
Removing a memory region does not delete/hide analysis artifacts (datavars, functions, etc.) in that region

Open negasora opened this issue 1 year ago • 3 comments

Repro steps:

  1. Open a.txt
  2. Add a memory region: bv.memory_map.add_memory_region("a", 0xdeadbeef, b'A'*0x8)
  3. Rename the variable a in main
  4. Notice bv.data_vars now includes 3735928559: <var 0xdeadbeef: void>
  5. Remove the memory region: bv.memory_map.remove_memory_region("a")
  6. Notice that bv.data_vars still includes 3735928559: <var 0xdeadbeef: void>

negasora, Sep 12 '24 17:09

I think this is also true with functions, or any other analysis artifacts related to the newly added memory region

xusheng6, Sep 12 '24 17:09

I can see the desire for this in the UI, but having the remove_memory_region API do that seems a little heavy-handed, as you should just be able to remove the data vars and functions in that region with the API easily as well.

plafosse, Sep 24 '24 14:09

I believe I've been affected by this issue. I'm using the debugger with a Windows binary. When I'm debugging, I define some structures in memory (heap, stack) for the analysis. After doing this several times, I started noticing that my decompilation started getting trashed by "random" symbols defined in the middle of the code.

What I think is happening is that the data variable defined on the heap survives between runs, and then when I'm unlucky the .text is rebased to overlap when the ASLR places the binary over an address which was heap/stack in some previous run.

I haven't kept track of all the addresses so I'm not 100% sure this is what's happening but it seems consistent with the description in this bug.

ZetaTwo, Sep 30 '24 21:09
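The manual cleanup suggested in the thread, and the stale heap/stack data variables described in the last comment, as an added example that is not part of the thread or the project's own code. `purge_range`, `StubView` and `StubFunc` are hypothetical names; the stub is a constructed stand-in for a BinaryView so the logic runs without Binary Ninja, and in a live session you would pass the real `bv`.

```python
# Added example: sweep analysis artifacts out of an address range, e.g. right
# after bv.memory_map.remove_memory_region(). Assumes bv.data_vars maps
# address -> variable, as the repro output in the issue shows.

def purge_range(bv, start, length):
    """Undefine data vars and remove functions that start in [start, start+length)."""
    end = start + length
    # Snapshot first: undefining while iterating would mutate the collections.
    var_addrs = [a for a in list(bv.data_vars) if start <= a < end]
    funcs = [f for f in list(bv.functions) if start <= f.start < end]
    for addr in var_addrs:
        bv.undefine_user_data_var(addr)
    for func in funcs:
        bv.remove_user_function(func)
    # Limitation: a variable that starts before `start` but extends into the
    # range is not caught by this start-address check.
    return var_addrs, [f.start for f in funcs]


class StubFunc:
    """Constructed stand-in for a function object; only .start is used."""
    def __init__(self, start):
        self.start = start


class StubView:
    """Constructed stand-in exposing only the BinaryView members used above."""
    def __init__(self, var_addrs, func_starts):
        self.data_vars = {a: "<var>" for a in var_addrs}
        self.functions = [StubFunc(s) for s in func_starts]

    def undefine_user_data_var(self, addr):
        self.data_vars.pop(addr, None)

    def remove_user_function(self, func):
        self.functions.remove(func)


def demo():
    # Region from the repro steps: 8 bytes at 0xdeadbeef. All other addresses
    # are constructed sample values; 0xdeadbef7 is the first byte past the region.
    bv = StubView([0x401000, 0xdeadbeef, 0xdeadbef3, 0xdeadbef7],
                  [0x401100, 0xdeadbeef])
    removed = purge_range(bv, 0xdeadbeef, 0x8)
    return removed, sorted(bv.data_vars), [f.start for f in bv.functions]


if __name__ == "__main__":
    print(demo())
```

Artifacts created by auto-analysis rather than by the user have non-user counterparts in the API (`undefine_data_var`, `remove_function`).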