
菜鸟IDA python调试脚本

2015-08-12 21:24 771 查看
IDA动态调试时手工下断点还是比较费劲的，写个脚本可能更好一些。

import idc

import idaapi

import struct

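idaapi.enable_extlang_python(1)

# Module-level state shared with the breakpoint condition callbacks that
# follow in this script:
#   md    -- stack-slot address -> filename string captured by createfile()
#   add   -- buffer address captured by readfile() at the call site
#   size  -- buffer length captured by readfile() at the call site
#   index -- running count of readfile() invocations (used in dump names)
md = {}
add = 0
size = 0
index = 0
cross_refs = 0

# Colour every code reference to these named locations so the call sites
# stand out in the listing.
findname = ["MZ", "PE"]
for func in findname:
    addr = LocByName(func)
    if addr == BADADDR:
        continue
    cross_refs = CodeRefsTo(addr, 0)
    print("got it")
    # CodeRefsTo() returns an iterable of addresses, not a count; the
    # original wrapped it in range(), which raises TypeError.
    for ref in cross_refs:
        print("%08x" % ref)
        # The IDC colour-scope constant is spelled CIC_ITEM; the original
        # used CiC_ITEM, which is not defined.
        SetColor(ref, CIC_ITEM, 0x0000ff)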

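def createfile():
    """Breakpoint condition hook: record the filename argument of the hooked call.

    Reads the first stack argument ([esp+4]) as a pointer and copies the
    NUL-terminated string it points to (at most 50 bytes) out of debuggee
    memory, prints it and stores it in the module-level ``md`` dict keyed by
    the stack-slot address (so calls at the same stack depth overwrite each
    other's entry).  Always returns 1 so IDA treats the condition as true.
    """
    global md
    ea1 = GetRegValue("esp") + 4
    a = idc.Dword(ea1)
    chars = []
    # The pointer comes straight from the debuggee; a null pointer would
    # only yield garbage, so skip the read in that case.
    if a != 0:
        for i in range(50):
            k = idc.Byte(a + i)
            # Stop at the C string terminator instead of copying 50 raw
            # bytes (the original appended whatever followed the NUL).
            if k == 0:
                break
            chars.append(chr(k))
    buf = "".join(chars)
    print("filename ___%s_____\n" % buf)
    md[ea1] = buf
    return 1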

print "start"

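def readfile():
    """Breakpoint condition hook shared by two breakpoints of a read routine.

    At the call-site breakpoint (eip == 0x20095280) it captures the buffer
    pointer ([esp+8]) and length ([esp+12]) into the module-level ``add`` and
    ``size``.  At the return-site breakpoint (eip == 0x20095338) it copies
    ``size`` bytes starting at ``add`` out of debuggee memory and dumps them
    to ``c:\\hk<index>dat``.  ``index`` is bumped on every invocation, so the
    dump numbers are not consecutive.  Always returns 1.
    """
    global add, size, index
    index = index + 1
    eip = GetRegValue("eip")
    if eip == 0x20095280:
        esp = GetRegValue("esp")
        add = idc.Dword(esp + 8)
        size = idc.Dword(esp + 12)
    if eip == 0x20095338:
        # ``size`` is whatever the debuggee passed; if the return site fires
        # before the call site was seen, it is still 0 and an empty dump is
        # written.  Collect raw byte values rather than building a str.
        data = bytearray(idc.Byte(add + i) for i in range(size))
        file0 = r"c:\hk" + ("%d" % index) + "dat"
        # Write once, in binary mode.  The original wrote the same path a
        # second time in text mode, which on Windows rewrites 0x0A as
        # 0x0D 0x0A and corrupts the dump.
        with open(file0, "wb") as f1:
            f1.write(data)
    return 1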

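def _install_hook(ea, cond):
    """Set a non-suspending breakpoint at ``ea`` whose condition is ``cond``.

    Clearing bit 0 of the breakpoint flags (BPT_BRK in idc) turns the
    breakpoint into a tracing hook: IDA evaluates the condition expression
    -- which runs our callback -- and resumes without stopping the debuggee.
    """
    idc.AddBpt(ea)
    idc.SetBptAttr(ea, BPTATTR_FLAGS, GetBptAttr(ea, BPTATTR_FLAGS) & 0xfffe)
    idc.SetBptCnd(ea, cond)


# (address, condition) pairs.  The addresses are specific to the module
# image the author was debugging and must be adjusted for any other
# binary.  The original labelled all five "#fopen"; the last two are the
# call/return sites that readfile() compares eip against.
_HOOKS = [
    (0x7c00, 'createfile()'),
    (0x20001000, 'createfile()'),
    (0x20095960, 'createfile()'),
    (0x20095280, 'readfile()'),
    (0x20095338, 'readfile()'),
]

for ea, cond in _HOOKS:
    _install_hook(ea, cond)

print("end")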