npm - @sylix/coworker - Versions diffs - 2.0.11 → 2.0.14 - Mend

@sylix/coworker 2.0.11 → 2.0.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (169) hide show

package/dist/skills/defaults/security/binary-analysis-patterns/SKILL.md ADDED Viewed

@@ -0,0 +1,438 @@
+---
+name: binary-analysis-patterns
+description: Master binary analysis patterns including disassembly, decompilation, control flow analysis, and code pattern recognition. Use when analyzing executables, understanding compiled code, or performing static analysis on binaries.
+---
+# Binary Analysis Patterns
+Comprehensive patterns and techniques for analyzing compiled binaries, understanding assembly code, and reconstructing program logic.
+## Disassembly Fundamentals
+### x86-64 Instruction Patterns
+#### Function Prologue/Epilogue
+```asm
+; Standard prologue
+push rbp           ; Save base pointer
+mov rbp, rsp       ; Set up stack frame
+sub rsp, 0x20      ; Allocate local variables
+; Leaf function (no calls)
+; May skip frame pointer setup
+sub rsp, 0x18      ; Just allocate locals
+; Standard epilogue
+mov rsp, rbp       ; Restore stack pointer
+pop rbp            ; Restore base pointer
+ret
+; Leave instruction (equivalent)
+leave              ; mov rsp, rbp; pop rbp
+ret
+```
+#### Calling Conventions
+**System V AMD64 (Linux, macOS)**
+```asm
+; Arguments: RDI, RSI, RDX, RCX, R8, R9, then stack
+; Return: RAX (and RDX for 128-bit)
+; Caller-saved: RAX, RCX, RDX, RSI, RDI, R8-R11
+; Callee-saved: RBX, RBP, R12-R15
+; Example: func(a, b, c, d, e, f, g)
+mov rdi, [a]       ; 1st arg
+mov rsi, [b]       ; 2nd arg
+mov rdx, [c]       ; 3rd arg
+mov rcx, [d]       ; 4th arg
+mov r8, [e]        ; 5th arg
+mov r9, [f]        ; 6th arg
+push [g]           ; 7th arg on stack
+call func
+```
+**Microsoft x64 (Windows)**
+```asm
+; Arguments: RCX, RDX, R8, R9, then stack
+; Shadow space: 32 bytes reserved on stack
+; Return: RAX
+; Example: func(a, b, c, d, e)
+sub rsp, 0x28      ; Shadow space + alignment
+mov rcx, [a]       ; 1st arg
+mov rdx, [b]       ; 2nd arg
+mov r8, [c]        ; 3rd arg
+mov r9, [d]        ; 4th arg
+mov [rsp+0x20], [e] ; 5th arg on stack
+call func
+add rsp, 0x28
+```
+### ARM Assembly Patterns
+#### ARM64 (AArch64) Calling Convention
+```asm
+; Arguments: X0-X7
+; Return: X0 (and X1 for 128-bit)
+; Frame pointer: X29
+; Link register: X30
+; Function prologue
+stp x29, x30, [sp, #-16]!  ; Save FP and LR
+mov x29, sp                 ; Set frame pointer
+; Function epilogue
+ldp x29, x30, [sp], #16    ; Restore FP and LR
+ret
+```
+#### ARM32 Calling Convention
+```asm
+; Arguments: R0-R3, then stack
+; Return: R0 (and R1 for 64-bit)
+; Link register: LR (R14)
+; Function prologue
+push {fp, lr}
+add fp, sp, #4
+; Function epilogue
+pop {fp, pc}    ; Return by popping PC
+```
+## Control Flow Patterns
+### Conditional Branches
+```asm
+; if (a == b)
+cmp eax, ebx
+jne skip_block
+; ... if body ...
+skip_block:
+; if (a < b) - signed
+cmp eax, ebx
+jge skip_block    ; Jump if greater or equal
+; ... if body ...
+skip_block:
+; if (a < b) - unsigned
+cmp eax, ebx
+jae skip_block    ; Jump if above or equal
+; ... if body ...
+skip_block:
+```
+### Loop Patterns
+```asm
+; for (int i = 0; i < n; i++)
+xor ecx, ecx           ; i = 0
+loop_start:
+cmp ecx, [n]           ; i < n
+jge loop_end
+; ... loop body ...
+inc ecx                ; i++
+jmp loop_start
+loop_end:
+; while (condition)
+jmp loop_check
+loop_body:
+; ... body ...
+loop_check:
+cmp eax, ebx
+jl loop_body
+; do-while
+loop_body:
+; ... body ...
+cmp eax, ebx
+jl loop_body
+```
+### Switch Statement Patterns
+```asm
+; Jump table pattern
+mov eax, [switch_var]
+cmp eax, max_case
+ja default_case
+jmp [jump_table + eax*8]
+; Sequential comparison (small switch)
+cmp eax, 1
+je case_1
+cmp eax, 2
+je case_2
+cmp eax, 3
+je case_3
+jmp default_case
+```
+## Data Structure Patterns
+### Array Access
+```asm
+; array[i] - 4-byte elements
+mov eax, [rbx + rcx*4]        ; rbx=base, rcx=index
+; array[i] - 8-byte elements
+mov rax, [rbx + rcx*8]
+; Multi-dimensional array[i][j]
+; arr[i][j] = base + (i * cols + j) * element_size
+imul eax, [cols]
+add eax, [j]
+mov edx, [rbx + rax*4]
+```
+### Structure Access
+```c
+struct Example {
+    int a;      // offset 0
+    char b;     // offset 4
+    // padding  // offset 5-7
+    long c;     // offset 8
+    short d;    // offset 16
+};
+```
+```asm
+; Accessing struct fields
+mov rdi, [struct_ptr]
+mov eax, [rdi]         ; s->a (offset 0)
+movzx eax, byte [rdi+4] ; s->b (offset 4)
+mov rax, [rdi+8]       ; s->c (offset 8)
+movzx eax, word [rdi+16] ; s->d (offset 16)
+```
+### Linked List Traversal
+```asm
+; while (node != NULL)
+list_loop:
+test rdi, rdi          ; node == NULL?
+jz list_done
+; ... process node ...
+mov rdi, [rdi+8]       ; node = node->next (assuming next at offset 8)
+jmp list_loop
+list_done:
+```
+## Common Code Patterns
+### String Operations
+```asm
+; strlen pattern
+xor ecx, ecx
+strlen_loop:
+cmp byte [rdi + rcx], 0
+je strlen_done
+inc ecx
+jmp strlen_loop
+strlen_done:
+; ecx contains length
+; strcpy pattern
+strcpy_loop:
+mov al, [rsi]
+mov [rdi], al
+test al, al
+jz strcpy_done
+inc rsi
+inc rdi
+jmp strcpy_loop
+strcpy_done:
+; memcpy using rep movsb
+mov rdi, dest
+mov rsi, src
+mov rcx, count
+rep movsb
+```
+### Arithmetic Patterns
+```asm
+; Multiplication by constant
+; x * 3
+lea eax, [rax + rax*2]
+; x * 5
+lea eax, [rax + rax*4]
+; x * 10
+lea eax, [rax + rax*4]  ; x * 5
+add eax, eax            ; * 2
+; Division by power of 2 (signed)
+mov eax, [x]
+cdq                     ; Sign extend to EDX:EAX
+and edx, 7              ; For divide by 8
+add eax, edx            ; Adjust for negative
+sar eax, 3              ; Arithmetic shift right
+; Modulo power of 2
+and eax, 7              ; x % 8
+```
+### Bit Manipulation
+```asm
+; Test specific bit
+test eax, 0x80          ; Test bit 7
+jnz bit_set
+; Set bit
+or eax, 0x10            ; Set bit 4
+; Clear bit
+and eax, ~0x10          ; Clear bit 4
+; Toggle bit
+xor eax, 0x10           ; Toggle bit 4
+; Count leading zeros
+bsr eax, ecx            ; Bit scan reverse
+xor eax, 31             ; Convert to leading zeros
+; Population count (popcnt)
+popcnt eax, ecx         ; Count set bits
+```
+## Decompilation Patterns
+### Variable Recovery
+```asm
+; Local variable at rbp-8
+mov qword [rbp-8], rax  ; Store to local
+mov rax, [rbp-8]        ; Load from local
+; Stack-allocated array
+lea rax, [rbp-0x40]     ; Array starts at rbp-0x40
+mov [rax], edx          ; array[0] = value
+mov [rax+4], ecx        ; array[1] = value
+```
+### Function Signature Recovery
+```asm
+; Identify parameters by register usage
+func:
+    ; rdi used as first param (System V)
+    mov [rbp-8], rdi    ; Save param to local
+    ; rsi used as second param
+    mov [rbp-16], rsi
+    ; Identify return by RAX at end
+    mov rax, [result]
+    ret
+```
+### Type Recovery
+```asm
+; 1-byte operations suggest char/bool
+movzx eax, byte [rdi]   ; Zero-extend byte
+movsx eax, byte [rdi]   ; Sign-extend byte
+; 2-byte operations suggest short
+movzx eax, word [rdi]
+movsx eax, word [rdi]
+; 4-byte operations suggest int/float
+mov eax, [rdi]
+movss xmm0, [rdi]       ; Float
+; 8-byte operations suggest long/double/pointer
+mov rax, [rdi]
+movsd xmm0, [rdi]       ; Double
+```
+## Ghidra Analysis Tips
+### Improving Decompilation
+```java
+// In Ghidra scripting
+// Fix function signature
+Function func = getFunctionAt(toAddr(0x401000));
+func.setReturnType(IntegerDataType.dataType, SourceType.USER_DEFINED);
+// Create structure type
+StructureDataType struct = new StructureDataType("MyStruct", 0);
+struct.add(IntegerDataType.dataType, "field_a", null);
+struct.add(PointerDataType.dataType, "next", null);
+// Apply to memory
+createData(toAddr(0x601000), struct);
+```
+### Pattern Matching Scripts
+```python
+# Find all calls to dangerous functions
+for func in currentProgram.getFunctionManager().getFunctions(True):
+    for ref in getReferencesTo(func.getEntryPoint()):
+        if func.getName() in ["strcpy", "sprintf", "gets"]:
+            print(f"Dangerous call at {ref.getFromAddress()}")
+```
+## IDA Pro Patterns
+### IDAPython Analysis
+```python
+import idaapi
+import idautils
+import idc
+# Find all function calls
+def find_calls(func_name):
+    for func_ea in idautils.Functions():
+        for head in idautils.Heads(func_ea, idc.find_func_end(func_ea)):
+            if idc.print_insn_mnem(head) == "call":
+                target = idc.get_operand_value(head, 0)
+                if idc.get_func_name(target) == func_name:
+                    print(f"Call to {func_name} at {hex(head)}")
+# Rename functions based on strings
+def auto_rename():
+    for s in idautils.Strings():
+        for xref in idautils.XrefsTo(s.ea):
+            func = idaapi.get_func(xref.frm)
+            if func and "sub_" in idc.get_func_name(func.start_ea):
+                # Use string as hint for naming
+                pass
+```
+## Best Practices
+### Analysis Workflow
+1. **Initial triage**: File type, architecture, imports/exports
+2. **String analysis**: Identify interesting strings, error messages
+3. **Function identification**: Entry points, exports, cross-references
+4. **Control flow mapping**: Understand program structure
+5. **Data structure recovery**: Identify structs, arrays, globals
+6. **Algorithm identification**: Crypto, hashing, compression
+7. **Documentation**: Comments, renamed symbols, type definitions
+### Common Pitfalls
+- **Optimizer artifacts**: Code may not match source structure
+- **Inline functions**: Functions may be expanded inline
+- **Tail call optimization**: `jmp` instead of `call` + `ret`
+- **Dead code**: Unreachable code from optimization
+- **Position-independent code**: RIP-relative addressing