synacktiv / bip

BSD 3-Clause "New" or "Revised" License

IDA causes an internal error after running an IDAPython script including the Bip plugin #18

Closed y0ny0ns0n closed 3 years ago

y0ny0ns0n commented 3 years ago

IDA continuously causes an internal error after running the following pattern of IDAPython script:

from idautils import *
from idaapi import *
from idc import *
from bip.base import *
from bip.hexrays import *
import os
import re

cnt = 0
for segea in Segments():
    for funcea in Functions(segea, get_segm_end(segea)):
        cnt += 1
        if cnt % 1000 == 0:
            print("[+] search %d functions..." % cnt)

        # only decompilable functions that nobody calls
        f = BipFunction(funcea)
        if not f.can_decompile or len(f.callers) != 0:
            continue

        hf = f.hxcfunc      # decompile (or fetch cached pseudocode)
        cstr = hf.cstr      # pseudocode as a string
        args = hf.args      # function arguments
        # ...
        # doing some hack (ex: vuln pattern search using regex...)


I usually deal with BIG binaries containing over 20000~ functions (ex: vmware-vmx.exe, win32kbase.sys, hvix64.exe...). I can't find the root cause of this because no error window pops up and there is no message in the Output window except the following:

.....
XXXXXX: restored microcode from idb
XXXXXX: restored pseudocode from idb
.....

IDA version: 7.5.201028 Windows x64 (64-bit address size) Bip Version: v1.0

BrunoPujos commented 3 years ago

Hello,

Thank you for reporting this.

The snippet of code you provided should work fine and not create any error; it basically just decompiles all the functions in the binary. The size of the binary should not have any impact on it. I just tested your snippet of code on win32kbase.sys and had no problem with it. The warning pop-up is not made by Bip but is produced by IDA; this is the generic error message it produces in a lot of cases when something goes wrong in its internals.

The content of the output window, restored microcode from idb and restored pseudocode from idb, are just internal logs by IDA indicating it has fetched the data used by the decompiler from the IDB and not re-analyzed them. This is standard behavior and is probably not related to the problem you got.

You can try to create a new IDB for a binary triggering your error and relaunch your script: if the problem is due to a corruption of the IDB it will not produce a new error. However, I have my doubts this is the problem.

I understand you do not want to share the code for the "doing some hack" part, but without it or without a reliable way to reproduce that behavior there is not a lot I can do to help you :/ If you can pinpoint the problem more precisely I may be able to help; however, if the problem is in IDA itself it should be reported to Hex-Rays.
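One way to pinpoint which function triggers the failure, as an added example that is neither the reporter's script nor Bip's own code: write each function's address to a log and flush it before every decompile attempt, so the last logged line names the culprit even if IDA aborts the whole process, and collect Python-level exceptions instead of stopping the loop. `decompile_all` and `run_in_ida` are hypothetical names; the Bip attributes used (`can_decompile`, `callers`, `hxcfunc.cstr`) are the ones from the script above.

```python
import sys


def decompile_all(funcs, decompile, log=sys.stderr):
    """Decompile every function in `funcs`, logging the address of the
    function *before* each attempt so that, if IDA dies with an internal
    error, the last line in `log` identifies the function being processed.

    funcs     : iterable of (ea, func_object) pairs
    decompile : callable(func_object) -> result, may raise
    Returns (results, failures): results maps ea -> decompiler output,
    failures maps ea -> "ExceptionType: message".
    """
    results, failures = {}, {}
    for ea, f in funcs:
        log.write("decompiling 0x%x\n" % ea)
        log.flush()  # flush so the line survives a hard crash of IDA
        try:
            results[ea] = decompile(f)
        except Exception as e:  # keep going; record which function failed
            failures[ea] = "%s: %s" % (type(e).__name__, e)
    return results, failures


def run_in_ida(log_path="bip_decompile.log"):
    """Hypothetical wrapper wiring decompile_all to the Bip API.
    Only runs inside IDA; the imports are not available offline."""
    from idautils import Segments, Functions
    from idc import get_segm_end
    from bip.base import BipFunction

    def targets():
        for segea in Segments():
            for funcea in Functions(segea, get_segm_end(segea)):
                f = BipFunction(funcea)
                # same filter as the reporter's script: decompilable, no callers
                if f.can_decompile and not f.callers:
                    yield funcea, f

    with open(log_path, "w") as log:
        return decompile_all(targets(), lambda f: f.hxcfunc.cstr, log)
```

After a crash, the last `decompiling 0x...` line in the log file is the function to inspect in isolation (or to report to Hex-Rays with a fresh IDB).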

y0ny0ns0n commented 3 years ago

Ok. I will run more test cases to figure out the reason. Thx for the quick response :)

y0ny0ns0n commented 3 years ago

I checked it. It's just a problem with a specific IDB, not a problem with the Bip plugin. Sorry for bothering.