cxm95
12/3/2018 - 4:39 AM

IDA: sig and func

Signature-and-function script for IDA 6.4.

# coding:utf-8
'''
Created on 2018-09-02

IDAPython script (Python 2 API names: idc.ApplySig, idc.LocByName, print statements).
1. apply the given FLIRT signature file (idc.ApplySig)
2. extract the function type flag (FUNC_LIB) for every function and pickle it
@author: qldxsun
'''

import idaapi
import idautils
import idc

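# cPickle is the C-accelerated pickle of Python 2; interpreters without it
# (Python 3) fall back to the pure-Python module under the same name.
# Only ImportError is expected here: a bare `except:` would also swallow
# unrelated failures raised mid-import (KeyboardInterrupt, SystemExit).
try:
    import cPickle as pickle
except ImportError:
    import pickle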

# Block until IDA's pending auto-analysis has finished, so the function and
# name queries made later in this script see a settled database.
idaapi.autoWait()

def apply_sig(sig_name):
    """Apply the FLIRT signature file *sig_name* and return idc.ApplySig's result.

    @param sig_name: signature name as accepted by idc.ApplySig
    """
    result = idc.ApplySig(sig_name)
    return result

"""
@return: func_details: {ea:(func_name, is_lib_func), ... }
"""
def extract_func_type():
    func_details = {} 
    for ea in idautils.Functions():
        func = idaapi.get_func(ea)
        if not idaapi.is_func_entry(func):
            continue
        if ea in func_details:
            raise Exception("ERROR. Two functions are in a same address")
        func_details[ea] = (idaapi.get_ea_name(ea), idaapi.FUNC_LIB & func.flags)
    return func_details

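# The signature to apply and where the extracted function table is written.
SIG_NAME = 'libc6_2.23-0ubuntu6_i386'
OUTPUT_PATH = r'd:\func_details'

apply_sig(SIG_NAME)
# Applying a signature queues further analysis; wait for it to finish before
# reading function flags.
idaapi.autoWait()
func_details = extract_func_type()
# A pickle stream is binary data: open the file with 'wb' so that text-mode
# newline translation (the original 'w' on a Windows path) cannot alter the
# dump, and use `with` so the file is closed even if pickle.dump raises.
with open(OUTPUT_PATH, 'wb') as f:
    pickle.dump(func_details, f)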

# Symbol names to turn into functions by hand; consumed by
# add_unidentified_lib_funcs below (which, as far as this file shows, is
# never actually called).
sig_name_list = ['__dl_mcount']

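def add_unidentified_lib_funcs(sig_name_list):
    """Create an instruction and then a function at the address of each name.

    @param sig_name_list: iterable of symbol names resolvable by idc.LocByName
    Names that do not resolve are reported and skipped: idc.LocByName returns
    BADADDR for an unknown name, and handing that to create_insn would only
    surface as the generic 'add insn failed'.
    """
    for sig_name in sig_name_list:
        ea = idc.LocByName(sig_name)
        if ea == idaapi.BADADDR:
            print('name not found: %s' % sig_name)
            continue
        if not idaapi.create_insn(ea):
            print('add insn failed')
            continue
        # create_insn queues analysis; let it settle before adding the function.
        idaapi.autoWait()
        if not idaapi.add_func(ea, idaapi.BADADDR):
            print('add func failed')
            continue
        idaapi.autoWait()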

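def identify_vfprintf():
    """Print the 6-byte push instruction found just before each xref to __IO_vfprintf_internal.

    For every reference to __IO_vfprintf_internal the item ending right before
    the referencing address is decoded; when it is a 6-byte push, the operand's
    memory address (``Operands[0].addr``) and the dword stored there are
    printed.  (On i386 a 6-byte push is presumably ``push dword ptr [addr]``,
    which is why the operand is read as an address — confirm.)  Nothing in the
    database is modified.
    """
    ea = idc.LocByName('__IO_vfprintf_internal')
    # LocByName returns BADADDR for an unknown name; XrefsTo(BADADDR) would
    # silently yield nothing.
    if ea == idaapi.BADADDR:
        print('__IO_vfprintf_internal not found')
        return
    # XrefsTo lives in idautils; the bare name only resolves inside IDA's
    # interactive namespace, not when this file runs as a script.
    for xref in idautils.XrefsTo(ea, 0):
        from_ea = xref.frm
        # Head of the item that ends immediately before the referencing instruction.
        push_ea = idaapi.get_item_head(from_ea - 1)
        if idaapi.get_item_size(push_ea) != 6:
            print('insn length is not 6')
            continue
        insn = idautils.DecodeInstruction(push_ea)
        if not insn:
            print('push insn before vfprintf decode failed')
            continue
        if 'push' not in insn.get_canon_mnem():
            print('not push')
            continue
        arg_ea = insn.Operands[0].addr
        pointer = idaapi.get_long(arg_ea)
        print('push insn found @ %x, before vfprintf @%x, arg_ea=%x, pointer=%x' % (push_ea, from_ea, arg_ea, pointer))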
				
		
# NOTE(review): add_unidentified_lib_funcs and identify_vfprintf are defined
# above but never called before the database is closed here. Also, idc.py's
# Exit is declared with an exit-code parameter in the IDA releases I know —
# confirm for 6.4 whether this call should be e.g. idc.Exit(0).
idc.Exit()