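├── Fix_Vmp_Dump_API.py
├── Get_Export_Fun_Name_Addr.py
└── README.md
/Fix_Vmp_Dump_API.py:
--------------------------------------------------------------------------------
"""IDAPython helper that renames VMP import stubs back to their real API names.

Workflow (see README): Get_Export_Fun_Name_Addr.py dumps ``<name> <0xaddr>``
lines for a kernel module into DB_DIR; this script follows a stub from the
cursor (Run) or from every function (Run_2), recovers the real API address
from the stub's ``mov``/``lea`` arithmetic and looks the name up in that file.
Written against the legacy IDAPython API (ScreenEA, GetDisasm, Byte, ...).
"""
import idc
import idaapi
import idautils
import re

# Directory holding the export tables written by Get_Export_Fun_Name_Addr.py.
DB_DIR = "D:\\fix_vmp_dump"
# Export table used when the cursor address renders to fewer than 15 characters.
DB_PATH_X86 = DB_DIR + "\\ntkrnlpa.txt"
# Export table used for wider (64-bit kernel) addresses.
DB_PATH_X64 = DB_DIR + "\\ntoskrnl.txt"

BANNER = "********************************************************************************"

# Second operands that contain one of these and are shorter than 4 characters
# (the text includes the leading space, so " rax" passes while " ax"/" r8" do
# not) are skipped as base-load candidates. This is the author's filter, kept as is.
_SKIP_REG_FRAGMENTS = ("ax", "bx", "cx", "dx", "si", "di", "r8", "r9")


def _print_banner(message):
    """Print *message* framed by the star banner used throughout this script."""
    print(BANNER)
    print(message)
    print(BANNER)


def _disasm_of(entry):
    """Return the disassembly text of a ``"<hex ea>##<disasm>"`` code_list entry."""
    return entry.split("##", 1)[1]


def _addr_of(entry):
    """Return the integer address of a ``"<hex ea>##<disasm>"`` code_list entry.

    Python 2 renders large addresses as ``0x...L``; the suffix is stripped so
    the parse works under both Python 2 and 3 (no ``long`` needed).
    """
    return int(entry.split("##", 1)[0].rstrip("L"), 16)


def _symbol_target(code, os_len):
    """Extract the address encoded in a ``sub_XXXX`` / ``loc_XXXX`` style operand.

    Returns the address as an int, or None when *code* has no underscore
    followed by hex digits. At most ``os_len * 2`` digits are taken, which
    matches the pointer width (the original sliced 8 or 16 hex digits).
    """
    match = re.search(r"_([0-9A-Fa-f]+)", code)
    if match is None:
        return None
    return int(match.group(1)[: os_len * 2], 16)


def _operand_after(entry, mnemonic):
    """Return the first operand following *mnemonic* in *entry*, or None.

    Matching is by substring, as in the original, so prefixed forms such as
    ``lock xchg`` are still recognised; a trailing ``;`` comment is ignored.
    """
    disasm = _disasm_of(entry).split(";")[0]
    if mnemonic not in disasm:
        return None
    return disasm.split(",")[0].split(mnemonic, 1)[1].strip()


def _displacement(operand_text, sign):
    """Parse the hex displacement after *sign* in a ``[reg+XXh]`` / ``[reg-XXh]`` operand."""
    return int(operand_text.split(sign)[1].split("]")[0].split("h")[0], 16)


def Get_Code_List(ea, code_list, os_len):
    """Record the stub's instructions from *ea* into *code_list* as ``"<hex ea>##<disasm>"``.

    Walks forward with NextHead until a ``retn``. A ``jmp``/``call`` ends the
    stretch: one to a ``nullsub`` or without a ``sub_``/``loc_`` style hex
    operand stops the walk, any other continues it at the target (instructions
    after the branch are not recorded). A target already present in
    *code_list* is not followed again, so a jump cycle cannot loop forever.

    Args:
        ea: address of the first instruction to record.
        code_list: receives the entries; mutated in place.
        os_len: pointer width in bytes (4 for x86, 8 for x64); caps the hex
            digits read from a symbol name.
    """
    while True:
        code = idc.GetDisasm(ea)
        code_list.append(hex(ea) + "##" + code)
        if "retn" in code:
            return
        if not code.startswith(("jmp", "call")):
            ea = idc.NextHead(ea)
            continue
        if "nullsub" in code:
            return
        target = _symbol_target(code, os_len)
        if target is None:
            print("!!!!!Get Code Error!!!!!")
            return
        if any(_addr_of(entry) == target for entry in code_list):
            print("!!!!!Jump target {0} already visited , stop!!!!!".format(hex(target)))
            return
        ea = target


def _read_pointer(target_ea, os_len, hex_list):
    """Read the *os_len*-byte little-endian pointer stored at *target_ea*.

    The bytes are also appended to *hex_list* as two-digit hex strings, the
    accumulator format the callers share. The value is computed from the bytes
    read here only (the original folded the whole accumulator, which is the
    same thing for the fresh lists every caller passes).
    """
    value = 0
    for k in range(os_len):
        byte_data = idc.Byte(target_ea + k)
        hex_list.append("%02x" % byte_data)
        value |= byte_data << (8 * k)
    return value


def _adjust_by_lea(reg, base, start, code_list):
    """Apply the first ``lea REG, [REG±disp]`` at index *start* or later to *base*.

    Returns the adjusted address as a hex string, or None when no such ``lea``
    follows.
    """
    lea_flag = "lea {0}, [{0}".format(reg)
    for entry in code_list[start:]:
        disasm = _disasm_of(entry)
        if lea_flag not in disasm:
            continue
        if "-" in disasm:
            real = base - _displacement(disasm, "-")
        elif "+" in disasm:
            real = base + _displacement(disasm, "+")
        else:
            real = base
        hex_data = hex(real)
        _print_banner("***** Get Real Function Addr [{0}] Success , Fuck VMP!!!!! *****".format(hex_data))
        return hex_data
    return None


def Get_Data(reg, add_num, flag_num, hex_list, code_list, os_len):
    """Resolve the real API address hidden behind a VMP import stub.

    Scans *code_list* from index *flag_num* for ``mov REG, [REG±disp]`` (the
    load of the stored pointer relative to *add_num*), reads the pointer found
    there and applies the ``lea REG, [REG±disp]`` fix-up that follows it.

    Args:
        reg: register the stub computes the address in (e.g. ``"rax"``).
        add_num: base value loaded into *reg* before the ``mov``.
        flag_num: index in *code_list* at which to start scanning.
        hex_list: accumulator receiving the pointer bytes as hex strings.
        code_list: ``"<hex ea>##<disasm>"`` entries from Get_Code_List.
        os_len: pointer width in bytes (4 or 8).

    Returns:
        The resolved address as a hex string, or None if the pattern is not found.
    """
    mov_flag = "mov {0}, [{0}".format(reg)
    for x in range(flag_num, len(code_list)):
        rest_code = _disasm_of(code_list[x])
        if mov_flag not in rest_code:
            continue
        if "-" in rest_code:
            if "_" in rest_code:
                # Symbolic operand: IDA supplies the (signed) displacement, so add it.
                target_ea = add_num + idc.GetOperandValue(_addr_of(code_list[x]), 1)
            else:
                target_ea = add_num - _displacement(rest_code, "-")
        elif "+" in rest_code:
            if "_" in rest_code:
                target_ea = add_num + idc.GetOperandValue(_addr_of(code_list[x]), 1)
            else:
                target_ea = add_num + _displacement(rest_code, "+")
        else:
            target_ea = add_num
        pointer = _read_pointer(target_ea, os_len, hex_list)
        hex_data = _adjust_by_lea(reg, pointer, x, code_list)
        if hex_data is not None:
            return hex_data
    return None


def _find_stub_register(code_list):
    """Return the register the stub leaves the address in, or ``""`` if none is found.

    The last ``xchg`` whose first operand is not two characters long selects
    the register; every ``pop`` at or after it overrides the choice (last one
    wins). Without such an ``xchg``, the ``lea``/``pop`` destination of the
    second-to-last instruction is used, ``pop`` taking precedence.
    """
    reg = ""
    for m, entry in enumerate(code_list):
        xchg_reg = _operand_after(entry, "xchg")
        if xchg_reg is None or len(xchg_reg) == 2:
            continue
        reg = xchg_reg
        for later in code_list[m:]:
            pop_reg = _operand_after(later, "pop")
            if pop_reg is not None:
                reg = pop_reg
    if reg == "" and len(code_list) >= 2:
        for mnemonic in ("lea", "pop"):
            candidate = _operand_after(code_list[-2], mnemonic)
            if candidate is not None:
                reg = candidate
    return reg


def Get_Need_Addr(code_list, hex_list, os_len, flag_list):
    """Find the stub's register and base value, then resolve the API address via Get_Data.

    The base value is the second operand of the last ``lea REG, ...`` (x64) or
    ``mov REG, ...`` (x86) that is not a memory (``[``), scaled (``*``) or
    short-register operand. A segment-qualified operand carrying a ``;``
    comment is resolved immediately through IDA's operand value.

    Args:
        code_list: ``"<hex ea>##<disasm>"`` entries from Get_Code_List.
        hex_list: accumulator passed through to Get_Data.
        os_len: pointer width in bytes (4 or 8).
        flag_list: receives the candidate base-load entries; mutated in place.

    Returns:
        The address string from Get_Data, or None when no register or no
        candidate instruction could be found (the original raised here).
    """
    reg = _find_stub_register(code_list)
    if reg == "":
        print("!!!!!Get Register Error!!!!!")
        return None
    first_flag = ("lea " if os_len == 8 else "mov ") + reg
    flag_num = 0
    for i, entry in enumerate(code_list):
        code = _disasm_of(entry)
        if first_flag not in code:
            continue
        if ":" in code:
            if ";" in code:
                add_num = idc.GetOperandValue(_addr_of(entry), 1)
                return Get_Data(reg, add_num, i, hex_list, code_list, os_len)
            continue
        if "[" in code or "*" in code:
            continue
        operands = code.split(",")
        if len(operands) < 2:
            continue
        second = operands[1]
        if len(second) < 4 and any(frag in second for frag in _SKIP_REG_FRAGMENTS):
            continue
        flag_list.append(entry)
        flag_num = i
    if not flag_list:
        print("!!!!!Get Base Addr Error!!!!!")
        return None
    add_num = idc.GetOperandValue(_addr_of(flag_list[-1]), 1)
    return Get_Data(reg, add_num, flag_num, hex_list, code_list, os_len)


def Fix_Fun_Name(ea, db_path, fun_addr):
    """Rename the function at *ea* with the export name recorded for *fun_addr*.

    *db_path* is a text file of ``<name> <0xaddr>`` lines produced by
    Get_Export_Fun_Name_Addr.py. Addresses are compared numerically, so the
    ``L`` suffix Python 2 adds to large hex values and digit case do not
    matter, and ``0x1000`` no longer matches ``0x10000`` by substring. When
    several exports share the address, the last line wins, as before.

    Args:
        ea: address of the function to rename.
        db_path: path of the export table file.
        fun_addr: resolved address as a hex string, or None when resolution failed.
    """
    if fun_addr is None:
        _print_banner("***** Not Find Function Name , Fuck VMP!!!!! *****")
        return
    wanted = int(str(fun_addr).rstrip("L"), 16)
    find_flag = 0
    with open(db_path, "r") as fr:
        for line in fr:
            fields = line.split()
            if len(fields) < 2:
                continue
            try:
                addr = int(fields[1].rstrip("L"), 16)
            except ValueError:
                continue
            if addr != wanted:
                continue
            fun_name = fields[0]
            idc.set_name(ea, fun_name, idaapi.SN_FORCE)
            _print_banner("***** Rename Function Name [{0}] Success , Fuck VMP!!!!! *****".format(fun_name))
            find_flag = 1
    if find_flag == 0:
        # The original formatted an unbound fun_name here and raised NameError.
        _print_banner("***** Not Find Function Name , Fuck VMP!!!!! *****")


def _select_target(ea):
    """Pick pointer width and export table from how wide *ea* renders with hex().

    This is the author's heuristic, kept unchanged: fewer than 15 characters
    (e.g. ``0x140001000``) selects 32-bit, anything longer (``0xfffff800...``)
    selects 64-bit.

    Returns:
        ``(os_len, db_path)``.
    """
    if len(str(hex(ea))) < 15:
        return 4, DB_PATH_X86
    return 8, DB_PATH_X64


def Run():
    """Hotkey entry (Shift-F): fix the single stub referenced by the instruction under the cursor."""
    hex_list = []
    code_list = []
    flag_list = []
    ea = idc.ScreenEA()
    os_len, read_db_path = _select_target(ea)
    target = _symbol_target(idc.GetDisasm(ea), os_len)
    if target is None:
        print("!!!!!Get Code Error!!!!!")
        return
    Get_Code_List(target, code_list, os_len)
    fun_addr = Get_Need_Addr(code_list, hex_list, os_len, flag_list)
    Fix_Fun_Name(target, read_db_path, fun_addr)


def Run_2():
    """Hotkey entry (Shift-G): try every function in the database; failures are reported and skipped."""
    # The width heuristic only depends on the cursor, so decide it once.
    os_len, read_db_path = _select_target(idc.ScreenEA())
    for func in idautils.Functions():
        hex_list = []
        code_list = []
        flag_list = []
        try:
            Get_Code_List(func, code_list, os_len)
            fun_addr = Get_Need_Addr(code_list, hex_list, os_len, flag_list)
            Fix_Fun_Name(func, read_db_path, fun_addr)
        except Exception as exc:
            # Best-effort bulk pass: report the failure instead of hiding it.
            print("!!!!!Skip {0}: {1}!!!!!".format(hex(func), exc))


def registerHotkey(shortcut):
    """Bind *shortcut* to Run() via an IDC stub (RunPythonStatement needs one)."""
    idaapi.CompileLine(r'static Run() { RunPythonStatement("Fix_Vmp_Dump_API.Run()"); }')
    idc.AddHotkey(shortcut, "Run")


def registerHotkey_2(shortcut):
    """Bind *shortcut* to Run_2() via an IDC stub (RunPythonStatement needs one)."""
    idaapi.CompileLine(r'static Run_2() { RunPythonStatement("Fix_Vmp_Dump_API.Run_2()"); }')
    idc.AddHotkey(shortcut, "Run_2")


# fix single api name
keyname = "Shift-F"
registerHotkey(keyname)

# fix all api name use carefully
keyname = "Shift-G"
registerHotkey_2(keyname)
--------------------------------------------------------------------------------
/Get_Export_Fun_Name_Addr.py:
--------------------------------------------------------------------------------
import os
import idc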
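import idaapi
import binascii

idb_path = idc.get_idb_path()

# Output directory shared with Fix_Vmp_Dump_API.py, which reads "<module>.txt" from here.
out_path = "D:\\fix_vmp_dump"


def _export_table_name(idb_path):
    """Derive ``<module>.txt`` from the database path.

    The module name is the database file name cut at the first of ``.idb``,
    ``.i64`` or ``.dll`` (same precedence as before). Only the file name is
    inspected, so a directory containing one of those strings no longer
    changes the result, and the split works for both ``\\`` and ``/`` paths.
    """
    base_name = os.path.basename(idb_path)
    for marker in (".idb", ".i64", ".dll"):
        if marker in base_name:
            return base_name.split(marker)[0] + ".txt"
    return base_name + ".txt"


def _write_export_table(file_name, count):
    """Write one ``<name> <hex address>`` line per export to *file_name*.

    Args:
        file_name: output path; an existing file is overwritten.
        count: number of export entries (idc.get_entry_qty()).

    Returns:
        The number of lines written. Entries that fail to resolve (e.g. an
        unnamed export) are reported and skipped rather than silently dropped.
    """
    written = 0
    with open(file_name, "w") as fa:
        # range(count), not range(count - 1): the last export must be included too.
        for i in range(count):
            ordinal = idc.get_entry_ordinal(i)
            try:
                name = idc.get_entry_name(ordinal)
                address = idc.get_entry(ordinal)
                fa.write(name + " " + hex(address) + "\n")
                written += 1
            except Exception as exc:
                print("Skip export ordinal {0}: {1}".format(ordinal, exc))
    return written


export_table_file_name = _export_table_name(idb_path)

if not os.path.exists(out_path):
    os.makedirs(out_path)

file_name = os.path.join(out_path, export_table_file_name)

count = idc.get_entry_qty()
_write_export_table(file_name, count)
print("Write Export Table Info To {0} Success!".format(file_name))
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# FixVmpDump
use python script to fix vmp dump api in ida. support x86 and x64.
details in my blog: https://blog.csdn.net/yan_star/article/details/112798262

# step 1
(1) open the needed module by ida and run "Get_Export_Fun_Name_Addr.py". you can get "xxx.txt" in your "D:\fix_vmp_dump\".

# step 2
(1) put "Fix_Vmp_Dump_API.py" in your "%ida%/python/".
(2) insert "**import Fix_Vmp_Dump_API**" to your "%ida%/python/init.py" file, like this:

    try:
        import ida_idaapi
        import ida_kernwin
        import ida_diskio
        import Fix_Vmp_Dump_API

    except ImportError as e:
        print "Import failed: %s.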
        Current sys.path:" % str(e)
        for p in sys.path:
            print "\t%s" % p
        raise

(3) restart your ida

# step 3
use hotkey "Shift-F" to fix a single api.
use hotkey "Shift-G" to fix all api. (use carefully!)

--------------------------------------------------------------------------------