ida-explorer: use proper IDA API to fetch segment access

[williballenthin]

https://github.com/mandiant/capa/blob/430f9da449cbd2c7142594f3bcf370cbcfee37d8/capa/features/extractors/ida/insn.py#L408 https://github.com/mandiant/capa/blob/430f9da449cbd2c7142594f3bcf370cbcfee37d8/capa/features/extractors/ida/insn.py#L430 https://github.com/mandiant/capa/blob/430f9da449cbd2c7142594f3bcf370cbcfee37d8/capa/features/extractors/ida/insn.py#L435

[s-ff]

Hi @williballenthin, @mike-hunhoff,

Could you please point me to the relevant IDA APIs to use for this scenario?

I understand that the goal here is to avoid using idc.GetDisasm(insn.ea). I explored a bit, and came accross this alternative (yet very similar) implementationidc.print_operand(insn.ea, 1) to check PEB access for example.

I am wondering if we could replace if "fs:" in idc.GetDisassm(insn.ea) with " fs:" in print_operand(insn.ea, 1) and idc.get_operand_value(insn.ea, 1) == 0x30 as shown below:

Let me know what you think.

[williballenthin]

hey @s-ff

I don't think the print routines are fundamentally different than the original solution, to parse the string representation. You'd need to do some new research to find the IDA APIs that disassemble instructions into a data structure that can be inspected. We don't know how to do this yet.

[mr-tz]

It's probably decode_insn or a similar IDAPython API to decode the instruction and then inspect the resulting object.

[s-ff]

I agree that decode_insn is the way to go here. However, the resulting object does not expose any APIs to actually assess if an operand corresponds to a segment register. Based on my understanding, idc.print_operand() or idc.GetDisasm() appear to be the only APIs that can help in this specific case.

It might also be worth looking into the ida_segregs.