def get_commands():
for f in db.xref.code(0x44c8f8):
prev_instr = db.prev(f)
d = db.disasm(prev_instr)
try:
with open('C:\\Windows\\Temp\\commands', 'a') as f:
f.write(d.split('.')[1] + '\n')
except:
print(d)
def FindLastAssignment(ea, register):
start,end = database.guessrange(ea)
while ea > start:
ea = database.prev(ea)
m = idc.GetMnem(ea)
r = idc.GetOpnd(ea, 0)
if m == 'mov' and r == register:
return ea
continue
raise ValueError('FindLastAssignment(0x%x, %s) Found no matches'% (ea, register))
def FindLastAssignment(ea, register):
start,end = database.guessrange(ea)
while ea > start:
ea = database.prev(ea)
m = idc.GetMnem(ea)
r = idc.GetOpnd(ea, 0)
if m == 'mov' and r == register:
return ea
continue
raise ValueError('FindLastAssignment(0x%x, %s) Found no matches'% (ea, register))
def search_malloc(addr, funcname='malloc', curr_addr_list=None):
# print(hex(addr), curr_addr_list)
if curr_addr_list == None:
curr_addr_list = [addr]
print("Addr: {}".format(addr))
curr_calls = fn.tag(addr).get('calls', {})
for ea in fn.iterate(addr):
if not ins.isCall(ea):
continue
if ins.op_type(0) == 'reg':
"""
Handle this case - malloc(100)
mov ebp, ds:malloc
push 100
call ebp
"""
if funcname in db.disasm(ea):
# Push before malloc "should" be within 20 instructions
"""
Handle this case - malloc(100)
push 100
mov eax, 10
mov ebx, 20
call malloc
"""
search_addr = db.prev(ea)
for _ in range(20):
if ins.mnem(search_addr) == 'push':
break
search_addr = db.prev(search_addr)
print("FOUND PUSH FOR MALLOC: {}".format(hex(search_addr)))
malloc_value = ins.op_value(search_addr, 0)
if isinstance(malloc_value, (int, long)):
curr_calls[funcname] = malloc_value
else:
curr_calls[funcname] = 'variable'
fn.tag(addr, 'calls', curr_calls)
return True
call = ins.op_value(ea, 0)
# Don't cycle ourselves
if call == addr:
print("Ignoring recursive loop on function: {}".format(hex(addr)))
continue
# Try to know if the call operand is a valid address
# Bail if not..
try:
print(hex(call))
except:
continue
# Check if this function has been analyzed already
# and return the result
# Cannot return False, because that will exit the loop and not
# continue to iterate over the rest of the instrutions in the function
call_cache = fn.tag(call).get('calls', {})
print("Call cache: {}".format(call_cache))
if funcname in call_cache:
if call_cache[funcname]:
curr_calls[funcname] = call_cache[funcname]
fn.tag(addr, 'calls', curr_calls)
return True
# Don't call functions we are currently looking into
if call in curr_addr_list:
continue
# Only now ca
curr_addr_list.append(call)
search_malloc(call, funcname=funcname, curr_addr_list=curr_addr_list)
curr_calls[funcname] = False
fn.tag(addr, 'calls', curr_calls)
return False