Question
I made an IDA Python script which checks code coverage. But when I used this script, I got a runtime error and I could not get the correct ESP value.
-My code-
from idaapi import *
from idc import *
from idautils import *

class DbgHook(DBG_Hooks):
    def dbg_process_exit(self, pid, tid, ea, code):
        # Delete the breakpoints when the process exits
        for fun in Functions(SegStart(ScreenEA()), SegEnd(ScreenEA())):
            DelBpt(fun)
        # Unhook once the breakpoints have been removed
        debugger.unhook()
        return

    def dbg_bpt(self, tid, ea):
        # Read the return address at [esp] when a function's entry breakpoint is hit
        RefCode = get_long(GetRegValue('esp'))
        print "[*] Hit : 0x%08x - %s" % (ea, GetFunctionName(ea))
        print "    GetRegValue : compare RET : 0x%08x" % RefCode
        return 1

# Put a non-breaking breakpoint on every function in the current segment
for fun in Functions(SegStart(ScreenEA()), SegEnd(ScreenEA())):
    fnName = GetFunctionName(fun)
    AddBpt(fun)
    SetBptAttr(fun, BPTATTR_FLAGS, GetBptAttr(fun, BPTATTR_FLAGS) & ~BPT_BRK)

debugger = DbgHook()
debugger.unhook()
debugger.hook()
num_bp = GetBptQty()
print "[*] Set %d breakpoints " % num_bp
And I got this error:
[*] Set 153 breakpoints
Cannot find sync source "view:IDA View-A"; ignoring group
400000: process C:\temp\nc.exe has started (pid=6336)
773C0000: loaded C:\WINDOWS\system32\ntdll.dll
Unloaded
Unloaded
Unloaded
Unloaded
76050000: loaded C:\WINDOWS\SysWOW64\kernel32.dll
76550000: loaded C:\WINDOWS\SysWOW64\KernelBase.dll
76360000: loaded C:\WINDOWS\SysWOW64\msvcrt.dll
77409FA0: thread has started (tid=11496)
77409FA0: thread has started (tid=10228)
74010000: loaded C:\WINDOWS\SysWOW64\wsock32.dll
76130000: loaded C:\WINDOWS\SysWOW64\ws2_32.dll
762B0000: loaded C:\WINDOWS\SysWOW64\sechost.dll
75FA0000: loaded C:\WINDOWS\SysWOW64\rpcrt4.dll
740F0000: loaded C:\WINDOWS\SysWOW64\sspicli.dll
740E0000: loaded C:\WINDOWS\SysWOW64\cryptbase.dll
770B0000: loaded C:\WINDOWS\SysWOW64\bcryptprimitives.dll
77409FA0: thread has started (tid=9556)
[*] Hit : 0x004057f0 - TlsCallback_0
GetRegValue : compare RET : 0x77436aae
[*] Hit : 0x00405eb0 - sub_405EB0
GetRegValue : compare RET : 0x00000000
[*] Hit : 0x004061e8 - InitializeCriticalSection
GetRegValue : compare RET : 0x00000000
Exception in DBG Hook function: SWIG director method error. Error detected when calling 'DBG_Hooks.dbg_bpt'
Traceback (most recent call last):
File "C:/Users/jm/Documents/MakeCode/ida-python/tutorial/Code_Cover.py", line 18, in dbg_bpt
RefCode = get_long(GetRegValue('esp'))
StopIteration
Exception in DBG Hook function: SWIG director method error. Error detected when calling 'DBG_Hooks.dbg_bpt'
Traceback (most recent call last):
File "C:/Users/jm/Documents/MakeCode/ida-python/tutorial/Code_Cover.py", line 18, in dbg_bpt
RefCode = get_long(GetRegValue('esp'))
StopIteration
[*] Hit : 0x00401020 - sub_401020
GetRegValue : compare RET : 0x00401178
[*] Hit : 0x004057f0 - TlsCallback_0
GetRegValue : compare RET : 0x00401160
[*] Hit : 0x00405620 - SetUnhandledExceptionFilter
GetRegValue : compare RET : 0x00401160
[*] Hit : 0x00405980 - sub_405980
GetRegValue : compare RET : 0x00401160
[*] Hit : 0x00405e10 - sub_405E10
GetRegValue : compare RET : 0x00401160
[*] Hit : 0x00406088 - __getmainargs
GetRegValue : compare RET : 0x00401160
[*] Hit : 0x00406090 - __p__fmode
GetRegValue : compare RET : 0x00401160
[*] Hit : 0x00405ba0 - sub_405BA0
GetRegValue : compare RET : 0x00401160
[*] Hit : 0x00405df0 - sub_405DF0
GetRegValue : compare RET : 0x9b3e0acd
[*] Hit : 0x00405d90 - sub_405D90
GetRegValue : compare RET : 0x9b3e0acd
Exception in DBG Hook function: SWIG director method error. Error detected when calling 'DBG_Hooks.dbg_bpt'
Traceback (most recent call last):
File "C:/Users/jm/Documents/MakeCode/ida-python/tutorial/Code_Cover.py", line 18, in dbg_bpt
RefCode = get_long(GetRegValue('esp'))
StopIteration
[*] Hit : 0x00401300 - sub_401300
GetRegValue : compare RET : 0x00000000
When I manually checked ESP at 0x00401300, I could see the value 0x0040620b, but with my code there was an incorrect ESP value of 0x00000000 at 0x00401300.
How could I fix it?
Answer 1:
Since OP did not provide an answer, I'll give it a shot.
IDA maintains its own copy / representation of the analyzed file in its IDB file format (and the uncompressed files while active). Those files contain every byte in the executable by default, and will contain most bytes in most allocated memory regions while debugging. A similar thing happens with registers.
IDA does not (and cannot) constantly update the state of memory and registers while the executable is running and only does so periodically. To assist with that, the function RefreshDebuggerMemory() will force IDA to refresh memory (and register) state.
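Putting the answer's advice into the poster's hook, as an added example that is not code from the question or the answer: it calls idc.RefreshDebuggerMemory() before reading ESP, unhooks only after the breakpoints are deleted, and keeps the bookkeeping (record_hit, coverage_report) free of IDA calls so it can be checked outside IDA. The names install_coverage_hook and CoverageHook are mine; the hook assumes the IDA 6.x idc/idautils API the question uses (idc.RefreshDebuggerMemory, idc.Dword).

```python
def record_hit(hits, ea, name, ret_addr):
    """Store one breakpoint hit keyed by function address; return the hit count."""
    entry = hits.setdefault(ea, {"name": name, "rets": [], "count": 0})
    entry["count"] += 1
    entry["rets"].append(ret_addr)
    return entry["count"]

def coverage_report(hits, total):
    """Return (covered, total, lines) for every function reached at least once."""
    lines = []
    for ea in sorted(hits):
        e = hits[ea]
        lines.append("0x%08x %-28s hits=%d first_ret=0x%08x"
                     % (ea, e["name"], e["count"], e["rets"][0]))
    return len(hits), total, lines

def install_coverage_hook():
    """Set non-breaking breakpoints on every function of the current segment (IDA only)."""
    import idaapi, idc, idautils   # imported here so the helpers above load outside IDA

    class CoverageHook(idaapi.DBG_Hooks):
        def __init__(self, funcs):
            idaapi.DBG_Hooks.__init__(self)
            self.funcs, self.hits = funcs, {}

        def dbg_bpt(self, tid, ea):
            # Make IDA re-read registers and memory from the debuggee before touching ESP;
            # the stale cached copy is what produced the bogus 0x00000000 in the question.
            idc.RefreshDebuggerMemory()
            esp = idc.GetRegValue("esp")
            ret_addr = idc.Dword(esp)     # return address pushed by the CALL that got us here
            record_hit(self.hits, ea, idc.GetFunctionName(ea), ret_addr)
            print("[*] Hit : 0x%08x - %s RET 0x%08x" % (ea, idc.GetFunctionName(ea), ret_addr))
            return 0                      # 0 = never show a breakpoint warning dialog

        def dbg_process_exit(self, pid, tid, ea, code):
            for f in self.funcs:
                idc.DelBpt(f)
            covered, total, lines = coverage_report(self.hits, len(self.funcs))
            for line in lines:
                print(line)
            print("[*] covered %d of %d functions" % (covered, total))
            self.unhook()                 # unhook only after the cleanup above

    seg_start = idc.SegStart(idc.ScreenEA())
    funcs = list(idautils.Functions(seg_start, idc.SegEnd(seg_start)))
    for f in funcs:
        idc.AddBpt(f)
        idc.SetBptAttr(f, idc.BPTATTR_FLAGS, idc.GetBptAttr(f, idc.BPTATTR_FLAGS) & ~idc.BPT_BRK)
    hook = CoverageHook(funcs)
    hook.hook()
    return hook
```

Run install_coverage_hook() from IDA's script window with the cursor in the code segment, then start the debugger; the report is printed when the process exits.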
Source: https://stackoverflow.com/questions/35076730/ida-python-why-my-code-return-incorrect-esp-value