Exemplo n.º 1
def create_word_and_name(offset, name):
    """
    Define a 2-byte word at an offset and give that address a label.

    :param offset: Address of the word in the database
    :param name: Label to assign to that address
    """
    word_size = 2
    idaapi.create_word(offset, word_size)

    # SN_NOWARN suppresses the failure warning and SN_NOLIST keeps the label
    # out of the names list. SN_NOCHECK changes how IDA treats characters it
    # considers invalid in a name (see the SDK's name.hpp for the exact rule),
    # so pass names the caller controls.
    quiet_flags = idaapi.SN_NOWARN | idaapi.SN_NOLIST | idaapi.SN_NOCHECK
    idaapi.set_name(offset, name, quiet_flags)
Exemplo n.º 2
 def make_word(self, offset):
     """Define a 2-byte word at ``offset`` in the IDB.

     The result of idaapi.create_word is stored on ``self.ret`` and that
     stored value is returned.
     """
     word_size = 2
     self.ret = idaapi.create_word(offset, word_size)
     return self.ret
Exemplo n.º 3
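def load_file(li, neflags, format):
    """
    Load a Hidden Bee module into the IDA database.

    Maps the file into one code segment, labels the header fields, registers
    the entry point, resolves the hashed imports and applies the relocations.
    Every header value (sizes, table offsets, entry point) is read from the
    input file and is therefore untrusted; table offsets are compared with
    the module size before they are used as database addresses.

    :param li: Loader input object for the file (seek/read/getz/file2base are used)
    :param neflags: Loader flags; only idaapi.NEF_RELOAD is examined
    :param format: Format name handed over by IDA (not used in this function)
    :return: 1 on every path, including when import or relocation parsing
             is abandoned part-way
    """
    # Not clear why this is necessary given the return value from accept_file,
    # but IDA will quit if you don't include this.
    idaapi.set_processor_type("metapc", idaapi.SETPROC_LOADER)

    # This boolean will be set if IDA is "reloading" the file as opposed to
    # loading it for the first time, i.e., File->Load File->Reload Input File.
    # We just ignore requests to reload.
    bReload = (neflags & idaapi.NEF_RELOAD) != 0
    if bReload:
        return 1

    # Parse the header again
    li.seek(0)
    rawData = li.read(HBHEADER_SIZE)
    head = HBHeader._make(struct.unpack(HBHEADER_FMT, rawData))

    # Add a code segment covering [0, mod_size)
    seg = idaapi.segment_t()
    seg.start_ea = 0
    seg.end_ea = head.mod_size
    seg.bitness = 1
    idaapi.add_segm_ex(seg, HBSEGNAME, "CODE", 0)

    # Read the contents of the file into the code segment we just created
    li.seek(0)
    li.file2base(0, 0, head.mod_size, False)

    # Create data items for the header fields and give them names.
    # Each entry is (offset, item size in bytes, label).
    header_fields = (
        (0x00, 4, "HBHDR_Magic"),
        (0x04, 2, "HBHDR_DllList"),
        (0x06, 2, "HBHDR_IAT"),
        (0x08, 4, "HBHDR_EntryPoint"),
        (0x0C, 4, "HBHDR_ModuleSize"),
        (0x10, 4, "HBHDR_RelocationsSize"),
        (0x14, 4, "HBHDR_Relocations"),
    )
    name_flags = idaapi.SN_NOWARN | idaapi.SN_NOLIST | idaapi.SN_NOCHECK
    for field_ea, field_size, field_name in header_fields:
        if field_size == 2:
            idaapi.create_word(field_ea, 2)
        else:
            idaapi.create_dword(field_ea, 4)
        idaapi.set_name(field_ea, field_name, name_flags)

    # Add the module's entrypoint as an entrypoint in IDA
    idaapi.add_entry(head.ep, head.ep, "start", 1)

    # Load a type library so that the imports will show proper names and types.
    # I'm not sure why idaapi.load_til doesn't do what I want, but it doesn't.
    idc.LoadTil("mssdk_win7")

    # Parse the import table in a loop.
    dllEntryPos = head.dll_list
    iatCurr = head.iat
    dllNumFuncsOpt = wordAt(li, dllEntryPos)

    # For each DLL entry, where the DLL entry list is terminated by an entry
    # specifying zero imports...
    while dllNumFuncsOpt[0] and dllNumFuncsOpt[1] != 0:
        # Bound the slots of *this* DLL from the running cursor. Measuring
        # from head.iat would only ever validate the first DLL's entries and
        # let later ones run past the end of the module.
        if iatCurr + dllNumFuncsOpt[1] * 4 > head.mod_size:
            # One conversion per argument: a mismatch here raises TypeError
            # and aborts the whole load instead of reporting the bad entry.
            idaapi.msg(
                "[E] Hidden Bee Loader: %d IAT entries at %#x extend outside of module boundary %#x. Aborting import parsing.\n"
                % (dllNumFuncsOpt[1], iatCurr, head.mod_size))
            break

        # Get the DLL name
        # NOTE(review): the name is taken verbatim from the file; confirm that
        # do_dll_imports copes with arbitrary bytes before using it in labels.
        dllName = li.getz(idaapi.MAXSTR, dllEntryPos + 2)

        # Get the specified number of DWORD hashes
        hashes = dwordsAt(li, iatCurr, dllNumFuncsOpt[1])
        if hashes is None:
            idaapi.msg(
                "[E] Hidden Bee Loader: could not read %d API hashes beginning at %#x. Aborting import parsing.\n"
                % (dllNumFuncsOpt[1], iatCurr))
            break

        # Look up the hashes, rename their addresses after the corresponding API
        do_dll_imports(dllName, iatCurr, hashes)

        # Move on to next DLL: 2-byte count, the name, and its terminator
        iatCurr += 4 * dllNumFuncsOpt[1]
        dllEntryPos += 2 + len(dllName) + 1
        dllNumFuncsOpt = wordAt(li, dllEntryPos)

    # Check that the last DLL entry read correctly
    if not dllNumFuncsOpt[0]:
        idaapi.msg(
            "[E] Hidden Bee Loader: could not read IAT DLL entry at %#x. Aborting import parsing.\n"
            % dllEntryPos)

    # Read the relocations. Floor division keeps the entry count an integer
    # under both Python 2 and Python 3.
    relocs = dwordsAt(li, head.relocs, head.relocs_size // 4)
    if not relocs:
        idaapi.msg(
            "[E] Hidden Bee Loader: could not read relocation data. Aborting relocation parsing.\n"
        )
        return 1

    idaapi.msg("[I] Processing relocations\n")
    for reloc in relocs:
        # The segment ends at mod_size (exclusive), so an offset equal to
        # mod_size is already outside the module.
        # NOTE(review): if do_reloc patches a 4-byte value, the last valid
        # offset is mod_size - 4 -- confirm against do_reloc.
        if reloc >= head.mod_size:
            idaapi.msg(
                "[E] Hidden Bee Loader: relocation entry %#x outside of module boundary %#x, skipping.\n"
                % (reloc, head.mod_size))
        else:
            do_reloc(reloc, 0)

    # Store a copy of the relocation data in a global netnode in case the user
    # messes with it in the database. Needed so we can relocate the database if
    # the user requests it.
    gNode = idaapi.netnode()
    gNode.create(NETNODE_NAME)
    gNode.setblob(idaapi.get_bytes(head.relocs, head.relocs_size), 0, 'D')

    return 1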
Exemplo n.º 4
 def add_port_2(ea, name):
     """Label ``ea`` with ``name``, then define a 2-byte word there.

     :param ea: Address to label and retype
     :param name: Name passed to idaapi.set_name with its default flags
     """
     port_width = 2
     idaapi.set_name(ea, name)
     idaapi.create_word(ea, port_width)
Exemplo n.º 5
def name_word(ea, name):
    """Label ``ea``, define a 2-byte word there and apply an offset to it.

    :param ea: Address to label and retype
    :param name: Name passed to idaapi.set_name with its default flags
    """
    word_size = 2
    idaapi.set_name(ea, name)
    idaapi.create_word(ea, word_size)
    # Operand index 0 with base 0 -- presumably turns the word into an
    # offset from address 0; confirm against the IDA SDK.
    operand_index, offset_base = 0, 0
    idaapi.set_offset(ea, operand_index, offset_base)