我正在使用ghidra对ARM二进制文件进行一些反向工程。我想知道是否有一种方法来获取与所有清单相关的基本块。是否可以通过IDE使用某个功能,或者是否可以通过脚本管理器使用一个脚本,以便至少在一个功能内获取基本块。尽管我找到了反汇编二进制文件的脚本,但找不到列出基本块的函数。除了ghidra,还有其他逆向工程工具可以帮助我完成这项工作吗?谢谢!

#1 楼

您可以使用BasicBlockModel

示例

from ghidra.program.model.block import BasicBlockModel
from ghidra.util.task import TaskMonitor

bbm = BasicBlockModel(currentProgram)
blocks = bbm.getCodeBlocks(TaskMonitor.DUMMY)
block = blocks.next()

while block:
    print "Label: {}".format(block.name)
    print "Min Address: {}".format(block.minAddress)
    print "Max address: {}".format(block.maxAddress)
    print
    block = blocks.next()


Output 

Label: LAB_0048b428
Min Address: 0048b428
Max address: 0048b43f

Label: httpStringPut
Min Address: 0048b440
Max address: 0048b46b

Label: 0048b46c
Min Address: 0048b46c
Max address: 0048b47f

Label: LAB_0048b480
Min Address: 0048b480
Max address: 0048b4b3

Label: httpBoundaryGet
Min Address: 0048b4c0
Max address: 0048b4cf

<snip>

更新

如果要打印反汇编的基本块,可以将脚本修改为

from ghidra.program.model.block import BasicBlockModel
from ghidra.util.task import TaskMonitor

def print_disassembly(block):
    listing = currentProgram.getListing()
    ins_iter = listing.getInstructions(block, True)

    while ins_iter.hasNext():
        ins = ins_iter.next()
        print "{} {}".format(ins.getAddressString(False, True), ins)

bbm = BasicBlockModel(currentProgram)
blocks = bbm.getCodeBlocks(TaskMonitor.DUMMY)
block = blocks.next()

while block:
    print_disassembly(block)
    block = blocks.next()
    print


输出

00409fcc lui gp,0xb
00409fd0 addiu gp,gp,0x68b4
00409fd4 addu gp,gp,t9
00409fd8 addiu sp,sp,-0x20
00409fdc sw gp,0x10(sp)
00409fe0 sw ra,0x1c(sp)
00409fe4 sw gp,0x18(sp)
00409fe8 bal 0x00409ff0
00409fec _nop

00409ff0 lui gp,0x4c
00409ff4 addiu gp,gp,0x880
00409ff8 lw t9,-0x7fe8(gp)
00409ffc nop
0040a000 addiu t9,t9,-0x5e80
0040a004 jalr t9
0040a008 _nop
0040a00c lw gp,0x10(sp)
0040a010 nop
0040a014 bal 0x0040a01c
0040a018 _nop

<snip>


评论

非常感谢你!

–hEShaN
20 Mar 20 '20在15:41
有没有一种方法可以帮助我获取属于每个基本块的程序集助记符? block.getAddresses(True)将给我一个迭代器,但是我需要的是一组属于基本块的助记符

–hEShaN
20-3-20在20:05


@hEShaN检查更新的答案。

– 0xec
20 Mar 20 '20在21:38
非常感谢!

–hEShaN
20 Mar 20 '20 at 21:47

#2 楼

0xec已经回答了您,但是如果您对函数感兴趣,可以按如下所示进行迭代

#TODO Lists Functions in a given program
#@author  blabb
#@category _NEW_

funcs = currentProgram.getFunctionManager().getFunctions(True)
f1 = funcs.next()
print("Function Name",f1.getName())
print("Function Body" , f1.getBody())
print("Function Entry" , f1.getEntryPoint())
print("Functions Calls",f1.getCalledFunctions(ghidra.util.task.TaskMonitor.DUMMY))
print("Function is Called From",f1.getCallingFunctions(ghidra.util.task.TaskMonitor.DUMMY))


对于第一个函数使用hasnext()或while( next)到
循环

functions.py> Running...
('Function Name', u'MmFreeIndependentPages')

('Function Body', [[140001010, 140001172] [1401d4c1a, 1401d4c8c] ])

('Function Entry', 140001010)

('Functions Calls', [MiReturnPoolCharges, MiPteInShadowRange, memset, MiIsPfnFromSlabAllocation, 
MiWritePteShadow,MI_READ_PTE_LOCK_FREE,MiLockAndDecrementShareCount,MiReleasePtes, MiPteHasShadow])

('Function is Called From', [MmFreeIsrStack, FUN_14098fe9c, IopLiveDumpAllocateDumpBuffers, 
IopLiveDumpWriteDumpFile, KiStartDynamicProcessor, IopLiveDumpWriteDumpFileWithHvPages,   
HvlDeleteProcessor,IopLiveDumpFreeDumpBuffers,ExDeletePoolTagTable, HvlStartBootLogicalProcessors,  
KeStartAllProcessors, HvlpInitializeHvCrashdump, IopLiveDumpReleaseResources])


评论

非常感谢你

–hEShaN
20 Mar 20 '20在15:41

#3 楼

@ 0xec的答案很好。该脚本将帮助您明智地使用块功能。

from ghidra.program.model.block import BasicBlockModel

blockiterator = BasicBlockModel(currentProgram).getCodeBlocks(monitor)
# dictionary contains function wise basic block information
functions = {}

def add_block(function, block):
    if function not in functions:
         functions[function] = []
    functions[function].append(block)

# For each block, look through the function list until we find a match
while blockiterator.hasNext():
    cur_block = blockiterator.next().getMinAddress()
    function = getFirstFunction()
    found = False

    # Search functions until we find a match or run out of functions
    while function is not None:
        b = function.getBody()
        if b.contains(cur_block):
            add_block(function.getName(), cur_block)
            found=True
            break

        # Update function to next and loop again
        function = getFunctionAfter(function)

    # Done searching functions. If we never found it, add to unknown list
    if not found:
        add_block("_unknown", cur_block)

print(functions)