I can get the segment start address, end address and all the functions of a DLL with the following IDAPython script:
    import idaapi
    from idc import *
    from idautils import *

    # Get the segment's starting address from the current cursor position
    ea = ScreenEA()
    print(ea)
    print(SegStart(ea), SegEnd(ea))

    callers = dict()   # function name -> set of names of functions that call it
    callees = dict()   # function name -> set of names of functions it calls

    # Loop through all the functions in the segment
    for function_ea in Functions(SegStart(ea), SegEnd(ea)):
        f_name = GetFunctionName(function_ea)
        print(f_name)
        # Create a set with all the names of the functions calling (referring to)
        # the current one.
        callers[f_name] = set(map(GetFunctionName, CodeRefsTo(function_ea, 0)))
        # For each of the incoming references
        for ref_ea in CodeRefsTo(function_ea, 0):
            # Get the name of the referring function
            caller_name = GetFunctionName(ref_ea)
            # Add the current function to the set of functions
            # called by the referring function
            callees[caller_name] = callees.get(caller_name, set())
            callees[caller_name].add(f_name)

    # Get the set of all functions seen as caller or callee
    functions = set(list(callees.keys()) + list(callers.keys()))
    total_callees = 0
    # For each of the functions, print the number of functions calling it and
    # the number of functions it calls. In short, indegree and outdegree.
    for f in functions:
        print('%d:%s:%d' % (len(callers.get(f, [])), f, len(callees.get(f, []))))
        total_callees += len(callees.get(f, []))
    print("\nTotal callees of \t" + idaapi.get_root_filename() + "\t: " + str(total_callees))
The script runs fine when invoked from within IDA Pro, but if it is invoked from the command prompt as follows:
idaq.exe -A -S"C:\xxx\segment.py" "C:\fff\yy.dll"
the output is different:
4294967295
(4294967295L, 4294967295L)
Total callees of yy.dll : 0
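As an added example (not part of the original question or of any answer to it), here is the same caller/callee tally restructured so that the graph computation is plain Python and the IDA-specific calls are confined to one entry point that does not depend on a cursor position. The assumptions are mine: the IDA 6.x-era IDAPython names (idaapi.autoWait, idautils.Segments, idc.SegStart/SegEnd, idc.Exit, idaapi.cvar.batch) are what is available inside IDA, a `-A` batch run has no screen cursor (which is why ScreenEA(), whose BADADDR result is 4294967295 on a 32-bit IDA, is avoided), and the SAMPLE data is constructed.

```python
"""Caller/callee tally with the IDA API isolated from the graph logic.

Added example, not code from the original post. Assumed IDA 6.x-era
IDAPython names; idaapi.cvar.batch as the batch-mode flag is an assumption.
"""


def call_graph(function_refs):
    """Build callers/callees maps from an iterable of
    (function_name, [caller_name, ...]) pairs.

    Returns (callers, callees), both dict: name -> set of names.
    A function with no callers still gets an (empty) callers entry.
    """
    callers = {}
    callees = {}
    for f_name, caller_names in function_refs:
        callers.setdefault(f_name, set())
        for caller_name in caller_names:
            callers[f_name].add(caller_name)
            callees.setdefault(caller_name, set()).add(f_name)
    return callers, callees


def degree_report(callers, callees):
    """Return (rows, total_callees).

    rows is a sorted list of (indegree, name, outdegree) tuples, the same
    three values the original script prints as '%d:%s:%d'.
    """
    names = set(callers) | set(callees)
    rows = sorted(
        (len(callers.get(f, ())), f, len(callees.get(f, ())))
        for f in names
    )
    total = sum(len(callees.get(f, ())) for f in names)
    return rows, total


# Constructed sample: main calls helper and leaf, helper calls leaf.
SAMPLE = [
    ("main", []),
    ("helper", ["main"]),
    ("leaf", ["main", "helper"]),
]


def run_in_ida():
    """Batch-safe IDA entry point (only callable inside IDA)."""
    import idaapi
    import idautils
    import idc

    idaapi.autoWait()  # let auto-analysis finish before walking functions
    refs = []
    # Walk every segment instead of relying on ScreenEA(), which has no
    # cursor to report in a headless run.
    for seg_ea in idautils.Segments():
        for function_ea in idautils.Functions(idc.SegStart(seg_ea), idc.SegEnd(seg_ea)):
            f_name = idc.GetFunctionName(function_ea)
            caller_names = [idc.GetFunctionName(ref_ea)
                            for ref_ea in idautils.CodeRefsTo(function_ea, 0)]
            # Drop references that come from outside any function (empty name).
            refs.append((f_name, [n for n in caller_names if n]))
    callers, callees = call_graph(refs)
    rows, total = degree_report(callers, callees)
    for indeg, name, outdeg in rows:
        print("%d:%s:%d" % (indeg, name, outdeg))
    print("\nTotal callees of \t" + idaapi.get_root_filename() + "\t: " + str(total))
    # Assumption: idaapi.cvar.batch is set when IDA was started with -A;
    # exit only then, so an interactive session is not closed.
    if getattr(idaapi.cvar, "batch", False):
        idc.Exit(0)


try:
    import idaapi  # noqa: F401  (present only inside IDA)
    _IN_IDA = True
except ImportError:
    _IN_IDA = False

if _IN_IDA:
    run_in_ida()
else:
    # Outside IDA, show the pure part on the constructed sample.
    for row in degree_report(*call_graph(SAMPLE))[0]:
        print("%d:%s:%d" % row)
```

Run it the same way (`idaq.exe -A -S"script.py" target.dll`); the pure functions can also be imported outside IDA and unit-tested on constructed data.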