# This script is part of the IDA IOS Toolkit
# (C) Copyright 2011 Stefan Esser
# This script ensures that all sysctl_oid structures referenced by the
# sysctl_set segment are typed correctly. In addition, every sysctl
# oid_handler those structures reference is given the correct function type.
import idaapi, idc, idautils
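def registersysctlstructs():
    '''
    registersysctlstructs:
    Registers the 'sysctl_req' and 'sysctl_oid' struct types in IDA.

    Each C declaration is parsed into the local type library with
    idc.SetLocalType() and then imported into the IDB with idc.Til2Idb()
    so that fixupSysctlSet() can look the struct up by name.
    'sysctl_req' is registered first because 'sysctl_oid' refers to it.
    The declarations use plain pointers, so member sizes follow the IDB's
    pointer width; the rest of this script assumes a 32-bit image.

    Returns: None. Failures of the IDA calls are not reported (as before).
    '''
    decl_sysctl_req = """
struct sysctl_req {
  struct proc *p;
  int lock;
  void* oldptr;
  size_t oldlen;
  size_t oldidx;
  int (*oldfunc)(struct sysctl_req *, const void *, size_t);
  void* newptr;
  size_t newlen;
  size_t newidx;
  int (*newfunc)(struct sysctl_req *, void *, size_t);
};
"""
    decl_sysctl_oid = """
struct sysctl_oid {
  void *oid_parent;
  void *oid_link;
  int oid_number;
  int oid_kind;
  void *oid_arg1;
  int oid_arg2;
  const char *oid_name;
  int (*oid_handler) (struct sysctl_oid *oidp, void *arg1, int arg2, struct sysctl_req *req);
  const char *oid_fmt;
};
"""
    # Order matters: sysctl_oid's handler prototype names sysctl_req.
    for type_name, decl in (("sysctl_req", decl_sysctl_req),
                            ("sysctl_oid", decl_sysctl_oid)):
        # ordinal -1 / flags 0 kept exactly as the original call used them;
        # the names are qualified so the module also works when imported
        # rather than run from IDA's script console.
        idc.SetLocalType(-1, decl, 0)
        idc.Til2Idb(-1, type_name)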
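def fixupSysctlSet():
    '''
    fixupSysctlSet:
    Fixes up the '__sysctl_set' segment, ensures the targets are actually
    'sysctl_oid' structures and adds the correct function type to the handler.

    Every 4-byte slot of the segment is treated as a 32-bit pointer to a
    'sysctl_oid' (the layout registered by registersysctlstructs). Each
    target is re-typed as that struct and the address stored in its
    oid_handler member receives the handler prototype. Slots or handlers
    that are 0 / 0xFFFFFFFF are skipped instead of being applied to a
    bogus address.

    Returns: None. Prints a message and returns early when the segment,
    the struct definition or its oid_handler member cannot be found.
    '''
    segm = idaapi.get_segm_by_name("__sysctl_set")
    if not segm:
        print("Could not find __sysctl_set segment")
        return
    segea = segm.startEA
    segend = segm.endEA
    sid = idaapi.get_struc_id("sysctl_oid")
    ssize = idaapi.get_struc_size(sid)
    # get_struc_id() yields BADADDR for an unknown name; check before use.
    if sid == idaapi.BADADDR or ssize == 0:
        print("Could not load information about 'sysctl_oid' struct")
        return
    stru = idaapi.get_struc(sid)
    # clear whole range of sysctl_set segment
    idaapi.do_unknown_range(segea, segend - segea, idaapi.DOUNK_DELNAMES)
    # idapython oldschool - we work with the structure offset
    oid_handler = idaapi.get_member_by_name(stru, "oid_handler")
    if oid_handler is None:
        print("Could not find 'oid_handler' member in 'sysctl_oid' struct")
        return
    # The handler returns int, matching the oid_handler member declared in
    # registersysctlstructs (the previous prototype wrongly said 'int *').
    handler_type = ("int oid_handler(struct sysctl_oid *oidp, void *arg1, "
                    "int arg2, struct sysctl_req *req);")
    # loop through sysctl_set segment, one 32-bit pointer per entry
    while segea < segend:
        # Ensure pointer is a pointer
        idaapi.op_offset(segea, 0, idaapi.REF_OFF32, 0xffffffff, 0, 0)
        ptr = idc.Dword(segea)
        segea += 4
        # The pointer comes straight from the analysed binary; do not
        # re-type memory at a null slot or at a slot that read back as
        # all-ones (what idc.Dword() yields for unmapped bytes, as far
        # as I recall - confirm on your IDA version).
        if ptr == 0 or ptr == 0xFFFFFFFF:
            continue
        # Mark structure as sysctl_oid structure
        idaapi.do_unknown_range(ptr, ssize, idaapi.DOUNK_DELNAMES)
        idaapi.doStruct(ptr, ssize, sid)
        handler = idc.Dword(ptr + oid_handler.soff)
        # We have to support ARM THUMB code: bit 0 marks a Thumb target
        addr = handler & 0xFFFFFFFE
        if addr == 0:
            # NOTE(review): a zero handler is left alone rather than typing
            # address 0; presumably an oid without a handler - confirm.
            continue
        # Set correct function type for oid_handler
        idc.SetType(addr, handler_type)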
if __name__ == '__main__':
    # The struct types must exist in the IDB before the segment walk
    # can look them up by name, so registration runs first.
    registersysctlstructs()
    fixupSysctlSet()
    print('Done.')
# TODO generate names for structures