def _define_strings_in_sections(sections, view): for section_name in sections: section = view.sections[section_name] for s in view.get_strings(section.start, len(section)): view.define_user_data_var(s.start, Type.array(Type.char(), s.length + 1))
def _lookup_type(type_string: str, view: BinaryView): if type_string in basic_types: return basic_types[type_string] elif type_string == '*': return Type.pointer(view.arch, Type.char()) elif type_string.startswith('@'): if type_string[2:-1] in view.types: return Type.pointer( view.arch, Type.named_type_from_type( type_string[2:-1], view.types[type_string[2:-1]] ) ) elif type_string != '@?' and type_string != '@': if type_string[2:-1]: new_type = Type.named_type_from_type( type_string[2:-1], Type.structure_type(Structure())) view.define_user_type(type_string[2:-1], new_type) else: new_type = Type.void() return Type.pointer(view.arch, new_type) else: return Type.pointer(view.arch, Type.void()) elif type_string.startswith('#'): return Type.pointer(view.arch, Type.void()) elif type_string == ':': return view.types['SEL'] else: return Type.pointer(view.arch, Type.void())
def __create_class_name_type(bv: BinaryView, vmt: DelphiVMT, out_struct: types.Structure) -> bool: vmt_offsets = vmt.vmt_offsets if not vmt.seek_to_vmt_offset(vmt_offsets.cVmtClassName): return False class_name_ptr = vmt.read_ptr() if class_name_ptr is None: return False if not vmt.seek_to_code(class_name_ptr): return False class_name_len = vmt.read8() if class_name_len is None: return False class_name_struct = types.Structure() class_name_struct.append(Type.int(1, False), 'length') class_name_struct.append(Type.array(Type.char(), class_name_len), 'value') struct_type = Type.structure_type(class_name_struct) bv.define_user_data_var(class_name_ptr, struct_type) out_struct.append(Type.pointer(bv.arch, struct_type), 'cVmtClassName') # Create Symbole for class name class_name_sym = Symbol(SymbolType.DataSymbol, class_name_ptr, f'{vmt.class_name}Name') bv.define_user_symbol(class_name_sym) return True
def define_cfstrings_plugin(view: BinaryView): log_debug("define_cfstrings_plugin") from_bytes = _get_from_bytes(view) cfstring_type = view.get_type_by_name('CFString') if cfstring_type is None: cfstring_type = view.platform.parse_types_from_source( _cfstring_definition).types['CFString'] view.define_user_type('CFString', cfstring_type) wchar_type = view.platform.parse_types_from_source( _wchar_definition).types['wchar'] cfstring = Type.named_type_from_type('CFString', cfstring_type) __cfstring = view.get_section_by_name('__cfstring') if __cfstring is None: return buffer = cfstring_type.structure['buffer'] length = cfstring_type.structure['length'] for addr in range(__cfstring.start, __cfstring.end, cfstring_type.width): view.define_user_data_var(addr, cfstring) for xref in view.get_data_refs(addr): view.define_user_data_var(xref, Type.pointer(view.arch, cfstring)) string_pointer = from_bytes( view.read(addr + buffer.offset, buffer.type.width)) string_length = from_bytes( view.read(addr + length.offset, length.type.width), ) + 1 string_section = view.get_sections_at(string_pointer) if not string_section: return if string_section[0].name == '__ustring': char_type = wchar_type else: char_type = Type.char() view.define_user_data_var(string_pointer, Type.array(char_type, string_length))
def _define_selectors(view: BinaryView): __objc_selrefs = view.sections.get('__objc_selrefs') if __objc_selrefs is None: raise KeyError('This binary has no __objc_selrefs section') SEL = view.get_type_by_name('SEL') if SEL is None: raise TypeError('The SEL type is not defined!') for addr in range(__objc_selrefs.start, __objc_selrefs.end, SEL.width): view.define_user_data_var(addr, SEL) selector = int.from_bytes(view.read(addr, SEL.width), "little") if selector != 0: name = view.get_ascii_string_at(selector, 3) if name is not None: view.define_user_data_var( name.start, Type.array(Type.char(), name.length + 1))
def fix_printfs(view: BinaryView): printf = view.get_symbols_by_name('_printf') if not printf: printf = view.get_symbols_by_name('printf') if not printf: return for sym in printf: function = view.get_function_at(sym.address) if not function: continue xrefs = view.get_code_refs(function.start) for xref in xrefs: caller: Function = xref.function call_mlil = caller.get_low_level_il_at(xref.address).mlil print(call_mlil) if call_mlil is None: continue fmt_operand = call_mlil.params[0] if fmt_operand.operation == MediumLevelILOperation.MLIL_VAR: log.log_warn( f"Potential format string bug: {fmt_operand.address:x}") continue elif fmt_operand.operation in ( MediumLevelILOperation.MLIL_CONST_PTR, MediumLevelILOperation.MLIL_CONST): fmt_address = fmt_operand.constant fmt = view.get_ascii_string_at(fmt_address, 2) if fmt is None: continue fmt_value = fmt.value else: continue specifiers = fmt_value.split('%') param_types = [] for specifier in specifiers[1:]: if not specifier: continue if specifier.startswith('d'): param_types.append(Type.int(4, sign=True)) elif specifier.startswith('s'): param_types.append(Type.pointer(view.arch, Type.char())) elif specifier.startswith('p'): param_types.append(Type.pointer(view.arch, Type.void())) else: log.log_warn( f'Unknown format specifier: {specifier}; skipping') param_types.append(Type.pointer(view.arch, Type.void())) param_idx = 1 params = [ FunctionParameter(Type.pointer(view.arch, Type.char()), 'fmt') ] for param in param_types: params.append(FunctionParameter(param, f'arg{param_idx}')) param_idx += 1 caller.set_call_type_adjustment(xref.address, Type.function(Type.int(4), params))
} cache; struct class_ro_t* vtable; }; struct category_t { const char *name; class_t *cls; struct method_list_t *instanceMethods; struct method_list_t *classMethods; struct protocol_list_t *protocols; struct property_list_t *instanceProperties; }; ''' basic_types = { 'c': Type.char(), 'i': Type.int(4, True), 's': Type.int(2, True), 'l': Type.int(4, True), 'q': Type.int(8, True), 'C': Type.int(1, False), 'I': Type.int(4, False), 'S': Type.int(2, False), 'L': Type.int(4, False), 'Q': Type.int(8, False), 'f': Type.float(4), 'd': Type.float(8), 'B': Type.bool(), 'v': Type.void() }
Type, TypeLibrary, Structure ) advapi32_x86 = TypeLibrary.new(Architecture["x86"], "advapi32.dll") advapi32_x86.add_platform(Platform["windows-x86"]) BOOL = Type.int(4, altname="BOOL") HCRYPTPROV_type = Type.structure_type(Structure()) HCRYPTPROV = Type.named_type_from_type( "HCRYPTPROV", HCRYPTPROV_type ) LPCSTR_type = Type.pointer(Architecture["x86"], Type.char()) LPCSTR = Type.named_type_from_type('LPCSTR', LPCSTR_type) DWORD = Type.int(4, sign=False, altname="DWORD") advapi32_x86.add_named_type("HCRYPTPROV", HCRYPTPROV_type) CryptAcquireContextA = Type.function( BOOL, [ FunctionParameter( Type.pointer(Architecture["x86"], HCRYPTPROV), "phProv" ), FunctionParameter(LPCSTR, "szContainer"), FunctionParameter(LPCSTR, "szProvider"), FunctionParameter(DWORD, "dwProvType"),