m4n0w4r posted on 2019-2-2 20:01

IDA-dumpDyn

This post was last edited by m4n0w4r on 2019-2-2 20:02

Author: Lasha Khasaia @_qaz_qaz

Feature:
If a process allocates dynamic memory using VirtualAlloc, HeapAlloc, new, etc. and continues execution from that address, most of the time the memory address will be different for each execution. This means that if we add comments, rename variables or set breakpoints, none of this will be left in the next execution, because the shellcode or code section will take a different memory address.

dumpDyn.py is an IDAPython plugin (script) which saves comments, names, breakpoints and functions from one execution to another.


https://user-images.githubusercontent.com/16405698/49311939-70f5b980-f4da-11e8-81d6-09bd083d4e49.PNG


If VirtualAlloc/VirtualAllocEx is used to allocate dynamic memory (which is the case with most malware), you can use the icons on the toolbar to save and restore your work:


https://user-images.githubusercontent.com/16405698/49311767-f7f66200-f4d9-11e8-81c5-8f8c648c0c9e.gif

In any other case (HeapAlloc, malloc, new, etc.), you need to specify the memory location and size:


https://user-images.githubusercontent.com/16405698/49311821-26743d00-f4da-11e8-883a-7205df03125e.PNG
https://user-images.githubusercontent.com/16405698/49311822-270cd380-f4da-11e8-95e3-256634ff69be.PNG

https://user-images.githubusercontent.com/16405698/49311823-270cd380-f4da-11e8-8e93-e99276de14e0.gif

Restore functions from undefined data:


https://user-images.githubusercontent.com/16405698/49588512-cad50400-f95e-11e8-915e-4e7609fe1a06.gif

Info:
https://github.com/secrary/IDA-scripts/tree/master/dumpDyn
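To illustrate the idea the post describes (annotations on a dynamically allocated region are lost because the base address changes between runs, so they have to be stored relative to that base and rebased on restore), here is an added, self-contained model of that save/restore step. It is not the dumpDyn code and uses no IDA API: the region, addresses, comments and names below are constructed sample values, and the `save_region`/`restore_region` helpers are hypothetical names chosen for this example.

```python
import json
from dataclasses import dataclass, field, asdict
from typing import Dict, List

# Constructed model of the dumpDyn idea: everything attached to a dynamic
# region is keyed by its offset from the region base, not by absolute
# address, so it can be re-applied when the next run lands at a new base.
# This is example code, not the project's own; no IDA modules are used.


@dataclass
class RegionAnnotations:
    size: int
    comments: Dict[int, str] = field(default_factory=dict)   # offset -> comment
    names: Dict[int, str] = field(default_factory=dict)      # offset -> symbol name
    breakpoints: List[int] = field(default_factory=list)     # offsets
    functions: List[int] = field(default_factory=list)       # function start offsets


def save_region(base, size, comments, names, breakpoints, functions):
    """Convert absolute addresses inside [base, base+size) to base-relative offsets.

    Items outside the region are ignored: they do not move with the
    allocation, and the disassembler database already keeps them.
    """
    def in_region(ea):
        return base <= ea < base + size

    region = RegionAnnotations(size=size)
    region.comments = {ea - base: c for ea, c in comments.items() if in_region(ea)}
    region.names = {ea - base: n for ea, n in names.items() if in_region(ea)}
    region.breakpoints = sorted(ea - base for ea in breakpoints if in_region(ea))
    region.functions = sorted(ea - base for ea in functions if in_region(ea))
    return region


def to_json(region):
    """Serialize for storage between runs; JSON keys must be strings, so offsets become hex text."""
    d = asdict(region)
    d["comments"] = {hex(k): v for k, v in region.comments.items()}
    d["names"] = {hex(k): v for k, v in region.names.items()}
    return json.dumps(d, indent=2)


def from_json(text):
    d = json.loads(text)
    return RegionAnnotations(
        size=d["size"],
        comments={int(k, 16): v for k, v in d["comments"].items()},
        names={int(k, 16): v for k, v in d["names"].items()},
        breakpoints=list(d["breakpoints"]),
        functions=list(d["functions"]),
    )


def restore_region(region, new_base, new_size):
    """Rebase stored offsets onto the new allocation and return absolute addresses.

    If the new allocation is smaller than the saved one, offsets past its end
    are dropped instead of being applied to memory that belongs to something else.
    """
    limit = min(region.size, new_size)
    return {
        "comments": {new_base + o: c for o, c in region.comments.items() if o < limit},
        "names": {new_base + o: n for o, n in region.names.items() if o < limit},
        "breakpoints": [new_base + o for o in region.breakpoints if o < limit],
        "functions": [new_base + o for o in region.functions if o < limit],
    }


if __name__ == "__main__":
    # Run 1: constructed sample addresses, shellcode allocated at 0x1A0000.
    saved = save_region(
        base=0x1A0000, size=0x1000,
        comments={0x1A0010: "decrypt loop", 0x1B0000: "not in the region"},
        names={0x1A0000: "sc_entry"},
        breakpoints=[0x1A0010],
        functions=[0x1A0000],
    )
    blob = to_json(saved)
    # Run 2: same code, but the allocation came back at 0x2C0000.
    print(restore_region(from_json(blob), new_base=0x2C0000, new_size=0x1000))
```

In a real IDAPython script the final "apply" step would walk the returned dictionaries and call the usual IDA functions (`idc.set_cmt`, `idc.set_name`, `idc.add_bpt`, `ida_funcs.add_func`); the part worth keeping in mind is the bookkeeping above, which is what makes the annotations independent of where the allocator happens to put the region.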

fq645122 posted on 2019-2-2 20:53

Do you know why nobody comments on your posts?

唯爱学习 posted on 2019-2-2 20:58

Welcome, foreigner!

linuxprobe posted on 2019-2-3 15:39

It's all in English. Why don't you translate it for us? Where did you get all this?

E式丶男孩 posted on 2019-2-3 21:30

God, how to use IDA? Do you have any tutorials?

辣皮哥 posted on 2020-11-16 20:49

Thank you @Thanks!