def get_commands(): for f in db.xref.code(0x44c8f8): prev_instr = db.prev(f) d = db.disasm(prev_instr) try: with open('C:\\Windows\\Temp\\commands', 'a') as f: f.write(d.split('.')[1] + '\n') except: print(d)
def FindLastAssignment(ea, register): start,end = database.guessrange(ea) while ea > start: ea = database.prev(ea) m = idc.GetMnem(ea) r = idc.GetOpnd(ea, 0) if m == 'mov' and r == register: return ea continue raise ValueError('FindLastAssignment(0x%x, %s) Found no matches'% (ea, register))
def search_malloc(addr, funcname='malloc', curr_addr_list=None): # print(hex(addr), curr_addr_list) if curr_addr_list == None: curr_addr_list = [addr] print("Addr: {}".format(addr)) curr_calls = fn.tag(addr).get('calls', {}) for ea in fn.iterate(addr): if not ins.isCall(ea): continue if ins.op_type(0) == 'reg': """ Handle this case - malloc(100) mov ebp, ds:malloc push 100 call ebp """ if funcname in db.disasm(ea): # Push before malloc "should" be within 20 instructions """ Handle this case - malloc(100) push 100 mov eax, 10 mov ebx, 20 call malloc """ search_addr = db.prev(ea) for _ in range(20): if ins.mnem(search_addr) == 'push': break search_addr = db.prev(search_addr) print("FOUND PUSH FOR MALLOC: {}".format(hex(search_addr))) malloc_value = ins.op_value(search_addr, 0) if isinstance(malloc_value, (int, long)): curr_calls[funcname] = malloc_value else: curr_calls[funcname] = 'variable' fn.tag(addr, 'calls', curr_calls) return True call = ins.op_value(ea, 0) # Don't cycle ourselves if call == addr: print("Ignoring recursive loop on function: {}".format(hex(addr))) continue # Try to know if the call operand is a valid address # Bail if not.. try: print(hex(call)) except: continue # Check if this function has been analyzed already # and return the result # Cannot return False, because that will exit the loop and not # continue to iterate over the rest of the instrutions in the function call_cache = fn.tag(call).get('calls', {}) print("Call cache: {}".format(call_cache)) if funcname in call_cache: if call_cache[funcname]: curr_calls[funcname] = call_cache[funcname] fn.tag(addr, 'calls', curr_calls) return True # Don't call functions we are currently looking into if call in curr_addr_list: continue # Only now ca curr_addr_list.append(call) search_malloc(call, funcname=funcname, curr_addr_list=curr_addr_list) curr_calls[funcname] = False fn.tag(addr, 'calls', curr_calls) return False