// - Get initial entropy
// - Get PE section data
// - Add filtered library
void imageLoadCallback(IMG img,void *){
Section item;
static int va_hooked = 0;
//get the initial entropy of the PE
//we have to consder only the main executable and avìvoid the libraries
if(IMG_IsMainExecutable(img)){
ProcInfo *proc_info = ProcInfo::getInstance();
//get the address of the first instruction
proc_info->setFirstINSaddress(IMG_Entry(img));
//get the program name
proc_info->setProcName(IMG_Name(img));
//get the initial entropy
MYINFO("----------------------------------------------");
float initial_entropy = proc_info->GetEntropy();
proc_info->setInitialEntropy(initial_entropy);
MYINFO("----------------------------------------------");
//retrieve the section of the PE
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
item.name = SEC_Name(sec);
item.begin = SEC_Address(sec);
item.end = item.begin + SEC_Size(sec);
proc_info->insertSection(item);
}
//DEBUG
proc_info->PrintSections();
}
//build the filtered libtrary list
FilterHandler *filterH = FilterHandler::getInstance();
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
const string name = IMG_Name(img);
if(!IMG_IsMainExecutable(img) && filterH->isKnownLibrary(name)){
/* searching for VirtualAlloc */
RTN rtn = RTN_FindByName( img, "VirtualAlloc");
if(rtn != RTN_Invalid()){
MYINFO("BECCATO LA VIRTUAL ALLOC\n");
ADDRINT va_address = RTN_Address(rtn);
MYINFO("Address of VirtualAlloc: %08x\n" , va_address);
RTN_Open(rtn);
RTN_InsertCall(rtn, IPOINT_AFTER, (AFUNPTR)VirtualAllocHook , IARG_G_ARG0_CALLEE , IARG_G_ARG1_CALLEE , IARG_G_RESULT0, IARG_END);
RTN_Close(rtn);
}
filterH->addLibrary(name,startAddr,endAddr);
}
}
// - Get initial entropy
// - Get PE section data
// - Add filtered library
// - Add protected libraries
void imageLoadCallback(IMG img,void *){
Section item;
static int va_hooked = 0;
ProcInfo *proc_info = ProcInfo::getInstance();
FilterHandler *filterHandler = FilterHandler::getInstance();
//get the initial entropy of the PE
//we have to consder only the main executable and avìvoid the libraries
if(IMG_IsMainExecutable(img)){
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
proc_info->setMainIMGAddress(startAddr, endAddr);
//get the address of the first instruction
proc_info->setFirstINSaddress(IMG_Entry(img));
//get the program name
proc_info->setProcName(IMG_Name(img));
//get the initial entropy
MYINFO("----------------------------------------------");
float initial_entropy = proc_info->GetEntropy();
proc_info->setInitialEntropy(initial_entropy);
MYINFO("----------------------------------------------");
//create Report File
Report::getInstance()->initializeReport(proc_info->getProcName(), startAddr, endAddr , initial_entropy);
//retrieve the section of the PE
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
item.name = SEC_Name(sec);
item.begin = SEC_Address(sec);
item.end = item.begin + SEC_Size(sec);
proc_info->insertSection(item);
}
proc_info->PrintSections();
}
//build the filtered libtrary list
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
const string name = IMG_Name(img);
if(!IMG_IsMainExecutable(img)){
//*** If you need to protect other sections of other dll put them here ***
// check if there are some fuction that has top be hooked in this DLL
hookFun.hookDispatcher(img);
// check if we have to filter this library during thwe instrumentation
proc_info->addLibrary(name,startAddr,endAddr);
if(filterHandler->IsNameInFilteredArray(name)){
filterHandler->addToFilteredLibrary(name,startAddr,endAddr);
MYINFO("Added to the filtered array the module %s\n" , name);
}
}
}
static void Instruction(INS ins, void *v)
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE,
(AFUNPTR)do_count,
IARG_END);
// Filters out non memory reference instructions.
if (!INS_IsMemoryRead(ins) && !INS_IsMemoryWrite(ins))
return;
// Filters out references to stack.
if (INS_IsStackRead(ins) || INS_IsStackWrite(ins))
return;
// Filters out instructions out of main executable.
IMG img = IMG_FindByAddress(INS_Address(ins));
if (!IMG_Valid(img) || !IMG_IsMainExecutable(img))
return;
unsigned i;
unsigned int mem_op = INS_MemoryOperandCount(ins);
for (i = 0; i < mem_op; i++) {
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE,
(AFUNPTR)check_addr,
IARG_INST_PTR,
IARG_MEMORYOP_EA, i, IARG_END);
}
}
VOID onImageLoad(IMG img, VOID *data)
{
SYM sym;
if (IMG_IsMainExecutable(img))
{
bool foundStatic = false;
bool foundDynamic = false;
for (sym = IMG_RegsymHead(img); SYM_Valid(sym); sym = SYM_Next(sym))
{
if (SYM_Name(sym).find("statdyn_app_staticFunction") != string::npos)
{
assert(SYM_Dynamic(sym) == false);
foundStatic = true;
}
if (SYM_Name(sym).find("statdyn_app_dynamicFunction") != string::npos)
{
assert(SYM_Dynamic(sym) == true);
foundDynamic = true;
}
}
assert(foundStatic == true);
assert(foundDynamic == true);
}
}
void img_load (IMG img, void *v)
{
struct event_imload *imevent;
char buffer[512];
size_t length;
/* fprintf(logfp, "load %s off=%08x low=%08x high=%08x start=%08x size=%08x\n",
IMG_Name(img).c_str(),
IMG_LoadOffset(img), IMG_LowAddress(img), IMG_HighAddress(img),
IMG_StartAddress(img), IMG_SizeMapped(img));*/
imevent = (struct event_imload *)buffer;
length = IMG_Name(img).length();
if (length > sizeof(buffer) - sizeof(struct event_imload))
length = sizeof(buffer) - sizeof(struct event_imload);
imevent->comm.type = ET_IMLOAD;
imevent->comm.tid = PIN_ThreadId();
imevent->struct_size = (int)((char *)imevent->name - (char *)imevent) + length + 1;
imevent->addr = IMG_LowAddress(img);
imevent->size = IMG_HighAddress(img) - IMG_LowAddress(img);
imevent->entry = IMG_Entry(img);
imevent->ismain = IMG_IsMainExecutable(img);
memcpy(imevent->name, IMG_Name(img).c_str(), length);
imevent->name[length] = '\0';
tb_write((event_common *)imevent, (size_t)imevent->struct_size);
osdep_iterate_symbols(img, process_symbol, (void *)&img);
tb_flush(PIN_ThreadId());
fprintf(logfp, "img+ %08x+%08x %s\n", IMG_StartAddress(img), IMG_SizeMapped(img), IMG_Name(img).c_str());
}
/*
* Called when a new image is loaded.
* Currently only acts when the main executable is loaded to set exename global.
*/
static void ImageLoad(IMG img, VOID * v) {
// XXX: check if this works correctly when execv() is used.
if (IMG_IsMainExecutable(img)) {
exename = path_resolve(IMG_Name(img));
pid = getpid();
PROVLOG_EXEC(exename, pid);
// Add stdin/stdout/stderr to watched file descriptors.
// This should take place while loading the image in order to have
// exename available.
if ( atoi(TrackStdin.Value().c_str()) ) {
ufd_t ufd = ufdmap.get(STDIN_FILENO);
std::string fdn = fdname(STDIN_FILENO);
fdset.insert(STDIN_FILENO);
LOG( "Watching fd" + decstr(STDIN_FILENO) + " (" + fdn + ").\n");
PROVLOG_OPEN(ufd, fdn, fcntl(STDIN_FILENO, F_GETFL), 0);
}
if ( atoi(TrackStdout.Value().c_str()) ) {
ufd_t ufd = ufdmap.get(STDOUT_FILENO);
std::string fdn = fdname(STDOUT_FILENO);
fdset.insert(STDOUT_FILENO);
LOG( "Watching fd" + decstr(STDOUT_FILENO) + " (" + fdn + ").\n");
PROVLOG_OPEN(ufd, fdn, fcntl(STDOUT_FILENO, F_GETFL), 0);
}
if ( atoi(TrackStderr.Value().c_str()) ) {
ufd_t ufd = ufdmap.get(STDERR_FILENO);
std::string fdn = fdname(STDERR_FILENO);
fdset.insert(STDERR_FILENO);
LOG( "Watching fd" + decstr(STDERR_FILENO) + " (" + fdn + ").\n");
PROVLOG_OPEN(ufd, fdn, fcntl(STDERR_FILENO, F_GETFL), 0);
}
}
}
VOID Routine(RTN rtn, VOID *v)
{
RTN_Open(rtn);
RTN_NAME * rn = new RTN_NAME;
if (KnobOnly){
if(IMG_IsMainExecutable(SEC_Img(RTN_Sec(rtn))) \
/*&& std::strcmp(IMG_Name(SEC_Img(RTN_Sec(rtn))).c_str(),"/usr/lib/libSystem.B.dylib")!=0 \*/
|| std::strcmp(IMG_Name(SEC_Img(RTN_Sec(rtn))).c_str(),"/usr/lib/system/libsystem_malloc.dylib")==0)
{
funcList.push_back(RTN_Name(rtn));
cerr << "Getting "<< RTN_Name(rtn) <<endl ;
//RTN_Close(rtn);
//return ;
}
}
if(KnobOnly && find (funcList.begin(), funcList.end(), RTN_Name(rtn)) == funcList.end()){
cerr << "excluding : " << RTN_Name(rtn) ;
cerr << IMG_Name(SEC_Img(RTN_Sec(rtn))) << endl;
RTN_Close(rtn);
return;
}
// The RTN goes away when the image is unloaded, so save it now
// because we need it in the fin
rn->_name = RTN_Name(rtn);
rn->_image = IMG_Name(SEC_Img(RTN_Sec(rtn))).c_str();
rn->_address = RTN_Address(rtn);
//_address = RTN_Address(rtn);
// Insert a call at the entry point of a routine to increment the call count
RTN_InsertCall(rtn, IPOINT_BEFORE, (AFUNPTR)print, IARG_PTR, rn,IARG_FUNCARG_ENTRYPOINT_VALUE, 0, IARG_END);
RTN_InsertCall(rtn, IPOINT_AFTER, (AFUNPTR)ret,IARG_PTR,rn,IARG_FUNCRET_EXITPOINT_VALUE, IARG_END);
//INS_InsertCall(RTN_InsTail(rtn), IPOINT_BEFORE, (AFUNPTR)ret, IARG_END);
RTN_Close(rtn);
}
/*
* Instrumentation-time routine looking for the routine we'd like to instrument.
*/
static VOID ImageLoad(IMG img, VOID * v)
{
if (IMG_IsMainExecutable(img))
{
*outFile << "In main application image" << endl;
// Search for the assembly routine in the application
RTN AsmRtn = RTN_FindByName(img, "operImmCmds");
if (!RTN_Valid(AsmRtn))
{
AsmRtn = RTN_FindByName(img, "_operImmCmds");
}
if (RTN_Valid(AsmRtn))
{
*outFile << "Function operImmCmds found" << endl;
RTN_Open(AsmRtn);
// Go over each of the routine's instructions
for (INS ins = RTN_InsHead(AsmRtn); INS_Valid(ins); ins = INS_Next(ins))
{
Instruction(ins, 0);
}
RTN_Close(AsmRtn);
*outFile << "Done with function operImmCmds" << endl;
}
else
{
*outFile << "Function operImmCmds not found!" << endl;
}
}
}
/* ===================================================================== */
VOID ImageLoad(IMG img, VOID *v)
{
BOOL jitMode = (v==0);
if (IMG_IsMainExecutable(img))
{
fprintf(stdout, "Image %s is loaded in %s mode\n", IMG_Name(img).c_str(), (jitMode?"JIT":"PROBE"));
}
}
void report_image_structure(IMG img, int depth){
UINT32 I1 = IMG_Id(img);
string I2 = IMG_Name(img);
int I3 = IMG_IsMainExecutable( img );
int I4 = IMG_IsStaticExecutable( img );
ADDRINT I5 = IMG_LoadOffset(img);
ADDRINT I6 = IMG_LowAddress(img);
ADDRINT I7 = IMG_HighAddress(img);
ADDRINT I8 = IMG_LoadOffset(img);
ADDRINT I9 = IMG_StartAddress(img);
ADDRINT I10 = IMG_Entry(img);
USIZE I11 = IMG_SizeMapped( img );
IMG_TYPE I12 = IMG_Type(img);
char I13[128];
int k ;
for ( k = 0; k< depth ; k ++ )
TraceFile << "\t" ;
TraceFile << "<IMAGE-LOAD>" << " I1:" << I1 << " I2:" << I2 << " I3:" << I3 << " I4:" << I4 << " I5:" << hex<< I5 << " I6:"<< I6 << " I7:" << I7 << " I8:" << I8 << " I9:"<< I9 << " I10:"<< I10 << " I11:" << I11 ;
switch ( I12 ){
case IMG_TYPE_STATIC:
strcpy( I13 ,"static" ); break;
case IMG_TYPE_SHARED:
strcpy( I13 ,"shared" ); break;
case IMG_TYPE_INVALID:
strcpy( I13 ,"invalid" ); break;
case IMG_TYPE_LAST:
strcpy( I13 ,"last" ); break;
case IMG_TYPE_SHAREDLIB:
strcpy( I13 ,"shared-lib" ); break;
case IMG_TYPE_RELOCATABLE:
strcpy( I13 ,"relocatable" ); break;
case IMG_TYPE_DYNAMIC_CODE:
strcpy( I13 ,"dynamic-code" ); break;
default:
strcpy( I13 ,"UNKNOWN" ); break; }
TraceFile << " I12:" << I12 << " I13:" << I13 << endl;
for( SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
report_section_structure( sec, depth + 1 );
}
/* */
for (SYM sym = IMG_RegsymHead(img); SYM_Valid(sym); sym = SYM_Next(sym)){
report_sym_structure( sym, depth +1 );
}
for ( k = 0; k< depth ; k ++ )
TraceFile << "\t" ;
TraceFile << "</IMAGE-LOAD>" << endl;
}
static void InstrumentRtn(RTN rtn, VOID *)
{
ADDRINT a = RTN_Address(rtn);
IMG img = IMG_FindByAddress(a);
if (IMG_Valid(img) &&
IMG_IsMainExecutable(img)) {
RTN_Open(rtn);
RTN_InsertCall(rtn, IPOINT_BEFORE, AFUNPTR(FunctionHook), IARG_ADDRINT, a, IARG_END);
RTN_Close(rtn);
}
}
static VOID imageLoad(IMG img, VOID *v)
{
TraceFile << "in image callback of image: " << IMG_Name(img).c_str() << endl;
if ( IMG_IsMainExecutable(img))
{
RTN rtn = RTN_FindByName(img, "AfterAttach");
if (RTN_Valid(rtn))
{
RTN_ReplaceProbed(rtn, AFUNPTR(afterAttachProbe));
}
}
}
static BOOL traceFromExecutable(TRACE trace)
{
RTN rtn = TRACE_Rtn(trace);
if (!RTN_Valid(rtn))
return FALSE;
SEC sec = RTN_Sec(rtn);
if (!SEC_Valid(sec))
return FALSE;
IMG img = SEC_Img(sec);
if (!IMG_Valid(img))
return FALSE;
return IMG_IsMainExecutable(img);
}
/* =====================================================================
* Called upon image load to instrument the function GlobalFunction
* ===================================================================== */
static void Image(IMG img, VOID *)
{
if (IMG_IsMainExecutable(img))
{
RTN rtn = RTN_FindByName(img, "GlobalFunction");
ASSERT(RTN_Valid(rtn), "Failed to find GlobalFunction() in main application image");
RTN_Open(rtn);
INS ins = RTN_InsHeadOnly(rtn);
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(DoBreakpoint),
IARG_THREAD_ID, IARG_CONTEXT, IARG_END);
RTN_Close(rtn);
}
}
// Pin calls this function every time a new img is loaded
VOID ImageLoad(IMG img, VOID *v)
{
if (!IMG_IsMainExecutable(img))
return;
printf("%s loaded\n", IMG_Name(img).c_str());
fflush(stdout);
ADDRINT imageBase = IMG_LowAddress(img);
WINDOWS::PIMAGE_DATA_DIRECTORY pExpDir = GetExportDirectory(imageBase);
if ((pExpDir == 0) || (pExpDir->Size == 0))
{
// Failure: Executable image lacks export directory.
printf("ERROR: No export directory in executable image\n");
fflush(stdout);
exit(3);
}
ADDRINT exportBase = imageBase + pExpDir->VirtualAddress;
// First check that bytes in export directory range do not belong to a RTN
for (ADDRINT addr = exportBase; addr < exportBase + pExpDir->Size; ++addr)
{
if (RTN_FindByAddress(addr) != RTN_Invalid())
{
// Test failure. Byte in export directory belongs to a RTN.
printf("ERROR: Data from export directory included in RTN\n");
fflush(stdout);
exit(1);
}
}
// Second check RTN size. RTN range should not overlap with export directory range.
for (SEC sec = IMG_SecHead(img); sec != SEC_Invalid(); sec = SEC_Next(sec))
{
for (RTN rtn = SEC_RtnHead(sec); rtn != RTN_Invalid(); rtn = RTN_Next(rtn))
{
if (((RTN_Address(rtn) <= exportBase) && (RTN_Address(rtn) + RTN_Size(rtn) > exportBase)) ||
((RTN_Address(rtn) > exportBase) && (exportBase + pExpDir->Size > RTN_Address(rtn))))
{
// Test failure. RTN overlaps with export directory.
printf("ERROR: RTN overlaps with export directory\n");
fflush(stdout);
exit(2);
}
}
}
return;
}
void imageLoadCallback(IMG img,void *){
//get the initial entropy of the PE
//we have to consder only the main executable and avìvoid the libraries
if(IMG_IsMainExecutable(img)){
ProcInfo *proc_info = ProcInfo::getInstance();
proc_info->setFirstINSaddress(IMG_Entry(img));
MYLOG("INIT : %08x", proc_info->getFirstINSaddress());
MYLOG("----------------------------------------------");
float initial_entropy = proc_info->GetEntropy();
proc_info->setInitialEntropy(initial_entropy);
MYLOG("----------------------------------------------");
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
Section item;
item.name = SEC_Name(sec);
item.begin = SEC_Address(sec);
item.end = item.begin + SEC_Size(sec);
proc_info->insertSection(item);
}
proc_info->PrintSections();
}
FilterHandler *filterH = FilterHandler::getInstance();
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
const string name = IMG_Name(img);
if(!IMG_IsMainExecutable(img) && filterH->isKnownLibrary(name)){
filterH->addLibrary(name,startAddr,endAddr);
}
}
static VOID on_module_loading(IMG img, VOID *data)
{
if (IMG_IsMainExecutable(img))
{
RTN routine = RTN_FindByName(img, "foo");
if (!RTN_Valid(routine))
{
routine = RTN_FindByName(img, "_foo");
}
if (RTN_Valid(routine))
{
foo_ptr = RTN_ReplaceProbed(routine, (AFUNPTR)(foo_rep));
}
}
}
static VOID ImageLoad(IMG img, VOID *v)
{
outFile << IMG_Name(img) << endl;
if (IMG_IsMainExecutable(img))
{
RTN doReleaseRtn = RTN_FindByName(img, "DoRelease");
if (!RTN_Valid(doReleaseRtn))
{
cerr << "TOOL ERROR: Unable to find the DoRelease function in the application." << endl;
PIN_ExitProcess(1);
}
RTN_Open(doReleaseRtn);
RTN_InsertCall(doReleaseRtn, IPOINT_BEFORE, AFUNPTR(OnDoRelease), IARG_FUNCARG_ENTRYPOINT_VALUE, 0, IARG_END);
RTN_Close(doReleaseRtn);
}
}
VOID instrumentTrace(TRACE trace, VOID *v)
{
IMG img = IMG_FindByAddress(TRACE_Address(trace));
if (!IMG_Valid(img) || !IMG_IsMainExecutable(img))
return;
const char* imageName = IMG_Name(img).c_str();
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins))
{
processMemoryWriteInstruction(ins, imageName);
processMemoryReadInstruction(ins, imageName);
}
}
}
/* ===================================================================== */
VOID ImageLoad(IMG img, VOID *v)
{
if (!IMG_IsMainExecutable(img))
{
return;
}
const char * name = "check_sp_value";
RTN rtn = RTN_FindByName(img, name);
if (RTN_Valid(rtn))
{
PROTO proto = PROTO_Allocate(PIN_PARG(int),
CALLINGSTD_DEFAULT, name,
PIN_PARG(void*),
PIN_PARG_END() );
if ( ! PIN_IsProbeMode() )
{
RTN_ReplaceSignature(
rtn, AFUNPTR(check_sp_value),
IARG_PROTOTYPE, proto,
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_REG_VALUE, REG_ESP,
IARG_REG_VALUE, REG_SP,
IARG_END);
}
else if (RTN_IsSafeForProbedReplacement(rtn))
{
RTN_ReplaceSignatureProbed(
rtn, AFUNPTR(check_sp_value),
IARG_PROTOTYPE, proto,
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_REG_VALUE, REG_ESP,
IARG_REG_VALUE, REG_SP,
IARG_END);
}
PROTO_Free( proto);
}
}
VOID Image(IMG img, VOID *v)
{
if(IMG_IsMainExecutable(img))
{
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
if (RTN_Name(rtn) == "_NotifyPinAfterMmap" || RTN_Name(rtn) == "NotifyPinAfterMmap")
{
RTN_Open(rtn);
RTN_InsertCall(rtn, IPOINT_BEFORE, (AFUNPTR)MmapAfter,
IARG_FUNCARG_ENTRYPOINT_VALUE, 0, IARG_END);
RTN_Close(rtn);
}
}
}
}
}
static VOID tpss_on_module_loading(IMG img, VOID *data)
{
unsigned long origAttrs = 0;
if (IMG_Valid(img))
{
if (IMG_IsMainExecutable(img))
{
g_tpss_entry_point =
(void(*)())RTN_ReplaceProbed(
RTN_FindByAddress(IMG_Entry(img)),
(AFUNPTR)tpss_mainStartup);
}
else
{
tpss_instrument_module(img, data);
}
}
}
static VOID imageLoad(IMG img, VOID *v)
{
// Just instrument the main image.
if (!IMG_IsMainExecutable(img))
return;
for (SEC sec=IMG_SecHead(img); SEC_Valid(sec); sec=SEC_Next(sec))
{
for (RTN rtn=SEC_RtnHead(sec); RTN_Valid(rtn); rtn=RTN_Next(rtn))
{
RTN_Open(rtn);
for (INS ins=RTN_InsHead(rtn); INS_Valid(ins); ins=INS_Next(ins))
{
INS_InsertCall(ins, IPOINT_BEFORE,
(AFUNPTR)incCount, IARG_END);
}
RTN_Close(rtn);
}
}
}
VOID ImageLoad(IMG img, VOID *v)
{
if (IMG_IsMainExecutable(img))
{
std::cout << "Processing image " << IMG_Name( img ) << std::endl;
RTN rtn = RTN_FindByName( img, "Add2" );
if (RTN_Valid( rtn ))
{
pf_Add = (AFUNPTR)RTN_Address( rtn );
fprintf( out, "address of application function = 0x%x\n", pf_Add );
fflush(out);
}
else
std::cout << "Cannot find Add2" << std::endl;
}
}
// Instrumentation of the modules
VOID image_instrumentation(IMG img, VOID * v)
{
ADDRINT module_low_limit = IMG_LowAddress(img), module_high_limit = IMG_HighAddress(img);
if(IMG_IsMainExecutable(img))
return;
const std::string image_path = IMG_Name(img);
std::pair<std::string, std::pair<ADDRINT, ADDRINT> > module_info = std::make_pair(
image_path,
std::make_pair(
module_low_limit,
module_high_limit
)
);
module_list.insert(module_info);
if(is_module_should_be_blacklisted(image_path))
modules_blacklisted.insert(module_info);
}
/* ===================================================================== */
VOID ImageLoad(IMG img, VOID *v)
{
std::cerr << "Loading " << IMG_Name(img).c_str() << " Start " << hex << IMG_LowAddress(img) << " End " << IMG_HighAddress(img) << endl;
// if no module passed, just use the main executable
string module = KnobModuleToLog.Value();
if (module.empty() && IMG_IsMainExecutable( img ) )
{
module = IMG_Name(img);
}
// keep in mind this is case sensitive...
if (module.empty() || IMG_Name( img ).rfind( module.c_str() ) == string::npos)
{
return;
}
moduleStart = IMG_LowAddress(img);
moduleEnd = IMG_HighAddress(img);
moduleSize = moduleEnd - moduleStart;
if (gLogStart != -1)
{
gLogStart += moduleStart;
}
if (gLogStop != -1)
{
gLogStop += moduleStart;
}
std::cerr << "Module size is: " << moduleSize << endl;
logBuffer = (WINDOWS::BYTE *)calloc(moduleSize,sizeof(WINDOWS::BYTE));
if (logBuffer == NULL)
{
std::cerr << "Unable to allocate enough heapspace, how friggen big is this module?" << endl;
return;
}
std::cerr << "Creating hit count for instructions in module: " << IMG_Name(img).c_str() << endl;
}
VOID ImageLoad(IMG img, VOID *v)
{
if (inMain)
{
cout << "Loaded " << IMG_Name(img) << endl;
}
if (IMG_IsMainExecutable(img))
{
RTN mainRtn = RTN_FindByName(img, "_main");
if (!RTN_Valid(mainRtn))
mainRtn = RTN_FindByName(img, "main");
if (!RTN_Valid(mainRtn))
{
cout << "Can't find the main routine in " << IMG_Name(img) << endl;
exit(1);
}
RTN_Open(mainRtn);
RTN_InsertCall(mainRtn, IPOINT_BEFORE, AFUNPTR(MainBefore), IARG_END);
RTN_InsertCall(mainRtn, IPOINT_AFTER, AFUNPTR(MainAfter), IARG_END);
RTN_Close(mainRtn);
}
}
// Writes the image load event to the file "imgLog"
static void LogImageLoad(IMG img, void *v)
{
// Ensure that we can't overflow when we read it back.
ASSERTX (IMG_Name(img).length() < MAX_FILENAME_LENGTH);
ADDRESS_RANGE range = FindImageTextMargin(img);
// Log the data needed to restore it
fprintf(imgLog, "L '%s' %llx %lx %llx %d \n", IMG_Name(img).c_str(), (unsigned long long)range._low,
(long)(range._high - range._low), (unsigned long long)IMG_LoadOffset(img), (int)IMG_IsMainExecutable(img));
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
if (SEC_Type(sec) != SEC_TYPE_EXEC)
{
continue;
}
for (RTN rtn=SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
if (RTN_IsArtificial(rtn))
{
continue;
}
fprintf(imgLog, "\t'%s' %llx\n", RTN_Name(rtn).c_str(), (unsigned long long)RTN_Address(rtn));
}
}
fprintf(imgLog, "%s", END_RTN_LIST);
}
VOID onImageLoad(IMG img, VOID *v)
{
if (IMG_IsMainExecutable(img)) {
fprintf(generated, "1\n");
}
}
// - Get initial entropy
// - Get PE section data
// - Add filtered library
void imageLoadCallback(IMG img,void *){
/*for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
for( RTN rtn= SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn) ){
MYINFO("Inside %s -> %s",IMG_Name(img).c_str(),RTN_Name(rtn).c_str());
}
}*/
Section item;
static int va_hooked = 0;
ProcInfo *proc_info = ProcInfo::getInstance();
FilterHandler *filterHandler = FilterHandler::getInstance();
//get the initial entropy of the PE
//we have to consder only the main executable and avìvoid the libraries
if(IMG_IsMainExecutable(img)){
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
proc_info->setMainIMGAddress(startAddr, endAddr);
//get the address of the first instruction
proc_info->setFirstINSaddress(IMG_Entry(img));
//get the program name
proc_info->setProcName(IMG_Name(img));
//get the initial entropy
MYINFO("----------------------------------------------");
float initial_entropy = proc_info->GetEntropy();
proc_info->setInitialEntropy(initial_entropy);
MYINFO("----------------------------------------------");
//retrieve the section of the PE
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
item.name = SEC_Name(sec);
item.begin = SEC_Address(sec);
item.end = item.begin + SEC_Size(sec);
proc_info->insertSection(item);
}
//DEBUG
proc_info->PrintSections();
}
//build the filtered libtrary list
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
const string name = IMG_Name(img);
if(!IMG_IsMainExecutable(img)){
if(name.find("ntdll")!= std::string::npos){
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
if(strcmp(SEC_Name(sec).c_str(),".text")==0){
proc_info->addProtectedSection(SEC_Address(sec),SEC_Address(sec)+SEC_Size(sec));
}
}
}
//*** If you need to protect other sections of other dll put them here ***
hookFun.hookDispatcher(img);
proc_info->addLibrary(name,startAddr,endAddr);
if(filterHandler->IsNameInFilteredArray(name)){
filterHandler->addToFilteredLibrary(name,startAddr,endAddr);
MYINFO("Added to the filtered array the module %s\n" , name);
}
}
}
