Accenture / VulFi

IDA Pro plugin for query based searching within the binary useful mainly for vulnerability research.
Apache License 2.0

a question for use #18

Closed zhefox closed 10 months ago

zhefox commented 10 months ago

How can I write a rule to determine if the arguments of a function are passed by reference to the function that calls it?

Martyx00 commented 10 months ago

This is very hard to do, as in C (and also the pseudo-C used by IDA) there is only pass by value. You are actually passing the value of a pointer rather than a reference, and in this case it may sometimes be impossible to distinguish between a simple constant/variable and a pointer.

Anyway, I have put some basic code into the dev branch here: https://github.com/Accenture/VulFi/commit/9a88f82908083fd4271dbaa6deee0825fd02cea4

You can create a custom rule like this:

[
    {
        "name": "RULE NAME",
        "function_names":[
            "func",
            "func2"
        ],
        "wrappers":true,
        "mark_if":{
            "High":"param[0].is_pointer()",
            "Medium":"False",
            "Low": "False"
        }
    }
]

Keep in mind that this will be highly unreliable as there may be a lot of cases where the decompiler output will treat passing pointers as arguments as simple int values.
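
An offline check for a rule file in the format shown in this thread, added here as an example; it is not part of Martyx00's comment or of VulFi. It assumes the `mark_if` conditions are Python expressions and that every key shown in the rule above is required; `lint_rules` and `param_indexes` are hypothetical helper names.

```python
import ast
import json

# Constructed input: the rule from the comment above plus a deliberately broken one.
SAMPLE_RULES = """[
  {"name": "RULE NAME", "function_names": ["func", "func2"], "wrappers": true,
   "mark_if": {"High": "param[0].is_pointer()", "Medium": "False", "Low": "False"}},
  {"name": "BROKEN RULE", "function_names": "func", "wrappers": true,
   "mark_if": {"High": "param[1].is_pointer(", "Medium": "False"}}
]"""

PRIORITIES = ("High", "Medium", "Low")


def param_indexes(tree):
    """Collect N for every param[N] with a constant integer index (Python 3.9+ AST)."""
    found = set()
    for node in ast.walk(tree):
        if (isinstance(node, ast.Subscript)
                and isinstance(node.value, ast.Name) and node.value.id == "param"
                and isinstance(node.slice, ast.Constant)
                and isinstance(node.slice.value, int)):
            found.add(node.slice.value)
    return found


def lint_rules(text):
    """Return (problems, {rule name: param indexes used in its mark_if conditions})."""
    problems, used = [], {}
    for i, rule in enumerate(json.loads(text)):
        name = rule.get("name", f"rule #{i}")
        names = rule.get("function_names")
        if not (isinstance(names, list) and all(isinstance(n, str) for n in names)):
            problems.append(f"{name}: function_names must be a list of strings")
        if not isinstance(rule.get("wrappers"), bool):
            problems.append(f"{name}: wrappers must be true or false")
        used[name] = set()
        for prio in PRIORITIES:
            cond = rule.get("mark_if", {}).get(prio)
            if not isinstance(cond, str):
                problems.append(f"{name}: mark_if.{prio} is missing")
                continue
            try:
                # Assumption: conditions are Python expressions; parse only, never eval.
                used[name] |= param_indexes(ast.parse(cond, mode="eval"))
            except SyntaxError as exc:
                problems.append(f"{name}: mark_if.{prio} does not parse ({exc.msg})")
    return problems, used
```

The returned index sets show which arguments a rule inspects, so each `param[N]` can be compared against the real arity of the listed functions before the rule is loaded into IDA.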