
binja: crash when trying to get LLIL of a function that is not properly analyzed

Open xusheng6 opened this issue 1 year ago • 2 comments

While running capa on 2f7f5fb5de175e770d7eae87666f9831.elf_, I get this crash:

Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/Users/xusheng/capa/capa/main.py", line 1103, in <module>
    sys.exit(main())
             ^^^^^^
  File "/Users/xusheng/capa/capa/main.py", line 994, in main
    capabilities, counts = find_capabilities(rules, extractor, disable_progress=args.quiet)
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/xusheng/capa/capa/capabilities/common.py", line 75, in find_capabilities
    return find_static_capabilities(ruleset, extractor, disable_progress=disable_progress, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/xusheng/capa/capa/capabilities/static.py", line 168, in find_static_capabilities
    function_matches, bb_matches, insn_matches, feature_count = find_code_capabilities(ruleset, extractor, f)
                                                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/xusheng/capa/capa/capabilities/static.py", line 115, in find_code_capabilities
    features, bmatches, imatches = find_basic_block_capabilities(ruleset, extractor, fh, bb)
                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/xusheng/capa/capa/capabilities/static.py", line 71, in find_basic_block_capabilities
    ifeatures, imatches = find_instruction_capabilities(ruleset, extractor, f, bb, insn)
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/xusheng/capa/capa/capabilities/static.py", line 38, in find_instruction_capabilities
    for feature, addr in itertools.chain(
  File "/Users/xusheng/capa/capa/features/extractors/binja/extractor.py", line 95, in extract_insn_features
    yield from capa.features.extractors.binja.insn.extract_features(fh, bbh, ih)
  File "/Users/xusheng/capa/capa/features/extractors/binja/insn.py", line 559, in extract_features
    for feature, ea in inst_handler(f, bbh, insn):
  File "/Users/xusheng/capa/capa/features/extractors/binja/insn.py", line 167, in extract_insn_bytes_features
    llil = func.get_llil_at(ih.address)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Applications/Binary Ninja.app/Contents/Resources/python/binaryninja/function.py", line 1811, in get_llil_at
    return self.get_low_level_il_at(addr, arch)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Applications/Binary Ninja.app/Contents/Resources/python/binaryninja/function.py", line 1791, in get_low_level_il_at
    llil = self.llil
           ^^^^^^^^^
  File "/Applications/Binary Ninja.app/Contents/Resources/python/binaryninja/function.py", line 987, in llil
    raise ILException(f"Low level IL was not loaded for {self!r}")
binaryninja.exceptions.ILException: Low level IL was not loaded for <func: x86_64@0x4a6290>

This crash happens because we are trying to access the IL instruction without making sure it exists in the first place. The function is quite complex and it times out on the default analysis time limit.

We might want to use get_llils_at instead which will return an empty list in this case. See also https://github.com/Vector35/binaryninja-api/issues/6205

What puzzles me is that we have not seen it before -- this crash should have been noticed long before.

xusheng6 avatar Dec 03 '24 09:12 xusheng6
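The defensive lookup the report suggests (prefer `get_llils_at`, which returns an empty list for a function whose IL was never produced, and treat `ILException` as "no IL" rather than letting it propagate), as an added example that is not capa's or Binary Ninja's own code. The `FakeFunction` class is a constructed stand-in for `binaryninja.function.Function` so the block runs without Binary Ninja installed; only `get_llil_at`, `get_llils_at` and `ILException` are real API names, taken from the traceback and the report.

```python
"""Skip instructions whose LLIL is unavailable instead of crashing the whole scan."""
from typing import List, Optional, Tuple

try:
    from binaryninja.exceptions import ILException  # real class when Binary Ninja is present
except ImportError:  # constructed stand-in so the example runs offline
    class ILException(Exception):
        pass


class FakeLLIL:
    """Constructed stand-in for a LowLevelILInstruction; only `.operation` is modelled."""

    def __init__(self, operation: str):
        self.operation = operation


class FakeFunction:
    """Constructed stand-in for binaryninja.function.Function.

    analyzed=True  -> IL exists: get_llil_at/get_llils_at return it.
    analyzed=False -> analysis timed out: get_llil_at raises ILException (the
                      crash in the traceback) while get_llils_at returns [].
    raise_from_plural=True additionally makes get_llils_at raise, to model an
    API build where both accessors go through the `llil` property.
    """

    def __init__(self, llil_by_addr=None, analyzed=True, raise_from_plural=False):
        self._llil = llil_by_addr or {}
        self._analyzed = analyzed
        self._raise_from_plural = raise_from_plural

    def get_llil_at(self, addr: int, arch=None) -> FakeLLIL:
        if not self._analyzed:
            raise ILException("Low level IL was not loaded for <func: x86_64@0x4a6290>")
        return self._llil[addr][0]

    def get_llils_at(self, addr: int, arch=None) -> List[FakeLLIL]:
        if not self._analyzed:
            if self._raise_from_plural:
                raise ILException("Low level IL was not loaded for <func: x86_64@0x4a6290>")
            return []
        return list(self._llil.get(addr, []))


def llil_at(func, addr: int) -> Optional[FakeLLIL]:
    """Return the first LLIL instruction at `addr`, or None when the function has no IL.

    get_llils_at() yields [] for a function whose analysis exceeded the time limit,
    whereas get_llil_at() raises; catching ILException as well covers builds where
    the plural accessor still raises. Either way the caller sees "no IL" and moves on.
    """
    try:
        llils = func.get_llils_at(addr)
    except ILException:
        return None
    return llils[0] if llils else None


def collect_llil_ops(func, addrs) -> Tuple[List[Tuple[int, str]], List[int]]:
    """Walk instruction addresses; return (addr, operation) for those with IL and the
    addresses that were skipped, so a partially analysed function degrades gracefully
    instead of aborting the capa run."""
    found: List[Tuple[int, str]] = []
    skipped: List[int] = []
    for addr in addrs:
        il = llil_at(func, addr)
        if il is None:
            skipped.append(addr)
            continue
        found.append((addr, il.operation))
    return found, skipped


def old_pattern_raises(func, addr: int) -> bool:
    """The pattern from the traceback (`func.get_llil_at(ih.address)`); True if it crashes."""
    try:
        func.get_llil_at(addr)
    except ILException:
        return True
    return False


if __name__ == "__main__":
    timed_out = FakeFunction(analyzed=False)
    print("old pattern crashes:", old_pattern_raises(timed_out, 0x4A6290))
    print("safe pattern:", collect_llil_ops(timed_out, [0x4A6290]))
```

The point of `collect_llil_ops` returning the skipped addresses is observability: when capa quietly loses features for a function that hit the analysis limit, the results are incomplete, and logging how many instructions were skipped per function is what tells an analyst that a miss may be an analysis gap rather than an absent capability.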

Note this is related to but different from https://github.com/mandiant/capa/issues/2249. In #2249, the issue is the function can be analyzed properly, but we are not tracking the total analysis time on it properly, and as a result, it eventually exceeds the analysis time limit and bails out. In this new issue, the function is actually too complex to analyze and it exceeds the analysis time directly.

xusheng6 avatar Dec 03 '24 13:12 xusheng6

@williballenthin please add binja tag on this issue, https://github.com/mandiant/capa/issues/2520, and https://github.com/mandiant/capa/issues/2525

xusheng6 avatar Dec 10 '24 04:12 xusheng6

I believe this has been fixed by https://github.com/Vector35/binaryninja-api/issues/6170#issuecomment-2786352435, but I will need to verify that.

xusheng6 avatar Sep 16 '25 12:09 xusheng6

Did you have a chance to take a look yet?

mr-tz avatar Oct 17 '25 08:10 mr-tz

Did you have a chance to take a look yet?

Not yet, but will do. I believe a fix was already ready, but we have not merged it yet.

xusheng6 avatar Oct 20 '25 08:10 xusheng6

This has been fixed by https://github.com/Vector35/binaryninja-api/issues/6170#issuecomment-2786352435; we can close the issue.

xusheng6 avatar Oct 20 '25 10:10 xusheng6

Thanks!

mr-tz avatar Oct 20 '25 15:10 mr-tz