keystone-engine / keypatch

Multi-architecture assembler for IDA Pro. Powered by Keystone Engine.
http://www.keystone-engine.org/keypatch
GNU General Public License v2.0

Patch binary code with NOP or NULL bytes. #7

Closed quangnh89 closed 8 years ago

quangnh89 commented 8 years ago

This feature is very similar to OllyDbg.


redragonvn commented 8 years ago

Your "Fill with NOPs" is x86-specific code. Please make sure that the "Fill with NOPs" context menu is only registered on the supported arch (x86).

quangnh89 commented 8 years ago

Thanks for reviewing my work. I have fixed this issue and committed code.

aquynh commented 8 years ago

this is nice, but to be consistent with existing features, there is still some work to do:

see related screenshots here https://twitter.com/keystone_engine/status/764847048344477696

balika011 commented 8 years ago

This looks useful. What about making it support any arch? (Like ARM.)

quangnh89 commented 8 years ago

@balika011 Thanks for your advice. I will make it support any arch. I think the feature which re-analyzes automatically after patching slows me down. A "reanalyse" option is needed.

reanalyze

```python
import idaapi


def patch_code(self, address, assembly, syntax, padding, save_origcode, reanalyze=True, orig_asm=None, patch_data=None):
    global patch_info
    # ........ (elided: assembling and writing the patch; orig_func_end is
    # the end address of the function that was patched)
    if reanalyze:
        # ask IDA to re-analyze the patched area
        idaapi.analyze_area(address, orig_func_end)

        # try to fix IDA function re-analyze issue after patching
        idaapi.func_setend(address, orig_func_end)
```

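The arch-aware fill that balika011 asks for, as an added example that is not keypatch's or Keystone's own code: a table of per-architecture NOP encodings plus the length check a non-x86 fill needs, since a fixed-width ISA cannot pad a range that is not a multiple of its instruction size. The table, the `arch`/`mode` keys and the sample buffer are this example's own assumptions; a real plugin would assemble the NOP with Keystone instead of hard-coding it.

```python
# (arch, mode) -> (instruction width in bytes, NOP encoding in little-endian byte order)
NOP_TABLE = {
    ("x86", "32"):    (1, b"\x90"),              # nop
    ("x86", "64"):    (1, b"\x90"),              # nop
    ("arm", "arm"):   (4, b"\x00\x00\xa0\xe1"),  # mov r0, r0 (0xE1A00000)
    ("arm", "thumb"): (2, b"\x00\xbf"),          # nop (0xBF00)
    ("arm64", "64"):  (4, b"\x1f\x20\x03\xd5"),  # nop (0xD503201F)
    ("mips", "32"):   (4, b"\x00\x00\x00\x00"),  # sll zero, zero, 0
    ("ppc", "32"):    (4, b"\x00\x00\x00\x60"),  # ori 0, 0, 0 (0x60000000)
}


def nop_fill(arch, mode, size, big_endian=False):
    """Return `size` bytes of NOP padding for the given arch/mode.

    Raises ValueError when the range cannot be covered by whole instructions.
    x86 never hits that check (its NOP is one byte); every other entry does.
    """
    try:
        width, nop = NOP_TABLE[(arch, mode)]
    except KeyError:
        raise ValueError("unsupported arch/mode: %s/%s" % (arch, mode))
    if size < 0 or size % width:
        raise ValueError("%d bytes is not a multiple of the %d-byte NOP" % (size, width))
    if big_endian and width > 1:
        nop = nop[::-1]  # same instruction, opposite byte order
    return nop * (size // width)


def fill_with_nops(code, start, end, arch, mode, big_endian=False):
    """Return a copy of `code` with [start, end) replaced by NOPs."""
    if not 0 <= start <= end <= len(code):
        raise ValueError("range outside the buffer")
    return code[:start] + nop_fill(arch, mode, end - start, big_endian) + code[end:]


if __name__ == "__main__":
    # constructed sample: x86 "push ebp; mov ebp, esp; ret", prologue NOPed out
    sample = b"\x55\x89\xe5\xc3"
    print(fill_with_nops(sample, 0, 3, "x86", "32").hex())   # 909090c3
    # a 6-byte range cannot be filled on 32-bit ARM
    try:
        nop_fill("arm", "arm", 6)
    except ValueError as e:
        print("rejected:", e)
```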
aquynh commented 8 years ago

Reanalyzing should be a must, not a choice. This is what we are already doing with the current patcher.

quangnh89 commented 8 years ago

I'm analyzing a malware sample obfuscated by some tools, and IDA's analysis always fails to detect the end addresses of functions. I can send you this sample for further information.

aquynh commented 8 years ago

In that case, we can still go ahead with patching, but not reanalyze the code. But we should log this issue and warn the user about what happened (using a Warning() popup message, for example).

If you have a better idea, lets discuss here.

aquynh commented 8 years ago

merged into the "test" branch at https://github.com/keystone-engine/keypatch/tree/test; will merge into "master" when it is ready, thanks.

aquynh commented 8 years ago

please send future pull requests for the "test" branch.