我们从Python开源项目中,提取了以下12个代码示例,用于说明如何使用idc.LocByName()。
def main(): ibt = IdaBackTracer() for ibt.api in ibt.send_api: adr = idc.LocByName(ibt.api) if ibt.api in ibt.xrefs: ibt.xrefs[ibt.api] = [] ibt.xrefs[ibt.api] = CodeRefsTo(adr, 1) for ibt.api, ref in ibt.xrefs.iteritems(): for address in list(ref): if ibt.api == "WSASendTo": arg_adr = ibt.get_arg(address, 2) print idc.GetDisasm(address) print idc.GetDisasm(arg_adr) print GetOpnd(arg_adr, 0) # TODO: Add trace function for none reg arguments like push 0, push [eax], push [0x40000000] if GetOpnd(arg_adr, 0) in ibt.registers: ibt.trace_reg(arg_adr, GetOpnd(arg_adr, 0)) #print '%d st occurance of %s in %s : %s'%(count[ibt.api], ibt.api, hex(adr),idc.GetDisasm(adr)) #print 'send buffer is %d arg of %s : %s' % (2, format(buffer,'%x'), idc.GetDisasm(buffer)) #ibt.trace_reg(buffer,GetOpnd(buffer, 0))
def getMajorDispatchTableAddress(): """find quicktime major dispatch table""" res = idc.LocByName('theQuickTimeDispatcher') res = nextMnemonic(res, 'lea', idc.GetFunctionAttr(res, idc.FUNCATTR_END)) assert res != idc.BADADDR return idc.GetOperandValue(res, 1)
def get_virtual_func_address(name, tinfo=None, offset=None): """ :param name: method name :param tinfo: class tinfo :param offset: virtual table offset :return: address of the method """ address = idc.LocByName(name) if address != idaapi.BADADDR: return address address = demangled_names.get(name, idaapi.BADADDR) if address != idaapi.BADADDR: return address + idaapi.get_imagebase() if tinfo is None or offset is None: return offset *= 8 udt_member = idaapi.udt_member_t() while tinfo.is_struct(): address = demangled_names.get(tinfo.dstr() + '::' + name, idaapi.BADADDR) if address != idaapi.BADADDR: return address + idaapi.get_imagebase() udt_member.offset = offset tinfo.find_udt_member(idaapi.STRMEM_OFFSET, udt_member) tinfo = udt_member.type offset = offset - udt_member.offset
def update(self, name, tinfo): self.name = name self.tinfo = tinfo self.name_modified = False self.tinfo_modified = False self.base_address = idc.LocByName(self.name) if self.base_address != idaapi.BADADDR: self.base_address -= idaapi.get_imagebase()
def check_init(self, adr): call_list, heap_flag = self.traverseCalls(adr) if heap_flag: return True for funcName in call_list: funcAddr = LocByName(funcName) return self.check_init(funcAddr) return False
def serialize(self): s = str(self.target_field.text()) if self.radio_addr.isChecked(): try: int(s, 16) except ValueError: print "Bad address given" return None elif self.radio_routine.isChecked(): addr = idc.LocByName(s) if addr == idc.BADADDR: print "Bad function name given" return None return specific_parameters_t()
def run(self): # -- GUI stuff self.result_widget.set_actions_visible_and_enabled(False) self.set_progress_visible(True) # ----------- # Refill the configuration file if self.configuration.ksteps != 0 and self.config_widget.radio_path_routine.isChecked(): self.k = self.configuration.ksteps # Use the ksteps given if making the path on the whole routine self.result_widget.webview.append("### Opaque predicates Detection ###\n") self.configuration.analysis_name = "static opaque" self.configuration.additional_parameters.typeid = self.configuration.additional_parameters.STANDARD target_val = str(self.config_widget.target_field.text()) start_tps = time.time() if self.config_widget.radio_addr.isChecked(): addr = utils.to_addr(target_val) self.process_routine(idaapi.get_func(addr).startEA, pred_addr=addr) elif self.config_widget.radio_routine.isChecked(): addr = idc.LocByName(target_val) if addr == idc.BADADDR: addr = utils.to_addr(target_val) self.process_routine(addr) elif self.config_widget.radio_program.isChecked(): self.process_program() else: pass self.exec_time_total = time.time() - start_tps - self.exec_time_dep self.analyse_finished = True self.broker.terminate() # -- GUI stuff self.result_widget.set_actions_visible_and_enabled(True) self.set_progress_visible(False) # ------------ self.analysis_terminated()
def copy_function(addr): func_addr = idc.LocByName(idaapi.get_func_name(addr)) if func_addr == idaapi.BADADDR: idaapi.msg("0x%08X does not belong to a defined function\n" % addr) return callTypes = ["__cdecl", "__fastcall", "__stdcall", "__thiscall", "__usercall"] funcDef = str(idaapi.decompile(func_addr)).split('\n', 1)[0] hasCallType = any(call_type in funcDef for call_type in callTypes) parenthesesStart = funcDef.find('(') parenthesesEnd = funcDef.rfind(')') funcNameStart = funcDef[0 : parenthesesStart].rfind(' ') funcNameEnd = parenthesesStart returnTypeStart = 0 returnTypeEnd = funcNameStart callType = "" if hasCallType: callTypeStart = funcDef[0 : funcNameStart].rfind(' ') callType = funcDef[callTypeStart + 1 : funcNameStart] returnTypeEnd = callTypeStart if callType == "__cdecl": callType = "" returnType = funcDef[returnTypeStart : returnTypeEnd] funcName = funcDef[funcNameStart + 1 : parenthesesStart] args = funcDef[parenthesesStart + 1 : parenthesesEnd] finalString = "{0} ({1}* {2})({3}) = ({0}({1}*)({3}))({4});".format( returnType, callType, funcName, args, "0x%08X" % func_addr ) return finalString
def bulk_function(): functionPtrs = "" for func_name in get_selected_funcs(): functionPtrDef = copy_function(idc.LocByName(func_name)) functionPtrs = functionPtrs + functionPtrDef + "\n" copy_to_clip(functionPtrs) idaapi.msg(functionPtrs)
def name_handlers(ea_from, ea_to): global COUNT addr = ea_from print "from: 0x%08x to: 0x%08x" % (addr, ea_to) while (addr < ea_to): func_to_name_ea = idc.Dword(addr) & 0xFFFFFFFE log_msg_ptr = idc.Dword(addr + 12) log_msg = idc.GetString(log_msg_ptr) #is that a function already? #There were 0 cases of this for our case if not idaapi.get_func(func_to_name_ea): print "There is no function at 0x%08x!" % func_to_name_ea idc.MakeFunction(func_to_name_ea) if "sms_Decode" in idc.GetFunctionName(func_to_name_ea) or "mm_Decode" in idc.GetFunctionName(func_to_name_ea) or "cc_Decode" in idc.GetFunctionName(func_to_name_ea) or "gmm_Decode" in idc.GetFunctionName(func_to_name_ea): print "Already named appropriately, don't overwrite" else: print "Naming %s based on %s as %s" % (idc.GetFunctionName(func_to_name_ea), log_msg, create_name(log_msg)) COUNT += 1 name = create_name(log_msg) # TODO: enable below naming ret = idc.LocByName(name) count = 1 while (ret != 0xffffffff): count += 1 ret = idc.LocByName(name + "__" + "%d" % count) idc.MakeName(func_to_name_ea, name + ("__%d" % count)*(count > 1)) addr += 16
def apply_labels(fun_names): new_sub = 0 new_som = 0 new_oth = 0 named_overwrittens = [] for f_ea, name in fun_names.iteritems(): name = re.sub('[^a-zA-Z0-9_]+', '', name) curr_name = idaapi.get_func_name(f_ea) if curr_name.startswith("sub_"): new_sub += 1 elif "_something" in curr_name: new_som += 1 else: new_oth += 1 named_overwrittens.append(curr_name) #so we don't overwrite these continue # stats counting aside, make sure we don't overwrite non-sub # functions from e.g. our IDC assignments if not curr_name.startswith("sub_") and not "_something" in curr_name: continue ret = idc.LocByName(name) count = 1 while (ret != 0xffffffff): count += 1 ret = idc.LocByName(name + "__" + "%d" % count) idc.MakeName(f_ea, name + ("__%d" % count)*(count > 1))
def parse_mpu(): """ NOTE: to find this symbol, run find_mcr.py and look for the MPU config instructions. Backtrace that function to a wrapper; backtrace that one to the MPU initialization function, which calls the wrapper in a loop using values from an array. That array is MPU_region_configs. """ mpu_struct_addr = idc.LocByName("MPU_region_configs") if mpu_struct_addr == 0xFFFFFFFF: print "NOTE: to find this symbol, run find_mcr.py and look for the MPU config instructions.\nBacktrace that function to a wrapper; backtrace that one to the MPU initialization function,\nwhich calls the wrapper in a loop using values from an array. That array is MPU_region_configs." return while(1): r = Region(mpu_struct_addr) if r.num == 0xFF: print "Delimiter found!" break else: r.pprint() mpu_struct_addr += 40 new_region = Region() new_region.set_DRNR(14) new_region.set_DRBAR(0x404E6000) # mo_call_establishment_trace_setup_msg new_region.set_size(0b01011) # 256*(2**4) aka 0x1000 aka 4096 bytes new_region.set_en(1) # enabled new_region.set_TEX_C_B(0b001,0,0) # non-cacheble new_region.set_XN(0) # no XN bit new_region.set_AP(0b011) # RW new_region.set_S(1) # shareable new_region.pprint()
