вторник, 29 декабря 2020 г.

IDCFuncs in ida pro 7.x

Let's assume what we want to have some normal programming language inside ida pro (not strange looking pile of spaces). Or just to made RPC interface so you can use several instances of ida from external processeses. In previous versions (since 4.x - I can be wrong) we had IDCFuncs which I used for example to embed perl. But since 7.x this symbol is no longer exported (obviously to make users' lives even more unbearable). Sure this small problem can`t stop me. So there are at least two ways to find IDCFuncs in any ida pro 7.x

signature search

strictly speaking this method allows you to find IDCFuncs->funcs. Name of first function in this array of ext_idcfunc_t always is "____" (yes, some undocumented function with name of four underscores). So you first must search for it in .text section (in ida.dll/ida64.dll) and then find address in .data - this will be first ext_idcfunc_t:

struct ext_idcfunc_t
{  const char *name;             ///< Name of function  
   idc_func_t *fptr;             ///< Pointer to the Function
   const char *args;             ///< Type of arguments. Terminated with 0.        
   const idc_value_t *defvals;   ///< Default argument values.
   int ndefvals;                 ///< Number of default values.     
   int flags;                    ///< \ref EXTFUN_
};

some disasm magic

It`s very ironic that in the disassembler you have to use another disassembler to find what you want. Lets see which exported functions use IDCFuncs