Added some useful IDA scripts (NPOTB).

2012-07-29 02:51:50 +01:00 · 2012-07-29 02:51:50 +01:00 · 67ae85b840
commit 67ae85b840
parent 0f6e8dd311
2 changed files with 246 additions and 0 deletions
--- a/tools/ida_scripts/makesig.idc
+++ b/tools/ida_scripts/makesig.idc
@ -0,0 +1,126 @@
 #include <idc.idc>
 /* makesig.idc: IDA script to automatically create and wildcard a function signature.
 * Copyright 2012, Asher Baker
 * 
 * This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.
 * 
 * Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
 * 
 * 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
 * 
 * 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
 * 
 * 3. This notice may not be removed or altered from any source distribution.
 */
 static main()
 {
 	Wait(); // We won't work until autoanalysis is complete
 	SetStatus(IDA_STATUS_WORK);
 	auto pAddress = ScreenEA();
 	pAddress = GetFunctionAttr(pAddress, FUNCATTR_START);
 	if (pAddress == BADADDR)
 	{
 		Warning("Make sure you are in a function!");							
 		SetStatus(IDA_STATUS_READY);
 		return;
 	}
 	auto sig;
 	auto pFunctionEnd = GetFunctionAttr(pAddress, FUNCATTR_END);
 	while (pAddress != BADADDR)
 	{
 		auto pInfo = DecodeInstruction(pAddress);
 		if (!pInfo)
 		{
 			Warning("Something went terribly wrong D:");       
 			SetStatus(IDA_STATUS_READY);
 			return;
 		}
 		// isCode(GetFlags(pAddress)) == Opcode
 		// isTail(GetFlags(pAddress)) == Operand
 		// ((GetFlags(pAddress) & MS_CODE) == FF_IMMD) == :iiam:
 		auto bDone = 0;
 		if (pInfo.n == 1)
 		{
 			if (pInfo.Op0.type == o_near || pInfo.Op0.type == o_far)
 			{
 				sig = sprintf("%s%02X %s", sig, Byte(pAddress), PrintWildcards(GetDTSize(pInfo.Op0.dtyp)));
 				bDone = 1;
 			}
 		}
 		if (!bDone) { // unknown, just wildcard addresses
 			auto i;
 			for (i = 0; i < pInfo.size; i++)
 			{
 				auto pLoc = pAddress + i;
 				if (GetFixupTgtType(pLoc) == FIXUP_OFF32)
 				{
 					sig = sprintf("%s%s", sig, PrintWildcards(4));
 					i = i + 3;
 				} else {
 					sig = sprintf("%s%02X ", sig, Byte(pLoc));
 				}
 			}
 		}
 		if (IsGoodSig(sig))
 			break;
 		pAddress = NextHead(pAddress, pFunctionEnd);
 	}
 	Message("%s\n", sig);
 	SetStatus(IDA_STATUS_READY);
 	return;
 }
 static GetDTSize(dtyp)
 {
 	if (dtyp == dt_byte)
 	{
 		return 1;
 	} else if (dtyp == dt_word) {
 		return 2;
 	} else if (dtyp == dt_dword) {
 		return 4;
 	} else if (dtyp == dt_float) {
 		return 4;
 	} else if (dtyp == dt_double) {
 		return 8;
 	} else {
 		Warning("Unknown type size (%d)", dtyp);
 		return -1;
 	}
 }
 static PrintWildcards(count)
 {
 	auto i, string;
 	for (i = 0; i < count; i++)
 	{
 		string = sprintf("%s? ", string);
 	}
 	return string;
 }
 static IsGoodSig(sig)
 {
 	auto count, addr;
 	addr = FindBinary(addr, SEARCH_DOWN|SEARCH_NEXT, sig);
 	while (addr != BADADDR)
 	{
 		count = count + 1;
 		addr = FindBinary(addr, SEARCH_DOWN|SEARCH_NEXT, sig);
 	}
 	return (count == 1);
 }
--- a/tools/ida_scripts/vtable_dump.py
+++ b/tools/ida_scripts/vtable_dump.py
@ -0,0 +1,120 @@
 """vtable_dump.py: IDAPython script to dump a linux vtable (and a reconstructed windows one) from a binary."""
 """
 This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.
 Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
 3. This notice may not be removed or altered from any source distribution.
 """
 __author__ = "Asher Baker"
 __copyright__ = "Copyright 2012, Asher Baker"
 __license__ = "zlib/libpng"
 import re
 def Analyze():
 	SetStatus(IDA_STATUS_WORK)
 	if GetLongPrm(INF_COMPILER).id != COMP_GNU:
 		Warning("This script is for binaries compiled with GCC only.")
 		SetStatus(IDA_STATUS_READY)
 		return
 	ea = ScreenEA()
 	if not isHead(GetFlags(ea)):
 		ea = PrevHead(ea)
 	# Param needed to support old IDAPython versions
 	end = NextHead(ea, 4294967295)
 	name = Demangle(Name(ea), GetLongPrm(INF_LONG_DN))
 	if ea == BADADDR or name is None or not re.search(r"vf?table(?: |'\{)for", name):
 		Warning("No vtable selected!\nSelect vtable block first.")
 		SetStatus(IDA_STATUS_READY)
 		return
 	linux_vtable = []
 	temp_windows_vtable = []
 	# Extract vtable
 	while ea < end:
 		offset = Dword(ea)
 		# A vtable starts with some metadata, if it's missing...
 		if isCode(GetFlags(offset)):
 			Warning("Something went wrong!")
 			SetStatus(IDA_STATUS_READY)
 			return
 		# Skip thisoffs and typeinfo address
 		ea += 8
 		while ea < end and isCode(GetFlags(Dword(ea))):
 			name = Demangle(Name(Dword(ea)), GetLongPrm(INF_LONG_DN))
 			if offset == 0:
 				linux_vtable.append(name)
 				temp_windows_vtable.append(name)
 			else:
 				# MI entry, strip "`non-virtual thunk to'" and remove from list
 				#     But not if it's a dtor... what the hell is this.
 				if (name.find("`non-virtual thunk to'") != -1) and name.find("::~") == -1:
 					name = name[22:]
 					#print "Stripping '%s' from windows vtable." % (name)
 					temp_windows_vtable.remove(name)
 			ea += 4
 	for i, v in enumerate(temp_windows_vtable):
 		if v.find("::~") != -1:
 			#print "Found destructor at index %d: %s" % (i, v)
 			del temp_windows_vtable[i]
 			break
 	windows_vtable = []
 	overload_stack = []
 	prev_function = ""
 	prev_symbol = ""
 	for v in temp_windows_vtable:
 		function = v.split("(", 1)[0]
 		if function == prev_function:
 			# If we don't have a stack, we need to push the last function on first
 			if len(overload_stack) == 0:
 				# We will have added this in the previous run, remove it again...
 				windows_vtable.pop()
 				#print "Storing '%s' (!)" % (prev_symbol)
 				overload_stack.append(prev_symbol)
 			#print "Storing '%s'" % (v)
 			overload_stack.append(v)
 		else:
 			# If we've moved onto something new, dump the stack first
 			if len(overload_stack) > 0:
 				#print overload_stack
 				while len(overload_stack) > 0:
 					windows_vtable.append(overload_stack.pop())
 			windows_vtable.append(v)
 		prev_function = function
 		prev_symbol = v
 	print "Lin Win Function"
 	for i, v in enumerate(linux_vtable):
 		winindex = windows_vtable.index(v) if v in windows_vtable else None
 		if winindex is not None:
 			print "%3d %3d %s" % (i, winindex, v)
 		else:
 			print "%3d     %s" % (i, v)
 	SetStatus(IDA_STATUS_READY)
 if __name__ == '__main__':
 	Analyze()