merge: merge branch "function_plt_checker" to "development"

Function PLT checker
VyacheslavIurevich · Jul 12, 2024 · f20b040 · f20b040
2 parents d2b579d + fbf6e95
commit f20b040
Showing 1 changed file with 29 additions and 0 deletions.
diff --git a/src/function_is_plt.py b/src/function_is_plt.py
@@ -0,0 +1,29 @@
+'''Check if input function is PLT jump'''
+
+#pylint: disable=wrong-import-order
+import pyhidra # pylint: disable=import-error
+from elftools.elf.elffile import ELFFile # pylint: disable=import-error
+pyhidra.start()
+
+def get_got_bounds(path):
+    '''Get GOT section addresses bounds'''
+    with open(path, "rb") as file:
+        elf = ELFFile(file)
+        section = elf.get_section_by_name('.got')
+        return section.header.sh_addr, section.header.sh_addr + section.header.sh_size - 2
+
+def function_is_plt(function, path):
+    '''Check if input function is PLT jump'''
+    program = function.getProgram()
+    image_base = int(str(program.getImageBase()), 16)
+    listing = program.getListing()
+    body = function.getBody()
+    got_start, got_end = get_got_bounds(path)
+    for address in body.getAddresses(True):
+        code_unit = str(listing.getCodeUnitAt(address))
+        if code_unit.startswith("JMP qword ptr"):
+            words = code_unit.split()
+            address_str = words[-1][1:-1] # removing []
+            address = int(address_str, 16)
+            return got_start <= address - image_base <= got_end
+    return False