Move workflow_objc to API repo, remove CFString & relptr renderers

Author: 0cyn

plugins/workflow_objc/.clang-format

@@ -0,0 +1,4 @@
+---
+BasedOnStyle:	WebKit
+...
+

plugins/workflow_objc/.gitignore

@@ -0,0 +1,7 @@
+build/
+
+cmake-build-*/
+.idea/
+
+.cache/
+compile_commands.json

plugins/workflow_objc/BinaryNinja.h

@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2022-2023 Jon Palmisciano. All rights reserved.
+ *
+ * Use of this source code is governed by the BSD 3-Clause license; the full
+ * terms of the license can be found in the LICENSE.txt file.
+ */
+
+#pragma once
+
+#include <binaryninjaapi.h>
+
+using AnalysisContextRef = BinaryNinja::Ref<BinaryNinja::AnalysisContext>;
+using BinaryViewRef = BinaryNinja::Ref<BinaryNinja::BinaryView>;
+using LLILFunctionRef = BinaryNinja::Ref<BinaryNinja::LowLevelILFunction>;
+using SymbolRef = BinaryNinja::Ref<BinaryNinja::Symbol>;
+using TypeRef = BinaryNinja::Ref<BinaryNinja::Type>;
+
+using BinaryViewPtr = BinaryNinja::BinaryView*;
+using TypePtr = BinaryNinja::Type*;
+
+using BinaryViewID = std::size_t;

plugins/workflow_objc/CMakeLists.txt

@@ -0,0 +1,46 @@
+cmake_minimum_required(VERSION 3.14 FATAL_ERROR)
+
+project(workflow_objc)
+
+
+if((NOT BN_API_PATH) AND (NOT BN_INTERNAL_BUILD))
+  set(BN_API_PATH $ENV{BN_API_PATH})
+  if(NOT BN_API_PATH)
+    message(FATAL_ERROR "Provide path to Binary Ninja API source in BN_API_PATH")
+  endif()
+endif()
+if(NOT BN_INTERNAL_BUILD)
+  set(HEADLESS ON CACHE BOOL "")
+  add_subdirectory(${BN_API_PATH} ${PROJECT_BINARY_DIR}/api)
+endif()
+
+# Binary Ninja plugin ----------------------------------------------------------
+
+set(PLUGIN_SOURCE
+  GlobalState.h
+  GlobalState.cpp
+  MessageHandler.cpp
+  MessageHandler.h
+  Plugin.cpp
+  Workflow.h
+  Workflow.cpp)
+
+add_library(workflow_objc SHARED ${PLUGIN_SOURCE})
+target_link_libraries(workflow_objc binaryninjaapi)
+target_compile_features(workflow_objc PRIVATE cxx_std_17 c_std_99)
+
+# Library targets linking against the Binary Ninja API need to be compiled with
+# position-independent code on Linux.
+if(${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
+  target_compile_options(workflow_objc PRIVATE "-fPIC")
+endif()
+
+# Configure plugin output directory for internal builds, otherwise configure
+# plugin installation for public builds.
+if(BN_INTERNAL_BUILD)
+  set_target_properties(workflow_objc PROPERTIES
+    LIBRARY_OUTPUT_DIRECTORY ${BN_CORE_PLUGIN_DIR}
+    RUNTIME_OUTPUT_DIRECTORY ${BN_CORE_PLUGIN_DIR})
+else()
+  bn_install_plugin(workflow_objc)
+endif()

plugins/workflow_objc/CONTRIBUTING.md

@@ -0,0 +1,26 @@
+# Contribution Guidelines
+
+Contributions in the form of issues and pull requests are welcome! See the
+sections below if you are contributing code.
+
+## Conventions
+
+Refer to the [WebKit Style Guide](https://webkit.org/code-style-guidelines/)
+when in doubt.
+
+## Formatting
+
+Let `clang-format` take care of it. The built-in WebKit style is used.
+
+```sh
+clang-format -i --style=WebKit <file>
+```
+
+- Split long lines when it improves readability. 80 columns is the preferred
+maximum line length, but use some judgement and don't split lines just because a
+semicolon exceeds the length limit, etc.
+
+## Testing
+
+If you are making changes to the core analysis library, run the test suite and
+ensure that there are no unexpected changes to analysis behavior.

plugins/workflow_objc/Constants.h

@@ -0,0 +1,10 @@
+/*
+ * Copyright (c) 2022-2023 Jon Palmisciano. All rights reserved.
+ *
+ * Use of this source code is governed by the BSD 3-Clause license; the full
+ * terms of the license can be found in the LICENSE.txt file.
+ */
+
+#pragma once
+
+constexpr auto PluginLoggerName = "Plugin.Objective-C";

plugins/workflow_objc/GlobalState.cpp

@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 2022-2023 Jon Palmisciano. All rights reserved.
+ *
+ * Use of this source code is governed by the BSD 3-Clause license; the full
+ * terms of the license can be found in the LICENSE.txt file.
+ */
+
+#include "GlobalState.h"
+
+#include <set>
+#include <shared_mutex>
+#include <unordered_map>
+
+static std::unordered_map<BinaryViewID, MessageHandler*> g_messageHandlers;
+static std::shared_mutex g_messageHandlerLock;
+static std::unordered_map<BinaryViewID, SharedAnalysisInfo> g_viewInfos;
+static std::shared_mutex g_viewInfoLock;
+static std::set<BinaryViewID> g_ignoredViews;
+
+
+MessageHandler* GlobalState::messageHandler(BinaryViewRef bv)
+{
+    std::unique_lock<std::shared_mutex> lock(g_messageHandlerLock);
+    auto messageHandler = g_messageHandlers.find(id(bv));
+    if (messageHandler != g_messageHandlers.end())
+        return messageHandler->second;
+    auto newMessageHandler = new MessageHandler(bv);
+    g_messageHandlers[id(bv)] = newMessageHandler;
+    return newMessageHandler;
+}
+
+BinaryViewID GlobalState::id(BinaryViewRef bv)
+{
+    return bv->GetFile()->GetSessionId();
+}
+
+void GlobalState::addIgnoredView(BinaryViewRef bv)
+{
+    g_ignoredViews.insert(id(std::move(bv)));
+}
+
+bool GlobalState::viewIsIgnored(BinaryViewRef bv)
+{
+    return g_ignoredViews.count(id(std::move(bv))) > 0;
+}
+
+SharedAnalysisInfo GlobalState::analysisInfo(BinaryViewRef data)
+{
+    {
+        std::shared_lock<std::shared_mutex> lock(g_viewInfoLock);
+        if (auto it = g_viewInfos.find(id(data)); it != g_viewInfos.end())
+            if (data->GetStart() == it->second->imageBase)
+                return it->second;
+    }
+
+    std::unique_lock<std::shared_mutex> lock(g_viewInfoLock);
+    SharedAnalysisInfo info = std::make_shared<AnalysisInfo>();
+    info->imageBase = data->GetStart();
+
+    if (auto objcStubs = data->GetSectionByName("__objc_stubs"))
+    {
+        info->objcStubsStartEnd = {objcStubs->GetStart(), objcStubs->GetEnd()};
+        info->hasObjcStubs = true;
+    }
+
+    auto meta = data->QueryMetadata("Objective-C");
+    if (!meta)
+    {
+        g_viewInfos[id(data)] = info;
+        return info;
+    }
+
+    auto metaKVS = meta->GetKeyValueStore();
+    if (metaKVS["version"]->GetUnsignedInteger() != 1)
+    {
+        BinaryNinja::LogError("workflow_objc: Invalid metadata version received!");
+        g_viewInfos[id(data)] = info;
+        return info;
+    }
+    for (const auto& selAndImps : metaKVS["selRefImplementations"]->GetArray())
+        info->selRefToImp[selAndImps->GetArray()[0]->GetUnsignedInteger()] = selAndImps->GetArray()[1]->GetUnsignedIntegerList();
+    for (const auto& selAndImps : metaKVS["selImplementations"]->GetArray())
+        info->selToImp[selAndImps->GetArray()[0]->GetUnsignedInteger()] = selAndImps->GetArray()[1]->GetUnsignedIntegerList();
+
+    g_viewInfos[id(data)] = info;
+    return info;
+}
+
+bool GlobalState::hasAnalysisInfo(BinaryViewRef data)
+{
+    return data->QueryMetadata("Objective-C") != nullptr;
+}
+
+bool GlobalState::hasFlag(BinaryViewRef bv, const std::string& flag)
+{
+    return bv->QueryMetadata(flag);
+}
+
+void GlobalState::setFlag(BinaryViewRef bv, const std::string& flag)
+{
+    bv->StoreMetadata(flag, new BinaryNinja::Metadata("YES"));
+}

plugins/workflow_objc/GlobalState.h

@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 2022-2023 Jon Palmisciano. All rights reserved.
+ *
+ * Use of this source code is governed by the BSD 3-Clause license; the full
+ * terms of the license can be found in the LICENSE.txt file.
+ */
+
+#pragma once
+
+#include <condition_variable>
+#include "BinaryNinja.h"
+
+#include "MessageHandler.h"
+
+/**
+ * Namespace to hold metadata flag key constants.
+ */
+namespace Flag {
+
+constexpr auto DidRunWorkflow = "objectiveNinja.didRunWorkflow";
+constexpr auto DidRunStructureAnalysis = "objectiveNinja.didRunStructureAnalysis";
+
+}
+
+struct AnalysisInfo {
+    std::uint64_t imageBase;
+    bool hasObjcStubs = false;
+    std::pair<uint64_t, uint64_t> objcStubsStartEnd;
+    std::unordered_map<uint64_t, std::vector<uint64_t>> selRefToImp;
+    std::unordered_map<uint64_t, std::vector<uint64_t>> selToImp;
+};
+
+typedef std::shared_ptr<AnalysisInfo> SharedAnalysisInfo;
+
+/**
+ * Global state/storage interface.
+ */
+class GlobalState {
+    /**
+     * Get the ID for a view.
+     */
+    static BinaryViewID id(BinaryViewRef);
+
+public:
+    /**
+     * Get the analysis info for a view.
+     */
+    static SharedAnalysisInfo analysisInfo(BinaryViewRef);
+
+    /**
+     * Get ObjC Message Handler for a view
+     */
+    static MessageHandler* messageHandler(BinaryViewRef);
+
+    /**
+     * Check if analysis info exists for a view.
+     */
+    static bool hasAnalysisInfo(BinaryViewRef);
+
+    /**
+     * Add a view to the list of ignored views.
+     */
+    static void addIgnoredView(BinaryViewRef);
+
+    /**
+     * Check if a view is ignored.
+     */
+    static bool viewIsIgnored(BinaryViewRef);
+
+    /**
+     * Check if the a metadata flag is present for a view.
+     */
+    static bool hasFlag(BinaryViewRef, const std::string&);
+
+    /**
+     * Set a metadata flag for a view.
+     */
+    static void setFlag(BinaryViewRef, const std::string&);
+};

plugins/workflow_objc/LICENSE.txt

@@ -0,0 +1,26 @@
+Copyright (c) 2022-2023 Jon Palmisciano
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its contributors
+   may be used to endorse or promote products derived from this software without
+   specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

plugins/workflow_objc/MessageHandler.cpp

@@ -0,0 +1,63 @@
+#include "MessageHandler.h"
+
+using namespace BinaryNinja;
+
+MessageHandler::MessageHandler(Ref<BinaryView> data)
+{
+    m_msgSendFunctions = findMsgSendFunctions(data);
+}
+
+std::set<uint64_t> MessageHandler::findMsgSendFunctions(BinaryNinja::Ref<BinaryNinja::BinaryView> data)
+{
+    std::set<uint64_t> results;
+
+    const auto authStubsSection = data->GetSectionByName("__auth_stubs");
+    const auto stubsSection = data->GetSectionByName("__stubs");
+    const auto authGotSection = data->GetSectionByName("__auth_got");
+    const auto gotSection = data->GetSectionByName("__got");
+    const auto laSymbolPtrSection = data->GetSectionByName("__la_symbol_ptr");
+
+    // Shorthand to check if a symbol lies in a given section.
+    auto sectionContains = [](Ref<Section> section, Ref<Symbol> symbol) {
+        const auto start = section->GetStart();
+        const auto length = section->GetLength();
+        const auto address = symbol->GetAddress();
+
+        return (uint64_t)(address - start) <= length;
+    };
+
+    // There can be multiple `_objc_msgSend` symbols in the same binary; there
+    // may even be lots. Some of them are valid, others aren't. In order of
+    // preference, `_objc_msgSend` symbols in the following sections are
+    // preferred:
+    //
+    //   1. __auth_stubs
+    //   2. __stubs
+    //   3. __auth_got
+    //   4. __got
+    //   ?. __la_symbol_ptr
+    //
+    // There is often an `_objc_msgSend` symbol that is a stub function, found
+    // in the `__stubs` section, which will come with an imported symbol of the
+    // same name in the `__got` section. Not all `__objc_msgSend` calls will be
+    // routed through the stub function, making it important to make note of
+    // both symbols' addresses. Furthermore, on ARM64, the `__auth{stubs,got}`
+    // sections are preferred over their unauthenticated counterparts.
+    const auto candidates = data->GetSymbolsByName("_objc_msgSend");
+    for (const auto& c : candidates) {
+        if ((authStubsSection && sectionContains(authStubsSection, c))
+            || (stubsSection && sectionContains(stubsSection, c))
+            || (authGotSection && sectionContains(authGotSection, c))
+            || (gotSection && sectionContains(gotSection, c))
+            || (laSymbolPtrSection && sectionContains(laSymbolPtrSection, c))) {
+            results.insert(c->GetAddress());
+        }
+    }
+
+    return results;
+}
+
+bool MessageHandler::isMessageSend(uint64_t functionAddress)
+{
+    return m_msgSendFunctions.count(functionAddress);
+}