IDA 中的 IDC 腳本、Python 腳本以及插件功能給我們提供了很強大的擴展性。我們在分析二進制代碼的時候，總會有些時候需要寫些腳本來提供自動化分析，釋放我們的雙手。
腳本已經很方便了，但有些時候爲了效率我們還是需要編寫插件。現在就來介紹一下 IDA 插件的編寫：
#include <ida.hpp>
#include <idp.hpp>
#include <search.hpp>
#include <loader.hpp>
#include <Windows.h>
#include "Search_arm_syscall.h"
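// Called once when IDA loads the plugin.
//
// The byte pattern scanned by search_svc_call() is the ARM-mode
// "mov r7, #imm8 ; svc 0" pair, so under any other processor module the
// plugin is meaningless and could rename functions on chance matches.
// Returns PLUGIN_KEEP to stay loaded, PLUGIN_SKIP to be unloaded.
int IDAP_init(void)
{
    // ph is the current processor module (idp.hpp).
    if (ph.id != PLFM_ARM)
        return PLUGIN_SKIP;
    return PLUGIN_KEEP;
}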
// Called when the plugin is unloaded. Nothing to release: the plugin keeps
// no state between runs, so this is intentionally empty.
void IDAP_term(void)
{
}
// The plugin can be passed an integer argument from the plugins.cfg
// file. This can be useful when you want the one plug-in to do
// something different depending on the hot-key pressed or menu
// item selected.
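// Plugin entry point, invoked from the hot-key or Edit->Plugins menu.
//
// arg: integer from plugins.cfg; unused here since the plugin has a single
//      action.
// Scans the first segment of the database for ARM syscall stubs via
// search_svc_call(); results are reported through msg()/set_name().
void IDAP_run(int arg)
{
    (void)arg;

    // getnseg() returns NULL when the database has no segments; the
    // original code dereferenced it unconditionally.
    segment_t *seg = getnseg(0);
    if (seg == NULL)
    {
        msg("search arm syscall: database has no segments\n");
        return;
    }

    // NOTE(review): only segment 0 is scanned, as in the original. On a
    // typical ELF the first segment is not necessarily the code segment;
    // iterating all segments may be what is actually wanted - confirm.
    // %a is IDA's format for ea_t; %x truncates on 64-bit ea_t builds.
    msg("search arm syscall start %a end %a\n", seg->startEA, seg->endEA);
    search_svc_call(seg->startEA, seg->endEA);
}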
// Strings referenced by the PLUGIN descriptor below. The comment and help
// texts are not used by this plugin beyond being passed to IDA.
char IDAP_comment[] = "This is my test plug-in";
char IDAP_help[] = "My plugin";
// The name of the plug-in displayed in the Edit->Plugins menu. It can
// be overridden in the user's plugins.cfg file.
char IDAP_name[] = "My plugin";
// The hot-key the user can use to run your plug-in (also overridable in
// plugins.cfg).
char IDAP_hotkey[] = "Alt-X";
// The all-important exported PLUGIN object: the descriptor IDA reads when
// loading the plugin. Field order is fixed by the SDK's plugin_t.
plugin_t PLUGIN =
{
IDP_INTERFACE_VERSION, // IDA version plug-in is written for
0, // Flags (none set)
IDAP_init, // Initialisation function (returns PLUGIN_KEEP/PLUGIN_SKIP)
IDAP_term, // Clean-up function
IDAP_run, // Main plug-in body
IDAP_comment, // Comment (unused)
IDAP_help, // As above (unused)
IDAP_name, // Plug-in name shown in
// Edit->Plugins menu
IDAP_hotkey // Hot key to run the plug-in
};
下面寫一個在 ARM ELF 中遍歷 svc 呼叫（系統調用）的函數，並把包含該呼叫的函數以對應的系統調用名重新命名：
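// Scan [start, end) for the ARM-mode instruction pair
//     E3 A0 70 xx   mov r7, #xx   (imm8, rotation 0)
//     EF 00 00 00   svc 0
// i.e. a Linux EABI syscall stub whose number fits in one byte, print each
// hit and rename the enclosing function after the syscall.
//
// Limitations that follow from the pattern itself:
//  - syscall numbers >= 256, immediates that use a rotation, "ldr r7, =n"
//    and sequences with other instructions between the mov and the svc
//    are not detected;
//  - Thumb encodings are not handled;
//  - a function containing several hits keeps the name of the last hit.
//
// start, end: address range to search (end exclusive).
// Returns 0; results are reported via msg() and set_name().
int search_svc_call(ea_t start, ea_t end)
{
    static const char pattern[] = "?? 70 A0 E3 00 00 00 EF";
    const ea_t pattern_len = 8;

    // ea_t is unsigned: a range shorter than the pattern, or end < start,
    // must not be allowed to wrap (the original's "end - 8" did).
    if (end < start || end - start < pattern_len)
        return 0;

    // One continuous search instead of one find_binary() call per 2-byte
    // window; restart just past each hit so every match is visited once.
    // BADADDR (not 0xFFFFFFFF) is the "not found" value for ea_t.
    ea_t hit = find_binary(start, end, pattern, getDefaultRadix(), SEARCH_DOWN);
    while (hit != BADADDR)
    {
        // Low byte of the mov is the immediate, i.e. the syscall number.
        unsigned nr = get_full_byte(hit) & 0xFF;

        // NOTE(review): arm_syscall_table comes from Search_arm_syscall.h
        // and its size is not visible here. If it has fewer than 256
        // entries this index can read out of bounds - confirm and bound it.
        const char *name = arm_syscall_table[nr];
        if (name == NULL)
        {
            // Unassigned slot in the table: never pass NULL to %s.
            msg("svc CALL :%a unknown syscall %u\n", hit, nr);
        }
        else
        {
            msg("svc CALL :%a %s\n", hit, name);
            func_t *fn = get_func(hit);
            // set_name() fails if the name is taken or invalid; log instead
            // of letting IDA pop a warning dialog for every such hit.
            if (fn != NULL && !set_name(fn->startEA, name, SN_NOWARN))
                msg("  could not rename function at %a to %s\n", fn->startEA, name);
        }

        if (hit + 1 >= end)
            break;
        hit = find_binary(hit + 1, end, pattern, getDefaultRadix(), SEARCH_DOWN);
    }
    return 0;
}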