Thunk assertion fail on Go sample (ELF 64-bit LSB shared object, ARM aarch64) #2524

Closed
mr-tz opened this issue Dec 4, 2024 · 1 comment · Fixed by #2526
Labels
binexport related to BinExport support bug Something isn't working

Comments

@mr-tz
Collaborator

mr-tz commented Dec 4, 2024

For https://www.virustotal.com/gui/file/50f107898c6472a1155354f74b039ce951243cdb9714ef881a917d69b8a71ee0/ and associated BinExport file (available on request).

Traceback (most recent call last):
  File "/usr/local/google/home/moritzraabe/code/capa/.venv/bin/capa", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/local/google/home/moritzraabe/code/capa/capa/main.py", line 990, in main
    extractor = get_extractor_from_cli(args, input_format, backend)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/google/home/moritzraabe/code/capa/capa/main.py", line 837, in get_extractor_from_cli
    extractor = capa.loader.get_extractor(
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/google/home/moritzraabe/code/capa/capa/loader.py", line 316, in get_extractor
    return capa.features.extractors.binexport2.extractor.BinExport2FeatureExtractor(be2, buf)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/google/home/moritzraabe/code/capa/capa/features/extractors/binexport2/extractor.py", line 47, in __init__
    self.analysis: BinExport2Analysis = BinExport2Analysis(self.be2, self.idx, self.buf)
                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/google/home/moritzraabe/code/capa/capa/features/extractors/binexport2/__init__.py", line 259, in __init__
    self._compute_thunks()
  File "/usr/local/google/home/moritzraabe/code/capa/capa/features/extractors/binexport2/__init__.py", line 287, in _compute_thunks
    assert len(thunk_callees) == 1, f"thunk @ {hex(addr)} failed"
           ^^^^^^^^^^^^^^^^^^^^^^^
AssertionError: thunk @ 0x42d8c0 failed

From what I see right now, there's a thunk function identified at VA 0x42d8c0 but this appears to be a regular function so our assertion fails.

Easiest fix: remove the assertion, then the file processes.

I'm afraid a deeper analysis could take some time and could require updates to Ghidra and/or BinExport.

@mr-tz mr-tz added bug Something isn't working binexport related to BinExport support labels Dec 4, 2024
@williballenthin
Collaborator

i've also had a little trouble with this assertion, especially when analysis backends don't exactly agree on what a thunk is. i'll take a peek at the BinExport if you'll send it to me.
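
Added example, not part of the thread and not capa's own code: one way to tolerate a backend flagging a regular function as a thunk, by skipping such entries with a warning instead of asserting on the callee count. The function name `compute_thunks`, its inputs, and every sample address except 0x42d8c0 are assumptions; the callee list shown for 0x42d8c0 is constructed.

```python
import logging
from typing import Dict, List, Set, Tuple

logger = logging.getLogger("thunk_example")


def compute_thunks(
    flagged: Set[int], callees: Dict[int, List[int]], max_depth: int = 8
) -> Tuple[Dict[int, int], List[int]]:
    """Resolve thunks to their final targets without asserting.

    flagged: addresses the analysis backend marked as thunks (may be wrong).
    callees: call graph, address -> callee addresses.
    Returns (thunk -> final target, flagged addresses that were not used).
    """
    direct: Dict[int, int] = {}
    rejected: List[int] = []
    for addr in sorted(flagged):
        out = callees.get(addr, [])
        if len(out) == 1:
            direct[addr] = out[0]
        else:
            # A thunk forwards to exactly one callee; anything else is
            # treated as a regular function rather than a fatal error.
            logger.warning("thunk @ %s has %d callees, skipping", hex(addr), len(out))
            rejected.append(addr)

    resolved: Dict[int, int] = {}
    for addr, target in direct.items():
        seen = {addr}
        # Follow thunk-to-thunk chains, bounded and cycle-safe.
        while target in direct and target not in seen and len(seen) < max_depth:
            seen.add(target)
            target = direct[target]
        if target in direct:  # stopped on a cycle or an over-long chain
            logger.warning("thunk chain from %s did not terminate", hex(addr))
            rejected.append(addr)
        else:
            resolved[addr] = target
    return resolved, sorted(rejected)


# Constructed call graph (only the address 0x42d8c0 comes from the report).
SAMPLE_FLAGGED = {0x1000, 0x1010, 0x2000, 0x2010, 0x42D8C0}
SAMPLE_CALLEES = {
    0x1000: [0x1010],            # thunk -> thunk
    0x1010: [0x5000],            # thunk -> real function
    0x2000: [0x2010],            # two thunks pointing at each other
    0x2010: [0x2000],
    0x42D8C0: [0x5000, 0x6000],  # flagged as thunk, behaves like a function
}
```
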
