Kali Linux

FindFunc : Advanced Filtering/Finding of Functions in IDA Pro

FindFunc is an IDA Pro plugin to find code functions that contain a certain assembly or byte pattern, reference a certain name or string, or conform to various other constraints. This is not a competitor to tools like Diaphora or BinNavi, but it is ideal to find a known function in a new binary for cases where classical bindiffing fails.

Filtering with Rules

The main functionality of FindFunc is letting the user specify a set of “Rules” or constraints that a code function in IDA Pro has to satisfy. FF will then find and list all functions that satisfy ALL rules (so currently all Rules are in an AND-conjunction). Exception: Rules can be “inverted” to be negative matches. Such rules thus conform to “AND NOT”.

FF will schedule the rules in a smart order to minimize processing time. Feature overview:

Currently 6 Rules available, see below
Code matching respects Addressing-Size-Prefix and Operand-Size-Prefix
Aware of function chunks
Smart scheduling of rules for performance
Saving/Loading rules from/to file in simple ascii format
Several independent Tabs for experimentation
Copying rules between Tabs via clipboard (same format as file format)
Saving entire session (all tabs) to file
Advanced copying of instruction bytes (all, opcodes only, all except immediates)

Button “Search Functions” clears existing results and starts a fresh search, “Refine Results” considers only results of the previous search.

Advanced Binary Copying

A secondary feature of FF is the option to copy binary representation of instructions with the following options:

copy all -> copy all bytes to the clipboard
copy without immediates -> blank out (AA ?? BB) any immediate values in the instruction bytes
opcode only -> will blank out everything except the actual opcode(s) of the instruction (and prefixes)

See “advanced copying” section below for details. This feature nicely complements the Byte Pattern rule!

Building and Installation

FindFunc is an IDA Pro python plugin without external package dependencies. It can be installed by downloading the repository and copying file findfuncmain.py and folder findfunc to your IDA Pro plugin directory. No building is required.

Requirements: IDA Pro 7.x (7.6+) with python3 environment. FindFunc is designed for x86/x64 architecture only. It has been tested with IDA 7.6/7.7, python 3.9 and IDAPython 7.4.0 on Windows 10.

Available Rules

Currently the following six rules are available. They are sorted here from heavy to light with regard to performance impact. With large databases it is a good idea to first cut down the candidate-functions with a cheap rule, before doing heavy matching via e.g. Code Rules. FF will automatically schedule rules in a smart way.

Code Pattern

Rule for filtering function based on them containing a given assembly code snippet. This is NOT a text-search for IDAs textual disassembly representation, but rather performs advanced matching of the underlying instruction. The snippet may contain many consecutive instructions, one per line. Function chunks are supported. Supports special wildcard matching, in addition to literal assembly:

“pass” -> matches any instruction with any operands
“mov* any,any” -> matches instructions with mnemonic “mov*” (e.g. mov, movzx, …) and any two arguments.
“mov eax, r32” -> matches any instruction with mnemonic “mov”, first operand register eax and second operand any 32-bit register.
- Analogue: r for any register, r8/r16/r32/r64 for register of a specific width, “imm” for any immediate
“mov r64, imm” -> matches any move of a constant to a 64bit register
“any r64,r64” -> matches any operation between two 64bit registers
mov -> matches any instruction of mov mnemonic

more examples:

mov r64, [r32 * 8 + 0x100]
mov r, [r * 8 – 0x100]
mov r64, [r32 * 8 + imm]
pass
mov r, word [eax + r32 * 8 – 0x100]
any r64, r64
push imm
push any

Gotchas: Be careful when copying over assembly from IDA. IDA mingles local variable names and other information into the instruction which leads to matching failure. Also, labels are not supported (“call sub_123456”).

Note that Code Patterns is the most expensive Rule, and if only Code Rules are present FF has no option but to disassemble the entire database. This can take up to several minutes for very large binaries. See notes on performance below.

Immediate Value (Constant)

The function must contain the given immediate at least once in any position. An immediate value is a value fixed in the binary representation of the instruction. Examples for instructions matching immediate value 0x100:

mov eax, 0x100
mov eax, [0x100]
and al, [eax + ebx*8 + 0x100]
push 0x100

Note: IDA performs extensive matching of any size and any position of the immediate. If you know it to be of a specific width of 4 or 8 bytes, a byte pattern can be a little faster.

Byte Pattern

The function must contain the given byte pattern at least once. The pattern is of the same format as IDAs binary search, and thus supports wildcards – the perfect match for the advanced-copy feature!

Examples:

11 22 33 44 aa bb cc
11 22 33 ?? ?? bb cc -> ?? can be any byte

String Reference

The function must reference the given string at least once. The string is matched according to pythons ‘fnmatch’ module, and thus supports wildcard-like matching. Matching is performed case-insensitive. Strings of the following formats are considered: [idaapi.STRTYPE_C, idaapi.STRTYPE_C_16] (this can be changed in the Config class).

Examples:

“TestString” -> function must reference the exact string (casing ignored) at least once
“TestStr*” -> function must reference a string starting with ‘TestStr (e.g. TestString, TestStrong) at least once (casing ignored)

Note: String matching is fast and a good choice to cut down candidates quickly!

Name Reference

The function must reference the given name/label at least once. The name/label is matched according to pythons ‘fnmatch’ module, and thus supports wildcard-like matching. Matching is performed case-insensitive.

Examples:

“memset” -> function must reference a location named “memset” at least once
“mem*” -> function must reference a location starting with “mem” (memset, memcpy, memcmp) at least once

Note: Name matching is very fast and ideal to cut down candidates quickly!

Function Size

The size of the function must be within the given limit: “min <= functionsize <= max”. Data is entered as a string of the form “min,max”. The size of a function includes all of its chunks.

Note: Function size matching is very fast and ideal to cut down candidates quickly!

Keyboard Shortcuts & GUI

For ease of use FF can be used via the following keyboard shortcuts:

Ctrl+Alt+F -> launch/show TabWidget (main GUI)
- Or View->FindFunc
Ctrl+F -> start search with currently enabled rules
Ctrl+R -> refine existing results with currently enabled rules
Rules
- Ctrl+C -> copy selected rules to clipboard
- Ctrl+V -> paste rules from clipboard into current tab (appends)
- Ctrl+S -> save selected rules to file
- Ctrl+L -> load selected rules from file (appends)
- Ctrl+A -> select all rules
- Del -> delete selected rules
Save Session
- Ctrl+Shift+S -> Save session to file
- Ctrl+Shift+L -> Load session from file

Further GUI usage

Rules can be edited by double-clicking the Data column
Rules can be inverted (negative match) by double-clicking the invert-match column
Rules can be enabled/disabled by double-clicking the enabled-column
Tabs can be renamed by double-clicking them
Sorting is supported both for Rule-List and Result-List
Double-click Result item to jump to it in IDA
- function name: jump to function start
- any other column: jump to match of last matched rule
Checkbox Profile: Outputs profiling information for the search
Checkbox Debug: Dumps detailed debugging output for code rule matching – only use it if few functions make it to the code checking rule, otherwise it might take very long!

Advanced Binary Copy

Frequently we want to search for binary patterns of assembly, but without hardcoded addresses and values (immediates), or even only the actual opcodes of the instruction. FindFunc makes this easy by adding three copy options to the disassembly-popupmenu: