-
Notifications
You must be signed in to change notification settings - Fork 13
Expand file tree
/
Copy pathcli_utils.cpp
More file actions
428 lines (354 loc) · 11.4 KB
/
cli_utils.cpp
File metadata and controls
428 lines (354 loc) · 11.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
/*
CLI Utils: Cross-platform code for CLI finding and hooking
*/
#include <cstring>
#include <cstdint>
#include <string>
#include "idasdk.h"
#include "cli_utils.h"
#include "macro_editor.h"
#include <idacpp/callbacks/callbacks.hpp>
using namespace idacpp::callbacks;
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#else
#include <dlfcn.h>
#ifdef __APPLE__
#include <mach-o/dyld.h>
#include <mach-o/getsect.h>
#else
#include <link.h>
#include <elf.h>
#endif
#endif
//-------------------------------------------------------------------------
// CLI Finding Implementation
//-------------------------------------------------------------------------
// Optimized search for a byte pattern in memory
// Uses memchr to quickly find first byte candidates, then validates full pattern
static const uint8_t* bin_search(const uint8_t* start, size_t size, const uint8_t* pattern, size_t pattern_len)
{
if (size < pattern_len || pattern_len == 0)
return nullptr;
const uint8_t first_byte = pattern[0];
const uint8_t* search_end = start + size - pattern_len;
const uint8_t* p = start;
while (p <= search_end)
{
// Use memchr to quickly find next occurrence of first byte
p = (const uint8_t*)memchr(p, first_byte, search_end - p + 1);
if (!p)
return nullptr;
// Found first byte - check if rest of pattern matches
if (pattern_len == 1 || memcmp(p + 1, pattern + 1, pattern_len - 1) == 0)
return p;
// Move to next position
++p;
}
return nullptr;
}
//-------------------------------------------------------------------------
// Search for a pointer to target address in memory range
static const cli_t* find_cli_struct(const uint8_t* base, size_t size, const uint8_t* target_str)
{
uintptr_t target_addr = (uintptr_t)target_str;
// Search for pointer to the target string
const uint8_t* ptr = base;
const uint8_t* end = base + size - sizeof(uintptr_t);
while (ptr <= end)
{
uintptr_t potential_ptr = *(const uintptr_t*)ptr;
// Check if this points to our target string
if (potential_ptr == target_addr)
{
// We found a pointer to the string
// The cli_t structure should be nearby (likely -8 bytes for lname field)
// cli_t layout: size(8), flags(4+padding), sname(8), lname(8), ...
// So lname is at offset 0x10
const cli_t* potential_cli = (const cli_t*)(ptr - offsetof(cli_t, lname));
// Validate: check if size field matches expected cli_t size
if (potential_cli->size == sizeof(cli_t))
{
// Additional validation: check if sname looks valid
if (potential_cli->sname != nullptr)
{
return potential_cli;
}
}
}
ptr++;
}
return nullptr;
}
//-------------------------------------------------------------------------
#ifdef _WIN32
// Windows implementation
cli_t* find_cli_in_module(const char* module_name, const char* target_string)
{
HMODULE hModule = GetModuleHandleA(module_name);
if (!hModule)
return nullptr;
// Get DOS header
PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER)hModule;
if (dos_header->e_magic != IMAGE_DOS_SIGNATURE)
return nullptr;
// Get NT headers - handle both PE32 and PE32+ (64-bit)
uint8_t* base = (uint8_t*)hModule;
PIMAGE_NT_HEADERS nt_headers = (PIMAGE_NT_HEADERS)(base + dos_header->e_lfanew);
if (nt_headers->Signature != IMAGE_NT_SIGNATURE)
return nullptr;
// Get module size based on PE format
size_t module_size;
WORD magic = nt_headers->OptionalHeader.Magic;
if (magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) // PE32+ (64-bit)
{
PIMAGE_NT_HEADERS64 nt_headers64 = (PIMAGE_NT_HEADERS64)nt_headers;
module_size = nt_headers64->OptionalHeader.SizeOfImage;
}
else if (magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) // PE32 (32-bit)
{
PIMAGE_NT_HEADERS32 nt_headers32 = (PIMAGE_NT_HEADERS32)nt_headers;
module_size = nt_headers32->OptionalHeader.SizeOfImage;
}
else
{
return nullptr; // Unknown PE format
}
// Search for the target string
size_t target_len = strlen(target_string);
const uint8_t* found_str = bin_search(
base,
module_size,
(const uint8_t*)target_string,
target_len
);
if (!found_str)
return nullptr;
// Search for cli_t structure pointing to this string
const cli_t* cli = find_cli_struct(base, module_size, found_str);
return const_cast<cli_t*>(cli);
}
#elif defined(__linux__)
// Linux implementation
cli_t* find_cli_in_module(const char* module_name, const char* target_string)
{
void* handle = dlopen(module_name, RTLD_NOLOAD | RTLD_NOW);
if (!handle)
return nullptr;
struct link_map* map;
if (dlinfo(handle, RTLD_DI_LINKMAP, &map) != 0)
{
dlclose(handle);
return nullptr;
}
uint8_t* base = (uint8_t*)map->l_addr;
// Parse ELF header to get module size
Elf64_Ehdr* ehdr = (Elf64_Ehdr*)base;
if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG) != 0)
{
dlclose(handle);
return nullptr;
}
// Calculate total size from program headers
Elf64_Phdr* phdr = (Elf64_Phdr*)(base + ehdr->e_phoff);
size_t module_size = 0;
for (int i = 0; i < ehdr->e_phnum; i++)
{
if (phdr[i].p_type == PT_LOAD)
{
size_t end = phdr[i].p_vaddr + phdr[i].p_memsz;
if (end > module_size)
module_size = end;
}
}
// Search for the target string
size_t target_len = strlen(target_string);
const uint8_t* found_str = bin_search(
base,
module_size,
(const uint8_t*)target_string,
target_len
);
if (!found_str)
{
dlclose(handle);
return nullptr;
}
// Search for cli_t structure pointing to this string
const cli_t* cli = find_cli_struct(base, module_size, found_str);
dlclose(handle);
return const_cast<cli_t*>(cli);
}
#elif defined(__APPLE__)
// macOS implementation
cli_t* find_cli_in_module(const char* module_name, const char* target_string)
{
void* handle = dlopen(module_name, RTLD_NOLOAD | RTLD_NOW);
if (!handle)
return nullptr;
Dl_info info;
if (dladdr(handle, &info) == 0)
{
dlclose(handle);
return nullptr;
}
uint8_t* base = (uint8_t*)info.dli_fbase;
// Parse Mach-O header
struct mach_header_64* mh = (struct mach_header_64*)base;
if (mh->magic != MH_MAGIC_64)
{
dlclose(handle);
return nullptr;
}
// Calculate module size by finding the highest address
struct load_command* lc = (struct load_command*)(base + sizeof(struct mach_header_64));
size_t module_size = 0;
for (uint32_t i = 0; i < mh->ncmds; i++)
{
if (lc->cmd == LC_SEGMENT_64)
{
struct segment_command_64* seg = (struct segment_command_64*)lc;
size_t end = seg->vmaddr + seg->vmsize;
if (end > module_size)
module_size = end;
}
lc = (struct load_command*)((uint8_t*)lc + lc->cmdsize);
}
// Search for the target string
size_t target_len = strlen(target_string);
const uint8_t* found_str = bin_search(
base,
module_size,
(const uint8_t*)target_string,
target_len
);
if (!found_str)
{
dlclose(handle);
return nullptr;
}
// Search for cli_t structure pointing to this string
const cli_t* cli = find_cli_struct(base, module_size, found_str);
dlclose(handle);
return const_cast<cli_t*>(cli);
}
#else
#error "Unsupported platform"
#endif
//-------------------------------------------------------------------------
// Helper functions for common CLI types
// Find Python CLI in IDAPython module
cli_t* find_python_cli()
{
#ifdef _WIN32
const char* module_name = "idapython3.dll";
#elif defined(__linux__)
const char* module_name = "idapython3.so";
#elif defined(__APPLE__)
const char* module_name = "idapython3.dylib";
#else
return nullptr;
#endif
return find_cli_in_module(module_name, "Python - IDAPython plugin");
}
// Find IDC CLI in IDA main module
cli_t* find_idc_cli()
{
#ifdef _WIN32
const char* module_name = "ida.exe";
#elif defined(__linux__)
const char* module_name = "ida";
#elif defined(__APPLE__)
const char* module_name = "ida";
#else
return nullptr;
#endif
return find_cli_in_module(module_name, "IDC - Native built-in language");
}
//-------------------------------------------------------------------------
// CLI Hooking Implementation
//-------------------------------------------------------------------------
// Define callback registry for CLI execute_line hooks
DEFINE_CALLBACK_REGISTRY(cli_execute_registry, decltype(cli_t::execute_line), MAX_CLIS)
// Context structure to allow hooking CLIs
struct cli_ctx_t
{
const cli_t *old_cli;
cli_t new_cli;
callback_handle_t cb_handle;
};
static cli_ctx_t g_cli_ctx[MAX_CLIS] = {};
//-------------------------------------------------------------------------
const cli_t *hook_cli(const cli_t *cli)
{
for (int i=0; i < qnumber(g_cli_ctx); ++i)
{
// Find empty slot
auto &ctx = g_cli_ctx[i];
if (ctx.old_cli != nullptr)
continue;
// Register callback with lambda that captures old_cli
auto result = cli_execute_registry.register_callback(
[&ctx](const char *line) -> bool {
std::string repl = macro_replacer(line);
return ctx.old_cli->execute_line(repl.c_str());
}
);
if (!result)
break;
ctx.old_cli = cli;
ctx.new_cli = *cli;
ctx.cb_handle = result->first;
ctx.new_cli.execute_line = result->second;
return &ctx.new_cli;
}
return nullptr;
}
//-------------------------------------------------------------------------
const cli_t *unhook_cli(const cli_t *cli)
{
for (auto &ctx: g_cli_ctx)
{
if (ctx.old_cli != cli)
continue;
// Unregister the callback
cli_execute_registry.unregister_callback(ctx.cb_handle);
ctx.old_cli = nullptr;
ctx.cb_handle = INVALID_CALLBACK_HANDLE;
return &ctx.new_cli;
}
return nullptr;
}
//-------------------------------------------------------------------------
// CLI Installation
//-------------------------------------------------------------------------
// Ignore UI hooks when set
bool g_b_ignore_ui_notification = false;
// [Un]install a CLI (asynchronously) using a UI request
void request_install_cli(const cli_t *cli, bool install)
{
extern bool g_b_ignore_ui_notification;
class cli_install_req_t: public ui_request_t
{
const cli_t *cli;
bool install;
public:
cli_install_req_t(const cli_t *cli, bool install) : cli(cli), install(install)
{
}
virtual bool idaapi run()
{
g_b_ignore_ui_notification = true;
if (install)
install_command_interpreter(cli);
else
remove_command_interpreter(cli);
g_b_ignore_ui_notification = false;
return false;
}
};
execute_ui_requests(
new cli_install_req_t(cli, install),
nullptr);
}