williballenthin / siglib

function identification signatures
Apache License 2.0
11 stars, 1 fork

Remove sigs that are too general #6

Closed mr-tz closed 3 years ago

mr-tz commented 3 years ago

For example

FF25............................................................ 00 0000 0006 :0000 _BSTR_UserFree@8 ^0002 BSTR_UserFree 
FF25............................................................ 00 0000 0006 :0000 _BSTR_UserMarshal@12 ^0002 BSTR_UserMarshal 
...

pcf supports the -M## option to increase the min number of defined bytes.

Can we identify other patterns that likely will FP?

williballenthin commented 3 years ago

does the above FP often? this looks like a signature for a wrapper function, which requires the reference name to match, and that could be pretty complex.

williballenthin commented 3 years ago

good call on -M##, i hadn't read that closely yet.

mr-tz commented 3 years ago

hm yeah, I just thought intuitively, how useful can this be?

disassembles to a jmp: ff 25 00 00 00 00 jmp DWORD PTR ds:0x0

mr-tz commented 3 years ago

never mind, seems to be useful for recursive flirt matching
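As an added example (not code from siglib or pcf), the following parses .pat lines like the two quoted at the top of the issue and applies the "minimum defined bytes" idea behind pcf's -M##, while optionally keeping a signature whose ^offset name reference anchors it, which is the point raised about the FF25 wrapper. The field layout assumed is the standard FLIRT .pat one, and the sample lines are constructed.

```python
# Flag FLIRT .pat signatures with too few fixed bytes (the idea behind pcf's -M##).
# .pat line: <pattern> <crc_len> <crc16> <func_len> :<off> <name>... [^<off> <refname>...]
# <pattern> is up to 32 bytes as hex pairs; ".." marks a wildcarded (variable) byte.
from dataclasses import dataclass, field

@dataclass
class PatSig:
    pattern: str  # hex pairs, ".." for each wildcarded byte
    crc_len: int  # bytes after the pattern covered by crc16
    crc16: int
    func_len: int  # total function length in bytes
    names: list = field(default_factory=list)  # (offset, name) from ":off name"
    refs: list = field(default_factory=list)   # (offset, name) from "^off name"
    def defined_bytes(self) -> int:
        """Pattern bytes that must match exactly (not '..')."""
        return sum(1 for i in range(0, len(self.pattern), 2) if self.pattern[i:i + 2] != "..")

def parse_pat_line(line: str) -> PatSig:
    f = line.split()
    if len(f) < 6 or len(f[0]) % 2 or len(f[0]) > 64:
        raise ValueError(f"malformed .pat line: {line!r}")
    sig = PatSig(f[0].upper(), int(f[1], 16), int(f[2], 16), int(f[3], 16))
    i = 4
    while i + 1 < len(f) and f[i][:1] in (":", "^"):
        off = int(f[i][1:].rstrip("@"), 16)  # ":0000@" marks a local name
        (sig.names if f[i][0] == ":" else sig.refs).append((off, f[i + 1]))
        i += 2
    return sig

def too_general(sig: PatSig, min_defined: int, refs_anchor: bool = True) -> bool:
    """True when fewer than min_defined bytes are fixed. With refs_anchor, a signature that
    also requires a referenced name (^off name) is kept: for an FF25 import thunk
    (jmp dword ptr [imm32]) that reference is what still makes the match specific."""
    return sig.defined_bytes() < min_defined and not (refs_anchor and sig.refs)

def filter_pat(lines, min_defined: int, refs_anchor: bool = True):
    """Split .pat lines into (kept, dropped); skips blanks and the '---' terminator."""
    kept, dropped = [], []
    for line in lines:
        if line.strip() and not line.startswith("---"):
            (dropped if too_general(parse_pat_line(line), min_defined, refs_anchor) else kept).append(line)
    return kept, dropped

# Constructed sample lines modelled on the ones quoted in the issue (not a real .pat file).
SAMPLE = [
    "FF25" + "." * 60 + " 00 0000 0006 :0000 _BSTR_UserFree@8 ^0002 BSTR_UserFree",
    "FF25" + "." * 60 + " 00 0000 0006 :0000 _thunk_without_ref",
    "558BEC83EC1C56578B7D08" + "." * 42 + " 0A 1234 0040 :0000 _example_func ^0010 _helper",
]
```

With `min_defined=4` the first FF25 line survives only because of its `^0002 BSTR_UserFree` reference; pass `refs_anchor=False` to get the pure byte-count behaviour of -M04.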