def __get_relative_node(self, src_node, key_name):
src_node_addr = src_node.get_addr()
next_node_addr = ida_xref.get_first_cref_to(src_node_addr)
print('[Debug]next_addr 0x%x' % next_node_addr)
if next_node_addr == idaapi.BADADDR:
return
if next_node_addr != idc.PrevHead(src_node_addr):
new_tree_node = TreeNode(ida_funcs.get_func_name(next_node_addr),
next_node_addr)
new_tree_node.add_parent(src_node)
src_node.add_child(new_tree_node)
print('[*]Add node %s 0x%x' %
(new_tree_node.get_name(), new_tree_node.get_addr()))
self.__get_relative_node(new_tree_node, key_name)
next_node_addr = ida_xref.get_next_cref_to(src_node_addr,
next_node_addr)
print('[Debug]next_addr 0x%x' % next_node_addr)
while next_node_addr != idaapi.BADADDR:
if next_node_addr == idc.PrevHead(src_node_addr):
continue
new_tree_node = TreeNode(ida_funcs.get_func_name(next_node_addr),
next_node_addr)
new_tree_node.add_parent(src_node)
src_node.add_child(new_tree_node)
print('[*]Add node %s 0x%x' %
(new_tree_node.get_name(), new_tree_node.get_addr()))
self.__get_relative_node(new_tree_node, key_name)
next_node_addr = ida_xref.get_next_cref_to(src_node_addr,
next_node_addr)
print('[Debug]next_addr 0x%x' % next_node_addr)
return
def propagate_function_type(ea: int, func_type: FUNCTION_TYPE):
print(f"propagate func {hex(ea)}, type {func_type}")
if visited.get(ea) is not None:
return
if func_type == FUNCTION_TYPE.NULLSUB:
ida_name.set_name(ea, f"nullsub_{hex(ea)[2:]}")
elif func_type == FUNCTION_TYPE.IDENTITY:
ida_name.set_name(ea, f"identity_{hex(ea)[2:]}")
elif func_type == FUNCTION_TYPE.GETVALUE:
ida_name.set_name(ea, f"getvalue_{hex(ea)[2:]}")
visited[ea] = True
cref = ida_xref.get_first_cref_to(ea)
while cref != idaapi.BADADDR:
cref_func = ida_funcs.get_func(cref)
#function is not defined or function has been visited
if cref_func is None or visited.get(cref_func.start_ea) is not None:
cref = ida_xref.get_next_cref_to(ea, cref)
continue
cref_func_type = infer_function_type(cref_func.start_ea, func_type)
if cref_func_type == FUNCTION_TYPE.OTHER:
cref = ida_xref.get_next_cref_to(ea, cref)
visited[cref_func.start_ea] = True
continue
propagate_function_type(cref_func.start_ea, cref_func_type)
cref = ida_xref.get_next_cref_to(ea, cref)
def find_mnem(target_ea, target_mnem, backward=False, threshold=0x100):
assert target_ea is not None
ea = target_ea
addr = None
visited = set()
while True:
mnem = ida_ua.ua_mnem(ea)
if not ida_ua.can_decode(ea) or not mnem:
break
if mnem == target_mnem:
addr = ea
break
visited.add(ea)
if backward:
next_ea = ida_xref.get_first_cref_to(ea)
if next_ea < target_ea - 0x100:
break
while next_ea != idc.BADADDR and next_ea in visited:
next_ea = ida_xref.get_next_cref_to(ea, next_ea)
else:
next_ea = ida_xref.get_first_cref_from(ea)
if next_ea > target_ea + 0x100:
break
while next_ea != idc.BADADDR and next_ea in visited:
next_ea = ida_xref.get_next_cref_from(ea, next_ea)
ea = next_ea
return addr
def main():
# Get current ea
ea = ida_kernwin.get_screen_ea()
# Get segment class
seg = ida_segment.getseg(ea)
# Loop from segment start to end
func_ea = seg.start_ea
# Get a function at the start of the segment (if any)
func = ida_funcs.get_func(func_ea)
if func is None:
# No function there, try to get the next one
func = ida_funcs.get_next_func(func_ea)
seg_end = seg.end_ea
while func is not None and func.start_ea < seg_end:
funcea = func.start_ea
print("Function %s at 0x%x" %
(ida_funcs.get_func_name(funcea), funcea))
ref = ida_xref.get_first_cref_to(funcea)
while ref != ida_idaapi.BADADDR:
print(" called from %s(0x%x)" %
(ida_funcs.get_func_name(ref), ref))
ref = ida_xref.get_next_cref_to(funcea, ref)
func = ida_funcs.get_next_func(funcea)
def handle_dll_calls(self):
dll_call_count = ida_bytes.get_dword(self.E_info_entry_ea +
self.dll_call_count_offset)
dll_call_lib_names_ea = ida_bytes.get_dword(
self.E_info_entry_ea + self.dll_call_lib_names_offset)
dll_call_func_names_ea = ida_bytes.get_dword(
self.E_info_entry_ea + self.dll_call_func_names_offset)
self.dll_calls = Dll_calls(dll_call_lib_names_ea,
dll_call_func_names_ea, dll_call_count)
ida_auto.auto_wait()
ea = ida_name.get_name_ea(idaapi.BADADDR, "j__krnl_MCallDllCmd")
code_fref_eas = []
fref_ea = ida_xref.get_first_fcref_to(ea)
while fref_ea != idaapi.BADADDR:
code_fref_eas.append(fref_ea)
fref_ea = ida_xref.get_next_cref_to(ea, fref_ea)
for ref_ea in code_fref_eas:
#get prev mov instruction
prev_ins_ea = idaapi.get_item_head(ref_ea - 1)
ins = ida_lines.generate_disasm_line(prev_ins_ea,
ida_lines.GENDSM_REMOVE_TAGS)
if (ins.startswith("mov eax,")):
index = ida_bytes.get_dword(prev_ins_ea + 1)
cmt = self.dll_calls[index]
ida_bytes.set_cmt(ref_ea, cmt, False)
def get_all_ref(self, addr):
"""
获取所有引用到addr的地址
"""
xref_t = []
addr_t = ida_xref.get_first_cref_to(addr)
while addr_t != ida_idaapi.BADADDR:
xref_t.append(addr_t)
addr_t = ida_xref.get_next_cref_to(addr, addr_t)
return xref_t
def proceed_backward(self, ea, reg_name, end_ea, end_cnt, offset=None):
# initialize prev code points
values = set()
xref = ida_xref.get_first_cref_to(ea)
while xref and xref != idc.BADADDR:
tmp_values = self.find_reg_value_helper(xref, reg_name, end_ea,
end_cnt, offset)
if tmp_values:
tmp_values = list(map(lambda x: x & 0xFFFFFFFF, tmp_values))
values.update(tmp_values)
xref = ida_xref.get_next_cref_to(ea, xref)
self.values[(ea, reg_name)] = values
return values
procs = {
0x18: "Create",
0x1C: "Destroy",
0x20: "Icon",
0x24: "Paint",
0x28: "Size",
0x2C: "Input",
0x30: "Focus",
0x34: "Scroll",
0x38: "Data",
0x3C: "Help"
}
if res[0] == 1:
regfunc = res[1]
regcall = ida_xref.get_first_cref_to(regfunc)
while regcall != ida_idaapi.BADADDR:
insn = ida_ua.insn_t()
ida_ua.decode_insn(insn, regcall)
for i in range(20):
if insn.get_canon_mnem() == 'mov' and insn.Op1.type == 4:
if insn.Op1.addr in procs:
ida_offset.op_plain_offset(insn.ea, 1, code_ea)
target = code_ea + insn.Op2.value
ida_funcs.add_func(target, ida_idaapi.BADADDR)
ida_name.set_name(
target, procs[insn.Op1.addr] + "_" + hex(regcall)[2:])
ida_ua.decode_prev_insn(insn, insn.ea)
regcall = ida_xref.get_next_cref_to(regfunc, regcall)
def get_code_xrefs(ea):
xref = ida_xref.get_first_cref_to(ea)
while xref != BADADDR:
yield xref
xref = ida_xref.get_next_cref_to(ea, xref)
