print "Type Descriptor at: 0x%x" % typeDescriptor
offset = get_member_by_name(self.struc,
"pClassDescriptor").soff
classHierarchyDes = get_32bit(ea + offset) + u.x64_imagebase()
rchd = RTTIClassHierarchyDescriptor(classHierarchyDes)
# filter out None entries
rchd.bases = filter(lambda x: x, rchd.bases)
className = strip(rtd.class_name)
classes[className] = [strip(b) for b in rchd.bases]
vtables[className] = vtable
MakeNameEx(vtable, "vtable__" + className, SN_NOWARN)
else:
# if the RTTITypeDescriptor doesn't have a valid name for us to
# read, then this wasn't a valid RTTICompleteObjectLocator
MakeUnknown(ea, self.size, DOUNK_SIMPLE)
def forceStruct(ea, name): """ forceStruct: ea, name Does all the necessary things to force IDA to convert the memory starting at address 'ea' into a struct of type 'name'. Returns the address after the struct. """ sid = idaapi.get_struc_id(name) ssize = idaapi.get_struc_size(sid) idaapi.do_unknown_range(ea, ssize, DOUNK_DELNAMES) x = idaapi.doStruct(ea, ssize, sid) return ea + ssize
def create_struct(name, fields, size):
struct_id = idaapi.get_struc_id(name)
# print struct_id
if struct_id != idaapi.BADADDR:
i = ida_kernwin.ask_yn(
0,
"A class structure for %s already exists. Are you sure you want to remake it?"
% name)
if i == idaapi.BADADDR:
return
if i == 1:
idaapi.del_struc_members(idaapi.get_struc(struct_id), 0,
idaapi.get_struc_size(struct_id))
# struct_id = idc.AddStrucEx(idaapi.BADADDR, name + "_vtbl", 0)
else:
struct_id = idaapi.add_struc(idaapi.BADADDR, name, 0)
if struct_id == idaapi.BADADDR:
Warning(
"Could not create the class structure!.\nPlease check something.")
return
sptr = idaapi.get_struc(struct_id)
for off in fields:
off, type_name, type_kind, field_name = fields[off]
print(
"Process field. Off = 0x%04X, type_name = %s (%d: %s), field_name = %s"
%
(off, type_name, type_kind, type_sizes[type_kind][0], field_name))
type_size = type_sizes[type_kind][1]
ret = ida_struct.add_struc_member(sptr, field_name.decode(), off,
flags_dict[type_size], None,
type_size)
if ret != 0:
ida_kernwin.warning("Unknown error! Err = %d" % ret)
return
mptr = ida_struct.get_member(sptr, off)
ida_struct.set_member_cmt(
mptr, " --> %s (%d: %s)" %
(type_name.decode(), type_kind, type_sizes[type_kind][0]), False)
struct_size = ida_struct.get_struc_size(sptr)
if size < struct_size:
ida_kernwin.warning(
"Struct create error! final size (%d) > instanse size (%d)" %
(struct_size, size))
elif size > struct_size:
for i in range(size - struct_size):
ida_struct.add_struc_member(sptr, "dummy%d" % i, idaapi.BADADDR,
idaapi.FF_BYTE, None, 1)
def load_file(li, neflags, format):
"""
Load the file into database
@param li: a file-like object which can be used to access the input data
@param neflags: options selected by the user, see loader.hpp
@return: 0-failure, 1-ok
"""
# Select the PC processor module
idaapi.set_processor_type("metapc", ida_idp.SETPROC_LOADER)
# read MBR into buffer
li.seek(0, os.SEEK_SET)
buf = li.read(li.size())
seg = idaapi.segment_t()
start = 0x7C00
size = len(buf)
end = start + size
# Create the segment
seg.start_ea = start
seg.end_ea = end
seg.bitness = 0 # 16-bit
idaapi.add_segm_ex(seg, "seg0", "CODE", 0)
# Copy the bytes
idaapi.mem2base(buf, start, end)
# add entry point
idaapi.add_entry(start, start, "start", 1)
strid = add_struct_def()
idaapi.set_name(start + 0x1BE, "MBR_PARTITION_TABLE", idaapi.SN_CHECK)
str_size = idaapi.get_struc_size(strid)
idaapi.create_struct(start + 0x1BE, str_size, strid)
idaapi.set_name(510, "MBR_SIGN", idaapi.SN_CHECK)
# Mark for analysis
AutoMark(start, AU_CODE)
load_debugger("bochs", 0)
return 1
def define(ea):
if ClassHierarchyDescriptor.isDefined(ea):
return
if not ClassHierarchyDescriptor.isValid(ea):
raise RttiError("%08X: Doesn't look like a correct ClassHierarchyDescriptor" % ea)
strid = idaapi.get_struc_id("_s__RTTIClassHierarchyDescriptor")
size = idaapi.get_struc_size(strid)
idaapi.do_unknown_range(ea, size, idaapi.DOUNK_DELNAMES)
idaapi.doStruct(ea, size, strid)
bca = BaseClassArray(
ClassHierarchyDescriptor.__baseClassArrayPtr(ea), ClassHierarchyDescriptor.__baseClassCount(ea)
)
# Entry 0 describes the class itself => I can find out the class name.
idaapi.set_name(ea, "??_R3" + bca[0].typeDescriptor.baseMangledName + "8", 0)
class RTTIBaseClassDescriptor(RTTIStruc):
msid = get_struc_id("RTTIBaseClassDescriptor")
if msid != BADADDR:
del_struc(msid)
msid = add_struc(0xFFFFFFFF, "RTTIBaseClassDescriptor", False)
add_struc_member(msid, "pTypeDescriptor", BADADDR,
FF_DATA | FF_DWORD | FF_0OFF,
u.mt_rva().tid, 4)
add_struc_member(msid, "numContainerBases", BADADDR, FF_DWORD | FF_DATA,
-1, 4)
add_struc_member(msid, "PMD", BADADDR, FF_DATA | FF_DWORD | FF_0OFF,
u.mt_rva().tid, 4)
add_struc_member(msid, "attributes", BADADDR, FF_DWORD | FF_DATA, -1, 4)
tid = msid
struc = get_struc(tid)
size = get_struc_size(tid)
print("Completed Registering RTTIBaseClassDescriptor")
def MakeStructEx(ea=None, size=-1, strname="", strid=None):
'''
Convierte una dirección de memoria en un item de una estructura
@param ea: dirección a establecer
@param size: tamaño de la estructura en bytes.
@param strname: nombre de la estructura
@return: 1-todo bien, 0-mierda
'''
if strid is None:
strid = idaapi.get_struc_id(strname)
if size == -1:
size = idaapi.get_struc_size(strid)
return idaapi.doStruct(ea, size, strid)
class RTTITypeDescriptor(RTTIStruc):
class_name = None
msid = get_struc_id("RTTITypeDescriptor")
if msid != BADADDR:
del_struc(get_struc(msid))
msid = add_struc(0xFFFFFFFF, "RTTITypeDescriptor", False)
add_struc_member(get_struc(msid),
"pVFTable", BADADDR, FF_DATA | u.PTR_TYPE | FF_0OFF,
u.mt_address(), u.PTR_SIZE)
add_struc_member(get_struc(msid), "spare", BADADDR, FF_DATA | u.PTR_TYPE,
None, u.PTR_SIZE)
add_struc_member(get_struc(msid), "name", BADADDR, FF_DATA | FF_ASCI,
u.mt_ascii(), 0)
tid = msid
struc = get_struc(tid)
size = get_struc_size(tid)
print "Completed Registering RTTITypeDescriptor"
def __init__(self, ea):
name = ea + get_member_by_name(get_struc(self.tid), "name").soff
strlen = u.get_strlen(name)
if strlen is None:
# not a real vtable
return
self.size = self.size + strlen
mangled = get_ascii_contents(name, strlen, 0)
if mangled is None:
# not a real function name
return
# print "Mangled: " + mangled
demangled = demangle_name('??_R0' + mangled[1:], 0)
if demangled:
do_unknown_range(ea, self.size, DOUNK_DELNAMES)
if doStruct(ea, self.size, self.tid):
# print " Made td at 0x%x: %s" % (ea, demangled)
self.class_name = demangled
return
print " FAIL :("
return
def define(ea):
if ClassHierarchyDescriptor.isDefined(ea):
return
if not ClassHierarchyDescriptor.isValid(ea):
raise RttiError(
"%08X: Doesn't look like a correct ClassHierarchyDescriptor" %
ea)
strid = idaapi.get_struc_id('_s__RTTIClassHierarchyDescriptor')
size = idaapi.get_struc_size(strid)
idaapi.do_unknown_range(ea, size, idaapi.DOUNK_DELNAMES)
idaapi.doStruct(ea, size, strid)
bca = BaseClassArray(ClassHierarchyDescriptor.__baseClassArrayPtr(ea),
ClassHierarchyDescriptor.__baseClassCount(ea))
# Entry 0 describes the class itself => I can find out the class name.
idaapi.set_name(ea,
'??_R3' + bca[0].typeDescriptor.baseMangledName + '8',
0)
def members(id):
st = idaapi.get_struc(id)
if not st:
# empty structure
return
size = idaapi.get_struc_size(st)
offset = 0
for i in range(st.memqty):
m = st.get_member(i)
ms = idaapi.get_member_size(m)
left,right = m.soff,m.eoff
if offset < left:
yield (offset,left-offset), (None,None)
offset = left
yield (offset,ms),(idaapi.get_member_name(m.id), idaapi.get_member_cmt(m.id, 1))
offset += ms
return
def get_size(name, type, line):
if type == "BasicType":
try:
return idc.SizeOf(idc.parse_decl(str(name), 0)[1])
except:
try:
idc.SizeOf(
idc.parse_decl(str(line.get("type").get("name")),
0)[1])
except:
return 1
elif type == "ArrayType":
subType = line.get("type")
if not subType:
return line.get("size")
typeSize = IDAtools.get_size(str(subType.get("name")),
subType.get("table"), subType)
try:
return (typeSize * int(line.get("size")))
except TypeError:
return 1
elif type == "PointerType" or type == "ReferenceType" or type == "QualifierType":
return 4
elif type == "CFunctionType" or type == "CPPFunctionType":
return 4
elif type == "PDOMCEnumeration" or type == "PDOMCPPEnumeration":
return idaapi.get_enum_size(idaapi.get_enum(str(name)))
elif type == "PDOMCStructure" or type == "PDOMCPPClassType":
return idaapi.get_struc_size(idaapi.get_struc_id(str(name)))
elif type == "PDOMCTypedef" or type == "PDOMCPPTypedef":
subType = line.get("type")
if not subType:
return 1
return IDAtools.get_size(subType.get("name"), subType.get("table"),
subType)
else:
raise Exception("Missing case", type)
def members(id):
"""Return the ((offset,size),(name,comment)) of each member within the specified structure"""
st = idaapi.get_struc(id)
if not st:
# empty structure
return
size = idaapi.get_struc_size(st)
offset = 0
for i in range(st.memqty):
m = st.get_member(i)
ms = idaapi.get_member_size(m)
left, right = m.soff, m.eoff
if offset < left:
yield (offset, left - offset), (None, None)
offset = left
yield (offset, ms), (idaapi.get_member_name(m.id),
idaapi.get_member_cmt(m.id, 1))
offset += ms
return
import sark
import idautils
import idaapi
import csv
dataseg = sark.Segment(name="dataseg")
with open('c:/Users/Joe/applied_structs.csv', 'r') as csvfile:
for row in csv.reader(csvfile):
struct_id = idaapi.get_struc_id(row[1])
size = idaapi.get_struc_size(struct_id)
idaapi.doStruct(int(row[0]) + dataseg.ea,size, struct_id)
import idaapi
import ida_kernwin
import idc
struct_name = ida_kernwin.ask_str("", 4, "Enter struct name")
start = ida_kernwin.ask_addr(0, "Enter start address")
num_structs = ida_kernwin.ask_long(0, "Enter struct count")
should_number = ida_kernwin.ask_yn(0, "Number the structs as they're created?")
cur_struct_num = 0
struct_id = idaapi.get_struc_id(struct_name)
if struct_id == -1:
exit("No such struct {}".format(struct_name))
struct_size = idaapi.get_struc_size(struct_id)
cur = start
for i in range(num_structs):
create_struct(cur, struct_size, struct_name)
if should_number:
set_cmt(cur, str(cur_struct_num), 0)
cur_struct_num += 1
cur += struct_size
def size(id):
"""Return the size of the specified structure"""
return idaapi.get_struc_size(id)
def size(self):
return idaapi.get_struc_size(self.ptr)
def get_member_unit_size(mem, struc):
if idaapi.isStruct(mem.flag):
return idaapi.get_struc_size(util.member_str_id(mem, struc))
else:
return get_prim_unit_size(mem.flag)
def size(self):
return idaapi.get_struc_size(self.ptr)
def size(self):
'''Return the size of the structure.'''
return idaapi.get_struc_size(self.ptr)
def get_member_unit_size(mem, struc):
if idaapi.isStruct(mem.flag):
return idaapi.get_struc_size(util.member_str_id(mem, struc))
else:
return get_prim_unit_size(mem.flag)
