deresz / funcap Goto Github PK

Now to support thiscall conventions (ECX register) you should modify the configuration:

self.CMT_CALL_CTX = [re.compile('^arg'), re.compile('^ECX')]
self.CMT_RET_CTX = [re.compile('^EAX')]
self.CMT_RET_SAVED_CTX = [re.compile('^arg'), re.compile('^ECX')]

But then it's shown in all the calls the ECX register as an argument.

It would be nice to detect the call convention of the call and only when the call convention is thiscall shows the ECX argument.

Can funcap be run in macOS?
I try to use funcap in macOS,I tried to use ida to reverse an ios app,but something went wrong,below is the info:

/Applications/IDA Pro 7.0/ida.app/Contents/MacOS/plugins/funcap/funcap.py: exceptions must be old-style classes or derived from BaseException, not str
Traceback (most recent call last):
  File "/Applications/IDA Pro 7.0/ida64.app/Contents/MacOS/python/ida_idaapi.py", line 553, in IDAPython_ExecScript
    execfile(script, g)
  File "/Applications/IDA Pro 7.0/ida.app/Contents/MacOS/plugins/funcap/funcap.py", line 1920, in <module>
    raise "FunCap: architecture not supported"
TypeError: exceptions must be old-style classes or derived from BaseException, not str

Exception in DBG Hook function:
Traceback (most recent call last):
File "E:/Crack tools/Hex-Rays IDA 6.1 Pro Andvanced/python/funcap.py", line 1365, in dbg_step_into
self.handle_after_call(ret_addr, self.stub_name)
File "E:/Crack tools/Hex-Rays IDA 6.1 Pro Andvanced/python/funcap.py", line 1209, in handle_after_call
ret_shift = self.calc_ret_shift(ea)
File "E:/Crack tools/Hex-Rays IDA 6.1 Pro Andvanced/python/funcap.py", line 1470, in calc_ret_shift
curr_head = PrevHead(GetFunctionAttr(ea, FUNCATTR_END))
TypeError: PrevHead() takes exactly 2 arguments (1 given) }

I am so careless.....I update IDAPython,then,there is no errors.

Instead of simple arg frame size calculation (get_num_args_stack()) and argument primitive type guessing (only string and int) - we could read function prototypes guessed by IDA, or even HexRays decompiler plugin, and cast arguments at them. For API calls we could use some info from underlying debugging symbols. This seem cool but it's lot of work and it should be experimentally verified first if it would work at all.

Single step and continue requests are lost sometimes (tried on 32-bit java.exe v1.6.0 - confirmed and logged with hexrays) and sometimes, on the other hand, we get a lot of unexpected single steps. It will probably be better to calculate the destination jump address instead of using single stepping - it should be more stable.

Crashes almost immediately after hooking a segment and running the debugger. Have tried multiple executables that work well with IDA 6.6 but crash almost immediately on 6.7. Can give a crash dump on request.

Using IDA Pro 6.7.141229 32bit

Commands executed: d.on(); d.hookSeg(".text")

Better call and ret association: build a call tree for each thread instead of current stack pointer-based hashing (this turns out not reliable)

d.hookSeg() will not finish and running python script window wont go away until pressing cancel.

IDA Pro 7.7

It would be very cool to have also the comment of the trace in the decompiled pseudocode.

Re-implementation of funcap as a pintool. This poses some chalenges but I think it is worth the effort, especially for things like obfuscated code where standard debugger breakpoints mess up with the code and traditional trace is just too slow. I am unsure if it would work for ARM, and sure that it won't support kernel mode so it has some drawbacks ...

some database interface for collected data + UI plugin in IDA - so that right click on a function call in IDA will show the table with links to different captures for that particular call. This would be really cool.

On my Ida 6.1 funcap crashes Ida after adding lots of breakpoints and calling ProcessResume.
If I limit number of addet breakpoints the crash does not occur. I can not figure out whether crash caused by some specific breakpoint on their amount.

Amd64 stack-based arguments are not always well captured. To reproduce: try 64-bit version of java.exe v1.6.0. - we get too large stack frame

I haven't been able to get funcap to log any functions. I'm on IDA 6.3 and it hasn't logged any functions when I've debugged binaries.

The way I've been trying to do it is starting the script and then starting the process through the debugger menu. Is there a different way you're supposed to do it?