def SetAllConditionBpt():
ea = 0x2C13000
while ea < 0x357D000:
mnem = idc.GetMnem(ea)
if mnem == 'retn':
idc.add_bpt(ea)
ea = idc.NextHead(ea)
def get_jit_function(self):
esp = idc.get_reg_value("ESP")
method_name = self.get_method_name(esp)
function = idc.get_wide_dword(esp + 8)
method_id = idc.get_wide_dword(idc.get_wide_dword(esp + 4) + 0x20)
abc_info_pos = idc.get_wide_dword(idc.get_wide_dword(esp + 4) + 0x1C)
method_info = get_qword(abc_info_pos) + get_qword(abc_info_pos + 8)
if (self.as3dump != []):
method = next((x for x in self.as3dump if x["id"] == method_id), None)
if (method is not None and method["info"] == method_info):
method_name = method["name"]
self.set_jit_info(method_id, function)
print("Resolved jit function: 0x%x - %s" % (function, method_name))
self.rename_addr(function, method_name)
if ((method_name not in self.ignore and not self.ignore_all) or
(method_name in self.debug_if_equals) or
(any(x for x in self.debug_if_contains if method_name is not None and x in method_name))):
self.traced.append({"name": method_name, "ea": function, "type": "jit", "hit": 0})
idc.add_bpt(function)
def enable_bp_ret(funcname):
func_ea = idc.get_name_ea_simple(funcname)
bps = []
for ea in idautils.FuncItems(func_ea):
if idc.GetMnem(ea) == "retn":
idc.add_bpt(ea)
bps.append(ea)
return bps
def hook(self, hook_addr=0):
"""
Args:
hook_addr(int): address for inline hook code, 0 indicates bpt hook.
Returns:
memory size in bytes used for inline hook.
"""
self.hook_addr = hook_addr
self.func_addr = idc.get_name_ea_simple(self.name)
if self.func_addr == 0:
return 0
print("Hooking %s at 0x%x" % (self.name, self.func_addr))
if self.hook_addr == 0:
idc.add_bpt(self.func_addr)
idc.set_bpt_cond(self.func_addr, self.bpt_cond_hook_code)
return 0
else:
# assemble jmp code
jmp_code = "jmp 0x%x" % self.hook_addr
jmp_buf, _ = assemble(jmp_code, self.func_addr)
# read function prologue according to jmp code length
# NOTE: instructions like 'call $+5' in prologue will
# cause problems.
insn = idaapi.insn_t()
move_length = 0
while move_length < len(jmp_buf):
idaapi.decode_insn(insn, self.func_addr + move_length)
move_length += insn.size
prologue = idaapi.get_bytes(self.func_addr, move_length)
# write jmp code
idaapi.patch_bytes(self.func_addr, jmp_buf)
# assmble hook code
hook_buf, _ = assemble(self.inline_hook_code, self.hook_addr)
hook_buf += prologue
jmp_back_code = 'jmp 0x%x' % (self.func_addr + move_length)
jmp_back_buf, _ = assemble(jmp_back_code,
self.hook_addr + len(hook_buf))
hook_buf += jmp_back_buf
# wirte hook code
idaapi.patch_bytes(self.hook_addr, hook_buf)
return len(hook_buf)
def addTracebp(self, ea=None):
if ea is None:
ea = idc.get_screen_ea()
rea = ea - self.offset
self.tracebp.add(rea)
if not idc.add_bpt(ea):
idc.enable_bpt(ea, True)
def __call__(self):
try:
if self.hardware:
bp_flag = idc.BPT_EXEC # default is hardware https://www.hex-rays.com/products/ida/support/sdkdoc/group___b_p_t___h.html
else:
bp_flag = (idc.BPT_SOFT | idc.BPT_EXEC)
idc.add_bpt(self.address, bp_flag)
enable_res = idc.enable_bpt(self.address, True)
l.debug("bp flag value %x enable_res %s" % (bp_flag, enable_res))
self.result = enable_res
except Exception as e:
l.debug("set_breakpoint exception %s" % (e))
self.exception = True
def bp_recover(self, remove=True, suffix=""):
bplist = DbgInfo.config_load("breakpoints" + suffix, list)
if not bplist:
return False
if remove:
nbp = idc.get_bpt_qty()
bps = []
for i in range(nbp):
bp = idc.get_bpt_ea(i)
bps.append(bp)
for bp in bps:
idc.del_bpt(bp)
for bp in bplist:
ea = bp[0]
addr = ea + self.offset
idc.add_bpt(addr)
idc.enable_bpt(addr, bp[1])
return True
def bp_load(self, userbp=True, tracebp=True):
invalid = []
if tracebp:
for ea in self.tracebp:
addr = ea + self.offset
if idc.get_func_off_str(addr):
idc.add_bpt(addr)
else:
invalid.append(addr)
if userbp:
for ea in self.userbp:
addr = ea + self.offset
if idc.get_func_off_str(addr):
idc.add_bpt(addr)
else:
invalid.append(addr)
if invalid:
print("invalid ea:", str(invalid))
self.invalidbp = invalid
def set_watchpoint(self, address, *args, **kwargs):
"""Inserts a watchpoint which is triggered when a read or a write is executed on address
:param address: The name of a variable or an address to watch
:param bool temporary: Temporary breakpoint
:returns: True on success else False
"""
idc.add_bpt(address)
bp_flag = idc.BPT_RDWR # BPT_RDWR = 3 https://www.hex-rays.com/products/ida/support/sdkdoc/group___b_p_t___h.html setting Read Write breakpoint because some debuggers (Linux local) doesn't support
l.debug("ida target set_watchpoing at %x value" % (address))
idc.set_bpt_attr(address, idc.BPTATTR_SIZE, 1)
attr_res = idc.set_bpt_attr(address, idc.BPTATTR_TYPE, bp_flag)
enable_res = idc.enable_bpt(address, True)
l.debug("bp flag value %x attr_res %s enable_res %s" %
(bp_flag, attr_res, enable_res))
return attr_res and enable_res # return False if enable or setting attributes fails
def addReadWriteTrace(addr, bpt_size = 1):
result = idc.add_bpt(addr, bpt_size, BreakpointMode.ReadWrite)
if result == False:
raise AddTraceError(addr, "Unable to set breakpoint at the given address.")
pbpt = ida_dbg.bpt_t()
ida_dbg.get_bpt(addr, pbpt)
pbpt.flags = 10
result = ida_dbg.update_bpt(pbpt)
if result == False:
raise AddTraceError(addr, "Unable to a 'trace-breakpoint' at the given address.")
def get_native_function(self):
ecx = idc.get_reg_value("ECX")
esp = idc.get_reg_value("ESP")
method_name = self.get_method_name(esp)
if (idc.get_wide_byte(idc.get_wide_dword(ecx + 8) + 0x38) != 0):
function = idc.get_wide_dword(idc.get_wide_dword(esp + 4) + 0x28)
else:
function = idc.get_wide_dword(idc.get_wide_dword(esp + 4) + 0x24)
print("Resolved native function: 0x%x - %s" % (function, method_name))
if ((method_name not in self.ignore and not self.ignore_all) or
(method_name in self.debug_if_equals) or
(any(x for x in self.debug_if_contains if method_name is not None and x in method_name))):
self.traced.append({"name": method_name, "ea": function, "type": "native", "hit": 0})
idc.add_bpt(function)
def addbp(self, instr, ea=None):
if ea is None:
ea = idc.get_screen_ea()
func = idaapi.get_func(ea)
start_ea = func.start_ea
instrtable = self.get_func_instr(startEA)
l = instrtable.get(instr)
if l:
for disa in l:
pos = disa.offset + start_ea
if not idc.add_bpt(pos):
idc.enable_bpt(pos, True)
def addbp2(self, ea=None):
if ea is None:
ea = idc.get_screen_ea()
func = idaapi.get_func(ea)
start_ea = func.start_ea
bps = self.get_bp2(start_ea)
if bps.add(ea):
if not idc.add_bpt(ea):
idc.enable_bpt(ea, True)
return bps
else:
return False
def get_interpreted_function(self, eip):
if (eip == self.addr["setInterp"]):
esp = idc.get_reg_value("ESP")
self.method_name = self.get_method_name(esp)
self.is_interpreted_state = True
elif (eip == self.addr["setInterpRet"] and self.is_interpreted_state):
function = idc.get_reg_value("EAX")
print("Resolved interpreted function: 0x%x - %s" % (function, self.method_name))
if ((self.method_name not in self.ignore and not self.ignore_all) or
(self.method_name in self.debug_if_equals) or
(any(x for x in self.debug_if_contains if self.method_name is not None and x in self.method_name))):
self.traced.append({"name": self.method_name, "ea": function, "type": "interp", "hit": 0})
idc.add_bpt(function)
self.is_interpreted_state = False
def addcallinfo(self, called, caller, tid=0):
offcaller = idc.get_func_off_str(caller)
ecalled = called - self.offset
calledinfo = self.get_callinfo(ecalled, tid)
if not offcaller:
calledinfo.ncalled += 1
return False
ecaller = caller - self.offset
l = offcaller.split("+")
if len(l) > 1:
eafn = ecaller - int(l[1], 16)
else:
eafn = ecaller
callerinfo = self.get_callinfo(eafn, tid)
callerinfo.addcall(ecalled, ecaller)
if calledinfo.addcalled(ecaller):
common.common_cmt(called, calledinfo.calledlist.keys(),
"called by: ", self.offset, False)
bpea = eafn + self.offset
if self.enabletrace:
if not idc.add_bpt(bpea):
idc.enable_bpt(bpea, True)
return True
def add_func(self):
_var_debug()
funcname = self.funcinput.text().encode('utf-8').strip()
if funcname:
afn = idc.get_name_ea_simple(funcname) # LocByName
if afn & 1:
self.funcinput.setText(funcname + " is not a function")
return False
else:
ea = idc.get_screen_ea()
func = idaapi.get_func(ea)
if not func:
return False
afn = func.start_ea
dbginfo = self.dbginfo
arg = dbginfo.append_func_watch(afn)
if not idc.add_bpt(afn):
idc.enable_bpt(afn, True)
# dbginfo.addbp("RET", afn)
if arg:
self.argtree_append(arg)
return True
return False
def set_breakpoint(ea, isthumb=1):
idc.SetReg(ea, "T", 1)
idc.MakeCode(ea)
idc.add_bpt(ea)
#!/usr/bin/python
import idc
import idautils
func_list = [
"kernelbase_VirtualAlloc",
"kernelbase_VirtualProtect",
"kernel32_CreateThread",
"kernelbase_CreateProcessA",
"kernelbase_CreateProcessInternalA"
"kernelbase_CreateProcessW",
"kernelbase_CreateProcessAsUserW",
"kernel32_FindResourceA",
"kernelbase_LoadResource",
]
if __name__ == "__main__":
for func in func_list:
func_addr = idc.LocByName(func)
print "Set BreakPoint: %X, %s" % (func_addr, func)
idc.add_bpt(func_addr, 0, BPT_SOFT)
idc.enable_bpt(func_addr, True)
def set_breakpoints(self): idc.add_bpt(self.addr["verifyNative"]) idc.add_bpt(self.addr["setJit"]) idc.add_bpt(self.addr["setInterp"]) idc.add_bpt(self.addr["setInterpRet"]) idc.add_bpt(self.addr["writePrologue"]) idc.add_bpt(self.addr["hasReachableExceptionsRet"])
def set_breakpoint(ea):
# idc.SetReg(ea, "T", 1)
idc.MakeCode(ea)
idc.add_bpt(ea)