Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
8bd398f
commit d747097
Showing
3 changed files
with
210 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -52,3 +52,6 @@ coverage.xml | |
| # Sphinx documentation | ||
| docs/_build/ | ||
|
|
||
| # Mac OS files | ||
| .DS_Store | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,82 @@ | ||
| # Find calls to GetProcAddress and rename global variables | ||
| import idc | ||
| import idaapi | ||
| ''' | ||
| cot_asg | ||
| / \ | ||
| / \ | ||
| cot_obj cot_cast | ||
| | | ||
| cot_call | ||
| / | \ | ||
| / | \ | ||
| / | \ | ||
| / | \ | ||
| cot_obj cot_var cot_obj | ||
| ''' | ||
| def findGetProcAddress(cfunc): | ||
| class visitor(idaapi.ctree_visitor_t): | ||
| def __init__(self, cfunc): | ||
| idaapi.ctree_visitor_t.__init__(self, idaapi.CV_FAST) | ||
| self.cfunc = cfunc | ||
|
|
||
| def visit_expr(self, i): | ||
| if (i.op == idaapi.cot_call): | ||
| # look for calls to GetProcAddress | ||
| if (idc.Name(i.x.obj_ea) == "GetProcAddress"): | ||
|
|
||
| # ASCSTR_C == 0 | ||
| # check to see if the second argument is a c string | ||
| if (idc.GetStringType(i.a[1].obj_ea) == 0): | ||
| targetName = idc.GetString(i.a[1].obj_ea, -1, 0) | ||
| #print "GetProcAdderss for: %s" % (targetName) | ||
|
|
||
| ## found function name | ||
| ## look for global assignment | ||
| parent = self.cfunc.body.find_parent_of(i) | ||
| print "Parent type: %s" % parent.op | ||
| if (parent.op == idaapi.cot_cast): | ||
| # ignore casts and look for the parent | ||
| parent = self.cfunc.body.find_parent_of(parent) | ||
| print "Parent Parent type: %s" % parent.op | ||
|
|
||
| if (parent.op == idaapi.cot_asg): | ||
| # we want to find the left hand side | ||
| print "Left Side %s %s" % (parent.cexpr.x.opname, hex(parent.cexpr.x.obj_ea)) | ||
| idc.MakeName(parent.cexpr.x.obj_ea, targetName + "_") | ||
|
|
||
| return 0 | ||
|
|
||
| v = visitor(cfunc) | ||
| v.apply_to(cfunc.body, None) | ||
|
|
||
| def event_callback(event, *args): | ||
|
|
||
| if event == idaapi.hxe_maturity: | ||
| cfunc, maturity = args | ||
| if maturity == idaapi.CMAT_FINAL: | ||
| findGetProcAddress(cfunc) | ||
|
|
||
| return 0 | ||
|
|
||
| def main(): | ||
| if not idaapi.init_hexrays_plugin(): | ||
| return False | ||
|
|
||
| print "Hex-rays version %s has been detected" % idaapi.get_hexrays_version() | ||
|
|
||
| idaapi.install_hexrays_callback(event_callback) | ||
| ''' | ||
| f = idaapi.get_func(idaapi.get_screen_ea()); | ||
| if f is None: | ||
| print "Please position the cursor within a function" | ||
| return True | ||
| cfunc = idaapi.decompile(f); | ||
| if cfunc is None: | ||
| print "Failed to decompile!" | ||
| return True | ||
| print "Decompiled function" | ||
| ''' | ||
| if main(): | ||
| idaapi.term_hexrays_plugin(); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,125 @@ | ||
| # | ||
| # Stack strings helper | ||
| # IDA's decompiler view shows stack strings in numerical form, a format highly unreadable. | ||
| # This script adds a popup menu entry to display them as characters, to quickly skim through them | ||
| # | ||
| # Tested with IDA 7+ | ||
| # | ||
|
|
||
| import ida_hexrays | ||
| import ida_kernwin | ||
| import idaapi | ||
|
|
||
| import string | ||
|
|
||
|
|
||
| ACTION_NAME = "Stack strings" | ||
|
|
||
| # -------------------------------------------------------------------------- | ||
| class char_converter_visitor_t(idaapi.ctree_visitor_t): | ||
| def __init__(self): | ||
| idaapi.ctree_visitor_t.__init__(self, idaapi.CV_FAST) | ||
|
|
||
| def visit_expr(self, expr): | ||
| """ | ||
| Search for simple assignents to stack vars | ||
| """ | ||
| if expr.op != ida_hexrays.cot_asg: | ||
| return 0 | ||
|
|
||
| _x = expr.x | ||
| _y = expr.y | ||
|
|
||
| if _x.op == ida_hexrays.cot_var and _y.op == ida_hexrays.cot_num: | ||
| # Something like "v1 = 65" | ||
| num_value = _y.n.value(_y.type) | ||
|
|
||
| # Bail out soon | ||
| if num_value < 1 or num_value > 255: | ||
| return 0 | ||
|
|
||
| if chr(num_value) not in string.printable: | ||
| return 0 | ||
|
|
||
| # Create a new expr object to replace _y | ||
| # This will be of type cot_str | ||
| z = idaapi.cexpr_t() | ||
|
|
||
| # In order to modify an existing cexpr | ||
| # you have to swap it with a newly created one | ||
| z.swap(_y) | ||
| _y.op = ida_hexrays.cot_str | ||
| _y.string = chr(num_value) | ||
|
|
||
| return 0 | ||
|
|
||
| # -------------------------------------------------------------------------- | ||
| class stack_strings_ah_t(ida_kernwin.action_handler_t): | ||
| def __init__(self): | ||
| ida_kernwin.action_handler_t.__init__(self) | ||
|
|
||
| def activate(self, ctx): | ||
| vu = ida_hexrays.get_widget_vdui(ctx.widget) | ||
| # ---------------------------------------------- | ||
| # Do something with the vdui (vu) | ||
| print "Analyzing decompiled code..." | ||
| cv = char_converter_visitor_t() | ||
| cv.apply_to(vu.cfunc.body, None) | ||
|
|
||
| vu.refresh_ctext() | ||
|
|
||
| return 1 | ||
|
|
||
| def update(self, ctx): | ||
| return ida_kernwin.AST_ENABLE_FOR_WIDGET if \ | ||
| ctx.widget_type == ida_kernwin.BWN_PSEUDOCODE else \ | ||
| ida_kernwin.AST_DISABLE_FOR_WIDGET | ||
|
|
||
|
|
||
| def cb(event, *args): | ||
| if event == ida_hexrays.hxe_populating_popup: | ||
| widget, phandle, vu = args | ||
| res = idaapi.attach_action_to_popup(vu.ct, None, ACTION_NAME) | ||
|
|
||
| return 0 | ||
|
|
||
|
|
||
| def show_banner(): | ||
| print "-" * 60 | ||
| print "CHAR CONVERTER" | ||
| print "Converts stack string assignments to char representation" | ||
| print "Example:" | ||
| print "v1 = 65 -> v1 = 'A'" | ||
| print "v2 = 66 -> v1 = 'B'" | ||
| print "..." | ||
| print "-" * 60 | ||
|
|
||
|
|
||
| def main(): | ||
| show_banner() | ||
|
|
||
| print "Unregistering old action..." | ||
| ida_kernwin.unregister_action(ACTION_NAME) | ||
|
|
||
| if ida_hexrays.init_hexrays_plugin(): | ||
| ida_kernwin.register_action( | ||
| ida_kernwin.action_desc_t( | ||
| ACTION_NAME, | ||
| "Keep sanity (stack strings)", | ||
| stack_strings_ah_t(), | ||
| None)) | ||
|
|
||
| print "Registered new action" | ||
|
|
||
| idaapi.install_hexrays_callback(cb) | ||
|
|
||
| else: | ||
| print "[x] No decompiler found!" | ||
| return | ||
|
|
||
|
|
||
|
|
||
| if __name__ == '__main__': | ||
| main() | ||
|
|