From c13abf60571f064e4d7bb03668d75793dcd28c51 Mon Sep 17 00:00:00 2001
From: Xusheng
Date: Fri, 9 Jun 2023 15:51:20 +0800
Subject: [PATCH] Convert the script to a BN plugin
---
__init__.py | 81 ++++++++++++++++++++++++++++++++++++++++++++++++
add_xfg_xrefs.py | 71 ------------------------------------------
plugin.json | 39 +++++++++++++++++++++++
3 files changed, 120 insertions(+), 71 deletions(-)
create mode 100644 __init__.py
delete mode 100644 add_xfg_xrefs.py
create mode 100644 plugin.json
diff --git a/__init__.py b/__init__.py
new file mode 100644
index 0000000..b9683ff
--- /dev/null
+++ b/__init__.py
@@ -0,0 +1,81 @@
+from binaryninja import *
+
+
+def get_xfg_hashes(bv):
+ IMAGE_GUARD_FLAG_FID_XFG = 8
+ xfg_hashes = {}
+
+ sym = bv.get_symbol_by_raw_name('__gfids_table')
+ if not sym:
+ return
+
+ var = bv.get_data_var_at(sym.address)
+ if not var:
+ return
+
+ for func_table in var.value:
+ if not isinstance(func_table, dict):
+ continue
+
+ addr = func_table['rvAddr'] + bv.start
+ if not (func_table['metadata'] & IMAGE_GUARD_FLAG_FID_XFG):
+ continue
+
+ try:
+ xfg_hash = bv.read_int(addr - 8, 8) & 0xffffffffffffffff
+ except:
+ continue
+
+ if xfg_hash in xfg_hashes:
+ xfg_hashes[xfg_hash].append(addr)
+ else:
+ xfg_hashes[xfg_hash] = [addr]
+
+ return xfg_hashes
+
+
+def get_xfg_pointer(bv):
+ sym = bv.get_symbol_by_raw_name('__load_configuration_directory_table')
+ if not sym:
+ return
+
+ var = bv.get_data_var_at(sym.address)
+ if not var:
+ return
+
+ if var.value['guardFlags'] == 0:
+ return
+
+ xfg_pointer = var.value['guardXFGDispatchFunctionPointer']
+ return xfg_pointer
+
+
+def add_xfg_xref(bv, function):
+ if bv.view_type != 'PE':
+ log_warn('xfg only works with PE files')
+ return
+
+ xfg_pointer = get_xfg_pointer(bv)
+ # log_warn('xfg_pointer: 0x%x' % xfg_pointer)
+
+ xfg_hashes = get_xfg_hashes(bv)
+ # log_warn('xfg_hashes: %s' % xfg_hashes)
+
+ bv.begin_undo_actions()
+ for ref in bv.get_code_refs(xfg_pointer):
+ value = ref.function.get_reg_value_at(ref.address, 'r10')
+ if value.type != RegisterValueType.ConstantValue:
+ continue
+
+ val = value.value & 0xffffffffffffffff | 1
+ if val not in xfg_hashes:
+ continue
+
+ for addr in xfg_hashes[val]:
+ log_warn('adding xref: 0x%x ==> 0x%x' % (ref.address, addr))
+ ref.function.add_user_code_ref(ref.address, addr)
+
+ bv.commit_undo_actions()
+
+
+PluginCommand.register_for_address("Add XFG Xref", "Add XFG Xref", add_xfg_xref)
diff --git a/add_xfg_xrefs.py b/add_xfg_xrefs.py
deleted file mode 100644
index 1e194c2..0000000
--- a/add_xfg_xrefs.py
+++ /dev/null
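Review bot: `add_xfg_xref` feeds the results of `get_xfg_pointer(bv)` and `get_xfg_hashes(bv)` straight into `bv.get_code_refs(xfg_pointer)` and `val not in xfg_hashes`, but both helpers return `None` on their early exits (symbol or data var missing, `guardFlags == 0`), so a PE without a load config table or without XFG-flagged GFIDS entries raises inside the undo action instead of reporting that there is nothing to do. Add a guard before `bv.begin_undo_actions()`: `if xfg_pointer is None or not xfg_hashes:` / `log_warn('no XFG dispatch pointer or XFG hashes found')` / `return`, and put the loop in a `try`/`finally` so `bv.commit_undo_actions()` still runs if `add_user_code_ref` throws. The hash register is hard-coded to `'r10'`, which is the x64 XFG call sequence, so the `view_type != 'PE'` check should presumably also require `bv.arch.name == 'x86_64'` — confirm against the binaries you tested; likewise the `guardFlags == 0` test accepts any CFG-only image, where testing the XFG-enabled bit (`IMAGE_GUARD_XFG_ENABLED`, 0x00800000 in winnt.h if I recall) would be the precise condition. Two smaller points: the bare `except:` around `bv.read_int` should be narrowed to the exception `read_int` raises for an unreadable address (`ValueError` in the Python API, I believe), and since `register_for_address` hands the callback `(bv, address)`, the unused second parameter is better named `address` than `function`.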
@@ -1,71 +0,0 @@
-#
-#
-def get_xfg_hashes():
- IMAGE_GUARD_FLAG_FID_XFG = 8
- xfg_hashes = {}
-
- sym = bv.get_symbol_by_raw_name('__gfids_table')
- if not sym:
- return
-
- var = bv.get_data_var_at(sym.address)
- if not var:
- return
-
- for func_table in var.value:
- if not isinstance(func_table, dict):
- continue
-
- addr = func_table['rvAddr'] + bv.start
- if not (func_table['metadata'] & IMAGE_GUARD_FLAG_FID_XFG):
- continue
-
- try:
- xfg_hash = bv.read_int(addr - 8, 8) & 0xffffffffffffffff
- except:
- continue
-
- if xfg_hash in xfg_hashes:
- xfg_hashes[xfg_hash].append(addr)
- else:
- xfg_hashes[xfg_hash] = [addr]
-
- return xfg_hashes
-
-
-def get_xfg_pointer():
- sym = bv.get_symbol_by_raw_name('__load_configuration_directory_table')
- if not sym:
- return
-
- var = bv.get_data_var_at(sym.address)
- if not var:
- return
-
- if var.value['guardFlags'] == 0:
- return
-
- xfg_pointer = var.value['guardXFGDispatchFunctionPointer']
- return xfg_pointer
-
-
-xfg_pointer = get_xfg_pointer()
-log_warn('xfg_pointer: 0x%x' % xfg_pointer)
-
-xfg_hashes = get_xfg_hashes()
-log_warn('xfg_hashes: %s' % xfg_hashes)
-
-
-for ref in bv.get_code_refs(xfg_pointer):
- value = ref.function.get_reg_value_at(ref.address, 'r10')
- if value.type != RegisterValueType.ConstantValue:
- continue
-
- val = value.value & 0xffffffffffffffff | 1
- if not val in xfg_hashes:
- continue
-
- for addr in xfg_hashes[val]:
- log_warn('adding xref: %x ==> %x' % (ref.address, addr))
- ref.function.add_user_code_ref(ref.address, addr)
- 
\ No newline at end of file
diff --git a/plugin.json b/plugin.json
new file mode 100644
index 0000000..d275eae
--- /dev/null
+++ b/plugin.json
@@ -0,0 +1,39 @@
+{
+ "pluginmetadataversion": 2,
+ "name": "Add XFG Xref",
+ "type": [
+ "helper"
+ ],
+ "api": [
+ "python3"
+ ],
+ "description": "Add xref from caller to callee based on XFG hashes",
+ "longdescription": "",
+ "license": {
+ "name": "MIT",
+ "text": "Copyright (c) \n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE."
+ },
+ "platforms": [
+ "Darwin",
+ "Linux",
+ "Windows"
+ ],
+ "installinstructions": {
+ "Darwin": "",
+ "Linux": "",
+ "Windows": ""
+ },
+ "dependencies": {
+ "pip": [
+ ],
+ "apt": [
+ ],
+ "installers": [
+ ],
+ "other": [
+ ]
+ },
+ "version": "1.0.0",
+ "author": "Xusheng",
+ "minimumbinaryninjaversion": 3164
+}
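Review bot: The MIT text in `license.text` begins `Copyright (c) ` with no year or holder, so the notice this manifest ships is incomplete; fill it in, e.g. `"Copyright (c) 2023 Xusheng\n\nPermission is hereby granted, ..."`. `longdescription` and all three `installinstructions` entries are empty strings; a sentence explaining that the command resolves XFG indirect-call targets by matching the caller's `r10` hash against `__gfids_table` entries, plus a "no extra steps required" install note, would make the plugin-manager listing usable.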