fwrapper - Script for Accessing Data in IDA

Carving and writing data to IDBs in IDA can be a little painful. fwrapper is a script that makes it easier for accessing data in IDBs. The script can be used to select a block of data (by highlighting it) and save the data to a buffer. The script has the option to export the data/buffer to a file, import the data from a file, modify the data in a buffer and patch the IDB. To use fwrapper.py we would select the block of data we would like to use and then run the script.


In the image above we can see the data has been highlighted, at this point we have already executed the script and we can access the bytes via fwrapper.buffer. If we wanted to save the selected blob of data we would execute fwrapper.export(). This would open up a save as dialogue box option. If we wanted to import the data into fwrapper.buffer we would execute fwrapper.importb(). This would open a dialogue box and we could import a file. If we wanted to save the contents of fwrapper.buffer to the start of the selected address we would execute fwrapper.patch(). At anytime the start address (fwrapper.start) and buffer contents (fwrapper.buffer) can be modified. This is useful if we wanted to modify the data outside of IDA or add data to the IDB. An example would be decrypting a block RC4 encrypted data or wanting to extract the binary of some code.

Source - LINK

# Name: 
#    fwrapper.py
# Version: 
#    0.1
# Description: 
#    This script can be used to carve out data and work with data in IDA.           
# Author
#    alexander<dot>hanel<at>gmail<dot>com

import sys 
import idaapi 

class WRAPPER():
    def __init__(self):
        self.start = SelStart()
        self.end = SelEnd()
        self.buffer = ''
        self.ogLen = None
        self.status = True
        
    def checkBounds(self):
        if self.start is BADADDR or self.end is BADADDR:
            self.status = False 

    def getData(self):
        self.ogLen = self.end - self.start  
        try:
            for byte in GetManyBytes(self.start, self.ogLen):
                self.buffer = self.buffer + byte
        except:
            self.status = False
        return
        
    def run(self):
        self.checkBounds()
        if self.status == False:
            sys.stdout.write('ERROR: Please select valid data')
            return 
        self.getData()
         
    def patch(self):
        for index, byte in enumerate(self.buffer):
             PatchByte(self.start+index, ord(byte))
             
    def importb(self):
        fileName = AskFile(0, "*.*", 'Import File')
        try:
            self.buffer = open(fileName, 'r').read()
        except:
            sys.stdout.write('ERROR: Cannot access file')
               
    def export(self):
        exportFile = AskFile(1, "*.*", 'Export Buffer')
        f = open(exportFile, 'wb')
        f.write(self.buffer)
        f.close()
        
if __name__ == "__main__":
    fwrapper = WRAPPER()
    fwrapper.run()

2 comments:

  1. AnonymousDecember 23, 2012 at 6:57 AM

    From what I can see other than getting the actual bytes no xrefs, data dependencies, graph relationship is collected, this is probably as if you were to ctrl+ins the block, or am I wrong ?

    ReplyDelete
    Replies
    1. Alexander HanelDecember 23, 2012 at 11:02 AM

      I'd recommend running the code and experimenting with it. CTRL+INS is simply copy. Open an IDB, select some code, run the script, then execute the following fwrapper.export() in the output window. You will get a dialogue box, save off the data in then look at it in a hexeditor.

      Delete

Subscribe to: Post Comments (Atom)