IDA-Python Batch Script Analysis

As is well known, IDAPython is a very handy tool for analysing binary programs.
When a large number of binaries has to be analysed, the processing can be automated as a batch job.
Environment: IDA Pro 7.5, Python 3.7

Two Python files are needed here:

analysis.py

Implements the concrete analysis of a single binary.

Demo:

import idc
import os
import ida_auto
import ida_pro
import ida_nalt
import ida_ida

def analysis():
    # Do some things
    pass

def main():
    # Wait until IDA's auto-analysis of the loaded file has finished.
    ida_auto.auto_wait()
    analysis()
    # Exit IDA so the batch driver can move on to the next file.
    ida_pro.qexit(0)

if __name__ == "__main__":
    main()

run.py

Demo:

import os
import subprocess

dir_path = "path_to_binfile"
ida64_path = "path_to_ida"
analysis_file = "path_to_analysis.py"

def run():
    for root, dirs, files in os.walk(dir_path):
        for file_name in files:
            file_path = os.path.join(root, file_name)
            # -L: log file, -c: create a fresh database, -A: autonomous (no dialogs),
            # -S: script to run once the file is loaded.
            # Passing an argument list (not a single string) keeps file names
            # containing spaces intact and never hands them to a shell.
            cmd = [ida64_path, "-LD:/mylog.log", "-c", "-A", "-S" + analysis_file, file_path]
            p = subprocess.Popen(cmd)
            p.wait()

if __name__ == "__main__":
    run()

Where:

dir_path is the directory containing the binaries to analyse

ida64_path points to the local IDA executable

analysis_file points to the analysis.py above

Small example

Here we want the call addresses (relative addresses) of a given function across several binaries:

analysis.py

import idc
import idautils
import os
import ida_auto
import ida_pro
import ida_nalt
import ida_ida

# Appended to, so results from every binary in the batch end up in one file
# (relative to IDA's working directory).
outfile = open("result.txt", "a+")

def analysis():
    # Lowest address of the image; subtracting it yields image-relative offsets.
    addr_base = ida_ida.inf_get_min_ea()
    danger_funcs = ["system"]
    filename = ida_nalt.get_root_filename()
    for func in danger_funcs:
        addr = idc.get_name_ea_simple(func)
        if addr != idc.BADADDR:
            # All code cross-references to the symbol, i.e. its call sites.
            cross_refs = idautils.CodeRefsTo(addr, 0)
            for ref in cross_refs:
                ref = ref - addr_base
                outfile.write(filename + "-" + "%s" % func + "-0x" + "%08x" % ref + "\n")

def main():
    ida_auto.auto_wait()
    analysis()
    # Close before qexit(); nothing after qexit() runs.
    outfile.close()
    ida_pro.qexit(0)

if __name__ == "__main__":
    main()

run.py

import os
import subprocess

dir_path = "C://Users/Desktop/bin_file"
ida64_path = "E://IDA_Pro_v7.5_Portable/ida.exe"
analysis_file = "C://Users/Desktop/analysis.py"

def run():
    for root, dirs, files in os.walk(dir_path):
        for file_name in files:
            print(file_name)
            file_path = os.path.join(root, file_name)
            # Argument list instead of a formatted string: file names with
            # spaces survive and nothing is interpreted by a shell.
            cmd = [ida64_path, "-LD:/mylog.log", "-c", "-A", "-S" + analysis_file, file_path]
            p = subprocess.Popen(cmd)
            p.wait()

if __name__ == "__main__":
    run()

Then simply run python3 run.py.
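As an added example (my code, not the author's), a variant of run.py that builds the IDA argument list in one place, gives each headless run a timeout so one stubborn binary cannot stall the whole batch, and parses the file-func-0xADDR lines that analysis.py writes to result.txt. All paths are placeholders and the sample result lines are constructed.

```python
import os
import subprocess
from collections import defaultdict

# Placeholder paths (assumptions, not the author's machine).
dir_path = "path_to_binfile"
ida64_path = "path_to_ida"
analysis_file = "path_to_analysis.py"
log_path = "D:/mylog.log"

# Constructed sample of what analysis.py appends to result.txt.
SAMPLE_RESULT_LINES = [
    "vuln-app.exe-system-0x0000103c",
    "vuln-app.exe-system-0x00002010",
    "other.bin-system-0x00000400",
    "",
]

def build_cmd(ida_path, script_path, target, log=log_path):
    """Argument list for one headless IDA run: -L log file, -c fresh database,
    -A autonomous mode, -S script. A list (not a formatted string) keeps file
    names with spaces or quotes intact and never passes them through a shell."""
    return [ida_path, "-L" + log, "-c", "-A", "-S" + script_path, target]

def run_batch(timeout=600):
    """Run analysis.py over every file under dir_path; return {path: exit code}.
    None marks a run that hit the timeout, so it can be retried or inspected."""
    status = {}
    for root, _dirs, files in os.walk(dir_path):
        for file_name in files:
            file_path = os.path.join(root, file_name)
            cmd = build_cmd(ida64_path, analysis_file, file_path)
            try:
                status[file_path] = subprocess.run(cmd, timeout=timeout).returncode
            except subprocess.TimeoutExpired:
                status[file_path] = None
    return status

def parse_results(lines):
    """Group 'file-func-0xADDR' lines into {file: {func: [addr, ...]}}."""
    calls = defaultdict(lambda: defaultdict(list))
    for line in lines:
        line = line.strip()
        if not line:
            continue
        # Split from the right: the binary's own name may contain '-'.
        fname, func, addr = line.rsplit("-", 2)
        calls[fname][func].append(int(addr, 16))
    return {f: dict(v) for f, v in calls.items()}

if __name__ == "__main__":
    print(run_batch())
    for fname, funcs in parse_results(SAMPLE_RESULT_LINES).items():
        for func, addrs in funcs.items():
            print(fname, func, len(addrs), "call sites")
```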

Notes

The IDAPython API changed starting with version 7.4. If the locally installed IDA Pro is version 7.4 or later, API calls found in older posts online may no longer work; the mapping from old API names to their new counterparts can be looked up here:

https://hex-rays.com/products/ida/support/ida74_idapython_no_bc695_porting_guide.shtml

Author: HotSpurzzZ
Link: http://example.com/2021/11/12/IDA-Python 批量脚本分析程序/
Copyright: unless stated otherwise, all posts on this blog are licensed under CC BY-NC-SA 4.0. When reposting, please credit HotSpurzzZ.