FIRST :: Info¶

class first_plugin_ida.first.FIRST[source]

class Info[source]

Information gathering functions.

Will get different information required by FIRST to interact with server or other plug-in side operations.

This class contains only static methods and should be accessed as such.

processor_map¶

Dictionary mapping between IDA’s naming convention to FIRST’s.

Type:	`dict`

include_bits¶

List of processors that should include the number of bits.

Type:	`list`

static get_apis(address)[source]

Returns a list of all APIs used by a function.

The address provided will be used to get a function and each instruction in the function is examined for APIs in the sample’s IAT.

Parameters:	address (int) – An address associated with a function. The address can be any address within the function.
Returns:	Empty list or list of MetadataShim objects
Return type:	list

static get_architecture()[source]

Returns the architecture the sample is built for.

The values are normalized for the FIRST server. It altered then FIRST will not match on other functions with the same architecture.

Returns:	str. String representation of the architecture associated with the sample. Examples: intel32, intel64, arm32, mips, etc.

static get_file_details()[source]

Returns details about the sample.

The MD5 and CRC32 fields will always be returned since IDA Pro provides that information. If the IDB is created with the original sample then the sample will be hashed to get the SHA1 and SHA256. All tthe data is stored in the IDB to prevent getting the information multiple times.

Returns:	dict. Dictionary of file hashes and CRC32.

include_bits = ['intel', 'arm']

static is_32bit()[source]

Returns if the sample is 32bit or not.

Returns:	True is 32bit or False.
Return type:	bool

processor_map = {'metapc': 'intel'}

static set_file_details(md5, crc32, sha1=None, sha256=None)[source]

Sets details about the sample.

This is a work around for situations where there is no original sample on disk that IDA analyzes. FIRST requires a MD5 and CRC32 to store functions, without it the function will not be saved.

Parameters:	md5 (`str`) – Valid MD5 hash

static signature(address)[source]

Returns opcodes for the function the address is associated with.

Given a virtual address, this function will return it in a series of bytes or None. The opcodes are ordered in address ascending order.

Parameters:	address (int) – An address associated with a function. The address can be any address within the function.
Returns:	A string of binary data on success. None: On failure.
Return type:	str