// Releases every queued json_object and empties the queue.
// The whole operation runs under `mtx`; the lock/unlock pair is the only
// synchronisation visible here, so `objects` is presumably shared with
// another thread — confirm against the producer side.
void disp_request_t::flush()
{
  qmutex_lock(mtx);
  for ( json_object *obj : objects )
    json_object_put(obj);   // drop the reference this queue held
  objects.clear();
  qmutex_unlock(mtx);
}
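// Rebuilds xref_list / xref_addr for the vtable currently selected in the
// chooser (vtbl_t_list[current_line_pos]).  Both lists are cleared first
// because this runs again each time another vtable is selected.
// xref_addr receives the address of every data reference to the vtable,
// xref_list the matching display line " 0x<addr>: <name>".
static void get_xrefs_to_vtbl()
{
  xref_list.clear();
  xref_addr.clear();
  // NOTE(review): current_line_pos is used unchecked as an index — confirm
  // the chooser guarantees it is within vtbl_t_list.
  ea_t cur_vt_ea = vtbl_t_list[current_line_pos].ea_begin;
  for ( ea_t addr = get_first_dref_to(cur_vt_ea);
        addr != BADADDR;
        addr = get_next_dref_to(cur_vt_ea, addr) )
  {
    qstring name;
    f_get_func_name2(&name, addr);   // leaves `name` empty if no function name is found
    xref_addr.push_back(addr);
    qstring tmp;
    // cat_sprnt is variadic: a qstring object must not be passed through "..."
    // (undefined behaviour); pass the C string instead.
#ifndef __EA64__
    tmp.cat_sprnt(" 0x%x: %s", addr, name.c_str());
#else
    tmp.cat_sprnt(_T(" 0x%I64X: %s"), addr, name.c_str());
#endif
    xref_list.push_back(tmp);
  }
}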
//--------------------------------------------------------------------------- bool x86seh_ctx_t::get_sehlist() { uint64 fs_sel; ea_t fs_base; uint32 excr_ea; handlers.clear(); if ( !get_reg_val("fs", &fs_sel) || internal_get_sreg_base(tid, int(fs_sel), &fs_base) <= 0 || read_dbg_memory(fs_base, &excr_ea, sizeof(excr_ea)) != sizeof(excr_ea) ) { warning("Failed to build the SEH list for thread %08X", tid); return false; } struct EXC_REG_RECORD { uint32 p_prev; uint32 p_handler; }; EXC_REG_RECORD rec; std::set<uint32> seen; while ( excr_ea != 0xffffffff ) { if ( read_dbg_memory(excr_ea, &rec, sizeof(rec)) != sizeof(rec) ) break; if ( !seen.insert(excr_ea).second ) { msg("Circular SEH record has been detected\n"); break; } handlers.push_back(rec.p_handler); excr_ea = rec.p_prev; } return true; }
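//---------------------------------------------------------------------------
// Appends the allocator functions the plugin knows about to the global
// funcMalloc table.  The second constructor argument appears to be the
// 1-based position of the size argument (e.g. RtlAllocateHeap -> 3,
// malloc -> 1) — confirm against TFuncMalloc.
// NOTE(review): this appends on every call; running the plugin twice in one
// session doubles the table unless it is cleared elsewhere — confirm.
static void register_known_allocators()
{
  // r0 allocators
  // NOTE(review): the next four names carry a leading space and so cannot
  // match a real import name — intentional disablement or a typo?
  funcMalloc.push_back(TFuncMalloc(" ExAllocatePoolWithQuota", 2));
  funcMalloc.push_back(TFuncMalloc(" __imp__ExAllocatePoolWithQuota@8", 2));      // ntoskrnl.exe
  funcMalloc.push_back(TFuncMalloc(" ExAllocatePoolWithQuotaTag", 2));
  funcMalloc.push_back(TFuncMalloc(" __imp__ExAllocatePoolWithQuotaTag@12", 2));  // ntoskrnl.exe
  funcMalloc.push_back(TFuncMalloc("ExAllocatePoolWithTag", 2));
  funcMalloc.push_back(TFuncMalloc("__imp__ExAllocatePoolWithTag@12", 2));        // ntoskrnl.exe
  funcMalloc.push_back(TFuncMalloc("ExAllocatePoolWithTagPriority", 2));
  funcMalloc.push_back(TFuncMalloc("__imp__ExAllocatePoolWithTagPriority@16", 2)); // ntoskrnl.exe
  funcMalloc.push_back(TFuncMalloc("IoAllocateMdl", 2));
  funcMalloc.push_back(TFuncMalloc("__imp__IoAllocateMdl@20", 2));                // ntoskrnl.exe
  funcMalloc.push_back(TFuncMalloc("RtlAllocateHeap", 3));
  funcMalloc.push_back(TFuncMalloc("__imp__RtlAllocateHeap", 3));                 // ntoskrnl.exe
  funcMalloc.push_back(TFuncMalloc("EngAllocMem", 2));
  funcMalloc.push_back(TFuncMalloc("__imp__EngAllocMem", 2));                     // win32k.sys
  funcMalloc.push_back(TFuncMalloc("__imp__EngAllocMem@12", 2));                  // win32k.sys
  // type pointer to size!!!
  //funcMalloc.push_back(TFuncMalloc("ZwAllocateVirtualMemory", 4));
  //funcMalloc.push_back(TFuncMalloc("__imp__ZwAllocateVirtualMemory@24", 4));   // ntoskrnl.exe
  //funcMalloc.push_back(TFuncMalloc("NtAllocateVirtualMemory", 4));
  //funcMalloc.push_back(TFuncMalloc("__imp__NtAllocateVirtualMemory@24", 4));   // ntoskrnl.exe
  //funcMalloc.push_back(TFuncMalloc("RtlReAllocateHeap", 4));
  //funcMalloc.push_back(TFuncMalloc("HeapAlloc", 3));

  // r3 allocators
  funcMalloc.push_back(TFuncMalloc("GlobalAlloc", 2));                            // kernel32.dll
  funcMalloc.push_back(TFuncMalloc("HeapAlloc", 3));                              // kernel32.dll
  funcMalloc.push_back(TFuncMalloc("__imp__HeapAlloc@12", 3));                    // kernel32.dll
  funcMalloc.push_back(TFuncMalloc("__imp__HeapReAlloc@16", 4));                  // kernel32.dll
  funcMalloc.push_back(TFuncMalloc("HeapReAlloc", 4));                            // kernel32.dll
  funcMalloc.push_back(TFuncMalloc("__imp__LocalAlloc@8", 2));                    // kernel32.dll
  funcMalloc.push_back(TFuncMalloc("LocalAlloc", 2));                             // kernel32.dll
  funcMalloc.push_back(TFuncMalloc("__imp__LocalReAlloc@12", 3));                 // kernel32.dll
  funcMalloc.push_back(TFuncMalloc("LocalReAlloc", 3));                           // kernel32.dll
  funcMalloc.push_back(TFuncMalloc("VirtualAlloc", 2));
  funcMalloc.push_back(TFuncMalloc("__imp__VirtualAlloc@16", 2));                 // kernel32.dll
  funcMalloc.push_back(TFuncMalloc("__imp__MpHeapAlloc", 3));                     // msdart.dll export
  funcMalloc.push_back(TFuncMalloc("__imp__MpHeapReAlloc", 3));                   // msdart.dll export
  funcMalloc.push_back(TFuncMalloc("__imp__GdipAlloc@4", 1));                     // gdiplus.dll export
  //funcMalloc.push_back(TFuncMalloc("GpMalloc", 1));                             // gdiplus.dll
  funcMalloc.push_back(TFuncMalloc("__imp__malloc", 1));                          // msvcrt.dll
  funcMalloc.push_back(TFuncMalloc("_malloc", 1));                                // msvcrt.dll, the same as __imp__malloc
  funcMalloc.push_back(TFuncMalloc("__imp__realloc", 2));                         // msvcrt.dll
  funcMalloc.push_back(TFuncMalloc("_realloc", 2));                               // msvcrt.dll
  //funcMalloc.push_back(TFuncMalloc("_alloca", 1));
  //funcMalloc.push_back(TFuncMalloc("_malloca", 1));
}

//---------------------------------------------------------------------------
// Scans for direct calls to every registered allocator and writes one
// report section per allocator to `f`.  Malloc_calls is the per-allocator
// scratch list filled by find_alloc_calls_ex and reset after each report.
static void report_direct_allocs(FILE *f)
{
  // size_t is cast explicitly: the original passed it straight to %d.
  msg("standart funcMalloc.size() = %d\n", static_cast<int>(funcMalloc.size()));
  for ( size_t i = 0; i < funcMalloc.size(); ++i )
  {
    find_alloc_calls_ex(f, funcMalloc[i]);
    pretty_printing_ex(f, funcMalloc[i]);
    Malloc_calls.clear();
    qfprintf(f, "\n\n");
    qflush(f);
  }
}

//---------------------------------------------------------------------------
// Same for the wrapper functions found around the allocators, written to
// `f2`.  The loop bound is re-evaluated on every iteration because the
// original re-read funcMalloc_wrappers.size() after each call — presumably
// find_alloc_calls_warreps_ex appends newly discovered wrappers.
// NOTE(review): if funcMalloc_wrappers[i] is passed by reference and the
// callee appends to the same vector, that reference may be invalidated
// mid-call — confirm against find_alloc_calls_warreps_ex.
static void report_wrapper_allocs(FILE *f2)
{
  msg("standart funcMalloc_wrappers.size() = %d\n", static_cast<int>(funcMalloc_wrappers.size()));
  // TODO: add level property
  for ( size_t i = 0; i < funcMalloc_wrappers.size(); ++i )
  {
    find_alloc_calls_warreps_ex(f2, funcMalloc_wrappers[i]);
    msg("[%d].funcMalloc.size() = %d\n", static_cast<int>(i), static_cast<int>(funcMalloc_wrappers.size()));
    msg("[%d].Malloc_calls.size() = %d\n", static_cast<int>(i), static_cast<int>(Malloc_calls.size()));
    pretty_printing_ex(f2, funcMalloc_wrappers[i]);
    Malloc_calls.clear();
    qflush(f2);
  }
}

//---------------------------------------------------------------------------
// Plugin entry point.  Writes two reports next to the database:
//   <db>.import_allocs.txt          direct allocator calls
//   <db>.import_allocs_wrappers.txt allocator wrapper calls
// Both files are opened up front; if either cannot be opened nothing is
// written (the original dereferenced the NULL FILE* in qfprintf/qfclose).
// `arg` is not used.
// NOTE(review): the buffers returned by construct_output_filename are never
// released here — confirm whether it returns a static buffer or heap memory.
void IDAP_run(int arg)
{
  (void)arg;

  char *filename = construct_output_filename(".import_allocs.txt");
  FILE *f = filename != NULL ? qfopen(filename, "wb") : NULL;
  if ( f == NULL )
  {
    msg("Cannot open output file %s\n", filename != NULL ? filename : "(null)");
    return;
  }

  char *filename2 = construct_output_filename(".import_allocs_wrappers.txt");
  FILE *f2 = filename2 != NULL ? qfopen(filename2, "wb") : NULL;
  if ( f2 == NULL )
  {
    msg("Cannot open output file %s\n", filename2 != NULL ? filename2 : "(null)");
    qfclose(f);
    return;
  }

  register_known_allocators();

  report_direct_allocs(f);
  qfclose(f);

  report_wrapper_allocs(f2);
  qfclose(f2);
}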
// Drops every entry of the global `map`; the container itself stays usable.
static void free_mappings()
{
  map.clear();
}