FindFunc is an IDA Professional plugin to seek out code features that comprise a sure meeting or byte sample, reference a sure title or string, or conform to numerous different constraints. This isn’t a competitor to instruments like Diaphora or BinNavi, however it’s supreme to discover a identified perform in a brand new binary for circumstances the place classical bindiffing fails.
Filtering with Guidelines
The principle performance of FindFunc is letting the person specify a set of “Guidelines” or constraints {that a} code perform in IDA Professional has to fulfill. FF will then discover and checklist all features that fulfill ALL guidelines (so at present all Guidelines are in an AND-conjunction). Exception: Guidelines might be “inverted” to be adverse matches. Such guidelines thus conform to “AND NOT”.
FF will schedule the foundations in a sensible order to attenuate processing time. Characteristic overview:
- Presently 6 Guidelines accessible, see under
- Code matching respects Addressing-Dimension-Prefix and Operand-Dimension-Prefix
- Conscious of perform chunks
- Sensible scheduling of guidelines for efficiency
- Saving/Loading guidelines from/to file in easy ascii format
- A number of unbiased Tabs for experimentation
- Copying guidelines between Tabs through clipboard (similar format as file format)
- Saving complete session (all tabs) to file
- Superior copying of instruction bytes (all, opcodes solely, all besides immediates)
Button “Search Capabilities” clears current outcomes and begins a recent search, “Refine Outcomes” considers solely outcomes of the earlier search.
Superior Binary Copying
A secondary function of FF is the choice to repeat binary illustration of directions with the next choices:
- copy all -> copy all bytes to the clipboard
- copy with out immediates -> clean out (AA ?? BB) any rapid values within the instruction bytes
- opcode solely -> will clean out every little thing besides the precise opcode(s) of the instruction (and prefixes)
See “superior copying” part under for particulars. This function properly enhances the Byte Sample rule!
Constructing and Set up
FindFunc is an IDA Professional python plugin with out exterior bundle dependencies. It may be put in by downloading the repository and copying file findfuncmain.py and folder findfunc to your IDA Professional plugin listing. No constructing is required.
Necessities: IDA Professional 7.x (7.6+) with python3 surroundings. FindFunc is designed for x86/x64 structure solely. It has been examined with IDA 7.6/7.7, python 3.9 and IDAPython 7.4.0 on Home windows 10.
Presently the next six guidelines can be found. They’re sorted right here from heavy to gentle with regard to efficiency impression. With giant databases it’s a good suggestion to first lower down the candidate-functions with an inexpensive rule, earlier than doing heavy matching through e.g. Code Guidelines. FF will routinely schedule guidelines in a sensible approach.
Code Sample
Rule for filtering perform based mostly on them containing a given meeting code snippet. That is NOT a text-search for IDAs textual disassembly illustration, however somewhat performs superior matching of the underlying instruction. The snippet could comprise many consecutive directions, one per line. Perform chunks are supported. Helps particular wildcard matching, along with literal meeting:
- “move” -> matches any instruction with any operands
- “mov* any,any” -> matches directions with mnemonic “mov*” (e.g. mov, movzx, …) and any two arguments.
- “mov eax, r32” -> matches any instruction with mnemonic “mov”, first operand register eax and second operand any 32-bit register.
- Analogue: r for any register, r8/r16/r32/r64 for register of a selected width, “imm” for any rapid
- “mov r64, imm” -> matches any transfer of a continuing to a 64bit register
- “any r64,r64” -> matches any operation between two 64bit registers
- mov -> matches any instruction of mov mnemonic
extra examples:
mov r64, [r32 * 8 + 0x100]
mov r, [r * 8 - 0x100]
mov r64, [r32 * 8 + imm]
move
mov r, phrase [eax + r32 * 8 - 0x100]
any r64, r64
push imm
push any
Gotchas: Watch out when copying over meeting from IDA. IDA mingles native variable names and different info into the instruction which results in matching failure. Additionally, labels are usually not supported (“name sub_123456”).
Notice that Code Patterns is the costliest Rule, and if solely Code Guidelines are current FF has no choice however to disassemble the whole database. This will take as much as a number of minutes for very giant binaries. See notes on efficiency under.
Rapid Worth (Fixed)
The perform should comprise the given rapid a minimum of as soon as in any place. An instantaneous worth is a price mounted within the binary illustration of the instruction. Examples for directions matching rapid worth 0x100:
mov eax, 0x100
mov eax, [0x100]
and al, [eax + ebx*8 + 0x100]
push 0x100
Notice: IDA performs intensive matching of any measurement and any place of the rapid. If you already know it to be of a selected width of 4 or 8 bytes, a byte sample could be a little sooner.
Byte Sample
The perform should comprise the given byte sample a minimum of as soon as. The sample is of the identical format as IDAs binary search, and thus helps wildcards – the right match for the advanced-copy function!
Examples:
11 22 33 44 aa bb cc
11 22 33 ?? ?? bb cc -> ?? might be any byte
Notice: Sample matching is quiet quick and a superb candidate to chop down matches shortly!
String Reference
The perform should reference the given string a minimum of as soon as. The string is matched in response to pythons ‘fnmatch’ module, and thus helps wildcard-like matching. Matching is carried out case-insensitive. Strings of the next codecs are thought of: [idaapi.STRTYPE_C, idaapi.STRTYPE_C_16] (this may be modified within the Config class).
Examples:
- “TestString” -> perform should reference the precise string (casing ignored) a minimum of as soon as
- “TestStr*” -> perform should reference a string beginning with ‘TestStr (e.g. TestString, TestStrong) a minimum of as soon as (casing ignored)
Notice: String matching is quick and a good selection to chop down candidates shortly!
Identify Reference
The perform should reference the given title/label a minimum of as soon as. The title/label is matched in response to pythons ‘fnmatch’ module, and thus helps wildcard-like matching. Matching is carried out case-insensitive.
Examples:
- “memset” -> perform should reference a location named “memset” a minimum of as soon as
- “mem*” -> perform should reference a location beginning with “mem” (memset, memcpy, memcmp) a minimum of as soon as
Notice: Identify matching may be very quick and supreme to chop down candidates shortly!
Perform Dimension
The scale of the perform have to be inside the given restrict: “min <= functionsize <= max”. Knowledge is entered as a string of the shape “min,max”. The scale of a perform contains all of its chunks.
Notice: Perform measurement matching may be very quick and supreme to chop down candidates shortly!
Keyboard Shortcuts & GUI
For ease of use FF can be utilized through the next keyboard shortcuts:
- Ctrl+Alt+F -> launch/present TabWidget (predominant GUI)
- Ctrl+F -> begin search with at present enabled guidelines
- Ctrl+R -> refine current outcomes with at present enabled guidelines
- Guidelines
- Ctrl+C -> copy chosen guidelines to clipboard
- Ctrl+V -> paste guidelines from clipboard into present tab (appends)
- Ctrl+S -> save chosen guidelines to file
- Ctrl+L -> load chosen guidelines from file (appends)
- Ctrl+A -> choose all guidelines
- Del -> delete chosen guidelines
- Save Session
- Ctrl+Shift+S -> Save session to file
- Ctrl+Shift+L -> Load session from file
Additional GUI utilization
- Guidelines might be edited by double-clicking the Knowledge column
- Guidelines might be inverted (adverse match) by double-clicking the invert-match column
- Guidelines might be enabled/disabled by double-clicking the enabled-column
- Tabs might be renamed by double-clicking them
- Sorting is supported each for Rule-Record and Outcome-Record
- Double-click Outcome merchandise to leap to it in IDA
- perform title: soar to perform begin
- some other column: soar to match of final matched rule
- Checkbox Profile: Outputs profiling info for the search
- Checkbox Debug: Dumps detailed debugging output for code rule matching – solely use it if few features make it to the code checking rule, in any other case it’d take very lengthy!
Superior Binary Copy
Often we need to seek for binary patterns of meeting, however with out hardcoded addresses and values (immediates), and even solely the precise opcodes of the instruction. FindFunc makes this straightforward by including three copy choices to the disassembly-popupmenu:
Copy all bytes
Copies all instruction bytes as hex-string to clipboard, to be used in a Byte-Sample-Rule (or IDAs binary search).
B8 44332211 mov eax,11223344
68 00000001 push 1000000
66:894424 70 mov phrase ptr ss:[esp+70],ax
will likely be copied as
b8 44 33 22 11 68 00 00 00 01 66 89 44 24 70
Copy solely non-immediate bytes
Copies instruction bytes for given instruction, masking out any rapid values. Instance:
B8 44332211 mov eax,11223344
68 00000001 push 1000000
66:894424 70 mov phrase ptr ss:[esp+70],ax
will likely be copied as
b8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 66 89 44 24 ??
Copy solely opcodes
Copy all instruction bytes as hex-string to clipboard, masking out any bytes that aren’t the precise opcode (together with sib, modrm, however conserving legacy prefixes).
B8 44332211 mov eax,11223344
68 00000001 push 1000000
66:894424 70 mov phrase ptr ss:[esp+70],ax
will likely be copied as
b8 ?? ?? ?? ?? 68 ?? ?? ?? ?? 66 89 ?? ?? ??
Notice: This can be a “finest effort” utilizing IDAs API, thus there could also be few circumstances the place it solely works partially. For a 100% right resolution we must ship a devoted x86 disasm library.
Related outcomes might be achieved with Code Sample Guidelines, however this could be sooner, each for person interplay and the precise search.
Copy disasm
Copies chosen disassembly to clipboard, because it seems in IDA.
Efficiency
A quick phrase on efficiency:
- title, string, funcsize are virtually free in all circumstances
- bytepattern is nearly free for patterns size > 2
- rapid is tough: We are able to use idaapi search, or we are able to disassemble the whole database and search ourselves – we could have to do that anyhow if we’re on the lookout for code patterns. BUT: scanning for code patterns is actually less expensive than scanning for an instantaneous. An api-search for all matches is comparatively pricey – about 1/8 as pricey as disassembling the whole database. So: If we lower down matches with low cost guidelines first, then we significantly revenue from disassembling the remaining features and on the lookout for the rapid ourselves, particularly if a code-rule is current anyhow. Nevertheless: If no low cost choices exist and we have now to disassemble giant components of the database anyhow (on account of presence of code sample guidelines), then utilizing one rapid rule as a pre-filter can significantly repay. api-searching ONE rapid is roughly equal to 1/8 looking for any variety of code-pattern guidelines – though this additionally is dependent upon many various components…
- code sample are the costliest by far, nevertheless checking one sample vs checking many may be very comparable.
Todo (unordered):
- jcc pseudo-mnemonic
- Permit named areas in CodeRules (‘name memset’)
- ‘ignore all following operands’ choice
- Rule for parameters to API calls inside perform
- Rule for guardian/callsite/little one perform necessities
- Rule for perform parameters
- Regex-rule
- string/title: casing choice
- routinely convert rapid guidelines to byte sample if relevant?
- settings: case sensitivity, string sorts, vary, …
- Hexray guidelines?
- OR mixture of guidelines
- Pythonification of code 😉
- Parallelization
- Computerized technology of guidelines to determine a perform?
