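def _feature_functiontype(self, f_ea):
    '''
    Classify the function by type: return 1 if it looks like a memory-operation
    routine (memcpy-like), otherwise 0. More types may be added later.

    Only instructions inside the loops recorded in self.loops are scanned
    (prior feature: loopcount), so a function without loops always yields 0.
    An instruction inside a loop counts as a memory operation when it is:
      a. a mov whose first operand has type 3 or 4,
      b. a string instruction: movs/movsd, stos, lods,
      c. a call whose instruction text contains 'strcpy', 'memcpy',
         'alloc' or 'free'.
    The "index change" criterion from the original design notes is not
    implemented here.

    f_ea is accepted for interface compatibility but is not read.

    NOTE(review): the call check is a plain substring match on the instruction
    text, so it also fires on any callee whose name merely contains 'alloc' or
    'free', and it does not fire on other copy routines such as strncpy or
    memmove. Treat the result as a coarse triage feature, not as a complete
    list of functions that touch memory.
    '''
    # Numeric instruction codes are kept exactly as the original used them.
    # NOTE(review): presumably x86 itype values of the IDA processor module;
    # confirm against the IDA version in use.
    mov_itypes = (122,)              # mov
    string_itypes = (124, 207, 107)  # movs/movsd, stos, lods
    call_itypes = (16,)              # call
    # NOTE(review): 3 and 4 are presumably IDA's o_phrase / o_displ operand
    # types (register-indirect memory destination); confirm. Direct memory
    # operands are not counted.
    indirect_optypes = (3, 4)
    call_markers = ('strcpy', 'memcpy', 'alloc', 'free')

    for loop in self.loops.values():
        for block in loop:
            # block is indexed as (start_ea, end_ea) by the original code.
            for l_ea in idautils.Heads(block[0], block[1]):
                inst = idautils.DecodeInstruction(l_ea)
                if inst is None:
                    # Head could not be decoded as an instruction; skip it.
                    continue
                if inst.itype in mov_itypes:
                    if inst[0].type in indirect_optypes:
                        return 1
                elif inst.itype in string_itypes:
                    return 1
                elif inst.itype in call_itypes:
                    istr = GetInstruction(l_ea)
                    if any(marker in istr for marker in call_markers):
                        return 1
    # No qualifying instruction was found in any loop.
    return 0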