IDA Python - Why does my code return an incorrect ESP value?
I wrote an IDA Python script to check code coverage.
But when I run this script I get a runtime error and cannot obtain the correct ESP value.
- My code -
from idaapi import *

class DbgHook(DBG_Hooks):
    def dbg_process_exit(self, pid, tid, ea, code):
        # bpt Del: remove the coverage breakpoints once the debuggee has exited
        for fun in Functions(SegStart(ScreenEA()), SegEnd(ScreenEA())):
            DelBpt(fun)
        # stop receiving debugger events now that the process is gone
        debugger.unhook()
        return

    def dbg_bpt(self, tid, ea):
        # at a function-entry breakpoint, [esp] holds the return address
        RefCode = get_long(GetRegValue('esp'))
        print "[*] Hit : 0x%08x - %s" % (ea, GetFunctionName(ea))
        print "    GetRegValue : compare RET : 0x%08x" % RefCode
        return 1

# one breakpoint on every function start of the current segment,
# with BPT_BRK cleared so the process is not suspended when it is hit
for fun in Functions(SegStart(ScreenEA()), SegEnd(ScreenEA())):
    fnName = GetFunctionName(fun)
    AddBpt(fun)
    SetBptAttr(fun, BPTATTR_FLAGS, (GetBptAttr(fun, BPTATTR_FLAGS) & ~BPT_BRK))

debugger = DbgHook()
debugger.unhook()
debugger.hook()
num_bp = GetBptQty()
print "[*] Set %d breakpoints " % num_bp
Then I get an error:
[*] Set 153 breakpoints
Cannot find sync source "view:IDA View-A"; ignoring group
400000: process C:\temp\nc.exe has started (pid=6336)
773C0000: loaded C:\WINDOWS\system32\ntdll.dll
Unloaded
Unloaded
Unloaded
Unloaded
76050000: loaded C:\WINDOWS\SysWOW64\kernel32.dll
76550000: loaded C:\WINDOWS\SysWOW64\KernelBase.dll
76360000: loaded C:\WINDOWS\SysWOW64\msvcrt.dll
77409FA0: thread has started (tid=11496)
77409FA0: thread has started (tid=10228)
74010000: loaded C:\WINDOWS\SysWOW64\wsock32.dll
76130000: loaded C:\WINDOWS\SysWOW64\ws2_32.dll
762B0000: loaded C:\WINDOWS\SysWOW64\sechost.dll
75FA0000: loaded C:\WINDOWS\SysWOW64\rpcrt4.dll
740F0000: loaded C:\WINDOWS\SysWOW64\sspicli.dll
740E0000: loaded C:\WINDOWS\SysWOW64\cryptbase.dll
770B0000: loaded C:\WINDOWS\SysWOW64\bcryptprimitives.dll
77409FA0: thread has started (tid=9556)
[*] Hit : 0x004057f0 - TlsCallback_0
GetRegValue : compare RET : 0x77436aae
[*] Hit : 0x00405eb0 - sub_405EB0
GetRegValue : compare RET : 0x00000000
[*] Hit : 0x004061e8 - InitializeCriticalSection
GetRegValue : compare RET : 0x00000000
Exception in DBG Hook function: SWIG director method error. Error detected when calling 'DBG_Hooks.dbg_bpt'
Traceback (most recent call last):
File "C:/Users/jm/Documents/MakeCode/ida-python/tutorial/Code_Cover.py", line 18, in dbg_bpt
RefCode = get_long(GetRegValue('esp'))
StopIteration
Exception in DBG Hook function: SWIG director method error. Error detected when calling 'DBG_Hooks.dbg_bpt'
Traceback (most recent call last):
File "C:/Users/jm/Documents/MakeCode/ida-python/tutorial/Code_Cover.py", line 18, in dbg_bpt
RefCode = get_long(GetRegValue('esp'))
StopIteration
[*] Hit : 0x00401020 - sub_401020
GetRegValue : compare RET : 0x00401178
[*] Hit : 0x004057f0 - TlsCallback_0
GetRegValue : compare RET : 0x00401160
[*] Hit : 0x00405620 - SetUnhandledExceptionFilter
GetRegValue : compare RET : 0x00401160
[*] Hit : 0x00405980 - sub_405980
GetRegValue : compare RET : 0x00401160
[*] Hit : 0x00405e10 - sub_405E10
GetRegValue : compare RET : 0x00401160
[*] Hit : 0x00406088 - __getmainargs
GetRegValue : compare RET : 0x00401160
[*] Hit : 0x00406090 - __p__fmode
GetRegValue : compare RET : 0x00401160
[*] Hit : 0x00405ba0 - sub_405BA0
GetRegValue : compare RET : 0x00401160
[*] Hit : 0x00405df0 - sub_405DF0
GetRegValue : compare RET : 0x9b3e0acd
[*] Hit : 0x00405d90 - sub_405D90
GetRegValue : compare RET : 0x9b3e0acd
Exception in DBG Hook function: SWIG director method error. Error detected when calling 'DBG_Hooks.dbg_bpt'
Traceback (most recent call last):
File "C:/Users/jm/Documents/MakeCode/ida-python/tutorial/Code_Cover.py", line 18, in dbg_bpt
RefCode = get_long(GetRegValue('esp'))
StopIteration
[*] Hit : 0x00401300 - sub_401300
GetRegValue : compare RET : 0x00000000
When I check ESP manually at 0x00401300 I can see the value 0x0040620b. But with my code, the ESP value at 0x00401300 is an incorrect 0x00000000.
How can I fix this?
The OP has not posted an answer, so I'll give it a try.
IDA maintains its own copy/representation of the analysed file in its IDB file format (and in the uncompressed files while the database is open). By default these contain every byte of the executable and, while debugging, most of the bytes in most of the allocated memory regions. Something similar happens with registers.
IDA does not (and cannot) continuously update the state of memory and registers while the executable is running; it only updates them periodically. For this reason the function RefreshDebuggerMemory()
will force IDA to refresh the memory (and register) state.
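The following is an added example, not the original poster's script nor the answerer's code. It rewrites the coverage hook so that the value at [ESP] is obtained after RefreshDebuggerMemory() as the answer recommends, and is read with idc.DbgDword (which reads the live process) instead of get_long (which reads IDA's cached copy); reads that fail or return an address outside any known segment are logged separately instead of being recorded as hits. It assumes the pre-7.4 idc/idautils compatibility names used on this page (RefreshDebuggerMemory, DbgDword, GetRegValue, AddBpt, Functions, ...). The IDA-specific classes are only defined when the script runs inside IDA; CoverageLog, plausible_return_address and the constructed FakeMemory are plain Python so the bookkeeping can be checked outside IDA.

```python
# Added example: coverage hook that reads [ESP] from the live process after a refresh.
# Assumes the pre-7.4 idc/idautils names (RefreshDebuggerMemory, DbgDword, GetRegValue, ...).
try:
    import idaapi
    import idautils
    import idc
    INSIDE_IDA = True
except ImportError:          # outside IDA: only the plain-Python parts below are usable
    INSIDE_IDA = False

BAD_DWORD = 0xFFFFFFFF       # treated as a failed read, alongside None


def plausible_return_address(raw, in_segment=None):
    """Return raw as a 32-bit address, or None if the read failed or the address is
    not inside a known segment (stale or unmapped memory shows up as 0 or garbage)."""
    if raw is None or raw == BAD_DWORD:
        return None
    value = raw & 0xFFFFFFFF
    if in_segment is not None and not in_segment(value):
        return None
    return value


class CoverageLog(object):
    """Records (function_ea, return_address) hits; rejected reads go to bad_reads."""

    def __init__(self):
        self.hits = []
        self.bad_reads = []

    def record(self, ea, esp, read_dword, refresh=None, in_segment=None):
        if refresh is not None:
            refresh()            # invalidate IDA's cached memory view *before* reading
        raw = read_dword(esp)    # must read the debuggee, e.g. idc.DbgDword, not get_long
        ret = plausible_return_address(raw, in_segment)
        if ret is None:
            self.bad_reads.append((ea, raw))
        else:
            self.hits.append((ea, ret))
        return ret


class FakeMemory(object):
    """Constructed stand-in for the debuggee's stack (address -> dword), for use outside IDA."""

    def __init__(self, dwords):
        self.dwords = dict(dwords)

    def read_dword(self, ea):
        return self.dwords.get(ea, BAD_DWORD)


if INSIDE_IDA:
    def segment_known(ea):
        return idc.SegStart(ea) != idc.BADADDR

    def set_coverage_breakpoints(start, end):
        """Non-breaking breakpoint on every function start in [start, end); returns the list."""
        eas = []
        for fun in idautils.Functions(start, end):
            idc.AddBpt(fun)
            flags = idc.GetBptAttr(fun, idc.BPTATTR_FLAGS)
            idc.SetBptAttr(fun, idc.BPTATTR_FLAGS, flags & ~idc.BPT_BRK)
            eas.append(fun)
        return eas

    class CoverageHook(idaapi.DBG_Hooks):
        def __init__(self, bpt_eas):
            idaapi.DBG_Hooks.__init__(self)
            self.bpt_eas = bpt_eas       # remembered so process exit does not depend on ScreenEA()
            self.log = CoverageLog()

        def dbg_bpt(self, tid, ea):
            esp = idc.GetRegValue('esp')
            ret = self.log.record(ea, esp, idc.DbgDword,
                                  refresh=idc.RefreshDebuggerMemory,
                                  in_segment=segment_known)
            name = idc.GetFunctionName(ea)
            if ret is None:
                print("[!] 0x%08x - %s : [esp=0x%08x] unreadable or outside any segment" % (ea, name, esp))
            else:
                print("[*] Hit : 0x%08x - %s  RET : 0x%08x" % (ea, name, ret))
            # return value only controls IDA's breakpoint warning dialog (see debughook.py);
            # BPT_BRK is cleared, so the process keeps running either way
            return 0

        def dbg_process_exit(self, pid, tid, ea, code):
            for fun in self.bpt_eas:
                idc.DelBpt(fun)
            self.unhook()
            print("[*] %d hits, %d rejected reads" % (len(self.log.hits), len(self.log.bad_reads)))
            return 0

    seg_start, seg_end = idc.SegStart(idc.ScreenEA()), idc.SegEnd(idc.ScreenEA())
    coverage_hook = CoverageHook(set_coverage_breakpoints(seg_start, seg_end))
    coverage_hook.hook()
    print("[*] Set %d breakpoints" % idc.GetBptQty())
```

Keeping the refresh-then-read order inside record() is the point: a reader that goes to the IDB's copy, or that reads before the refresh, returns whatever IDA last synchronised, which is how 0x00000000 and values such as 0x9b3e0acd end up in the coverage log. Rejecting addresses outside any segment is an extra check; the values at [ESP] on function entry should always land in the module or in a loaded DLL.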