NyaMisty · October 1, 2024 16:09
diff --git a/ida_linux_kernel_ptr.py b/ida_linux_kernel_ptr.py
 import idaapi
 import idc
 import struct

 KERNEL_START = 0xFFFFFFC008000000
 KERNEL_END = 0xFFFFFFC008EF1008

 def is_kernel_addr(a):
  return KERNEL_START <= a <= KERNEL_END

 for ea in range(KERNEL_START, KERNEL_END, 4):
    q = idaapi.get_qword(ea)
    if is_kernel_addr(q):
        idaapi.create_data(ea, idaapi.qword_flag(), 8, idaapi.BADNODE)
        idaapi.op_offset(ea, 0, idaapi.REF_OFF64)
        continue
    d = idaapi.get_dword(ea)
    dd = struct.unpack('<i', d.to_bytes(4, 'little'))[0]
    if is_kernel_addr(ea + dd) and -0x1000000 < dd < -0x4000: # 数据段必然在代码后面，所以这种reference肯定是往前指，而且并不一定是4字节对齐的
      # if idc.get_segm_name(ea) == '.init.data':
      #    continue
      #print(hex(ea))
      idaapi.create_dword(ea, 4)
      ri = idaapi.refinfo_t()
      ri.init(idaapi.REF_OFF32 | idaapi.REFINFO_SIGNEDOP | idaapi.REFINFO_SELFREF)
      idaapi.op_offset_ex(ea, 0, ri)
	import idaapi
	import idc
	import struct

	KERNEL_START = 0xFFFFFFC008000000
	KERNEL_END = 0xFFFFFFC008EF1008

	def is_kernel_addr(a):
	return KERNEL_START <= a <= KERNEL_END

	for ea in range(KERNEL_START, KERNEL_END, 4):
	q = idaapi.get_qword(ea)
	if is_kernel_addr(q):
	idaapi.create_data(ea, idaapi.qword_flag(), 8, idaapi.BADNODE)
	idaapi.op_offset(ea, 0, idaapi.REF_OFF64)
	continue
	d = idaapi.get_dword(ea)
	dd = struct.unpack('<i', d.to_bytes(4, 'little'))[0]
	if is_kernel_addr(ea + dd) and -0x1000000 < dd < -0x4000: # 数据段必然在代码后面，所以这种reference肯定是往前指，而且并不一定是4字节对齐的
	# if idc.get_segm_name(ea) == '.init.data':
	# continue
	#print(hex(ea))
	idaapi.create_dword(ea, 4)
	ri = idaapi.refinfo_t()
	ri.init(idaapi.REF_OFF32 \| idaapi.REFINFO_SIGNEDOP \| idaapi.REFINFO_SELFREF)
	idaapi.op_offset_ex(ea, 0, ri)