// - Get initial entropy // - Get PE section data // - Add filtered library void imageLoadCallback(IMG img,void *){ Section item; static int va_hooked = 0; //get the initial entropy of the PE //we have to consder only the main executable and avìvoid the libraries if(IMG_IsMainExecutable(img)){ ProcInfo *proc_info = ProcInfo::getInstance(); //get the address of the first instruction proc_info->setFirstINSaddress(IMG_Entry(img)); //get the program name proc_info->setProcName(IMG_Name(img)); //get the initial entropy MYINFO("----------------------------------------------"); float initial_entropy = proc_info->GetEntropy(); proc_info->setInitialEntropy(initial_entropy); MYINFO("----------------------------------------------"); //retrieve the section of the PE for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){ item.name = SEC_Name(sec); item.begin = SEC_Address(sec); item.end = item.begin + SEC_Size(sec); proc_info->insertSection(item); } //DEBUG proc_info->PrintSections(); } //build the filtered libtrary list FilterHandler *filterH = FilterHandler::getInstance(); ADDRINT startAddr = IMG_LowAddress(img); ADDRINT endAddr = IMG_HighAddress(img); const string name = IMG_Name(img); if(!IMG_IsMainExecutable(img) && filterH->isKnownLibrary(name)){ /* searching for VirtualAlloc */ RTN rtn = RTN_FindByName( img, "VirtualAlloc"); if(rtn != RTN_Invalid()){ MYINFO("BECCATO LA VIRTUAL ALLOC\n"); ADDRINT va_address = RTN_Address(rtn); MYINFO("Address of VirtualAlloc: %08x\n" , va_address); RTN_Open(rtn); RTN_InsertCall(rtn, IPOINT_AFTER, (AFUNPTR)VirtualAllocHook , IARG_G_ARG0_CALLEE , IARG_G_ARG1_CALLEE , IARG_G_RESULT0, IARG_END); RTN_Close(rtn); } filterH->addLibrary(name,startAddr,endAddr); } }
// - Get initial entropy // - Get PE section data // - Add filtered library // - Add protected libraries void imageLoadCallback(IMG img,void *){ Section item; static int va_hooked = 0; ProcInfo *proc_info = ProcInfo::getInstance(); FilterHandler *filterHandler = FilterHandler::getInstance(); //get the initial entropy of the PE //we have to consder only the main executable and avìvoid the libraries if(IMG_IsMainExecutable(img)){ ADDRINT startAddr = IMG_LowAddress(img); ADDRINT endAddr = IMG_HighAddress(img); proc_info->setMainIMGAddress(startAddr, endAddr); //get the address of the first instruction proc_info->setFirstINSaddress(IMG_Entry(img)); //get the program name proc_info->setProcName(IMG_Name(img)); //get the initial entropy MYINFO("----------------------------------------------"); float initial_entropy = proc_info->GetEntropy(); proc_info->setInitialEntropy(initial_entropy); MYINFO("----------------------------------------------"); //create Report File Report::getInstance()->initializeReport(proc_info->getProcName(), startAddr, endAddr , initial_entropy); //retrieve the section of the PE for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){ item.name = SEC_Name(sec); item.begin = SEC_Address(sec); item.end = item.begin + SEC_Size(sec); proc_info->insertSection(item); } proc_info->PrintSections(); } //build the filtered libtrary list ADDRINT startAddr = IMG_LowAddress(img); ADDRINT endAddr = IMG_HighAddress(img); const string name = IMG_Name(img); if(!IMG_IsMainExecutable(img)){ //*** If you need to protect other sections of other dll put them here *** // check if there are some fuction that has top be hooked in this DLL hookFun.hookDispatcher(img); // check if we have to filter this library during thwe instrumentation proc_info->addLibrary(name,startAddr,endAddr); if(filterHandler->IsNameInFilteredArray(name)){ filterHandler->addToFilteredLibrary(name,startAddr,endAddr); MYINFO("Added to the filtered array the module %s\n" , name); } } }
static void Instruction(INS ins, void *v) { INS_InsertPredicatedCall( ins, IPOINT_BEFORE, (AFUNPTR)do_count, IARG_END); // Filters out non memory reference instructions. if (!INS_IsMemoryRead(ins) && !INS_IsMemoryWrite(ins)) return; // Filters out references to stack. if (INS_IsStackRead(ins) || INS_IsStackWrite(ins)) return; // Filters out instructions out of main executable. IMG img = IMG_FindByAddress(INS_Address(ins)); if (!IMG_Valid(img) || !IMG_IsMainExecutable(img)) return; unsigned i; unsigned int mem_op = INS_MemoryOperandCount(ins); for (i = 0; i < mem_op; i++) { INS_InsertPredicatedCall( ins, IPOINT_BEFORE, (AFUNPTR)check_addr, IARG_INST_PTR, IARG_MEMORYOP_EA, i, IARG_END); } }
VOID onImageLoad(IMG img, VOID *data) { SYM sym; if (IMG_IsMainExecutable(img)) { bool foundStatic = false; bool foundDynamic = false; for (sym = IMG_RegsymHead(img); SYM_Valid(sym); sym = SYM_Next(sym)) { if (SYM_Name(sym).find("statdyn_app_staticFunction") != string::npos) { assert(SYM_Dynamic(sym) == false); foundStatic = true; } if (SYM_Name(sym).find("statdyn_app_dynamicFunction") != string::npos) { assert(SYM_Dynamic(sym) == true); foundDynamic = true; } } assert(foundStatic == true); assert(foundDynamic == true); } }
void img_load (IMG img, void *v) { struct event_imload *imevent; char buffer[512]; size_t length; /* fprintf(logfp, "load %s off=%08x low=%08x high=%08x start=%08x size=%08x\n", IMG_Name(img).c_str(), IMG_LoadOffset(img), IMG_LowAddress(img), IMG_HighAddress(img), IMG_StartAddress(img), IMG_SizeMapped(img));*/ imevent = (struct event_imload *)buffer; length = IMG_Name(img).length(); if (length > sizeof(buffer) - sizeof(struct event_imload)) length = sizeof(buffer) - sizeof(struct event_imload); imevent->comm.type = ET_IMLOAD; imevent->comm.tid = PIN_ThreadId(); imevent->struct_size = (int)((char *)imevent->name - (char *)imevent) + length + 1; imevent->addr = IMG_LowAddress(img); imevent->size = IMG_HighAddress(img) - IMG_LowAddress(img); imevent->entry = IMG_Entry(img); imevent->ismain = IMG_IsMainExecutable(img); memcpy(imevent->name, IMG_Name(img).c_str(), length); imevent->name[length] = '\0'; tb_write((event_common *)imevent, (size_t)imevent->struct_size); osdep_iterate_symbols(img, process_symbol, (void *)&img); tb_flush(PIN_ThreadId()); fprintf(logfp, "img+ %08x+%08x %s\n", IMG_StartAddress(img), IMG_SizeMapped(img), IMG_Name(img).c_str()); }
/* * Called when a new image is loaded. * Currently only acts when the main executable is loaded to set exename global. */ static void ImageLoad(IMG img, VOID * v) { // XXX: check if this works correctly when execv() is used. if (IMG_IsMainExecutable(img)) { exename = path_resolve(IMG_Name(img)); pid = getpid(); PROVLOG_EXEC(exename, pid); // Add stdin/stdout/stderr to watched file descriptors. // This should take place while loading the image in order to have // exename available. if ( atoi(TrackStdin.Value().c_str()) ) { ufd_t ufd = ufdmap.get(STDIN_FILENO); std::string fdn = fdname(STDIN_FILENO); fdset.insert(STDIN_FILENO); LOG( "Watching fd" + decstr(STDIN_FILENO) + " (" + fdn + ").\n"); PROVLOG_OPEN(ufd, fdn, fcntl(STDIN_FILENO, F_GETFL), 0); } if ( atoi(TrackStdout.Value().c_str()) ) { ufd_t ufd = ufdmap.get(STDOUT_FILENO); std::string fdn = fdname(STDOUT_FILENO); fdset.insert(STDOUT_FILENO); LOG( "Watching fd" + decstr(STDOUT_FILENO) + " (" + fdn + ").\n"); PROVLOG_OPEN(ufd, fdn, fcntl(STDOUT_FILENO, F_GETFL), 0); } if ( atoi(TrackStderr.Value().c_str()) ) { ufd_t ufd = ufdmap.get(STDERR_FILENO); std::string fdn = fdname(STDERR_FILENO); fdset.insert(STDERR_FILENO); LOG( "Watching fd" + decstr(STDERR_FILENO) + " (" + fdn + ").\n"); PROVLOG_OPEN(ufd, fdn, fcntl(STDERR_FILENO, F_GETFL), 0); } } }
VOID Routine(RTN rtn, VOID *v) { RTN_Open(rtn); RTN_NAME * rn = new RTN_NAME; if (KnobOnly){ if(IMG_IsMainExecutable(SEC_Img(RTN_Sec(rtn))) \ /*&& std::strcmp(IMG_Name(SEC_Img(RTN_Sec(rtn))).c_str(),"/usr/lib/libSystem.B.dylib")!=0 \*/ || std::strcmp(IMG_Name(SEC_Img(RTN_Sec(rtn))).c_str(),"/usr/lib/system/libsystem_malloc.dylib")==0) { funcList.push_back(RTN_Name(rtn)); cerr << "Getting "<< RTN_Name(rtn) <<endl ; //RTN_Close(rtn); //return ; } } if(KnobOnly && find (funcList.begin(), funcList.end(), RTN_Name(rtn)) == funcList.end()){ cerr << "excluding : " << RTN_Name(rtn) ; cerr << IMG_Name(SEC_Img(RTN_Sec(rtn))) << endl; RTN_Close(rtn); return; } // The RTN goes away when the image is unloaded, so save it now // because we need it in the fin rn->_name = RTN_Name(rtn); rn->_image = IMG_Name(SEC_Img(RTN_Sec(rtn))).c_str(); rn->_address = RTN_Address(rtn); //_address = RTN_Address(rtn); // Insert a call at the entry point of a routine to increment the call count RTN_InsertCall(rtn, IPOINT_BEFORE, (AFUNPTR)print, IARG_PTR, rn,IARG_FUNCARG_ENTRYPOINT_VALUE, 0, IARG_END); RTN_InsertCall(rtn, IPOINT_AFTER, (AFUNPTR)ret,IARG_PTR,rn,IARG_FUNCRET_EXITPOINT_VALUE, IARG_END); //INS_InsertCall(RTN_InsTail(rtn), IPOINT_BEFORE, (AFUNPTR)ret, IARG_END); RTN_Close(rtn); }
/* * Instrumentation-time routine looking for the routine we'd like to instrument. */ static VOID ImageLoad(IMG img, VOID * v) { if (IMG_IsMainExecutable(img)) { *outFile << "In main application image" << endl; // Search for the assembly routine in the application RTN AsmRtn = RTN_FindByName(img, "operImmCmds"); if (!RTN_Valid(AsmRtn)) { AsmRtn = RTN_FindByName(img, "_operImmCmds"); } if (RTN_Valid(AsmRtn)) { *outFile << "Function operImmCmds found" << endl; RTN_Open(AsmRtn); // Go over each of the routine's instructions for (INS ins = RTN_InsHead(AsmRtn); INS_Valid(ins); ins = INS_Next(ins)) { Instruction(ins, 0); } RTN_Close(AsmRtn); *outFile << "Done with function operImmCmds" << endl; } else { *outFile << "Function operImmCmds not found!" << endl; } } }
/* ===================================================================== */ VOID ImageLoad(IMG img, VOID *v) { BOOL jitMode = (v==0); if (IMG_IsMainExecutable(img)) { fprintf(stdout, "Image %s is loaded in %s mode\n", IMG_Name(img).c_str(), (jitMode?"JIT":"PROBE")); } }
void report_image_structure(IMG img, int depth){ UINT32 I1 = IMG_Id(img); string I2 = IMG_Name(img); int I3 = IMG_IsMainExecutable( img ); int I4 = IMG_IsStaticExecutable( img ); ADDRINT I5 = IMG_LoadOffset(img); ADDRINT I6 = IMG_LowAddress(img); ADDRINT I7 = IMG_HighAddress(img); ADDRINT I8 = IMG_LoadOffset(img); ADDRINT I9 = IMG_StartAddress(img); ADDRINT I10 = IMG_Entry(img); USIZE I11 = IMG_SizeMapped( img ); IMG_TYPE I12 = IMG_Type(img); char I13[128]; int k ; for ( k = 0; k< depth ; k ++ ) TraceFile << "\t" ; TraceFile << "<IMAGE-LOAD>" << " I1:" << I1 << " I2:" << I2 << " I3:" << I3 << " I4:" << I4 << " I5:" << hex<< I5 << " I6:"<< I6 << " I7:" << I7 << " I8:" << I8 << " I9:"<< I9 << " I10:"<< I10 << " I11:" << I11 ; switch ( I12 ){ case IMG_TYPE_STATIC: strcpy( I13 ,"static" ); break; case IMG_TYPE_SHARED: strcpy( I13 ,"shared" ); break; case IMG_TYPE_INVALID: strcpy( I13 ,"invalid" ); break; case IMG_TYPE_LAST: strcpy( I13 ,"last" ); break; case IMG_TYPE_SHAREDLIB: strcpy( I13 ,"shared-lib" ); break; case IMG_TYPE_RELOCATABLE: strcpy( I13 ,"relocatable" ); break; case IMG_TYPE_DYNAMIC_CODE: strcpy( I13 ,"dynamic-code" ); break; default: strcpy( I13 ,"UNKNOWN" ); break; } TraceFile << " I12:" << I12 << " I13:" << I13 << endl; for( SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){ report_section_structure( sec, depth + 1 ); } /* */ for (SYM sym = IMG_RegsymHead(img); SYM_Valid(sym); sym = SYM_Next(sym)){ report_sym_structure( sym, depth +1 ); } for ( k = 0; k< depth ; k ++ ) TraceFile << "\t" ; TraceFile << "</IMAGE-LOAD>" << endl; }
static void InstrumentRtn(RTN rtn, VOID *) { ADDRINT a = RTN_Address(rtn); IMG img = IMG_FindByAddress(a); if (IMG_Valid(img) && IMG_IsMainExecutable(img)) { RTN_Open(rtn); RTN_InsertCall(rtn, IPOINT_BEFORE, AFUNPTR(FunctionHook), IARG_ADDRINT, a, IARG_END); RTN_Close(rtn); } }
static VOID imageLoad(IMG img, VOID *v) { TraceFile << "in image callback of image: " << IMG_Name(img).c_str() << endl; if ( IMG_IsMainExecutable(img)) { RTN rtn = RTN_FindByName(img, "AfterAttach"); if (RTN_Valid(rtn)) { RTN_ReplaceProbed(rtn, AFUNPTR(afterAttachProbe)); } } }
static BOOL traceFromExecutable(TRACE trace) { RTN rtn = TRACE_Rtn(trace); if (!RTN_Valid(rtn)) return FALSE; SEC sec = RTN_Sec(rtn); if (!SEC_Valid(sec)) return FALSE; IMG img = SEC_Img(sec); if (!IMG_Valid(img)) return FALSE; return IMG_IsMainExecutable(img); }
/* ===================================================================== * Called upon image load to instrument the function GlobalFunction * ===================================================================== */ static void Image(IMG img, VOID *) { if (IMG_IsMainExecutable(img)) { RTN rtn = RTN_FindByName(img, "GlobalFunction"); ASSERT(RTN_Valid(rtn), "Failed to find GlobalFunction() in main application image"); RTN_Open(rtn); INS ins = RTN_InsHeadOnly(rtn); INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(DoBreakpoint), IARG_THREAD_ID, IARG_CONTEXT, IARG_END); RTN_Close(rtn); } }
// Pin calls this function every time a new img is loaded VOID ImageLoad(IMG img, VOID *v) { if (!IMG_IsMainExecutable(img)) return; printf("%s loaded\n", IMG_Name(img).c_str()); fflush(stdout); ADDRINT imageBase = IMG_LowAddress(img); WINDOWS::PIMAGE_DATA_DIRECTORY pExpDir = GetExportDirectory(imageBase); if ((pExpDir == 0) || (pExpDir->Size == 0)) { // Failure: Executable image lacks export directory. printf("ERROR: No export directory in executable image\n"); fflush(stdout); exit(3); } ADDRINT exportBase = imageBase + pExpDir->VirtualAddress; // First check that bytes in export directory range do not belong to a RTN for (ADDRINT addr = exportBase; addr < exportBase + pExpDir->Size; ++addr) { if (RTN_FindByAddress(addr) != RTN_Invalid()) { // Test failure. Byte in export directory belongs to a RTN. printf("ERROR: Data from export directory included in RTN\n"); fflush(stdout); exit(1); } } // Second check RTN size. RTN range should not overlap with export directory range. for (SEC sec = IMG_SecHead(img); sec != SEC_Invalid(); sec = SEC_Next(sec)) { for (RTN rtn = SEC_RtnHead(sec); rtn != RTN_Invalid(); rtn = RTN_Next(rtn)) { if (((RTN_Address(rtn) <= exportBase) && (RTN_Address(rtn) + RTN_Size(rtn) > exportBase)) || ((RTN_Address(rtn) > exportBase) && (exportBase + pExpDir->Size > RTN_Address(rtn)))) { // Test failure. RTN overlaps with export directory. printf("ERROR: RTN overlaps with export directory\n"); fflush(stdout); exit(2); } } } return; }
void imageLoadCallback(IMG img,void *){ //get the initial entropy of the PE //we have to consder only the main executable and avìvoid the libraries if(IMG_IsMainExecutable(img)){ ProcInfo *proc_info = ProcInfo::getInstance(); proc_info->setFirstINSaddress(IMG_Entry(img)); MYLOG("INIT : %08x", proc_info->getFirstINSaddress()); MYLOG("----------------------------------------------"); float initial_entropy = proc_info->GetEntropy(); proc_info->setInitialEntropy(initial_entropy); MYLOG("----------------------------------------------"); for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){ Section item; item.name = SEC_Name(sec); item.begin = SEC_Address(sec); item.end = item.begin + SEC_Size(sec); proc_info->insertSection(item); } proc_info->PrintSections(); } FilterHandler *filterH = FilterHandler::getInstance(); ADDRINT startAddr = IMG_LowAddress(img); ADDRINT endAddr = IMG_HighAddress(img); const string name = IMG_Name(img); if(!IMG_IsMainExecutable(img) && filterH->isKnownLibrary(name)){ filterH->addLibrary(name,startAddr,endAddr); } }
static VOID on_module_loading(IMG img, VOID *data) { if (IMG_IsMainExecutable(img)) { RTN routine = RTN_FindByName(img, "foo"); if (!RTN_Valid(routine)) { routine = RTN_FindByName(img, "_foo"); } if (RTN_Valid(routine)) { foo_ptr = RTN_ReplaceProbed(routine, (AFUNPTR)(foo_rep)); } } }
static VOID ImageLoad(IMG img, VOID *v) { outFile << IMG_Name(img) << endl; if (IMG_IsMainExecutable(img)) { RTN doReleaseRtn = RTN_FindByName(img, "DoRelease"); if (!RTN_Valid(doReleaseRtn)) { cerr << "TOOL ERROR: Unable to find the DoRelease function in the application." << endl; PIN_ExitProcess(1); } RTN_Open(doReleaseRtn); RTN_InsertCall(doReleaseRtn, IPOINT_BEFORE, AFUNPTR(OnDoRelease), IARG_FUNCARG_ENTRYPOINT_VALUE, 0, IARG_END); RTN_Close(doReleaseRtn); } }
VOID instrumentTrace(TRACE trace, VOID *v) { IMG img = IMG_FindByAddress(TRACE_Address(trace)); if (!IMG_Valid(img) || !IMG_IsMainExecutable(img)) return; const char* imageName = IMG_Name(img).c_str(); for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins)) { processMemoryWriteInstruction(ins, imageName); processMemoryReadInstruction(ins, imageName); } } }
/* ===================================================================== */ VOID ImageLoad(IMG img, VOID *v) { if (!IMG_IsMainExecutable(img)) { return; } const char * name = "check_sp_value"; RTN rtn = RTN_FindByName(img, name); if (RTN_Valid(rtn)) { PROTO proto = PROTO_Allocate(PIN_PARG(int), CALLINGSTD_DEFAULT, name, PIN_PARG(void*), PIN_PARG_END() ); if ( ! PIN_IsProbeMode() ) { RTN_ReplaceSignature( rtn, AFUNPTR(check_sp_value), IARG_PROTOTYPE, proto, IARG_FUNCARG_ENTRYPOINT_VALUE, 0, IARG_REG_VALUE, REG_STACK_PTR, IARG_REG_VALUE, REG_ESP, IARG_REG_VALUE, REG_SP, IARG_END); } else if (RTN_IsSafeForProbedReplacement(rtn)) { RTN_ReplaceSignatureProbed( rtn, AFUNPTR(check_sp_value), IARG_PROTOTYPE, proto, IARG_FUNCARG_ENTRYPOINT_VALUE, 0, IARG_REG_VALUE, REG_STACK_PTR, IARG_REG_VALUE, REG_ESP, IARG_REG_VALUE, REG_SP, IARG_END); } PROTO_Free( proto); } }
VOID Image(IMG img, VOID *v) { if(IMG_IsMainExecutable(img)) { for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec)) { for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn)) { if (RTN_Name(rtn) == "_NotifyPinAfterMmap" || RTN_Name(rtn) == "NotifyPinAfterMmap") { RTN_Open(rtn); RTN_InsertCall(rtn, IPOINT_BEFORE, (AFUNPTR)MmapAfter, IARG_FUNCARG_ENTRYPOINT_VALUE, 0, IARG_END); RTN_Close(rtn); } } } } }
static VOID tpss_on_module_loading(IMG img, VOID *data) { unsigned long origAttrs = 0; if (IMG_Valid(img)) { if (IMG_IsMainExecutable(img)) { g_tpss_entry_point = (void(*)())RTN_ReplaceProbed( RTN_FindByAddress(IMG_Entry(img)), (AFUNPTR)tpss_mainStartup); } else { tpss_instrument_module(img, data); } } }
static VOID imageLoad(IMG img, VOID *v) { // Just instrument the main image. if (!IMG_IsMainExecutable(img)) return; for (SEC sec=IMG_SecHead(img); SEC_Valid(sec); sec=SEC_Next(sec)) { for (RTN rtn=SEC_RtnHead(sec); RTN_Valid(rtn); rtn=RTN_Next(rtn)) { RTN_Open(rtn); for (INS ins=RTN_InsHead(rtn); INS_Valid(ins); ins=INS_Next(ins)) { INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)incCount, IARG_END); } RTN_Close(rtn); } } }
VOID ImageLoad(IMG img, VOID *v) { if (IMG_IsMainExecutable(img)) { std::cout << "Processing image " << IMG_Name( img ) << std::endl; RTN rtn = RTN_FindByName( img, "Add2" ); if (RTN_Valid( rtn )) { pf_Add = (AFUNPTR)RTN_Address( rtn ); fprintf( out, "address of application function = 0x%x\n", pf_Add ); fflush(out); } else std::cout << "Cannot find Add2" << std::endl; } }
// Instrumentation of the modules VOID image_instrumentation(IMG img, VOID * v) { ADDRINT module_low_limit = IMG_LowAddress(img), module_high_limit = IMG_HighAddress(img); if(IMG_IsMainExecutable(img)) return; const std::string image_path = IMG_Name(img); std::pair<std::string, std::pair<ADDRINT, ADDRINT> > module_info = std::make_pair( image_path, std::make_pair( module_low_limit, module_high_limit ) ); module_list.insert(module_info); if(is_module_should_be_blacklisted(image_path)) modules_blacklisted.insert(module_info); }
/* ===================================================================== */ VOID ImageLoad(IMG img, VOID *v) { std::cerr << "Loading " << IMG_Name(img).c_str() << " Start " << hex << IMG_LowAddress(img) << " End " << IMG_HighAddress(img) << endl; // if no module passed, just use the main executable string module = KnobModuleToLog.Value(); if (module.empty() && IMG_IsMainExecutable( img ) ) { module = IMG_Name(img); } // keep in mind this is case sensitive... if (module.empty() || IMG_Name( img ).rfind( module.c_str() ) == string::npos) { return; } moduleStart = IMG_LowAddress(img); moduleEnd = IMG_HighAddress(img); moduleSize = moduleEnd - moduleStart; if (gLogStart != -1) { gLogStart += moduleStart; } if (gLogStop != -1) { gLogStop += moduleStart; } std::cerr << "Module size is: " << moduleSize << endl; logBuffer = (WINDOWS::BYTE *)calloc(moduleSize,sizeof(WINDOWS::BYTE)); if (logBuffer == NULL) { std::cerr << "Unable to allocate enough heapspace, how friggen big is this module?" << endl; return; } std::cerr << "Creating hit count for instructions in module: " << IMG_Name(img).c_str() << endl; }
VOID ImageLoad(IMG img, VOID *v) { if (inMain) { cout << "Loaded " << IMG_Name(img) << endl; } if (IMG_IsMainExecutable(img)) { RTN mainRtn = RTN_FindByName(img, "_main"); if (!RTN_Valid(mainRtn)) mainRtn = RTN_FindByName(img, "main"); if (!RTN_Valid(mainRtn)) { cout << "Can't find the main routine in " << IMG_Name(img) << endl; exit(1); } RTN_Open(mainRtn); RTN_InsertCall(mainRtn, IPOINT_BEFORE, AFUNPTR(MainBefore), IARG_END); RTN_InsertCall(mainRtn, IPOINT_AFTER, AFUNPTR(MainAfter), IARG_END); RTN_Close(mainRtn); } }
// Writes the image load event to the file "imgLog" static void LogImageLoad(IMG img, void *v) { // Ensure that we can't overflow when we read it back. ASSERTX (IMG_Name(img).length() < MAX_FILENAME_LENGTH); ADDRESS_RANGE range = FindImageTextMargin(img); // Log the data needed to restore it fprintf(imgLog, "L '%s' %llx %lx %llx %d \n", IMG_Name(img).c_str(), (unsigned long long)range._low, (long)(range._high - range._low), (unsigned long long)IMG_LoadOffset(img), (int)IMG_IsMainExecutable(img)); for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec)) { if (SEC_Type(sec) != SEC_TYPE_EXEC) { continue; } for (RTN rtn=SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn)) { if (RTN_IsArtificial(rtn)) { continue; } fprintf(imgLog, "\t'%s' %llx\n", RTN_Name(rtn).c_str(), (unsigned long long)RTN_Address(rtn)); } } fprintf(imgLog, "%s", END_RTN_LIST); }
VOID onImageLoad(IMG img, VOID *v) { if (IMG_IsMainExecutable(img)) { fprintf(generated, "1\n"); } }
// - Get initial entropy // - Get PE section data // - Add filtered library void imageLoadCallback(IMG img,void *){ /*for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){ for( RTN rtn= SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn) ){ MYINFO("Inside %s -> %s",IMG_Name(img).c_str(),RTN_Name(rtn).c_str()); } }*/ Section item; static int va_hooked = 0; ProcInfo *proc_info = ProcInfo::getInstance(); FilterHandler *filterHandler = FilterHandler::getInstance(); //get the initial entropy of the PE //we have to consder only the main executable and avìvoid the libraries if(IMG_IsMainExecutable(img)){ ADDRINT startAddr = IMG_LowAddress(img); ADDRINT endAddr = IMG_HighAddress(img); proc_info->setMainIMGAddress(startAddr, endAddr); //get the address of the first instruction proc_info->setFirstINSaddress(IMG_Entry(img)); //get the program name proc_info->setProcName(IMG_Name(img)); //get the initial entropy MYINFO("----------------------------------------------"); float initial_entropy = proc_info->GetEntropy(); proc_info->setInitialEntropy(initial_entropy); MYINFO("----------------------------------------------"); //retrieve the section of the PE for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){ item.name = SEC_Name(sec); item.begin = SEC_Address(sec); item.end = item.begin + SEC_Size(sec); proc_info->insertSection(item); } //DEBUG proc_info->PrintSections(); } //build the filtered libtrary list ADDRINT startAddr = IMG_LowAddress(img); ADDRINT endAddr = IMG_HighAddress(img); const string name = IMG_Name(img); if(!IMG_IsMainExecutable(img)){ if(name.find("ntdll")!= std::string::npos){ for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){ if(strcmp(SEC_Name(sec).c_str(),".text")==0){ proc_info->addProtectedSection(SEC_Address(sec),SEC_Address(sec)+SEC_Size(sec)); } } } //*** If you need to protect other sections of other dll put them here *** hookFun.hookDispatcher(img); proc_info->addLibrary(name,startAddr,endAddr); if(filterHandler->IsNameInFilteredArray(name)){ filterHandler->addToFilteredLibrary(name,startAddr,endAddr); MYINFO("Added to the filtered array the module %s\n" , name); } } }