def find_value(self, func_addr, instr_addr, register):
"""
Attempts to resolve the value of the given register at the given address.
If the value cannot be resolved, None is returned.
"""
reg_num = idaapi.ph_get_regnames().index(register)
# go back from the current instruction to the start of the function
for instr_addr in list(instructions(func_addr, instr_addr))[::-1]:
# look for instrucations that move a value into the desired register
mnemonic = idc.GetMnem(instr_addr)
if mnemonic == 'mov':
op1_type = idc.get_operand_type(instr_addr, 0)
op1_value = idc.get_operand_value(instr_addr, 0)
if op1_type == idc.o_reg and op1_value == reg_num:
op2_type = idc.get_operand_type(instr_addr, 1)
op2_value = idc.get_operand_value(instr_addr, 1)
# if this instruction sets the register to an immediate value
if op2_type == idc.o_imm:
# return that value
return op2_value
else:
# it is not an immediate value, so we say we cannot
# resolve the value
return None
# we did not find an allocation of the register,
# so we return None to indicate that
return None
def __init__(self, sploiter):
self.maxRopOffset = 40 # Maximum offset from the return instruction to look for gadgets. default: 40
self.maxRopSize = 6 # Maximum number of instructions to look for gadgets. default: 6
self.maxRetnImm = 64 # Maximum imm16 value in retn. default: 64
self.maxJopImm = 255 # Maximum jop [reg + IMM] value. default: 64
self.maxRops = 0 # Maximum number of ROP chains to find. default: 0 (unlimited)
self.debug = False
self.regnames = idaapi.ph_get_regnames()
self.sploiter = sploiter
self.retns = list()
self.gadgets = list()
# Decoded instruction cache
self.insn_cache = dict()
# Extra bytes to read to ensure correct decoding of
# RETN, RETN imm16, CALL /2, and JMP /4 instructions.
self.dbg_read_extra = 6 # FF + ModR/M + SIB + disp32
self.insn_arithmetic_ops = ["inc","dec","neg", "add","sub","mul","imul","div","idiv","adc","sbb","lea"]
self.insn_bit_ops = ["not","and","or","xor","shr","shl","sar","sal","shld","shrd","ror","rcr","rcl"]
def finish_populating_widget_popup(self, form, popup):
# Or here, after the popup is done being populated by its owner.
# We will attach our action to the context menu
# for the 'Functions window' widget.
# The action will be be inserted in a submenu of
# the context menu, named 'Others'.
if idaversion.get_widget_type(form) == idaapi.BWN_CALL_STACK:
#line = form.GetCurrentLine()
pass
elif idaversion.get_widget_type(form) == idaapi.BWN_DISASM or \
idaversion.get_widget_type(form) == idaapi.BWN_DUMP:
#regs =['eax', 'ebx', 'ecx', 'edx', 'esi', 'edi', 'ebp', 'esp', 'ax', 'bx', 'cx', 'dx', 'ah', 'al', 'bh', 'bl', 'ch', 'cl', 'dh', 'dl']
regs = idaapi.ph_get_regnames()
idaapi.attach_action_to_popup(form, popup, "revCursor:action", 'RESim/')
idaapi.attach_action_to_popup(form, popup, "dis:action", 'RESim/')
highlighted = idaversion.getHighlight()
if highlighted is not None:
if highlighted in regs:
idaapi.attach_action_to_popup(form, popup, "modReg:action", 'RESim/')
else:
addr = getHex(highlighted)
if addr is not None or regFu.isHighlightedEffective():
idaapi.attach_action_to_popup(form, popup, "rev:action", 'RESim/')
idaapi.attach_action_to_popup(form, popup, "dataWatch:action", 'RESim/')
idaapi.attach_action_to_popup(form, popup, "addDataWatch:action", 'RESim/')
idaapi.attach_action_to_popup(form, popup, "revData:action", 'RESim/')
idaapi.attach_action_to_popup(form, popup, "modMemory:action", 'RESim/')
idaapi.attach_action_to_popup(form, popup, "stringMemory:action", 'RESim/')
opnum = idaapi.get_opnum()
if opnum >= 0:
idaapi.attach_action_to_popup(form, popup, "structField:action", 'RESim/')
def __init__(self):
# Get a list of the current processor module's registers
self.registers = idaapi.ph_get_regnames()
# Find the list of function argument registers that fit the current processor module
# TODO: Probably better to look this up based on the processor module name, as it can't
# distinguish between ARM and Thumb.
self.argv = None
for arch in self.ARCHES:
if not (set(arch.argv) - set(self.registers)):
self.argv = list(arch.argv)
self.delay_slot = arch.delay
self.insn_size = arch.size
break
if self.argv is None:
raise Exception("Unknown/unsupported architecture!")
def __init__(self):
# Get a list of the current processor module's registers
self.registers = idaapi.ph_get_regnames()
# Find the list of function argument registers that fit the current processor module
# TODO: Probably better to look this up based on the processor module name, as it can't
# distinguish between ARM and Thumb.
self.argv = None
for arch in self.ARCHES:
if not (set(arch.argv) - set(self.registers)):
self.argv = list(arch.argv)
self.delay_slot = arch.delay
self.insn_size = arch.size
break
if self.argv is None:
raise Exception("Unknown/unsupported architecture!")
def get_arch(): (arch, bits) = (None, None) for x in idaapi.ph_get_regnames(): name = x if name == 'RAX': arch = 'amd64' bits = 64 break elif name == 'EAX': arch = 'x86' bits = 32 break elif name == 'R0': arch = 'arm' bits = 32 break return (arch, bits)
def main():
# Obtain a list of the registers for the current architecture.
regs = idaapi.ph_get_regnames()
for i, reg in enumerate(regs):
print " %-5s = %d" % (reg.upper(), i)
# Add a separator
print "\n TOTAL_GPR = %d" % len(regs)
# Now create a list of the the previous enumerated registers and put them
# under the GPR (General Porpuse Registers) name).
print "\n GPR_NAMES = {"
for i, reg in enumerate(regs):
print " %-5s : \"%s\"," % (reg.upper(), reg)
print "\n }"
def regOffsetToName(offset):
"""
Get register name from an offset to ph.regnames
"""
regName = idaapi.ph_get_regnames()[offset]
if not offset in range(0, 7):
return regName.upper()
if get_native_size() is 16:
return regName.upper()
if get_native_size() is 32:
return "E" + regName.upper()
if get_native_size() is 64:
return "R" + regName.upper()
return ValueError("Failed to retrieve register name.")
def __init__(self):
self.registers = idaapi.ph_get_regnames()
self.argv = None
for arch in self.ARCHES:
if not (set(arch.argv) - set(self.registers)):
self.argv = list(arch.argv)
self.delay_slot = arch.delay
self.insn_size = arch.size
break
if self.argv is None:
self.argv = []
self.registers = []
self.delay_slot = False
self.insn_size = 0
self.unknown = True
else:
self.unknown = False
def get_arch(): (arch, mode) = (None, None) for x in idaapi.ph_get_regnames(): name = x if name.upper() == 'AX': arch = KS_ARCH_X86 info = idaapi.get_inf_structure() if info.is_64bit(): mode = KS_MODE_64 elif info.is_32bit(): mode = KS_MODE_32 else: mode = KS_MODE_16 break elif name.upper() == 'R0': arch = KS_ARCH_ARM mode = KS_MODE_ARM break return (arch, mode)
def __init__(self):
self.registers = idaapi.ph_get_regnames()
# Find the list of function argument registers that fit the current
# processor module
# TODO: Probably better to look this up based on the processor module
# name, as it can't distinguish between ARM and Thumb.
self.argv = None
for arch in self.ARCHES:
if not (set(arch.argv) - set(self.registers)):
self.argv = list(arch.argv)
self.delay_slot = arch.delay
self.insn_size = arch.size
break
if self.argv is None:
self.argv = []
self.registers = []
self.delay_slot = False
self.insn_size = 0
self.unknown = True
else:
self.unknown = False
def __init__(self):
# Get a list of the current processor module's registers
self.registers = idaapi.ph_get_regnames()
# Find the list of function argument registers that fit the current processor module
# TODO: Probably better to look this up based on the processor module name, as it can't
# distinguish between ARM and Thumb.
self.argv = None
for arch in self.ARCHES:
if not (set(arch.argv) - set(self.registers)):
self.argv = list(arch.argv)
self.delay_slot = arch.delay
self.insn_size = arch.size
break
if self.argv is None:
#print "WARNING: Unknown/unsupported architecture. Architecture specific analysis will be disabled."
self.argv = []
self.registers = []
self.delay_slot = False
self.insn_size = 0
self.unknown = True
else:
self.unknown = False
def __init__(self):
# Get a list of the current processor module's registers
self.registers = idaapi.ph_get_regnames()
# Find the list of function argument registers that fit the current processor module
# TODO: Probably better to look this up based on the processor module name, as it can't
# distinguish between ARM and Thumb.
self.argv = None
for arch in self.ARCHES:
if not (set(arch.argv) - set(self.registers)):
self.argv = list(arch.argv)
self.delay_slot = arch.delay
self.insn_size = arch.size
break
if self.argv is None:
#print "WARNING: Unknown/unsupported architecture. Architecture specific analysis will be disabled."
self.argv = []
self.registers = []
self.delay_slot = False
self.insn_size = 0
self.unknown = True
else:
self.unknown = False
def GetRegisterList():
"""Returns the register list"""
return idaapi.ph_get_regnames()
def GetRegisterList():
"""Returns the register list"""
return idaapi.ph_get_regnames()
def names(cls):
return idaapi.ph_get_regnames()
import menuMod
idaapi.require("idaSIM")
idaapi.require("stackTrace")
idaapi.require("bookmarkView")
idaapi.require("reHooks")
idaapi.require("menuMod")
from idaapi import Choose
'''
Ida script to reverse execution of Simics to the next breakpoint.
Since Ida does not know about reverse exectution, the general approach is to
tell Simics to reverse and then tell Ida to continue forward.
The script installs its functions as a hotkeys.
See showHelp below
'''
#reg_list =['eax', 'ebx', 'ecx', 'edx', 'esi', 'edi', 'ebp', 'esp', 'ax', 'bx', 'cx', 'dx', 'ah', 'al', 'bh', 'bl', 'ch', 'cl', 'dh', 'dl']
reg_list = idaapi.ph_get_regnames()
kernel_base = 0xc0000000
info = idaapi.get_inf_structure()
if info.is_64bit():
print('64-bit')
kernel_base = 0xFFFFFFFF00000000
else:
print('32-bit')
def showHelp(prompt=False):
print('in showHelp')
lines = {}
lines['overview'] = """
CGC Monitor Ida Client Help
The Ida gdb client is enhanced to support reverse execution; use of
def names(cls):
return idaapi.ph_get_regnames()
