예제 #1
0
    def make_arg_opnd(self, arg_idx):
        arg_opnd = make_reg_arg_opnd(arg_idx)
        if arg_opnd is not None:
            return arg_opnd
        else:
            od = '[rsp+arg_{}]'.format(idabuty.beautify_offset(8 * arg_idx))

            return idaobj.Opnd(ot=idc.o_displ, od=od)
예제 #2
0
    def make_arg_opnd(self, arg_idx):
        arg_opnd = make_reg_arg_opnd(arg_idx)
        if arg_opnd is not None:
            return arg_opnd
        else:
            stack_base = self.func.find_stack_base().od
            offset = int(stack_base.rstrip('h'), 16) - (8 * arg_idx)
            od = '[rsp+{}+var_{}]'.format(stack_base,
                                          idabuty.beautify_offset(offset))

            return idaobj.Opnd(ot=idc.o_displ, od=od)
예제 #3
0
    def find_dispatch_dev_ctrl(self):
        print idabuty.beautify_title('DriverObject:'), self.find_drv_obj()

        for ea in idautils.Heads(self.f.startEA, self.f.endEA):
            if idc.GetMnem(ea) == 'mov':
                opnd = idaobj.Opnd(ea=ea, oi=0)
                if opnd.ot == idc.o_displ:
                    parsed_opnd = opnd.parse()

                    if len(parsed_opnd) == 2:
                        pass
                        #print idabuty.beautify_ea(ea)

                    if len(parsed_opnd) == 3:
                        base_reg, idx, displ = parsed_opnd

                        # ['rcx', 'rax', '70h']
                        if ('*' not in idx) and (not idx.endswith('h')):
                            idx_reg = idx

                            opnd1 = self.find_drv_obj(
                            )  # mov     [rsp+drv_obj], rcx
                            opnd2 = idafind.find(
                                ea,
                                idaobj.Opnd(ot=idc.o_reg, od=base_reg),
                                is_bwd=1)  # mov     rcx, [rsp+48h+drv_obj]
                            is_drv_obj = idaobj.cmp_od_displ(opnd1, opnd2)

                            opnd = idafind.find(ea,
                                                idaobj.Opnd(ot=idc.o_reg,
                                                            od=idx_reg),
                                                is_bwd=True)
                            is_mj_dev_ctrl = '0Eh' == idaobj.parse_opnd(opnd)

                            is_mj_func = '70h' == displ

                            if is_drv_obj and is_mj_dev_ctrl and is_mj_func:
                                return idafind.get_func_from_opnd(
                                    idaobj.Opnd(ea=ea, oi=1))

        raise idafind.NotFoundError
예제 #4
0
    def find_io_stack_loc(self):
        irp_opnd = self.find_irp()
        print beautify_title('IRP:'), irp_opnd

        call_eas = self.find_mnem_eas('call')
        call_eas = filter(
            lambda ea: idafind.is_func_call_arg(self.f, ea, 0, irp_opnd),
            call_eas)
        call_eas = filter(
            lambda ea: 'IofCompleteRequest' not in idcnew.GetOpnd(ea, 0),
            call_eas)

        assert len(call_eas) == 1  # TODO: check +0B8h

        return idafind.find(call_eas[0], idaobj.Opnd(ot=idc.o_reg, od='rax'))
예제 #5
0
    def find_stack_base(self):
        from_ea = idcnew.GetBB(self.f.startEA).endEA
        target_opnd = idaobj.Opnd(ot=idc.o_reg, od='rsp')

        return idafind.find(from_ea, target_opnd, is_bwd=True)