Lifting int 0x2e to LLIL_SYSCALL with Binary Ninja

Windows (at times) uses the int 0x2e instruction to execute syscalls. The following image shows a disassembly of the ZwAccessCheck syscall from ntdll.dll: Binary Ninja (as of Version 2.4.3050-dev) is not able to lift the int 0x2e instruction. The int 0x2e branch in ZwAccessCheck i…

Parsing Windows Syscall Numbers with Binary Ninja

Binary Ninja is a great platform for automating some reverse engineering tasks, especially with the headless mode available for commercial licenses. In this post, we will use Binary Ninja to automate extracting Windows syscall numbers from ntdll.dll. binaryninja.open_view is a co…

Binary Ninja Rust Hello World

Binary Ninja has experimental support for writing plugins in Rust and the provided template is a good starting point for figuring out how to write one. This post will cover some (hopefully useful) getting started tips. A sample plugin can be found on GitHub. rust-toolchain.toml …

ProLink PRC2402M V1.0.18 Multiple Vulnerabilities

All vulnerabilities mentioned in this post were tested against firmware version V1.0.18; older versions might be affected as well. Affected devices should be updated to V1.0.23 to resolve the issues. Proof-of-concept exploits for all vulnerabilities can be found here: https://git…

Generating Binary Ninja Dash Docset

The default method to generate Dash docsets for Binary Ninja does not work with a personal license as it requires the ability to run Binary Ninja in headless mode, a capability only available with the commercial license. Luckily, Binary Ninja ships the API documentation as HTML f…