#!/bin/python # IDAPython script that can be used to identify dynamically loaded functions # in TeslaCrypt samples leveraging the Carberp source code. apis = { "pFlushViewOfFile" : 0x664FD32B, "pLoadLibraryA" : 0xC8AC8026, "pLoadLibraryW" : 0xC8AC8030, "pLoadLibraryExA" : 0x20088E6A, "pLoadLibraryExW" : 0x20088E7C, "pFreeLibrary" : 0x4B935B8E, "pGetProcAddress" : 0x1FC0EAEE, "pTerminateProcess" : 0x9E6FA842, "pVirtualAlloc" : 0x697A6AFE, "pVirtualAllocEx" : 0x9ABFB8A6, "pVirtualFree" : 0x3A35705F, "pVirtualFreeEx" : 0x5C17EC75, "pVirtualQuery" : 0x6A582465, "pVirtualQueryEx" : 0x919786E, "pVirtualProtect" : 0xA9DE6F5A, "pVirtualProtectEx" : 0x9BD6888F, "pCloseHandle" : 0x723EB0D5, "pGlobalAlloc" : 0x725EA171, "pGlobalFree" : 0x240339C8, "pCreateFileA" : 0x8F8F114, "pCreateFileW" : 0x8F8F102, "pWriteFile" : 0xF3FD1C3, "pGetCurrentDirectoryA" : 0xC80715CE, "pWriteProcessMemory" : 0xBEA0BF35, "pCreateRemoteThread" : 0xE61874B3, "pReadFile" : 0x487FE16B, "pSetFilePointer" : 0xEF48E03A, "pCopyFileA" : 0x2EE4F10D, "pCopyFileW" : 0x2EE4F11B, "pMoveFileA" : 0x20E4E9ED, "pMoveFileW" : 0x20E4E9FB, "pMoveFileExA" : 0x3A7A7478, "pMoveFileExW" : 0x3A7A746E, "pDeleteFileA" : 0x81F0F0DF, "pDeleteFileW" : 0x81F0F0C9, "pGetFileSize" : 0xAEF7CBF1, "pCreateFileMappingA" : 0xEF0A25B7, "pCreateFileMappingW" : 0xEF0A25A1, "pMapViewOfFile" : 0x5CD9430, "pGetFileTime" : 0xAE17C071, "pSetFileTime" : 0xAE17C571, "pGetModuleHandleA" : 0xA48D6762, "pGetModuleHandleW" : 0xA48D6774, "pUnmapViewOfFile" : 0x77CD9567, "pWaitForSingleObject" : 0xC54374F3, "pSleep" : 0x3D9972F5, "pWideCharToMultiByte" : 0xE74F57EE, "pMultiByteToWideChar" : 0x5AA7E70B, "pGetModuleFileNameA" : 0x774393E8, "pGetModuleFileNameW" : 0x774393FE, "pGetSystemDirectoryA" : 0x49A1374A, "pGetSystemDirectoryW" : 0x49A1375C, "pGetTempPathA" : 0x58FE7ABE, "pGetTempPathW" : 0x58FE7AA8, "pGetVolumeInformationA" : 0x67ECDE97, "pGetVolumeInformationW" : 0x67ECDE81, "pSetFileAttributesA" : 0x4D5587B7, "pSetFileAttributesW" : 0x4D5587A1, "pCreateProcessA" : 0x46318AC7, "pCreateProcessW" : 0x46318AD1, "pGetVersionExA" : 0x9C480E24, "pGetVersionExW" : 0x9C480E32, "pCreateThread" : 0x6FB89AF0, "pCreateMutexA" : 0xBF78969C, "pCreateMutexW" : 0xBF78968A, "pReleaseMutex" : 0xBB74A4A2, "pGetVersion" : 0xCB932CE2, "pDeviceIoControl" : 0x82E8173, "pQueryDosDeviceA" : 0xAC81BECB, "pQueryDosDeviceW" : 0xAC81BEDD, "pIsBadReadPtr" : 0x7D544DBD, "pIsBadWritePtr" : 0xAC85818D, "pGetCurrentProcess" : 0xD89AD05, "pCreateEventW" : 0x8D5A50CA, "pSetEvent" : 0x5E7EE0D0, "pResetEvent" : 0x3B3EE0F9, "pGetShortPathNameA" : 0x223296ED, "pGetShortPathNameW" : 0x223296FB, "pLocalFree" : 0x84033DEB, "pGetPrivateProfileStringA" : 0xAA19E291, "pGetPrivateProfileStringW" : 0xAA19E287, "pGetFileAttributesA" : 0x475587B7, "pGetFileAttributesW" : 0x475587A1, "pGetEnvironmentVariableA" : 0x9802EF30, "pGetEnvironmentVariableW" : 0x9802EF26, "pReadProcessMemory" : 0x9D00A761, "pExitProcess" : 0x95902B19, "pOpenProcess" : 0x99A4299D, "pGetCurrentProcessId" : 0x6B416786, "pProcess32First" : 0x19F78C90, "pProcess32Next" : 0xC930EA1E, "pCreateToolhelp32Snapshot" : 0x5BC1D14F, "pWinExec" : 0xE8BF6DAD, "pFindResourceA" : 0x8FE060C, "pSetLastError" : 0x1295012C, "pLoadResource" : 0x1A10BD8B, "pLockResource" : 0x1510BD8A, "pSizeofResource" : 0x86867F0E, "pLockRsrc" : 0xBAC5467D, "pGetTempFileNameA" : 0xFA4F502, "pGetTempFileNameW" : 0xFA4F514, "pGetLongPathNameA" : 0x9835D5A1, "pCreateEventA" : 0x8D5A50DC, "pConnectNamedPipe" : 0x7235F00E, "pCreateNamedPipeA" : 0x42F9BB48, "pGetTickCount" : 0x69260152, "pExitThread" : 0x768AA260, "plstrcmpiA" : 0x515BE757, "pSuspendThread" : 0xEEBA5EBA, "pGetComputerNameA" : 0x3DEF91BA, "pGetThreadContext" : 0xAA1DE02F, "pSetThreadContext" : 0xAA1DC82F, "pResumeThread" : 0x7B88BF3B, "pProcessIdToSessionId" : 0x654F3F9E, "pWTSGetActiveConsoleSessionId" : 0x654FEEAC, "pOpenMutexA" : 0xAE52C609, "pCreateProcessInternalA" : 0xE24394E4, "pCreateProcessInternalW" : 0xE24394F2, "pTerminateThread" : 0xC09D5D66, "plopen" : 0xCDFC3010, "plstrcmpA" : 0x2CA2B7E6, "plstrcmpW" : 0x2CA2B7F0, "plstrcatA" : 0x2CA1B5E6, "plstrcatW" : 0x2CA1B5F0, "plstrcpyA" : 0x2CA5F366, "plstrcpyW" : 0x2CA5F370, "plstrlenA" : 0x2D40B8E6, "plstrlenW" : 0x2D40B8F0, "pThread32First" : 0x89B968D2, "pThread32Next" : 0x4C1077D6, "pOpenThread" : 0x7E92CA65, "pGetWindowsDirectoryA" : 0x78B00C7E, "pGetWindowsDirectoryW" : 0x78B00C68, "pFindFirstFileA" : 0x32432444, "pFindFirstFileW" : 0x32432452, "pFindNextFileA" : 0x279DEAD7, "pFindNextFileW" : 0x279DEAC1, "pFindClose" : 0x7B4842C1, "pRemoveDirectoryA" : 0x4AE7572B, "pInitializeCriticalSection" : 0xDA81BC58, "pEnterCriticalSection" : 0xF3B84F05, "pLeaveCriticalSection" : 0x392B6027, "pDeleteCriticalSection" : 0x7B2D2505, "pGetProcessHeap" : 0x68807354, "pHeapAlloc" : 0x5550B067, "pHeapReAlloc" : 0xFC7A6EFD, "pHeapSize" : 0x0AEBEA6A, "pHeapFree" : 0x084D25EA, "pGetCurrentThreadId" : 0xA45B370A, "pGetCurrentThread" : 0x4FBA916C, "pGlobalLock" : 0x25447AC6, "pGlobalUnlock" : 0xF50B872, "pSetErrorMode" : 0x6C544060, "pGetFileInformationByHandle" : 0xF149BCC4, "pFileTimeToLocalFileTime" : 0xE5792E94, "pFileTimeToDosDateTime" : 0xB68EBEF8, "pOutputDebugStringA" : 0xD0498CD4, "pExpandEnvironmentStringsA" : 0x23EBE98B, "pExpandEnvironmentStringsW" : 0x23EBE99D, "pOutputDebugStringW" : 0xD0498CC2, "pLocalAlloc" : 0x725CB0A1, "pFindFirstChangeNotificationA" : 0xE8402F0, "pFindCloseChangeNotification" : 0x3634D801, "pFindNextChangeNotification" : 0xFAB3FE71, "pCreateDirectoryW" : 0xA073561, "pCreateDirectoryA" : 0xA073577, "pOpenEventW" : 0x9C70005F, "pGetSystemTimeAsFileTime" : 0x6951E92A, "pGetSystemTime" : 0x270118E2, "pGetLogicalDriveStringsA" : 0x70F6FE31, "pGetDriveTypeA" : 0x399354CE, "pGetACP" : 0x5e9063ee, "pSetCurrentDirectoryW" : 0xc8071758, "pSetCurrentDirectoryA" : 0xc807174e, "pDuplicateHandle" : 0x533d3b41, "pGetExitCodeProcess" : 0xFDC94385, "pGetCommandLineA" : 0xFB0730C, "pCreateProcessAsUserA" : 0x985267C4, "pSetThreadToken" : 0xA16FE0FD, "pOpenProcessToken" : 0x80DBBE07, "pLookupPrivilegeValueA" : 0x1B3D12B9, "pLookupPrivilegeValueW" : 0x1B3D12AF, "pAdjustTokenPrivileges" : 0x7A2167DC, "pRegOpenKeyExA" : 0xAAD67FF8, "pRegOpenKeyExW" : 0xAAD67FEE, "pRegQueryInfoKeyA" : 0xBDF4DB19, "pRegQueryInfoKeyW" : 0xBDF4DB0F, "pRegEnumKeyExA" : 0xB4F673FD, "pRegEnumKeyExW" : 0xB4F673EB, "pRegEnumValueA" : 0xF65A7D95, "pRegEnumValueW" : 0xF65A7D83, "pRegQueryValueExA" : 0x1802E7C8, "pRegQueryValueExW" : 0x1802E7DE, "pRegCloseKey" : 0xDB355534, "pRegDeleteKeyA" : 0x398C5285, "pRegDeleteKeyW" : 0x398C5293, "pRegSetValueExA" : 0x3E400FD6, "pRegSetValueExW" : 0x3E400FC0, "pGetUserNameA" : 0xB9D41C2F, "pGetUserNameW" : 0xB9D41C39, "pOpenServiceA" : 0x83969964, "pStartServiceA" : 0x1CA1FD2F, "pControlService" : 0x5FFEE3F1, "pGetKernelObjectSecurity" : 0xB29136DD, "pOpenSCManagerA" : 0xA06E459C, "pQueryServiceStatusEx" : 0xF6C712F4, "pGetCurrentHwProfileA" : 0xF684C7A9, "pGetTokenInformation" : 0xD4ECC759, "pInitializeSecurityDescriptor" : 0xB8538A52, "pSetSecurityDescriptorOwner" : 0xDADD5994, "pSetFileSecurityW" : 0x5A9B2FDD, "pRegCreateKeyW" : 0xAE9E4290, "pRegCreateKeyA" : 0xAE9E4286, "pRegCreateKeyExW" : 0x90A097F0, "pRegCreateKeyExA" : 0x90A097E6, "pCloseServiceHandle" : 0x78CEC357, "pCryptAcquireContextA" : 0x8AD7DE34, "pCryptReleaseContext" : 0x72760BB8, "pCryptImportKey" : 0x78660DBE, "pCryptEncrypt" : 0xCEBF13BE, "pCryptDecrypt" : 0xCEBF17E6, "pCryptSetKeyParam" : 0x37A53419, "pCryptDestroyKey" : 0xD4B3D42, "pAllocateAndInitializeSid" : 0x28E9E291, "pCheckTokenMembership" : 0x87FEDB50, "pFreeSid" : 0x5CB5EF72, "pRegDeleteValueA" : 0x560c7c4a, "pExitWindowsEx" : 0xAD7043A4, "pPeekMessageW" : 0xD7A87C3A, "pDispatchMessageW" : 0x4BAED1DE, "pMsgWaitForMultipleObjects" : 0xD36CEAF0, "pWaitForInputIdle" : 0x4FAC81B4, "pGetWindowThreadProcessId" : 0x6C7F716F, "pFindWindowA" : 0x252B53B, "pGetSystemMetrics" : 0x8EBEF5B1, "pGetActiveWindow" : 0xDB7C98AC, "pGetKeyboardLayoutNameA" : 0xEA0FAD78, "pOpenClipboard" : 0x6ADFC795, "pGetClipboardData" : 0x8E7AE818, "pCloseClipboard" : 0xF0EC2212, "pGetWindowTextA" : 0x9C29100A, "pGetWindowTextW" : 0x9C29101C, "pGetForegroundWindow" : 0xCACD450, "pGetWindowLongPtrA" : 0x1D6C998B, "pGetWindowLongPtrW" : 0x1D6C999D, "pEnumChildWindows" : 0xAE8A5532, "pGetParent" : 0x5992A5F2, "pGetDesktopWindow" : 0xCD4AC62B, "pIsWindowVisible" : 0xCFAAD7BF, "pSetWindowLongA" : 0xBD6C998B, "pSetWindowLongW" : 0xBD6C999D, "pGetWindowLongA" : 0x1D6C998B, "pGetWindowLongW" : 0x1D6C999D, "pSetLayeredWindowAttributes" : 0x2DDBD2AF, "pSetWindowPos" : 0xA92DF5AF, "pMessageBoxA" : 0xABBC680D, "pMessageBoxW" : 0xABBC681B, "pGetClassNameW" : 0x484006A, "pGetClassNameA" : 0x484007C, "pShowWindow" : 0x7506E960, "pSendMessageW" : 0x58A81C3F, "pSendMessageA" : 0x58A81C29, "pEnumWindows" : 0x9940B5CA, "pIsWindow" : 0x9D4AF949, "pGetWindow" : 0xDA12E549, "pCreateDesktopW" : 0xC43ED7B1, "pCreateDesktopA" : 0xC43ED7A7, "pGetThreadDesktop" : 0x79F9B7FA, "pSwitchDesktop" : 0x5B92DEA5, "pSetThreadDesktop" : 0x79F99FFA, "pGetTopWindow" : 0xC90E0C33, "pMoveWindow" : 0x7234A16F, "pFindWindowExA" : 0xAD4FFCD5, "pGetMessageA" : 0xC8A274AC, "pSendMessageTimeoutW" : 0x65846C69, "pSendMessageTimeoutA" : 0x65846C7F, "pSetClipboardViewer" : 0x322391FC, "pIsClipboardFormatAvailable" : 0xB161BF96, "pChangeClipboardChain" : 0x7CF84417, "pPostMessageA" : 0xC8A87EA7, "pGetMessagePos" : 0x9D2F45DB, "pClientToScreen" : 0x543DF505, "pGetWindowRect" : 0x97F85FA0, "pDefWindowProcA" : 0xC6CE9B8A, "pCallWindowProcA" : 0xEE5FDA87, "pGetKeyNameTextW" : 0xAD34F519, "pGetKeyboardState" : 0xF5E780A6, "pGetKeyboardLayout" : 0xA0C69BF7, "pToUnicodeEx" : 0x2944D0D1, "pLoadCursorW" : 0xCFB2E5CF, "pRegisterClassA" : 0xAEABC9A4, "pCreateWindowExA" : 0xBF7EFB5A, "pTranslateMessage" : 0xC45D9631, "pDispatchMessageA" : 0x4BAED1C8, "pGetWindowDC" : 0xB95254C7, "pReleaseDC" : 0x4CB2D16D, "pFillRect" : 0xCAD4D692, "pActivateKeyboardLayout" : 0xD9EE8729, "pwvsprintfA" : 0x6B3AF0EC, "pwvsprintfW" : 0x6b3af0fa, "pWSACleanup" : 0x8FB8B5BD, "pWSAStartup" : 0xCDDE757D, "psocket" : 0xFC7AF16A, "pclosesocket" : 0x939D7D9C, "paccept" : 0x3C797B7A, "pbind" : 0xC5A7764, "phtons" : 0x8E9BF775, "plisten" : 0x9E7D3188, "precv" : 0xE5971F6, "psend" : 0xE797764, "pconnect" : 0xEDD8FE8A, "pshutdown" : 0x4C7C5841, "pgethostbyname" : 0xF44318C6, "pgethostbyaddr" : 0xF5A25C51, "pinet_addr" : 0x95E4A5D7, "pinet_ntoa" : 0x9400A044, "pgetaddrinfo" : 0xD9F839BA, "pgetpeername" : 0xD939F838, "pselect" : 0x5D99726A, "psetsockopt" : 0xD8923733, "pWSAGetLastError" : 0x8E878072, "pWSASetLastError" : 0x8E850072, "pRtlComputeCrc32" : 0x687B7023, "pRtlImageDirectoryEntryToData" : 0x503f7b28, "pRtlInitUnicodeString" : 0x3287EC73, "pRtlInitAnsiString" : 0xEE02056A, "pNtOpenFile" : 0x9C45B56C, "pNtOpenDirectoryObject" : 0xF5F11CF0, "pNtCreateSection" : 0x6E6F608B, "pNtOpenSection" : 0x5FA9AB38, "pZwLoadDriver" : 0x42F57D33, "pZwUnloadDriver" : 0x95849B61, "pRtlAdjustPrivilege" : 0xC2A6B1AE, "pZwMakeTemporaryObject" : 0x128CE9D3, "pNtClose" : 0x3D9AC241, "pRtlImageNtHeader" : 0xDD39FD14, "pZwQuerySystemInformation" : 0xBC44A131, "pZwUnmapViewOfSection" : 0x9ED4D161, "pZwMapViewOfSection" : 0x594D9A3C, "pZwQueueApcThread" : 0xC0E4F6EE, "pZwResumeThread" : 0xACF8BF39, "pZwTestAlert" : 0xC952A06B, "pZwQueryInformationThread" : 0xFAEDF3AA, "pZwOpenProcess" : 0x9C0AC99D, "pZwOpenProcessToken" : 0xADACBE07, "pZwClose" : 0x3D9A9259, "pZwAllocateVirtualMemory" : 0x594AA9E4, "pZwFreeVirtualMemory" : 0xBED3922C, "pZwWriteVirtualMemory" : 0xEEE7AF23, "pZwProtectVirtualMemory" : 0x3836C63E, "pRtlCreateUserThread" : 0xE9E0A4F7, "pLdrLoadDll" : 0x78740534, "pLdrGetDllHandle" : 0x7E287C6A, "pLdrGetProcedureAddress" : 0x323C2875, "pZwSetContextThread" : 0x62E2FE6F, "pZwSetInformationProcess" : 0xCA2BF652, "pZwQueryInformationProcess" : 0xA638CE5F, "pZwQueryInformationFile" : 0x0f7ba4b7, "pZwShutdownSystem" : 0x6F1C809E, "pWinStationTerminateProcess" : 0xA60C5F05, "pSHGetSpecialFolderPathA" : 0xC95D8550, "pSHGetSpecialFolderPathW" : 0xC95D8546, "pFindExecutableA" : 0x37707500, "pFindExecutableW" : 0x37707516, "pSHGetFolderPathA" : 0xDEAA9541, "pSHGetFolderPathW" : 0xDEAA9557, "pShellExecuteW" : 0x570BC88F, "pShellExecuteA" : 0x570BC899, "pStrStrIW" : 0x3E3B7742, "pStrStrIA" : 0x3E3B7754, "pShellExecuteExA" : 0xf2276983, "pShellExecuteExW" : 0xf2276995, "pInternetConnectA" : 0xBE618D3E, "pInternetConnectW" : 0xBE618D28, "pHttpOpenRequestA" : 0x1510002F, "pHttpOpenRequestW" : 0x15100039, "pHttpSendRequestA" : 0x9F13856A, "pHttpSendRequestW" : 0x9F13857C, "pInternetCloseHandle" : 0x7314FB0C, "pInternetQueryOptionA" : 0x2AE71934, "pInternetQueryOptionW" : 0x2AE71922, "pInternetSetOptionA" : 0x1AD09C78, "pInternetSetStatusCallback" : 0x9EF6461, "pHttpQueryInfoA" : 0x2F5CE027, "pHttpQueryInfoW" : 0x2F5CE031, "pHttpAddRequestHeadersA" : 0xB5901061, "pHttpAddRequestHeadersW" : 0xB5901077, "pGetUrlCacheEntryInfoW" : 0x57FBC0CB, "pFindFirstUrlCacheEntryA" : 0xDDCB15D, "pFindNextUrlCacheEntryA" : 0x8733D614, "pDeleteUrlCacheEntry" : 0xA3A80AB6, "pFindCloseUrlCache" : 0xFDE87743, "pInternetOpenA" : 0x8593DD7, "pInternetOpenUrlA" : 0xB87DBD66, "pInternetReadFile" : 0x1A212962, "pInternetReadFileExA" : 0x2C523864, "pInternetReadFileExW" : 0x2C523872, "pReadUrlCacheEntryStream" : 0x1672BC16, "pUnlockUrlCacheEntryStream" : 0xEE22C82A, "pRetrieveUrlCacheEntryStreamA" : 0x609C6936, "pFindFirstUrlCacheEntryExA" : 0x2C567F36, "pFindNextUrlCacheEntryExA" : 0xF5841D8D, "pDeleteUrlCacheEntryA" : 0xD4055B10, "pURLDownloadToFileA" : 0xD95D2399, "pURLDownloadToFileW" : 0xD95D238F, "pObtainUserAgentString" : 0x534D481, "pCreateCompatibleBitmap" : 0x6B3470D5, "pCreateCompatibleDC" : 0x5AF0017C, "pSelectObject" : 0x4894DAFC, "pBitBlt" : 0x9E90B462, "pDeleteDC" : 0x5E10F525, "pDeleteObject" : 0x48B87EFC, "pGetDeviceCaps" : 0x39E9624F, "pCreateSolidBrush" : 0xEF9AC06E, "pEnableEUDC" : 0xB676E907, "pGdiplusStartup" : 0x55F74962, "pGdipCreateBitmapFromHBITMAP" : 0xB7F0B572, "pGdipSaveImageToFile" : 0xE410B3EB, "pGdipDisposeImage" : 0x226FA923, "pGdiplusShutdown" : 0x99A24264, "pCertOpenSystemStoreA" : 0xEEA9ED9D, "pCertEnumCertificatesInStore" : 0x9897E094, "pPFXExportCertStoreEx" : 0xDFDB467E, "pCertCloseStore" : 0xCC1A6B6B, "pPFXImportCertStore" : 0x3A1B7F5D, "pCertAddCertificateContextToStore" : 0xDC6DD6E5, "pCertDuplicateCertificateContext" : 0x2F16F47, "pCertDeleteCertificateFromStore" : 0x5B08B5F, "pCheckSumMappedFile" : 0xd5edc5a2, "pPathCombineA" : 0x45b615d5, "pPathCombineW" : 0x45b615c3, "pPathFindFileNameA" : 0xeed5398c, "pPathFindFileNameW" : 0xEED5399A, "pGetProcessImageFileNameA" : 0x2741105, "pCoInitializeEx" : 0x7573DE28, "pCoUninitialize" : 0xEDB3159D, "pCoCreateInstance" : 0x368435BE, "pCoInitializeSecurity" : 0x910EACB3, "pAddPrintProvidorA" : 0x4B12B4DF, "pDeletePrintProvidorA" : 0x3D369C42 } # Attempt to create the 'carberpAPI' enumeration that will be used later on. id_enum = idc.AddEnum(0, "carberpAPI", idaapi.hexflag()); if id_enum != 0xffffffff: for k,v in apis.iteritems(): idc.AddConstEx(id_enum, k, v, -1); print "[*] Added Carberp API enumeration: carberpAPI" def get_all_enum_constants(): ''' Returns hash of constant numerical representations. Value of each key is an array containing the constant name (array[0]) and the constant ID (array[1]). ''' constants = {} all_enums = GetEnumQty() for i in range(0, all_enums): en = GetnEnum(i) first = GetFirstConst(en, -1) v1 = GetConstEx(en, first, 0, -1) name = GetConstName(v1) constants[int(first)] = [name, en] while True: first = GetNextConst(en, first, -1) v1 = GetConstEx(en, first, 0, -1) name = GetConstName(v1) if first == 0xFFFFFFFF: break constants[int(first)] = [name, en] return constants # Grabbing all enumerations in the IDB and storing to a variable for later use. ALL_CONSTANTS = get_all_enum_constants() def modify_push_to_enum(addr, constants): ''' Convert address to enumeration ''' constant_id = GetOperandValue(addr, 0) if constant_id in constants: enum_id = constants[constant_id] OpEnumEx(addr, 0, enum_id[1], 0) return enum_id[0] else: return None def enum_for_xrefs(f_addr, stack_pos): ''' This function will search for cross-references to a given function. ''' for x in XrefsTo(f_addr, flags=0): curr_addr = x.frm print '[+] Cross-reference discovered at 0x%x' % curr_addr addr_m_30 = curr_addr-30 current_constant = None c = 0 while curr_addr >= addr_m_30: curr_addr = PrevHead(curr_addr) if GetMnem(curr_addr) == "push": c += 1 if c == stack_pos: data = GetOperandValue(curr_addr, 0) if data > 0xFFFF and data < 0xFFFFFFFF: print '[*] Enumeration found: 0x%x' % data enum = modify_push_to_enum(curr_addr, ALL_CONSTANTS) return None def find_pattern(pattern, max_attempt=5): ''' Find a pattern in a binary, and provide any references to said pattern. ''' addr = MinEA() results = [] for x in range(0, max_attempt): addr = idc.FindBinary(addr, SEARCH_DOWN, pattern) if addr != idc.BADADDR: if addr not in results: results.append(addr) return results def find_next_call_address(ea, max_attempt=5): ''' Attempt to find the next call instruction after a particular address. ''' for x in range(0, max_attempt): if GetMnem(ea) == "call": return GetOperandValue(ea,0) ea = NextHead(ea) return None def find_GetProcAddressEx(): ''' Try and find an instance of 'push C8AC8026'. This is a way of identifying the GetProcAddressEx() function within the binary. ''' load_library = find_pattern('68 26 80 AC C8') if load_library: likely_function = find_next_call_address(load_library[0]) print '[+] GetProcAddressEx discovered at 0x%x' % likely_function return likely_function return None def find_GetApiAddr(): ''' Try and find an instance of 'push 1A212962'. This is a way of identifying the GetApiAddr() function within the binary. ''' load_library = find_pattern('68 62 29 21 1A') if load_library: likely_function = find_next_call_address(load_library[0]) print '[+] GetApiAddr discovered at 0x%x' % likely_function return likely_function return None GetProcAddressEx = find_GetProcAddressEx() if GetProcAddressEx: print "[+] Attempting to discover cross-references for GetProcAddressEx" enum_for_xrefs(GetProcAddressEx, 3) GetApiAddr = find_GetApiAddr() if GetApiAddr: print "[+] Attempting to discover cross-references for GetApiAddr" enum_for_xrefs(GetApiAddr, 2)