momalab / ICSREF

A tool for reverse engineering industrial control systems binaries.
MIT License
159 stars, 46 forks

Targets with dynamic memory layout #2

Open emblip opened 5 years ago

emblip commented 5 years ago

Hi! I'm wondering how you would approach binaries whose target memory layout is dynamically allocated.

I've been playing around trying to reverse some HMI+PLC-type devices. To be more exact, Exor eTOP50x-series devices. These utilize an ARM core on a SoC. They run Exor's own "jMobile"-generated project files to handle the HMI side, and the majority of everything else, anything not UI-related, is plain old CODESYS V2.3 binaries. Oh, and all this mess is running on top of WinCE6. Those CODESYS files are compiled as armv7 binaries, but the only way to make any sense of the binaries is to manually identify the allocated memory layout (CODESYS only tells you that the memory is automatically allocated and nothing more). Most of the things ICSREF automatically identifies (such as function boundaries & header information) are there, and mostly in the way one would expect... but the header addresses don't make any sense, and the strings used as identifiers are different from the ones used in PRG_analysis.py. I made some progress by manually identifying the aforementioned addresses & strings, and by modifying PRG_analysis.py accordingly, but never got the analysis to complete successfully. The furthest I've gotten it to run was up to the 'find static libraries' routine. Nevertheless, the generated work-in-progress HEX proved to be very useful.

Anyway, I believe this situation / class of devices is out of scope for ICSREF anyway, at least for now? And since I got satisfactory results anyway, this query is mostly just out of curiosity.

Anyway, very impressive & interesting work! I sure hope this project has a future!
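The two symptoms described in this post (identifier strings that differ from the ones a script hardcodes, and header addresses that do not make sense) are both things a small sanity-check pass can surface before a full analysis is attempted. The script below is an added example, not ICSREF's code and not PRG_analysis.py; it takes the identifier strings as a parameter, locates every occurrence in an image, decodes the 32-bit little-endian value that follows each one, and flags values that do not fall inside the image's assumed load range. The sample blob, the marker strings, the pointer values and the load base are all constructed for the example and do not describe a real CODESYS or Exor binary.

```python
import struct
from typing import Dict, List, Optional

# Constructed stand-in for a PRG image (not a real binary): two marker strings,
# each followed by a 32-bit little-endian pointer. All values are made up.
LOAD_BASE = 0x1000
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"CODESYS_HDR\x00" + struct.pack("<I", 0x1010)    # points back into the image
    + b"\xff" * 8
    + b"PLC_PRG\x00" + struct.pack("<I", 0x7FFFFFF0)    # deliberately outside the image
    + b"\x00" * 16
)

# Identifier strings are a parameter rather than a constant baked into the scan,
# so a device family that uses different strings only needs a different list.
DEFAULT_MARKERS = [b"CODESYS_HDR\x00", b"PLC_PRG\x00"]


def find_markers(blob: bytes, markers: List[bytes]) -> Dict[bytes, List[int]]:
    """Return every file offset at which each marker string occurs."""
    hits: Dict[bytes, List[int]] = {m: [] for m in markers}
    for m in markers:
        pos = blob.find(m)
        while pos != -1:
            hits[m].append(pos)
            pos = blob.find(m, pos + 1)
    return hits


def read_u32_le(blob: bytes, offset: int) -> Optional[int]:
    """Read a little-endian u32 at offset, or None if the image is too short."""
    if offset < 0 or offset + 4 > len(blob):
        return None
    return struct.unpack_from("<I", blob, offset)[0]


def check_header_addresses(blob: bytes, markers: List[bytes], load_base: int) -> List[dict]:
    """For each marker hit, decode the following u32 and report whether it lands
    inside [load_base, load_base + len(blob)). Out-of-range values are the first
    hint that either the load base or the marker list is wrong for this target."""
    results = []
    image_span = range(load_base, load_base + len(blob))
    for marker, offsets in find_markers(blob, markers).items():
        for off in offsets:
            value = read_u32_le(blob, off + len(marker))
            results.append({
                "marker": marker,
                "offset": off,
                "value": value,
                "in_range": value is not None and value in image_span,
            })
    return results


if __name__ == "__main__":
    for r in check_header_addresses(SAMPLE_BLOB, DEFAULT_MARKERS, LOAD_BASE):
        flag = "ok" if r["in_range"] else "SUSPECT"
        shown = "n/a" if r["value"] is None else f"{r['value']:#010x}"
        print(f"{r['marker']!r} @ {r['offset']:#06x} -> {shown} [{flag}]")
```

Running it on a real image means replacing SAMPLE_BLOB with the file contents, the marker list with the strings found by hand, and LOAD_BASE with the base the device is believed to use; a run where most decoded pointers are flagged SUSPECT is a strong sign that one of those three assumptions, rather than the analysis logic, is what needs adjusting.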

tkeliris commented 5 years ago

Hello @emblip , thank you for your interest in our work!

The Exor devices sound lovely to work with (not). That being said, we'd love to have a look at some of the binaries you are looking at and try to further expand the ICSREF device base. We welcome push requests to the samples directory in this repo, or just send an email to our addresses (you can find them on our NDSS paper).

I'm trying to understand what you mean by dynamically allocated memory layouts here. Do you mean that the binary has a structure that is unknown up until runtime? That seems unlikely. Are you referring to programs that make use of heap memory? If so, nothing (at least from a theoretical standpoint) prevents ICSREF from analyzing the static parts of the binary even in this case. That being said, ICSREF is a static analysis framework; if you are interested in analyzing the contents of such dynamic memories, you need dynamic analysis.