这个脚本用于 IDA 和 OD 结合分析的时候,解决从 OD 里面抓出来的代码,或者脱壳后的代码中 call API 丢失的问题;有些在堆栈中保存的 API 地址,用起来也很爽。
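# Rebuild import (IAT) names in the current IDA database.
#
# Input: IAT.txt in the IDA installation directory, one entry per line, as
# copied out of the debugger.  A line is used only when it starts with an
# 8-digit hex address and contains exactly one '.', which separates the
# module from the API name.  Constructed sample line:
#     00405000  7C801A28  kernel32.CreateFileA
# The address in the first column is renamed to the API name.
#
# Things to check before running it:
#   * The addresses are only meaningful for the image the dump was taken
#     from.  `offset` is added to every address before naming; presumably it
#     is meant for the case where the image base in IDA differs from the one
#     in the debugger -- confirm before changing it.
#   * Names are applied as-is and replace whatever name the address already
#     had, so review IAT.txt before running this on a database you care about.
#   * GetIdaDirectory and MakeName are the legacy IDC-style names.
#     NOTE(review): newer IDAPython releases renamed them -- confirm against
#     the version in use.

iat_file = GetIdaDirectory() + "\\IAT.txt"

# API name -> address taken from the first column of the dump.
dric = dict()

# `with` closes the file even if parsing raises; the original opened the file
# twice and only closed the second handle.
with open(iat_file, 'r') as hfile:
    for dump_info in hfile:
        if len(dump_info) <= 8:
            continue
        try:
            address = int(dump_info[0:8], 16)
        except ValueError:
            # Not an address line (header, separator, ...): skip it instead
            # of aborting the whole import.
            continue
        funname = dump_info.split('.')
        if len(funname) != 2:
            continue
        # strip() rather than dropping the last character: copes with CRLF
        # dumps and with a final line that has no trailing newline.
        real_name = funname[1].strip()
        if not real_name:
            # An empty name would clear the existing name instead of setting one.
            continue
        # The same API can appear at several addresses; keep suffixing until
        # the name is unused so a third occurrence does not overwrite the
        # second one.
        while real_name in dric:
            real_name = real_name + '_x'
        dric[real_name] = address

offset = 0
failed = 0
for name, addre in dric.items():
    # Keep the result within 32 bits, matching the 8-digit addresses read above.
    addre = (addre + offset) & 0xFFFFFFFF
    if not MakeName(addre, name):
        failed += 1
        print("IAT: could not name %08X as %s" % (addre, name))
print("IAT: %d names applied, %d failed" % (len(dric) - failed, failed))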
y'r learning python? cool.