fuzzynop

ColorIda Script Compatible With Startup Script

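"""ColorIda: tag calls, likely anti-VM/anti-debug instructions and non-zeroing xors.

Runs inside IDA (IDAPython, Python 2 era API: GetMnem/GetOpnd/SetColor).
Safe as a startup script because it waits for auto-analysis to finish
before walking the heads.
"""
import idaapi
from idautils import *
from idc import *

# Mnemonics that malware commonly uses to probe for a VM or debugger
# (descriptor-table reads, timing, port I/O, cpuid).  A hit is only a hint
# that deserves a manual look, not proof of evasion.
ANTI_VM_MNEMONICS = frozenset(
    ["sidt", "rdtsc", "sgdt", "sldt", "smsw", "str", "in", "cpuid"]
)

# Item colors passed to SetColor; IDA interprets them as 0xBBGGRR.
COLOR_CALL = 0x666666     # grey
COLOR_ANTI_VM = 0x0000ff  # red
COLOR_XOR = 0x00a5ff      # orange


def classify_heads(heads):
    """Bucket instruction addresses by what they look like.

    Args:
        heads: iterable of instruction/data addresses (e.g. ``Heads()``).

    Returns:
        ``(func_calls, anti_vm, xors)`` — lists of addresses, in head order:
        ``call`` instructions, instructions whose mnemonic is in
        ``ANTI_VM_MNEMONICS``, and ``xor`` instructions whose two operands
        differ (i.e. not the idiomatic ``xor reg, reg`` zeroing).
    """
    func_calls, anti_vm, xors = [], [], []
    for ea in heads:
        # One GetMnem per head instead of one per comparison.
        mnem = GetMnem(ea)
        if mnem == "call":
            func_calls.append(ea)
        elif mnem in ANTI_VM_MNEMONICS:
            anti_vm.append(ea)
        elif mnem == "xor" and GetOpnd(ea, 0) != GetOpnd(ea, 1):
            xors.append(ea)
    return func_calls, anti_vm, xors


def color_items(addresses, color):
    """Apply *color* (0xBBGGRR) to every item in *addresses* via SetColor."""
    for ea in addresses:
        SetColor(ea, CIC_ITEM, color)


def report_and_color(func_calls, anti_vm, xors):
    """Print counts (and anti-VM addresses) then color the three groups."""
    print("Number of calls: %d" % len(func_calls))
    color_items(func_calls, COLOR_CALL)

    print("Number of potential Anti-VM instructions: %d" % len(anti_vm))
    for ea in anti_vm:
        print("Anti-VM potential at %x" % ea)
    color_items(anti_vm, COLOR_ANTI_VM)

    print("Number of xor: %d" % len(xors))
    color_items(xors, COLOR_XOR)


# Block until auto-analysis is done so a startup script sees all heads.
idaapi.autoWait()

# Heads() with no bounds walks the whole database; the old explicit
# 0..0xFFFFFFFF range silently skipped anything above 4 GiB in 64-bit images.
func_calls, anti_vm, xors = classify_heads(Heads())
report_and_color(func_calls, anti_vm, xors)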