IDA

📖推荐书籍📖IDA Pro权威指南(第2版)

IDAPro权威指南(第二版)中文完美版.pdf

内置函数

Hex Rays > IDA Help > IDA Help: Alphabetical list of IDC functions

MakeNameEX

  1. MakeNameEx(long ea, string name, long flags=SN_CHECK);
  • ea:linear address
  • name:new name of address. If name == “”, then delete old name
  • flags:combination of SN_… constants

解释:MakeNameEx(函数地址,”函数名称”,函数flags)
示例:

  1. MakeNameEx(0x400104,"CreateThread",SN_PUBLIC);

IDA官方链接

  1. Rename an address
  2.      ea - linear address
  3.      name - new name of address. If name == "", then delete old name
  4.      flags - combination of SN_... constants
  5. returns: 1-ok, 0-failure
  7. success set_name(long ea, string name, long flags=SN_CHECK);
  10. #define SN_CHECK        0x01    // Fail if the name contains invalid characters
  11.                                 // If this bit is clear, all invalid chars
  12.                                 // (those !is_ident_char()) will be replaced
  13.                                 // by SUBSTCHAR
  14.                                 // List of valid characters is defined in ida.cfg
  15. #define SN_NOCHECK      0x00    // Replace invalid chars with SUBSTCHAR
  16. #define SN_PUBLIC       0x02    // if set, make name public
  17. #define SN_NON_PUBLIC   0x04    // if set, make name non-public
  18. #define SN_WEAK         0x08    // if set, make name weak
  19. #define SN_NON_WEAK     0x10    // if set, make name non-weak
  20. #define SN_AUTO         0x20    // if set, make name autogenerated
  21. #define SN_NON_AUTO     0x40    // if set, make name non-autogenerated
  22. #define SN_NOLIST       0x80    // if set, exclude name from the list
  23.                                 // if not set, then include the name into
  24.                                 // the list (however, if other bits are set,
  25.                                 // the name might be immediately excluded
  26.                                 // from the list)
  27. #define SN_NOWARN       0x100   // don't display a warning if failed
  28. #define SN_LOCAL        0x200   // create local name. a function should exist.
  29.                                 // local names can't be public or weak.
  30.                                 // also they are not included into the list of names
  31.                                 // they can't have dummy prefixes
  32. #define SN_IDBENC       0x400   // the name is given in the IDB encoding;
  33.                                 // non-ASCII bytes will be decoded accordingly.
  34.                                 // Specifying SN_IDBENC also implies SN_NODUMMY
  35. #define SN_FORCE        0x800   // if the specified name is already present
  36.                                 // in the database, try variations with a
  37.                                 // numerical suffix like "_123"
  38. #define SN_NODUMMY      0x1000  // automatically prepend the name with '_' if it
  39.                                 // begins with a dummy suffix such as 'sub_'.
  40.                                 // See also SN_IDBENC
  41. #define SN_DELTAIL      0x2000  // if name cannot be set because of a tail byte,
  42.                                 // delete the hindering item

实际运用

场景:样本通过Call+函数地址的方式调用函数,函数地址在IDA文件里面显示为数字,如:
IDA - 图1
函数地址大多通过Loadlibrary+GetProAddress动态获取
调用时,显示为:

IDA - 图2
通过脚本设置:image.png
image.png
设置后:IDA - 图5
前后对比:IDA - 图6

脚本中的函数地址通过IAT获取,请务必搞清楚地址,和地址内的值,以及函数之间的关系(如IAT的概念):
image.png

复制数据后,保留地址和函数名,最后处理(比如用Excel表格)成MakeNameEx(0x72941254,"CloseHandle",SN_PUBLIC)