
Exceptions when run against MIPS64 binaries

Open recvfrom opened this issue 7 years ago • 4 comments

The script has some issues when run against MIPS64 Go binaries:

Trying to determine the Go version from module data:

Traceback (most recent call last):
  File "_ctypes/callbacks.c", line 315, in 'calling callback function'
  File "C:\Program Files\IDA 7.1\python\ida_kernwin.py", line 5840, in helper_cb
    r = self.handler(button_code)
  File "//vmware-host/Shared Folders/vm/IDAGolangHelper-master/go_entry.py", line 51, in OnButton1
    GO_SETTINGS.findModuleData()
  File "//vmware-host/Shared Folders/vm/IDAGolangHelper-master\GO_Utils\__init__.py", line 37, in findModuleData
    fmd = Firstmoduledata.findFirstModuleData(gopcln_addr, self.bt_obj)
  File "//vmware-host/Shared Folders/vm/IDAGolangHelper-master\GO_Utils\Firstmoduledata.py", line 8, in findFirstModuleData
    possible_addr = idautils.XrefsTo(addr).next().frm
  File "C:\Program Files\IDA 7.1\python\idautils.py", line 188, in XrefsTo
    if xref.first_to(ea, flags):
  File "C:\Program Files\IDA 7.1\python\ida_xref.py", line 319, in first_to
    return _ida_xref.xrefblk_t_first_to(self, *args)
TypeError: Expected an ea_t type

Trying to rename functions:

Traceback (most recent call last):
  File "_ctypes/callbacks.c", line 315, in 'calling callback function'
  File "C:\Program Files\IDA 7.1\python\ida_kernwin.py", line 5840, in helper_cb
    r = self.handler(button_code)
  File "//vmware-host/Shared Folders/vm/IDAGolangHelper-master/go_entry.py", line 56, in OnButton3
    GO_SETTINGS.renameFunctions()
  File "//vmware-host/Shared Folders/vm/IDAGolangHelper-master\GO_Utils\__init__.py", line 52, in renameFunctions
    Gopclntab.rename(gopcln_tab, self.bt_obj)
  File "//vmware-host/Shared Folders/vm/IDAGolangHelper-master\GO_Utils\Gopclntab.py", line 30, in rename
    pos = beg + 8 #skip header
TypeError: unsupported operand type(s) for +: 'NoneType' and 'int'

recvfrom avatar Mar 23 '18 22:03 recvfrom

I guess the problem is because of endianness: when I search for gopclntab I try to locate "fb ff ff ff ...", when in MIPS64 this should actually be "ff ff ff fb". I'll fix it tomorrow, I hope.

grokeus avatar Apr 16 '18 19:04 grokeus
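An added example (not IDAGolangHelper's own code) of the endianness-aware magic search described in the comment above, run on constructed byte buffers rather than a real binary. The 8-byte header layout assumed here (magic, two zero pad bytes, quantum, pointer size) is the Go 1.2 to 1.15 pclntab format that the script's "pos = beg + 8 #skip header" line relies on:

```python
import struct

# runtime.pclntab header, Go 1.2 through 1.15 (8 bytes):
#   magic 0xFFFFFFFB (uint32 in the binary's byte order), two zero pad bytes,
#   minLC / "quantum" (uint8), pointer size (uint8).
PCLNTAB_MAGIC = 0xFFFFFFFB
MAGIC_LE = struct.pack("<I", PCLNTAB_MAGIC)  # b"\xfb\xff\xff\xff" (amd64, arm64, ...)
MAGIC_BE = struct.pack(">I", PCLNTAB_MAGIC)  # b"\xff\xff\xff\xfb" (big-endian MIPS64)

def find_gopclntab_le_only(data):
    """Pre-fix behaviour: only the little-endian magic is searched, so a
    big-endian MIPS64 binary yields None and 'beg + 8' raises TypeError."""
    pos = data.find(MAGIC_LE)
    return pos if pos != -1 else None

def find_gopclntab(data):
    """Search for the pclntab header in either byte order and validate the rest
    of the 8-byte header. Returns (offset, endianness, quantum, ptrsize) or None."""
    for magic, endian in ((MAGIC_LE, "<"), (MAGIC_BE, ">")):
        start = 0
        while True:
            pos = data.find(magic, start)
            if pos == -1 or pos + 8 > len(data):
                break
            pad1, pad2, quantum, ptrsize = struct.unpack("4B", data[pos + 4:pos + 8])
            # Reject chance matches on the magic alone: pad bytes must be zero,
            # quantum is the minimum instruction size (1 on x86, 4 on MIPS/ARM/PPC),
            # and the pointer size must be 4 or 8.
            if pad1 == 0 and pad2 == 0 and quantum in (1, 2, 4) and ptrsize in (4, 8):
                return pos, endian, quantum, ptrsize
            start = pos + 1
    return None

# Constructed sample buffers (not real binaries): 16 filler bytes, a header, 8 more bytes.
SAMPLE_AMD64 = b"\x00" * 16 + b"\xfb\xff\xff\xff\x00\x00\x01\x08" + b"\x00" * 8
SAMPLE_MIPS64 = b"\x00" * 16 + b"\xff\xff\xff\xfb\x00\x00\x04\x08" + b"\x00" * 8
# A bogus magic with a non-zero pad byte placed before the real header.
SAMPLE_FALSE_HIT = b"\xfb\xff\xff\xff\x01\x00\x01\x08" + SAMPLE_AMD64

if __name__ == "__main__":
    for name, buf in (("amd64", SAMPLE_AMD64), ("mips64", SAMPLE_MIPS64)):
        print(name, "LE-only:", find_gopclntab_le_only(buf), "both:", find_gopclntab(buf))
```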

Seems to be working now on my hello-world sample binary. Will make some tests on more binaries later.

grokeus avatar Apr 16 '18 20:04 grokeus

Here's the binary I was analyzing (if you create an account you should be able to download the sample):

https://detux.org/report.php?sha256=9d6809571bec7429098bcb7ca0b12f8cb094d9079c6765b10a9c90b881ee9d37

BTW, your scripts were a big help in analyzing this malware! Thank you! https://blog.talosintelligence.com/2018/03/goscanssh-analysis.html

recvfrom avatar Apr 16 '18 20:04 recvfrom

Yes, now the script is able to reconstruct function names in that binary, but it fails at finding moduledata because IDA's analysis doesn't find an xref to gopclntab, so structure recreation won't work until I manually find the moduledata location (0x43bf00) and make a ptr by hand. I will add some additional logic for searching for that ptr.

== That's cool! Initially I started to create these scripts while doing analysis of Linux golang malware like Linux.rex or Linux.lady. Glad to see that it now helps not only me ;)

grokeus avatar Apr 17 '18 06:04 grokeus