ida python函数
本帖最后由 元始天尊 于 2015-10-18 16:07 编辑总结一下:
idautils.py
CodeRefsFrom(ea,flow) 查找给定代码段地址指令引用到的代码
ea=地址
for ref in CodeRefsFrom(ScreenEA(), 1):
print ref
CodeRefsTo(ea,flow) 查找引用给定代码段地址指令到的代码
DataRefsFrom(ea,flow)
DataRefsTo(ea,flow)
XrefsFrom(ea, flags=0) 查找所有交叉引用
XrefsTo(ea, flags=0)
Functions(start=None, end=None)获取地址范围中的每个函数
Chunks(start) 获取指定地址所在函数范围
Names() 遍历符号表
Segments() 遍历各个段基址
Entries() 入口点信息
FuncItems(start)每行汇编代码的地址
Structs()遍历结构体
StructMembers(sid)遍历结构体成员
DecodePrecedingInstruction(ea)获取指令结构
DecodePreviousInstruction(ea)
DecodeInstruction(ea)
GetInputFileMD5() 获取输入文件md5
Strings(object) 获取字符串
GetIdbDir() 获取idb目录
GetRegisterList() 获取寄存器名表
GetInstructionList() 获取汇编指令表
Assemble(ea, line)汇编一条指令到机器码
print Assemble(0x13480,{"nop",GetDisasm(0x13480)})
(True, ['\xe8O\xc6\x01\x00', '\x90'])
atoa(ea)获取所在段
Jump(ea) 移动光标
Eval(expr) 计算表达式
Exec(command) 执行命令行
MakeCode(ea)分析代码区
MakeNameEx(ea, name, flags)重命名地址
MakeArray(ea, nitems) 创建数组
MakeStr(ea, endea) 创建字符串
MakeData(ea, flags, size, tid) 创建数据
MakeByte(ea)
MakeWord(ea)
MakeDWord(ea)
MakeQWord(ea)
MakeOWord(ea)
MakeYWord(ea)
MakeFloat(ea)
MakeDouble(ea)
MakePackReal(ea)
MakeTbyte(ea)
MakeStructEx(ea)
MakeCustomDataEx(ea)
PatchByte(ea, value) 修改程序字节
PatchWord(ea, value)
PatchDword(ea, value)
PatchByte(ea, value)
PatchByte(ea, value)
Byte(ea) 将地址解释为Byte
Word(ea)
DWord(ea)
QWord(ea)
GetFloat(ea)
GetDouble(ea)
GetDisasm(ea) 获取反汇编
GetString(ea, length = -1, strtype = ASCSTR_C)获取字符串
LocByName(name)获取符号地址
ScreenEA()获取光标所在地址
GetCurrentLine()获取光标所在行反汇编
ItemSize(ea)获取指令或数据长度
FindText(ea, flag, y, x, searchstr)查找文本
FindBinary(ea, flag, searchstr, radix=16) 查找16进制
FirstSeg()遍历pe段
NextSeg(ea)
SegStart(ea)获取段首位置
SegEnd(ea)获取段尾位置
SegName(ea)获取段名
GetEntryPointQty() 获取入口点个数
GetEntryOrdinal(index)获取入口点地址
GetEntryName(ordinal) 入口名
查找以 mov [ebp+?], ? 形式逐字节存储的字符串,用python脚本自动查找:
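# Scan the executable segments for "stack strings": text that is written one
# character at a time with immediate-byte stores (or pushes) instead of being
# referenced as a string literal. Each encoding is identified by its opcode
# bytes; Word() reads little-endian, so the byte pair C6 45 compares as 0x45C6.
#   C6 45 disp8  imm8   mov byte ptr [ebp+disp8], imm8   4 bytes, char at +3
#   C6 85 disp32 imm8   mov byte ptr [ebp+disp32], imm8  7 bytes, char at +6
#   6A imm8             push imm8                        char at +1, 7-byte stride
#                                                        (kept from the original heuristic)
# A run is reported only when two consecutive instances are found and the first
# character is ASCII (< 0x80), which filters most stray opcode bytes.
_STACK_STRING_PATTERNS = (
    # (opcode reader, opcode value, offset of the character byte, instruction stride)
    (Word, 0x45C6, 3, 4),
    (Word, 0x85C6, 6, 7),
    (Byte, 0x6A, 1, 7),
)


def _read_stack_string(ea, reader, opcode, char_off, stride):
    """Collect the run of matching instructions that starts at ea.

    Returns (text, end_ea): text is the characters in store order and end_ea is
    the first address whose opcode no longer matches, where scanning resumes.
    """
    chars = []
    while reader(ea) == opcode:
        chars.append(chr(Byte(ea + char_off)))
        ea += stride
    return "".join(chars), ea


def _scan_stack_strings(start, end):
    """Print every stack string found in [start, end] with its start address."""
    ea = start
    while ea <= end:
        for reader, opcode, char_off, stride in _STACK_STRING_PATTERNS:
            if (reader(ea) == opcode and reader(ea + stride) == opcode
                    and Byte(ea + char_off) < 0x80):
                print("string at %x" % ea)
                text, ea = _read_stack_string(ea, reader, opcode, char_off, stride)
                print(text)
                break
        # Byte-wise scan: alignment of the next candidate does not matter.
        ea += 1


for seg in Segments():
    print(SegName(seg))
    if SegName(seg) in (".text", "INIT"):
        _scan_stack_strings(seg, SegEnd(seg))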
如何处理 经过处理的字符串,除了上帖中的问题,还存在以下情况:
RegPath = '\\';
RegPath = 'R';
RegPath = 'E';
RegPath = 'G';
RegPath = 'I';
RegPath = 'S';
RegPath = 'T';
RegPath = 'R';
RegPath = 'Y';
RegPath = '\\';
RegPath = 'M';
RegPath = 'A';
RegPath = 'C';
RegPath = 'H';
RegPath = 'I';
RegPath = 'N';
RegPath = 'E';
RegPath = '\\';
RegPath = 'S';
RegPath = 'Y';
RegPath = 'S';
RegPath = 'T';
RegPath = 'E';
RegPath = 'M';
RegPath = '\\';
RegPath = 'C';
RegPath = 'U';
RegPath = 'R';
RegPath = 'R';
RegPath = 'E';
RegPath = 'N';
RegPath = 'T';
RegPath = 'C';
RegPath = 'O';
RegPath = 'N';
RegPath = 'T';
RegPath = 'R';
RegPath = 'R';
RegPath = 'O';
RegPath = 'V';
RegPath = 'I';
RegPath = 'C';
RegPath = 'E';
RegPath = 'S';
RegPath = 'T';
RegPath = 'L';
RegPath = 'S';
RegPath = 'S';
RegPath = 'D';
RegPath = 'E';
RegPath = 'E';
RegPath = 'T';
RegPath = 'F';
RegPath = '\\';
RegPath = 'E';
RegPath = 'S';
RegPath = 'E';
RegPath = 'B';
RegPath = 'E';
RegPath = '\\';
RegPath = 'N';
RegPath = 'S';
RegPath = 'T';
RegPath = 0;
可见是乱序排列的,这时我们可以用idc脚本直接看结果:
auto RegPath=" " ;
RegPath = '\\';
RegPath = 'R';
RegPath = 'E';
RegPath = 'G';
RegPath = 'I';
RegPath = 'S';
RegPath = 'T';
RegPath = 'R';
RegPath = 'Y';
RegPath = '\\';
RegPath = 'M';
RegPath = 'A';
RegPath = 'C';
RegPath = 'H';
RegPath = 'I';
RegPath = 'N';
RegPath = 'E';
RegPath = '\\';
RegPath = 'S';
RegPath = 'Y';
RegPath = 'S';
RegPath = 'T';
RegPath = 'E';
RegPath = 'M';
RegPath = '\\';
RegPath = 'C';
RegPath = 'U';
RegPath = 'R';
RegPath = 'R';
RegPath = 'E';
RegPath = 'N';
RegPath = 'T';
RegPath = 'C';
RegPath = 'O';
RegPath = 'N';
RegPath = 'T';
RegPath = 'R';
RegPath = 'R';
RegPath = 'O';
RegPath = 'V';
RegPath = 'I';
RegPath = 'C';
RegPath = 'E';
RegPath = 'S';
RegPath = 'T';
RegPath = 'L';
RegPath = 'S';
RegPath = 'S';
RegPath = 'D';
RegPath = 'E';
RegPath = 'E';
RegPath = 'T';
RegPath = 'F';
RegPath = '\\';
RegPath = 'E';
RegPath = 'S';
RegPath = 'E';
RegPath = 'B';
RegPath = 'E';
RegPath = '\\';
RegPath = 'N';
RegPath = 'S';
RegPath = 'T';
RegPath = 0;
print(RegPath);
标注常量UNICODE_STRING
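/* WDK helpers for building constant OBJECT_ATTRIBUTES / UNICODE_STRING
 * initialisers. The layout RTL_CONSTANT_STRING produces is what the
 * data-segment scan on this page keys on: { Length, MaximumLength, Buffer }
 * with MaximumLength == Length + sizeof(one element). */
#define RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) \
    { sizeof(OBJECT_ATTRIBUTES), NULL, RTL_CONST_CAST(PUNICODE_STRING)(n), a, NULL, NULL }
#define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a)
/* Length excludes the terminator: sizeof(s) minus ONE element. Subtracting
 * sizeof(s) itself would always yield Length 0 (the "[0]" was presumably
 * lost when the text was pasted). */
#define RTL_CONSTANT_STRING(s) { sizeof( s ) - sizeof( (s)[0] ), sizeof( s ), s }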
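# Tag constant UNICODE_STRING / ANSI_STRING literals in the data segments so IDA
# shows them as structs instead of raw words. A constant string descriptor has
# Length = byte length of the text, MaximumLength = Length + terminator size
# (2 for UTF-16, 1 for ANSI) and Buffer pointing at text IDA has already typed
# as a wide / C string. Buffer is read with Dword(), i.e. a 32-bit pointer:
# NOTE(review): this assumes a 32-bit image — confirm before using on x64 idbs.
#
# Fixes over the NextSeg() walk: the first segment is no longer skipped, and the
# scan is bounded by SegEnd() rather than the start of the following segment
# (which is BADADDR for the last segment and spans gaps between segments).
_STRING_STRUCTS = (
    # (terminator size, string type IDA must have assigned to Buffer, struct name)
    (2, ASCSTR_UNICODE, "UNICODE_STRING"),
    (1, ASCSTR_C, "ANSI_STRING"),
)


def _tag_string_structs(start, end):
    """Walk [start, end] in 2-byte steps and apply the first matching struct."""
    ea = start
    while ea <= end:
        length = Word(ea)
        max_length = Word(ea + 2)
        for term, strtype, struct_name in _STRING_STRUCTS:
            # Check the cheap Length relation first; GetStringType() only runs
            # on candidates that pass it.
            if length + term == max_length and GetStringType(Dword(ea + 4)) == strtype:
                MakeStruct(ea, struct_name)
                ea += 8  # Length(2) + MaximumLength(2) + Buffer(4)
                break
        else:
            ea += 2


for seg in Segments():
    print(SegName(seg))
    if SegName(seg) in (".rdata", ".data"):
        _tag_string_structs(seg, SegEnd(seg))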
查找伪调用:
mov eax,ServiceIndex
lea edx, [esp+4]
int 2E
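# Find hand-rolled system-call stubs that enter the kernel directly with
# int 2E instead of going through the normal Nt* import:
#   A1 imm32        mov eax, ServiceIndex   5 bytes
#   8D 54 24 04     lea edx, [esp+4]        4 bytes (little-endian Dword 0x0424548D)
#   CD 2E           int 2Eh                 2 bytes (little-endian Word 0x2ECD)
# The int 2E word is checked explicitly; the original pattern only matched the
# first two instructions. After a hit the scan resumes right after the 11-byte
# stub instead of skipping one extra byte.
#
# Fixes over the NextSeg() walk: the first segment is no longer skipped, and the
# scan is bounded by SegEnd() rather than the start of the following segment
# (which is BADADDR for the last segment and spans gaps between segments).
_SYSCALL_STUB_LEN = 11


def _is_fake_nt_call(ea):
    """True when the three-instruction int 2E stub starts at ea."""
    return (Byte(ea) == 0xA1
            and Dword(ea + 5) == 0x0424548D
            and Word(ea + 9) == 0x2ECD)


def _scan_fake_nt_calls(start, end):
    """Print the address of every stub in [start, end]."""
    ea = start
    while ea <= end:
        if _is_fake_nt_call(ea):
            print("FakeNtCall at %x\n" % ea)
            ea += _SYSCALL_STUB_LEN
        else:
            ea += 1


for seg in Segments():
    print(SegName(seg))
    if SegName(seg) in (".text", "INIT"):
        _scan_fake_nt_calls(seg, SegEnd(seg))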
可以可以!! 可以可以!!