ida-explorer: replace deprecated IDA API find_binary with bin_search #2011

Merged
merged 7 commits into from
Mar 11, 2024
Conversation

fariss
Collaborator

@fariss fariss commented Feb 24, 2024

This change closes #1606 by replacing the deprecated IDA API find_binary with bin_search.

Checklist

  • No CHANGELOG update needed
  • No new tests needed
  • No documentation update needed

@fariss fariss changed the title Replace deprecated search api ida-explorer: replace deprecated IDA API find_binary with bin_search Feb 24, 2024
@fariss fariss marked this pull request as ready for review February 24, 2024 20:06
Collaborator

@mike-hunhoff mike-hunhoff left a comment

Thank you @s-ff! This looks great so far; I’ve left comments for you to address. No need for a new PR - push changes to this existing PR (CI runs with each push). Also, please locally execute and post here the results of running our IDA test script. Let us know here if you have any questions about running our IDA test script.

@fariss
Collaborator Author

fariss commented Feb 28, 2024

Hi @mike-hunhoff,

I have run the test_ida_features.py test script using the following steps:

  1. From my repo, I ran pip install . to install flare-capa with my changes.
  2. Copied capa_explorer.py to the IDA plugins folder.
  3. With the target test file mimikatz.exe_ loaded in IDA, I ran the script using File > Script file... (or Alt+F7).

Here is the output of the test:
Python>
--------------------------------------------------------------------------------
PASS: test_ida_feature_counts/mimikatz-function=0x40E5C2-basic block-7
PASS: test_ida_feature_counts/mimikatz-function=0x4702FD-characteristic(calls from)-0
PASS: test_ida_feature_counts/mimikatz-function=0x40E5C2-characteristic(calls from)-3
PASS: test_ida_feature_counts/mimikatz-function=0x4556E5-characteristic(calls to)-0
PASS: test_ida_feature_counts/mimikatz-function=0x40B1F1-characteristic(calls to)-3
SKIP: test_ida_features/294b8d...-function=0x404970,bb=0x404970,insn=0x40499F-string(\r\n\x00:ht)-False
SKIP: test_ida_features/64d9f-function=0x10001510,bb=0x100015B0-offset(0x4000)-True
SKIP: test_ida_features/7351f.elf-file-os(linux)-True
SKIP: test_ida_features/7351f.elf-file-os(windows)-False
SKIP: test_ida_features/7351f.elf-file-format(elf)-True
SKIP: test_ida_features/7351f.elf-file-format(pe)-False
SKIP: test_ida_features/7351f.elf-file-arch(i386)-False
SKIP: test_ida_features/7351f.elf-file-arch(amd64)-True
SKIP: test_ida_features/7351f.elf-function=0x408753-string(/dev/null)-True
SKIP: test_ida_features/7351f.elf-function=0x408753,bb=0x408781-api(open)-True
SKIP: test_ida_features/773290...-function=0x140001140-string(%s:\\\\OfficePackagesForWDAG)-True
SKIP: test_ida_features/79abd...-function=0x10002385,bb=0x10002385-characteristic(call $+5)-True
SKIP: test_ida_features/946a9...-function=0x10001510,bb=0x100015c0-characteristic(call $+5)-True
SKIP: test_ida_features/a1982...-function=0x4014D0-characteristic(cross section flow)-True
SKIP: test_ida_features/al-khaser x64-function=0x14004B4F0-api(__vcrt_GetModuleHandle)-True
SKIP: test_ida_features/c91887...-function=0x40156F-api(CloseClipboard)-True
SKIP: test_ida_features/c91887...-function=0x401A77-api(kernel32.CreatePipe)-False
SKIP: test_ida_features/c91887...-function=0x401A77-api(kernel32.SetHandleInformation)-False
SKIP: test_ida_features/c91887...-function=0x401A77-api(kernel32.CloseHandle)-False
SKIP: test_ida_features/c91887...-function=0x401A77-api(kernel32.WriteFile)-False
SKIP: test_ida_features/c91887...-function=0x401A77-api(CreatePipe)-True
SKIP: test_ida_features/c91887...-function=0x401A77-api(SetHandleInformation)-True
SKIP: test_ida_features/c91887...-function=0x401A77-api(CloseHandle)-True
SKIP: test_ida_features/c91887...-function=0x401A77-api(WriteFile)-True
SKIP: test_ida_features/ea2876-file-export(vresion.GetFileVersionInfoA)-True
SKIP: test_ida_features/ea2876-file-characteristic(forwarded export)-True
SKIP: test_ida_features/kernel32-file-export(BaseThreadInitThunk)-True
SKIP: test_ida_features/kernel32-file-export(lstrlenW)-True
SKIP: test_ida_features/kernel32-file-export(nope)-False
SKIP: test_ida_features/kernel32-64-function=0x180001010-api(RtlVirtualUnwind)-True
SKIP: test_ida_features/kernel32-64-function=0x180001010-api(RtlVirtualUnwind)-True
SKIP: test_ida_features/kernel32-64-function=0x180001068-characteristic(gs access)-True
SKIP: test_ida_features/kernel32-64-function=0x180001068-characteristic(cross section flow)-False
SKIP: test_ida_features/kernel32-64-function=0x1800017D0-characteristic(peb access)-True
SKIP: test_ida_features/kernel32-64-function=0x1800202B0-api(RtlCaptureContext)-True
SKIP: test_ida_features/kernel32-64-function=0x1800202B0-api(RtlCaptureContext)-True
PASS: test_ida_features/mimikatz-file-string(SCardControl)-True
PASS: test_ida_features/mimikatz-file-string(SCardTransmit)-True
PASS: test_ida_features/mimikatz-file-string(ACR  > )-True
PASS: test_ida_features/mimikatz-file-string(nope)-False
PASS: test_ida_features/mimikatz-file-section(.text)-True
PASS: test_ida_features/mimikatz-file-section(.nope)-False
PASS: test_ida_features/mimikatz-file-import(advapi32.CryptSetHashParam)-True
PASS: test_ida_features/mimikatz-file-import(CryptSetHashParam)-True
PASS: test_ida_features/mimikatz-file-import(kernel32.IsWow64Process)-True
PASS: test_ida_features/mimikatz-file-import(IsWow64Process)-True
PASS: test_ida_features/mimikatz-file-import(msvcrt.exit)-True
PASS: test_ida_features/mimikatz-file-import(cabinet.#11)-True
PASS: test_ida_features/mimikatz-file-import(#11)-False
PASS: test_ida_features/mimikatz-file-import(#nope)-False
PASS: test_ida_features/mimikatz-file-import(nope)-False
PASS: test_ida_features/mimikatz-file-import(advapi32.CryptAcquireContextW)-True
PASS: test_ida_features/mimikatz-file-import(advapi32.CryptAcquireContext)-True
PASS: test_ida_features/mimikatz-file-import(CryptAcquireContextW)-True
PASS: test_ida_features/mimikatz-file-import(CryptAcquireContext)-True
PASS: test_ida_features/mimikatz-file-os(windows)-True
PASS: test_ida_features/mimikatz-file-arch(i386)-True
PASS: test_ida_features/mimikatz-file-format(pe)-True
PASS: test_ida_features/mimikatz-function=0x401000-characteristic(loop)-False
PASS: test_ida_features/mimikatz-function=0x401000-characteristic(tight loop)-False
PASS: test_ida_features/mimikatz-function=0x401000-characteristic(stack string)-False
PASS: test_ida_features/mimikatz-function=0x401000-number(0x0)-True
PASS: test_ida_features/mimikatz-function=0x401000-bytes(FD FF 59 F6 47)-False
PASS: test_ida_features/mimikatz-function=0x401000,bb=0x401000-characteristic(tight loop)-False
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(push)-True
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(movzx)-True
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(xor)-True
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(in)-False
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(out)-False
PASS: test_ida_features/mimikatz-function=0x40105D-number(0xFF)-True
PASS: test_ida_features/mimikatz-function=0x40105D-number(0x3136B0)-True
PASS: test_ida_features/mimikatz-function=0x40105D-number(0xC)-False
PASS: test_ida_features/mimikatz-function=0x40105D-number(0x10)-False
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0x0)-True
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0x4)-True
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0xC)-True
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0x8)-False
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0x10)-False
PASS: test_ida_features/mimikatz-function=0x40105D-string(SCardControl)-True
PASS: test_ida_features/mimikatz-function=0x40105D-string(SCardTransmit)-True
PASS: test_ida_features/mimikatz-function=0x40105D-string(ACR  > )-True
PASS: test_ida_features/mimikatz-function=0x40105D-string(nope)-False
PASS: test_ida_features/mimikatz-function=0x40105D-bytes(53 00 43 00 61 00 72 00 64 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00)-False
PASS: test_ida_features/mimikatz-function=0x40105D-bytes(53 00 43 00 61 00 72 00 64 00 54 00 72 00 61 00 6E 00 73 00 6D 00 69 00 74 00)-False
PASS: test_ida_features/mimikatz-function=0x40105D-bytes(41 00 43 00 52 00 20 00 20 00 3E 00 20 00)-False
PASS: test_ida_features/mimikatz-function=0x40105D-bytes(6E 6F 70 65)-False
PASS: test_ida_features/mimikatz-function=0x40105D-characteristic(nzxor)-False
PASS: test_ida_features/mimikatz-function=0x40105D-characteristic(calls to)-True
PASS: test_ida_features/mimikatz-function=0x40105D-os(windows)-True
PASS: test_ida_features/mimikatz-function=0x40105D-arch(i386)-True
PASS: test_ida_features/mimikatz-function=0x40105D,bb=0x401073-operand[1].number(0xFF)-True
PASS: test_ida_features/mimikatz-function=0x40105D,bb=0x401073-operand[0].number(0xFF)-False
PASS: test_ida_features/mimikatz-function=0x40105D,bb=0x4010B0-operand[0].offset(0x4)-True
PASS: test_ida_features/mimikatz-function=0x40105D,bb=0x4010B0-operand[1].offset(0x4)-False
PASS: test_ida_features/mimikatz-function=0x4011FB-offset(-0x1)-True
PASS: test_ida_features/mimikatz-function=0x4011FB-offset(-0x2)-True
PASS: test_ida_features/mimikatz-function=0x401517-characteristic(loop)-True
PASS: test_ida_features/mimikatz-function=0x401517-bytes(CA 3B 0E 00 00 00 F8 AF 47)-True
PASS: test_ida_features/mimikatz-function=0x401553-number(0xFFFFFFFF)-True
PASS: test_ida_features/mimikatz-function=0x401873,bb=0x4018B2,insn=0x4018C0-number(0x2)-True
PASS: test_ida_features/mimikatz-function=0x401CC7,bb=0x401CDE,insn=0x401CF6-offset(0x10)-False
PASS: test_ida_features/mimikatz-function=0x401D64,bb=0x401D73,insn=0x401D85-offset(0x80000000)-False
PASS: test_ida_features/mimikatz-function=0x402203,bb=0x402221,insn=0x40223C-offset(0x4)-True
PASS: test_ida_features/mimikatz-function=0x402EC4-characteristic(tight loop)-True
PASS: test_ida_features/mimikatz-function=0x402EC4,bb=0x402F8E-characteristic(tight loop)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptAcquireContextW)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptAcquireContext)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptGenKey)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptImportKey)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptDestroyKey)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptAcquireContextW)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptAcquireContext)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptGenKey)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptImportKey)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptDestroyKey)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(Nope)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.Nope)-False
PASS: test_ida_features/mimikatz-function=0x404414-bytes(01 80 00 00 40 EA 47 00)-True
PASS: test_ida_features/mimikatz-function=0x40640e-characteristic(recursive call)-True
PASS: test_ida_features/mimikatz-function=0x40B3C6-api(LocalFree)-True
PASS: test_ida_features/mimikatz-function=0x410DFC-characteristic(nzxor)-True
PASS: test_ida_features/mimikatz-function=0x410dfc-characteristic(nzxor)-True
PASS: test_ida_features/mimikatz-function=0x4175FF-characteristic(recursive call)-False
PASS: test_ida_features/mimikatz-function=0x4175FF-characteristic(indirect call)-True
PASS: test_ida_features/mimikatz-function=0x43e543-number(0xFFFFFFF0)-True
PASS: test_ida_features/mimikatz-function=0x44570F-bytes(FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF)-False
PASS: test_ida_features/mimikatz-function=0x44EDEF-string(INPUTEVENT)-True
PASS: test_ida_features/mimikatz-function=0x44EDEF-bytes(49 00 4E 00 50 00 55 00 54 00 45 00 56 00 45 00 4E 00 54 00)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(stack string)-True
PASS: test_ida_features/mimikatz-function=0x4556E5-api(advapi32.LsaQueryInformationPolicy)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-api(LsaQueryInformationPolicy)-True
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(peb access)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(gs access)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(cross section flow)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(indirect call)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(calls from)-True
PASS: test_ida_features/mimikatz-function=0x456BB9-characteristic(calls to)-False
PASS: test_ida_features/mimikatz-function=0x456BB9-format(pe)-True
PASS: test_ida_features/mimikatz-function=0x46D534-characteristic(nzxor)-False
PASS: test_ida_features/mimikatz-function=0x46D6CE-string((null))-True
PASS: test_ida_features/mimikatz-function=0x4702FD-characteristic(calls from)-False
PASS: test_ida_features/mimikatz-function=0x47153B,bb=0x4717AB,insn=0x4717B1-number(-0x30)-False
PASS: test_ida_features/mimikatz-function=0x471EAB,bb=0x471ED8,insn=0x471EE6-number(0x4)-False
SKIP: test_ida_features/pma12-04-file-characteristic(embedded pe)-True
SKIP: test_ida_features/pma16-01-file-function-name(__aulldiv)-True
SKIP: test_ida_features/pma16-01-file-os(windows)-True
SKIP: test_ida_features/pma16-01-file-os(linux)-False
SKIP: test_ida_features/pma16-01-file-arch(i386)-True
SKIP: test_ida_features/pma16-01-file-arch(amd64)-False
SKIP: test_ida_features/pma16-01-file-format(pe)-True
SKIP: test_ida_features/pma16-01-file-format(elf)-False
SKIP: test_ida_features/pma16-01-function=0x4021B0-regex(string =~ HTTP/1.0)-True
SKIP: test_ida_features/pma16-01-function=0x402F40-regex(string =~ www.practicalmalwareanalysis.com)-True
SKIP: test_ida_features/pma16-01-function=0x402F40-substring(practicalmalwareanalysis.com)-True
SKIP: test_ida_features/pma16-01-function=0x404356-os(windows)-True
SKIP: test_ida_features/pma16-01-function=0x404356-arch(i386)-True
SKIP: test_ida_features/pma16-01-function=0x404356-format(pe)-True
SKIP: test_ida_features/pma16-01-function=0x404356,bb=0x4043B9-os(windows)-True
SKIP: test_ida_features/pma16-01-function=0x404356,bb=0x4043B9-arch(i386)-True
PASS: test_ida_features/mimikatz-file-import(cabinet.FCIAddFile)-True
DONE

Comment on lines 30 to 31
patterns = ida_bytes.compiled_binpat_vec_t()
encoding = ida_nalt.get_default_encoding_idx(ida_nalt.BPU_1B)
Collaborator

find_byte_sequence may be called many times. Can we move the initialization of patterns and encoding to the beginning of the file at the global scope so they are only called once? If so, while making this change let's update their names to be more descriptive, e.g. IDA_BYTES_PATTERNS and IDA_NALT_ENCODING.

Collaborator Author

@fariss fariss Mar 1, 2024

As requested, I have declared the global variables for reuse.

Collaborator

@mike-hunhoff mike-hunhoff Mar 1, 2024

@s-ff please confirm that both of these can be reused without needing to reinitialize before each use.

@fariss fariss requested a review from mike-hunhoff March 1, 2024 07:24
Collaborator

@mike-hunhoff mike-hunhoff left a comment

Please confirm that IDA_BYTES_PATTERNS can be reused as it appears that ida_bytes.parse_bin_pat_str modifies it when called.

@fariss
Collaborator Author

fariss commented Mar 10, 2024

Hi @mike-hunhoff,

Good point - ida_bytes.parse_bin_pat_str does indeed change the first input passed to it. Thus, it doesn't make sense to declare a global variable IDA_BYTES_PATTERNS. On the other hand, ida_nalt.get_default_encoding_idx(ida_nalt.BPU_1B) could be used as a global variable for reuse.

Here is a snippet demonstrating this case: [image]

Here is the output of the test:
--------------------------------------------------------------------------------
PASS: test_ida_feature_counts/mimikatz-function=0x40E5C2-basic block-7
PASS: test_ida_feature_counts/mimikatz-function=0x4702FD-characteristic(calls from)-0
PASS: test_ida_feature_counts/mimikatz-function=0x40E5C2-characteristic(calls from)-3
PASS: test_ida_feature_counts/mimikatz-function=0x4556E5-characteristic(calls to)-0
PASS: test_ida_feature_counts/mimikatz-function=0x40B1F1-characteristic(calls to)-3
SKIP: test_ida_features/294b8d...-function=0x404970,bb=0x404970,insn=0x40499F-string(\r\n\x00:ht)-False
SKIP: test_ida_features/64d9f-function=0x10001510,bb=0x100015B0-offset(0x4000)-True
SKIP: test_ida_features/7351f.elf-file-os(linux)-True
SKIP: test_ida_features/7351f.elf-file-os(windows)-False
SKIP: test_ida_features/7351f.elf-file-format(elf)-True
SKIP: test_ida_features/7351f.elf-file-format(pe)-False
SKIP: test_ida_features/7351f.elf-file-arch(i386)-False
SKIP: test_ida_features/7351f.elf-file-arch(amd64)-True
SKIP: test_ida_features/7351f.elf-function=0x408753-string(/dev/null)-True
SKIP: test_ida_features/7351f.elf-function=0x408753,bb=0x408781-api(open)-True
SKIP: test_ida_features/773290...-function=0x140001140-string(%s:\\\\OfficePackagesForWDAG)-True
SKIP: test_ida_features/79abd...-function=0x10002385,bb=0x10002385-characteristic(call $+5)-True
SKIP: test_ida_features/946a9...-function=0x10001510,bb=0x100015c0-characteristic(call $+5)-True
SKIP: test_ida_features/a1982...-function=0x4014D0-characteristic(cross section flow)-True
SKIP: test_ida_features/al-khaser x64-function=0x14004B4F0-api(__vcrt_GetModuleHandle)-True
SKIP: test_ida_features/c91887...-function=0x40156F-api(CloseClipboard)-True
SKIP: test_ida_features/c91887...-function=0x401A77-api(kernel32.CreatePipe)-False
SKIP: test_ida_features/c91887...-function=0x401A77-api(kernel32.SetHandleInformation)-False
SKIP: test_ida_features/c91887...-function=0x401A77-api(kernel32.CloseHandle)-False
SKIP: test_ida_features/c91887...-function=0x401A77-api(kernel32.WriteFile)-False
SKIP: test_ida_features/c91887...-function=0x401A77-api(CreatePipe)-True
SKIP: test_ida_features/c91887...-function=0x401A77-api(SetHandleInformation)-True
SKIP: test_ida_features/c91887...-function=0x401A77-api(CloseHandle)-True
SKIP: test_ida_features/c91887...-function=0x401A77-api(WriteFile)-True
SKIP: test_ida_features/ea2876-file-export(vresion.GetFileVersionInfoA)-True
SKIP: test_ida_features/ea2876-file-characteristic(forwarded export)-True
SKIP: test_ida_features/kernel32-file-export(BaseThreadInitThunk)-True
SKIP: test_ida_features/kernel32-file-export(lstrlenW)-True
SKIP: test_ida_features/kernel32-file-export(nope)-False
SKIP: test_ida_features/kernel32-64-function=0x180001010-api(RtlVirtualUnwind)-True
SKIP: test_ida_features/kernel32-64-function=0x180001010-api(RtlVirtualUnwind)-True
SKIP: test_ida_features/kernel32-64-function=0x180001068-characteristic(gs access)-True
SKIP: test_ida_features/kernel32-64-function=0x180001068-characteristic(cross section flow)-False
SKIP: test_ida_features/kernel32-64-function=0x1800017D0-characteristic(peb access)-True
SKIP: test_ida_features/kernel32-64-function=0x1800202B0-api(RtlCaptureContext)-True
SKIP: test_ida_features/kernel32-64-function=0x1800202B0-api(RtlCaptureContext)-True
PASS: test_ida_features/mimikatz-file-string(SCardControl)-True
PASS: test_ida_features/mimikatz-file-string(SCardTransmit)-True
PASS: test_ida_features/mimikatz-file-string(ACR  > )-True
PASS: test_ida_features/mimikatz-file-string(nope)-False
PASS: test_ida_features/mimikatz-file-section(.text)-True
PASS: test_ida_features/mimikatz-file-section(.nope)-False
PASS: test_ida_features/mimikatz-file-import(advapi32.CryptSetHashParam)-True
PASS: test_ida_features/mimikatz-file-import(CryptSetHashParam)-True
PASS: test_ida_features/mimikatz-file-import(kernel32.IsWow64Process)-True
PASS: test_ida_features/mimikatz-file-import(IsWow64Process)-True
PASS: test_ida_features/mimikatz-file-import(msvcrt.exit)-True
PASS: test_ida_features/mimikatz-file-import(cabinet.#11)-True
PASS: test_ida_features/mimikatz-file-import(#11)-False
PASS: test_ida_features/mimikatz-file-import(#nope)-False
PASS: test_ida_features/mimikatz-file-import(nope)-False
PASS: test_ida_features/mimikatz-file-import(advapi32.CryptAcquireContextW)-True
PASS: test_ida_features/mimikatz-file-import(advapi32.CryptAcquireContext)-True
PASS: test_ida_features/mimikatz-file-import(CryptAcquireContextW)-True
PASS: test_ida_features/mimikatz-file-import(CryptAcquireContext)-True
PASS: test_ida_features/mimikatz-file-os(windows)-True
PASS: test_ida_features/mimikatz-file-arch(i386)-True
PASS: test_ida_features/mimikatz-file-format(pe)-True
PASS: test_ida_features/mimikatz-function=0x401000-characteristic(loop)-False
PASS: test_ida_features/mimikatz-function=0x401000-characteristic(tight loop)-False
PASS: test_ida_features/mimikatz-function=0x401000-characteristic(stack string)-False
PASS: test_ida_features/mimikatz-function=0x401000-number(0x0)-True
PASS: test_ida_features/mimikatz-function=0x401000-bytes(FD FF 59 F6 47)-False
PASS: test_ida_features/mimikatz-function=0x401000,bb=0x401000-characteristic(tight loop)-False
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(push)-True
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(movzx)-True
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(xor)-True
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(in)-False
PASS: test_ida_features/mimikatz-function=0x40105D-mnemonic(out)-False
PASS: test_ida_features/mimikatz-function=0x40105D-number(0xFF)-True
PASS: test_ida_features/mimikatz-function=0x40105D-number(0x3136B0)-True
PASS: test_ida_features/mimikatz-function=0x40105D-number(0xC)-False
PASS: test_ida_features/mimikatz-function=0x40105D-number(0x10)-False
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0x0)-True
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0x4)-True
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0xC)-True
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0x8)-False
PASS: test_ida_features/mimikatz-function=0x40105D-offset(0x10)-False
PASS: test_ida_features/mimikatz-function=0x40105D-string(SCardControl)-True
PASS: test_ida_features/mimikatz-function=0x40105D-string(SCardTransmit)-True
PASS: test_ida_features/mimikatz-function=0x40105D-string(ACR  > )-True
PASS: test_ida_features/mimikatz-function=0x40105D-string(nope)-False
PASS: test_ida_features/mimikatz-function=0x40105D-bytes(53 00 43 00 61 00 72 00 64 00 43 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00)-False
PASS: test_ida_features/mimikatz-function=0x40105D-bytes(53 00 43 00 61 00 72 00 64 00 54 00 72 00 61 00 6E 00 73 00 6D 00 69 00 74 00)-False
PASS: test_ida_features/mimikatz-function=0x40105D-bytes(41 00 43 00 52 00 20 00 20 00 3E 00 20 00)-False
PASS: test_ida_features/mimikatz-function=0x40105D-bytes(6E 6F 70 65)-False
PASS: test_ida_features/mimikatz-function=0x40105D-characteristic(nzxor)-False
PASS: test_ida_features/mimikatz-function=0x40105D-characteristic(calls to)-True
PASS: test_ida_features/mimikatz-function=0x40105D-os(windows)-True
PASS: test_ida_features/mimikatz-function=0x40105D-arch(i386)-True
PASS: test_ida_features/mimikatz-function=0x40105D,bb=0x401073-operand[1].number(0xFF)-True
PASS: test_ida_features/mimikatz-function=0x40105D,bb=0x401073-operand[0].number(0xFF)-False
PASS: test_ida_features/mimikatz-function=0x40105D,bb=0x4010B0-operand[0].offset(0x4)-True
PASS: test_ida_features/mimikatz-function=0x40105D,bb=0x4010B0-operand[1].offset(0x4)-False
PASS: test_ida_features/mimikatz-function=0x4011FB-offset(-0x1)-True
PASS: test_ida_features/mimikatz-function=0x4011FB-offset(-0x2)-True
PASS: test_ida_features/mimikatz-function=0x401517-characteristic(loop)-True
PASS: test_ida_features/mimikatz-function=0x401517-bytes(CA 3B 0E 00 00 00 F8 AF 47)-True
PASS: test_ida_features/mimikatz-function=0x401553-number(0xFFFFFFFF)-True
PASS: test_ida_features/mimikatz-function=0x401873,bb=0x4018B2,insn=0x4018C0-number(0x2)-True
PASS: test_ida_features/mimikatz-function=0x401CC7,bb=0x401CDE,insn=0x401CF6-offset(0x10)-False
PASS: test_ida_features/mimikatz-function=0x401D64,bb=0x401D73,insn=0x401D85-offset(0x80000000)-False
PASS: test_ida_features/mimikatz-function=0x402203,bb=0x402221,insn=0x40223C-offset(0x4)-True
PASS: test_ida_features/mimikatz-function=0x402EC4-characteristic(tight loop)-True
PASS: test_ida_features/mimikatz-function=0x402EC4,bb=0x402F8E-characteristic(tight loop)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptAcquireContextW)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptAcquireContext)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptGenKey)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptImportKey)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.CryptDestroyKey)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptAcquireContextW)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptAcquireContext)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptGenKey)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptImportKey)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(CryptDestroyKey)-True
PASS: test_ida_features/mimikatz-function=0x403BAC-api(Nope)-False
PASS: test_ida_features/mimikatz-function=0x403BAC-api(advapi32.Nope)-False
PASS: test_ida_features/mimikatz-function=0x404414-bytes(01 80 00 00 40 EA 47 00)-True
PASS: test_ida_features/mimikatz-function=0x40640e-characteristic(recursive call)-True
PASS: test_ida_features/mimikatz-function=0x40B3C6-api(LocalFree)-True
PASS: test_ida_features/mimikatz-function=0x410DFC-characteristic(nzxor)-True
PASS: test_ida_features/mimikatz-function=0x410dfc-characteristic(nzxor)-True
PASS: test_ida_features/mimikatz-function=0x4175FF-characteristic(recursive call)-False
PASS: test_ida_features/mimikatz-function=0x4175FF-characteristic(indirect call)-True
PASS: test_ida_features/mimikatz-function=0x43e543-number(0xFFFFFFF0)-True
PASS: test_ida_features/mimikatz-function=0x44570F-bytes(FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF)-False
PASS: test_ida_features/mimikatz-function=0x44EDEF-string(INPUTEVENT)-True
PASS: test_ida_features/mimikatz-function=0x44EDEF-bytes(49 00 4E 00 50 00 55 00 54 00 45 00 56 00 45 00 4E 00 54 00)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(stack string)-True
PASS: test_ida_features/mimikatz-function=0x4556E5-api(advapi32.LsaQueryInformationPolicy)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-api(LsaQueryInformationPolicy)-True
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(peb access)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(gs access)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(cross section flow)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(indirect call)-False
PASS: test_ida_features/mimikatz-function=0x4556E5-characteristic(calls from)-True
PASS: test_ida_features/mimikatz-function=0x456BB9-characteristic(calls to)-False
PASS: test_ida_features/mimikatz-function=0x456BB9-format(pe)-True
PASS: test_ida_features/mimikatz-function=0x46D534-characteristic(nzxor)-False
PASS: test_ida_features/mimikatz-function=0x46D6CE-string((null))-True
PASS: test_ida_features/mimikatz-function=0x4702FD-characteristic(calls from)-False
PASS: test_ida_features/mimikatz-function=0x47153B,bb=0x4717AB,insn=0x4717B1-number(-0x30)-False
PASS: test_ida_features/mimikatz-function=0x471EAB,bb=0x471ED8,insn=0x471EE6-number(0x4)-False
SKIP: test_ida_features/pma12-04-file-characteristic(embedded pe)-True
SKIP: test_ida_features/pma16-01-file-function-name(__aulldiv)-True
SKIP: test_ida_features/pma16-01-file-os(windows)-True
SKIP: test_ida_features/pma16-01-file-os(linux)-False
SKIP: test_ida_features/pma16-01-file-arch(i386)-True
SKIP: test_ida_features/pma16-01-file-arch(amd64)-False
SKIP: test_ida_features/pma16-01-file-format(pe)-True
SKIP: test_ida_features/pma16-01-file-format(elf)-False
SKIP: test_ida_features/pma16-01-function=0x4021B0-regex(string =~ HTTP/1.0)-True
SKIP: test_ida_features/pma16-01-function=0x402F40-regex(string =~ www.practicalmalwareanalysis.com)-True
SKIP: test_ida_features/pma16-01-function=0x402F40-substring(practicalmalwareanalysis.com)-True
SKIP: test_ida_features/pma16-01-function=0x404356-os(windows)-True
SKIP: test_ida_features/pma16-01-function=0x404356-arch(i386)-True
SKIP: test_ida_features/pma16-01-function=0x404356-format(pe)-True
SKIP: test_ida_features/pma16-01-function=0x404356,bb=0x4043B9-os(windows)-True
SKIP: test_ida_features/pma16-01-function=0x404356,bb=0x4043B9-arch(i386)-True
PASS: test_ida_features/mimikatz-file-import(cabinet.FCIAddFile)-True
DONE

Please let me know if you need anything else before you merge this.
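
The two comments above (the request to hoist the pattern vector and encoding index to globals, and the finding that the parse call appends into the vector it is given, so only the encoding index can safely be shared) are easiest to see with a runnable model. The block below is an added example and is not capa's code nor the IDA API: the real calls (`ida_bytes.bin_search` and the pattern parser, assumed here to be spelled `parse_binpat_str` in the IDA Python bindings, which the thread spells `parse_bin_pat_str`) need a live database, so the same out-parameter and search-all-patterns semantics are re-implemented over a plain byte buffer. The sample buffer, the `??` wildcard syntax, and the find-all loop shape are constructed assumptions for the demonstration.

```python
"""Added example (not capa or IDA code): a pure-Python model of the
parse_binpat_str / bin_search out-parameter semantics discussed above."""
from typing import Iterator, List, Optional, Tuple

# One compiled pattern: (expected bytes, mask); mask 0xFF = byte must match,
# mask 0x00 = wildcard.  Stands in for an entry of IDA's compiled_binpat_vec_t.
CompiledPattern = Tuple[bytes, bytes]

# Constructed sample "code": push ebp / mov ebp,esp / call +0x1000 / pop ebp / ret / call +0x2000
SAMPLE = bytes.fromhex("55 8b ec e8 00 10 00 00 5d c3 e8 00 20 00 00")


def parse_binpat_str(out: List[CompiledPattern], pattern: str) -> bool:
    """Compile a space-separated hex pattern ("e8 ?? ?? ?? ??") and APPEND it to `out`.

    Appending rather than replacing is the behaviour the review thread relies on:
    a vector reused across calls keeps every pattern ever parsed into it.
    Returns False (and leaves `out` untouched) on an empty or malformed pattern.
    """
    data, mask = bytearray(), bytearray()
    for tok in pattern.split():
        if tok in ("?", "??"):
            data.append(0x00)
            mask.append(0x00)
        elif len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            data.append(int(tok, 16))
            mask.append(0xFF)
        else:
            return False
    if not data:
        return False
    out.append((bytes(data), bytes(mask)))
    return True


def bin_search(buf: bytes, start: int, end: int, patterns: List[CompiledPattern]) -> int:
    """Return the lowest offset in [start, end) where ANY compiled pattern matches, else -1.

    As with a search over a whole pattern vector, a stale pattern left in the
    vector produces hits the caller never asked for.
    """
    for ea in range(start, end):
        for data, mask in patterns:
            if ea + len(data) > end:
                continue
            if all((buf[ea + i] & mask[i]) == data[i] for i in range(len(data))):
                return ea
    return -1


def find_byte_sequence(buf: bytes, start: int, end: int, seq: bytes,
                       reuse: Optional[List[CompiledPattern]] = None) -> Iterator[int]:
    """Yield every offset of `seq` in buf[start:end] (find-all loop; assumed shape).

    `reuse=None` (the correct form) compiles into a fresh vector per call.
    Passing a shared list models the rejected "global IDA_BYTES_PATTERNS" design.
    """
    patterns: List[CompiledPattern] = reuse if reuse is not None else []
    if not parse_binpat_str(patterns, " ".join(f"{b:02x}" for b in seq)):
        return
    while True:
        ea = bin_search(buf, start, end, patterns)
        if ea == -1:
            break
        start = ea + 1  # resume just past the hit so the next search finds the next occurrence
        yield ea


def compare_fresh_vs_shared() -> dict:
    """Run two searches both ways; the shared vector returns a false hit on the second."""
    n = len(SAMPLE)
    call_insn = bytes.fromhex("e8 00 10 00 00")
    epilogue = bytes.fromhex("5d c3")

    fresh = {
        "call": list(find_byte_sequence(SAMPLE, 0, n, call_insn)),
        "epilogue": list(find_byte_sequence(SAMPLE, 0, n, epilogue)),
    }
    shared: List[CompiledPattern] = []
    shared_results = {
        "call": list(find_byte_sequence(SAMPLE, 0, n, call_insn, reuse=shared)),
        "epilogue": list(find_byte_sequence(SAMPLE, 0, n, epilogue, reuse=shared)),
    }
    return {"fresh": fresh, "shared": shared_results, "patterns_left_in_shared": len(shared)}


if __name__ == "__main__":
    print(compare_fresh_vs_shared())
```

With a fresh vector each call, the epilogue search returns only offset 8; with the shared vector it also returns offset 3, because the earlier `call` pattern is still in the vector. The encoding index, by contrast, is a plain integer that no call mutates, which is why hoisting it is safe while hoisting the vector is not.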

@fariss fariss requested a review from mike-hunhoff March 10, 2024 06:50
Collaborator

@mike-hunhoff mike-hunhoff left a comment

LGTM 🚀

@mike-hunhoff mike-hunhoff merged commit 9d1f110 into mandiant:master Mar 11, 2024
@h4rdee h4rdee mentioned this pull request Sep 17, 2024
Development

Successfully merging this pull request may close these issues.

ida-explorer: use IDA API bin_search not find_binary