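# IDAPython helper for binaries that resolve their imports at run time through
# a single "resolve" routine: for every call into that routine, record the
# rebased address of the call and of the PUSH instructions that supply its
# immediate arguments, so a debugger-side script can pick the resolved API
# out of the live process.  Uses the legacy IDAPython API (LocByName, GetMnem,
# GetOpType, ...) exactly as the original script does.

# address of the API resolver routine
fn_ea = LocByName("resolve")
# base address in IDB
base = idaapi.get_imagebase()
# base address in the target process
# NOTE: hard-coded; must match the image base of the process being debugged
remote = 0x00020000
# every code reference to the resolver (flow=0: explicit refs only)
refs = list(CodeRefsTo(fn_ea, 0))
# single-argument print form is valid in both Python 2 and Python 3 IDA builds
print('found %d refs' % len(refs))
# max number of instructions to walk back from a resolver call
# while looking for the PUSH instructions of its arguments
max_cmd_lookback = 10
# how many arguments the API resolver takes
num_args = 2
# this variable is used for transmitting data to the debugger's side
__extern__ = []

for ref in refs:
    # ref is the address of an instruction that references the resolver.
    # Collect every instruction of the enclosing function so we can walk
    # backwards from the call to find where its arguments are pushed.
    items = list(FuncItems(ref))
    if ref not in items:
        # reference is not inside a recognised function: nothing to walk back
        # through (the original would raise ValueError here)
        print("Failed to resolve %x: not inside a function" % ref)
        continue
    index_of_resolver_call = items.index(ref)
    push_args_list = []
    # move back from the call searching for the argument PUSHes;
    # the upper bound is inclusive so that exactly max_cmd_lookback
    # instructions are examined (the original stopped one short)
    for i in range(1, max_cmd_lookback + 1):
        if index_of_resolver_call - i < 0:
            break  # start of function was reached
        cmd_ref = items[index_of_resolver_call - i]
        # command should be PUSH
        if GetMnem(cmd_ref) != "push":
            continue  # take the next command
        # push operand type should be an immediate value
        if GetOpType(cmd_ref, 0) != o_imm:
            break  # we can't resolve this API statically
        # record the rebased address of the PUSH instruction itself, not its
        # operand; presumably the debugger side reads the immediate from there
        push_args_list.append(cmd_ref - base + remote)
        if len(push_args_list) == num_args:
            break
    if len(push_args_list) != num_args:
        print("Failed to resolve %x" % ref)
        continue
    __extern__.append({'ref': ref - base + remote,
                       'push_args_list': push_args_list})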