HexraysToolbox
1.0.0
Hexrays Toolbox(HXTB)是一組強大的IDAPYTHON腳本,可用於在二進製文件中查找和定位代碼模式,獨立於其基礎處理器體系結構。
以下動畫說明的查詢是一個示例,說明瞭如何使用十字級工具箱來影響Android的WhatsApp(CVE-2019-3568,Libwhatsapp.so)的漏洞。這是通過使用IDAPYTHON LAMBDA函數定位的所需代碼模式來完成的。找到示例腳本
。
每個目標體系結構需要有效的IDA許可證和有效的十六進制分解器許可證。
使用十六進制工具箱有幾種方法,每個工具箱都具有不同程度的靈活性。
interactive.py ,一個添加便利函數以與IDA命令行接口一起使用的腳本automation.py ,一個在批處理模式下在給定的文件集上處理和運行HXTB查詢的腳本從IDA中執行隨附的hxtb_shell.py腳本,打開了一個可用於開發,加載和運行HXTB查詢的GUI窗口。下面的屏幕截圖顯示了加載HXTB殼的查詢的樣子。
HXTB-Shell還接受HRDEVHELPER插件的上下文查看器創建的Python表達式。它們可以從中復制並直接粘貼到HXTB-Shell GUI中。
可以在HEXRAYS工具箱中包含的hxtbshell_queries子折中找到可以加載HXTB-Shell的其他示例查詢。
使用IDA(ALT-F7)加載hxtb.py可以使IDAPYTHON CLI和腳本解釋器(Shift-F2)均可提供諸如find_expr()和find_item()之類的功能。除其他外,這些功能可用於在當前加載的IDA數據庫上運行查詢。請查看下面顯示的一些示例。
find_item(ea, q)
find_expr(ea, q)
Positional arguments:
ea: address of a valid function within
the current database
q: lambda function
custom lambda function with the following arguments:
1. cfunc: cfunc_t
2. i/e: cinsn_t/cexpr_t
Returns:
list of query_result_t objects
Example:
find_expr(here(), lambda cf, e: e.op is cot_call)
-> finds and returns all function calls within a current function.
The returned data is a list of query_result_t objects (see hxtb.py).
The returned list can be passed to an instance of the ic_t class,
which causes the data to be displayed by a chooser as follows:
from idaapi import *
import hxtb
hxtb.ic_t(find_expr(here(), lambda cf,e:e.op is cot_call))
Please find the cfunc_t, citem_t, cinsn_t and cexpr_t structures
within hexrays.hpp for further help and details.
cot_eq
/
x / y
(anything) cot_num --- n.numval() == 0
from idaapi import *
from hxtb import find_expr
query = lambda cfunc , e : e . op is cot_eq and e . y . op is cot_num and e . y . numval () == 0
r = find_expr ( here (), query )
for e in r :
print ( e ) cot_call
/
x /
cot_obj
from idaapi import *
from hxtb import find_expr
query = lambda cfunc , e : e . op is cot_call and e . x . op is cot_obj
r = find_expr ( here (), query )
for e in r :
print ( e )
cot_call --- arg1 is cot_var
/ arg1 is on stack
x /
cot_obj --- name(obj_ea) == 'memcpy'
from idaapi import *
from hxtb import find_expr
r = []
query = lambda cfunc , e : ( e . op is cot_call and
e . x . op is cot_obj and
get_name ( e . x . obj_ea ) == 'memcpy' and
len ( e . a ) == 3 and
e . a [ 0 ]. op is cot_var and
cfunc . lvars [ e . a [ 0 ]. v . idx ]. is_stk_var ())
for ea in Functions ():
r += find_expr ( ea , query )
for e in r :
print ( e ) cot_call --- arg2 ('fmt') contains '%s'
/
x /
cot_obj --- name(obj_ea) == 'sprintf'
from idaapi import *
from hxtb import find_expr
r = []
query = lambda cfunc , e : ( e . op is cot_call and
e . x . op is cot_obj and
get_name ( e . x . obj_ea ) == 'sprintf' and
len ( e . a ) >= 2 and
e . a [ 1 ]. op is cot_obj and
is_strlit ( get_flags ( get_item_head ( e . a [ 1 ]. obj_ea ))) and
b'%s' in get_strlit_contents ( e . a [ 1 ]. obj_ea , - 1 , 0 , STRCONV_ESCAPE ))
for ea in Functions ():
r += find_expr ( ea , query )
for e in r :
print ( e ) from idaapi import *
from hxtb import ic_t
query = lambda cfunc , e : ( e . op in
[ cot_asgsshr , cot_asgsdiv ,
cot_asgsmod , cot_sge ,
cot_sle , cot_sgt ,
cot_slt , cot_sshr ,
cot_sdiv , cot_smod ])
ic_t ( query )
from idaapi import *
from hxtb import ic_t
ic_t ( lambda cf , i : i . op is cit_if )
from idaapi import *
from hxtb import ic_t , query_db
ic_t ( query_db ( lambda cf , i : is_loop ( i . op )))
from hxtb import ic_t , query_db , find_child_expr
from ida_hexrays import *
find_copy_query = lambda cfunc , i : ( i . op is cot_asg and
i . x . op is cot_ptr and
i . y . op is cot_ptr )
find_loop_query = lambda cfunc , i : ( is_loop ( i . op ) and
find_child_expr ( cfunc , i , find_copy_query ))
ic_t ( query_db ( find_loop_query ))
