def getAllStrings(self):
strings = idautils.Strings(default_setup=False)
strings.setup(strtypes=Strings.STR_C | Strings.STR_UNICODE,
ignore_instructions=True,
display_only_existing_strings=True,
minlen=1)
for string in strings:
self.allStrings[string.ea] = str(string)
def get_all_strings():
"""
Get a list of strings stored in that segment
"""
list_of_strings = idautils.Strings()
for string in list_of_strings:
if not str(string).endswith("\n"):
f.write(str(string) + '\n')
else:
f.write(str(string))
def make_strings_const():
s = idautils.Strings(False)
s.setup(strtypes=idautils.Strings.STR_UNICODE | idautils.Strings.STR_C)
for v in s:
gt = idc.GetType(v.ea)
if not gt:
gt = idc.GuessType(v.ea)
if gt and not gt.startswith("const "):
idc.SetType(v.ea, "const " + gt)
def refresh_strings():
# pylint: disable=global-statement
global strings
strings = {}
for i in idautils.Strings():
s = str(i)
if s not in strings:
strings[s] = [i]
else:
strings[s].append(i)
def getAllStrings(self):
strings = idautils.Strings(default_setup = False)
strings.setup(strtypes=Strings.STR_C | Strings.STR_UNICODE, ignore_instructions = True, display_only_existing_strings = True,minlen=4)
for string in strings:
self.allStrings.append(str(string))
output = {"Strings": self.allStrings}
output["FileName"] = self.fileName
output["FileMD5"] = self.fileMD5
output["Author Name"] = self.authorName
return output
def is_packed_upx():
strings = idautils.Strings()
count = 0
for s in strings:
if "upx.sf.net" in str(s):
return True
if count >= 2:
break
count += 1
return False
def stringsInner(self):
"""Create a collection / generator of all of the strings in the program (will be called only once).
Note:
A string object should have the following methods:
str(str_obj) := string content
str_obj.ea := definition address (ea) of the string
Return Value:
sorted (by address) collection of all of the used strings in the program (as string objects)
"""
return idautils.Strings()
def xrefs(self):
# Identify functions that reference the WPS checksum functions and resolve their string xrefs.
# Returns a dictionary of function EAs and a list of their string xrefs.
self._generate_checksum_xrefs_table()
for string in idautils.Strings():
for xref in idautils.XrefsTo(string.ea):
func = idaapi.get_func(xref.frm)
if func and self.funcs.has_key(func.startEA):
self.funcs[func.startEA].add(str(string))
return self.funcs
def get_strings():
tags = []
export_tag = {}
strings_ida = idautils.Strings(False)
strings_ida.setup(strtypes=[idc.STRTYPE_C, idc.STRTYPE_C_16])
for string in strings_ida:
export_tag = {
'offset': (string.ea - idaapi.get_imagebase()),
'tag': 'String',
'feeder': 'TagString'
}
tags.append(export_tag)
export_tags(tags)
def update(self, **kwargs):
oids = Oids()
sc = idautils.Strings()
r = re.compile(r"^[012]\.\d+(\.\d+)+$")
for s in sc:
if r.match(str(s)):
val = oids.getOid(str(s), False)
if val != str(s):
val = val.replace('/', '').replace(' ', '_').replace(
'-', '_').replace('.', '_')
nm = 'oid_' + val.encode('ascii')
if not idc.Name(s.ea).startswith(nm):
idc.MakeName(s.ea, nm)
oids.save()
def _build_string_xrefs(self):
for string in idautils.Strings():
key_string = str(string)
for xref in idautils.XrefsTo(string.ea):
func = idaapi.get_func(xref.frm)
if func:
start_ea = ida_shims.start_ea(func)
if not self.functions.has_key(start_ea):
self.functions[start_ea] = list()
xref = IDAProfilerXref(ea=string.ea, string=key_string,
xref=xref.frm, type=str)
self.functions[start_ea].append(xref)
def get_strings():
for strinfo in idautils.Strings():
strcont = GetString(strinfo.ea, strinfo.length, strinfo.strtype)
straddr = hex(strinfo.ea)
straddr = straddr[:-1]
print('%s:\t%s' % (straddr, strcont))
#sc = idaapi.string_info_t()
#count = idaapi.get_strlist_qty()
#for i in range(count):
#idaapi.get_strlist_item(i,sc)
#print(idaapi.get_ascii_contents(sc.ea,sc.length,sc.type))
return
def get_strings(self):
"""
Get all strings from the binary
>>> saram.get_strings().send()
"""
self._comment = inspect.stack()[0][3]
strings = '\n'.join([
'{offset} {value}'.format(offset=hex(x.ea), value=x)
for x in idautils.Strings()
])
self.command = 'Strings from binary'
self.output = strings
print(self.output)
return self
def _find_format_string_functions(self):
processed_func_eas = set()
for string in idautils.Strings():
if '%' in str(string):
for xref in idautils.XrefsTo(string.ea):
(func_ea, argn, regname) = self.argp.trace(xref.frm)
if func_ea is not None and \
func_ea not in processed_func_eas:
self.functions.append(
Function(start=func_ea, argc=argn, fmtarg=argn))
processed_func_eas.add(func_ea)
# Sort format string functions by xref count, largest first
self.functions.sort(key=lambda f: f.xrefs, reverse=True)
def __init__(self, sigfile=None):
if sigfile:
self.sigfile = sigfile
else:
self.sigfile = self.DEFAULT_SIGNATURE_FILE
# Useful for quickly identifying string xrefs from individual instructions
self.strings = {}
for string in idautils.Strings():
self.strings[string.ea] = RizzoStringDescriptor(string)
start = time.time()
self.signatures = self.generate()
end = time.time()
print("Generated %d formal signatures and %d fuzzy signatures for %d functions in %.2f seconds." % (len(self.signatures.formal), len(self.signatures.fuzzy), len(self.signatures.functions), (end-start)))
def stringify(self):
n = 0
ea = self.get_start_ea(self.DATA)
if ea == idc.BADADDR:
ea = ida_shims.get_first_seg()
print "Looking for possible strings starting at: 0x%X..." % ea,
for s in idautils.Strings():
if s.ea > ea:
if not ida_shims.is_strlit(ida_shims.get_full_flags(s.ea)) \
and ida_shims.create_strlit(s.ea, 0):
n += 1
print "created %d new ASCII strings" % n
def stringify(self):
n = 0
ea = self.get_start_ea(self.DATA)
if ea == idc.BADADDR:
ea = idc.FirstSeg()
print("Looking for possible strings starting at: %s:0x%X..." %
(idc.SegName(ea), ea)),
for s in idautils.Strings():
if s.ea > ea:
if not idc.isASCII(idc.GetFlags(s.ea)) and idc.MakeStr(
s.ea, idc.BADADDR):
n += 1
print "created %d new ASCII strings" % n
def go_version(self):
sc = idautils.Strings()
tmp = ""
version = "go1."
idx = -1
for s in sc:
idx = str(s).find("go1.")
if (idx+1):
tmp = str(s)
break
take = 5 if len(tmp) > 5 else len(tmp)-4
for i in range(take): # 5 bcoz, max version could be go1.XX.XX (enumerate XX.XX)
if tmp[idx+4+i] in ".0123456789":
version += tmp[idx+4+i]
else:
break
return version
def _build_string_xrefs(self):
#print "Building string profiles..."
#orig_functions_len = len(self.functions)
for string in idautils.Strings():
keystr = str(string)
for xref in idautils.XrefsTo(string.ea):
func = idaapi.get_func(xref.frm)
if func:
if not self.functions.has_key(func.startEA):
self.functions[func.startEA] = list()
self.functions[func.startEA].append(
IDAProfilerXref(ea=string.ea,
string=keystr,
xref=xref.frm,
type=str))
def get_func_str_hack(ea):
"""
get all referenced strings within a function, actually works
:param ea: offset within a function
:return: return list of strings referenced in function
"""
offsets = []
status, ea_st = get_func_addr(ea)
if status:
status, ea_end = get_func_addr_end(ea)
if status:
for _str in idautils.Strings():
s_ea = _str.ea
xref = idautils.XrefsTo(s_ea)
for x in xref:
temp_addr = x.frm
if ea_st <= temp_addr <= ea_end:
offsets.append((temp_addr, _str))
return offsets
def main():
s = idautils.Strings(False)
s.setup(strtypes=Strings.STR_UNICODE | Strings.STR_C)
hex_str_addr_list = []
for i, v in enumerate(s):
if v is None:
print("Failed to retrieve string index %d" % i)
else:
if (v.length + 1) % 2 != 0:
continue
# print("%x: len=%d type=%d index=%d-> '%s'" % (v.ea, v.length, v.type, i, str(v)))
str_value = str(v)
try:
str_value = str_value.decode("hex")
hex_str_addr_list.append(v.ea)
except Exception, e:
pass
def auto_string_naming(self):
idaStrings = idautils.Strings()
for cstring in idaStrings:
stringValue = idc.GetString(cstring.ea, cstring.length,
cstring.type)
currentName = idc.GetTrueName(cstring.ea)
if len(stringValue) > 6:
objFileValues = re.findall(r"[a-zA-Z]+(?=\.obj)", currentName)
objFile = ""
idc.MakeComm(cstring.ea, currentName)
if len(objFileValues) > 0:
objFile = objFileValues[0].upper()
newName = stringValue.title()
for repl in [x for x in string.punctuation]:
newName = newName.replace(repl, "")
newName = newName.replace(" ", "")
newName = "s{objFile}{currentName}".format(objFile=objFile,
currentName=newName)
idc.MakeNameEx(cstring.ea, newName, idc.SN_AUTO)
def export_func_names(fname):
s = idautils.Strings(False)
s.setup(strtypes=idautils.Strings.STR_UNICODE | idautils.Strings.STR_C)
jsontable = []
for v in s:
if v is None:
print("Failed to retrieve string index")
else:
xrefs = [x.frm for x in idautils.XrefsTo(v.ea)]
ret = [idaapi.get_func(x) for x in xrefs if idaapi.get_func(x)]
names = []
funcs = []
for func in ret:
if idc.GetFunctionName(func.startEA) not in names:
names.append(idc.GetFunctionName(func.startEA))
funcs.append(func)
if (len(funcs) != 1):
continue
func = funcs[0]
if idc.GetFunctionName(func.startEA).startswith("sub_"):
continue
print("%x: len=%d type=%d -> '%s'" %
(v.ea, v.length, v.type, unicode(v)))
d = {}
d['string'] = unicode(v)
d['str_type'] = v.type
d['func_name'] = idc.GetFunctionName(func.startEA)
d['func_demangled'] = demangle(d['func_name'])
d['func_c_decl'] = idc.GetType(func.startEA)
d['func_comment'] = idaapi.get_func_cmt(func, 1)
jsontable.append(d)
f = open(fname, 'w')
json.dump(jsontable, f, indent=4)
f.close()
def main():
root = {}
for s in idautils.Strings():
root[str(s)] = {}
for xref in idautils.XrefsTo(s.ea):
funcname = ida_funcs.get_func_name(xref.frm)
if (funcname is None):
continue
demangled = idc.demangle_name(funcname,
idc.get_inf_attr(idc.INF_SHORT_DN))
if demangled is None:
demangled = funcname
root[str(s)][demangled] = funcname
with open("data.json", "w") as f:
print("Dumping {} strings to data.json".format(len(root.items())))
json.dump(root, f, ensure_ascii=False, indent=4, separators=(",", ":"))
def FindStringEA(self):
searchstr = str("mkbundle: Error %d decompressing data for %s\n")
searchstr2 = str("Error %d decompresing data for %s\n")
#Do not use default set up, we'll call setup().
s = idautils.Strings(default_setup = False)
# we want C & Unicode strings, and *only* existing strings.
s.setup(strtypes=Strings.STR_C | Strings.STR_UNICODE, ignore_instructions = True, display_only_existing_strings = True)
#loop through strings
for i, v in enumerate(s):
if not v:
#print("Failed to retrieve string at index {}".format(i))
return -1
else:
#print("[{}] ea: {:#x} ; length: {}; type: {}; '{}'".format(i, v.ea,
#v.length, string_type_map.get(v.type, None), str(v)))
if str(v) == searchstr or str(v) == searchstr2:
return v.ea
return -1
def get_sources():
tags = []
export_tag = {}
string_refs = {}
strings_ida = idautils.Strings(False)
strings_ida.setup(strtypes=[idc.STRTYPE_C, idc.STRTYPE_C_16])
r = re.compile(r".*\.(c|cpp|h|hpp)")
for string in strings_ida:
string_refs[string.__str__()] = string.ea
strings = string_refs.keys()
matched = filter(r.match, strings)
for string in matched:
export_tag = {
'offset': (string_refs[string] - idaapi.get_imagebase()),
'tag': 'Source',
'feeder': 'TagSource'
}
tags.append(export_tag)
export_tags(tags)
def observerGlobalStrings(self, sds):
"""Observe and (hopefully) detect a pattern in all of the global strings.
Args:
sds (list): List of (sark) Data segments.
"""
pattern = AlignmentPattern()
for sd in sds:
self._analzyer.logger.debug("Data Segment: 0x%x - 0x%x", sd.startEA, sd.endEA)
# collect the data from all of the global strings
for cur_string in idautils.Strings():
string_ea = cur_string.ea
for sd in sds:
if sd.startEA <= string_ea and string_ea < sd.endEA:
if self.isGlobalAsciiString(string_ea):
pattern.add(string_ea, len(self.getAsciiString(string_ea)))
break
# find the pattern
result = pattern.decide()
# set out features accordingly
if result is not None:
self.setGlobalAlignment(result[0], result[1])
def main():
action = get_action()
if action == Mode_Invalid:
return
file = get_file(action)
if file is None:
ida_kernwin.warning("Invalid file specified!")
return
# strings = get_strs()
strings = list(idautils.Strings())
if action == Mode_Read:
read_strs(strings, file)
print("Done!")
else:
c1, c2, c3 = write_symbols(strings, file)
print("Successfully typed {} functions".format(len(FOUND_FUNCS)))
print("\t- {} Exact\n\t- {} Symboled in stripped\n\t- {} Stripped in symboled".format(c1, c2, c3))
ida_kernwin.hide_wait_box()
file.close()
def get_strings(min_len=5,
display_only_existing_strings=False,
debug=False):
strs = idautils.Strings()
#Do we export the other Strings.setup parameters ?
strs.setup(0xffffffff,
minlen=min_len,
display_only_existing_strings=display_only_existing_strings)
res = []
fails = []
for s in strs:
try:
res.append(data.ASCIIData(s.ea, True))
except ValueError as e:
if (s.ea < res[-1].addr + len(data.ASCIIData(res[-1].addr))):
print("Pass substring")
continue
print("String list error : {0}".format(e))
fails.append(s.ea)
raise
if debug:
return res, fails
return res #auto str construction ?
def has_string_entry(addr):
'''
Check whether the provided address is being tracked by IDA as a string. In
order to attempt to speed up subsequent lookups, string addresses will be
cached into a dictionary on first use.
Data returned will be a dictionary of strings, keyed by the address of the
string with the length as the value.
Args:
addr (int): The address to check.
Returns:
A dictionary of string lengths keyed by their address.
'''
if len(string_addrs) == 0:
for s in idautils.Strings():
string_addrs[s.ea] = s.length
try:
return string_addrs[addr]
except KeyError:
return None
