From b30221b44f37bcbd76f23a8eba32874a7ec463cf Mon Sep 17 00:00:00 2001
From: VyacheslavIurevich
Date: Thu, 11 Jul 2024 23:19:52 +0300
Subject: [PATCH 1/3] feat: addition of function PLT checker

Signed-off-by: VyacheslavIurevich
---
 src/function_is_plt.py | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 src/function_is_plt.py

diff --git a/src/function_is_plt.py b/src/function_is_plt.py
new file mode 100644
index 0000000..c864c0e
--- /dev/null
+++ b/src/function_is_plt.py
@@ -0,0 +1,26 @@
+'''Check if input function is PLT jump'''
+
+#pylint: disable=wrong-import-order
+import pyhidra # pylint: disable=import-error
+from elftools.elf.elffile import ELFFile # pylint: disable=import-error
+pyhidra.start()
+
+def get_got_bounds(path):
+ '''Get GOT section addresses bounds'''
+ elffile = ELFFile(path)
+ section = elffile.get_section_by_name('.got')
+ return section.header.sh_addr, section.header.sh_addr + section.header.sh_size - 2
+
+def function_is_plt(function, program, path):
+ '''Check if input function is PLT jump'''
+ listing = program.getListing()
+ body = function.getBody()
+ for address in body.getAddresses(True):
+ code_unit = str(listing.getCodeUnitAt(address))
+ if code_unit.startswith("JMP qword ptr"):
+ words = code_unit.split()
+ address_str = words[-1][1:-1] # removing []
+ address = int(address_str, 16)
+ got_start, got_end = get_got_bounds(path)
+ return got_start <= address - 16 ** 5 <= got_end
+ return False

From 3362f6896f21c8f0b18c779bd1af8e9324c22503 Mon Sep 17 00:00:00 2001
From: VyacheslavIurevich
Date: Fri, 12 Jul 2024 09:57:33 +0300
Subject: [PATCH 2/3] feat: addition of image base instead of const

Signed-off-by: VyacheslavIurevich
---
 src/function_is_plt.py | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/function_is_plt.py b/src/function_is_plt.py
index c864c0e..f882fbf 100644
--- a/src/function_is_plt.py
+++ b/src/function_is_plt.py
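Review bot: `get_section_by_name('.got')` in get_got_bounds returns None when the input has no `.got` section (a statically linked or section-header-stripped binary), and the following `section.header` access then fails with an AttributeError instead of a clear error; guard it with `if section is None: raise ValueError(f"no .got section in {path}")`. Depending on link options the GOT slots used by PLT stubs may live in `.got.plt` rather than `.got`, so a stub whose jump targets `.got.plt` would be classified as not-PLT here — worth checking both sections. In function_is_plt, `int(address_str, 16)` is applied to whatever the last token of the listing text is after stripping one character from each end, so a `JMP qword ptr` with a register-relative operand (a constructed example: `[RAX + 0x8]`) raises ValueError instead of returning False; catch ValueError there or match the `[0x...]` form explicitly. The `- 2` in the upper bound returned by get_got_bounds is unexplained; a comment stating what the last valid address is meant to be, or an explicit exclusive bound, would make the intent checkable.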
@@ -7,12 +7,15 @@ def get_got_bounds(path):
 '''Get GOT section addresses bounds'''
- elffile = ELFFile(path)
- section = elffile.get_section_by_name('.got')
- return section.header.sh_addr, section.header.sh_addr + section.header.sh_size - 2
+ with open(path, "rb") as file:
+ elf = ELFFile(file)
+ section = elf.get_section_by_name('.got')
+ return section.header.sh_addr, section.header.sh_addr + section.header.sh_size - 2
-def function_is_plt(function, program, path):
+def function_is_plt(function, path):
 '''Check if input function is PLT jump'''
+ program = function.getProgram()
+ image_base = int(str(program.getImageBase()), 16)
 listing = program.getListing()
 body = function.getBody()
 for address in body.getAddresses(True):
@@ -22,5 +25,5 @@ def function_is_plt(function, program, path):
 address_str = words[-1][1:-1] # removing []
 address = int(address_str, 16)
 got_start, got_end = get_got_bounds(path)
- return got_start <= address - 16 ** 5 <= got_end
+ return got_start <= address - image_base <= got_end
 return False

From fbf6e95e670fa91f803d31396c15652c4ce520de Mon Sep 17 00:00:00 2001
From: VyacheslavIurevich
Date: Fri, 12 Jul 2024 10:03:20 +0300
Subject: [PATCH 3/3] fix: move GOT bounds parsing out of cycle

Signed-off-by: VyacheslavIurevich
---
 src/function_is_plt.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/function_is_plt.py b/src/function_is_plt.py
index f882fbf..0b67932 100644
--- a/src/function_is_plt.py
+++ b/src/function_is_plt.py
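Review bot: `address - image_base` assumes the ELF's link-time `sh_addr` values are relative to the Ghidra image base, which holds for a PIE or shared object loaded at a chosen base but not necessarily for a non-PIE executable whose loader base equals its link-time address, where the subtraction would compare an offset against an absolute address; confirm against both kinds of sample before relying on it (the same expression is the changed line in the second hunk of this patch). `int(str(program.getImageBase()), 16)` round-trips a Ghidra address through its string form, so the result depends on the listing's address formatting; `image_base = program.getImageBase().getOffset()` gives the numeric value directly. `path` and `program` now both identify the binary, so a caller can hand in a file other than the one loaded in Ghidra; document that `path` must be the program's own executable, or derive it from `program.getExecutablePath()`. The `with` block in get_got_bounds is a good change but does not cover the case where `get_section_by_name` returns None, which still raises AttributeError. function_is_plt starts inside this hunk and its body continues past it.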
@@ -18,12 +18,12 @@ def function_is_plt(function, path):
 image_base = int(str(program.getImageBase()), 16)
 listing = program.getListing()
 body = function.getBody()
+ got_start, got_end = get_got_bounds(path)
 for address in body.getAddresses(True):
 code_unit = str(listing.getCodeUnitAt(address))
 if code_unit.startswith("JMP qword ptr"):
 words = code_unit.split()
 address_str = words[-1][1:-1] # removing []
 address = int(address_str, 16)
- got_start, got_end = get_got_bounds(path)
 return got_start <= address - image_base <= got_end
 return False
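Review bot: The loop still walks `body.getAddresses(True)`, i.e. every byte address in the function, and calls `getCodeUnitAt` once per byte, so a multi-byte instruction is fetched and stringified several times; iterating instructions directly, `for instruction in listing.getInstructions(body, True):` with `code_unit = str(instruction)`, visits each code unit once and makes the intent plain. Rebinding the loop variable in `address = int(address_str, 16)` reads as if the jump target replaced the current address; a separate name such as `target` in that line and in the return expression would be clearer. With the hoisted call, every invocation now reopens and reparses the ELF even for a function with no `JMP`; if this runs once per function across a program, taking the bounds as a parameter or caching them per path would avoid the repeated parse. function_is_plt starts outside this hunk.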