Python idaapi.o_mem() Examples

The following are 4 code examples of idaapi.o_mem(). You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may also want to check out all available functions/classes of the module idaapi , or try the search function .
Example #1
Source File: first.py    From FIRST-plugin-ida with GNU General Public License v2.0 6 votes vote down vote up 
def get_non_jmp_wrapped_functions():
            '''Returns a list of functions addresses

            Functions definited in the IDB, from auto analysis or manually
            definited, are part of the list returned. Functions that are
            just wrappers with a jmp instruction are not included.

            Returns:
                list: Empty list or list of integer values

                The list of integer values correspond to a function's start
                address
            '''
            addresses = []
            for function_ea in IDAW.Functions():
                function = IDAW.get_func(function_ea)
                if function:
                    mnem = IDAW.GetMnem(function.startEA)
                    op_type = IDAW.GetOpType(function.startEA, 0)
                    if not (('jmp' == mnem) and (op_type == IDAW.o_mem)):
                        addresses.append(function.startEA)

            return addresses
Example #2
Source File: instruction.py    From ida-minsc with BSD 3-Clause "New" or "Revised" License 6 votes vote down vote up 
def memory(ea, op):
        '''Operand type decoder for memory-type operands which return an address.'''
        if op.type in {idaapi.o_mem, idaapi.o_far, idaapi.o_near, idaapi.o_displ}:
            seg, sel = (op.specval & 0xffff0000) >> 16, (op.specval & 0x0000ffff) >> 0
            return op.addr
        optype = map(utils.funbox("{:s}({:d})".format), [('idaapi.o_far', idaapi.o_far), ('idaapi.o_near', idaapi.o_near)])
        raise E.InvalidTypeOrValueError(u"{:s}.address({:#x}, {!r}) : Expected operand type `{:s}` or `{:s}` but operand type {:d} was received.".format('.'.join((__name__, 'operand_types')), ea, op, optype[0], optype[1], op.type))
Example #3
Source File: disassembler.py    From vt-ida-plugin with Apache License 2.0 4 votes vote down vote up 
def get_opcodes(addr, strict):
    """Get current bytes of the instruction pointed at addr.

    Args:
      addr: address of the current instruction
      strict: be more restrictive when applying wildcards (True) or not (False)

    Returns:
      String: hex-encoded representation of the bytes obtained at addr
    """

    if strict:
      offsets_types = {idaapi.o_far, idaapi.o_mem, idaapi.o_imm}
    else:
      offsets_types = {idaapi.o_far, idaapi.o_mem}

    pattern = ''
    mnem = idautils.DecodeInstruction(addr)

    if mnem is not None:
      op1_type = mnem.Op1.type
      op2_type = mnem.Op2.type

      logging.debug(
          '[VTGREP] Instruction: %s  [%d, %d, %d]',
          idc.generate_disasm_line(addr, 0),
          mnem.itype,
          op1_type,
          op2_type
          )

      inst_len = idc.get_item_size(addr)
      drefs = [x for x in idautils.DataRefsFrom(addr)]

      # Checks if any operand constains a memory address
      if (drefs and
          ((op1_type == idaapi.o_imm) or (op2_type == idaapi.o_imm)) or
          op1_type in offsets_types or op2_type in offsets_types):
        pattern = Disassembler.wildcard_instruction(addr)
      # Checks if the instruction is a CALL (near or far) or
      # if it's a JMP (excluding near jumps)
      else:
        if ((mnem.itype == idaapi.NN_call) or
            (mnem.itype == idaapi.NN_jmp and op1_type != idaapi.o_near)):
          pattern = Disassembler.wildcard_instruction(addr)
        # In any other case, concatenate the raw bytes to the current string
        else:
          pattern = binascii.hexlify(idc.get_bytes(addr, inst_len))
          pattern = pattern.decode('utf-8')
      return pattern
    else: return 0
Example #4
Source File: first.py    From FIRST-plugin-ida with GNU General Public License v2.0 4 votes vote down vote up 
def get_apis(address):
            '''Returns a list of all APIs used by a function.

            The address provided will be used to get a function and each
            instruction in the function is examined for APIs in the sample's
            IAT.

            Args:
                address (`int`): An address associated with a function. The
                    address can be any address within the function.

            Returns:
                list: Empty list or list of `MetadataShim` objects
            '''
            apis = []
            #   populate iat
            if not FIRST.iat:
                func = lambda ea, name, ord: FIRST.iat.append(name) == None
                imports = IDAW.get_import_module_qty()
                if imports:
                    for i in xrange(imports):
                        IDAW.enum_import_names(i, func)

            #   Cycle through all instructions within the function
            for instr in safe_generator(IDAW.FuncItems(address)):
                name = None
                if not IDAW.is_call_insn(instr):
                    instruction = IDAW.DecodeInstruction(instr)
                    if not instruction:
                        continue

                    for i in xrange(len(instruction.Operands)):
                        if IDAW.GetOpType(instr, i) == idaapi.o_mem:
                            name = IDAW.Name(IDAW.GetOperandValue(instr, i))
                            break

                else:
                    #   It is a call instruction
                    for xref in safe_generator(IDAW.XrefsFrom(instr, IDAW.XREF_FAR)):
                        if xref.to == None:
                            break

                        name = IDAW.NameEx(0, xref.to)

                if (name in FIRST.iat) and (name not in apis):
                    apis.append(name)

            return apis