Created
February 16, 2020 09:04
ophirharpaz created this gist
Feb 16, 2020 .There are no files selected for viewing
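--- /dev/null
+++ b/<gist-filename-not-shown>
@@ -0,0 +1,31 @@
+SYSCALL_OPCODE = '\xCD\x80'
+REGULAR_COMMENT = 0 # as opposed to a repeatable one
+def get_syscalls_addresses():
+    return (h for h in Heads() if SYSCALL_OPCODE == GetManyBytes(h, ItemSize(h)))
+def get_syscall_name_from_addr(addr):
+    # Fetch the syscall name from IDA's automatic comment
+    # e.g. '; LINUX - sys_prtcl' --> 'sys_prtcl'
+    comment = GetCommentEx(addr, REGULAR_COMMENT)
+    return comment.split(' ')[-1]
+def rename_functions_according_to_syscalls():
+    # (1) Find all occurrences of int 80h by iterating on all Heads (instructions & data items)
+    syscall_addresses = get_syscalls_addresses()
+    # (2) Fetch the syscall name from the disassembly
+    syscall_name_per_address = {addr: get_syscall_name_from_addr(addr) for addr in syscall_addresses}
+    # (3) Get the address of the function each syscall belongs to
+    for addr, syscall_name in syscall_name_per_address.items():
+        function_addr = idaapi.get_func(addr).startEA
+        # (4) ...then rename
+        MakeNameEx(function_addr, syscall_name, idc.SN_NOWARN)
+if __name__ == '__main__':
+    rename_functions_according_to_syscalls()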
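Review bot: `idaapi.get_func(addr).startEA` in the loop of rename_functions_according_to_syscalls dereferences the lookup result without a None check, and the step-(1) comment itself says Heads() includes data items, so a two-byte data item equal to CD 80 or an int 80h outside any function aborts the whole run with an AttributeError. The same applies in get_syscall_name_from_addr, where GetCommentEx returns None when no auto-comment is present at that address; `return comment.split(' ')[-1] if comment else None` keeps the script going. MakeNameEx with SN_NOWARN also hides failures — a name already taken (several functions issuing the same syscall) or a function containing more than one int 80h is renamed silently, partially or not at all — so its return value should be checked and the failure printed rather than dropped. The loop rewritten with both guards:
```python
    for addr, syscall_name in syscall_name_per_address.items():
        func = idaapi.get_func(addr)
        if func is None or not syscall_name:
            continue  # int 80h in a data item or outside any function: nothing to rename
        if not MakeNameEx(func.startEA, syscall_name, idc.SN_NOWARN):
            print("failed to rename 0x%x to %s" % (func.startEA, syscall_name))
```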