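def find_vm_addr(trace):
    """
    Find the virtual machine addr

    Heuristic: the function that the trace executes the most ``push``
    instructions in is taken as the VM entry, and its segment as the VM
    segment. If the largest function in that segment is a different one,
    both candidates are offered to the user via ``AskAddr``.

    :param trace: instruction trace; each entry is expected to expose
        ``addr`` and ``disasm`` (a sequence whose first element is the
        mnemonic) -- TODO confirm against the trace producer
    :return: virtual function start addr (or the address picked in ``AskAddr``)
    :raises ValueError: if no ``push`` instruction could be attributed to a
        function, so there is no candidate to return
    """
    push_dict = defaultdict(int)
    vm_func_dict = defaultdict(int)
    # try to find the vm Segment via series of push commands, which identify the vm_addr also
    for line in trace:
        try:
            mnemonic = line.disasm[0]
            addr = line.addr
        except (AttributeError, IndexError, TypeError):
            # Malformed or empty trace entries are skipped instead of aborting
            # the whole scan (bare "except: pass" previously also swallowed
            # KeyboardInterrupt/SystemExit).
            continue
        if mnemonic == 'push':
            # NOTE(review): a push outside any function presumably yields
            # BADADDR from GetFunctionAttr and is still counted -- verify
            # whether such entries should be filtered out.
            push_dict[GetFunctionAttr(addr, FUNCATTR_START)] += 1
    if not push_dict:
        # max() on an empty dict would raise a bare ValueError; say why.
        raise ValueError("no push instruction in trace could be mapped to a function")
    vm_func = max(push_dict, key=push_dict.get)
    vm_seg_start = SegStart(vm_func)
    vm_seg_end = SegEnd(vm_func)
    # test whether the vm_func is the biggest func in the Segment
    for f in Functions(vm_seg_start, vm_seg_end):
        vm_func_dict[f] = GetFunctionAttr(f, FUNCATTR_END) - GetFunctionAttr(f, FUNCATTR_START)
    # Functions() may yield nothing (vm_func outside a recognised segment);
    # then there is no competing candidate and vm_func is returned as-is.
    biggest_func = max(vm_func_dict, key=vm_func_dict.get) if vm_func_dict else vm_func
    if biggest_func != vm_func:
        return AskAddr(vm_func,
                       "Found two possible addresses for the VM function start address: %s and %s. Choose one!" %
                       (vm_func, biggest_func))
    return vm_func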