META - Signatures

[Maijin]

META - ZIGNATURE

Docs

• Documentation (r2book) * https://radare.gitbooks.io/radare2book/content/signatures/zignatures.html
• Tests * https://github.com/radare/radare2-regressions/blob/master/t/cmd_zignature
• Command * z?
• BlogPost * http://radare.today/posts/zignatures/
• .c involved:
  • https://github.com/radare/radare2/blob/master/libr/core/cmd_zign.c

Fixes

• zos if rules name/content exist should raise warnings
• zg shuold walk the basic blocks, but the function length (otherwise we will be comparing with data inside the function, mixed functions can share basic blocks huge functions, when in fact they are just small ones with far nodes)

Enhancements

• Split the info inside the signatures with the one that makes sense for matching and the one that must be imported (comments, local flags etc.)
• Zignatures, creating function doesn't use the name from the zig Zignatures, creating function doesn't use the name from the zig #13140
• Fix rasign2 tool Fix rasign2 tool #9336
• Decompilation of the function to metric zigns
• DFG of prime numbers to metric zigns
• Add types info in zignaturez
• Add function size (or multiple blocks, in case of function split in chunks) to metric zigns
• Add fcn signature
• Add fcn calling convention
• Add comments
• Add local flags
• Add Warning when the name is too long
• Make command z parsing friendly
• Do not hardcode preludes in https://github.com/radare/radare2/blob/master/libr/core/cmd_search.c#L213 add zignature equivalent:

za prelude_ppc_A a 7c0802a6
za prelude_arm_16_A a f0b5
za prelude_arm_32_A a 00482de9
za prelude_arm_64_A a f657bda9
za prelude_arm_64_B a fd7bbfa9
za prelude_arm_64_C a fc6fbea9
za prelude_arm_64_D a 27bd00
za prelude_x86_32_A a 8bff558bec
za prelude_x86_32_B a 5589e5
za prelude_x86_32_C a 558bec
za prelude_x86_64_A a 554889e5
za prelude_x86_64_B a 55488bec

• Add remaining preludes from https://github.com/vivisect/vivisect/blob/master/vivisect/analysis/i386/__init__.py
• Use Zignature for WinMain detection #832
• Use Zignature for ELF Main detection #7472
• Flirt to Zignature converter (zfz flirt_file > zignatures.sig)
• Automatic loading decision of Zignature Databases Automatic loading decision of Zignature Databases #16084

[XVilka]

@sivaramaaa here you can have an interest in the part of the zignature that will allow to save/load the function arguments and their types. I think it is heavily related to your task.

[malware-kitten]

Reading through this list of zignature ideas and I think I can help with the function preludes.

In CSE's assemblyline tool they have a Binary Ninja script that will do a linear sweep based upon a pretty comprehensive list of preludes. Highlighted here -> https://bitbucket.org/cse-assemblyline/alsvc_binja/src/31f03aec9afde2e9a610381ed8f1e6164a25e647/binja.py?at=master&fileviewer=file-view-default#binja.py-391

These could probably be used to create a zignature list for functions.

[radare]

many of those things are done, soeone should update the ticks