Matching on immediates
Closed this issue · 1 comments
Hello, first, thank you for publishing this, especially the huge database of signatures
I wanted to ask if you were still actively maintaining this and/or if you had any interest in implementing an additional method for searching, which I'll briefly describe. tl; dr applying the signature checks to immediate loads directly into registers- to complement searching of memory
I recently encountered a target (RISC-style fixed-width instruction set, proprietary embedded firmware) that makes a habit of loading crypto constants as immediates- e.g. for SHA1 and the constant 0x67452301 (along with other constants for SHA1, all in a single function)
movhi r3, 0x6745
addi r3, r3, 0x2301 # 0x67452301
Do you have any interest in supporting searching for matches in immediates like this? I believe the comment in this example was added via the CPU plugin for this architecture and is not otherwise a part of the IDB file/IDA analysis, so to do this properly one would have to either:
- Assume that these comments are present- the responsibility of the user to put into place in one way or another or...
- Perform the analysis in the plugin, looking for mov/add/sub instructions
The former is simpler as it requires no knowledge of the CPU architecture. The latter is by no means impossible, but would be somewhat architecture dependent I think, and may be beyond the scope of what you'd like to have as findcrypt functionality. However, a skeleton to allow the user to plug in the architecture-specific instructions used to accomplish these operations would still be immensely helpful
As far as whether this is worth your effort or not- I'm not sure how common this pattern is, though I'm sure it's present in other fixed-width instruction sets depending on how the code was written. Maybe it's not worth the effort for you and I'll have to write it myself for the few projects I've encountered this pattern on (which is fine)
Any interest in / do you have the time to add this as a feature? Or would you accept a PR?
Obviously this would really only be useful for signatures matching the width of a register for the target- 4 bytes for the general purpose registers in most cases, longer if using the various architecture-specific special registers. It would be possible to match across multiple registers if the instructions were consecutive, but this could get a bit more complicated, having to take into consideration the ordering of the constants, among other things
There are also some much more complicated patterns which I think would have to just be accepted as too much work to identify- e.g. where a register has some base value, and then multiple different constants are generated from it. The analysis for that really starts to go further beyond basic analysis of two consecutive immediate operations and would probably be best to accept as too much work for what may be a very limited/specialized case
Thanks again, this plugin has been a huge time-saver for me
https://github.com/Accenture/Condstanta is not exactly comparable, but it's a good enough foundation to work from to do what I'm looking for
It will be a very hacky solution and won't need to use yara, but I can borrow the extensive collection of byte signatures from your project and utilize them programmatically with Condstanta. Setting the threshold for number of occurrences to >= 4 or 5 for a function