Python idautils.FuncItems() Examples

The following are 13 code examples of idautils.FuncItems(). You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may also want to check out all available functions/classes of the module idautils , or try the search function .
Example #1
Source Project: idasec   Author: RobinDavid   File: AnalysisWidget.py    License: GNU Lesser General Public License v2.1 6 votes vote down vote up
def detect_start_and_stop(self):  # FIXME:Duplicate code with core (or something similar)
        start, stop = 0, 0
        if self.core.ftype == "PE":
            start, stop = self.core.fun_mapping["start"]
        else:
            if "main" in self.core.fun_mapping:
                start, stop = self.core.fun_mapping["main"]
            elif "start" in self.core.fun_mapping:
                if "__libc_start_main" in self.core.fun_mapping:
                    instrs = list(idautils.FuncItems(self.core.fun_mapping["start"][0]))
                    instrs.reverse()
                    for inst in instrs:
                        arg1 = idc.GetOperandValue(inst, 0)
                        if idc.GetMnem(inst) == "push":
                            start, stop = arg1, self.core.fun_mapping["start"][1]
                            break
                else:
                    start, stop = self.core.fun_mapping["start"]
            else:
                start, stop = idc.BeginEA(), 0
        self.start, self.stop = start, stop 
Example #2
Source Project: slid   Author: arvinddoraiswamy   File: save_disasm.py    License: MIT License 6 votes vote down vote up
def save_mnemonics_functions_ida(f1):
  filename= f1
  mnemonics = {}
  flag= 0

  for segAddress in Segments():
    segName = SegName(segAddress)
    if segName == ".text":
      funcs = Functions(SegStart(segAddress), SegEnd(segAddress))
      for address in funcs:
        t1= GetFunctionName(address)
        f1= idautils.FuncItems(address)
        t2=''
        for i in f1:
          t2+= GetMnem(i)
          t2+= '^^^'
        mnemonics[filename+'>'+t1]= t2+'<'+str(address)
        
  return mnemonics 
Example #3
Source Project: Reef   Author: darx0r   File: Reef.py    License: GNU General Public License v3.0 6 votes vote down vote up
def find_xrefs_from( self, func_ea ):
    
        xrefs = []

        for item in idautils.FuncItems( func_ea ):
            
            ALL_XREFS = 0
            for ref in idautils.XrefsFrom( item, ALL_XREFS ):
                    
                if ref.type not in XrefsFromFinder.XREF_TYPE2STR:
                    continue
                
                if ref.to in idautils.FuncItems( func_ea ):
                    continue
                
                disas = idc.GetDisasm( item )
                curr_xref = XrefFrom( item, ref.to, ref.type, disas )
                xrefs.append( curr_xref )
                
        return xrefs 
Example #4
Source Project: idasec   Author: RobinDavid   File: configuration_file.py    License: GNU Lesser General Public License v2.1 5 votes vote down vote up
def set_start_stop(self, ftype):
        assert_ida_available()
        import idc
        import idaapi
        import idautils
        fun_mapping = {idc.GetFunctionName(x): (idaapi.get_func(x).startEA, idaapi.get_func(x).endEA-1)
                       for x in idautils.Functions()}
        start = idc.BeginEA()
        stop = 0
        if ftype == PE:
            start, stop = fun_mapping["start"]
        else:
            if not idc.isCode(idc.GetFlags(start)):
                if idc.MakeCode(start) == 0:
                    print "Fail to decode instr !"
                idaapi.autoWait()
            if idc.GetFunctionName(start) == "":
                if idc.MakeFunction(start) == 0:
                    print "Fail to create function !"
                idaapi.autoWait()
                fun_mapping = {idc.GetFunctionName(x): (idaapi.get_func(x).startEA, idaapi.get_func(x).endEA-1)
                               for x in idautils.Functions()}

            if "main" in fun_mapping:
                start, stop = fun_mapping["main"]
            elif "start" in fun_mapping:
                if "__libc_start_main" in fun_mapping:
                    instrs = list(idautils.FuncItems(fun_mapping["start"][0]))
                    instrs.reverse()
                    for inst in instrs:
                        arg1 = idc.GetOperandValue(inst, 0)
                        if idc.GetMnem(inst) == "push":
                            start, stop = arg1, fun_mapping["start"][1]
                            break
                else:
                    start, stop = fun_mapping["start"]
        self.config.start, self.config.stop = start, stop 
Example #5
Source Project: idasec   Author: RobinDavid   File: static_opaque_analysis.py    License: GNU Lesser General Public License v2.1 5 votes vote down vote up
def process_routine(self, rtn_addr, pred_addr=None, rtn_i=1, total_rtn=1):
        if rtn_addr not in self.functions_cfg:
            self.functions_cfg[rtn_addr] = MyFlowGraph(rtn_addr)
        cfg = self.functions_cfg[rtn_addr]
        path_to = self.config_to_path_function(cfg)
        if pred_addr is None:
            candidates = {x for x in idautils.FuncItems(rtn_addr) if idc.GetMnem(x) in cond_jump}
        else:
            candidates = {pred_addr}
        nb_candidates = len(candidates)
        self.functions_candidates[rtn_addr] = set()
        self.functions_spurious_instrs[rtn_addr] = set()

        self.progressbar_loading.reset()
        self.progressbar_loading.setMaximum(len(candidates))

        name = idc.GetFunctionName(rtn_addr)
        self.result_widget.webview.append("\n=> Function:%s\n" % name)

        self.log("[result]", "Start processing function: 0x%x" % rtn_addr)
        for i, addr in zip(xrange(len(candidates)), candidates):
            path = path_to(addr)
            res = self.process_addr(rtn_addr, addr, path)
            if self.STOP:
                return
            elif res is None:
                continue
            dead_br = "/" if res.dead_branch is None else "%x" % res.dead_branch
            self.result_widget.webview.append("%x:\t%s\t\tK:%d\tDead:%s" % (addr, to_status_name(res.status), res.k, dead_br))

            self.result_widget.webview.verticalScrollBar().setValue(self.result_widget.webview.verticalScrollBar().maximum())
            self.loading_stat.setText("Fun: %d/%d  Addr: %d/%d" % (rtn_i, total_rtn, i+1, nb_candidates))

            self.progressbar_loading.setValue(self.progressbar_loading.value()+1)
            self.functions_candidates[rtn_addr].add(addr) 
Example #6
Source Project: Sark   Author: tmr232   File: function.py    License: MIT License 5 votes vote down vote up
def iter_function_lines(func_ea) -> Iterable[Line]:
    """Iterate the lines of a function.

    Args:
        func_ea (idaapi.func_t, int): The function to iterate.

    Returns:
        Iterator over all the lines of the function.
    """
    for line in idautils.FuncItems(get_ea(func_ea)):
        yield Line(line) 
Example #7
Source Project: rematch   Author: nirizr   File: function.py    License: GNU General Public License v3.0 5 votes vote down vote up
def count(self):
    """return the number of instructions contained in function"""
    return len(list(idautils.FuncItems(self.offset))) 
Example #8
Source Project: rematch   Author: nirizr   File: assembly_hash.py    License: GNU General Public License v3.0 5 votes vote down vote up
def data(self):
    md5 = hashlib.md5()
    for ea in idautils.FuncItems(self.offset):
      asm_line = idc.GetDisasmEx(ea, idc.GENDSM_MULTI_LINE)
      if ';' in asm_line:
        asm_line = asm_line[:asm_line.find(';')]
      asm_line = asm_line.strip()
      asm_line = " ".join(asm_line.split())
      asm_line = asm_line.lower()
      md5.update(asm_line)
    return md5.hexdigest() 
Example #9
Source Project: rematch   Author: nirizr   File: instruction_hash.py    License: GNU General Public License v3.0 5 votes vote down vote up
def data(self):
    h = self.keleven
    for ea in idautils.FuncItems(self.offset):
      h = self._cycle(h, idc.Byte(ea))
      # go over all additional bytes of any instruction
      for i in range(ea + 1, ea + idc.ItemSize(ea)):
        h = self._cycle(h, idc.Byte(i))
    return h 
Example #10
Source Project: rematch   Author: nirizr   File: identity_hash.py    License: GNU General Public License v3.0 5 votes vote down vote up
def data(self):
    h = self.keleven
    for ea in idautils.FuncItems(self.offset):
      h = self._cycle(h, idc.Byte(ea))
      # skip additional bytes of any instruction that contains an offset in it
      if idautils.CodeRefsFrom(ea, False) or idautils.DataRefsFrom(ea):
        continue
      for i in range(ea + 1, ea + idc.ItemSize(ea)):
        h = self._cycle(h, idc.Byte(i))
    return h 
Example #11
Source Project: rematch   Author: nirizr   File: mnemonic_hash.py    License: GNU General Public License v3.0 5 votes vote down vote up
def data(self):
    md5 = hashlib.md5()
    for ea in idautils.FuncItems(self.offset):
      mnem_line = idc.GetMnem(ea)
      mnem_line = mnem_line.strip()
      mnem_line = mnem_line.lower()
      md5.update(mnem_line)
    return md5.hexdigest() 
Example #12
Source Project: IDAPython_Note   Author: ExpLife0011   File: 13_注释和重命名.py    License: MIT License 4 votes vote down vote up
def check_for_wrapper(func):
    flags = idc.GetFunctionFlags(func)
    #跳过库函数和简单的跳转函数
    if flags & FUNC_LIB or flags & FUNC_THUNK:
        return
    dism_addr = list(idautils.FuncItems(func))
    #获取函数的长度
    func_length = len(dism_addr)
    #如果函数的超过32条指令则返回
    if func_length > 0x20:
        return
    
    func_call = 0
    instr_cmp = 0
    op = None
    op_addr = None
    op_type = None
    
    #遍历函数中的每条指令
    for ea in dism_addr:
        m = idc.GetMnem(ea)
        if m == 'call' or m == 'jmp':
            if m == 'jmp':
                temp = idc.GetOperandValue(ea, 0)
                # 忽略函数边界内的跳转
                if temp in dism_addr:
                    continue
            func_call += 1
            #封装函数内不会包含多个函数调用
            if func_call == 2:
                return
            op_addr = idc.GetOperandValue(ea, 0)
            op_type = idc.GetOpType(ea, 0)
        elif m == 'cmp' or m == 'test':
            # 封装函数内不应该包含太多的逻辑运算
            instr_cmp += 1
            if instr_cmp == 3:
                return
        else:
            continue
    
    # 所有函数内的指令都被分析过了
    if op_addr == None:
        return
    
    name = idc.Name(op_addr)
    #跳过名称粉碎的函数名称
    if "[" in name or "$" in name or "?" in name or "@" in name or name == "":
        return
    name = "w_" + name
    if op_type == o_near:
        if idc.GetFunctionFlags(op_addr) & FUNC_THUNK:
            rename_wrapper(name, func)
            return
    if op_type == o_mem or op_type == o_far:
        rename_wrapper(name, func)
        return 
Example #13
Source Project: prefix   Author: gaasedelen   File: ida_prefix.py    License: MIT License 4 votes vote down vote up
def graph_down(ea, path=set()):
    """
    Recursively collect all function calls.

    Copied with minor modifications from
    http://hooked-on-mnemonics.blogspot.com/2012/07/renaming-subroutine-blocks-and.html
    """
    path.add(ea)

    #
    # extract all the call instructions from the current function
    #

    call_instructions = []
    instruction_info = idaapi.insn_t()
    for address in idautils.FuncItems(ea):

        # decode the instruction
        if not idaapi.decode_insn(instruction_info, address):
            continue

        # check if this instruction is a call
        if not idaapi.is_call_insn(instruction_info):
            continue

        # save this address as a call instruction
        call_instructions.append(address)

    #
    # iterate through all the instructions in the target function (ea) and
    # inspect all the call instructions
    #

    for x in call_instructions:

        #  TODO
        for r in idautils.XrefsFrom(x, idaapi.XREF_FAR):
            #print(0x%08X" % h, "--calls-->", "0x%08X" % r.to)
            if not r.iscode:
                continue

            # get the function pointed at by this call
            func = idaapi.get_func(r.to)
            if not func:
                continue

            # ignore calls to imports / library calls / thunks
            if (func.flags & (idaapi.FUNC_THUNK | idaapi.FUNC_LIB)) != 0:
                continue

            #
            # if we have not traversed to the destination function that this
            # call references, recurse down to it to continue our traversal
            #

            if r.to not in path:
                graph_down(r.to, path)

    return path