我是勤劳的搬运工,送给需要的人
本帖最后由 fgs720319 于 2015-7-19 20:24 编辑from idaapi import *
from idc import *
import idautils
EXTERNALMETHOD = "__ZN12IOUserClient14externalMethodEjP25IOExternalMethodArgumentsP24IOExternalMethodDispatchP8OSObjectPv"
GETNOTIFICATIONSEMAPHORE =
"__ZN12IOUserClient24getNotificationSemaphoreEmPP9semaphore"
GETTARGETANDMETHODFORINDEX =
"__ZN12IOUserClient26getTargetAndMethodForIndexEPP9IOServicem"
EXTERNALMETHOD_OFFSET = -8;
GETTARGETANDMETHODFORINDEX_OFFSET = 7;
def find_sMethods():
func_ea = LocByName(GETNOTIFICATIONSEMAPHORE)
print "IOUserClient::getNotificationSemaphore at %08x" % func_ea
xrefs = XrefsTo(func_ea) for xref in xrefs:
extra_msg = ""
external_method_ea = xref.frm + EXTERNALMETHOD_OFFSET * 4;
content_ea = Dword(external_method_ea) & 0xFFFFFFFE;
if content_ea & 0xFFFFFFFE != LocByName(EXTERNALMETHOD):
extra_msg += "IOUserClient::externalMethod overriden (%08x - %s) " % (content_ea & 0xFFFFFFFE, GetFunctionName(content_ea))
gettarget_method_ea = xref.frm + GETTARGETANDMETHODFORINDEX_OFFSET * 4;
content_ea = Dword(gettarget_method_ea) & 0xFFFFFFFE;
if content_ea != LocByName(GETTARGETANDMETHODFORINDEX):
extra_msg += "IOUserClient::getTargetAndMethodFromIndex overriden (%08x - %s) " % (content_ea & 0xFFFFFFFE, GetFunctionName(content_ea))
driver=SegName(xref.frm)
driver=driver[:driver.index(':')]
print "%s - %s" % (driver, extra_msg)
if __name__ == '__main__':
find_sMethods()
print "Done!"
好像很牛逼的样子,完全看不懂。 额,这是在寻找ht公司泄露文件时发现的某人写的寻找UserClient sMethods IDA脚本,我看不懂所以转给大家看看 好像很牛逼的样子,完全看不懂。{:4_88:}
页:
[1]