import idaapi
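def resolve_n_comment(func, func_name):
    """
    Resolve API

    Walk every xref to *func_name* (the sample's own hash-based API resolver),
    recover the two arguments the caller loads into EDX and ECX, invoke the
    resolver through the Appcall stub *func*, and comment the call site with
    the exported name found at the returned address.

    Args:
        func: Appcall stub for the resolver, invoked as func(val1, val2) and
            expected to return the resolved API address.
        func_name: name of the resolver function in the IDB.

    Side effects: adds a comment (MakeComm) at each call site that resolves;
    call sites that cannot be resolved are skipped.
    """
    for xref in XrefsTo(LocByName(func_name)):
        # Arguments are passed in registers (see PROTO): the nearest
        # `mov edx, ...` before the call, then `mov ecx, ...` before that.
        val1_ea = search_inst(xref.frm, "mov", "edx")
        if val1_ea == idaapi.BADADDR:
            continue
        val2_ea = search_inst(PrevHead(val1_ea), "mov", "ecx")
        if val2_ea == idaapi.BADADDR:
            continue
        val1_op = GetOperandValue(val1_ea, 1)
        val2_op = GetOperandValue(val2_ea, 1)
        # Call Dridex's resolver inside the debuggee. Appcall reports failure
        # (no debugger, bad arguments, resolver fault) by raising, so treat
        # any exception as "this call site could not be resolved".
        try:
            addr = func(val1_op, val2_op)
        except Exception:
            continue
        try:
            # Exported names of all loaded modules. Re-read on every iteration
            # on the assumption that the resolver may load further modules
            # during the call — TODO confirm against the sample.
            names = idaapi.get_debug_names(idaapi.cvar.inf.minEA, idaapi.cvar.inf.maxEA)
            # Debug names are stored as module_export; show them as module!export.
            # KeyError here means the resolver returned a non-export address.
            MakeComm(xref.frm, names[addr].replace("_", "!"))
        except Exception:
            continue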
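def search_inst(ea, inst, op0=None):
    """
    Find first instruction before the given ea

    Walk backwards from *ea* (inclusive) until an instruction whose mnemonic
    equals *inst* is found; when *op0* is given, the text of operand 0 must
    also match.

    Args:
        ea: address to start from; it is checked first, then the PrevHead chain.
        inst: mnemonic to match, as returned by GetMnem.
        op0: optional operand-0 text (as returned by GetOpnd) that must match.

    Returns:
        The matching address, or idaapi.BADADDR when the walk runs off the
        start of the database without a match.
    """
    while ea != idaapi.BADADDR:
        if GetMnem(ea) == inst:
            # op0 is None means a mnemonic-only search, which must also
            # terminate on the first match rather than walk forever.
            if op0 is None or GetOpnd(ea, 0) == op0:
                return ea
        ea = PrevHead(ea)
    return idaapi.BADADDR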
# Initialization ------------------------------------------
# Name of Dridex's API resolver as labelled in the IDB, and its __usercall
# prototype: first argument in EDX, second in ECX, result returned in EAX.
FUNC_NAME = "resolve_api"
PROTO = "PVOID __usercall %s@<eax>(DWORD val1@<edx>, DWORD val2@<ecx>);" % FUNC_NAME
# Execution -----------------------------------------------
# Appcall executes the resolver inside the debugged process, so this script
# is meant to be run while the sample is open under the IDA debugger.
resolve_function = Appcall.proto(FUNC_NAME, PROTO)
resolve_n_comment(resolve_function, FUNC_NAME)