Created
February 16, 2020 09:04
-
-
Save ophirharpaz/d50f017fdcf62f322770266731a64b13 to your computer and use it in GitHub Desktop.
This IDAPython script renames functions according to the Linux syscall (int 80h) they contain. The script assumes each syscall is invoked only once.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| SYSCALL_OPCODE = '\xCD\x80' | |
| REGULAR_COMMENT = 0 # as opposed to a repeatable one | |
| def get_syscalls_addresses(): | |
| return (h for h in Heads() if SYSCALL_OPCODE == GetManyBytes(h, ItemSize(h))) | |
| def get_syscall_name_from_addr(addr): | |
| # Fetch the syscall name from IDA's automatic comment | |
| # e.g. '; LINUX - sys_prtcl' --> 'sys_prtcl' | |
| comment = GetCommentEx(addr, REGULAR_COMMENT) | |
| return comment.split(' ')[-1] | |
| def rename_functions_according_to_syscalls(): | |
| # (1) Find all occurrences of int 80h by iterating on all Heads (instructions & data items) | |
| syscall_addresses = get_syscalls_addresses() | |
| # (2) Fetch the syscall name from the disassembly | |
| syscall_name_per_address = {addr: get_syscall_name_from_addr(addr) for addr in syscall_addresses} | |
| # (3) Get the address of the function each syscall belongs to | |
| for addr, syscall_name in syscall_name_per_address.items(): | |
| function_addr = idaapi.get_func(addr).startEA | |
| # (4) ...then rename | |
| MakeNameEx(function_addr, syscall_name, idc.SN_NOWARN) | |
| if __name__ == '__main__': | |
| rename_functions_according_to_syscalls() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment