reiat.py - 0.5 version

An updated version of reiat.py has been pushed to it's repo. For more information about reiat.py please see the following link. A couple of new features have been added. The first feature is a simple window/viewer. An example can be seen above. The address on the left is where GetProcAddress is originally called. The orange strings are the API names( lpProcName) passed to GetProcAddress. The third column is the addresses of the last reference to the returned values and the fourth row is the type. The type can be one of four values. If the address is saved at a dword address mov  ds:NSSBase64_DecodeBuffer, eax it will have an xref type. If the address of an API is called  call    edi   ;  MiniDumpWriteDump it will have a type of call. If the address is saved to an array or some other register + offset the type will be the register values. An example can be seen below of this type.


"Type" is probably not the best term/description... The last type will be None if the trace of the variables failed. Another feature is all of the data is stored in a list of tuples called log.
The format is the same as the output window (address, string, address, my_type). A couple of bug fixes were also added. An interesting bug was to relying on FUNCATTR_END for testing boundaries of the end of a function. This approach is flawed when dealing with obfuscated code that jumps around. Calling funcAddress = list(FuncItems(address)) and then checking if an address is in the list is a more accurate approach. Code changes.

I'd still like to add a couple of more features. Ashutosh Mehra mentioned some issues around the use of EncodePointer. Simple scenarios are not that hard but anytime more functions or APIs calls are added to flow tracing logic things get complicated quickly. Also, it would be cool to solve this problem. I tried some approaches of adding sections and patching the IDB but I was unsuccessful. If you have an ideas, comments or find bugs please send me an email or ping me on Twitter.

Note:
Most of window/viewer code came from the post Extending IDA with Custom Viewers. There are a lot of great post on the MindShaRE blog. I'd highly recommend reading through them if you haven't already.

No comments:

Post a Comment

Post a Comment