def analyze_str_ptr(start_ea, end_ea):
str_cnt = 0
start_time = time.time()
# First, find string references. strings referenced by pointers are highly
# likely string.
ea = start_ea
while ea != idc.BADADDR and ea < end_ea:
status, ea = is_assigned(ea)
if status:
continue
str_ptr = ida_bytes.get_dword(ea)
if idc.get_str_type(str_ptr) is not None or check_string(str_ptr, 8):
# even already assigned strings may not have reference.
ida_offset.op_offset(ea, 0, idc.REF_OFF32)
if idc.get_str_type(str_ptr) is None:
create_string(str_ptr)
str_cnt += 1
if str_cnt % 10000 == 0:
print("%x: %d strings has been found. (%0.3f secs)" %
(ea, str_cnt, time.time() - start_time))
ea = next_addr_aligned(ea, 4)
print("Created %d strings. (%0.3f secs)" %
(str_cnt, time.time() - start_time))
def is_string(ea):
string_type = idc.get_str_type(idaapi.get_item_head(ea))
if string_type in (None, -1):
return False
return True
def __can_be_part_of_assert(cfunc, ctree_item):
# type: (idaapi.cfunc_t, idaapi.ctree_item_t) -> bool
"""
Returns true if expression we clicked is an argument passed to a function
and this argument is a string that can be a valid function name
"""
if ctree_item.citype != idaapi.VDI_EXPR:
return False
expression = ctree_item.it.to_specific_type
if expression.op != idaapi.cot_obj:
return False
parent = cfunc.body.find_parent_of(expression).to_specific_type
if parent.op != idaapi.cot_call or parent.x.op != idaapi.cot_obj:
return False
obj_ea = expression.obj_ea
if not helper.is_code_ea(obj_ea) and idc.get_str_type(
obj_ea) == idc.STRTYPE_C:
str_potential_name = idc.get_strlit_contents(obj_ea)
if type(str_potential_name) is not str:
# convert bytes to str (python 3)
str_potential_name = str_potential_name.decode('ascii')
return idaapi.is_valid_typename(str_potential_name)
return False
def base64_decode(std):
addr = idc.BADADDR
ea = idc.get_screen_ea()
flags = idaapi.get_flags(ea)
if idc.is_strlit(flags):
addr = ea # cursor is on the string
elif idc.is_code(flags):
addr = idc.get_first_dref_from(ea) # get data reference from the instruction
if addr == idc.BADADDR:
plg_print("No string or reference to the string found\n")
return
b64str_enc = None
try:
b64str_enc = idc.get_strlit_contents(addr, -1, idc.get_str_type(addr))
except:
pass
if not b64str_enc:
plg_print("Could not get string at address 0x%X" % addr)
return
try:
b64str_dec = base64.standard_b64decode(b64str_enc) if std else base64.urlsafe_b64decode(b64str_enc)
except Exception as e:
plg_print("Could not decode. %s" % str(e))
return
if b64str_dec:
plg_print("Base64 decode of string '%s':" % b64str_enc)
process_data_result(ea, bytearray(b64str_dec))
def get_string(ea):
"""
Returns a string from the given location.
:param ea: starting address of string
:return: A string
"""
stype = idc.get_str_type(ea)
return idc.get_strlit_contents(ea, strtype=stype)
def get_strings(start_addr, end_addr):
strings = []
for h in idautils.Heads(start_addr, end_addr):
refs = idautils.DataRefsFrom(h)
for ref in refs:
t = idc.get_str_type(ref)
if isinstance(t, int) and t >= 0:
s = idc.get_strlit_contents(ref)
if s and isprintable(s):
strings.append([h, s, t, ref])
return strings
def __init__(self, xref, addr):
type_ = idc.get_str_type(addr)
if type_ < 0 or type_ >= len(String.ASCSTR):
raise StringParsingException()
string = str(ida_bytes.get_strlit_contents(addr, 0xffff, type_))
self.xref = xref
self.addr = addr
self.type = type_
self.string = string
def getMatches(self, addr):
results = []
try:
string = idc.GetString(addr)
if string is not None and len(string) > 3 and idc.get_str_type(
addr) is not None:
results.append(string)
except Exception as e:
if pdbg: traceback.print_exc()
return results
def stringAt(self, ea):
"""Return the string that was found on the given address, regardless of it's type.
Args:
ea (int): effective address of the wanted string
Return Value:
A python string that contains the found string (or None on error)
"""
str_type = idc.get_str_type(ea)
if str_type is None:
return None
return idc.get_strlit_contents(ea, -1, str_type).decode("utf-8")
def get_string(ea):
"""Read the string at the given ea.
This function uses IDA's string APIs and does not implement any special logic.
"""
# We get the item-head because the `GetStringType` function only works on the head of an item.
string_type = idc.get_str_type(idaapi.get_item_head(ea))
if string_type is None:
raise exceptions.SarkNoString("No string at 0x{:08X}".format(ea))
string = idc.get_strlit_contents(ea, strtype=string_type)
if not string:
raise exceptions.SarkNoString("No string at 0x{:08X}".format(ea))
return string
def analyze_ida_str():
global all_str
if "all_str" not in globals():
all_str = idautils.Strings()
str_cnt = 0
start_time = time.time()
for s in all_str:
# check if there exists already assigned function or string
if any(
ida_funcs.get_fchunk(ea) or (idc.get_str_type(ea) is not None)
for ea in (s.ea, s.ea + s.length)):
continue
if check_string(30) and create_string(s.ea):
str_cnt += 1
if str_cnt % 1000 == 0:
print("%x: %d strings has been found. (%0.3f secs)" %
(s.ea, str_cnt, time.time() - start_time))
print("Created %d strings. (%0.3f secs)" %
(str_cnt, time.time() - start_time))
def is_assigned(ea):
func_end = idc.get_func_attr(ea, idc.FUNCATTR_END)
# check if function is already assigned
if func_end != idc.BADADDR:
# sometimes, ida returns wrong addr
if func_end > ea:
ea = func_end
else:
ea = next_addr_aligned(ea, 4)
return True, ea
# check if string is already assigned
if idc.get_str_type(ea) is not None:
item_end = idc.get_item_end(ea)
# sometimes, ida returns wrong addr
if item_end > ea:
ea = item_end
else:
ea = next_addr_aligned(ea, 4)
return True, ea
return False, ea
def get_string_type(self, addr):
try:
type_s = idc.get_str_type(addr)
return str(ida_bytes.get_strlit_contents(addr, -1, type_s))
except TypeError:
raise StringException()