-
Notifications
You must be signed in to change notification settings - Fork 31
Expand file tree
/
Copy pathIDAScript.py
More file actions
282 lines (219 loc) · 9.89 KB
/
IDAScript.py
File metadata and controls
282 lines (219 loc) · 9.89 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
from idautils import *
from idc import *
import os
#---------------------------------------------------------------------
# Global Variables
ScriptVersion = "1.1.3.0"
#---------------------------------------------------------------------
# Application Variables
# Configuration Registers (From w2i file)
Windbg2IDAVersion = ""
ImageName = ""
ModuleIndex = ""
ModuleBaseAddress = ""
ModuleEndAddress = ""
ModuleVersion = ""
InclueRegistersAsComment = False
ShowBranchTakenOrNot = False
# Holders
CurrentInstruction = ""
CurrentRegisters = ""
ListOfColoredFunctions = []
ListPointersWithColors = [] # For detecting colors that needs to be combined
#---------------------------------------------------------------------
def BlendColors(Color1 , Color2, amount):
tempColor1 = (tuple(int(Color1[i:i+2], 16) for i in (0, 2, 4)))
tempColor2 = (tuple(int(Color2[i:i+2], 16) for i in (0, 2, 4)))
r = ((tempColor1[0] * amount) + tempColor2[0] * (1 - amount));
g = ((tempColor1[1] * amount) + tempColor2[1] * (1 - amount));
b = ((tempColor1[2] * amount) + tempColor2[2] * (1 - amount));
return '%02x%02x%02x' % (r, g, b)
#---------------------------------------------------------------------
def GetBasicBlockID(Graph, StartAddress):
for Block in Graph:
if Block.startEA <= StartAddress and Block.endEA > StartAddress:
return Block.id
#---------------------------------------------------------------------
def GetFunctionBaseAddress(Address):
"""
Address can be any address inside the function.
@return:
- func_t object
- None object if invalid
"""
obj = get_func(Address)
if obj is not None:
return obj.startEA
else:
return 0
#---------------------------------------------------------------------
def ColorBlock(Address, Color):
"""
Colors an entire IDA basic block.
This coloration appears on the graph view
"""
BaseBlockEA = GetFunctionBaseAddress(Address)
Func = get_func(Address)
if Func:
Graph = FlowChart(Func, flags=FC_PREDS)
BlockID = GetBasicBlockID(Graph, Address)
Node = node_info_t()
Node.bg_color = Color
idaapi.set_node_info2(BaseBlockEA, BlockID, Node, idaapi.NIF_BG_COLOR | idaapi.NIF_FRAME_COLOR)
#---------------------------------------------------------------------
def UniqueWithOutChangeOrder(seq):
seen = set()
seen_add = seen.add
return [x for x in seq if not (x in seen or seen_add(x))]
#---------------------------------------------------------------------
def CheckWhetherAddressIsValid(name_or_ea):
"""
Function that accepts a name or an ea and checks if the address is enabled.
If a name is passed then idaapi.get_name_ea() is applied to retrieve the name
@return:
- Returns the resolved EA or
- Raises an exception if the address is not enabled
"""
# a string? try to resolve it
if type(name_or_ea) == types.StringType:
ea = idaapi.get_name_ea(idaapi.BADADDR, name_or_ea)
else:
ea = name_or_ea
# could not resolve name or invalid address?
if ea == idaapi.BADADDR or not idaapi.isEnabled(ea):
print("[*] Address (" + str(hex(name_or_ea)) + ") is invalid, Is it in current module ?!" )
else :
print("[*] Address ("+str(hex(name_or_ea))+") belongs to, Function : " + GetFunctionName(name_or_ea))
ListOfColoredFunctions.append(GetFunctionName(name_or_ea))
return ea
#---------------------------------------------------------------------
def InterpretFile(filePathArg):
global ListPointersWithColors
IsReadingInstructions = False # Detects whether we're in reading instructions state
CurrentColor = 0 # Default Color
with open(filePathArg) as fp:
line = fp.readline()
while line:
if IsReadingInstructions == False :
if "Windbg2IDA Version=" in line:
Windbg2IDAVersion = line.strip().replace("Windbg2IDA Version=","")
print("[*] Current File Windbg 2 IDA Version : " + Windbg2IDAVersion)
elif "Image Name=" in line:
ImageName = line.strip().replace("Image Name=","")
print("[*] Image Name : " + ImageName)
elif "Module Index=" in line:
ModuleIndex = line.strip().replace("Module Index=","")
print("[*] Module Index : " + ModuleIndex)
elif "Module Base Address=" in line:
ModuleBaseAddress = int(line.strip().replace("Module Base Address=","") ,16)
print("[*] Module Base Address : " + str(hex(ModuleBaseAddress)))
elif "Module End Address=" in line:
ModuleEndAddress = int(line.strip().replace("Module End Address=","") ,16)
print("[*] Module End Address : " + str(hex(ModuleEndAddress)))
elif "Module Version=" in line:
ModuleVersion = line.strip().replace("Module Version=","")
print("[*] Module Version : " + ModuleVersion)
elif "InclueRegistersAsComment=" in line:
if line.strip().replace("InclueRegistersAsComment=","") == "true" :
InclueRegistersAsComment = True
else:
InclueRegistersAsComment = False
elif "ShowBranchTakenOrNot=" in line:
if line.strip().replace("ShowBranchTakenOrNot=","") == "true" :
ShowBranchTakenOrNot = True
else:
ShowBranchTakenOrNot = False
elif "Color=" in line:
CurrentColor = int(line.strip().replace("Color=",""))
# Convert it to somehow little endian which IDA understands :(
TempHex = str(hex(CurrentColor).replace("0x",""))
lengthOfTemp = 6 - len(TempHex)
TempHex = lengthOfTemp * "0" + TempHex
TempHex = TempHex[4:6] + TempHex[2:4] + TempHex[0:2]
CurrentColor = int(TempHex , 16)
print("[*] Color : " + str(hex(CurrentColor)))
elif "Instructions=" in line:
IsReadingInstructions = True
print("[*] Start Reading Instructions ...")
else :
# Reading Lines of Instruction and Registers
# Detect end of file
if "<EOF>" in line :
line = fp.readline()
continue
if InclueRegistersAsComment:
CurrentRegisters = line.replace("\n","")
CurrentInstruction = fp.readline()
else :
CurrentInstruction = line
if ShowBranchTakenOrNot and InclueRegistersAsComment :
# Check if Branch is taken or not
if "[br=0]" in CurrentInstruction :
CurrentRegisters = "[Branch is not taken] "+ CurrentRegisters
if "[br=1]" in CurrentInstruction :
CurrentRegisters = "[Branch is taken] "+ CurrentRegisters
# Interpret Instructions and Registers
CurrentPointer = CurrentInstruction.split(" ")[0].replace("`","")
CurrentIndexFromModuleBase = int(CurrentPointer , 16) - ModuleBaseAddress
# Computer where to set color
ColorPointer = idaapi.get_imagebase() + CurrentIndexFromModuleBase
print("[*] Setting color to : " + str(hex(ColorPointer)))
#============================================================================
# Detecting color combinations
UseNewColor = False
NewColor = " "
# PreviousColors = [item for item in ListPointersWithColors if item[0] == ColorPointer and item[1] == CurrentColor]
PreviousColors = [item for item in ListPointersWithColors if item[0] == ColorPointer]
for item in PreviousColors :
print("[*] Previsously this pointer has the following color : " + str(item) + ", let's combine it with another color.")
UseNewColor = True
# Check for combination of more than two colors
if NewColor == " " :
NewColor = BlendColors(str(item[1]), str(hex(CurrentColor)).replace("0x","") ,0.5)
else :
NewColor = BlendColors(NewColor, str(hex(CurrentColor)).replace("0x","") ,0.5)
print("[*] Previous color : "+str(hex(CurrentColor))+", New color : 0x" + NewColor)
# Add it to list with orginal color
ListPointersWithColors.append(tuple([ColorPointer,(CurrentColor)]))
#============================================================================
# Check Whether Address Is Valid
CheckWhetherAddressIsValid(ColorPointer)
if UseNewColor:
SetColor(ColorPointer, CIC_ITEM, int(NewColor,16))
ColorBlock(ColorPointer, int(NewColor, 16))
else:
SetColor(ColorPointer, CIC_ITEM, CurrentColor)
ColorBlock(ColorPointer, CurrentColor)
if InclueRegistersAsComment:
if "[gotonewline]" in CurrentRegisters:
MakeRptCmt(ColorPointer, CurrentRegisters.split("[gotonewline]")[0] + "\n" + CurrentRegisters.split("[gotonewline]")[1])
else :
MakeRptCmt(ColorPointer, CurrentRegisters)
line = fp.readline()
#---------------------------------------------------------------------
print("[*] IDAScript interpreter for Windbg2IDA files.")
print("[*] Script Version :" + ScriptVersion)
print("[*] Written by Sina Karvandi")
print("===================================================")
# Interpret File
FolderOfw2iFiles = os.path.dirname(os.path.realpath(__file__)) + "\\w2i Files"
IsFileFound = False
for file in os.listdir(FolderOfw2iFiles):
#if file.endswith(".w2i"):
filePath = os.path.join(FolderOfw2iFiles, file)
print("[*] Interpreting file :" + filePath)
InterpretFile(filePath)
IsFileFound = True
if IsFileFound == False:
print("[*] No file found !")
print("[*] Please make sure you copy .w2i files into the : " + FolderOfw2iFiles)
# Show list of functions that colors applied to
print("===================================================")
print("Changes applied to these function(s) : ")
# Unique them
ListOfColoredFunctions = UniqueWithOutChangeOrder(ListOfColoredFunctions)
for item in ListOfColoredFunctions:
print("\t" + item)
print("===================================================")
print("Happy Reverse Engineering ;)")
print("===================================================")