
Stack string detection combines multiple short strings into a longer one

Open xusheng6 opened this issue 1 year ago • 2 comments

In the following screenshot, we can see there are multiple null-terminated strings on the stack:

Screenshot 2024-08-02 at 5 46 09 PM

However, the stack string detection combines them and thinks it is a longer string:

Screenshot 2024-08-02 at 5 47 21 PM

We should either automatically detect the case and create multiple strings from it or, at least, offer a way to override the behavior of the stack string detection and make it possible for the user to fix the situation.

xusheng6, Aug 02 '24 09:08
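The situation described above, as an added example that is not part of the issue and not Binary Ninja's code: constant stores are replayed into a stack image, which is then split at each stored NUL instead of being read as one long buffer. The store list, offsets and function names are constructed for illustration.

```python
# Added illustration; names and sample values are constructed, not from the issue.
# Each store is (rbp-relative offset, width in bytes, little-endian immediate).
STORES = [
    (-0x50, 4, int.from_bytes(b"key\0", "little")),
    (-0x4c, 8, int.from_bytes(b"value\0ok", "little")),  # one store spans two strings
    (-0x44, 1, 0),                                        # terminator for "ok"
]

def rebuild(stores):
    """Replay constant stores into a byte image plus a per-byte 'written' mask."""
    base = min(off for off, _, _ in stores)
    size = max(off + width for off, width, _ in stores) - base
    image, written = bytearray(size), [False] * size
    for off, width, value in stores:
        lo = off - base
        image[lo:lo + width] = value.to_bytes(width, "little")
        written[lo:lo + width] = [True] * width
    return base, image, written

def merged_view(stores):
    """The whole written region as one buffer, embedded NULs included."""
    return bytes(rebuild(stores)[1])

def split_strings(stores, min_len=1):
    """Return [(offset, text)] for every printable run ended by a written NUL."""
    base, image, written = rebuild(stores)
    found, start = [], None
    for i, byte in enumerate(image):
        if written[i] and 0x20 <= byte < 0x7F:
            if start is None:
                start = i
            continue
        # Run ends here: keep it only when a NUL that was really stored closes it.
        if start is not None and written[i] and byte == 0 and i - start >= min_len:
            found.append((base + start, image[start:i].decode("ascii")))
        start = None
    return found  # a run reaching the end of the image unterminated is dropped

if __name__ == "__main__":
    print(merged_view(STORES))
    for off, text in split_strings(STORES):
        print(f"rbp{off:+#x}: {text!r}")
```

Store boundaries and string boundaries do not line up here (the 8-byte store carries the end of one string and the start of the next), which is why the split has to work on the rebuilt bytes rather than per store.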

I tested and found that setting the type of `_Str2_4` at rbp-0x4b produces a weird result: the HLIL does not set the first two bytes of the string:

Screenshot 2024-08-02 at 6 10 28 PM

Though it looks normal at the disassembly:

Screenshot 2024-08-02 at 6 11 18 PM

xusheng6, Aug 02 '24 10:08

malware warning, pw: infected

18390775977.zip

xusheng6, Aug 06 '24 14:08