function detection doesn't find callbacks f. eg. CreateThread, SetWindowsHookEx, etc.

[pinkflawd]

Function detection misses callback functions in Windows binaries, found to be true at least for CreateThread callback handlers and SetWindowsHookEx handlers.

Below, 0x1000282d should be a function address, but is handled as dword.

0x10002080      50             push eax
0x10002081      53             push ebx
0x10002082      ff75d4         push dword [ebp - local_2ch]
0x10002085      682d280010     push 0x1000282d
0x1000208a      53             push ebx
0x1000208b      53             push ebx
0x1000208c      ff1574400010   call dword [sym.imp.KERNEL32.dll_CreateThread] ; sym.imp.KERNEL32.dll_CreateThread

[radare]

can you share a sample bin?

[pinkflawd]

f1b203fc38f047010d7071cd5f106045.zip

[trufae]

i dont see the same disasm at that offset. i mostly find refs to data in pushes, not code

[pinkflawd]

oh right different binary. here a SetWindowsHookEx call is located in pdf @ 0x10012536, the callback thats not detected is 0x10013318:

0x10012550      50             push eax
0x10012551      6818330110     push 0x10013318
0x10012556      6a03           push 3
0x10012558      ff15a4820110   call dword [sym.imp.USER32.dll_SetWindowsHookExW] ; sym.imp.USER32.dll_SetWindowsHookExW
0x1001255e      eb13           jmp 0x10012573

also CreateThread is present in 0x1000f974:

0x1000fb12      8b3d34810110   mov edi, dword [sym.imp.KERNEL32.dll_CreateThread] 
0x1000fb18      8d45f0         lea eax, [ebp - local_10h]
0x1000fb1b      50             push eax
0x1000fb1c      6a04           push 4
0x1000fb1e      53             push ebx
0x1000fb1f      688fff0010     push 0x1000ff8f
0x1000fb24      53             push ebx
0x1000fb25      53             push ebx
0x1000fb26      ffd7           call edi

hope that helps

[Maijin]

I Don't see changes:

[radare]

Use afr or aa

On 04 Oct 2016, at 21:11, Maijin [email protected] wrote:

I Don't see changes:

—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub, or mute the thread.

[radare]

And u have to analize to get anything in the disasm

On 04 Oct 2016, at 21:11, Maijin [email protected] wrote:

I Don't see changes:

—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub, or mute the thread.

[Maijin]

It's analysed

[Maijin]

[pinkflawd]

Works, in a sense, when I issue an 'afr' command for each function where I suspect indirectly referenced code. This way I go through my binaries, get all the functions that e.g. contain a CreateThread, then 'afr' these again to have radare generate functions for the thread handler function.
Thats cool.
Would there be a way to add this analysis to e.g. aaa command, so callbacks are analyzed automatically? With my method, by definition, I always miss something.

[radare]

aa should run afr but the problem is that its probably analizing in different order and overlapping some functions.

you can try to set e anal.calls=true before aa and see if that solves the problem if not you can also do this:

e anal.hasnext=true
aac; afr;afr @@ sym*

sorry i have not much time lately to look deeper on this issue

On 13 Oct 2016, at 12:47, pinkflawd [email protected] wrote:

Works, in a sense, when I issue an 'afr' command for each function where I suspect indirectly referenced code. This way I go through my binaries, get all the functions that e.g. contain a CreateThread, then 'afr' these again to have radare generate functions for the thread handler function.
Thats cool.
Would there be a way to add this analysis to e.g. aaa command, so callbacks are analyzed automatically? With my method, by definition, I always miss something.

—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub #5890 (comment), or mute the thread https://github.com/notifications/unsubscribe-auth/AA3-lq21IS278VmOZDE60w8e6nuSfbXcks5qzgxfgaJpZM4KLDSd.

[pinkflawd]

Awesome :D Second option works like charm :) Thanks a lot!
The pic is on top before, bottom is after, works like graph face lift ^^ 8 more functions found

[trufae]

😍😍😍

On 14 Oct 2016, at 16:46, pinkflawd [email protected] wrote:

Awesome :D Second option works like charm :) Thanks a lot!
The pic is on top before, bottom is after, works like graph face lift ^^ 8 more functions found

https://cloud.githubusercontent.com/assets/5487036/19391603/a3dc5794-922d-11e6-927d-327b676cae71.png
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub #5890 (comment), or mute the thread https://github.com/notifications/unsubscribe-auth/AGIjG8vaZTFBYu0ePJRen0ILf_MwkyHHks5qz5W3gaJpZM4KLDSd.

[ret2libc]

This has not received any activity in the last years. Was the issue fixed? If not, could you share a reproducer (the one listed has a password)?

[Maijin]

Always same password "infected".