本文整理汇总了Python中idc.GetOpType方法的典型用法代码示例。如果您正苦于以下问题:Python idc.GetOpType方法的具体用法?Python idc.GetOpType怎么用?Python idc.GetOpType使用的例子?那么, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类idc
的用法示例。
在下文中一共展示了idc.GetOpType方法的13个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: find_dispatch_by_struct_index
# 需要导入模块: import idc [as 别名]
# 或者: from idc import GetOpType [as 别名]
def find_dispatch_by_struct_index():
"""Attempts to locate the dispatch function based off it being loaded in a structure
at offset 70h, based off of https://github.com/kbandla/ImmunityDebugger/blob/master/1.73/Libs/driverlib.py """
out = set()
for function_ea in idautils.Functions():
flags = idc.get_func_flags(function_ea)
# skip library functions
if flags & idc.FUNC_LIB:
continue
func = idaapi.get_func(function_ea)
addr = func.startEA
while addr < func.endEA:
if idc.GetMnem(addr) == 'mov':
if '+70h' in idc.GetOpnd(addr, 0) and idc.GetOpType(addr, 1) == 5:
out.add(idc.GetOpnd(addr, 1))
addr = idc.NextHead(addr)
return out
示例2: find_all_ioctls
# 需要导入模块: import idc [as 别名]
# 或者: from idc import GetOpType [as 别名]
def find_all_ioctls():
"""
From the currently selected address attempts to traverse all blocks inside the current function to find all immediate values which
are used for a comparison/sub immediately before a jz. Returns a list of address, second operand pairs.
"""
ioctls = []
# Find the currently selected function and get a list of all of it's basic blocks
addr = idc.ScreenEA()
f = idaapi.get_func(addr)
fc = idaapi.FlowChart(f, flags=idaapi.FC_PREDS)
for block in fc:
# grab the last two instructions in the block
last_inst = idc.PrevHead(block.endEA)
penultimate_inst = idc.PrevHead(last_inst)
# If the penultimate instruction is cmp or sub against an immediate value immediately preceding a 'jz'
# then it's a decent guess that it's an IOCTL code (if this is a dispatch function)
if idc.GetMnem(penultimate_inst) in ['cmp', 'sub'] and idc.GetOpType(penultimate_inst, 1) == 5:
if idc.GetMnem(last_inst) == 'jz':
value = get_operand_value(penultimate_inst)
ioctls.append((penultimate_inst, value))
ioctl_tracker.add_ioctl(penultimate_inst, value)
return ioctls
示例3: get_position_and_translate
# 需要导入模块: import idc [as 别名]
# 或者: from idc import GetOpType [as 别名]
def get_position_and_translate():
"""
Gets the current selected address and decodes the second parameter to the instruction if it exists/is an immediate
then adds the C define for the code as a comment and prints a summary table of all decoded IOCTL codes.
"""
pos = idc.ScreenEA()
if idc.GetOpType(pos, 1) != 5: # Check the second operand to the instruction is an immediate
return
value = get_operand_value(pos)
ioctl_tracker.add_ioctl(pos, value)
define = ioctl_decoder.get_define(value)
make_comment(pos, define)
# Print summary table each time a new IOCTL code is decoded
ioctls = []
for inst in ioctl_tracker.ioctl_locs:
value = get_operand_value(inst)
ioctls.append((inst, value))
ioctl_tracker.print_table(ioctls)
示例4: finish_populating_tform_popup
# 需要导入模块: import idc [as 别名]
# 或者: from idc import GetOpType [as 别名]
def finish_populating_tform_popup(self, form, popup):
tft = idaapi.get_tform_type(form)
if tft != idaapi.BWN_DISASM:
return
pos = idc.ScreenEA()
register_dynamic_action(form, popup, 'Decode All IOCTLs in Function', DecodeAllHandler())
register_dynamic_action(form, popup, 'Decode IOCTLs using Angr', DecodeAngrHandler())
# If the second argument to the current selected instruction is an immediately
# then give the option to decode it.
if idc.GetOpType(pos, 1) == 5:
register_dynamic_action(form, popup, 'Decode IOCTL', DecodeHandler())
if pos in ioctl_tracker.ioctl_locs:
register_dynamic_action(form, popup, 'Invalid IOCTL', InvalidHandler())
if len(ioctl_tracker.ioctl_locs) > 0:
register_dynamic_action(form, popup, 'Show All IOCTLs', ShowAllHandler())
示例5: lookForOpArgs
# 需要导入模块: import idc [as 别名]
# 或者: from idc import GetOpType [as 别名]
def lookForOpArgs(self, start, end):
for head in idautils.Heads(start, end):
try:
for i in range(2):
if using_ida7api:
t = idc.get_operand_type(head, i)
else:
t = idc.GetOpType(head, i)
if t == idc.o_imm:
if using_ida7api:
opval = idc.get_operand_value(head, i)
else:
opval = idc.GetOperandValue(head, i)
if self.params.useXORSeed:
opval = opval ^ self.params.XORSeed
for h in self.params.hashTypes:
hits = self.dbstore.getSymbolByTypeHash(h.hashType, opval)
for sym in hits:
logger.info("0x%08x: %s", head, str(sym))
self.addHit(head, sym)
self.markupLine(head, sym, self.params.useDecompiler)
except Exception as err:
logger.exception("Exception: %s", str(err))
示例6: find_ref_loc
# 需要导入模块: import idc [as 别名]
# 或者: from idc import GetOpType [as 别名]
def find_ref_loc(config, ea, ref):
"""
type config: Config
type ea: idc.ea_t
type ref: idc.ea_t
"""
logger = logging.getLogger("idb2pat:find_ref_loc")
if ea == BADADDR:
logger.debug("Bad parameter: ea")
return BADADDR
if ref == BADADDR:
logger.debug("Bad parameter: ref")
return BADADDR
if idc.GetOpType(ea, 0) == o_near:
ref = (ref - get_item_end(ea)) & ((1<<config.pointer_size*8)-1)
if isCode(getFlags(ea)):
for i in zrange(ea, max(ea, 1 + get_item_end(ea) - config.pointer_size)):
if get_long(i) == ref:
return i
return BADADDR
示例7: get_called_func_data
# 需要导入模块: import idc [as 别名]
# 或者: from idc import GetOpType [as 别名]
def get_called_func_data(self, ea):
"""
Try to get the called function name and address.
@param ea: Address to the CALL instruction
@return: On success a tuple of called function data (Function_ea, Demangled_Function_Name).
otherwise (None,None) tuple will be returned
"""
try:
func_name = None
call_dest = None
if idc.isCode(idc.GetFlags(ea)):
if is_call(ea):
operand_type = idc.GetOpType(ea, 0)
if operand_type in (5, 6, 7, 2):
call_dest = idc.GetOperandValue(ea, 0) # Call destination
func_name = get_function_name(call_dest).lower()
return call_dest, func_name
except Exception as ex:
self.logger.exception("Failed to get called function data: %s", ex)
return None, None
###############################################################################################
# Dynamic (RunTime) Breakpoints
示例8: get_instr_operands
# 需要导入模块: import idc [as 别名]
# 或者: from idc import GetOpType [as 别名]
def get_instr_operands(self, head):
"""
@head - instruction address
@return - the function returns list of variables which is
used in the instruction
"""
i = 0
instr_op = list()
while i < 4:
op = idc.GetOpnd(head, i)
if op != "":
instr_op.append((op, idc.GetOpType(head, i)))
i += 1
return instr_op
示例9: find_pool_tags
# 需要导入模块: import idc [as 别名]
# 或者: from idc import GetOpType [as 别名]
def find_pool_tags():
""" Dirty hack around IDA's type information, find references to tag using functions then the comment marking the tag
then add the function caller/tag to output dictionary.
"""
funcs = [
'ExAllocatePoolWithTag',
'ExFreePoolWithTag',
'ExAllocatePoolWithTagPriority'
]
tags = {}
def imp_cb(ea, name, ord):
if name in funcs:
for xref in idautils.XrefsTo(ea):
call_addr = xref.frm
caller_name = idc.GetFunctionName(call_addr)
prev = idc.PrevHead(call_addr)
for _ in range(10):
if idc.Comment(prev) == 'Tag' and idc.GetOpType(prev, 1) == 5:
tag_raw = idc.GetOperandValue(prev, 1)
tag = ''
for i in range(3, -1, -1):
tag += chr((tag_raw >> 8 * i) & 0xFF)
if tag in tags.keys():
tags[tag].add(caller_name)
else:
tags[tag] = set([caller_name])
break
prev = idc.PrevHead(prev)
return True
nimps = idaapi.get_import_module_qty()
for i in xrange(0, nimps):
name = idaapi.get_import_module_name(i)
if not name:
continue
idaapi.enum_import_names(i, imp_cb)
return tags
示例10: check_for_wrapper
# 需要导入模块: import idc [as 别名]
# 或者: from idc import GetOpType [as 别名]
def check_for_wrapper(func):
flags = idc.GetFunctionFlags(func)
#跳过库函数和简单的跳转函数
if flags & FUNC_LIB or flags & FUNC_THUNK:
return
dism_addr = list(idautils.FuncItems(func))
#获取函数的长度
func_length = len(dism_addr)
#如果函数的超过32条指令则返回
if func_length > 0x20:
return
func_call = 0
instr_cmp = 0
op = None
op_addr = None
op_type = None
#遍历函数中的每条指令
for ea in dism_addr:
m = idc.GetMnem(ea)
if m == 'call' or m == 'jmp':
if m == 'jmp':
temp = idc.GetOperandValue(ea, 0)
# 忽略函数边界内的跳转
if temp in dism_addr:
continue
func_call += 1
#封装函数内不会包含多个函数调用
if func_call == 2:
return
op_addr = idc.GetOperandValue(ea, 0)
op_type = idc.GetOpType(ea, 0)
elif m == 'cmp' or m == 'test':
# 封装函数内不应该包含太多的逻辑运算
instr_cmp += 1
if instr_cmp == 3:
return
else:
continue
# 所有函数内的指令都被分析过了
if op_addr == None:
return
name = idc.Name(op_addr)
#跳过名称粉碎的函数名称
if "[" in name or "$" in name or "?" in name or "@" in name or name == "":
return
name = "w_" + name
if op_type == o_near:
if idc.GetFunctionFlags(op_addr) & FUNC_THUNK:
rename_wrapper(name, func)
return
if op_type == o_mem or op_type == o_far:
rename_wrapper(name, func)
return
示例11: processWriteLog
# 需要导入模块: import idc [as 别名]
# 或者: from idc import GetOpType [as 别名]
def processWriteLog(self, tracker, cVa):
wlogEntry = tracker.va_write_map.get(cVa, None)
if (wlogEntry is None):
return
pc, writeVa, bytes = wlogEntry
if (writeVa in self.stackArgLocs) and (self.getStackArgNum(writeVa) not in self.resultArgs.keys()):
#it's a stack arg value
pc, value = transformWriteLogEntry(wlogEntry)
#self.tracker.logger.debug('writelog 0x%08x: Found stack arg %d: 0x%08x', pc, self.getStackArgNum(writeVa), value)
self.saveResult(writeVa, pc, value)
return
if writeVa not in self.tempMapping.keys():
#self.tracker.logger.debug('writelog 0x%08x: not interesting', pc)
return
#argName: the actual value we're tracing back
argName = self.tempMapping.pop(writeVa)
pc, value = transformWriteLogEntry(wlogEntry)
#we found a temp value tracing backwards, but need to determine if it's a constant
# or if we need to continue tracing backwards. basically as long as it's not
# a register, we stop?
mnem = idc.GetMnem(pc)
srcOpIdx = 0
if mnem.startswith('push'):
srcOpIdx = 0
elif mnem.startswith('mov'):
srcOpIdx = 1
else:
#TODO: any other data movement instructions need to be traced rahter
# than using the observed write log value?
#self.tracker.logger.debug('writelog 0x%08x: found (default): 0x%08x', pc, value)
self.saveResult(argName, pc, value)
return
#process data movements instructions:
optype = idc.GetOpType(pc, srcOpIdx)
if optype == idc.o_reg:
#need to trace the new reg now
newReg = idc.GetOpnd(pc, srcOpIdx)
#self.tracker.logger.debug('writelog 0x%08x tracing: (%s): %s', pc, self.getArgNameRep(argName), newReg)
self.tempMapping[newReg] = argName
else:
#not a register, so currently assuming we can use the stored value
#self.tracker.logger.debug('writelog 0x%08x: found (non-reg): 0x%08x', pc, value)
self.saveResult(argName, pc, value)
示例12: processRegMon
# 需要导入模块: import idc [as 别名]
# 或者: from idc import GetOpType [as 别名]
def processRegMon(self, tracker, cVa):
if tracker.regMon is None:
#tracker.logger.debug('regmon: regMon is empty')
return
regMods = tracker.regMon.reg_map.get(cVa)
if regMods is None:
#tracker.logger.debug('regmon 0x%08x: no entry in reg_map', cVa)
return
#figure out if one of the monitored regs is modified in this instruction
# and if has not already been stored -> just want the first reg value
regMods = self.tracker.regMon.reg_map[cVa]
#self.tracker.logger.debug('regmon 0x%08x: examining %d items: %r', cVa, len(regMods), regMods)
for reg in regMods:
interesting1 = (reg in self.regs) and (reg not in self.resultArgs.keys())
interesting2 = (reg in self.tempMapping.keys())
if (not interesting1) and (not interesting2):
#modified reg isn't interesting: either a function arg or a temp traced value
#self.tracker.logger.debug('regmon 0x%08x: not interesting: %s', cVa, reg)
continue
mnem = idc.GetMnem(cVa)
argName = reg
if interesting1:
self.regs.remove(reg)
if interesting2:
argName = self.tempMapping.pop(reg)
if mnem.startswith('pop'):
#add the current stack read address to the temporary tracking
rlogEntry = tracker.va_read_map.get(cVa, None)
if rlogEntry is None:
raise RuntimeError('readlog entry does not exist for a pop')
pc, readVa, bytes = rlogEntry
#self.tracker.logger.debug('regmon 0x%08x tracing (pop): %s (%s): 0x%x', cVa, argName, reg, readVa)
self.tempMapping[readVa] = argName
elif mnem.startswith('mov'):
if idc.GetOpType(cVa, 1) == idc.o_reg:
#change to track this reg backwards
newReg = idc.GetOpnd(cVa, 1)
#self.tracker.logger.debug('regmon 0x%08x tracing (mov): %s (%s)', cVa, argName, newReg)
self.tempMapping[newReg] = argName
else:
#not a register, use the modified result otherwise?
#self.tracker.logger.debug('regmon 0x%08x found (mov): %s (%s): 0x%x', cVa, argName, reg, regMods[reg])
self.saveResult(argName, cVa, regMods[reg])
else:
#TODO: any other data movement instructions that should be traced back?
#self.tracker.logger.debug('regmon 0x%08x found (default): %s (%s): 0x%x', cVa, argName, reg, regMods[reg])
self.saveResult(argName, cVa, regMods[reg])
示例13: rename_constant
# 需要导入模块: import idc [as 别名]
# 或者: from idc import GetOpType [as 别名]
def rename_constant(arg_ea, fct_name, arg_name, arg_enums):
""" Rename constants to values from standard enumerations. """
instruction = idc.GetMnem(arg_ea)
if instruction == 'push':
op_num = 0
elif instruction == 'mov':
op_num = 1
else:
raise RenamingException('Constant: unhandled instruction ' +
instruction)
op_val = idc.GetOperandValue(arg_ea, op_num)
# NULL
if op_val == 0:
targetid = idc.GetConstByName('NULL_{}_{}'.format(arg_name, fct_name))
serial = 0
enumid = idc.GetEnum(NULL_ENUM_NAME)
constid = idc.GetConstEx(enumid, 0, serial, -1)
while constid != idaapi.BADADDR:
if constid == targetid:
idc.OpEnumEx(arg_ea, op_num, enumid, serial)
return
serial = serial + 1
constid = idc.GetConstEx(enumid, 0, serial, -1)
# All other constants
op_type = idc.GetOpType(arg_ea, op_num)
if op_type == idaapi.o_imm:
# only one choice
if len(arg_enums) == 1:
enumid = idc.GetEnum(arg_enums[0])
idc.OpEnumEx(arg_ea, op_num, enumid, 0)
return
for enum in arg_enums:
enumid = idc.GetEnum(enum)
constid = get_constant_id(enumid, op_val)
if constid == idaapi.BADADDR:
# Not in this enum
continue
else:
# Found the right enum
idc.OpEnumEx(arg_ea, op_num, enumid, 0)
return