
`msvcrt_windows-x86.sig` contains overly broad signatures

Open psifertex opened this issue 3 years ago • 2 comments

Found at least one egregious function signature in msvcrt_windows-x86.sig that will cause it to match any 32-bit x86 function with:

  • save frame pointer prologue
  • call of a function with a single 32-bit argument pushed to the stack
  • standard epilogue/return

Here's a screenshot of assembly from a simple hello world app that matches:

[Screenshot: 2023-01-09, 3:15:50 PM]

Here's the relevant section of the signature library:

[Screenshot: 2023-01-09, 3:12:10 PM]

We likely need to increase the minimum size function that signatures are attempted to match against and re-generate the libraries. (Because this particular signature contains an epilogue, it's likely possible to simply increase the minimum match size, but this may have other effects.)

psifertex avatar Jan 09 '23 20:01 psifertex
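As an added illustration of the problem described in this issue (not code from the Binary Ninja project or from sigkit, and not sigkit's real signature format): a simplified wildcard byte-pattern matcher shows that a constructed signature covering only "save frame pointer prologue, one push + call, standard epilogue" matches two unrelated 32-bit x86 functions of that shape, and how a minimum count of non-wildcard bytes would reject such a signature. The pattern and both function byte strings are constructed for this example.

```python
# Added example: simplified model of wildcard signature matching, used to show why a
# signature that only covers prologue + one push/call + epilogue is overly broad and
# how a minimum-information threshold filters it. Not sigkit's actual implementation.
from typing import List, Optional

Pattern = List[Optional[int]]  # None marks a wildcarded (masked) byte


def parse_pattern(text: str) -> Pattern:
    """Parse '55 8B ?? ...' text into bytes, with None for '??' wildcards."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def fixed_byte_count(pattern: Pattern) -> int:
    """Number of non-wildcard bytes: the information the signature actually carries."""
    return sum(1 for b in pattern if b is not None)


def match_function(pattern: Pattern, code: bytes) -> bool:
    """A signature matches a function if every fixed byte agrees at the function start."""
    if len(pattern) > len(code):
        return False
    return all(b is None or b == code[i] for i, b in enumerate(pattern))


def is_too_broad(pattern: Pattern, min_fixed_bytes: int) -> bool:
    """Reject signatures that carry fewer fixed bytes than the chosen minimum."""
    return fixed_byte_count(pattern) < min_fixed_bytes


# Hypothetical over-broad signature (constructed):
#   push ebp; mov ebp, esp; push imm32; call rel32; add esp, 4; pop ebp; ret
# The pushed immediate and the call target are wildcarded, as relocated values would be.
BROAD_SIG = parse_pattern("55 8B EC 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04 5D C3")

# Constructed "hello world" main: push string pointer; call a print routine; return.
HELLO_MAIN = bytes.fromhex("558BEC68" "00204000" "E8" "10000000" "83C4045DC3")
# Constructed unrelated function with the same shape but a different constant and target.
OTHER_FUNC = bytes.fromhex("558BEC68" "2A000000" "E8" "F0FFFFFF" "83C4045DC3")


def demo() -> dict:
    """Both unrelated functions match; a 16-fixed-byte minimum would reject the signature."""
    return {
        "hello_matches": match_function(BROAD_SIG, HELLO_MAIN),
        "other_matches": match_function(BROAD_SIG, OTHER_FUNC),
        "fixed_bytes": fixed_byte_count(BROAD_SIG),
        "rejected_at_min_16": is_too_broad(BROAD_SIG, 16),
    }
```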

I also experienced a couple of cases where this particular signature file was being over-aggressive.

ccarpenter04 avatar Feb 07 '23 00:02 ccarpenter04

Also happens frequently with msvcrt_windows-x86_64.sig. https://dogbolt.org/?id=1701d225-02d4-4210-8f99-9d230c9e0418#Hex-Rays=185&BinaryNinja=54

In this case, because of the similarities between C++ vfuncs and constructors, they often will match against each other.

emesare avatar Apr 01 '23 00:04 emesare

Closing this as we have enabled WARP by default (as of dev 5.1.7824); users are free to disable sigkit.

Re-open if you see Concurrency::* functions start getting added to the view.

emesare avatar Jul 16 '25 15:07 emesare