// @author Ko Nakagawa
// @category PCode
// @keybinding
// @menupath
// @toolbar
import ghidra.app.decompiler.DecompInterface;
import ghidra.app.decompiler.DecompileOptions;
import ghidra.app.script.GhidraScript;
import ghidra.program.model.pcode.*;
import ghidra.program.model.symbol.*;
import java.util.regex.Pattern;
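/**
 * Ghidra script that decompiles the function under the cursor, finds every call to
 * {@code GetProcAddress}, recovers the procedure name from the call's second argument and
 * renames the variable receiving the call result to {@code pfn<ProcName>}.
 *
 * <p>The procedure name is read out of the analyzed binary, i.e. from untrusted data, so it is
 * sanitized before it is written into the program database as a symbol name.
 */
public class ModifyDecompileResultFromFunctionName extends GhidraScript {

    /** Timeout, in seconds, handed to {@code DecompInterface.decompileFunction}. */
    private static final int DECOMPILE_TIMEOUT_SECONDS = 30;

    /** Name of the imported API whose results are renamed. */
    private static final String TARGET_FUNCTION_NAME = "GetProcAddress";

    /** Prefix of the generated variable name ("pointer to function"). */
    private static final String VARIABLE_NAME_PREFIX = "pfn";

    /** Characters that are not kept in a generated variable name; each run is replaced by '_'. */
    private static final Pattern UNSAFE_NAME_CHARS = Pattern.compile("[^A-Za-z0-9_]+");

    /**
     * Reports whether {@code vn} is an address varnode whose symbol name contains {@code fncName}.
     *
     * <p>A substring match is used, so decorated variants of the name (prefixes or suffixes added
     * by the importer) match as well; callers that need an exact match must check the name
     * themselves.
     *
     * @param vn      call-target varnode, may be {@code null}
     * @param fncName name fragment to look for
     * @return {@code true} when a symbol exists at the varnode's address and its name contains
     *         {@code fncName}
     */
    private boolean isTargetFunction(VarnodeAST vn, String fncName) {
        if (vn == null || !vn.isAddress()) {
            return false;
        }
        final var symbol = getSymbolAt(vn.getAddress());
        return symbol != null && symbol.toString().contains(fncName);
    }

    /**
     * Recovers the procedure-name string passed as the second argument of a
     * {@code GetProcAddress} call.
     *
     * <p>Input 0 of a CALL/CALLIND op is the call target, so the second argument is input 2. The
     * argument varnode is expected to be defined by a p-code op whose first input is a constant
     * or an address pointing at the string data.
     *
     * @param pcGetProcAddress the CALL/CALLIND op
     * @return the string with its surrounding quotes removed, or {@code null} when the argument
     *         cannot be traced back to string data
     */
    private String findProcName(PcodeOpAST pcGetProcAddress) {
        // Fewer inputs than expected: the argument is simply not there.
        if (pcGetProcAddress.getNumInputs() <= 2) {
            return null;
        }
        final var argVarnode = (VarnodeAST) pcGetProcAddress.getInput(2);
        if (argVarnode == null) {
            return null;
        }
        // The defining op is expected to copy the string address into the argument.
        final PcodeOp definingOp = argVarnode.getDef();
        if (definingOp == null || definingOp.getNumInputs() == 0) {
            return null;
        }
        final var sourceVarnode = (VarnodeAST) definingOp.getInput(0);
        if (sourceVarnode == null || (!sourceVarnode.isConstant() && !sourceVarnode.isAddress())) {
            return null;
        }
        final var nameDataAtConst = sourceVarnode.getAddress();
        if (nameDataAtConst == null) {
            return null;
        }
        // NOTE: Cannot get string data at const address space, thus convert it to ram address space
        final var nameDataAtRamSpace = toAddr(nameDataAtConst.getUnsignedOffset());
        final var nameData = getDataAt(nameDataAtRamSpace);
        if (nameData == null) {
            return null;
        }
        final var representation = nameData.getDefaultValueRepresentation();
        if (representation == null) {
            return null;
        }
        return stripQuotes(representation);
    }

    /**
     * Returns the text between the first and last double quote of {@code representation}.
     *
     * <p>Rejecting unquoted representations (instead of blindly chopping the first and last
     * character) keeps non-string data from being turned into a bogus name.
     *
     * @param representation default value representation of the data at the argument address
     * @return the quoted content, or {@code null} when the representation is not a quoted string
     */
    private static String stripQuotes(String representation) {
        final int open = representation.indexOf('"');
        final int close = representation.lastIndexOf('"');
        if (open < 0 || close <= open) {
            return null;
        }
        return representation.substring(open + 1, close);
    }

    /**
     * Builds the variable name written into the program database.
     *
     * <p>{@code procName} originates from the analyzed binary and is therefore attacker
     * controlled; anything outside {@code [A-Za-z0-9_]} is collapsed to '_' so the symbol name
     * is always well formed.
     *
     * @param procName recovered procedure name, non-null
     * @return {@code "pfn"} followed by the sanitized name
     */
    private static String toVariableName(String procName) {
        return VARIABLE_NAME_PREFIX + UNSAFE_NAME_CHARS.matcher(procName).replaceAll("_");
    }

    /**
     * Decompiles the function containing the cursor and renames the result variable of every
     * {@code GetProcAddress} call found in it.
     *
     * @throws Exception when the cursor is outside a function, the decompiler cannot be opened,
     *                   or no high function is produced
     */
    @Override
    public void run() throws Exception {
        final var curFunction = getFunctionContaining(currentAddress);
        if (curFunction == null) {
            throw new Exception("Current address is not inside a function");
        }
        final var ifc = new DecompInterface();
        try {
            ifc.setOptions(new DecompileOptions());
            if (!ifc.openProgram(currentProgram)) {
                throw new Exception("Cannot open program in decompiler: " + ifc.getLastMessage());
            }
            ifc.setSimplificationStyle("decompile");
            final var res = ifc.decompileFunction(curFunction, DECOMPILE_TIMEOUT_SECONDS, monitor);
            if (res == null || !res.decompileCompleted() || res.getHighFunction() == null) {
                throw new Exception("Cannot get high function");
            }
            renameGetProcAddressResults(res.getHighFunction());
        } finally {
            // The decompiler runs as a separate process; always release it.
            ifc.dispose();
        }
    }

    /**
     * Walks the p-code of {@code highFunction} and renames the output variable of each call to
     * {@code GetProcAddress} whose procedure name can be recovered.
     *
     * <p>Calls whose name or output variable cannot be resolved are reported and skipped, so one
     * unresolvable call does not stop the remaining calls from being processed.
     *
     * @param highFunction decompiler output for the current function, non-null
     */
    private void renameGetProcAddressResults(HighFunction highFunction) {
        final var pcodeOps = highFunction.getPcodeOps();
        while (pcodeOps.hasNext()) {
            final var op = pcodeOps.next();
            final var opcode = op.getOpcode();
            if (opcode != PcodeOp.CALL && opcode != PcodeOp.CALLIND) {
                continue;
            }
            if (!isTargetFunction((VarnodeAST) op.getInput(0), TARGET_FUNCTION_NAME)) {
                continue;
            }
            println("GetProcAddress is found");
            final var procName = findProcName(op);
            printf("Second argument is %s\n", procName);
            if (procName == null || procName.isEmpty()) {
                println("Cannot recover the procedure name; result variable left unchanged");
                continue;
            }
            final Varnode outVarnode = op.getOutput();
            final var highVariable = outVarnode == null ? null : outVarnode.getHigh();
            if (highVariable == null) {
                println("Cannot find high variable");
                continue;
            }
            final var highSymbol = highVariable.getSymbol();
            if (highSymbol == null) {
                println("Cannot get high symbol");
                continue;
            }
            final var newName = toVariableName(procName);
            try {
                HighFunctionDBUtil.updateDBVariable(highSymbol, newName, null, SourceType.USER_DEFINED);
            } catch (Exception e) {
                // e.g. a name clash when the same procedure is resolved twice; report and go on.
                printf("Cannot rename variable to %s: %s\n", newName, e.getMessage());
            }
        }
    }
}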