Python idaapi.get_dword() Examples

Example #1
Source File: shellcode_hash_search.py    From flare-ida with Apache License 2.0
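def lookForDwordArray(self, start, end):
    """Scan [start, end) for 32-bit values that match a known API hash.

    Every byte offset is examined, not only 4-byte-aligned ones, so a
    packed constant anywhere in the range is found. Each value is looked
    up against every configured hash type in the hash database; each hit
    is logged, recorded with addHit and annotated in the listing with
    markupLine.

    Args:
        start: first address to examine.
        end: exclusive end of the range (a value at ``end - 1`` still
            reads the three bytes that follow it).
    """
    logger.debug("Starting to look between: %08x:%08x", start, end)
    # Choose the reader once instead of re-testing the API flag per byte;
    # `using_ida7api` is a module-level switch set at import time.
    read_dword = idaapi.get_dword if using_ida7api else idc.Dword
    # Step one byte at a time: hashed constants need not be aligned.
    for loc in range(start, end):
        val = read_dword(loc)
        for h in self.params.hashTypes:
            for sym in self.dbstore.getSymbolByTypeHash(h.hashType, val):
                logger.info("0x%08x: %s", loc, str(sym))
                self.addHit(loc, sym)
                self.markupLine(loc, sym)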

###################################################################
#
################################################################### 
Example #2
Source File: ida_debugger.py    From IDAngr with BSD 2-Clause "Simplified" License
def get_dword(self, addr):
    """Return the 32-bit value stored at *addr*, read through idaapi."""
    value = idaapi.get_dword(addr)
    return value
Example #3
Source File: DBGHider.py    From DBGHider with Apache License 2.0
def dbg_process_start(self, pid, tid, ea, name, base, size):
        """Debugger-hook callback run when the debuggee process starts.

        Builds the ntdll hook description (NtClose and
        NtQueryInformationProcess, 32-bit variants) and stores it in
        ``self.dlls``; the hooks are installed elsewhere, not here. Then
        clears ``BeingDebugged`` in both the 32-bit PEB and the PEB64, and
        sets bit 0x4000 in the ``Flags`` field of both process-parameter
        blocks.

        The callback parameters (pid, tid, ea, name, base, size) are the
        IDA debugger-hook arguments; none of them is used here.

        NOTE(review): assumes a 32-bit WoW64 target — the PEB is taken
        from ebx and the PEB64 is assumed to sit one page below it, and
        the hook code objects used are the ``_32`` variants. Confirm
        before relying on this for a native 64-bit debuggee.
        """

        self.mem_for_inline_hooks = 0
        self.virtualalloc = 0

        ntdll = DllHook('ntdll.dll')
        ntdll.add_func( FuncHook('ntdll_NtClose', NtClose_inline_hook_code_32, NtClose_bpt_cond_hook_code_32) )
        ntdll.add_func( FuncHook('ntdll_NtQueryInformationProcess', NtQueryInformationProcess_inline_hook_code_32, NtQueryInformationProcess_bpt_cond_hook_code_32) )

        self.dlls = [ntdll]


        # IDA creates a segment named "TIB[XXXXXXXX]", which points to
        # wow_peb64 actually. We can get peb from wow_peb64 with 0x1000 offset.
        #               peb_addr = wow_peb64_addr + 0x1000
        # Note: IDA has not created segment "TIB[XXXXXXXX]" at this point,
        # so the segment-based lookup below cannot be used from this hook.

        # tid = get_current_thread()
        # tib_segm_name = "TIB[%08X]" % tid
        # print tib_segm_name
        # tib_segm = get_segm_by_name(tib_segm_name)
        # wow_peb64 = tib_segm.start_ea
        # peb = tib_segm.start_ea + 0x1000

        # on debugging start, ebx points to peb
        # get addrs of peb and wow_peb64
        ebx = idc.get_reg_value("ebx")
        peb = ebx
        wow_peb64 = peb - 0x1000

        # patch peb->BeingDebugged (PEB+0x02) in both PEBs.
        # solving peb->NtGlobalFlag and "Heap Magic" anti-debug method
        # at the same time.
        idc.patch_byte(peb + 2, 0)
        idc.patch_byte(wow_peb64 + 2, 0)


        # patching peb process parameters: PEB+0x10 is ProcessParameters,
        # and +0x8 inside it is assumed to be RTL_USER_PROCESS_PARAMETERS.Flags.
        # NOTE(review): the pointer read is not validated; if get_dword
        # cannot read the PEB the patch lands at a bogus address — confirm
        # the failure value and guard against it.
        peb_process_parameters = idaapi.get_dword(peb + 0x10)
        flag = idaapi.get_dword(peb_process_parameters + 0x8)
        idc.patch_dword(peb_process_parameters + 0x8, flag | 0x4000)

        # patching peb64 process parameters: PEB64+0x20 is ProcessParameters
        # (an 8-byte pointer, hence get_qword); same +0x8 Flags assumption.
        peb64_process_parameters = idaapi.get_qword(wow_peb64 + 0x20)
        flag = idaapi.get_dword(peb64_process_parameters + 0x8)
        idc.patch_dword(peb64_process_parameters + 0x8, flag | 0x4000)