Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/patois/mrspicky
MrsPicky - An IDAPython decompiler script that helps auditing memcpy() and memmove() calls
automated binary-auditing decompiler hex-rays hexrays ida-pro idapython memcpy vulnerability
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/patois/mrspicky
- Owner: patois
- License: other
- Created: 2019-05-14T22:00:15.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2024-03-14T07:21:37.000Z (8 months ago)
- Last Synced: 2024-03-14T08:34:15.049Z (8 months ago)
- Topics: automated, binary-auditing, decompiler, hex-rays, hexrays, ida-pro, idapython, memcpy, vulnerability
- Language: Python
- Homepage:
- Size: 1.41 MB
- Stars: 105
- Watchers: 8
- Forks: 22
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# MrsPicky
MrsPicky - An IDAPython decompiler script that helps auditing memcpy() and memmove() calls.
![mrspicky animated gif](/rsrc/picky.gif?raw=true)
This example code shows how the HexRays decompiler can be scripted in
order to identify potentially dangerous calls to memcpy().
It is in no way meant to be a fully working script covering all possible
use cases, just a few of them.

It displays a list of identified calls that can be, and is meant to
be, searched, sorted and filtered interactively using IDA's built-in
filtering features. Double-clicking an entry jumps to the respective
call within the currently active IDA or Decompiler view.

In cases where the "n" argument that is passed to memcpy() calls can be
resolved statically, the resulting list's "max n" tab reflects the maximum
number of bytes that can be written to the destination buffer "dst" (in
other words: any number larger than that will corrupt whatever follows
the current stack frame, which usually is a return address).

The "problems" tab may contain the following keywords:
* "memcorr" - indicates a confirmed memory corruption
* "argptr" - the "dst" pointer points beyond the local stack frame
  (this may not actually be a problem per se but...)

Feel free to adjust the script to suit your personal preferences.
Relevant code is commented and explained below so that hopefully it will
be easy to adapt the code to cover more use cases as well as further
functions such as malloc().

## Requirements
This script is based on Python3 and requires IDA 7.3 to work. A Python2
version is available [here](https://github.com/patois/mrspicky/tree/mrspicky-python2).

For further help, check out vds5.py, which comes with the HexRays SDK.

This script is licensed under "THE BEER-WARE LICENSE" (Revision 42).