我们从Python开源项目中,提取了以下9个代码示例,用于说明如何使用idautils.CodeRefsTo()。
def get_func_code_refs_to(func_ea):
    """Collect the code cross-references that target ``func_ea``.

    Returns a set of ``(xref_ea, caller_start_ea)`` tuples: the address of
    each referencing instruction paired with the start address of the
    function that contains it.
    """
    callers = set()
    # flow=0: ask only for explicit code references (calls/jumps), not the
    # ordinary fall-through edge from the preceding instruction.
    for xref_ea in idautils.CodeRefsTo(func_ea, 0):
        owner = idaapi.get_func(xref_ea)
        if owner:
            callers.add((xref_ea, owner.startEA))
        # A reference from code that is not part of any function is dropped
        # without a message, so the result can under-report callers in a
        # partially analysed or obfuscated database.
    return callers
def _ApdComm(self, ea, id):
    """Append the index marker for entry ``id`` to the comment at ``ea``.

    The marker is built from ``self._commMarker``, the entry's index (taken
    as-is in global mode, or relative to the first index recorded for the
    start of the containing function otherwise), a ``_g``/``_L`` tag and the
    entry's second field with surrounding braces stripped. Any existing
    comment is kept and the marker is added on a new line.
    """
    entry = self._dbDict[ea]
    idx = entry._idx_list[id][0]
    if self._global == 1:
        scope_tag = '_g'
    else:
        # Local mode: rebase on the first index stored for the function start.
        # NOTE(review): idaapi.get_func(ea) is dereferenced unchecked here and
        # below; presumably ea is always inside a function - confirm.
        idx = idx - self._dbDict[idaapi.get_func(ea).startEA]._idx_list[0][0]
        scope_tag = '_L'
    idx_comment = entry._idx_list[id][1]
    comm = self._commMarker + str(idx) + scope_tag + ' ' + str(idx_comment).strip('{}')

    # The comment is stringified, so the literal 'None' is what the checks
    # below compare against (presumably the "no comment yet" case).
    oldComm = str(idc.GetCommentEx(ea, 0))

    # Start the marker on its own line when ea has at least one incoming code
    # reference, is not the function's first instruction and the stringified
    # comment is 'None'.
    is_referenced = any(xref != [] for xref in idautils.CodeRefsTo(ea, 0))
    if is_referenced and ea != idaapi.get_func(ea).startEA and oldComm == 'None':
        comm = '\n' + comm

    if oldComm != 'None':
        comm = oldComm + '\n' + comm
    idc.MakeComm(ea, str(comm))
    entry._shown = True
    return
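def highlight_anti_debug_api_calls():
    """Log imported debugger-detection APIs and the addresses that reference them.

    The import table is collected through ``get_imports`` into a mapping of
    import name -> list of code-reference addresses. Every import whose name
    is on the watch list is logged, followed by its reference addresses when
    there are any.

    Names are also compared with a trailing ``A``/``W`` removed, because
    Win32 string APIs such as ``OutputDebugString`` are exported as
    ``OutputDebugStringA`` / ``OutputDebugStringW`` and an exact comparison
    never matches them.

    A quiet log only means none of these names appear in the import table;
    it is not evidence that the sample performs no debugger checks.
    """
    anti_debug_apis = frozenset([
        "IsDebuggerPresent",
        "CheckRemoteDebuggerPresent",
        "NtQueryInformationProcess",
        "OutputDebugString",
    ])
    library_calls = {}  # api_name -> CodeRefsTo
    get_imports(library_calls)
    # .items() behaves the same on Python 2 and 3 for a plain dict.
    for api_name, codeRefsTo in library_calls.items():
        if not api_name:
            # An entry without a usable name cannot match the watch list.
            continue
        # Drop the ANSI/wide suffix so both variants of a string API match.
        base_name = api_name[:-1] if api_name[-1] in ("A", "W") else api_name
        if api_name not in anti_debug_apis and base_name not in anti_debug_apis:
            continue
        logger.info("Potential Anti-Debug call %s imported", api_name)
        if codeRefsTo:
            logger.info(
                " - %s called at %s",
                api_name,
                ", ".join("0x%x" % x for x in codeRefsTo),
            )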
def make_import_names_callback(library_calls):
    """Build the per-import callback handed to idaapi.enum_import_names().

    ``library_calls`` is filled in place by the returned callback: each
    import name becomes a key whose value is the list of code-reference
    addresses for that import.
    """
    def callback(ea, name, ordinal):
        """Record every code reference to the import located at ``ea``."""
        # Install the (empty) list first so the name is present even when
        # the import is never referenced from code.
        refs = library_calls[name] = []
        # flow=0: explicit code references only, no fall-through edge.
        refs.extend(idautils.CodeRefsTo(ea, 0))
        # Returning True asks the enumeration to continue with the next import.
        return True
    return callback
def get_coderefs(self):
    """Return a generator of IdaLocation objects, one per code reference to ``self.at``."""
    # flow=0: explicit code references only, no fall-through edge.
    # The cross-reference query is issued here, at call time; only the
    # wrapping in IdaLocation is deferred until the generator is consumed.
    sources = idautils.CodeRefsTo(self.at, 0)
    return (IdaLocation(src) for src in sources)
def propagate_dead_code(self, ea, op_map):
    """Colour ``ea`` and recurse into its code successors.

    The predecessors of ``ea`` (ordinary flow included) are filtered down to
    those that are not yet in ``self.marked_addresses`` and for which
    ``self.dead_br_of_op(ea, pred, op_map)`` is false. When that filtered
    list is non-empty, ``ea`` is coloured, recorded in
    ``self.marked_addresses`` and every code successor is visited the same
    way.
    """
    remaining_preds = [
        pred
        for pred in idautils.CodeRefsTo(ea, True)
        if pred not in self.marked_addresses
        and not self.dead_br_of_op(ea, pred, op_map)
    ]
    # NOTE(review): the original inline comment on this test read "IF there
    # is no legit predecessors", yet the marking below runs when the list is
    # NON-empty. Confirm against dead_br_of_op() which polarity is intended
    # before relying on the colouring as a dead-code verdict.
    if not remaining_preds:
        return

    idc.SetColor(ea, idc.CIC_ITEM, 0x0000ff)
    # Recording ea before recursing is what filters it out of the
    # predecessor list of the addresses visited next.
    self.marked_addresses[ea] = None
    for succ in list(idautils.CodeRefsFrom(ea, True)):
        self.propagate_dead_code(succ, op_map)
def safe_path_to(self, addr):
    """Return the tail of ``self.full_path_to(addr)`` that starts at the last cut point.

    A cut point is an address with more than one code predecessor (ordinary
    flow included), or the position just after an instruction whose
    disassembly text starts with ``call``. The last cut point found wins;
    when there is none the full path is returned unchanged.
    """
    path = self.full_path_to(addr)  # Start from the full path
    cut = -1
    for pos, ea in enumerate(path):
        pred_count = len(list(idautils.CodeRefsTo(ea, True)))
        if pred_count > 1:
            cut = pos
        elif idc.GetDisasm(ea).startswith("call"):
            cut = pos + 1
    # Debug trace of the chosen index, kept from the original.
    print(cut)
    return path if cut == -1 else path[cut:]
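def DecryptString0(addrDecryptFunction):
    """Decrypt the strings passed to the routine at ``addrDecryptFunction`` and annotate the IDB.

    For every code reference to the routine, the destination and source
    pointers are recovered with ``GetDecryptString0Parameters``, the
    encrypted bytes are read from the database, decrypted with
    ``DecryptString0Algo(..., 0xFE)`` and the result is written back as a
    repeatable comment, as names for both buffers and as patched bytes in
    the destination buffer.

    The manual byte scan is capped: a source with no terminating zero byte
    would otherwise keep the script spinning inside IDA until interrupted.
    Such a call site is reported and skipped.

    NOTE(review): the decrypted text is patched over the bytes at the
    destination with no check against the size of that buffer, so a long
    result overwrites whatever follows it in the database. Run this on a
    copy of the IDB.
    """
    # Upper bound for the byte-by-byte fallback read of the encrypted buffer.
    max_scan = 0x1000

    print("[+]DecryptString0")
    # flow=1 also yields an ordinary-flow predecessor of the routine's entry,
    # if one exists, in addition to explicit call/jump references.
    for call in idautils.CodeRefsTo(addrDecryptFunction, 1):
        print("[+]Call at 0x%08X %s" % (call, idc.GetFunctionName(call)))
        pDecrypted, pEncrypted = GetDecryptString0Parameters(call)
        print("[+]Parameters: 0x%08X 0x%08X" % (pDecrypted, pEncrypted))

        szEncryptedString = idc.GetString(pEncrypted)
        if szEncryptedString is None:
            # GetString gave nothing back (the original handles one-byte
            # "empty" strings here): read raw bytes up to and including the
            # terminating zero.
            raw = []
            terminated = False
            for idx in range(max_scan):
                byte = idc.Byte(pEncrypted + idx)
                raw.append(chr(byte))
                if byte == 0:
                    terminated = True
                    break
            if not terminated:
                print("[!]No terminator within 0x%X bytes at 0x%08X, skipping" % (max_scan, pEncrypted))
                print("")
                continue
            szEncryptedString = "".join(raw)

        szDecryptedString = DecryptString0Algo(szEncryptedString, 0xFE)
        print("[+]Dec: \"%s\"" % szDecryptedString)
        print("")

        # Rename and add comments
        idc.MakeRptCmt(pEncrypted, szDecryptedString)
        idc.MakeNameEx(pEncrypted, "crypt" + szDecryptedString, SN_NOCHECK | SN_NOWARN)
        idc.MakeNameEx(pDecrypted, "" + szDecryptedString, SN_NOCHECK | SN_NOWARN)

        # Patch the decrypted buffer, terminate it and define it as a string
        end = pDecrypted + len(szDecryptedString)
        for offset, c in enumerate(szDecryptedString):
            idc.PatchByte(pDecrypted + offset, ord(c))
        idc.PatchByte(end, 0)
        idc.MakeStr(pDecrypted, end)
        print("")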
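def DecryptStackStrings(addrDecryptFunction):
    """Recover stack strings by emulating the code in front of each call to the decrypt routine.

    For every code reference to ``addrDecryptFunction`` the destination
    buffer and length are resolved, the emulation window is computed, the
    module-level emulator ``emu`` is prepared and run over that window, and a
    non-empty result is stored as a repeatable comment at the call site.
    When the destination is an address (neither 0 nor -1) it is also named,
    patched with the decrypted bytes and defined as a string.

    Emulation failures are reported per call site and do not stop the batch.
    Only ``Exception`` is caught: a bare ``except`` would also swallow
    KeyboardInterrupt/SystemExit, leaving no way to stop a run that
    misbehaves on a hostile sample.

    NOTE(review): the decrypted text is patched over the bytes at the
    destination with no check against the size of that buffer. Run this on
    a copy of the IDB.
    """
    global emu
    print("[+]DecryptStackStrings")
    # flow=1 also yields an ordinary-flow predecessor of the routine's entry,
    # if one exists, in addition to explicit call/jump references.
    for call in idautils.CodeRefsTo(addrDecryptFunction, 1):
        print("[+]Call at 0x%08X %s" % (call, idc.GetFunctionName(call)))

        # Resolve parameters
        # Param1. DestBuffer
        # Param2. Length
        # Param3. StackStringEncrypted
        destBuffer, length = GetDecryptString1Parameters(call)
        print("[+]Params dest = 0x%08X len = 0x%08X" % (destBuffer, length))

        # Get emulation boundaries
        emulStart, emulEnd = GetDecryptString1EmulationBoundaries(call, length)
        print("[+]Start 0x%08X, End 0x%08X" % (emulStart, emulEnd))

        # Init registers
        PrepareEmuRegister(emu, emulStart)

        # Try to emulate and update the IDA database
        try:
            szDecryptedString = Emulate(emu, emulStart, emulEnd)

            # Only a non-empty result is written back
            if 0 < len(szDecryptedString):
                print("[+]Decrypted: \"%s\" at 0x%08X" % (szDecryptedString, call))
                idc.MakeRptCmt(call, szDecryptedString)

                # If DestBuffer is an address and not a register,
                # name it and patch the IDB
                if destBuffer != 0 and destBuffer != -1:
                    idc.MakeNameEx(destBuffer, "" + szDecryptedString, SN_NOCHECK)
                    end = destBuffer + len(szDecryptedString)
                    for offset, c in enumerate(szDecryptedString):
                        idc.PatchByte(destBuffer + offset, ord(c))
                    idc.PatchByte(end, 0)
                    idc.MakeStr(destBuffer, end)
        except Exception as e:
            print("[+]EmulStart = 0x%08X, EmulEnd = 0x%08X" % (emulStart, emulEnd))
            emu.dump_regs()
            # Report the exception type together with its message.
            print("%s: %s" % (type(e).__name__, e))
        print("")


#Performs the Emulation and Returns the Dumped String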