MallocOvfChecker/MallocOvfChecker.py at main · cy1337/MallocOvfChecker · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
#Generates a list of malloc calls using arithmetic to calculate a size
#@author Craig Young
#@category CodeAnalysis

from ghidra.app.decompiler import DecompInterface
from ghidra.program.model.pcode import Varnode, PcodeOp
from ghidra.program.model.symbol import RefType
from ghidra.util.task import ConsoleTaskMonitor
from ghidra.app.tablechooser import TableChooserDialog, TableChooserExecutor, AddressableRowObject

# Setup the decompiler
monitor = ConsoleTaskMonitor()
decomp_interface = DecompInterface()
decomp_interface.openProgram(currentProgram)

# Perform backward slice from a varnode
def backward_slice(varnode, visited=None, collected=None):
    if visited is None:
        visited = set()
    if collected is None:
        collected = set()
    if varnode is None or varnode in visited:
        return collected
    visited.add(varnode)
    def_op = varnode.getDef()
    if def_op:
        collected.add(def_op)
        for i in range(def_op.getNumInputs()):
            backward_slice(def_op.getInput(i), visited, collected)
    return collected

# Return influencing op info if ADD or MULT with variable
def find_add_or_mult_op(influencing_ops):
    for op in influencing_ops:
        if op.getOpcode() in (PcodeOp.INT_ADD, PcodeOp.INT_MULT):
            for i in range(op.getNumInputs()):
                input_var = op.getInput(i)
                if input_var is not None and not input_var.isConstant():
                    return (op.getSeqnum().getTarget(), op.getMnemonic())
    return None

# Decompile a function and check for questionable malloc calls
def check_func(func, malloc_addr):
    entries = []
    decompiled = decomp_interface.decompileFunction(func, 60, monitor)
    if not decompiled.decompileCompleted():
        return entries
    high_func = decompiled.getHighFunction()
    if high_func is None:
        return entries
    for op in high_func.getPcodeOps():
        if op.getOpcode() == PcodeOp.CALL:
            call_target = op.getInput(0).getAddress()
            if call_target != malloc_addr or op.getNumInputs() != 2:
                continue
            malloc_arg = op.getInput(1)
            influencing_ops = backward_slice(malloc_arg)
            info = find_add_or_mult_op(influencing_ops)
            if info:
                infl_addr, op_type = info
                entries.append(MallocWarning(func.getName(), op.getSeqnum().getTarget(), infl_addr, op_type))
    return entries

# Inspect currentProgram for suspicious malloc calls
def check_program():
    malloc_addr = None
    function_manager = currentProgram.getFunctionManager()
    for f in function_manager.getFunctions(True):
        if f.getName() == "malloc":
            malloc_addr = f.getEntryPoint()
            break
    if malloc_addr is None:
        print("[ * ] No malloc symbol found")
        exit()

    calling_funcs = set()
    for ref in getReferencesTo(malloc_addr):
        if ref.getReferenceType() != RefType.UNCONDITIONAL_CALL:
            continue
        func = getFunctionContaining(ref.getFromAddress())
        if func is None or func in calling_funcs:
            continue
        calling_funcs.add(func)

    warnings = []
    for func in calling_funcs:
        warnings.extend(check_func(func, malloc_addr))

    if warnings:
        for w in warnings:
            print(str(w))

        class WarningExecutor(TableChooserExecutor):
            def __init__(self):
                TableChooserExecutor.__init__(self)

            def execute(self, warning):
                goTo(warning.getAddress())

            def getButtonName(self):
                return "Go To Call"

        dialog = createTableChooserDialog("Malloc Arithmetic", WarningExecutor())
        for row in warnings:
            dialog.add(row)
        dialog.show()
    else:
        print("No issues found with malloc argument calculations.")

# Represents a warning instance where a call to malloc is influenced by
# arithmetic (ADD or MULT) involving a non-constant input.
# Stores the function name, call site address, influencing operation address,
# and the type of operation that influenced the allocation size.
class MallocWarning(AddressableRowObject):
    def __init__(self, funcName, callAddr, inflAddr, opType):
        self.funcName = funcName
        self._address = callAddr
        self.inflAddr = inflAddr
        self.opType = opType

    def __str__(self):
        return "{}: call at {} influenced by {} at {}".format(self.funcName, self._address, self.opType, self.inflAddr)

    def getAddress(self):
        return self._address

check_program()