def get_func_code_refs_to(func_ea):
    """Collect the code references (callers) that target a function.

    Args:
        func_ea: Address of the referenced function.

    Returns:
        A set of ``(ref_ea, caller_start_ea)`` tuples, one per code
        reference whose source address lies inside a function known to
        IDA. References that come from no function are skipped (the
        original author left a note suspecting an analysis bug there).
    """
    callers = set()
    for ref_ea in idautils.CodeRefsTo(func_ea, 0):
        owner = idaapi.get_func(ref_ea)
        if owner:
            callers.add((ref_ea, owner.startEA))
    return callers
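def _ApdComm(self, ea, id):
    """Append an index comment for ``ea`` to the IDB and mark its entry shown.

    The comment is ``self._commMarker`` + index + marker + the entry's stored
    comment text. In global mode (``self._global == 1``) the index is taken
    as-is and tagged ``_g``; otherwise it is made relative to the first entry
    of the enclosing function and tagged ``_L``. Any comment already present
    at ``ea`` is kept and the new text is appended on a new line.

    Args:
        ea: Address whose ``self._dbDict`` entry is annotated.
        id: Index into that entry's ``_idx_list``.

    Raises:
        AttributeError: when ``ea`` is not inside any function and the
            function start is needed (local mode, or ``ea`` has callers and
            no existing comment).
    """
    entry = self._dbDict[ea]
    # Resolved once up front; the original re-queried IDA for every code
    # reference to ``ea`` inside the loop below.
    func = idaapi.get_func(ea)
    if self._global == 1:
        idx = entry._idx_list[id][0]
        g_mark = '_g'
    else:
        # Local mode: offset from the enclosing function's first entry.
        idx = entry._idx_list[id][0] - self._dbDict[func.startEA]._idx_list[0][0]
        g_mark = '_L'
    idxcomm = entry._idx_list[id][1]
    comm = self._commMarker + str(idx) + g_mark + ' ' + str(idxcomm).strip('{}')
    oldComm = str(idc.GetCommentEx(ea, 0))
    # The original looped over every xref re-testing the same condition and
    # compared each xref (an int) against ``[]``, which is always true; all
    # that matters is whether at least one code reference exists.
    has_callers = next(iter(idautils.CodeRefsTo(ea, 0)), None) is not None
    # A referenced address inside a function body with no prior comment gets
    # a leading blank line before the annotation.
    if has_callers and oldComm == 'None' and ea != func.startEA:
        comm = '\n' + comm
    if oldComm != 'None':
        comm = oldComm + '\n' + comm
    idc.MakeComm(ea, str(comm))
    self._dbDict[ea]._shown = True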
def highlight_anti_debug_api_calls():
    """Log imported APIs commonly used for debugger detection and their call sites.

    Fills a name -> code-reference mapping through ``get_imports`` and, for
    every import whose name is on the watch list, logs that it is imported
    and, when code references exist, the addresses that reference it.
    """
    watch_list = frozenset([
        "IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess", "OutputDebugString",
    ])
    library_calls = {}  # api_name -> CodeRefsTo
    get_imports(library_calls)
    for api_name, call_sites in library_calls.iteritems():
        if api_name not in watch_list:
            continue
        logger.info("Potential Anti-Debug call %s imported", api_name)
        if not call_sites:
            continue
        formatted_sites = ", ".join("0x%x" % site for site in call_sites)
        logger.info(" - %s called at %s", api_name, formatted_sites)
def make_import_names_callback(library_calls):
    """Build the callback consumed by ``idaapi.enum_import_names``.

    Args:
        library_calls: dict filled in place, mapping each import name to the
            list of addresses holding a code reference to that import.

    Returns:
        A ``callback(ea, name, ordinal)`` that records the code references
        to ``ea`` under ``name`` and returns True so enumeration continues.
    """
    def callback(ea, name, ordinal):
        """Store the code references to import ``name`` (at ``ea``) and keep going."""
        library_calls[name] = list(idautils.CodeRefsTo(ea, 0))
        return True
    return callback
def get_coderefs(self):
    """Return a lazy generator of ``IdaLocation`` objects, one per code
    reference made to ``self.at``.
    """
    referrers = idautils.CodeRefsTo(self.at, 0)
    return (IdaLocation(referrer) for referrer in referrers)
def propagate_dead_code(self, ea, op_map):
    """Colour ``ea`` as dead code and recurse into its code successors.

    A predecessor counts as "live" when it is not already in
    ``self.marked_addresses`` and ``self.dead_br_of_op`` does not report its
    branch to ``ea`` as dead. When the live-predecessor list is non-empty,
    ``ea`` is coloured, recorded in ``self.marked_addresses`` and every code
    successor is processed recursively; otherwise nothing happens.

    NOTE(review): the original comment read "IF there is no legit
    predecessors" while the code tests for a non-empty list; behaviour is
    preserved here, but confirm which of the two is intended.
    """
    def is_live_predecessor(pred):
        return (pred not in self.marked_addresses
                and not self.dead_br_of_op(ea, pred, op_map))

    live_preds = [p for p in idautils.CodeRefsTo(ea, True) if is_live_predecessor(p)]
    if not live_preds:
        return
    idc.SetColor(ea, idc.CIC_ITEM, 0x0000ff)
    self.marked_addresses[ea] = None
    # Materialised before recursing, as the original did.
    for succ in list(idautils.CodeRefsFrom(ea, True)):
        self.propagate_dead_code(succ, op_map)
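def safe_path_to(self, addr):
    """Return the suffix of the full path to ``addr`` that is considered safe.

    Walks ``self.full_path_to(addr)`` and remembers the last "cut" position:
    a node with more than one code predecessor is the cut itself, and the
    node following a ``call`` instruction is the cut. The path from the last
    cut onward is returned; the whole path when no cut was found.

    Args:
        addr: Destination address of the path.

    Returns:
        A slice of the path. It may be empty when the final node is a
        ``call`` (the cut index then equals ``len(path)``).
    """
    path = self.full_path_to(addr)
    cut = -1
    for k, ea in enumerate(path):
        nb_preds = sum(1 for _ in idautils.CodeRefsTo(ea, True))
        if nb_preds > 1:
            cut = k
        elif idc.GetDisasm(ea).startswith("call"):
            cut = k + 1
    # The original left a bare debugging ``print`` of the cut index here.
    if cut == -1:
        return path
    return path[cut:]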
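def DecryptString0(addrDecryptFunction):
    """Decrypt every string passed to the decryption routine at ``addrDecryptFunction``.

    For each code reference to the routine (flow references included), the
    (destination, source) parameters are recovered via
    ``GetDecryptString0Parameters``, the encrypted bytes are read, decrypted
    with ``DecryptString0Algo`` (key 0xFE), and the IDB is annotated: a
    repeatable comment and a ``crypt``-prefixed name on the encrypted buffer,
    a name on the destination buffer, and the destination buffer patched with
    the plaintext plus a NUL and converted to a string item.

    Args:
        addrDecryptFunction: Address of the decryption routine.
    """
    print "[+]DecryptString0"
    calls = idautils.CodeRefsTo(addrDecryptFunction, 1)
    for call in calls:
        print "[+]Call at 0x%08X %s" % (call, idc.GetFunctionName(call))
        pDecrypted, pEncrypted = GetDecryptString0Parameters(call)
        print "[+]Parameters: 0x%08X 0x%08X" % (pDecrypted, pEncrypted)
        szEncryptedString = idc.GetString(pEncrypted)
        if szEncryptedString is None:
            # GetString returned nothing (one-byte / empty strings): read the
            # bytes by hand up to and including the terminating NUL, as the
            # original did. NOTE(review): the NUL is passed on to the
            # decryptor; confirm DecryptString0Algo tolerates it.
            chars = []
            idx = 0
            while True:
                byte = idc.Byte(pEncrypted + idx)
                chars.append(chr(byte))
                if byte == 0:
                    break
                idx += 1
            szEncryptedString = "".join(chars)
        szDecryptedString = DecryptString0Algo(szEncryptedString, 0xFE)
        print "[+]Dec: \"%s\"" % szDecryptedString
        print
        idc.MakeRptCmt(pEncrypted, szDecryptedString)
        idc.MakeNameEx(pEncrypted, "crypt" + szDecryptedString, SN_NOCHECK | SN_NOWARN)
        idc.MakeNameEx(pDecrypted, szDecryptedString, SN_NOCHECK | SN_NOWARN)
        # Overwrite the destination buffer with the plaintext, NUL-terminate
        # it and let IDA treat the range as a string item.
        for idx, c in enumerate(szDecryptedString):
            idc.PatchByte(pDecrypted + idx, ord(c))
        end = pDecrypted + len(szDecryptedString)
        idc.PatchByte(end, 0)
        idc.MakeStr(pDecrypted, end)
        print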
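def DecryptStackStrings(addrDecryptFunction):
    """Emulate each call to the stack-string decryptor and record the results.

    For each code reference to ``addrDecryptFunction``: resolves the
    destination buffer and length, derives the emulation window, prepares the
    global emulator ``emu`` and runs ``Emulate``. A non-empty result is
    attached to the call site as a repeatable comment; when the destination
    is a concrete address (the original treats 0 and -1 as "register, not
    address") the buffer is also named, patched with the plaintext plus a NUL
    and turned into a string item. An error during emulation is reported
    (window, register dump, exception) and the next call is processed.

    Args:
        addrDecryptFunction: Address of the decryption routine.
    """
    global emu
    print "[+]DecryptStackStrings"
    calls = idautils.CodeRefsTo(addrDecryptFunction, 1)
    for call in calls:
        print "[+]Call at 0x%08X %s" % (call, idc.GetFunctionName(call))
        # Parameters: destination buffer and length; the encrypted stack
        # string itself is recovered by emulation.
        destBuffer, length = GetDecryptString1Parameters(call)
        print "[+]Params dest = 0x%08X len = 0x%08X" % (destBuffer, length)
        emulStart, emulEnd = GetDecryptString1EmulationBoundaries(call, length)
        print "[+]Start 0x%08X, End 0x%08X" % (emulStart, emulEnd)
        PrepareEmuRegister(emu, emulStart)
        try:
            szDecryptedString = Emulate(emu, emulStart, emulEnd)
            if szDecryptedString:
                print "[+]Decrypted: \"%s\" at 0x%08X" % (szDecryptedString, call)
                idc.MakeRptCmt(call, szDecryptedString)
                if destBuffer != 0 and destBuffer != -1:
                    idc.MakeNameEx(destBuffer, szDecryptedString, SN_NOCHECK)
                    # Patch the plaintext into the buffer, NUL-terminate it
                    # and convert the range to a string item.
                    for idx, c in enumerate(szDecryptedString):
                        idc.PatchByte(destBuffer + idx, ord(c))
                    end = destBuffer + len(szDecryptedString)
                    idc.PatchByte(end, 0)
                    idc.MakeStr(destBuffer, end)
        except Exception as exc:
            # Was a bare ``except:``, which also swallowed KeyboardInterrupt
            # and SystemExit and printed only the exception type.
            print "[+]EmulStart = 0x%08X, EmulEnd = 0x%08X" % (emulStart, emulEnd)
            emu.dump_regs()
            print "%s: %s" % (type(exc).__name__, exc)
        print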
#Performs the Emulation and Returns the Dumped String