def find_interesting_xors(self):
    """Collect every ``xor`` whose two operands differ.

    ``xor reg, reg`` is the usual zeroing idiom and is ignored; any other
    ``xor`` is appended to ``self._interesting_xors`` as a dict with keys
    ``func`` (name of the enclosing function, ``""`` if none), ``addr``,
    ``loop`` and ``disasm``.  ``loop`` is a heuristic: it is True when some
    ``j*`` instruction between the xor and the end of its function targets an
    address strictly between the function start and the xor (a backward
    jump), which is typical of a decoding loop worth a closer look.

    Note: ``idc.FindText`` is a text search over the disassembly line, so
    anything containing "xor" (names, comments) is also visited.
    """
    flags = idc.SEARCH_DOWN | idc.SEARCH_NEXT

    def describe(addr):
        # Build the record for one xor.  The loop test is a backward-jump
        # heuristic, not a control-flow analysis.
        record = {
            "func": "",
            "addr": addr,
            "loop": False,
            "disasm": idc.GetDisasm(addr),
        }
        func = idaapi.get_func(addr)
        if not func:
            return record
        record["func"] = idaapi.get_name(idc.BADADDR, func.startEA)
        for head in idautils.Heads(addr, func.endEA):
            if not idc.GetMnem(head).startswith('j'):
                continue
            target = idc.GetOperandValue(head, 0)
            if func.startEA < target < addr:
                record["loop"] = True
                break
        return record

    addr = idc.FindText(idc.MinEA(), flags, 0, 0, "xor")
    while addr != idc.BADADDR:
        if idc.GetOpnd(addr, 0) != idc.GetOpnd(addr, 1):
            self._interesting_xors.append(describe(addr))
        addr = idc.FindText(idc.NextHead(addr), flags, 0, 0, "xor")
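def findCodeCavez(self, segment=".text"):
    """Enumerate alignment padding items ("code caves") in *segment*.

    Walks the segment with ``idc.FindText`` looking for ``align`` items and
    records each as ``(address, item_size)``.  Useful when auditing how much
    slack space a binary carries (e.g. to check whether padding has been
    tampered with).

    Args:
        segment: segment name as IDA shows it (default ``".text"``).

    Returns:
        A list of ``(addr, size)`` tuples in address order, or ``None`` when
        the segment cannot be found.  The largest cave, which the original
        tracked in locals but never returned (the second ``return`` was
        unreachable), is ``max(results, key=lambda r: r[1])``.

    Note: this is a text search, so any disassembly line containing "align"
    (names, comments) is matched too; treat the sizes as a hint.
    """
    seg_start = idc.SegByBase(idc.SegByName(segment))
    if seg_start == idc.BADADDR:
        print("Can't find segment %s" % (segment))
        return
    seg_end = idc.SegEnd(seg_start)

    results = []
    pos = seg_start
    item_size = 0
    while pos < seg_end:
        found = idc.FindText(pos + item_size, idc.SEARCH_DOWN, 0, 0, "align")
        # Stop on no match, on a match past the segment (FindText is not
        # bounded by the segment), or when no progress is made.  The
        # original appended a bogus (BADADDR, 0) entry in the first case.
        if found == idc.BADADDR or found >= seg_end or found == pos:
            break
        item_size = idc.ItemSize(found)
        results.append((found, item_size))
        pos = found
    return results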
def get_next_bad_addr(curEa, regex_query):
    """Return the first address above *curEa* whose disassembly matches *regex_query*.

    Probes ``idc.FindText`` with ``SEARCH_REGEX`` from ``curEa + 4``,
    ``curEa + 8``, ... and returns the first hit that lies above *curEa*.
    Gives up and returns ``idc.BADADDR`` once the probe offset reaches 0x100
    (64 probes), or as soon as a probe itself returns ``idc.BADADDR``.
    """
    ea = curEa
    for offset in range(4, 0x100 + 4, 4):
        # Loop guard of the original ``while``: stop when a hit moved past
        # curEa or the search ran off the end of the database.
        if ea > curEa or ea == idc.BADADDR:
            return ea
        ea = idc.FindText(
            curEa + offset,
            idc.SEARCH_DOWN | idc.SEARCH_REGEX,
            0, 0, regex_query,
        )
        if offset >= 0x100:
            return idc.BADADDR
    return ea
# 二进制查找 # push ebp # mov ebp,esp pattern = '55 56 57' addr = MinEA() for x in range(0, 5): addr = idc.FindBinary(addr, SEARCH_DOWN | SEARCH_NEXT, pattern) if addr != idc.BADADDR: print hex(addr), idc.GetDisasm(addr) # 字符串查找 cur_addr = MinEA() end = MaxEA() while cur_addr < end: cur_addr = idc.FindText(cur_addr, SEARCH_DOWN, 0, 0, "_fmode") if cur_addr == idc.BADADDR: break else: print hex(cur_addr), idc.GetDisasm(cur_addr) cur_addr = idc.NextHead(cur_addr) #F这个参数需要先通过idc.GetFlags(ea)获取地址的内部标志表示形式,然后再传给idc.is*系列函数当参数 #判断IDA是否将其判定为代码 idc.isCode(F) #判断IDA是否将其判定为数据 idc.isData(F) #判断IDA是否将其判定为尾部
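import idautils
import idc
import json
import os

# Map each function that contains a "syscall" instruction to the second
# operand of the nearest preceding "mov" (heuristically the syscall number),
# and dump the map as JSON on the Desktop.
ea = idc.MinEA()
# Named `syscalls` rather than `all`: the script runs in IDA's shared
# namespace, where rebinding `all` clobbers the builtin for later scripts.
syscalls = {}
while True:
    ea = idc.FindText(ea, idc.SEARCH_DOWN, 0, 0, "syscall")
    # The original compared against idaapi.BADADDR without importing idaapi
    # (NameError on the first miss); idc exposes the same sentinel.
    if ea == idc.BADADDR:
        break
    func_name = idc.GetFunctionName(ea)
    # Text search upwards for "mov": this is the closest mov line, not
    # necessarily the load of the syscall-number register, so the recorded
    # operand is a hint.  A function with several syscalls keeps only the
    # last one; code outside any function is keyed under "".
    ins = idc.FindText(ea, idc.SEARCH_UP, 0, 0, "mov")
    syscall_num = idc.GetOpnd(ins, 1) if ins != idc.BADADDR else ""
    syscalls[func_name] = syscall_num
    ea += len("syscall")

# os.path.join instead of "\\" concatenation so the script also works on
# non-Windows hosts; on Windows the resulting path is unchanged.
out_path = os.path.join(
    os.path.expanduser('~'),
    'Desktop',
    idc.GetInputFile().replace('.', '_') + '_syscalls.json',
)
with open(out_path, 'w+') as fp:
    json.dump(syscalls, fp)
print("Saved %d system calls to %s" % (len(syscalls), out_path))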