static BOOL DebugInterpreter(THREADID tid, CONTEXT *ctxt, const string &cmd, string *result, VOID *)
{
TINFO_MAP::iterator it = ThreadInfos.find(tid);
if (it == ThreadInfos.end())
return FALSE;
TINFO *tinfo = it->second;
std::string line = TrimWhitespace(cmd);
*result = "";
if (line == "help")
{
result->append("mappings -- Mappings.\n");
return TRUE;
}
else if(line == "mappings")
{
tinfo->_os.str("");
tinfo->_os << "{"; //open JSON
for( IMG img= APP_ImgHead(); IMG_Valid(img); img = IMG_Next(img) )
{
const string& name = LEVEL_PINCLIENT::IMG_Name(img);
tinfo->_os <<"\""<< name << "\":{"; //open img
ADDRINT address = LEVEL_PINCLIENT::IMG_LowAddress(img);
tinfo->_os << "\"start\":" << address << ",";
address = LEVEL_PINCLIENT::IMG_HighAddress(img);
tinfo->_os << "\"end\":" << address << ",";
tinfo->_os << "\"sections\":" << "{"; //open sections
for( SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
const string& name = LEVEL_PINCLIENT::SEC_Name(sec);
if(name != "")
{
tinfo->_os << "\"" << name <<"\":{"; //open section
ADDRINT address = LEVEL_PINCLIENT::SEC_Address(sec);
tinfo->_os << "\"start\":" << address << ",";
USIZE size = LEVEL_PINCLIENT::SEC_Size(sec);
if(SEC_Valid(SEC_Next(sec)))
{
tinfo->_os << "\"size\":" << size << "},"; //close section
}else
{
tinfo->_os << "\"size\":" << size << "}}"; //close section and sections
}
}
}
if(IMG_Valid(IMG_Next(img)))
{
tinfo->_os << "},"; //close img
}else
{
tinfo->_os << "}}"; //close img and json
}
}
*result = tinfo->_os.str();
return TRUE;
}
return FALSE; /* Unknown command */
}
VOID Image(IMG img, void *v)
{
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
RTN_Open(rtn);
numRtnsFoundInImageCallback++;
INS ins = RTN_InsHeadOnly(rtn);
if (INS_Invalid() == ins)
{ // no instruction found - assert that RTN_InsHead(rtn) also doesn't find any INS
ASSERTX (INS_Invalid() == RTN_InsHead(rtn));
RTN_Close(rtn);
continue;
}
if (INS_HasFallThrough(ins))
{
ADDRINT insAddress = INS_Address(ins);
numRtnsInstrumentedFromImageCallback++;
RTN_InsertCall( rtn, IPOINT_BEFORE, AFUNPTR(AtRtn), IARG_ADDRINT, RTN_Address(rtn), IARG_END);
INS_InsertCall (ins, IPOINT_BEFORE, AFUNPTR(BeforeInsHeadOnly), IARG_ADDRINT, INS_Address(ins), IARG_END);
INS_InsertCall (ins, IPOINT_AFTER, AFUNPTR(AfterInsHeadOnly), IARG_ADDRINT, INS_Address(ins), IARG_END);
ins = RTN_InsHead(rtn);
ASSERTX(INS_Invalid() != ins);
ASSERTX(INS_Address(ins)==insAddress);
INS_InsertCall (ins, IPOINT_BEFORE, AFUNPTR(BeforeInsHead), IARG_ADDRINT, insAddress, IARG_END);
INS_InsertCall (ins, IPOINT_AFTER, AFUNPTR(AfterInsHead), IARG_ADDRINT, insAddress, IARG_END);
}
RTN_Close(rtn);
}
}
}
VOID WriteMem(UINT64 insAddr, std::string insDis, UINT32 opCount, REG reg_r, UINT64 memOp)
{
std::list<struct mallocArea>::iterator i;
UINT64 addr = memOp;
PIN_LockClient();
IMG img = IMG_FindByAddress(addr);
PIN_UnlockClient();
SEC sec;
if (opCount != 2){
return;
}
/* Check if the address is in a section */
for(sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec)){
if (addr >= SEC_Address(sec) && addr < (SEC_Address(sec) + SEC_Size(sec)))
return;
}
/* Check if the address is mapped */
for(i = mallocAreaList.begin(); i != mallocAreaList.end(); i++){
if (i->status == ALLOCATE && addr >= i->base && addr < (i->base + i->size))
return;
if (i->status == FREE && addr >= i->base && addr < (i->base + i->size)){
std::cout << std::hex << insAddr << ": " << insDis << " -- Use after free in " << addr << std::endl;
return;
}
}
/* check if the address is in a stack area */
if (addr > 0x700000000000)
return;
std::cout << std::hex << insAddr << ": " << insDis << " -- Heap overflow in " << addr << std::endl;
}
// When an image is loaded, check for a MyAlloc function
VOID Image(IMG img, VOID *v)
{
//fprintf(stderr, "Loading %s\n",IMG_name(img));
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
//fprintf(stderr, " sec %s\n", SEC_name(sec).c_str());
for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
//fprintf(stderr, " rtn %s\n", RTN_Name(rtn).c_str());
if (RTN_Name(rtn) == STRESSTEST_FN_NAME)
{
RTN_Open(rtn);
RTN_InsertCall(rtn, IPOINT_BEFORE,
(AFUNPTR)StressTestConstContextToolFunc,
IARG_FUNCARG_ENTRYPOINT_REFERENCE, 0,
IARG_FUNCARG_ENTRYPOINT_REFERENCE, 1,
IARG_FUNCARG_ENTRYPOINT_REFERENCE, 2,
IARG_FUNCARG_ENTRYPOINT_REFERENCE, 3,
IARG_FUNCARG_ENTRYPOINT_REFERENCE, 4,
IARG_FUNCARG_ENTRYPOINT_REFERENCE, 5,
IARG_RETURN_IP, // address of inst after caller
IARG_REG_VALUE, REG_STACK_PTR,
IARG_REG_VALUE, REG_THREAD_ID,
IARG_CONST_CONTEXT,
IARG_END);
RTN_Close(rtn);
}
}
}
}
VOID ImageLoad(IMG img, VOID *v)
{
printf ("ImageLoad %s\n", IMG_Name(img).c_str());
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
if (strcmp(RTN_Name(rtn).c_str(), "_dl_debug_state") == 0)
{
printf (" RTN %s at %p\n", RTN_Name(rtn).c_str(), reinterpret_cast<void *>(RTN_Address(rtn)));
printf (" ** found _dl_debug_state\n");
dl_debug_state_Addr = RTN_Address(rtn);
justFoundDlDebugState = TRUE;
}
else if (justFoundDlDebugState)
{
printf (" RTN %s at %p\n", RTN_Name(rtn).c_str(), reinterpret_cast<void *>(RTN_Address(rtn)));
dl_debug_state_AddrEnd = RTN_Address(rtn);
justFoundDlDebugState = FALSE;
printf (" ** _dl_debug_state from %p to %p\n", reinterpret_cast<void *>(dl_debug_state_Addr), reinterpret_cast<void *>(dl_debug_state_AddrEnd));
}
}
}
}
VOID Image(IMG img, VOID * v)
{
if ( (IMG_Name(img).find("ntdll.dll") != string::npos) ||
(IMG_Name(img).find("NTDLL.DLL") != string::npos) ||
(IMG_Name(img).find("NTDLL.dll") != string::npos) )
{
return;
}
if ( (IMG_Name(img).find("MSVCR") != string::npos) ||
(IMG_Name(img).find("msvcr") != string::npos) )
{ // _NLG_Return2 causes problems
return;
}
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
if (RTN_Name(rtn).find(".text") != string::npos)
{
continue;
}
BOOL canBeProbed = RTN_IsSafeForProbedInsertion(rtn);
if (canBeProbed && RTN_Name(rtn)[0] != '_' && RTN_Name(rtn)[0] != '.')
{
RTN_InsertCallProbed( rtn, IPOINT_BEFORE, AFUNPTR(AtRtn), IARG_PTR, RTN_Name(rtn).c_str(), IARG_TSC, IARG_END);
}
}
}
}
// Writes the image load event to the file "imgLog"
static void LogImageLoad(IMG img, void *v)
{
// Ensure that we can't overflow when we read it back.
ASSERTX (IMG_Name(img).length() < MAX_FILENAME_LENGTH);
ADDRESS_RANGE range = FindImageTextMargin(img);
// Log the data needed to restore it
fprintf(imgLog, "L '%s' %llx %lx %llx %d \n", IMG_Name(img).c_str(), (unsigned long long)range._low,
(long)(range._high - range._low), (unsigned long long)IMG_LoadOffset(img), (int)IMG_IsMainExecutable(img));
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
if (SEC_Type(sec) != SEC_TYPE_EXEC)
{
continue;
}
for (RTN rtn=SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
if (RTN_IsArtificial(rtn))
{
continue;
}
fprintf(imgLog, "\t'%s' %llx\n", RTN_Name(rtn).c_str(), (unsigned long long)RTN_Address(rtn));
}
}
fprintf(imgLog, "%s", END_RTN_LIST);
}
VOID Image(IMG img, VOID * v)
{
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
RTN_Open(rtn);
for (INS ins = RTN_InsHead(rtn); INS_Valid(ins); ins = INS_Next(ins))
{
if( INS_IsPredicated(ins) )
GlobalStatsStatic.predicated[ INS_Category(ins) ]++;
else
GlobalStatsStatic.unpredicated[ INS_Category(ins) ]++;
}
RTN_Close(rtn);
}
}
if( KnobProfileStaticOnly.Value() )
{
Fini(0,0);
exit(0);
}
}
RTN RTN_FindLoop(IMG img, string rtn_name)
{
SEC temp=IMG_SecHead(img);
while(SEC_Valid(temp))
{
//we pick only executable code segment
if(SEC_Type(temp)==SEC_TYPE_EXEC){
RTN myrtn=SEC_RtnHead(temp);
DBG_TRACE("RTNs to be instrumented");
while(RTN_Valid(myrtn))
{
cerr<<RTN_Name(myrtn)<<endl;
if(RTN_Name(myrtn)==rtn_name)
{
cerr<<"Rtn Found:"<<rtn_name<<endl;
return myrtn;
}
myrtn=RTN_Next(myrtn);
}
}
temp=SEC_Next(temp);
}
RTN empty;
return empty;
}
//--------------------------------------------------------------------------
static VOID app_start_cb(VOID *v)
{
IMG img = APP_ImgHead();
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) )
{
ADDRINT sec_ea = SEC_Address(sec);
if ( sec_ea != 0 )
{
ADDRINT check;
size_t bytes = PIN_SafeCopy(&check, (void*)sec_ea, sizeof(ADDRINT));
if ( bytes == sizeof(ADDRINT) )
{
if ( min_ea > sec_ea || min_ea == 0 )
min_ea = sec_ea;
if ( max_ea < sec_ea || max_ea == (unsigned)-1 )
max_ea = sec_ea;
segdata_t seg;
seg.size = SEC_Size(sec);
seg.check = check;
seg.written = false;
seg_bytes[sec_ea] = seg;
//cerr << "Monitoring segment " << SEC_Name(sec) << " " << hexstr(sec_ea)
// << ":" << hexstr(sec_ea+SEC_Size(sec)) << endl;
}
}
}
}
// When an image is loaded, check for a MyAlloc function
VOID Image(IMG img, VOID *v)
{
//fprintf(stderr, "Loading %s\n",IMG_name(img));
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
//fprintf(stderr, " sec %s\n", SEC_name(sec).c_str());
for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
//fprintf(stderr, " rtn %s\n", RTN_name(rtn).c_str());
// Swizzle the return value of MyAlloc
if (RTN_Name(rtn) == "MyAlloc")
{
RTN_Open(rtn);
fprintf(stderr, "Adding Swizzle to %s\n", "MyAlloc");
RTN_InsertCall(rtn, IPOINT_AFTER, AFUNPTR(SwizzleRef), IARG_FUNCRET_EXITPOINT_REFERENCE, IARG_END);
RTN_Close(rtn);
}
if (RTN_Name(rtn) == "MyFree")
{
RTN_Open(rtn);
fprintf(stderr, "Adding SwizzleArg to %s\n", "MyFree");
RTN_InsertCall(rtn, IPOINT_BEFORE, AFUNPTR(UnswizzleRef), IARG_FUNCARG_ENTRYPOINT_REFERENCE, 0, IARG_END);
RTN_Close(rtn);
}
}
}
}
void DoReplacementFunc( IMG img, char * funcName)
{
RTN rtnToReplace;
printf ("Image %s\n", IMG_Name(img).c_str());
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
printf (" Rtn: %s %s\n", RTN_Name(rtn).c_str(), funcName);
if (strstr( RTN_Name(rtn).c_str(), funcName))
{
//printf (" found\n");
foundFunc = true;
rtnToReplace = rtn;
break;
}
}
if (foundFunc)
{
break;
}
}
if (!foundFunc)
{
return;
}
printf ( "Found %s %x\n", funcName, RTN_Address(rtnToReplace));
// commented out so that absence of pdb file will not cause failure
if (RTN_IsSafeForProbedReplacement(rtnToReplace))
{
printf ( "RTN_ReplaceSignatureProbed on %s\n", funcName);
foundFunc = true;
PROTO protoOfStdCallFunction1ToBeReplacedByPin
= PROTO_Allocate( PIN_PARG(void *),
CALLINGSTD_STDCALL,
"protoOfStdCallFunction1ToBeReplacedByPin",
PIN_PARG(char),
PIN_PARG(int),
PIN_PARG(char),
PIN_PARG(int),
PIN_PARG_END() );
RTN_ReplaceSignatureProbed(rtnToReplace, AFUNPTR(ReplacementFunc),
IARG_PROTOTYPE, protoOfStdCallFunction1ToBeReplacedByPin,
IARG_ORIG_FUNCPTR,
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
IARG_FUNCARG_ENTRYPOINT_VALUE, 1,
IARG_FUNCARG_ENTRYPOINT_VALUE, 2,
IARG_FUNCARG_ENTRYPOINT_VALUE, 3,
IARG_END);
PROTO_Free( protoOfStdCallFunction1ToBeReplacedByPin );
}
}
void report_image_structure(IMG img, int depth){
UINT32 I1 = IMG_Id(img);
string I2 = IMG_Name(img);
int I3 = IMG_IsMainExecutable( img );
int I4 = IMG_IsStaticExecutable( img );
ADDRINT I5 = IMG_LoadOffset(img);
ADDRINT I6 = IMG_LowAddress(img);
ADDRINT I7 = IMG_HighAddress(img);
ADDRINT I8 = IMG_LoadOffset(img);
ADDRINT I9 = IMG_StartAddress(img);
ADDRINT I10 = IMG_Entry(img);
USIZE I11 = IMG_SizeMapped( img );
IMG_TYPE I12 = IMG_Type(img);
char I13[128];
int k ;
for ( k = 0; k< depth ; k ++ )
TraceFile << "\t" ;
TraceFile << "<IMAGE-LOAD>" << " I1:" << I1 << " I2:" << I2 << " I3:" << I3 << " I4:" << I4 << " I5:" << hex<< I5 << " I6:"<< I6 << " I7:" << I7 << " I8:" << I8 << " I9:"<< I9 << " I10:"<< I10 << " I11:" << I11 ;
switch ( I12 ){
case IMG_TYPE_STATIC:
strcpy( I13 ,"static" ); break;
case IMG_TYPE_SHARED:
strcpy( I13 ,"shared" ); break;
case IMG_TYPE_INVALID:
strcpy( I13 ,"invalid" ); break;
case IMG_TYPE_LAST:
strcpy( I13 ,"last" ); break;
case IMG_TYPE_SHAREDLIB:
strcpy( I13 ,"shared-lib" ); break;
case IMG_TYPE_RELOCATABLE:
strcpy( I13 ,"relocatable" ); break;
case IMG_TYPE_DYNAMIC_CODE:
strcpy( I13 ,"dynamic-code" ); break;
default:
strcpy( I13 ,"UNKNOWN" ); break; }
TraceFile << " I12:" << I12 << " I13:" << I13 << endl;
for( SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
report_section_structure( sec, depth + 1 );
}
/* */
for (SYM sym = IMG_RegsymHead(img); SYM_Valid(sym); sym = SYM_Next(sym)){
report_sym_structure( sym, depth +1 );
}
for ( k = 0; k< depth ; k ++ )
TraceFile << "\t" ;
TraceFile << "</IMAGE-LOAD>" << endl;
}
// - Get initial entropy
// - Get PE section data
// - Add filtered library
void imageLoadCallback(IMG img,void *){
Section item;
static int va_hooked = 0;
//get the initial entropy of the PE
//we have to consder only the main executable and avìvoid the libraries
if(IMG_IsMainExecutable(img)){
ProcInfo *proc_info = ProcInfo::getInstance();
//get the address of the first instruction
proc_info->setFirstINSaddress(IMG_Entry(img));
//get the program name
proc_info->setProcName(IMG_Name(img));
//get the initial entropy
MYINFO("----------------------------------------------");
float initial_entropy = proc_info->GetEntropy();
proc_info->setInitialEntropy(initial_entropy);
MYINFO("----------------------------------------------");
//retrieve the section of the PE
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
item.name = SEC_Name(sec);
item.begin = SEC_Address(sec);
item.end = item.begin + SEC_Size(sec);
proc_info->insertSection(item);
}
//DEBUG
proc_info->PrintSections();
}
//build the filtered libtrary list
FilterHandler *filterH = FilterHandler::getInstance();
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
const string name = IMG_Name(img);
if(!IMG_IsMainExecutable(img) && filterH->isKnownLibrary(name)){
/* searching for VirtualAlloc */
RTN rtn = RTN_FindByName( img, "VirtualAlloc");
if(rtn != RTN_Invalid()){
MYINFO("BECCATO LA VIRTUAL ALLOC\n");
ADDRINT va_address = RTN_Address(rtn);
MYINFO("Address of VirtualAlloc: %08x\n" , va_address);
RTN_Open(rtn);
RTN_InsertCall(rtn, IPOINT_AFTER, (AFUNPTR)VirtualAllocHook , IARG_G_ARG0_CALLEE , IARG_G_ARG1_CALLEE , IARG_G_RESULT0, IARG_END);
RTN_Close(rtn);
}
filterH->addLibrary(name,startAddr,endAddr);
}
}
VOID Image(IMG img, void * v)
{
cout << "IMG = " << IMG_Name(img) << endl;
for( SEC sec=IMG_SecHead(img); SEC_Valid(sec) ; sec=SEC_Next(sec) )
{
if ( SEC_IsExecutable(sec) )
{
for( RTN rtn=SEC_RtnHead(sec); RTN_Valid(rtn) ; rtn=RTN_Next(rtn) )
Routine(rtn,v);
}
}
}
// Pin calls this function every time a new img is loaded
VOID ImageLoad(IMG img, VOID *v)
{
if (!IMG_IsMainExecutable(img))
return;
printf("%s loaded\n", IMG_Name(img).c_str());
fflush(stdout);
ADDRINT imageBase = IMG_LowAddress(img);
WINDOWS::PIMAGE_DATA_DIRECTORY pExpDir = GetExportDirectory(imageBase);
if ((pExpDir == 0) || (pExpDir->Size == 0))
{
// Failure: Executable image lacks export directory.
printf("ERROR: No export directory in executable image\n");
fflush(stdout);
exit(3);
}
ADDRINT exportBase = imageBase + pExpDir->VirtualAddress;
// First check that bytes in export directory range do not belong to a RTN
for (ADDRINT addr = exportBase; addr < exportBase + pExpDir->Size; ++addr)
{
if (RTN_FindByAddress(addr) != RTN_Invalid())
{
// Test failure. Byte in export directory belongs to a RTN.
printf("ERROR: Data from export directory included in RTN\n");
fflush(stdout);
exit(1);
}
}
// Second check RTN size. RTN range should not overlap with export directory range.
for (SEC sec = IMG_SecHead(img); sec != SEC_Invalid(); sec = SEC_Next(sec))
{
for (RTN rtn = SEC_RtnHead(sec); rtn != RTN_Invalid(); rtn = RTN_Next(rtn))
{
if (((RTN_Address(rtn) <= exportBase) && (RTN_Address(rtn) + RTN_Size(rtn) > exportBase)) ||
((RTN_Address(rtn) > exportBase) && (exportBase + pExpDir->Size > RTN_Address(rtn))))
{
// Test failure. RTN overlaps with export directory.
printf("ERROR: RTN overlaps with export directory\n");
fflush(stdout);
exit(2);
}
}
}
return;
}
VOID Image(IMG img, VOID * v)
{
if (strstr (IMG_Name(img).c_str(), "flags_at_analysis_app")==NULL)
{
return;
}
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
// Prepare for processing of RTN, an RTN is not broken up into BBLs,
// it is merely a sequence of INSs
RTN_Open(rtn);
for (INS ins = RTN_InsHead(rtn); INS_Valid(ins); ins = INS_Next(ins))
{
if (INS_Opcode(ins)==XED_ICLASS_POPF
|| INS_Opcode(ins)==XED_ICLASS_POPFD
|| INS_Opcode(ins)==XED_ICLASS_POPFQ)
{ // popf is the marker
printf ("found popf in rtn %s\n", RTN_Name(rtn).c_str());
if (!INS_Valid(INS_Next(ins)) || !INS_Valid(INS_Next(INS_Next(ins))))
{
printf ("wrong popf marker found\n");
exit (-1);
}
printf ("next ins should be cmp al, 0x81 it is %s\n", INS_Disassemble(INS_Next(ins)).c_str());
printf ("next ins should be xor ecx, ecx it is %s\n", INS_Disassemble(INS_Next(INS_Next(ins))).c_str());
// Insert analysis calls to read the value of the flags register just after the cmp al, 0x81 - the OF flag should be set
INS_InsertIfCall(INS_Next(INS_Next(ins)), IPOINT_BEFORE, (AFUNPTR)IfReturnTrue,
IARG_INST_PTR,
IARG_END);
INS_InsertThenCall(INS_Next(INS_Next(ins)), IPOINT_BEFORE, (AFUNPTR)ThenFunc,
IARG_REG_VALUE, REG_GFLAGS,
IARG_END);
INS_InsertCall(INS_Next(INS_Next(ins)), IPOINT_BEFORE, (AFUNPTR)AnalysisFunc,
IARG_REG_VALUE, REG_GFLAGS,
IARG_END);
}
}
// to preserve space, release data associated with RTN after we have processed it
RTN_Close(rtn);
}
}
}
VOID Image(IMG img, void *v)
{
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
RTN_Open(rtn);
RTN_InsertCall( rtn, IPOINT_BEFORE, AFUNPTR(AtRtn1), IARG_PTR, RTN_Name(rtn).c_str(), IARG_TSC, IARG_INST_PTR , IARG_END);
RTN_InsertCall( rtn, IPOINT_BEFORE, AFUNPTR(AtRtn2), IARG_FAST_ANALYSIS_CALL, IARG_PTR, RTN_Name(rtn).c_str(), IARG_TSC, IARG_INST_PTR , IARG_END);
RTN_Close(rtn);
}
}
}
// - Get initial entropy
// - Get PE section data
// - Add filtered library
// - Add protected libraries
void imageLoadCallback(IMG img,void *){
Section item;
static int va_hooked = 0;
ProcInfo *proc_info = ProcInfo::getInstance();
FilterHandler *filterHandler = FilterHandler::getInstance();
//get the initial entropy of the PE
//we have to consder only the main executable and avìvoid the libraries
if(IMG_IsMainExecutable(img)){
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
proc_info->setMainIMGAddress(startAddr, endAddr);
//get the address of the first instruction
proc_info->setFirstINSaddress(IMG_Entry(img));
//get the program name
proc_info->setProcName(IMG_Name(img));
//get the initial entropy
MYINFO("----------------------------------------------");
float initial_entropy = proc_info->GetEntropy();
proc_info->setInitialEntropy(initial_entropy);
MYINFO("----------------------------------------------");
//create Report File
Report::getInstance()->initializeReport(proc_info->getProcName(), startAddr, endAddr , initial_entropy);
//retrieve the section of the PE
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
item.name = SEC_Name(sec);
item.begin = SEC_Address(sec);
item.end = item.begin + SEC_Size(sec);
proc_info->insertSection(item);
}
proc_info->PrintSections();
}
//build the filtered libtrary list
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
const string name = IMG_Name(img);
if(!IMG_IsMainExecutable(img)){
//*** If you need to protect other sections of other dll put them here ***
// check if there are some fuction that has top be hooked in this DLL
hookFun.hookDispatcher(img);
// check if we have to filter this library during thwe instrumentation
proc_info->addLibrary(name,startAddr,endAddr);
if(filterHandler->IsNameInFilteredArray(name)){
filterHandler->addToFilteredLibrary(name,startAddr,endAddr);
MYINFO("Added to the filtered array the module %s\n" , name);
}
}
}
VOID Image(IMG img, VOID * v)
{
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
RTN_Open(rtn);
for (INS ins = RTN_InsHead(rtn); INS_Valid(ins); ins = INS_Next(ins))
{
sandbox.RecordIns(ins);
}
RTN_Close(rtn);
}
}
}
// Grab some detailed information about the image, the number of SECs and RTNs
static VOID CountImageSecsAndRtns (IMG img, int *nSecs, int *nRtns)
{
int numSecs = 0;
int numRtns = 0;
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
numSecs++;
for (RTN rtn=SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
numRtns++;
}
}
*nSecs = numSecs;
*nRtns = numRtns;
}
// Called every time a new image is loaded
// Look for routines that we want to probe
VOID ImageLoad(IMG img, VOID *v)
{
const ANNOTATION *ann = 0;
USIZE num = 0;
printf("Processing %s\n", IMG_Name(img).c_str());
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
if (SEC_Name(sec) == "MyAnnot")
{
ann = reinterpret_cast<const ANNOTATION*>(SEC_Data(sec));
num = SEC_Size(sec) / sizeof(ANNOTATION);
}
}
if (ann)
{
printf("Found annotations: \n");
for (UINT32 i = 0; i < num; i++)
{
ADDRINT addr = ann[i].addr;
ADDRINT val = ann[i].value;
printf("\t%p %p\t", Addrint2VoidStar(addr), Addrint2VoidStar(val));
if (PIN_IsSafeForProbedInsertion(addr))
{
PIN_InsertCallProbed(addr, AFUNPTR(Notification), IARG_ADDRINT, val, IARG_END);
printf(" - OK\n");
}
else
{
printf(" - Failed\n");
}
}
// Set the write line function, from the image of the annotations (i.e. the main executable).
RTN writeRtn = RTN_FindByName(img, "write_line");
if (RTN_Valid(writeRtn))
{
writeFun = (void (*)(char *))RTN_Funptr(writeRtn);
}
}
printf("Completed %s\n", IMG_Name(img).c_str());
}
/**
* Given an address, this function determines the name of the loaded module the
* address belongs to. If the address does not belong to any module, the empty
* string is returned.
**/
std::string getModule(ADDRINT address)
{
// To find the module name of an address, iterate over all sections of all
// modules until a section is found that contains the address.
for(IMG img=APP_ImgHead(); IMG_Valid(img); img = IMG_Next(img))
{
for(SEC sec=IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
if (address >= SEC_Address(sec) && address < SEC_Address(sec) + SEC_Size(sec))
{
return extractFilename(IMG_Name(img));
}
}
}
return "";
}
/**
* Determines whether a given address belongs to a known module or not.
**/
bool isUnknownAddress(ADDRINT address)
{
// An address belongs to a known module, if the address belongs to any
// section of any module in the target address space.
for(IMG img=APP_ImgHead(); IMG_Valid(img); img = IMG_Next(img))
{
for(SEC sec=IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
if (address >= SEC_Address(sec) && address < SEC_Address(sec) + SEC_Size(sec))
{
return false;
}
}
}
return true;
}
// Prints all RTNs in a given IMG to the trace file.
// We use that file later on to see if the record and replay went the same
static VOID PrintRTNs(IMG img)
{
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
if (SEC_Type(sec) != SEC_TYPE_EXEC)
{
continue;
}
for (RTN rtn=SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
if (RTN_IsArtificial(rtn))
{
continue;
}
fprintf(trace, "Function '%s' loaded at %llx\n", RTN_Name(rtn).c_str(), (unsigned long long)RTN_Address(rtn));
}
}
}
// Find and return the memory region of an image's executable section
static ADDRESS_RANGE FindImageTextMargin(IMG img)
{
ADDRESS_RANGE res;
ADDRINT low = ~0L;
ADDRINT high = 0L;
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
if (SEC_Type(sec) != SEC_TYPE_EXEC)
{
continue;
}
low = MIN(low, SEC_Address(sec));
high = MAX(high, SEC_Address(sec) + SEC_Size(sec));
}
res._low = low;
res._high = high;
return res;
}
VOID Image(IMG img, VOID *v)
{
if(IMG_IsMainExecutable(img))
{
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
if (RTN_Name(rtn) == "_NotifyPinAfterMmap" || RTN_Name(rtn) == "NotifyPinAfterMmap")
{
RTN_Open(rtn);
RTN_InsertCall(rtn, IPOINT_BEFORE, (AFUNPTR)MmapAfter,
IARG_FUNCARG_ENTRYPOINT_VALUE, 0, IARG_END);
RTN_Close(rtn);
}
}
}
}
}
static VOID imageLoad(IMG img, VOID *v)
{
// Just instrument the main image.
if (!IMG_IsMainExecutable(img))
return;
for (SEC sec=IMG_SecHead(img); SEC_Valid(sec); sec=SEC_Next(sec))
{
for (RTN rtn=SEC_RtnHead(sec); RTN_Valid(rtn); rtn=RTN_Next(rtn))
{
RTN_Open(rtn);
for (INS ins=RTN_InsHead(rtn); INS_Valid(ins); ins=INS_Next(ins))
{
INS_InsertCall(ins, IPOINT_BEFORE,
(AFUNPTR)incCount, IARG_END);
}
RTN_Close(rtn);
}
}
}
VOID ImageUnload(IMG img, VOID * v)
{
if ( KnobNoSharedLibs.Value()
&& IMG_Type(img) == IMG_TYPE_SHAREDLIB)
return;
out << "Image: " << IMG_Name(img) << endl;
// Visit all the sections of the image that are executable
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
if (SEC_Type(sec) != SEC_TYPE_EXEC)
continue;
out << " Section: " << SEC_Name(sec) << endl;
// Print the addresses of instructions that were not executed
PrintUntouchedRanges(sec);
}
}
// When an image is loaded, check for a MyAlloc function
VOID Image(IMG img, VOID *v)
{
//fprintf(stderr, "Loading %s\n",IMG_name(img));
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
//fprintf(stderr, " sec %s\n", SEC_name(sec).c_str());
for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
//fprintf(stderr, " rtn %s\n", RTN_name(rtn).c_str());
// Swizzle the return value of MyAlloc
#if defined(TARGET_MAC)
if (RTN_Name(rtn) == "_MyAlloc")
#else
if (RTN_Name(rtn) == "MyAlloc")
#endif
{
RTN_Open(rtn);
fprintf(stderr, "Adding swizzle to %s\n", "MyAlloc");
RTN_InsertCall(rtn, IPOINT_AFTER, AFUNPTR(Swizzle), IARG_REG_VALUE, REG_GAX, IARG_RETURN_REGS, REG_GAX, IARG_END);
RTN_Close(rtn);
}
#if defined(TARGET_MAC)
if (RTN_Name(rtn) == "_MyFree")
#else
if (RTN_Name(rtn) == "MyFree")
#endif
{
RTN_Open(rtn);
fprintf(stderr, "Adding unswizzle to %s\n", "MyFree");
RTN_InsertCall(rtn, IPOINT_BEFORE, AFUNPTR(SwizzleArg), IARG_FUNCARG_ENTRYPOINT_REFERENCE, 0, IARG_END);
RTN_Close(rtn);
}
}
}
}
