Vector35 / idb-rs

IDB parser

Failure to parse `ComRAT-Orchestrator-ForDistribution.i64` #8

Open emesare opened 3 days ago

emesare commented 3 days ago

ComRAT-Orchestrator-ForDistribution.i64.txt

thread 'test::parse_idbs' panicked at src/lib.rs:671:17:
til io error: failed to fill whole buffer

Stack backtrace:
   0: std::backtrace_rs::backtrace::libunwind::trace
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/std/src/../../backtrace/src/backtrace/libunwind.rs:104:5
   1: std::backtrace_rs::backtrace::trace_unsynchronized
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
   2: std::backtrace::Backtrace::create
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/std/src/backtrace.rs:331:13
   3: anyhow::error::<impl core::convert::From<E> for anyhow::Error>::from
             at /Users/emesare/.cargo/registry/src/index.crates.io-6f17d22bba15001f/anyhow-1.0.89/src/error.rs:564:25
   4: <core::result::Result<T,F> as core::ops::try_trait::FromResidual<core::result::Result<core::convert::Infallible,E>>>::from_residual
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/result.rs:1959:27
   5: idb_rs::til::TILMacro::read
             at ./src/til.rs:379:26
   6: idb_rs::til::section::TILSection::read_macros_normal::{{closure}}
             at ./src/til/section.rs:402:22
   7: core::iter::adapters::map::map_try_fold::{{closure}}
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/iter/adapters/map.rs:96:28
   8: core::iter::traits::iterator::Iterator::try_fold
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/iter/traits/iterator.rs:2462:21
   9: <core::iter::adapters::map::Map<I,F> as core::iter::traits::iterator::Iterator>::try_fold
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/iter/adapters/map.rs:122:9
  10: <core::iter::adapters::GenericShunt<I,R> as core::iter::traits::iterator::Iterator>::try_fold
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/iter/adapters/mod.rs:201:9
  11: core::iter::traits::iterator::Iterator::try_for_each
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/iter/traits/iterator.rs:2524:9
  12: <core::iter::adapters::GenericShunt<I,R> as core::iter::traits::iterator::Iterator>::next
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/iter/adapters/mod.rs:184:14
  13: alloc::vec::Vec<T,A>::extend_desugared
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/alloc/src/vec/mod.rs:2930:35
  14: <alloc::vec::Vec<T,A> as alloc::vec::spec_extend::SpecExtend<T,I>>::spec_extend
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/alloc/src/vec/spec_extend.rs:17:9
  15: <alloc::vec::Vec<T> as alloc::vec::spec_from_iter_nested::SpecFromIterNested<T,I>>::from_iter
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/alloc/src/vec/spec_from_iter_nested.rs:43:9
  16: <alloc::vec::Vec<T> as alloc::vec::spec_from_iter::SpecFromIter<T,I>>::from_iter
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/alloc/src/vec/spec_from_iter.rs:33:9
  17: <alloc::vec::Vec<T> as core::iter::traits::collect::FromIterator<T>>::from_iter
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/alloc/src/vec/mod.rs:2836:9
  18: core::iter::traits::iterator::Iterator::collect
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/iter/traits/iterator.rs:2054:9
  19: <core::result::Result<V,E> as core::iter::traits::collect::FromIterator<core::result::Result<A,E>>>::from_iter::{{closure}}
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/result.rs:1930:51
  20: core::iter::adapters::try_process
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/iter/adapters/mod.rs:170:17
  21: <core::result::Result<V,E> as core::iter::traits::collect::FromIterator<core::result::Result<A,E>>>::from_iter
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/result.rs:1930:9
  22: core::iter::traits::iterator::Iterator::collect
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/iter/traits/iterator.rs:2054:9
  23: idb_rs::til::section::TILSection::read_macros_normal
             at ./src/til/section.rs:401:25
  24: idb_rs::til::section::TILSection::read_macros
             at ./src/til/section.rs:394:13
  25: idb_rs::til::section::TILSection::read_inner::{{closure}}
             at ./src/til/section.rs:103:22
  26: core::bool::<impl bool>::then
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/bool.rs:60:24
  27: idb_rs::til::section::TILSection::read_inner
             at ./src/til/section.rs:100:22
  28: idb_rs::til::section::TILSection::read
             at ./src/til/section.rs:86:17
  29: idb_rs::IDBParser<I>::read_til_section::{{closure}}
             at ./src/lib.rs:75:34
  30: idb_rs::read_section
             at ./src/lib.rs:129:18
  31: idb_rs::IDBParser<I>::read_til_section
             at ./src/lib.rs:71:9
  32: idb_rs::test::parse_idbs
             at ./src/lib.rs:666:33
  33: idb_rs::test::parse_idbs::{{closure}}
             at ./src/lib.rs:603:20
rbran commented 2 days ago

I could not reproduce this error, instead I get an invalid use of BT_UNK:

$ cargo run --bin idb-tools -- -i resources/idbs/ComRAT-Orchestrator-ForDistribution.i64 dump-til

Error: parsing `TILTypeInfo::tiinfo`

Caused by:
    forbidden use of BT_UNK
rbran commented 2 days ago

This error is caused by the existence of TIL ordinal aliases. It seems that before the first type in the TIL section, it includes some kind of mapping ordinal -> ordinal; it's unclear how to parse those types or why they exist.

My guess is that it checks whether the flag value is too small; if so, it is an ordinal mapping, otherwise it parses it as a regular type.
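
The guessed dispatch from the comment above, as an added example that is not idb-rs's own code: the split between an ordinal alias and a regular type is made on whether the leading u32 is below a hypothetical `ALIAS_ORDINAL_LIMIT`, both entry layouts and the bytes in `sample_bucket` are constructed for illustration, and a truncated input surfaces as an `io::Error` instead of the panic seen in the report.

```rust
use std::io::{self, Cursor, Read};

/// Hypothetical cut-off: a leading u32 below this is read as an ordinal, not a flag word.
const ALIAS_ORDINAL_LIMIT: u32 = 0x1000;

#[derive(Debug, PartialEq)]
pub enum TilEntry {
    OrdinalAlias { from: u32, to: u32 },
    Type { flags: u32, name: String },
}
// read_exact maps a short read to UnexpectedEof ("failed to fill whole buffer"),
// so a truncated file becomes an Err the caller reports instead of a panic.
fn read_u32<R: Read>(r: &mut R) -> io::Result<u32> {
    let mut b = [0u8; 4];
    r.read_exact(&mut b)?;
    Ok(u32::from_le_bytes(b))
}

fn read_cstr<R: Read>(r: &mut R) -> io::Result<String> {
    let mut out = Vec::new();
    let mut b = [0u8; 1];
    loop {
        r.read_exact(&mut b)?;
        if b[0] == 0 { break; }
        out.push(b[0]);
    }
    String::from_utf8(out).map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))
}
/// Dispatch on the first u32 as the comment guesses: a small value is an alias
/// source ordinal, anything else is the flag word of a regular type entry.
pub fn read_entry<R: Read>(r: &mut R) -> io::Result<TilEntry> {
    let first = read_u32(r)?;
    if first < ALIAS_ORDINAL_LIMIT {
        let to = read_u32(r)?; // constructed alias layout: <from: u32><to: u32>
        return Ok(TilEntry::OrdinalAlias { from: first, to });
    }
    let name = read_cstr(r)?; // constructed type layout: <flags: u32><name: cstr>
    Ok(TilEntry::Type { flags: first, name })
}
pub fn read_entries(data: &[u8], count: usize) -> io::Result<Vec<TilEntry>> {
    let mut cur = Cursor::new(data);
    (0..count).map(|_| read_entry(&mut cur)).collect()
}

// Constructed sample bucket: one alias (3 -> 7) followed by one regular type entry.
pub fn sample_bucket() -> Vec<u8> {
    let mut v = [3u32.to_le_bytes(), 7u32.to_le_bytes(), 0x8000_0001u32.to_le_bytes()].concat();
    v.extend_from_slice(b"my_struct\0");
    v
}
```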

rbran commented 1 day ago

The original problem was fixed in https://github.com/rbran/idb-rs/commit/5957e9e13be9fd73f2851b9b8b53e1aae2305123

But now it's unable to parse the type `void __fastcall stringstream__basic_ios__sub_180007CF0_Destructor(basic_ios *__shifted(stringstream,0x94) a1);`. Probably due to the type's complexity.