def restore_x(unique_name, start=here()):
if MD5_hash_data_file and os.path.isfile(MD5_hash_data_file):
with open(MD5_hash_data_file, "rb") as ifile:
received_data = pickle.loads(ifile.read())
saved_data = received_data
# (start_addr, end_addr, names, comms, bpts)
if unique_name in saved_data:
current_data = saved_data[unique_name]
# restore names
names = current_data[2]
for name in names:
# names: (rel_addr, name)
ida_name.set_name(start + name[0], name[1])
# restore comments
# comms: (rel_addr, TYPE, comment)
comms = current_data[3]
for comm in comms:
# 1:MakeComm and 2:MakeRptCmt
if comm[1] == 1:
MakeComm(start + comm[0], comm[2])
else:
MakeRptCmt(start + comm[0], comm[2])
# restore breakpoints
# bpts: (rel_addr, size, type)
bpts = current_data[4]
for bpt in bpts:
ida_dbg.add_bpt(start + bpt[0], bpt[1], bpt[2])
def btn_add_next_inst_bpt(self, code=0):
"""
给所有断点的下一条指令下断点
"""
bpt_list = self.get_all_bpt_list()
for bpt in bpt_list:
ida_dbg.add_bpt(ida_bytes.next_head(bpt, ida_idaapi.BADADDR), 0,
idc.BPT_DEFAULT)
def btn_add_all_vuln_bpt(self, code=0):
"""添加断点 所有危险函数漏洞地址"""
self.add_fast_dict_from_all_vuln_func()
for xref_addr_t in reduce(lambda x, y: x + y,
self.vuln_func_fast_dict.values()):
ida_dbg.add_bpt(xref_addr_t, 0, idc.BPT_DEFAULT)
FELogger.info('已添加断点:危险函数漏洞分析(全部)')
def restore_x(unique_name=None, start=None):
ea = ida_kernwin.get_screen_ea()
# signature
if not unique_name:
if not start:
seg = ida_segment.getseg(ea)
start = seg.start_ea
sig_bytes = ida_bytes.get_bytes(start, SIGNATURE_SIZE)
sig_hash = hashlib.md5(sig_bytes).hexdigest()
unique_name = sig_hash
if not start:
seg = ida_segment.getseg(ea)
start = seg.start_ea
if MD5_hash_data_file and os.path.isfile(MD5_hash_data_file):
with open(MD5_hash_data_file, "rb") as ifile:
received_data = pickle.loads(ifile.read())
saved_data = received_data
print("dumpDyn::restore\n\
Name: {}\n\
Restore address: {}\n".format(unique_name, hex(start)))
# (start_addr, end_addr, names, comms, bpts, funcs)
if unique_name in saved_data:
current_data = saved_data[unique_name]
# restore names
names = current_data[2]
for name in names:
# names: (rel_addr, name, is_code)
ida_name.set_name(start + name[0], name[1])
flags = ida_bytes.get_flags(start + name[0])
if name[2] and not ida_bytes.is_code(flags):
ida_auto.auto_make_code(start + name[0])
# restore comments
# comms: (rel_addr, TYPE, comment)
comms = current_data[3]
for comm in comms:
# 0:MakeComm and 1:MakeRptCmt
ida_bytes.set_cmt(start + comm[0], comm[2], comm[1])
# restore breakpoints
# bpts: (rel_addr, size, type)
bpts = current_data[4]
for bpt in bpts:
ida_dbg.add_bpt(start + bpt[0], bpt[1], bpt[2])
# restore functions
funcs_addr = current_data[5]
for addr in funcs_addr:
ida_auto.auto_make_proc(start + addr) # make code & func
def setAndDisable(addr):
bptEnabled = ida_dbg.check_bpt(addr)
if bptEnabled < 0:
# no breakpoint, add one
#print 'setAndDisable no bpt at %x, add one' % addr
ida_dbg.add_bpt(addr)
elif bptEnabled == 0:
# breakpoint, but not enabled
#print 'found bpt at %x, enable it' % addr
ida_dbg.enable_bpt(addr, True)
else:
#print 'breakpoint exists, use it'
pass
# disable all breakpoints, excempting the one we just set/enabled
disabledSet = disableAllBpts(addr)
return bptEnabled, disabledSet
def btn_import_all_bpt_addr(self, code=0):
"""
导入离线断点
"""
cur_workpath = os.getcwd()
csv_filepath = os.path.join(
cur_workpath, '%s_bpt.csv' % ida_nalt.get_root_filename())
if os.path.exists(csv_filepath):
with open(csv_filepath, 'r') as f:
next(f)
reader = csv.reader(f)
for row in reader:
ida_dbg.add_bpt(int(row[0], 16), 0, idc.BPT_DEFAULT)
FELogger.info("导入断点完成:%s" % csv_filepath)
else:
FELogger.warn("文件不存在:%s" % csv_filepath)
def btn_add_one_vuln_bpt(self, code=0):
"""添加断点 某个危险函数漏洞地址"""
tgt_t = ida_kernwin.ask_str('', 0, '请输入危险函数名')
if tgt_t in SINK_FUNC:
if not tgt_t in self.vuln_func_fast_dict:
mgr_t = FESinkFuncMgr()
xref_list = mgr_t.get_one_func_xref(tgt_t)
tag = SINK_FUNC[tgt_t]['tag']
if not xref_list:
FELogger.warn("未找到函数%s" % tgt_t)
return
if tag == FUNC_TAG['PRINTF']:
items = printf_func_analysis(tgt_t, xref_list)
self.add_fast_dict_from_items(items)
elif tag == FUNC_TAG['STRING']:
items = str_func_analysis(tgt_t, xref_list)
self.add_fast_dict_from_items(items)
elif tag == FUNC_TAG['SCANF']:
items = scanf_func_analysis(tgt_t, xref_list)
self.add_fast_dict_from_items(items)
elif tag == FUNC_TAG['SYSTEM']:
items = system_func_analysis(tgt_t, xref_list)
self.add_fast_dict_from_items(items)
elif tag == FUNC_TAG['MEMORY']:
items = mem_func_analysis(tgt_t, xref_list)
self.add_fast_dict_from_items(items)
else:
FELogger.info("未支持函数%s" % tgt_t)
if tgt_t in self.vuln_func_fast_dict:
for xref_addr_t in self.vuln_func_fast_dict[tgt_t]:
ida_dbg.add_bpt(xref_addr_t, 0, idc.BPT_DEFAULT)
FELogger.info('已添加断点:危险函数漏洞分析(%s)' % tgt_t)
else:
FELogger.warn("未支持函数")
def add_tmp_func(self, info_only=False):
"""
添加临时sink函数
info_only: 在添加函数信息的同时是否添加断点
"""
input_str = ida_kernwin.ask_text(
0, '',
"请输入任意函数名/函数地址,及各参数类型(none, int, str),可输入多行\n例如:\nstrcmp str str")
try:
rules = [x.strip() for x in input_str.strip().split('\n')]
for rule in rules:
tgt_t = rule.split(' ')[0].strip()
args_rule = [x.strip() for x in rule.split(' ')[1:]]
if not tgt_t in self.tmp_func_dict:
if tgt_t.startswith('0x'):
addr_t = int(tgt_t, 16)
addr_hexstr = hexstr(addr_t)
CUSTOM_FUNC[addr_hexstr] = {'args_rule': args_rule}
self.tmp_func_dict[addr_hexstr] = [addr_t]
if info_only == False:
ida_dbg.add_bpt(addr_t, 0, idc.BPT_DEFAULT)
else:
for func_addr_t in idautils.Functions():
func_name_t = ida_funcs.get_func_name(func_addr_t)
if func_name_t == tgt_t:
CUSTOM_FUNC[func_name_t] = {
'args_rule': args_rule
}
self.tmp_func_dict[func_name_t] = []
for xref_addr_t in idautils.CodeRefsTo(
func_addr_t, 0):
self.tmp_func_dict[func_name_t].append(
xref_addr_t)
if info_only == False:
ida_dbg.add_bpt(
xref_addr_t, 0, idc.BPT_DEFAULT)
else:
continue
break
else:
continue
else:
CUSTOM_FUNC[tgt_t] = {'args_rule': args_rule}
for xref_addr_t in self.tmp_func_dict[tgt_t]:
if info_only == False:
ida_dbg.add_bpt(xref_addr_t, 0, idc.BPT_DEFAULT)
else:
continue
FELogger.info("已添加断点:%s" % rule)
except Exception as e:
FELogger.info("输入信息有误:%s" % e)
def do_import():
db = {}
module = idaapi.get_root_filename().lower()
base = idaapi.get_imagebase()
file = ida_kernwin.ask_file(0,
"x64dbg database|{}".format(get_file_mask()),
"Import database")
if not file:
return
print("Importing database {}".format(file))
with open(file) as dbdata:
db = json.load(dbdata)
count = 0
labels = db.get("labels", [])
for label in labels:
try:
if label["module"] != module:
continue
ea = int(label["address"], 16) + base
name = label["text"]
ida_name.set_name(ea, str(name), 0)
count += 1
except:
pass
print("{:d}/{:d} label(s) imported".format(count, len(labels)))
count = 0
comments = db.get("comments", [])
for comment in comments:
try:
if comment["module"] != module:
continue
ea = int(comment["address"], 16) + base
name = comment["text"]
ida_bytes.set_cmt(ea, str(name), 1)
count += 1
except:
pass
print("{:d}/{:d} comment(s) imported".format(count, len(comments)))
count = 0
breakpoints = db.get("breakpoints", [])
for breakpoint in breakpoints:
try:
if breakpoint["module"] != module:
continue
ea = int(breakpoint["address"], 16) + base
bptype = breakpoint["type"]
if bptype == BPNORMAL:
count += 1
ida_dbg.add_bpt(ea, 1, BPT_DEFAULT)
elif bptype == BPHARDWARE:
titantype = int(breakpoint["titantype"], 16)
hwtype = (titantype >> 4) & 0xF
if hwtype == UE_HARDWARE_EXECUTE:
hwtype = BPT_EXEC
elif hwtype == UE_HARDWARE_WRITE:
hwtype = BPT_WRITE
elif hwtype == UE_HARDWARE_READWRITE:
hwtype = BPT_RDWR
else:
continue
hwsize = titantype & 0xF
if hwsize == UE_HARDWARE_SIZE_1:
hwsize = 1
elif hwsize == UE_HARDWARE_SIZE_2:
hwsize = 2
elif hwsize == UE_HARDWARE_SIZE_4:
hwsize = 4
elif hwsize == UE_HARDWARE_SIZE_8:
hwsize = 8
else:
continue
count += 1
ida_dbg.add_bpt(ea, hwsize, hwtype)
except:
pass
print("{:d}/{:d} breakpoint(s) imported".format(count, len(breakpoints)))
print("Done!")
def set_breakpoint(self, address):
ida_dbg.add_bpt(address)