BannedFunctions.py

# This script is a simple script to locate functions within a program
# that are on the Microsoft "banned functions list" inside of banned.h
#@author Jaime Geiger
#@category Vulnerability Research
#@keybinding Ctrl-Shift-Alt-B
#@menupath Tools.Plugins.Banned Functions

banned = ["strcpy","strcpyA","strcpyW","wcscpy","_tcscpy","_mbscpy","StrCpy","StrCpyA","StrCpyW","lstrcpy","lstrcpyA","lstrcpyW","_tccpy","_mbccpy","_ftcscpy","strcat","strcatA","strcatW","wcscat","_tcscat","_mbscat","StrCat","StrCatA","StrCatW","lstrcat","lstrcatA","lstrcatW","StrCatBuff","StrCatBuffA","StrCatBuffW","StrCatChainW","_tccat","_mbccat","_ftcscat","wvsprintf","wvsprintfA","wvsprintfW","vsprintf","_vstprintf","vswprintf","strncpy","wcsncpy","_tcsncpy","_mbsncpy","_mbsnbcpy","StrCpyN","StrCpyNA","StrCpyNW","StrNCpy","strcpynA","StrNCpyA","StrNCpyW","lstrcpyn","lstrcpynA","lstrcpynW","strncat","wcsncat","_tcsncat","_mbsncat","_mbsnbcat","StrCatN","StrCatNA","StrCatNW","StrNCat","StrNCatA","StrNCatW","lstrncat","lstrcatnA","lstrcatnW","lstrcatn","IsBadWritePtr","IsBadHugeWritePtr","IsBadReadPtr","IsBadHugeReadPtr","IsBadCodePtr","IsBadStringPtr","gets","_getts","_gettws","RtlCopyMemory","CopyMemory","wnsprintf","wnsprintfA","wnsprintfW","sprintfW","sprintfA","wsprintf","wsprintfW","wsprintfA","sprintf","swprintf","_stprintf","_snwprintf","_snprintf","_sntprintf","_vsnprintf","vsnprintf","_vsnwprintf","_vsntprintf","wvnsprintf","wvnsprintfA","wvnsprintfW","strtok","_tcstok","wcstok","_mbstok","makepath","_tmakepath","_makepath","_wmakepath","_splitpath","_tsplitpath","_wsplitpath","scanf","wscanf","_tscanf","sscanf","swscanf","_stscanf","snscanf","snwscanf","_sntscanf","_itoa","_itow","_i64toa","_i64tow","_ui64toa","_ui64tot","_ui64tow","_ultoa","_ultot","_ultow","CharToOem","CharToOemA","CharToOemW","OemToChar","OemToCharA","OemToCharW","CharToOemBuffA","CharToOemBuffW","alloca","_alloca","strlen","wcslen","_mbslen","_mbstrlen","StrLen","lstrlen","ChangeWindowMessageFilter","PathAddBackslash","PathAddBackslashA","PathAddBackslashW","PathAddExtension","PathAddExtensionA","PathAddExtensionW","PathAppend","PathAppendA","PathAppendW","PathCanonicalize","PathCanonicalizeA","PathCanonicalizeW","PathCombine","PathCombineA","PathCombineW","PathRenameExtension","PathRenameExtensionA","PathRenameExtensionW"]
symtable = currentProgram.getSymbolTable()
funcmgr = currentProgram.getFunctionManager()
in_app = {}

for bf in banned:
	bannedsym = symtable.getExternalSymbol(bf)
	if not bannedsym or bannedsym.getReferenceCount() == 0:
		# no import by that name or unused
		continue
	in_app.update({bf: bannedsym.getReferenceCount()})
	bannedrefs = bannedsym.getReferences()
	for ref in bannedrefs:
		func = funcmgr.getFunctionContaining(ref.getFromAddress())
		fname = func.getName() if func else "<NO NAME>"
		print("{} used at 0x{:x} in {}".format(bf, ref.getFromAddress().getUnsignedOffset(), fname))
	

print("\n\nSummary")
print("="*30)
print("Found references to {} banned functions".format(len(list(in_app.keys()))))
for k, v in in_app.items():
	print("{} called {} times".format(k, v))