danielplohmann / apiscout

This project aims at simplifying Windows API import recovery on arbitrary memory dumps
BSD 2-Clause "Simplified" License

Fix getAllMemoryFromIda to return all sections instead of just one #3

Closed nazywam closed 7 years ago

nazywam commented 7 years ago

See https://github.com/danielplohmann/apiscout/issues/2

danielplohmann commented 7 years ago

Hey,

thank you very much for notifying about this, you are absolutely right! Based on my experiences from IDAscope, it will require a little more effort to address this completely. :-/ Given there are multiple segments, they do not necessarily need to be next to each other, which means they need to be tracked individually. Only this would allow knowing where hits are found in order to be able to accurately annotate the corresponding offsets with the APIs identified.

Anyways, I'll integrate your PR as soon as I am back from travel and I will then also extend the respective part in the code to address it in the way I outlined above. :) Thanks again!

Rev-gh commented 7 years ago

@danielplohmann: @nazywam would come by and say hi, but he's shy (you're in the same building now :))).

nazywam commented 7 years ago

Would something like this work better?

```python
import idautils
import idc

def lrange(start, end):
    # Assumed helper (not defined in the snippet): a generator form of range()
    # so that addresses above the C long limit of 32-bit IDAPython do not overflow.
    ea = start
    while ea < end:
        yield ea
        ea += 1

def getAllMemoryFromIda(self):
    # Iterate over every segment IDA knows about instead of only the first one.
    result = ""
    for seg in idautils.Segments():
        start = idc.SegStart(seg)
        end = idc.SegEnd(seg)
        for ea in lrange(start, end):
            result += chr(idc.Byte(ea))
    return result
```
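The concern raised earlier in the thread is that segments are not necessarily adjacent, so a buffer built by concatenating them cannot be mapped back to the address where a hit was found. The following is an added example, not code from apiscout or from anyone in this thread: it models two non-contiguous segments with constructed data, scans each one for 32-bit little-endian pointers into a constructed table of known API addresses (a simplified stand-in for the real matching logic), and contrasts per-segment tracking with the concatenated-buffer approach. All addresses, segment layouts and API names below are made up for illustration.

```python
import struct

# Constructed table of "known" API addresses (hypothetical values, not real ones).
KNOWN_APIS = {
    0x76A01234: "kernel32.dll!LoadLibraryA",
    0x76A05678: "kernel32.dll!GetProcAddress",
    0x77B0ABCD: "ntdll.dll!NtProtectVirtualMemory",
}


def make_segment(start_ea, pointers, size):
    """Build a (start_ea, bytes) segment; `pointers` maps offset -> 32-bit value."""
    buf = bytearray(size)
    for off, value in pointers.items():
        buf[off:off + 4] = struct.pack("<I", value)
    return (start_ea, bytes(buf))


# Two segments with a gap between them, as a loaded PE in IDA might have.
SEGMENTS = [
    make_segment(0x00401000, {0x10: 0x76A01234}, 0x40),                    # e.g. .text
    make_segment(0x00403000, {0x04: 0x76A05678, 0x20: 0x77B0ABCD}, 0x30),  # e.g. .idata
]


def concatenate_segments(segments):
    """The single-buffer approach: segment bytes joined, gaps discarded."""
    return b"".join(data for _, data in segments)


def find_api_pointers(buf, known, ptr_size=4):
    """Return (offset, api_name) for every pointer-sized value in buf found in `known`."""
    fmt = "<I" if ptr_size == 4 else "<Q"
    hits = []
    for off in range(0, len(buf) - ptr_size + 1):
        value = struct.unpack(fmt, buf[off:off + ptr_size])[0]
        if value in known:
            hits.append((off, known[value]))
    return hits


def scan_segments(segments, known, ptr_size=4):
    """Scan each segment separately so a hit can be annotated at its real address."""
    hits = []
    for start_ea, data in segments:
        for off, name in find_api_pointers(data, known, ptr_size):
            hits.append((start_ea + off, name))
    return hits


def naive_addresses(segments, known, ptr_size=4):
    """What the concatenated buffer yields if offsets are rebased on the first segment."""
    base = segments[0][0]
    buf = concatenate_segments(segments)
    return [(base + off, name) for off, name in find_api_pointers(buf, known, ptr_size)]


if __name__ == "__main__":
    for ea, name in scan_segments(SEGMENTS, KNOWN_APIS):
        print("0x%08x  %s" % (ea, name))
    print("naive:", ["0x%08x" % ea for ea, _ in naive_addresses(SEGMENTS, KNOWN_APIS)])
```

With the per-segment scan the hits land at 0x401010, 0x403004 and 0x403020; the concatenated buffer places the second segment's hits at 0x401044 and 0x401060, which is exactly the offset error that per-segment tracking avoids.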