The purpose of this example is to showcase how you can use the python scientifc computing tools with IDA Pro. In order to complete this demo you will need to have numpy, pandas, scipy and matplotlib installed. Once installed launch IDA with a notepad.exe database loaded (actually doesn't have to be notepad.exe but it's the one used in this example).
%matplotlib inline
import scipy.stats
import idc
import idaapi
import idautils
import numpy as np
import pandas as pd
import pylab
#Better looking Graphs..
pd.options.display.mpl_style = 'default'
pylab.rcParams['figure.figsize'] = 12.0, 8.0
#Binary Info
print "MD5: {} Binary: {}".format(idc.GetInputMD5(), idc.GetInputFile())
----------------------------------------------------------------------------------------------------- Python 2.7.5 |Anaconda 2.1.0 (32-bit)| (default, May 31 2013, 10:43:53) [MSC v.1500 32 bit (Intel)] IDAPython v1.7.0 final (serial 0) (c) The IDAPython Team <idapython@googlegroups.com> ----------------------------------------------------------------------------------------------------- MD5: E30299799C4ECE3B53F4A7B8897A35B6 Binary: notepad.exe
def entropy(in_bytes):
bytes = np.array(np.fromstring(in_bytes,dtype='uint8'), dtype='int32')
return scipy.stats.entropy(bytes[np.nonzero(bytes)])
def get_func_bytes(func_ea):
bytes = ""
for start, end in idautils.Chunks(func_ea):
bytes += idaapi.get_many_bytes(start, end - start)
return bytes
func_start = idc.GetFunctionAttr(idc.ScreenEA(), idc.FUNCATTR_START)
data = ((func_ea, entropy(get_func_bytes(func_ea))) for func_ea in idautils.Functions())
func_df = pd.DataFrame(data, columns=["EA", "Entropy"])
func_df['Formatted_EA'] = func_df['EA'].map(lambda ea: "{:X}".format(ea))
df_plt = func_df
ax = df_plt.plot(kind='scatter', x='EA', y='Entropy')
ax.set_xticklabels(['{:X}'.format(int(ea)) for ea in ax.get_xticks()])
ax
<matplotlib.axes._subplots.AxesSubplot at 0xdb5a030>
func_df.sort(['Entropy'], ascending=False)
EA | Entropy | Formatted_EA | |
---|---|---|---|
50 | 4223618 | 10.309925 | 407282 |
9 | 4199506 | 9.205673 | 401452 |
114 | 4279164 | 7.074449 | 414B7C |
11 | 4202542 | 6.874658 | 40202E |
117 | 4281006 | 6.558433 | 4152AE |
34 | 4220529 | 6.495139 | 406671 |
13 | 4204565 | 6.365993 | 402815 |
101 | 4275385 | 6.263491 | 413CB9 |
108 | 4277295 | 6.136212 | 41442F |
93 | 4274148 | 6.068605 | 4137E4 |
31 | 4220082 | 5.946059 | 4064B2 |
109 | 4277951 | 5.812822 | 4146BF |
1 | 4198624 | 5.805990 | 4010E0 |
107 | 4276843 | 5.769901 | 41426B |
84 | 4272057 | 5.663713 | 412FB9 |
123 | 4282943 | 5.635076 | 415A3F |
90 | 4273209 | 5.622370 | 413439 |
92 | 4273763 | 5.433877 | 413663 |
112 | 4278645 | 5.361000 | 414975 |
22 | 4219325 | 5.339757 | 4061BD |
77 | 4270842 | 5.337793 | 412AFA |
61 | 4269088 | 5.297247 | 412420 |
74 | 4270285 | 5.212553 | 4128CD |
81 | 4271678 | 5.192738 | 412E3E |
0 | 4198405 | 5.168159 | 401005 |
144 | 4283747 | 5.157894 | 415D63 |
120 | 4282474 | 5.152816 | 41586A |
89 | 4272974 | 5.110607 | 41334E |
119 | 4282243 | 5.108883 | 415783 |
113 | 4278944 | 5.052786 | 414AA0 |
... | ... | ... | ... |
128 | 4283454 | 2.196426 | 415C3E |
138 | 4283610 | 2.190622 | 415CDA |
133 | 4283528 | 2.184170 | 415C88 |
126 | 4283418 | 2.176904 | 415C1A |
43 | 4222965 | 2.173053 | 406FF5 |
131 | 4283492 | 2.168547 | 415C64 |
127 | 4283436 | 2.158516 | 415C2C |
137 | 4283594 | 2.143894 | 415CCA |
2 | 4198750 | 2.060482 | 40115E |
82 | 4271969 | 2.008445 | 412F61 |
12 | 4204543 | 1.496372 | 4027FF |
8 | 4199495 | 1.433464 | 401447 |
153 | 4284699 | 1.433189 | 41611B |
147 | 4284279 | 1.433088 | 415F77 |
148 | 4284290 | 1.432506 | 415F82 |
27 | 4219819 | 1.430097 | 4063AB |
10 | 4202531 | 1.420613 | 402023 |
135 | 4283564 | 1.418097 | 415CAC |
63 | 4269465 | 1.412329 | 412599 |
59 | 4269062 | 1.396386 | 412406 |
60 | 4269075 | 1.377923 | 412413 |
53 | 4268456 | 1.229824 | 4121A8 |
129 | 4283472 | 1.189524 | 415C50 |
130 | 4283482 | 1.126457 | 415C5A |
140 | 4283638 | 1.090974 | 415CF6 |
139 | 4283628 | 1.069728 | 415CEC |
58 | 4269052 | 1.045125 | 4123FC |
54 | 4268460 | 1.039051 | 4121AC |
25 | 4219744 | 0.972180 | 406360 |
154 | 4284712 | -0.000000 | 416128 |
155 rows × 3 columns
idc.Message(str(func_df.sort(['Entropy'], ascending=False)))