mirror of
https://github.com/NationalSecurityAgency/ghidra.git
synced 2024-10-23 05:31:02 +00:00
85 lines
2.6 KiB
Java
85 lines
2.6 KiB
Java
/* ###
|
|
* IP: GHIDRA
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
import ghidra.app.script.GhidraScript;
|
|
import ghidra.program.model.address.Address;
|
|
import ghidra.util.exception.CancelledException;
|
|
|
|
public class SearchForImageBaseOffsets extends GhidraScript {
|
|
|
|
@Override
|
|
public void run() throws Exception {
|
|
|
|
if (currentProgram == null) {
|
|
println("No open program");
|
|
return;
|
|
}
|
|
|
|
if (currentProgram.getMemory().isBigEndian()) {
|
|
println("This script only looks for little endian image base offsets");
|
|
return;
|
|
}
|
|
|
|
Address imageBase = currentProgram.getImageBase();
|
|
|
|
long currentAddressOffset = currentAddress.getOffset();
|
|
long imageBaseOffset = imageBase.getOffset();
|
|
|
|
long currentAddressIbo = imageBaseOffset ^ currentAddressOffset;
|
|
|
|
byte searchBytes[] = createLittleEndianByteArray(currentAddressIbo, 8);
|
|
println("searching for possible ibo64 references to " + currentAddress.toString() + " ...");
|
|
searchForByteArray(searchBytes);
|
|
|
|
searchBytes = createLittleEndianByteArray(currentAddressIbo, 4);
|
|
println("searching for possible ibo32 references to " + currentAddress.toString() + " ...");
|
|
searchForByteArray(searchBytes);
|
|
|
|
}
|
|
|
|
/**
|
|
* Method to create a byte array out of the given long value
|
|
* @param value the given value
|
|
* @param numBytes the number of bytes from the low end of the value to copy into the array
|
|
* @return the little endian byte array for the given value
|
|
* @throws CancelledException if cancelled
|
|
*/
|
|
private byte[] createLittleEndianByteArray(long value, int numBytes)
|
|
throws CancelledException {
|
|
|
|
|
|
byte byteArray[] = new byte[numBytes];
|
|
|
|
for (int i = 0; i < numBytes; i++) {
|
|
monitor.checkCancelled();
|
|
byteArray[i] = (byte) (value >> (8 * i) & 0xff);
|
|
}
|
|
|
|
return byteArray;
|
|
}
|
|
|
|
private void searchForByteArray(byte[] byteArray) throws CancelledException {
|
|
Address start = currentProgram.getMinAddress();
|
|
Address found = find(start, byteArray);
|
|
while (found != null) {
|
|
monitor.checkCancelled();
|
|
println(found.toString());
|
|
start = found.add(1);
|
|
found = find(start, byteArray);
|
|
}
|
|
}
|
|
|
|
}
|