Python idc.get_reg_value() Examples
The following are 11
code examples of idc.get_reg_value().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
idc
, or try the search function
.
.
Example #1
| Source File: klfdb.py From ActionScript3 with GNU General Public License v3.0 | 6 votes |
|
def get_native_function(self):
ecx = idc.get_reg_value("ECX")
esp = idc.get_reg_value("ESP")
method_name = self.get_method_name(esp)
if (idc.get_wide_byte(idc.get_wide_dword(ecx + 8) + 0x38) != 0):
function = idc.get_wide_dword(idc.get_wide_dword(esp + 4) + 0x28)
else:
function = idc.get_wide_dword(idc.get_wide_dword(esp + 4) + 0x24)
print("Resolved native function: 0x%x - %s" % (function, method_name))
if ((method_name not in self.ignore and not self.ignore_all) or
(method_name in self.debug_if_equals) or
(any(x for x in self.debug_if_contains if method_name is not None and x in method_name))):
self.traced.append({"name": method_name, "ea": function, "type": "native", "hit": 0})
idc.add_bpt(function)
Example #2
| Source File: klfdb.py From ActionScript3 with GNU General Public License v3.0 | 6 votes |
|
def get_interpreted_function(self, eip):
if (eip == self.addr["setInterp"]):
esp = idc.get_reg_value("ESP")
self.method_name = self.get_method_name(esp)
self.is_interpreted_state = True
elif (eip == self.addr["setInterpRet"] and self.is_interpreted_state):
function = idc.get_reg_value("EAX")
print("Resolved interpreted function: 0x%x - %s" % (function, self.method_name))
if ((self.method_name not in self.ignore and not self.ignore_all) or
(self.method_name in self.debug_if_equals) or
(any(x for x in self.debug_if_contains if self.method_name is not None and x in self.method_name))):
self.traced.append({"name": self.method_name, "ea": function, "type": "interp", "hit": 0})
idc.add_bpt(function)
self.is_interpreted_state = False
Example #3
| Source File: registers.py From deREferencing with GNU General Public License v3.0 | 6 votes |
|
def modify_value(self):
reg = self.get_selected_reg()
if not reg:
return
reg_val = idc.get_reg_value(reg)
b = idaapi.ask_str("0x%X" % reg_val, 0, "Modify register value")
if b is not None:
try:
value = int(idaapi.str2ea(b))
idc.set_reg_value(value, reg)
self.reload_info()
if reg == dbg.registers.flags:
self.reload_flags_view()
except:
idaapi.warning("Invalid expression")
Example #4
| Source File: registers.py From deREferencing with GNU General Public License v3.0 | 6 votes |
|
def reload_info(self):
if not dbg.is_process_suspended():
return False
self.ClearLines()
for flag in dbg.registers.flags:
try:
value = idc.get_reg_value(flag)
result = None
if self.flag_vals[flag] != value:
result = self.as_changed(str(value))
self.flag_vals[flag] = value
else:
result = str(value)
self.add_line('%-4s %s' % (flag, result))
except:
pass
return True
Example #5
| Source File: ida_debugger.py From IDAngr with BSD 2-Clause "Simplified" License | 5 votes |
|
def get_reg(self, name):
return idc.get_reg_value(name)
Example #6
| Source File: vtableAddress.py From Virtuailor with GNU General Public License v3.0 | 5 votes |
|
def get_local_var_value_64(loc_var_name):
frame = ida_frame.get_frame(idc.here())
loc_var = ida_struct.get_member_by_name(frame, loc_var_name)
loc_var_start = loc_var.soff
loc_var_ea = loc_var_start + idc.get_reg_value("RSP")
loc_var_value = idc.read_dbg_qword(loc_var_ea) # in case the variable is 32bit, just use get_wide_dword() instead
return loc_var_value
Example #7
| Source File: klfdb.py From ActionScript3 with GNU General Public License v3.0 | 5 votes |
|
def get_jit_function(self):
esp = idc.get_reg_value("ESP")
method_name = self.get_method_name(esp)
function = idc.get_wide_dword(esp + 8)
method_id = idc.get_wide_dword(idc.get_wide_dword(esp + 4) + 0x20)
abc_info_pos = idc.get_wide_dword(idc.get_wide_dword(esp + 4) + 0x1C)
method_info = get_qword(abc_info_pos) + get_qword(abc_info_pos + 8)
if (self.as3dump != []):
method = next((x for x in self.as3dump if x["id"] == method_id), None)
if (method is not None and method["info"] == method_info):
method_name = method["name"]
self.set_jit_info(method_id, function)
print("Resolved jit function: 0x%x - %s" % (function, method_name))
self.rename_addr(function, method_name)
if ((method_name not in self.ignore and not self.ignore_all) or
(method_name in self.debug_if_equals) or
(any(x for x in self.debug_if_contains if method_name is not None and x in method_name))):
self.traced.append({"name": method_name, "ea": function, "type": "jit", "hit": 0})
idc.add_bpt(function)
Example #8
| Source File: klfdb.py From ActionScript3 with GNU General Public License v3.0 | 5 votes |
|
def handler(self, break_on_next = False):
if (not self.init()):
return False
timeout = time.time() + self.timeout_seconds
while(self.wait_event()):
eip = idc.get_reg_value("EIP")
if (eip == self.addr["verifyNative"]):
self.get_native_function()
elif (eip == self.addr["setJit"]):
self.get_jit_function()
elif (eip == self.addr["setInterp"] or eip == self.addr["setInterpRet"]):
self.get_interpreted_function(eip)
elif (eip == self.addr["writePrologue"] or eip == self.addr["hasReachableExceptionsRet"]):
self.force_save_eip_generation(eip)
elif (self.stop_execution(eip, break_on_next)):
break
if (time.time() > timeout):
ret = ask_yn(-1, 'Timeout %d seconds. Would you like to continue execution?' % self.timeout_seconds)
if (ret == 1):
timeout = time.time() + self.timeout_seconds
else:
return False
return True
Example #9
| Source File: stack.py From deREferencing with GNU General Public License v3.0 | 5 votes |
|
def reload_info(self):
if not dbg.is_process_suspended():
return False
base_addr = None
if self.base_expr is None:
base_addr = idc.get_reg_value(dbg.registers.stack)
else:
base_addr = idaapi.str2ea(self.base_expr)
if base_addr == idc.BADADDR:
idaapi.warning("Invalid base expr: %s" % self.base_expr)
return False
if not idaapi.is_loaded(base_addr):
idaapi.warning("Memory address is not loaded: $#x" % base_addr)
return False
self.ClearLines()
dbg.set_thread_info()
try:
segm_end = idc.get_segm_end(base_addr)
n_entries = config.n_stack_entries or ((segm_end-base_addr) // dbg.ptr_size)
for i in range(n_entries):
offset = i * dbg.ptr_size
ptr = base_addr + offset
if not idaapi.is_loaded(ptr):
break
value = dbg.get_ptr(ptr)
self.add_line("%02d:%04X %s" % (i, offset, self.parse_value(ptr)))
except Exception as e:
idaapi.warning(str(e))
return False
return True
Example #10
| Source File: registers.py From deREferencing with GNU General Public License v3.0 | 5 votes |
|
def colorize_register(self, reg):
result = ''
reduced = False
try:
reg_val = idc.get_reg_value(reg)
except:
return None, False
label, changed = self.get_reg_label(reg, reg_val)
chain = self.get_ptr_chain(reg_val)
result += label + self.colorize_value(chain[0])
if reg == dbg.registers.flagsr:
return result, changed
elif reg != dbg.registers.pc:
vals = chain[1:]
if len(vals) > config.max_deref_levels:
vals = vals[:config.max_deref_levels]
reduced = True
result += ''.join([self.as_ptr(value) for value in vals])
if reduced:
result += self.as_arrow_string("[...]")
result += self.get_value_info(chain[-1])
if chain.limit_exceeded:
result += self.as_arrow_string("[...]")
return result, changed
Example #11
| Source File: DBGHider.py From DBGHider with Apache License 2.0 | 4 votes |
|
def dbg_process_start(self, pid, tid, ea, name, base, size):
self.mem_for_inline_hooks = 0
self.virtualalloc = 0
ntdll = DllHook('ntdll.dll')
ntdll.add_func( FuncHook('ntdll_NtClose', NtClose_inline_hook_code_32, NtClose_bpt_cond_hook_code_32) )
ntdll.add_func( FuncHook('ntdll_NtQueryInformationProcess', NtQueryInformationProcess_inline_hook_code_32, NtQueryInformationProcess_bpt_cond_hook_code_32) )
self.dlls = [ntdll]
# IDA creates a segment named "TIB[XXXXXXXX]", which points to
# wow_peb64 antually. We can get peb from wow_peb64 with 0x1000 offset.
# peb_addr = wow_peb64_addr + 0x1000
# Note: IDA has not created segment "TIB[XXXXXXXX]" at this point.
# tid = get_current_thread()
# tib_segm_name = "TIB[%08X]" % tid
# print tib_segm_name
# tib_segm = get_segm_by_name(tib_segm_name)
# wow_peb64 = tib_segm.start_ea
# peb = tib_segm.start_ea + 0x1000
# on debugging start, ebx points to peb
# get addrs of peb and wow_peb64
ebx = idc.get_reg_value("ebx")
peb = ebx
wow_peb64 = peb - 0x1000
# patch peb->BeingDebugged
# solving peb->NtGlobalFlag and "Heap Magic" anti-debug method
# at the same time.
idc.patch_byte(peb + 2, 0)
idc.patch_byte(wow_peb64 + 2, 0)
# patching peb process paramters
peb_process_parameters = idaapi.get_dword(peb + 0x10)
flag = idaapi.get_dword(peb_process_parameters + 0x8)
idc.patch_dword(peb_process_parameters + 0x8, flag | 0x4000)
# patching peb64 process paramters
peb64_process_parameters = idaapi.get_qword(wow_peb64 + 0x20)
flag = idaapi.get_dword(peb64_process_parameters + 0x8)
idc.patch_dword(peb64_process_parameters + 0x8, flag | 0x4000)
