def __init__(self): idc.Til2Idb(-1, "EFI_GUID") idc.Til2Idb(-1, "EFI_SYSTEM_TABLE") idc.Til2Idb(-1, "EFI_RUNTIME_SERVICES") idc.Til2Idb(-1, "EFI_BOOT_SERVICES") self.gBServices = {} self.gBServices["InstallProtocolInterface"] = [] self.gBServices["ReinstallProtocolInterface"] = [] self.gBServices["UninstallProtocolInterface"] = [] self.gBServices["HandleProtocol"] = [] self.gBServices["RegisterProtocolNotify"] = [] self.gBServices["OpenProtocol"] = [] self.gBServices["CloseProtocol"] = [] self.gBServices["OpenProtocolInformation"] = [] self.gBServices["ProtocolsPerHandle"] = [] self.gBServices["LocateHandleBuffer"] = [] self.gBServices["LocateProtocol"] = [] self.gBServices["InstallMultipleProtocolInterfaces"] = [] self.gBServices["UninstallMultipleProtocolInterfaces"] = [] self.Protocols = {} self.Protocols["AmiGuids"] = ami_guids.ami_guids self.Protocols["EdkGuids"] = edk_guids.edk_guids self.Protocols["Edk2Guids"] = edk2_guids.edk2_guids self.Protocols["All"] = [ # { # address: ... # service: ... # guid: ... # }, # ... ] self.Protocols["PropGuids"] = [] self.Protocols["Data"] = []
def __init__(self): header = utils.get_header_idb() if not len(header): header = utils.get_header_file() self.arch = utils.get_machine_type(header) self.subsystem = utils.check_subsystem(header) self.valid = True if not self.subsystem: print("[ERROR] Wrong subsystem") self.valid = False if not (self.arch == "x86" or self.arch == "x64"): print("[ERROR] Wrong architecture") self.valid = False if self.arch == "x86": self.BOOT_SERVICES_OFFSET = BOOT_SERVICES_OFFSET_x86 if self.arch == "x64": self.BOOT_SERVICES_OFFSET = BOOT_SERVICES_OFFSET_x64 self.base = idaapi.get_imagebase() idc.Til2Idb(-1, "EFI_GUID") idc.Til2Idb(-1, "EFI_SYSTEM_TABLE") idc.Til2Idb(-1, "EFI_RUNTIME_SERVICES") idc.Til2Idb(-1, "EFI_BOOT_SERVICES") self.gBServices = {} self.gBServices["InstallProtocolInterface"] = [] self.gBServices["ReinstallProtocolInterface"] = [] self.gBServices["UninstallProtocolInterface"] = [] self.gBServices["HandleProtocol"] = [] self.gBServices["RegisterProtocolNotify"] = [] self.gBServices["OpenProtocol"] = [] self.gBServices["CloseProtocol"] = [] self.gBServices["OpenProtocolInformation"] = [] self.gBServices["ProtocolsPerHandle"] = [] self.gBServices["LocateHandleBuffer"] = [] self.gBServices["LocateProtocol"] = [] self.gBServices["InstallMultipleProtocolInterfaces"] = [] self.gBServices["UninstallMultipleProtocolInterfaces"] = [] self.Protocols = {} self.Protocols["AmiGuids"] = ami_guids.ami_guids self.Protocols["EdkGuids"] = edk_guids.edk_guids self.Protocols["Edk2Guids"] = edk2_guids.edk2_guids self.Protocols["All"] = [ # { # address: ... # service: ... # guid: ... # protocol_name: ... # protocol_place: ... # }, # ... ] self.Protocols["PropGuids"] = [] self.Protocols["Data"] = []
def _find_or_create_struct(): name = "sce_module_info_t" sid = idc.GetStrucIdByName(name) if sid != idc.BADADDR: return sid # already exists sid = idc.AddStrucEx(-1, name, 0) idc.AddStrucMember(sid, "modattribute", -1, idc.FF_WORD, -1, 2) idc.AddStrucMember(sid, "modversion", -1, idc.FF_WORD, -1, 2) idc.AddStrucMember(sid, "modname", -1, idc.FF_ASCI, -1, 27) idc.AddStrucMember(sid, "type", -1, idc.FF_BYTE, -1, 1) idc.AddStrucMember(sid, "gp_value", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "ent_top", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "ent_end", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "stub_top", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "stub_end", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "module_nid", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "field_38", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "field_3C", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "field_40", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "mod_start", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "mod_stop", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "exidx_start", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "exidx_end", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "extab_start", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "extab_end", -1, idc.FF_DWRD, -1, 4) idc.Til2Idb(-1, name) return sid
def _find_or_create_struct(): name = "sce_module_imports_t" sid = idc.GetStrucIdByName(name) if sid != idc.BADADDR: return sid # already exists sid = idc.AddStrucEx(-1, name, 0) idc.AddStrucMember(sid, "size", -1, idc.FF_WORD, -1, 2) idc.AddStrucMember(sid, "version", -1, idc.FF_WORD, -1, 2) idc.AddStrucMember(sid, "flags", -1, idc.FF_WORD, -1, 2) idc.AddStrucMember(sid, "num_functions", -1, idc.FF_WORD, -1, 2) idc.AddStrucMember(sid, "num_vars", -1, idc.FF_WORD, -1, 2) idc.AddStrucMember(sid, "num_tls_vars", -1, idc.FF_WORD, -1, 2) idc.AddStrucMember(sid, "reserved1", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "lib_nid", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "lib_name", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "reserved2", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "func_nid_table", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "func_entry_table", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "var_nid_table", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "var_entry_table", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "tls_nid_table", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "tls_entry_table", -1, idc.FF_DWRD, -1, 4) idc.Til2Idb(-1, name) return sid
def load_kmdf_types_into_idb(): header_path = idautils.GetIdbDir() # change relative path to use more easily idaapi.idc_parse_types("".join([header_path, "../Tools/kmdf_re/code/WDFStructsV2.h"]), idc.PT_FILE) for idx in range(1, idc.GetMaxLocalType()): print(idx, idc.GetLocalTypeName(idx)) idc.Til2Idb(idx, idc.GetLocalTypeName(idx))
def add_enums(function): """ Add standard enums from parsed MSDN documentation for all imported library calls and their arguments. Arguments: function -- function object """ enum_count = 0 for argument in function.arguments: # Add standard enums if not argument.enums: g_logger.debug(' No standard constants available for %s' % argument.name) else: for enum in argument.enums: g_logger.debug(' Importing enum %s for argument %s' % (enum, argument.name)) if idc.Til2Idb(-1, enum) != idaapi.BADADDR: g_logger.debug(' ' + enum + ' ' + hex(idc.GetEnum(enum)) + ' added successfully') enum_count = enum_count + 1 else: g_logger.debug(' Could not add ' + enum) if not argument.constants: # No constants for this argument continue argument.name = argument.name.encode('utf-8') function.name = function.name.encode('utf-8') # Add constant descriptions for constant in argument.constants: constant.name = constant.name.encode('utf-8') if constant.name == 'NULL': # Create unique name, so we can add descriptive comment to it constant.name = 'NULL_{}_{}'.format(argument.name, function.name) # Add custom enum for NULL values if it does not exist yet enumid = idc.GetEnum(NULL_ENUM_NAME) if enumid == idaapi.BADADDR: enumid = idc.AddEnum(-1, NULL_ENUM_NAME, idaapi.hexflag()) idc.AddConstEx(enumid, constant.name, 0, -1) constid = idc.GetConstByName(constant.name) idc.SetConstCmt(constid, format_comment(constant.description), False) else: constid = idc.GetConstByName(constant.name) if constid: if idc.SetConstCmt(constid, format_comment(constant.description), False): g_logger.debug(' Description added for %s' % constant.name) else: g_logger.debug(' No description added for %s' % constant.name) return enum_count
def load_til(path_to_til): if not ida_typeinf.load_til(path_to_til, os.path.dirname(path_to_til)): raise Exception("load_til('%s') has failed" % (path_to_til)) # Fix UINTN to be the actual word size if we can determine it idc.Til2Idb(-1, "UINTN") entry = idc.GetEntryPoint(idc.GetEntryOrdinal(0)) if entry != idc.BADADDR: typedef = "typedef UINT" + str(16 << idc.GetSegmentAttr(entry, idc.SEGATTR_BITNESS)) + " UINTN;" for i in range(0, idc.GetMaxLocalType()): if idc.GetLocalTypeName(i) == "UINTN": idc.SetLocalType(idc.SetLocalType(i, "", 0), typedef, 0)
def subclass(self, sup=None, **kwargs): tp = self.currentType(self.CHECK_VTBL, **kwargs) tp = self.checkVtblStruct(tp) cnm = tp['name'] if not sup: sup = idc.AskStr('', "Subclass " + cnm + " from:") if not sup or sup == cnm: Logger.debug("Subclasssing cancelled") return idc.Til2Idb(-1, sup + 'Vtbl') s = MODS.struct.Struct(sup + 'Vtbl') Logger.debug("Subclassing class %s from %s", str(tp), sup) ea = tp['vtblea'] nm = None funcs = [] while (not nm): ofs = idc.Qword(ea) if not ofs or ofs == idc.BADADDR: break try: func = FuncDescr.fromEA(ofs) except FuncDescr.NotFunctionError as e: func = None if not kwargs.get('force'): raise funcs += [func] ea += 8 nm = idc.Name(ea) flds = s.fields() if len(funcs) != len(flds) and (not kwargs.get('force')): raise self.WrongTypeError("Functions count doesn't match", s.name) for i, fofs in enumerate(sorted(flds.keys())): fld = flds[fofs] f = funcs[i] if f is None: continue refcnt = len(MODS.util.refsFromSeg(f.ea, ".rdata")) if self.untouchedFunc(f.name): nm = cnm if refcnt == 1 else sup was = str(f) f.clearType() f.parseType(fld['type'][0]) f.name = nm + "::" + fld['name'] ni = 1 while idaapi.get_name_ea(idc.BADADDR, f.name) != idc.BADADDR: ni += 1 f.name = nm + "::" + fld['name'] + "_" + str(ni) f.changeParam(0, 'this', nm + '*') f.update(True) Logger.debug("Converted func %s to type %s", was, str(f)) self.update()
def create_vtable_struct(class_name, functions): struct_name = 'vtable_' + class_name sid = idc.GetStrucIdByName(struct_name) if sid != BADADDR: print("vtable already exists for " + class_name) return 0 sid = idc.AddStrucEx(-1, struct_name, 0) idc.Til2Idb(-1, struct_name) offset = 0 for fn in functions: func_name = fn[0] func_name = func_name.replace('~', 'destr_') func_type = fn[1] idc.AddStrucMember(sid, func_name, -1, idc.FF_QWRD, -1, 8) if func_type != '': if func_type.find("__cdecl(") > -1: func_type = func_type.replace("__cdecl", "(__cdecl *%s)" % func_name) elif func_type.find("__stdcall(") > -1: func_type = func_type.replace("__stdcall", "(__stdcall *%s)" % func_name) elif func_type.find("__fastcall(") > -1: func_type = func_type.replace("__fastcall", "(__fastcall *%s)" % func_name) elif func_type.find("__thiscall(") > -1: func_type = func_type.replace("__thiscall", "(__thiscall *%s)" % func_name) elif func_type.find("__usercall(") > -1: func_type = func_type.replace("__usercall", "(__usercall *%s)" % func_name) elif func_type.find("__userpurge(") > -1: func_type = func_type.replace("__userpurge", "(__userpurge *%s)" % func_name) SetType(GetMemberId(sid, offset), func_type) # MakeComm(GetMemberId(sid, offset), func_name) # "__int64 (__fastcall *)(ClassName *this)"); offset += 8 print(fn) return 1
def _find_or_create_struct(): name = "sce_module_exports_t" sid = idc.GetStrucIdByName(name) if sid != idc.BADADDR: return sid # already exists sid = idc.AddStrucEx(-1, name, 0) idc.AddStrucMember(sid, "size", -1, idc.FF_WORD, -1, 2) idc.AddStrucMember(sid, "lib_version", -1, idc.FF_BYTE, -1, 2) idc.AddStrucMember(sid, "attribute", -1, idc.FF_WORD, -1, 2) idc.AddStrucMember(sid, "num_functions", -1, idc.FF_WORD, -1, 2) idc.AddStrucMember(sid, "num_vars", -1, idc.FF_WORD, -1, 2) idc.AddStrucMember(sid, "unk", -1, idc.FF_WORD, -1, 2) idc.AddStrucMember(sid, "num_tls_vars", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "lib_nid", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "lib_name", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "nid_table", -1, idc.FF_DWRD, -1, 4) idc.AddStrucMember(sid, "entry_table", -1, idc.FF_DWRD, -1, 4) idc.Til2Idb(-1, name) return sid
# # ida_kernelcache/segment.py # Brandon Azad # # Functions for interacting with the segments of the kernelcache in IDA. No prior initialization is # necessary. # import idc import ida_utilities as idau import kernel _log = idau.make_log(0, __name__) idc.Til2Idb(-1, 'mach_header_64') idc.Til2Idb(-1, 'load_command') idc.Til2Idb(-1, 'segment_command_64') idc.Til2Idb(-1, 'section_64') _LC_SEGMENT_64 = 0x19 def _macho_segments_and_sections(ea): """A generator to iterate through a Mach-O file's segments and sections. Each iteration yields a tuple: (segname, segstart, segend, [(sectname, sectstart, sectend), ...]) """ hdr = idau.read_struct(ea, 'mach_header_64', asobject=True) nlc = hdr.ncmds
def add_struct_to_idb(name): idc.Til2Idb(-1, name)
def ImportNativeArgumentsToIDA(filepath): global ArgumentsReplacement os.chdir(filepath) for include_name in glob.glob("*.inc"): is_valid = False for i in range(len(SAMPIncludes)): if (include_name == SAMPIncludes[i]): is_valid = True if (is_valid): include_handle = open(include_name, "r") for line in include_handle: if (line.find("native") != -1): # Its a native. native_name = line[:line.find("(")].split(" ")[1] native_name = native_name[ native_name.find(":") + 1:] # Hack to remove stuff like Float: natives.append(native_name) # Define structure # VERY hacky. I'm rusty on python... arguments = line[line.find("("):].replace("(", "").replace( ")", ",)").replace("&", "").replace("[]", "").replace("const", "").split(",") arguments = arguments[:len(arguments) - 1] # Hack to remove ); \n ending. struct_id = idc.GetStrucIdByName("Native" + native_name + "Params") if struct_id == idc.BADADDR: #No point in going through arguments if struct already exists. struct_id = idc.AddStrucEx( -1, "Native" + native_name + "Params", 0) idc.Til2Idb(-1, "Native" + native_name + "Params") idc.AddStrucMember(struct_id, "param_count", -1, idc.FF_DWRD, -1, 4) print("Created IDA Struct Native" + native_name + "Params!") for argument in arguments: if (argument.find(":") != -1): argument = argument[ argument.find(":") + 1:] # Another "hack" to remove stuff such as Float: if (argument.find("=") != -1): argument = argument[:argument.find( "=" )] # Yet again, another "hack" to remove default values in natives. # Add structure arg idc.AddStrucMember(struct_id, argument.replace(" ", ""), -1, idc.FF_DWRD, -1, 4) else: print("Did not create native structure for native " + native_name + " it already exists in your IDB.")
def load_kmdf_types_into_idb(): header_path = idautils.GetIdbDir() idaapi.idc_parse_types("".join([header_path, "WDFStructs.h"]), idc.PT_FILE) for idx in range(1, idc.GetMaxLocalType()): print(idx, idc.GetLocalTypeName(idx)) idc.Til2Idb(idx, idc.GetLocalTypeName(idx))