static BOOL process_vtbl(ea_t &ea_sect)
{
	VTBL_info_t vftable_info_t;
	if(get_vtbl_info(ea_sect, vftable_info_t))
	{
		ea_sect = vftable_info_t.ea_end;
		ea_t ea_assumed;
		verify_32_t((vftable_info_t.ea_begin - 4), ea_assumed);

		if(vftable_info_t.methods > 1)
		{
			if(has_user_name(getFlags(vftable_info_t.ea_begin)))
			{							
				vftable_info_t.vtbl_name = get_short_name(vftable_info_t.ea_begin);

				qstring vtbl_info_str;
				vtbl_info_str.cat_sprnt(" 0x%x - 0x%x:  %s  methods count: %d", vftable_info_t.ea_begin, vftable_info_t.ea_end, vftable_info_t.vtbl_name.c_str(), vftable_info_t.methods);
				vtbl_list.push_back(vtbl_info_str);

				vtbl_t_list.push_back(vftable_info_t);

				return(TRUE);
			}
		}

		return(FALSE);
	}

	ea_sect += sizeof(UINT);	
	return(FALSE);
}
void process_rtti()
{
	ea_t start = getnseg(0)->startEA;

	while (TRUE)
	{
		ea_t rt = find_RTTI(start, inf.maxEA);
		start = rt + 4;

		if (rt == BADADDR)
			break;

		char* name = get_demangle_name(rt);

		ea_t rtd = rt - 8;

		rtti_addr.push_back(rtd);

		qstring tmp;
#ifndef __EA64__
		tmp.cat_sprnt(" 0x%x:  %s", rtd, name);
#else
		tmp.cat_sprnt(_T(" 0x%I64X:  %s"), rtd, name);
#endif

		rtti_list.push_back(tmp);
	}
}
static void get_xrefs_to_vtbl()
{
	ea_t cur_vt_ea = vtbl_t_list[current_line_pos].ea_begin;
	for (ea_t addr = get_first_dref_to(cur_vt_ea); addr != BADADDR; addr = get_next_dref_to(cur_vt_ea, addr))
	{
		qstring name;
		get_func_name2(&name, addr);

		xref_addr.push_back(addr);

		qstring tmp;
		tmp.cat_sprnt(" 0x%x:  %s", addr, name);
		xref_list.push_back(tmp);
	}
}
static BOOL process_vtbl(ea_t &ea_sect)
{
	VTBL_info_t vftable_info_t;
	if (get_vtbl_info(ea_sect, vftable_info_t))
	{
		ea_sect = vftable_info_t.ea_end;
		ea_t ea_assumed;
#ifndef __EA64__
		verify_32_t((vftable_info_t.ea_begin - 4), ea_assumed);
#else
		verify_64_t((vftable_info_t.ea_begin - sizeof(UINT64)), ea_assumed);
#endif


		if (vftable_info_t.methods > 0)
		{
			/*if(has_user_name(getFlags(vftable_info_t.ea_begin)))
			{	*/
			vftable_info_t.vtbl_name = f_get_short_name(vftable_info_t.ea_begin);
			qstring vtbl_info_str;
#ifndef __EA64__
			vtbl_info_str.cat_sprnt(" 0x%x - 0x%x:  %s  methods count: ", vftable_info_t.ea_begin, vftable_info_t.ea_end, vftable_info_t.vtbl_name);
			vtbl_info_str.cat_sprnt(" %u", vftable_info_t.methods);
#else
			
			vtbl_info_str.cat_sprnt(_T("  0x%I64X -  0x%I64X:  %s  methods count: "), vftable_info_t.ea_begin, vftable_info_t.ea_end, vftable_info_t.vtbl_name);
			vtbl_info_str.cat_sprnt(_T(" %d"), (vftable_info_t.methods));
#endif
			vtbl_list.push_back(vtbl_info_str);
			vtbl_t_list.push_back(vftable_info_t);
			return(TRUE);
			//}
		}
		return(FALSE);
	}
#ifndef __EA64__
	ea_sect += sizeof(UINT);
#else
	ea_sect += sizeof(UINT64);	
#endif

	return(FALSE);
}
示例#5
0
文件: reg.cpp 项目: nealey/vera
static void add_mapping(ea_t from, ea_t to)
{
  if ( from != to )
  {
    deb(IDA_DEBUG_IDP, "add_mapping %a -> %a\n", from, to);
    portmap_t &p = map.push_back();
    p.from = from;
    p.to = to;
  }
}
static void get_xrefs_to_vtbl()
{
	// the list is repeat while select another vtable
	xref_list.clear();
	xref_addr.clear();

	ea_t cur_vt_ea = vtbl_t_list[current_line_pos].ea_begin;
	for (ea_t addr = get_first_dref_to(cur_vt_ea); addr != BADADDR; addr = get_next_dref_to(cur_vt_ea, addr))
	{
		qstring name;
		f_get_func_name2(&name, addr);

		xref_addr.push_back(addr);

		qstring tmp;
#ifndef __EA64__
		tmp.cat_sprnt(" 0x%x:  %s", addr, name);
#else
		tmp.cat_sprnt(_T(" 0x%I64X:  %s"), addr, name);
#endif
		xref_list.push_back(tmp);
	}
}
示例#7
0
//queue up a received datagram for eventual handlng via IDA's execute_sync mechanism
//call no sdk functions other than execute_sync
void disp_request_t::queueObject(json_object *obj) {
   bool call_exec = false;
   qmutex_lock(mtx);
   objects.push_back(obj);
   call_exec = objects.size() == 1;
   qmutex_unlock(mtx);

   if (call_exec) {
      //only invoke execute_sync if the buffer just added was at the head of the queue
      //in theory this allows multiple datagrams to get queued for handling
      //in a single execute_sync callback
      execute_sync(*this, MFF_WRITE);
   }
}
//---------------------------------------------------------------------------
bool x86seh_ctx_t::get_sehlist()
{
  uint64 fs_sel;
  ea_t fs_base;
  uint32 excr_ea;
  handlers.clear();
  if ( !get_reg_val("fs", &fs_sel)
    || internal_get_sreg_base(tid, int(fs_sel), &fs_base) <= 0
    || read_dbg_memory(fs_base, &excr_ea, sizeof(excr_ea)) != sizeof(excr_ea) )
  {
    warning("Failed to build the SEH list for thread %08X", tid);
    return false;
  }

  struct EXC_REG_RECORD
  {
    uint32 p_prev;
    uint32 p_handler;
  };
  EXC_REG_RECORD rec;
  std::set<uint32> seen;
  while ( excr_ea != 0xffffffff )
  {
    if ( read_dbg_memory(excr_ea, &rec, sizeof(rec)) != sizeof(rec) )
      break;

    if ( !seen.insert(excr_ea).second )
    {
      msg("Circular SEH record has been detected\n");
      break;
    }

    handlers.push_back(rec.p_handler);
    excr_ea = rec.p_prev;
  }
  return true;
}
示例#9
0
void IDAP_run(int arg)
{
	FILE *f, *f2;
	char *filename = construct_output_filename(".import_allocs.txt");
	f = qfopen(filename, "wb");
	char *filename2 = construct_output_filename(".import_allocs_wrappers.txt");
	f2 = qfopen(filename2, "wb");

	//r0 allocators
	funcMalloc.push_back(TFuncMalloc(" ExAllocatePoolWithQuota", 2));
	funcMalloc.push_back(TFuncMalloc(" __imp__ExAllocatePoolWithQuota@8", 2));//ntoskrnl.exe

	funcMalloc.push_back(TFuncMalloc(" ExAllocatePoolWithQuotaTag", 2));
	funcMalloc.push_back(TFuncMalloc(" __imp__ExAllocatePoolWithQuotaTag@12", 2));//ntoskrnl.exe

	funcMalloc.push_back(TFuncMalloc("ExAllocatePoolWithTag", 2));
	funcMalloc.push_back(TFuncMalloc("__imp__ExAllocatePoolWithTag@12", 2));//ntoskrnl.exe

	funcMalloc.push_back(TFuncMalloc("ExAllocatePoolWithTagPriority", 2));
	funcMalloc.push_back(TFuncMalloc("__imp__ExAllocatePoolWithTagPriority@16", 2));//ntoskrnl.exe

	funcMalloc.push_back(TFuncMalloc("IoAllocateMdl", 2));
	funcMalloc.push_back(TFuncMalloc("__imp__IoAllocateMdl@20", 2));//ntoskrnl.exe

	funcMalloc.push_back(TFuncMalloc("RtlAllocateHeap", 3));
	funcMalloc.push_back(TFuncMalloc("__imp__RtlAllocateHeap", 3));//ntoskrnl.exe

	funcMalloc.push_back(TFuncMalloc("EngAllocMem", 2));
	funcMalloc.push_back(TFuncMalloc("__imp__EngAllocMem", 2));//win32k.sys
	funcMalloc.push_back(TFuncMalloc("__imp__EngAllocMem@12", 2));//win32k.sys


	//type pointer to size!!!
	//funcMalloc.push_back(TFuncMalloc("ZwAllocateVirtualMemory", 4));
	//funcMalloc.push_back(TFuncMalloc("__imp__ZwAllocateVirtualMemory@24", 4));//ntoskrnl.exe
	//funcMalloc.push_back(TFuncMalloc("NtAllocateVirtualMemory", 4));
	//funcMalloc.push_back(TFuncMalloc("__imp__NtAllocateVirtualMemory@24", 4));//ntoskrnl.exe



	//funcMalloc.push_back(TFuncMalloc("RtlReAllocateHeap", 4));
	//funcMalloc.push_back(TFuncMalloc("HeapAlloc", 3));



	//r3 allocators
	funcMalloc.push_back(TFuncMalloc("GlobalAlloc", 2));//kernel32.dll

	funcMalloc.push_back(TFuncMalloc("HeapAlloc", 3));//kernel32.dll
	funcMalloc.push_back(TFuncMalloc("__imp__HeapAlloc@12", 3));//kernel32.dll

	funcMalloc.push_back(TFuncMalloc("__imp__HeapReAlloc@16", 4));//kernel32.dll
	funcMalloc.push_back(TFuncMalloc("HeapReAlloc", 4));//kernel32.dll

	funcMalloc.push_back(TFuncMalloc("__imp__LocalAlloc@8", 2));//kernel32.dll
	funcMalloc.push_back(TFuncMalloc("LocalAlloc", 2));//kernel32.dll

	funcMalloc.push_back(TFuncMalloc("__imp__LocalReAlloc@12", 3));//kernel32.dll
	funcMalloc.push_back(TFuncMalloc("LocalReAlloc", 3));//kernel32.dll

	funcMalloc.push_back(TFuncMalloc("VirtualAlloc", 2));
	funcMalloc.push_back(TFuncMalloc("__imp__VirtualAlloc@16", 2));//kernel32.dll

	funcMalloc.push_back(TFuncMalloc("__imp__MpHeapAlloc", 3));//msdart.dll export
	funcMalloc.push_back(TFuncMalloc("__imp__MpHeapReAlloc", 3));//msdart.dll export

	funcMalloc.push_back(TFuncMalloc("__imp__GdipAlloc@4", 1));//gdiplus.dll export
	//funcMalloc.push_back(TFuncMalloc("GpMalloc", 1));//gdiplus.dll

	funcMalloc.push_back(TFuncMalloc("__imp__malloc", 1));//msvcrt.dll
	funcMalloc.push_back(TFuncMalloc("_malloc", 1));//msvcrt.dll, the same as __imp__malloc

	funcMalloc.push_back(TFuncMalloc("__imp__realloc", 2));//msvcrt.dll
	funcMalloc.push_back(TFuncMalloc("_realloc", 2));//msvcrt.dll

	//funcMalloc.push_back(TFuncMalloc("_alloca", 1));
	//funcMalloc.push_back(TFuncMalloc("_malloca", 1));



	uint i = 0, j = funcMalloc.size();
	msg("standart funcMalloc.size() = %d\n", funcMalloc.size());
	for(; i< funcMalloc.size(); i++){
		find_alloc_calls_ex(f, funcMalloc[i]);
		pretty_printing_ex(f, funcMalloc[i]);

		if(Malloc_calls.size() >  0 )
			Malloc_calls.clear();
		
		qfprintf(f,"\n\n");

		qflush( f );
	}

	qfclose( f );

	
	j = funcMalloc_wrappers.size();
	msg("standart funcMalloc_wrappers.size() = %d\n", j);

	
	//TODO: add level property 
	i = 0;
	while( i < j){

		find_alloc_calls_warreps_ex(f2, funcMalloc_wrappers[i]);
		msg("[%d].funcMalloc.size() = %d\n", i, funcMalloc_wrappers.size());
		msg("[%d].Malloc_calls.size() = %d\n", i, Malloc_calls.size());
		pretty_printing_ex(f2, funcMalloc_wrappers[i]);
		if(Malloc_calls.size() >  0 )
			Malloc_calls.clear();
		j = funcMalloc_wrappers.size();
		i++;
		qflush( f2 );
	}
	


	qfclose( f2 );


	return ;
}
示例#10
0
void analyze_malloc_xref_ex(char *name, ea_t xref_addr, int push_count)
{
	qstring buffer;
	int value = 0;
	int type;
	op_t memory_size_var;
	if(is_trampoline(xref_addr)){
		func_t *func = get_func(xref_addr);
		//msg("analyze_malloc_xref: %s %a - trampoline!\n", name, xref_addr);
		//too easy, how about mov ebp,esp jmp:malloc?
		if(func){
			qstring buff;
			get_short_name(&buff, func->startEA);
			//get_long_name(BADADDR, func->startEA, buffer, MAXSTR);
			TFuncMallocWrapper new_malloc = TFuncMallocWrapper((char *)buff.c_str(), name, push_count, xref_addr, TRAMPOLINE);
			if(!does_exist(new_malloc))
				funcMalloc_wrappers.push_back(new_malloc);
		}
		else{
			TFuncMallocWrapper new_malloc = TFuncMallocWrapper("new malloc", name, push_count, xref_addr, TRAMPOLINE);
			if(!does_exist(new_malloc))
				funcMalloc_wrappers.push_back(new_malloc);
		}
	}



	ea_t push_malloc_size_addr = find_instruction_N_times_backward(xref_addr, NN_push, push_count);

	if(push_malloc_size_addr != BADADDR){
		memory_size_var = get_first_operand_new(push_malloc_size_addr);

		//Allocation of const memory size
		if(memory_size_var.type == o_imm){
			//msg("analyze_malloc_xref: %s %a - immediate!\n", name, push_malloc_size_addr);
			Malloc_calls.push_back(TFuncMalloc_call(xref_addr, CONSTVALUE, memory_size_var.value));

			//msg("analyze_malloc_xref: %s Malloc_call_list.size() = %d!\n", name, Malloc_calls.size());
			return;
		}

		//Allocation of var memory size


		//Allocation of var by register
		if(memory_size_var.type == o_reg){
			ea_t addr_of_src = find_instruction_that_changes_operand_backward_smart(push_malloc_size_addr, memory_size_var);
			msg("analyze_malloc_xref: %s %a - var!\n", name, push_malloc_size_addr);
			if(addr_of_src != BADADDR){
				type = assign_type(addr_of_src, &value);
				Malloc_calls.push_back(TFuncMalloc_call(xref_addr, type, value, addr_of_src));
			}
			else
				Malloc_calls.push_back(TFuncMalloc_call(xref_addr, UNDEFINED));

			msg("analyze_malloc_xref: %s Malloc_call_list.size() = %d!\n", name, Malloc_calls.size());

			return;
		}

		//Allocation of var by argument - new trampoline
		//TODO: better algo!
		if( (memory_size_var.type == o_displ) && (memory_size_var.reg == 5) && (memory_size_var.phrase == 5) && (memory_size_var.value == 0) && ( (int)memory_size_var.addr > 0) ){
			func_t *func = get_func(xref_addr);
			//too easy, how about mov ebp,esp call:malloc?
			if(func)

				get_short_name(&buffer, func->startEA);
				//get_long_name(BADADDR, func->startEA, buffer, MAXSTR);
				TFuncMallocWrapper new_malloc = TFuncMallocWrapper((char *)buffer.c_str(), name, memory_size_var.addr / sizeof(ea_t) - 1, func->startEA, WRAPPER);
				if(!does_exist(new_malloc))
					funcMalloc_wrappers.push_back(new_malloc);
				//funcMalloc.push_back(TFuncMalloc("here var name", memory_size_var.addr / sizeof(ea_t),func->startEA, WRAPPER));
			else{
				TFuncMallocWrapper new_malloc = TFuncMallocWrapper("new malloc", name, memory_size_var.addr / sizeof(ea_t) - 1, xref_addr, WRAPPER);//maybetter name malloc_at_%a?
				if(!does_exist(new_malloc))
					funcMalloc_wrappers.push_back(new_malloc);
					//funcMalloc.push_back(TFuncMalloc("here name of addr", memory_size_var.addr / sizeof(ea_t), xref_addr, WRAPPER));
			}

			return;

			msg("analyze_malloc_xref: %s Malloc_call_list.size() = %d!\n", name, Malloc_calls.size());

		}
		else{
			Malloc_calls.push_back(TFuncMalloc_call(xref_addr, VARVALUE));
		}
	}
	else{
		Malloc_calls.push_back(TFuncMalloc_call(xref_addr, UNDEFINED));
	}

	msg("analyze_malloc_xref: %s Malloc_call_list.size() = %d!\n", name, Malloc_calls.size());
}