analysis

Module Contents

Classes

Unpacker(self,buf,wordsize,offset=0,should_log=False)
IndexType(self,name)
_Analysis(self,db,nodeid,fields) this is basically a metaclass for analyzers of IDA Pro netnode namespaces (named nodeid).
FileRegion(self,wordsize)
FileRegionV70(self,buf,wordsize)
func_t(self,buf,wordsize)
PString(self,length_is_total=True) short pascal string, prefixed with single byte length.
TypeString(self)
StructMember(self,db,nodeid)
STRUCT_FLAGS()
Struct(self,db,structid)
Function(self,db,fva)
Fixup(self,wordsize)
FixupV70(self,buf,wordsize)
Seg(self,buf,wordsize)

Functions

is_flag_set(flags,flag)
as_unix_timestamp(buf,wordsize=None) parse unix timestamp bytes into a timestamp.
as_md5(buf,wordsize=None) parse raw md5 bytes into a hex-formatted string.
cast(buf,V,wordsize=None) apply a vstruct class to a sequence of bytes.
as_cast(V) create a partial function that casts buffers to the given vstruct.
unpack_dd(buf,offset=0) unpack up to 32-bits using the IDA-specific data packing format.
unpack_dw(buf,offset=0) unpack word.
unpack_dq(buf,offset=0) unpack qword.
unpack_dds(buf)
unpack_dqs(buf)
Analysis(nodeid,fields) build a partial constructor for _Analysis with the given nodeid and fields.
chunks(l,n) Yield successive n-sized chunks from l.
pairs(l)
_get_xrefs(db,tag,src=None,dst=None,types=None)
get_crefs_to(db,ea,types=None) fetches the code references to the given address.
get_crefs_from(db,ea,types=None) fetches the code references from the given address.
get_drefs_to(db,ea,types=None) fetches the data references to the given address.
get_drefs_from(db,ea,types=None) fetches the data references from the given address.
parse_seg_strings(buf,wordsize=None)
enumerate_imports(db) enumerate the functions imported by the module in the given database.
enumerate_entrypoints(db) enumerate the entry point functions in the given database.
is_flag_set(flags, flag)
as_unix_timestamp(buf, wordsize=None)

parse unix timestamp bytes into a timestamp.

as_md5(buf, wordsize=None)

parse raw md5 bytes into a hex-formatted string.

cast(buf, V, wordsize=None)

apply a vstruct class to a sequence of bytes.

Args:
    buf (bytes): the bytes to parse.
    V (type[vstruct.VStruct]): the vstruct class.
Returns:
    V: the parsed instance of V.

Example:

s = cast(buf, Stat)
assert s.gid == 0x1000
as_cast(V)

create a partial function that casts buffers to the given vstruct.

Args:
V (type[vstruct.VStruct]): the vstruct class.
Returns:
callable[bytes]->V: the function that parses buffers into V instances.

Example:

S = as_cast(Stat)
s = S(buf)
assert s.gid == 0x1000
unpack_dd(buf, offset=0)

unpack up to 32-bits using the IDA-specific data packing format.

Args:
    buf (bytes): the region to parse.
    offset (int): the offset into the region from which to unpack. default: 0.
Returns:
    (int, int): the parsed dword, and the number of bytes consumed.
Raises:
    KeyError: if the bounds of the region are exceeded.
unpack_dw(buf, offset=0)

unpack word.

unpack_dq(buf, offset=0)

unpack qword.

unpack_dds(buf)
unpack_dqs(buf)
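The packed-dword encoding that these unpack_* helpers read, shown as an added, self-contained decoder (not python-idb's own code). The width rules and the low-dword-first qword order are my reading of the IDA SDK's pack_dd convention, assumed here rather than stated on this page, and the sample bytes are constructed:

```python
import struct
# Added illustration, not python-idb's own code: the variable-length "packed
# dword" format that unpack_dd/unpack_dq/unpack_dds read, as understood from the
# IDA SDK's pack_dd convention (an assumption here):
#   0xxxxxxx          1 byte,  7-bit value
#   10xxxxxx B        2 bytes, 14-bit value
#   110xxxxx B B B    4 bytes, 29-bit value
#   111xxxxx B B B B  5 bytes, full big-endian 32-bit value
# bounds are checked before any read; KeyError matches the documented contract.

def unpack_dd(buf, offset=0):
    """unpack one packed dword; returns (value, number of bytes consumed)."""
    if offset >= len(buf):
        raise KeyError(offset)
    header = buf[offset]
    if header & 0x80 == 0:
        size = 1
    elif header & 0xC0 != 0xC0:
        size = 2
    elif header & 0xE0 != 0xE0:
        size = 4
    else:
        size = 5
    if offset + size > len(buf):
        raise KeyError(offset)
    if size == 1:
        return header, size
    if size == 2:
        return ((header & 0x3F) << 8) | buf[offset + 1], size
    if size == 4:
        b1, b2, b3 = buf[offset + 1:offset + 4]
        return ((header & 0x1F) << 24) | (b1 << 16) | (b2 << 8) | b3, size
    return struct.unpack_from(">I", buf, offset + 1)[0], size

def unpack_dq(buf, offset=0):
    """unpack a packed qword: the low dword is stored first, then the high."""
    lo, n1 = unpack_dd(buf, offset)
    hi, n2 = unpack_dd(buf, offset + n1)
    return (hi << 32) | lo, n1 + n2

def unpack_dds(buf):
    """walk a region of back-to-back packed dwords, yielding each value."""
    offset = 0
    while offset < len(buf):
        value, size = unpack_dd(buf, offset)
        yield value
        offset += size

# constructed sample: one value of each encoded width, back to back
SAMPLE = bytes([0x7F, 0x81, 0x02, 0xC0, 0x12, 0x34, 0x56, 0xFF, 0xDE, 0xAD, 0xBE, 0xEF])
```

A truncated region (a header byte whose payload is missing) raises KeyError instead of reading past the blob.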
class Unpacker(buf, wordsize, offset=0, should_log=False)
__init__(buf, wordsize, offset=0, should_log=False)
_do_unpack(unpack_fn)
dd()
dq()
dw()
addr()
class IndexType(name)
__init__(name)
str()
class _Analysis(db, nodeid, fields)

this is basically a metaclass for analyzers of IDA Pro netnode namespaces (named nodeid). provide a set of fields, and parse them from netnodes (nodeid, tag, and optional index) when accessed.
__init__(db, nodeid, fields)
_is_address(index)

does the given index fall within a segment?

_is_node(index)

does the index look like a raw nodeid?

_is_number(index)

does the index look like neither an address nor a node?

__getattr__(key)

for the given field name, fetch the value from the appropriate netnode. if the field matches multiple indices, then return a mapping from index to value.

Example:

assert root.version == 695

Example:

assert 0x401000 in entrypoints.ordinals

Example:

assert entrypoints.ordinals[0] == 'DllMain'
Args:
    key (str): the name of the field to fetch.
Returns:
    any: if a parser was provided, then the parsed data.
    otherwise, the bytes associated with the field. if the field matches multiple indices, then the result is a mapping from index to value.
Raises:
    KeyError: if the field does not exist.
get_field_tag(name)

get the tag associated with the given field name.

Example:

assert root.get_field_tag('version') == 'A'
Args:
    name (str): the name of the field to fetch.
Returns:
    str: a single character string tag.
get_field_index(name)

get the index associated with the given field name.

Example:

assert root.get_field_index('version') == root.db.uint(-1)
Args:
    name (str): the name of the field to fetch.
Returns:
    int or IndexType: the index, if it is specified.
    otherwise, an IndexType that indicates what indices are expected.
Analysis(nodeid, fields)

build a partial constructor for _Analysis with the given nodeid and fields.

Example:

Root = Analysis('Root Node', [Field(...), ...])
root = Root(some_idb)
assert root.version == 695
class FileRegion(wordsize)
__init__(wordsize)
class FileRegionV70(buf, wordsize)
__init__(buf, wordsize)
class func_t(buf, wordsize)
__init__(buf, wordsize)
class PString(length_is_total=True)

short pascal string, prefixed with single byte length.

__init__(length_is_total=True)
pcb_length()
class TypeString
__init__()
pcb_header()
pcb_length()
class StructMember(db, nodeid)
__init__(db, nodeid)
get_name()
get_type()
get_enum_id()
get_struct_id()
get_member_comment()
get_repeatable_member_comment()
__str__()
class STRUCT_FLAGS
class Struct(db, structid)

Example:

struc = Struct(idb, 0xFF000075)
assert struc.get_name() == 'EXCEPTION_INFO'
assert len(struc.get_members()) == 5
assert list(struc.get_members())[0].get_type() == 'DWORD'

__init__(db, structid)
get_members()
chunks(l, n)

Yield successive n-sized chunks from l. via: https://stackoverflow.com/a/312464/87207

pairs(l)
class Function(db, fva)

Example:

func = Function(idb, 0x401000)
assert func.get_name() == 'DllEntryPoint'
assert func.get_signature() == '… DllEntryPoint(…)'

__init__(db, fva)
get_name()
get_signature()
get_chunks()
get_stack_change_points()
_get_xrefs(db, tag, src=None, dst=None, types=None)
get_crefs_to(db, ea, types=None)

fetches the code references to the given address.

Args:
    db (idb.IDB): the database.
    ea (int): the effective address from which to fetch xrefs.
    types (collection of int): if provided, a whitelist collection of xref types to include.
Yields:
    int: xref address.
get_crefs_from(db, ea, types=None)

fetches the code references from the given address.

Args:
    db (idb.IDB): the database.
    ea (int): the effective address from which to fetch xrefs.
    types (collection of int): if provided, a whitelist collection of xref types to include.
Yields:
    int: xref address.
get_drefs_to(db, ea, types=None)

fetches the data references to the given address.

Args:
    db (idb.IDB): the database.
    ea (int): the effective address from which to fetch xrefs.
    types (collection of int): if provided, a whitelist collection of xref types to include.
Yields:
    int: xref address.
get_drefs_from(db, ea, types=None)

fetches the data references from the given address.

Args:
    db (idb.IDB): the database.
    ea (int): the effective address from which to fetch xrefs.
    types (collection of int): if provided, a whitelist collection of xref types to include.
Yields:
    int: xref address.
class Fixup(wordsize)
__init__(wordsize)
pcb_type()
get_fixup_length()
class FixupV70(buf, wordsize)
__init__(buf, wordsize)
get_fixup_length()
parse_seg_strings(buf, wordsize=None)
class Seg(buf, wordsize)
__init__(buf, wordsize)
enumerate_imports(db)

enumerate the functions imported by the module in the given database.

Yields:
    Tuple[str, str, int]: library name, function name, function address
enumerate_entrypoints(db)

enumerate the entry point functions in the given database.

Yields:
    Tuple[str, int, int, str]: function name, address, ordinal (optional), and forwarded symbol (optional)