def output_symbols(out):
    """Write one ``("name" 0xSTART 0xEND)`` line per function to ``out``.

    Every segment reported by ``idautils.Segments()`` is walked, and each
    function found in it is emitted with its start and end address.

    The name is interpolated between double quotes without any escaping.
    NOTE(review): a consumer parsing these lines should not assume names
    are free of quote or backslash characters. Confirm which characters
    IDA permits in names for the database being dumped, which matters most
    when the input binary is untrusted.

    @param out: any object with a ``write(str)`` method.
    """
    # Prefer get_func_name2: per the original author's note, get_func_name
    # is deprecated (at least from IDA 6.9). Older IDA versions do not have
    # get_func_name2, so fall back to the older name there.
    try:
        from idaapi import get_func_name2 as get_func_name
    except ImportError:
        from idaapi import get_func_name

    def func_name_propagate_thunk(ea):
        """Return the name to report for the function at ``ea``.

        A name starting with a letter is used as is. Otherwise, if the
        function is flagged FUNC_THUNK, the name of the thunk target is
        used when it is non-empty and shorter than the function's own name.
        """
        # NOTE(review): indexing [0] assumes get_func_name returned a
        # non-empty string for ea. Confirm against callers.
        own_name = get_func_name(ea)
        if own_name[0].isalpha():
            return own_name

        fn = idaapi.get_func(ea)
        target_slot = idaapi.ea_pointer()
        if (fn.flags & idaapi.FUNC_THUNK) == idaapi.FUNC_THUNK:
            target = idaapi.calc_thunk_func_target(fn, target_slot.cast())
        else:
            target = idaapi.BADADDR

        # Look the name up at the thunk target when one was resolved.
        lookup_ea = target if target != idaapi.BADADDR else ea
        target_name = get_func_name(lookup_ea) or ''  # never None

        if 0 < len(target_name) < len(own_name):
            return target_name
        # Fall back to the non-propagated name when IDA gives a
        # zero-length name or finds a longer import name.
        return own_name

    for seg_ea in idautils.Segments():
        seg_funcs = idautils.Functions(idc.SegStart(seg_ea),
                                       idc.SegEnd(seg_ea))
        for func_ea in seg_funcs:
            name = func_name_propagate_thunk(func_ea)
            start = idc.GetFunctionAttr(func_ea, idc.FUNCATTR_START)
            end = idc.GetFunctionAttr(func_ea, idc.FUNCATTR_END)
            out.write('("%s" 0x%x 0x%x)\n' % (name, start, end))
python类FUNC_THUNK的实例源码
def is_import_or_lib_func(ea):
    """
    Is ea part of an imported function or a known library?

    The check is a bit test on the function's flags against FUNC_LIB and
    FUNC_THUNK, so a thunk is what counts as "imported" here.

    @param ea: any ea within the function scope
    @return: the masked flag bits (an integer, not a literal bool): non-zero
             when either FUNC_LIB or FUNC_THUNK is set, zero otherwise.
    """
    func_flags = Functions(ea).flags
    lib_or_thunk = idaapi.FUNC_LIB | idaapi.FUNC_THUNK
    return func_flags & lib_or_thunk
def is_thunk(cls, func):
    '''Report whether the function ``func`` is flagged as a code thunk.

    ``func`` is resolved through ``by()``; the result is True only when the
    FUNC_THUNK bit is set in the resolved function's flags.
    '''
    flags = by(func).flags
    thunk_bit = idaapi.FUNC_THUNK
    return (flags & thunk_bit) == thunk_bit
def is_thunk(cls, func):
    '''Report whether the function ``func`` is flagged as a code thunk.

    ``func`` is resolved through ``by()``; the result is True only when the
    FUNC_THUNK bit is set in the resolved function's flags.
    '''
    flags = by(func).flags
    thunk_bit = idaapi.FUNC_THUNK
    return (flags & thunk_bit) == thunk_bit
def is_thunk(cls, func):
    '''Report whether the function ``func`` is flagged as a code thunk.

    ``func`` is resolved through ``by()``; the result is True only when the
    FUNC_THUNK bit is set in the resolved function's flags.
    '''
    flags = by(func).flags
    thunk_bit = idaapi.FUNC_THUNK
    return (flags & thunk_bit) == thunk_bit
def is_thunk(cls, func):
    '''Report whether the function ``func`` is flagged as a code thunk.

    ``func`` is resolved through ``by()``; the result is True only when the
    FUNC_THUNK bit is set in the resolved function's flags.
    '''
    flags = by(func).flags
    thunk_bit = idaapi.FUNC_THUNK
    return (flags & thunk_bit) == thunk_bit
def is_thunk(cls, func):
    '''Report whether the function ``func`` is flagged as a code thunk.

    ``func`` is resolved through ``by()``; the result is True only when the
    FUNC_THUNK bit is set in the resolved function's flags.
    '''
    flags = by(func).flags
    thunk_bit = idaapi.FUNC_THUNK
    return (flags & thunk_bit) == thunk_bit
def is_thunk(cls, func):
    '''Report whether the function ``func`` is flagged as a code thunk.

    ``func`` is resolved through ``by()``; the result is True only when the
    FUNC_THUNK bit is set in the resolved function's flags.
    '''
    flags = by(func).flags
    thunk_bit = idaapi.FUNC_THUNK
    return (flags & thunk_bit) == thunk_bit
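def graph_down(ea, path=None):
    """
    Collect every function reachable through calls from the function at ea.

    Copied with minor modifications from
    http://hooked-on-mnemonics.blogspot.com/2012/07/renaming-subroutine-blocks-and.html

    Calls whose target is flagged FUNC_THUNK or FUNC_LIB (imports, library
    code, thunks) are not followed and are not added to the result.

    @param ea: an address inside the function to start from.
    @param path: optional set of already-visited call targets. It is updated
                 in place and returned. When omitted, a fresh set is created
                 for this call.
    @return: the set of visited addresses: ea plus every call target reached.
    """
    # A ``set()`` default would be created once and shared by every call
    # that omits ``path``, so results from unrelated traversals would
    # accumulate. Create the set per call instead.
    if path is None:
        path = set()

    # Use an explicit worklist rather than recursion, so a very deep call
    # chain (for example in a large or deliberately crafted binary) cannot
    # exhaust the interpreter's recursion limit.
    path.add(ea)
    pending = [ea]
    skip_flags = idaapi.FUNC_THUNK | idaapi.FUNC_LIB

    while pending:
        current = pending.pop()

        # Inspect every call instruction in the current function.
        for insn_ea in idautils.FuncItems(current):
            if not idaapi.is_call_insn(insn_ea):
                continue

            for ref in idautils.XrefsFrom(insn_ea, idaapi.XREF_FAR):
                if not ref.iscode:
                    continue

                # get the function pointed at by this call
                callee = idaapi.get_func(ref.to)
                if not callee:
                    continue

                # ignore calls to imports / library calls / thunks
                if (callee.flags & skip_flags) != 0:
                    continue

                # Queue each destination once; anything already in path
                # has been, or will be, traversed.
                if ref.to not in path:
                    path.add(ref.to)
                    pending.append(ref.to)

    return path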