# This script locates uses, within the current program, of functions that are
# on the Microsoft "banned functions list" (banned.h) and prints where each is referenced
#@author Jaime Geiger
#@category Vulnerability Research
#@keybinding Ctrl-Shift-Alt-B
#@menupath Tools.Plugins.Banned Functions
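# Functions listed in Microsoft's banned.h. The order is kept as-is so the
# per-reference output below is emitted in the same order as before.
banned = [
    # unbounded copy
    "strcpy", "strcpyA", "strcpyW", "wcscpy", "_tcscpy", "_mbscpy", "StrCpy", "StrCpyA", "StrCpyW",
    "lstrcpy", "lstrcpyA", "lstrcpyW", "_tccpy", "_mbccpy", "_ftcscpy",
    # unbounded concatenation
    "strcat", "strcatA", "strcatW", "wcscat", "_tcscat", "_mbscat", "StrCat", "StrCatA", "StrCatW",
    "lstrcat", "lstrcatA", "lstrcatW", "StrCatBuff", "StrCatBuffA", "StrCatBuffW", "StrCatChainW",
    "_tccat", "_mbccat", "_ftcscat",
    # unbounded vsprintf family
    "wvsprintf", "wvsprintfA", "wvsprintfW", "vsprintf", "_vstprintf", "vswprintf",
    # "n" copy variants
    "strncpy", "wcsncpy", "_tcsncpy", "_mbsncpy", "_mbsnbcpy", "StrCpyN", "StrCpyNA", "StrCpyNW",
    "StrNCpy", "strcpynA", "StrNCpyA", "StrNCpyW", "lstrcpyn", "lstrcpynA", "lstrcpynW",
    # "n" concatenation variants
    "strncat", "wcsncat", "_tcsncat", "_mbsncat", "_mbsnbcat", "StrCatN", "StrCatNA", "StrCatNW",
    "StrNCat", "StrNCatA", "StrNCatW", "lstrncat", "lstrcatnA", "lstrcatnW", "lstrcatn",
    # IsBad* pointer probes
    "IsBadWritePtr", "IsBadHugeWritePtr", "IsBadReadPtr", "IsBadHugeReadPtr", "IsBadCodePtr",
    "IsBadStringPtr",
    # gets family
    "gets", "_getts", "_gettws",
    # memory copy
    "RtlCopyMemory", "CopyMemory",
    # sprintf / snprintf family
    "wnsprintf", "wnsprintfA", "wnsprintfW", "sprintfW", "sprintfA", "wsprintf", "wsprintfW",
    "wsprintfA", "sprintf", "swprintf", "_stprintf", "_snwprintf", "_snprintf", "_sntprintf",
    "_vsnprintf", "vsnprintf", "_vsnwprintf", "_vsntprintf", "wvnsprintf", "wvnsprintfA",
    "wvnsprintfW",
    # tokenizing
    "strtok", "_tcstok", "wcstok", "_mbstok",
    # path construction
    "makepath", "_tmakepath", "_makepath", "_wmakepath", "_splitpath", "_tsplitpath", "_wsplitpath",
    # scanf family
    "scanf", "wscanf", "_tscanf", "sscanf", "swscanf", "_stscanf", "snscanf", "snwscanf", "_sntscanf",
    # numeric conversion
    "_itoa", "_itow", "_i64toa", "_i64tow", "_ui64toa", "_ui64tot", "_ui64tow", "_ultoa", "_ultot",
    "_ultow",
    # OEM conversion
    "CharToOem", "CharToOemA", "CharToOemW", "OemToChar", "OemToCharA", "OemToCharW",
    "CharToOemBuffA", "CharToOemBuffW",
    # stack allocation
    "alloca", "_alloca",
    # length
    "strlen", "wcslen", "_mbslen", "_mbstrlen", "StrLen", "lstrlen",
    # window message filter
    "ChangeWindowMessageFilter",
    # shlwapi path helpers
    "PathAddBackslash", "PathAddBackslashA", "PathAddBackslashW", "PathAddExtension",
    "PathAddExtensionA", "PathAddExtensionW", "PathAppend", "PathAppendA", "PathAppendW",
    "PathCanonicalize", "PathCanonicalizeA", "PathCanonicalizeW", "PathCombine", "PathCombineA",
    "PathCombineW", "PathRenameExtension", "PathRenameExtensionA", "PathRenameExtensionW",
]

# currentProgram is injected by the Ghidra script environment
symtable = currentProgram.getSymbolTable()
funcmgr = currentProgram.getFunctionManager()

# banned function name -> number of references to it, only for names actually used
in_app = {}
for bf in banned:
    # NOTE(review): getExternalSymbol() matches imported (external) symbols only,
    # so a statically linked copy of a banned function carried inside the binary
    # itself is not reported here -- confirm against symtable.getSymbols(bf)
    # if that case matters for the program being reviewed.
    bannedsym = symtable.getExternalSymbol(bf)
    if not bannedsym:
        # nothing imported by that name
        continue
    # fetch the count once instead of once per test and once for the summary
    refcount = bannedsym.getReferenceCount()
    if refcount == 0:
        # imported but never referenced
        continue
    in_app[bf] = refcount
    for ref in bannedsym.getReferences():
        from_addr = ref.getFromAddress()
        # the referencing location may lie outside any function Ghidra has defined
        func = funcmgr.getFunctionContaining(from_addr)
        fname = func.getName() if func else "<NO NAME>"
        print("{} used at 0x{:x} in {}".format(bf, from_addr.getUnsignedOffset(), fname))

print("\n\nSummary")
print("=" * 30)
print("Found references to {} banned functions".format(len(in_app)))
# Most-referenced first, ties broken by name, so the summary is deterministic
# (plain dict iteration order is arbitrary under the Python 2 interpreter Ghidra uses).
for k, v in sorted(in_app.items(), key=lambda kv: (-kv[1], kv[0])):
    print("{} called {} times".format(k, v))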