我们从Python开源项目中,提取了以下9个代码示例,用于说明如何使用idautils.XrefsTo()。
def get_import_thunk(import_addr): ''' find import thunk for the given import pointer. this is a function that simply jumps to the external implementation of the routine. Args: import_addr (int): address of import table pointer. Returns: int: address of function thunk. Raises: ValueError: when the thunk does not exist. ''' for xref in idautils.XrefsTo(import_addr): if xref.type != 3: # XrefTypeName(3) == 'Data_Read' continue if idc.GetMnem(xref.frm) != 'jmp': continue return xref.frm raise ValueError('thunk does not exist')
def _refs_to_tablegroup(self): from itertools import chain if self.tablegroup is None: return [] candidates = [] # For now just use the first table array primary_table = self.tablegroup.primary_table() # When debug symbols are present, the decompile will usually # refer to the function table as an offset from the start # of the vtable, so also allow references to that. references = chain(idautils.XrefsTo(primary_table.address_point), idautils.XrefsTo(self.tablegroup.ea)) for ref in references: start = as_signed(idc.GetFunctionAttr(ref.frm, idc.FUNCATTR_START), TARGET_ADDRESS_SIZE) if start == -1: continue candidates.append(start) return candidates
def get_xrefs_to(functions): candidate_functions = {} for fva in functions: candidate_functions[fva] = len(list(idautils.XrefsTo(fva))) return candidate_functions
def make_islands_xrefs_force_bl_call(ea, verbose=True): """ makes all BL references to a branch islands as call """ segname = idc.SegName(ea) if verbose: print "[+] forcing bl call on: %s [0x%X]" % (segname, ea) if "branch_islands" in segname: idc.SetFunctionFlags(ea, idc.GetFunctionFlags(ea) & (0xffffffff - 1)) for x in idautils.XrefsTo(ea): make_islands_xrefs_force_bl_call(x.frm) return idc.ArmForceBLCall(ea)
def get_xrefs(self): return (IdaLocation(x.frm) for x in idautils.XrefsTo(self.at))
def get_callers(ea,maxlen=None): ''' Walk through the callers recursively starting at address ea. maxlen is the maximum number of node the graph can contain. Return a dictionary of list of caller addresses. Return empty dictionary when number of node > maxlen. ''' xtree = {} visited = [] towalk = [ea] while towalk: curr = towalk.pop() if curr not in xtree: # the start point also will record in the tree xtree[curr] = [] if curr not in visited: visited.append(curr) for x in idautils.XrefsTo(curr): caller = idaapi.get_func(x.frm) if caller: caller = caller.startEA if caller not in visited: towalk.append(caller) # else: #not very clear, if this is not a function, still record it?? # caller = x.frm # xtree[caller] = [] xtree[curr].append(caller) if maxlen and len(tree) > maxlen: return {} return xtree
def eFunc(self, address=None, retAddr=None, args=[]): if address == None: address = here() func = get_func(address) if retAddr == None: refs = [ref.frm for ref in XrefsTo(func.startEA, 0)] if len(refs) != 0: retAddr = refs[0] + ItemSize(refs[0]) else: print("Please offer the return address.") return self._emulate(func.startEA, retAddr, args) res = self.curUC.reg_read(self.REG_RES) return res
def _feature_returnpoints(self, f_ea): ''' Number of 'ret' within the function rets = [addr1, addr2. ...] prior feature: Null ''' # rets = [] # for ea in idautils.FuncItems(f_ea): # if idaapi.is_ret_insn(ea): # rets.append(ea) # self.ftable["returnpoints"] = rets DEBUG_PRINT("in returnpoints") fun = idaapi.get_func(f_ea) visited = [] retVal = [] for ret in self.ftable["returnpoints"]: towalk = [ret] # print 'towalk',towalk while towalk: curr = towalk.pop() # print 'curr',curr if curr not in range(fun.startEA,fun.endEA+2): # the start point also will record int the tree # print 'not in range' continue # print '1', hex(curr) if curr not in visited: visited.append(curr) inst = GetInstruction(curr) # print '2', inst if inst is None: continue elif 'eax' in inst: # print ret, curr, inst retVal.append((ret,curr,inst)) continue for xto in idautils.XrefsTo(curr, 0): DEBUG_PRINT('xto') if xto.frm not in visited: DEBUG_PRINT(xto.frm) towalk.append(xto.frm) DEBUG_PRINT(retVal) return len(self.ftable["returnpoints"]), retVal
def __init__(self, ea): #: The address of the start of this vtable self.ea = ea ea, offset_to_top = get_address(ea) #: The offset to the top of the object for a subobject with this vtable self.offset_to_top = as_signed(offset_to_top, TARGET_ADDRESS_SIZE) # Arbitrary bounds for offset size if self.offset_to_top < -0xFFFFFF or self.offset_to_top > 0xFFFFFF: raise ValueError("Invalid table address `0x{:02x}`".format(self.ea)) ea, typeinfo = get_address(ea) #: Handle to the RTTI object associated with this vtable (if any) self.typeinfo = None if typeinfo != 0: if not in_same_segment(typeinfo, self.ea): raise ValueError("Invalid table address `0x{:02x}`".format(self.ea)) else: self.typeinfo = ItaniumTypeInfo(typeinfo) #: A list of function addresses in this vtable (some may be NULL) self.functions = [] #: The address of the start of the function array self.address_point = ea try: next(idautils.XrefsTo(self.address_point)) except StopIteration: raise ValueError("Invalid table address `0x{:02x}`".format(self.ea)) while True: ea, func = get_address(ea) # The first few function pointers can be 0 if not is_in_executable_segment(func): if func == 0 and all([f == 0 for f in self.functions]): pass else: break self.functions.append(func) # Because the first two functions can be zero, and the RTTI # pointer and base offset can also be zero, require at least # one function to not be zero (so blocks of zero don't match). if all([f == 0 for f in self.functions]): raise ValueError("Invalid table address `0x{:02x}`".format(self.ea)) #: The size in bytes of this vtable self.size = TARGET_ADDRESS_SIZE*(len(self.functions) + 2)
