nirizr revised this gist
Aug 14, 2017 . 1 changed file with 3 additions and 11 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,32 +1,24 @@ import idc, idaapi, idautils, ida_xref def find_stack_members(func_ea): members = {} base = None frame = idc.GetFrame(func_ea) for frame_member in idautils.StructMembers(frame): member_offset, member_name, _ = frame_member members[member_offset] = member_name if member_name == ' r': base = member_offset if not base: raise ValueError("Failed identifying the stack's base address using the return address hidden stack member") return members, base def find_stack_xrefs(func_offset): func_ea = ida_funcs.get_func(func_offset).startEA members, stack_base = find_stack_members(func_ea) for func_item in FuncItems(func_ea): flags = idc.GetFlags(ea) stkvar = 0 if idc.isStkvar0(flags) else 1 if idc.isStkvar1(flags) else None if not stkvar: continue ida_ua.decode_insn(func_item) -
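Review bot: `flags = idc.GetFlags(ea)` in `find_stack_xrefs` references `ea`, which is not bound anywhere in that function (the loop variable is `func_item`), so the first loop iteration raises NameError; it should read `flags = idc.GetFlags(func_item)`. The following `if not stkvar: continue` also skips every reference made through operand 0, because the conditional expression yields `0` for `isStkvar0` and `0` is falsy; `if stkvar is None: continue` keeps those references, and the same falsy-zero issue is present in the `isStkvar()` / `if not stkvar` pair of the earlier revision below. The same pattern appears in `find_stack_members` as `if not base:`, which would report a missing return-address member when `' r'` sits at frame offset 0; `if base is None:` is the intended check. `ida_funcs`, `ida_ua` and the bare `FuncItems` are used but never imported, which presumably only works when the script is run inside the IDA console namespace; `import ida_funcs, ida_ua` and `idautils.FuncItems(func_ea)` would make it runnable as a standalone script. The body of `find_stack_xrefs` continues past the end of this hunk.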
nirizr created this gist
Aug 14, 2017 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,39 @@ import idc, idaapi, idautils, ida_xref import functools def find_stack_members(func_ea): members = {} base = None frame = idc.GetFrame(func_ea) for frame_member in idautils.StructMembers(frame): member_offset, member_name, member_type = frame_member members[member_offset] = member_name if member_name == ' r': base = member_offset if not base: raise ValueError("Failed identifying the stack's base address using the return address hidden stack member") return members, base def isStkvar(ea): flags = idc.GetFlags(ea) if idc.isStkvar0(flags): return 0 if idc.isStkvar1(flags): return 1 return False def find_stack_xrefs(func_offset): func_ea = ida_funcs.get_func(func_offset).startEA members, stack_base = find_stack_members(func_ea) for func_item in FuncItems(func_ea): stkvar = isStkvar(func_item) if not stkvar: continue ida_ua.decode_insn(func_item) op = ida_ua.cmd.Operands[stkvar] stack_offset = op.addr + idc.GetSpd(func_item) + stack_base member = members[stack_offset] print("At offset {:x} stack member {} is referenced by operand number {}".format(func_item, member, stkvar)) if __name__ == "__main__": find_stack_xrefs(idc.ScreenEA())
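Review bot: `member = members[stack_offset]` raises KeyError as soon as a stack operand resolves to an offset that is not the start of a named frame member (an access into the middle of an array or struct field, or an offset outside the frame), aborting the whole scan instead of reporting that one instruction; `member = members.get(stack_offset, '<unnamed>')` keeps the loop going and still shows the miss in the print. `ida_ua.decode_insn(func_item)` followed by `ida_ua.cmd.Operands[stkvar]` relies on the global `cmd` instruction object of the pre-7.0 API; if this is meant to run on IDA 7.x, that global no longer exists and the sequence becomes roughly `insn = ida_ua.insn_t(); ida_ua.decode_insn(insn, func_item); op = insn.ops[stkvar]`, so a module comment naming the targeted IDA API version would save the next reader a failed run. `import functools` and `ida_xref` are unused and can be dropped.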