parascope

Weggli ruleset scanner for binaries and source code. Organise your weggli rules and scan source code and binaries in parallel!

Build/installation

To build and install parascope requires IDA Pro v9.0 and access to the latest SDK.

Install via crates.io:

export IDASDKDIR=/path/to/sdk
cargo install parascope

Build/install from source:

export IDASDKDIR=/path/to/sdk
cargo install --path .

Examples and usage

Scan a single binary and output the rule matches to stdout:

parascope --display -r rules /path/of/binary

Scan all binaries in the given directory and stream rule matches to results.jsonl:

parascope -o results.jsonl -r rules /directory/of/binaries

Scan the C source code in the given directory and stream rule matches to results.jsonl:

parascope -m c -o results.jsonl -r rules /directory/of/source-code

Complete set of capabilities:

Weggli ruleset scanner for source code and binaries

Usage: parascope [OPTIONS] --rules <rules> <INPUT>

Arguments:
  <INPUT>
          File or directory to scan

Options:
  -m, --mode <mode>
          Analysis mode

          [default: binary]

          Possible values:
          - binary: Binary analysis mode (using IDA)
          - c:      Source code analysis mode (C)
          - cxx:    Source code analysis mode (C++)

      --path-filter [<path-filter>...]
          Restrict analysis to files matching the given regular expression.
          For C/C++ analysis if no path filters are given analysis is restricted
          to a set of default file extensions:

          C: c, h
          C++: C, cc, cxx, cpp, H, hh, hxx, hpp, h

          For binary analysis, all files will be analysed. If an existing IDB is
          available, e.g., we have both file and file.i64, only the IDB will be
          used for analysis irrespective of the path filter.

      --display
          Render matches to stdout

      --display-context <display-context>
          Number of lines before/after match to render

          [default: 5]

      --summary
          Render tabular summary to stdout

  -r, --rules <rules>
          File or directory containing wegglir rules

  -o, --output <OUTPUT>
          File to write output results (JSONL)

  -h, --help
          Print help (see a summary with '-h')

  -V, --version
          Print version

Rules

We use weggli-ruleset to help manage weggli patterns. It provides a yaml-based rule format that allows different (related) patterns to be grouped along with metadata useful for categorising and triaging matches. For example, we can encode the patterns from here, as follows:

id: call-to-unbounded-copy-functions
description: call to unbounded copy functions
severity: medium
tags:
- CWE-120
- CWE-242
- CWE-676
check-patterns:
- name: gets
  regex: func=^gets$
  pattern: |
    { $func(); }
- name: st(r|p)(cpy|cat)
  regex: func=st(r|p)(cpy|cat)$
  pattern: |
    { $func(); }
- name: wc(r|p)(cpy|cat)
  regex: func=wc(r|p)(cpy|cat)$
  pattern: |
    { $func(); }
- name: sprintf
  regex: func=sprintf$
  pattern: |
    { $func(); }
- name: scanf
  regex: func=scanf$
  pattern: |
    { $func(); }

Rulesets & Resources

Below is a list of resources containing weggli patterns/rules that can easily be ported to parascope rules: