VulFi – Plugin To IDA Pro Which Can Be Used To Assist During Bug Hunting In Binaries

The VulFi (Vulnerability Finder) tool is a plugin to IDA Pro which can be used to assist during bug hunting in binaries. Its main objective is to provide a single view with all cross-references to the most interesting functions (such as strcpy, sprintf, system, etc.). For cases where a Hexrays

In the right-click context menu within the VulFi view, you can also remove the item from the results or remove all items. Please note that any comments or status updates will be lost after performing this operation.

Investigation

Whenever you would like to inspect the detected instance of a possible

Custom Set of Rules

It is also possible to load a custom file with set of multiple rules. To create a custom rule file with the below structure you can use the included template file here.

[   // An array of rules
    {
        "name": "RULE NAME", // The name of the rule
        "alt_names":[
            "function_name_to_look_for" // List of all function names that should be matched against the conditions defined in this rule
        ],
        "wrappers":true,    // Look for wrappers of the above functions as well (note that the wrapped function has to also match the rule)
        "mark_if":{
            "High":"True",  // If evaluates to True, mark with priority High (see Rules below)
            "Medium":"False", // If evaluates to True, mark with priority Medium (see Rules below)
            "Low": "False" // If evaluates to True, mark with priority Low (see Rules below)
        }
    }
]

An example rule that looks for all cross-references to function malloc and checks whether its paramter is not constant and whether the return value of the function is checked is shown below:

{
    "name": "Possible Null Pointer Dereference",
    "alt_names":[
        "malloc",
        "_malloc",
        ".malloc"
    ],
    "wrappers":false,
    "mark_if":{
        "High":"not param[0].is_constant() and not function_call.return_value_checked()",
        "Medium":"False",
        "Low": "False"
    }
}

Rules

Available Variables

• param[<index>]: Used to access the parameter to a function call (index starts at 0)
• function_call: Used to access the function call event
• param_count: Holds the count of parameters that were passed to a function

Available Functions

• Is parameter a constant: param[<index>].is_constant()
• Get numeric value of parameter: param[<index>].number_value()
• Get string value of parameter: param[<index>].string_value()
• Is parameter set to null after the call: param[<index>].set_to_null_after_call()
• Is return value of a function checked: function_call.return_value_checked(<constant_to_check>)

Examples

• Mark all calls to a function where third parameter is > 5: param[2].number_value() > 5
• Mark all calls to a function where the second parameter contains “%s”: "%s" in param[1].string_value()
• Mark all calls to a function where the second parameter is not constant: not param[1].is_constant()
• Mark all calls to a function where the return value is validated against the value that is equal to the number of parameters: function_call.return_value_checked(param_count)
• Mark all calls to a function where the return value is validated against any value: function_call.return_value_checked()
• Mark all calls to a function where none of the parameters starting from the third are constants: all(not p.is_constant() for p in param[2:])
• Mark all calls to a function where any of the parameters are constant: any(p.is_constant() for p in param)
• Mark all calls to a function: True

Issues and Warnings

• When you request the parameter with index that is out of bounds any call to a function will be marked as Low priority. This is a way to avoid missing cross references where it was not possible to correctly get all parameters (this mainly applies to disassembly mode).
• When you search within the VulFi view and change context out of the view and come back, the view will not load. You can solve this either by terminating the search operation before switching the context, moving the VulFi view to the side-view so that it is always visible or by closing and re-opening the view (no data will be lost).
• Scans for more exotic architectures end with a lot of false positives.