
Annotate API calls via wrapper/thunk functions #62

Open
confile opened this issue Oct 3, 2018 · 13 comments

Comments

@confile

confile commented Oct 3, 2018

I tried to run the MSDN Annotations plugin but it turns out that it does not work well with IDA 7.1 Pro.
It creates a Segment .msdn with content but it does not change the Symbols as expected.

[screenshot attachment: malware-windows_10_pro_x64]

@mr-tz
Contributor

mr-tz commented Oct 3, 2018

Does it fail to annotate all calls or just this one?
It appears that the plugin fails to identify the function call. Is there a cross-reference from the import table to the CreateFileA call?

@confile
Author

confile commented Oct 3, 2018

It fails to annotate everything. But, I can see the additional segment called .msdn.

Is there a cross-reference from the import table to the CreateFileA call?

What do you mean by that?

I attached the files I checked.
reverseMe.exe.zip

@confile
Author

confile commented Oct 4, 2018

Here is the IDA output I get

[screenshot attachment: malware-windows_10_pro_x64]

@confile
Author

confile commented Oct 4, 2018

@mr-tz Do you have any idea how to solve this?

@mr-tz
Contributor

mr-tz commented Oct 4, 2018

The sample calls the functions from the import address table via an intermediate thunk function. For example the call to CreateFileA is made via the function at offset 0x401283. The plugin does not currently support the annotation of function arguments for such calls.

@confile
Author

confile commented Oct 5, 2018

Could you please add this to the plugin?

@mr-tz changed the title from "MSDN Annotations not working with IDA 7.1" to "Annotate API calls via wrapper/thunk functions" on Oct 5, 2018
@mr-tz
Contributor

mr-tz commented Oct 5, 2018

It shouldn't be too hard to add this feature, but I cannot promise a solution soon. We will keep this issue open to track it.

@confile
Author

confile commented Oct 6, 2018

@mr-tz Could you give me some hint where to start, then I will try to add it and push a change?

@mr-tz
Contributor

mr-tz commented Oct 8, 2018

Thanks, that would be great! One solution would be to add the respective call offsets to the library_calls dictionary.

@confile
Author

confile commented Oct 9, 2018

Well, then you have to give some more details on what to do.

@williballenthin
Contributor

you need to update the implementation of the get_imports function called here: https://github.com/fireeye/flare-ida/blob/master/python/flare/IDB_MSDN_Annotator/__init__.py#L527

you should enumerate functions and detect when they are thunks to other imports, mark them as such, and find a way to update the library_calls dictionary, as @mr-tz suggested. if you have trouble following the information flow, try adding some calls to logging.debug(…) so you can see the data formats.

@confile
Author

confile commented Oct 13, 2018

Any more hint which APIs are relevant here?

@mr-tz
Contributor

mr-tz commented Oct 16, 2018

I would probably look at the following functions first:

  • idc.get_func_flags() using idc.FUNC_THUNK
  • idc.get_func_name()
  • idautils.Functions() might help as well
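The approach sketched in the comments above (enumerate functions, pick out the ones flagged FUNC_THUNK, follow each to the import it forwards to, then record the thunk's call sites) as an added, self-contained example. This is not flare-ida's own code and it does not reproduce the plugin's data structures: it assumes library_calls maps a call-site address to the imported API name, and it isolates every IDAPython call in a small IdaBackend adapter so that a constructed FakeBackend (made-up addresses modelled on the 0x401283 thunk mentioned in the thread) can run the same logic offline. The IdaBackend method bodies are this example's assumptions about the IDA 7.x API, not something taken from the plugin.

```python
# Added example: resolve FUNC_THUNK functions to the import they jump to and
# collect their call sites in a {call_site_ea: api_name} dict (assumed shape
# of the plugin's library_calls). IDA access is confined to IdaBackend;
# FakeBackend replays a constructed mini-IDB so the logic runs without IDA.
import logging

log = logging.getLogger(__name__)

MAX_THUNK_DEPTH = 8  # stop following thunk-to-thunk chains after this many hops


def resolve_thunk(backend, ea, imports):
    """Follow a thunk's jump target until an IAT slot is reached.
    imports: {iat_slot_ea: api_name}. Returns the API name or None."""
    seen, cur = set(), ea
    for _ in range(MAX_THUNK_DEPTH):
        if cur in seen:
            log.debug("cycle in thunk chain at %#x", cur)
            return None
        seen.add(cur)
        # 'jmp ds:__imp_X' gives a data ref to the IAT slot; a direct
        # 'jmp other_thunk' gives a code ref instead (assumption about IDA xrefs).
        targets = list(backend.data_refs_from(cur)) or list(backend.code_refs_from(cur))
        if len(targets) != 1:
            log.debug("thunk %#x has %d targets, skipping", cur, len(targets))
            return None
        cur = targets[0]
        if cur in imports:
            return imports[cur]
        if not backend.is_thunk(cur):
            return None  # forwards to a local function, not an import
    return None


def resolve_thunks(backend):
    """Map thunk start address -> imported API name for every thunk function."""
    imports = backend.imports()
    resolved = {}
    for fea in backend.functions():
        if not backend.is_thunk(fea):
            continue
        name = resolve_thunk(backend, fea, imports)
        if name:
            log.debug("thunk %s @ %#x -> %s", backend.func_name(fea), fea, name)
            resolved[fea] = name
    return resolved


def thunk_call_sites(backend):
    """Build {call_site_ea: api_name} for calls that reach an import via a thunk.
    A thunk's own jmp to another thunk is not a call site and is skipped."""
    thunks = resolve_thunks(backend)
    library_calls = {}
    for thunk_ea, name in thunks.items():
        for caller in backend.code_refs_to(thunk_ea):
            if caller not in thunks:
                library_calls[caller] = name
    return library_calls


class IdaBackend:
    """Adapter over IDAPython 7.x (usable only inside IDA; calls are assumptions)."""
    def __init__(self):
        import idaapi, idautils, idc  # imported lazily so the module loads outside IDA
        self.idaapi, self.idautils, self.idc = idaapi, idautils, idc

    def functions(self):
        return self.idautils.Functions()

    def is_thunk(self, ea):
        flags = self.idc.get_func_flags(ea)
        return flags != -1 and bool(flags & self.idc.FUNC_THUNK)  # -1 means "not in a function"

    def func_name(self, ea):
        return self.idc.get_func_name(ea)

    def data_refs_from(self, ea):
        return self.idautils.DataRefsFrom(ea)

    def code_refs_from(self, ea):
        return self.idautils.CodeRefsFrom(ea, 0)

    def code_refs_to(self, ea):
        return self.idautils.CodeRefsTo(ea, 0)

    def imports(self):
        found = {}
        def cb(ea, name, ordinal):
            if name:
                found[ea] = name
            return True  # keep enumerating
        for i in range(self.idaapi.get_import_module_qty()):
            self.idaapi.enum_import_names(i, cb)
        return found


class FakeBackend:
    """Constructed mini-IDB (all addresses and names are made up for this example)."""
    FUNC_THUNK = 0x80  # assumption: value of idc.FUNC_THUNK

    def __init__(self):
        self._flags = {0x401000: 0, 0x401283: 0x80, 0x401290: 0x80, 0x4012A0: 0x80}
        self._names = {0x401000: "sub_401000", 0x401283: "CreateFileA",
                       0x401290: "j_CreateFileA", 0x4012A0: "j_sub_401000"}
        self._imports = {0x40A010: "CreateFileA", 0x40A014: "ReadFile"}
        self._drefs = {0x401283: [0x40A010]}                     # jmp ds:__imp_CreateFileA
        self._crefs_from = {0x401290: [0x401283], 0x4012A0: [0x401000]}
        self._crefs_to = {0x401283: [0x401050, 0x4010A0, 0x401290],
                          0x401290: [0x401120], 0x4012A0: [0x401150]}

    def functions(self):
        return sorted(self._flags)

    def is_thunk(self, ea):
        return bool(self._flags.get(ea, 0) & self.FUNC_THUNK)

    def func_name(self, ea):
        return self._names.get(ea, "sub_%X" % ea)

    def data_refs_from(self, ea):
        return self._drefs.get(ea, [])

    def code_refs_from(self, ea):
        return self._crefs_from.get(ea, [])

    def code_refs_to(self, ea):
        return self._crefs_to.get(ea, [])

    def imports(self):
        return dict(self._imports)


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    for ea, name in sorted(thunk_call_sites(FakeBackend()).items()):
        print("%#x -> %s" % (ea, name))
```

Inside IDA the same call is `thunk_call_sites(IdaBackend())`, and the result would be merged into library_calls before the annotation pass. Two details worth keeping: idc.get_func_flags() returns -1 for an address outside any function, and since -1 has every bit set a bare `& FUNC_THUNK` test would wrongly report it as a thunk; and a thunk that forwards to a local function (j_sub_401000 above) must not be treated as a library call, which is why the chain is only accepted when it ends on an IAT slot from the import table rather than on a name that merely looks like an API.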
