fengjixuchui / indirectcalls Goto Github PK
View Code? Open in Web Editor NEWThis project forked from nihilus/indirectcalls
This project forked from nihilus/indirectcalls
indirectCalls IDA Pro Plugin ---------------------------- The plugin was developed for the book "Reverse Engineering with IDA Pro". Description: The indirectCalls plugin operates on ELF and PE IA-32 binaries. The plugin is used to help reverse engineer C++ binaries. C++ binaries present a challenge to the reverse engineer. This plugin attempts to help with C++'s use of indirect calls. C++ code uses calls through registers as shown in the following assembly snippet : .text:030876E4 mov esi, [ecx] ; esi = VTable .text:030876E6 push eax .text:030876E7 call dword ptr [esi+1Ch] ; indirect call The plugin also tracks indirect jumps such as: jmp eax The plugin and documentation refers to indirect calls and jumps as indirect calls for the sake of brevity. Cross references are not created by IDA during analysis. The plugin sets breakpoints on all indirect calls, including indirect jumps. The binary is exercised by the debugger and any plugin set breakpoints are recorded. Options are available to create cross references and display a list of possible VTables. Usage: The plugin will have an entry under ( Edit | Plugins | indirectCalls). The plugin by default is bound to a hotkey (Alt-F7). The current cursor address is used to determine which segment to plugin uses. Starting the plugin will bring up the following menu: ----------------------------- (*) Run Debugger ( ) Only collect information ----------------------------- [x] Display indirect call list [x] Display BPs hit [ ] Display cross segment BPs hit [ ] Make the xrefs [ ] Make the xrefs for cross segment calls [x] Display possible vtables [ ] Include non-offset(call [eax]) calls for vtables ----------------------------- Radio button options: Run the debugger - This option executes the program using the built in debugger. This option should not be used on unknown binaries without proper precautions. Process options under the Debugger need to configured. Only collect information - This option only scans the binary for indirect calls. The 'Display indirect call list' checkbox must be selected, otherwise no information is presented to the user. All the other checkbox options are only valid when running under the debugger. Checkbox options: Display indirect call list - This option lists all indirect calls such as: jmp eax call ebx call [esi + 1Ch] Display BPs hit - This option will list all indirect calls whose breakpoint was hit. Display cross segment BPs hit - This options will also include breakpoints on indirect calls that span across segments. Cross segment calls are generally imports. Make the xrefs - This option will create code cross references between the indirect call and the target. Make the xrefs for cross segment calls - This option also creates cross references for targets belonging to a different segment than the caller. Display possible vtables - The plugin attempts to calculate VTables by using the base register value in a call similar to the following: call [eax + 8h] ; this option assumes eax points to the base of a VTable Include non-offset(call [eax]) calls for vtables - This option will also include calls lacking offsets into VTable calculation. This option can lead to false positives as generally a VTable is rarely called once and only through the first function. Note: By default the debugger displays messages whenever a breakpoint is hit. This behavior can slow down the plugin considerably. Debugger options are located under ( Debugger | Debugger options ... ). Building: The plugin builds with Visual Studio 2005/2008 including Express Editions. The project currently assumes the location of the SDK to be: C:\SDK\idasdk51 If the SDK is in a different location a couple options need to be updated. The options are located under the indirectCalls Property pages. Both of options listed below must be updated to reflect the location of the SDK. 1. C/C++ -> General -> Additional Include Directories 2. Linker -> General -> Additional Library Directories NOTE: There is a bug in all versions of the SDK. One of the #includes in \include\intel.hpp needs to changed. from: #include “../idaidp.hpp” to: #include “../module/idaidp.hpp Todo: The plugin was written as a proof of concept. Many improvements can be made. The plugin should determine which segments are marked as executable code, rather than relying on the current cursor position. The breakpoints can be changed to lower level code similar to Ilfak's code coverage plugin, (http://hexblog.com/2006/03/coverage_analyzer.html) Exception handling is left to the user. Static analysis can be combined with the plugin to help reconstruct objects and determine inheritance. Changelog: v.01 - Initial release for book Contact: Please contact me considering any bugs. http://jeru.ringzero.net/?page_id=3
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.