翻 Hex-Rays 文档时发现了一个好玩的新功能，差不多 8 月份发布的，还挺新。
ida domain — “一个对初学者友好的开源 Domain API,简化了脚本编写和插件开发,使其以前所未有的方式变得易于上手——以 Pythonic 的方式。”
ida domain 兼容现有的 idc 和 idapython api
macOS环境配置
在test.py文件中写入
当然,也可以直接在 IDA 控制台或 IpyDA 里写
IDA Domain API 有以下常用对象实体
比老的 idapython api 结构清晰多了,看着就舒服
ida 会把反编译器分析的信息都保存到 idb 中,在 ida_domain 中把 idb 作为入口对象来操作
在 IDA 中按 G 跳转到 0x1be23c，正是 JNI_OnLoad()。

可以通过一个经典的获取函数对象的方法看到 api 设计思路上的差别
如果使用 idapython，那你必须熟悉 idapython 的结构，以及哪些模块里存了哪些函数，想用什么功能得进源码里一顿找；ida_domain 把相关 api 通过实例对象组装到一起，极大地降低了学习成本。
之前访问 microcode 和 ctree 要遍历整个结构树才能拿到，借助 ida_domain 可以轻松获取，非常 nice。
值得一提，在 idapython 中对 ui 事件、反编译事件等的 hook 分散在不同的模块中，而 ida_domain 聚合了大部分的事件 hook。
通过反编译钩子 DecompilerHooks 看一下 ida反编译的内部执行流程
可惜 ida_domain 暂时还没有能直接操作微码的api,不过可以和 idapython 的 API 结合着用,总之未来可期
[+] ida内部反编译流程,ctree和microcode
cd5K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2W2L8r3q4K6N6r3W2U0i4K6u0W2j5$3!0Q4x3V1k6K6k6h3y4#2M7X3W2@1P5g2)9J5k6r3I4S2j5Y4y4Q4x3V1k6A6L8Y4c8J5L8$3c8#2j5%4c8A6L8$3&6Q4x3X3c8@1L8#2)9J5k6r3S2W2P5s2u0S2P5i4y4Q4x3X3c8V1k6h3y4G2L8i4m8A6L8r3q4@1K9h3!0F1i4K6u0V1K9h3&6@1k6i4u0F1j5h3I4K6
[+] ida_domain Hexray官方教程
f15K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6A6k6r3q4Q4x3X3c8V1L8$3#2S2K9h3&6Q4x3X3g2V1L8$3y4K6i4K6u0W2K9r3g2^5i4K6u0V1M7X3q4&6M7#2)9J5k6h3y4G2L8g2)9J5c8X3N6W2N6s2c8A6L8X3N6Q4y4h3k6K6N6r3q4J5N6r3g2V1i4K6u0r3i4K6t1K6M7%4c8W2M7q4)9J5k6o6y4Q4x3X3c8$3k6i4u0A6k6Y4W2Q4x3X3c8A6L8Y4y4@1j5h3I4D9j5i4c8A6L8$3^5`.
[+] ida_domain github 源码
571K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6t1k6i4S2d9j5i4W2K6f1@1q4Q4x3V1k6A6k6r3q4Q4x3X3c8V1L8$3#2S2K9h3^5`.
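# macOS setup for ida-domain.
# ida-domain locates the IDA installation through IDADIR; IDA 9.2 is
# recommended so microcode can be viewed directly. The path contains spaces,
# so the value must stay quoted.
nano ~/.zshrc
# Add this line to ~/.zshrc, then save with ^X and confirm with Enter:
export IDADIR="/Applications/IDA Professional 9.2.app/Contents/MacOS/"
# Verify (in a new shell, or after `source ~/.zshrc`, since the edit does
# not affect the shell that is already open):
echo "$IDADIR"
# Create and activate a clean virtual environment *before* installing, so
# the package lands in ida-env rather than in whatever `pip` is first on PATH.
python -m venv ida-env
source ida-env/bin/activate
# Consider pinning the version (pip install "ida-domain==<version>") once you
# know which release you tested against, so later installs are reproducible.
pip install ida-domain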
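# macOS setup for ida-domain.
# ida-domain locates the IDA installation through IDADIR; IDA 9.2 is
# recommended so microcode can be viewed directly. The path contains spaces,
# so the value must stay quoted.
nano ~/.zshrc
# Add this line to ~/.zshrc, then save with ^X and confirm with Enter:
export IDADIR="/Applications/IDA Professional 9.2.app/Contents/MacOS/"
# Verify (in a new shell, or after `source ~/.zshrc`, since the edit does
# not affect the shell that is already open):
echo "$IDADIR"
# Create and activate a clean virtual environment *before* installing, so
# the package lands in ida-env rather than in whatever `pip` is first on PATH.
python -m venv ida-env
source ida-env/bin/activate
# Consider pinning the version (pip install "ida-domain==<version>") once you
# know which release you tested against, so later installs are reproducible.
pip install ida-domain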
"""Smoke test (test.py): confirm that the ida-domain package can be imported."""
try:
    # Imported only to probe that the package resolves; the name is unused.
    from ida_domain import Database  # noqa: F401
except ImportError as e:
    print(f"✗ Installation failed: {e}")
else:
    print("✓ Installation successful!")
//python test.py
>>> ✓ Installation successful!
"""Smoke test (test.py): confirm that the ida-domain package can be imported."""
try:
    # Imported only to probe that the package resolves; the name is unused.
    from ida_domain import Database  # noqa: F401
except ImportError as e:
    print(f"✗ Installation failed: {e}")
else:
    print("✓ Installation successful!")
//python test.py
>>> ✓ Installation successful!
"""Print the address of the first entry point recorded in the database."""
import ida_domain

# The Database object is the entry point of the Domain API: everything the
# decompiler stored in the idb is reached through it.
db = ida_domain.Database()
first_entry = db.entries[0]  # raises IndexError if the idb records no entries
print(f' Entry point: {hex(first_entry.address)}')
>>> Entry point: 0x1be23c
"""Print the address of the first entry point recorded in the database."""
import ida_domain

# The Database object is the entry point of the Domain API: everything the
# decompiler stored in the idb is reached through it.
db = ida_domain.Database()
first_entry = db.entries[0]  # raises IndexError if the idb records no entries
print(f' Entry point: {hex(first_entry.address)}')
>>> Entry point: 0x1be23c
# Domain API: fetch the function containing the address, then ask the same
# `functions` collection for its disassembly. Requires `db` from the snippet
# above. The return value is only shown when run in a REPL.
target_ea = 0x1DE5C4
func = db.functions.get_at(target_ea)
db.functions.get_disassembly(func)
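"""The same listing done the classic idapython way, for comparison."""
# Explicit imports so the snippet also runs outside the IDA console, where
# idaapi/idc are not pre-imported.
import idaapi
import idautils
import idc

target_ea = 0x1DE5C4  # single definition of the address used three times below
func = idaapi.get_func(target_ea)
# Walk the item addresses of the function and print each disassembled line.
dism_addr = list(idautils.FuncItems(target_ea))
for line in dism_addr:
    print(f"0x{line:x} {idc.generate_disasm_line(line, 0)}")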
# Domain API: fetch the function containing the address, then ask the same
# `functions` collection for its disassembly. Requires `db` from the snippet
# above. The return value is only shown when run in a REPL.
target_ea = 0x1DE5C4
func = db.functions.get_at(target_ea)
db.functions.get_disassembly(func)
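"""The same listing done the classic idapython way, for comparison."""
# Explicit imports so the snippet also runs outside the IDA console, where
# idaapi/idc are not pre-imported.
import idaapi
import idautils
import idc

target_ea = 0x1DE5C4  # single definition of the address used three times below
func = idaapi.get_func(target_ea)
# Walk the item addresses of the function and print each disassembled line.
dism_addr = list(idautils.FuncItems(target_ea))
for line in dism_addr:
    print(f"0x{line:x} {idc.generate_disasm_line(line, 0)}")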
# Microcode and pseudocode through the Domain API (requires `db` from above).
# get_microcode / get_pseudocode return values are only echoed in a REPL;
# get_microcode_between returns a list of microcode text lines for the range.
target_ea = 0x1DE5C4
func = db.functions.get_at(target_ea)
db.functions.get_microcode(func)
db.functions.get_pseudocode(func)
mcode = db.bytes.get_microcode_between(0x1DE608, 0x1DE60C)
>>>
['1. 0 mov #0x138.8, t2.8 ; 1DE608 u= d=t2.8',
'1. 1 add x0.8, t2.8, t2.8 ; 1DE608 u=x0.8,t2.8 d=t2.8',
'1. 2 ldx cs.2, t2.8, t1.8 ; 1DE608 u=t2.8,cs.2,(ALLMEM) d=t1.8',
'1. 3 mov t1.8, x19.8 ; 1DE608 u=t1.8 d=x19.8',
'1. 4 goto @2 ; 1DE608 u=']
# Microcode and pseudocode through the Domain API (requires `db` from above).
# get_microcode / get_pseudocode return values are only echoed in a REPL;
# get_microcode_between returns a list of microcode text lines for the range.
target_ea = 0x1DE5C4
func = db.functions.get_at(target_ea)
db.functions.get_microcode(func)
db.functions.get_pseudocode(func)
mcode = db.bytes.get_microcode_between(0x1DE608, 0x1DE60C)
>>>
['1. 0 mov #0x138.8, t2.8 ; 1DE608 u= d=t2.8',
'1. 1 add x0.8, t2.8, t2.8 ; 1DE608 u=x0.8,t2.8 d=t2.8',
'1. 2 ldx cs.2, t2.8, t1.8 ; 1DE608 u=t2.8,cs.2,(ALLMEM) d=t1.8',
'1. 3 mov t1.8, x19.8 ; 1DE608 u=t1.8 d=x19.8',
'1. 4 goto @2 ; 1DE608 u=']
import ida_hexrays,idaapi
from ida_domain import database, hooks
class MyDecompilerHooks(hooks.DecompilerHooks):
    """Trace the Hex-Rays decompiler pipeline by logging each callback.

    Every overridden callback prints its own name and then defers to the
    base implementation, so nothing about decompilation is changed; the
    order of the printed names shows which stages run and in what order.
    Methods are listed in the order they were observed to fire.
    """

    def __init__(self):
        super().__init__()

    def log(self, msg: str = ''):
        """Emit one trace line (kept as a method so output can be redirected)."""
        print(msg)

    def flowchart(self, fc, mba, reachable_blocks, decomp_flags):
        """`flowchart` callback; first stage seen in the trace."""
        self.log("flowchart")
        return super().flowchart(fc, mba, reachable_blocks, decomp_flags)

    def stkpnts(self, mba, *sps):
        """`stkpnts` callback; receives the stack-pointer points as varargs."""
        self.log("stkpnts")
        return super().stkpnts(mba, *sps)

    def prolog(self, mba, fc, reachable_blocks, decomp_flags):
        """`prolog` callback."""
        self.log("prolog")
        return super().prolog(mba, fc, reachable_blocks, decomp_flags)

    def microcode(self, mba_t) -> int:
        """`microcode` callback; fires once the microcode has been generated."""
        self.log("microcode")
        return super().microcode(mba_t)

    def preoptimized(self, mba):
        """`preoptimized` callback."""
        self.log("preoptimized")
        return super().preoptimized(mba)

    def locopt(self, mba):
        """`locopt` callback (local optimisation)."""
        self.log("locopt")
        return super().locopt(mba)

    def prealloc(self, mba):
        """`prealloc` callback; observed to fire repeatedly for one function."""
        self.log("prealloc")
        return super().prealloc(mba)

    def glbopt(self, mba):
        """`glbopt` callback (global optimisation); last stage seen in the trace."""
        self.log("glbopt")
        return super().glbopt(mba)
# Instantiate and install the tracing hooks; they stay active for the IDA
# session until explicitly unhooked.
decomp_hook = MyDecompilerHooks()
decomp_hook.hook()
//然后输入这句,强制ida重新分析这个函数
# Invalidate the cached decompilation of the function so the next F5 re-runs
# the whole pipeline and the hooks above actually fire.
ida_hexrays.mark_cfunc_dirty(0x1DE5C4)
手动f5
>>> flowchart
stkpnts 计算sp指针的移动
prolog
microcode 微码已经生成
preoptimized 下面对应微码的不同成熟度
locopt
prealloc
prealloc
prealloc
prealloc
prealloc
prealloc
glbopt
...
之后生成ctree,伪c代码
import ida_hexrays,idaapi
from ida_domain import database, hooks
class MyDecompilerHooks(hooks.DecompilerHooks):
def __init__(self):