williballenthin/functions_as_data.py

## functions_as_data.py
'''
Identify functions that are referenced as data.

For example, something weird is going on below::

    .text:10001833 BE 60 25 00 10          mov     esi, offset sub_10002560    <<<<
    .text:10001838 8B 45 FC                mov     eax, [ebp+var_4]
    .text:1000183B 89 5F 04                mov     [edi+4], ebx
    .text:1000183E 81 C7 18 02 00 00       add     edi, 218h
    .text:10001844 F3 A5                   rep movsd

The script also does a good job of identifying function pointers::

    .text:100021A6 8D 45 FC                lea     eax, [ebp+var_4]
    .text:100021A9 50                      push    eax             ; int
    .text:100021AA 6A 00                   push    0               ; dwCreationFlags
    .text:100021AC 6A 00                   push    0               ; void *
    .text:100021AE 68 60 21 00 10          push    offset sub_10002160 ; lpModuleName    <<<<
    .text:100021B3 6A 00                   push    0               ; dwStackSize
    .text:100021B5 6A 00                   push    0               ; lpThreadAttributes
    .text:100021B7 E8 A2 1F 00 00          call    __beginthr
'''
import idc
import idautils
import ida_bytes
import ida_funcs


for fva in idautils.Functions():
    if idc.get_func_flags(fva) & ida_funcs.FUNC_LIB:
        # ignore pointers to library functions, such as exception handlers.
        continue

    drefs = list(idautils.DataRefsTo(fva))
    if not drefs:
        continue

    code_drefs = set([])
    for dref in drefs:
        if not ida_bytes.is_code(ida_bytes.get_flags(dref)):
            # ignore function pointers in data,
            # such as from vtables.
            continue

        if idc.get_func_flags(ida_funcs.get_func(dref).startEA) & ida_funcs.FUNC_LIB:
            # ignore function pointers in library functions,
            # such as initializers.
            continue

        code_drefs.add(dref)

    if not code_drefs:
        continue

    print('function treated as data: %s (0x%x)' % (idc.GetFunctionName(fva), fva))
    for dref in code_drefs:
        print('  - from 0x%x' % (dref))

        cmt = 'used as pointer (0x%x)' % (dref)
        existing_cmt = idc.GetFunctionCmt(fva, 0)
        if cmt not in existing_cmt:
            idc.SetFunctionCmt(fva, existing_cmt + '\n' + cmt, 0)
	'''
	Identify functions that are referenced as data.

	For example, something weird is going on below::

	.text:10001833 BE 60 25 00 10 mov esi, offset sub_10002560 <<<<
	.text:10001838 8B 45 FC mov eax, [ebp+var_4]
	.text:1000183B 89 5F 04 mov [edi+4], ebx
	.text:1000183E 81 C7 18 02 00 00 add edi, 218h
	.text:10001844 F3 A5 rep movsd

	The script also does a good job of identifying function pointers::

	.text:100021A6 8D 45 FC lea eax, [ebp+var_4]
	.text:100021A9 50 push eax ; int
	.text:100021AA 6A 00 push 0 ; dwCreationFlags
	.text:100021AC 6A 00 push 0 ; void *
	.text:100021AE 68 60 21 00 10 push offset sub_10002160 ; lpModuleName <<<<
	.text:100021B3 6A 00 push 0 ; dwStackSize
	.text:100021B5 6A 00 push 0 ; lpThreadAttributes
	.text:100021B7 E8 A2 1F 00 00 call __beginthr
	'''
	import idc
	import idautils
	import ida_bytes
	import ida_funcs


	for fva in idautils.Functions():
	if idc.get_func_flags(fva) & ida_funcs.FUNC_LIB:
	# ignore pointers to library functions, such as exception handlers.
	continue

	drefs = list(idautils.DataRefsTo(fva))
	if not drefs:
	continue

	code_drefs = set([])
	for dref in drefs:
	if not ida_bytes.is_code(ida_bytes.get_flags(dref)):
	# ignore function pointers in data,
	# such as from vtables.
	continue

	if idc.get_func_flags(ida_funcs.get_func(dref).startEA) & ida_funcs.FUNC_LIB:
	# ignore function pointers in library functions,
	# such as initializers.
	continue

	code_drefs.add(dref)

	if not code_drefs:
	continue

	print('function treated as data: %s (0x%x)' % (idc.GetFunctionName(fva), fva))
	for dref in code_drefs:
	print(' - from 0x%x' % (dref))

	cmt = 'used as pointer (0x%x)' % (dref)
	existing_cmt = idc.GetFunctionCmt(fva, 0)
	if cmt not in existing_cmt:
	idc.SetFunctionCmt(fva, existing_cmt + '\n' + cmt, 0)