1#!/usr/bin/env ruby
2
3# Copyright (c) 2009 The Chromium Authors. All rights reserved.
4# Use of this source code is governed by a BSD-style license that can be
5# found in the LICENSE file.
6
7# This is an idarub script for extracting system call numbers from a DLL that
8# has been loaded into the IDA disassembler.  The interesting system call stubs
9# are contained in ntdll.dll, user32.dll, gdi32.dll, and imm32.dll.
10
11require 'idarub'
12
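ida, = IdaRub.auto_client

# Byte signature shared by the 32-bit syscall stubs this script looks for:
#   b8 xx xx xx xx    mov eax, <syscall number>
#   ba 00 03 fe 7f    mov edx, 7FFE0300h   (SharedUserData system-call pointer)
# The search matches the `mov edx` bytes; the 5-byte `mov eax, imm32` that is
# expected to sit directly before each hit carries the number we want.
SYSCALL_STUB_PATTERN = 'ba 00 03 fe 7f'
MOV_EAX_IMM32_OPCODE = 0xb8

# Name of the binary loaded in IDA; printed as the "module" half of each entry.
filename = ida.get_root_filename

# Start of the next search; advanced one byte past each hit so every stub in
# the image is visited exactly once.
curea = 0

loop do
  curea = ida.find_binary(
      curea, ida.BADADDR, SYSCALL_STUB_PATTERN, 16, ida.SEARCH_DOWN)
  break if curea == ida.BADADDR

  # A hit not preceded by `mov eax, imm32` is not a stub we understand. Abort
  # with the offending opcode and address instead of the opaque "z" message, so
  # a mismatch can be triaged in the disassembler.
  opcode = ida.get_byte(curea - 5)
  unless opcode == MOV_EAX_IMM32_OPCODE
    raise format('unexpected opcode 0x%02x before syscall stub at 0x%x',
                 opcode, curea)
  end

  # The imm32 operand of `mov eax` is the system call number.
  syscall = ida.get_long(curea - 4)
  # IDA decorates stdcall exports as _Name@argsize; keep only Name.
  # NOTE(review): get_func_name is assumed to return a String here, as in the
  # original; a hit outside any function would still raise NoMethodError.
  funcname = ida.get_func_name(curea).split('@', 2)[0].split('_', 2)[-1]
  puts '%d: "%s!%s",' % [syscall, filename, funcname]

  curea += 1
end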
33