mandiant / flare-ida

IDA Pro utilities from FLARE team
Apache License 2.0

shellcode_hash_search crash with 64 bit IDA (7.3) #73

Closed OevreFlataeker closed 5 years ago

OevreFlataeker commented 5 years ago

The shellcode_hash_search plugin crashes during execution due to an apparently 64 bit integer size problem with the underlying SQLite DB.

---------------------------------------------------------------------------------------------
Python 2.7.13 (v2.7.13:a06454b1afa1, Dec 17 2016, 20:53:40) [MSC v.1500 64 bit (AMD64)] 
IDAPython 64-bit v7.3.0 final (serial 0) (c) The IDAPython Team <idapython@googlegroups.com>
---------------------------------------------------------------------------------------------
shellcode_hash: Starting up
shellcode_hash: Processing current segment only: 0x00000000 - 0x00000207
shellcode_hash: 0x000000a3: ror13AddHash32Dll:0xe553a458 kernel32.dll!VirtualAlloc
shellcode_hash: 0x000000bd: ror13AddHash32Dll:0x0726774c kernel32.dll!LoadLibraryA
shellcode_hash: 0x0000012f: ror13AddHash32Dll:0xc99cc96a dnsapi.dll!DnsQuery_A
shellcode_hash: 0x00000198: ror13AddHash32Dll:0x56a2b5f0 kernel32.dll!ExitProcess
shellcode_hash: 0x000001a4: ror13AddHash32Dll:0xe035f044 kernel32.dll!Sleep
shellcode_hash: 0x000001e4: ror13AddHash32Dll:0xcc8e00f4 kernel32.dll!lstrlenA
shellcode_hash: Exception: Python int too large to convert to SQLite INTEGER
Traceback (most recent call last):
  File "C:\D\flare-ida\python\flare\shellcode_hash_search.py", line 342, in lookForOpArgs
    hits = self.dbstore.getSymbolByTypeHash(h.hashType, opval)
  File "C:\D\flare-ida\python\flare\shellcode_hash_search.py", line 192, in getSymbolByTypeHash
    cur = self.conn.execute(sql_lookup_hash_type_value, (hashVal, hashType))
OverflowError: Python int too large to convert to SQLite INTEGER
shellcode_hash: 0x000000bc: ror13AddHash32Dll:0x0726774c kernel32.dll!LoadLibraryA
shellcode_hash: Exception: Python int too large to convert to SQLite INTEGER
Traceback (most recent call last):
  File "C:\D\flare-ida\python\flare\shellcode_hash_search.py", line 342, in lookForOpArgs
    hits = self.dbstore.getSymbolByTypeHash(h.hashType, opval)
  File "C:\D\flare-ida\python\flare\shellcode_hash_search.py", line 192, in getSymbolByTypeHash
    cur = self.conn.execute(sql_lookup_hash_type_value, (hashVal, hashType))
OverflowError: Python int too large to convert to SQLite INTEGER
shellcode_hash: 0x00000197: ror13AddHash32Dll:0x56a2b5f0 kernel32.dll!ExitProcess
shellcode_hash: Exception: Python int too large to convert to SQLite INTEGER
Traceback (most recent call last):
  File "C:\D\flare-ida\python\flare\shellcode_hash_search.py", line 342, in lookForOpArgs
    hits = self.dbstore.getSymbolByTypeHash(h.hashType, opval)
  File "C:\D\flare-ida\python\flare\shellcode_hash_search.py", line 192, in getSymbolByTypeHash
    cur = self.conn.execute(sql_lookup_hash_type_value, (hashVal, hashType))
OverflowError: Python int too large to convert to SQLite INTEGER
shellcode_hash: Exception: Python int too large to convert to SQLite INTEGER
Traceback (most recent call last):
  File "C:\D\flare-ida\python\flare\shellcode_hash_search.py", line 342, in lookForOpArgs
    hits = self.dbstore.getSymbolByTypeHash(h.hashType, opval)
  File "C:\D\flare-ida\python\flare\shellcode_hash_search.py", line 192, in getSymbolByTypeHash
    cur = self.conn.execute(sql_lookup_hash_type_value, (hashVal, hashType))
OverflowError: Python int too large to convert to SQLite INTEGER
shellcode_hash: Done

Apparently the problem arises because the hashes are stored as INT in the SQLite DB, not as strings?

Please ref: https://www.google.com/search?q=64+bit+"Python+int+too+large+to+convert+to+SQLite+INTEGER"
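As an added example (not flare-ida's own code), the snippet below reproduces the reported OverflowError against an in-memory SQLite table and shows one way to bind such operands safely: truncate the operand to the hash type's width and reinterpret anything above 2**63-1 as a signed two's-complement value before binding. The table name, the hash-type id and the per-type width map are constructed assumptions, as is the sample operand.

```python
import sqlite3

SQLITE_INT_MAX = 2 ** 63 - 1          # SQLite INTEGER is a signed 64-bit value

# Constructed schema and rows, loosely modelled on a symbol-hash table; not flare-ida's own.
HASH_TYPE_ROR13ADD32 = 1
DEMO_ROWS = [
    (HASH_TYPE_ROR13ADD32, 0xE553A458, "kernel32.dll!VirtualAlloc"),
    (HASH_TYPE_ROR13ADD32, 0x0726774C, "kernel32.dll!LoadLibraryA"),
]
HASH_WIDTH_BITS = {HASH_TYPE_ROR13ADD32: 32}   # hypothetical per-type operand width
SQL_LOOKUP = "SELECT symbol FROM symbol_hashes WHERE hash_val = ? AND hash_type = ?"

def to_sqlite_int(value, bits):
    """Truncate an operand to the hash type's width, then map it into SQLite's
    signed 64-bit range by two's complement (only changes values when bits == 64)."""
    value &= (1 << bits) - 1
    return value - (1 << 64) if value > SQLITE_INT_MAX else value

def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE symbol_hashes (hash_type INTEGER, hash_val INTEGER, symbol TEXT)")
    conn.executemany("INSERT INTO symbol_hashes VALUES (?, ?, ?)",
                     [(t, to_sqlite_int(v, 64), s) for t, v, s in DEMO_ROWS])
    return conn

def lookup_unsafe(conn, hash_type, opval):
    """Binds the raw operand; raises OverflowError for any opval >= 2**63,
    which is what a sign-extended 64-bit immediate looks like in a 64-bit IDA."""
    return [row[0] for row in conn.execute(SQL_LOOKUP, (opval, hash_type))]

def lookup_safe(conn, hash_type, opval):
    """Normalise the operand to the hash type's width before binding."""
    bits = HASH_WIDTH_BITS.get(hash_type, 64)
    return [row[0] for row in conn.execute(SQL_LOOKUP, (to_sqlite_int(opval, bits), hash_type))]

def reproduce():
    """Return (outcome of the raw lookup, result of the safe lookup) for a
    constructed operand: 0xE553A458 sign-extended to 64 bits."""
    conn = build_demo_db()
    opval = 0xFFFFFFFFE553A458
    try:
        unsafe = lookup_unsafe(conn, HASH_TYPE_ROR13ADD32, opval)
    except OverflowError as exc:
        unsafe = type(exc).__name__
    return unsafe, lookup_safe(conn, HASH_TYPE_ROR13ADD32, opval)

if __name__ == "__main__":
    print(reproduce())
```

Masking to the hash width is a heuristic: a 64-bit operand whose low 32 bits happen to match a 32-bit hash will also be reported, so treat such hits as candidates to confirm in the disassembly.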

jhsmith commented 5 years ago

Should be resolved in #79. Please try the new version and let us know if you encounter more issues.