
Accessing load_configuration.guard_flags returns an unknown GUARD_CF_FLAGS enum

Open Wenzel opened this issue 5 years ago • 7 comments

Describe the bug

Accessing load_configuration.guard_flags returns an unknown GUARD_CF_FLAGS enumeration value.

To Reproduce

  • load a PE binary with lief
  • access guard_flags

Screenshot from 2020-10-07 00-02-35

Expected behavior

An enumeration of type GUARD_RF_FLAGS should have been returned.

Environment (please complete the following information):

  • System and Version : Ubuntu 20.04
  • Target format PE
  • LIEF commit version: 0.10.1-bfe5414

Additional context

I need this feature to test RFG support: https://github.com/Wenzel/checksec.py/issues/77

Thanks!

Wenzel avatar Oct 06 '20 22:10 Wenzel

I think you are looking for: guard_cf_flags_list

romainthomas avatar Oct 07 '20 06:10 romainthomas

Does it resolve your problem?

romainthomas avatar Oct 10 '20 13:10 romainthomas

Hi @romainthomas,

Thanks for pointing me to guard_cf_flags_list. What I want in the end is to implement the same check as in winchecksec:isRFG

The equivalent in Python would be

import lief
from lief.PE import GUARD_CF_FLAGS
binary = lief.parse("bin")
cf_flags_list = binary.load_configuration.guard_cf_flags_list
is_rfg = True if GUARD_CF_FLAGS.INSTRUMENTED in cf_flags_list and (GUARD_CF_FLAGS.ENABLE in cf_flags_list or GUARD_CF_FLAGS.STRICT in cf_flags_list) else False

However, the STRICT and ENABLE flags are only available in GUARD_RF_FLAGS.

Assuming that GUARD_CF_FLAGS.INSTRUMENTED is the same as GUARD_RF_FLAGS.INSTRUMENTED, how would I check the ENABLE and STRICT return flow guard flags with guard_cf_flags_list?

Thanks!

Wenzel avatar Oct 10 '20 13:10 Wenzel

@Wenzel I unified both flags. Let me know if https://github.com/lief-project/LIEF/commit/2d0005dc6089783eed039b569390cc79e8068f15 resolves your problem.

(You have now lief.PE.GUARD_CF_FLAGS.GRF_INSTRUMENTED and lief.PE.GUARD_CF_FLAGS.GCF_INSTRUMENTED)

romainthomas avatar Oct 11 '20 18:10 romainthomas
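
The RFG check discussed in this thread, written against the raw GuardFlags bitmask from the PE load configuration (an added example, not code from LIEF, winchecksec or the posters, and it does not use LIEF). Because the field is a bitmask, a value with several bits set does not match any single enumeration member. The bit values are the IMAGE_GUARD_* constants from winnt.h; the helper names `decode_guard_flags` and `is_rfg` are hypothetical and the sample values are constructed.

```python
from enum import IntFlag


class GuardFlags(IntFlag):
    """GuardFlags bits from winnt.h (IMAGE_GUARD_*), up to RETPOLINE_PRESENT."""
    CF_INSTRUMENTED = 0x00000100
    CFW_INSTRUMENTED = 0x00000200
    CF_FUNCTION_TABLE_PRESENT = 0x00000400
    SECURITY_COOKIE_UNUSED = 0x00000800
    PROTECT_DELAYLOAD_IAT = 0x00001000
    DELAYLOAD_IAT_IN_ITS_OWN_SECTION = 0x00002000
    CF_EXPORT_SUPPRESSION_INFO_PRESENT = 0x00004000
    CF_ENABLE_EXPORT_SUPPRESSION = 0x00008000
    CF_LONGJUMP_TABLE_PRESENT = 0x00010000
    RF_INSTRUMENTED = 0x00020000
    RF_ENABLE = 0x00040000
    RF_STRICT = 0x00080000
    RETPOLINE_PRESENT = 0x00100000


# The top nibble is a number (extra bytes per guard table entry), not a flag.
CF_FUNCTION_TABLE_SIZE_MASK = 0xF0000000
KNOWN_BITS = sum(flag.value for flag in GuardFlags)


def decode_guard_flags(raw):
    """Return (flag names, table entry stride, bits this table cannot name)."""
    stride = (raw & CF_FUNCTION_TABLE_SIZE_MASK) >> 28
    bits = raw & 0xFFFFFFFF & ~CF_FUNCTION_TABLE_SIZE_MASK
    names = [flag.name for flag in GuardFlags if bits & flag.value]
    return names, stride, bits & ~KNOWN_BITS


def is_rfg(raw):
    """The check from the thread: INSTRUMENTED and (ENABLE or STRICT)."""
    enforced = GuardFlags.RF_ENABLE | GuardFlags.RF_STRICT
    return bool(raw & GuardFlags.RF_INSTRUMENTED) and bool(raw & enforced)


# Constructed GuardFlags values, not taken from real binaries.
SAMPLES = {
    "cfg_only": 0x10014500,
    "rfg_enabled": 0x00060500,
    "rfg_instrumented_only": 0x00020500,
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, hex(raw), decode_guard_flags(raw), "RFG:", is_rfg(raw))
```

Bits defined after RETPOLINE_PRESENT are returned in the third tuple element instead of being dropped, so an unrecognised value stays visible to the caller.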

Thanks for the patch.

How do I install the new python bindings once they are compiled?

cd build/api/python
make
# lief, lief.so generated
# should I pip install build/api/python/lief_pybind11-prefix/src/lief_pybind11 ?

I did pip install build/api/python/lief_pybind11-prefix/src/lief_pybind11 but I can't see the changes in the GUARD_CF_FLAGS enum.

Wenzel avatar Oct 11 '20 19:10 Wenzel

You can download a nightly wheel here: https://lief.quarkslab.com/packages/lief/ or

$ git clone git@github.com:lief-project/LIEF.git
$ cd LIEF
$ python ./setup.py dev

romainthomas avatar Oct 11 '20 19:10 romainthomas

Thanks for the hint, I downloaded the latest nightly and implemented.

I'm looking for RFG binaries to confirm that it works.

Wenzel avatar Oct 11 '20 20:10 Wenzel