def is_system_lib(ea): """ Returns true if a segment belongs to a system library, in which case we don't want to recursively hook calls. Covers Windows, Linux, Mac, Android, iOS @param ea: an effective address within a function """ name = idc.SegName(ea) if not name: return False # the below is for Windows kernel debugging if name == 'nt': return True sysfolders = [re.compile("\\\\windows\\\\", re.I), re.compile("\\\\Program Files ", re.I), re.compile("/usr/", re.I), \ re.compile("/system/", re.I), re.compile("/lib/", re.I)] m = idc.GetFirstModule() while m: path = idc.GetModuleName(m) if re.search(name, path): if any(regex.search(path) for regex in sysfolders): return True else: return False m = idc.GetNextModule(m) return False
def guessValues(self, rawValue): """ Guess string values """ module = idc.GetModuleName(rawValue) if module == 0: return False self.addParsedvalue(module, 5, "Module", hex(rawValue)) return True
def parseValue(self, rawValue): """ Parse the string value @return: """ module = idc.GetModuleName(rawValue) if module == 0: return False self.addParsedvalue(module, 5, "Module", hex(rawValue)) return True
def get_module_base(moduleName): print moduleName module_base = idc.GetFirstModule() while module_base != None: module_name = idc.GetModuleName(module_base) if module_name.find(moduleName) >= 0: print module_name break module_base = idc.GetNextModule(module_base) return module_base
def dynamic_breakpoint(targe_type): has_linker = False module_base = idc.GetFirstModule() while module_base != None: module_name = idc.GetModuleName(module_base) if module_name.find('linker') >= 0: has_linker = True break module_base = idc.GetNextModule(module_base) if has_linker == False: print '[*]unable to find linker module base' return module_size = idc.GetModuleSize(module_base) print '[*]found linker base=>0x%08X, Size=0x%08X' % (module_base, module_size) print("\t[-]begin to search DT_INIT") init_func_ea = 0 init_array_ea = 0 # bytecode=b'\x53\x1e\x73\xb5\x03\x33\x06\x46\x0d\x46\x14\x46\x24\xd8\x13\x48\x78\x44\x01\x68\x01\x29' bytecode = [ 0x14, 0x49, 0x04, 0x20, 0x23, 0x46, 0x14, 0x4A, 0x79, 0x44, 0x7A, 0x44 ] findcode = True for ea_offset in range(module_base, module_base + module_size): findcode = True for i in xrange(len(bytecode)): if idaapi.get_byte(ea_offset + i) != bytecode[i]: findcode = False break if (findcode == True): init_func_ea = ea_offset + 0x1A init_array_ea = ea_offset + 0x30 break if (findcode == False): print("can't find bytecode") return print "\t[-]found INIT=>0x%08X INIT_ARRAY=>0x%08X" % (init_func_ea, init_array_ea) print("\t[-]try set breakpoint there") if targe_type == 12: idc.AddBpt(init_func_ea) if targe_type == 25: idc.AddBpt(init_array_ea) print("[*]script finish")