################################################
##
## Author: Javier Vicente Vallejo
## Twitter: @vallejocc
## Web: http://www.vallejo.cc
##
################################################
#
# This script asks you for a file containing address - symbol pairs.
#
# This script walks all segments searching for DWORDs that match the addresses listed in the given address - symbol file,
# and names the variable holding each matching address after its symbol.
#
# This script is meant to be used together with the windbg script dump_process_symbols_to_file.wdbg.
#
################################################
import idaapi
import idc
import idautils
import tkFileDialog
################################################
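def binarySearch(alist, item, tolerance=10):
    """Locate the entry of *alist* whose address window covers *item*.

    ``alist`` is a list of ``(address, name)`` tuples sorted ascending by
    address.  An entry matches when ``address <= item < address + tolerance``
    rather than on exact equality: the original author observed malware that
    jumps a few instructions past an API entry point (for example past the
    ``mov edi,edi / push ebp / mov ebp,esp`` prologue of
    ``ADVAPI32!RegDeleteValueW``, executing those instructions in its own
    code), so an exact comparison would miss such references.

    Args:
        alist: sorted list of ``(address, name)`` pairs.
        item: address to look up.
        tolerance: width in bytes of the window after each address that still
            counts as a hit.  Defaults to the 10 bytes hard-coded in the
            original version.

    Returns:
        ``(found, index)``: ``index`` is the position of the matching entry,
        or ``0`` when nothing matched, so callers must check ``found`` before
        using ``index``.

    Note:
        When two addresses lie closer together than ``tolerance`` their windows
        overlap and the entry returned for an item in the overlap depends on
        the search path; callers that need the nearest entry should keep their
        symbol addresses at least ``tolerance`` bytes apart.
    """
    lo, hi = 0, len(alist) - 1
    while lo <= hi:
        mid = (lo + hi) // 2
        base = alist[mid][0]
        if base <= item < base + tolerance:
            return True, mid
        # Bisect on the window start: anything below it can only be to the
        # left, anything at or above (but outside the window) to the right.
        if item < base:
            hi = mid - 1
        else:
            lo = mid + 1
    return False, 0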
################################################
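# NOTE(review): the original listing had its indentation stripped; the block
# structure below was reconstructed from the control flow (the " comment" /
# " rptcomment" branches live under " byrva" because they, too, address by
# image-base + RVA, and the "_" prefixing happens for every match).
symbols = []
imagebase = idaapi.get_imagebase()
symbols_file_path = tkFileDialog.askopenfilename()
# Read-only access is all this script needs; the original opened the file
# "r+b", which both fails on a read-only file and grants write access that is
# never used.  Binary mode is kept so "\r" / "\n" handling matches the dump.
with open(symbols_file_path, "rb") as f:
    lines = f.readlines()


def _ida_name(symbolstr):
    """Turn a ``module!symbol`` string into a name IDA accepts (no '!' or spaces)."""
    return symbolstr.replace("!", "_").replace(" ", "")


def _clean_symbol(raw):
    """Strip the decoration the windbg dump leaves on a symbol string.

    Removes the ``= <no type information>`` / ``(<no parameter info>)`` suffixes
    and decodes the ``__CARRIAGE_RETURN__`` / ``__NEWLINE__`` placeholders the
    companion dump script uses to keep one entry per line.
    """
    s = raw.strip()
    return (s.replace(" = <no type information>", "")
             .replace("(<no parameter info>)", "")
             .replace("__CARRIAGE_RETURN__", "\r")
             .replace("__NEWLINE__", "\n"))


def _operand_target(ea, n):
    """Return operand *n* of the instruction at *ea* when it is an address.

    Operand types 5, 6 and 7 are IDA's o_imm, o_far and o_near; any other
    operand kind yields ``None`` so the caller can tell "no address" from 0.
    """
    if idc.GetOpType(ea, n) in (5, 6, 7):
        return GetOperandValue(ea, n)
    return None


##### Collect symbols by content and set symbols by rva
for line in lines:
    print(line)
    # Split off only the address: the symbol text may itself contain spaces
    # (the " byrva" / " comment" markers and the " = <no type information>"
    # suffix handled in _clean_symbol).  The original split on every space,
    # which left those checks looking at the first word only.
    linesplit = line.split(" ", 1)
    # Guard against blank / single-token lines: the original tested
    # ``len(linesplit) > 0`` and then indexed ``linesplit[1]``.
    if len(linesplit) < 2:
        continue
    try:
        rva = int(linesplit[0], 16)
    except ValueError:
        # Best effort: a malformed line should not abort the whole run.
        print("skipping line with bad address: %r" % line)
        continue
    symbolstr = _clean_symbol(linesplit[1])
    if " byrva" in symbolstr:
        # Entries flagged "byrva" are applied directly at image base + RVA.
        symbolstr = symbolstr.replace(" byrva", "")
        if " comment" in symbolstr:
            symbolstr = symbolstr.replace(" comment", "")
            MakeComm(imagebase + rva, symbolstr)
        elif " rptcomment" in symbolstr:
            symbolstr = symbolstr.replace(" rptcomment", "")
            MakeRptCmt(imagebase + rva, symbolstr)
        else:
            MakeNameEx(imagebase + rva, _ida_name(symbolstr), 0)
    else:
        # Everything else is an absolute address to look for in memory.
        symbols.append((rva, symbolstr))

##### Set symbols by content
if symbols:
    # binarySearch requires the list sorted by address.
    symbols.sort(key=lambda sym: sym[0])
    for seg_ea in Segments():
        seg_end = SegEnd(seg_ea)
        ea = seg_ea
        # A while loop rather than range(): under Python 2 range() would
        # materialise one int per byte of the segment.
        while ea < seg_end:
            is_code = isCode(GetFlags(ea))
            vop1 = vop2 = None
            if is_code:
                vop1 = _operand_target(ea, 0)
                vop2 = _operand_target(ea, 1)
            # Try the raw DWORD first, then the instruction operands.  The
            # operands are compared against None, not truthiness, so an
            # operand of 0 is still looked up.
            found, i = binarySearch(symbols, Dword(ea))
            if not found and vop1 is not None:
                found, i = binarySearch(symbols, vop1)
            if not found and vop2 is not None:
                found, i = binarySearch(symbols, vop2)
            if found:
                addr, name = symbols[i]
                if is_code:
                    print("Is code!! %x %s\n" % (ea, name))
                    MakeComm(ItemHead(ea), name)
                else:
                    print("%x %s\n" % (ea, name))
                    MakeUnkn(ea, 4)
                    MakeDword(ea)
                    MakeNameEx(ea, _ida_name(name), 0)
                    MakeComm(ea, name)
                # Prefix the name so a later hit on the same symbol gets a
                # distinct IDA name instead of colliding with this one.
                symbols[i] = (addr, "_" + name)
            ea += 1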
################################################