tsuib_1_pyth

from idautils import *
from idc import *
from ida_ida import *

def find_xor():
    xor_counter = 0
    ea = inf_get_min_ea()
    for funcAddr in Functions(get_segm_start(ea), get_segm_end(ea)):
        name = get_func_name(funcAddr)
        instructions_addresses = list(FuncItems(funcAddr))
        for addr in instructions_addresses:
            instruction = print_insn_mnem(addr)
            if instruction == "xor" and print_operand(addr, 1) != print_operand(addr, 0):
                xor_counter += 1
                print("In function {} at addr 0x{} {} {}, {}".format(name, addr, instruction, print_operand(addr, 0), print_operand(addr, 1)))
    print("Total quantity of XOR operation: {}".format(xor_counter))


def find_defense():
    print("========================")
    functions = list(["ds:CheckRemoteDebuggerPresent", "ds:IsDebuggerPresent"])
    ea = inf_get_min_ea()
    for funcAddr in Functions(get_segm_start(ea), get_segm_end(ea)):
        name = get_func_name(funcAddr)
        instructions_addresses = list(FuncItems(funcAddr))
        for addr in instructions_addresses:
            instruction = print_insn_mnem(addr)
            if instruction == "call":
                oper = print_operand(addr, 0)
                for i in functions:
                    if oper.find(i) != -1:
                        print("In function {} is detected at addr 0x{} call {}".format(name, funcAddr, oper))
    print("========================")

def find_time_manages():
    print("========================")
    functions = list(["ds:GetTickCount", "ds:GetSystemTimeAsFileTime"])
    ea = inf_get_min_ea()
    for funcAddr in Functions(get_segm_start(ea), get_segm_end(ea)):
        name = get_func_name(funcAddr)
        instructions_addresses = list(FuncItems(funcAddr))
        for addr in instructions_addresses:
            instruction = print_insn_mnem(addr)
            if instruction == "call":
                oper = print_operand(addr, 0)
                for i in functions:
                    if oper.find(i) != -1:
                        print("In function {} is detected at addr 0x{} call {}".format(name, funcAddr, oper))
            elif instruction == "rdtsc":
                oper = print_operand(addr, 0)
                print("In function {} is detected at addr 0x{} rtdsc {}".format(name, funcAddr, oper))

def find_rare():
    print("========================")
    ea = inf_get_min_ea()
    for funcAddr in Functions(get_segm_start(ea), get_segm_end(ea)):
        name = get_func_name(funcAddr)
        instructions_addresses = list(FuncItems(funcAddr))
        for addr in instructions_addresses:
            instruction = print_insn_mnem(addr)
            if instruction == "int":
                oper = print_operand(addr, 0)
                print("In function {} is detected at addr 0x{} int {}".format(name, funcAddr, oper))
    print("========================")

def find_peb_teb():
    print("========================")
    ea = inf_get_min_ea()
    for funcAddr in Functions(get_segm_start(ea), get_segm_end(ea)):
        name = get_func_name(funcAddr)
        instructions_addresses = list(FuncItems(funcAddr))
        for addr in instructions_addresses:
            instruction = print_insn_mnem(addr)
            if instruction == "mov":
                oper = print_operand(addr, 1)
                if oper.find("fs:30h") != -1:
                    print("Reading from PEB detected\nIn function {} is detected at addr 0x{} mov {}, {}".format(name, funcAddr,  print_operand(addr, 0), oper))
                elif oper.find("fs:18h") != -1:
                    print("Reading from TEB detected\nIn function {} is detected at addr 0x{} mov {}, {}".format(name, funcAddr,  print_operand(addr, 0), oper))

def find_crypt():
    print("========================")
    ea = inf_get_min_ea()
    jmps = ['jmp', 'jnz', 'jz', 'jbe', 'jne', 'je', 'jb', 'jg', 'jge']
    for func in Functions(get_segm_start(ea), get_segm_end(ea)):
        func_name = get_func_name(func)
        xor_addr = 0
        instructions_addresses = list(FuncItems(func))
        for instr_addr in instructions_addresses:
            if print_insn_mnem(instr_addr) == 'xor':
                code = print_operand(instr_addr, 1)[0:-1]
                try:
                    val = int(code)
                except ValueError:
                    pass
                else:
                    if val <= 8192 and val >= 1:
                        xor_value = val
                        xor_addr = instr_addr

            if print_insn_mnem(instr_addr) in jmps:
                oper = print_operand(instr_addr, 0)
                if oper.find('loc_') != -1:
                    if instr_addr > xor_addr and xor_addr > int(oper[4:len(oper) + 1], 16):
                        print ("Function with xor coding {} at address {}. Constant key = {}".format(func_name, hex(func)[0:-1].upper(), xor_value))
    print("========================")

def anti_xor():
    mov_counter = 0
    decrypted = list()
    print("========================")
    ea = inf_get_min_ea()
    for funcAddr in Functions(get_segm_start(ea), get_segm_end(ea)):
        name = get_func_name(funcAddr)
        instructions_addresses = list(FuncItems(funcAddr))
        for addr in instructions_addresses:
            if print_insn_mnem(addr) == "mov":
                if print_operand(addr, 1) == "0" and mov_counter > 2 and decrypted is not None:
                    string = ""
                    for i in decrypted:
                        symbol = i ^ 0x22
                        if symbol == 32 or symbol == 33 or (symbol >= 40 and symbol <= 126):
                            string += chr(symbol)
                    if string != "":
                        print (repr(string))
                    decrypted = list()
                    mov_counter = 0
                if get_operand_type(addr,1) == 5:
                    decrypted.append(get_operand_value(addr, 1))
                    mov_counter += 1
            else:
                mov_counter = 0
                decrypted = list()
    print("========================")