sibears / idagolanghelper Goto Github PK

View Code? Open in Web Editor NEW

989.0 989.0 151.0 27 KB

Set of IDA Pro scripts for parsing GoLang types information stored in compiled binary

Python 100.00%

ida

idagolanghelper's People

Contributors

Stargazers

Watchers

Forkers

x3sphiorx akpotter knooow explife0011 crackercat sigma-random zjgcjy albus12138 wgwjifeng blacktrace gavz idkwim tiancheng-luo dnhdang94 obaby nevinhappy piowind voraka beaquant kernullist cnsheds snyiu100 supertanglang zaza6677 fzxcp3 foolzzz johndoex1 modulexcite mostobriv gitmesam unixfreaxjp peterzzx alwayslovestudy ruthless2012 arryboom pkthammer lanzsec prowes5 haorenshazina bigric3 hailongeric xfbird qq431169079 freemanzyq backwardn svieg wbaby avgirl zack7wong xgreat clem1 xdnice li4n0 pxx199181 firehak ohyeah521 minhtranca alifeline zaddach jm33-m0 peta909 driest tronegacy marsmanchina trietptm-on-coding-algorithms huluxia happysky2046 beyondcy 0xricksanchez keesoulken y1024 evilares uncia wxsbsd ohc192 silascutler mewbak kernweak alexander-hanel shuixi2013 zu1kbackup reposities pombredanne ith4cker hasiblatif lvrongnan wanqinggit aplus123 ssst0n3 poemoriarty hasherezade org-mars dylanyang17 anttutu ls306056885 c4h2o4 froyorab xforsecw12lab clayne hatchetxuexi

idagolanghelper's Issues

IDA Pro7.5 && Python3 not working

I tried to modify the code in Gopclntab.py

before
def rename(beg, ptr, make_funcs = True):
....
name = idc.get_strlit_contents(base + name_offset)
name = Utils.relaxName(name)
Utils.rename(func_addr, name)

after
def rename(beg, ptr, make_funcs = True):
.....
name = idc.get_strlit_contents(base + name_offset)
name = name.decode("utf-8")
name = Utils.relaxName(name)
Utils.rename(func_addr, name)

Possible don't need auto create all types

There are REALLY many different types exists in average binary. Maybe will be more efficient give a list of types for choosing which types needs to be added to IDA

Broken in 7.4

Hey! Just as a heads up, this plugin needs refactoring in IDA7.4. Basically renaming a variety of ida APIs since they shut off the 6.95 compatibility:
(reference: https://www.hex-rays.com/products/ida/support/ida74_idapython_no_bc695_porting_guide.shtml)

Error finding LineTable in some binaries

When examining the NotRobin binaries from a FireEye report, the script can't find FB FF FF FF 00 00 and fails due to Gopclntab.findGoPcLn() returning an invalid offset. This function became even more troublesome after updating API calls due to ida_search.find_binary() requiring a start and end offset for the search.

I've made an update that I'll try to push soon that works in every Go binary I've tested so far. Some binaries in the report were also go 1.13.x, so I updated the string search as well. If it's acceptable, below is a quick snippet of my solution for the LineTable search:

end_ea = idc.get_segm_end(0)
possible_loc = ida_search.find_binary(0, end_ea, lookup, 16, idc.SEARCH_DOWN)

EDIT: I hope "LineTable" was the correct term? I'm not familiar with Go and found the term in their source here.

How to install this plugin on IDA ?

I copied all the files under C:\Program Files (x86)\IDA 6.95\plugins and open IDA but I don't see the plugin.
Is there other way to install it ?

Exceptions when run against MIPS64 binaries

The script has some issues when run against MIPS64 Go binaries:

Trying to determine the Go version from module data:

Traceback (most recent call last):
  File "_ctypes/callbacks.c", line 315, in 'calling callback function'
  File "C:\Program Files\IDA 7.1\python\ida_kernwin.py", line 5840, in helper_cb
    r = self.handler(button_code)
  File "//vmware-host/Shared Folders/vm/IDAGolangHelper-master/go_entry.py", line 51, in OnButton1
    GO_SETTINGS.findModuleData()
  File "//vmware-host/Shared Folders/vm/IDAGolangHelper-master\GO_Utils\__init__.py", line 37, in findModuleData
    fmd = Firstmoduledata.findFirstModuleData(gopcln_addr, self.bt_obj)
  File "//vmware-host/Shared Folders/vm/IDAGolangHelper-master\GO_Utils\Firstmoduledata.py", line 8, in findFirstModuleData
    possible_addr = idautils.XrefsTo(addr).next().frm
  File "C:\Program Files\IDA 7.1\python\idautils.py", line 188, in XrefsTo
    if xref.first_to(ea, flags):
  File "C:\Program Files\IDA 7.1\python\ida_xref.py", line 319, in first_to
    return _ida_xref.xrefblk_t_first_to(self, *args)
TypeError: Expected an ea_t type

Trying to rename functions:

Traceback (most recent call last):
  File "_ctypes/callbacks.c", line 315, in 'calling callback function'
  File "C:\Program Files\IDA 7.1\python\ida_kernwin.py", line 5840, in helper_cb
    r = self.handler(button_code)
  File "//vmware-host/Shared Folders/vm/IDAGolangHelper-master/go_entry.py", line 56, in OnButton3
    GO_SETTINGS.renameFunctions()
  File "//vmware-host/Shared Folders/vm/IDAGolangHelper-master\GO_Utils\__init__.py", line 52, in renameFunctions
    Gopclntab.rename(gopcln_tab, self.bt_obj)
  File "//vmware-host/Shared Folders/vm/IDAGolangHelper-master\GO_Utils\Gopclntab.py", line 30, in rename
    pos = beg + 8 #skip header
TypeError: unsupported operand type(s) for +: 'NoneType' and 'int'

Error in recreating structures if interface is used as field

Creating interfaces was not very tested, so in go1.10 compiler was found such type:

ast_Object{
Kind ast_Kind;
name string;
Decl interface{};
Data interface{};
Type interface{};
}

this type is failing during creation

ida7.7 and python3.8：i got unsupported operand type(s) for +: 'NoneType' and 'int' in Gopclntab.py, line 64， anyone knows why,Please

Mark non-returning Go runtime functions

Feature request:

For Go runtime functions that don't return (Ex: panic) it looks like the compiler inserts an illegal instruction after the call as a sanity checking mechanism in case the function did return. This stackexchange post has more details:

https://reverseengineering.stackexchange.com/questions/17665/undefined-instruction-in-go-binary-compiled-for-arm

In the case of ARM binaries, these instructions cause function creation in IDA Pro to fail with the following error message: The function has undefined instruction/data at the specified address. (and the address referenced is that of the 0xF7FABCFD instruction.)

Talking with IDA Pro support, the solution is to mark the non-returning function as such in IDA. IDA will stop looking for instructions after this function call, and function creation will succeed.

I'm not sure of the best way to implement this, but one approach would be to search for the undefined instruction for each architecture, look for a function call right above that, and mark that function as non-returning (maybe with some sanity checks.) I'll aim to implement this approach when I have a chance, and will submit a pull request once finished.

AttributeError: 'module' object has no attribute 'inf_get_min_ea'

I've tried many versions of ida pro, but I still can't import the script.
Here is the error message.：
\go_entry.py: 'module' object has no attribute 'inf_get_min_ea'
Traceback (most recent call last):
File "C:\Program Files\IDA 7.2\python\ida_idaapi.py", line 572, in IDAPython_ExecScript
execfile(script, g)
File "/go_entry.py", line 15, in
GO_SETTINGS = GO_Utils.GoSettings()
File "\GO_Utils_init_.py", line 16, in init
self.bt_obj = Utils.get_bitness(ida_ida.inf_get_min_ea())
AttributeError: 'module' object has no attribute 'inf_get_min_ea'

Go 1.7+ string

Need to add some UI-based way to call https://gitlab.com/zaytsevgu/goutils/blob/master/go17_string.py this code

Update for Python 3

Python 2 has officially hit end of life status and IDA has begun offering the user a choice between Python 2 or Python 3 with new IDA installations. Eventually this will default to Python 3. Is there any interest in updating the project for Python 3 if someone were to get it started or working?

File "Z:/tools/reverse/ida/IDAGolangHelper\GO_Utils\Utils.py", line 30, in relaxName
    name = name.replace('.', '_').replace("<-", '_chan_left_').replace('*', '_ptr_').replace('-', '_').replace(';','').replace('"', '').replace('\\', '')
TypeError: a bytes-like object is required, not 'str's