Problem description: During reverse analysis it is often necessary to track calls to operating system APIs. When debugging with IDA, a breakpoint can be placed on a given API through the user interface, but that is inconvenient and cannot be combined with automation. Using an IDAPython script to set conditional breakpoints on API functions solves both problems.
I. Setting a Windows API breakpoint through the interface
1. Operation process
Taking a breakpoint on the LoadLibraryA function as an example, the test program Ida01.exe is built from the following source code:

#include "windows.h"

int main()
{
    // LoadLibrary resolves to LoadLibraryA in an ANSI build, which is the function the breakpoint targets
    LoadLibrary("E:\\Office10\\SAEXT.DLL");
    LoadLibrary("E:\\document\\My Knowledge\\Update_x86\\WizTools.dll");
    return 0;
}
① After opening the EXE file in IDA, configure the debugger to pause at the process entry point. Path: Debugger → Debugger setup, check "Suspend on process entry point".
② Press F9 to run the EXE.
③ Find kernel32.dll in the Modules window and double-click it; the Module: kernel32.dll tab appears on the right, as shown in
④ Find the LoadLibraryA function and double-click it. The IDA View window navigates to LoadLibraryA; click the small dot to the left of the instruction address to place the breakpoint. The finished breakpoint is shown
⑤ If execution should only be interrupted when SAEXT.DLL is loaded, the breakpoint can be made conditional. Method: in the Breakpoints window, right-click the breakpoint, click Edit, and enter the following in the condition edit box:

strstr(GetString(Dword(esp+4),-1, 0), "SAEXT.DLL") != -1

Note that this edit box accepts only IDC script expressions, not IDAPython. In the expression, Dword(esp+4) is the first argument (at the first instruction of a stdcall function the return address is at esp and the first argument at esp+4), here a pointer to the file path; GetString(Dword(esp+4), -1, 0) reads the path as a C string; strstr searches it, and the breakpoint fires only when the path contains SAEXT.DLL, i.e. when the condition is true.
2. Problem analysis
① In the breakpoint procedure above, the DLL that exports the API function must be identified first, and it is hard for an analyst to remember which DLL each API function belongs to.
② The procedure cannot be combined with automation scripts; every step requires manual intervention.
II. Implementing Windows API conditional breakpoints with an IDAPython script
1. Idea
Save the correspondence between Windows APIs and their DLLs to a file. When the user asks for a breakpoint on an API, the script looks up the DLL file name for that API function, locates the function address from the DLL name plus the function name, then places the breakpoint and sets its condition.
2. Script code
The implementation consists of two files: the IDAPython script break_api.py and the data file win_api.dat (downloadable from the attachment), which holds the API-to-DLL correspondence. Both files are placed in [IDA installation directory]\python\script. The break_api.py script reads as follows:

from idc import *

def GetApiModule(api_name):
    # Look up the DLL that exports api_name in win_api.dat
    try:
        path = GetIdaDirectory()
        path = path + '\\python\\script\\win_api.dat'
        f = open(path, 'r')
        strall = f.read()
        f.close()
    except IOError:
        Message('Can\'t open win_api.dat.')
        return 'none'
    # Plain substring search for the API name
    pos = strall.find(api_name)
    if (-1 == pos):
        Message('Can\'t find the api.')
        return 'none'
    # The DLL name is enclosed in <...> before the API names it exports
    beg = strall.rfind('<', 0, pos)+1
    end = strall.find('>', beg)
    return strall[beg:end]

def BptAPI(api_name):
    dll_name = GetApiModule(api_name)
    if dll_name == 'none':
        Message('API err.')
        return
    # IDA names the imported function <module>_<api>, e.g. kernel32_LoadLibraryA
    name = dll_name[0:len(dll_name)-4] + '_' + api_name
    ea = LocByName(name)
    if ea == BADADDR:
        Message('Can\'t locate ' + name + '.')
        return
    AddBpt(ea)
    # The condition is an IDC expression, the same one entered through the interface above
    SetBptCnd(ea, 'strstr(GetString(Dword(esp+4),-1, 0), "SAEXT.DLL") != -1')

The code is simple enough that no further explanation is needed.
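As an added example (not the article's script), the following separates the lookup logic from IDA so it can be tested outside the debugger, matches whole API names instead of substrings, and generalises the condition to any string argument index. The format of win_api.dat assumed here (each DLL name in angle brackets followed by the API names it exports, whitespace separated) is inferred from the script above; the sample data is constructed.

```python
import re

# Constructed sample of the data file; the real win_api.dat is not shown on the page.
SAMPLE_WIN_API_DAT = """
<kernel32.dll> CreateFileA CreateFileW LoadLibraryA LoadLibraryExA LoadLibraryW
<user32.dll> MessageBoxA MessageBoxW
"""

def parse_api_table(text):
    """Map each API name to its DLL, matching whole names only.
    (The original strall.find() would also match a prefix,
    e.g. 'CreateFile' inside 'CreateFileA'; a dict lookup avoids that.)"""
    table = {}
    for m in re.finditer(r'<([^>]+)>([^<]*)', text):
        dll = m.group(1).strip()
        for api in m.group(2).split():
            table[api] = dll
    return table

def import_symbol_name(dll_name, api_name):
    """IDA names an imported function <module>_<api>, e.g. kernel32_LoadLibraryA."""
    module = dll_name.rsplit('.', 1)[0]
    return module + '_' + api_name

def make_condition(arg_index, needle):
    """IDC condition (not IDAPython) that is true when the LPCSTR argument number
    arg_index (1-based, stdcall, breakpoint on the first instruction) contains
    needle: argument 1 is at esp+4, argument 2 at esp+8, and so on."""
    offset = 4 * arg_index
    return 'strstr(GetString(Dword(esp+%d),-1, 0), "%s") != -1' % (offset, needle)

def bpt_api(api_name, arg_index=1, needle="SAEXT.DLL", table=None):
    """Set the conditional breakpoint inside IDA; returns the symbol name used."""
    import idc  # only available inside IDA; same pre-7.x idc names as the article
    table = table or parse_api_table(SAMPLE_WIN_API_DAT)
    dll = table.get(api_name)
    if dll is None:
        idc.Message("Can't find the api.\n")
        return None
    name = import_symbol_name(dll, api_name)
    ea = idc.LocByName(name)
    if ea == idc.BADADDR:
        idc.Message("Symbol %s not found; is the DLL loaded?\n" % name)
        return None
    idc.AddBpt(ea)
    idc.SetBptCnd(ea, make_condition(arg_index, needle))
    return name
```

Inside IDA, bpt_api('LoadLibraryA') reproduces the article's breakpoint, while bpt_api('LoadLibraryExA', 1, 'WizTools') breaks on the second test DLL instead.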
3. How to use the script
① After opening the EXE file in IDA, configure the debugger to pause at the process entry point. Path: Debugger → Debugger setup, check "Suspend on process entry point".
② Press F9 to run the EXE.
③ Press ALT+F7 and load break_api.py.
④ In the Output window, select Python as the script language and call BptAPI('LoadLibraryA'). This sets the conditional breakpoint on LoadLibraryA with the same condition as the interface procedure above; for other requirements, modify the conditional expression in the script.
III. Summary
This article gives a simple method for setting conditional breakpoints on Windows API functions with an IDAPython script. It can be adapted to individual needs and thereby automates part of an otherwise complex analysis process. I hope it is helpful.
Using Idapython to give conditional breakpoints to the Windows API