[FEATURE] On import.txt load: set thunks as data of appropriate size

hasherezade · Jan 13, 2022 · 54e6c16 · 54e6c16
1 parent 4e992f0
commit 54e6c16
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/ifl.py b/ifl.py
@@ -18,6 +18,7 @@
 
 import idaapi  # type: ignore
 import idc  # type: ignore
+import ida_bytes
 import ida_kernwin
 
 from idaapi import BADADDR, jumpto, next_addr, o_void, prev_addr,\
@@ -935,6 +936,7 @@ def _saveFunctionsNames(self, file_name: Optional[str], ext: str) -> bool:
     def _stripImportName(self, func_name) -> str:
         """Keep only ImportName, without the DLL name, and the ordinal.
         """
+
         fn1 = func_name.split('.')
         if len(fn1) >= 2:
             func_name = fn1[1].strip()
@@ -943,6 +945,21 @@ def _stripImportName(self, func_name) -> str:
             func_name = fn1[0].strip()
         return func_name
 
+    def _defineImportThunk(self, start, thunk_val):
+        """If the binary has the Import Thunk filled, define it as a data chunk of appropriate size.
+        """
+
+        info = idaapi.get_inf_structure()
+        if info.is_64bit():
+            curr_val = idc.get_qword(start)
+            if (curr_val == thunk_val):
+                return ida_bytes.create_data(start, idaapi.FF_QWORD, 8, idaapi.BADADDR)
+        elif info.is_32bit():
+            curr_val = ida_bytes.get_dword(start)
+            if (curr_val == thunk_val):
+                return ida_bytes.create_data(start, idaapi.FF_DWORD, 4, idaapi.BADADDR)
+        return False
+
     def _loadFunctionsNames(self, file_name: Optional[str], ext: str) -> Optional[Tuple[int, int]]:
         """Loads functions names from the given file into the internal mappings.
         Fromats: CSV (default), or TAG (PE-bear, PE-sieve compatibile).
@@ -987,6 +1004,8 @@ def _loadFunctionsNames(self, file_name: Optional[str], ext: str) -> Optional[Tu
                 if is_imp_list or (start in curr_functions):
                     if is_imp_list:
                         func_name = self._stripImportName(func_name)
+                        thunk_val = int(fn[1].strip(), 16)
+                        self._defineImportThunk(start, thunk_val)
 
                     if self.subDataManager.setFunctionName(start, func_name):
                         functions += 1