IDA插件编写学习笔记

插件目录结构

ida安装目录

plugins

plugin_script.py

python

plugin_script

plugin_script_impl.py

__init__.py

其中plugin_script可以是自己定义的名称

plugin_script.py文件结构

插件示例

示例：打印程序中的空函数listNullFunc.py

import idautils
import idaapi
import idc

class ListNullFunc(idaapi.plugin_t): # 需要继承自IDA的插件类
    flags = idaapi.PLUGIN_UNL
    comment="List All null functions" 
    wanted_name="List Null Func" # 插件名称
    wanted_hotkey="Ctrl-Alt-Y" # 插件快捷键
    help="so..."
    def init(self):
        # 插件初始化时的操作
        idaapi.msg("[lnf]List All Null functions starts\n")
        idaapi.require('listNullFunc') # 导入python目录下的模块
        idaapi.require('listNullFunc.listNullFuncImpl')
        # PLUGIN_KEEP
        return idaapi.PLUGIN_OK
    def run(self,arg):
        # 插件的入口函数
        idaapi.msg("[lnf]List All Null functions runs\n")
        listNullFunc.listNullFuncImpl.main()
    def term(self):
        # 插件结束时调用的方法
        idaapi.msg("[lnf]List Null Func stopped\n")
def PLUGIN_ENTRY():
    return ListNullFunc()

ListNullFuncImpl.py

from idautils import *
from idaapi import *
from idc import *
def main():
    msg("[lnf]: These are Null Functions\n")
    funcs = Functions()
    for func in funcs:
        # print(hex(func))
        # print(get_bytes(func,1))
        if get_bytes(func,1)[0]==0xc3:
            print(hex(func),"is a null function")
if __name__=="__main__":
    main()

接下来按照上面的文件结构部署插件

也可以扫描目标函数然后patch掉空函数调用

使用nu1l 公开赛RE1实验，花指令，空函数比较多

[lnf]List All Null functions starts
[lnf]List All Null functions runs
[lnf]: These are Null Functions
0x123410ad is a null function
0x1234116c is a null function
0x12341256 is a null function
0x123412ac is a null function
0x123412b8 is a null function
0x123412da is a null function
0x123412ee is a null function
0x123412fe is a null function
0x12341315 is a null function
0x12341326 is a null function
0x12341365 is a null function
0x12341389 is a null function
0x123413bc is a null function
0x12341454 is a null function
0x1234146b is a null function
0x123414e7 is a null function
0x123414fb is a null function
0x1234154c is a null function
0x12341560 is a null function
0x123415f3 is a null function
0x12341603 is a null function
0x12341617 is a null function
0x12341d7e is a null function
[lnf]List Null Func stopped

杂谈

大部分IDA插件也可以如此安装

IDA插件也可以安装到%APPDATA%\Roaming\Hex-Rays\IDA Pro\plugins目录下，目录结构如下

plugins

plugin_script

plugin_script_impl.py

__init__.py

plugin_script.py

参考资料

https://www.52pojie.cn/thread-1198722-1-1.html

https://www.hex-rays.com/wp-content/static/products/ida/support/idapython_docs/

https://blog.csdn.net/qq_35056292/article/details/89421793