capa
stackstring detection miss
PMA Lab 01-04
no detection in IDA or viv of stackstring
```asm
.text:00401000 55                      push ebp
.text:00401001 8B EC                   mov ebp, esp
.text:00401003 81 EC 20 01 00 00       sub esp, 120h
.text:00401009 57                      push edi
.text:0040100A A1 10 30 40 00          mov eax, dword ptr aWinlogonExe      ; "winlogon.exe"
.text:0040100F 89 45 EC                mov dword ptr [ebp+String2], eax
.text:00401012 8B 0D 14 30 40 00       mov ecx, dword ptr aWinlogonExe+4    ; "ogon.exe"
.text:00401018 89 4D F0                mov [ebp+var_10], ecx
.text:0040101B 8B 15 18 30 40 00       mov edx, dword ptr aWinlogonExe+8    ; ".exe"
.text:00401021 89 55 F4                mov [ebp+var_C], edx
.text:00401024 A0 1C 30 40 00          mov al, byte ptr aWinlogonExe+0Ch    ; ""
.text:00401029 88 45 F8                mov [ebp+var_8], al
.text:0040102C 8B 0D 20 30 40 00       mov ecx, dword ptr aNotReal          ; "<not real>"
.text:00401032 89 8D E8 FE FF FF       mov dword ptr [ebp+String1], ecx
.text:00401038 8B 15 24 30 40 00       mov edx, dword ptr aNotReal+4        ; " real>"
.text:0040103E 89 95 EC FE FF FF       mov [ebp+var_114], edx
.text:00401044 66 A1 28 30 40 00       mov ax, word ptr aNotReal+8          ; "l>"
.text:0040104A 66 89 85 F0 FE FF FF    mov [ebp+var_110], ax
.text:00401051 8A 0D 2A 30 40 00       mov cl, byte ptr aNotReal+0Ah        ; ""
.text:00401057 88 8D F2 FE FF FF       mov [ebp+var_10E], cl
.text:0040105D B9 3E 00 00 00          mov ecx, 3Eh                         ; '>'
```
This looks like an inlined memcpy to a destination on the stack. Is it a stackstring??? jk, I don't really want to debate that.
We currently only check if a mov goes directly to the stack. Here it goes to a register first, then to the stack.
I think this specific pattern is easy enough to adapt. Shall we? If so, we should check for prevalence (see #424).
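As an added example (my own sketch, not capa's code and not a reproduction of its stackstring logic), here is how the "goes to a register first, then to the stack" pattern could be tracked alongside the direct `mov [ebp+X], imm` check. It runs over the listing above with the address and byte columns stripped (a constructed copy of the IDA text), plus a small constructed direct-immediate variant of the same string. The register tables, the `<imm>` label for direct writes, the three-move threshold, and the default 4-byte width for an unsized immediate store are all my assumptions.

```python
import re

# Sub-register -> (32-bit family, width in bytes) for the GPRs used as relays (assumed table).
REGS = {}
for b in "abcd":
    REGS[f"e{b}x"], REGS[f"{b}x"] = (f"e{b}x", 4), (f"e{b}x", 2)
    REGS[f"{b}l"], REGS[f"{b}h"] = (f"e{b}x", 1), (f"e{b}x", 1)
for r in ("si", "di", "bp", "sp"):
    REGS[f"e{r}"], REGS[r] = (f"e{r}", 4), (f"e{r}", 2)

PTR_WIDTH = {"byte": 1, "word": 2, "dword": 4}
MOV_RE = re.compile(r"^mov\s+(.+?)\s*,\s*(.+)$", re.IGNORECASE)
STACK_RE = re.compile(r"^(?:(byte|word|dword)\s+ptr\s+)?\[ebp([+-]\w+)\]$")
GLOBAL_RE = re.compile(r"^(?:(?:byte|word|dword)\s+ptr\s+)?([A-Za-z_]\w*)(?:[+-]\w+)?$")
IMM_RE = re.compile(r"^[0-9][0-9a-f]*h?$")

# Constructed sample: the issue's listing, address/byte columns removed.
RELAYED_LISTING = """
push ebp
mov ebp, esp
sub esp, 120h
push edi
mov eax, dword ptr aWinlogonExe      ; "winlogon.exe"
mov dword ptr [ebp+String2], eax
mov ecx, dword ptr aWinlogonExe+4    ; "ogon.exe"
mov [ebp+var_10], ecx
mov edx, dword ptr aWinlogonExe+8    ; ".exe"
mov [ebp+var_C], edx
mov al, byte ptr aWinlogonExe+0Ch    ; ""
mov [ebp+var_8], al
mov ecx, dword ptr aNotReal          ; "<not real>"
mov dword ptr [ebp+String1], ecx
mov edx, dword ptr aNotReal+4        ; " real>"
mov [ebp+var_114], edx
mov ax, word ptr aNotReal+8          ; "l>"
mov [ebp+var_110], ax
mov cl, byte ptr aNotReal+0Ah        ; ""
mov [ebp+var_10E], cl
mov ecx, 3Eh                         ; '>'
"""

# Constructed sample: the same string written with immediates, the direct form.
DIRECT_LISTING = """
mov dword ptr [ebp+var_10], 6C6E6977h   ; "winl"
mov dword ptr [ebp+var_C], 6E6F676Fh    ; "ogon"
mov dword ptr [ebp+var_8], 6578652Eh    ; ".exe"
mov byte ptr [ebp+var_4], 0
"""


def find_stackstrings(listing, min_moves=3, track_registers=True):
    """Return runs of consecutive stack writes that look like a stackstring.

    Counted writes:
      mov [ebp+slot], imm                       direct (the check described in the issue)
      mov reg, ptr sym ; mov [ebp+slot], reg    relayed through a register (track_registers)
    Each run is {"source": symbol or "<imm>", "moves": n, "bytes": total width}.
    """
    pending = {}  # register family -> global symbol whose bytes it currently holds
    writes = []   # (source, width) in program order
    for raw in listing.splitlines():
        m = MOV_RE.match(raw.split(";", 1)[0].strip())
        if not m:
            continue
        dst, src = m.group(1), m.group(2)
        dst_l, src_l = dst.lower(), src.lower()
        stack = STACK_RE.match(dst_l)
        if stack:
            if IMM_RE.match(src_l):
                writes.append(("<imm>", PTR_WIDTH.get(stack.group(1), 4)))  # 4 assumed if unsized
            elif track_registers and src_l in REGS and REGS[src_l][0] in pending:
                fam, width = REGS[src_l]
                writes.append((pending[fam], width))
        elif dst_l in REGS:
            fam = REGS[dst_l][0]
            g = GLOBAL_RE.match(src)
            if g and src_l not in REGS and not IMM_RE.match(src_l):
                pending[fam] = g.group(1)   # register now carries a chunk of this global
            else:
                pending.pop(fam, None)      # clobbered by an immediate or another register
    runs = []
    for source, width in writes:
        if runs and runs[-1]["source"] == source:
            runs[-1]["moves"] += 1
            runs[-1]["bytes"] += width
        else:
            runs.append({"source": source, "moves": 1, "bytes": width})
    return [r for r in runs if r["moves"] >= min_moves]


if __name__ == "__main__":
    print("direct check only  :", find_stackstrings(RELAYED_LISTING, track_registers=False))
    print("with register relay:", find_stackstrings(RELAYED_LISTING))
    print("direct listing     :", find_stackstrings(DIRECT_LISTING, track_registers=False))
```

With the direct-only check the relayed listing yields nothing, which is the miss reported here; with register tracking it reports two runs, 13 bytes from `aWinlogonExe` and 11 from `aNotReal` (the strings plus their terminators). The sketch only follows plain `mov`; `movzx`/`movsx` relays and stores through registers other than ebp-relative slots would need the same treatment before judging prevalence.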