本文介绍了一个用于IDA动态调试的Python脚本示例。该脚本通过设置断点、跟踪函数调用并读取内存内容来辅助调试过程。具体实现了文件创建和读取时的内存内容捕获,并将这些内容保存到指定文件中。
IDA动态调试下断点 还是比较费劲的,写个脚本可能更好一些
import idc
import idaapi
import struct
#idaapi.dbg_write_memory(ea,buf)
idaapi.enable_extlang_python(1)
md={}
add=0
size=0
index=0
cross_refs=0
findname=["MZ","PE"]
for func in findname:
addr=LocByName(func)
if addr!=BADADDR:
cross_refs=CodeRefsTo(addr,0)
print "got it"
for ref in range(cross_refs):
print "%08x"% ref
SetColor(ref,CiC_ITEM,0x0000ff)
def createfile():
global md
#print "code %d \ninput %d" % (GetRegValue("eax") ,GetRegValue("edi"))
ea1=GetRegValue("esp")+4
buf=""
a=idc.Dword(ea1)
#print "s%x\n" % a
for i in range(50):
k=idc.Byte(a+i)
buf=buf+chr(k)
print "filename ___%s_____\n" % buf
#SetRegValue(0x11113333,"edx")
md[ea1]=buf
return 1
print "start"
def readfile():
global add, size,index
index=index+1
if GetRegValue("eip")==0x20095280:
add=Dword(GetRegValue("esp")+8)
size=Dword(GetRegValue("esp")+12)
if GetRegValue("eip")==0x20095338:
b=""
for i in range(size) :
b=b+chr(Byte(add+i))
v="%d" %index
file0=r"c:\hk"+v+"dat"
file1=r"c:\hk"+v+"dat"
f1=open(file0,"wb")
f1.write(b)
f1.close()
f1=open(file1,"w")
f1.write(b)
f1.close()
return 1
ea=0x7c00 #fopen
idc.AddBpt(ea)
idc.SetBptAttr(ea, BPTATTR_FLAGS, GetBptAttr(ea, BPTATTR_FLAGS)&0xfffe)
idc.SetBptCnd(ea, 'createfile()')
ea=0x20001000 #fopen
idc.AddBpt(ea)
idc.SetBptAttr(ea, BPTATTR_FLAGS, GetBptAttr(ea, BPTATTR_FLAGS)&0xfffe)
idc.SetBptCnd(ea, 'createfile()')
ea=0x20095960 #fopen
idc.AddBpt(ea)
idc.SetBptAttr(ea, BPTATTR_FLAGS, GetBptAttr(ea, BPTATTR_FLAGS)&0xfffe)
idc.SetBptCnd(ea, 'createfile()')
ea=0x20095280 #fopen
idc.AddBpt(ea)
idc.SetBptAttr(ea, BPTATTR_FLAGS, GetBptAttr(ea, BPTATTR_FLAGS)&0xfffe)
idc.SetBptCnd(ea, 'readfile()')
ea=0x20095338 #fopen
idc.AddBpt(ea)
idc.SetBptAttr(ea, BPTATTR_FLAGS, GetBptAttr(ea, BPTATTR_FLAGS)&0xfffe)
idc.SetBptCnd(ea, 'readfile()')
print "end"
import idc
import idaapi
import struct
#idaapi.dbg_write_memory(ea,buf)
idaapi.enable_extlang_python(1)
md={}
add=0
size=0
index=0
cross_refs=0
findname=["MZ","PE"]
for func in findname:
addr=LocByName(func)
if addr!=BADADDR:
cross_refs=CodeRefsTo(addr,0)
print "got it"
for ref in range(cross_refs):
print "%08x"% ref
SetColor(ref,CiC_ITEM,0x0000ff)
def createfile():
global md
#print "code %d \ninput %d" % (GetRegValue("eax") ,GetRegValue("edi"))
ea1=GetRegValue("esp")+4
buf=""
a=idc.Dword(ea1)
#print "s%x\n" % a
for i in range(50):
k=idc.Byte(a+i)
buf=buf+chr(k)
print "filename ___%s_____\n" % buf
#SetRegValue(0x11113333,"edx")
md[ea1]=buf
return 1
print "start"
def readfile():
global add, size,index
index=index+1
if GetRegValue("eip")==0x20095280:
add=Dword(GetRegValue("esp")+8)
size=Dword(GetRegValue("esp")+12)
if GetRegValue("eip")==0x20095338:
b=""
for i in range(size) :
b=b+chr(Byte(add+i))
v="%d" %index
file0=r"c:\hk"+v+"dat"
file1=r"c:\hk"+v+"dat"
f1=open(file0,"wb")
f1.write(b)
f1.close()
f1=open(file1,"w")
f1.write(b)
f1.close()
return 1
ea=0x7c00 #fopen
idc.AddBpt(ea)
idc.SetBptAttr(ea, BPTATTR_FLAGS, GetBptAttr(ea, BPTATTR_FLAGS)&0xfffe)
idc.SetBptCnd(ea, 'createfile()')
ea=0x20001000 #fopen
idc.AddBpt(ea)
idc.SetBptAttr(ea, BPTATTR_FLAGS, GetBptAttr(ea, BPTATTR_FLAGS)&0xfffe)
idc.SetBptCnd(ea, 'createfile()')
ea=0x20095960 #fopen
idc.AddBpt(ea)
idc.SetBptAttr(ea, BPTATTR_FLAGS, GetBptAttr(ea, BPTATTR_FLAGS)&0xfffe)
idc.SetBptCnd(ea, 'createfile()')
ea=0x20095280 #fopen
idc.AddBpt(ea)
idc.SetBptAttr(ea, BPTATTR_FLAGS, GetBptAttr(ea, BPTATTR_FLAGS)&0xfffe)
idc.SetBptCnd(ea, 'readfile()')
ea=0x20095338 #fopen
idc.AddBpt(ea)
idc.SetBptAttr(ea, BPTATTR_FLAGS, GetBptAttr(ea, BPTATTR_FLAGS)&0xfffe)
idc.SetBptCnd(ea, 'readfile()')
print "end"
扫一扫
599
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
