Vector35 / binaryninja-api

Public API, examples, documentation and issues for Binary Ninja
https://binary.ninja/
MIT License

Not get all function info from DWARF #5183

Open Proteas opened 7 months ago

Proteas commented 7 months ago

Version and Platform (required):

Bug Description:

  1. Binary Ninja does not get function names from DWARF.
  2. Binary Ninja does not get function boundary info from DWARF.

Steps To Reproduce:

  1. Download and install KDK: https://github.com/dortania/KdkSupportPkg/releases/download/23E214/Kernel_Debug_Kit_14.4_build_23E214.dmg.
  2. kernel.release.t8103 and kernel.release.t8103.dSYM are in dir /System/Library/Kernels, copy them to other place.
  3. Rename kernel.release.t8103.dSYM to kernel.release.t8103_dSYM.
  4. File | Open with Options...
  5. Select kernel.release.t8103
  6. Select External Debug Info File: kernel.release.t8103_dSYM/Contents/Resources/DWARF/kernel.release.t8103
  7. Load them.

Expected Behavior:

  1. Load function info from DWARF.

Screenshots:

Additional Information:

  1. It seems that function info from DWARF has a low priority by design.

xusheng6 commented 7 months ago

This is likely because a symbol already exists at the address, and the DWARF parser is shy of adding another one. This is a known problem and is tracked by an internal issue.

The good news is we actually support multiple symbols at the same address; we just need some UI changes to support presenting the info to the user.

xusheng6 commented 7 months ago

Related to https://github.com/Vector35/binaryninja/issues/680

Proteas commented 7 months ago

Between 0xFFFFFE00072A8548 and 0xFFFFFE00072ACF20, there should be 10 functions. However, only 3 are shown by Binary Ninja. Do you mean that Binary Ninja has identified all the 10 functions but not shown them?

xusheng6 commented 7 months ago

> Between 0xFFFFFE00072A8548 and 0xFFFFFE00072ACF20, there should be 10 functions. However, only 3 are shown by Binary Ninja. Do you mean that Binary Ninja has identified all the 10 functions but not shown them?

It seems like the dwarf importer missed these functions. I just looked at the two functions you highlighted and saw they already have a name, so I kinda think existing symbols are the problem.

I installed the DMG you linked, but I cannot seem to find the kernel.release.t8103.dSYM in /System/Library/Kernels. Is the path correct?

Proteas commented 7 months ago

I forgot to mention a step: install the .pkg file inside the DMG.

xusheng6 commented 7 months ago

> I forgot to mention a step: install the .pkg file inside the DMG.

Yeah I have installed that. However, for some reason, the file is not there. Could you please send the dSYM to binaryninja@vector35.com, or join our slack (https://slack.binary.ninja/) and share the file with us?

Proteas commented 7 months ago

The file is large. Please check the directory: /Library/Developer/KDKs/KDK_14.4_23E214.kdk/System/Library/Kernels.

Proteas commented 7 months ago

If you want to uninstall it, delete /Library/Developer/KDKs/KDK_14.4_23E214.kdk.

xusheng6 commented 7 months ago

I found the files, thx for the path! I see there are some DWARF-related messages being printed out when I open the file:

[Default] DWARF information is invalid (infinite abstract origin reference cycle). Debug information may be incomplete.
[Default] DWARF information is invalid (infinite abstract origin reference cycle). Debug information may be incomplete.
[Default] DWARF information is invalid (infinite abstract origin reference cycle). Debug information may be incomplete.
[Default] DWARF information is invalid (infinite abstract origin reference cycle). Debug information may be incomplete.
[Default] DWARF information is invalid (infinite abstract origin reference cycle). Debug information may be incomplete.
[Default] DWARF info contains duplicate data variable definition. Overwriting data variable at 0x00000001 (`bool`) with `unsigned long`
[Default] DWARF information is invalid (infinite abstract origin reference cycle). Debug information may be incomplete.
[Default] DWARF information is invalid (infinite abstract origin reference cycle). Debug information may be incomplete.
[Default] DWARF info contains duplicate data variable definition. Overwriting data variable at 0xfffffe000701fe20 (`char[0x11]`) with `char const[0x11]`
[Default] DWARF info contains duplicate data variable definition. Overwriting data variable at 0xfffffe000701fe20 (`char const[0x11]`) with `char[0x11]`
[Default] DWARF info contains duplicate data variable definition. Overwriting data variable at 0x00000001 (`unsigned long`) with `bool`
[Default] DWARF info contains duplicate data variable definition. Overwriting data variable at 0x00000001 (`bool`) with `unsigned long`
[Default] DWARF info contains duplicate data variable definition. Overwriting data variable at 0xfffffe000701fe20 (`char[0x11]`) with `char const[0x11]`
[Default] DWARF information is invalid (infinite abstract origin reference cycle). Debug information may be incomplete.
[Default] DWARF information is invalid (infinite abstract origin reference cycle). Debug information may be incomplete.
[Default] DWARF info contains duplicate data variable definition. Overwriting data variable at 0xfffffe0007026680 (`char[0x5]`) with `char const[0x5]`
[Default] DWARF info contains duplicate data variable definition. Overwriting data variable at 0x00000001 (`unsigned long`) with `bool`
[Default] DWARF info contains duplicate data variable definition. Overwriting data variable at 0x00000001 (`bool`) with `bool`
[Default] DWARF info contains duplicate data variable definition. Overwriting data variable at 0x00000000 (`bool`) with `bool`
[Default] DWARF info contains duplicate data variable definition. Overwriting data variable at 0xfffffe000703c15e (`char[0x5]`) with `char const[0x5]`
[Default] DWARF info contains duplicate data variable definition. Overwriting data variable at 0x00000001 (`bool`) with `int`
[Default] DWARF info contains duplicate data variable definition. Overwriting data variable at 0x00000000 (`bool`) with `bool`
[Default] DWARF info contains duplicate data variable definition. Overwriting data variable at 0xfffffe000703c154 (`char[0x2]`) with `char const[0x2]`

There might be some issues with our DWARF parsing. We will look into this.
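A log like the one above is easier to triage when the importer messages are grouped by address and type. The following Python script is an added example (not Binary Ninja's code and not from anyone in this thread): it parses the two message formats quoted above from a constructed sample of those lines and reports cycle warnings, addresses whose data variable type keeps flip-flopping, and addresses that fall outside a caller-supplied image range (the range bounds below are placeholders, not values from the thread).

```python
import re
from collections import defaultdict

# Constructed sample: a handful of the importer messages quoted in the thread above.
SAMPLE_LOG = """\
[Default] DWARF information is invalid (infinite abstract origin reference cycle). Debug information may be incomplete.
[Default] DWARF info contains duplicate data variable definition. Overwriting data variable at 0x00000001 (`bool`) with `unsigned long`
[Default] DWARF information is invalid (infinite abstract origin reference cycle). Debug information may be incomplete.
[Default] DWARF info contains duplicate data variable definition. Overwriting data variable at 0xfffffe000701fe20 (`char[0x11]`) with `char const[0x11]`
[Default] DWARF info contains duplicate data variable definition. Overwriting data variable at 0xfffffe000701fe20 (`char const[0x11]`) with `char[0x11]`
[Default] DWARF info contains duplicate data variable definition. Overwriting data variable at 0x00000001 (`unsigned long`) with `bool`
[Default] DWARF info contains duplicate data variable definition. Overwriting data variable at 0x00000000 (`bool`) with `bool`
"""

CYCLE_MSG = "infinite abstract origin reference cycle"
# Matches the "duplicate data variable definition" message: address, old type, new type.
DUP_RE = re.compile(
    r"Overwriting data variable at (0x[0-9a-fA-F]+) \(`([^`]*)`\) with `([^`]*)`"
)


def summarize(log_text, image_start, image_end):
    """Group importer warnings so a long log can be triaged at a glance.

    Returns a dict with:
      cycles    -> number of abstract-origin cycle warnings
      conflicts -> {addr: sorted list of distinct types seen at that address}
      outside   -> addresses of duplicate definitions that lie outside
                   [image_start, image_end); tiny addresses such as 0x0 or 0x1
                   are flagged here as a triage heuristic (likely constants
                   mistaken for data variables), not as a claim about the importer
    """
    cycles = 0
    types_at = defaultdict(set)
    for line in log_text.splitlines():
        if CYCLE_MSG in line:
            cycles += 1
            continue
        m = DUP_RE.search(line)
        if m:
            addr = int(m.group(1), 16)
            types_at[addr].update((m.group(2), m.group(3)))
    conflicts = {a: sorted(t) for a, t in types_at.items() if len(t) > 1}
    outside = sorted(a for a in types_at if not (image_start <= a < image_end))
    return {"cycles": cycles, "conflicts": conflicts, "outside": outside}


if __name__ == "__main__":
    # Placeholder image bounds; substitute the real kernel image range when running this.
    print(summarize(SAMPLE_LOG, 0xFFFFFE0007000000, 0xFFFFFF0000000000))
```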

xusheng6 commented 7 months ago

V35 folks should search for lose which by route title to find the relevant files