Adding Multiple Memory Regions

[psifertex]

If I'm working with a dumped binary and want to be able to add different memory dumps to separate regions of a database, how do I do this in Binary Ninja?

[psifertex]

Current recommendation

This question, or variations on it comes up a lot so I wanted to try to put together a longer writeup for people that have a need of this.

First, this is a bit of a hack and it's necessitated by issue #920.

As you can see from that issue, right now, BN wants memory to be backed by file contents because of the way the loader works. So there's two general approaches to this problem. First, you can simply concatenate the extra memory regions to the binary:

cat executable memap1 memmap2 > allmem

Then, when you open BN the usual executable will be parsed but nothing will be done with the additional memory. Next, simply map them where you'd like them to go by adding segments (from the BN console after loading the file):

virtualAddressBase = 0x10000 #Where do you want to map in the segment
length = 0x2000 #Round up from the size of memmap1, or add extra
                #padding if you want the mapped region to be bigger and padded with zeros
data_offset = #original size of executable + 1
data_length = #size of memmap1
flags = enums.SegmentFlag.SegmentContainsData | enums.SegmentFlag.SegmentContainsCode
bv.add_user_segment(virtualAddressBase, length, data_offset, data_length, flags)
#add additional mappings as desired

(the flag enum is documented here)

The other approach is to write your own loader from scratch. This is appropriate in some situations where the original executable doesn't have structure (it's a flat shellcode dump and you want to do multiple memory mappings yourself. The process is similar to the above, but you'd register your own loader(such as this example) doing add_auto_segment instead of add_user_segment. Auto segments are those that will be automatically created by a loader each time the file is open. User segments are those that you want to be serialized and saved as a part of the analysis database as the loader itself doesn't automatically do it each time (as is the case with our appended memory regions as shown above).

Once #920 is resolved we'll likely add in a better UI for doing memory mappings to make this process smoother, but hopefully that explains the process for now.

Updating an existing view

If you already have an existing Binary VIew with annotations you don't want to lose and want to add some new data, you can use bv.parent_view.write from within the current console to append to the raw view, and then use the above methods to add the segment and section information as appropriate.