Python idaapi.get_func() Examples

The following are 30 code examples of idaapi.get_func(). These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may also want to check out all available functions/classes of the module idaapi , or try the search function .
Example #1
Source Project: win_driver_plugin   Author: FSecureLABS   File: win_driver_plugin.py    License: BSD 3-Clause "New" or "Revised" License 13 votes vote down vote up
def find_dispatch_by_struct_index():
    """Attempts to locate the dispatch function based off it being loaded in a structure
    at offset 70h, based off of https://github.com/kbandla/ImmunityDebugger/blob/master/1.73/Libs/driverlib.py """
    
    out = set()
    for function_ea in idautils.Functions():
        flags = idc.get_func_flags(function_ea)
        # skip library functions
        if flags & idc.FUNC_LIB:
            continue
        func = idaapi.get_func(function_ea)
        addr = func.startEA
        while addr < func.endEA:
            if idc.GetMnem(addr) == 'mov':
                if '+70h' in idc.GetOpnd(addr, 0) and idc.GetOpType(addr, 1) == 5:
                    out.add(idc.GetOpnd(addr, 1))
            addr = idc.NextHead(addr)
    return out 
Example #2
Source Project: win_driver_plugin   Author: FSecureLABS   File: win_driver_plugin.py    License: BSD 3-Clause "New" or "Revised" License 6 votes vote down vote up
def find_all_ioctls():
    """
    From the currently selected address attempts to traverse all blocks inside the current function to find all immediate values which
    are used for a comparison/sub immediately before a jz. Returns a list of address, second operand pairs.
    """
    
    ioctls = []
    # Find the currently selected function and get a list of all of it's basic blocks
    addr = idc.ScreenEA()
    f = idaapi.get_func(addr)
    fc = idaapi.FlowChart(f, flags=idaapi.FC_PREDS)
    for block in fc:
        # grab the last two instructions in the block 
        last_inst = idc.PrevHead(block.endEA)
        penultimate_inst = idc.PrevHead(last_inst)
        # If the penultimate instruction is cmp or sub against an immediate value immediately preceding a 'jz' 
        # then it's a decent guess that it's an IOCTL code (if this is a dispatch function)
        if idc.GetMnem(penultimate_inst) in ['cmp', 'sub'] and idc.GetOpType(penultimate_inst, 1) == 5:
            if idc.GetMnem(last_inst) == 'jz':
                value = get_operand_value(penultimate_inst)
                ioctls.append((penultimate_inst, value))
                ioctl_tracker.add_ioctl(penultimate_inst, value)
    return ioctls 
Example #3
Source Project: Karta   Author: CheckPointSW   File: ida_api.py    License: MIT License 6 votes vote down vote up
def funcAt(self, ea):
        """Return the function that includes the given address.

        Args:
            ea (int): effective address of the wanted function

        Return Value:
            A function instance, or None if no such function
        """
        func = idaapi.get_func(ea)
        if func is None:
            return None
        # can now use sark more freely
        try:
            return sark.Function(ea)
        except sark.exceptions.SarkNoFunction:
            # just to be sure
            return None

    # Overridden base function 
Example #4
Source Project: idawilli   Author: williballenthin   File: hint_calls.py    License: Apache License 2.0 6 votes vote down vote up
def enum_function_addrs(fva):
    '''
    yield the effective addresses of each instruction in the given function.
    these addresses are not guaranteed to be in any order.
    
    Args:
      fva (int): the starting address of a function
    
    Returns:
      sequence[int]: the addresses of each instruction
    '''
    f = idaapi.get_func(fva)
    if not f:
        raise ValueError('not a function')

    for block in idaapi.FlowChart(f):
        ea = block.startEA
        while ea <= block.endEA:
            yield ea
            ea = idc.NextHead(ea) 
Example #5
Source Project: dumpDex   Author: CvvT   File: idautils.py    License: Apache License 2.0 6 votes vote down vote up
def FuncItems(start):
    """
    Get a list of function items

    @param start: address of the function

    @return: ea of each item in the function
    """
    func = idaapi.get_func(start)
    if not func:
        return
    fii = idaapi.func_item_iterator_t()
    ok = fii.set(func)
    while ok:
        yield fii.current()
        ok = fii.next_code() 
Example #6
Source Project: heap-viewer   Author: danigargu   File: misc.py    License: GNU General Public License v3.0 6 votes vote down vote up
def get_libc_version_disasm():
    fnc_addr = get_name_ea_simple("gnu_get_libc_version")
    if fnc_addr == BADADDR:
        return None

    add_func(fnc_addr)
    fnc = get_func(fnc_addr)
    if fnc is None:
        return None

    for head in Heads(fnc.start_ea, fnc.end_ea):
        disas = GetDisasm(head)
        if disas.startswith("lea"):
            m = re.search(";\s\"(.*)\"$", disas)
            if m:
                return m.groups()[0]
    return None

# -------------------------------------------------------------------------- 
Example #7
Source Project: idamagicstrings   Author: joxeankoret   File: IDAMagicStrings.py    License: GNU Affero General Public License v3.0 6 votes vote down vote up
def OnDblClick(self, node_id):
    eas = self.nodes_ea[node_id]
    if len(eas) == 1:
      jumpto(list(eas)[0])
    else:
      items = []
      for ea in eas:
        func = idaapi.get_func(ea)
        if func is None:
          s = get_strlit_contents(ea)
          s = s.decode("utf-8")
          if s is not None and s.find(str(self[node_id])) == -1:
            s = get_strlit_contents(ea, strtype=1)
          else:
            s = GetDisasm(ea)
        else:
          s = get_func_name(func.start_ea)

        items.append(["0x%08x" % ea, repr(s)])

      chooser = CClassXRefsChooser("XRefs to %s" % str(self[node_id]), items)
      idx = chooser.Show(1)
      if idx > -1:
        jumpto(list(eas)[idx]) 
Example #8
Source Project: Sark   Author: tmr232   File: core.py    License: MIT License 6 votes vote down vote up
def get_func(func_ea):
    """get_func(func_t or ea) -> func_t

    Take an IDA function (``idaapi.func_t``) or an address (EA) and return
    an IDA function object.

    Use this when APIs can take either a function or an address.

    Args:
        func_ea: ``idaapi.func_t`` or ea of the function.

    Returns:
        An ``idaapi.func_t`` object for the given address. If a ``func_t`` is
        provided, it is returned.
    """
    if isinstance(func_ea, idaapi.func_t):
        return func_ea
    func = idaapi.get_func(func_ea)
    if func is None:
        raise exceptions.SarkNoFunction("No function at 0x{:08X}".format(func_ea))

    return func 
Example #9
Source Project: Sark   Author: tmr232   File: codeblock.py    License: MIT License 6 votes vote down vote up
def get_nx_graph(ea, ignore_external=False):
    """Convert an IDA flowchart to a NetworkX graph."""
    nx_graph = networkx.DiGraph()
    func = idaapi.get_func(ea)
    flowchart = FlowChart(func, ignore_external=ignore_external)
    for block in flowchart:
        # Make sure all nodes are added (including edge-less nodes)
        nx_graph.add_node(block.start_ea)

        for pred in block.preds():
            nx_graph.add_edge(pred.start_ea, block.start_ea)
        for succ in block.succs():
            nx_graph.add_edge(block.start_ea, succ.start_ea)

    return nx_graph 
Example #10
Source Project: idataco   Author: jjo-sec   File: interesting_xor.py    License: GNU General Public License v3.0 6 votes vote down vote up
def find_interesting_xors(self):
        next_xor = idc.FindText(idc.MinEA(), idc.SEARCH_DOWN|idc.SEARCH_NEXT, 0, 0, "xor")
        while next_xor != idc.BADADDR:
            if idc.GetOpnd(next_xor, 0) != idc.GetOpnd(next_xor, 1):
                entry = {"func":"", "addr": next_xor, "loop":False, "disasm": idc.GetDisasm(next_xor)}
                func = idaapi.get_func(next_xor)
                if func:
                    entry["func"] = idaapi.get_name(idc.BADADDR, func.startEA)
                    heads = idautils.Heads(next_xor, func.endEA)
                    lxors = []
                    for head in heads:
                        if idc.GetMnem(head).startswith('j'):
                            jmp_addr = idc.GetOperandValue(head,0)
                            if jmp_addr < next_xor and jmp_addr > func.startEA:
                                entry["loop"] = True
                                break
                self._interesting_xors.append(entry)
            next_xor = idc.FindText(idc.NextHead(next_xor), idc.SEARCH_DOWN|idc.SEARCH_NEXT, 0, 0, "xor") 
Example #11
Source Project: vt-ida-plugin   Author: VirusTotal   File: plugin_loader.py    License: Apache License 2.0 5 votes vote down vote up
def search_function_with_wildcards():
    addr_current = idc.get_screen_ea()
    addr_func = idaapi.get_func(addr_current)

    if not addr_func:
      logging.error('[VT Plugin] Current address doesn\'t belong to a function')
      ida_kernwin.warning('Point the cursor in an area beneath a function.')
    else:
      search_vt = vtgrep.VTGrepSearch(
          addr_start=addr_func.start_ea,
          addr_end=addr_func.end_ea
          )
      search_vt.search(True, False) 
Example #12
Source Project: idasec   Author: RobinDavid   File: ida_utils.py    License: GNU Lesser General Public License v2.1 5 votes vote down vote up
def __init__(self, fun_addr):
        super(MyFlowGraph, self).__init__()
        self.fun = idaapi.get_func(fun_addr)
        self.startEA = self.fun.startEA
        self.endEA = self.fun.endEA
        for bb in idaapi.FlowChart(self.fun):
            self.__setitem__(bb.id, MyBasicBlock(bb))
        self._compute_links()
        self.edge_map = self.make_graph()
        self.shortest_path_map = self.dijkstra(self.edge_map)
        self.size = sum([x.size() for x in self.values()])
        self.viewer = MyFlowGraphViewer(self, "Extract(%s)" % idc.GetFunctionName(self.startEA)) 
Example #13
Source Project: idasec   Author: RobinDavid   File: configuration_file.py    License: GNU Lesser General Public License v2.1 5 votes vote down vote up
def set_start_stop(self, ftype):
        assert_ida_available()
        import idc
        import idaapi
        import idautils
        fun_mapping = {idc.GetFunctionName(x): (idaapi.get_func(x).startEA, idaapi.get_func(x).endEA-1)
                       for x in idautils.Functions()}
        start = idc.BeginEA()
        stop = 0
        if ftype == PE:
            start, stop = fun_mapping["start"]
        else:
            if not idc.isCode(idc.GetFlags(start)):
                if idc.MakeCode(start) == 0:
                    print "Fail to decode instr !"
                idaapi.autoWait()
            if idc.GetFunctionName(start) == "":
                if idc.MakeFunction(start) == 0:
                    print "Fail to create function !"
                idaapi.autoWait()
                fun_mapping = {idc.GetFunctionName(x): (idaapi.get_func(x).startEA, idaapi.get_func(x).endEA-1)
                               for x in idautils.Functions()}

            if "main" in fun_mapping:
                start, stop = fun_mapping["main"]
            elif "start" in fun_mapping:
                if "__libc_start_main" in fun_mapping:
                    instrs = list(idautils.FuncItems(fun_mapping["start"][0]))
                    instrs.reverse()
                    for inst in instrs:
                        arg1 = idc.GetOperandValue(inst, 0)
                        if idc.GetMnem(inst) == "push":
                            start, stop = arg1, fun_mapping["start"][1]
                            break
                else:
                    start, stop = fun_mapping["start"]
        self.config.start, self.config.stop = start, stop 
Example #14
Source Project: idasec   Author: RobinDavid   File: static_opaque_analysis.py    License: GNU Lesser General Public License v2.1 5 votes vote down vote up
def run(self):
        # -- GUI stuff
        self.result_widget.set_actions_visible_and_enabled(False)
        self.set_progress_visible(True)
        # -----------

        # Refill the configuration file
        if self.configuration.ksteps != 0 and self.config_widget.radio_path_routine.isChecked():
            self.k = self.configuration.ksteps  # Use the ksteps given if making the path on the whole routine

        self.result_widget.webview.append("### Opaque predicates Detection ###\n")

        self.configuration.analysis_name = "static opaque"
        self.configuration.additional_parameters.typeid = self.configuration.additional_parameters.STANDARD

        target_val = str(self.config_widget.target_field.text())
        start_tps = time.time()
        if self.config_widget.radio_addr.isChecked():
            addr = utils.to_addr(target_val)
            self.process_routine(idaapi.get_func(addr).startEA, pred_addr=addr)
        elif self.config_widget.radio_routine.isChecked():
            addr = idc.LocByName(target_val)
            if addr == idc.BADADDR:
                addr = utils.to_addr(target_val)
            self.process_routine(addr)
        elif self.config_widget.radio_program.isChecked():
            self.process_program()
        else:
            pass

        self.exec_time_total = time.time() - start_tps - self.exec_time_dep
        self.analyse_finished = True
        self.broker.terminate()

        # -- GUI stuff
        self.result_widget.set_actions_visible_and_enabled(True)
        self.set_progress_visible(False)
        # ------------
        self.analysis_terminated() 
Example #15
Source Project: idasec   Author: RobinDavid   File: static_opaque_analysis.py    License: GNU Lesser General Public License v2.1 5 votes vote down vote up
def highlight_dead_code(self, enabled):
        curr_fun = idaapi.get_func(idc.here()).startEA
        cfg = self.functions_cfg[curr_fun]
        # for cfg in self.functions_cfg.values():
        for bb in cfg.values():
            color = {Status.DEAD: 0x5754ff, Status.ALIVE: 0x98FF98, Status.UNKNOWN: 0xaa0071}[bb.status]
            color = 0xFFFFFF if enabled else color
            for i in bb:
                idc.SetColor(i, idc.CIC_ITEM, color)
        self.actions[HIGHLIGHT_DEAD_CODE] = (self.highlight_dead_code, not enabled)
        self.result_widget.action_selector_changed(HIGHLIGHT_DEAD_CODE) 
Example #16
Source Project: idasec   Author: RobinDavid   File: static_opaque_analysis.py    License: GNU Lesser General Public License v2.1 5 votes vote down vote up
def highlight_spurious(self, enabled):
        print "Highlight spurious clicked !"
        curr_fun = idaapi.get_func(idc.here()).startEA
        cfg = self.functions_cfg[curr_fun]
        color = 0xFFFFFF if enabled else 0x507cff
        for bb in [x for x in cfg.values() if x.is_alive()]:  # Iterate only alive basic blocks
            for i, st in bb.instrs_status.items():
                if st == Status.DEAD:  # Instructions dead in alive basic blocks are spurious
                    idc.SetColor(i, idc.CIC_ITEM, color)
        self.actions[HIGHLIGHT_SPURIOUS_CALCULUS] = (self.highlight_spurious, not enabled)
        self.result_widget.action_selector_changed(HIGHLIGHT_SPURIOUS_CALCULUS) 
Example #17
Source Project: idasec   Author: RobinDavid   File: idasec_core.py    License: GNU Lesser General Public License v2.1 5 votes vote down vote up
def update_mapping(self):
        pass
        self.fun_mapping = {idc.GetFunctionName(x): (idaapi.get_func(x).startEA, idaapi.get_func(x).endEA-1) for x in
                            idautils.Functions()}
        self.seg_mapping = {idc.SegName(x): (idc.SegStart(x), idc.SegEnd(x)) for x in idautils.Segments()} 
Example #18
Source Project: Sibyl   Author: cea-sec   File: find.py    License: GNU General Public License v3.0 5 votes vote down vote up
def __init__(self):

        addr = idc.ScreenEA()
        func = idaapi.get_func(addr)

        tests_choice = "\n".join(map(lambda x: "<%s:{r%s}>" % (x, x), AVAILABLE_TESTS))
        ida_kernwin.Form.__init__(self,
r"""BUTTON YES* Launch
BUTTON CANCEL NONE
Sibyl Settings

{FormChangeCb}
Apply on:
<One function:{rOneFunc}>
<All functions:{rAllFunc}>{cMode}>

<Targeted function:{cbFunc}>

Testsets to use:
%s{cTest}>

""" % tests_choice, {
    'FormChangeCb': ida_kernwin.Form.FormChangeCb(self.OnFormChange),
    'cMode': ida_kernwin.Form.RadGroupControl(("rOneFunc", "rAllFunc")),
    'cTest': ida_kernwin.Form.ChkGroupControl(map(lambda x: "r%s" % x,
                                      AVAILABLE_TESTS),
                                  value=(1 << len(AVAILABLE_TESTS)) - 1),
    'cbFunc': ida_kernwin.Form.DropdownListControl(
        items=self.available_funcs,
        readonly=False,
        selval="0x%x" % func.startEA),
}
        )

        self.Compile() 
Example #19
Source Project: idascripts   Author: nlitsme   File: enumerators.py    License: MIT License 5 votes vote down vote up
def Texts(*args):
    """
    Enumerate text search matches

    @param <range>: see getrange
    @param searchstr:    string or regex
    @param flags:        for instance SEARCH_REGEX

    @return: list of addresses matching searchstr

    Example::

        for ea in Texts((FirstSeg(), BADADDR), "LDR *PC, =", SEARCH_REGEX):
            f = idaapi.get_func(ea)
            if f and f.start_ea==ea:
                n= idaapi.get_name(BADADDR, ea)
                if not n.startswith("sub_"):
                    MakeName(ea, "j_%s" %n)

    Will search for functions containing only  "LDR PC, =xxxxx",
    and rename them as j_XXXXX.
    """
    (first, last)= getrange(args)
    i= getstringpos(args)
    if i<0:
        raise Exception("missing searchstring")

    searchstr= args[i]
    flags = args[i+1] if i+1<len(args) else 0

    ea= idaapi.find_text(first, idaapi.SEARCH_DOWN|flags, 0, 0, searchstr)
    while ea!=idaapi.BADADDR and ea<last:
        yield ea
        ea= idaapi.find_text(idaapi.next_head(ea, last), idaapi.SEARCH_DOWN|flags, 0, 0, searchstr) 
Example #20
Source Project: idawilli   Author: williballenthin   File: yara_fn.py    License: Apache License 2.0 5 votes vote down vote up
def get_basic_blocks(fva):
    '''
    return sequence of `BasicBlock` instances for given function.
    '''
    ret = []
    func = idaapi.get_func(fva)
    if func is None:
        return ret

    for bb in idaapi.FlowChart(func):
        ret.append(BasicBlock(va=bb.start_ea,
                              size=bb.end_ea - bb.start_ea))

    return ret 
Example #21
Source Project: idawilli   Author: williballenthin   File: yara_fn.py    License: Apache License 2.0 5 votes vote down vote up
def get_function(va):
    '''
    return va for first instruction in function that contains given va.
    '''
    return idaapi.get_func(va).start_ea 
Example #22
Source Project: idawilli   Author: williballenthin   File: hint_calls.py    License: Apache License 2.0 5 votes vote down vote up
def get_custom_viewer_hint(self, view, place):
        try:
            tform = idaapi.get_current_tform()
            if idaapi.get_tform_type(tform) != idaapi.BWN_DISASM:
                return None

            curline = idaapi.get_custom_viewer_curline(view, True)
            
            # sometimes get_custom_viewer_place() returns [x, y] and sometimes [place_t, x, y].
            # we want the place_t.
            viewer_place = idaapi.get_custom_viewer_place(view, True)
            if len(viewer_place) != 3:
                return None

            _, x, y = viewer_place
            ea = place.toea()

            # "color" is a bit of misnomer: its the type of the symbol currently hinted
            color = get_color_at_char(curline, x)
            if color != idaapi.COLOR_ADDR:
                return None

            # grab the FAR references to code (not necessarilty a branch/call/jump by itself)
            far_code_references = [xref.to for xref in idautils.XrefsFrom(ea, ida_xref.XREF_FAR) 
                                   if idc.isCode(idc.GetFlags(xref.to))]
            if len(far_code_references) != 1:
                return None

            fva = far_code_references[0]

            # ensure its actually a function
            if not idaapi.get_func(fva):
                return None

            # this magic constant is the number of "important lines" to display by default.
            # the remaining lines get shown if you scroll down while the hint is displayed, revealing more lines.
            return render_function_hint(fva), DEFAULT_IMPORTANT_LINES_NUM
        except Exception as e:
            logger.warning('unexpected exception: %s. Get in touch with @williballenthin.', e, exc_info=True)
            return None 
Example #23
Source Project: dumpDex   Author: CvvT   File: idautils.py    License: Apache License 2.0 5 votes vote down vote up
def Chunks(start):
    """
    Get a list of function chunks

    @param start: address of the function

    @return: list of funcion chunks (tuples of the form (start_ea, end_ea))
             belonging to the function
    """
    func_iter = idaapi.func_tail_iterator_t( idaapi.get_func( start ) )
    status = func_iter.main()
    while status:
        chunk = func_iter.chunk()
        yield (chunk.startEA, chunk.endEA)
        status = func_iter.next() 
Example #24
Source Project: GhIDA   Author: Cisco-Talos   File: utility.py    License: Apache License 2.0 5 votes vote down vote up
def get_current_address():
    """
    Get the hex address of the function.
    """
    ca = idc.here()
    func = idaapi.get_func(ca)
    if not func:
        print("GhIDA:: [!] Error: function not found.")
        return None

    # Get function start address
    ea = func.start_ea
    ea = hex(ea).strip("0x").strip("L")
    return ea 
Example #25
Source Project: GhIDA   Author: Cisco-Talos   File: utility.py    License: Apache License 2.0 5 votes vote down vote up
def convert_address(ca):
    """
    Convert a decimal address into the hex address
    of the corresponding function.
    """
    func = idaapi.get_func(ca)
    if not func:
        print("GhIDA:: [!] Error: function not found.")
        return None

    # Get function start address
    ea = func.start_ea
    ea = hex(ea).strip("0x").strip("L")
    return ea 
Example #26
Source Project: ida_haru   Author: TakahiroHaruyama   File: yara_fn.py    License: Apache License 2.0 5 votes vote down vote up
def get_basic_blocks(fva):
    '''
    return sequence of `BasicBlock` instances for given function.
    '''
    ret = []
    func = idaapi.get_func(fva)
    if func is None:
        return ret

    for bb in idaapi.FlowChart(func):
        ret.append(BasicBlock(va=bb.start_ea,
                              size=bb.end_ea - bb.start_ea))

    return ret 
Example #27
Source Project: ida_haru   Author: TakahiroHaruyama   File: yara_fn.py    License: Apache License 2.0 5 votes vote down vote up
def get_function(va):
    '''
    return va for first instruction in function that contains given va.
    '''
    return idaapi.get_func(va).start_ea 
Example #28
Source Project: heap-viewer   Author: danigargu   File: misc.py    License: GNU General Public License v3.0 5 votes vote down vote up
def get_func_name_offset(ea):
    func = idaapi.get_func(ea)
    if func:
        offset = ea - func.start_ea
        return "%s+%#x" % (get_func_name(ea), offset)
    return "%#x" % ea

# -------------------------------------------------------------------------- 
Example #29
Source Project: idamagicstrings   Author: joxeankoret   File: IDAMagicStrings.py    License: GNU Affero General Public License v3.0 5 votes vote down vote up
def rename_items(self, items):
    for i in items:
      item = self.items[i]
      ea = int(item[3], 16)
      candidate, _ = os.path.splitext(item[2])
      name = "%s_%08x" % (candidate, ea)
      func = idaapi.get_func(ea)
      if func is not None:
        ea = func.start_ea
        set_name(ea, name, SN_CHECK)
      else:
        line = "WARNING: Cannot rename 0x%08x to %s because there is no function associated."
        print(line % (ea, name)) 
Example #30
Source Project: idamagicstrings   Author: joxeankoret   File: IDAMagicStrings.py    License: GNU Affero General Public License v3.0 5 votes vote down vote up
def __init__(self, title, classes, final_list):
    idaapi.GraphViewer.__init__(self, title)
    self.selected = None
    self.classes = classes
    self.final_list = final_list
    self.nodes = {}
    self.nodes_ea = {}
    self.graph = {}

    self.last_cmd = 0

    dones = set()
    for ea, tokens in self.classes:
      refs = DataRefsTo(ea)
      refs_funcs = set()
      for ref in refs:
        func = idaapi.get_func(ref)
        if func is not None:
          refs_funcs.add(func.start_ea)

      if len(refs_funcs) == 1:
        func_ea = list(refs_funcs)[0]
        if func_ea in dones:
          continue
        dones.add(func_ea)

        func_name = get_func_name(func_ea)
        tmp = demangle_name(func_name, INF_SHORT_DN)
        if tmp is not None:
          func_name = tmp

        element = [func_ea, func_name, "::".join(tokens), [get_string(ea)]]
        self.final_list.append(element)