def getApiMap(self): self._api_map = {} num_imports = ida_nalt.get_import_module_qty() for i in range(0, num_imports): self._import_module_name = ida_nalt.get_import_module_name(i) ida_nalt.enum_import_names(i, self._cbEnumImports) return self._api_map
def find_imported_funcs(dllname): def imp_cb(ea, name, ord): if not name: name = '' imports.append([ea, name, ord]) return True imports = [] nimps = ida_nalt.get_import_module_qty() for i in xrange(0, nimps): name = ida_nalt.get_import_module_name(i) if re.match(dllname, name, re.IGNORECASE) is None: continue ida_nalt.enum_import_names(i, imp_cb) return imports
def find_import_functions(): import ida_nalt as api imported_function_list = [] def imports_names_cb(ea, name, ord): if name is not None: imported_function_list.append(name) # True -> Continue enumeration # False -> Stop enumeration return True nimps = api.get_import_module_qty() for i in xrange(nimps): name = api.get_import_module_name(i) api.enum_import_names(i, imports_names_cb) return imported_function_list
def get_all_importfunc(): nimps = ida_nalt.get_import_module_qty() result = [] for i in range(nimps): name = ida_nalt.get_import_module_name(i) if not name: # print("Failed to get import module name for #%d" % i) # name = "<unnamed>" pass # print("Walking imports for module %s" % name) def imp_cb(ea, name, ordinal): if name: # print("%08x: %s (ordinal #%d)" % (ea, name, ordinal)) result.append(name) # True -> Continue enumeration # False -> Stop enumeration return True ida_nalt.enum_import_names(i, imp_cb) return result
def iter_imports() -> Iterable[Tuple[int, str, str]]: """ Iterates the imports, returning the address function name and namespace for the import. :yields: (address, func_name, namespace) """ for i in range(ida_nalt.get_import_module_qty()): namespace = ida_nalt.get_import_module_name(i) entries = [] def callback(addr, name, ordinal): if name: # Name will include a "__imp_" prefix if the import is accessed through # a thunk function. # Pull the address of the thunk function instead. raw_name = ida_name.get_name(addr) if raw_name.startswith("__imp_"): for xref in idautils.XrefsTo(addr): func = ida_funcs.get_func(xref.frm) if func and func.flags & ida_funcs.FUNC_THUNK: addr = func.start_ea name = ida_funcs.get_func_name(addr) break else: raise RuntimeError(f"Failed to find a thunk for {name} at 0x{addr:08X}") entries.append((addr, name)) return True # continue enumeration ida_nalt.enum_import_names(i, callback) for addr, name in entries: yield addr, name, namespace
""" summary: enumerate file imports description: Using the API to enumerate file imports. """ from __future__ import print_function import ida_nalt nimps = ida_nalt.get_import_module_qty() print("Found %d import(s)..." % nimps) for i in range(nimps): name = ida_nalt.get_import_module_name(i) if not name: print("Failed to get import module name for #%d" % i) name = "<unnamed>" print("Walking imports for module %s" % name) def imp_cb(ea, name, ordinal): if not name: print("%08x: ordinal #%d" % (ea, ordinal)) else: print("%08x: %s (ordinal #%d)" % (ea, name, ordinal)) # True -> Continue enumeration # False -> Stop enumeration return True
def iter_imports(module_name=None, api_names=None): """ Iterate the thunk function wrappers for API imports. Yields the module name, function name, and reference to function. .. code_block:: python for ea, name, module_name in utils.iter_imports(): print("{}.{} function at: 0x{:0x}".format(module_name, name, ea)) for ea, name, _ in utils.iter_imports("KERNEL32"): print("KERNEL32.{} function at: {}".format(name, ea)) for ea, name, module_name in utils.iter_imports(api_names=["GetProcAddress", "GetFileSize"]): print("{}.{} function at: {}".format(module_name, name, ea)) for ea, _, _ in utils.iter_imports("KERNEL32", "GetProcAddress"): print("KERNEL32.GetProcAddress function at: {}".format(ea)) NOTE: The same function name can be yield more than once if it appears in multiple modules or has multiple thunk wrappers. Name is the original import name and does not necessarily reflect the function name. e.g. "GetProcAddress", "GetProcAddress_0", and "GetProcAddress_1" will all be "GetProcAddress" :param module_name: Filter imports to a specified library. :param api_names: Filter imports to specific API name(s). Can be a string of a single name or list of names. :yield: (ea, api_name, module_name) """ if isinstance(api_names, str): api_names = [api_names] for i in range(ida_nalt.get_import_module_qty()): _module_name = ida_nalt.get_import_module_name(i) if not _module_name: continue if module_name and module_name.lower() != _module_name.lower(): continue entries = [] target_set = set(api_names) if api_names else None def callback(ea, name, ordinal): if name: # Sometimes IDA includes "__imp_" to the front of the name. # Strip this off to be more consistent to what you would see in the GUI. if name.startswith("__imp_"): name = name[6:] # Collect name if matches filter or if no filter set. if target_set and name in target_set: entries.append((ea, name)) target_set.remove(name) if not target_set: # Found all targeted function names. stop enumeration. return False elif not api_names: entries.append((ea, name)) return True # continue enumeration ida_nalt.enum_import_names(i, callback) for ea, name in entries: # Yield thunk wrapper functions if they exists. for xref in idautils.XrefsTo(ea): func = ida_funcs.get_func(xref.frm) if not func: continue if func.flags & ida_funcs.FUNC_THUNK: yield xref.frm, name, _module_name # Yield reference in data segment signature # (yielding after thunks, since those are more likely to be used) yield ea, name, _module_name