I've found a few examples where SMDA analysis fails, both for the same reason. Looking into the issue, it seems to be in the `dereferenceQword` method inside `DisassemblyResult.py`. It seems like, in some cases, the `rel_start_addr` may be too close to the end of the binary buffer. Toy example: binary is 100 bytes, `rel_start_addr` is index 94 in the binary buffer, and `rel_end_addr` in this case is 102. In this case `binary[rel_start_addr:rel_end_addr]` will just return the last 6 bytes of that binary, resulting in an error since `struct.unpack("Q", ...)` expects it to be 8 bytes.
```
An error occurred while disassembling file.
0.085s -> Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/smda/Disassembler.py", line 57, in disassembleFile
    smda_report = self._disassemble(binary_info, timeout=self.config.TIMEOUT)
  File "/usr/local/lib/python3.8/dist-packages/smda/Disassembler.py", line 109, in _disassemble
    self.disassembly = self.disassembler.analyzeBuffer(binary_info, self._callbackAnalysisTimeout)
  File "/usr/local/lib/python3.8/dist-packages/smda/intel/IntelDisassembler.py", line 450, in analyzeBuffer
    state = self.analyzeFunction(candidate.addr)
  File "/usr/local/lib/python3.8/dist-packages/smda/intel/IntelDisassembler.py", line 331, in analyzeFunction
    self._analyzeCallInstruction(i, state)
  File "/usr/local/lib/python3.8/dist-packages/smda/intel/IntelDisassembler.py", line 168, in _analyzeCallInstruction
    dereferenced = self.disassembly.dereferenceQword(call_destination)
  File "/usr/local/lib/python3.8/dist-packages/smda/DisassemblyResult.py", line 154, in dereferenceQword
    return struct.unpack("Q", extracted_qword)[0]
struct.error: unpack requires a buffer of 8 bytes
```
Not sure if it has any connection to the issue, but both files seem to be dotnet drivers, so I tried some other similar files and they seemed to be OK. Not sure if this file type has anything to do with this or whether they're both that just by chance.

In any case, maybe some guard checks regarding size should be implemented? This seems to be a potential issue also in similar methods like `dereferenceDword`, so it may be good to look at them too.
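To make the failure mode and the suggested guard concrete, here is an added example that is not SMDA's code: a minimal stand-in class (`ToyDisassemblyResult`, a hypothetical name) with a bounds-checked dereference shared by a `dereferenceQword` and a `dereferenceDword` method, plus the unguarded slice-and-unpack pattern from the report for comparison. The 100-byte buffer, the base address and the use of explicit little-endian format strings (`<Q`, `<I`) are constructed assumptions for the demo; SMDA's real method and how it maps addresses to buffer offsets may differ.

```python
import struct

# Constructed toy buffer: 100 bytes standing in for a mapped binary,
# matching the toy example in the report. The base address is an assumption.
BINARY = bytes(range(100))
BASE_ADDR = 0x400000


class ToyDisassemblyResult:
    """Hypothetical stand-in for the dereference helpers of DisassemblyResult."""

    def __init__(self, binary, base_addr):
        self.binary = binary
        self.base_addr = base_addr

    def _dereference(self, addr, fmt):
        """Read one struct value at addr, or return None if it would run past
        the buffer. A Python slice silently truncates at the end of the buffer,
        so the guard must compare rel_end against len(self.binary) rather than
        relying on the slice itself."""
        size = struct.calcsize(fmt)
        rel_start = addr - self.base_addr
        rel_end = rel_start + size
        if rel_start < 0 or rel_end > len(self.binary):
            return None
        return struct.unpack(fmt, self.binary[rel_start:rel_end])[0]

    def dereferenceQword(self, addr):
        return self._dereference(addr, "<Q")

    def dereferenceDword(self, addr):
        return self._dereference(addr, "<I")


def unguarded_qword_raises(binary, rel_start):
    """Reproduce the reported behaviour: slice, then unpack without a length
    check. Returns True if struct.error is raised (short buffer), else False."""
    try:
        struct.unpack("<Q", binary[rel_start:rel_start + 8])
        return False
    except struct.error:
        return True


if __name__ == "__main__":
    result = ToyDisassemblyResult(BINARY, BASE_ADDR)
    # Offset 94 + 8 bytes = 102 > 100: the unguarded version raises,
    # the guarded version returns None instead of crashing the analysis.
    print("unguarded raises at offset 94:", unguarded_qword_raises(BINARY, 94))
    print("guarded qword at offset 94:", result.dereferenceQword(BASE_ADDR + 94))
    print("guarded qword at offset 92:", hex(result.dereferenceQword(BASE_ADDR + 92)))
    print("guarded dword at offset 97:", result.dereferenceDword(BASE_ADDR + 97))
```

The caller in `_analyzeCallInstruction` would then need to treat a `None` result as "no dereferenceable target" rather than as a valid address, which is the same handling a read outside the mapped image should get anyway.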