IDA Reverse-Engineering Notes: Using a Script to Get Information on All Functions in an EXE
Posted by 千夫长-向往生
1. Requirements
Write an IDC script (a C-like language) in IDA that iterates over every function in an exe file and prints information about each one: the address range of its local-variable area, the number of arguments, and so on.
2. Summary
After working through the code below: my tiny hello world program yielded 35 functions, and a real program in active use yielded 1627, which is enough to make your eyes bleed. Most of this information is already visible in the GUI, but with this script as a starting point you can modify it to filter out just the functions you care about.
So far, my sense is that the point of learning IDC is to master the code behind IDA's various features, so that IDA's capabilities are at your fingertips; that is worthwhile, because you can then freely look up exactly the information you need.
3. Source of the analyzed program
Source of the hello world.exe that was analyzed. It prints hello world 100 times; to simulate a slightly more complex structure, the printf call is placed in its own function:
    #include <stdio.h>

    int read_i;                         /* global, so the loop counter is observable after the loop */

    void prin()
    {
        printf("Hello, World! \n");
    }

    int main()
    {
        int i;
        for (i = 0; i < 100; i++)
            prin();
        read_i = i + 8;
        getchar();
        return 0;
    }
4. IDC code to find all function information
    #include <idc.idc>

    static main()
    {
        auto addr, end, args, locals, frame, firstTArg, name, ret, i;
        addr = 0;
        i = 0;
        // NextFunction() walks every function in the database in address order
        for (addr = NextFunction(addr); addr != BADADDR; addr = NextFunction(addr))
        {
            name   = Name(addr);
            end    = GetFunctionAttr(addr, FUNCATTR_END);
            locals = GetFunctionAttr(addr, FUNCATTR_FRSIZE);   // size of the local-variable area
            frame  = GetFrame(addr);                           // id of the function's stack-frame structure
            // IDA names the saved-return-address member " r" (with a leading space);
            // GetMemberOffset() returns -1 when the name does not match exactly
            ret = GetMemberOffset(frame, " r");
            if (ret == -1) continue;                           // no frame or no return slot: skip
            firstTArg = ret + 4;                               // first argument sits above the 4-byte return address (32-bit)
            args = GetStrucSize(frame) - firstTArg;
            i = i + 1;
            Message("%d.Function:%s,start at %x,ends at %x\n", i, name, addr, end);
            Message(" local variable area is %d bytes\n", locals);
            Message(" Arguments occupy %d bytes (%d args )\n\n", args, args / 4);
        }
    }
5. Analysis results
Note that every argument size below (33, 45, 13, 5, 1, -3 bytes) is one more than a multiple of 4. This run looked up the return-address slot as GetMemberOffset(frame,"r"), without the leading space in IDA's member name " r", so ret was -1 and firstTArg was 3 rather than the real return-address offset plus 4; with the member name corrected, the sizes come out as multiples of 4.
1.Function:__gnu_exception_handler@4,start at 401000,ends at 401143
local variable area is 24 bytes
Arguments occupy 33 bytes (8 args )
2.Function:___mingw_CRTStartup,start at 401150,ends at 40127f
local variable area is 40 bytes
Arguments occupy 45 bytes (11 args )
3.Function:_mainCRTStartup,start at 401280,ends at 401298
local variable area is 8 bytes
Arguments occupy 13 bytes (3 args )
4.Function:_WinMainCRTStartup,start at 4012a0,ends at 4012b8
local variable area is 8 bytes
Arguments occupy 13 bytes (3 args )
5.Function:_atexit,start at 4012c0,ends at 4012cc
local variable area is 0 bytes
Arguments occupy 5 bytes (1 args )
6.Function:__onexit,start at 4012d0,ends at 4012dc
local variable area is 0 bytes
Arguments occupy 9 bytes (2 args )
7.Function:___do_sjlj_init,start at 4012e0,ends at 4012e9
local variable area is 0 bytes
Arguments occupy 5 bytes (1 args )
8.Function:_prin,start at 4012f0,ends at 401304
local variable area is 8 bytes
Arguments occupy 13 bytes (3 args )
9.Function:_main,start at 401304,ends at 40135e
local variable area is 8 bytes
Arguments occupy 25 bytes (6 args )
10.Function:___do_global_dtors,start at 401360,ends at 401389
local variable area is 8 bytes
Arguments occupy 13 bytes (3 args )
11.Function:___do_global_ctors,start at 401390,ends at 4013e3
local variable area is 8 bytes
Arguments occupy 13 bytes (3 args )
12.Function:___main,start at 4013f0,ends at 40140d
local variable area is 0 bytes
Arguments occupy 5 bytes (1 args )
13.Function:__pei386_runtime_relocator,start at 401410,ends at 401438
local variable area is 0 bytes
Arguments occupy 5 bytes (1 args )
14.Function:___cpu_features_init,start at 401440,ends at 40153b
local variable area is 4 bytes
Arguments occupy 9 bytes (2 args )
15.Function:__fpreset,start at 401540,ends at 401547
local variable area is 0 bytes
Arguments occupy 5 bytes (1 args )
16.Function:___w32_sharedptr_default_unexpected,start at 401550,ends at 40155e
local variable area is 0 bytes
Arguments occupy 5 bytes (1 args )
17.Function:___w32_sharedptr_get,start at 401560,ends at 4015f3
local variable area is 104 bytes
Arguments occupy 109 bytes (27 args )
18.Function:___w32_sharedptr_initialize,start at 401600,ends at 401865
local variable area is 200 bytes
Arguments occupy 205 bytes (51 args )
19.Function:__alloca,start at 401870,ends at 40189d
local variable area is 0 bytes
Arguments occupy -3 bytes (0 args )
20.Function:__cexit,start at 4018a0,ends at 4018a6
local variable area is 0 bytes
Arguments occupy 1 bytes (0 args )
21.Function:___p__environ,start at 4018a8,ends at 4018ae
local variable area is 0 bytes
Arguments occupy 1 bytes (0 args )
22.Function:_signal,start at 4018b0,ends at 4018b6
local variable area is 0 bytes
Arguments occupy 9 bytes (2 args )
23.Function:___p__fmode,start at 4018b8,ends at 4018be
local variable area is 0 bytes
Arguments occupy 1 bytes (0 args )
24.Function:__setmode,start at 4018c0,ends at 4018c6
local variable area is 0 bytes
Arguments occupy 9 bytes (2 args )
25.Function:___getmainargs,start at 4018c8,ends at 4018ce
local variable area is 0 bytes
Arguments occupy 1 bytes (0 args )
26.Function:_getchar,start at 4018d0,ends at 4018d6
local variable area is 0 bytes
Arguments occupy 1 bytes (0 args )
27.Function:_printf,start at 4018d8,ends at 4018de
local variable area is 0 bytes
Arguments occupy 5 bytes (1 args )
28.Function:__assert,start at 4018e0,ends at 4018e6
local variable area is 0 bytes
Arguments occupy 1 bytes (0 args )
29.Function:_free,start at 4018e8,ends at 4018ee
local variable area is 0 bytes
Arguments occupy 5 bytes (1 args )
30.Function:_malloc,start at 4018f0,ends at 4018f6
local variable area is 0 bytes
Arguments occupy 5 bytes (1 args )
31.Function:_abort,start at 4018f8,ends at 4018fe
local variable area is 0 bytes
Arguments occupy 1 bytes (0 args )
32.Function:_memset,start at 401900,ends at 401906
local variable area is 0 bytes
Arguments occupy 13 bytes (3 args )
33.Function:_SetUnhandledExceptionFilter@4,start at 401908,ends at 40190e
local variable area is 0 bytes
Arguments occupy 5 bytes (1 args )
34.Function:_ExitProcess@4,start at 401910,ends at 401916
local variable area is 0 bytes
Arguments occupy 5 bytes (1 args )
35.Function:___sjlj_init_ctor,start at 401918,ends at 401921
local variable area is 0 bytes
Arguments occupy 5 bytes (1 args )
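As an added example (not the author's code), the following Python post-processes the text the IDC script prints, which is what you have once the report leaves IDA: it parses the three lines per function, filters out import thunks by code size, and flags argument sizes that cannot come from a valid 32-bit frame (negative or not a multiple of 4), the symptom visible throughout the results above. The sample input is constructed from entries of the report above; the 8-byte thunk threshold is a heuristic assumption.

```python
import re

# Constructed sample input: three entries copied from the report above, in the exact
# format the IDC script's Message() calls produce (not output from a new IDA run).
SAMPLE_REPORT = """\
8.Function:_prin,start at 4012f0,ends at 401304
 local variable area is 8 bytes
 Arguments occupy 13 bytes (3 args )
19.Function:__alloca,start at 401870,ends at 40189d
 local variable area is 0 bytes
 Arguments occupy -3 bytes (0 args )
27.Function:_printf,start at 4018d8,ends at 4018de
 local variable area is 0 bytes
 Arguments occupy 5 bytes (1 args )
"""

HEADER = re.compile(r"^\d+\.Function:(?P<name>[^,]+),start at (?P<start>[0-9a-fA-F]+),ends at (?P<end>[0-9a-fA-F]+)$")
LOCALS = re.compile(r"^\s*local variable area is (?P<n>-?\d+) bytes")
ARGS = re.compile(r"^\s*Arguments occupy (?P<n>-?\d+) bytes")


def parse_report(text):
    """Group the three-line-per-function report into one dict per function."""
    funcs, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"name": m["name"], "start": int(m["start"], 16), "end": int(m["end"], 16)}
            funcs.append(cur)
            continue
        m = LOCALS.match(line)
        if m and cur is not None:
            cur["locals"] = int(m["n"])
            continue
        m = ARGS.match(line)
        if m and cur is not None:
            cur["arg_bytes"] = int(m["n"])
    return funcs


def frame_lookup_failed(func):
    """On 32-bit x86 every stack argument occupies 4 bytes, so a negative size or one that
    is not a multiple of 4 cannot come from a real frame: it is the fingerprint of
    GetMemberOffset() returning -1, which makes firstTArg 3 instead of ret + 4."""
    return func["arg_bytes"] < 0 or func["arg_bytes"] % 4 != 0


def code_functions(funcs, min_size=8):
    """Drop import thunks (a 6-byte jmp through the IAT); min_size is a heuristic threshold."""
    return [f for f in funcs if f["end"] - f["start"] >= min_size]
```

Run on the full report, `code_functions()` leaves the functions with real bodies and `frame_lookup_failed()` tells you whether the argument counts can be trusted before you start filtering on them.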