我们从Python开源项目中,提取了以下9个代码示例,用于说明如何使用idaapi.FUNC_THUNK。
def output_symbols(out): """Dump symbols.""" try: from idaapi import get_func_name2 as get_func_name # Since get_func_name is deprecated (at least from IDA 6.9) except ImportError: from idaapi import get_func_name # Older versions of IDA don't have get_func_name2 # so we just use the older name get_func_name def func_name_propagate_thunk(ea): current_name = get_func_name(ea) if current_name[0].isalpha(): return current_name func = idaapi.get_func(ea) temp_ptr = idaapi.ea_pointer() ea_new = idaapi.BADADDR if func.flags & idaapi.FUNC_THUNK == idaapi.FUNC_THUNK: ea_new = idaapi.calc_thunk_func_target(func, temp_ptr.cast()) if ea_new != idaapi.BADADDR: ea = ea_new propagated_name = get_func_name(ea) or '' # Ensure it is not `None` if len(current_name) > len(propagated_name) > 0: return propagated_name else: return current_name # Fallback to non-propagated name for weird times that IDA gives # a 0 length name, or finds a longer import name for ea in idautils.Segments(): fs = idautils.Functions(idc.SegStart(ea), idc.SegEnd(ea)) for f in fs: out.write('("%s" 0x%x 0x%x)\n' % ( func_name_propagate_thunk(f), idc.GetFunctionAttr(f, idc.FUNCATTR_START), idc.GetFunctionAttr(f, idc.FUNCATTR_END)))
def is_import_or_lib_func(ea): """ Is ea part of an imported function or a known library? @param ea: any ea within the function scope @return: True if function is either imported or a known library function. """ return Functions(ea).flags & (idaapi.FUNC_LIB | idaapi.FUNC_THUNK)
def is_thunk(cls, func): '''Return True if the function ``func`` is considered a code thunk.''' fn = by(func) return fn.flags & idaapi.FUNC_THUNK == idaapi.FUNC_THUNK
def graph_down(ea, path=set()): """ Recursively collect all function calls. Copied with minor modifications from http://hooked-on-mnemonics.blogspot.com/2012/07/renaming-subroutine-blocks-and.html """ path.add(ea) # # iterate through all the instructions in the target function (ea) and # inspect all the call instructions # for x in [x for x in idautils.FuncItems(ea) if idaapi.is_call_insn(x)]: # TODO for r in idautils.XrefsFrom(x, idaapi.XREF_FAR): #print "0x%08X" % h, "--calls-->", "0x%08X" % r.to if not r.iscode: continue # get the function pointed at by this call func = idaapi.get_func(r.to) if not func: continue # ignore calls to imports / library calls / thunks if (func.flags & (idaapi.FUNC_THUNK | idaapi.FUNC_LIB)) != 0: continue # # if we have not traversed to the destination function that this # call references, recurse down to it to continue our traversal # if r.to not in path: graph_down(r.to, path) return path
