Python idaapi.get_dword() Examples
The following are 3
code examples of idaapi.get_dword().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
idaapi
, or try the search function
.
Example #1
Source File: shellcode_hash_search.py From flare-ida with Apache License 2.0 | 6 votes |
def lookForDwordArray(self, start, end): logger.debug("Starting to look between: %08x:%08x", start, end) for i in range(end-start): loc = start + i if using_ida7api: val = idaapi.get_dword(loc) else: val = idc.Dword(loc) for h in self.params.hashTypes: hits = self.dbstore.getSymbolByTypeHash(h.hashType, val) for sym in hits: logger.info("0x%08x: %s", loc, str(sym)) self.addHit(loc, sym) self.markupLine(loc, sym) ################################################################### # ###################################################################
Example #2
Source File: ida_debugger.py From IDAngr with BSD 2-Clause "Simplified" License | 5 votes |
def get_dword(self, addr): return idaapi.get_dword(addr)
Example #3
Source File: DBGHider.py From DBGHider with Apache License 2.0 | 4 votes |
def dbg_process_start(self, pid, tid, ea, name, base, size): self.mem_for_inline_hooks = 0 self.virtualalloc = 0 ntdll = DllHook('ntdll.dll') ntdll.add_func( FuncHook('ntdll_NtClose', NtClose_inline_hook_code_32, NtClose_bpt_cond_hook_code_32) ) ntdll.add_func( FuncHook('ntdll_NtQueryInformationProcess', NtQueryInformationProcess_inline_hook_code_32, NtQueryInformationProcess_bpt_cond_hook_code_32) ) self.dlls = [ntdll] # IDA creates a segment named "TIB[XXXXXXXX]", which points to # wow_peb64 antually. We can get peb from wow_peb64 with 0x1000 offset. # peb_addr = wow_peb64_addr + 0x1000 # Note: IDA has not created segment "TIB[XXXXXXXX]" at this point. # tid = get_current_thread() # tib_segm_name = "TIB[%08X]" % tid # print tib_segm_name # tib_segm = get_segm_by_name(tib_segm_name) # wow_peb64 = tib_segm.start_ea # peb = tib_segm.start_ea + 0x1000 # on debugging start, ebx points to peb # get addrs of peb and wow_peb64 ebx = idc.get_reg_value("ebx") peb = ebx wow_peb64 = peb - 0x1000 # patch peb->BeingDebugged # solving peb->NtGlobalFlag and "Heap Magic" anti-debug method # at the same time. idc.patch_byte(peb + 2, 0) idc.patch_byte(wow_peb64 + 2, 0) # patching peb process paramters peb_process_parameters = idaapi.get_dword(peb + 0x10) flag = idaapi.get_dword(peb_process_parameters + 0x8) idc.patch_dword(peb_process_parameters + 0x8, flag | 0x4000) # patching peb64 process paramters peb64_process_parameters = idaapi.get_qword(wow_peb64 + 0x20) flag = idaapi.get_dword(peb64_process_parameters + 0x8) idc.patch_dword(peb64_process_parameters + 0x8, flag | 0x4000)