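def fc(func_name, fuzzy=False):
    """Find call expressions whose callee is 'func_name'.

    Args:
        func_name: name of the callee to look for. With fuzzy=False it has
            to be an existing symbol and is compared exactly; with
            fuzzy=True it is a case-insensitive substring of the callee
            name, so 'memcpy' also hits 'memcpy_s' or 'wmemcpy'.
        fuzzy: select substring matching (see above). The fuzzy path walks
            every function in the database; the exact path only visits the
            code references to the resolved symbol.

    Returns:
        The result of tb.exec_query over the matching call expressions, or
        an empty list when func_name is empty or (non-fuzzy) not a known
        symbol.
    """
    # An empty pattern is a substring of every name and would report every
    # call in the database; treat it as "nothing to look for" instead.
    if not func_name:
        return list()

    if fuzzy:
        needle = func_name.lower()

        def fuzzy_query(cf, e):
            return (e.op is cot_call and e.x.op is cot_obj and
                    needle in get_name(e.x.obj_ea).lower())

        return tb.exec_query(fuzzy_query, Functions(), False)

    ea = get_name_ea(BADADDR, func_name)
    if ea == BADADDR:
        return list()

    def exact_query(cf, e):
        return (e.op is cot_call and e.x.op is cot_obj and
                get_name(e.x.obj_ea) == func_name)

    # Drop duplicate referencing addresses but keep first-seen order; a
    # plain set would make the result order vary between runs.
    callers = list(dict.fromkeys(CodeRefsTo(ea, True)))
    return tb.exec_query(exact_query, callers, False)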
def find_memcpy():
    """Find memcpy() calls whose third argument ('n') is a signed local.

    Every function in the database is walked (instead of following
    cross-refs to a memcpy symbol) so that inlined memcpy() calls are
    picked up as well. The callee is matched by substring, so names such
    as memcpy_s or wmemcpy qualify too. A signed size is worth reviewing:
    a negative value turns into a huge unsigned length at the call.
    """

    def has_signed_size(cf, e):
        if e.op is not cot_call or e.x.op is not cot_obj:
            return False
        if 'memcpy' not in get_name(e.x.obj_ea):
            return False
        if len(e.a) != 3:
            return False
        size_arg = e.a[2]
        if size_arg.op is not cot_var:
            return False
        # The argument is a plain local: look up its type in the cfunc's
        # local-variable table and check the signedness.
        return cf.lvars[size_arg.v.idx].tif.is_signed()

    return tb.exec_query(has_signed_size, Functions(), False)
def find_gpa():
    """Find dynamically imported functions (Windows).

    Reports GetProcAddress() calls whose second argument (the procedure
    name) is a string literal, i.e. the imported name is visible
    statically. Example function to be passed to hr_toolbox.display().
    The callee is matched by substring, so wrappers whose name contains
    'GetProcAddress' are included.
    """

    def resolves_literal_name(cfunc, e):
        if e.op is not cot_call or e.x.op is not cot_obj:
            return False
        if 'GetProcAddress' not in get_name(e.x.obj_ea):
            return False
        if len(e.a) != 2:
            return False
        name_arg = e.a[1]
        return name_arg.op is cot_obj and is_strlit(get_flags(name_arg.obj_ea))

    gpa = get_name_ea_simple('GetProcAddress')
    # Start addresses of the functions referencing GetProcAddress, with
    # duplicates dropped and first-seen order kept.
    callers = []
    seen = set()
    for xref in XrefsTo(gpa, XREF_FAR):
        func = get_func(xref.frm)
        if func and func.start_ea not in seen:
            seen.add(func.start_ea)
            callers.append(func.start_ea)
    return tb.exec_query(resolves_literal_name, callers)
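def find_malloc():
    """Find malloc() calls whose size argument is neither a plain variable
    nor an immediate number.

    Computed sizes are the ones worth reviewing for arithmetic overflow, so
    only those call sites are reported. Only functions that hold a far
    cross-reference to the malloc symbol are decompiled.

    Returns:
        The result of tb.exec_query over the matching call expressions.
    """
    func_name = 'malloc'
    # Argument kinds treated as "trivial" sizes and therefore skipped.
    trivial_size_ops = (cot_num, cot_var)

    def has_computed_size(cf, e):
        return (e.op is cot_call and
                e.x.op is cot_obj and
                get_name(e.x.obj_ea) == func_name and
                len(e.a) == 1 and
                e.a[0].op not in trivial_size_ops)

    ea_malloc = get_name_ea_simple(func_name)
    # Start addresses of the functions referencing malloc; the set drops
    # the duplicates that several xrefs from one function would produce.
    ea_set = {
        f.start_ea
        for f in (get_func(xref.frm) for xref in XrefsTo(ea_malloc, XREF_FAR))
        if f
    }
    return tb.exec_query(has_computed_size, ea_set, False)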
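def find_gpa():
    """Find dynamically imported functions (Windows).

    Reports GetProcAddress() calls whose second argument (the procedure
    name) is a string literal, so the imported name can be read statically.
    Example function to be passed to hr_toolbox.display().

    Returns:
        The result of tb.exec_query over the matching call expressions.
    """
    func_name = 'GetProcAddress'

    def has_literal_name(cfunc, e):
        return (e.op is cot_call and
                e.x.op is cot_obj and
                get_name(e.x.obj_ea) == func_name and
                len(e.a) == 2 and
                e.a[1].op is cot_obj and
                is_strlit(get_flags(e.a[1].obj_ea)))

    gpa = get_name_ea_simple(func_name)
    # Several xrefs from one function yield the same start_ea; without
    # dedup that function would presumably be queried more than once.
    # dict.fromkeys keeps the first-seen order, unlike a set.
    ea_list = list(dict.fromkeys(
        f.start_ea
        for f in (get_func(xref.frm) for xref in XrefsTo(gpa, XREF_FAR))
        if f
    ))
    return tb.exec_query(has_literal_name, ea_list, False)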
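def find_sprintf():
    """Find sprintf() calls whose format string literal contains '%s'.

    An unbounded '%s' conversion copies the whole source string into the
    destination buffer, which is the classic sprintf() overflow pattern,
    so those call sites are reported. Notes on the matching:
    - the callee is matched by substring, so vsprintf() and wrappers whose
      name contains 'sprintf' are included too;
    - only the literal text '%s' is looked for; width- or length-qualified
      forms such as '%20s' or '%ls' are not matched.

    Returns:
        The result of tb.exec_query over the matching call expressions.
    """
    func_name = 'sprintf'

    def has_percent_s_format(cfunc, e):
        return (e.op is cot_call and
                e.x.op is cot_obj and
                func_name in get_name(e.x.obj_ea) and
                len(e.a) >= 2 and
                e.a[1].op is cot_obj and
                is_strlit(get_flags(e.a[1].obj_ea)) and
                b'%s' in get_strlit_contents(e.a[1].obj_ea, -1, 0, STRCONV_ESCAPE))

    # Was misnamed ea_malloc: it is the address of the sprintf symbol.
    ea_sprintf = get_name_ea_simple(func_name)
    # Start addresses of the functions referencing sprintf; the set drops
    # the duplicates that several xrefs from one function would produce.
    ea_set = {
        f.start_ea
        for f in (get_func(xref.frm) for xref in XrefsTo(ea_sprintf, XREF_FAR))
        if f
    }
    return tb.exec_query(has_percent_s_format, ea_set, False)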