How to use vivisect - 10 common examples
To help you get started, we’ve selected a few vivisect examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
fr0gger / unprotect / windows_unprotect / module / strings.py View on Github 
def get_decoded_strings(exe):
# type: (object) -> object
vw = vivisect.VivWorkspace()
vw.loadFromFile(exe)
vw.analyze()
selected_functions = floss.main.select_functions(vw, None)
decoding_functions_candidates = floss.identification_manager.identify_decoding_functions(
vw,
floss.main.get_all_plugins(),
selected_functions
)
decoded_strings = floss.main.decode_strings(
vw,
decoding_functions_candidates,
MIN_STRINGLEN
)
stack_strings = floss.stackstrings.extract_stackstrings(
vw,def main():
do_tests()
#markup_type(IDAEnv(), ScreenEA())
#dump_this_type()
if len(sys.argv) == 3:
if "viv" in sys.argv[1]:
vw = vivisect.VivWorkspace()
vw.loadWorkspace(sys.argv[1])
dump_type(VivEnv(vw), int(sys.argv[2], 0x10))def loadWorkspaceFromIdb():
'''
from IDA Pro, load the currently loaded module into a vivisect workspace.
currently only supports windows PE files.
Returns:
vivisect.Workspace: the loaded and analyzed vivisect workspace.
'''
vw = vivisect.VivWorkspace()
if is_x86():
vw.setMeta('Architecture', 'i386')
elif is_x64():
vw.setMeta('Architecture', 'amd64')
else:
raise NotImplementedError('unsupported architecture')
if not is_exe():
raise NotImplementedError('unsupported file format')
vw.setMeta('Platform', 'windows')
vw.setMeta('Format', 'pe')
vw._snapInAnalysisModules()
filename = idc.GetInputFile()Parameters:
addr : any virtual address within a memory region
entry_point : (optional) original entry point
use_pe_load : (optional) attempt to save the memory region bytes to disk and load as PE
reanalyze : (optional) reanalyze the vivisect workspace, use this if the workspace has become stale
"""
print " [+] Getting vivisect workspace."
import vivisect # expensive import, so let's on-demand load it
pu = ProcessUtils()
va = pu.get_allocation_base(addr)
bytes = pu.get_process_region_bytes(va)
storage_name = '%d_%x_%x' % (self.process.get_pid(), va, len(bytes))
self.vw = vivisect.VivWorkspace()
temp_dir = tempfile.gettempdir()
storage_fname = '%s\\%s.viv' % (temp_dir, storage_name)
# Don't reanalyze the workspace, try to grab a cached one even if stale
if not reanalyze and os.path.exists(storage_fname):
self.vw.loadWorkspace(storage_fname)
# Reanalyze and create new workspace
else:
self.vw.setMeta('Architecture', self.arch)
self.vw.setMeta('Platform', 'windows')
self.vw.setMeta('Format', 'pe')
self.vw.config.viv.parsers.pe.nx = True
if utils.is_legit_pe(bytes) and use_pe_load:
import vivisect.parsers.pecacheDict = None
if filename is None:
return None
if cacheDict is None:
cacheDict = {}
logger.info('No vw cache present.')
setattr(sys.modules['idaapi'], 'vw_cached_workspace', cacheDict)
else:
vw = cacheDict.get(filename)
if vw is None:
logger.info('Got cache dict, but workspace not present')
else:
logger.info('Got vw from cached global value!')
return vw
vw = vivisect.VivWorkspace()
vivName = queryIdbNetnode(VIV_WORKSPACE_NAME)
if vivName is None or not os.path.exists(vivName):
vivName = filename + '.viv'
if os.path.exists(vivName):
logger.info('Loading existing workspace %s', vivName)
sys.stdout.flush()
vw.loadWorkspace(vivName)
else:
logger.info('Loading file into vivisect: %s', filename)
sys.stdout.flush()
vw.loadFromFile(filename)
if not fast:
logger.info('Performing vivisect analysis now. This may take some time...')
logger.info('#'*80)
vw.analyze()
logger.info('#'*80)def get_decoded_strings(exe):
# type: (object) -> object
# Prepare FLOSS for extracting hidden & encoded strings
vw = vivisect.VivWorkspace()
vw.loadFromFile(exe)
vw.analyze()
selected_functions = floss.main.select_functions(vw, None)
decoding_functions_candidates = floss.identification_manager.identify_decoding_functions(
vw,
floss.main.get_all_plugins(),
selected_functions
)
decoded_strings = floss.main.decode_strings(
vw,
decoding_functions_candidates,
MIN_STRINGLEN
)
stack_strings = floss.stackstrings.extract_stackstrings(
vw,def getWorkspaceFromFile(filepath, analyze=True):
"""
deserialize a file into a new vivisect workspace.
"""
vw = vivisect.VivWorkspace()
vw.verbose = True
vw.config.viv.parsers.pe.nx = True
vw.loadFromFile(filepath)
setVwVivisectLibraryVersion(vw)
if analyze:
setVwVivisectLibraryVersion(vw)
vw.analyze()
return vwself.vw._snapInAnalysisModules()
else:
import vivisect.parsers.pe
import envi.memory
import vivisect.const
defcall = vivisect.parsers.pe.defcalls.get(self.arch)
self.vw.setMeta("DefaultCall", defcall)
self.vw.addMemoryMap(va, envi.memory.MM_RWX, "", bytes)
pe = None
if utils.is_legit_pe(bytes):
pe = utils.get_pe_obj(va)
if not entry_point and pe:
entry_point = pe.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint + va
if entry_point:
self.vw.addEntryPoint(entry_point)
self.vw.addExport(entry_point, vivisect.const.EXP_FUNCTION, '__entry', '')
if pe:
self.vw.addVaSet("Library Loads",
(("Address", vivisect.const.VASET_ADDRESS), ("Library", vivisect.const.VASET_STRING)))
self.vw.addVaSet('pe:ordinals',
(('Address', vivisect.const.VASET_ADDRESS), ('Ordinal', vivisect.const.VASET_INTEGER)))
# Add exports
for rva, _, expname in pe.getExports():
self.vw.addExport(
va + rva, vivisect.const.EXP_UNTYPED, expname, '')
# Add imports
for rva, lname, iname in pe.getImports():
if self.vw.probeMemory(rva + va, 4, envi.memory.MM_READ):
self.vw.makeImport(rva + va, lname, iname)
self.vw._snapInAnalysisModules()def get_predecessor_basic_blocks(self, bb):
if bb.va in self._pred_cache:
for nbb in self._pred_cache[bb.va]:
yield nbb
return
predecessors = []
for xref in get_all_xrefs_to(self.vw, bb.va):
try:
pred = self.bb_by_end[xref[vivisect.const.XR_FROM]]
yield pred
predecessors.append(pred)
except KeyError:
# if we have a jump to the import table,
# the target of the jump is not a basic block in the function.
continue
self._pred_cache[bb.va] = predecessorsdef getAllXrefsTo(vw, va):
import vivisect
#manually parse the preceding instruction & look to see if it can fall through to us
#make a copy of the xrefs!!! or badness will ensue
init = vw.getXrefsTo(va)[:]
prev = vw.getPrevLocation(va)
if prev is None:
return init
lva, lsize, ltype, linfo = prev
if ltype != vivisect.const.LOC_OP:
return init
try:
op = vw.parseOpcode(lva)
except Exception:
print ('Weird error while doing getAllXrefsTo: %s' % str(err))
return init
brlist = op.getBranches()
for tova,bflags in brlist:
if tova == va:
init.append( (lva, tova, vivisect.const.REF_CODE, bflags) )
return initvivisect
Pure python disassembler, debugger, emulator, and static analysis framework
Package Health Score
65 / 100Popular vivisect functions
- vivisect.const
- vivisect.const.EXP_FUNCTION
- vivisect.const.EXP_UNTYPED
- vivisect.const.L_SIZE
- vivisect.const.L_VA
- vivisect.const.LOC_IMPORT
- vivisect.const.LOC_OP
- vivisect.const.LOC_STRING
- vivisect.const.LOC_UNI
- vivisect.const.REF_CODE
- vivisect.const.VASET_ADDRESS
- vivisect.const.VASET_INTEGER
- vivisect.impemu
- vivisect.impemu.monitor.EmulationMonitor
- vivisect.impemu.monitor.EmulationMonitor.__init__
- vivisect.parsers.pe
- vivisect.VivWorkspace