Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

More i386 xrefs #899

Open
wants to merge 9 commits into
base: master
Choose a base branch
from

Conversation

Arker123
Copy link
Collaborator

@Arker123 Arker123 commented Nov 9, 2023

Referring to #885 (comment), this PR supplements additional xrefs discovered separately. For #885, the focus is solely on the UTF-decoder segment. 😄

@@ -465,6 +465,34 @@ def get_struct_string_candidates(pe: pefile.PE) -> Iterable[StructString]:
# dozens of seconds or more (suspect many minutes).


def get_raw_xrefs_rdata_i386(pe: pefile.PE, buf: bytes) -> Iterable[VA]:
"""
scan for raw xrefs in .rdata section
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what are raw xrefs? can you add an example disassembly listing and add some comments, please?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

from the screenshots in #885 (comment) I don't see if these are strings and it would help to have some comments explaining what the algorithm looks for

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Raw xrefs refer to unprocessed xrefs in the binary file, indicating points where strings can be divided. I'll add an example with comments.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, can you share a few example binary hashes?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@@ -465,6 +465,48 @@ def get_struct_string_candidates(pe: pefile.PE) -> Iterable[StructString]:
# dozens of seconds or more (suspect many minutes).


def get_raw_xrefs_rdata_i386(pe: pefile.PE, buf: bytes) -> Iterable[VA]:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please add a few tests for these strings

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
def get_raw_xrefs_rdata_i386(pe: pefile.PE, buf: bytes) -> Iterable[VA]:
def get_raw_xrefs_rdata(pe: pefile.PE, buf: bytes) -> Iterable[VA]:

This routine doesn't seem limited to i386 so lets remove that from the function name. Otherwise, we should add a check to the PE architecture to restrict it to i386.

If the data are virtual addresses (rather than RVAs), we could additionally use relocation entries to find pointers and/or verify this data is in fact a pointer.

Copy link
Collaborator

@williballenthin williballenthin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm but let's also wait for @mr-tz

.rdata:004D6240 dd offset unk_4C85B3

From the disassembly, they are called as follows:
.text:00498E56 push ds:off_4D61E0[ecx*4]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

where does the length get stored?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not; the raw xrefs are stored without explicit length information. Lengths are not included in this context. Do we need them, or is there a specific reason for considering length storage?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no, I don't think we need them. but I wondered how Go is able to use the string data without an associated length.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently, I couldn't find any specific information for Go, but I did come across a similar approach in Rust. I've kept it in the utils.py file, considering the possibility that we might encounter a similar scenario in the future when exploring other languages.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am still curious how this data can be used as a string without the length being stored somewhere.

@Arker123
Copy link
Collaborator Author

Hey @mr-tz, can we merge this?

floss/language/utils.py Outdated Show resolved Hide resolved
Arker123 and others added 2 commits June 24, 2024 10:20
def get_raw_xrefs_rdata_i386(pe: pefile.PE, buf: bytes) -> Iterable[VA]:
"""
scan for raw xrefs in .rdata section.
raw xrefs are 32-bit absolute addresses to strings in .rdata section (i386).
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

raw xrefs are 32-bit absolute addresses to strings in .rdata section (i386).

This routine doesn't validate that the destination is string-like data. Should it? If not, lets remove this part of the documentation.

if not buf:
return

low, high = get_image_range(pe)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this appears to be the range of the entire file, not the .rdata section. please update the logic or documentation to make things consistent.

),
],
)
def test_raw_xrefs(request, string, offset, encoding, rust_strings):
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think its good that we have integration tests that show the whole system working together to find the strings. I think we should also have some tests for the specific routines that you added, so we can verify their behavior directly. something like test_get_raw_xrefs.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, what should be the best approach to that? As there are not just test_get_raw_xrefs, but also others such as find_i386_push_xrefs, find_lea_xrefs, etc., should we test them too in a separate file or another PR? What are your thoughts?

Copy link
Collaborator

@williballenthin williballenthin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The concept here seems reasonable, though the documentation is inconsistent with the logic, so please fix that and then we can merge.

@Arker123 Arker123 requested a review from williballenthin June 30, 2024 20:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants