
Add nzxor characteristic in BinExport extractor. #2073

Merged
merged 4 commits into from
May 28, 2024

Conversation

larchchen
Contributor

by referencing vivisect implementation.

Checklist

  • No CHANGELOG update needed
  • No new tests needed
  • No documentation update needed

Comment on lines 359 to 360

    if instruction.address > last_addr - SECURITY_COOKIE_BYTES_DELTA:
        return True

Collaborator

This assumes that the last instruction, ordered by virtual address, will be the exit and the security cookie check is found nearby. While I think this probably mostly works in practice, I don't think it's robust. I'd suggest a more complete solution might be: find all terminal basic blocks (no successors) in the function flow graph and consider each of those a potential exit block.

It may also be worth pre-computing the instruction indices that fall within these ranges, since a function may have hundreds or thousands of instructions, and this routine might get invoked a lot. On the other hand, I think this is only invoked once the mnemonic and operands are checked, so maybe it's not a problem in practice.
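The two heuristics discussed in this review thread, side by side, as an added example that is not capa's or BinExport's own code: the PR's "window before the highest instruction address" check versus the reviewer's suggestion of treating every terminal basic block (no successors) as a potential exit and precomputing the cookie-check ranges once per function. The `Instruction`, `BasicBlock` and `Function` classes, the constant value `SECURITY_COOKIE_BYTES_DELTA = 0x20` and the sample function are all constructed stand-ins for illustration, not the real BinExport data model or capa's actual constant. The sample deliberately has an early-return block whose cookie check is far from the function's last address, which the terminal-block approach excludes but the last-address approach does not.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical window size; capa's real constant may differ.
SECURITY_COOKIE_BYTES_DELTA = 0x20


@dataclass(frozen=True)
class Instruction:
    address: int
    mnemonic: str
    operands: Tuple[str, ...]


@dataclass
class BasicBlock:
    start: int
    end: int  # address one past the block's last byte
    successors: Set[int] = field(default_factory=set)


@dataclass
class Function:
    entry: int
    blocks: Dict[int, BasicBlock]  # keyed by block start address
    instructions: List[Instruction]


def is_nzxor(insn: Instruction) -> bool:
    """True for an XOR whose source operands differ, i.e. not the zeroing idiom.
    Handles the x86 two-operand form (xor dst, src) and the ARM three-operand
    form (eor dst, a, b)."""
    if insn.mnemonic.lower() not in {"xor", "eor", "pxor", "xorps", "xorpd"}:
        return False
    ops = insn.operands
    if len(ops) == 2:
        return ops[0] != ops[1]
    if len(ops) == 3:
        return ops[1] != ops[2]
    return False


def cookie_check_ranges(fn: Function) -> List[Tuple[int, int]]:
    """Precompute, once per function, the address ranges where a stack-cookie
    XOR is expected: the prologue window after the entry and the window at the
    end of every terminal basic block (reviewer's suggestion)."""
    ranges = [(fn.entry, fn.entry + SECURITY_COOKIE_BYTES_DELTA)]
    for bb in fn.blocks.values():
        if not bb.successors:  # no outgoing edges: a potential exit block
            ranges.append((max(bb.start, bb.end - SECURITY_COOKIE_BYTES_DELTA), bb.end))
    return ranges


def in_ranges(addr: int, ranges: List[Tuple[int, int]]) -> bool:
    return any(lo <= addr < hi for lo, hi in ranges)


def is_cookie_check_last_addr(fn: Function, insn: Instruction) -> bool:
    """The heuristic under review: prologue window plus a window before the
    highest instruction address in the function."""
    if insn.address < fn.entry + SECURITY_COOKIE_BYTES_DELTA:
        return True
    last_addr = max(i.address for i in fn.instructions)
    return insn.address > last_addr - SECURITY_COOKIE_BYTES_DELTA


def extract_nzxor(fn: Function, use_terminal_blocks: bool = True) -> List[int]:
    """Addresses of nzxor instructions, with likely stack-cookie checks removed."""
    ranges: Optional[List[Tuple[int, int]]] = cookie_check_ranges(fn) if use_terminal_blocks else None
    found = []
    for insn in fn.instructions:
        if not is_nzxor(insn):  # cheap mnemonic/operand test runs first
            continue
        if use_terminal_blocks:
            if in_ranges(insn.address, ranges):
                continue
        elif is_cookie_check_last_addr(fn, insn):
            continue
        found.append(insn.address)
    return found


# Constructed sample: MSVC-style /GS prologue, one genuine nzxor, an early-return
# exit block with its own cookie check, and the main exit block.
SAMPLE_FUNCTION = Function(
    entry=0x1000,
    blocks={
        0x1000: BasicBlock(0x1000, 0x1020, {0x1020}),
        0x1020: BasicBlock(0x1020, 0x1050, {0x1050, 0x1070}),
        0x1050: BasicBlock(0x1050, 0x1070),  # early return (terminal)
        0x1070: BasicBlock(0x1070, 0x1090, {0x1090}),
        0x1090: BasicBlock(0x1090, 0x10B0),  # main exit (terminal)
    },
    instructions=[
        Instruction(0x1000, "mov", ("rax", "[__security_cookie]")),
        Instruction(0x1007, "xor", ("rax", "rsp")),  # prologue cookie xor
        Instruction(0x100B, "mov", ("[rsp+0x58]", "rax")),
        Instruction(0x1024, "xor", ("ecx", "ecx")),  # zeroing idiom, not nzxor
        Instruction(0x1030, "xor", ("edx", "0x5a")),  # genuine nzxor
        Instruction(0x1040, "test", ("eax", "eax")),
        Instruction(0x1042, "jz", ("0x1070",)),
        Instruction(0x1050, "mov", ("rcx", "[rsp+0x58]")),
        Instruction(0x1058, "xor", ("rcx", "rsp")),  # cookie check, early exit
        Instruction(0x105B, "call", ("__security_check_cookie",)),
        Instruction(0x1068, "ret", ()),
        Instruction(0x1070, "add", ("eax", "1")),
        Instruction(0x1090, "mov", ("rcx", "[rsp+0x58]")),
        Instruction(0x1098, "xor", ("rcx", "rsp")),  # cookie check, main exit
        Instruction(0x109B, "call", ("__security_check_cookie",)),
        Instruction(0x10AC, "ret", ()),
    ],
)

if __name__ == "__main__":
    print("terminal blocks:", [hex(a) for a in extract_nzxor(SAMPLE_FUNCTION)])
    print("last address:  ", [hex(a) for a in extract_nzxor(SAMPLE_FUNCTION, use_terminal_blocks=False)])
```

With this sample the terminal-block variant reports only `0x1030`, while the last-address variant also reports the early-exit cookie XOR at `0x1058` as an nzxor, which is the false positive the review comment is pointing at.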

@larchchen larchchen force-pushed the feat/1755 branch 2 times, most recently from e72d664 to d60e4bc May 8, 2024 14:22
@mr-tz
Collaborator

mr-tz commented May 10, 2024

Can you share a sample that contains EOR (and stack cookies) for testing?

@larchchen
Contributor Author

larchchen commented May 13, 2024

> Can you share a sample that contains EOR (and stack cookies) for testing?

After seeking some help, it is still quite difficult to get an example using EOR for stack cookie checks.
Most ARM/AArch64 binaries I have checked are using CMP then B.NE for stack checks. Some of them may use ITTTT.

Not sure if it is worth creating an Arm64X PE test file for this case.

@mr-tz
Collaborator

mr-tz commented May 13, 2024

That's good information. We don't need to do that check then for the respective binaries. Do you have an AArch64 sample that should match nzxor?

@larchchen
Contributor Author

sample d1e6506964edbfffb08c0dd32e1486b11fbced7a4bd870ffe79f110298f0efb8 would do.


@mr-tz mr-tz requested a review from mike-hunhoff May 28, 2024 14:11
by referencing vivisect implementation.
@mr-tz mr-tz merged commit 3ed0075 into mandiant:feat/1755 May 28, 2024
6 of 15 checks passed
@mr-tz
Collaborator

mr-tz commented May 28, 2024

thanks!

@larchchen larchchen deleted the feat/1755 branch May 28, 2024 15:18