das-labor / panopticon

A libre cross-platform disassembler.
https://panopticon.re
GNU General Public License v3.0

Adds basic PLT resolution for mach and elf binaries #321

Closed m4b closed 7 years ago

m4b commented 7 years ago

Adds new PLT resolution scheme for mach and elf binaries.

  1. Adds a function::FunctionKind (I think we'll want to reexport as FunctionKind perhaps);
  2. Adds new methods on program and function to rewrite matching function names that are plt stubs to their appropriate type and name

Also:

  1. --reverse-deps flag for printing every function that calls the given function -f
  2. better coloring
  3. --il to dump rreil (in color, along with the mnemonic it implements, good for surveying what needs to be implemented)
  4. fix a bug omitting some actual ELF functions in the plt
  5. add mutable function iterator

coveralls commented 7 years ago

Coverage decreased (-0.3%) to 59.325% when pulling abfd28d50143c2aa871e846e0e3eaac8b66db407 on m4b/plt_resolution into 6051091a38c7b4358f1ea1ad7f92d9427f5b676f on master.

coveralls commented 7 years ago

Coverage decreased (-0.3%) to 59.369% when pulling 5149ca2ca1d2031c76d707315fda41a1971333f1 on m4b/plt_resolution into 6051091a38c7b4358f1ea1ad7f92d9427f5b676f on master.

coveralls commented 7 years ago

Coverage decreased (-1.2%) to 58.435% when pulling 56b3366832e0dbb82412cb9c481491d064998f47 on m4b/plt_resolution into 6051091a38c7b4358f1ea1ad7f92d9427f5b676f on master.

coveralls commented 7 years ago

Coverage decreased (-1.3%) to 58.372% when pulling 56b3366832e0dbb82412cb9c481491d064998f47 on m4b/plt_resolution into 6051091a38c7b4358f1ea1ad7f92d9427f5b676f on master.

m4b commented 7 years ago

Some obligatory screenshots:

il dump (screenshot)

reverse deps (screenshot)

panic in libc ;)

m4b@efrit ::  [ ~/projects/panopticon/cli ] panop /usr/lib/libc.so.6 --reverse-deps -f printf
thread 'main' panicked at '__memcpy_chk_ssse3_back has a call address 0x7fac3ea, but there isn't a function with that address in the program object', /checkout/src/libcore/option.rs:823:4
note: Run with `RUST_BACKTRACE=1` for a backtrace.

flanfly commented 7 years ago

@m4b does it again! ❇️ 🥇

flanfly commented 7 years ago

btw, it didn't panic when running it against my libc 😕

m4b commented 7 years ago

I should have clarified, the panic is because the reverse deps check makes sure that any function in the call addresses is also a resolved function in the program object.

This is a good assertion imho, but if we don't want to panic can just skip and warn for that call address.

The function could be missing if, for example, it couldn't be disassembled because it encountered an error or some fancy instruction, etc.

I'll test some more to see which function it is; it should be deterministic since the call address is checkable in gdb, etc.

@flanfly while you're here, could you help to implement leaq in RREIL? I've been investigating it but it would be great if you could give a pointer, or knew what to do
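The reverse-deps check described in the comments above (every call address must resolve to a function in the program object, and the alternative of skipping and warning instead of panicking), as an added example in Rust. This is not panopticon's own code: `Function`, `ReverseDeps` and the sample program are hypothetical, constructed stand-ins.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Hypothetical stand-in for a disassembled function (not panopticon's type):
/// entry address plus the target address of every call it makes.
struct Function { name: String, entry: u64, calls: Vec<u64> }

/// Callers found, plus each call address that resolved to no function.
#[derive(Debug, Default, PartialEq)]
struct ReverseDeps {
    callers: BTreeSet<String>,
    unresolved: Vec<(String, u64)>, // (caller name, dangling call address)
}

/// Every function whose calls resolve to `target`. A call address with no
/// matching function (e.g. one that failed to disassemble) is recorded in
/// `unresolved` instead of panicking, so the caller can warn and continue.
fn reverse_deps(functions: &[Function], target: &str) -> ReverseDeps {
    let by_addr: BTreeMap<u64, &Function> = functions.iter().map(|f| (f.entry, f)).collect();
    let mut out = ReverseDeps::default();
    for f in functions {
        for &addr in &f.calls {
            match by_addr.get(&addr) {
                Some(callee) if callee.name == target => { out.callers.insert(f.name.clone()); }
                Some(_) => {}
                None => out.unresolved.push((f.name.clone(), addr)),
            }
        }
    }
    out
}

/// Constructed sample: `printf` and three callers; one caller also has a call
/// address that no function in the program owns.
fn sample() -> Vec<Function> {
    let f = |name: &str, entry: u64, calls: Vec<u64>| Function { name: name.to_string(), entry, calls };
    vec![
        f("printf", 0x1000, vec![]),
        f("main", 0x2000, vec![0x1000]),
        f("helper", 0x4000, vec![0x1000, 0x2000]),
        f("__memcpy_chk", 0x5000, vec![0x1000, 0x7fac3ea]),
    ]
}

fn main() {
    let deps = reverse_deps(&sample(), "printf");
    println!("callers of printf: {:?}", deps.callers);
    for (caller, addr) in &deps.unresolved {
        eprintln!("warning: {} has a call address {:#x} with no function at it", caller, addr);
    }
}
```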