def getApiMap(self):
self._api_map = {}
num_imports = ida_nalt.get_import_module_qty()
for i in range(0, num_imports):
self._import_module_name = ida_nalt.get_import_module_name(i)
ida_nalt.enum_import_names(i, self._cbEnumImports)
return self._api_map
def find_imported_funcs(dllname):
def imp_cb(ea, name, ord):
if not name:
name = ''
imports.append([ea, name, ord])
return True
imports = []
nimps = ida_nalt.get_import_module_qty()
for i in xrange(0, nimps):
name = ida_nalt.get_import_module_name(i)
if re.match(dllname, name, re.IGNORECASE) is None:
continue
ida_nalt.enum_import_names(i, imp_cb)
return imports
def find_imported_funcs(dllname):
def imp_cb(ea, name, ord):
if not name:
name = ''
imports.append([ea, name, ord])
return True
imports = []
nimps = ida_nalt.get_import_module_qty()
for i in xrange(0, nimps):
name = ida_nalt.get_import_module_name(i)
if re.match(dllname, name, re.IGNORECASE) is None:
continue
ida_nalt.enum_import_names(i, imp_cb)
return imports
def find_import_functions():
import ida_nalt as api
imported_function_list = []
def imports_names_cb(ea, name, ord):
if name is not None:
imported_function_list.append(name)
# True -> Continue enumeration
# False -> Stop enumeration
return True
nimps = api.get_import_module_qty()
for i in xrange(nimps):
name = api.get_import_module_name(i)
api.enum_import_names(i, imports_names_cb)
return imported_function_list
def get_all_importfunc():
nimps = ida_nalt.get_import_module_qty()
result = []
for i in range(nimps):
name = ida_nalt.get_import_module_name(i)
if not name:
# print("Failed to get import module name for #%d" % i)
# name = "<unnamed>"
pass
# print("Walking imports for module %s" % name)
def imp_cb(ea, name, ordinal):
if name:
# print("%08x: %s (ordinal #%d)" % (ea, name, ordinal))
result.append(name)
# True -> Continue enumeration
# False -> Stop enumeration
return True
ida_nalt.enum_import_names(i, imp_cb)
return result
def iter_imports() -> Iterable[Tuple[int, str, str]]:
"""
Iterates the imports, returning the address function name and namespace
for the import.
:yields: (address, func_name, namespace)
"""
for i in range(ida_nalt.get_import_module_qty()):
namespace = ida_nalt.get_import_module_name(i)
entries = []
def callback(addr, name, ordinal):
if name:
# Name will include a "__imp_" prefix if the import is accessed through
# a thunk function.
# Pull the address of the thunk function instead.
raw_name = ida_name.get_name(addr)
if raw_name.startswith("__imp_"):
for xref in idautils.XrefsTo(addr):
func = ida_funcs.get_func(xref.frm)
if func and func.flags & ida_funcs.FUNC_THUNK:
addr = func.start_ea
name = ida_funcs.get_func_name(addr)
break
else:
raise RuntimeError(f"Failed to find a thunk for {name} at 0x{addr:08X}")
entries.append((addr, name))
return True # continue enumeration
ida_nalt.enum_import_names(i, callback)
for addr, name in entries:
yield addr, name, namespace
"""
summary: enumerate file imports
description:
Using the API to enumerate file imports.
"""
from __future__ import print_function
import ida_nalt
nimps = ida_nalt.get_import_module_qty()
print("Found %d import(s)..." % nimps)
for i in range(nimps):
name = ida_nalt.get_import_module_name(i)
if not name:
print("Failed to get import module name for #%d" % i)
name = "<unnamed>"
print("Walking imports for module %s" % name)
def imp_cb(ea, name, ordinal):
if not name:
print("%08x: ordinal #%d" % (ea, ordinal))
else:
print("%08x: %s (ordinal #%d)" % (ea, name, ordinal))
# True -> Continue enumeration
# False -> Stop enumeration
return True
def iter_imports(module_name=None, api_names=None):
"""
Iterate the thunk function wrappers for API imports.
Yields the module name, function name, and reference to function.
.. code_block:: python
for ea, name, module_name in utils.iter_imports():
print("{}.{} function at: 0x{:0x}".format(module_name, name, ea))
for ea, name, _ in utils.iter_imports("KERNEL32"):
print("KERNEL32.{} function at: {}".format(name, ea))
for ea, name, module_name in utils.iter_imports(api_names=["GetProcAddress", "GetFileSize"]):
print("{}.{} function at: {}".format(module_name, name, ea))
for ea, _, _ in utils.iter_imports("KERNEL32", "GetProcAddress"):
print("KERNEL32.GetProcAddress function at: {}".format(ea))
NOTE: The same function name can be yield more than once if it
appears in multiple modules or has multiple thunk wrappers.
Name is the original import name and does not necessarily reflect the function name.
e.g. "GetProcAddress", "GetProcAddress_0", and "GetProcAddress_1" will all be "GetProcAddress"
:param module_name: Filter imports to a specified library.
:param api_names: Filter imports to specific API name(s).
Can be a string of a single name or list of names.
:yield: (ea, api_name, module_name)
"""
if isinstance(api_names, str):
api_names = [api_names]
for i in range(ida_nalt.get_import_module_qty()):
_module_name = ida_nalt.get_import_module_name(i)
if not _module_name:
continue
if module_name and module_name.lower() != _module_name.lower():
continue
entries = []
target_set = set(api_names) if api_names else None
def callback(ea, name, ordinal):
if name:
# Sometimes IDA includes "__imp_" to the front of the name.
# Strip this off to be more consistent to what you would see in the GUI.
if name.startswith("__imp_"):
name = name[6:]
# Collect name if matches filter or if no filter set.
if target_set and name in target_set:
entries.append((ea, name))
target_set.remove(name)
if not target_set:
# Found all targeted function names. stop enumeration.
return False
elif not api_names:
entries.append((ea, name))
return True # continue enumeration
ida_nalt.enum_import_names(i, callback)
for ea, name in entries:
# Yield thunk wrapper functions if they exists.
for xref in idautils.XrefsTo(ea):
func = ida_funcs.get_func(xref.frm)
if not func:
continue
if func.flags & ida_funcs.FUNC_THUNK:
yield xref.frm, name, _module_name
# Yield reference in data segment signature
# (yielding after thunks, since those are more likely to be used)
yield ea, name, _module_name
