我们从Python开源项目中,提取了以下5个代码示例,用于说明如何使用idc.FUNCATTR_START。
def revise_syscall(rename=False): if not rename: print('Change the function name with `CGCHeler.revise_syscall(True)`.') # visit all instructions start_ea, end_ea = utils.get_seg_range('.text') eax = -1 ip = start_ea while ip < end_ea and ip != idaapi.BADADDR: if 'int' in idc.GetMnem(ip) and '80h' == idc.GetOpnd(ip, 0): if eax != -1: # fix comment and function name print('{}: {}'.format(hex(ip), syscall_table[eax])) idc.MakeComm(ip, 'CGC syscall: {}'.format(syscall_table[eax])) if rename: print('Change {} to {}'.format(idc.GetFunctionName(ip), syscall_table[eax])) idc.MakeName(idc.GetFunctionAttr(ip, idc.FUNCATTR_START), syscall_table[eax]) elif 'mov' in idc.GetMnem(ip) and 'eax' == idc.GetOpnd(ip, 0) and 5 == idc.GetOpType(ip, 1): value = idc.GetOpnd(ip, 1) if re.search('^[0-9]+$', value) != None: eax = int(value) if eax > 7 or eax < 1: eax = -1 ip = idc.NextHead(ip)
def _refs_to_tablegroup(self): from itertools import chain if self.tablegroup is None: return [] candidates = [] # For now just use the first table array primary_table = self.tablegroup.primary_table() # When debug symbols are present, the decompile will usually # refer to the function table as an offset from the start # of the vtable, so also allow references to that. references = chain(idautils.XrefsTo(primary_table.address_point), idautils.XrefsTo(self.tablegroup.ea)) for ref in references: start = as_signed(idc.GetFunctionAttr(ref.frm, idc.FUNCATTR_START), TARGET_ADDRESS_SIZE) if start == -1: continue candidates.append(start) return candidates
def output_symbols(out): """Dump symbols.""" try: from idaapi import get_func_name2 as get_func_name # Since get_func_name is deprecated (at least from IDA 6.9) except ImportError: from idaapi import get_func_name # Older versions of IDA don't have get_func_name2 # so we just use the older name get_func_name def func_name_propagate_thunk(ea): current_name = get_func_name(ea) if current_name[0].isalpha(): return current_name func = idaapi.get_func(ea) temp_ptr = idaapi.ea_pointer() ea_new = idaapi.BADADDR if func.flags & idaapi.FUNC_THUNK == idaapi.FUNC_THUNK: ea_new = idaapi.calc_thunk_func_target(func, temp_ptr.cast()) if ea_new != idaapi.BADADDR: ea = ea_new propagated_name = get_func_name(ea) or '' # Ensure it is not `None` if len(current_name) > len(propagated_name) > 0: return propagated_name else: return current_name # Fallback to non-propagated name for weird times that IDA gives # a 0 length name, or finds a longer import name for ea in idautils.Segments(): fs = idautils.Functions(idc.SegStart(ea), idc.SegEnd(ea)) for f in fs: out.write('("%s" 0x%x 0x%x)\n' % ( func_name_propagate_thunk(f), idc.GetFunctionAttr(f, idc.FUNCATTR_START), idc.GetFunctionAttr(f, idc.FUNCATTR_END)))
def getMinorDispatchTableAddress(ea): """find address of last lea in function""" start = idc.GetFunctionAttr(ea, idc.FUNCATTR_START) end = idc.PrevHead( idc.GetFunctionAttr(ea, idc.FUNCATTR_END), start) res = prevMnemonic(end, 'lea', start) assert res != idc.BADADDR return idc.GetOperandValue(res, 1)
def activate(self, ctx): hx_view = idaapi.get_tform_vdui(ctx.form) address = hx_view.cfunc.entry_ea xref_ea = idaapi.get_first_cref_to(address) xrefs = set() while xref_ea != idaapi.BADADDR: xref_func_ea = idc.GetFunctionAttr(xref_ea, idc.FUNCATTR_START) if xref_func_ea != idaapi.BADADDR: xrefs.add(xref_func_ea) else: print "[Warning] Function not found at 0x{0:08X}".format(xref_ea) xref_ea = idaapi.get_next_cref_to(address, xref_ea) for func_ea in xrefs: visitor = VariableLookupVisitor(address) try: cfunc = idaapi.decompile(func_ea) if cfunc: FunctionTouchVisitor(cfunc).process() visitor.apply_to(cfunc.body, None) for idx in visitor.result: scanner = DeepSearchVisitor(cfunc, 0, idx) scanner.process() for field in scanner.candidates: self.temporary_structure.add_row(field) except idaapi.DecompilationFailure: print "[Warning] Failed to decompile function at 0x{0:08X}".format(xref_ea) DeepSearchVisitor.clear()
