How to extend popkorn to support memmove ? #1

Open
v1k1ngfr opened this issue May 4, 2023 · 6 comments

Comments

@v1k1ngfr

v1k1ngfr commented May 4, 2023

Hi,

First I would like to thank you for sharing your awesome paper & work!
I read the last annex D, Case Study II, and tried to add support for memmove:
I added the following code to angr_analysis/angr_full_blown.py:

[redacted]
MEMMOVE = False  # module-level flag: set to True once the memmove import is located

def check_imports(proj):
    global MEMMOVE  # required: without it the assignment below only creates a local variable
[redacted]
    # Look the symbol up in the import table via angr's loader
    mymemmove = proj.loader.find_symbol("memmove")
    if mymemmove:
        print("[+] Found memmove: ", hex(mymemmove.rebased_addr))
        MEMMOVE = True
        import_addr['memmove'] = mymemmove.rebased_addr  # import_addr is the script's existing dict of resolved imports
    else:
        print("memmove import not found!\n")

Then I ran it on the Dell driver vulnerable to CVE-2021-21551:

$ python3 angr_analysis/angr_full_blown.py datasets/my_dataset/dbutil_2_3.sys
Found WDM driver:  0x100068
Driver DEVICE_NAME:  \\\\.\\DBUtil_2_3
Looking for MmMapIoSpace, ZwOpenProcess, ZwMapViewOfSection and memmove Imports..
ZwOpenProcess import not found!
[+] Found MmapIoSpace:  0x100048
ZwMapViewOfSection import not found!
memmove import not found!
DriverObject @ 0x444f0000
[+] Finding the IOCTL Handler.
[redacted]

It didn't find memmove in the imports, so it fails to find the vuln.
I opened the driver in Ghidra; indeed, memmove is not imported.

Did I miss something?

Have a nice day!

@JJK96

JJK96 commented May 10, 2023

You are correct, memmove (or memcpy as Ghidra detects it) is not imported, but it is bundled in the application itself. So you would need a different kind of detection mechanism than looking at the import table.

[two screenshots attached to the comment]

@v1k1ngfr
Author

OK!
What kind of detection mechanism did you use to manage to support this?
Thanks

@JJK96

JJK96 commented May 10, 2023

I'm not a developer of this script, so I can't help you with that right now. I just thought to help you one step further in the right direction. Good luck!

@zeze-zeze

You can use the opcode signature e.g. prefetchnta to find memmove in a binary.
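The two comments above make one point between them: when memmove is statically linked into the driver rather than imported, the import-table lookup in the script cannot find it, and an opcode signature such as prefetchnta is one way to locate the inlined copy routine instead. The block below is an added example written for this thread; it is not code from the popkorn repository or from any commenter. It assumes, as the comment suggests, that the bundled memmove contains prefetchnta (encoded as 0F 18 /0 on x86/x64) in its copy loop, and it uses a heuristic of my own choosing: several prefetchnta hits within a 64-byte window are treated as one candidate routine, which filters out stray single hits. The byte buffer is constructed for the demonstration and is not taken from the Dell driver; the offsets it returns are file offsets, which would still need to be translated to virtual addresses (for example via the PE section table) before being stored next to the rebased import addresses the script already tracks.

```python
from typing import List, Tuple

# Constructed sample buffer (not from any real driver): NOP filler, a PREFETCHT0
# that must be ignored (reg field 001), a fake copy loop with two PREFETCHNTA
# instructions in disp32 form, a reserved mod=11 encoding, a 300-byte gap, a
# short PREFETCHNTA [rsi], and a truncated 0F 18 at the very end of the buffer.
SAMPLE = (
    b"\x90" * 16
    + b"\x0f\x18\x0e"                  # prefetcht0 [rsi]        -> reg=001, skip
    + b"\x48\x89\xc8"                  # mov rax, rcx
    + b"\x0f\x18\x86\x80\x00\x00\x00"  # prefetchnta [rsi+0x80]  (offset 22)
    + b"\x0f\x18\x86\xc0\x00\x00\x00"  # prefetchnta [rsi+0xc0]  (offset 29)
    + b"\x0f\x18\xc0"                  # 0F 18 /0 with mod=11    -> no memory operand, skip
    + b"\xc3"                          # ret
    + b"\x00" * 300
    + b"\x0f\x18\x06"                  # prefetchnta [rsi]       (offset 340)
    + b"\x0f\x18"                      # opcode truncated at EOF -> skip
)


def find_prefetchnta(blob: bytes) -> List[int]:
    """Return the byte offset of every PREFETCHNTA (0F 18 /0) in blob.

    The ModRM byte must have reg == 000 (otherwise it is prefetcht0/t1/t2)
    and mod != 11 (prefetch needs a memory operand).  A 0F 18 pair at the
    end of the buffer with no ModRM byte is ignored rather than raising.
    """
    hits: List[int] = []
    i = blob.find(b"\x0f\x18")
    while i != -1:
        if i + 2 < len(blob):
            modrm = blob[i + 2]
            reg = (modrm >> 3) & 0b111
            mod = modrm >> 6
            if reg == 0 and mod != 0b11:
                hits.append(i)
        i = blob.find(b"\x0f\x18", i + 1)
    return hits


def cluster_hits(hits: List[int], window: int = 64) -> List[Tuple[int, int]]:
    """Group hits that lie within `window` bytes of the previous hit.

    Returns (first_offset, hit_count) per cluster.  The window size is a
    heuristic chosen for this example, not a property of memmove itself.
    """
    clusters: List[List[int]] = []
    for off in sorted(hits):
        if clusters and off - clusters[-1][-1] <= window:
            clusters[-1].append(off)
        else:
            clusters.append([off])
    return [(c[0], len(c)) for c in clusters]


def memmove_candidates(blob: bytes, window: int = 64, min_hits: int = 2) -> List[int]:
    """Offsets of clusters dense enough to be worth reviewing as a copy loop.

    min_hits is an assumption of this example: a real copy routine usually
    prefetches more than one line per iteration, so a lone hit is discarded.
    The result is a list of candidates for manual confirmation in a
    disassembler, not a proof that the code at that offset is memmove.
    """
    return [
        start
        for start, count in cluster_hits(find_prefetchnta(blob), window)
        if count >= min_hits
    ]


if __name__ == "__main__":
    print("prefetchnta hits:", find_prefetchnta(SAMPLE))
    print("clusters:", cluster_hits(find_prefetchnta(SAMPLE)))
    print("memmove candidates:", [hex(o) for o in memmove_candidates(SAMPLE)])
```

On a real driver you would read the file (or the mapped image) into `blob`, run `memmove_candidates` over it, and confirm each candidate in Ghidra before wiring its address into the script in place of the missing import; the signature only narrows the search, since prefetchnta can appear in other hand-tuned loops too.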

@v1k1ngfr
Author

I will have a look at this, thanks @zeze-zeze

@JJK96

JJK96 commented Jan 15, 2024

@v1k1ngfr did you manage to find a solution? I'm now also running into this problem.
