IDA脚本测试
0x001 枚举函数
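#include <idc.idc>

// Enumerate every function in the database and report, for each one, its
// address range, the size of its local-variable area and the size of its
// stack-argument area.
//
// The argument area is derived from IDA's frame structure, whose " r" member
// is the saved return address: everything after that member is arguments.
// The original hard-coded a 4-byte return slot and 4-byte argument slots;
// the slot width is now read from the " r" member itself (GetMemberSize) so
// the script also gives sane numbers on 64-bit databases. Each argument is
// still assumed to occupy exactly one slot, as before.
static main() {
    auto addr, end, args, locals, frame, firstArg, name, ret, slot;

    for (addr = NextFunction(0); addr != BADADDR; addr = NextFunction(addr)) {
        name   = Name(addr);
        end    = GetFunctionAttr(addr, FUNCATTR_END);
        locals = GetFunctionAttr(addr, FUNCATTR_FRSIZE);

        frame = GetFrame(addr);
        if (frame == -1) continue;                  // function has no stack frame
        ret = GetMemberOffset(frame, " r");         // offset of the return-address member
        if (ret == -1) continue;                    // frame has no return slot (e.g. not a real function)

        slot = GetMemberSize(frame, ret);           // 4 on 32-bit, 8 on 64-bit targets
        if (slot <= 0) slot = 4;                    // fall back to the original assumption
        firstArg = ret + slot;
        args = GetStrucSize(frame) - firstArg;
        if (args < 0) args = 0;                     // malformed frame: report nothing rather than a negative size

        Message("Function: %s, starts at %x, ends at %x\n", name, addr, end);
        Message(" Local variable area is %d bytes\n", locals);
        Message(" Arguments occupy %d bytes (%d args)\n", args, args / slot);
    }
}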
0x002 枚举指令
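#include <idc.idc>

// Count the instructions of the function under the cursor and show the
// result in a Warning() dialog.
//
// The walk is bounded by `end` AND by an explicit BADADDR test, matching
// the loops in the later scripts of this page: FindCode() returns BADADDR
// when no further code exists, and on IDC builds where BADADDR is -1 a
// plain `inst < end` would not terminate the loop.
static main() {
    auto func, end, count, inst;

    func = GetFunctionAttr(ScreenEA(), FUNCATTR_START);
    if (func == -1) {
        Warning("No function found at location %x", ScreenEA());
        return;
    }

    end   = GetFunctionAttr(func, FUNCATTR_END);
    count = 0;
    // Each iteration counts the instruction at `inst`, then steps to the next one.
    for (inst = func; inst < end && inst != BADADDR; inst = FindCode(inst, SEARCH_DOWN | SEARCH_NEXT)) {
        count++;
    }
    Warning("%s contains %d instructions\n", Name(func), count);
}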
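#include <idc.idc>

// List every direct call made from the function under the cursor:
// "<caller> calls <callee> from 0x<addr>".
//
// Only code cross-references of call type (fl_CN near / fl_CF far) are
// reported, so indirect calls through pointers that IDA has not resolved,
// and jmp-based tail calls, do not show up. The loop is guarded against
// BADADDR in addition to `end`, consistent with the other scripts here,
// because FindCode() returns BADADDR once no more code exists.
static main() {
    auto func, end, target, inst, name, flags, xref;

    flags = SEARCH_DOWN | SEARCH_NEXT;
    func = GetFunctionAttr(ScreenEA(), FUNCATTR_START);
    if (func == -1) {
        Warning("No function found at location %x", ScreenEA());
        return;
    }

    name = Name(func);
    end  = GetFunctionAttr(func, FUNCATTR_END);
    for (inst = func; inst < end && inst != BADADDR; inst = FindCode(inst, flags)) {
        // Walk all code references leaving this instruction; XrefType()
        // describes the reference most recently returned by Rfirst/Rnext.
        for (target = Rfirst(inst); target != BADADDR; target = Rnext(inst, target)) {
            xref = XrefType();
            if (xref == fl_CN || xref == fl_CF) {
                Message("%s calls %s from 0x%x\n", name, Name(target), inst);
            }
        }
    }
}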
0x004 枚举导出的函数
#include <idc.idc>

// Report every direct call site of the function named `bad_func`, together
// with the function each call site belongs to. Meant for auditing uses of
// unbounded string routines (strcpy/sprintf and friends).
//
// Limitations visible from the code: the lookup is by exact symbol name
// (including any leading underscore, as in main() below), and only
// fl_CN/fl_CF call references are listed - calls through unresolved
// function pointers, or through a thunk/import stub that carries a
// different name, are not found.
static list_callers(bad_func) {
    auto target, caller_ea, kind, caller_name;

    target = LocByName(bad_func);
    if (target == BADADDR) {
        Warning("Sorry, %s not found in database", bad_func);
        return;
    }

    // Iterate the code references pointing *to* the target.
    caller_ea = RfirstB(target);
    while (caller_ea != BADADDR) {
        kind = XrefType();
        if (kind == fl_CN || kind == fl_CF) {
            caller_name = GetFunctionName(caller_ea);
            Message("%s is called from 0x%x in %s\n", bad_func, caller_ea, caller_name);
        }
        caller_ea = RnextB(target, caller_ea);
    }
}

// Entry point: audit the two classic unbounded copy/format routines.
static main() {
    list_callers("_strcpy");
    list_callers("_sprintf");
}
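#include <idc.idc>

// Export the database's entry points to an IDA .idt file: one
// "<ordinal> Name=<name>" line per export, with " Pascal=<n>" appended when
// the function purges n bytes of arguments on return (FUNCATTR_ARGSIZE).
//
// Fixes: AskFile() returns an empty string when the dialog is cancelled and
// fopen() returns 0 on failure - the original wrote through the handle in
// both cases. The file is now also closed when the export is complete.
static main() {
    auto entryPoints, i, ord, addr, name, purged, file, fd;

    file = AskFile(1, "*.idt", "Select IDT save file");
    if (file == "") {
        return;                                 // user cancelled the dialog
    }
    fd = fopen(file, "w");
    if (fd == 0) {
        Warning("Unable to open %s for writing", file);
        return;
    }

    entryPoints = GetEntryPointQty();
    fprintf(fd, "ALIGNMENT 4\n");
    fprintf(fd, "0 Name=%s\n", GetInputFile());
    for (i = 0; i < entryPoints; i++) {
        ord = GetEntryOrdinal(i);
        if (ord == 0) continue;
        addr = GetEntryPoint(ord);
        if (ord == addr) {
            continue;                           // entry point has no ordinal (ordinal == address)
        }
        name = Name(addr);
        fprintf(fd, "%d Name=%s", ord, name);
        purged = GetFunctionAttr(addr, FUNCATTR_ARGSIZE);
        if (purged > 0) {
            fprintf(fd, " Pascal=%d", purged);  // stdcall/pascal: callee removes its arguments
        }
        fprintf(fd, "\n");
    }
    fclose(fd);
}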
0x006 参数的自动识别
版本1
#include <idc.idc>

// Version 1. Inside a function that uses an EBP-based frame (FUNC_FRAME
// set), esp-relative first operands are commented with the argument slot
// they address: [esp] -> "arg_0", [esp+N] -> "arg_N" (N is the raw byte
// displacement). Presumably these are the slots written while setting up
// an upcoming call; the script itself does not check that.

// Comment the first operand of the instruction at `ea` if it is esp-based.
static tag_esp_operand(ea) {
    auto optype, disp, text;

    optype = GetOpType(ea, 0);
    if (optype == 3) {
        // Register-indirect operand: value 4 identifies esp on x86.
        if (GetOperandValue(ea, 0) == 4) {
            MakeComm(ea, "arg_0");
        }
        return;
    }
    if (optype == 4) {
        // Register + displacement: GetOperandValue() yields the displacement
        // here, so the base register is recognised from the operand text.
        text = GetOpnd(ea, 0);
        if (strstr(text, "[esp") != -1) {
            disp = GetOperandValue(ea, 0);
            MakeComm(ea, form("arg_%d", disp));   // NOTE: replaces any existing comment
        }
    }
}

static main() {
    auto ea, func_end, flags;

    ea    = GetFunctionAttr(ScreenEA(), FUNCATTR_START);
    flags = GetFunctionFlags(ea);
    if ((flags & FUNC_FRAME) == 0) {
        return;                                   // not an ebp-based frame: nothing to do
    }
    func_end = GetFunctionAttr(ea, FUNCATTR_END);
    for (; ea < func_end && ea != BADADDR; ea = FindCode(ea, SEARCH_DOWN | SEARCH_NEXT)) {
        tag_esp_operand(ea);
    }
}
版本2
#include <idc.idc>

// Version 2. Like version 1, but the comment placed on an esp-relative
// operand is taken from the prototype of the next call in the function
// (the n-th parameter's declaration text), falling back to "arg_N" when
// no prototype is available.
//
// The prototype parsing is purely textual: parameters are separated by
// counting commas, so a parameter whose type itself contains a comma
// (a function pointer, for instance) will be miscounted. Diagnostic
// Message() output is printed while scanning.

// Number of parameters in `func`'s prototype, 0 for "()" / "( )" / "(void)",
// -1 when the function has no type information.
static getArgCount(func) {
    auto proto, pos, total;

    proto = GetType(func);
    if (proto == "") {
        return -1;
    }
    if (strstr(proto, "()") != -1 || strstr(proto, "( )") != -1 || strstr(proto, "(void)") != -1) {
        return 0;
    }
    pos = strstr(proto, "(");
    if (pos == -1) {
        return -1;
    }
    // One parameter plus one per separating comma.
    total = 1;
    while (1) {
        pos = strstr(proto, ",");
        if (pos == -1) break;
        total++;
        proto = substr(proto, pos + 1, -1);
    }
    return total;
}

// Text of the n-th (1-based) parameter of `func`'s prototype, given the
// total parameter count `nargs`; "" when it cannot be extracted.
static getArg(func, n, nargs) {
    auto proto, pos, seen;

    proto = GetType(func);
    if (proto == "") {
        return "";
    }
    if (strstr(proto, "()") != -1 || strstr(proto, "( )") != -1 || strstr(proto, "(void)") != -1) {
        return "";
    }
    pos = strstr(proto, "(");
    if (pos == -1) {
        return "";
    }
    seen = 1;
    while (1) {
        proto = substr(proto, pos + 1, -1);         // drop text up to and including the separator
        Message("%d/%d: %s\n", seen, nargs, proto);
        pos = strstr(proto, ",");
        if (seen == n) {
            if (pos == -1) {
                pos = strstr(proto, ")");           // last parameter ends at the closing paren
            }
            return substr(proto, 0, pos);
        }
        seen++;
        if (seen > nargs) break;
    }
    return "";
}

// Scan forward from `ea` to the first call in the current function and
// return the declaration text of that callee's n-th parameter, or "".
static get_arg(ea, n) {
    auto callee, kind, func_end, nargs;

    func_end = GetFunctionAttr(ea, FUNCATTR_END);
    for (; ea < func_end && ea != BADADDR; ea = FindCode(ea, SEARCH_DOWN | SEARCH_NEXT)) {
        callee = Rfirst0(ea);                       // first non-flow code reference from ea
        if (callee == BADADDR) continue;
        kind = XrefType();
        if (kind != fl_CF && kind != fl_CN) continue;

        Message("found call at %x, target is %x\n", ea, callee);
        nargs = getArgCount(callee);
        Message("arg count = %d\n", nargs);
        if (nargs == -1) {
            return "";                              // callee has no prototype
        }
        if (n <= nargs) {
            return getArg(callee, n, nargs);
        }
        // n exceeds this callee's parameter count: keep looking at later calls.
    }
    return "";
}

static main() {
    auto func, ea, comment, optext, func_end, arg;
    auto flags, optype, disp;

    func  = GetFunctionAttr(ScreenEA(), FUNCATTR_START);
    flags = GetFunctionFlags(func);
    if ((flags & FUNC_FRAME) == 0) {
        return;                                     // only ebp-based frames are handled
    }
    func_end = GetFunctionAttr(func, FUNCATTR_END);
    for (ea = func; ea < func_end && ea != BADADDR; ea = FindCode(ea, SEARCH_DOWN | SEARCH_NEXT)) {
        optype = GetOpType(ea, 0);
        if (optype == 3) {
            // Register indirect; 4 identifies esp, i.e. the first slot.
            if (GetOperandValue(ea, 0) != 4) continue;
            arg = get_arg(ea, 1);
            if (arg == "") {
                comment = "arg_0";
            } else {
                comment = arg;
            }
            MakeComm(ea, comment);
        } else if (optype == 4) {
            // Register + displacement; slot index is displacement / 4 (32-bit slots).
            optext = GetOpnd(ea, 0);
            if (strstr(optext, "[esp") == -1) continue;
            disp = GetOperandValue(ea, 0);
            arg  = get_arg(ea, disp / 4 + 1);
            if (arg == "") {
                comment = form("arg_%d", disp);
            } else {
                comment = arg;
            }
            MakeComm(ea, comment);
        }
    }
}
0x007 模拟汇编语言行为
// Re-implements the decoding loop of the original assembly: every byte in
// [0x804B880, 0x804B880 + 0x3C1] is XORed with 0x4B and written back.
// The original mirrored the registers one by one (edx and eax both ended
// up holding the same address); that is collapsed into a single `cur`.
//
// NOTE(review): this is a statement fragment, not a complete script - it
// has to live inside a function body (e.g. static main()) to run. PatchByte()
// modifies the database view; writing the patch to the binary on disk is a
// separate step.
auto i, cur;
for (i = 0; i <= 0x3C1; i++) {
    cur = 0x804B880 + i;                 // address the original computed into both edx and eax
    PatchByte(cur, Byte(cur) ^ 0x4B);    // decode in place
}