def is_system_lib(ea):
"""
Returns true if a segment belongs to a system library, in which case we don't want to recursively hook calls.
Covers Windows, Linux, Mac, Android, iOS
@param ea: an effective address within a function
"""
name = idc.SegName(ea)
if not name:
return False
# the below is for Windows kernel debugging
if name == 'nt':
return True
sysfolders = [re.compile("\\\\windows\\\\", re.I), re.compile("\\\\Program Files ", re.I), re.compile("/usr/", re.I), \
re.compile("/system/", re.I), re.compile("/lib/", re.I)]
m = idc.GetFirstModule()
while m:
path = idc.GetModuleName(m)
if re.search(name, path):
if any(regex.search(path) for regex in sysfolders):
return True
else:
return False
m = idc.GetNextModule(m)
return False
def guessValues(self, rawValue):
"""
Guess string values
"""
module = idc.GetModuleName(rawValue)
if module == 0:
return False
self.addParsedvalue(module, 5, "Module", hex(rawValue))
return True
def parseValue(self, rawValue):
"""
Parse the string value
@return:
"""
module = idc.GetModuleName(rawValue)
if module == 0:
return False
self.addParsedvalue(module, 5, "Module", hex(rawValue))
return True
def get_module_base(moduleName):
print moduleName
module_base = idc.GetFirstModule()
while module_base != None:
module_name = idc.GetModuleName(module_base)
if module_name.find(moduleName) >= 0:
print module_name
break
module_base = idc.GetNextModule(module_base)
return module_base
def dynamic_breakpoint(targe_type):
has_linker = False
module_base = idc.GetFirstModule()
while module_base != None:
module_name = idc.GetModuleName(module_base)
if module_name.find('linker') >= 0:
has_linker = True
break
module_base = idc.GetNextModule(module_base)
if has_linker == False:
print '[*]unable to find linker module base'
return
module_size = idc.GetModuleSize(module_base)
print '[*]found linker base=>0x%08X, Size=0x%08X' % (module_base,
module_size)
print("\t[-]begin to search DT_INIT")
init_func_ea = 0
init_array_ea = 0
# bytecode=b'\x53\x1e\x73\xb5\x03\x33\x06\x46\x0d\x46\x14\x46\x24\xd8\x13\x48\x78\x44\x01\x68\x01\x29'
bytecode = [
0x14, 0x49, 0x04, 0x20, 0x23, 0x46, 0x14, 0x4A, 0x79, 0x44, 0x7A, 0x44
]
findcode = True
for ea_offset in range(module_base, module_base + module_size):
findcode = True
for i in xrange(len(bytecode)):
if idaapi.get_byte(ea_offset + i) != bytecode[i]:
findcode = False
break
if (findcode == True):
init_func_ea = ea_offset + 0x1A
init_array_ea = ea_offset + 0x30
break
if (findcode == False):
print("can't find bytecode")
return
print "\t[-]found INIT=>0x%08X INIT_ARRAY=>0x%08X" % (init_func_ea,
init_array_ea)
print("\t[-]try set breakpoint there")
if targe_type == 12:
idc.AddBpt(init_func_ea)
if targe_type == 25:
idc.AddBpt(init_array_ea)
print("[*]script finish")