Python idautils.DataRefsFrom() Examples
The following are 6 code examples of idautils.DataRefsFrom(), the IDAPython helper that yields the target addresses of the data cross-references originating at a given address. Note (see Example #6) that its result is an iterator, not a list, so it must be materialised or consumed before being tested for emptiness.
Example #1
Source File: hint_calls.py From idawilli with Apache License 2.0 | 6 votes |
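def enum_string_refs_in_function(fva):
    '''
    yield the string references in the given function.

    Args:
      fva (int): the starting address of a function

    Yields:
      tuple[int, int, str]: one tuple per string reference, holding:
        - the address of the instruction referencing a string
        - the address of the string
        - the string contents, passed through ``str()`` as the original did

    Notes:
      A data reference whose target is not typed as a string literal
      (``idc.GetStringType`` outside the 0..7 range this function accepts)
      is skipped, as is one whose contents cannot be read.  The original
      wrapped the result of ``idc.GetString`` in ``str()`` unconditionally,
      which turned a failed read (``None``) into the literal text "None";
      such references are now dropped instead of being yielded.

      The yielded text is read straight out of the binary under analysis
      and is therefore untrusted input; callers that render it (hints, UI,
      reports) should treat it accordingly.
    '''
    # -1 asks IDA to compute the string length from the item at ``ref``
    CALC_MAX_LEN = -1
    for ea in enum_function_addrs(fva):
        for ref in idautils.DataRefsFrom(ea):
            stype = idc.GetStringType(ref)
            # non-string items report a negative type; anything above 7 is
            # not a string literal type this function knows how to read
            if stype < 0 or stype > 7:
                continue
            contents = idc.GetString(ref, CALC_MAX_LEN, stype)
            if contents is None:
                # typed as a string, but the bytes could not be read
                continue
            yield ea, ref, str(contents)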
Example #2
Source File: line.py From Sark with MIT License | 5 votes |
def drefs_from(self):
    """Destination addresses of data references from this line.

    Returns:
        Whatever ``idautils.DataRefsFrom`` returns for this line's
        effective address (``self.ea``) -- an iterable of target addresses.
    """
    line_ea = self.ea
    return idautils.DataRefsFrom(line_ea)
Example #3
Source File: analyser.py From UEFI_RETool with MIT License | 5 votes |
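def _find_guid_load(self, address):
    """Walk backwards from ``address`` to the instruction that loads a GUID.

    Scans the heads preceding ``address`` for the architecture-specific
    idiom used to hand a protocol GUID to a boot service: a ``push`` whose
    first operand is above ``self.base`` on x86 (at most 24 heads back), or
    a ``lea`` whose second operand is above ``self.base`` on x64 (at most 15
    heads back).  The look-back bounds and the ``> self.base`` test are
    heuristics carried over from the original implementation, not derived
    from the ABI.

    Returns:
        The address of the matching instruction, or ``None`` when nothing
        matches or ``self.arch`` is neither ``'x86'`` nor ``'x64'``.
    """
    if self.arch == 'x86':
        operand, mnemonic, max_back = 0, 'push', 24
    elif self.arch == 'x64':
        operand, mnemonic, max_back = 1, 'lea', 15
    else:
        return None
    ea = address
    for _ in range(max_back):
        ea = idc.prev_head(ea)
        if (idc.get_operand_value(ea, operand) > self.base
                and idc.print_insn_mnem(ea) == mnemonic):
            return ea
    return None

def get_protocols(self):
    """Collect the UEFI protocol GUIDs passed to the boot services in the idb.

    ``self.gBServices`` maps a service name to the call-site addresses found
    for it.  For every call site the GUID-loading instruction is located with
    ``_find_guid_load``; each data reference from that instruction that is
    not an instruction itself and passes ``check_guid`` becomes a record
    ``{'address', 'service', 'guid'}`` appended to ``self.Protocols['all']``
    (duplicate records are dropped).

    The GUID bytes are read from the firmware image under analysis, i.e.
    attacker-controlled data; ``check_guid`` is the only validation applied
    before ``get_guid`` parses them.
    """
    all_protocols = self.Protocols['all']
    for service_name, addresses in self.gBServices.items():
        for address in addresses:
            load_ea = self._find_guid_load(address)
            if load_ea is None:
                continue
            for xref in idautils.DataRefsFrom(load_ea):
                # a non-empty mnemonic means the target is an instruction,
                # presumably not a GUID blob -- skip it
                if idc.print_insn_mnem(xref):
                    continue
                if not check_guid(xref):
                    continue
                record = {
                    'address': xref,
                    'service': service_name,
                    'guid': get_guid(xref),
                }
                # ``in`` short-circuits where list.count() scanned the whole
                # list; the outcome is identical
                if record not in all_protocols:
                    all_protocols.append(record)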
Example #4
Source File: identity_hash.py From rematch with GNU General Public License v3.0 | 5 votes |
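def data(self):
    """Compute the identity hash of the function at ``self.offset``.

    Feeds bytes of every item returned by ``idautils.FuncItems`` into the
    rolling hash ``self._cycle``, seeded with ``self.keleven``.  The first
    byte of each item is always hashed; the remaining bytes are hashed only
    when the item has no code reference (``CodeRefsFrom(ea, False)``, i.e.
    ordinary flow excluded) and no data reference, so that items containing
    an offset do not contribute their variable bytes.

    Returns:
        The final hash value, of whatever type ``self._cycle`` produces.

    Bug fixed here: ``idautils.CodeRefsFrom`` and ``idautils.DataRefsFrom``
    return generator objects, which are always truthy, so the original test
    ``if CodeRefsFrom(...) or DataRefsFrom(...)`` was true for every item
    and the hash only ever covered first bytes.  The checks now consume the
    generators, so hashes produced by this version differ from any stored
    by the previous one.
    """
    h = self.keleven
    for ea in idautils.FuncItems(self.offset):
        h = self._cycle(h, idc.Byte(ea))
        # skip additional bytes of any instruction that contains an offset
        # in it; ``any(True for _ in ...)`` stops at the first reference and
        # works whether the API hands back a generator or a list
        has_ref = (any(True for _ in idautils.CodeRefsFrom(ea, False))
                   or any(True for _ in idautils.DataRefsFrom(ea)))
        if has_ref:
            continue
        for i in range(ea + 1, ea + idc.ItemSize(ea)):
            h = self._cycle(h, idc.Byte(i))
    return h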
Example #5
Source File: Stingray.py From Stingray with GNU General Public License v3.0 | 5 votes |
def find_function_strings(func_ea):
    """Collect the strings referenced from the function starting at ``func_ea``.

    Walks every head between ``func_ea`` and the end reported by
    ``idc.FindFuncEnd`` and tries to build a ``String`` from each data
    reference.  References for which ``String`` raises
    ``StringParsingException`` are ignored.

    Returns:
        A list of ``String`` objects (possibly empty), or ``None`` when IDA
        reports ``idaapi.BADADDR`` as the function end.  Callers must be
        prepared for both "nothing found" shapes.
    """
    func_end = idc.FindFuncEnd(func_ea)
    if func_end == idaapi.BADADDR:
        return None
    found = []
    for head_ea in idautils.Heads(func_ea, func_end):
        for target in idautils.DataRefsFrom(head_ea):
            try:
                parsed = String(head_ea, target)
            except StringParsingException:
                continue
            found.append(parsed)
    return found
Example #6
Source File: disassembler.py From vt-ida-plugin with Apache License 2.0 | 4 votes |
def get_opcodes(addr, strict):
    """Return the bytes of the instruction at ``addr`` as a search pattern.

    Args:
        addr: address of the instruction to encode.
        strict: when True, immediate operands (``o_imm``) are treated as
            offsets and wildcarded as well; when False only ``o_far`` and
            ``o_mem`` operands are.

    Returns:
        A hex-encoded string of the raw instruction bytes, or the result of
        ``Disassembler.wildcard_instruction`` when the instruction carries an
        address-like operand or is a CALL / non-near JMP.  Returns the
        integer ``0`` (not a string) when ``idautils.DecodeInstruction``
        cannot decode ``addr``; callers must check for that.
    """
    offsets_types = {idaapi.o_far, idaapi.o_mem}
    if strict:
        offsets_types.add(idaapi.o_imm)

    insn = idautils.DecodeInstruction(addr)
    if insn is None:
        return 0

    op1_type = insn.Op1.type
    op2_type = insn.Op2.type
    logging.debug(
        '[VTGREP] Instruction: %s [%d, %d, %d]',
        idc.generate_disasm_line(addr, 0), insn.itype, op1_type, op2_type
    )
    inst_len = idc.get_item_size(addr)
    # DataRefsFrom yields lazily; materialise so the emptiness test is real
    has_dref = bool(list(idautils.DataRefsFrom(addr)))

    # Operands that embed an address: a data reference paired with an
    # immediate operand, or any operand of an offset type
    refers_to_memory = (
        (has_dref and (op1_type == idaapi.o_imm or op2_type == idaapi.o_imm))
        or op1_type in offsets_types
        or op2_type in offsets_types
    )
    # CALLs (near or far) and JMPs other than near jumps are wildcarded too
    is_call_or_far_jmp = (
        insn.itype == idaapi.NN_call
        or (insn.itype == idaapi.NN_jmp and op1_type != idaapi.o_near)
    )

    if refers_to_memory or is_call_or_far_jmp:
        return Disassembler.wildcard_instruction(addr)

    # Any other instruction contributes its raw bytes, hex encoded
    raw = binascii.hexlify(idc.get_bytes(addr, inst_len))
    return raw.decode('utf-8')