[原创]基于LLVM编译器的IDA自动结构体分析插件

// Walks the struct types used by `module` and (re)creates a matching IDA structure for each one
// whose name is known in `structnames`.
// NOTE(review): this listing is a web excerpt. Identifiers are lower-cased, the function's own
// braces and its bool return are missing, and several '+' characters appear to have been dropped
// by the page. The points flagged below should be confirmed against the original post.
bool idastructwriter::emittargetcode(shptr module)

// Collect the types referenced by the module.
shptr usedtypes(usedtypesvisitor::getusedtypes(module));

// NOTE(review): `usedstructtypes` is not defined in this excerpt; presumably it is derived from
// `usedtypes` above. Confirm.
for (const auto &structtype : usedstructtypes)

    {

        // NOTE(review): a call immediately followed by '{'. It looks like the body of
        // emitstructida() was pasted inline here for the article. Confirm.
        emitstructida(structtype){

        tid_t strucval = 0;

        // Match by name.
        // NOTE(review): the capture group is printed as "(. )"; the original was presumably "(.+)"
        // with the '+' lost in extraction. The callback in this article builds names with the
        // format "class_vtable_%x_type", so the group is meant to capture a hex address.

        std::regex vtblreg("class_vtable_(. )_type");

        // Only struct types that have an entry in structnames are emitted.
        auto i = structnames.find(structtype);

        if (i != structnames.end()) {

            std::string rawname = i->second;               

            uint64_t vtbladdr = 0;

            std::cmatch  results;

            // Copy of vtblreg; the search below runs against the struct's raw name.
            std::regex express(vtblreg);

            if (std::regex_search(rawname.c_str(), results, express))

            {

                // size() == 2 means the whole match plus the single capture group.
                if (results.size() == 2)

                {

                    std::string vtbstr = results[1];

                    // Parse the captured text as hexadecimal. strtoull yields 0 for non-hex text and
                    // no error check is made here.
                    // NOTE(review): vtbladdr is not read again in the visible code.
                    vtbladdr = strtoull(vtbstr.c_str(), 0, 16);

                }

            }

            // If a structure with this name already exists in the database, delete it first.
            // NOTE(review): del_struc removes the existing structure, so manual edits an analyst
            // made to a same-named structure are discarded on every run. get_struc's result is
            // passed to del_struc without a null check.
            strucval = get_struc_id(rawname.c_str());

            if (strucval != badaddr)

            {

                struc_t* sptr = get_struc(strucval);

                del_struc(sptr);

            }

            // Create the structure.
            // NOTE(review): the id returned by add_struc is not compared with badaddr before it is
            // handed to emitvarwithtype below. A failed creation would propagate an invalid id.

            strucval = add_struc(badaddr, rawname.c_str());

            address field_offset = 0;

            const structtype::elementtypes& elements = structtype->getelementtypes();

            // Emit one member per element type.
            // NOTE(review): the increment is printed as "i)", presumably "++i" with the operator
            // lost; as printed the index never advances. This `i` also shadows the iterator `i`
            // declared above.
            for (structtype::elementtypes::size_type i = 0; i < elements.size(); i) {

 

                shptr<type> elemtype(elements.at(i));

                // The member is named "field_" followed by the current offset in hex.
                // NOTE(review): the '+' between the literal and tohexstring() is missing as printed.
                uint64_t elelen = emitvarwithtype(variable::create("field_" field_offset.tohexstring(), elemtype), strucval, field_offset.getvalue());

                // NOTE(review): presumably "field_offset += elelen". As printed the offset is
                // overwritten with the last element's size instead of accumulating, which would
                // also make the "field_<offset>" names collide. Confirm.
                field_offset = elelen;

            }

            // Log the structure name and the final value of field_offset.
            info_msg("create vtable struct : " << rawname << " ,size :"<< field_offset << std::endl);

        }       

    }

// Adds `var` as a member of the IDA structure identified by `strucval` and returns the size
// reported by determinetypesize() for the variable's type.
// NOTE(review): web excerpt. The function's braces are missing and one branch is elided ("...").
// `field_offset` is not referenced in the visible lines: every add_struc_member call passes
// badaddr as the offset, which in the IDA SDK means "append at the end of the structure".
uint64_t idastructwriter::emitvarwithtype(shptr var, tid_t strucval, address field_offset)

    // NOTE(review): sptr is used below without a null check. If strucval is invalid (for example
    // a failed add_struc in the caller), add_struc_member receives a null struc_t*.
    struc_t* sptr = get_struc(strucval);

    shptr<type> vartype(var->gettype());

    uint64_t elelen = determinetypesize(vartype);

    // Visitor dispatch on the variable; what the visit does is not shown in this excerpt.
    var->accept(this);

    // Both flags default to byte_flag(); the size ladder below overrides them for known sizes.
    flags_t flag = byte_flag();

    flags_t flag2 = byte_flag();

    // Despite the variable's name, this holds the member name taken from the variable.
    std::string filename = var->getname();   

    // NOTE(review): isa() is printed without a template argument (presumably stripped by the
    // page) and the branch body is elided, so the handling of that type category is not visible.
    if (isa(vartype))

    {

    ...

    }

    else {

        // Map the element size in bytes to an IDA data flag.
        // NOTE(review): sizes other than 1, 2, 4, 6 and 8 keep the byte_flag() default while the
        // full elelen is still passed as the member size in the final else branch.
        if (elelen == 1)

        {

            flag = byte_flag();

        }

        else if (elelen == 2)

        {

            flag = word_flag();

        }

        else if (elelen == 4)

        {

            flag = dword_flag();

        }

        // A 6-byte element is split into two word-flagged members (see below).
        else if (elelen == 6)

        {

            flag = word_flag();

            flag2 = word_flag();

        }

        else if (elelen == 8)

        {

            flag = qword_flag();

        }

        if (elelen == 6)

        {

            // Add the structure members: the first takes elelen-2 = 4 bytes, the second (same name
            // with a "_" suffix) takes elelen-4 = 2 bytes, both with word_flag().
            // NOTE(review): the '+' in `filename "_"` is missing as printed.
            // NOTE(review): the result codes of add_struc_member are ignored. A rejected member
            // (duplicate or invalid name, bad size) leaves the structure shorter than the elelen
            // this function still returns to the caller.

            std::string filename2 = filename "_";

            add_struc_member(sptr, filename.c_str(), badaddr, flag, nullptr, elelen-2);

            add_struc_member(sptr, filename2.c_str(), badaddr, flag2, nullptr, elelen-4);

        }

        else {

            // Single member covering the whole element; the result code is ignored here as well.
            add_struc_member(sptr, filename.c_str(), badaddr, flag, nullptr, elelen);

        }

    }

    // Returned regardless of whether the member was actually added.
    return elelen;

// Register the Hex-Rays callback that fires when IDA's F5 (decompile) key opens pseudocode.
// NOTE(review): the bool result of install_hexrays_callback is ignored here. The excerpt also
// does not show the init_hexrays_plugin() check that normally precedes registration, or the
// matching remove_hexrays_callback() at plugin termination. Confirm both exist in the full plugin.

install_hexrays_callback(my_hexrays_cb_t, nullptr);

// Hex-Rays event callback: when a pseudocode view is opened, looks up the recovered
// "class_vtable_<addr>_type" structure for the function and retypes a local variable as a
// pointer to it.
// NOTE(review): web excerpt. The function's opening brace, the closing of the case/switch/function
// and the int return value are all missing; the listing stops inside the `if (strucval)` block.
ida_dll_data  int idaapi my_hexrays_cb_t(void *ud, hexrays_event_t event, va_list va)

    switch (event)

    {

    case hxe_open_pseudocode:

    {

        // The event passes the pseudocode view as a vdui_t*.
        vdui_t* vu = va_arg(va, vdui_t *);

        // NOTE(review): vu is a pointer, so `vu.cfunc` (and `vu.refresh_view` below) would need
        // `->` to compile; "->" survives elsewhere in this listing, so this looks like the
        // article's own shorthand. Confirm.
        cfuncptr_t cfunc = vu.cfunc;

        // Map the function's entry address to a vtable address.
        // NOTE(review): the type of vtbl2fns is not shown. The result of find() is used with no
        // visible not-found check, so a function that is absent from the table is not handled here.
        ea_t vtaddrreal=vtbl2fns.find(cfunc->entry_ea).first;

        // NOTE(review): `rawname` is not declared in this excerpt. "%x" formats an unsigned int,
        // while ea_t is 64-bit in 64-bit IDA builds, so the address may be truncated and the name
        // would then not match the one the struct writer created. Confirm the format used there.
        rawname.sprnt("class_vtable_%x_type", vtaddrreal);

        tid_t strucval = get_struc_id(rawname.c_str());

        // NOTE(review): the struct writer in this article compares get_struc_id's result with
        // badaddr; the not-found value is non-zero, so this truthiness test does not filter out a
        // missing structure. Presumably it should be `strucval != badaddr`.
        if (strucval)

        {

            // Build a typedef for the structure name and a pointer type to it.
            tinfo_t new_type = create_typedef(rawname.c_str());

            tinfo_t new_type_ptr = make_pointer(new_type);

            // NOTE(review): the loop body returns on its first iteration, so only the first local
            // variable is retyped (presumably the `this` argument; confirm). `return;` carries no
            // value although the function is declared to return int, and `nm` is never used.
            for (lvar_t& vr : *cfunc->get_lvars())

            {

                qstring nm = vr.name;

                // Set the variable's type to a pointer to the recovered structure.
                // NOTE(review): whether this change is persisted to the database is not visible here.

                vr.set_lvar_type(new_type_ptr);

                // Redraw the pseudocode view.
                vu.refresh_view(false);

                return;

            }

        }

原文链接:https://bbs.kanxue.com/thread-272289.htm

网络摘文,本文作者:15h,如若转载,请注明出处:https://www.15cov.cn/2023/08/27/原创基于llvm编译器的ida自动结构体分析插件/
