wpeace-hch / sysnr-funcfinder Goto Github PK

View Code? Open in Web Editor NEW

235.0 15.0 35.0 1.86 MB

A plugin for IDA that renames functions by system call numbers.

Python 100.00%

binary-analysis elf ida ida-plugin malware-analysis

sysnr-funcfinder's Introduction

SysNR-FuncFinder

A plugin for IDA that renames functions by system call numbers.

Update History

Version	Date	Supported Arch	Comment
1.0	2022-11-30	AMD x86-64 architecture、Intel 80386、MIPS I Architecture、Advanced RISC Machines ARM
1.1	2022-12-01	AMD x86-64 architecture、Intel 80386、MIPS I Architecture、Advanced RISC Machines ARM	Fix bug for IDA API version.
1.3	2022-12-27	ARM32 for EABI、AMD x86-64 architecture、Intel 80386、MIPS I Architecture、Advanced RISC Machines ARM	Add support for EABI ARM32 and Bug fixes.
1.5	2023-02-10	ARM32 for EABI、AMD x86-64 architecture、Intel 80386、MIPS I Architecture、Advanced RISC Machines ARM	Support finding main function for all architecture.
1.6	2023-02-14	ARM32 for EABI、AMD x86-64 architecture、Intel 80386、MIPS I Architecture、Advanced RISC Machines ARM	Fix bugs when finding main function.
1.7	2023-03-22	ARM32 for EABI、AMD x86-64 architecture、Intel 80386、MIPS I Architecture、Advanced RISC Machines ARM	Fix a bug and change some details. (You need to delete old `SysNR-FuncFinder_WPeace.py` because the py-name have changed)
2.0	2023-04-07	ARM32 for EABI、AMD x86-64 architecture、Intel 80386、MIPS I Architecture、Advanced RISC Machines ARM、PowerPC32	- Add support for PowerPC32 and support finding main function for PowerPC32. - Add support for Indirect-call MIPS.
2.1	2023-04-14	ARM32 for EABI、AMD x86-64 architecture、Intel 80386、MIPS I Architecture、Advanced RISC Machines ARM、PowerPC32	Fix a bug in MIPS support.
2.3	2023-07-05	ARM32 for EABI、AMD x86-64 architecture、Intel 80386、MIPS I Architecture、Advanced RISC Machines ARM、PowerPC32	- Fix the bug of overflow in some cases under x64 architecture. - Enhance the search for the main function of the x64 architecture.
2.4	2023-08-31	ARM32 for EABI、AMD x86-64 architecture、Intel 80386、MIPS I Architecture、Advanced RISC Machines ARM、PowerPC32	Added some function identification under the ARM architecture.
2.5	2023-09-20	ARM32 for EABI、AMD x86-64 architecture、Intel 80386、MIPS I Architecture、Advanced RISC Machines ARM、PowerPC32	Fix a bug when finding main function under the MIPS architecture.

Background

In my daily analysis, many ELF files are stripped, in this condition IDA won't provide any function name, when this happens, analyzing the sample becomes difficult. So I write a plugin that can rename functions by system call numbers.

Install

Just copy the file SysNR-FuncFinder.py and the folder LffPlugDir_WPeace to IDA Plugins folder, then restart IDA Pro to use SysNR-FuncFinder.
NOTE: You need python3 and IDA >= 7.4.

Usage

Edit $\Rightarrow$ WPeace_Plugins $\Rightarrow$ SysNR-FuncFinder
(Or hotkey = "Ctrl-Alt-F")

Example

Contact

You can leave a message for any questions.

sysnr-funcfinder's People

Contributors

Stargazers

Watchers

sysnr-funcfinder's Issues

2.1 版本分析mips错误

SysNR-FuncFinder v2.1 start running...
_WPe_mmap
_WPe_clone
Traceback (most recent call last):
  File "C:/Users/IDA/Desktop/IDA_Pro_7.7/plugins/SysNR-FuncFinder.py", line 142, in activate
    self.plugin.patcher()
  File "C:/Users/IDA/Desktop/IDA_Pro_7.7/plugins/SysNR-FuncFinder.py", line 60, in patcher
    LinuxFuncFinder_Mips32.main()
  File "C:\Users\IDA\Desktop\IDA_Pro_7.7\plugins\LffPlugDir_WPeace\LinuxFuncFinder_Mips32.py", line 577, in main
    ReName_DirectCall()
  File "C:\Users\IDA\Desktop\IDA_Pro_7.7\plugins\LffPlugDir_WPeace\LinuxFuncFinder_Mips32.py", line 457, in ReName_DirectCall
    callNumber = int(opString, 16)
ValueError: invalid literal for int() with base 16: '40+var_24($sp)'

V2.5_X86_ValueError 奇怪的错误

433:
CallNumber = int(opString, 16)
ValueError: invalid literal for int() with base 16: ' offset sub_8099200'

不能正常使用

_启动插件后没有错误但是也没有正常工作，logr如下。
log

SysNR-FuncFinder v2.3 start running...

Error：请确认调用规则是否正确

DEMO.zip
1.可否支持一下arm64?
2.我认为此处匹配不严谨op = re.findall('(?<=0x9).*$', op);，建议匹配到SVC后通过IDAAPI遍历汇编上下文处理
3.有部分混淆的so，ida无法识别成函数，使用函数遍历的方式可能会错过某些SVC，希望考虑以下场景。

Got the error of "list index out of range"

Hi, thank u for this plugin, when i tried it, i got an error,
SysNR-FuncFinder v1.5 start running...
LinuxFuncFinder_x64 finished！总共重命名0个函数
Traceback (most recent call last):
File "D:/IDA_Pro_7.7/plugins/SysNR-FuncFinder_WPeace.py", line 138, in activate
self.plugin.patcher()
File "D:/IDA_Pro_7.7/plugins/SysNR-FuncFinder_WPeace.py", line 53, in patcher
LinuxFuncFinder_x64.main()
File "D:\IDA_Pro_7.7\plugins\LffPlugDir_WPeace\LinuxFuncFinder_x64.py", line 396, in main
RenameStartFunc()
File "D:\IDA_Pro_7.7\plugins\LffPlugDir_WPeace\LinuxFuncFinder_x64.py", line 387, in RenameStartFunc
GetMainFunc(func)
File "D:\IDA_Pro_7.7\plugins\LffPlugDir_WPeace\LinuxFuncFinder_x64.py", line 378, in GetMainFunc
mainAddr = int(mainOP.split("sub_")[1], 16)
IndexError: list index out of range

当前插件仅支持EXEC可执行ELF文件。

报错：
SysNR-FuncFinder v2.2 start running...
当前插件仅支持EXEC可执行ELF文件。

不知道为什么，我手上的ELF文件全都是这样，就算修改后缀名为ELF也不能使用插件
不清楚是BUG还是我的操作问题，因为我看issue里面只有我是这样的

MIPS 32位系统调用号恢复错误。

syscall 4142 程序恢复为：newselect，实际应该为pipe
参考地址：https://syscalls.w3challs.com/?arch=mips_o32