Using RPC communication in IDApython to batch process module information

IDApython is very powerful, but each run of IDApython can only output information about a single module. If you want to process the information of several modules at the same time, the Python RPC service communication mechanism is a good choice.

This post mainly covers the issues that need attention when using RPC communication, so that other reverse engineers do not fall into the same pits I did.

For a concrete implementation of the RPC communication, see: https://blog.csdn.net/weixin_30955617/article/details/95011695
For Python 3, see: https://www.jianshu.com/p/9987913cf734
[Figure: host-side server listening on port 1010, queried by idat64.exe]
The host runs a server listening on port 1010; idat64.exe connects to port 1010 to query the server for the information it needs and receives the returned data.
But while the communication is actually running, the port on the idat64.exe side (the foreign address as seen from the server) is not fixed at 1010; it changes constantly, as shown below.
[Figure: netstat -ano output, second column showing the changing idat64.exe port]
Running netstat -ano shows that the foreign address (idat64.exe) keeps changing (the second column in the figure). The maximum port number is 65535; as the figure shows, after the port number has been increased to 65534, the idat64.exe side starts again from 1010 and increments the port number for each new communication.

DEBUG

1. An error that easily occurs while debugging IDApython:
ConnectionRefusedError: [WinError 10061]: the server is not started (sometimes no error is reported at all, and IDA simply hangs with no response).

2. While IDA was batch processing a set of modules, the RPC communication suddenly stopped at the beginning of a certain module and did not continue, leaving the program suspended. But when that module was run on its own, IDApython showed no problem at all.
No matter how long the RPC communication had been running, as soon as it reached that module, the communication was reliably suspended.
After a day of investigation and analysis, the cause was found: the headless program idat64.exe, when calling the output module to export the import-table information, had an added line that prints the import_entry structure. This line of code does not affect execution for ordinary small modules, but it reliably causes a hang in modules with larger import tables (more than 350 entries).
Therefore, the IDApython script that idat64.exe runs during batch processing must contain no print statements, and its comments must not be written in Chinese.

3. RPC communication in Python: this kind of remote procedure call uses HTTP as the transport protocol and XML as the encoding format for the transmitted information (XML-RPC). When passing parameters to server-side functions, some parameters are better passed in string form; other types such as int and str may cause errors.

# Both calls go to the server-side functions over XML-RPC.
# First argument passed as an integer:
info = searchheihei(1, 'StorPortLogError', 'storport')
print(info)
# Arguments passed as strings, the form the server side handles reliably:
ret = searchhaha('0', '4104')
print(ret)
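As an added example (not the author's code) of points 1 and 3, the following stand-alone Python 3 script runs a host-side XML-RPC server and a client that fails fast when the server is not up instead of letting IDA hang; the module table, the address values and the function names lookup_symbol, start_server, marshal_ok and query are all assumed for illustration. It also shows why the author's advice to pass strings matters: a 64-bit address does not fit the 32-bit <int> that XML-RPC allows.

```python
import socket
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer

# Constructed sample data standing in for what the server side knows about
# each module; real values would come from the batch job, not from here.
MODULES = {"storport": {"StorPortLogError": 0x1400173A0}}

def lookup_symbol(module, name):
    """Hypothetical server-side function: returns the address as a hex
    string, because a 64-bit address does not fit XML-RPC's 32-bit <int>."""
    ea = MODULES.get(module, {}).get(name)
    return "" if ea is None else hex(ea)

def start_server(port=0):
    """Start the host-side XML-RPC server; port 0 picks a free port
    (the post uses 1010). logRequests=False keeps the server quiet."""
    srv = SimpleXMLRPCServer(("127.0.0.1", port), logRequests=False)
    srv.register_function(lookup_symbol)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def marshal_ok(value):
    """True if the value can be sent as an XML-RPC parameter unchanged."""
    try:
        xmlrpc.client.dumps((value,))
        return True
    except OverflowError:  # int outside the 32-bit XML-RPC range
        return False

def query(port, module, name, timeout=5.0):
    """Client side, as an IDAPython script run by idat64.exe would do it.
    Returns None when the server is not up (ConnectionRefusedError, which
    Windows reports as WinError 10061) instead of letting IDA hang."""
    socket.setdefaulttimeout(timeout)  # a stalled server call fails, not hangs
    proxy = xmlrpc.client.ServerProxy("http://127.0.0.1:%d" % port)
    try:
        return proxy.lookup_symbol(module, name)
    except ConnectionRefusedError:
        return None

if __name__ == "__main__":
    srv, port = start_server()
    print(query(port, "storport", "StorPortLogError"))  # 0x1400173a0
    srv.shutdown()
```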

4. The most annoying thing on the Windows command line is spaces. When porting IDApython to Linux, make sure the Wine command line contains no spaces. A directory in a Python path can be written with either \ or /, but in IDApython only the forward slash / works as the path separator; otherwise the path cannot be found.

5. Printing a relatively large array in IDApython may block the RPC communication, so it is best for the IDApython script not to print at all.


Source: blog.csdn.net/qq_43312649/article/details/106857477