mandiant / flare-ida

IDA Pro utilities from FLARE team
Apache License 2.0

Annotate API calls via wrapper/thunk functions #62

Open confile opened 6 years ago

confile commented 6 years ago

I tried to run the MSDN Annotations plugin but it turns out that it does not work well with IDA 7.1 Pro. It creates a Segment .msdn with content but it does not change the Symbols as expected.

mr-tz commented 6 years ago

Does it fail to annotate all calls or just this one? It appears that the plugin fails to identify the function call. Is there a cross-reference from the import table to the CreateFileA call?

confile commented 6 years ago

It fails to annotate everything. But, I can see the additional segment called .msdn.

Is there a cross-reference from the import table to the CreateFileA call?

What do you mean by that?

I attached two files I checked. reverseMe.exe.zip

confile commented 6 years ago

Here is the IDA output I get

confile commented 6 years ago

@mr-tz Do you have any idea how to solve this?

mr-tz commented 6 years ago

The sample calls the functions from the import address table via an intermediate thunk function. For example the call to CreateFileA is made via the function at offset 0x401283. The plugin does not currently support the annotation of function arguments for such calls.

confile commented 6 years ago

Could you please add this to the plugin?

mr-tz commented 6 years ago

It shouldn't be too hard to add this feature, but I cannot promise a solution soon. We will keep this issue open to track it.

confile commented 6 years ago

@mr-tz Could you give me some hint where to start, then I will try to add it and push a change?

mr-tz commented 6 years ago

Thanks, that would be great! One solution would be to add the respective call offsets to the library_calls dictionary.

confile commented 6 years ago

Well, then you have to give some more details on what to do.

williballenthin commented 6 years ago

You need to update the implementation of the get_imports function called here: https://github.com/fireeye/flare-ida/blob/master/python/flare/IDB_MSDN_Annotator/__init__.py#L527

You should enumerate functions and detect when they are thunks to other imports, mark them as such, and find a way to update the library_calls dictionary, as @mr-tz suggested. If you have trouble following the information flow, try adding some calls to logging.debug(…) so you can see the data formats.
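The two points raised above, an import reached through an intermediate thunk function (jmp through the import address table) and the suggested fix of detecting such thunks and feeding their call sites into library_calls, as an added example. This is not flare-ida code and does not use IDAPython: IMAGE_BASE, IAT, FUNC_STARTS and the byte string are constructed for the demonstration, and the small decoder only understands the handful of opcodes that appear in it. In the plugin itself, idautils.Functions(), the import enumeration and IDA's own decoder would replace those stand-ins; the lookup logic is what carries over. It also covers direct `call [IAT slot]` alongside the thunked form so both land in the same dictionary shape.

```python
"""Resolve Windows API calls made through import thunks (jmp [IAT slot]).

Added example, not flare-ida code: a plain-Python model of the lookup the
annotator needs, runnable without IDA.  All addresses, the IAT contents and
the code bytes are constructed for this demonstration.
"""
import struct

IMAGE_BASE = 0x401000  # constructed: start of the modelled code region

# Constructed IAT: slot address -> imported API name
# (what IDA's import enumeration would report).
IAT = {
    0x402000: "CreateFileA",
    0x402004: "CloseHandle",
}

# Constructed function start addresses (what idautils.Functions() would yield).
FUNC_STARTS = [0x401000, 0x401020, 0x401030, 0x401036]

# Constructed 32-bit x86 code region starting at IMAGE_BASE.
CODE = (
    # 0x401000  caller
    bytes.fromhex("E82B000000")      # call 0x401030   (thunk -> CreateFileA)
    + bytes.fromhex("E82C000000")    # call 0x401036   (thunk -> CloseHandle)
    + bytes.fromhex("FF1504204000")  # call dword ptr [0x402004] (direct IAT call)
    + bytes.fromhex("E80B000000")    # call 0x401020   (ordinary local function)
    + bytes.fromhex("C3")            # ret
    + b"\xCC" * 10                   # alignment padding
    # 0x401020  local helper (not a thunk)
    + bytes.fromhex("9090C3")
    + b"\xCC" * 13
    # 0x401030  thunk: jmp dword ptr [0x402000]
    + bytes.fromhex("FF2500204000")
    # 0x401036  thunk: jmp dword ptr [0x402004]
    + bytes.fromhex("FF2504204000")
)


def decode(code, base):
    """Minimal linear sweep over the few opcodes used in CODE.

    Yields (address, mnemonic, target) where target is the resolved branch
    target or IAT slot for call/jmp forms and None otherwise.  Stands in for
    IDA's real decoder, which handles the full instruction set."""
    off = 0
    while off < len(code):
        ea = base + off
        op = code[off]
        if op == 0xE8:                               # call rel32 (signed)
            rel = struct.unpack_from("<i", code, off + 1)[0]
            yield ea, "call", ea + 5 + rel
            off += 5
        elif op == 0xFF and code[off + 1] == 0x25:   # jmp dword ptr [abs32]
            yield ea, "jmp_mem", struct.unpack_from("<I", code, off + 2)[0]
            off += 6
        elif op == 0xFF and code[off + 1] == 0x15:   # call dword ptr [abs32]
            yield ea, "call_mem", struct.unpack_from("<I", code, off + 2)[0]
            off += 6
        elif op in (0xC3, 0x90, 0xCC):               # ret / nop / int3 padding
            yield ea, {0xC3: "ret", 0x90: "nop", 0xCC: "int3"}[op], None
            off += 1
        else:
            raise ValueError("unsupported opcode 0x%02X at 0x%X" % (op, ea))


def find_import_thunks(code, base, func_starts, iat):
    """Map thunk start address -> API name.

    A thunk is a function whose first instruction is `jmp [slot]` with the
    slot inside the IAT; every other function is left out of the result."""
    thunks = {}
    for start in func_starts:
        off = start - base
        if off < 0 or off + 6 > len(code):
            continue
        if code[off] == 0xFF and code[off + 1] == 0x25:
            slot = struct.unpack_from("<I", code, off + 2)[0]
            if slot in iat:
                thunks[start] = iat[slot]
    return thunks


def build_library_calls(code, base, func_starts, iat):
    """Return {call_address: api_name}, the shape of library_calls.

    Direct `call [IAT slot]` and `call thunk` (where the thunk jumps through
    the IAT) resolve to the same API name, so the annotator can treat both
    call sites alike."""
    thunks = find_import_thunks(code, base, func_starts, iat)
    library_calls = {}
    for ea, mnem, target in decode(code, base):
        if mnem == "call_mem" and target in iat:
            library_calls[ea] = iat[target]
        elif mnem == "call" and target in thunks:
            library_calls[ea] = thunks[target]
    return library_calls


if __name__ == "__main__":
    for ea, name in sorted(build_library_calls(CODE, IMAGE_BASE, FUNC_STARTS, IAT).items()):
        print("0x%X -> %s" % (ea, name))
```

Running the block lists three call sites: the two calls into thunks and the direct IAT call, each paired with its API name, while the call to the plain local function is ignored. The check in find_import_thunks deliberately keys on the first instruction only; a function that merely contains a jump through the IAT deeper in its body is not a thunk and must not be relabelled as the import.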

confile commented 6 years ago

Any more hints on which APIs are relevant here?

mr-tz commented 6 years ago

I would probably look at the following functions first: