#!/usr/bin/python
########################################################################
# Copyright (c) 2015
# Jason Jones <jason<at>jasonjon<dot>es>
# All rights reserved.
########################################################################
#
# This file is part of IDA TACO
#
# IDATACO is free software: you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see
# <http://www.gnu.org/licenses/>.
#
########################################################################
# Plugin metadata in the conventional dunder form.
__version__, __author__ = "0.1", "arbor-jjones"
import idaapi
import idc
import idautils
from PySide import QtGui, QtCore
from collections import OrderedDict
from idataco.widgets.imports import TacoImports
from idataco.widgets.loader import TacoLoader
from idataco.widgets.calls import TacoCalls
from idataco.widgets.byte_strings import TacoByteStrings
from idataco.widgets.interesting_xor import TacoInterestingXOR
from idataco.widgets.switch_jumps import TacoSwitchJumps
from idataco.widgets.signatures import TacoSignatures
import logging
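# Module logger shared by the plugin and its widgets ("taco").
log = logging.getLogger("taco")
log.setLevel('DEBUG')
# Remove any handlers left over from an earlier execution of this file (the
# "duplicate messages" case) via removeHandler() instead of rebinding
# ``log.handlers``: removeHandler() takes the logging lock and keeps the
# logger's bookkeeping consistent, whereas assigning a new list bypasses it.
while log.handlers:
    log.removeHandler(log.handlers[0])
handler = logging.StreamHandler()
handler.setFormatter(logging.Formatter(
    "[%(asctime)s] [%(module)s] [%(levelname)s] %(funcName)s: %(message)s"))
log.addHandler(handler)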
"""
IDA TACO is an IDA Pro Plugin designed to bring Cuckoo Sandbox-generated output into IDA Pro
to assist in reverse engineering malware as well as combining some commonly used tools into one UI
"""
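class IDATaco(idaapi.PluginForm):
    """Main T.A.C.O. form: one tab per widget class in ENABLED_WIDGETS.

    Each widget is constructed with a reference to this form and reads the
    per-process Cuckoo data (``impts``, ``calls``) from it when it loads.
    """

    # Widget classes shown as tabs, in tab order.  Each exposes a
    # ``short_name`` class attribute and a ``getTacoTab()`` method returning
    # ``(tab, tab_name)``; widgets whose short_name starts with "cuckoo_" are
    # only loaded once report data is available (see loadNonCuckooTabs).
    ENABLED_WIDGETS = [
        TacoLoader,
        TacoCalls,
        TacoSignatures,
        TacoImports,
        TacoByteStrings,
        TacoInterestingXOR,
        TacoSwitchJumps,
    ]

    def Show(self):
        """Display the form under the "T.A.C.O." caption with a persisted layout."""
        return idaapi.PluginForm.Show(self, "T.A.C.O.", options=idaapi.PluginForm.FORM_PERSIST)

    def OnCreate(self, form):
        """Build the tab control, instantiate every enabled widget and load the
        widgets that do not depend on Cuckoo data.

        Args:
            form: the IDA form handle handed in by PluginForm.
        """
        # Get parent widget
        self.parent = self.FormToPySideWidget(form)
        # Per-process data; filled in by loadProcessData() once a process is
        # selected in the loader tab.
        self.calls = []
        self.call_categories = set()
        self.cuckoo_version = "Unknown"
        self.impts = []
        # Create tab control
        self.tabs = QtGui.QTabWidget()
        self.tabs.setTabsClosable(False)
        # short_name -> widget instance, looked up by the load callbacks below
        self._widgets = {}
        for widget_cls in self.ENABLED_WIDGETS:
            widget = widget_cls(self)
            self._widgets[widget_cls.short_name] = widget
            tab, tab_name = widget.getTacoTab()
            self.tabs.addTab(tab, tab_name)
        layout = QtGui.QVBoxLayout()
        layout.addWidget(self.tabs)
        self.parent.setLayout(layout)
        self.loadNonCuckooTabs()

    def loadNonCuckooTabs(self):
        """Load every widget whose short_name does not start with "cuckoo_"."""
        for widget_name, widget in self._widgets.items():
            if widget_name.startswith("cuckoo_"):
                continue
            log.debug("Loading Widget {}".format(widget_name))
            widget.load()

    def OnClose(self, form):
        """Drop the module-level ``TacoForm`` reference when IDA closes the form.

        The ``del`` is guarded so that a close before start() bound the global,
        or a second close, does not raise NameError.
        """
        global TacoForm
        try:
            del TacoForm
        except NameError:
            log.debug("TacoForm was not set")
        log.debug("Closing")

    def Create(self):
        """Always report successful creation to IDA."""
        return True

    def jsonFileLoaded(self):
        """Refresh the loader's process tree and the signatures tab after a
        Cuckoo JSON report has been read."""
        self._widgets["cuckoo_loader"].loadProcTree()
        self._widgets["cuckoo_signatures"].load()

    def loadProcessData(self):
        """Publish the imports and API calls of the process selected in the
        loader tab and reload the tabs that display them.

        Does nothing unless exactly one process is selected.  The pid is
        taken from the tree item's text, which ultimately comes from the
        report file, so it is validated rather than trusted: a non-numeric
        or unknown pid is logged and the current data is left unchanged.
        """
        selected = self._widgets["cuckoo_loader"].getSelectedItems()
        if len(selected) != 1:
            return
        pid_text = selected[0].text(0)
        try:
            pid = int(pid_text)
        except (TypeError, ValueError):
            log.warning("Ignoring selected process with non-numeric pid %r", pid_text)
            return
        # NOTE(review): process_data is not initialised in OnCreate; presumably
        # the loader widget assigns it on this form when a report is read --
        # confirm, otherwise this raises AttributeError before any report load.
        try:
            data = self.process_data[pid]
        except KeyError:
            log.warning("No process data for pid %d", pid)
            return
        self.impts = data["imports"]
        self.calls = data["calls"]
        # @TODO: Set a flag for tabs that need to be signaled on data load
        self._widgets["cuckoo_imports"].load()
        self._widgets["cuckoo_calls"].load()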
def start():
    """Create the T.A.C.O. form, keep it in the module-level ``TacoForm``
    global (so OnClose can release it) and show it."""
    global TacoForm
    form = IDATaco()
    TacoForm = form
    form.Show()
start()