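# IDA-side half of an API-resolver annotator for a hash-based import
# resolver: locate every call to the resolver routine, walk backwards to
# the PUSH instructions that set up its arguments, and hand the addresses
# (rebased to the debugged process) to the debugger-side script through
# `__extern__`.  Uses the names IDA injects into the script namespace
# (LocByName, CodeRefsTo, FuncItems, GetMnem, GetOpType, o_imm, idaapi);
# the spelling is the IDA 6.x / pre-7.4 API.

# address of the API resolver routine in the IDB
fn_ea = LocByName("resolve")
# base address in IDB
base = idaapi.get_imagebase()
# base address in the target process; every exported address is shifted
# by (remote - base) so the debugger side can use it without rebasing
remote = 0x00020000
if fn_ea == idaapi.BADADDR:
    # Without the symbol CodeRefsTo() would just return nothing and the
    # script would quietly export an empty list -- say why instead.
    print("WARNING: no function named 'resolve' in the IDB, nothing to do")
    refs = []
else:
    refs = list(CodeRefsTo(fn_ea, 0))
print("found %d refs" % len(refs))
# max number of instructions to walk back from the resolver call while
# looking for the push instructions of its arguments (inclusive)
max_cmd_lookback = 10
# number of arguments the API resolver takes
num_args = 2
# mnemonics that end the backward scan: a PUSH located before an
# intervening call fed *that* call, and a jmp/ret means the straight-line
# path into our call is broken, so anything further back is not ours
_scan_stoppers = ("call", "jmp", "ret", "retn")
# this variable is used for transmitting data to debugger's side
__extern__ = list()

for ref in refs:
    # ref is the address of the instruction referencing the resolver
    # (normally the CALL).  Collect the addresses of all instructions of
    # the function it lives in so we can step backwards from the call.
    items = list(FuncItems(ref))
    try:
        index_of_resolver_call = items.index(ref)
    except ValueError:
        # reference from outside any defined function (data xref, orphan
        # chunk): FuncItems() yielded nothing useful, skip it
        print("Skipping %x: not inside a function" % ref)
        continue
    push_args_list = []
    # move back from the call searching for arguments; the range is
    # inclusive so that max_cmd_lookback instructions really get examined
    for i in range(1, max_cmd_lookback + 1):
        if index_of_resolver_call - i < 0:
            break  # start of function was reached
        cmd_ref = items[index_of_resolver_call - i]
        mnem = GetMnem(cmd_ref)
        if mnem in _scan_stoppers:
            break  # pushes beyond this point belong to another call/path
        # command should be PUSH
        if mnem != "push":
            continue  # take the next command
        # push operand type should be immediate value
        if GetOpType(cmd_ref, 0) != o_imm:
            break  # we can't resolve API in this case
        # NOTE: what is recorded is the (rebased) address of the PUSH
        # instruction, not the pushed immediate -- the debugger side is
        # expected to read the operand itself.  The nearest push is found
        # first, so push_args_list[0] is the last argument pushed, i.e.
        # the first stack slot at the call.
        push_args_list.append(cmd_ref - base + remote)
        if len(push_args_list) == num_args:
            break
    if len(push_args_list) != num_args:
        print("Failed to resolve %x" % ref)
        continue
    __extern__.append({'ref': ref - base + remote,
                       'push_args_list': push_args_list})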