A higher level API for IdaRub
sp <foobarcom> Friday, July 21 2006 07:35.06 CDT


I'm still dreaming of IdaHaskell for the sheer expressiveness that language provides. Alas, I fear IdaHaskell will remain a dream for years to come. Using IdaRub it is fortunately possible to make a big step towards the expressiveness of Haskell. I have started to develop a higher-level API for IdaRub that allows you to do things in fewer lines of code.

Here are a few examples.

Here's how you get a sorted list of all instruction mnemonics used in a file:

p file.map{|f| f.map{|i| i.instruction}}.flatten.uniq.sort

Want to find all functions that start with a jmp instruction (import thunks, typically)? Here you go:

p file.map{|f| [f.name, f[0].instruction]}.select{|x| x[1] == "jmp"}

Or what about listing all functions ordered by the number of code references to their first instruction, i.e. roughly by how often they are called?

p file.map{|f| [f.name, f[0].crefs_to.length]}.sort{|x,y| y[1] <=> x[1]}

If you want a sorted list of all byte values used in the first function, you'd do this:

p (file[0].start .. file[0].end).map{|x| x.byte}.uniq.sort{|x,y| x-y}.map{|x| "%02X" % x}

If you want a list of all Unicode strings in the file that contain an asterisk (string type 3 is IDA's ASCSTR_UNICODE), the following one-liner does the job:

p file.string_list.select{|x| x.type == 3 && x.offset.unicode =~ /\*/}.map{|x| [x.offset.offset, x.offset.unicode]}

I could go on and on and on. The number of one-liners to do neat stuff is nearly endless. It's not quite Haskell yet, but I'm reasonably happy.

There's also a new instruction counter script that makes use of the high-level API. The new script is noticeably smaller and prettier to look at. Furthermore, you will notice that all output is directed through the new idap function. This function prints to stdout if the script is started from the console (remote mode) and to the output window inside IDA if the script is started from within IDA (local mode), so the same script runs unchanged in both modes.
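The one-liners above and the idap output function, as an added example that is not part of the original post and not IdaRub's own code: a constructed stand-in for the objects the one-liners touch (file, function, instruction, string list) plus a small invented sample program, so the idioms can be exercised and unit-tested outside IDA. The attribute names (name, instruction, crefs_to, string_list, type, offset, unicode) follow the post's usage; the class names, the sample data and the mode detection in idap (treating the presence of IDA's msg output function as local mode) are assumptions made here, since the post does not say how the real idap decides. The jmp query is generalised to any mnemonic.

```ruby
# Stand-in model, constructed for this example (not IdaRub's API): a file
# enumerates functions, a function enumerates and indexes its instructions,
# an instruction has a mnemonic and the addresses that reference it.
Instruction = Struct.new(:ea, :instruction, :crefs_to)

class Function
  attr_reader :name
  def initialize(name, instructions)
    @name, @instructions = name, instructions
  end
  def [](i); @instructions[i]; end
  def map(&blk); @instructions.map(&blk); end
end

Address    = Struct.new(:offset, :unicode)   # .offset = numeric address, .unicode = decoded text
StringItem = Struct.new(:type, :offset)      # type 3 stands for IDA's ASCSTR_UNICODE

class IdaFile
  attr_reader :string_list
  def initialize(functions, string_list)
    @functions, @string_list = functions, string_list
  end
  def [](i); @functions[i]; end
  def map(&blk); @functions.map(&blk); end
end

# Constructed sample program: main calls helper twice and the import thunk once.
SAMPLE = IdaFile.new(
  [
    Function.new("main", [
      Instruction.new(0x401000, "push", []),
      Instruction.new(0x401001, "call", []),
      Instruction.new(0x401006, "call", []),
      Instruction.new(0x40100b, "call", []),
      Instruction.new(0x401010, "ret",  []),
    ]),
    Function.new("helper", [
      Instruction.new(0x401020, "mov", [0x401001, 0x401006]),   # two call sites in main
      Instruction.new(0x401023, "ret", []),
    ]),
    Function.new("_imp_ExitProcess", [
      Instruction.new(0x401030, "jmp", [0x40100b]),             # import thunk, one call site
    ]),
  ],
  [
    StringItem.new(3, Address.new(0x402000, "*.dll")),
    StringItem.new(0, Address.new(0x402010, "plain ascii *")),  # ASCII: must not match the Unicode query
    StringItem.new(3, Address.new(0x402020, "hello")),
    StringItem.new(3, Address.new(0x402030, "C:\\Temp\\*")),
  ]
)

# The post's one-liners, wrapped in functions so they can be asserted on.
def instructions_used(file)
  file.map{|f| f.map{|i| i.instruction}}.flatten.uniq.sort
end

def functions_starting_with(file, mnemonic)   # the post's jmp query, for any mnemonic
  file.map{|f| [f.name, f[0].instruction]}.select{|x| x[1] == mnemonic}
end

def functions_by_reference_count(file)        # code references to the entry point, most first
  file.map{|f| [f.name, f[0].crefs_to.length]}.sort{|x,y| y[1] <=> x[1]}
end

def unicode_strings_matching(file, re)        # the asterisk is escaped: /*/ is not a valid regex
  file.string_list.select{|x| x.type == 3 && x.offset.unicode =~ re}.map{|x| [x.offset.offset, x.offset.unicode]}
end

# Output dispatcher in the spirit of the post's idap. Assumption for this example:
# IDA's msg() (its output-window printer) is bound at top level when running
# inside IDA, so its presence means local mode; otherwise we are remote and print
# to stdout. Returns the string so callers can chain or test it.
def output_sink
  respond_to?(:msg, true) ? :ida_output_window : :stdout
end

def idap(str)
  output_sink == :ida_output_window ? msg(str + "\n") : $stdout.puts(str)
  str
end

if __FILE__ == $0
  idap "instructions: #{instructions_used(SAMPLE).inspect}"
  idap "jmp thunks:   #{functions_starting_with(SAMPLE, 'jmp').inspect}"
  idap "by refs:      #{functions_by_reference_count(SAMPLE).inspect}"
  idap "unicode '*':  #{unicode_strings_matching(SAMPLE, /\*/).inspect}"
end
```

The ASCII entry that also contains an asterisk is there on purpose: it shows that the `type == 3` guard, not the regex, is what restricts the query to Unicode strings. Swapping SAMPLE for the real file object inside IDA leaves the query functions unchanged, which is the point of keeping the stand-in's attribute names identical to the post's.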

Right now the high-level API is merely a quick one-day hack. Nevertheless you can already do pretty cool stuff with it. You might want to check it out.
