Python idc.FUNC_LIB Examples
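The following are 7 code examples that use idc.FUNC_LIB, the IDAPython flag bit that marks a function as library code. It is a constant tested against a function's flags, not a callable.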
Example #1
Source File: win_driver_plugin.py From win_driver_plugin with BSD 3-Clause "New" or "Revised" License | 13 votes |
def find_dispatch_by_struct_index():
    """Collect dispatch-function candidates from stores to offset 70h of a structure.

    Every function not flagged as library code is scanned instruction by
    instruction. For each ``mov`` whose destination operand text contains
    ``+70h`` and whose source operand has operand type 5, the source operand
    text is recorded. Based off of
    https://github.com/kbandla/ImmunityDebugger/blob/master/1.73/Libs/driverlib.py

    The match is a substring test on the rendered operand, so the result is a
    list of candidates to review by hand, not a confirmed dispatch routine:
    any ``mov`` to a ``+70h`` displacement qualifies, whatever the base
    structure is.

    Returns:
        set: the distinct source-operand strings as IDA renders them.
    """
    # NOTE(review): get_func_flags is the IDA 7.x spelling while startEA,
    # endEA, GetMnem, GetOpnd, GetOpType and NextHead are the older names --
    # confirm the target IDA build still provides the compatibility layer.
    candidates = set()
    for start_ea in idautils.Functions():
        # Library code (FUNC_LIB) is not scanned.
        if idc.get_func_flags(start_ea) & idc.FUNC_LIB:
            continue
        body = idaapi.get_func(start_ea)
        ea = body.startEA
        while ea < body.endEA:
            is_candidate = (
                idc.GetMnem(ea) == 'mov'
                and '+70h' in idc.GetOpnd(ea, 0)
                # 5 is presumably o_imm (immediate operand) -- confirm
                # against the SDK headers of the IDA version in use.
                and idc.GetOpType(ea, 1) == 5
            )
            if is_candidate:
                candidates.add(idc.GetOpnd(ea, 1))
            ea = idc.NextHead(ea)
    return candidates
Example #2
Source File: functions_plus.py From functions-plus with MIT License | 6 votes |
def _handle_function_data_instance(self, function_tree, root):
    '''
    Fills in and colours the tree row for one FunctionData instance.

    The node's address and flags are handed to ``self.cols`` first, then
    every column except column 0 gets its text from ``self.cols.item``.
    All columns, column 0 included, are given a background colour when the
    function is a thunk or a library function. The library colour is
    applied last, so it is the one that remains when both flags are set.

    function_tree: node exposing ``flags`` and ``addr``.
    root: row object exposing ``setText`` and ``setBackground``.
    '''
    func_flags = int(function_tree.flags)
    func_addr = function_tree.addr
    self.cols.set_data(func_addr, func_flags)

    is_thunk = func_flags & idc.FUNC_THUNK
    is_library = func_flags & idc.FUNC_LIB

    for column in xrange(0, len(self.cols.names)):
        # Column 0 keeps whatever text the row already has.
        if column > 0:
            root.setText(column, self.cols.item(column))
        if is_thunk:
            root.setBackground(column, QtGui.QColor('#E8DAEF'))
        if is_library:
            root.setBackground(column, QtGui.QColor('#D1F2EB'))
Example #3
Source File: win_driver_plugin.py From win_driver_plugin with BSD 3-Clause "New" or "Revised" License | 5 votes |
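def find_dispatch_by_cfg():
    """
    Guesses the dispatch function from the call graph.

    Finds the functions in the binary which are not directly called anywhere
    and counts how many references they make to other functions, returning
    all functions which reference > 0 other functions but are not referenced
    themselves. As a dispatch function is not normally directly called but
    will normally call many other functions, this is a fairly good way to
    guess which function it is.

    What is counted is code references into non-library functions, so two
    calls to the same callee count twice. Only library *callees* are
    skipped; the referring function is not checked against FUNC_LIB. Treat
    the result as a ranked list of candidates to confirm manually.

    Returns:
        list: function names, highest reference count first, that never
        appear as the target of a code reference.
    """
    # NOTE(review): get_func_flags is the IDA 7.x spelling while
    # GetFunctionName is the older name -- confirm the target IDA build
    # still provides the compatibility layer.
    called = set()
    caller = dict()
    # Loop through all the functions in the binary
    for function_ea in idautils.Functions():
        flags = idc.get_func_flags(function_ea)
        # skip library functions
        if flags & idc.FUNC_LIB:
            continue
        f_name = idc.GetFunctionName(function_ea)
        # For each of the incoming references
        for ref_ea in idautils.CodeRefsTo(function_ea, 0):
            called.add(f_name)
            # Get the name of the referring function
            caller_name = idc.GetFunctionName(ref_ea)
            if not caller_name:
                # The reference comes from code that belongs to no function,
                # so there is no name to report. Without this guard an empty
                # string would be counted and returned as a candidate.
                continue
            caller[caller_name] = caller.get(caller_name, 0) + 1

    # One stable sort replaces the repeated max()/del loop. Ties keep the
    # dictionary's iteration order, which is what picking max() repeatedly
    # produced.
    ranked = sorted(caller, key=caller.get, reverse=True)
    return [name for name in ranked if name not in called]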
Example #4
Source File: hook_lib_funcs.py From IDAngr with BSD 2-Clause "Simplified" License | 5 votes |
def hook_lib_funcs():
    """Hook every library function IDA recognised with a matching replacement.

    Loads the project through ``angrdbg.load_project``, then for each
    function carrying FUNC_LIB looks its name up with ``search_simproc``.
    When a result is found, the name and the result are printed and an
    instance of it is installed with ``project.hook_symbol`` at the
    function's address.

    The choice of replacement rests entirely on the name IDA assigned and on
    the FUNC_LIB flag. A function that was mislabelled is therefore modelled
    by a procedure that does not match its real behaviour, so review the
    printed pairs before trusting analysis results.
    """
    from angrdbg import load_project

    proj = load_project()
    for func_ea in idautils.Functions():
        # Only functions flagged as library code are candidates.
        if not idc.GetFunctionFlags(func_ea) & idc.FUNC_LIB:
            continue
        func_name = idc.GetFunctionName(func_ea)
        # search_simproc is defined elsewhere; presumably it returns a
        # SimProcedure class or None -- confirm.
        procedure = search_simproc(func_name)
        if procedure is None:
            continue
        print func_name, procedure
        proj.hook_symbol(func_ea, procedure())
Example #5
Source File: functions_plus.py From functions-plus with MIT License | 5 votes |
def __init__(self, show_extra_fields):
    '''
    Sets up the column titles and the per-column value handlers.

    ``self.handlers`` maps a column index to a zero-argument callable. The
    callables read ``self.addr`` and ``self.flags`` when they are invoked,
    not when they are created, so both attributes start as None and are
    expected to be set before a column is rendered.

    show_extra_fields: when true, seven single-letter flag columns are
    appended after the six basic ones.
    '''
    self.addr = None
    self.flags = None
    self.show_extra_fields = show_extra_fields

    self.names = ['Name', 'Address', 'Segment', 'Length', 'Locals', 'Arguments']

    handlers = {}
    handlers[0] = lambda: None
    handlers[1] = lambda: self.fmt(self.addr)
    handlers[2] = lambda: '{}'.format(idc.get_segm_name(self.addr))
    # Length is the function end attribute minus the current address.
    handlers[3] = lambda: self.fmt(
        idc.get_func_attr(self.addr, idc.FUNCATTR_END) - self.addr)
    handlers[4] = lambda: self.fmt(
        idc.get_func_attr(self.addr, idc.FUNCATTR_FRSIZE))
    handlers[5] = lambda: self.fmt(
        idc.get_func_attr(self.addr, idc.FUNCATTR_ARGSIZE))
    self.handlers = handlers

    if not self.show_extra_fields:
        return

    self.names += ['R', 'F', 'L', 'S', 'B', 'T', '=']
    # TODO: add Lumina column info
    flag_columns = {
        # 'R' is shown when FUNC_NORET is NOT set: "not" applies to the
        # whole "flags & FUNC_NORET" expression.
        6: lambda: self.is_true(not self.flags & idc.FUNC_NORET, 'R'),
        7: lambda: self.is_true(self.flags & idc.FUNC_FAR, 'F'),
        8: lambda: self.is_true(self.flags & idc.FUNC_LIB, 'L'),
        9: lambda: self.is_true(self.flags & idc.FUNC_STATIC, 'S'),
        10: lambda: self.is_true(self.flags & idc.FUNC_FRAME, 'B'),
        # 'T' depends on idc.get_type returning a truthy value for addr.
        11: lambda: self.is_true(idc.get_type(self.addr), 'T'),
        12: lambda: self.is_true(self.flags & idc.FUNC_BOTTOMBP, '='),
    }
    self.handlers.update(flag_columns)
Example #6
Source File: idaxml.py From GhIDA with Apache License 2.0 | 4 votes |
def export_functions(self):
    """
    Exports information about all functions.

    Writes one FUNCTIONS element containing a FUNCTION element per function
    whose start address is not a special address. Each FUNCTION carries the
    entry point, the name when the address has a user-defined name, a
    LIBRARY_FUNCTION="y" attribute when FUNC_LIB is set, one ADDRESS_RANGE
    per chunk, the regular and repeatable comments, a type-info comment
    taken from the demangled name, and the stack frame.
    """
    all_funcs = idautils.Functions()
    if all_funcs == None:
        return
    self.update_status(FUNCTIONS)
    # NOTE(review): time.clock() is not available on Python 3.8 and later;
    # display_cpu_time is defined elsewhere, so any change has to be made in
    # both places.
    started = time.clock()
    self.start_element(FUNCTIONS, True)
    for ea in all_funcs:
        fn = ida_funcs.get_func(ea)
        if ida_segment.is_spec_ea(fn.start_ea) == True:
            continue

        # Opening tag and its attributes.
        self.start_element(FUNCTION)
        self.write_address_attribute(ENTRY_POINT, fn.start_ea)
        if ida_bytes.has_user_name(idc.get_full_flags(ea)) == True:
            symbol = self.get_symbol_name(ea)
            if symbol != None and len(symbol) > 0:
                self.write_attribute(NAME, symbol)
        if (fn.flags & idc.FUNC_LIB) != 0:
            self.write_attribute(LIBRARY_FUNCTION, "y")
        self.close_tag(True)

        # One range per chunk; END is written as the last address inside
        # the chunk, hence the "- 1".
        for chunk_start, chunk_end in idautils.Chunks(ea):
            self.start_element(ADDRESS_RANGE)
            self.write_address_attribute(START, chunk_start)
            self.write_address_attribute(END, chunk_end - 1)
            self.close_tag()

        regular = ida_funcs.get_func_cmt(fn, False)
        if regular != None:
            self.export_regular_cmt(regular)
        repeatable = ida_funcs.get_func_cmt(fn, True)
        if repeatable != None:
            self.export_repeatable_cmt(repeatable)

        demangled = ida_name.get_demangled_name(ea, DEMANGLED_TYPEINFO,
                                                self.inf.demnames, True)
        # The literal "'string'" is treated as "no type info".
        if demangled == "'string'":
            demangled = None
        outbuf = ''
        # TODO: How to handle print_type for function typeinfo cmts
        #outbuf = idaapi.print_type(addr, False)
        if demangled != None:
            self.export_typeinfo_cmt(demangled)
        elif outbuf != None and len(outbuf) > 0:
            # Not reachable while outbuf stays the empty string above.
            self.export_typeinfo_cmt(outbuf[:-1])

        self.export_stack_frame(fn)
        self.end_element(FUNCTION)
    self.end_element(FUNCTIONS)
    self.display_cpu_time(started)
Example #7
Source File: idaxml.py From GhIDA with Apache License 2.0 | 4 votes |
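def import_function(self, function):
    """
    Creates a function using the FUNCTION attributes.

    Does nothing when the Functions option is unchecked. Otherwise the
    entry point is read from the element and, if that address is mapped, a
    function is created there. The library flag, extra address ranges,
    regular and repeatable comments, stack frame and register variables
    found in the element are then applied.

    The only check on the XML content visible here is that the entry point
    is mapped. Address ranges, comments, stack frames and register
    variables are handed to helpers defined elsewhere; confirm that those
    validate their input before importing XML from a source you do not
    control.

    Any exception raised while importing is reported on the console and
    not propagated, so one bad element does not stop the whole import.

    Args:
        function: XML element containing the function address and
            attributes.
    """
    if self.options.Functions.checked == False:
        return
    try:
        entry_point = self.get_address(function, ENTRY_POINT)
        # The name is read but not applied in this method.
        name = ''
        if self.has_attribute(function, NAME):
            name = self.get_attribute(function, NAME)
        libfunc = 'n'
        if self.has_attribute(function, LIBRARY_FUNCTION):
            libfunc = self.get_attribute(function, LIBRARY_FUNCTION)
        if idc.is_mapped(entry_point) == False:
            msg = ("import_function: address %X not enabled in database"
                   % entry_point)
            print(msg)
            return
        idc.add_func(entry_point, BADADDR)
        self.update_counter(FUNCTION)
        func = ida_funcs.get_func(entry_point)
        if func is None:
            # add_func's result is not checked above; without a function
            # object every later step would fail, so report and stop.
            print("import_function: no function created at %X" % entry_point)
            return
        if libfunc == 'y':
            # NOTE(review): the flag is set on the object returned by
            # get_func; confirm whether ida_funcs.update_func(func) is
            # needed for the change to be stored in the database.
            func.flags |= idc.FUNC_LIB
        for addr_range in function.findall(ADDRESS_RANGE):
            (start, end) = self.import_address_range(addr_range)
            ida_funcs.append_func_tail(func, start, end)
        # TODO: auto_wait is probably not needed...
        if AUTO_WAIT:
            ida_auto.auto_wait()
        # "is not None" rather than truthiness: an XML element without
        # children is falsy even though it was found.
        regcmt = function.find(REGULAR_CMT)
        if regcmt is not None:
            self.update_counter(FUNCTION + ':' + REGULAR_CMT)
            ida_funcs.set_func_cmt(func, regcmt.text, False)
        rptcmt = function.find(REPEATABLE_CMT)
        if rptcmt is not None:
            self.update_counter(FUNCTION + ':' + REPEATABLE_CMT)
            ida_funcs.set_func_cmt(func, rptcmt.text, True)
        typecmt = function.find(TYPEINFO_CMT)
        if typecmt is not None:
            self.update_counter(FUNCTION + ':' + TYPEINFO_CMT)
            # TODO: TYPECMTs
            #idc.SetType(entry_point, typecmt.text + ';')
        sf = function.find(STACK_FRAME)
        if sf is not None:
            self.import_stack_frame(sf, func)
        for register_var in function.findall(REGISTER_VAR):
            self.import_register_var(register_var, func)
    except Exception:
        # sys.exc_type and sys.exc_value do not exist on Python 3, so the
        # old handler raised AttributeError and hid the real error.
        # sys.exc_info() works on both major versions. Catching Exception
        # instead of everything lets KeyboardInterrupt and SystemExit
        # through.
        exc_type, exc_value = sys.exc_info()[:2]
        msg = "** Exception occurred in import_function **"
        print("\n" + msg + "\n", exc_type, exc_value)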