示例#1
0
def find_malloc_par():
    mp_ = idc.get_name_ea_simple("mp_")
    if mp_ != idc.BADADDR:
        return mp_

    segm = idaapi.get_segm_by_name("[heap]")
    if segm is None:
        return None

    offset = get_struct_offsets(malloc_par()).get('sbrk_base')
    sbrk_base = segm.start_ea
    ea = idc.get_segm_start(get_name_ea_simple("_IO_2_1_stdin_"))
    end_ea = idc.get_segm_end(ea)

    while ea < end_ea:
        ptr = config.get_ptr(ea)
        if idaapi.is_loaded(ptr) and ptr == sbrk_base:
            return (ea - offset)
        ea += config.ptr_size

    return None
示例#2
0
def find_main_arena():
    main_arena = idc.get_name_ea_simple("main_arena")  # from libc6-dbg
    if main_arena != idc.BADADDR:
        return main_arena

    ea = idc.get_segm_start(idc.get_name_ea_simple("_IO_2_1_stdin_"))
    end_ea = idc.get_segm_end(ea)

    # &main_arena->next
    offsets = {
        4: [1088, 1096],  # 32 bits
        8: [2152, 2160]  # 64 bits
    }[config.ptr_size]

    if ea == idc.BADADDR or end_ea == idc.BADADDR:
        return None

    while ea < end_ea:
        ptr = config.get_ptr(ea)  # ptr to main_arena
        if idaapi.is_loaded(ptr) and ptr < ea:
            if (ea - ptr) in offsets:
                return ptr
        ea += config.ptr_size
    return None