Index > Examples and Tutorials > Tried to remake plugin for IDA PRO 6.X in assembly

Author
Thread Post new topic Reply to topic
ProMiNick



without SDK includes for now

callee.plw.ASM
Code:
; callee.plw -- IDA 6.x plugin for 32-bit targets, written in flat assembler (Intel syntax).
; The plugin is a 32-bit PE DLL loaded into the 32-bit IDA process: arguments travel on
; the stack (invoke = stdcall, cinvoke/ccall = cdecl), results come back in eax.
; "as ''" leaves the output extension empty, so the assembled file keeps the name callee.plw.
format PE GUI 4.0 DLL as ''
entry DllEntryPoint

include 'win32a.inc'                    ; fasm Windows macros (invoke/cinvoke/ccall, import/export, TRUE/FALSE)
include 'IDA6.X_SDK_target_32.inc'      ; author's SDK translation: procedure/endp, processor_t, ea_t, nodeidx_t, PLFM_*, ... (not shown on this page)

section '.text' code readable executable

;-----------------------------------------------------------------------
; BOOL WINAPI DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
; On process attach (fdwReason == 1, DLL_PROCESS_ATTACH) switches off the
; per-thread attach/detach notifications; every reason returns TRUE.
; Out:   eax = 1
; Clobb: eax, ecx, edx (stdcall call into kernel32), flags
;-----------------------------------------------------------------------
DllEntryPoint: procedure (hinstDLL,fdwReason,lpvReserved)
        cmp     dword [fdwReason], 1    ; DLL_PROCESS_ATTACH?
        jne     .done
        mov     ecx, [hinstDLL]
        invoke  DisableThreadLibraryCalls, ecx
      .done:
        mov     eax, 1                  ; TRUE: keep the DLL loaded
        ret
endp

;-----------------------------------------------------------------------
; int AskUsingForm_c(const char *buffer, ea_t *pcallee)
; Variadic shim around callui(ui_form, form, va): the address of the pcallee
; stack slot is handed over as the va_list, so the form's single field is read
; from and written back through *pcallee.
; Out:   eax = callui result (run treats non-zero as "form accepted")
; Clobb: ecx, edx, flags (cdecl call)
;-----------------------------------------------------------------------
AskUsingForm_c: procedure (buffer,pcallee)
        lea     ecx, [pcallee]          ; ecx = &pcallee, i.e. the va_list
        cinvoke callui,ui_form,[buffer],ecx
        ret
endp

;-----------------------------------------------------------------------
; int idaapi init(void)
; Accepts the plugin only when the current processor module is x86, MIPS or
; ARM (PLUGIN_OK / PLUGIN_SKIP in the C original).
; Out:   eax = TRUE when ph->id is one of the three, 0 otherwise
; Clobb: ecx, flags
;-----------------------------------------------------------------------
init: procedure ()
        mov     ecx, [ph]               ; ecx = &ph (imported data symbol)
        mov     ecx, [ecx + processor_t.id]
        xor     eax, eax                ; default: reject (PLUGIN_SKIP)
        test    ecx, ecx                ; id 0 -- PLFM_386, as the original annotates
        jz      .accept
        cmp     ecx, PLFM_MIPS
        jz      .accept
        cmp     ecx, PLFM_ARM
        jnz     .done
  .accept:
        mov     eax, TRUE               ; PLUGIN_OK
  .done:
        ret
endp

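;-----------------------------------------------------------------------
; void idaapi run(int)
; Lets the user edit the target of the indirect call at the current address.
; The target is kept as an altval (tag 'A') of a processor-specific netnode,
; stored as callee+1; afterwards the instruction is queued for re-analysis.
; Mirrors run() of the C original.
; Globals: nname, nnode, ea, callee, buf (.data)
; Clobb:  eax, ecx, edx, flags
; Fixes vs. the posted version:
;  - the third branch target was a second ".MIPS_case" (ja jumps to .ARM_case)
;    and the non-ARM branch jumped to an undefined ".not_ARM";
;  - the thumb-bit test ran on the form's return value, not on [callee];
;  - callee+1 was written into ea, which filed the value under index callee+1
;    instead of ea and made the re-analysis below look at the wrong address.
;-----------------------------------------------------------------------
run: procedure ()
        mov     eax, [ph]
        mov     eax, [eax + processor_t.id]
        sub     eax, PLFM_MIPS          ; assumes PLFM_386 < PLFM_MIPS < PLFM_ARM; init already filtered id
        jz      .MIPS_case
        ja      .ARM_case
        mov     eax, x86_case
        jmp     .nname_ready
  .MIPS_case:
        mov     eax, mips_case
        jmp     .nname_ready
  .ARM_case:
        mov     eax, arm_case
  .nname_ready:
        mov     [nname], eax
        invoke  netnode_check,nnode,eax,0,FALSE     ; netnode n(nname)
        cinvoke callui,ui_screenea,ea               ; ea = get_screen_ea()
        invoke  get_flags_ex,[ea],GFE_NOVALUE
        and     eax, MS_CLS
        cmp     eax, FF_CODE                        ; isCode(flags)?
        jnz     .locret                             ; not an instruction
        invoke  netnode_altval,[nnode],[ea],'A'     ; n.altval(ea)
        dec     eax
        mov     [callee], eax                       ; callee = altval - 1 (unset altval reads as BADADDR)
        mov     eax, [ph]
        cmp     [eax + processor_t.id], PLFM_ARM
        jnz     .skipClearingARMmodebit
        and     dword [callee], not 1               ; remove the thumb bit for ARM
  .skipClearingARMmodebit:
        cinvoke qsnprintf,buf,MAXSTR,form,help
        ccall   AskUsingForm_c,buf,callee           ; AskUsingForm_c(buf, &callee)
        test    eax, eax
        jz      .locret                             ; form cancelled: nothing to do
        mov     eax, [callee]
        cmp     eax, BADADDR
        jnz     .valid_callee
        invoke  netnode_supdel,[nnode],[ea],'A'     ; n.altdel(ea)
        jmp     .reanalyze
  .valid_callee:
        mov     edx, [ph]
        cmp     [edx + processor_t.id], PLFM_ARM
        jnz     .skipthumbbit
        test    al, 1                               ; eax = callee: thumb bit already set?
        jnz     .skipthumbbit
        invoke  get_segreg,[callee],reg__T          ; tbit = get_segreg(callee, T)
        test    eax, eax
        jz      .skipthumbbit
        cmp     eax, BADSEL
        jz      .skipthumbbit
        or      dword [callee], 1                   ; calling a thumb function: set bit 0
  .skipthumbbit:
        mov     eax, [callee]
        inc     eax
        mov     [callee], eax                       ; callee += 1; ea keeps the current address
        invoke  netnode_supset,[nnode],[ea],callee,4,'A'    ; n.altset(ea, callee+1)
  .reanalyze:
        mov     eax, [ea+ea_t.lo]
        cmp     eax, BADADDR
        jz      .locret
        mov     eax, [ea]
        inc     eax
        invoke  auto_mark_range,[ea],eax,$28        ; noUsed(ea): $28 = 40 = AU_USED
  .locret:
        ret
endp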

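section '.data' data readable writeable

; plugin_t PLUGIN: version, flags, init, term (NULL), run, comment, help, wanted_name, wanted_hotkey
; -- same field order as the PLUGIN description block of the C original.
PLUGIN plugin_t IDP_INTERFACE_VERSION,0,init,NULL,run,comment,help,wanted_name,wanted_hotkey

nname           dd ?            ; const char *: netnode name picked by run
nnode           nodeidx_t ;dd   ; netnode index filled in by netnode_check
ea              ea_t      ;dd   ; current screen address
callee          ea_t      ;dd   ; edited target address (a local in the C original);
                                ; run reads and writes it, and nothing else on this
                                ; page declared it -- drop this line if the SDK include does

comment         db 'Change the callee address',0
; Fix: the first line of 'help' lacked its closing quote, so the whole db ran past the end of the line.
help            db 'This plugin allows the user to change the address of the called function',10,\
                   'in constructs like',10,\
                   10,\
                   '       call esi',10,\
                   10,\
                   'You can enter a function name instead of its address',10,0
; Form template: %s receives 'help'; the one input field ($ = address) is bound to &callee.
form            db 'HELP',10,\
                   '%s',10,\
                   'ENDHELP',10,\
                   'Enter the callee address',10,\
                   10,\
                   '  <~C~allee:$:500:40:::>',10\
                   ,10\
                   ,10,0
; wanted_name is the same text as comment, so alias it instead of storing it twice.
virtual at comment
        wanted_name     db 'Change the callee address',0
end virtual
wanted_hotkey   db 'Alt-F11',0
mips_case       db '$ mips',0
arm_case        db ' $arm',0
x86_case        db '$ vmm functions',0

buf             db MAXSTR dup (?)       ; scratch for the qsnprintf'ed form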


section '.idata' import data readable writeable

  ; IDA.WLL is the 6.x kernel DLL of the 32-bit-target IDA.  'ph' is imported
  ; as a data symbol, so [ph] in .text yields the address of the processor_t.
  library idawll,'IDA.WLL',\
          kernel32,'KERNEL32.DLL'

  import idawll,\
         netnode_check,'netnode_check',\
         netnode_altval,'netnode_altval',\
         netnode_supset,'netnode_supset',\
         netnode_supdel,'netnode_supdel',\
         get_flags_ex,'get_flags_ex',\
         callui,'callui',\
         auto_mark_range,'auto_mark_range',\
         ph,'ph',\
         get_segreg,'get_segreg',\
         qsnprintf,'qsnprintf'

  import kernel32,\
         DisableThreadLibraryCalls,'DisableThreadLibraryCalls'

; IDA finds the plugin through its exported PLUGIN descriptor (defined in .data).
section '.edata' export data readable

  export 'callee.plw',\
         PLUGIN,'PLUGIN'

; Base relocations so the DLL stays loadable when it cannot be mapped at its preferred base.
section '.reloc' fixups data readable discardable


callee.p64.ASM
Code:
; callee.p64 -- IDA 6.x plugin for 64-bit targets (ida64), written in flat assembler (Intel syntax).
; Still a 32-bit PE DLL in a 32-bit IDA process; the difference from callee.plw is that
; ea_t / nodeidx_t / sel_t are 64-bit, so they are passed as lo/hi dword pairs and
; returned in edx:eax.  "as ''" leaves the output extension empty (file name callee.p64).
format PE GUI 4.0 DLL as ''
entry DllEntryPoint

include 'win32a.inc'                    ; fasm Windows macros (invoke/cinvoke/ccall, import/export, TRUE/FALSE)
include 'IDA6.X_SDK_target_64.inc'      ; author's SDK translation: procedure/endp, processor_t, ea_t(.lo/.hi), PLFM_*, ... (not shown on this page)

section '.text' code readable executable

;-----------------------------------------------------------------------
; BOOL WINAPI DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
; On process attach (fdwReason == 1, DLL_PROCESS_ATTACH) switches off the
; per-thread attach/detach notifications; every reason returns TRUE.
; Out:   eax = 1
; Clobb: eax, ecx, edx (stdcall call into kernel32), flags
;-----------------------------------------------------------------------
DllEntryPoint: procedure (hinstDLL,fdwReason,lpvReserved)
        cmp     dword [fdwReason], 1    ; DLL_PROCESS_ATTACH?
        jne     .done
        mov     ecx, [hinstDLL]
        invoke  DisableThreadLibraryCalls, ecx
      .done:
        mov     eax, 1                  ; TRUE: keep the DLL loaded
        ret
endp

;-----------------------------------------------------------------------
; int AskUsingForm_c(const char *buffer, ea_t *pcallee)
; Variadic shim around callui(ui_form, form, va): the address of the pcallee
; stack slot is handed over as the va_list, so the form's single field is read
; from and written back through *pcallee (a 64-bit ea_t in this build).
; Out:   eax = callui result (run treats non-zero as "form accepted")
; Clobb: ecx, edx, flags (cdecl call)
;-----------------------------------------------------------------------
AskUsingForm_c: procedure (buffer,pcallee)
        lea     ecx, [pcallee]          ; ecx = &pcallee, i.e. the va_list
        cinvoke callui,ui_form,[buffer],ecx
        ret
endp

;-----------------------------------------------------------------------
; int idaapi init(void)
; Accepts the plugin only when the current processor module is x86, MIPS or
; ARM (PLUGIN_OK / PLUGIN_SKIP in the C original).
; Out:   eax = TRUE when ph->id is one of the three, 0 otherwise
; Clobb: ecx, flags
;-----------------------------------------------------------------------
init: procedure ()
        mov     ecx, [ph]               ; ecx = &ph (imported data symbol)
        mov     ecx, [ecx + processor_t.id]
        xor     eax, eax                ; default: reject (PLUGIN_SKIP)
        test    ecx, ecx                ; id 0 -- PLFM_386, as the original annotates
        jz      .accept
        cmp     ecx, PLFM_MIPS
        jz      .accept
        cmp     ecx, PLFM_ARM
        jnz     .done
  .accept:
        mov     eax, TRUE               ; PLUGIN_OK
  .done:
        ret
endp

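;-----------------------------------------------------------------------
; void idaapi run(int)
; 64-bit-target variant of run(): ea_t / nodeidx_t / sel_t are dword pairs
; (.lo/.hi) in memory and edx:eax in registers.  The call target is kept as
; an altval (tag 'A') of a processor-specific netnode, stored as callee+1;
; afterwards the instruction is queued for re-analysis.
; Globals: nname, nnode, ea, callee, buf (.data)
; Clobb:  eax, ecx, edx, flags
; Fixes vs. the posted version:
;  - the third branch target was a second ".MIPS_case" (ja jumps to .ARM_case);
;  - the "tbit != 0" test used AND of the two halves, which is 0 for e.g. tbit
;    == 1; it now ORs them (AND is only right for the all-ones BADSEL test);
;  - callee+1 was written (low half only) into ea, which filed the value under
;    the wrong index and made the re-analysis below look at the wrong address.
;-----------------------------------------------------------------------
run: procedure ()
        mov     eax, [ph]
        mov     eax, [eax + processor_t.id]
        sub     eax, PLFM_MIPS          ; assumes PLFM_386 < PLFM_MIPS < PLFM_ARM; init already filtered id
        jz      .MIPS_case
        ja      .ARM_case
        mov     eax, x86_case
        jmp     .nname_ready
  .MIPS_case:
        mov     eax, mips_case
        jmp     .nname_ready
  .ARM_case:
        mov     eax, arm_case
  .nname_ready:
        mov     [nname], eax
        invoke  netnode_check,nnode,eax,0,FALSE     ; netnode n(nname)
        cinvoke callui,ui_screenea,ea               ; ea = get_screen_ea()
        invoke  get_flags_ex,[ea + ea_t.lo],[ea + ea_t.hi],GFE_NOVALUE
        and     eax, MS_CLS
        cmp     eax, FF_CODE                        ; isCode(flags)?
        jnz     .locret                             ; not an instruction
        invoke  netnode_altval,[nnode + nodeidx_t.lo],[nnode + nodeidx_t.hi],[ea + ea_t.lo],[ea + ea_t.hi],'A'
        add     eax, -1                             ; edx:eax -= 1 (borrow propagates via CF)
        adc     edx, -1
        mov     [callee+ea_t.lo], eax               ; callee = altval - 1 (unset altval reads as BADADDR)
        mov     [callee+ea_t.hi], edx
        mov     eax, [ph]
        cmp     [eax + processor_t.id], PLFM_ARM
        jnz     .skipClearingthumbbit
        and     dword [callee+ea_t.lo], not 1       ; remove the thumb bit for ARM
  .skipClearingthumbbit:
        cinvoke qsnprintf,buf,MAXSTR,form,help
        ccall   AskUsingForm_c,buf,callee           ; AskUsingForm_c(buf, &callee)
        test    eax, eax
        jz      .locret                             ; form cancelled: nothing to do
        mov     eax, [callee+ea_t.lo]
        mov     edx, [callee+ea_t.hi]
        and     edx, eax                            ; both halves all-ones <=> callee == BADADDR
        cmp     edx, BADADDR
        jnz     .valid_callee
        invoke  netnode_supdel,[nnode + nodeidx_t.lo],[nnode + nodeidx_t.hi],[ea + ea_t.lo],[ea + ea_t.hi],'A'   ; n.altdel(ea)
        jmp     .reanalyze
  .valid_callee:
        mov     edx, [ph]
        cmp     [edx + processor_t.id], PLFM_ARM
        jnz     .skipthumbbit
        test    al, 1                               ; eax still = callee.lo: thumb bit already set?
        jnz     .skipthumbbit
        invoke  get_segreg,[callee+ea_t.lo],[callee+ea_t.hi],reg__T     ; tbit (sel_t, edx:eax) = get_segreg(callee, T)
        mov     ecx, eax
        or      ecx, edx                            ; tbit == 0?
        jz      .skipthumbbit
        and     eax, edx                            ; tbit == BADSEL (all ones in both halves)?
        cmp     eax, BADSEL
        jz      .skipthumbbit
        or      dword [callee+ea_t.lo], 1           ; calling a thumb function: set bit 0
  .skipthumbbit:
        mov     eax, [callee+ea_t.lo]
        mov     edx, [callee+ea_t.hi]
        add     eax, 1
        adc     edx, 0
        mov     [callee+ea_t.lo], eax               ; callee += 1; ea keeps the current address
        mov     [callee+ea_t.hi], edx
        invoke  netnode_supset,[nnode + nodeidx_t.lo],[nnode + nodeidx_t.hi],[ea + ea_t.lo],[ea + ea_t.hi],callee,8,'A'   ; n.altset(ea, callee+1)
  .reanalyze:
        mov     eax, [ea+ea_t.lo]
        and     eax, [ea+ea_t.hi]                   ; ea == BADADDR?
        cmp     eax, BADADDR
        jz      .locret
        mov     eax, [ea+ea_t.lo]
        mov     edx, [ea+ea_t.hi]
        add     eax, 1                              ; edx:eax = ea + 1
        adc     edx, 0
        invoke  auto_mark_range,[ea+ea_t.lo],[ea+ea_t.hi],eax,edx,$28   ; noUsed(ea): $28 = 40 = AU_USED
  .locret:
        ret
endp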

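section '.data' data readable writeable

; plugin_t PLUGIN: version, flags, init, term (NULL), run, comment, help, wanted_name, wanted_hotkey
; -- same field order as the PLUGIN description block of the C original.
PLUGIN plugin_t IDP_INTERFACE_VERSION,0,init,NULL,run,comment,help,wanted_name,wanted_hotkey

nname           dd ?            ; const char *: netnode name picked by run
nnode           nodeidx_t;dq    ; netnode index (lo/hi) filled in by netnode_check
ea              ea_t     ;dq    ; current screen address (lo/hi)
callee          ea_t     ;dq    ; edited target address (lo/hi; a local in the C original);
                                ; run reads and writes it, and nothing else on this
                                ; page declared it -- drop this line if the SDK include does

comment         db 'Change the callee address',0
; Fix: the first line of 'help' lacked its closing quote, so the whole db ran past the end of the line.
help            db 'This plugin allows the user to change the address of the called function',10,\
                   'in constructs like',10,\
                   10,\
                   '       call esi',10,\
                   10,\
                   'You can enter a function name instead of its address',10,0
; Form template: %s receives 'help'; the one input field ($ = address) is bound to &callee.
form            db 'HELP',10,\
                   '%s',10,\
                   'ENDHELP',10,\
                   'Enter the callee address',10,\
                   10,\
                   '  <~C~allee:$:500:40:::>',10\
                   ,10\
                   ,10,0
; wanted_name is the same text as comment, so alias it instead of storing it twice.
virtual at comment
        wanted_name     db 'Change the callee address',0
end virtual
wanted_hotkey   db 'Alt-F11',0
mips_case       db '$ mips',0
arm_case        db ' $arm',0
x86_case        db '$ vmm functions',0

buf             db MAXSTR dup (?)       ; scratch for the qsnprintf'ed form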


section '.idata' import data readable writeable

  ; IDA64.WLL is the 6.x kernel DLL of the 64-bit-target IDA.  'ph' is imported
  ; as a data symbol, so [ph] in .text yields the address of the processor_t.
  library idawll,'IDA64.WLL',\
          kernel32,'KERNEL32.DLL'

  import idawll,\
         netnode_check,'netnode_check',\
         netnode_altval,'netnode_altval',\
         netnode_supset,'netnode_supset',\
         netnode_supdel,'netnode_supdel',\
         get_flags_ex,'get_flags_ex',\
         callui,'callui',\
         auto_mark_range,'auto_mark_range',\
         ph,'ph',\
         get_segreg,'get_segreg',\
         qsnprintf,'qsnprintf'

  import kernel32,\
         DisableThreadLibraryCalls,'DisableThreadLibraryCalls'

; IDA finds the plugin through its exported PLUGIN descriptor (defined in .data).
section '.edata' export data readable

  export 'callee.p64',\
         PLUGIN,'PLUGIN'

; Base relocations so the DLL stays loadable when it cannot be mapped at its preferred base.
section '.reloc' fixups data readable discardable


original in C:
Code:
/*
 *  Change the callee address for constructions like
 *
 *  call esi    ; LocalFree
 *
 *  Reference implementation that the two fasm ports above follow line by line.
 */

#include <ida.hpp>
#include <idp.hpp>
#include <loader.hpp>
#include <kernwin.hpp>
#include <bytes.hpp>
#include <auto.hpp>
#include <srarea.hpp>
#define T 20   // segment register number handed to get_segreg() in run() (reg__T in the fasm ports)

//--------------------------------------------------------------------------
// Accept the plugin only for the x86, MIPS and ARM processor modules.
int idaapi init(void)
{
  switch ( ph.id )
  {
    case PLFM_386:
    case PLFM_MIPS:
    case PLFM_ARM:
      return PLUGIN_OK;
    default:
      return PLUGIN_SKIP; // only for x86, MIPS and ARM
  }
}

//--------------------------------------------------------------------------
// Status-line / hint text of the plugin (plugin_t.comment below).
static const char comment[] = "Change the callee address";
// Multiline help; run() prints it into the HELP section of the form.
static const char help[] =
  "This plugin allows the user to change the address of the called function\n"
  "in constructs like\n"
  "\n"
  "       call esi\n"
  "\n"
  "You can enter a function name instead of its address\n";

//--------------------------------------------------------------------------
// Form template: %s receives 'help'; the single input field is the callee
// address that AskUsingForm_c() reads from and writes back through &callee.
static const char *const form =
  "HELP\n"
  "%s\n"
  "ENDHELP\n"
  "Enter the callee address\n"
  "\n"
  "  <~C~allee:$:500:40:::>\n"
  "\n"
  "\n";

// Let the user edit the target of the indirect call at the current address.
// The target lives as altval(ea) of a processor-specific netnode, stored as
// callee+1; afterwards the instruction is queued for re-analysis.
void idaapi run(int)
{
  static const char * nname;
  switch ( ph.id )
  {
    case PLFM_MIPS: nname = "$ mips";          break;
    case PLFM_ARM:  nname = " $arm";           break;
    default:        nname = "$ vmm functions"; break;
  }
  netnode n(nname);
  ea_t ea = get_screen_ea();                  // current address
  if ( !isCode(get_flags_novalue(ea)) )
    return;                                   // not an instruction
  ea_t callee = n.altval(ea) - 1;             // stored as callee+1; an unset altval thus reads as BADADDR
  if ( ph.id == PLFM_ARM )
    callee &= ~1;                             // remove thumb bit for arm
  char buf[MAXSTR];
  qsnprintf(buf, sizeof(buf), form, help);
  if ( !AskUsingForm_c(buf, &callee) )
    return;                                   // dialog cancelled
  if ( callee == BADADDR )
  {
    n.altdel(ea);
  }
  else
  {
    // if we're calling a thumb function, set bit 0
    if ( ph.id == PLFM_ARM && (callee & 1) == 0 )
    {
      sel_t tbit = get_segreg(callee, T);
      if ( tbit != 0 && tbit != BADSEL )
        callee |= 1;
    }
    n.altset(ea, callee+1);                   // save the new address
  }
  noUsed(ea);                                 // reanalyze the current instruction
}

//--------------------------------------------------------------------------
// wanted_name repeats 'comment'; the fasm ports alias the two with "virtual at comment".
static const char wanted_name[] = "Change the callee address";
static const char wanted_hotkey[] = "Alt-F11";

//--------------------------------------------------------------------------
//
//      PLUGIN DESCRIPTION BLOCK
//
//      Exported symbol that IDA looks up when loading the plugin; the fasm
//      ports build the same structure with the plugin_t macro and export it
//      from '.edata'.
//
//--------------------------------------------------------------------------
plugin_t PLUGIN =
{
  IDP_INTERFACE_VERSION,
  0,                    // plugin flags

  init,                 // initialize

  NULL,                 // terminate. this pointer may be NULL.

  run,                  // invoke plugin

  comment,              // long comment about the plugin
                        // it could appear in the status line
                        // or as a hint

  help,                 // multiline help about the plugin

  wanted_name,          // the preferred short name of the plugin
  wanted_hotkey         // the preferred hotkey to run the plugin
};


Is anyone interested in writing plugins & loaders for IDA PRO in fasm?
I can support the 6.X versions (format PE GUI 4.0 DLL) and the 7.X versions (format PE64 GUI 5.0 DLL).

_________________
I don't like to refer to one person as "you".
My soul requires the acronym "thou" instead.
Post 25 Dec 2019, 14:56