Comments (17)
Master is always stable
from radare2.
you can use `?*~...` to find out other commands that may register refs with emulation. Also this string should be listed with `pdc` too
from radare2.
Can you provide a distributable sample or point to a binary to reproduce this? I can add a testcase for this and try different analysis methods to see which one works the best and maybe include it under aaaa
from radare2.
I picked your changes into this rebased PR #22763 and I'll try to get it ready before the release. thanks for the effort
from radare2.
The information is there, if you miss it just extend the command to include the missing info and I will evaluate it.
The computed / emulated references are registered with the aae command, so first of all I would suggest you to use latest r2 from git, and then try other commands like axj to get the registered xrefs instead of the ones from the graph command. but in any case i agree with you that those refs should be exposed.
Modifying the code should be just 1-2 lines as much. So I would encourage you to do such change to fit your needs.
from radare2.
Additionally it would be great if you can provide a reproducer in form of a test, i don't have the files you are using for testing and having it verified in the testsuite is always good to avoid brokenness at any time
from radare2.
Thank you, will try and will let you know what I find. Really appreciate your help.
Can you provide me a commit ID from the master branch which you would recommend? Thanks!
from radare2.
commit from master recommended for what?
from radare2.
Commit from master which you consider stable.
from radare2.
> The information is there, if you miss it just extend the command to include the missing info and I will evaluate it.
> The computed / emulated references are registered with the aae command, so first of all I would suggest you to use latest r2 from git, and then try other commands like axj to get the registered xrefs instead of the ones from the graph command. but in any case i agree with you that those refs should be exposed.
> Modifying the code should be just 1-2 lines as much. So I would encourage you to do such change to fit your needs.
I tried to follow your suggestion on sample sha256:c7cb8e453252a441522c91d7fccc5065387ce2e1e0e78950f54619eda435b11d (malwarebazaar)
The following commands were run:
```
[0x00401000]> aaa
<INFO ...>
[0x00401000]> aae
[0x00401000]> s 0x0040629f
[0x0040629f]> pdfj ~{}
<...>
    {
      "offset": 4219569,
      "esil": "edi,eip,4,esp,-=,esp,=[4],eip,=",
      "refptr": 0,
      "fcn_addr": 4219551,
      "fcn_last": 4219622,
      "size": 2,
      "opcode": "call edi",
      "disasm": "call edi",
      "bytes": "ffd7",
      "family": "cpu",
      "type": "rcall",
      "reloc": false,
      "type_num": 268435460,
      "type2_num": 0
    }
<...>
[0x0040629f]> ax ~40629f
fcn.004060f8+9 0x406101 > CALL:--x > 0x40629f fcn.0040629f
fcn.0040629f+2 0x4062a1 > DATA:r-- > 0x430138 sym.imp.KERNEL32.dll_HeapAlloc
fcn.0040629f+12 0x4062ab > DATA:r-- > 0x430250 str.WINMM.DLL+12
fcn.0040629f+55 0x4062d6 > DATA:r-- > 0x430250 str.WINMM.DLL+12
```
My point is, `ax` indeed lists the reference to HeapAlloc, but I would like to know which instruction from the `pdfj` actually calls this function -- which is `call edi`, but this command does not contain a `refs` section.
Should I parse the `esil` fields from the `pdfj` command? Or is there an already implemented esil parser?
Thanks in advance for your help.
Note
I would be glad to contribute to the `pdfj` command to include emulated refs as well, but I need some help:
- I understand that the `r_core_print_disasm_json` function contains the implementation of `pdfj`
- the following code contains the completion of one instruction with the `esil` field
```c
pj_k (pj, "esil"); // split key and value to allow empty strings
pj_s (pj, R_STRBUF_SAFEGET (&ds->analop.esil));
```
- how could I implement completing the `refs` attribute in case of `rcall`/`ucall` instructions?
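As an added example (not code from this thread or from radare2), here is a minimal linear ESIL evaluator in Python that does what the question above asks for: it walks pdfj-style output and resolves the target of a register call by emulating the preceding instructions. The pdfj JSON, the memory contents and the ESIL strings for the `mov`/`push` instructions are constructed or assumed; only the `call edi` ESIL string is the one quoted in the thread.

```python
import json

# Constructed pdfj-style input modelled on the thread's output. The "call edi"
# ESIL is the one quoted in the thread; the mov/push ESIL strings are assumed.
PDFJ_SAMPLE = json.dumps({"ops": [
    {"offset": 0x4062a1, "type": "mov", "opcode": "mov edi, dword [0x430138]",
     "esil": "0x430138,[4],edi,="},
    {"offset": 0x4062a7, "type": "push", "opcode": "push 0x20",
     "esil": "0x20,4,esp,-=,esp,=[4]"},
    {"offset": 0x4062b1, "type": "rcall", "opcode": "call edi",
     "esil": "edi,eip,4,esp,-=,esp,=[4],eip,="},
]})
# Constructed memory: the reloc slot the thread shows as [0x430138:4]=0x3020c.
MEMORY = {0x430138: 0x3020c}
IMPORTS = {0x3020c: "reloc.KERNEL32.dll_HeapAlloc"}  # assumed symbol table

def esil_step(esil, regs, mem):
    """Evaluate one ESIL string (comma-separated RPN). Only the operations
    needed for mov/push/call are implemented; other tokens are pushed."""
    stack = []
    def val(x):  # a token is either a register name or a numeric literal
        return regs[x] if x in regs else int(x, 0)
    for tok in esil.split(","):
        if tok == "=":                       # src,dst,=     -> dst = src
            dst, src = stack.pop(), stack.pop()
            regs[dst] = val(src)
        elif tok == "-=":                    # src,dst,-=    -> dst -= src
            dst, src = stack.pop(), stack.pop()
            regs[dst] = (regs[dst] - val(src)) & 0xffffffff
        elif tok == "[4]":                   # addr,[4]      -> push mem[addr]
            stack.append(str(mem.get(val(stack.pop()), 0)))
        elif tok == "=[4]":                  # src,addr,=[4] -> mem[addr] = src
            addr, src = val(stack.pop()), stack.pop()
            mem[addr] = val(src)
        else:
            stack.append(tok)
    return regs

def resolve_register_calls(pdfj_json, mem=None):
    """Emulate the ops linearly; return {offset: (target, symbol)} for every
    rcall/ucall, i.e. the information the thread wants under "refs"."""
    mem = dict(MEMORY if mem is None else mem)
    regs = {"eip": 0, "esp": 0, "edi": 0}
    found = {}
    for op in json.loads(pdfj_json)["ops"]:
        regs["eip"] = op["offset"]
        esil_step(op["esil"], regs, mem)
        if op["type"] in ("rcall", "ucall"):
            found[op["offset"]] = (regs["eip"], IMPORTS.get(regs["eip"], "unknown"))
    return found
```

For the constructed sample, `resolve_register_calls(PDFJ_SAMPLE)` maps the `call edi` at 0x4062b1 to 0x3020c (HeapAlloc), which is exactly the emulated comment `pdf` prints with `asm.emu` enabled.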
from radare2.
Update
- found out that with `e asm.emu=true`, `pdf` has the information I need in a comment:
```
0x004062a1 8b3d38014300 mov edi, dword [sym.imp.KERNEL32.dll_HeapAlloc] ; [0x430138:4]=0x3020c reloc.KERNEL32.dll_HeapAlloc ; edi=0x3020c reloc.KERNEL32.dll_HeapAlloc
│ 0x004062a7 6a20 push 0x20 ; 32 ; esp=0xfffffff4
│ 0x004062a9 6a08 push 8 ; 8 ; esp=0xfffffff0
│ 0x004062ab ff3550024300 push dword [0x430250] ; esp=0xffffffec
│ 0x004062b1 ffd7 call edi ; esp=0xffffffe8 ; eip=0x3020c reloc.KERNEL32.dll_HeapAlloc
│ ; LPVOID HeapAlloc(-1, -1, ?)
```
- this is missing from `pdfj` -- there is no call to `ds_print_esil_anal_init` on commit 1ee768a
from radare2.
The comments displayed as comments when emu.str=true (or asm.emu=true) are computed at disasm time, those are not recorded anywhere unless you perform a specific emulation analysis like aaex (but there are other commands that can perform this emulation and register the xrefs for the register calls).
Can you give it a try and see if that works for you?
from radare2.
> you can use `?*~...` to find out other commands that may register refs with emulation. Also this string should be listed with `pdc` too

I tried `?*~...`, searched for `esil` and `emul`, there are indeed a bunch of possibilities, but still `pdfj` would be the best in my case. I have forked the repo and am currently working on modifying r_core_print_disasm_json to include the functionality from r_core_print_disasm
> Can you provide a distributable sample or point to a binary to reproduce this? I can add a testcase for this and try different analysis methods to see which one works the best and maybe include it under aaaa

Yes, I am testing on this sample https://bazaar.abuse.ch/sample/c7cb8e453252a441522c91d7fccc5065387ce2e1e0e78950f54619eda435b11d/
Function 0x0040629f has 2 `call` instructions with register parameters (`call edi`).
I am trying to modify `r_core_print_disasm_json` such that `pdfj` includes `refs` on these two instructions.
from radare2.
Update
My work-in-progress can be seen on master...attilamester:radare2:feature/22576-pdfj-rcall
- copied some esil-related code from r_core_print_disasm to r_core_print_disasm_json
- since `ds_print_esil_anal` prints the esil info to stdout, used some ugly way of capturing its output into a buffer to add later to `pdfj`
Can you please have a look at this commit and give me a hint/direction on whether this is the way to go? Thanks!
from radare2.
i had a lot of terrible events in my life recently so i couldn't check this out until now. do you have any updates here? can you submit a PR to make it easier for me to review? thanks! i think it looks good the way you do that. at the end you want the same info from pd into pdj, right? so you need to do linear emulation.
another approach that could be probably better would be to have an emulation analysis command (there are a bunch of them) but basically to use an anal hint to modify the instructions with the emulated details. this is a better approach because it happens once instead of every time, and also performs the emulation recursively following the graph.
This emulation can also register xrefs, and you should be able to see those xrefs in the current pdfj. but im not sure about that. So, to proceed here:
- make a PR with your changes
- add tests
i have a similar issue to resolve in a separate binary, so i'll do that analysis step and come back to you to see if that fits your needs too.
thanks! and once again sorry for the delay. my life sucks these days
from radare2.
Hi Trufae, I'm sorry to hear that - hope that you are doing fine.
You are right, I wanted the same info from pd into pdj, but I did not manage with the implementation, and found some workaround in my research to overcome this problem - basically, we ignore the dynamic/register calls for now.
If you guys have time to finish the implementation linked above, that is great for the community and future I think, unfortunately I will not have time to continue it, due to the paper deadline approaching. Thank you again.
from radare2.
i think you want to use pdJ instead, that command was added by the cutter guys at the time to not break compat with pdj and reuses the same disasm loop as in pd. so it should behave the same.
from radare2.