Python idc.GetOpType() Examples
The following are 13
code examples of idc.GetOpType().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
idc
, or try the search function
.
.
Example #1
| Source File: win_driver_plugin.py From win_driver_plugin with BSD 3-Clause "New" or "Revised" License | 13 votes |
|
def find_dispatch_by_struct_index():
"""Attempts to locate the dispatch function based off it being loaded in a structure
at offset 70h, based off of https://github.com/kbandla/ImmunityDebugger/blob/master/1.73/Libs/driverlib.py """
out = set()
for function_ea in idautils.Functions():
flags = idc.get_func_flags(function_ea)
# skip library functions
if flags & idc.FUNC_LIB:
continue
func = idaapi.get_func(function_ea)
addr = func.startEA
while addr < func.endEA:
if idc.GetMnem(addr) == 'mov':
if '+70h' in idc.GetOpnd(addr, 0) and idc.GetOpType(addr, 1) == 5:
out.add(idc.GetOpnd(addr, 1))
addr = idc.NextHead(addr)
return out
Example #2
| Source File: win_driver_plugin.py From win_driver_plugin with BSD 3-Clause "New" or "Revised" License | 7 votes |
|
def find_all_ioctls():
"""
From the currently selected address attempts to traverse all blocks inside the current function to find all immediate values which
are used for a comparison/sub immediately before a jz. Returns a list of address, second operand pairs.
"""
ioctls = []
# Find the currently selected function and get a list of all of it's basic blocks
addr = idc.ScreenEA()
f = idaapi.get_func(addr)
fc = idaapi.FlowChart(f, flags=idaapi.FC_PREDS)
for block in fc:
# grab the last two instructions in the block
last_inst = idc.PrevHead(block.endEA)
penultimate_inst = idc.PrevHead(last_inst)
# If the penultimate instruction is cmp or sub against an immediate value immediately preceding a 'jz'
# then it's a decent guess that it's an IOCTL code (if this is a dispatch function)
if idc.GetMnem(penultimate_inst) in ['cmp', 'sub'] and idc.GetOpType(penultimate_inst, 1) == 5:
if idc.GetMnem(last_inst) == 'jz':
value = get_operand_value(penultimate_inst)
ioctls.append((penultimate_inst, value))
ioctl_tracker.add_ioctl(penultimate_inst, value)
return ioctls
Example #3
| Source File: win_driver_plugin.py From win_driver_plugin with BSD 3-Clause "New" or "Revised" License | 6 votes |
|
def get_position_and_translate():
"""
Gets the current selected address and decodes the second parameter to the instruction if it exists/is an immediate
then adds the C define for the code as a comment and prints a summary table of all decoded IOCTL codes.
"""
pos = idc.ScreenEA()
if idc.GetOpType(pos, 1) != 5: # Check the second operand to the instruction is an immediate
return
value = get_operand_value(pos)
ioctl_tracker.add_ioctl(pos, value)
define = ioctl_decoder.get_define(value)
make_comment(pos, define)
# Print summary table each time a new IOCTL code is decoded
ioctls = []
for inst in ioctl_tracker.ioctl_locs:
value = get_operand_value(inst)
ioctls.append((inst, value))
ioctl_tracker.print_table(ioctls)
Example #4
| Source File: win_driver_plugin.py From win_driver_plugin with BSD 3-Clause "New" or "Revised" License | 6 votes |
|
def finish_populating_tform_popup(self, form, popup):
tft = idaapi.get_tform_type(form)
if tft != idaapi.BWN_DISASM:
return
pos = idc.ScreenEA()
register_dynamic_action(form, popup, 'Decode All IOCTLs in Function', DecodeAllHandler())
register_dynamic_action(form, popup, 'Decode IOCTLs using Angr', DecodeAngrHandler())
# If the second argument to the current selected instruction is an immediately
# then give the option to decode it.
if idc.GetOpType(pos, 1) == 5:
register_dynamic_action(form, popup, 'Decode IOCTL', DecodeHandler())
if pos in ioctl_tracker.ioctl_locs:
register_dynamic_action(form, popup, 'Invalid IOCTL', InvalidHandler())
if len(ioctl_tracker.ioctl_locs) > 0:
register_dynamic_action(form, popup, 'Show All IOCTLs', ShowAllHandler())
Example #5
| Source File: shellcode_hash_search.py From flare-ida with Apache License 2.0 | 6 votes |
|
def lookForOpArgs(self, start, end):
for head in idautils.Heads(start, end):
try:
for i in range(2):
if using_ida7api:
t = idc.get_operand_type(head, i)
else:
t = idc.GetOpType(head, i)
if t == idc.o_imm:
if using_ida7api:
opval = idc.get_operand_value(head, i)
else:
opval = idc.GetOperandValue(head, i)
if self.params.useXORSeed:
opval = opval ^ self.params.XORSeed
for h in self.params.hashTypes:
hits = self.dbstore.getSymbolByTypeHash(h.hashType, opval)
for sym in hits:
logger.info("0x%08x: %s", head, str(sym))
self.addHit(head, sym)
self.markupLine(head, sym, self.params.useDecompiler)
except Exception as err:
logger.exception("Exception: %s", str(err))
Example #6
| Source File: idb2pat.py From flare-ida with Apache License 2.0 | 6 votes |
|
def find_ref_loc(config, ea, ref):
"""
type config: Config
type ea: idc.ea_t
type ref: idc.ea_t
"""
logger = logging.getLogger("idb2pat:find_ref_loc")
if ea == BADADDR:
logger.debug("Bad parameter: ea")
return BADADDR
if ref == BADADDR:
logger.debug("Bad parameter: ref")
return BADADDR
if idc.GetOpType(ea, 0) == o_near:
ref = (ref - get_item_end(ea)) & ((1<<config.pointer_size*8)-1)
if isCode(getFlags(ea)):
for i in zrange(ea, max(ea, 1 + get_item_end(ea) - config.pointer_size)):
if get_long(i) == ref:
return i
return BADADDR
Example #7
| Source File: BpHandler.py From DIE with MIT License | 5 votes |
|
def get_called_func_data(self, ea):
"""
Try to get the called function name and address.
@param ea: Address to the CALL instruction
@return: On success a tuple of called function data (Function_ea, Demangled_Function_Name).
otherwise (None,None) tuple will be returned
"""
try:
func_name = None
call_dest = None
if idc.isCode(idc.GetFlags(ea)):
if is_call(ea):
operand_type = idc.GetOpType(ea, 0)
if operand_type in (5, 6, 7, 2):
call_dest = idc.GetOperandValue(ea, 0) # Call destination
func_name = get_function_name(call_dest).lower()
return call_dest, func_name
except Exception as ex:
self.logger.exception("Failed to get called function data: %s", ex)
return None, None
###############################################################################################
# Dynamic (RunTime) Breakpoints
Example #8
| Source File: IDAMetrics_static.py From IDAmetrics with BSD 2-Clause "Simplified" License | 5 votes |
|
def get_instr_operands(self, head):
"""
@head - instruction address
@return - the function returns list of variables which is
used in the instruction
"""
i = 0
instr_op = list()
while i < 4:
op = idc.GetOpnd(head, i)
if op != "":
instr_op.append((op, idc.GetOpType(head, i)))
i += 1
return instr_op
Example #9
| Source File: dump_pool_tags.py From win_driver_plugin with BSD 3-Clause "New" or "Revised" License | 4 votes |
|
def find_pool_tags():
""" Dirty hack around IDA's type information, find references to tag using functions then the comment marking the tag
then add the function caller/tag to output dictionary.
"""
funcs = [
'ExAllocatePoolWithTag',
'ExFreePoolWithTag',
'ExAllocatePoolWithTagPriority'
]
tags = {}
def imp_cb(ea, name, ord):
if name in funcs:
for xref in idautils.XrefsTo(ea):
call_addr = xref.frm
caller_name = idc.GetFunctionName(call_addr)
prev = idc.PrevHead(call_addr)
for _ in range(10):
if idc.Comment(prev) == 'Tag' and idc.GetOpType(prev, 1) == 5:
tag_raw = idc.GetOperandValue(prev, 1)
tag = ''
for i in range(3, -1, -1):
tag += chr((tag_raw >> 8 * i) & 0xFF)
if tag in tags.keys():
tags[tag].add(caller_name)
else:
tags[tag] = set([caller_name])
break
prev = idc.PrevHead(prev)
return True
nimps = idaapi.get_import_module_qty()
for i in xrange(0, nimps):
name = idaapi.get_import_module_name(i)
if not name:
continue
idaapi.enum_import_names(i, imp_cb)
return tags
Example #10
| Source File: 13_注释和重命名.py From IDAPython_Note with MIT License | 4 votes |
|
def check_for_wrapper(func):
flags = idc.GetFunctionFlags(func)
#跳过库函数和简单的跳转函数
if flags & FUNC_LIB or flags & FUNC_THUNK:
return
dism_addr = list(idautils.FuncItems(func))
#获取函数的长度
func_length = len(dism_addr)
#如果函数的超过32条指令则返回
if func_length > 0x20:
return
func_call = 0
instr_cmp = 0
op = None
op_addr = None
op_type = None
#遍历函数中的每条指令
for ea in dism_addr:
m = idc.GetMnem(ea)
if m == 'call' or m == 'jmp':
if m == 'jmp':
temp = idc.GetOperandValue(ea, 0)
# 忽略函数边界内的跳转
if temp in dism_addr:
continue
func_call += 1
#封装函数内不会包含多个函数调用
if func_call == 2:
return
op_addr = idc.GetOperandValue(ea, 0)
op_type = idc.GetOpType(ea, 0)
elif m == 'cmp' or m == 'test':
# 封装函数内不应该包含太多的逻辑运算
instr_cmp += 1
if instr_cmp == 3:
return
else:
continue
# 所有函数内的指令都被分析过了
if op_addr == None:
return
name = idc.Name(op_addr)
#跳过名称粉碎的函数名称
if "[" in name or "$" in name or "?" in name or "@" in name or name == "":
return
name = "w_" + name
if op_type == o_near:
if idc.GetFunctionFlags(op_addr) & FUNC_THUNK:
rename_wrapper(name, func)
return
if op_type == o_mem or op_type == o_far:
rename_wrapper(name, func)
return
Example #11
| Source File: argtracker.py From flare-ida with Apache License 2.0 | 4 votes |
|
def processWriteLog(self, tracker, cVa):
wlogEntry = tracker.va_write_map.get(cVa, None)
if (wlogEntry is None):
return
pc, writeVa, bytes = wlogEntry
if (writeVa in self.stackArgLocs) and (self.getStackArgNum(writeVa) not in self.resultArgs.keys()):
#it's a stack arg value
pc, value = transformWriteLogEntry(wlogEntry)
#self.tracker.logger.debug('writelog 0x%08x: Found stack arg %d: 0x%08x', pc, self.getStackArgNum(writeVa), value)
self.saveResult(writeVa, pc, value)
return
if writeVa not in self.tempMapping.keys():
#self.tracker.logger.debug('writelog 0x%08x: not interesting', pc)
return
#argName: the actual value we're tracing back
argName = self.tempMapping.pop(writeVa)
pc, value = transformWriteLogEntry(wlogEntry)
#we found a temp value tracing backwards, but need to determine if it's a constant
# or if we need to continue tracing backwards. basically as long as it's not
# a register, we stop?
mnem = idc.GetMnem(pc)
srcOpIdx = 0
if mnem.startswith('push'):
srcOpIdx = 0
elif mnem.startswith('mov'):
srcOpIdx = 1
else:
#TODO: any other data movement instructions need to be traced rahter
# than using the observed write log value?
#self.tracker.logger.debug('writelog 0x%08x: found (default): 0x%08x', pc, value)
self.saveResult(argName, pc, value)
return
#process data movements instructions:
optype = idc.GetOpType(pc, srcOpIdx)
if optype == idc.o_reg:
#need to trace the new reg now
newReg = idc.GetOpnd(pc, srcOpIdx)
#self.tracker.logger.debug('writelog 0x%08x tracing: (%s): %s', pc, self.getArgNameRep(argName), newReg)
self.tempMapping[newReg] = argName
else:
#not a register, so currently assuming we can use the stored value
#self.tracker.logger.debug('writelog 0x%08x: found (non-reg): 0x%08x', pc, value)
self.saveResult(argName, pc, value)
Example #12
| Source File: argtracker.py From flare-ida with Apache License 2.0 | 4 votes |
|
def processRegMon(self, tracker, cVa):
if tracker.regMon is None:
#tracker.logger.debug('regmon: regMon is empty')
return
regMods = tracker.regMon.reg_map.get(cVa)
if regMods is None:
#tracker.logger.debug('regmon 0x%08x: no entry in reg_map', cVa)
return
#figure out if one of the monitored regs is modified in this instruction
# and if has not already been stored -> just want the first reg value
regMods = self.tracker.regMon.reg_map[cVa]
#self.tracker.logger.debug('regmon 0x%08x: examining %d items: %r', cVa, len(regMods), regMods)
for reg in regMods:
interesting1 = (reg in self.regs) and (reg not in self.resultArgs.keys())
interesting2 = (reg in self.tempMapping.keys())
if (not interesting1) and (not interesting2):
#modified reg isn't interesting: either a function arg or a temp traced value
#self.tracker.logger.debug('regmon 0x%08x: not interesting: %s', cVa, reg)
continue
mnem = idc.GetMnem(cVa)
argName = reg
if interesting1:
self.regs.remove(reg)
if interesting2:
argName = self.tempMapping.pop(reg)
if mnem.startswith('pop'):
#add the current stack read address to the temporary tracking
rlogEntry = tracker.va_read_map.get(cVa, None)
if rlogEntry is None:
raise RuntimeError('readlog entry does not exist for a pop')
pc, readVa, bytes = rlogEntry
#self.tracker.logger.debug('regmon 0x%08x tracing (pop): %s (%s): 0x%x', cVa, argName, reg, readVa)
self.tempMapping[readVa] = argName
elif mnem.startswith('mov'):
if idc.GetOpType(cVa, 1) == idc.o_reg:
#change to track this reg backwards
newReg = idc.GetOpnd(cVa, 1)
#self.tracker.logger.debug('regmon 0x%08x tracing (mov): %s (%s)', cVa, argName, newReg)
self.tempMapping[newReg] = argName
else:
#not a register, use the modified result otherwise?
#self.tracker.logger.debug('regmon 0x%08x found (mov): %s (%s): 0x%x', cVa, argName, reg, regMods[reg])
self.saveResult(argName, cVa, regMods[reg])
else:
#TODO: any other data movement instructions that should be traced back?
#self.tracker.logger.debug('regmon 0x%08x found (default): %s (%s): 0x%x', cVa, argName, reg, regMods[reg])
self.saveResult(argName, cVa, regMods[reg])
Example #13
| Source File: __init__.py From flare-ida with Apache License 2.0 | 4 votes |
|
def rename_constant(arg_ea, fct_name, arg_name, arg_enums):
""" Rename constants to values from standard enumerations. """
instruction = idc.GetMnem(arg_ea)
if instruction == 'push':
op_num = 0
elif instruction == 'mov':
op_num = 1
else:
raise RenamingException('Constant: unhandled instruction ' +
instruction)
op_val = idc.GetOperandValue(arg_ea, op_num)
# NULL
if op_val == 0:
targetid = idc.GetConstByName('NULL_{}_{}'.format(arg_name, fct_name))
serial = 0
enumid = idc.GetEnum(NULL_ENUM_NAME)
constid = idc.GetConstEx(enumid, 0, serial, -1)
while constid != idaapi.BADADDR:
if constid == targetid:
idc.OpEnumEx(arg_ea, op_num, enumid, serial)
return
serial = serial + 1
constid = idc.GetConstEx(enumid, 0, serial, -1)
# All other constants
op_type = idc.GetOpType(arg_ea, op_num)
if op_type == idaapi.o_imm:
# only one choice
if len(arg_enums) == 1:
enumid = idc.GetEnum(arg_enums[0])
idc.OpEnumEx(arg_ea, op_num, enumid, 0)
return
for enum in arg_enums:
enumid = idc.GetEnum(enum)
constid = get_constant_id(enumid, op_val)
if constid == idaapi.BADADDR:
# Not in this enum
continue
else:
# Found the right enum
idc.OpEnumEx(arg_ea, op_num, enumid, 0)
return
