popkorn-artifact
How to extend popkorn to support memmove ?
Hi,
First I would like to thank you for sharing your awesome paper & work! I read the last annex D, Case Study II, and tried to add support for memmove: I added the following code to angr_analysis/angr_full_blown.py:
[redacted]
MEMMOVE = False

def check_imports(proj):
    [redacted]
    global MEMMOVE  # without this, the assignment below creates a local and never updates the module-level flag
    # Resolve the memmove symbol through angr's loader and record its rebased address
    mymemmove = proj.loader.find_symbol("memmove")
    if mymemmove:
        print("[+] Found memmove: ", hex(mymemmove.rebased_addr))
        MEMMOVE = True
        import_addr['memmove'] = mymemmove.rebased_addr
    else:
        print("memmove import not found!\n")
Then I ran it on the Dell driver vulnerable to CVE-2021-21551:
$ python3 angr_analysis/angr_full_blown.py datasets/my_dataset/dbutil_2_3.sys
Found WDM driver: 0x100068
Driver DEVICE_NAME: \\\\.\\DBUtil_2_3
Looking for MmMapIoSpace, ZwOpenProcess, ZwMapViewOfSection and memmove Imports..
ZwOpenProcess import not found!
[+] Found MmapIoSpace: 0x100048
ZwMapViewOfSection import not found!
memmove import not found!
DriverObject @ 0x444f0000
[+] Finding the IOCTL Handler.
[redacted]
It didn't find memmove in the imports, so it fails to find the vuln. I opened the driver in GHIDRA; indeed, memmove is not imported.
Did I miss something?
Have a nice day!