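    def _searchFunctionByHeuristic(
        self, search, functionhash=None, firstcallhash=None, exact=None, heuristic=90, module=None, firstbb=None
    ):
        """
        Search memory to find a function that fulfils the options.

        @type  search: STRING or LIST
        @param search: searchCommand string to make the first selection. A LIST is
                       treated as one row of the CSV file and unpacked positionally into
                       (search, functionhash, firstcallhash, exact, version, file, firstbb);
                       the caller's list is not modified.

        @type  functionhash: STRING
        @param functionhash: the primary function hash (use makeFunctionHash to generate this value)

        @type  firstcallhash: STRING
        @param firstcallhash: the hash of the first call on single BB functions (use makeFunctionHash to generate this value)

        @type  exact: STRING
        @param exact: an exact function hash, this is a binary byte-per-byte hash (use makeFunctionHash to generate this value)

        @type  heuristic: INTEGER
        @param heuristic: heuristic threshold (percentage) to consider a real function match

        @type  module: STRING
        @param module: name of a module to restrict the search (case-insensitive substring match
                       against the module names reported by the debugger)

        @type  firstbb: STRING
        @param firstbb: generalized assembler of the first BB (to search function begin)

        @rtype: LIST or None
        @return: a list of tuples with possible function's addresses and the heuristic match
                 percentage; [(address, 100)] as soon as an exact hash matches (only when no
                 firstcallhash was supplied); None when search or functionhash is missing
        """

        # If the first argument is a LIST, decode it into the real arguments following the
        # column order of the CSV file (simple copy 'n paste support). Work on a reversed
        # *copy* so pop() yields the columns in order without mutating the caller's list.
        if isinstance(search, list):
            fields = search[::-1]
            if fields:
                search = fields.pop()
            if fields:
                functionhash = fields.pop()
            if fields:
                firstcallhash = fields.pop()
            if fields:
                exact = fields.pop()
            # The 'version' and 'file' CSV columns are informational only; skip them.
            if fields:
                fields.pop()
            if fields:
                fields.pop()
            if fields:
                firstbb = fields.pop()

        # these arguments are mandatory
        if not search or not functionhash:
            return None

        # Normalise so the exact-match branch below can test "no firstcallhash given".
        if not firstcallhash:
            firstcallhash = ""

        poss_return = []
        # The CSV stores literal "\n" sequences; turn them back into real newlines.
        # str.replace is the direct equivalent of the legacy string.replace helper.
        search = search.replace("\\n", "\n")
        if module:
            poss_functions = []
            # XXX: accessing the debugger module directly isn't the best way to do this
            for key, mod in debugger.get_all_modules().iteritems():
                if module.lower() in key.lower():
                    poss_functions += self.imm.searchCommandsOnModule(mod[0], search)
        else:
            poss_functions = self.imm.searchCommands(search)

        for poss in poss_functions:
            # Locate the beginning of the function that contains the hit.
            addy = self.imm.getFunctionBegin(poss[0])
            if not addy:
                # The hit may sit inside a module's entry-point routine, which the
                # function analysis does not always cover.
                for mod in self.imm.getAllModules().values():
                    if mod.getMainentry():
                        f = StackFunction(self.imm, mod.getMainentry())
                        if f.isInsideFunction(poss[0]):
                            addy = mod.getMainentry()
                            break
            if not addy and firstbb:
                # Try to recognise the first basic block from its generalized assembler.
                addy = self.findBasicBlockHeuristically(poss[0], firstbb)
            if not addy and firstbb:
                # Second try: start from the nearest basic-block start we can find.
                bb_start = self.findFirstBB(poss[0])
                if bb_start:
                    addy = self.findBasicBlockHeuristically(bb_start, firstbb)
            if not addy:
                # Fall back to the hit itself as the candidate start address.
                addy = poss[0]

            # Compare against the exact (byte-per-byte) hash first; an exact match ends
            # the search. Skipped when a firstcallhash was given, since that caller wants
            # the heuristic comparison instead.
            if exact:
                test = self.makeFunctionHashExact(addy)
                if exact == test and not firstcallhash:
                    return [(addy, 100)]

            perc = self.checkHeuristic(addy, functionhash, firstcallhash)
            if perc >= heuristic:
                poss_return.append((addy, perc))
        return poss_return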
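    def _searchFunctionByHeuristic(self,
                                   search,
                                   functionhash=None,
                                   firstcallhash=None,
                                   exact=None,
                                   heuristic=90,
                                   module=None,
                                   firstbb=None):
        """
        Search memory to find a function that fulfils the options.

        @type  search: STRING or LIST
        @param search: searchCommand string to make the first selection. A LIST is
                       treated as one row of the CSV file and unpacked positionally into
                       (search, functionhash, firstcallhash, exact, version, file, firstbb);
                       the caller's list is not modified.

        @type  functionhash: STRING
        @param functionhash: the primary function hash (use makeFunctionHash to generate this value)

        @type  firstcallhash: STRING
        @param firstcallhash: the hash of the first call on single BB functions (use makeFunctionHash to generate this value)

        @type  exact: STRING
        @param exact: an exact function hash, this is a binary byte-per-byte hash (use makeFunctionHash to generate this value)

        @type  heuristic: INTEGER
        @param heuristic: heuristic threshold (percentage) to consider a real function match

        @type  module: STRING
        @param module: name of a module to restrict the search (case-insensitive substring match
                       against the module names reported by the debugger)

        @type  firstbb: STRING
        @param firstbb: generalized assembler of the first BB (to search function begin)

        @rtype: LIST or None
        @return: a list of tuples with possible function's addresses and the heuristic match
                 percentage; [(address, 100)] as soon as an exact hash matches (only when no
                 firstcallhash was supplied); None when search or functionhash is missing
        """

        #if the first argument is a LIST, decode it to each real argument of the function,
        #following the order in the CSV file (simple copy 'n paste support). Pop from a
        #reversed *copy* so the caller's list is never mutated.
        if isinstance(search, list):
            columns = list(reversed(search))
            if columns: search = columns.pop()
            if columns: functionhash = columns.pop()
            if columns: firstcallhash = columns.pop()
            if columns: exact = columns.pop()
            #'version' and 'file' columns are informational only; consume and ignore them
            if columns: columns.pop()
            if columns: columns.pop()
            if columns: firstbb = columns.pop()

        #these arguments are mandatory
        if not search or not functionhash:
            return None

        #normalise so the exact-match branch can test "no firstcallhash given"
        if not firstcallhash:
            firstcallhash = ""

        #the CSV stores literal "\n" sequences; restore real newlines.
        #str.replace replaces the legacy string.replace helper with identical semantics.
        search = search.replace("\\n", "\n")
        if module:
            poss_functions = []
            #XXX: accessing the debugger module directly isn't the best way to do this
            for key, mod in debugger.get_all_modules().iteritems():
                if module.lower() in key.lower():
                    poss_functions += self.imm.searchCommandsOnModule(
                        mod[0], search)
        else:
            poss_functions = self.imm.searchCommands(search)

        poss_return = []
        for poss in poss_functions:
            addy = self._candidateStart(poss[0], firstbb)

            #Make a comparison using the exact (byte-per-byte) hash first; a match ends
            #the search. Skipped when a firstcallhash was given, because that caller
            #asked for the heuristic comparison.
            if exact:
                test = self.makeFunctionHashExact(addy)
                if exact == test and not firstcallhash:
                    return [(addy, 100)]

            perc = self.checkHeuristic(addy, functionhash, firstcallhash)
            if perc >= heuristic:
                poss_return.append((addy, perc))
        return poss_return

    def _candidateStart(self, hit, firstbb):
        """
        Resolve the most plausible function start for a search hit.

        @type  hit: DWORD
        @param hit: address of the matched instruction

        @type  firstbb: STRING
        @param firstbb: generalized assembler of the first BB, or None/"" to skip BB heuristics

        @rtype: DWORD
        @return: the function-begin address found by the debugger, a module entry point
                 containing the hit, a first-BB heuristic match, or the hit itself
        """
        addy = self.imm.getFunctionBegin(hit)
        if not addy:
            #check the entry-point routine of every module; the function analysis does
            #not always cover it
            for mod in self.imm.getAllModules().values():
                if mod.getMainentry():
                    f = StackFunction(self.imm, mod.getMainentry())
                    if f.isInsideFunction(hit):
                        addy = mod.getMainentry()
                        break
        if not addy and firstbb:
            #try to recognise the first basic block from its generalized assembler
            addy = self.findBasicBlockHeuristically(hit, firstbb)
        if not addy and firstbb:
            #2nd try: start from the nearest basic-block start we can find
            bb_start = self.findFirstBB(hit)
            if bb_start:
                addy = self.findBasicBlockHeuristically(bb_start, firstbb)
        if not addy:
            #fall back to the hit itself as the candidate start
            addy = hit
        return addy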
 def QueryAllModules(self):
     """
     Return the loaded-module table from the debugger backend.

     @return: whatever debugger.get_all_modules() returns; this method adds no
              filtering or conversion of its own
     """
     modules = debugger.get_all_modules()
     return modules
 def QueryAllModules(self):
     """
     Thin pass-through to the debugger's module listing.

     @return: the result of debugger.get_all_modules(), unchanged
     """
     return debugger.get_all_modules()  # no instance state is consulted