sibears / IDAGolangHelper

Set of IDA Pro scripts for parsing GoLang types information stored in compiled binary

Exceptions when run against MIPS64 binaries #7

Open recvfrom opened 6 years ago

recvfrom commented 6 years ago

The script has some issues when run against MIPS64 Go binaries:

Trying to determine the Go version from module data:

Traceback (most recent call last):
  File "_ctypes/callbacks.c", line 315, in 'calling callback function'
  File "C:\Program Files\IDA 7.1\python\ida_kernwin.py", line 5840, in helper_cb
    r = self.handler(button_code)
  File "//vmware-host/Shared Folders/vm/IDAGolangHelper-master/go_entry.py", line 51, in OnButton1
    GO_SETTINGS.findModuleData()
  File "//vmware-host/Shared Folders/vm/IDAGolangHelper-master\GO_Utils\__init__.py", line 37, in findModuleData
    fmd = Firstmoduledata.findFirstModuleData(gopcln_addr, self.bt_obj)
  File "//vmware-host/Shared Folders/vm/IDAGolangHelper-master\GO_Utils\Firstmoduledata.py", line 8, in findFirstModuleData
    possible_addr = idautils.XrefsTo(addr).next().frm
  File "C:\Program Files\IDA 7.1\python\idautils.py", line 188, in XrefsTo
    if xref.first_to(ea, flags):
  File "C:\Program Files\IDA 7.1\python\ida_xref.py", line 319, in first_to
    return _ida_xref.xrefblk_t_first_to(self, *args)
TypeError: Expected an ea_t type

Trying to rename functions:

Traceback (most recent call last):
  File "_ctypes/callbacks.c", line 315, in 'calling callback function'
  File "C:\Program Files\IDA 7.1\python\ida_kernwin.py", line 5840, in helper_cb
    r = self.handler(button_code)
  File "//vmware-host/Shared Folders/vm/IDAGolangHelper-master/go_entry.py", line 56, in OnButton3
    GO_SETTINGS.renameFunctions()
  File "//vmware-host/Shared Folders/vm/IDAGolangHelper-master\GO_Utils\__init__.py", line 52, in renameFunctions
    Gopclntab.rename(gopcln_tab, self.bt_obj)
  File "//vmware-host/Shared Folders/vm/IDAGolangHelper-master\GO_Utils\Gopclntab.py", line 30, in rename
    pos = beg + 8 #skip header
TypeError: unsupported operand type(s) for +: 'NoneType' and 'int'

grokeus commented 6 years ago

I guess the problem is because of endianness: when I search for gopclntab I try to locate "fb ff ff ff ...", when in MIPS64 this should actually be "ff ff ff fb". I'll fix it tomorrow, I hope.
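
An added example, not code from the IDAGolangHelper repository or from this thread, of the endianness-aware gopclntab search described above. It runs on a raw byte buffer instead of the IDA database, validates the header's pad, quantum and ptrsize fields before accepting a magic hit, and returns None when nothing is found so a caller can stop instead of failing later on `beg + 8` as in the second traceback. The layout constants follow the Go 1.2 pclntab header; the sample buffers are constructed here.

```python
import struct

# Go 1.2 pclntab header (runtime/symtab.go): 4-byte magic 0xFFFFFFFB,
# two zero pad bytes, one byte minimum instruction size (quantum),
# one byte pointer size, then a pointer-sized function count (nfunctab).
# Later Go releases changed the magic; this example covers the layout
# the thread discusses.
PCLNTAB_MAGIC = 0xFFFFFFFB
HEADER_LEN = 8


def find_pclntab(data):
    """Return (offset, endian, quantum, ptrsize) of the first plausible
    pclntab header in `data`, or None.

    Both byte orders are tried, so a big-endian MIPS64 binary
    ("ff ff ff fb") is found as well as an x86/ARM one ("fb ff ff ff").
    A stray occurrence of the magic bytes is rejected unless the pad is
    zero and quantum/ptrsize hold values Go actually emits.
    """
    for endian in ("<", ">"):
        magic = struct.pack(endian + "I", PCLNTAB_MAGIC)
        pos = data.find(magic)
        while pos != -1:
            if pos + HEADER_LEN <= len(data):
                pad, quantum, ptrsize = struct.unpack_from(endian + "HBB", data, pos + 4)
                if pad == 0 and quantum in (1, 2, 4) and ptrsize in (4, 8):
                    return pos, endian, quantum, ptrsize
            pos = data.find(magic, pos + 1)
    return None


def read_nfunctab(data, hdr):
    """Read the function count that follows the 8-byte header, using the
    detected byte order and pointer size."""
    off, endian, _, ptrsize = hdr
    fmt = endian + ("Q" if ptrsize == 8 else "I")
    return struct.unpack_from(fmt, data, off + HEADER_LEN)[0]


def build_sample(endian, quantum, ptrsize, nfunc):
    """Constructed test input: padding, a decoy 'fb ff ff ff' with a
    non-zero pad (must be rejected), filler, then a real header + count."""
    decoy = b"\xfb\xff\xff\xff\x01\x00\x01\x08"
    header = struct.pack(endian + "IHBB", PCLNTAB_MAGIC, 0, quantum, ptrsize)
    count = struct.pack(endian + ("Q" if ptrsize == 8 else "I"), nfunc)
    return b"\x00" * 8 + decoy + b"junk" + header + count + b"\x00" * 8
```

Feeding the same search the bytes of a MIPS64 sample would return endian ">" and quantum 4, which is what the original little-endian-only pattern missed.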

grokeus commented 6 years ago

Seems to be working now on my hello-world sample binary. Will run some tests on more binaries later.

recvfrom commented 6 years ago

Here's the binary I was analyzing (if you create an account you should be able to download the sample):

https://detux.org/report.php?sha256=9d6809571bec7429098bcb7ca0b12f8cb094d9079c6765b10a9c90b881ee9d37

BTW, your scripts were a big help in analyzing this malware! Thank you! https://blog.talosintelligence.com/2018/03/goscanssh-analysis.html

grokeus commented 6 years ago

Yes, now the script is able to reconstruct function names in that binary, but it fails to find moduledata because IDA analysis doesn't find an xref to gopclntab, so structure recreation won't work until I manually find the moduledata location (0x43bf00) and make the ptr by hand. I will add some additional logic for searching for that ptr.

That's cool! Initially I started to create these scripts while doing analysis of Linux Golang malware like Linux.rex or Linux.lady. Glad to see that it now helps not only me ;)