Initial commit

Author: todd-manning

LICENSE

@@ -0,0 +1,26 @@
+Copyright (c) 2017 Duo Security, Inc. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
+CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

README.md

@@ -0,0 +1,36 @@
+# Duo Labs IDAPython Repository
+
+This IDAPython repository contains a few Python modules developed for use with IDA Pro from the researchers at Duo Labs. There are currently two modules being released. These modules are discussed in the blog post at <duo.sc/personal-protection>, and in the associated paper [Examining Personal Protection Devices
+Hardware & Firmware Research Methodology in Action](https://duo.com/assets/ebooks/Duo-Labs-Personal-Protection-Devices.pdf).
+
+We also wish to thank two contributors that discussed ARM code detection heuristics during the development of this code: Luis Miras and Josh Mitchell. 
+
++ Cortex M Firmware (cortex_m_firmware.py) -- 
+This Cortex M Firmware module grooms an IDA Pro database containing firmware from an ARM Cortex M microcontroller. This module will annotate the firmware vector table, which contains a number of function pointers. This vector table annotation will cause IDA Pro to perform auto analysis against the functions these pointers point to. The Cortex M Firmware module also calls into the Amnesia module to automate discovery of additional code in the firmware image using the Amnesia heuristics.
+
+This example shows the most common usage of the code, for loading firmware images with the vector table located at address 0x0:
+```python
+from cortex_m_firmware import *
+cortex = CortexMFirmware(auto=True)
+```
+
+This example shows how to annotate multiple vector tables in a firmware:
+```python
+from cortex_m_firmware import *
+cortex = CortexMFirmware()
+cortex.annotate_vector_table(0x4000)
+cortex.annotate_vector_table(0x10000)
+cortex.find_functions()
+```
+
++ Amnesia (amnesia.py) -- 
+Amnesia is an IDAPython module designed to use byte level heuristics to find ARM thumb instructions in undefined bytes in an IDA Pro database. Currently, the heuristics in this module find code in a few different ways. Some instructions identify and define new code by looking for comon byte sequences that correspond to particular ARM opcodes. Other functions in this module define new functions based on sequences of defined instructions.
+
+```python
+class Amnesia:
+ def find_function_epilogue_bxlr(self, makecode=False)
+ def find_pushpop_registers_thumb(self, makecode=False)
+ def find_pushpop_registers_arm(self, makecode=False)
+ def make_new_functions_heuristic_push_regs(self, makefunction=False)
+ def nonfunction_first_instruction_heuristic(self, makefunction=False)
+```

amnesia.py

@@ -0,0 +1,222 @@
+import idc
+import ida_bytes
+import ida_funcs
+import ida_search
+import idautils
+
+import re
+
+class Amnesia:
+    '''
+    Filename:       amnesia.py
+    Description:    IDA Python module for finding code in ARM binaries. 
+    Contributors:   [email protected], [email protected], jmitch
+    
+    Notes:
+    ------
+    This code currently focuses more on Thumb detection. 
+    Lots more work to do here on ARM and Thumb detection. 
+    For ARM Cortex, this code works pretty well. It also 
+    gave some good results with ARM Mach-o binaries. 
+    
+    This code will undergo continued development. Development might break scripts.
+    '''
+    
+    printflag = False
+    
+    def find_function_epilogue_bxlr(self, makecode=False):
+        '''
+        Find opcode bytes corresponding to BX LR.
+        This is a common way to return from a function call.
+        Using the IDA API, convert these opcodes to code. This kicks off IDA analysis.
+        '''
+        EAstart = idc.MinEA()
+        EAend   = idc.MaxEA()
+    
+        ea = EAstart
+        length = 2 # this code isn't tolerant to values other than 2 right now
+
+        fmt_string = "Possible BX LR 0x%08x == "
+        for i in range(length):
+            fmt_string += "%02x "
+    
+        while ea < EAend:
+            instructions = []
+            for i in range(length):
+                instructions.append(idc.Byte(ea + i))
+
+            if not ida_bytes.isCode(ida_bytes.getFlags(ea)) and instructions[0] == 0x70 and instructions[1] == 0x47:
+                if self.printflag:
+                    print fmt_string % (ea, instructions[0], instructions[1])
+                if makecode:
+                    idc.MakeCode(ea)
+            ea = ea + length
+
+    def find_pushpop_registers_thumb(self, makecode=False):
+        '''
+        Look for opcodes that push registers onto the stack, which are indicators of function prologues.
+        Using the IDA API, convert these opcodes to code. This kicks off IDA analysis.
+        '''
+        
+        '''
+        thumb register list from [email protected]
+        '''
+        
+        thumb_reg_list = [0x00, 0x02, 0x08, 0x0b, 0x0e, 0x10, 0x1c, 0x1f, 0x30, 0x30, 0x38, 0x3e, 0x4e, 
+        0x55, 0x70, 0x72, 0x73, 0x7c, 0x7f, 0x80, 0x90, 0xb0, 0xf0, 0xf3, 0xf7, 0xf8, 0xfe, 0xff]
+        
+        EAstart = idc.MinEA()
+        EAend   = idc.MaxEA()
+    
+        ea = EAstart
+        length = 2 # this code isn't tolerant to values other than 2 right now
+
+        fmt_string = "Possible Function 0x%08x == "
+        for i in range(length):
+            fmt_string += "%02x "
+    
+        while ea < EAend:
+            instructions = []
+            for i in range(length):
+                instructions.append(idc.Byte(ea + i))
+
+            if not ida_bytes.isCode(ida_bytes.getFlags(ea)) and instructions[0] in thumb_reg_list and (instructions[1] == 0xb5 or instructions[1]== 0xbd):
+                if self.printflag:
+                    print fmt_string % (ea, instructions[0], instructions[1])
+                if makecode:
+                    idc.MakeCode(ea)
+            ea = ea + length
+
+    def find_pushpop_registers_arm(self, makecode=False):
+        '''
+        Find opcodes for PUSH/POP registers in ARM mode
+        Using the IDA API, convert these opcodes to code. This kicks off IDA analysis.
+        
+        bigup jmitch
+        ** ** 2d e9 and ** ** bd e8
+        '''
+        
+        EAstart = idc.MinEA()
+        EAend   = idc.MaxEA()
+    
+        ea = EAstart
+        length = 2 # this code isn't tolerant to values other than 2 right now
+
+        fmt_string = "Possible %s {REGS} 0x%08x == "
+        for i in range(length):
+            fmt_string += "%02x "
+    
+        while ea < EAend:
+            instructions = []
+            for i in range(length):
+                instructions.append(idc.Byte(ea + i))
+
+            # print BX LR bytes
+            if not ida_bytes.isCode(ida_bytes.getFlags(ea)) and      \
+            (instructions[0] == 0xbd and instructions[1] == 0xe8): 
+                if self.printflag:
+                    print fmt_string % ("POP ", ea, instructions[0], instructions[1])
+                if makecode:
+                    idc.MakeCode(ea)
+            
+            if not ida_bytes.isCode(ida_bytes.getFlags(ea)) and      \
+            (instructions[0] == 0x2d and instructions[1] == 0xe9)    \
+            :
+                if self.printflag:
+                    print fmt_string % ("PUSH", ea, instructions[0], instructions[1])
+                if makecode: 
+                    idc.MakeCode(ea)
+            ea = ea + length
+
+    def make_new_functions_heuristic_push_regs(self, makefunction=False):
+        '''
+        After converting bytes to instructions, Look for PUSH instructions that are likely the beginning of functions.
+        Convert these code areas to functions.
+        '''
+        EAstart = idc.MinEA()
+        EAend   = idc.MaxEA()
+        ea = EAstart
+        
+        while ea < EAend:
+            if self.printflag:
+                print "EA %08x" % ea
+            
+            ea_function_start = idc.GetFunctionAttr(ea, idc.FUNCATTR_START)
+            
+            # If ea is inside a defined function, skip to end of function
+            if ea_function_start != idc.BADADDR:
+                ea = idc.FindFuncEnd(ea)
+                continue
+
+            # If current ea is code
+            if ida_bytes.isCode(ida_bytes.getFlags(ea)):
+                # Looking for prologues that do PUSH {register/s}
+                mnem = idc.GetMnem(ea)
+                
+                # 
+                if (
+                    mnem == "PUSH"
+                ):
+                    if makefunction:
+                        if self.printflag:
+                            print "Converting code to function @ %08x" % ea
+                        idc.MakeFunction(ea)
+
+                    eanewfunction = idc.FindFuncEnd(ea)
+                    if eanewfunction != idc.BADADDR:
+                        ea = eanewfunction
+                        continue
+
+            nextcode = ida_search.find_code(ea, idc.SEARCH_DOWN)
+            
+            if nextcode != idc.BADADDR:
+                ea = nextcode
+            else:
+                ea += 1
+
+    def nonfunction_first_instruction_heuristic(self, makefunction=False):
+        EAstart = idc.MinEA()
+        EAend   = idc.MaxEA()
+        ea = EAstart
+        
+        flag_code_outside_function = False
+        self.printflag = False
+        
+        while ea < EAend:
+
+            # skip functions, next instruction will be the target to inspect
+            function_name = idc.GetFunctionName(ea)
+            if function_name != "":
+
+                flag_code_outside_function = False
+
+                # skip to end of function and keep going
+                # ea = idc.FindFuncEnd(ea)
+                #if self.printflag:
+                #    print "Skipping function %s" % (function_name)
+
+                ea = ida_search.find_not_func(ea, 1)
+                continue
+
+            elif ida_bytes.isCode(ida_bytes.getFlags(ea)):
+
+                # code that is not a function
+                # get mnemonic to see if this is a push
+                mnem = idc.GetMnem(ea)
+                
+                if makefunction and (mnem == "PUSH" or mnem == "PUSH.W" or mnem == "STM" or mnem=="MOV"):
+                    if self.printflag:
+                        print "nonfunction_first_instruction_heuristic() making function %08x" % ea
+                    idc.MakeFunction(ea)
+                    flag_code_outside_function = False
+                    ea =ida_search.find_not_func(ea, 1)
+                    continue
+                
+                else:
+                    if self.printflag:
+                        print "nonfunction_first_instruction_heuristic() other instruction %08x\t'%s'" % (ea, mnem)
+                    ea = idc.NextFunction(ea)
+                    continue
+
+            ea += 1
+