def btn_get_one_sink_func_xref(self, code=0):
    """
    Show the call sites of one sink ("dangerous") function.

    The function name is read from an IDA prompt and must be a key of
    SINK_FUNC. The addresses that are found are listed in a chooser and
    also stored in ``self.sink_func_xref_dict`` under that name.

    ``code`` is not used in the body; presumably it is part of the
    button-callback signature (confirm against the form definition).
    """
    tgt_t = ida_kernwin.ask_str('', 0, '请输入要查看的危险函数名')

    # Anything that is not a SINK_FUNC key (including the value returned
    # when the prompt is dismissed) ends in the "unsupported" warning.
    if tgt_t not in SINK_FUNC:
        FELogger.warn("未支持函数")
        return

    sink_mgr = FESinkFuncMgr()
    call_sites = sink_mgr.get_one_func_xref(tgt_t)
    if not call_sites:
        FELogger.warn("未找到函数%s" % tgt_t)
        return

    # Keep a private copy of the addresses for the per-function cache.
    addr_list = list(call_sites)

    # vuln=0: no analysis is run here, rows are plain call-site listings.
    rows = [
        AnalysisChooseData(vuln=0, name=tgt_t, ea=call_ea)
        for call_ea in addr_list
    ]
    self.sink_func_xref_dict[tgt_t] = addr_list

    # Columns: (unnamed, width 0), function name, address (hex).
    columns = [
        ['', 0 | ida_kernwin.Choose.CHCOL_DEC],
        ['函数名', 10 | ida_kernwin.Choose.CHCOL_PLAIN],
        ['函数地址', 10 | ida_kernwin.Choose.CHCOL_HEX],
    ]
    AnalysisChooser(title='危险函数调用地址', cols=columns, item=rows).Show()
def add_fast_dict_from_all_vuln_func(self):
    """
    Analyse every sink function that is not in the fast dict yet.

    For each (name, xref list) pair produced by the sink-function manager
    the analysis routine matching the function's tag (PRINTF, STRING,
    SCANF, SYSTEM or MEMORY) is run and its result is handed to
    ``self.add_fast_dict_from_items``. Names already present in
    ``self.vuln_func_fast_dict`` are skipped; a tag with no matching
    routine is only logged.
    """
    sink_mgr = FESinkFuncMgr()
    for func_name, xref_list in sink_mgr.gen_sink_func_xref():
        # Already analysed earlier: nothing to do for this function.
        if func_name in self.vuln_func_fast_dict:
            continue

        tag = SINK_FUNC[func_name]['tag']
        # Progress output on stdout: function name and number of call sites.
        print('func_name: ', func_name)
        print('xref_list: ', len(xref_list))

        # Pick the analysis routine for this family of functions.
        if tag == FUNC_TAG['PRINTF']:
            analyze = printf_func_analysis
        elif tag == FUNC_TAG['STRING']:
            analyze = str_func_analysis
        elif tag == FUNC_TAG['SCANF']:
            analyze = scanf_func_analysis
        elif tag == FUNC_TAG['SYSTEM']:
            analyze = system_func_analysis
        elif tag == FUNC_TAG['MEMORY']:
            analyze = mem_func_analysis
        else:
            FELogger.info("未支持函数%s" % func_name)
            continue

        self.add_fast_dict_from_items(analyze(func_name, xref_list))
def add_or_del_one_xref_bpt(self, is_add):
    """
    Add or delete breakpoints on all call sites of one sink function.

    ``is_add`` selects the operation: a value equal to True adds
    breakpoints (``idc.add_bpt``), anything else deletes them
    (``idc.del_bpt``). The function name is read from an IDA prompt and
    must be a key of SINK_FUNC. Call sites are taken from
    ``self.sink_func_xref_dict`` when the name is cached there; otherwise
    they are looked up through the sink-function manager and cached.
    """
    # Equality test kept on purpose: only True (or a value equal to it)
    # selects "add".
    if is_add == True:
        action, act_info = idc.add_bpt, '添加'
    else:
        action, act_info = idc.del_bpt, '删除'

    tgt_t = ida_kernwin.ask_str('', 0, '请输入危险函数名')
    if tgt_t not in SINK_FUNC:
        FELogger.warn("未支持函数")
        return

    if tgt_t in self.sink_func_xref_dict:
        # Cached call sites: apply the operation to each of them.
        for cached_ea in self.sink_func_xref_dict[tgt_t]:
            action(cached_ea)
    else:
        sink_mgr = FESinkFuncMgr()
        call_sites = sink_mgr.get_one_func_xref(tgt_t)
        if not call_sites:
            FELogger.warn("未找到函数%s" % tgt_t)
            return

        # Apply the operation while collecting the addresses for the cache.
        addr_list = []
        for call_ea in call_sites:
            addr_list.append(call_ea)
            action(call_ea)
        self.sink_func_xref_dict[tgt_t] = addr_list

    FELogger.info("已%s断点:危险函数调用地址(%s)" % (act_info, tgt_t))
def btn_get_sink_func_addr(self, code=0):
    """
    Show the list of sink ("dangerous") functions and their addresses.

    Every (name, address) pair produced by the sink-function manager
    becomes one chooser row. ``code`` is not used in the body.
    """
    sink_mgr = FESinkFuncMgr()

    # vuln=0: this view only lists addresses, no analysis is run.
    rows = [
        AnalysisChooseData(vuln=0, name=func_name, ea=func_addr)
        for func_name, func_addr in sink_mgr.gen_sink_func_addr()
    ]

    # Columns: (unnamed, width 0), function name, address (hex).
    columns = [
        ['', 0 | ida_kernwin.Choose.CHCOL_DEC],
        ['函数名', 10 | ida_kernwin.Choose.CHCOL_PLAIN],
        ['函数地址', 10 | ida_kernwin.Choose.CHCOL_HEX],
    ]
    AnalysisChooser(title='危险函数地址', cols=columns, item=rows).Show()
def btn_get_all_sink_func_xref(self, code=0):
    """
    Show the call sites of all sink ("dangerous") functions.

    Each call site becomes one chooser row, and the addresses of every
    function are stored in ``self.sink_func_xref_dict`` under the
    function's name, replacing any entry already there. ``code`` is not
    used in the body.
    """
    rows = []
    sink_mgr = FESinkFuncMgr()
    for func_name, xref_list in sink_mgr.gen_sink_func_xref():
        # Private copy of the addresses for the per-function cache.
        addr_list = list(xref_list)
        # vuln=0: plain call-site listing, no analysis is run here.
        rows.extend(
            AnalysisChooseData(vuln=0, name=func_name, ea=call_ea)
            for call_ea in addr_list
        )
        self.sink_func_xref_dict[func_name] = addr_list

    # Columns: (unnamed, width 0), function name, address (hex).
    columns = [
        ['', 0 | ida_kernwin.Choose.CHCOL_DEC],
        ['函数名', 10 | ida_kernwin.Choose.CHCOL_PLAIN],
        ['函数地址', 10 | ida_kernwin.Choose.CHCOL_HEX],
    ]
    AnalysisChooser(title='危险函数调用地址', cols=columns, item=rows).Show()
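def add_or_del_all_xref_bpt(self, is_add):
    """
    Add or delete breakpoints on the call sites of all sink functions.

    ``is_add`` selects the operation: a value equal to True adds
    breakpoints (``idc.add_bpt``), anything else deletes them
    (``idc.del_bpt``).

    ``self.sink_func_xref_dict`` is also filled one function at a time by
    other methods, so a non-empty dict does not mean that every sink
    function is cached. An earlier version only enumerated the sink
    functions when the dict was empty; with a partly filled dict the
    "all" operation then touched the cached functions only, while still
    reporting that all call sites were handled. The cache is therefore
    completed first, and entries that already exist are reused unchanged.
    """
    # Equality test kept on purpose: only True (or a value equal to it)
    # selects "add".
    if is_add == True:
        action = idc.add_bpt
        act_info = '添加'
    else:
        action = idc.del_bpt
        act_info = '删除'

    # Fill in every sink function that has no cache entry yet.
    mgr_t = FESinkFuncMgr()
    for func_name, xref_list in mgr_t.gen_sink_func_xref():
        if func_name not in self.sink_func_xref_dict:
            self.sink_func_xref_dict[func_name] = list(xref_list)

    # Apply the operation to every cached call site. Iterating the lists
    # directly avoids building one concatenated list with reduce().
    for addr_list in list(self.sink_func_xref_dict.values()):
        for xref_addr_t in addr_list:
            action(xref_addr_t)

    FELogger.info('已%s断点:危险函数调用地址(全部)' % act_info)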
def btn_add_one_vuln_bpt(self, code=0):
    """
    Add breakpoints at the analysed addresses of one sink function.

    The function name is read from an IDA prompt and must be a key of
    SINK_FUNC. If the name is not in ``self.vuln_func_fast_dict`` yet, the
    analysis routine matching the function's tag is run first and its
    result is handed to ``self.add_fast_dict_from_items``. Breakpoints
    are then set on every address stored for the name. ``code`` is not
    used in the body.
    """
    tgt_t = ida_kernwin.ask_str('', 0, '请输入危险函数名')
    if tgt_t not in SINK_FUNC:
        FELogger.warn("未支持函数")
        return

    if tgt_t not in self.vuln_func_fast_dict:
        sink_mgr = FESinkFuncMgr()
        call_sites = sink_mgr.get_one_func_xref(tgt_t)
        tag = SINK_FUNC[tgt_t]['tag']

        if not call_sites:
            FELogger.warn("未找到函数%s" % tgt_t)
            return

        # Pick the analysis routine for this family of functions.
        if tag == FUNC_TAG['PRINTF']:
            analyze = printf_func_analysis
        elif tag == FUNC_TAG['STRING']:
            analyze = str_func_analysis
        elif tag == FUNC_TAG['SCANF']:
            analyze = scanf_func_analysis
        elif tag == FUNC_TAG['SYSTEM']:
            analyze = system_func_analysis
        elif tag == FUNC_TAG['MEMORY']:
            analyze = mem_func_analysis
        else:
            analyze = None
            FELogger.info("未支持函数%s" % tgt_t)

        if analyze is not None:
            self.add_fast_dict_from_items(analyze(tgt_t, call_sites))

    # The name is only present if it was cached before or the analysis
    # above stored something for it.
    if tgt_t in self.vuln_func_fast_dict:
        for vuln_ea in self.vuln_func_fast_dict[tgt_t]:
            ida_dbg.add_bpt(vuln_ea, 0, idc.BPT_DEFAULT)

    # NOTE(review): as laid out here the message is logged even when no
    # address was stored for the function, so it does not prove that a
    # breakpoint was set; confirm against the original indentation.
    FELogger.info('已添加断点:危险函数漏洞分析(%s)' % tgt_t)
def btn_get_one_vuln_func(self, code=0):
    """
    Show the analysis results for the call sites of one sink function.

    The function name is read from an IDA prompt and must be a key of
    SINK_FUNC. The analysis routine matching the function's tag is run on
    its call sites, the result is handed to
    ``self.add_fast_dict_from_items`` and then shown in a chooser whose
    trailing columns depend on the tag. ``code`` is not used in the body.
    """
    tgt_t = ida_kernwin.ask_str('', 0, '请输入要查看的危险函数名')
    if tgt_t not in SINK_FUNC:
        FELogger.warn("未支持函数")
        return

    sink_mgr = FESinkFuncMgr()
    call_sites = sink_mgr.get_one_func_xref(tgt_t)
    tag = SINK_FUNC[tgt_t]['tag']

    if not call_sites:
        FELogger.warn("未找到函数%s" % tgt_t)
        return

    col_dec = ida_kernwin.Choose.CHCOL_DEC
    col_plain = ida_kernwin.Choose.CHCOL_PLAIN
    col_hex = ida_kernwin.Choose.CHCOL_HEX

    # Choose the analysis routine and the tag-specific trailing columns.
    if tag == FUNC_TAG['PRINTF']:
        # printf-family functions: format string address, text and length
        analyze = printf_func_analysis
        detail_cols = [['格式字符串地址', 10 | col_hex],
                       ['格式字符串', 15 | col_plain],
                       ['长度', 10 | col_hex]]
    elif tag == FUNC_TAG['STRING']:
        # str-family functions: source address, string and its length
        analyze = str_func_analysis
        detail_cols = [['来源地址', 10 | col_hex],
                       ['字符串', 15 | col_plain],
                       ['字符串长度', 10 | col_hex]]
    elif tag == FUNC_TAG['SCANF']:
        # scanf-family functions: same columns as the printf family
        analyze = scanf_func_analysis
        detail_cols = [['格式字符串地址', 10 | col_hex],
                       ['格式字符串', 15 | col_plain],
                       ['长度', 10 | col_hex]]
    elif tag == FUNC_TAG['SYSTEM']:
        # system function: source address and the command text
        analyze = system_func_analysis
        detail_cols = [['来源地址', 10 | col_hex],
                       ['命令语句', 15 | col_plain]]
    elif tag == FUNC_TAG['MEMORY']:
        # mem-family functions: source address, an unnamed zero-width
        # column, and a length
        analyze = mem_func_analysis
        detail_cols = [['来源地址', 10 | col_hex],
                       ['', 0 | col_plain],
                       ['字符串长度', 10 | col_hex]]
    else:
        FELogger.info("未支持函数%s" % tgt_t)
        return

    items = analyze(tgt_t, call_sites)
    self.add_fast_dict_from_items(items)

    # Leading columns shared by all tags: suspicious flag, function name,
    # call address (hex).
    cols = [['可疑', 3 | col_dec],
            ['函数名', 10 | col_plain],
            ['函数地址', 10 | col_hex]] + detail_cols
    chooser = AnalysisChooser(title='危险函数漏洞分析', cols=cols, item=items)
    chooser.Show()