Ahmed Abd El-Mawgood, profile picture
Uploaded byAhmed Abd El-Mawgood
118 views

args_types

This document discusses improvements made to function argument and type detection in Radare2. The improvements included providing uniform ways to work with local variables and define argument types, which required changing how syscalls and type information are handled. The detection works by matching strings in ESIL to locate and type variables, then naming and registering them. Support for additional architectures, variable types, and calling conventions was added, improving Radare2's ability to automatically detect function arguments and local variable types.

Embed presentation

Download to read offline
Function Argument Detection And Type Matching In Radare2 Oddcoder (@anoddcoder) Xvilka (@akochkov) R2Con 2016 1
GSoC ● Improving and fixing current types support ● Providing an uniform way to work with local variables ● Providing an uniform way to define argument types ● Very complex task involving a code refactoring ● http://radare.org/gsoc/2016/ideas.html#title_3
Task implications ● It required a change of the way to handle syscalls. ● Changing the ‘t*’ commands syntax and set. ● Changing the ‘af*’ commands syntax and set. ● It was required to simplify fetching types information to radeco.
Future directions ● It’s planned to add integration with signatures mechanisms. ● Supporting object-oriented programming data structures. ● Integration with demangling. ● Integration with DWARF/PDB/etc debug information.
$ whoami ● Computer and communication engineering student. ● Hobbyist system software developer, exploitation, etc.. ● Active developer at Radare2 project. ● Participant in Google Summer Of Code 2016.
A word of gratitude
Problems I was trying to solve ● Auto detect formal arguments and local variables. ● Gather type information about them.
Rules of the game No constraint solvers No debugging. Architecture independent Modular and easy to extend.
Challenges ● A bit of everything is implemented. ● That was my first time to work on large code bases. ● I had to learn a lot on the fly.
Function Arguments/Locals ● Worked on x86 only. ● No 2 variables with same name in the whole binary. ● Only [ebp + stuff] could be manipulated. ● No stack based, or register based args/locals.
● It is arch independent. ● variables are local to their function. ● Adding support for stack based, or register based args/ locals. Function Arguments/Locals
Old R2
New R2
How does Automatic detection work ? It is all strings matching on ESIL.
How does Automatic detection work ? 1. Locate candidate var.
How does Automatic detection work ? 1. Locate candidate var. NUMBER,SP, + NUMBER,BP, + NUMBER,BP, -
How does Automatic detection work ? 1. Locate candidate var. 2. Identify type of candidate var.
How does Automatic detection work ? 1. Locate candidate var. 2. Identify type of candidate var. NUMBER,BP, + (arg) NUMBER,BP, - (local) NUMBER,SP, + (?)
How does Automatic detection work ? 1. Locate candidate var. 2. Identify type of candidate var. 3. Naming and registering var.
How does Automatic detection work ? 1. Locate candidate var. 2. Identify type of candidate var. 3. Naming and registering var. local_(Number)h [_counter] var_(Number)h [_counter]
Type Matching ● Implementing type hints for standard function. ● Depends on calling convention of that function. ● Needs emulation to avoid confusion with stack & registers tracing.
What is Calling Convention? ● It is the way functions call another another function. ● How arguments are arranged in the stack ? ● Who cleans the callee stack ? ● Where is the return value placed ?
Cdecl ● Most common calling convention in linux i386. ● Arguments are pushed right to left on the stack. ● Return value is put in eax. ● The caller is the one who cleans the stack.
Cdecl memset (0xffff2048, ‘A’, 0x100);
Cdecl memset (0xffff2048, ‘A’, 0x100); push 0x100 push 0x41 push 0xffff2048 call memset
Stdcall ● Popular on i386 windows machines. ● Arguments pushed left to right on the stack. ● Return value is also put in eax. ● Callee cleans its own stack frame.
Stdcall memset (0xffff2048, ‘A’, 0x100);
Stdcall memset (0xffff2048, ‘A’, 0x100); push 0xffff2048 push 0x41 push 0x100 call memset
X64 Windows ABI ● Arguments passed into RCX, RDX, R8, R9, then the remaining arguments are put on stack right to left. ● Return value is put into rax
And much more ● And there are lots of other calling conventions. ● Calling conventions for each architecture, and for each Operating system. ● Even some programming languages and some compilers got their own calling conventions (ABI)
Why would we care ?
We already had this.
And we turned it into that
And this is our final goal
Implementation details 1. Read next instruction.
Implementation details 1. Read next instruction. 2. Record that instruction for traceback.
Implementation details 1. Read next instruction. 2. Record that instruction for traceback. 3. Record stack and register accesses.
Implementation details 1. Read next instruction. 2. Record that instruction for traceback. 3. Record stack and register accesses. 4. Go to step 1 .
Implementation details 1. Read next instruction. 2. Record that instruction for traceback. 3. Record stack and register accesses. 4. Go to step 1 . → This loop is interrupted when we find a call instruction
Implementation details Interesting stuff starts when we catch a call instruction.
Implementation details 1- Grab function’s definition from types database.
Implementation details 1- Grab function’s definition from types database. 2- Do the math to calculate the location of all arguments.
Implementation details 1- Grab function’s definition from types database. 2- Do the math to calculate the location of all arguments. 3- Search the trace log for writing to these locations.
Implementation details Now it is up to us what to do with all that information.
SHOW TIME
Let's add types SDB(s)
See also GitHub issue https://github.com/radare/radare2/issues/3655 RT (Radare Today) article http://radare.today/posts/GSOC-The-last-commit-213c6f/ Calling convention db docs: https://github.com/radare/radare2/blob/master/doc/calling-conventions.md Types db docs: https://github.com/radare/radare2/blob/master/doc/types.md

More Related Content

PPTX
Dart PPT.pptx
byDSCMESCOE
 
PDF
Functional Programming in C# and F#
byAlfonso Garcia-Caro
 
PDF
Fundamentals of Computing and C Programming - Part 1
byKarthik Srini B R
 
PDF
Semantic Analysis of a C Program
byDebarati Das
 
DOCX
Ecet 330 Enthusiastic Study / snaptutorial.com
byStephenson033
 
PDF
Language-Independent Detection of Object-Oriented Design Patterns
byESUG
 
DOCX
Sp imp gtu
byParas Patel
 
PDF
How to Learn Java Programming
byJava2Blog
 
Dart PPT.pptx
byDSCMESCOE
 
Functional Programming in C# and F#
byAlfonso Garcia-Caro
 
Fundamentals of Computing and C Programming - Part 1
byKarthik Srini B R
 
Semantic Analysis of a C Program
byDebarati Das
 
Ecet 330 Enthusiastic Study / snaptutorial.com
byStephenson033
 
Language-Independent Detection of Object-Oriented Design Patterns
byESUG
 
Sp imp gtu
byParas Patel
 
How to Learn Java Programming
byJava2Blog
 

What's hot

PDF
(2) cpp imperative programming
byNico Ludwig
 
PDF
Embedded C - Optimization techniques
byEmertxe Information Technologies Pvt Ltd
 
ODP
Using ANTLR on real example - convert "string combined" queries into paramete...
byAlexey Diyan
 
PPTX
Antlr part2 getting_started_in_java
byMorteza Zakeri
 
PDF
Learn C# Programming - Decision Making & Loops
byEng Teong Cheah
 
PPTX
An Introduction to ANTLR
byMorteza Zakeri
 
ODP
ANTLR4 and its testing
byKnoldus Inc.
 
PPTX
Binary Studio Academy PRO: ANTLR course by Alexander Vasiltsov (lesson 1)
byBinary Studio
 
PPT
C++ to java
byAjmal Ak
 
PPTX
C++
byAL- AMIN
 
PDF
Keywords in python
byPushpakBhoge
 
DOCX
C# note
byDr. Somnath Sinha
 
ODP
Convention-Based Syntactic Descriptions
byRay Toal
 
PPTX
Lifting variability from C to mbeddr-C
byFederico Tomassetti
 
PPT
20130329 introduction to linq
byLearningTech
 
PPTX
Site visit presentation 2012 12 14
byMitchell Wand
 
DOCX
Hd2
byPrakash Rao
 
PDF
New c sharp4_features_part_ii
byNico Ludwig
 
(2) cpp imperative programming
byNico Ludwig
 
Embedded C - Optimization techniques
byEmertxe Information Technologies Pvt Ltd
 
Using ANTLR on real example - convert "string combined" queries into paramete...
byAlexey Diyan
 
Antlr part2 getting_started_in_java
byMorteza Zakeri
 
Learn C# Programming - Decision Making & Loops
byEng Teong Cheah
 
An Introduction to ANTLR
byMorteza Zakeri
 
ANTLR4 and its testing
byKnoldus Inc.
 
Binary Studio Academy PRO: ANTLR course by Alexander Vasiltsov (lesson 1)
byBinary Studio
 
C++ to java
byAjmal Ak
 
C++
byAL- AMIN
 
Keywords in python
byPushpakBhoge
 
C# note
byDr. Somnath Sinha
 
Convention-Based Syntactic Descriptions
byRay Toal
 
Lifting variability from C to mbeddr-C
byFederico Tomassetti
 
20130329 introduction to linq
byLearningTech
 
Site visit presentation 2012 12 14
byMitchell Wand
 
Hd2
byPrakash Rao
 
New c sharp4_features_part_ii
byNico Ludwig
 

Viewers also liked

PDF
A. Ciammola - L’esercizio per l’industria
byIstituto nazionale di statistica
 
PDF
Missione Istituzionale e cambiamento organizzativo degli Enti di Area Vasta
bycittametro
 
PDF
L'esperienza della citta metropolitana di Bari
bycittametro
 
PPTX
Seminario 8 Síntesis de polimetacrilato de metilo
byIPN
 
PDF
Soal psikotes beserta jawabannya
byMohammad Handika
 
PPS
Inauguracion Beijing 2008
byvianblanca
 
PDF
apb desa
byFormasi Org
 
DOCX
JIJO RESUME Catering Manager
byJijo Thankachan
 
DOCX
SOAL TRY OUT FISIKA SMP
bywuryantopss
 
PDF
Альона Тудан “World of bugs: let’s find together”
byDakiry
 
DOCX
Eido Khater Moamen Hemaida
byeido khater
 
DOC
Acordo ponto 21
bytarapeulta
 
A. Ciammola - L’esercizio per l’industria
byIstituto nazionale di statistica
 
Missione Istituzionale e cambiamento organizzativo degli Enti di Area Vasta
bycittametro
 
L'esperienza della citta metropolitana di Bari
bycittametro
 
Seminario 8 Síntesis de polimetacrilato de metilo
byIPN
 
Soal psikotes beserta jawabannya
byMohammad Handika
 
Inauguracion Beijing 2008
byvianblanca
 
apb desa
byFormasi Org
 
JIJO RESUME Catering Manager
byJijo Thankachan
 
SOAL TRY OUT FISIKA SMP
bywuryantopss
 
Альона Тудан “World of bugs: let’s find together”
byDakiry
 
Eido Khater Moamen Hemaida
byeido khater
 
Acordo ponto 21
bytarapeulta
 

Similar to args_types

PPT
8871077.ppt
byssuserc28b3c
 
PDF
Embedded C - Lecture 2
byMohamed Abdallah
 
PDF
Data Structure - Lecture 2 - Recursion Stack Queue.pdf
bydonotreply20
 
PPTX
Verilog presentation final
byAnkur Gupta
 
PPTX
embedded C.pptx
bymohammedahmed539376
 
PPT
Verilog tutorial
byMaryala Srinivas
 
PDF
Intro. to static analysis
byChong-Kuan Chen
 
PDF
The Ultimate Serial Port Detective – Baudowl
byCysinfo Cyber Security Community
 
PPTX
Compiler Design Notes for rgpv 6tth sem students
byMedhanshAgrawal
 
PDF
Verilog Tasks & Functions
byanand hd
 
PDF
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
byTyler Shields
 
PPTX
Functional verification using System verilog introduction
byJuhaMichel
 
PPT
Mod02 compilers
byPeter Haase
 
PDF
GooglePropsal
byAhmed Abd El-Mawgood
 
PPT
Advanced driver debugging (13005399) copy
byBurlacu Sergiu
 
PDF
VIT351 Software Development VI Unit1
byYOGESH SINGH
 
PDF
46630497 fun-pointer-1
byAmIt Prasad
 
PDF
Experimental dtrace
byMatthew Ahrens
 
PPTX
Real Time Debugging - What to do when a breakpoint just won't do
byLloydMoore
 
PPTX
chapter-6 slide.pptx
bycricketreview
 
8871077.ppt
byssuserc28b3c
 
Embedded C - Lecture 2
byMohamed Abdallah
 
Data Structure - Lecture 2 - Recursion Stack Queue.pdf
bydonotreply20
 
Verilog presentation final
byAnkur Gupta
 
embedded C.pptx
bymohammedahmed539376
 
Verilog tutorial
byMaryala Srinivas
 
Intro. to static analysis
byChong-Kuan Chen
 
The Ultimate Serial Port Detective – Baudowl
byCysinfo Cyber Security Community
 
Compiler Design Notes for rgpv 6tth sem students
byMedhanshAgrawal
 
Verilog Tasks & Functions
byanand hd
 
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
byTyler Shields
 
Functional verification using System verilog introduction
byJuhaMichel
 
Mod02 compilers
byPeter Haase
 
GooglePropsal
byAhmed Abd El-Mawgood
 
Advanced driver debugging (13005399) copy
byBurlacu Sergiu
 
VIT351 Software Development VI Unit1
byYOGESH SINGH
 
46630497 fun-pointer-1
byAmIt Prasad
 
Experimental dtrace
byMatthew Ahrens
 
Real Time Debugging - What to do when a breakpoint just won't do
byLloydMoore
 
chapter-6 slide.pptx
bycricketreview
 

args_types

  • 1.
    Function Argument Detection AndType Matching In Radare2 Oddcoder (@anoddcoder) Xvilka (@akochkov) R2Con 2016 1
  • 2.
    GSoC ● Improving andfixing current types support ● Providing an uniform way to work with local variables ● Providing an uniform way to define argument types ● Very complex task involving a code refactoring ● http://radare.org/gsoc/2016/ideas.html#title_3
  • 3.
    Task implications ● Itrequired a change of the way to handle syscalls. ● Changing the ‘t*’ commands syntax and set. ● Changing the ‘af*’ commands syntax and set. ● It was required to simplify fetching types information to radeco.
  • 4.
    Future directions ● It’splanned to add integration with signatures mechanisms. ● Supporting object-oriented programming data structures. ● Integration with demangling. ● Integration with DWARF/PDB/etc debug information.
  • 5.
    $ whoami ● Computerand communication engineering student. ● Hobbyist system software developer, exploitation, etc.. ● Active developer at Radare2 project. ● Participant in Google Summer Of Code 2016.
  • 6.
    A word ofgratitude
  • 7.
    Problems I wastrying to solve ● Auto detect formal arguments and local variables. ● Gather type information about them.
  • 8.
    Rules of thegame No constraint solvers No debugging. Architecture independent Modular and easy to extend.
  • 9.
    Challenges ● A bitof everything is implemented. ● That was my first time to work on large code bases. ● I had to learn a lot on the fly.
  • 10.
    Function Arguments/Locals ● Workedon x86 only. ● No 2 variables with same name in the whole binary. ● Only [ebp + stuff] could be manipulated. ● No stack based, or register based args/locals.
  • 11.
    ● It isarch independent. ● variables are local to their function. ● Adding support for stack based, or register based args/ locals. Function Arguments/Locals
  • 12.
  • 13.
  • 14.
    How does Automaticdetection work ? It is all strings matching on ESIL.
  • 15.
    How does Automaticdetection work ? 1. Locate candidate var.
  • 16.
    How does Automaticdetection work ? 1. Locate candidate var. NUMBER,SP, + NUMBER,BP, + NUMBER,BP, -
  • 17.
    How does Automaticdetection work ? 1. Locate candidate var. 2. Identify type of candidate var.
  • 18.
    How does Automaticdetection work ? 1. Locate candidate var. 2. Identify type of candidate var. NUMBER,BP, + (arg) NUMBER,BP, - (local) NUMBER,SP, + (?)
  • 19.
    How does Automaticdetection work ? 1. Locate candidate var. 2. Identify type of candidate var. 3. Naming and registering var.
  • 20.
    How does Automaticdetection work ? 1. Locate candidate var. 2. Identify type of candidate var. 3. Naming and registering var. local_(Number)h [_counter] var_(Number)h [_counter]
  • 21.
    Type Matching ● Implementingtype hints for standard function. ● Depends on calling convention of that function. ● Needs emulation to avoid confusion with stack & registers tracing.
  • 22.
    What is CallingConvention? ● It is the way functions call another another function. ● How arguments are arranged in the stack ? ● Who cleans the callee stack ? ● Where is the return value placed ?
  • 23.
    Cdecl ● Most commoncalling convention in linux i386. ● Arguments are pushed right to left on the stack. ● Return value is put in eax. ● The caller is the one who cleans the stack.
  • 24.
  • 25.
    Cdecl memset (0xffff2048, ‘A’,0x100); push 0x100 push 0x41 push 0xffff2048 call memset
  • 26.
    Stdcall ● Popular oni386 windows machines. ● Arguments pushed left to right on the stack. ● Return value is also put in eax. ● Callee cleans its own stack frame.
  • 27.
  • 28.
    Stdcall memset (0xffff2048, ‘A’,0x100); push 0xffff2048 push 0x41 push 0x100 call memset
  • 29.
    X64 Windows ABI ●Arguments passed into RCX, RDX, R8, R9, then the remaining arguments are put on stack right to left. ● Return value is put into rax
  • 30.
    And much more ●And there are lots of other calling conventions. ● Calling conventions for each architecture, and for each Operating system. ● Even some programming languages and some compilers got their own calling conventions (ABI)
  • 31.
  • 32.
  • 33.
    And we turnedit into that
  • 34.
    And this isour final goal
  • 35.
  • 36.
    Implementation details 1. Readnext instruction. 2. Record that instruction for traceback.
  • 37.
    Implementation details 1. Readnext instruction. 2. Record that instruction for traceback. 3. Record stack and register accesses.
  • 38.
    Implementation details 1. Readnext instruction. 2. Record that instruction for traceback. 3. Record stack and register accesses. 4. Go to step 1 .
  • 39.
    Implementation details 1. Readnext instruction. 2. Record that instruction for traceback. 3. Record stack and register accesses. 4. Go to step 1 . → This loop is interrupted when we find a call instruction
  • 40.
    Implementation details Interesting stuffstarts when we catch a call instruction.
  • 41.
    Implementation details 1- Grabfunction’s definition from types database.
  • 42.
    Implementation details 1- Grabfunction’s definition from types database. 2- Do the math to calculate the location of all arguments.
  • 43.
    Implementation details 1- Grabfunction’s definition from types database. 2- Do the math to calculate the location of all arguments. 3- Search the trace log for writing to these locations.
  • 44.
    Implementation details Now itis up to us what to do with all that information.
  • 45.
  • 46.
  • 47.
    See also GitHub issuehttps://github.com/radare/radare2/issues/3655 RT (Radare Today) article http://radare.today/posts/GSOC-The-last-commit-213c6f/ Calling convention db docs: https://github.com/radare/radare2/blob/master/doc/calling-conventions.md Types db docs: https://github.com/radare/radare2/blob/master/doc/types.md