API refactoring. find_all_calls_to(_within)

mandiant · Feb 18, 2020 · 88fe71a · 88fe71a
1 parent 486613c
commit 88fe71a
Show file tree

Hide file tree

Showing 11 changed files with 64 additions and 28 deletions.
diff --git a/FIDL/decompiler_utils.py b/FIDL/decompiler_utils.py
@@ -12,8 +12,7 @@
 # <[email protected]>
 # ===========================================================================
 
-__version__ = '1.0'
-__codename__ = 'nerdilicious'
+__version__ = '1.1'
 
 from idc import *
 from idaapi import *
@@ -2247,7 +2246,7 @@ def get_all_vars_in_node(cex):
     return var_indexes
 
 
-def find_all_calls_to(f_name, ea):
+def find_all_calls_to_within(f_name, ea):
     """Finds all calls to a function with the given name \
     within the function containing the ``ea`` address.
 
@@ -2266,7 +2265,7 @@ def find_all_calls_to(f_name, ea):
     try:
         c = controlFlowinator(ea=ea, fast=False)
     except Exception as e:
-        print("Failed to find_all_calls_to {}".format(f_name))
+        print("Failed to find_all_calls_to_within {}".format(f_name))
         print(e)
         return []
 
@@ -2285,6 +2284,43 @@ def find_all_calls_to(f_name, ea):
     return call_objs
 
 
+def find_all_calls_to(f_name):
+    """Finds all calls to a function with the given name
+
+    Note that the string comparison is relaxed to find variants of it, that is,
+    searching for ``malloc`` will match as well ``_malloc``, ``malloc_0``, etc.
+
+    :param f_name: the function name to search for
+    :type f_name: string
+    :return: a list of :class:`callObj`
+    :rtype: list
+    """
+
+    f_ea = get_name_ea_simple(f_name)
+    if f_ea == BADADDR:
+        print("Failed to resolve address for {}".format(f_name))
+        return []
+
+    callz = []
+    callers = set()
+
+    for ref in XrefsTo(f_ea, True):
+        if not ref.iscode:
+            continue
+
+        # Get a set of unique *function* callers
+        f = get_func(ref.frm)
+        f_ea = f.start_ea
+        callers.add(f_ea)
+
+    for caller_ea in callers:
+        c = find_all_calls_to_within(f_name, caller_ea)
+        print("{:X}".format(caller_ea), len(c))
+        callz += c
+
+    return callz
+
+
 def find_elements_of_type(cex, element_type, elements=None):
     """Recursively extracts expression elements until \
     a :class:`cexpr_t` from a specific group is found

diff --git a/FIDL/docs/_build/html/_sources/tutorial.rst.txt b/FIDL/docs/_build/html/_sources/tutorial.rst.txt
@@ -449,7 +449,7 @@ The following script implements this:
     import FIDL.decompiler_utils as du
 
 
-    callz = du.find_all_calls_to(f_name='GetProcAddress', ea=here())
+    callz = du.find_all_calls_to_within(f_name='GetProcAddress', ea=here())
     for co in callz:
         # The *second* argument of ``GetProcAddress`` is the API name
         api_name = co.args[1].val
@@ -540,8 +540,8 @@ The example script can be found on the **examples** directory of the source code
         results = []
         suspicious_lens = []
 
-        mallocz = du.find_all_calls_to('malloc', c.ea)
-        memcpyz = du.find_all_calls_to('memcpy', c.ea)
+        mallocz = du.find_all_calls_to_within('malloc', c.ea)
+        memcpyz = du.find_all_calls_to_within('memcpy', c.ea)
 
         if not mallocz or not memcpyz:
             return []
@@ -617,7 +617,7 @@ The example script can be found on the **examples** directory of the source code
 
 As we can see, :ref:`controlFlowinator_label` object is indeed the central piece of this API. It is the only argument of the function ``find_possible_malloc_issues`` at line 14. The convenience function ``do_for_all_funcs`` (line 89) is used to iterate over all functions on a binary, calculate their ``controlFlowinator`` and call a function with it as parameter (see line 90) and the API documentation for more information about this wrapper.
 
-At lines 27, 28 all occurrences of calls to ``malloc`` and ``memcpy`` are calculated. The result of ``find_all_calls_to`` are so called ``callObj``, a complex data structure containing a lot of information about the *call* (name, arguments, location, etc.)
+At lines 27, 28 all occurrences of calls to ``malloc`` and ``memcpy`` are calculated. The result of ``find_all_calls_to_within`` are so called ``callObj``, a complex data structure containing a lot of information about the *call* (name, arguments, location, etc.)
 
 The argument of ``malloc`` is used as a parameter of ``is_arithmetic_expression`` (line 41), an auxiliary function returning a *boolean*, indicating whether the expression is arithmetic (that is, addition, substraction, multiplication, etc. or a combination of them). In this specific case we specify a second parameter to restrict the search to additions only.
 

diff --git a/FIDL/docs/_build/html/api.html b/FIDL/docs/_build/html/api.html
@@ -548,8 +548,8 @@
 </dd></dl>
 
 <dl class="function">
-<dt id="decompiler_utils.find_all_calls_to">
-<code class="sig-prename descclassname">decompiler_utils.</code><code class="sig-name descname">find_all_calls_to</code><span class="sig-paren">(</span><em class="sig-param">f_name</em>, <em class="sig-param">ea</em><span class="sig-paren">)</span><a class="headerlink" href="#decompiler_utils.find_all_calls_to" title="Permalink to this definition">¶</a></dt>
+<dt id="decompiler_utils.find_all_calls_to_within">
+<code class="sig-prename descclassname">decompiler_utils.</code><code class="sig-name descname">find_all_calls_to_within</code><span class="sig-paren">(</span><em class="sig-param">f_name</em>, <em class="sig-param">ea</em><span class="sig-paren">)</span><a class="headerlink" href="#decompiler_utils.find_all_calls_to_within" title="Permalink to this definition">¶</a></dt>
 <dd><p>Finds all calls to a function with the given name     within the function containing the <code class="docutils literal notranslate"><span class="pre">ea</span></code> address.</p>
 <p>Note that the string comparison is relaxed to find variants of it, that is,
 searching for <code class="docutils literal notranslate"><span class="pre">malloc</span></code> will match as well <code class="docutils literal notranslate"><span class="pre">_malloc</span></code>, <code class="docutils literal notranslate"><span class="pre">malloc_0</span></code>, etc.</p>

diff --git a/FIDL/docs/_build/html/api_overview.html b/FIDL/docs/_build/html/api_overview.html
@@ -597,8 +597,8 @@
 </dd></dl>
 
 <dl class="function">
-<dt id="decompiler_utils.find_all_calls_to">
-<code class="descclassname">decompiler_utils.</code><code class="descname">find_all_calls_to</code><span class="sig-paren">(</span><em>f_name</em>, <em>ea</em><span class="sig-paren">)</span><a class="headerlink" href="#decompiler_utils.find_all_calls_to" title="Permalink to this definition">¶</a></dt>
+<dt id="decompiler_utils.find_all_calls_to_within">
+<code class="descclassname">decompiler_utils.</code><code class="descname">find_all_calls_to_within</code><span class="sig-paren">(</span><em>f_name</em>, <em>ea</em><span class="sig-paren">)</span><a class="headerlink" href="#decompiler_utils.find_all_calls_to_within" title="Permalink to this definition">¶</a></dt>
 <dd><p>Finds all calls to a function with the given name     within the function containing the <code class="docutils literal notranslate"><span class="pre">ea</span></code> address</p>
 <table class="docutils field-list" frame="void" rules="none">
 <col class="field-name" />

diff --git a/FIDL/docs/_build/html/genindex.html b/FIDL/docs/_build/html/genindex.html
@@ -260,7 +260,7 @@ <h2 id="D">D</h2>
 <h2 id="F">F</h2>
 <table style="width: 100%" class="indextable genindextable"><tr>
   <td style="width: 33%; vertical-align: top;"><ul>
-      <li><a href="api.html#decompiler_utils.find_all_calls_to">find_all_calls_to() (in module decompiler_utils)</a>
+      <li><a href="api.html#decompiler_utils.find_all_calls_to_within">find_all_calls_to_within() (in module decompiler_utils)</a>
 </li>
   </ul></td>
   <td style="width: 33%; vertical-align: top;"><ul>