175 lines
6.9 KiB
Plaintext
Executable File
NOTICE: THIS TOOL MUST BE RUN FROM A DOS WINDOW (cmd.exe). Command-line IDA breaks in PowerShell.

This is a toolset for automating tests on binaries, mainly utilizing IDA and IDAPython. It targets either a binary file on disk, or a dump of a specified module from a specified executable.

The tool is written in Python. If you have the build tools installed, you can use the binStar.bat file. All development and testing was done with 64-bit binaries, but there's no reason it shouldn't work for 32-bit binaries.
---------------------------------- Usage ----------------------------------

Usage:

>binStar.bat -c <configuration file>

Requirements:

Python 2.7.X
Windows
IDA
The configuration file is a JSON formatted text file containing information for the tool, as well as information and tests concerning the target binary file(s).

The contents are composed of some strings, along with a number of file paths. The file paths can be absolute or relative.

NOTE: IF YOU USE RELATIVE PATHS, THEY MUST BE RELATIVE TO THE DIRECTORY FROM WHICH YOU CALL THE TOOL
---------------------------------- Application Function ----------------------------------

The toolset performs the following functions, in this order:

1. Parses the configuration file.
2. If specified, runs the dumpIt utility on the executable file:
   - dumpIt runs the executable in a new process and waits 20 seconds.
   - After the delay, it finds the specified module and writes its memory to disk.
3. Runs the strings check on the target file.
4. Loads the specified PDB file into a symbol "Lookup" object in memory.
   - Once loaded, the Lookup object is 'pickled' into a file on disk.
   - Reason: PDB files take a while to load, and IDAPython crawls compared to native Python. It is at least 2/3rds faster this way.
5. Launches the command-line version of IDA in autonomous mode, which runs the idaStar Python script. idaStar performs the rest of the tests, outlined below.

All of the results are output into two report text files:

<target_file>.idaStar.report.txt
<target_file>.binstringsReport.txt

The strings test is (as expected) quite noisy, so it gets its own file.
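The pickled symbol "Lookup" from step 4 is worth a closer look, because a pickle file is code, not data: pickle.load will execute whatever a tampered cache tells it to, so the cache must only ever be read back from a work_dir that nobody else can write to, and it must be invalidated when the PDB it was built from changes. The following is an added example written for this page, not code from the binStar toolset: it models the Lookup object with a plain dict, keys the cache on the SHA-256 of the PDB, and runs the symbol regex search against it. The real tool parses PDBs with pdbparse; that parser is not modelled here, and parse_text_symbols, Lookup, load_or_build and demo are assumed names, with a constructed text file standing in for the PDB.

```python
import hashlib
import os
import pickle
import re
import tempfile


class Lookup(object):
    """Symbol table built once from the PDB; idaStar's symbol tests run against this."""

    def __init__(self, symbols):
        self.by_name = dict(symbols)                          # name -> address
        self.by_addr = {a: n for n, a in self.by_name.items()}

    def search(self, pattern):
        """Symbol regex search: (name, address) for every symbol whose name matches."""
        rx = re.compile(pattern)
        return sorted((n, a) for n, a in self.by_name.items() if rx.search(n))


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def load_or_build(pdb_path, cache_path, parse_pdb):
    """Return (Lookup, came_from_cache).

    The cache is only valid for the exact PDB it was built from, so the PDB's SHA-256 is
    stored next to the symbols and the cache is rebuilt on mismatch. pickle.load runs
    arbitrary code from a tampered file, so only unpickle cache files this code wrote
    into a work_dir that other users cannot write to.
    """
    digest = sha256_file(pdb_path)
    if os.path.exists(cache_path):
        with open(cache_path, "rb") as fh:
            cached = pickle.load(fh)
        if cached.get("pdb_sha256") == digest:
            return Lookup(cached["symbols"].items()), True
    lookup = Lookup(parse_pdb(pdb_path))
    with open(cache_path, "wb") as fh:
        pickle.dump({"pdb_sha256": digest, "symbols": lookup.by_name}, fh,
                    protocol=pickle.HIGHEST_PROTOCOL)
    return lookup, False


def parse_text_symbols(path):
    """Stand-in for the slow PDB parse (assumption: pdbparse is not modelled here).
    Reads constructed lines of the form '<name> <hex address>'."""
    with open(path, "r") as fh:
        for line in fh:
            if line.strip():
                name, addr = line.split()
                yield name, int(addr, 16)


def demo(work_dir=None):
    """Constructed end-to-end run: cold build, warm cache hit, then invalidation after
    the 'PDB' changes. Returns the observations so they can be checked."""
    work_dir = work_dir or tempfile.mkdtemp(prefix="binstar_work_")
    pdb = os.path.join(work_dir, "target.pdb")            # constructed, not a real PDB
    cache = os.path.join(work_dir, "target.pdb.lookup.pkl")
    with open(pdb, "w") as fh:
        fh.write("Auth::Login 140001000\nAuth::Logout 140001080\nmain 1400010f0\n")
    _, hit_cold = load_or_build(pdb, cache, parse_text_symbols)
    _, hit_warm = load_or_build(pdb, cache, parse_text_symbols)
    with open(pdb, "a") as fh:                            # PDB rebuilt -> hash changes
        fh.write("Auth::RefreshToken 140001200\n")
    lookup, hit_stale = load_or_build(pdb, cache, parse_text_symbols)
    return {
        "from_cache": (hit_cold, hit_warm, hit_stale),
        "auth_log_symbols": [n for n, _ in lookup.search(r"^Auth::Log")],
        "symbol_count": len(lookup.by_name),
        "name_at_0x140001080": lookup.by_addr[0x140001080],
    }


if __name__ == "__main__":
    print(demo())
```

Hashing the whole PDB costs one read of the file, which is still far cheaper than re-parsing it; comparing only the PDB's mtime would miss a rebuild that preserved the timestamp.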
---------------------------------- Tests ----------------------------------

There are a number of tests you are able to run. These are all contained within the idaStar.py file.

Strings search

This test requires a newline-delimited text file with strings you want to look out for.
The tool runs strings on the target file, and searches the resulting list for strings containing any of the "watch" words.
Both binStar.py and idaStar.py contain this test, but in automated mode the binStar.py version is the one that runs, to benefit from the speed of native Python.

Byte pattern search

This takes a list of hex strings, searches the target binary file for matches, and returns all matched addresses.

Spot Checks

Each spot check is a pair of strings: an address (an integer; I'd advise base 16...) and a hex-encoded value. If the bytes starting at the given address in the target file match the value, it reports True, False otherwise.

String regex search

Takes a list of Perl-style regexes and searches the strings list of the binary for matches.

Symbol regex search

Takes a list of Perl-style regexes and searches the symbol list of the binary's PDB for matches.
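To make the semantics of the strings, byte pattern, spot check and string regex tests concrete, here is an added example that re-implements them in plain Python over an in-memory byte string. It is not the idaStar.py code (which runs inside IDA) and the symbol regex test is left out because it needs the PDB Lookup. SAMPLE_BIN, SAMPLE_ENTRY and SAMPLE_WATCH_WORDS are constructed inputs; extract_strings is an ASCII-only stand-in for strings.exe, and the hex "value" of a spot check is assumed to be raw bytes, as the README's "hex string" wording suggests.

```python
import re

# Constructed sample binary image (not a real target file). Offsets are fixed so the
# checks below have known answers: "DEADBEEF" occurs at 0x1e and 0x34, four 0xAA bytes
# sit at 0x30, and the two printable strings start at 0x10 and 0x24.
SAMPLE_BIN = (
    b"MZ\x90\x00" + b"\x00" * 12        # 0x00: fake DOS header, padded to 16 bytes
    + b"domainenv=dev\x00"             # 0x10: printable string, NUL terminated
    + b"\xde\xad\xbe\xef"              # 0x1e: byte pattern
    + b"\x00\x00"                      # 0x22
    + b"Auth::Login\x00"               # 0x24: second string
    + b"\xaa\xaa\xaa\xaa"              # 0x30: spot-check bytes
    + b"\xde\xad\xbe\xef"              # 0x34: second occurrence of the pattern
)


def extract_strings(data, min_len=4):
    """Stand-in for strings.exe: (offset, text) for each run of >= min_len printable ASCII
    bytes. Assumption: ASCII only; the real strings.exe also finds UTF-16 strings."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def watch_word_hits(strings, watch_words):
    """Strings search: every extracted string that contains any watch word (substring)."""
    return [(off, text, word) for off, text in strings
            for word in watch_words if word in text]


def find_byte_pattern(data, hex_pattern):
    """Byte pattern search: all offsets where the hex string's bytes occur."""
    needle = bytes.fromhex(hex_pattern)
    hits, start = [], 0
    while True:
        idx = data.find(needle, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def spot_check(data, address, value):
    """Spot check: do the bytes at `address` (hex string, base 16 as advised above)
    equal `value` (hex string)? Reports False if the address runs off the end."""
    addr = int(address, 16)
    expected = bytes.fromhex(value)
    return data[addr:addr + len(expected)] == expected


def regex_hits(strings, patterns):
    """String regex search. Python's re is close to, but not identical with, Perl syntax."""
    compiled = [re.compile(p) for p in patterns]
    return [(off, text, rx.pattern) for off, text in strings
            for rx in compiled if rx.search(text)]


def run_tests(data, entry, watch_words):
    """Run the tests described above over `data` using one target_binaries entry.
    `watch_words` stands in for the contents of entry["strings_file"]."""
    strings = extract_strings(data)
    return {
        "strings": watch_word_hits(strings, watch_words),
        "byte_patterns": {p: find_byte_pattern(data, p)
                          for p in entry.get("byte_patterns", [])},
        "spot_checks": [(c["address"], c["value"], spot_check(data, c["address"], c["value"]))
                        for c in entry.get("spot_checks", [])],
        "string_regex": regex_hits(strings, entry.get("string_regex_list", [])),
    }


SAMPLE_ENTRY = {  # constructed target_binaries entry using the README's keys
    "byte_patterns": ["DEADBEEF", "CAFEBABE"],
    "spot_checks": [{"address": "0x30", "value": "AAAAAAAA"},
                    {"address": "0x0", "value": "AAAA"}],
    "string_regex_list": ["^.*youWontFindMe.*", r"env=\w+$"],
}
SAMPLE_WATCH_WORDS = ["dev", "Login"]   # constructed contents of a strings_file


if __name__ == "__main__":
    for test, result in sorted(run_tests(SAMPLE_BIN, SAMPLE_ENTRY, SAMPLE_WATCH_WORDS).items()):
        print("%-14s %r" % (test, result))
```

Note that the watch-word test is a plain substring match, so a short word such as "dev" will also flag any longer identifier that happens to contain it; that is the noise the README warns about, and the reason the strings report is written to its own file.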
---------------------------------- Configuration File ----------------------------------

The configuration file expects the following format:

{
    "target_binaries":
    [
        {
            "filepath":"",
            "dump_module":"",
            "target" : "",
            "cmd_line_args" : "",
            "pdb_file" : "",
            "string_regex_list" : [],
            "symbol_regex_list" : [],
            "strings_file" : "",
            "byte_patterns" : [],
            "spot_checks" : []
        }
    ],
    "cfg":{
        "IDAw":"",
        "pylibs":"",
        "dumpIt":"",
        "strings_exe":"",
        "idaStar":"",
        "work_dir":"",
        "log_file":""
    }
}

NOTE: ALL FILE PATHS MUST HAVE THEIR BACKSLASHES ESCAPED: (i.e. "X:\\gta5\\tools_ng\\...")

This is a JSON thing: the backslash is the escape character inside JSON strings, so a lone backslash is either an invalid escape (and the file fails to parse) or is silently turned into a control character ("\t" becomes a tab). Fixing it is more trouble than it's worth at the moment, sorry.
target_binaries

This is the section containing a list of target file configurations.

filepath

This contains the path to the target file, or to the executable that contains the target module.

dump_module

This is a boolean, which instructs the tool whether or not to dump a module. Possible values are "true" or "false", case-insensitive.

target

This is the name of the target module to dump.
Optional if dump_module = "false".

cmd_line_args

Command line arguments that are passed to the target executable when it is run by dumpIt.
Optional.

pdb_file

File path to the PDB symbol file that corresponds to the target binary.
Optional.

string_regex_list

List of regex strings to search the binary's strings for.
Optional.

symbol_regex_list

List of regex strings to search the symbol list for.
Optional.

strings_file

File path to the newline-delimited text file of "watch" words used by the strings search (see Tests above).

byte_patterns

List of hex strings to search the memory for.
Optional.

spot_checks

List of address/value pairs to check in the binary.
Optional.

cfg

Contains config information for the toolset.

IDAw

File path to the IDAW64.exe binary.

pylibs

File path to the "libs" directory installed with the tool.
This directory is expected to contain three modules: two directories, "construct" and "pdbparse", as well as the "idaStar.py" file.

dumpIt

File path to the dumpIt executable. The dumpIt project is included with this toolset, so you can modify and compile your own if needed.

strings_exe

File path to the strings executable. The one included is the TechNet (Sysinternals) version, but the cygwin one works just as well if that's your steez.

idaStar

File path to the idaStar.py module.

work_dir

Arbitrary directory for all dump, working and output files. Will be created if it does not already exist.

log_file

File path for the idaStar log.
Optional. If not specified, will default to "work_dir\\idaStar.log".
Here's a sample configuration. It should work if you have GTAV, IDA 6.7, and the build tools all up to date in their default install locations, and socialclub.pdb in the right folder!!

{
    "target_binaries":
    [
        {
            "filepath":"C:\\Program Files\\Rockstar Games\\Grand Theft Auto V\\GTAVLauncher.exe",
            "dump_module":"true",
            "target" : "socialclub.dll",
            "cmd_line_args" : "-rlrosdomainenv=dev -env=dev -patchenv=dev",
            "pdb_file" : "%RS_TOOLSROOT%\\script\\coding\\mod\\binStar\\etc\\socialclub.pdb",
            "string_regex_list" : ["^.*youWontFindMe.*"],
            "symbol_regex_list" : ["^.*youWontFindMe.*"],
            "strings_file" : "%RS_TOOLSROOT%\\script\\coding\\mod\\binStar\\etc\\words.txt",
            "byte_patterns" : ["DEADBEEF"],
            "spot_checks" : [{"address":"0x0","value":"AAAA"}]
        }
    ],
    "cfg":{
        "IDAw":"C:\\Program Files (x86)\\IDA 6.7\\idaw64.exe",
        "pylibs":"%RS_TOOLSROOT%\\script\\coding\\mod\\binStar\\lib\\",
        "dumpIt":"%RS_TOOLSROOT%\\script\\coding\\mod\\binStar\\bin\\dumpIt.exe",
        "strings_exe":"%RS_TOOLSROOT%\\script\\coding\\mod\\binStar\\bin\\strings.exe",
        "idaStar":"%RS_TOOLSROOT%\\script\\coding\\mod\\binStar\\lib\\idaStar.py",
        "work_dir":"%RS_TOOLSROOT%\\script\\coding\\mod\\binStar\\work\\",
        "log_file":""
    }
}
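The rules spelled out in the field descriptions (case-insensitive "true"/"false" for dump_module, "target" only needed when dumping, relative paths resolved against the calling directory, log_file defaulting to work_dir\\idaStar.log, and the backslash-escaping NOTE) are easy to get wrong by hand, so here is an added example of a loader that applies them and rejects a bad file before IDA is ever launched. This is not the toolset's own parser and its behaviour is an assumption about how binStar.bat treats the file; load_config, parse_bool and check_backslashes are names chosen here, and SAMPLE_CONFIG is a constructed config that uses relative paths with forward slashes so it resolves the same way on any OS (a real Windows config would use escaped backslashes as the NOTE says).

```python
import json
import os

REQUIRED_CFG_KEYS = ("IDAw", "pylibs", "dumpIt", "strings_exe", "idaStar", "work_dir")
LIST_KEYS = ("string_regex_list", "symbol_regex_list", "byte_patterns", "spot_checks")


def parse_bool(text):
    """dump_module is the string "true" or "false", case-insensitive; anything else is an error."""
    lowered = str(text).strip().lower()
    if lowered not in ("true", "false"):
        raise ValueError("dump_module must be 'true' or 'false', got %r" % (text,))
    return lowered == "true"


def check_backslashes(text):
    """Why the NOTE above exists: JSON treats '\\' as its escape character. An unknown escape
    such as '\\g' is rejected; a known one such as '\\t' is silently turned into a tab."""
    try:
        return json.loads(text)
    except ValueError as exc:            # json.JSONDecodeError is a subclass of ValueError
        return "rejected: %s" % exc


def load_config(text, cwd=None):
    """Parse a binStar config, apply the defaults described above and make every path absolute.

    Relative paths are resolved against `cwd` (default: the current directory, i.e. where the
    tool is called from). Assumption: the real tool may not normalise paths exactly like this."""
    cwd = cwd or os.getcwd()

    def resolve(path):
        return os.path.normpath(os.path.join(cwd, path))   # an absolute input is kept as is

    raw = json.loads(text)
    cfg = dict(raw["cfg"])
    missing = [k for k in REQUIRED_CFG_KEYS if not cfg.get(k)]
    if missing:
        raise ValueError("cfg is missing required keys: " + ", ".join(missing))
    for key in REQUIRED_CFG_KEYS:
        cfg[key] = resolve(cfg[key])
    cfg["log_file"] = resolve(cfg.get("log_file") or os.path.join(cfg["work_dir"], "idaStar.log"))

    targets = []
    for entry in raw["target_binaries"]:
        target = dict(entry)
        target["dump_module"] = parse_bool(entry.get("dump_module", "false"))
        if target["dump_module"] and not entry.get("target"):
            raise ValueError("'target' is required when dump_module is true: %s" % entry["filepath"])
        target["filepath"] = resolve(entry["filepath"])
        for key in ("pdb_file", "strings_file"):
            if entry.get(key):
                target[key] = resolve(entry[key])
        for key in LIST_KEYS:
            target.setdefault(key, [])        # optional lists default to empty
        targets.append(target)
    return {"cfg": cfg, "target_binaries": targets}


# Constructed configuration in the README's format (not the GTAV sample above).
SAMPLE_CONFIG = r'''
{
    "target_binaries": [
        {
            "filepath": "bin/launcher.exe",
            "dump_module": "True",
            "target": "target.dll",
            "cmd_line_args": "-env=dev",
            "pdb_file": "etc/target.pdb",
            "string_regex_list": ["^.*youWontFindMe.*"],
            "strings_file": "etc/words.txt",
            "byte_patterns": ["DEADBEEF"],
            "spot_checks": [{"address": "0x0", "value": "AAAA"}]
        }
    ],
    "cfg": {
        "IDAw": "tools/ida/idaw64.exe",
        "pylibs": "lib/",
        "dumpIt": "bin/dumpIt.exe",
        "strings_exe": "bin/strings.exe",
        "idaStar": "lib/idaStar.py",
        "work_dir": "work/",
        "log_file": ""
    }
}
'''

if __name__ == "__main__":
    print(json.dumps(load_config(SAMPLE_CONFIG), indent=2))
    print(check_backslashes(r'{"p":"X:\gta5\tools_ng"}'))
```

Resolving every path up front also makes the "relative to the calling directory" rule visible in the log: a config that works from one directory and fails from another is almost always a relative path in cfg, not a broken tool.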