Hello.
I created this script (pronounced PiDaWo) to learn how to use the IDA API with Python.
For this, I used IDAPython.
This script is signature-based (pattern matching) and is driven by an XML file.
It only renames functions defined by hand, and will still work after small updates.
Signatures span from the function start to the function end.
You can modify this script to work differently, for example with symbols.
Here is the script itself:
Code:
# Product : PyIDAWow
# Version : 0.1a
# Author : Xartrick
from __future__ import print_function  # same output under Python 2 and 3

import os
import idaapi
from idc import *  # FindBinary, SEARCH_DOWN, MakeNameEx (already implicit in the IDA console)
from xml.dom.minidom import parseString

def StartPyIDAWow(file):
    print('[?] Parsing signature list...')
    signatures = ParseSignatureList(file)
    if not signatures['success']:
        print('[-]', signatures['message'])
        return
    print('[+] Parsed', len(signatures['data']), 'signature(s)!')
    print('[?] PyIDAWow process started...')
    for signature in signatures['data']:
        functions = GetFunctionAddresses(signature['pattern'])
        # Rename only on exactly one hit: zero means the signature is stale,
        # more than one means it is not unique enough to trust.
        if len(functions) == 0:
            print('[-] No match for', signature['name'])
        elif len(functions) > 1:
            print('[-] Too many matches for', signature['name'], '(' + str(len(functions)), 'matches)')
        else:
            print('[+] Rename function at', hex(functions[0]), 'to', signature['name'])
            # IDA 7+ name for this call: idc.set_name(ea, name, SN_NOWARN)
            MakeNameEx(functions[0], signature['name'], idaapi.SN_NOWARN)
    print('[?] PyIDAWow process finished!')

def ParseSignatureList(file):
    # Read <Signature><Name value=.../><Pattern value=.../></Signature> entries.
    if not os.path.isfile(file):
        return { 'success' : False, 'message' : 'Signature file list not found.' }
    signatures = []
    with open(file, 'r') as f:
        data = f.read()
    xml = parseString(data)
    for node in xml.getElementsByTagName('Signature'):
        name = node.getElementsByTagName('Name')[0].getAttribute('value')
        pattern = node.getElementsByTagName('Pattern')[0].getAttribute('value')
        signatures.append({ 'name' : str(name), 'pattern' : str(pattern) })
    return { 'success' : True, 'data' : signatures }

def GetFunctionAddresses(signature):
    # Collect every address where the byte pattern ("??" = wildcard byte) matches.
    addr = 0
    addresses = []
    while True:
        # IDA 7+ name for this call: idc.find_binary(ea, flag, searchstr)
        addr = FindBinary(addr, SEARCH_DOWN, signature)
        if addr == idaapi.BADADDR:
            break
        addresses.append(addr)
        addr += 1  # resume one byte past the hit so later matches are found too
    return addresses

print('[?] PyIDAWow loaded.')
And here is a signatures file example:
Code:
<?xml version="1.0"?>
<Signatures>
    <Signature>
        <Name value="ClntObjMgrGetActivePlayer" />
        <Pattern value="8B 0D ?? ?? ?? ?? 85 C9 75 05 33 C0 33 D2 C3 8B 81 ?? ?? ?? ?? 8B 91 ?? ?? ?? ?? C3" />
    </Signature>
    <Signature>
        <Name value="ClntObjMgrGetActivePlayerObj" />
        <Pattern value="E8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 6A 10 52 50 E8 ?? ?? ?? ?? 83 C4 14 C3" />
    </Signature>
    <!--Signature>
        <Name value="" />
        <Pattern value="" />
    </Signature-->
</Signatures>
I tested it with (and it worked):
- 5.2.0 (16769) (Live)
- 5.3.0 (1712 (Live)
- 5.4.0 (17205) (PTR)
Here is an IDA session example:
Code:
[?] PyIDAWow loaded.
Python>StartPyIDAWow("C:\\Users\\Xartrick\\Desktop\\PyIDAWow\\Signatures.xml")
[?] Parsing signature list...
[+] Parsed 2 signature(s)!
[?] PyIDAWow process started...
[+] Rename function at 0x84ad00 to ClntObjMgrGetActivePlayer
[+] Rename function at 0x403290 to ClntObjMgrGetActivePlayerObj
[?] PyIDAWow process finished!
I don't know if I will update this script, but I am publishing my work.
I hope this will be useful to someone.
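As an added example (my own code, not from Xartrick's post or the PyIDAWow script), here is the same wildcard-signature matching done outside IDA in Python 3, over a raw byte buffer, so a Signatures.xml can be checked before it is loaded into IDA. It adds two things the script above leaves out: a token that is neither ?? nor two hex digits is rejected up front instead of reaching the search, and the three outcomes (no match, more than one match, exactly one match) come back as data instead of console lines. The signature names, the patterns, the helper function names and the byte buffer are all constructed for this example and are not real game signatures; only the XML layout follows the file format shown above.

```python
# Added example, not part of the original PyIDAWow post: wildcard byte-signature
# matching over a raw buffer, with token validation and the unique-hit rule.
# Names, patterns and SAMPLE_IMAGE are constructed for this example only.
import re
from xml.dom.minidom import parseString

# Constructed signature list in the page's Signatures.xml layout (not real signatures).
SIGNATURES_XML = """<?xml version="1.0"?>
<Signatures>
    <Signature>
        <Name value="GetActivePlayerExample" />
        <Pattern value="8B 0D ?? ?? ?? ?? 85 C9 75 05 33 C0 33 D2 C3" />
    </Signature>
    <Signature>
        <Name value="LoneRet" />
        <Pattern value="C3" />
    </Signature>
    <Signature>
        <Name value="NeverPresent" />
        <Pattern value="CC CC CC CC CC CC CC CC" />
    </Signature>
</Signatures>
"""

# Constructed image: 16 NOPs, a 15-byte routine at offset 16 (its RET lands at
# offset 30), 9 NOPs, a second lone RET at offset 40, then 8 more NOPs.
SAMPLE_IMAGE = (
    b"\x90" * 16
    + bytes.fromhex("8B0D44332211" "85C9" "7505" "33C0" "33D2" "C3")
    + b"\x90" * 9
    + b"\xC3"
    + b"\x90" * 8
)

def parse_signatures(xml_text):
    """Read <Signature><Name value=.../><Pattern value=.../></Signature> entries."""
    doc = parseString(xml_text)
    result = []
    for node in doc.getElementsByTagName("Signature"):
        name = node.getElementsByTagName("Name")[0].getAttribute("value")
        pattern = node.getElementsByTagName("Pattern")[0].getAttribute("value")
        result.append({"name": name, "pattern": pattern})
    return result

def pattern_to_regex(pattern):
    """Compile 'E8 ?? ?? ?? ?? C3' into a bytes regex; '??' is a one-byte wildcard."""
    # A typo in the XML must fail loudly, not turn into a pattern that hits the wrong code.
    parts = []
    for token in pattern.split():
        if token == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", token):
            parts.append(b"\\x%02x" % int(token, 16))
        else:
            raise ValueError("bad token %r in signature %r" % (token, pattern))
    if not parts:
        raise ValueError("empty signature")
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: wildcard matches 0x0A too

def is_valid_pattern(pattern):
    """True when every token is '??' or a hex byte and the pattern is non-empty."""
    try:
        pattern_to_regex(pattern)
        return True
    except ValueError:
        return False

def find_all(data, pattern):
    """Every offset where the pattern matches; overlapping hits kept, like the script's addr += 1."""
    regex = pattern_to_regex(pattern)
    hits, pos = [], 0
    while True:
        m = regex.search(data, pos)
        if m is None:
            return hits
        hits.append(m.start())
        pos = m.start() + 1

def resolve(signatures, data):
    """Apply the page's rule: a name is applied only when there is exactly one hit."""
    report = {}
    for sig in signatures:
        hits = find_all(data, sig["pattern"])
        if not hits:
            report[sig["name"]] = ("no match", None)
        elif len(hits) > 1:
            report[sig["name"]] = ("ambiguous", hits)
        else:
            report[sig["name"]] = ("unique", hits[0])
    return report

if __name__ == "__main__":
    report = resolve(parse_signatures(SIGNATURES_XML), SAMPLE_IMAGE)
    for name, (status, where) in report.items():
        print("[%s] %s -> %s" % ("+" if status == "unique" else "-", name, where if where is not None else status))
```

On the constructed buffer the first signature resolves to offset 16, the lone C3 is reported as ambiguous with two hits, and the CC run is reported as missing; running the script on a real file instead only requires replacing SAMPLE_IMAGE with the file's bytes.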