IDA调试小技巧

2023-10-29

IDA脚本

- MakeNameEX
- - IDA官方链接
  - 实际运用

MakeNameEX

MakeNameEx(long ea, string name, long flags=SN_CHECK);

ea - linear address
name - new name of address. If name == "", then delete old name
flags - combination of SN_... constants

解释：MakeNameEx(函数地址,“函数名称”,函数flags);
示例：MakeNameEx(0x400104,“CreateThread”,SN_PUBLIC);

IDA官方链接

https://www.hex-rays.com/products/ida/support/idadoc/203.shtml

Rename an address
     ea - linear address
     name - new name of address. If name == "", then delete old name
     flags - combination of SN_... constants
returns: 1-ok, 0-failure

success set_name(long ea, string name, long flags=SN_CHECK);


#define SN_CHECK        0x01    // Fail if the name contains invalid characters
                                // If this bit is clear, all invalid chars
                                // (those !is_ident_char()) will be replaced
                                // by SUBSTCHAR
                                // List of valid characters is defined in ida.cfg
#define SN_NOCHECK      0x00    // Replace invalid chars with SUBSTCHAR
#define SN_PUBLIC       0x02    // if set, make name public
#define SN_NON_PUBLIC   0x04    // if set, make name non-public
#define SN_WEAK         0x08    // if set, make name weak
#define SN_NON_WEAK     0x10    // if set, make name non-weak
#define SN_AUTO         0x20    // if set, make name autogenerated
#define SN_NON_AUTO     0x40    // if set, make name non-autogenerated
#define SN_NOLIST       0x80    // if set, exclude name from the list
                                // if not set, then include the name into
                                // the list (however, if other bits are set,
                                // the name might be immediately excluded
                                // from the list)
#define SN_NOWARN       0x100   // don't display a warning if failed
#define SN_LOCAL        0x200   // create local name. a function should exist.
                                // local names can't be public or weak.
                                // also they are not included into the list of names
                                // they can't have dummy prefixes
#define SN_IDBENC       0x400   // the name is given in the IDB encoding;
                                // non-ASCII bytes will be decoded accordingly.
                                // Specifying SN_IDBENC also implies SN_NODUMMY
#define SN_FORCE        0x800   // if the specified name is already present
                                // in the database, try variations with a
                                // numerical suffix like "_123"
#define SN_NODUMMY      0x1000  // automatically prepend the name with '_' if it
                                // begins with a dummy suffix such as 'sub_'.
                                // See also SN_IDBENC
#define SN_DELTAIL      0x2000  // if name cannot be set because of a tail byte,
                                // delete the hindering item

实际运用

场景：样本通过Call+函数地址的方式调用函数，函数地址在IDA文件里面显示为数字，如：
在这里插入图片描述
函数地址大多通过Loadlibrary+GetProAddress动态获取
调用时，显示为：

通过脚本设置

设置后

前后对比

脚本中的函数地址通过IAT获取，请务必搞清楚地址，和地址内的值，以及函数之间的关系（也就是IAT是啥）
在这里插入图片描述
复制数据后，保留地址和函数名，最后处理（比如用Excel表格）成MakeNameEx(0x72941254,"CloseHandle",SN_PUBLIC)

本文内容由网友自发贡献，版权归原作者所有，本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容，请联系:hwhale#tublm.com(使用前将#替换为@)