Comments (13)
mr-tz
commented on May 25, 2024
Does it fail to annotate all calls or just this one?
It appears that the plugin fails to identify the function call. Is there a cross-reference from the import table to the CreateFileA call?
from flare-ida.
confile
commented on May 25, 2024
It fails to annotate everything. But, I can see the additional segment called .msdn.
Is there a cross-reference from the import table to the CreateFileA call?
What do you mean by that?
I attached to files I checked.
reverseMe.exe.zip
from flare-ida.
confile
commented on May 25, 2024
Here is the IDA output I get
from flare-ida.
confile
commented on May 25, 2024
@mr-tz Do you have any idea how to solve this?
from flare-ida.
mr-tz
commented on May 25, 2024
The sample calls the functions from the import address table via an intermediate thunk function. For example the call to CreateFileA is made via the function at offset 0x401283. The plugin does not currently support the annotation of function arguments for such calls.
from flare-ida.
confile
commented on May 25, 2024
Could you please add this to the plugin?
from flare-ida.
mr-tz
commented on May 25, 2024
It shouldn't be too hard to add this feature, but I cannot promise a solution soon. We will keep this issue open to track it.
from flare-ida.
confile
commented on May 25, 2024
@mr-tz Could you give me some hint where to start, then I will try to add it and push a change?
from flare-ida.
mr-tz
commented on May 25, 2024
Thanks, that would be great! One solution would be to add the respective call offsets to the library_calls dictionary.
from flare-ida.
confile
commented on May 25, 2024
Well, then you have to give some more details on what to do.
from flare-ida.
williballenthin
commented on May 25, 2024
you need to update the implementation of the get_imports function called here: https://github.com/fireeye/flare-ida/blob/master/python/flare/IDB_MSDN_Annotator/__init__.py#L527
you should enumerate functions and detect when they are thunks to other imports, mark them as such, and find a way to update the library_calls dictionary, as @mr-tz suggested. if you have trouble following the information flow, try adding some calls to logging.debug(…) so you can see the data formats.
from flare-ida.
confile
commented on May 25, 2024
Any more hint which APIs are relevant here?
from flare-ida.
mr-tz
commented on May 25, 2024
I would probably look at the following functions first:
- idc.get_func_flags() using idc.FUNC_THUNK
- idc.get_func_name()
- idautils.Functions() might help as well
from flare-ida.
Related Issues (20)
- shellcode-hashes - create enum of resolved values HOT 9
- MSDN_Crawler issue HOT 13
- idb2pat.py issue on IDA 7.5 HOT 1
- idb2pat sigmake FATAL: Bad xdigit: error HOT 3
- 0 functions applied in IDA from .sig file HOT 10
- 'itertools.count' object has no attribute 'next' HOT 2
- shellcode hashes operand size issue
- Rename Conti hashing algorithm to MurmurHash2 HOT 1
- An error occurred while using argtacker HOT 1
- objc2_xrefs_helper.py MemoryError
- Several errors of objc2_analyzer.py HOT 1
- idb2pat: RIP-relative addressing not handled correctly
- ironstrings alloca_probe stack size calculation errors HOT 2
- Python 3 support HOT 5
- Possible problem with 64 bit code (find_ref_loc fucntion)?
- No table with addresses is getting printed in ironstring, and so many "DEBUG:root..." in the output
- objc2_analyzer.py cannot work for IDA 7.5
- shellcode_hash_search.py has some logic errors HOT 1
- sc_hashes.db: add process name database + filename database
- idb2pat fix bugs HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from flare-ida.