Python idc.GetString() Examples
The following are 15
code examples of idc.GetString().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
idc
, or try the search function
.
.
Example #1
| Source File: hint_calls.py From idawilli with Apache License 2.0 | 6 votes |
|
def enum_string_refs_in_function(fva):
'''
yield the string references in the given function.
Args:
fva (int): the starting address of a function
Returns:
sequence[tuple[int, int, str]]: tuples of metadata, including:
- the address of the instruction referencing a string
- the address of the string
- the string
'''
for ea in enum_function_addrs(fva):
for ref in idautils.DataRefsFrom(ea):
stype = idc.GetStringType(ref)
if stype < 0 or stype > 7:
continue
CALC_MAX_LEN = -1
s = str(idc.GetString(ref, CALC_MAX_LEN, stype))
yield ea, ref, s
Example #2
| Source File: StringParser.py From DIE with MIT License | 6 votes |
|
def parseValue(self, rawValue):
"""
Parse the string value
@return:
"""
if self.type_params == ASCII_STR:
value = idc.GetString(rawValue, strtype=idc.ASCSTR_C)
description = "ASCII C-String"
elif self.type_params == UNICODE_STR:
value = idc.GetString(rawValue, strtype=idc.ASCSTR_UNICODE)
description = "Unicode String"
else:
return
value, raw_value = self.normalize_raw_value(value)
self.addParsedvalue(value, 0, description, raw_value)
Example #3
| Source File: idautils.py From dumpDex with Apache License 2.0 | 5 votes |
|
def __str__(self):
return idc.GetString(self.ea, self.length, self.type)
Example #4
| Source File: exception.py From mcsema with Apache License 2.0 | 5 votes |
|
def read_string(ea):
s = idc.GetString(ea, -1, idc.ASCSTR_C)
if s:
slen = len(s)+1
idc.MakeUnknown(ea, slen, idc.DOUNK_SIMPLE)
idaapi.make_ascii_string(ea, slen, idc.ASCSTR_C)
return s, ea + slen
else:
return s, ea
Example #5
| Source File: exception.py From mcsema with Apache License 2.0 | 5 votes |
|
def get_type_info(ea):
tis = read_pointer(ea + get_address_size_in_bytes())
if is_invalid_ea(tis):
return idc.BADADDR
name = idc.GetString(tis)
if name == None or len(name) == 0:
return idc.BADADDR, name
ea2 = ea + 2*get_address_size_in_bytes()
return ea2, name
Example #6
| Source File: StringParser.py From DIE with MIT License | 5 votes |
|
def guessValues(self, rawValue):
"""
Guess string values
"""
minLength = 5 # The minimal string length
value = idc.GetString(rawValue, strtype=idc.ASCSTR_C)
if value and len(value) >= minLength:
value, raw_value = self.normalize_raw_value(value)
self.addParsedvalue(value, 1, "ASCII C-String", raw_value)
value = idc.GetString(rawValue, strtype=idc.ASCSTR_UNICODE)
if value and len(value) >= minLength:
value, raw_value = self.normalize_raw_value(value)
self.addParsedvalue(value, 1, "Ascii Unicode String", raw_value)
value = idc.GetString(rawValue, strtype=idaapi.ASCSTR_PASCAL)
if value and len(value) >= minLength:
value, raw_value = self.normalize_raw_value(value)
self.addParsedvalue(value, 1, "Ascii Pascal string", raw_value)
value = idc.GetString(rawValue, strtype=idaapi.ASCSTR_LEN2)
if value and len(value) >= minLength:
value, raw_value = self.normalize_raw_value(value)
self.addParsedvalue(value, 1, "Ascii String (Len2)", raw_value)
value = idc.GetString(rawValue, strtype=idaapi.ASCSTR_LEN4)
if value and len(value) >= minLength:
value, raw_value = self.normalize_raw_value(value)
self.addParsedvalue(value, 1, "Ascii String (Len4)", raw_value)
value = idc.GetString(rawValue, strtype=idaapi.ASCSTR_ULEN2)
if value and len(value) >= minLength:
value, raw_value = self.normalize_raw_value(value)
self.addParsedvalue(value, 1, "Ascii String (ULen2)", raw_value)
value = idc.GetString(rawValue, strtype=idaapi.ASCSTR_ULEN4)
if value and len(value) >= minLength:
value, raw_value = self.normalize_raw_value(value)
self.addParsedvalue(value, 1, "Ascii String (ULen4)", raw_value)
Example #7
| Source File: BasicStringParser.py From DIE with MIT License | 5 votes |
|
def guessValues(self, rawValue):
"""
Guess string values
"""
minLength = 5
str_value = idc.DbgDword(rawValue+4)
if str_value is None:
return False
value = idc.GetString(str_value, strtype=idc.ASCSTR_C)
if value and len(value) >= minLength:
value, raw_value = self.normalize_raw_value(value)
self.addParsedvalue(value, 1, "std::basic_string", raw_value)
return True
if not value:
# If this is not an ASCII string, check for the string value at offset +0x04
tmp = idc.GetString(rawValue, strtype=idc.ASCSTR_C)
if tmp:
return False
value = idc.GetString(rawValue+4, strtype=idc.ASCSTR_C)
if value and len(value) >= minLength:
value, raw_value = self.normalize_raw_value(value)
self.addParsedvalue(value, 1, "std::basic_string", raw_value)
return True
return False
Example #8
| Source File: BasicStringParser.py From DIE with MIT License | 5 votes |
|
def parseValue(self, rawValue):
"""
Parse the string value
@return:
"""
str_value = idc.DbgDword(rawValue+4)
if str_value is None:
return False
value = idc.GetString(str_value, strtype=idc.ASCSTR_C)
if value:
value, raw_value = self.normalize_raw_value(value)
self.addParsedvalue(value, 1, "std::basic_string", raw_value)
return True
else:
# If this is not an ASCII string, check for the string value at offset +0x04
tmp = idc.GetString(rawValue, strtype=idc.ASCSTR_C)
if tmp:
return False
value = idc.GetString(rawValue+4, strtype=idc.ASCSTR_C)
value, raw_value = self.normalize_raw_value(value)
self.addParsedvalue(value, 1, "std::basic_string", raw_value)
return True
return False
Example #9
| Source File: collect_classes.py From ida_kernelcache with MIT License | 5 votes |
|
def _process_mod_init_func_for_metaclasses(func, found_metaclass):
"""Process a function from the __mod_init_func section for OSMetaClass information."""
_log(4, 'Processing function {}', idc.GetFunctionName(func))
def on_BL(addr, reg):
X0, X1, X3 = reg['X0'], reg['X1'], reg['X3']
if not (X0 and X1 and X3):
return
_log(5, 'Have call to {:#x}({:#x}, {:#x}, ?, {:#x})', addr, X0, X1, X3)
# OSMetaClass::OSMetaClass(this, className, superclass, classSize)
if not idc.SegName(X1).endswith("__TEXT.__cstring") or not idc.SegName(X0):
return
found_metaclass(X0, idc.GetString(X1), X3, reg['X2'] or None)
_emulate_arm64(func, idc.FindFuncEnd(func), on_BL=on_BL)
Example #10
| Source File: kernel.py From ida_kernelcache with MIT License | 5 votes |
|
def parse_prelink_info():
"""Find and parse the kernel __PRELINK_INFO dictionary."""
segments = _find_prelink_info_segments()
for segment in segments:
prelink_info_string = idc.GetString(segment)
prelink_info = kplist.kplist_parse(prelink_info_string)
if prelink_info:
return prelink_info
_log(0, 'Could not find __PRELINK_INFO')
return None
Example #11
| Source File: Stingray.py From Stingray with GNU General Public License v3.0 | 5 votes |
|
def __init__( self, xref, addr ):
type = idc.GetStringType(addr)
if type < 0 or type >= len(String.ASCSTR):
raise StringParsingException()
CALC_MAX_LEN = -1
string = str( idc.GetString(addr, CALC_MAX_LEN, type) )
self.xref = xref
self.addr = addr
self.type = type
self.string = string
Example #12
| Source File: findcrypt3.py From findcrypt-yara with BSD 3-Clause "New" or "Revised" License | 5 votes |
|
def yarasearch(self, memory, offsets, rules):
print(">>> start yara search")
values = list()
matches = rules.match(data=memory)
for match in matches:
for string in match.strings:
name = match.rule
if name.endswith("_API"):
try:
name = name + "_" + idc.GetString(self.toVirtualAddress(string[0], offsets))
except:
pass
value = [
self.toVirtualAddress(string[0], offsets),
match.namespace,
name + "_" + hex(self.toVirtualAddress(string[0], offsets)).lstrip("0x").rstrip("L").upper(),
string[1],
repr(string[2]),
]
idaapi.set_name(value[0], name
+ "_"
+ hex(self.toVirtualAddress(string[0], offsets)).lstrip("0x").rstrip("L").upper()
, 0)
values.append(value)
print("<<< end yara search")
return values
Example #13
| Source File: objc2_xrefs_helper.py From flare-ida with Apache License 2.0 | 5 votes |
|
def __init__(self,objc_class_va,segment_map,arch=ARCH_X86_64):
"""Create a new ObjcClass instance
Arguments:
objc_class_va {number} -- Virtual address of the Objective-C class to parse
segment_map {dictionary} -- A dictionary mapping segment names to a start/end virtual address tuple
Keyword Arguments:
arch {number} -- CPU architecture. Either ARCH_X86_64 or ARM64 (default: {ARCH_X86_64})
"""
self.arch=arch
self.segment_map=segment_map
class_ro_va=Qword(objc_class_va+self.OBJC2_CLASS_RO_OFFSET)
self.name_pointer=Qword(class_ro_va+self.OBJC2_CLASS_RO_NAME_OFFSET)
self.method_list=[]
if class_ro_va == BADADDR or class_ro_va==0:
self.class_ro_va=None
return
self.class_ro_va=class_ro_va
class_methods_va=Qword(class_ro_va+self.OBJC2_CLASS_RO_BASE_METHODS_OFFSET)
if class_methods_va == BADADDR or class_methods_va==0:
self.class_methods_va=None
return
self.class_methods_va=class_methods_va
Message("Class found at virtual address: 0x%x\n" % objc_class_va)
Message("Class name: %s\n" % GetString(self.name_pointer))
#Parse the method_list_t struct and build a list of methods
self.method_list=ObjcMethodList(class_methods_va,segment_map,arch=arch)
Example #14
| Source File: find_get_proc_address.py From flare-ida with Apache License 2.0 | 5 votes |
|
def findGetProcAddress(cfunc):
class visitor(idaapi.ctree_visitor_t):
def __init__(self, cfunc):
idaapi.ctree_visitor_t.__init__(self, idaapi.CV_FAST)
self.cfunc = cfunc
def visit_expr(self, i):
if i.op == idaapi.cot_call:
# look for calls to GetProcAddress
if idc.Name(i.x.obj_ea) == "GetProcAddress":
# ASCSTR_C == 0
# Check to see if the second argument is a C string
if idc.GetStringType(i.a[1].obj_ea) == 0:
targetName = idc.GetString(i.a[1].obj_ea, -1, 0)
# Found function name
# Look for global assignment
parent = self.cfunc.body.find_parent_of(i)
if parent.op == idaapi.cot_cast:
# Ignore casts and look for the parent
parent = self.cfunc.body.find_parent_of(parent)
if parent.op == idaapi.cot_asg:
# We want to find the left hand side (x)
idc.MakeName(parent.cexpr.x.obj_ea, targetName + "_")
return 0
v = visitor(cfunc)
v.apply_to(cfunc.body, None)
Example #15
| Source File: vxhunter_ida.py From vxhunter with BSD 2-Clause "Simplified" License | 4 votes |
|
def fix_vxworks_idb(load_address, vx_version, symbol_table_start, symbol_table_end):
current_image_base = idaapi.get_imagebase()
symbol_interval = 16
if vx_version == 6:
symbol_interval = 20
symbol_table_start += load_address
symbol_table_end += load_address
ea = symbol_table_start
shift_address = load_address - current_image_base
while shift_address >= 0x70000000:
idaapi.rebase_program(0x70000000, 0x0008)
shift_address -= 0x70000000
idaapi.rebase_program(shift_address, 0x0008)
while ea < symbol_table_end:
# for VxWorks 6 unknown symbol format
if idc.Byte(ea + symbol_table_end - 2) == 3:
ea += symbol_interval
continue
offset = 4
if idaapi.IDA_SDK_VERSION >= 700:
idc.create_strlit(idc.Dword(ea + offset), idc.BADADDR)
else:
idc.MakeStr(idc.Dword(ea + offset), idc.BADADDR)
sName = idc.GetString(idc.Dword(ea + offset), -1, idc.ASCSTR_C)
print("Found %s in symbol table" % sName)
if sName:
sName_dst = idc.Dword(ea + offset + 4)
if vx_version == 6:
sName_type = idc.Dword(ea + offset + 12)
else:
sName_type = idc.Dword(ea + offset + 8)
idc.MakeName(sName_dst, sName)
if sName_type in need_create_function:
# flags = idc.GetFlags(ea)
print("Start fix Function %s at %s" % (sName, hex(sName_dst)))
idc.MakeCode(sName_dst) # might not need
idc.MakeFunction(sName_dst, idc.BADADDR)
ea += symbol_interval
print("Fix function by symbol table finish.")
print("Start IDA auto analysis, depending on the size of the firmware this might take a few minutes.")
idaapi.autoWait()
