Include refs on rcall and ucall on pdfj command about radare2 HOT 17 CLOSED

Master is always stable

from radare2.

you can use ?*~... to find out other commands that may register refs with emulation. Also this string should be listed with pdc too

from radare2.

Can yiu provide a distributable sample or point to a binary to reproduce this? I can add a testcase for this and try different analysis methods to see which one works the best and maybe include it under aaaa

from radare2.

I picked your changes into this rebased PR #22763 and ill try to get it ready before the release. thanks for the effort

from radare2.

The information is there, if you miss it just extend the command to include the missing info and I will evaluate it.

The computed / emulated references are registered with the aae command, so first of all iw ould suggest you to use latest r2 from git, and then try other commands like axj to get the registered xrefs instead of the ones from the graph command. but in any case i agree with you that those refs should be exposed.

Modifying the code should be just 1-2 lines as much. So I would encourage you to do such change to fit your needs.

from radare2.

Additionally it would be great if you can provide a reproducer in form of a test, i dont have the files you are using for testing and having it verified in the testsuite is always good to avoid brokenness at any time

from radare2.

Thank you, will try and will let you know what I find. Really appreciate your help.
Can you provide me a commit ID from the master branch which you would recommend? Thanks!

from radare2.

commit from master recommended for wat?

from radare2.

Commit from master which you consider stable.

from radare2.

The information is there, if you miss it just extend the command to include the missing info and I will evaluate it.

The computed / emulated references are registered with the aae command, so first of all iw ould suggest you to use latest r2 from git, and then try other commands like axj to get the registered xrefs instead of the ones from the graph command. but in any case i agree with you that those refs should be exposed.

Modifying the code should be just 1-2 lines as much. So I would encourage you to do such change to fit your needs.

I tried to follow your suggestion on sample sha256:c7cb8e453252a441522c91d7fccc5065387ce2e1e0e78950f54619eda435b11d (malwarebazaar)

The following commands were run:

[0x00401000]> aaa 
<INFO ...>
[0x00401000]> aae
[0x00401000]> s 0x0040629f
[0x0040629f]> pdfj ~{}
<...>
{
      "offset": 4219569,
      "esil": "edi,eip,4,esp,-=,esp,=[4],eip,=",
      "refptr": 0,
      "fcn_addr": 4219551,
      "fcn_last": 4219622,
      "size": 2,
      "opcode": "call edi",
      "disasm": "call edi",
      "bytes": "ffd7",
      "family": "cpu",
      "type": "rcall",
      "reloc": false,
      "type_num": 268435460,
      "type2_num": 0
    }
<...>
[0x0040629f]> ax ~40629f
                          fcn.004060f8+9 0x406101 > CALL:--x > 0x40629f fcn.0040629f
                          fcn.0040629f+2 0x4062a1 > DATA:r-- > 0x430138 sym.imp.KERNEL32.dll_HeapAlloc
                         fcn.0040629f+12 0x4062ab > DATA:r-- > 0x430250 str.WINMM.DLL+12
                         fcn.0040629f+55 0x4062d6 > DATA:r-- > 0x430250 str.WINMM.DLL+12

My point is, ax indeed lists the reference to HeapAlloc, but I would like to know which instruction from the pdfj actually calls this function -- which is call edi, but this command does not contain refs section.

Should I parse the esil fields from the pdfj command? Or is there an already implemented esil parser?

Thanks in advance for your help.

Note

I would be glad to contribute to the pdfj command to include emulated refs as well, but I need some help:

• I understand that r_core_print_disasm_json function contains the implementation of pdfj
• the following code contains the completion of one instruction with the esil field

pj_k (pj, "esil"); // split key and value to allow empty strings
pj_s (pj, R_STRBUF_SAFEGET (&ds->analop.esil));

• how could I implement to complete the refs attribute in case of rcall / ucall instructions?

from radare2.

Update

• found out that with e asm.emu=true, pdf has the information I need in comment:

0x004062a1      8b3d38014300   mov edi, dword [sym.imp.KERNEL32.dll_HeapAlloc] ; [0x430138:4]=0x3020c reloc.KERNEL32.dll_HeapAlloc ; edi=0x3020c reloc.KERNEL32.dll_HeapAlloc
│           0x004062a7      6a20           push 0x20                   ; 32 ; esp=0xfffffff4
│           0x004062a9      6a08           push 8                      ; 8 ; esp=0xfffffff0
│           0x004062ab      ff3550024300   push dword [0x430250]       ; esp=0xffffffec
│           0x004062b1      ffd7           call edi                    ; esp=0xffffffe8 ; eip=0x3020c reloc.KERNEL32.dll_HeapAlloc
│                                                                      ; LPVOID HeapAlloc(-1, -1, ?)

• this is missing from pdfj -- there is no call to ds_print_esil_anal_init on commit 1ee768a

from radare2.

The comments displayed as comments when emu.str=true (or asm.emu=true) are computed at disasm time, those are not recorded anywhere unless you perform a specific emulation analysis like aaex (but there are other commands that can perform this emulation and register the xrefs for the register calls).

Can you give it a try and see if that works for you?

from radare2.

you can use ?*~... to find out other commands that may register refs with emulation. Also this string should be listed with pdc too

I tried ?*~..., searched for esil and emul, there are indeed a bunch of possibilities, but still pdfj would be the best in my case. I have forked the repo and currently working on modifying r_core_print_disasm_json to include the functionality from r_core_print_disasm

Can yiu provide a distributable sample or point to a binary to reproduce this? I can add a testcase for this and try different analysis methods to see which one works the best and maybe include it under aaaa

Yes, I am testing on this sample https://bazaar.abuse.ch/sample/c7cb8e453252a441522c91d7fccc5065387ce2e1e0e78950f54619eda435b11d/
Function 0x0040629f has 2 call instructions with register parameters (call edi)
I am trying to modify r_core_print_disasm_json such that pdfj includes refs on these two instructions.

from radare2.

Update

My work-in-progress can be seen on master...attilamester:radare2:feature/22576-pdfj-rcall

• copied some esil-related code from r_core_print_disasm to r_core_print_disasm_json
• since ds_print_esil_anal prints the esil info to stdout, used some ugly way of capturing its output into a buffer to add later to pdfj

Can you please have a look on this commit and give me hint/direction if this is the way to go? Thanks!

from radare2.

i had a lot of terrible events in my life recently so i couldnt check this out until now. do you have any updates here? can you submit a PR to make it easier fo rme to review? thanks! i think it looks good the way you do that. at the end you want the same info from pd into pdj, right? so you need to do linear emulation.

another approach that could be probably better would be to have an emulation analysis command (there are a bunch of them) but basically to use an anal hint to modify the instructions with the emulated details. this is better approach because it happens once instead of every time, and also performs the emulation recursively following the graph.

This emulation can also register xrefs, and you should be able to see those xrefs in the current pdfj. but im not sure about that. So, to proceed here:

• make a PR with your changes
• add tests

i have a similar issue to resolve in a separate binary, so i;ll do that analysis step and come back to you to see if that fits your needs too.

thanks! and once again sorry for the delay. my life sucks these days

from radare2.

Hi Trufae, I'm sorry to hear that - hope that you are doing fine.
You are right, I wanted the same info from pd into pdj, but I did not manage with the implementation, and found some workaround in my research to overcome this problem - basically, we ignore the dynamic/register calls for now.

If you guys have time to finish the implementation linked above, that is great for the community and future I think, unfortunately I will not have time to continue it, due to the paper deadline approaching. Thank you again.

from radare2.

i think you want to use pdJ instead, that command was added by the cutter guise at the time to not break compat with pdj and reuses the same disasm loop as in pd. so it should behave the same.

from radare2.