Nytro Posted March 13, 2019

Automating GHIDRA: Writing a Script to Find Banned Functions
by Michael Fowl | Mar 9, 2019 | AppSec, Exploit Development, Malware Analysis

At VDA Labs we get excited about Reverse Engineering tools, and the recent release of NSA’s GHIDRA does not disappoint. The fact that it is free, supports many different CPU architectures, contains decompiler functionality, and allows many Reverse Engineers to work on the same project via a Team server are some of the highlights. Another area of immediate interest to us was the scripting functionality. Much like IDA Pro, it is very easy to write scripts to help automate Reverse Engineering tasks.

A Quick Script

While playing with this functionality, we quickly wrote a script that searches through a program for the use of any unsafe functions. While not overly complicated, it demonstrates how fast and easy it is to extend GHIDRA’s functionality. We hope you have as much fun scripting GHIDRA as we do! Get the script at VDA Labs’ Github!

```python
# This script locates potentially dangerous functions that could introduce a vulnerability if they are used incorrectly.
#@author: VDA Labs (Michael Fowl)
#@category Functions

print "Searching for banned functions..."

# Microsoft SDL banned.h list.
blist = ([
    "strcpy", "strcpyA", "strcpyW", "wcscpy", "_tcscpy", "_mbscpy", "StrCpy", "StrCpyA", "StrCpyW",
    "lstrcpy", "lstrcpyA", "lstrcpyW", "_tccpy", "_mbccpy", "_ftcscpy",
    "strcat", "strcatA", "strcatW", "wcscat", "_tcscat", "_mbscat", "StrCat", "StrCatA", "StrCatW",
    "lstrcat", "lstrcatA", "lstrcatW", "StrCatBuff", "StrCatBuffA", "StrCatBuffW", "StrCatChainW",
    "_tccat", "_mbccat", "_ftcscat",
    "sprintfW", "sprintfA", "wsprintf", "wsprintfW", "wsprintfA", "sprintf", "swprintf", "_stprintf",
    "wvsprintf", "wvsprintfA", "wvsprintfW", "vsprintf", "_vstprintf", "vswprintf",
    "strncpy", "wcsncpy", "_tcsncpy", "_mbsncpy", "_mbsnbcpy", "StrCpyN", "StrCpyNA", "StrCpyNW",
    "StrNCpy", "strcpynA", "StrNCpyA", "StrNCpyW", "lstrcpyn", "lstrcpynA", "lstrcpynW",
    "strncat", "wcsncat", "_tcsncat", "_mbsncat", "_mbsnbcat", "StrCatN", "StrCatNA", "StrCatNW",
    "StrNCat", "StrNCatA", "StrNCatW", "lstrncat", "lstrcatnA", "lstrcatnW", "lstrcatn",
    "gets", "_getts", "_gettws",
    "IsBadWritePtr", "IsBadHugeWritePtr", "IsBadReadPtr", "IsBadHugeReadPtr", "IsBadCodePtr", "IsBadStringPtr"
])

# loop through program functions: walk the listing in address order with the
# flat API and report any function whose name is on the banned list
function = getFirstFunction()
while function is not None:
    for banned in blist:
        if function.getName() == banned:
            print "%s found at %s" % (function.getName(), function.getEntryPoint())
            #function.setComment("Badness!")
    function = getFunctionAfter(function)
print
```

How to Run a GHIDRA Script

Running one of the 238 included scripts, or adding your own script, is quite easy. Simply drop the script into one of these directories. Another option is creating your own script in the “Script Manager” interface. After creating the “FindBannedFunctions.py” GHIDRA script, simply run it on any program as shown below. The output for an example ARM program we are reversing in some of our previous IoT hacking blogs should look something like the screen capture below.
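The script above stops at the entry point of each banned function, and the cross-references still have to be looked up by hand with Ctrl-Shift-F. The following is an added example (my own code, not VDA Labs' FindBannedFunctions.py) that folds that second step into the scan: for every banned function it also collects the call sites via the flat API's getReferencesTo() and prints them together. It goes slightly beyond the post in that it also matches a few assumed toolchain name decorations ("__imp_strcpy", "_strcpy") after an exact miss. It uses only a subset of the SDL list for brevity, and the stand-in function and reference objects at the bottom are constructed so the matching logic runs offline under CPython as well as inside Ghidra's Jython (Python 2.7 syntax).

```python
# Added example, not VDA Labs' script: banned-function scan plus call-site
# lookup in one pass. Runs inside Ghidra (flat API globals getFirstFunction,
# getFunctionAfter, getReferencesTo, currentProgram) or offline against the
# constructed stand-ins below.

# Subset of the Microsoft SDL banned.h list from the post; extend as needed.
BANNED = frozenset([
    "strcpy", "strcpyA", "strcpyW", "wcscpy", "_tcscpy", "_mbscpy", "lstrcpy",
    "strcat", "strcatA", "strcatW", "wcscat", "_tcscat", "lstrcat",
    "sprintf", "swprintf", "_stprintf", "wsprintf", "vsprintf", "vswprintf",
    "strncpy", "wcsncpy", "_tcsncpy", "strncat", "wcsncat", "_tcsncat",
    "gets", "_getts", "_gettws",
    "IsBadWritePtr", "IsBadReadPtr", "IsBadCodePtr", "IsBadStringPtr",
])

# Assumed decorations some toolchains/import tables put in front of the plain
# symbol. Tried only after an exact miss, so real SDL names that begin with
# "_" (e.g. "_tcscpy") are matched as-is and never truncated.
DECORATIONS = ("__imp_", "_")


def canonical_name(name):
    """Return the banned.h name that `name` corresponds to, or None."""
    if name in BANNED:
        return name
    for prefix in DECORATIONS:
        if name.startswith(prefix) and name[len(prefix):] in BANNED:
            return name[len(prefix):]
    return None


def find_banned(functions, refs_to):
    """functions: objects with getName()/getEntryPoint() (Ghidra Function).
    refs_to(addr): references with getFromAddress()/getReferenceType().isCall()
    (Ghidra's getReferencesTo). Returns [(name, entry, [call-site addrs])]."""
    findings = []
    for fn in functions:
        if canonical_name(fn.getName()) is None:
            continue
        entry = fn.getEntryPoint()
        callers = [ref.getFromAddress() for ref in refs_to(entry)
                   if ref.getReferenceType().isCall()]   # skip data/pointer refs
        findings.append((fn.getName(), entry, callers))
    return findings


def report(findings):
    """Report lines, kept separate from printing so they can be checked."""
    lines = []
    for name, entry, callers in findings:
        lines.append("%s found at %s (%d call sites)" % (name, entry, len(callers)))
        for caller in callers:
            lines.append("    called from %s" % caller)
    return lines


def ghidra_functions():
    """Walk the listing in address order using Ghidra's flat API."""
    fn = getFirstFunction()
    while fn is not None:
        yield fn
        fn = getFunctionAfter(fn)


# Constructed stand-ins mimicking just the Ghidra methods used above.
class _RefType(object):
    def __init__(self, call): self._call = call
    def isCall(self): return self._call

class _Ref(object):
    def __init__(self, from_addr, call): self._from, self._type = from_addr, _RefType(call)
    def getFromAddress(self): return self._from
    def getReferenceType(self): return self._type

class _Fn(object):
    def __init__(self, name, entry): self._name, self._entry = name, entry
    def getName(self): return self._name
    def getEntryPoint(self): return self._entry


def sample_program():
    """Constructed listing: four functions, two banned, with references."""
    functions = [_Fn("main", "00101000"), _Fn("safe_copy", "00101200"),
                 _Fn("strcpy", "00101f40"), _Fn("__imp_gets", "00102000")]
    refs = {
        "00101f40": [_Ref("00101034", True), _Ref("00101080", True),
                     _Ref("00103000", False)],   # data reference, not a call
        "00102000": [_Ref("00101210", True)],
    }
    return functions, lambda addr: refs.get(addr, [])


try:
    currentProgram          # only defined inside Ghidra's script environment
    _in_ghidra = True
except NameError:
    _in_ghidra = False

if _in_ghidra:
    for line in report(find_banned(ghidra_functions(), getReferencesTo)):
        print(line)
else:
    fns, refs = sample_program()
    for line in report(find_banned(fns, refs)):
        print(line)
```

Inside Ghidra the output lists each banned function with the addresses that call it, so the triage order (most call sites first, or the ones reached from parsing code) can be decided without visiting each entry point. Only references whose type is a call are counted; a pointer to the function taken as data is deliberately left out of the count, which is worth remembering when a binary calls through function pointers.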
Simply double-click any of the identified memory addresses to visit the Banned Function entry point. Once there, you can press “Ctrl-Shift-F” to find any cross-references where the Banned Function is used in the application. Happy GHIDRA scripting! And if you need any reverse engineering support, we’d love to help.

Source: https://www.vdalabs.com/2019/03/09/automating-ghidra-writing-a-script-to-find-banned-functions/