Python idautils.FuncItems() Examples
The following are 13
code examples of idautils.FuncItems().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
idautils
, or try the search function
.
.
Example #1
| Source File: AnalysisWidget.py From idasec with GNU Lesser General Public License v2.1 | 6 votes |
|
def detect_start_and_stop(self): # FIXME:Duplicate code with core (or something similar)
start, stop = 0, 0
if self.core.ftype == "PE":
start, stop = self.core.fun_mapping["start"]
else:
if "main" in self.core.fun_mapping:
start, stop = self.core.fun_mapping["main"]
elif "start" in self.core.fun_mapping:
if "__libc_start_main" in self.core.fun_mapping:
instrs = list(idautils.FuncItems(self.core.fun_mapping["start"][0]))
instrs.reverse()
for inst in instrs:
arg1 = idc.GetOperandValue(inst, 0)
if idc.GetMnem(inst) == "push":
start, stop = arg1, self.core.fun_mapping["start"][1]
break
else:
start, stop = self.core.fun_mapping["start"]
else:
start, stop = idc.BeginEA(), 0
self.start, self.stop = start, stop
Example #2
| Source File: save_disasm.py From slid with MIT License | 6 votes |
|
def save_mnemonics_functions_ida(f1):
filename= f1
mnemonics = {}
flag= 0
for segAddress in Segments():
segName = SegName(segAddress)
if segName == ".text":
funcs = Functions(SegStart(segAddress), SegEnd(segAddress))
for address in funcs:
t1= GetFunctionName(address)
f1= idautils.FuncItems(address)
t2=''
for i in f1:
t2+= GetMnem(i)
t2+= '^^^'
mnemonics[filename+'>'+t1]= t2+'<'+str(address)
return mnemonics
Example #3
| Source File: Reef.py From Reef with GNU General Public License v3.0 | 6 votes |
|
def find_xrefs_from( self, func_ea ):
xrefs = []
for item in idautils.FuncItems( func_ea ):
ALL_XREFS = 0
for ref in idautils.XrefsFrom( item, ALL_XREFS ):
if ref.type not in XrefsFromFinder.XREF_TYPE2STR:
continue
if ref.to in idautils.FuncItems( func_ea ):
continue
disas = idc.GetDisasm( item )
curr_xref = XrefFrom( item, ref.to, ref.type, disas )
xrefs.append( curr_xref )
return xrefs
Example #4
| Source File: configuration_file.py From idasec with GNU Lesser General Public License v2.1 | 5 votes |
|
def set_start_stop(self, ftype):
assert_ida_available()
import idc
import idaapi
import idautils
fun_mapping = {idc.GetFunctionName(x): (idaapi.get_func(x).startEA, idaapi.get_func(x).endEA-1)
for x in idautils.Functions()}
start = idc.BeginEA()
stop = 0
if ftype == PE:
start, stop = fun_mapping["start"]
else:
if not idc.isCode(idc.GetFlags(start)):
if idc.MakeCode(start) == 0:
print "Fail to decode instr !"
idaapi.autoWait()
if idc.GetFunctionName(start) == "":
if idc.MakeFunction(start) == 0:
print "Fail to create function !"
idaapi.autoWait()
fun_mapping = {idc.GetFunctionName(x): (idaapi.get_func(x).startEA, idaapi.get_func(x).endEA-1)
for x in idautils.Functions()}
if "main" in fun_mapping:
start, stop = fun_mapping["main"]
elif "start" in fun_mapping:
if "__libc_start_main" in fun_mapping:
instrs = list(idautils.FuncItems(fun_mapping["start"][0]))
instrs.reverse()
for inst in instrs:
arg1 = idc.GetOperandValue(inst, 0)
if idc.GetMnem(inst) == "push":
start, stop = arg1, fun_mapping["start"][1]
break
else:
start, stop = fun_mapping["start"]
self.config.start, self.config.stop = start, stop
Example #5
| Source File: static_opaque_analysis.py From idasec with GNU Lesser General Public License v2.1 | 5 votes |
|
def process_routine(self, rtn_addr, pred_addr=None, rtn_i=1, total_rtn=1):
if rtn_addr not in self.functions_cfg:
self.functions_cfg[rtn_addr] = MyFlowGraph(rtn_addr)
cfg = self.functions_cfg[rtn_addr]
path_to = self.config_to_path_function(cfg)
if pred_addr is None:
candidates = {x for x in idautils.FuncItems(rtn_addr) if idc.GetMnem(x) in cond_jump}
else:
candidates = {pred_addr}
nb_candidates = len(candidates)
self.functions_candidates[rtn_addr] = set()
self.functions_spurious_instrs[rtn_addr] = set()
self.progressbar_loading.reset()
self.progressbar_loading.setMaximum(len(candidates))
name = idc.GetFunctionName(rtn_addr)
self.result_widget.webview.append("\n=> Function:%s\n" % name)
self.log("[result]", "Start processing function: 0x%x" % rtn_addr)
for i, addr in zip(xrange(len(candidates)), candidates):
path = path_to(addr)
res = self.process_addr(rtn_addr, addr, path)
if self.STOP:
return
elif res is None:
continue
dead_br = "/" if res.dead_branch is None else "%x" % res.dead_branch
self.result_widget.webview.append("%x:\t%s\t\tK:%d\tDead:%s" % (addr, to_status_name(res.status), res.k, dead_br))
self.result_widget.webview.verticalScrollBar().setValue(self.result_widget.webview.verticalScrollBar().maximum())
self.loading_stat.setText("Fun: %d/%d Addr: %d/%d" % (rtn_i, total_rtn, i+1, nb_candidates))
self.progressbar_loading.setValue(self.progressbar_loading.value()+1)
self.functions_candidates[rtn_addr].add(addr)
Example #6
| Source File: function.py From Sark with MIT License | 5 votes |
|
def iter_function_lines(func_ea) -> Iterable[Line]:
"""Iterate the lines of a function.
Args:
func_ea (idaapi.func_t, int): The function to iterate.
Returns:
Iterator over all the lines of the function.
"""
for line in idautils.FuncItems(get_ea(func_ea)):
yield Line(line)
Example #7
| Source File: ida_prefix.py From prefix with MIT License | 5 votes |
|
def graph_down(ea, path=set()):
"""
Recursively collect all function calls.
Copied with minor modifications from
http://hooked-on-mnemonics.blogspot.com/2012/07/renaming-subroutine-blocks-and.html
"""
path.add(ea)
#
# extract all the call instructions from the current function
#
call_instructions = []
instruction_info = idaapi.insn_t()
for address in idautils.FuncItems(ea):
# decode the instruction
if not idaapi.decode_insn(instruction_info, address):
continue
# check if this instruction is a call
if not idaapi.is_call_insn(instruction_info):
continue
# save this address as a call instruction
call_instructions.append(address)
#
# iterate through all the instructions in the target function (ea) and
# inspect all the call instructions
#
for x in call_instructions:
# TODO
for r in idautils.XrefsFrom(x, idaapi.XREF_FAR):
#print(0x%08X" % h, "--calls-->", "0x%08X" % r.to)
if not r.iscode:
continue
# get the function pointed at by this call
func = idaapi.get_func(r.to)
if not func:
continue
# ignore calls to imports / library calls / thunks
if (func.flags & (idaapi.FUNC_THUNK | idaapi.FUNC_LIB)) != 0:
continue
#
# if we have not traversed to the destination function that this
# call references, recurse down to it to continue our traversal
#
if r.to not in path:
graph_down(r.to, path)
return path
Example #8
| Source File: function.py From rematch with GNU General Public License v3.0 | 5 votes |
|
def count(self):
"""return the number of instructions contained in function"""
return len(list(idautils.FuncItems(self.offset)))
Example #9
| Source File: assembly_hash.py From rematch with GNU General Public License v3.0 | 5 votes |
|
def data(self):
md5 = hashlib.md5()
for ea in idautils.FuncItems(self.offset):
asm_line = idc.GetDisasmEx(ea, idc.GENDSM_MULTI_LINE)
if ';' in asm_line:
asm_line = asm_line[:asm_line.find(';')]
asm_line = asm_line.strip()
asm_line = " ".join(asm_line.split())
asm_line = asm_line.lower()
md5.update(asm_line)
return md5.hexdigest()
Example #10
| Source File: instruction_hash.py From rematch with GNU General Public License v3.0 | 5 votes |
|
def data(self):
h = self.keleven
for ea in idautils.FuncItems(self.offset):
h = self._cycle(h, idc.Byte(ea))
# go over all additional bytes of any instruction
for i in range(ea + 1, ea + idc.ItemSize(ea)):
h = self._cycle(h, idc.Byte(i))
return h
Example #11
| Source File: identity_hash.py From rematch with GNU General Public License v3.0 | 5 votes |
|
def data(self):
h = self.keleven
for ea in idautils.FuncItems(self.offset):
h = self._cycle(h, idc.Byte(ea))
# skip additional bytes of any instruction that contains an offset in it
if idautils.CodeRefsFrom(ea, False) or idautils.DataRefsFrom(ea):
continue
for i in range(ea + 1, ea + idc.ItemSize(ea)):
h = self._cycle(h, idc.Byte(i))
return h
Example #12
| Source File: mnemonic_hash.py From rematch with GNU General Public License v3.0 | 5 votes |
|
def data(self):
md5 = hashlib.md5()
for ea in idautils.FuncItems(self.offset):
mnem_line = idc.GetMnem(ea)
mnem_line = mnem_line.strip()
mnem_line = mnem_line.lower()
md5.update(mnem_line)
return md5.hexdigest()
Example #13
| Source File: 13_注释和重命名.py From IDAPython_Note with MIT License | 4 votes |
|
def check_for_wrapper(func):
flags = idc.GetFunctionFlags(func)
#跳过库函数和简单的跳转函数
if flags & FUNC_LIB or flags & FUNC_THUNK:
return
dism_addr = list(idautils.FuncItems(func))
#获取函数的长度
func_length = len(dism_addr)
#如果函数的超过32条指令则返回
if func_length > 0x20:
return
func_call = 0
instr_cmp = 0
op = None
op_addr = None
op_type = None
#遍历函数中的每条指令
for ea in dism_addr:
m = idc.GetMnem(ea)
if m == 'call' or m == 'jmp':
if m == 'jmp':
temp = idc.GetOperandValue(ea, 0)
# 忽略函数边界内的跳转
if temp in dism_addr:
continue
func_call += 1
#封装函数内不会包含多个函数调用
if func_call == 2:
return
op_addr = idc.GetOperandValue(ea, 0)
op_type = idc.GetOpType(ea, 0)
elif m == 'cmp' or m == 'test':
# 封装函数内不应该包含太多的逻辑运算
instr_cmp += 1
if instr_cmp == 3:
return
else:
continue
# 所有函数内的指令都被分析过了
if op_addr == None:
return
name = idc.Name(op_addr)
#跳过名称粉碎的函数名称
if "[" in name or "$" in name or "?" in name or "@" in name or name == "":
return
name = "w_" + name
if op_type == o_near:
if idc.GetFunctionFlags(op_addr) & FUNC_THUNK:
rename_wrapper(name, func)
return
if op_type == o_mem or op_type == o_far:
rename_wrapper(name, func)
return
