change_stkvar_type
summary: change the type & name of a function stack frame variable
- description:
The goal of this script is to demonstrate some usage of the type API.
In this script, we show a way to change the type and the name of a stack variable. We take advantage of the fact that RtlImageNtHeader calls RtlImageNtHeaderEx, which takes a pointer to a PIMAGE_NT_HEADERS as its fourth parameter; for this, the caller passes the address of one of its own stack variables. The script proceeds as follows:
- Get the function object for RtlImageNtHeader.
- Iterate through the function's items to locate the load of the stack variable address that precedes the call to RtlImageNtHeaderEx, and keep that instruction.
- Locate the call and use the previously stored instruction to get the stack variable's index in the frame.
- Set the type and rename the stack variable.
level: advanced
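The localisation steps described above, as an added example that is not the page's script: it runs offline on a constructed disassembly listing (Insn, SAMPLE_CALLER and the rsp-operand regex are assumptions standing in for IDA's decoded instructions), finds the lea that feeds r9 (the fourth integer argument under the Microsoft x64 calling convention) before the call to RtlImageNtHeaderEx, and returns the frame displacement together with the name and type to apply. The actual rename and retype through IDA's frame and type API is not shown.

```python
import re
from dataclasses import dataclass

@dataclass
class Insn:
    ea: int
    mnem: str
    ops: tuple  # operand strings as the disassembler prints them

# Constructed disassembly modelled on the page's scenario (not real ntdll code).
# Under the Microsoft x64 convention the 4th argument (OutHeaders) travels in r9.
SAMPLE_CALLER = [
    Insn(0x1000, "sub", ("rsp", "0x38")),
    Insn(0x1004, "mov", ("rdx", "rcx")),         # Base (2nd arg)
    Insn(0x1007, "lea", ("r9", "[rsp+0x28]")),   # &OutHeaders (4th arg): a frame slot
    Insn(0x100C, "xor", ("r8d", "r8d")),         # Size = 0 (3rd arg)
    Insn(0x100F, "xor", ("ecx", "ecx")),         # Flags = 0 (1st arg)
    Insn(0x1011, "call", ("RtlImageNtHeaderEx",)),
    Insn(0x1016, "mov", ("rax", "[rsp+0x28]")),  # read back the PIMAGE_NT_HEADERS
    Insn(0x101B, "add", ("rsp", "0x38")),
    Insn(0x101F, "ret", ()),
]

STACK_REF = re.compile(r"^\[rsp\+0x([0-9a-fA-F]+)\]$")
ARG4_ALIASES = {"r9", "r9d", "r9w", "r9b"}  # any write to these clobbers the 4th arg

def stack_displacement(op):
    """rsp-relative displacement of a memory operand, or None if it is not one."""
    m = STACK_REF.match(op)
    return int(m.group(1), 16) if m else None

def plan_stkvar_update(insns, callee, new_name, type_name):
    """Locate the 'lea r9, [rsp+disp]' feeding the 4th argument of `callee` and
    describe the rename/retype of that frame slot. Walks backwards from the call;
    the first writer of r9 decides: a stack-address lea gives the plan, anything
    else gives None, so a register reused for another value is never retyped."""
    call_pos = next((i for i, x in enumerate(insns)
                     if x.mnem == "call" and x.ops[:1] == (callee,)), None)
    if call_pos is None:
        return None
    for insn in reversed(insns[:call_pos]):
        if insn.ops and insn.ops[0] in ARG4_ALIASES:
            disp = stack_displacement(insn.ops[1]) if insn.mnem == "lea" and len(insn.ops) == 2 else None
            if disp is None:
                return None
            return {"lea_ea": insn.ea, "call_ea": insns[call_pos].ea,
                    "sp_offset": disp, "new_name": new_name,
                    "type": type_name + " *"}  # the slot holds a pointer to the headers
    return None
```

Inside IDA the rsp displacement still has to be translated to a frame member offset (the frame base is not rsp at the point of the lea), which is why the real script keeps the lea instruction itself and resolves the stack variable from it.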
Module Contents
- change_stkvar_type.new_name = 'pNtHeaders'
- change_stkvar_type.caller_name = 'RtlImageNtHeader'
- change_stkvar_type.callee_name = 'RtlImageNtHeaderEx'
- change_stkvar_type.type_name = '_IMAGE_NT_HEADERS64'
- change_stkvar_type.lea_insn = None
- change_stkvar_type.main()