Skip to content

Instantly share code, notes, and snippets.

@jimmy947788

jimmy947788/ida_find_arm64_svc.py

Created April 1, 2024 07:31
Show Gist options
  • Save jimmy947788/7e91f1ddb0f853be17012e8769e5883d to your computer and use it in GitHub Desktop.
Save jimmy947788/7e91f1ddb0f853be17012e8769e5883d to your computer and use it in GitHub Desktop.
Download ZIP
该脚本用于在 IDA 中查找 ARM64 架构的 SVC 指令,并添加注释显示系统调用号对应的系统调用名称。
Raw
ida_find_arm64_svc.py
# Description: 该脚本用于在 IDA 中查找 ARM64 架构的 SVC 指令,并添加注释显示系统调用号对应的系统调用名称。
# environment: IDA 7.7, python 3.9
# Author: jimmy947788 吉掰米
# email: [email protected]
import idautils
import idc
# 系統調用號到名稱的映射
syscall_mapping = {
0: "__NR_io_setup",
1: "__NR_io_destroy",
2: "__NR_io_submit",
3: "__NR_io_cancel",
4: "__NR_io_getevents",
5: "__NR_setxattr",
6: "__NR_lsetxattr",
7: "__NR_fsetxattr",
8: "__NR_getxattr",
9: "__NR_lgetxattr",
10: "__NR_fgetxattr",
11: "__NR_listxattr",
12: "__NR_llistxattr",
13: "__NR_flistxattr",
14: "__NR_removexattr",
15: "__NR_lremovexattr",
16: "__NR_fremovexattr",
17: "__NR_getcwd",
18: "__NR_lookup_dcookie",
19: "__NR_eventfd2",
20: "__NR_epoll_create1",
21: "__NR_epoll_ctl",
22: "__NR_epoll_pwait",
23: "__NR_dup",
24: "__NR_dup3",
25: "__NR_fcntl",
26: "__NR_inotify_init1",
27: "__NR_inotify_add_watch",
28: "__NR_inotify_rm_watch",
29: "__NR_ioctl",
30: "__NR_ioprio_set",
31: "__NR_ioprio_get",
32: "__NR_flock",
33: "__NR_mknodat",
34: "__NR_mkdirat",
35: "__NR_unlinkat",
36: "__NR_symlinkat",
37: "__NR_linkat",
38: "__NR_renameat",
39: "__NR_umount2",
40: "__NR_mount",
41: "__NR_pivot_root",
42: "__NR_nfsservctl",
43: "__NR_statfs",
44: "__NR_fstatfs",
45: "__NR_truncate",
46: "__NR_ftruncate",
47: "__NR_fallocate",
48: "__NR_faccessat",
49: "__NR_chdir",
50: "__NR_fchdir",
51: "__NR_chroot",
52: "__NR_fchmod",
53: "__NR_fchmodat",
54: "__NR_fchownat",
55: "__NR_fchown",
56: "__NR_openat",
57: "__NR_close",
58: "__NR_vhangup",
59: "__NR_pipe2",
60: "__NR_quotactl",
61: "__NR_getdents64",
62: "__NR_lseek",
63: "__NR_read",
64: "__NR_write",
65: "__NR_readv",
66: "__NR_writev",
67: "__NR_pread64",
68: "__NR_pwrite64",
69: "__NR_preadv",
70: "__NR_pwritev",
71: "__NR_sendfile",
72: "__NR_pselect6",
73: "__NR_ppoll",
74: "__NR_signalfd4",
75: "__NR_vmsplice",
76: "__NR_splice",
77: "__NR_tee",
78: "__NR_readlinkat",
79: "__NR_fstatat",
80: "__NR_fstat",
81: "__NR_sync",
82: "__NR_fsync",
83: "__NR_fdatasync",
84: "__NR_sync_file_range",
85: "__NR_timerfd_create",
86: "__NR_timerfd_settime",
87: "__NR_timerfd_gettime",
88: "__NR_utimensat",
89: "__NR_acct",
90: "__NR_capget",
91: "__NR_capset",
92: "__NR_personality",
93: "__NR_exit",
94: "__NR_exit_group",
95: "__NR_waitid",
96: "__NR_set_tid_address",
97: "__NR_unshare",
98: "__NR_futex",
99: "__NR_set_robust_list",
100: "__NR_get_robust_list",
101: "__NR_nanosleep",
102: "__NR_getitimer",
103: "__NR_setitimer",
104: "__NR_kexec_load",
105: "__NR_init_module",
106: "__NR_delete_module",
107: "__NR_timer_create",
108: "__NR_timer_gettime",
109: "__NR_timer_getoverrun",
110: "__NR_timer_settime",
111: "__NR_timer_delete",
112: "__NR_clock_settime",
113: "__NR_clock_gettime",
114: "__NR_clock_getres",
115: "__NR_clock_nanosleep",
116: "__NR_syslog",
117: "__NR_ptrace",
118: "__NR_sched_setparam",
119: "__NR_sched_setscheduler",
120: "__NR_sched_getscheduler",
121: "__NR_sched_getparam",
122: "__NR_sched_setaffinity",
123: "__NR_sched_getaffinity",
124: "__NR_sched_yield",
125: "__NR_sched_get_priority_max",
126: "__NR_sched_get_priority_min",
127: "__NR_sched_rr_get_interval",
128: "__NR_restart_syscall",
129: "__NR_kill",
130: "__NR_tkill",
131: "__NR_tgkill",
132: "__NR_sigaltstack",
133: "__NR_rt_sigsuspend",
134: "__NR_rt_sigaction",
135: "__NR_rt_sigprocmask",
136: "__NR_rt_sigpending",
137: "__NR_rt_sigtimedwait",
138: "__NR_rt_sigqueueinfo",
139: "__NR_rt_sigreturn",
140: "__NR_setpriority",
141: "__NR_getpriority",
142: "__NR_reboot",
143: "__NR_setregid",
144: "__NR_setgid",
145: "__NR_setreuid",
146: "__NR_setuid",
147: "__NR_setresuid",
148: "__NR_getresuid",
149: "__NR_setresgid",
150: "__NR_getresgid",
151: "__NR_setfsuid",
152: "__NR_setfsgid",
153: "__NR_times",
154: "__NR_setpgid",
155: "__NR_getpgid",
156: "__NR_getsid",
157: "__NR_setsid",
158: "__NR_getgroups",
159: "__NR_setgroups",
160: "__NR_uname",
161: "__NR_sethostname",
162: "__NR_setdomainname",
163: "__NR_getrlimit",
164: "__NR_setrlimit",
165: "__NR_getrusage",
166: "__NR_umask",
167: "__NR_prctl",
168: "__NR_getcpu",
169: "__NR_gettimeofday",
170: "__NR_settimeofday",
171: "__NR_adjtimex",
172: "__NR_getpid",
173: "__NR_getppid",
174: "__NR_getuid",
175: "__NR_geteuid",
176: "__NR_getgid",
177: "__NR_getegid",
178: "__NR_gettid",
179: "__NR_sysinfo",
180: "__NR_mq_open",
181: "__NR_mq_unlink",
182: "__NR_mq_timedsend",
183: "__NR_mq_timedreceive",
184: "__NR_mq_notify",
185: "__NR_mq_getsetattr",
186: "__NR_msgget",
187: "__NR_msgctl",
188: "__NR_msgrcv",
189: "__NR_msgsnd",
190: "__NR_semget",
191: "__NR_semctl",
192: "__NR_semtimedop",
193: "__NR_semop",
194: "__NR_shmget",
195: "__NR_shmctl",
196: "__NR_shmat",
197: "__NR_shmdt",
198: "__NR_socket",
199: "__NR_socketpair",
200: "__NR_bind",
201: "__NR_listen",
202: "__NR_accept",
203: "__NR_connect",
204: "__NR_getsockname",
205: "__NR_getpeername",
206: "__NR_sendto",
207: "__NR_recvfrom",
208: "__NR_setsockopt",
209: "__NR_getsockopt",
210: "__NR_shutdown",
211: "__NR_sendmsg",
212: "__NR_recvmsg",
213: "__NR_readahead",
214: "__NR_brk",
215: "__NR_munmap",
216: "__NR_mremap",
217: "__NR_add_key",
218: "__NR_rest_key",
219: "__NR_keyctl",
220: "__NR_clone",
221: "__NR_execve",
222: "__NR_mmap",
223: "__NR_fadvise64",
224: "__NR_swapon",
225: "__NR_swapoff",
226: "__NR_mprotect",
227: "__NR_msync",
228: "__NR_mlock",
229: "__NR_munlock",
230: "__NR_mlockall",
231: "__NR_munlockall",
232: "__NR_mincore",
233: "__NR_madvise",
234: "__NR_remap_file_pages",
235: "__NR_mbind",
236: "__NR_get_mempolicy",
237: "__NR_set_mempolicy",
238: "__NR_migrate_pages",
239: "__NR_move_pages",
240: "__NR_rt_tgsigqueueinfo",
241: "__NR_perf_event_open",
242: "__NR_accept4",
243: "__NR_recvmmsg",
244: "__NR_or1k_atomic",
260: "__NR_wait4",
261: "__NR_prlimit64",
262: "__NR_fanotify_init",
263: "__NR_fanotify_mark",
264: "__NR_name_to_handle_at",
265: "__NR_open_by_handle_at",
266: "__NR_clock_adjtime",
267: "__NR_syncfs",
268: "__NR_setns",
269: "__NR_sendmmsg",
270: "__NR_process_vm_readv",
271: "__NR_process_vm_writev",
272: "__NR_kcmp",
273: "__NR_finit_module",
274: "__NR_sched_setattr",
275: "__NR_sched_getattr",
276: "__NR_renameat2",
277: "__NR_seccomp",
278: "__NR_getrandom",
279: "__NR_memfd_create",
280: "__NR_bpf",
281: "__NR_execveat",
282: "__NR_userfaultfd",
283: "__NR_membarrier",
284: "__NR_mlock2",
285: "__NR_copy_file_range",
286: "__NR_preadv2",
287: "__NR_pwritev2"
}
# 遍历所有的函数
for func in idautils.Functions():
func_name = idc.get_func_name(func)
print(f"正在检查函数: {func_name}")
# 遍历函数中的所有指令
for ins in idautils.FuncItems(func):
mnemonic = idc.print_insn_mnem(ins)
# 检查指令是否为 MOV W8, #imm
if mnemonic == "MOV":
opnd = idc.print_operand(ins, 0)
if opnd == "W8":
if idc.get_operand_type(ins, 1) == idc.o_imm:
imm_value = idc.get_operand_value(ins, 1) # 获取立即数的值
syscall_name = syscall_mapping.get(imm_value, f"Unknown syscall {imm_value}")
# 从当前 MOV 指令位置向下搜索第一个 SVC 指令
next_ins = ins
while True:
next_ins = idc.next_head(next_ins, idc.get_segm_end(next_ins))
if idc.print_insn_mnem(next_ins) == "SVC":
# 在找到的 SVC 指令处添加注释
comment = f"System call: {syscall_name}"
idc.set_cmt(next_ins, comment, 0)
print(f"在地址 {hex(next_ins)} 的 SVC 指令上添加注释:{comment}")
break
# 如果到达函数末尾还未找到 SVC,则退出循环
if next_ins == idc.get_func_attr(func, idc.FUNCATTR_END):
print("在 MOV W8, #imm 指令之后未找到 SVC 指令。")
break
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment