<img alt="preview" src="https://github.com/rikodot/binja_native_sigscan/blob/main/preview.gif" width="800">

Plugin now available in Binary Ninja's plugin manager (allows you to receive updates automatically)

<img alt="plugin" src="https://github.com/rikodot/binja_native_sigscan/blob/main/plugin.jpg" width="800">
Extra features:
- option to use a custom wildcard when dealing with NORM signatures (credit: @c0dycode)

If there has been an update to Binary Ninja and this plugin has not been updated yet, please open an issue to alert me.
Functional improvements against the Binary Ninja python sigmaker plugin:
- signature finding:
  - lightning fast
- signature creation example one:
  - instruction: `C7 44 24 34 00 00 00 00 mov dword [rsp+0x34 {var_54}], 0x0`
  - binja python sigmaker resolves to `C7 44 24 34 00 00 ? ?` (wrong)
  - ida c++ sigmaker resolves to `C7 44 24 ? ? ? ? ?` (correct)
  - to fix this, you must flip this condition, AKA first test 4 bytes and then 1 byte
- signature creation example two:
  - instruction: `C7 44 24 30 07 00 00 00 mov dword [rsp+0x30 {var_58}], 0x7`
  - binja python sigmaker resolves to `C7 44 24 30 ? ? ? ?` (wrong)
  - ida c++ sigmaker resolves to `C7 44 24 ? ? ? ? ?` (correct)
  - the problem lies in the way of seeking and reading, specifically any calculations with `br.offset` and reading using `br.read32()` or `br.read8()` around the same place as in the problem above; the c++ equivalent functions are `br.Seek(addr)` and `br.Read32()` or `br.Read8()`, so what I have done was change the way of reading bytes at specific values to reading from an absolute position in the binary using `bv->Read(dest, offset, len)`
- works with normal signatures (e.g. `49 28 15 ? ? 30`) and commonly used code signatures (e.g. `"\x49\x28\x15\x00\x00\x30", "xxx??x"`), so no matter what your use case might be, it should be ready to go
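As an added example (not code from the plugin or its author), the following Python parses both notations just described, converts between them with a configurable wildcard token, and returns every absolute offset at which a signature matches; the sample buffer is constructed for this illustration.

```python
# Added example, not code from the binja_native_sigscan plugin: parse both
# signature notations the README mentions, convert between them and scan a
# buffer. A pattern is a list of byte values; None stands for a wildcard byte.
from typing import List, Optional, Tuple

Pattern = List[Optional[int]]


def parse_norm(sig: str, wildcard: str = "?") -> Pattern:
    """'49 28 15 ? ? 30' -> [0x49, 0x28, 0x15, None, None, 0x30].
    The wildcard token is configurable (the plugin's custom-wildcard option)."""
    # accept the token on its own or doubled ('?' as well as '??')
    return [None if set(tok) <= set(wildcard) else int(tok, 16)
            for tok in sig.split()]


def parse_code(byte_str: str, mask: str) -> Pattern:
    """Code signature: C escaped byte string plus a mask, 'x' = fixed byte,
    anything else (usually '?') = wildcard."""
    raw = bytes.fromhex(byte_str.replace("\\x", ""))
    if len(raw) != len(mask):
        raise ValueError("mask length does not match the byte string")
    return [b if m == "x" else None for b, m in zip(raw, mask)]


def to_norm(pat: Pattern, wildcard: str = "?") -> str:
    return " ".join(wildcard if b is None else f"{b:02X}" for b in pat)


def to_code(pat: Pattern) -> Tuple[str, str]:
    byte_str = "".join("\\x00" if b is None else f"\\x{b:02X}" for b in pat)
    return byte_str, "".join("?" if b is None else "x" for b in pat)


def find_sig(data: bytes, pat: Pattern) -> List[int]:
    """Every offset at which the pattern matches; offsets are absolute
    positions in the buffer, which is how the native plugin reads the file."""
    return [off for off in range(len(data) - len(pat) + 1)
            if all(b is None or data[off + i] == b for i, b in enumerate(pat))]


# Constructed sample buffer: two occurrences of the README's example signature
# (different bytes under the wildcards) and a near miss that ends in 0x31.
SAMPLE = bytes.fromhex("9090 492815AABB30 CC 492815000030 492815000031")

if __name__ == "__main__":
    sig = parse_norm("49 28 15 ? ? 30")
    print("hits:", [hex(o) for o in find_sig(SAMPLE, sig)], "code form:", to_code(sig))
```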
Advantages against the IDA C++ sigmaker plugin:
- signature creation example one:
  - instruction: `83 7C 24 20 0F cmp dword [rsp+0x20 {var_68}], 0xf`
  - ida c++ sigmaker resolves to `83 7C 24 ? ?`
  - we resolve to `83 7C 24 20 0F` (better I suppose; binja api does this by default)
- signature creation example two:
  - instruction: `8B 54 24 24 mov edx, dword [rsp+0x24]`
  - ida c++ sigmaker resolves to `8B 54 24 24`
  - we resolve to `8B 54 24 ?` (better I suppose; binja api does this by default)
## Usage

RECOMMENDED: download the plugin directly from Binary Ninja's plugin manager in order to receive updates automatically.

- first copy the compiled plugin into the plugins folder (`%appdata%\Binary Ninja\plugins\` or `~/.binaryninja/plugins/`)
- note that you can use both normal signatures (e.g. `49 28 15 ? ? 30`) and code signatures (e.g. `"\x49\x28\x15\x00\x00\x30", "xxx??x"`)
- finding signatures:
  - right click into the main frame or use the topbar navigation `Plugins->Find <type> sig` and enter the signature
  - all hits will be written into the log bar along with their addresses; simply left click on a green highlighted address to follow it
- creating signatures:
  - select a piece of code within the main frame in `Linear` or `Graph` view
  - right click into the main frame or use the topbar navigation `Plugins->Create <type> sig from range`
  - the signature is written into the log bar (on windows it is also copied directly to the clipboard); if you want to copy a previously created signature, simply find it in the log bar, right click it and hit copy (or use the Ctrl+C shortcut) to avoid recreating it
## Build process

- get the git link to the currently installed version from `C:\Program Files\Vector35\BinaryNinja\api_REVISION.txt` (in my case, at the time of creating this repository, it is https://github.com/Vector35/binaryninja-api/tree/d2e0420679ad9cfc0a25ccf768cdfef7bb14c978)
- clone and build (change the hash in the `git reset` command)

  ```sh
  git clone https://github.com/Vector35/binaryninja-api --recurse-submodules
  cd binaryninja-api
  git reset --hard d2e0420679ad9cfc0a25ccf768cdfef7bb14c978
  cd examples
  git clone https://github.com/rikodot/binja_native_sigscan
  cd binja_native_sigscan
  cmake -S . -B build
  ```

- launch the newly generated Visual Studio .sln project located in `...\binaryninja-api\examples\binja_native_sigscan\build` and build the project, or use `cmake --build build -j8` instead
- to load the plugin, copy the compiled binary into the plugins folder
  - on windows: `copy ".\build\Release\sigscan.dll" "%appdata%\Binary Ninja\plugins\sigscan.dll"`
  - on linux: `cp ./build/out/bin/libsigscan.so ~/.binaryninja/plugins/libsigscan.so`
- you need to have the same Binary Ninja version installed as the API version you are compiling against
## Building using Github Actions

- based on sample_plugin_cpp
## Backstory

I have been using IDA for the majority of my reverse engineering career and recently decided to switch to Binary Ninja. I work with signatures on a daily basis and this plugin is a must for me. Although there already is a community plugin for the exact same purpose, it is frankly unusable for binaries over 50KB in size, as it is incredibly slow and on top of that contains two bugs causing creation of signatures with wrongly placed wild bytes, resulting in signatures not being compatible with different compilations of the same binary. I still want to note that the python version was a nice resource in the creation of this version.