Python idc.get_func_attr() Examples
The following are 14
code examples of idc.get_func_attr().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
idc
, or try the search function
.
.
Example #1
| Source File: functions_plus.py From functions-plus with MIT License | 6 votes |
|
def build_functions_tree(self, functions_list):
'''
Builds tree of functions.
'''
func_state = FunctionState()
functions_tree = OrderedDict()
for function_name in sorted(functions_list):
func_state.args = ''
func_state.addr = functions_list[function_name]
func_state.flags = \
idc.get_func_attr(func_state.addr, idc.FUNCATTR_FLAGS)
demangled_name = self.maybe_demangle(function_name)
chunks = self.get_chunks(demangled_name, func_state)
self.maybe_push(chunks, functions_tree, func_state)
return functions_tree
Example #2
| Source File: exp.py From run_idat with GNU General Public License v3.0 | 5 votes |
|
def get_all_func():
num = 0
content = []
for func in idautils.Functions():
seg_perm = idc.get_segm_attr(func,SEGATTR_PERM) # 段属性
if(5 !=seg_perm):
continue
seg_name = idc.get_segm_name(func) # 段名
if(".plt" == seg_name):
continue
func_name = idc.get_func_name(func) # 函数名
func_flags = hex(idc.get_func_attr(func,FUNCATTR_FLAGS))# 函数信息
func_head = hex(idc.get_func_attr(func,FUNCATTR_START)) # 函数头
func_end = hex(idc.get_func_attr(func,FUNCATTR_END)) # 函数尾
l = []
l.append(num)
l.append(seg_name)
l.append(seg_perm)
l.append(func_name)
l.append(func_flags)
l.append(func_head)
l.append(func_end)
content.append(l)
num += 1
#print(l)
return content
# 程序入口
Example #3
| Source File: util.py From mcsema with Apache License 2.0 | 5 votes |
|
def is_noreturn_function(ea):
"""Returns `True` if the function at `ea` is a no-return function."""
flags = idc.get_func_attr(ea, idc.FUNCATTR_FLAGS)
return 0 < flags and \
(flags & idaapi.FUNC_NORET) and \
ea not in FUNC_LSDA_ENTRIES.keys() and \
"cxa_throw" not in get_symbol_name(ea)
Example #4
| Source File: util.py From mcsema with Apache License 2.0 | 5 votes |
|
def is_thunk(ea): """Returns true if some address is a known to IDA to be a thunk.""" flags = idc.get_func_attr(ea, idc.FUNCATTR_FLAGS) return (idc.BADADDR != flags) and 0 < flags and 0 != (flags & 0x00000080L)
Example #5
| Source File: collect_variable.py From mcsema with Apache License 2.0 | 5 votes |
|
def recover_variables(F, func_ea, blockset):
""" Recover the stack variables from the function. It also collect
the instructions referring to the stack variables.
"""
# Checks for the stack frame; return if it is None
if not is_code_by_flags(func_ea) or \
not idc.get_func_attr(func_ea, idc.FUNCATTR_FRAME):
return
functions = list()
f_name = get_symbol_name(func_ea)
f_ea = idc.get_func_attr(func_ea, idc.FUNCATTR_START)
f_vars = collect_function_vars(func_ea, blockset)
functions.append({"ea":f_ea, "name":f_name, "stackArgs":f_vars})
for offset in f_vars.keys():
if f_vars[offset]["safe"] is False:
continue
var = F.stack_vars.add()
var.sp_offset = offset
var.name = f_vars[offset]["name"]
var.size = f_vars[offset]["size"]
for i in f_vars[offset]["writes"]:
r = var.ref_eas.add()
r.inst_ea = i["ea"]
r.offset = i["offset"]
for i in f_vars[offset]["reads"]:
r = var.ref_eas.add()
r.inst_ea = i["ea"]
r.offset = i["offset"]
Example #6
| Source File: Main.py From Virtuailor with GNU General Public License v3.0 | 5 votes |
|
def get_xref_code_to_func(func_addr):
a = idautils.XrefsTo(func_addr, 1)
addr = {}
for xref in a:
frm = xref.frm # ea in func
start = idc.get_func_attr(frm, idc.FUNCATTR_START) # to_xref func addr
func_name = idc.get_func_name(start) # to_xref func name
addr[func_name] = [xref.iscode, start]
return addr
Example #7
| Source File: quicktime.py From ida-minsc with BSD 3-Clause "New" or "Revised" License | 5 votes |
|
def getMinorDispatchTableAddress(ea):
"""find address of last lea in function"""
start = idc.get_func_attr(ea, idc.FUNCATTR_START)
end = idc.prev_head( idc.get_func_attr(ea, idc.FUNCATTR_END), start)
res = prevMnemonic(end, 'lea', start)
assert res != idc.BADADDR
return idc.get_operand_value(res, 1)
Example #8
| Source File: quicktime.py From ida-minsc with BSD 3-Clause "New" or "Revised" License | 5 votes |
|
def getMajorDispatchTableAddress():
"""find quicktime major dispatch table"""
res = idc.get_name_ea_simple('theQuickTimeDispatcher')
res = nextMnemonic(res, 'lea', idc.get_func_attr(res, idc.FUNCATTR_END))
assert res != idc.BADADDR
return idc.get_operand_value(res, 1)
Example #9
| Source File: functions_plus.py From functions-plus with MIT License | 5 votes |
|
def __init__(self, show_extra_fields):
self.addr = None
self.flags = None
self.show_extra_fields = show_extra_fields
self.names = [
'Name', 'Address', 'Segment', 'Length', 'Locals', 'Arguments'
]
self.handlers = {
0: lambda: None,
1: lambda: self.fmt(self.addr),
2: lambda: '{}'.format(idc.get_segm_name(self.addr)),
3: lambda: self.fmt(idc.get_func_attr(self.addr, idc.FUNCATTR_END) - self.addr),
4: lambda: self.fmt(idc.get_func_attr(self.addr, idc.FUNCATTR_FRSIZE)),
5: lambda: self.fmt(idc.get_func_attr(self.addr, idc.FUNCATTR_ARGSIZE))
}
if self.show_extra_fields:
self.names.extend(['R', 'F', 'L', 'S', 'B', 'T', '='])
# TODO: add Lumina column info
self.handlers.update({
6: lambda: self.is_true(not self.flags & idc.FUNC_NORET, 'R'),
7: lambda: self.is_true(self.flags & idc.FUNC_FAR, 'F'),
8: lambda: self.is_true(self.flags & idc.FUNC_LIB, 'L'),
9: lambda: self.is_true(self.flags & idc.FUNC_STATIC, 'S'),
10: lambda: self.is_true(self.flags & idc.FUNC_FRAME, 'B'),
11: lambda: self.is_true(idc.get_type(self.addr), 'T'),
12: lambda: self.is_true(self.flags & idc.FUNC_BOTTOMBP, '=')
})
Example #10
| Source File: stackstrings.py From flare-ida with Apache License 2.0 | 5 votes |
|
def getFuncRanges_ida7(ea, doAllFuncs):
if doAllFuncs:
funcs = []
funcGen = idautils.Functions(idc.get_segm_start(ea), idc.get_segm_end(ea))
for i in funcGen:
funcs.append(i)
funcRanges = []
for i in range(len(funcs) - 1):
funcRanges.append( (funcs[i], funcs[i+1]) )
funcRanges.append( (funcs[-1], idc.get_segm_end(ea)) )
return funcRanges
else:
#just get the range of the current function
fakeRanges = [( idc.get_func_attr(idc.here(), idc.FUNCATTR_START), idc.get_func_attr(idc.here(), idc.FUNCATTR_END)), ]
return fakeRanges
Example #11
| Source File: collect_variable.py From mcsema with Apache License 2.0 | 4 votes |
|
def build_stack_variable(func_ea):
stack_vars = dict()
frame = idc.get_func_attr(func_ea, idc.FUNCATTR_FRAME)
if not frame:
return stack_vars
f_name = get_symbol_name(func_ea)
#grab the offset of the stored frame pointer, so that
#we can correlate offsets correctly in referent code
# e.g., EBP+(-0x4) will match up to the -0x4 offset
delta = idc.GetMemberOffset(frame, " s")
if delta == -1:
delta = 0
if f_name not in _FUNC_UNSAFE_LIST:
offset = idc.get_first_member(frame)
while -1 != _signed_from_unsigned(offset):
member_name = idc.get_member_name(frame, offset)
if member_name is None:
offset = idc.get_next_offset(frame, offset)
continue
if (member_name == " r" or member_name == " s"):
offset = idc.get_next_offset(frame, offset)
continue
member_size = idc.GetMemberSize(frame, offset)
if offset >= delta:
offset = idc.get_next_offset(frame, offset)
continue
member_flag = idc.GetMemberFlag(frame, offset)
flag_str = _get_flags_from_bits(member_flag)
member_offset = offset-delta
stack_vars[member_offset] = {"name": member_name,
"size": member_size,
"flags": flag_str,
"writes": list(),
"referent": list(),
"reads": list(),
"safe": False }
offset = idc.get_next_offset(frame, offset)
else:
offset = idc.get_first_member(frame)
frame_size = idc.get_func_attr(func_ea, idc.FUNCATTR_FRSIZE)
flag_str = ""
member_offset = _signed_from_unsigned(offset) - delta
stack_vars[member_offset] = {"name": f_name,
"size": frame_size,
"flags": flag_str,
"writes": list(),
"referent": list(),
"reads": list(),
"safe": False }
return stack_vars
Example #12
| Source File: vtableAddress.py From Virtuailor with GNU General Public License v3.0 | 4 votes |
|
def get_con2_var_or_num(i_cnt, cur_addr):
"""
:param i_cnt: the register of the virtual call
:param cur_addr: the current address in the memory
:return: "success" string and the address of the vtable's location. if it fails it sends the reason and -1
"""
start_addr = idc.get_func_attr(cur_addr, idc.FUNCATTR_START)
virt_call_addr = cur_addr
cur_addr = idc.prev_head(cur_addr)
dct_arch = get_arch_dct()
if dct_arch == -1:
return 'Wrong Architechture', "-1", cur_addr
while cur_addr >= start_addr:
if idc.print_insn_mnem(cur_addr)[:3] == dct_arch["opcode"] and idc.print_operand(cur_addr, 0) == i_cnt: # TODO lea ?
opnd2 = idc.print_operand(cur_addr, 1)
place = opnd2.find(dct_arch["separator"])
if place != -1: # if the function is not the first in the vtable
register = opnd2[opnd2.find('[') + 1: place]
if opnd2.find('*') == -1:
offset = opnd2[place + dct_arch["val_offset"]: opnd2.find(']')]
else:
offset = "*"
return register, offset, cur_addr
else:
offset = "0"
if opnd2.find(']') != -1:
register = opnd2[opnd2.find('[') + 1: opnd2.find(']')]
else:
register = opnd2
return register, offset, cur_addr
elif idc.print_insn_mnem(cur_addr)[:4] == "call":
intr_func_name = idc.print_operand(cur_addr, 0)
# In case the code has CFG -> ignores the function call before the virtual calls
if "guard_check_icall_fptr" not in intr_func_name:
if "nullsub" not in intr_func_name:
# intr_func_name = idc.Demangle(intr_func_name, idc.GetLongPrm(idc.INF_SHORT_DN))
print("Warning! At address 0x%08x: The vtable assignment might be in another function (Maybe %s),"
" could not place BP." % (virt_call_addr, intr_func_name))
cur_addr = start_addr
cur_addr = idc.prev_head(cur_addr)
return "out of the function", "-1", cur_addr
return '', 0, cur_addr
Example #13
| Source File: objc2_analyzer.py From flare-ida with Apache License 2.0 | 4 votes |
|
def getIvarTypeFromFunc(self, eh, va):
if va in self.ivarSetters:
return self.ivarSetters[va]
elif va in self.notIvarSetters:
return UNKNOWN
addr = va
endVa = idc.get_func_attr(va, idc.FUNCATTR_END)
if endVa - va < 0x20:
ivarVa = None
while addr <= endVa:
srcOpnd = idc.print_operand(addr, 1)
# if ivar is the src op for an instruction, assume this function will return it
if eh.arch == unicorn.UC_ARCH_ARM and "_OBJC_IVAR_$_" in srcOpnd:
oploc = idc.get_name_ea_simple(
srcOpnd[srcOpnd.find("_OBJC_IVAR_$_"):srcOpnd.find(" ")])
if oploc != idc.BADADDR:
ivarVa = oploc
break
elif eh.arch == unicorn.UC_ARCH_ARM64:
for x in idautils.XrefsFrom(addr):
if (idc.get_segm_name(x.to) == "__objc_ivar" and
idc.get_name(x.to, idc.ida_name.GN_VISIBLE)[:13] == "_OBJC_IVAR_$_"):
ivarVa = x.to
break
elif eh.arch == unicorn.UC_ARCH_X86:
if "_OBJC_IVAR_$_" in srcOpnd:
ivarVa = idc.get_operand_value(addr, 1)
break
addr = idc.next_head(addr, idc.get_inf_attr(idc.INF_MAX_EA))
if ivarVa:
for x in idautils.XrefsTo(ivarVa):
if x.frm >= self.objcConst[0] and x.frm < self.objcConst[1]:
typeStr = eh.getIDBString(
eh.derefPtr(x.frm + eh.size_pointer * 2))
self.ivarSetters[va] = typeStr[2:-1]
logging.debug("%s is an ivar getter function, returning type %s" % (
eh.hexString(va), typeStr[2:-1]))
return typeStr[2:-1]
else:
logging.debug(
"%s determined not to be an ivar getter function", eh.hexString(va))
self.notIvarSetters.append(va)
else:
logging.debug(
"%s determined not to be an ivar getter function", eh.hexString(va))
self.notIvarSetters.append(va)
return UNKNOWN
# returns class or sel name from IDA name
Example #14
| Source File: mykutils.py From flare-ida with Apache License 2.0 | 4 votes |
|
def _emit_fnbytes(emit_instr_cb, header, footer, indent, fva=None, warn=True):
"""Emit function bytes in a format defined by the callback and
headers/footers provided.
Warns if any instruction operands are not consistent with
position-independent code, in which case the user may need to templatize
the position-dependent portions.
"""
fva = fva or idc.here()
fva = idc.get_func_attr(fva, idc.FUNCATTR_START)
va_end = idc.get_func_attr(fva, idc.FUNCATTR_END)
# Operand types observed in position-independent code:
optypes_position_independent = set([
ida_ua.o_reg, # 1: General Register (al,ax,es,ds...)
ida_ua.o_phrase, # 3: Base + Index
ida_ua.o_displ, # 4: Base + Index + Displacement
ida_ua.o_imm, # 5: Immediate
ida_ua.o_near, # 7: Immediate Near Address
])
# Notably missing because I want to note and handle these if/as they are
# encountered:
# ida_ua.o_idpspec0 = 8: FPP register
# ida_ua.o_idpspec1 = 9: 386 control register
# ida_ua.o_idpspec2 = 10: 386 debug register
# ida_ua.o_idpspec3 = 11: 386 trace register
va = fva
nm = idc.get_name(fva)
optypes_found = set()
s = header.format(name=nm)
while va not in (va_end, idc.BADADDR):
size = idc.get_item_size(va)
the_bytes = idc.get_bytes(va, size)
for i in range(0, 8):
optype = idc.get_operand_type(va, i)
if optype:
optypes_found.add(optype)
s += indent + emit_instr_cb(va, the_bytes, size)
va = idc.next_head(va)
s += footer
position_dependent = optypes_found - optypes_position_independent
if position_dependent:
msg = ('This code may have position-dependent operands (optype %s)' %
(', '.join([str(o) for o in position_dependent])))
if warn:
Warning(msg)
else:
logger.warn(msg)
return s
