问题描述
我制作了一个ida python代码,用于检查代码覆盖率。
但是,当我使用此脚本时,出现运行时错误,并且无法获得正确的ESP值。
I made a ida python code which for checking code coverage.But when I used this script, I got a runtime error and I could not get correct ESP value.
-我的代码-
from idaapi import *
class DbgHook(DBG_Hooks):
def dbg_process_exit(self, pid, tid, ea, code):
# bpt Del
for fun in Functions(SegStart(ScreenEA()),SegEnd(ScreenEA())):
DelBpt(fun)
return
debugger.unhook()
def dbg_bpt(self, tid, ea):
RefCode = get_long(GetRegValue('esp'))
print "[*] Hit : 0x%08x - %s" % (ea , GetFunctionName(ea))
print " GetRegValue : compare RET : 0x%08x" % RefCode
return 1
for fun in Functions(SegStart(ScreenEA()),SegEnd(ScreenEA())):
fnName = GetFunctionName(fun)
AddBpt(fun)
SetBptAttr(fun, BPTATTR_FLAGS, (GetBptAttr(fun, BPTATTR_FLAGS) & ~BPT_BRK ));
debugger = DbgHook()
debugger.unhook()
debugger.hook()
num_bp = GetBptQty()
print "[*] Set %d breakpoints " % num_bp
我遇到了错误
[*] Set 153 breakpoints
Cannot find sync source "view:IDA View-A"; ignoring group
400000: process C:\temp\nc.exe has started (pid=6336)
773C0000: loaded C:\WINDOWS\system32\ntdll.dll
Unloaded
Unloaded
Unloaded
Unloaded
76050000: loaded C:\WINDOWS\SysWOW64\kernel32.dll
76550000: loaded C:\WINDOWS\SysWOW64\KernelBase.dll
76360000: loaded C:\WINDOWS\SysWOW64\msvcrt.dll
77409FA0: thread has started (tid=11496)
77409FA0: thread has started (tid=10228)
74010000: loaded C:\WINDOWS\SysWOW64\wsock32.dll
76130000: loaded C:\WINDOWS\SysWOW64\ws2_32.dll
762B0000: loaded C:\WINDOWS\SysWOW64\sechost.dll
75FA0000: loaded C:\WINDOWS\SysWOW64\rpcrt4.dll
740F0000: loaded C:\WINDOWS\SysWOW64\sspicli.dll
740E0000: loaded C:\WINDOWS\SysWOW64\cryptbase.dll
770B0000: loaded C:\WINDOWS\SysWOW64\bcryptprimitives.dll
77409FA0: thread has started (tid=9556)
[*] Hit : 0x004057f0 - TlsCallback_0
GetRegValue : compare RET : 0x77436aae
[*] Hit : 0x00405eb0 - sub_405EB0
GetRegValue : compare RET : 0x00000000
[*] Hit : 0x004061e8 - InitializeCriticalSection
GetRegValue : compare RET : 0x00000000
Exception in DBG Hook function: SWIG director method error. Error detected when calling 'DBG_Hooks.dbg_bpt'
Traceback (most recent call last):
File "C:/Users/jm/Documents/MakeCode/ida-python/tutorial/Code_Cover.py", line 18, in dbg_bpt
RefCode = get_long(GetRegValue('esp'))
StopIteration
Exception in DBG Hook function: SWIG director method error. Error detected when calling 'DBG_Hooks.dbg_bpt'
Traceback (most recent call last):
File "C:/Users/jm/Documents/MakeCode/ida-python/tutorial/Code_Cover.py", line 18, in dbg_bpt
RefCode = get_long(GetRegValue('esp'))
StopIteration
[*] Hit : 0x00401020 - sub_401020
GetRegValue : compare RET : 0x00401178
[*] Hit : 0x004057f0 - TlsCallback_0
GetRegValue : compare RET : 0x00401160
[*] Hit : 0x00405620 - SetUnhandledExceptionFilter
GetRegValue : compare RET : 0x00401160
[*] Hit : 0x00405980 - sub_405980
GetRegValue : compare RET : 0x00401160
[*] Hit : 0x00405e10 - sub_405E10
GetRegValue : compare RET : 0x00401160
[*] Hit : 0x00406088 - __getmainargs
GetRegValue : compare RET : 0x00401160
[*] Hit : 0x00406090 - __p__fmode
GetRegValue : compare RET : 0x00401160
[*] Hit : 0x00405ba0 - sub_405BA0
GetRegValue : compare RET : 0x00401160
[*] Hit : 0x00405df0 - sub_405DF0
GetRegValue : compare RET : 0x9b3e0acd
[*] Hit : 0x00405d90 - sub_405D90
GetRegValue : compare RET : 0x9b3e0acd
Exception in DBG Hook function: SWIG director method error. Error detected when calling 'DBG_Hooks.dbg_bpt'
Traceback (most recent call last):
File "C:/Users/jm/Documents/MakeCode/ida-python/tutorial/Code_Cover.py", line 18, in dbg_bpt
RefCode = get_long(GetRegValue('esp'))
StopIteration
[*] Hit : 0x00401300 - sub_401300
GetRegValue : compare RET : 0x00000000
当我在0x00401300处手动检查ESP时,可以看到0x0040620b的值。但是使用我的代码,ESP值在0x00401300处为0x00000000。
when I manually checked ESP at 0x00401300, I could see 0x0040620b value. but with my code, there was an incorrect ESP value 0x00000000 at 0x00401300.
我该如何解决?
推荐答案
由于OP没有提供答案,我会给它一个机会
IDA维护它是IDB文件格式(以及处于活动状态时未压缩的文件)的分析文件的副本/表示形式。这些文件默认情况下包含可执行文件中的每个字节,并且在调试时将包含大多数已分配内存区域中的大多数字节。寄存器也发生类似的情况。
IDA maintains it's own copy / representation of the analyzed file in it's IDB file format (and the uncompressed files while active). Those files contain every byte in the executable by default, and will contain most bytes in most allocated memory regions while debugging. A similar thing happens with registers.
IDA不会(也不能)在可执行文件运行时不断更新内存和寄存器的状态,并且只会定期更新。为此,函数将强制IDA刷新内存(并注册)状态。
IDA does not (and cannot) constantly update the state of memory and registers while the executable is running and only does so periodically. To assist with that, the function RefreshDebuggerMemory()
will force IDA to refresh memory (and register) state.
这篇关于IDA Python-为什么我的代码返回错误的ESP值?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!