def addAnalysisModules(vw):
import vivisect
import vivisect.analysis.i386 as viv_analysis_i386
arch = vw.getMeta('Architecture')
fmt = vw.getMeta('Format')
plat = vw.getMeta('Platform')
if fmt == 'pe':
vw.addAnalysisModule("vivisect.analysis.pe")
if arch == 'i386':
vw.addImpApi('windows', 'i386')
viv_analysis_i386.addEntrySigs(vw)
vw.addStructureModule('win32', 'vstruct.defs.win32')
vw.addStructureModule('ntdll',
'vstruct.defs.windows.win_5_1_i386.ntdll')
elif arch == 'amd64':
vw.addImpApi('windows', 'amd64')
vw.addStructureModule('ntdll',
'vstruct.defs.windows.win_6_1_amd64.ntdll')
vw.addConstModule('vstruct.constants.ntstatus')
vw.addAnalysisModule("vivisect.analysis.generic.relocations")
vw.addAnalysisModule(
"vivisect.analysis.ms.vftables") # RELIES ON LOC_POINTER
vw.addAnalysisModule(
"vivisect.analysis.generic.emucode") # RELIES ON LOC_POINTER
# run imports after emucode
if arch == 'i386':
vw.addAnalysisModule("vivisect.analysis.i386.importcalls")
vw.addFuncAnalysisModule("vivisect.analysis.generic.codeblocks")
vw.addFuncAnalysisModule("vivisect.analysis.generic.impapi")
vw.addFuncAnalysisModule("vivisect.analysis.ms.hotpatch")
vw.addFuncAnalysisModule("vivisect.analysis.ms.msvc")
# Snap in an architecture specific emulation pass
if arch == 'i386':
vw.addFuncAnalysisModule("vivisect.analysis.i386.calling")
elif arch == 'amd64':
vw.addFuncAnalysisModule("vivisect.analysis.amd64.emulation")
# See if we got lucky and got arg/local hints from symbols
vw.addAnalysisModule('vivisect.analysis.ms.localhints')
# Find import thunks
vw.addFuncAnalysisModule("vivisect.analysis.generic.thunks")
vw.addAnalysisModule("vivisect.analysis.generic.funcentries")
vw.addAnalysisModule('vivisect.analysis.ms.msvcfunc')
vw.addAnalysisModule('vivisect.analysis.generic.strconst')
elif fmt == 'elf': # ELF ########################################################
vw.addAnalysisModule("vivisect.analysis.elf")
if arch == 'i386':
viv_analysis_i386.addEntrySigs(vw)
vw.addAnalysisModule("vivisect.analysis.i386.importcalls")
# add va set for tracking thunk_bx function(s)
vw.addVaSet('thunk_bx', (('fva', vivisect.VASET_ADDRESS), ))
vw.addFuncAnalysisModule("vivisect.analysis.i386.thunk_bx")
vw.addAnalysisModule("vivisect.analysis.generic.funcentries")
vw.addAnalysisModule("vivisect.analysis.generic.relocations")
vw.addAnalysisModule("vivisect.analysis.generic.pointertables")
vw.addAnalysisModule("vivisect.analysis.generic.emucode")
# Get PLTs taken care of early
vw.addFuncAnalysisModule("vivisect.analysis.elf.elfplt")
# Generic code block analysis
vw.addFuncAnalysisModule("vivisect.analysis.generic.codeblocks")
vw.addFuncAnalysisModule("vivisect.analysis.generic.impapi")
# Add our emulation modules
if arch == 'i386':
vw.addFuncAnalysisModule("vivisect.analysis.i386.calling")
elif arch == 'amd64':
vw.addFuncAnalysisModule("vivisect.analysis.amd64.emulation")
# Find import thunks
vw.addFuncAnalysisModule("vivisect.analysis.generic.thunks")
vw.addAnalysisModule("vivisect.analysis.generic.pointers")
elif fmt == 'macho': # MACH-O ###################################################
if arch == 'i386':
viv_analysis_i386.addEntrySigs(vw)
vw.addAnalysisModule("vivisect.analysis.i386.importcalls")
# Add the one that brute force finds function entry signatures
vw.addAnalysisModule("vivisect.analysis.generic.funcentries")
vw.addAnalysisModule("vivisect.analysis.generic.relocations")
vw.addAnalysisModule("vivisect.analysis.generic.pointertables")
vw.addAnalysisModule("vivisect.analysis.generic.emucode")
vw.addFuncAnalysisModule("vivisect.analysis.generic.codeblocks")
vw.addFuncAnalysisModule("vivisect.analysis.generic.impapi")
if arch == 'i386':
vw.addFuncAnalysisModule("vivisect.analysis.i386.calling")
elif arch == 'amd64':
vw.addFuncAnalysisModule("vivisect.analysis.amd64.emulation")
vw.addFuncAnalysisModule("vivisect.analysis.generic.thunks")
vw.addAnalysisModule("vivisect.analysis.generic.pointers")
elif fmt == 'blob': # BLOB ######################################################
vw.addAnalysisModule("vivisect.analysis.generic.funcentries")
vw.addAnalysisModule("vivisect.analysis.generic.relocations")
vw.addAnalysisModule("vivisect.analysis.generic.pointertables")
vw.addAnalysisModule("vivisect.analysis.generic.emucode")
vw.addFuncAnalysisModule("vivisect.analysis.generic.codeblocks")
vw.addFuncAnalysisModule("vivisect.analysis.generic.impapi")
vw.addFuncAnalysisModule("vivisect.analysis.generic.thunks")
elif fmt == 'ihex': # BLOB ######################################################
vw.addAnalysisModule("vivisect.analysis.generic.funcentries")
vw.addAnalysisModule("vivisect.analysis.generic.relocations")
#vw.addAnalysisModule("vivisect.analysis.generic.pointertables")
vw.addAnalysisModule("vivisect.analysis.generic.emucode")
vw.addFuncAnalysisModule("vivisect.analysis.generic.codeblocks")
vw.addFuncAnalysisModule("vivisect.analysis.generic.impapi")
vw.addFuncAnalysisModule("vivisect.analysis.generic.thunks")
else:
raise Exception('Analysis modules unknown for format: %s' % fmt)
def addAnalysisModules(vw):
import vivisect
import vivisect.analysis.i386 as viv_analysis_i386
arch = vw.getMeta('Architecture')
fmt = vw.getMeta('Format')
plat = vw.getMeta('Platform')
if fmt == 'pe':
vw.addAnalysisModule("vivisect.analysis.generic.entrypoints")
vw.addAnalysisModule("vivisect.analysis.pe")
if arch == 'i386':
vw.addImpApi('windows', 'i386')
vw.addImpApi('windows', 'i386')
if plat == 'winkern':
vw.addImpApi('winkern', 'i386')
viv_analysis_i386.addEntrySigs(vw)
vw.addStructureModule('win32', 'vstruct.defs.win32')
vw.addStructureModule('ntdll',
'vstruct.defs.windows.win_5_1_i386.ntdll')
elif arch == 'amd64':
vw.addImpApi('windows', 'amd64')
if plat == 'winkern':
vw.addImpApi('winkern', 'amd64')
vw.addStructureModule('ntdll',
'vstruct.defs.windows.win_6_1_amd64.ntdll')
elif arch in ARM_ARCHS:
vw.addImpApi('windows', 'arm')
vw.addFuncAnalysisModule('vivisect.analysis.arm.renaming')
vw.addConstModule('vstruct.constants.ntstatus')
vw.addAnalysisModule("vivisect.analysis.generic.relocations")
vw.addAnalysisModule(
"vivisect.analysis.ms.vftables") # RELIES ON LOC_POINTER
vw.addAnalysisModule(
"vivisect.analysis.generic.emucode") # RELIES ON LOC_POINTER
# run imports after emucode
if arch == 'i386':
vw.addAnalysisModule("vivisect.analysis.i386.importcalls")
vw.addAnalysisModule("vivisect.analysis.i386.golang")
elif arch == 'amd64':
vw.addAnalysisModule("vivisect.analysis.amd64.golang")
vw.addFuncAnalysisModule("vivisect.analysis.generic.codeblocks")
vw.addFuncAnalysisModule("vivisect.analysis.generic.impapi")
vw.addFuncAnalysisModule("vivisect.analysis.ms.hotpatch")
vw.addFuncAnalysisModule("vivisect.analysis.ms.msvc")
if arch in ('i386', 'amd64'):
# Applies to i386 and amd64, will split it up when neccessary
vw.addFuncAnalysisModule("vivisect.analysis.i386.instrhook")
# Snap in an architecture specific emulation pass
if arch == 'i386':
vw.addFuncAnalysisModule("vivisect.analysis.i386.calling")
elif arch == 'amd64':
vw.addFuncAnalysisModule("vivisect.analysis.amd64.emulation")
elif arch in ARM_ARCHS:
vw.addFuncAnalysisModule("vivisect.analysis.arm.emulation")
# See if we got lucky and got arg/local hints from symbols
vw.addAnalysisModule('vivisect.analysis.ms.localhints')
# Find import thunks
vw.addFuncAnalysisModule("vivisect.analysis.generic.thunks")
vw.addAnalysisModule("vivisect.analysis.generic.funcentries")
vw.addAnalysisModule('vivisect.analysis.ms.msvcfunc')
vw.addAnalysisModule('vivisect.analysis.generic.strconst')
elif fmt == 'elf': # ELF ########################################################
# elfplt wants to be run before generic.entrypoints.
vw.addAnalysisModule("vivisect.analysis.elf.elfplt")
vw.addAnalysisModule("vivisect.analysis.generic.entrypoints")
vw.addAnalysisModule("vivisect.analysis.elf")
if arch in ('i386', 'amd64', 'arm'):
vw.addImpApi('posix', arch)
if arch == 'i386':
viv_analysis_i386.addEntrySigs(vw)
vw.addAnalysisModule("vivisect.analysis.i386.importcalls")
# add va set for tracking thunk_bx function(s)
vw.addVaSet('thunk_bx', (('fva', vivisect.VASET_ADDRESS), ))
vw.addFuncAnalysisModule("vivisect.analysis.i386.thunk_bx")
elif arch in ARM_ARCHS:
vw.addVaSet('thunk_reg', (
('fva', vivisect.VASET_ADDRESS),
('reg', vivisect.VASET_INTEGER),
))
vw.addFuncAnalysisModule('vivisect.analysis.arm.thunk_reg')
vw.addFuncAnalysisModule('vivisect.analysis.arm.renaming')
vw.addAnalysisModule("vivisect.analysis.generic.relocations")
vw.addAnalysisModule("vivisect.analysis.elf.libc_start_main")
vw.addAnalysisModule("vivisect.analysis.generic.funcentries")
vw.addAnalysisModule("vivisect.analysis.generic.emucode")
vw.addAnalysisModule("vivisect.analysis.generic.pointertables")
# Generic code block analysis
vw.addFuncAnalysisModule("vivisect.analysis.generic.codeblocks")
vw.addFuncAnalysisModule("vivisect.analysis.generic.impapi")
if arch in ('i386', 'amd64'):
# Applies to i386 and amd64, will split it up when neccessary
vw.addFuncAnalysisModule("vivisect.analysis.i386.instrhook")
# Add our emulation modules
if arch == 'i386':
vw.addFuncAnalysisModule("vivisect.analysis.i386.calling")
elif arch == 'amd64':
vw.addFuncAnalysisModule("vivisect.analysis.amd64.emulation")
elif arch in ARM_ARCHS:
vw.addFuncAnalysisModule("vivisect.analysis.arm.emulation")
# Find import thunks
vw.addFuncAnalysisModule("vivisect.analysis.generic.thunks")
# due to inconsistencies in plt layouts, we'll keep this as a func module as well
vw.addFuncAnalysisModule("vivisect.analysis.elf.elfplt")
vw.addAnalysisModule("vivisect.analysis.generic.pointers")
elif fmt == 'macho': # MACH-O ###################################################
vw.addAnalysisModule("vivisect.analysis.generic.entrypoints")
if arch == 'i386':
viv_analysis_i386.addEntrySigs(vw)
vw.addAnalysisModule("vivisect.analysis.i386.importcalls")
# Add the one that brute force finds function entry signatures
vw.addAnalysisModule("vivisect.analysis.generic.funcentries")
vw.addAnalysisModule("vivisect.analysis.generic.relocations")
vw.addAnalysisModule("vivisect.analysis.generic.emucode")
vw.addAnalysisModule("vivisect.analysis.generic.pointertables")
vw.addFuncAnalysisModule("vivisect.analysis.generic.codeblocks")
vw.addFuncAnalysisModule("vivisect.analysis.generic.impapi")
if arch == 'i386':
vw.addFuncAnalysisModule("vivisect.analysis.i386.calling")
elif arch == 'amd64':
vw.addFuncAnalysisModule("vivisect.analysis.amd64.emulation")
elif arch in ARM_ARCHS:
vw.addFuncAnalysisModule("vivisect.analysis.arm.emulation")
vw.addFuncAnalysisModule('vivisect.analysis.arm.renaming')
vw.addFuncAnalysisModule("vivisect.analysis.generic.thunks")
vw.addAnalysisModule("vivisect.analysis.generic.pointers")
elif fmt == 'blob': # BLOB ######################################################
vw.addAnalysisModule("vivisect.analysis.generic.entrypoints")
vw.addAnalysisModule("vivisect.analysis.generic.funcentries")
vw.addAnalysisModule("vivisect.analysis.generic.relocations")
#vw.addAnalysisModule("vivisect.analysis.generic.pointertables")
vw.addAnalysisModule("vivisect.analysis.generic.emucode")
vw.addFuncAnalysisModule("vivisect.analysis.generic.codeblocks")
if arch in ARM_ARCHS:
vw.addFuncAnalysisModule("vivisect.analysis.arm.emulation")
vw.addFuncAnalysisModule('vivisect.analysis.arm.renaming')
vw.addFuncAnalysisModule("vivisect.analysis.generic.impapi")
vw.addFuncAnalysisModule("vivisect.analysis.generic.thunks")
elif fmt == 'ihex': # BLOB ######################################################
vw.addAnalysisModule("vivisect.analysis.generic.entrypoints")
vw.addAnalysisModule("vivisect.analysis.generic.funcentries")
vw.addAnalysisModule("vivisect.analysis.generic.relocations")
#vw.addAnalysisModule("vivisect.analysis.generic.pointertables")
vw.addAnalysisModule("vivisect.analysis.generic.emucode")
if arch in ARM_ARCHS:
vw.addFuncAnalysisModule("vivisect.analysis.arm.emulation")
vw.addFuncAnalysisModule('vivisect.analysis.arm.renaming')
vw.addFuncAnalysisModule("vivisect.analysis.generic.codeblocks")
vw.addFuncAnalysisModule("vivisect.analysis.generic.impapi")
vw.addFuncAnalysisModule("vivisect.analysis.generic.thunks")
else:
raise Exception('Analysis modules unknown for format: %s' % fmt)
logger.info('Vivisect Analysis Setup Hooks Complete')
def addAnalysisModules(vw):
import vivisect
import vivisect.analysis.i386 as viv_analysis_i386
arch = vw.getMeta('Architecture')
fmt = vw.getMeta('Format')
plat = vw.getMeta('Platform')
if fmt == 'pe':
vw.addAnalysisModule("vivisect.analysis.pe")
if arch == 'i386':
vw.addImpApi('windows','i386')
viv_analysis_i386.addEntrySigs(vw)
vw.addStructureModule('win32', 'vstruct.defs.win32')
vw.addStructureModule('ntdll', 'vstruct.defs.windows.win_5_1_i386.ntdll')
elif arch == 'amd64':
vw.addImpApi('windows','amd64')
vw.addStructureModule('ntdll', 'vstruct.defs.windows.win_6_1_amd64.ntdll')
vw.addConstModule('vstruct.constants.ntstatus')
vw.addAnalysisModule("vivisect.analysis.generic.relocations")
vw.addAnalysisModule("vivisect.analysis.ms.vftables") # RELIES ON LOC_POINTER
vw.addAnalysisModule("vivisect.analysis.generic.emucode") # RELIES ON LOC_POINTER
# run imports after emucode
if arch == 'i386':
vw.addAnalysisModule("vivisect.analysis.i386.importcalls")
vw.addFuncAnalysisModule("vivisect.analysis.generic.codeblocks")
vw.addFuncAnalysisModule("vivisect.analysis.generic.impapi")
vw.addFuncAnalysisModule("vivisect.analysis.ms.hotpatch")
vw.addFuncAnalysisModule("vivisect.analysis.ms.msvc")
# Snap in an architecture specific emulation pass
if arch == 'i386':
vw.addFuncAnalysisModule("vivisect.analysis.i386.calling")
elif arch == 'amd64':
vw.addFuncAnalysisModule("vivisect.analysis.amd64.emulation")
# See if we got lucky and got arg/local hints from symbols
vw.addAnalysisModule('vivisect.analysis.ms.localhints')
# Find import thunks
vw.addFuncAnalysisModule("vivisect.analysis.generic.thunks")
vw.addAnalysisModule("vivisect.analysis.generic.funcentries")
vw.addAnalysisModule('vivisect.analysis.ms.msvcfunc')
elif fmt == 'elf': # ELF ########################################################
vw.addAnalysisModule("vivisect.analysis.elf")
if arch == 'i386':
viv_analysis_i386.addEntrySigs(vw)
vw.addAnalysisModule("vivisect.analysis.i386.importcalls")
# add va set for tracking thunk_bx function(s)
vw.addVaSet('thunk_bx', ( ('fva', vivisect.VASET_ADDRESS), ) )
vw.addFuncAnalysisModule("vivisect.analysis.i386.thunk_bx")
vw.addAnalysisModule("vivisect.analysis.generic.funcentries")
vw.addAnalysisModule("vivisect.analysis.generic.relocations")
vw.addAnalysisModule("vivisect.analysis.generic.pointertables")
vw.addAnalysisModule("vivisect.analysis.generic.emucode")
# Get PLTs taken care of early
vw.addFuncAnalysisModule("vivisect.analysis.elf.elfplt")
# Generic code block analysis
vw.addFuncAnalysisModule("vivisect.analysis.generic.codeblocks")
vw.addFuncAnalysisModule("vivisect.analysis.generic.impapi")
# Add our emulation modules
if arch == 'i386':
vw.addFuncAnalysisModule("vivisect.analysis.i386.calling")
elif arch == 'amd64':
vw.addFuncAnalysisModule("vivisect.analysis.amd64.emulation")
# Find import thunks
vw.addFuncAnalysisModule("vivisect.analysis.generic.thunks")
vw.addAnalysisModule("vivisect.analysis.generic.pointers")
elif fmt == 'macho': # MACH-O ###################################################
if arch == 'i386':
viv_analysis_i386.addEntrySigs(vw)
vw.addAnalysisModule("vivisect.analysis.i386.importcalls")
# Add the one that brute force finds function entry signatures
vw.addAnalysisModule("vivisect.analysis.generic.funcentries")
vw.addAnalysisModule("vivisect.analysis.generic.relocations")
vw.addAnalysisModule("vivisect.analysis.generic.pointertables")
vw.addAnalysisModule("vivisect.analysis.generic.emucode")
vw.addFuncAnalysisModule("vivisect.analysis.generic.codeblocks")
vw.addFuncAnalysisModule("vivisect.analysis.generic.impapi")
if arch == 'i386':
vw.addFuncAnalysisModule("vivisect.analysis.i386.calling")
elif arch == 'amd64':
vw.addFuncAnalysisModule("vivisect.analysis.amd64.emulation")
vw.addFuncAnalysisModule("vivisect.analysis.generic.thunks")
vw.addAnalysisModule("vivisect.analysis.generic.pointers")
elif fmt == 'blob': # BLOB ######################################################
vw.addAnalysisModule("vivisect.analysis.generic.funcentries")
vw.addAnalysisModule("vivisect.analysis.generic.relocations")
vw.addAnalysisModule("vivisect.analysis.generic.pointertables")
vw.addAnalysisModule("vivisect.analysis.generic.emucode")
vw.addFuncAnalysisModule("vivisect.analysis.generic.codeblocks")
vw.addFuncAnalysisModule("vivisect.analysis.generic.impapi")
vw.addFuncAnalysisModule("vivisect.analysis.generic.thunks")
elif fmt == 'ihex': # BLOB ######################################################
vw.addAnalysisModule("vivisect.analysis.generic.funcentries")
vw.addAnalysisModule("vivisect.analysis.generic.relocations")
#vw.addAnalysisModule("vivisect.analysis.generic.pointertables")
vw.addAnalysisModule("vivisect.analysis.generic.emucode")
vw.addFuncAnalysisModule("vivisect.analysis.generic.codeblocks")
vw.addFuncAnalysisModule("vivisect.analysis.generic.impapi")
vw.addFuncAnalysisModule("vivisect.analysis.generic.thunks")
else:
raise Exception('Analysis modules unknown for format: %s' % fmt)
