VulFi (Vulnerability Finder) tool is a plugin to IDA Pro which can be used to assist during bug hunting in binaries. Its main objective is to provide a single view with all cross-references to the most interesting functions (such as strcpy
, sprintf
, system
, etc.). For cases where a Hexrays decompiler can be used, it will attempt to rule out calls to these functions which are not interesting from a vulnerability research perspective (think something like strcpy(dst,"Hello World!")
). Without the decompiler, the rules are much simpler (to not depend on architecture) and thus only rule out the most obvious cases.
Place the vulfi.py
, vulfi_prototypes.json
and vulfi_rules.json
files in the IDA plugin folder (cp vulfi* <IDA_PLUGIN_FOLDER>
).
Before you run VulFi make sure that you have a good understanding of the binary that you work with. Try to identify all standard functions (strcpy
, memcpy
, etc.) and name them accordingly. The plugin is case insensitive and thus MEMCPY
, Memcpy
and memcpy
are all valid names. However, note that the search for the function requires exact match. This means that memcpy?
or std_memcpy
(or any other variant) will not be detected as a standard function and therefore will not be considered when looking for potential vulnerabilities. If you are working with an unknown binary you need to set the compiler options first Options
> Compiler
. After that VulFi will do its best to filter all obvious false positives (such as call to printf
with constant string as a first parameter). Please note that while the plugin is made without any ties to a specific architecture some processors do not have full support for specifying types and in such case VulFi will simply mark all cross-references to potentially dangerous standard functions to allow you to proceed with manual analysis. In these cases, you can benefit from the tracking features of the plugin.
To initiate the scan, select Search
> VulFi
option from the top bar menu. This will either initiate a new scan, or it will read previous results stored inside the idb
/i64
file. The data are automatically saved whenever you save the database.
Once the scan is completed or once the previous results are loaded a table will be presented with a view containing following columns:
Not Checked
is assigned to every new item. The other statuses are False
Positive
, Suspicious
and Vulnerable
. Those can be set using a right-click menu on a given item and should reflect the results of the manual review of the given function call.High
, Medium
and Low
. The priorities are defined along with other rules in vulfi_rules.json
file.In case that there are no data inside the idb
/i64
file or user decides to perform a new scan. The plugin will ask whether it should run the scan using the default included rules or whether it should use a custom rules file. Please note that running a new scan with already existing data does not overwrite the previously found items identified by the rule with the same name as the one with previously stored results. Therefore, running the scan again does not delete existing comments and status updates.
In the right-click context menu within the VulFi view, you can also remove the item from the results or remove all items. Please note that any comments or status updates will be lost after performing this operation.
Whenever you would like to inspect the detected instance of a possible vulnerable function, just double-click anywhere in the desired row and IDA will take you to the memory location which was identified as potentially interesting. Using a right-click and option Set Vulfi Comment
allows you to enter comment for the given instance (to justify the status for example).
The plugin also allows for creating custom rules. These rules could be defined in the IDA interface (ideal for single functions) or supplied as a custom rule file (ideal for rules that aim to cover multiple functions).
When you would like to trace a custom function, which was identified during the analysis, just switch the IDA View to that function, right-click anywhere within its body and select Add current function to VulFi
.
It is also possible to load a custom file with set of multiple rules. To create a custom rule file with the below structure you can use the included template file here.
[ // An array of rules
{
“name”: “RULE NAME”, // The name of the rule
“alt_names”:[
“function_name_to_look_for” // List of all function names that should be matched against the conditions defined in this rule
],
“wrappers”:true, // Look for wrappers of the above functions as well (note that the wrapped function has to also match the rule)
“mark_if”:{
“High”:”True”, // If evaluates to True, mark with priority High (see Rules below)
“Medium”:”False”, // If evaluates to True, mark with priority Medium (see Rules below)
“Low”: “False” // If evaluates to True, mark with priority Low (see Rules below)
}
}
]
An example rule that looks for all cross-references to function malloc
and checks whether its parameter is not constant and whether the return value of the function is checked is shown below:
{
“name”: “Possible Null Pointer Dereference”,
“alt_names”:[
“malloc”,
“_malloc”,
“.malloc”
],
“wrappers”:false,
“mark_if”:{
“High”:”not param[0].is_constant() and not function_call.return_value_checked()”,
“Medium”:”False”,
“Low”: “False”
}
}
shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…
Extract and execute a PE embedded within a PNG file using an LNK file. The…
Embark on the journey of becoming a certified Red Team professional with our definitive guide.…
This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…
This took me like 4 days (+2 days for an update), but I got it…
MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…