예제 #1
0
파일: reg.cpp 프로젝트: nealey/vera
ea_t map_port(ea_t from)
{
  for ( int i=0; i < map.size(); i++ )
    if ( map[i].from == from )
      return map[i].to;
  return from;
}
예제 #2
0
int does_exist(TFuncMallocWrapper new_func_malloc)
{
	for(int i = 0; i< funcMalloc_wrappers.size(); i++){
		if(funcMalloc_wrappers[i].address == new_func_malloc.address)return 1;
	}
	return 0;
}
예제 #3
0
파일: utils.cpp 프로젝트: BIDData/BIDMach
int writeQIntVec(qvector & qv, string fname, int buffsize) {
  int j, nrows, fmt, ncols, nnz;
  uint64 v;
  ostream *ofstr = open_out_buf(fname, buffsize);
  ncols = qv.size();
  nrows = 4;
  nnz = nrows * ncols;
  fmt = 110;
  ofstr->write((const char *)&fmt, 4);
  ofstr->write((const char *)&nrows, 4);
  ofstr->write((const char *)&ncols, 4);
  ofstr->write((const char *)&nnz, 4);
  for (j = 0; j < qv.size(); j++) {
    v = qv[j].bottom;
    ofstr->write((const char *)&v, 8);
    v = qv[j].top;
    ofstr->write((const char *)&v, 8);
  }
  closeos(ofstr);
  return 0;
}
tid_t idaapi merge_types(qvector<qstring> types_to_merge, qstring type_name) {
	tid_t struct_type_id = BADADDR;

	std::set<ea_t> offsets;

	if (types_to_merge.size() != 0) {
		struct_type_id = add_struc(BADADDR, type_name.c_str());
		if (struct_type_id != 0 || struct_type_id != BADADDR)
		{
			struc_t * struc = get_struc(struct_type_id);
			if (struc != NULL) {
				qvector<qstring>::iterator types_iter;
				for (types_iter = types_to_merge.begin(); types_iter != types_to_merge.end(); types_iter++) {

					tid_t type_id = get_struc_id((*types_iter).c_str());
					if (type_id != BADADDR) {
						struc_t * struc_type = get_struc(type_id);
						if (struc_type != NULL) {
							// enumerate members
							for (ea_t offset = get_struc_first_offset(struc_type); offset != BADADDR; offset = get_struc_next_offset(struc_type, offset)) {
								member_t * member_info = get_member(struc_type, offset);
								if (member_info != NULL) {
									if (offsets.count(member_info->soff) == 0) {
										qstring member_name = get_member_name2(member_info->id);
										asize_t member_size = get_member_size(member_info);

										if (member_name.find("vftbl_", 0) != -1) {
											tinfo_t tif;
											if (get_member_tinfo2(member_info, &tif)) {
												add_struc_member(struc, member_name.c_str(), member_info->soff, dwrdflag(), NULL, member_size);
												member_t * membr = get_member(struc, member_info->soff);
												if (membr != NULL) {
													set_member_tinfo2(struc, membr, 0, tif, SET_MEMTI_COMPATIBLE);
												}
											}
										}
										else {
											add_struc_member(struc, member_name.c_str(), member_info->soff, member_info->flag, NULL, member_size);
										}

										offsets.insert(member_info->soff);
									}
								}
							}
						}
					}
				}
			}
		}
	}

	return struct_type_id;
}
예제 #5
0
//queue up a received datagram for eventual handlng via IDA's execute_sync mechanism
//call no sdk functions other than execute_sync
void disp_request_t::queueObject(json_object *obj) {
   bool call_exec = false;
   qmutex_lock(mtx);
   objects.push_back(obj);
   call_exec = objects.size() == 1;
   qmutex_unlock(mtx);

   if (call_exec) {
      //only invoke execute_sync if the buffer just added was at the head of the queue
      //in theory this allows multiple datagrams to get queued for handling
      //in a single execute_sync callback
      execute_sync(*this, MFF_WRITE);
   }
}
예제 #6
0
파일: utils.cpp 프로젝트: BIDData/BIDMach
int writeQIntVecx(qvector & im, string fname, int buffsize) {
  int fmt, nrows, ncols, nnz;
  ostream *ofstr = open_out_buf(fname.c_str(), buffsize);
  fmt = 170;
  nrows = im.size();
  ncols = 1;
  nnz = nrows;
  ofstr->write((const char *)&fmt, 4);
  ofstr->write((const char *)&nrows, 4);
  ofstr->write((const char *)&ncols, 4);
  ofstr->write((const char *)&nnz, 4);
  ofstr->write((const char *)&im[0], 16 * nrows);
  closeos(ofstr);
  return 0;
}
예제 #7
0
//this is the callback that gets called by execute_sync, in theory new datagrams
//can arrive and be processed during the loop since queue synchronization takes
//place within the StringList
int idaapi disp_request_t::execute(void) {
   while (objects.size() > 0) {
      qmutex_lock(mtx);
      qvector<json_object*>::iterator i = objects.begin();
      json_object *obj = *i;
      objects.erase(i);
      qmutex_unlock(mtx);
      bool res = (*_disp)(obj);
      if (!res) {  //not sure we really care what is returned here
//         msg(PLUGIN_NAME": connection to server severed at dispatch.\n");
//         comm->cleanup(true);     //probably not the right thing to do??
//         break;
      }
      else {
         //msg(PLUGIN_NAME": dispatch routine called successfully.\n");
      }
   }
   return 0;
}
예제 #8
0
void IDAP_run(int arg)
{
	FILE *f, *f2;
	char *filename = construct_output_filename(".import_allocs.txt");
	f = qfopen(filename, "wb");
	char *filename2 = construct_output_filename(".import_allocs_wrappers.txt");
	f2 = qfopen(filename2, "wb");

	//r0 allocators
	funcMalloc.push_back(TFuncMalloc(" ExAllocatePoolWithQuota", 2));
	funcMalloc.push_back(TFuncMalloc(" __imp__ExAllocatePoolWithQuota@8", 2));//ntoskrnl.exe

	funcMalloc.push_back(TFuncMalloc(" ExAllocatePoolWithQuotaTag", 2));
	funcMalloc.push_back(TFuncMalloc(" __imp__ExAllocatePoolWithQuotaTag@12", 2));//ntoskrnl.exe

	funcMalloc.push_back(TFuncMalloc("ExAllocatePoolWithTag", 2));
	funcMalloc.push_back(TFuncMalloc("__imp__ExAllocatePoolWithTag@12", 2));//ntoskrnl.exe

	funcMalloc.push_back(TFuncMalloc("ExAllocatePoolWithTagPriority", 2));
	funcMalloc.push_back(TFuncMalloc("__imp__ExAllocatePoolWithTagPriority@16", 2));//ntoskrnl.exe

	funcMalloc.push_back(TFuncMalloc("IoAllocateMdl", 2));
	funcMalloc.push_back(TFuncMalloc("__imp__IoAllocateMdl@20", 2));//ntoskrnl.exe

	funcMalloc.push_back(TFuncMalloc("RtlAllocateHeap", 3));
	funcMalloc.push_back(TFuncMalloc("__imp__RtlAllocateHeap", 3));//ntoskrnl.exe

	funcMalloc.push_back(TFuncMalloc("EngAllocMem", 2));
	funcMalloc.push_back(TFuncMalloc("__imp__EngAllocMem", 2));//win32k.sys
	funcMalloc.push_back(TFuncMalloc("__imp__EngAllocMem@12", 2));//win32k.sys


	//type pointer to size!!!
	//funcMalloc.push_back(TFuncMalloc("ZwAllocateVirtualMemory", 4));
	//funcMalloc.push_back(TFuncMalloc("__imp__ZwAllocateVirtualMemory@24", 4));//ntoskrnl.exe
	//funcMalloc.push_back(TFuncMalloc("NtAllocateVirtualMemory", 4));
	//funcMalloc.push_back(TFuncMalloc("__imp__NtAllocateVirtualMemory@24", 4));//ntoskrnl.exe



	//funcMalloc.push_back(TFuncMalloc("RtlReAllocateHeap", 4));
	//funcMalloc.push_back(TFuncMalloc("HeapAlloc", 3));



	//r3 allocators
	funcMalloc.push_back(TFuncMalloc("GlobalAlloc", 2));//kernel32.dll

	funcMalloc.push_back(TFuncMalloc("HeapAlloc", 3));//kernel32.dll
	funcMalloc.push_back(TFuncMalloc("__imp__HeapAlloc@12", 3));//kernel32.dll

	funcMalloc.push_back(TFuncMalloc("__imp__HeapReAlloc@16", 4));//kernel32.dll
	funcMalloc.push_back(TFuncMalloc("HeapReAlloc", 4));//kernel32.dll

	funcMalloc.push_back(TFuncMalloc("__imp__LocalAlloc@8", 2));//kernel32.dll
	funcMalloc.push_back(TFuncMalloc("LocalAlloc", 2));//kernel32.dll

	funcMalloc.push_back(TFuncMalloc("__imp__LocalReAlloc@12", 3));//kernel32.dll
	funcMalloc.push_back(TFuncMalloc("LocalReAlloc", 3));//kernel32.dll

	funcMalloc.push_back(TFuncMalloc("VirtualAlloc", 2));
	funcMalloc.push_back(TFuncMalloc("__imp__VirtualAlloc@16", 2));//kernel32.dll

	funcMalloc.push_back(TFuncMalloc("__imp__MpHeapAlloc", 3));//msdart.dll export
	funcMalloc.push_back(TFuncMalloc("__imp__MpHeapReAlloc", 3));//msdart.dll export

	funcMalloc.push_back(TFuncMalloc("__imp__GdipAlloc@4", 1));//gdiplus.dll export
	//funcMalloc.push_back(TFuncMalloc("GpMalloc", 1));//gdiplus.dll

	funcMalloc.push_back(TFuncMalloc("__imp__malloc", 1));//msvcrt.dll
	funcMalloc.push_back(TFuncMalloc("_malloc", 1));//msvcrt.dll, the same as __imp__malloc

	funcMalloc.push_back(TFuncMalloc("__imp__realloc", 2));//msvcrt.dll
	funcMalloc.push_back(TFuncMalloc("_realloc", 2));//msvcrt.dll

	//funcMalloc.push_back(TFuncMalloc("_alloca", 1));
	//funcMalloc.push_back(TFuncMalloc("_malloca", 1));



	uint i = 0, j = funcMalloc.size();
	msg("standart funcMalloc.size() = %d\n", funcMalloc.size());
	for(; i< funcMalloc.size(); i++){
		find_alloc_calls_ex(f, funcMalloc[i]);
		pretty_printing_ex(f, funcMalloc[i]);

		if(Malloc_calls.size() >  0 )
			Malloc_calls.clear();
		
		qfprintf(f,"\n\n");

		qflush( f );
	}

	qfclose( f );

	
	j = funcMalloc_wrappers.size();
	msg("standart funcMalloc_wrappers.size() = %d\n", j);

	
	//TODO: add level property 
	i = 0;
	while( i < j){

		find_alloc_calls_warreps_ex(f2, funcMalloc_wrappers[i]);
		msg("[%d].funcMalloc.size() = %d\n", i, funcMalloc_wrappers.size());
		msg("[%d].Malloc_calls.size() = %d\n", i, Malloc_calls.size());
		pretty_printing_ex(f2, funcMalloc_wrappers[i]);
		if(Malloc_calls.size() >  0 )
			Malloc_calls.clear();
		j = funcMalloc_wrappers.size();
		i++;
		qflush( f2 );
	}
	


	qfclose( f2 );


	return ;
}
예제 #9
0
void pretty_printing_ex(FILE* f, TFuncMalloc func)
{

	func_t *callee_func;
	qstring name_of_malloc_callee_function;
	int func_name_set = 0;


	for(int i = 0; i < Malloc_calls.size(); i++){
		qfprintf(f,"\r\n");
		callee_func = get_func(Malloc_calls[i].address);
		func_name_set = 0;

		if(callee_func){
			func_name_set = 1;
			get_short_name(&name_of_malloc_callee_function, callee_func->startEA);
			//generate_disasm_line(callee_func->startEA, name_of_malloc_callee_function, sizeof(name_of_malloc_callee_function));
			//tag_remove(name_of_malloc_callee_function, name_of_malloc_callee_function, sizeof(name_of_malloc_callee_function));
		}

		if(func_name_set)
			qfprintf(f,"%s xref: at %a %s\n", func.alloc_func_name, Malloc_calls[i].address, name_of_malloc_callee_function.c_str());
		else
			qfprintf(f,"%s xref: at %a %s\n", func.alloc_func_name, Malloc_calls[i].address, "CISSRT_undefined_function");
		

		if(Malloc_calls[i].type == CONSTVALUE){
			qfprintf(f,"Type: CONST = %d Malloc bytes\n", Malloc_calls[i].value);
		}

		if(Malloc_calls[i].type == VARVALUE){
			char buffer[MAXSTR];
			//char instr_clean[MAXSTR];
			// Store the disassembled text in buf
			ua_ana0(Malloc_calls[i].address_of_last_size_object_modified);

			generate_disasm_line(cmd.ea, buffer, sizeof(buffer));
			tag_remove(buffer, buffer, sizeof(buffer));

			if(Malloc_calls[i].address_of_last_size_object_modified != BADADDR)
				qfprintf(f,"Type: VAR, last modif at %a %s\n", Malloc_calls[i].address_of_last_size_object_modified, buffer);
			else
				qfprintf(f,"Type: VAR, last modif lost :( \n");
			//qfprintf(f,"last modif: \n", instr_clean);			
		}

		if(Malloc_calls[i].type == VARVALUEVULN){
			char buffer[MAXSTR];
			//char instr_clean[MAXSTR];
			// Store the disassembled text in buf
			ua_ana0(Malloc_calls[i].address_of_last_size_object_modified);

			generate_disasm_line(cmd.ea, buffer, sizeof(buffer));
			tag_remove(buffer, buffer, sizeof(buffer));

			//qfprintf(f,"get_first_operand disasm instruction: %s\n", instr_clean);
			if(Malloc_calls[i].address_of_last_size_object_modified != BADADDR)
				qfprintf(f,"Type: VAR, Possible Integer Overflow %a %s\n", Malloc_calls[i].address_of_last_size_object_modified, buffer);
			else
				qfprintf(f,"Type: VAR, last modif lost :( \n");//shouldnt be here
		}

		if(Malloc_calls[i].type == UNDEFINED){
			char buffer[MAXSTR];
			// Store the disassembled text in buf
			ua_ana0(Malloc_calls[i].address_of_last_size_object_modified);

			generate_disasm_line(cmd.ea, buffer, sizeof(buffer));
			tag_remove(buffer, buffer, sizeof(buffer));

			//qfprintf(f,"get_first_operand disasm instruction: %s\n", instr_clean);
			if(Malloc_calls[i].address_of_last_size_object_modified != BADADDR)
				qfprintf(f,"Type: UNDEFINED, at %a %s", Malloc_calls[i].address_of_last_size_object_modified, buffer);//shouldnt be here
			else
				qfprintf(f,"Type: UNDEFINED, last modif lost :(");
		}
	}

}
예제 #10
0
void pretty_printing_ex(FILE* f, TFuncMallocWrapper func)
{
	func_t *callee_func;
	qstring name_of_malloc_callee_function;
	int func_name_set = 0;

	for(int i = 0; i < Malloc_calls.size(); i++){
		//qfprintf(f,"%s ----> %s xref: at %a \n", func.alloc_func_name, func.ancestor, Malloc_calls[i].address);
		qfprintf(f,"\r\n");
		callee_func = get_func(Malloc_calls[i].address);
		func_name_set = 0;

		if(callee_func){
			func_name_set = 1;
			get_short_name(&name_of_malloc_callee_function, callee_func->startEA);
			//generate_disasm_line(callee_func->startEA, name_of_malloc_callee_function, sizeof(name_of_malloc_callee_function));
			//tag_remove(name_of_malloc_callee_function, name_of_malloc_callee_function, sizeof(name_of_malloc_callee_function));
		}

		if(func_name_set)
			qfprintf(f,"%s argNumber = %d ----> %s xref: at %a %s\n", func.alloc_func_name, func.push_malloc_size_count, func.ancestor, Malloc_calls[i].address, name_of_malloc_callee_function.c_str());
		else
			qfprintf(f,"%s argNumber = %d ----> %s xref: at %a %s\n", func.alloc_func_name, func.push_malloc_size_count, func.ancestor, Malloc_calls[i].address, "CISSRT_undefined_function");
			//qfprintf(f,"%s xref: at %a %s\n", func.alloc_func_name, Malloc_calls[i].address, "CISSRT_undefined_function");


		if(Malloc_calls[i].type == CONSTVALUE){
			qfprintf(f,"Type: CONST = %d Malloc bytes\n", Malloc_calls[i].value);
		}
		else if(Malloc_calls[i].type == VARVALUE){
			char buf[MAXSTR];
			char instr_clean[MAXSTR];
			// Store the disassembled text in buf
			ua_ana0(Malloc_calls[i].address_of_last_size_object_modified);
			generate_disasm_line(cmd.ea, buf, sizeof(buf)-1);
			// This will appear as colour-tagged text (which will
			// be mostly unreadable in IDA's
			tag_remove(buf, instr_clean, sizeof(instr_clean)-1);
			if(Malloc_calls[i].address_of_last_size_object_modified != BADADDR)
				qfprintf(f,"Type: VAR, last modif at %a %s\n", Malloc_calls[i].address_of_last_size_object_modified, instr_clean);
			else
				qfprintf(f,"Type: VAR, last modif lost :(");
			//qfprintf(f,"last modif: %s\n", instr_clean);			
		}
		else if(Malloc_calls[i].type == VARVALUEVULN){
			char buf[MAXSTR];
			char instr_clean[MAXSTR];
			// Store the disassembled text in buf
			ua_ana0(Malloc_calls[i].address_of_last_size_object_modified);
			generate_disasm_line(cmd.ea, buf, sizeof(buf)-1);
			// This will appear as colour-tagged text (which will
			// be mostly unreadable in IDA's
			tag_remove(buf, instr_clean, sizeof(instr_clean)-1);
			//qfprintf(f,"get_first_operand disasm instruction: %s\n", instr_clean);
			if(Malloc_calls[i].address_of_last_size_object_modified != BADADDR)
				qfprintf(f,"Type: VAR, Possible Integer Overflow at %a %s\n", Malloc_calls[i].address_of_last_size_object_modified, instr_clean);
			else
				qfprintf(f,"Type: VAR, last modif lost :(");
		}
		else if(Malloc_calls[i].type == UNDEFINED){
			char buf[MAXSTR];
			char instr_clean[MAXSTR];
			// Store the disassembled text in buf
			ua_ana0(Malloc_calls[i].address_of_last_size_object_modified);
			generate_disasm_line(cmd.ea, buf, sizeof(buf)-1);
			// This will appear as colour-tagged text (which will
			// be mostly unreadable in IDA's
			tag_remove(buf, instr_clean, sizeof(instr_clean)-1);
			//qfprintf(f,"get_first_operand disasm instruction: %s\n", instr_clean);

			//qfprintf(f,"Type:var bytes, Possible Integer Overflow at %a %s\n", Malloc_calls[i].address_of_last_size_object_modified, instr_clean);
			if(Malloc_calls[i].address_of_last_size_object_modified != BADADDR)
				qfprintf(f,"Type: UNDEFINED, at %a %s", Malloc_calls[i].address_of_last_size_object_modified, instr_clean);//shouldnt be here
			else
				qfprintf(f,"Type: UNDEFINED, last modif lost :(");
		}
	}
}
예제 #11
0
void analyze_malloc_xref_ex(char *name, ea_t xref_addr, int push_count)
{
	qstring buffer;
	int value = 0;
	int type;
	op_t memory_size_var;
	if(is_trampoline(xref_addr)){
		func_t *func = get_func(xref_addr);
		//msg("analyze_malloc_xref: %s %a - trampoline!\n", name, xref_addr);
		//too easy, how about mov ebp,esp jmp:malloc?
		if(func){
			qstring buff;
			get_short_name(&buff, func->startEA);
			//get_long_name(BADADDR, func->startEA, buffer, MAXSTR);
			TFuncMallocWrapper new_malloc = TFuncMallocWrapper((char *)buff.c_str(), name, push_count, xref_addr, TRAMPOLINE);
			if(!does_exist(new_malloc))
				funcMalloc_wrappers.push_back(new_malloc);
		}
		else{
			TFuncMallocWrapper new_malloc = TFuncMallocWrapper("new malloc", name, push_count, xref_addr, TRAMPOLINE);
			if(!does_exist(new_malloc))
				funcMalloc_wrappers.push_back(new_malloc);
		}
	}



	ea_t push_malloc_size_addr = find_instruction_N_times_backward(xref_addr, NN_push, push_count);

	if(push_malloc_size_addr != BADADDR){
		memory_size_var = get_first_operand_new(push_malloc_size_addr);

		//Allocation of const memory size
		if(memory_size_var.type == o_imm){
			//msg("analyze_malloc_xref: %s %a - immediate!\n", name, push_malloc_size_addr);
			Malloc_calls.push_back(TFuncMalloc_call(xref_addr, CONSTVALUE, memory_size_var.value));

			//msg("analyze_malloc_xref: %s Malloc_call_list.size() = %d!\n", name, Malloc_calls.size());
			return;
		}

		//Allocation of var memory size


		//Allocation of var by register
		if(memory_size_var.type == o_reg){
			ea_t addr_of_src = find_instruction_that_changes_operand_backward_smart(push_malloc_size_addr, memory_size_var);
			msg("analyze_malloc_xref: %s %a - var!\n", name, push_malloc_size_addr);
			if(addr_of_src != BADADDR){
				type = assign_type(addr_of_src, &value);
				Malloc_calls.push_back(TFuncMalloc_call(xref_addr, type, value, addr_of_src));
			}
			else
				Malloc_calls.push_back(TFuncMalloc_call(xref_addr, UNDEFINED));

			msg("analyze_malloc_xref: %s Malloc_call_list.size() = %d!\n", name, Malloc_calls.size());

			return;
		}

		//Allocation of var by argument - new trampoline
		//TODO: better algo!
		if( (memory_size_var.type == o_displ) && (memory_size_var.reg == 5) && (memory_size_var.phrase == 5) && (memory_size_var.value == 0) && ( (int)memory_size_var.addr > 0) ){
			func_t *func = get_func(xref_addr);
			//too easy, how about mov ebp,esp call:malloc?
			if(func)

				get_short_name(&buffer, func->startEA);
				//get_long_name(BADADDR, func->startEA, buffer, MAXSTR);
				TFuncMallocWrapper new_malloc = TFuncMallocWrapper((char *)buffer.c_str(), name, memory_size_var.addr / sizeof(ea_t) - 1, func->startEA, WRAPPER);
				if(!does_exist(new_malloc))
					funcMalloc_wrappers.push_back(new_malloc);
				//funcMalloc.push_back(TFuncMalloc("here var name", memory_size_var.addr / sizeof(ea_t),func->startEA, WRAPPER));
			else{
				TFuncMallocWrapper new_malloc = TFuncMallocWrapper("new malloc", name, memory_size_var.addr / sizeof(ea_t) - 1, xref_addr, WRAPPER);//maybetter name malloc_at_%a?
				if(!does_exist(new_malloc))
					funcMalloc_wrappers.push_back(new_malloc);
					//funcMalloc.push_back(TFuncMalloc("here name of addr", memory_size_var.addr / sizeof(ea_t), xref_addr, WRAPPER));
			}

			return;

			msg("analyze_malloc_xref: %s Malloc_call_list.size() = %d!\n", name, Malloc_calls.size());

		}
		else{
			Malloc_calls.push_back(TFuncMalloc_call(xref_addr, VARVALUE));
		}
	}
	else{
		Malloc_calls.push_back(TFuncMalloc_call(xref_addr, UNDEFINED));
	}

	msg("analyze_malloc_xref: %s Malloc_call_list.size() = %d!\n", name, Malloc_calls.size());
}