Merge branch 'N0fix-fix_i60'

Author: danielplohmann

README.md

@@ -56,6 +56,7 @@ To take full advantage of SMDA's capabilities, make sure to (optionally) install
  * pdbparse (currently as fork from https://github.com/VPaulV/pdbparse to support Python3)
 
 ## Version History
+ * 2025-02-21: v1.14.1 - Fixed changed field names in LIEF usage that broke ELF parsing, added tests for ELF+macOS parsing (THX to @N0fix for the update!)
  * 2025-01-29: v1.14.0 - Bump to LIEF 0.16.0+ (THX to @huettenhain for the ping!). Migrated tests to `pytest`, UTC datetime handling fixes.
  * 2025-01-26: v1.13.24 - Added functionality to import and export SMDA reports as JSON. Fixed byte patterns matching special regex chars (THX to @alexander-hanel!).
  * 2024-07-26: v1.13.23 - Now using OEP as symbol function candidate when available (THX to @alexander-hanel for reporting!).

setup.py

@@ -19,7 +19,7 @@
 setup(
     name='smda',
     # note to self: always change this in config as well.
-    version='1.14.0',
+    version='1.14.1',
     description='A recursive disassmbler optimized for CFG recovery from memory dumps. Based on capstone.',
     long_description_content_type="text/markdown",
     long_description=long_description,

smda/SmdaConfig.py

@@ -5,7 +5,7 @@
 class SmdaConfig(object):
 
     # note to self: always change this in setup.py as well!
-    VERSION = "1.14.0"
+    VERSION = "1.14.1"
     ESCAPER_DOWNWARD_COMPATIBILITY = "1.13.16"
     CONFIG_FILE_PATH = str(os.path.abspath(__file__))
     PROJECT_ROOT = str(os.path.abspath(os.sep.join([CONFIG_FILE_PATH, "..", ".."])))

smda/common/labelprovider/ElfSymbolProvider.py

@@ -43,7 +43,7 @@ def update(self, binary_info):
         self._parseOep(lief_binary)
         # TODO split resolution into API/dynamic part and local symbols
         self._parseExports(lief_binary)
-        self._parseSymbols(lief_binary.static_symbols)
+        self._parseSymbols(lief_binary.symtab_symbols)
         self._parseSymbols(lief_binary.dynamic_symbols)
         for reloc in lief_binary.relocations:
             if reloc.has_symbol:

smda/utility/ElfFileLoader.py

@@ -1,5 +1,5 @@
-import sys
 import logging
+import sys
 
 LOGGER = logging.getLogger(__name__)
 
@@ -99,7 +99,7 @@ def mapBinary(binary):
                 min_virtual_address = min(min_virtual_address, section.virtual_address)
                 min_raw_offset = min(min_raw_offset, section.file_offset)
         else:
-            LOGGER.warn(f"ELF: found possibly bogus section information, trying to parse segments.")
+            LOGGER.warn("ELF: found possibly bogus section information, trying to parse segments.")
         # parse segments regardless
         for segment in elffile.segments:
             if not segment.virtual_address:
@@ -110,7 +110,7 @@ def mapBinary(binary):
             min_raw_offset = min(min_raw_offset, segment.file_offset)
 
         if (max_virtual_address - base_addr) > sys.maxsize:
-            LOGGER.warn(f"ELF: found possibly bogus segment information, trying to parse segments.")
+            LOGGER.warn("ELF: found possibly bogus segment information, trying to parse segments.")
 
         if not max_virtual_address:
             LOGGER.debug("ELF: no section or segment data")
@@ -179,9 +179,9 @@ def getBitness(binary):
         # TODO add machine types whenever we add more architectures
         elffile = lief.parse(binary)
         machine_type = elffile.header.machine_type
-        if machine_type == lief.ELF.ARCH.x86_64:
+        if machine_type == lief.ELF.ARCH.X86_64:
             return 64
-        elif machine_type == lief.ELF.ARCH.i386:
+        elif machine_type == lief.ELF.ARCH.I386:
             return 32
         return 0
 
@@ -207,7 +207,7 @@ def getCodeAreas(binary):
         code_areas = []
         for section in elffile.sections:
             # SHF_EXECINSTR = 4
-            if section.flags & 0x4:
+            if section.flags & lief.ELF.Section.FLAGS.EXECINSTR.value:
                 section_start = section.virtual_address
                 section_size = section.size
                 if section_size % section.alignment != 0:
@@ -216,7 +216,7 @@ def getCodeAreas(binary):
                 code_areas.append([section_start, section_end])    
         for segment in sorted(elffile.segments, key=lambda segment: segment.physical_size, reverse=True):
             # SHF_EXECINSTR = 4
-            if segment.flags & 0x4:
+            if segment.flags.value & lief.ELF.Section.FLAGS.EXECINSTR.value:
                 segment_start = segment.virtual_address
                 segment_size = segment.virtual_size
                 if segment_size % segment.alignment != 0:

smda/utility/MachoFileLoader.py

@@ -139,10 +139,12 @@ def getBitness(binary):
         # TODO add machine types whenever we add more architectures
         macho_file = lief.parse(binary)
         machine_type = macho_file.header.cpu_type
-        if machine_type == lief.MachO.CPU_TYPES.x86_64:
+        if machine_type == lief.MachO.Header.CPU_TYPE.X86_64:
             return 64
-        elif machine_type == lief.MachO.CPU_TYPES.x86:
+        elif machine_type == lief.MachO.Header.CPU_TYPES.X86:
             return 32
+        elif machine_type == Header.CPU_TYPE.ARM64:
+            raise NotImplementedError("SMDA does not support ARM yet.")
         return 0
 
     @staticmethod
@@ -165,14 +167,14 @@ def getCodeAreas(binary):
         # TODO add machine types whenever we add more architectures
         macho_file = lief.parse(binary)
         ins_flags = (
-            lief.MachO.SECTION_FLAGS.PURE_INSTRUCTIONS.value +
-            lief.MachO.SECTION_FLAGS.SELF_MODIFYING_CODE.value +
-            lief.MachO.SECTION_FLAGS.SOME_INSTRUCTIONS.value
+            lief.MachO.Section.FLAGS.PURE_INSTRUCTIONS.value +
+            lief.MachO.Section.FLAGS.SELF_MODIFYING_CODE.value +
+            lief.MachO.Section.FLAGS.SOME_INSTRUCTIONS.value
         )
         code_areas = []
         for section in macho_file.sections:
             # SHF_EXECINSTR = 4
-            if section.flags & ins_flags:
+            if section.flags.value & ins_flags:
                 section_start = section.virtual_address
                 section_size = section.size
                 if section.alignment and section_size % section.alignment != 0:

tests/cat

@@ -0,0 +1,109 @@
+#!/usr/bin/python
+
+import logging
+import os
+import unittest
+
+from smda.utility.FileLoader import FileLoader
+from smda.common.BinaryInfo import BinaryInfo
+from smda.Disassembler import Disassembler
+from smda.common.SmdaReport import SmdaReport
+from smda.common.SmdaFunction import SmdaFunction
+from .context import config
+
+LOG = logging.getLogger(__name__)
+logging.basicConfig(level=logging.INFO, format="%(asctime)-15s %(message)s")
+logging.disable(logging.CRITICAL)
+
+
+class SmdaIntegrationTestSuite(unittest.TestCase):
+    """Run a full example on a memory dump"""
+
+    @classmethod
+    def setUpClass(cls):
+        super(SmdaIntegrationTestSuite, cls).setUpClass()
+
+    def testPeParsingWithCutwail(self):
+        disasm = Disassembler(config)
+        # load encrypted malicious win.cutwail
+        with open(os.path.join(config.PROJECT_ROOT, "tests", "cutwail_xored"), "rb") as f_binary:
+            binary = f_binary.read()
+        decrypted_cutwail = bytearray()
+        for index, byte in enumerate(binary):
+            if isinstance(byte, str):
+                byte = ord(byte)
+            decrypted_cutwail.append(byte ^ (index % 256))
+        cutwail_binary = bytes(decrypted_cutwail)
+        # run FileLoader and disassemble as file
+        loader = FileLoader("/", map_file=True)
+        loader._loadFile(cutwail_binary)
+        file_content = loader.getData()
+        binary_info = BinaryInfo(file_content)
+        binary_info.raw_data = loader.getRawData()
+        binary_info.file_path = ""
+        binary_info.base_addr = loader.getBaseAddress()
+        binary_info.bitness = loader.getBitness()
+        binary_info.code_areas = loader.getCodeAreas()
+        binary_info.oep = binary_info.getOep()
+        cutwail_binary_info = binary_info
+        cutwail_disassembly = disasm._disassemble(binary_info)
+        cutwail_unmapped_disassembly = disasm.disassembleUnmappedBuffer(cutwail_binary)
+        assert cutwail_unmapped_disassembly.num_functions == 33
+
+    def testElfParsingWithBase64(self):
+        disasm = Disassembler(config)
+        # load encrypted benign /bin/cat
+        with open(os.path.join(config.PROJECT_ROOT, "tests", "cat_xored"), "rb") as f_binary:
+            binary = f_binary.read()
+        decrypted_cat = bytearray()
+        for index, byte in enumerate(binary):
+            if isinstance(byte, str):
+                byte = ord(byte)
+            decrypted_cat.append(byte ^ (index % 256))
+        cat_binary = bytes(decrypted_cat)
+        # run FileLoader and disassemble as file
+        loader = FileLoader("/", map_file=True)
+        loader._loadFile(cat_binary)
+        file_content = loader.getData()
+        binary_info = BinaryInfo(file_content)
+        binary_info.raw_data = loader.getRawData()
+        binary_info.file_path = ""
+        binary_info.base_addr = loader.getBaseAddress()
+        binary_info.bitness = loader.getBitness()
+        binary_info.code_areas = loader.getCodeAreas()
+        binary_info.oep = binary_info.getOep()
+        cat_binary_info = binary_info
+        cat_disassembly = disasm._disassemble(binary_info)
+        cat_unmapped_disassembly = disasm.disassembleUnmappedBuffer(cat_binary)
+        assert cat_unmapped_disassembly.num_functions == 150
+
+    def testMacOsParsingWithKomplex(self):
+        disasm = Disassembler(config)
+        # load encrypted malicious osx.komplex
+        with open(os.path.join(config.PROJECT_ROOT, "tests", "komplex_xored"), "rb") as f_binary:
+            binary = f_binary.read()
+        decrypted_komplex = bytearray()
+        for index, byte in enumerate(binary):
+            if isinstance(byte, str):
+                byte = ord(byte)
+            decrypted_komplex.append(byte ^ (index % 256))
+        komplex_binary = bytes(decrypted_komplex)
+        # run FileLoader and disassemble as file
+        loader = FileLoader("/", map_file=True)
+        loader._loadFile(komplex_binary)
+        file_content = loader.getData()
+        binary_info = BinaryInfo(file_content)
+        binary_info.raw_data = loader.getRawData()
+        binary_info.file_path = ""
+        binary_info.base_addr = loader.getBaseAddress()
+        binary_info.bitness = loader.getBitness()
+        binary_info.code_areas = loader.getCodeAreas()
+        binary_info.oep = binary_info.getOep()
+        komplex_binary_info = binary_info
+        komplex_disassembly = disasm._disassemble(binary_info)
+        komplex_unmapped_disassembly = disasm.disassembleUnmappedBuffer(komplex_binary)
+        komplex_unmapped_disassembly.num_functions == 208
+
+
+if __name__ == '__main__':
+    unittest.main()