本文整理汇总了Python中idc.PrevHead方法的典型用法代码示例。如果您正苦于以下问题:Python idc.PrevHead方法的具体用法?Python idc.PrevHead怎么用?Python idc.PrevHead使用的例子?那么, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类idc
的用法示例。
在下文中一共展示了idc.PrevHead方法的6个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: find_all_ioctls
# 需要导入模块: import idc [as 别名]
# 或者: from idc import PrevHead [as 别名]
def find_all_ioctls():
"""
From the currently selected address attempts to traverse all blocks inside the current function to find all immediate values which
are used for a comparison/sub immediately before a jz. Returns a list of address, second operand pairs.
"""
ioctls = []
# Find the currently selected function and get a list of all of it's basic blocks
addr = idc.ScreenEA()
f = idaapi.get_func(addr)
fc = idaapi.FlowChart(f, flags=idaapi.FC_PREDS)
for block in fc:
# grab the last two instructions in the block
last_inst = idc.PrevHead(block.endEA)
penultimate_inst = idc.PrevHead(last_inst)
# If the penultimate instruction is cmp or sub against an immediate value immediately preceding a 'jz'
# then it's a decent guess that it's an IOCTL code (if this is a dispatch function)
if idc.GetMnem(penultimate_inst) in ['cmp', 'sub'] and idc.GetOpType(penultimate_inst, 1) == 5:
if idc.GetMnem(last_inst) == 'jz':
value = get_operand_value(penultimate_inst)
ioctls.append((penultimate_inst, value))
ioctl_tracker.add_ioctl(penultimate_inst, value)
return ioctls
示例2: get_function_end_address
# 需要导入模块: import idc [as 别名]
# 或者: from idc import PrevHead [as 别名]
def get_function_end_address(ea):
"""
Get function end address
@param ea: function start_ea.
@return: The function end ea. If no function end ea found returns None.
"""
try:
if ea is None:
return None
func_attr_end = idc.GetFunctionAttr(ea, idc.FUNCATTR_END)
if func_attr_end == idc.BADADDR:
return None
return idc.PrevHead(func_attr_end, ea)
except Exception as ex:
raise RuntimeError("Count not locate end address for function %s: %s" % (hex(ea), ex))
示例3: get_bbl_head
# 需要导入模块: import idc [as 别名]
# 或者: from idc import PrevHead [as 别名]
def get_bbl_head(self, head):
"""
The function returns address of the head instruction
for the basic block.
@head - address of arbitrary instruction in the basic block.
@return - head address of the basic block.
"""
while 1:
prev_head = idc.PrevHead(head, 0)
if isFlow(idc.GetFlags(prev_head)):
head = prev_head
if prev_head >= SegEnd(head):
raise Exception("Can't identify bbl head")
continue
else:
if prev_head == hex(0xffffffffL):
return head
else:
return prev_head
break
示例4: find_arg_ea
# 需要导入模块: import idc [as 别名]
# 或者: from idc import PrevHead [as 别名]
def find_arg_ea(ea_call, arg_name):
""" Return ea of argument by looking backwards from library function
call.
Arguments:
ea_call -- effective address of call
arg_name -- the argument name to look for
"""
# the search for previous instruction/data will stop at the specified
# address (inclusive)
prev_instr = idc.PrevHead(ea_call, ea_call - PREVIOUS_INSTR_DELTA)
while prev_instr > (ea_call - ARG_SEARCH_THRESHOLD) and \
prev_instr != idaapi.BADADDR:
# False indicates not to look for repeatable comments
comment = idc.GetCommentEx(prev_instr, False)
if comment == arg_name:
return prev_instr
prev_instr = idc.PrevHead(
prev_instr, prev_instr - PREVIOUS_INSTR_DELTA)
raise ArgumentNotFoundException(' Argument {} not found within threshold'
.format(arg_name))
示例5: find_pool_tags
# 需要导入模块: import idc [as 别名]
# 或者: from idc import PrevHead [as 别名]
def find_pool_tags():
""" Dirty hack around IDA's type information, find references to tag using functions then the comment marking the tag
then add the function caller/tag to output dictionary.
"""
funcs = [
'ExAllocatePoolWithTag',
'ExFreePoolWithTag',
'ExAllocatePoolWithTagPriority'
]
tags = {}
def imp_cb(ea, name, ord):
if name in funcs:
for xref in idautils.XrefsTo(ea):
call_addr = xref.frm
caller_name = idc.GetFunctionName(call_addr)
prev = idc.PrevHead(call_addr)
for _ in range(10):
if idc.Comment(prev) == 'Tag' and idc.GetOpType(prev, 1) == 5:
tag_raw = idc.GetOperandValue(prev, 1)
tag = ''
for i in range(3, -1, -1):
tag += chr((tag_raw >> 8 * i) & 0xFF)
if tag in tags.keys():
tags[tag].add(caller_name)
else:
tags[tag] = set([caller_name])
break
prev = idc.PrevHead(prev)
return True
nimps = idaapi.get_import_module_qty()
for i in xrange(0, nimps):
name = idaapi.get_import_module_name(i)
if not name:
continue
idaapi.enum_import_names(i, imp_cb)
return tags
示例6: get_function_args_count
# 需要导入模块: import idc [as 别名]
# 或者: from idc import PrevHead [as 别名]
def get_function_args_count(self, function_ea, local_vars):
"""
The function returns count of function arguments
@function_ea - function entry point
@local_vars - local variables dictionary
@return - function arguments count
"""
# i#9 Now, we can't identify fastcall functions.
function_args_count = 0
args_dict = dict()
for local_var in local_vars:
usage_list = local_vars.get(local_var, None)
if usage_list == None:
print "WARNING: empty usage list for ", local_var
continue
for head in usage_list:
ops = self.get_instr_operands(int(head, 16))
for idx, (op,type) in enumerate(ops):
if op.count("+") == 1:
value = idc.GetOperandValue(int (head, 16), idx)
if value < (15 * ARGUMENT_SIZE) and "ebp" in op:
args_dict.setdefault(local_var, []).append(head)
elif op.count("+") == 2:
if "arg" in local_var:
args_dict.setdefault(local_var, []).append(head)
else:
continue
function_args_count = len(args_dict)
if function_args_count:
return function_args_count, args_dict
#TODO Check previous algorithm here
f_end = idc.FindFuncEnd(function_ea)
f_end = idc.PrevHead(f_end, 0)
instr_mnem = idc.GetMnem(f_end)
#stdcall ?
if "ret" in instr_mnem:
ops = self.get_instr_operands(f_end)
if len(ops) == 1:
for op,type in ops:
op = op.replace("h", "")
function_args_count = int(op,16)/ARGUMENT_SIZE
return function_args_count, args_dict
#cdecl ?
refs = idautils.CodeRefsTo(function_ea, 0)
for ref in refs:
#trying to find add esp,x signature after call
head = idc.NextHead(ref, 0xFFFFFFFF)
if head:
disasm = idc.GetDisasm(head)
if "add" in disasm and "esp," in disasm:
ops = self.get_instr_operands(head)
op,type = ops[1]
if op:
op = op.replace("h", "")
function_args_count = int(op,16)/ARGUMENT_SIZE
return function_args_count, args_dict
return function_args_count, args_dict