Failure to parse ComRAT-Orchestrator-ForDistribution.i64 #8

Open
Tracked by #15
emesare opened this issue Oct 5, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@emesare
Member

emesare commented Oct 5, 2024

ComRAT-Orchestrator-ForDistribution.i64.txt

thread 'test::parse_idbs' panicked at src/lib.rs:671:17:
til io error: failed to fill whole buffer

Stack backtrace:
   0: std::backtrace_rs::backtrace::libunwind::trace
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/std/src/../../backtrace/src/backtrace/libunwind.rs:104:5
   1: std::backtrace_rs::backtrace::trace_unsynchronized
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
   2: std::backtrace::Backtrace::create
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/std/src/backtrace.rs:331:13
   3: anyhow::error::<impl core::convert::From<E> for anyhow::Error>::from
             at /Users/emesare/.cargo/registry/src/index.crates.io-6f17d22bba15001f/anyhow-1.0.89/src/error.rs:564:25
   4: <core::result::Result<T,F> as core::ops::try_trait::FromResidual<core::result::Result<core::convert::Infallible,E>>>::from_residual
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/result.rs:1959:27
   5: idb_rs::til::TILMacro::read
             at ./src/til.rs:379:26
   6: idb_rs::til::section::TILSection::read_macros_normal::{{closure}}
             at ./src/til/section.rs:402:22
   7: core::iter::adapters::map::map_try_fold::{{closure}}
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/iter/adapters/map.rs:96:28
   8: core::iter::traits::iterator::Iterator::try_fold
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/iter/traits/iterator.rs:2462:21
   9: <core::iter::adapters::map::Map<I,F> as core::iter::traits::iterator::Iterator>::try_fold
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/iter/adapters/map.rs:122:9
  10: <core::iter::adapters::GenericShunt<I,R> as core::iter::traits::iterator::Iterator>::try_fold
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/iter/adapters/mod.rs:201:9
  11: core::iter::traits::iterator::Iterator::try_for_each
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/iter/traits/iterator.rs:2524:9
  12: <core::iter::adapters::GenericShunt<I,R> as core::iter::traits::iterator::Iterator>::next
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/iter/adapters/mod.rs:184:14
  13: alloc::vec::Vec<T,A>::extend_desugared
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/alloc/src/vec/mod.rs:2930:35
  14: <alloc::vec::Vec<T,A> as alloc::vec::spec_extend::SpecExtend<T,I>>::spec_extend
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/alloc/src/vec/spec_extend.rs:17:9
  15: <alloc::vec::Vec<T> as alloc::vec::spec_from_iter_nested::SpecFromIterNested<T,I>>::from_iter
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/alloc/src/vec/spec_from_iter_nested.rs:43:9
  16: <alloc::vec::Vec<T> as alloc::vec::spec_from_iter::SpecFromIter<T,I>>::from_iter
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/alloc/src/vec/spec_from_iter.rs:33:9
  17: <alloc::vec::Vec<T> as core::iter::traits::collect::FromIterator<T>>::from_iter
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/alloc/src/vec/mod.rs:2836:9
  18: core::iter::traits::iterator::Iterator::collect
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/iter/traits/iterator.rs:2054:9
  19: <core::result::Result<V,E> as core::iter::traits::collect::FromIterator<core::result::Result<A,E>>>::from_iter::{{closure}}
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/result.rs:1930:51
  20: core::iter::adapters::try_process
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/iter/adapters/mod.rs:170:17
  21: <core::result::Result<V,E> as core::iter::traits::collect::FromIterator<core::result::Result<A,E>>>::from_iter
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/result.rs:1930:9
  22: core::iter::traits::iterator::Iterator::collect
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/iter/traits/iterator.rs:2054:9
  23: idb_rs::til::section::TILSection::read_macros_normal
             at ./src/til/section.rs:401:25
  24: idb_rs::til::section::TILSection::read_macros
             at ./src/til/section.rs:394:13
  25: idb_rs::til::section::TILSection::read_inner::{{closure}}
             at ./src/til/section.rs:103:22
  26: core::bool::<impl bool>::then
             at /rustc/aedd173a2c086e558c2b66d3743b344f977621a7/library/core/src/bool.rs:60:24
  27: idb_rs::til::section::TILSection::read_inner
             at ./src/til/section.rs:100:22
  28: idb_rs::til::section::TILSection::read
             at ./src/til/section.rs:86:17
  29: idb_rs::IDBParser<I>::read_til_section::{{closure}}
             at ./src/lib.rs:75:34
  30: idb_rs::read_section
             at ./src/lib.rs:129:18
  31: idb_rs::IDBParser<I>::read_til_section
             at ./src/lib.rs:71:9
  32: idb_rs::test::parse_idbs
             at ./src/lib.rs:666:33
  33: idb_rs::test::parse_idbs::{{closure}}
             at ./src/lib.rs:603:20
@emesare emesare changed the title Fail to parse IDB file Failure to parse IDB file Oct 5, 2024
@emesare emesare changed the title Failure to parse IDB file Failure to parse ComRAT-Orchestrator-ForDistribution.i64 Oct 5, 2024
@emesare emesare added the bug Something isn't working label Oct 5, 2024
@rbran
Collaborator

rbran commented Oct 7, 2024

I could not reproduce this error; instead I get an invalid use of BT_UNK:

$ cargo run --bin idb-tools -- -i resources/idbs/ComRAT-Orchestrator-ForDistribution.i64 dump-til

Error: parsing `TILTypeInfo::tiinfo`

Caused by:
    forbidden use of BT_UNK

@rbran
Collaborator

rbran commented Oct 7, 2024

This error is caused by the existence of TIL ordinal aliases. It seems that before the first type in the TIL Sector, it will include some kind of ordinal -> ordinal mapping; it's unclear how to parse those types or why they exist.

My guess is that it verifies whether the flag value is too small; if so, it is an ordinal mapping, otherwise it parses it as a regular type.

@rbran
Collaborator

rbran commented Oct 7, 2024

Original problem was fixed on rbran@5957e9e

But now it's unable to parse the type: void __fastcall stringstream__basic_ios__sub_180007CF0_Destructor(basic_ios *__shifted(stringstream,0x94) a1);. Probably due to the type complexity.
