Initial release

Author: stephen-f0

.gitignore

@@ -0,0 +1,2 @@
+.vscode/
+*$py.class

README.md

@@ -0,0 +1,140 @@
+<p align="center">
+  <img src="images/logo.png" alt="stack string explorer logo" height=200/>
+</p>
+
+# Stack String Explorer
+Stack String Explorer is a ghidra plugin to find and report stack strings (and other constant strings)
+
+- Adds identified strings in the defined strings window for easy search and filtering
+- Inserts comments above stack strings in listing & decompilation views
+- Reconstructs strings formed by multiple instructions
+- Analysis scope options (single function, selection, full binary)
+- Headless analyser support
+- Find repeated use of similar strings across the code base
+
+![Stack Strings Demo](images/StackStringsToolInUse.gif)
+
+Through optimizations or deliberate obfuscation, sometimes strings are stored as immediates in instruction operands rather than helpful heap locations. Tools like ghidra display these as hex constants and make no effort to reconstruct or decode them. Stack String Explorer searches a binary for any such constant strings and displays them such that they can be grouped and filtered.
+
+## ⬇️ Installation
+- Install Ghidra https://github.com/NationalSecurityAgency/ghidra/
+- Clone this repo
+- Add the `ghidra_scripts` directory as an addition Ghdira scripts directory. To do this:
+  * Open `Window -> Script Manager` <img src=images/ScriptManagerIcon.png alt="Script Manger Icon" height=25> and click `Manage Script Directories` <img src=images/ManageScriptDirectories.png alt="Manage Script Directories Icon" height=25>
+  * Click the plus button and add the path to this repo's `ghidra_scripts` directory.
+
+## ▶️ Usage
+#### GUI:
+- Open a binary in ghidra and navigate to `Window -> Script Manager` <img src=images/ScriptManagerIcon.png alt="Script Manager Icon" height=25>
+- Search for `StackStringExplorer.py` and double click the name to run
+- Refresh the Defined Strings window <img src="images/refresh.png" alt="Refresh Icon" height=25> or check the console to see new strings
+
+<img src=images/ScriptManager.png alt="Script Manger">
+
+#### Headless:
+- Set up `StackStringExplorer.properties` (see below)
+- Run the command: `$ analyzeHeadless <PROJECT_PATH> <PROJECT_NAME> -import <TARGET_FILENAME> -postScript StackStringExplorer.py`
+
+## ⚙️ Settings
+#### GUI:
+Click through the popups on program start. A default configuration is provided. Below is a full explanation of each setting should you need to diverge from the defaults.
+
+#### Headless:
+Download the `StackStringExplorer.properties` file and place in the same location as `StackStringExplorer.py`. Write your configuration choice after the `=` on each line. Lines that start with `#` or `!` are ignored. Domain selection is not available in headless mode, it will always run on all functions.
+
+---
+### 👟 Domain
+Which part of the program to analyze
+
+| Option            | Description                                                                   |
+|-------------------|-------------------------------------------------------------------------------|
+| Current Selection | Run on all discovered instructions in the selected region                     |
+| Current Function  | Run on all discovered instructions in the function the cursor is currently in |
+| All Functions     | Run on all discovered functions                                               |
+
+---
+### 🔧 General Settings
+| Settings                   | Description                                                                                                                                                                                                                                                                                    |
+|----------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Minimum String Length      | The shortest length of string to identify. Use to reduce false positives.                                                                                                                                                                                                                      |
+| Lookahead                  | The number of instructions to search after an instruction containing a string for more components of the same string. If the lookahead is too small, strings may be reported as multiple sub strings. If the lookahead is too large, unrelated string components may be concatenated together. |
+| Minimum Length of Interest | The minimum number of characters moved in a single instruction for it to be considered of interest e.g. if a string is moved in 3 byte blocks it will be discarded with a length of interest greater than 3.                                                                                   |
+| Reverse                    | Whether to reverse the order in which string components are concatenated.                                                                                                                                                                                                                      |
+
+---
+### 📊 Analysis
+Which analysis techniques to run
+
+| Option            | Description                                                                                                                 |
+|-------------------|-----------------------------------------------------------------------------------------------------------------------------|
+| Simple Scrape     | Grabs all scalar arguments to instructions in the order they are used, concatenating nearby constants.                       |
+| Simulate Regional | Simulates regions of instructions around instructions of interest independently, then extracts strings from modified memory. |
+| Simulate All      | Simulates all the instructions in the domain then extracts strings from modified memory.                                     |
+
+
+---
+### 📮 Address Filtering
+How strictly to filter out strings which might be addresses
+
+| Option | Description                                                                                                                                  |
+|--------|----------------------------------------------------------------------------------------------------------------------------------------------|
+| None   | Don't filter out any strings based on how much they resemble an address.                                                                      |
+| Some   | Filter out constants that are within 255 bytes of the address of the originating instruction. This generally removes return addresses.        |
+| All    | Filter out any constants marked as addresses by their OperandType. If an operand has been incorrectly flagged, this may remove valid strings. |
+
+---
+### 📝 Output
+How to display the results
+
+| Option                 | Description                                                                                                                                                                                                                        |
+|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Print to console       | Stack strings will be printed to the console with their length and the location of the originating instruction.                                                                                                                    |
+| Add pre-comment        | Adds a comment above each originating instruction with the extracted string. If the string spans multiple instructions only the first will be commented.                                                                           |
+| Add to defined strings | Adds strings to the defined strings window. This is implemented by adding strings to a memory overlay block and adding cross reference to the originating instruction. **This requires an exclusive checkout for shared projects** |
+
+The Defined Strings window must be refreshed <img src="images/refresh.png" alt="Refresh Icon" height=25> for the stack strings to appear.
+
+Strings that have already been added to defined strings by a previous run of this program will not be reported again in the console and will not be added to defined strings twice. The comment will be replaced regardless of previous script executions.
+
+## 📐 Support and Limitations
+Stack String Explorer operates on Pcode and can support any architecture Ghidra supports. It relies on Ghidra's identification of functions and instructions.
+
+
+#### Simple Scrape
+Finds any constants used in any form so will find every string regardless of how it is built.
+If the string is accessed out of order, it may reorder parts of a string or concatenate unrelated strings.
+
+#### Simulate Regional
+Simulates where each string is stored in memory so it is able to order string components correctly and separate strings stored in different locations. It supports strings formed using move or store-like instructions, as well as inferring strings from compare-like instructions.
+
+Simulate Regional is the best option for the majority of applications, however it may miss some context before an instruction of interest and fail to notice strings components are related
+
+#### Simulate All
+Operates in the same manner as Simulate Regional and is able to identify the correct component order.
+When run on large section, e.g. All Functions or Current Function, it can encounter ambiguity if multiple strings are stored in the same location during the simulated range. This leads to components being reported individually and concatenation of unrelated components.
+
+Simulate All is best used in specific areas to manually increase the range of the simulation where Simulate Regional has missed some context, particularly if there is relevant context in the instructions preceding the instruction containing the scalar string.
+
+### General Limitations
+- If the same string is found in multiple places it will be added only once to the defined strings window with multiple cross references to the different locations. However, if the same string is found in a new location on a separate run of the program, it will be added separately and not included in the same list of cross references.
+
+## 🧶 Examples
+
+Identifies strings moved over multiple instructions
+![Moved over multiple instructions example](images/MovedOverMultipleInstructionsExample.png)
+
+Identifies strings moved to locations other than the stack
+![Moved to non-stack location example](images/NonStackExample.png)
+
+## 📁 File structure
+- `ghidra_scripts`
+  - `StackStringExplorer.py` - contains the main loader for this script. It gets the parameters, sets up analysis techniques, and runs the analysis. It relies heavily on the scripts in `stackstring_helper_scripts`
+
+- `stackstring_helper_scripts`
+  - `technique.py` - contains an abstract class describing a generic analysis technique
+  - `regional_technique` - contains an abstract class describing an analysis technique that runs only - instructions around ones likely to contain a string
+  - `simulator.py`, `scraper.py`, `region_simulator` - contain classes for each of the analysis   - techniques
+  - `abstract_address.py`, `stack_string.py` - contain classes used by the simulator to represent   - values stored in memory
+  - `parameters.py` - contains a class for describing the input configuration of the program
+  - `general_utilities`, `specific_utilities`, `io_utilities` - contain functions used across other files
+  - `stack_strings_enums` - contains enums used across other files

ghidra_scripts/StackStringExplorer.properties

@@ -0,0 +1,47 @@
+# Apply configuration for Headless mode
+
+# Simple Scrape - grabs all constants in the order they are used
+# Simulate Regional - simulates a region of code around an instruction of interest
+# then extracts strings from modified memory
+# Simulate All - simulates all the instructions then extracts strings from modified memory
+# 
+# Simple scrape is brute force and reliable, but fails if strings are not created
+# in order. It can also concatenate unrelated strings.
+# 
+# Simulate regional is the most nuanced and accurate technique, but only simulates forward from a
+# seen string so may miss some context.
+# 
+# Simulate all is brute force and unreliable. It often misses strings if they are created
+# using the same registers and has too much ambiguity to stitch together the correct string.
+# This mode should be used on specific selections when a look-behind is desired and simulate
+# regional is insufficient.
+# In the majority of cases, Simple Scrape or Simulate Regional are superior to Simulate All.
+
+# Select True/False for whether to run each analysis technique
+Analysis Enable Simple Scrape = False
+Analysis Enable Simulate Regions = True
+Analysis Enable Simulate All = False
+
+# Select the minimum length of string to report
+Config Minimum String Length (discard shorter strings) = 3
+# Select the number of instructions to look ahead from an instruction of interest for
+# further instructions building the same string.
+# The larger the lookahead the more likely unrelated strings are to interfere with each other
+# The smaller the lookahead the more likely related string components are to be reported seperately
+Config Lookahead (no. instructions between string components) = 3
+# Select the minimum number of characters accessed by a single instruction to make it
+# an instruction of interest
+Config Minimum length of interest (discard strings moved in smaller blocks) = 2
+# Select True/False for whether the string components should be built into one long string
+# in the opposite order to how they are stored on memory
+Config Reverse the order of string components? = False
+# Select level of filtering for strings that may actually be addresses
+# none - Don't filter out any addresses
+# some - Filter out some addresses based on file location
+# all - Aggressively filter addresses based on OperandType
+Config Address Filtering: = all
+
+# Select True/False for whether to output the results in each way
+Output Print to console = True
+Output Add pre-comment = False
+Output Add to defined strings (Requires Exclusive Checkout) = False

ghidra_scripts/StackStringExplorer.py

@@ -0,0 +1,184 @@
+"""
+Finds stack strings and displays according to user preferences
+"""
+
+# Finds stack strings and adds to defined strings
+# @author
+# @category Strings
+
+import os
+import sys
+
+# Add . to the system path to allow importing library code
+sys.path.insert(
+    0,
+    os.path.join(
+        os.path.dirname(os.path.dirname(os.path.abspath(__file__))),
+        "stackstring_helper_scripts",
+    ),
+)
+# pylint: disable=wrong-import-position
+from technique import Technique
+from simulator import Simulator
+from region_simulator import RegionSimulator
+from scraper import Scraper
+from stack_strings_enums import (
+    AnalysisTechnique,
+    Domain,
+)
+from specific_utilities import check_parameters
+from parameters import Parameters
+from io_utilities import (
+    display,
+    get_preferences_gui,
+    get_preferences_headless,
+)
+
+try:
+    # Typing information for VSCode - Ghidra will not load this section
+    # Requires ghidra_stubs from https://github.com/VDOO-Connected-Trust/ghidra-pyi-generator
+    import typing
+
+    if typing.TYPE_CHECKING:
+        from typing import List
+        from ghidra.ghidra_builtins import (
+            currentProgram,
+            currentSelection,
+            currentAddress,
+            monitor,
+            getFunctionContaining,
+            getInstructionAt,
+            isRunningHeadless,
+        )
+
+        # pylint: disable=pointless-statement
+        currentProgram, currentSelection, currentAddress, monitor
+        getFunctionContaining, getInstructionAt, isRunningHeadless,
+# pylint: disable=bare-except
+except:
+    pass
+
+
+def stack_strings(params):
+    # type: (Parameters) -> None
+    """
+    Detects stack strings within a program
+
+    :param params: A Parameters object encapsulating the inputs for the program
+    """
+
+    # identified strings
+    strings = []
+    simple_scrape = AnalysisTechnique.SIMPLE_SCRAPE_GUI in params.analysis_techniques
+    simulate_regional = (
+        AnalysisTechnique.SIMULATE_REGIONAL_GUI in params.analysis_techniques
+    )
+    simulate_all = AnalysisTechnique.SIMULATE_ALL_GUI in params.analysis_techniques
+
+    # Collect instructions
+    instruction_sets = []
+
+    # Current Selection
+    if params.domain == Domain.CURRENT_SELECTION:
+        if currentSelection is None:
+            raise ValueError("No Selection Found")
+
+        instruction_set = []
+        address_iterator = currentSelection.getAddresses(True)
+
+        for address in address_iterator:
+            inst = getInstructionAt(address)
+            if inst is not None and inst not in instruction_set:
+                instruction_set.append(inst)
+
+        instruction_sets.append(instruction_set)
+
+    # Current Function
+    elif params.domain == Domain.CURRENT_FUNCTION:
+        func = getFunctionContaining(currentAddress)
+        if func is None:
+            raise ValueError("No Function Found")
+
+        func_body = func.getBody()
+        listing = currentProgram.getListing()
+        inst_iterator = listing.getInstructions(func_body, True)
+
+        instruction_sets.append(inst_iterator)
+
+    # All functions
+    elif params.domain == Domain.ALL_FUNCTIONS:
+        # get each function
+        func_iterator = currentProgram.getFunctionManager().getFunctionsNoStubs(True)
+        for func in func_iterator:
+
+            func_body = func.getBody()
+            listing = currentProgram.getListing()
+            inst_iterator = listing.getInstructions(func_body, True)
+
+            instruction_sets.append(inst_iterator)
+
+    # set up analysis
+    techniques = []  # type: List[Technique]
+
+    if simple_scrape:
+        scraper = Scraper(
+            params.look_ahead,
+            params.min_length,
+            params.len_of_interest,
+            params.address_filtering_intensity,
+        )
+        techniques.append(scraper)
+    if simulate_regional:
+        region_simulator = RegionSimulator(
+            params.look_ahead,
+            params.min_length,
+            params.len_of_interest,
+            params.reverse,
+            params.address_filtering_intensity,
+        )
+        techniques.append(region_simulator)
+    if simulate_all:
+        all_simulator = Simulator(
+            params.reverse, params.min_length, params.address_filtering_intensity
+        )
+        techniques.append(all_simulator)
+
+    # set up progress tracking
+    monitor.initialize(len(instruction_sets))
+    monitor.setMessage("Scanning for strings...")
+
+    # Analyse instructions
+    for instruction_set in instruction_sets:
+
+        # get each pcode instruction in this set
+        for inst in instruction_set:
+            op_iterator = inst.getPcode()
+            for op in op_iterator:
+                # run analysis
+                for technique in techniques:
+                    technique.run(inst, op)
+
+        # end analysis and decode strings for this function
+        for technique in techniques:
+            technique.end_function()
+            strings.extend(technique.get_strings())
+            technique.reset()
+
+        monitor.incrementProgress()
+
+    # output the strings
+    removed_duplicates = []
+    for string in strings:
+        if string not in removed_duplicates:
+            removed_duplicates.append(string)
+
+    display(removed_duplicates, params.output_options)
+
+
+if __name__ == "__main__":
+    if isRunningHeadless():
+        parameters = get_preferences_headless()
+    else:
+        parameters = get_preferences_gui()
+    check_parameters(parameters)
+    stack_strings(parameters)