Jump to content
Sign in to follow this  
Nytro

Automating GHIDRA: Writing a Script to Find Banned Functions

Recommended Posts

Automating GHIDRA: Writing a Script to Find Banned Functions

by Michael Fowl | Mar 9, 2019 | AppSec, Exploit Development, Malware Analysis

Automating GHIDRA: Writing a Script to Find Banned Functions

At VDA Labs we get excited about Reverse Engineering tools, and the recent release of NSA’s GHIDRA does not disappoint. The fact that it is free, supports many different CPU architectures, contains decompiler functionality, and allows many Reverse Engineers to work on the same project via a Team server, are some of the highlights. Another area of immediate interest to us was the scripting functionality. Much like IDA Pro, it is very easy to write scripts to help automate Reverse Engineering tasks.

A Quick Script

While playing with this functionality, we quickly wrote a script that searches through a program for the use of any unsafe functions. While not overly complicated, it demonstrates how fast and easy it is to extend GHIDRA’s functionality. We hope you have as much fun scripting GHIDRA as us!

Get the script at VDA Labs’ Github!

 

# This script locates potentially dangerous functions that could introduce a vulnerability if they are used incorrectly.
#@author: VDA Labs (Michael Fowl)
#@category Functions
 
print "Searching for banned functions..."
 
# Microsoft SDL banned.h list.
blist = (["strcpy", "strcpyA", "strcpyW", "wcscpy", "_tcscpy", "_mbscpy", "StrCpy",
"StrCpyA", "StrCpyW", "lstrcpy", "lstrcpyA", "lstrcpyW", "_tccpy", "_mbccpy",
"_ftcscpy", "strcat", "strcatA", "strcatW", "wcscat", "_tcscat", "_mbscat",
"StrCat", "StrCatA", "StrCatW", "lstrcat", "lstrcatA", "lstrcatW", "StrCatBuff",
"StrCatBuffA", "StrCatBuffW", "StrCatChainW", "_tccat", "_mbccat", "_ftcscat",
"sprintfW", "sprintfA", "wsprintf", "wsprintfW", "wsprintfA", "sprintf", "swprintf",
"_stprintf", "wvsprintf", "wvsprintfA", "wvsprintfW", "vsprintf", "_vstprintf",
"vswprintf", "strncpy", "wcsncpy", "_tcsncpy", "_mbsncpy", "_mbsnbcpy", "StrCpyN",
"StrCpyNA", "StrCpyNW", "StrNCpy", "strcpynA", "StrNCpyA", "StrNCpyW", "lstrcpyn",
"lstrcpynA", "lstrcpynW", "strncat", "wcsncat", "_tcsncat", "_mbsncat", "_mbsnbcat",
"StrCatN", "StrCatNA", "StrCatNW", "StrNCat", "StrNCatA", "StrNCatW", "lstrncat",
"lstrcatnA", "lstrcatnW", "lstrcatn", "gets", "_getts", "_gettws", "IsBadWritePtr",
"IsBadHugeWritePtr", "IsBadReadPtr", "IsBadHugeReadPtr", "IsBadCodePtr", "IsBadStringPtr"])
 
# loop through program functions
function = getFirstFunction()
while function is not None:
for banned in blist:
if function.getName() == banned:
print "%s found at %s" % (function.getName(),function.getEntryPoint())
#function.setComment("Badness!")
function = getFunctionAfter(function)
print

 

How to Run a GHIDRA Script

Running one of the 238 included scripts, or adding your own script is quite easy. Simply drop the script on one of these directories.

script-dirs.png

Another option is creating your own script in the “Script Manager” interface.

creat-script.png

After creating the “FindBannedFunctions.py” GHIDRA script, simply run it on any program like is shown below.

run-script.png

The output for an example ARM program we are reversing in some of our previous IoT hacking blogs, should look something like the screen capture below.

script-output-1080x569.png

Simply double-click any of the identified memory addresses to visit the Banned Function entry point. Once there, you can press “Ctrl-Shift-F” to find any Cross-references where the Banned Function is used in the application. Happy GHIDRA scripting!  And if you need any reverse engineering support — we’d love to help.

references.png

 

Sursa: https://www.vdalabs.com/2019/03/09/automating-ghidra-writing-a-script-to-find-banned-functions/

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

×
×
  • Create New...