/**
* Converts a PIN instruction object into a disassembled string.
**/
std::string dumpInstruction(INS ins)
{
std::stringstream ss;
ADDRINT address = INS_Address(ins);
// Generate address and module information
ss << "0x" << setfill('0') << setw(8) << uppercase << hex << address << "::" << getModule(address) << " ";
// Generate instruction byte encoding
for (int i=0;i<INS_Size(ins);i++)
{
ss << setfill('0') << setw(2) << (((unsigned int) *(unsigned char*)(address + i)) & 0xFF) << " ";
}
for (int i=INS_Size(ins);i<8;i++)
{
ss << " ";
}
// Generate diassembled string
ss << INS_Disassemble(ins);
// Look up call information for direct calls
if (INS_IsCall(ins) && INS_IsDirectBranchOrCall(ins))
{
ss << " -> " << RTN_FindNameByAddress(INS_DirectBranchOrCallTargetAddress(ins));
}
return ss.str();
}
/* Instrumentation of each instruction
* that uses a memory operand
*/
VOID Instruction(INS ins, VOID *v) {
trace_enter();
if (!INS_IsStackRead(ins)) {
for (UINT32 memopIdx = 0; memopIdx < INS_MemoryOperandCount(ins); memopIdx++) {
if (INS_MemoryOperandIsWritten(ins, memopIdx)) {
INS_InsertCall(ins,
IPOINT_BEFORE,
(AFUNPTR) update_stack_heap_region,
IARG_CONST_CONTEXT,
IARG_MEMORYOP_EA, memopIdx,
IARG_END);
UINT32 opIdx = INS_MemoryOperandIndexToOperandIndex(ins, memopIdx);
REG base_reg = INS_OperandMemoryBaseReg(ins, opIdx);
if (base_reg != REG_INVALID()) {
INS_InsertCall(ins,
IPOINT_BEFORE,
(AFUNPTR) check_parameter_out,
IARG_REG_VALUE, base_reg,
IARG_END);
}
}
}
}
if (INS_IsCall(ins)) {
if (INS_IsDirectCall(ins)) {
ADDRINT addr = INS_DirectBranchOrCallTargetAddress(ins);
FID fid = fn_lookup_by_address(addr);
INS_InsertCall(ins,
IPOINT_BEFORE,
(AFUNPTR) fn_call,
IARG_CONST_CONTEXT,
IARG_UINT32, fid,
IARG_END);
}
else {
INS_InsertCall(ins,
IPOINT_BEFORE,
(AFUNPTR) fn_indirect_call,
IARG_CONST_CONTEXT,
IARG_BRANCH_TARGET_ADDR,
IARG_END);
}
}
if (INS_IsRet(ins)) {
INS_InsertCall(ins,
IPOINT_BEFORE,
(AFUNPTR) fn_ret,
IARG_CONST_CONTEXT,
IARG_END);
}
trace_leave();
}
VOID Instruction(INS ins, VOID *v) {
if (!init)
Commence();
if (INS_IsCall(ins)) {
if (INS_IsDirectCall(ins)) {
ADDRINT addr = INS_DirectBranchOrCallTargetAddress(ins);
FID fid = fn_lookup_by_address(addr);
INS_InsertCall(ins,
IPOINT_BEFORE,
(AFUNPTR) fn_call,
IARG_CONST_CONTEXT,
IARG_UINT32, fid,
IARG_BOOL, false,
IARG_END);
}
else {
INS_InsertCall(ins,
IPOINT_BEFORE,
(AFUNPTR) fn_icall,
IARG_CONST_CONTEXT,
IARG_BRANCH_TARGET_ADDR,
IARG_BOOL, false,
IARG_END);
}
}
if (INS_IsIndirectBranchOrCall(ins)) {
if (!INS_IsCall(ins)) {
INS_InsertCall(ins,
IPOINT_BEFORE,
(AFUNPTR) fn_icall,
IARG_CONST_CONTEXT,
IARG_BRANCH_TARGET_ADDR,
IARG_BOOL, true,
IARG_END);
}
}
if (INS_IsRet(ins)) {
INS_InsertCall(ins,
IPOINT_BEFORE,
(AFUNPTR) fn_ret,
IARG_CONST_CONTEXT,
IARG_END);
}
return;
}
VOID CallTrace(TRACE trace, INS ins)
{
if (!KnobTraceCalls)
return;
// RTN = TRACE_Rtn(trace);
// ADDRINT rtn_addr = RTN_Address(rtn);
if (INS_IsBranchOrCall(ins) && !INS_IsDirectBranchOrCall(ins)) {
// Indirect Call
INS_InsertCall(ins, IPOINT_BEFORE,
AFUNPTR(EmitIndirectCall),
IARG_THREAD_ID,
IARG_INST_PTR,
IARG_BRANCH_TARGET_ADDR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_END
);
} else if (INS_IsDirectBranchOrCall(ins)) {
// Direct call..
ADDRINT target = INS_DirectBranchOrCallTargetAddress(ins);
INS_InsertCall(ins, IPOINT_BEFORE,
AFUNPTR(EmitDirectCall),
IARG_THREAD_ID,
IARG_INST_PTR,
IARG_ADDRINT, target,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_END
);
} else if (INS_IsRet(ins)) {
INS_InsertCall(ins, IPOINT_BEFORE,
AFUNPTR(EmitReturn),
IARG_THREAD_ID,
IARG_INST_PTR,
IARG_FUNCRET_EXITPOINT_VALUE,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_END
);
}
}
// Pin calls this function every time a new instruction is encountered
VOID Instruction(INS ins, VOID *v)
{
//get the address of the current instruction
ADDRINT address = INS_Address(ins);
//get the string rapresentation of the address
string addr = StringFromAddrint(address);
//if we reach the address of the conditional jump (discover by hand with immunity)
//we substitute this instruction with an uncoditional jump in order o force the execution path
if(addr.compare("0x00411a10") == 0){
//get the jmp target address
ADDRINT tgt = INS_DirectBranchOrCallTargetAddress(ins);
string addr2 = StringFromAddrint(tgt);
//insert the incoditional jmp
INS_InsertDirectJump(ins, IPOINT_BEFORE, tgt);
//fprintf(file, "%s\n", addr2.c_str());
//remove the conditional jmp instruction
INS_Delete(ins);
}
}
VOID Ins( INS ins, VOID *v )
{
if (KnobDetach > 0 && scount > KnobDetach)
return;
if (KnobLog)
{
void *addr = Addrint2VoidStar(INS_Address(ins));
string disasm = INS_Disassemble(ins);
PrintIns(addr, disasm.c_str());
}
scount++;
// call and return need also stack manipulation (see emu_stack.cpp)
// conditional jumps need handling the condition (not supported yet)
if (INS_IsCall(ins) || INS_IsRet(ins) || INS_Category(ins) == XED_CATEGORY_COND_BR)
return;
if (INS_IsIndirectBranchOrCall(ins))
{
INS_InsertCall(ins, IPOINT_BEFORE,
AFUNPTR(EmuIndJmp),
IARG_BRANCH_TARGET_ADDR,
IARG_RETURN_REGS, scratchReg, IARG_END);
INS_InsertIndirectJump(ins, IPOINT_AFTER, scratchReg);
INS_Delete(ins);
}
else if (INS_IsDirectBranchOrCall(ins))
{
ADDRINT tgt = INS_DirectBranchOrCallTargetAddress(ins);
INS_InsertDirectJump(ins, IPOINT_AFTER, tgt);
INS_Delete(ins);
}
}
VOID Ins(INS ins, VOID *v)
{
if (!INS_IsCall(ins))
return;
if (foobarAddress != 0
&& INS_IsDirectBranchOrCall(ins)
&& INS_DirectBranchOrCallTargetAddress(ins) == foobarAddress)
{
TraceFile << "Instrument call to foobar" << endl;
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(FoobarArgs), IARG_G_ARG0_CALLER, IARG_G_ARG1_CALLER, IARG_END);
}
static BOOL first = true;
if (!first)
return;
first = false;
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(CallArgs), IARG_G_ARG0_CALLER, IARG_END);
}
VOID Trace(TRACE trace, VOID *v)
{
const BOOL print_args = KnobPrintArgs.Value();
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
INS tail = BBL_InsTail(bbl);
if( INS_IsCall(tail) )
{
if( INS_IsDirectBranchOrCall(tail) )
{
const ADDRINT target = INS_DirectBranchOrCallTargetAddress(tail);
if( print_args )
{
INS_InsertPredicatedCall(tail, IPOINT_BEFORE, AFUNPTR(do_call_args),
IARG_PTR, Target2String(target), IARG_G_ARG0_CALLER, IARG_END);
}
else
{
INS_InsertPredicatedCall(tail, IPOINT_BEFORE, AFUNPTR(do_call),
IARG_PTR, Target2String(target), IARG_END);
}
}
else
{
if( print_args )
{
INS_InsertCall(tail, IPOINT_BEFORE, AFUNPTR(do_call_args_indirect),
IARG_BRANCH_TARGET_ADDR, IARG_BRANCH_TAKEN, IARG_G_ARG0_CALLER, IARG_END);
}
else
{
INS_InsertCall(tail, IPOINT_BEFORE, AFUNPTR(do_call_indirect),
IARG_BRANCH_TARGET_ADDR, IARG_BRANCH_TAKEN, IARG_END);
}
}
}
else
{
// sometimes code is not in an image
RTN rtn = TRACE_Rtn(trace);
// also track stup jumps into share libraries
if( RTN_Valid(rtn) && !INS_IsDirectBranchOrCall(tail) && ".plt" == SEC_Name( RTN_Sec( rtn ) ))
{
if( print_args )
{
INS_InsertCall(tail, IPOINT_BEFORE, AFUNPTR(do_call_args_indirect),
IARG_BRANCH_TARGET_ADDR, IARG_BRANCH_TAKEN, IARG_G_ARG0_CALLER, IARG_END);
}
else
{
INS_InsertCall(tail, IPOINT_BEFORE, AFUNPTR(do_call_indirect),
IARG_BRANCH_TARGET_ADDR, IARG_BRANCH_TAKEN, IARG_END);
}
}
}
}
}
// -------------------------------------------------------------
// Trace instrumentation function
// -------------------------------------------------------------
void I_Trace(TRACE trace, void *v) {
BOOL isPLT = IsPLT(TRACE_Rtn(trace));
#if DEBUG_INS
printf("-- Instrumenting trace %X of function %s\n",
TRACE_Address(trace), RTN_Valid(TRACE_Rtn(trace)) ? RTN_Name(TRACE_Rtn(trace)).c_str() : "<unknown_routine>");
#endif
// scan BBLs within the current trace
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) {
// instrument memory reads and writes
for(INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins))
Instruction(ins);
INS tail = BBL_InsTail(bbl);
// skip system calls
if ( INS_IsSyscall(tail) ) continue;
// instrument .plt stub calls
if ( isPLT ) {
#if DEBUG_INS
printf(" > .plt stub call\n");
#endif
if (gSetup.callingSite) {
if (gSetup.memBuf)
INS_InsertCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessIndirectCallCSBuf,
IARG_FAST_ANALYSIS_CALL,
IARG_INST_PTR,
IARG_BRANCH_TARGET_ADDR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_CONTEXT,
IARG_END);
else
INS_InsertCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessIndirectCallCS,
IARG_FAST_ANALYSIS_CALL,
IARG_INST_PTR,
IARG_BRANCH_TARGET_ADDR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_END);
}
else {
if (gSetup.memBuf)
INS_InsertCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessIndirectCallBuf,
IARG_FAST_ANALYSIS_CALL,
IARG_BRANCH_TARGET_ADDR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_CONTEXT,
IARG_END);
else
INS_InsertCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessIndirectCall,
IARG_FAST_ANALYSIS_CALL,
IARG_BRANCH_TARGET_ADDR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_END);
}
continue;
}
// instrument all calls and returns
if ( INS_IsCall(tail) ) {
// direct call
if( INS_IsDirectBranchOrCall(tail) ) {
// get target address
ADDRINT target = Target2FunAddr(INS_DirectBranchOrCallTargetAddress(tail));
#if DEBUG_INS
printf(" > Direct call to %s\n", Target2RtnName(target).c_str());
#endif
// instrument direct call: target address determined here
if (gSetup.callingSite) {
if (gSetup.memBuf)
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessDirectCallCSBuf,
IARG_FAST_ANALYSIS_CALL,
IARG_INST_PTR,
IARG_ADDRINT, target,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_CONTEXT,
IARG_END);
else
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessDirectCallCS,
IARG_FAST_ANALYSIS_CALL,
IARG_INST_PTR,
IARG_ADDRINT, target,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_END);
}
else {
if (gSetup.memBuf)
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessDirectCallBuf,
IARG_FAST_ANALYSIS_CALL,
IARG_ADDRINT, target,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_CONTEXT,
IARG_END);
else
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessDirectCall,
IARG_FAST_ANALYSIS_CALL,
IARG_ADDRINT, target,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_END);
}
}
// indirect call: target address determined at call time
else {
#if DEBUG_INS
printf(" > Indirect call\n");
#endif
// instrument indirect call
if (gSetup.callingSite) {
if (gSetup.memBuf)
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessIndirectCallCSBuf,
IARG_FAST_ANALYSIS_CALL,
IARG_INST_PTR,
IARG_BRANCH_TARGET_ADDR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_CONTEXT,
IARG_END);
else
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessIndirectCallCS,
IARG_FAST_ANALYSIS_CALL,
IARG_INST_PTR,
IARG_BRANCH_TARGET_ADDR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_END);
}
else {
if (gSetup.memBuf)
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessIndirectCallBuf,
IARG_FAST_ANALYSIS_CALL,
IARG_BRANCH_TARGET_ADDR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_CONTEXT,
IARG_END);
else
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessIndirectCall,
IARG_FAST_ANALYSIS_CALL,
IARG_BRANCH_TARGET_ADDR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_END);
}
}
continue;
}
if ( INS_IsRet(tail) ) {
#if DEBUG_INS
printf(" > return\n");
#endif
if (gSetup.memBuf)
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessReturnBuf,
IARG_FAST_ANALYSIS_CALL,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_CONTEXT,
IARG_END);
else
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessReturn,
IARG_FAST_ANALYSIS_CALL,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_END);
}
}
}
// Returns a pointer to an IRBuilder object.
// It is up to the user to delete it when times come.
IRBuilder *createIRBuilder(INS ins) {
uint64 address = INS_Address(ins);
std::string disas = INS_Disassemble(ins);
INT32 opcode = INS_Opcode(ins);
IRBuilder *ir = nullptr;
switch (opcode) {
case XED_ICLASS_ADC:
ir = new AdcIRBuilder(address, disas);
break;
case XED_ICLASS_ADD:
ir = new AddIRBuilder(address, disas);
break;
case XED_ICLASS_AND:
ir = new AndIRBuilder(address, disas);
break;
case XED_ICLASS_ANDNPD:
ir = new AndnpdIRBuilder(address, disas);
break;
case XED_ICLASS_ANDNPS:
ir = new AndnpsIRBuilder(address, disas);
break;
case XED_ICLASS_ANDPD:
ir = new AndpdIRBuilder(address, disas);
break;
case XED_ICLASS_ANDPS:
ir = new AndpsIRBuilder(address, disas);
break;
case XED_ICLASS_BSWAP:
ir = new BswapIRBuilder(address, disas);
break;
case XED_ICLASS_CALL_FAR:
case XED_ICLASS_CALL_NEAR:
ir = new CallIRBuilder(address, disas);
break;
case XED_ICLASS_CBW:
ir = new CbwIRBuilder(address, disas);
break;
case XED_ICLASS_CDQE:
ir = new CdqeIRBuilder(address, disas);
break;
case XED_ICLASS_CLC:
ir = new ClcIRBuilder(address, disas);
break;
case XED_ICLASS_CLD:
ir = new CldIRBuilder(address, disas);
break;
case XED_ICLASS_CMC:
ir = new CmcIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVB:
ir = new CmovbIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVBE:
ir = new CmovbeIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVL:
ir = new CmovlIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVLE:
ir = new CmovleIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVNB:
ir = new CmovnbIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVNBE:
ir = new CmovnbeIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVNL:
ir = new CmovnlIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVNLE:
ir = new CmovnleIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVNO:
ir = new CmovnoIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVNP:
ir = new CmovnpIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVNS:
ir = new CmovnsIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVNZ:
ir = new CmovnzIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVO:
ir = new CmovoIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVP:
ir = new CmovpIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVS:
ir = new CmovsIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVZ:
ir = new CmovzIRBuilder(address, disas);
break;
case XED_ICLASS_CMP:
ir = new CmpIRBuilder(address, disas);
break;
case XED_ICLASS_CQO:
ir = new CqoIRBuilder(address, disas);
break;
case XED_ICLASS_CWDE:
ir = new CwdeIRBuilder(address, disas);
break;
case XED_ICLASS_DEC:
ir = new DecIRBuilder(address, disas);
break;
case XED_ICLASS_DIV:
ir = new DivIRBuilder(address, disas);
break;
case XED_ICLASS_IDIV:
ir = new IdivIRBuilder(address, disas);
break;
case XED_ICLASS_IMUL:
ir = new ImulIRBuilder(address, disas);
break;
case XED_ICLASS_INC:
ir = new IncIRBuilder(address, disas);
break;
case XED_ICLASS_JB:
ir = new JbIRBuilder(address, disas);
break;
case XED_ICLASS_JBE:
ir = new JbIRBuilder(address, disas);
break;
case XED_ICLASS_JL:
ir = new JlIRBuilder(address, disas);
break;
case XED_ICLASS_JLE:
ir = new JleIRBuilder(address, disas);
break;
case XED_ICLASS_JMP:
ir = new JmpIRBuilder(address, disas);
break;
case XED_ICLASS_JNB:
ir = new JnbIRBuilder(address, disas);
break;
case XED_ICLASS_JNBE:
ir = new JnbeIRBuilder(address, disas);
break;
case XED_ICLASS_JNL:
ir = new JnlIRBuilder(address, disas);
break;
case XED_ICLASS_JNLE:
ir = new JnleIRBuilder(address, disas);
break;
case XED_ICLASS_JNO:
ir = new JnoIRBuilder(address, disas);
break;
case XED_ICLASS_JNP:
ir = new JnpIRBuilder(address, disas);
break;
case XED_ICLASS_JNS:
ir = new JnsIRBuilder(address, disas);
break;
case XED_ICLASS_JNZ:
ir = new JnzIRBuilder(address, disas);
break;
case XED_ICLASS_JO:
ir = new JoIRBuilder(address, disas);
break;
case XED_ICLASS_JP:
ir = new JpIRBuilder(address, disas);
break;
case XED_ICLASS_JS:
ir = new JsIRBuilder(address, disas);
break;
case XED_ICLASS_JZ:
ir = new JzIRBuilder(address, disas);
break;
case XED_ICLASS_LEA:
ir = new LeaIRBuilder(address, disas);
break;
case XED_ICLASS_LEAVE:
ir = new LeaveIRBuilder(address, disas);
break;
case XED_ICLASS_MOV:
ir = new MovIRBuilder(address, disas);
break;
case XED_ICLASS_MOVAPD:
ir = new MovapdIRBuilder(address, disas);
break;
case XED_ICLASS_MOVAPS:
ir = new MovapsIRBuilder(address, disas);
break;
case XED_ICLASS_MOVDQA:
ir = new MovdqaIRBuilder(address, disas);
break;
case XED_ICLASS_MOVDQU:
ir = new MovdquIRBuilder(address, disas);
break;
case XED_ICLASS_MOVHLPS:
ir = new MovhlpsIRBuilder(address, disas);
break;
case XED_ICLASS_MOVHPD:
ir = new MovhpdIRBuilder(address, disas);
break;
case XED_ICLASS_MOVHPS:
ir = new MovhpsIRBuilder(address, disas);
break;
case XED_ICLASS_MOVLHPS:
ir = new MovlhpsIRBuilder(address, disas);
break;
case XED_ICLASS_MOVLPD:
ir = new MovlpdIRBuilder(address, disas);
break;
case XED_ICLASS_MOVLPS:
ir = new MovlpsIRBuilder(address, disas);
break;
case XED_ICLASS_MOVSX:
case XED_ICLASS_MOVSXD:
ir = new MovsxIRBuilder(address, disas);
break;
case XED_ICLASS_MOVZX:
ir = new MovzxIRBuilder(address, disas);
break;
case XED_ICLASS_MUL:
ir = new MulIRBuilder(address, disas);
break;
case XED_ICLASS_NEG:
ir = new NegIRBuilder(address, disas);
break;
case XED_ICLASS_NOT:
ir = new NotIRBuilder(address, disas);
break;
case XED_ICLASS_OR:
ir = new OrIRBuilder(address, disas);
break;
case XED_ICLASS_ORPD:
ir = new OrpdIRBuilder(address, disas);
break;
case XED_ICLASS_ORPS:
ir = new OrpsIRBuilder(address, disas);
break;
case XED_ICLASS_POP:
ir = new PopIRBuilder(address, disas);
break;
case XED_ICLASS_PUSH:
ir = new PushIRBuilder(address, disas);
break;
case XED_ICLASS_RET_FAR:
case XED_ICLASS_RET_NEAR:
ir = new RetIRBuilder(address, disas);
break;
case XED_ICLASS_ROL:
ir = new RolIRBuilder(address, disas);
break;
case XED_ICLASS_ROR:
ir = new RorIRBuilder(address, disas);
break;
case XED_ICLASS_SAR:
ir = new SarIRBuilder(address, disas);
break;
case XED_ICLASS_SBB:
ir = new SbbIRBuilder(address, disas);
break;
case XED_ICLASS_SETB:
ir = new SetbIRBuilder(address, disas);
break;
case XED_ICLASS_SETBE:
ir = new SetbeIRBuilder(address, disas);
break;
case XED_ICLASS_SETL:
ir = new SetlIRBuilder(address, disas);
break;
case XED_ICLASS_SETLE:
ir = new SetleIRBuilder(address, disas);
break;
case XED_ICLASS_SETNB:
ir = new SetnbIRBuilder(address, disas);
break;
case XED_ICLASS_SETNBE:
ir = new SetnbeIRBuilder(address, disas);
break;
case XED_ICLASS_SETNL:
ir = new SetnlIRBuilder(address, disas);
break;
case XED_ICLASS_SETNLE:
ir = new SetnleIRBuilder(address, disas);
break;
case XED_ICLASS_SETNO:
ir = new SetnoIRBuilder(address, disas);
break;
case XED_ICLASS_SETNP:
ir = new SetnpIRBuilder(address, disas);
break;
case XED_ICLASS_SETNS:
ir = new SetnsIRBuilder(address, disas);
break;
case XED_ICLASS_SETNZ:
ir = new SetnzIRBuilder(address, disas);
break;
case XED_ICLASS_SETO:
ir = new SetoIRBuilder(address, disas);
break;
case XED_ICLASS_SETP:
ir = new SetpIRBuilder(address, disas);
break;
case XED_ICLASS_SETS:
ir = new SetsIRBuilder(address, disas);
break;
case XED_ICLASS_SETZ:
ir = new SetzIRBuilder(address, disas);
break;
case XED_ICLASS_SHL:
// XED_ICLASS_SAL is also a SHL
ir = new ShlIRBuilder(address, disas);
break;
case XED_ICLASS_SHR:
ir = new ShrIRBuilder(address, disas);
break;
case XED_ICLASS_STC:
ir = new StcIRBuilder(address, disas);
break;
case XED_ICLASS_STD:
ir = new StdIRBuilder(address, disas);
break;
case XED_ICLASS_SUB:
ir = new SubIRBuilder(address, disas);
break;
case XED_ICLASS_TEST:
ir = new TestIRBuilder(address, disas);
break;
case XED_ICLASS_XADD:
ir = new XaddIRBuilder(address, disas);
break;
case XED_ICLASS_XCHG:
ir = new XchgIRBuilder(address, disas);
break;
case XED_ICLASS_XOR:
ir = new XorIRBuilder(address, disas);
break;
case XED_ICLASS_XORPD:
ir = new XorpdIRBuilder(address, disas);
break;
case XED_ICLASS_XORPS:
ir = new XorpsIRBuilder(address, disas);
break;
default:
ir = new NullIRBuilder(address, disas);
break;
}
// Populate the operands
const uint32 n = INS_OperandCount(ins);
for (uint32 i = 0; i < n; ++i) {
IRBuilderOperand::operand_t type;
uint32 size = 0;
uint64 val = 0;
//Effective address = Displacement + BaseReg + IndexReg * Scale
uint64 displacement = 0;
uint64 baseReg = ID_INVALID;
uint64 indexReg = ID_INVALID;
uint64 memoryScale = 0;
/* Special case */
if (INS_IsDirectBranchOrCall(ins)){
ir->addOperand(TritonOperand(IRBuilderOperand::IMM, INS_DirectBranchOrCallTargetAddress(ins), 0));
if (INS_MemoryOperandIsWritten(ins, 0))
ir->addOperand(TritonOperand(IRBuilderOperand::MEM_W, 0, INS_MemoryWriteSize(ins)));
break;
}
/* Immediate */
if (INS_OperandIsImmediate(ins, i)) {
type = IRBuilderOperand::IMM;
val = INS_OperandImmediate(ins, i);
}
/* Register */
else if (INS_OperandIsReg(ins, i)) {
type = IRBuilderOperand::REG;
REG reg = INS_OperandReg(ins, i);
val = PINConverter::convertDBIReg2TritonReg(reg); // store the register ID.
if (REG_valid(reg)) {
// check needed because instructions like "xgetbv 0" make
// REG_Size crash.
size = REG_Size(reg);
}
}
/* Memory */
else if (INS_MemoryOperandCount(ins) > 0) {
/* Memory read */
if (INS_MemoryOperandIsRead(ins, 0)) {
type = IRBuilderOperand::MEM_R;
size = INS_MemoryReadSize(ins);
}
/* Memory write */
else {
type = IRBuilderOperand::MEM_W;
size = INS_MemoryWriteSize(ins);
}
}
/* load effective address instruction */
else if (INS_OperandIsAddressGenerator(ins, i)) {
REG reg;
type = IRBuilderOperand::LEA;
displacement = INS_OperandMemoryDisplacement(ins, i);
memoryScale = INS_OperandMemoryScale(ins, i);
reg = INS_OperandMemoryBaseReg(ins, i);
if (REG_valid(reg))
baseReg = PINConverter::convertDBIReg2TritonReg(reg);
reg = INS_OperandMemoryIndexReg(ins, i);
if (REG_valid(reg))
indexReg = PINConverter::convertDBIReg2TritonReg(reg);
}
/* Undefined */
else {
// std::cout << "[DEBUG] Unknown kind of operand: " << INS_Disassemble(ins) << std::endl;
continue;
}
ir->addOperand(TritonOperand(type, val, size, displacement, baseReg, indexReg, memoryScale));
}
// Setup the opcode in the IRbuilder
ir->setOpcode(opcode);
ir->setOpcodeCategory(INS_Category(ins));
ir->setNextAddress(INS_NextAddress(ins));
return ir;
}
// Pin calls this function before a code sequence is executed for the first time
VOID TraceCalls(INS ins, VOID *v)
{
// If we don't have a proper config, we cannot instrument anything
if (config == NULL)
{
return;
}
ADDRINT addr = INS_Address(ins);
IMG img = IMG_FindByAddress(addr);
// We are interested only calls from the JITted code. That code is not part of any valid image
if (IMG_Valid(img) && img != config->img)
{
return;
}
// We don't know the origins of the calls (only the targets) so we need to instrument every call
if (INS_IsCall(ins))
{
bool ok = false;
if (INS_RegRContain(ins, REG_EAX) || INS_RegRContain(ins, REG_EDX))
{
ok = true;
}
else if (INS_IsDirectCall(ins))
{
ADDRINT target_addr = INS_DirectBranchOrCallTargetAddress(ins);
IMG target_img = IMG_FindByAddress(target_addr);
if (!IMG_Valid(img) || img == config->img)
{
ok = true;
}
}
if (ok)
{
// Select which call analysis function to use depending on whether we are in fast mode
AFUNPTR analysisFunc = (AFUNPTR)MethodCallAnalysis;
if (KnobFast.Value())
{
analysisFunc = (AFUNPTR)MethodCallAnalysisFast;
}
ADDRINT ret_addr = INS_NextAddress(ins);
INS_InsertIfCall(ins, IPOINT_BEFORE, (AFUNPTR)ShouldCallBeAnalyzed, IARG_FUNCARG_CALLSITE_REFERENCE, 0, IARG_ADDRINT, ret_addr, IARG_BRANCH_TARGET_ADDR, IARG_END);
INS_InsertThenCall(ins, IPOINT_BEFORE, analysisFunc, IARG_FUNCARG_CALLSITE_REFERENCE, 0, IARG_ADDRINT, ret_addr, IARG_BRANCH_TARGET_ADDR, IARG_END);
returnAddressToInstument[ret_addr] = true;
return;
}
}
if (returnAddressToInstument.find(addr) != returnAddressToInstument.end())
{
// Select which call analysis function to use depending on whether we are in fast mode
AFUNPTR analysisFuncIf = (AFUNPTR)ShouldReturnAddressBeAnalyzed;
AFUNPTR analysisFuncThen = (AFUNPTR)ReturnValueAnalysis;
if (KnobFast.Value())
{
analysisFuncIf = (AFUNPTR)ShouldReturnAddressBeAnalyzedFast;
analysisFuncThen = (AFUNPTR)ReturnValueAnalysisFast;
}
INS_InsertIfCall(ins, IPOINT_BEFORE, analysisFuncIf, IARG_ADDRINT, addr, IARG_END);
INS_InsertThenCall(ins, IPOINT_BEFORE, analysisFuncThen, IARG_ADDRINT, addr, IARG_REG_VALUE, REG_EAX, IARG_FUNCARG_CALLSITE_REFERENCE, 0, IARG_END);
return;
}
}
static void I_Trace(TRACE trace, void *v)
{
//FIXME if (PIN_IsSignalHandler()) {Sequence_ProcessSignalHandler(head)};
for(BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) {
INS tail = BBL_InsTail(bbl);
// All memory reads/writes
for( INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins) ) {
if( INS_IsMemoryRead(ins)
|| INS_HasMemoryRead2(ins)
|| INS_IsMemoryWrite(ins)
) {
INS_InsertCall(ins, IPOINT_BEFORE,
(AFUNPTR)A_DoMem,
IARG_BOOL, INS_IsMemoryWrite(ins),
(INS_IsMemoryWrite(ins) ? IARG_MEMORYWRITE_EA : (INS_IsMemoryRead(ins) ? IARG_MEMORYREAD_EA : IARG_MEMORYREAD2_EA)),
IARG_INST_PTR,
IARG_END);
}
#if defined(TARGET_IA32) && defined (TARGET_WINDOWS)
// on ia-32 windows need to identify
// push
// ret
// in order to process callstack correctly
if (ins != tail)
{
INS_InsertPredicatedCall(ins, IPOINT_BEFORE,
(AFUNPTR)ProcessInst,
IARG_INST_PTR,
IARG_END);
if (INS_Opcode(ins)==XED_ICLASS_PUSH)
{
RecordPush (ins);
}
}
#endif
}
// All calls and returns
if( INS_IsSyscall(tail) ) {
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessSyscall,
IARG_INST_PTR,
IARG_SYSCALL_NUMBER,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_SYSCALL_ARG0,
IARG_END);
} else {
if( INS_IsCall(tail) ) {
if( INS_IsDirectBranchOrCall(tail) ) {
ADDRINT target = INS_DirectBranchOrCallTargetAddress(tail);
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessDirectCall,
IARG_INST_PTR,
IARG_ADDRINT, target,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_END);
} else if( !IsPLT(trace) ) {
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessIndirectCall,
IARG_INST_PTR,
IARG_BRANCH_TARGET_ADDR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_END);
}
}
if( IsPLT(trace) ) {
INS_InsertCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessStub,
IARG_INST_PTR,
IARG_BRANCH_TARGET_ADDR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_END);
}
if( INS_IsRet(tail) ) {
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessReturn,
IARG_INST_PTR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_END);
}
}
}
}
VOID trace_instrument(TRACE trace, VOID *v){
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)){
/* iterate over all basic blocks */
string codelet_string = "";
// this writes disassembly
char codelet_buffer[65536*2]; int cbs = 0;
INS head = BBL_InsHead(bbl);
INS tail = BBL_InsTail(bbl);
ADDRINT stage_entry = INS_Address( head );
ADDRINT target = 0;
if (INS_IsCall(tail)){
if( INS_IsDirectBranchOrCall(tail)){
target = INS_DirectBranchOrCallTargetAddress(tail);}}
INS cur ;
int branch_id = slp_count;
/* If compression is turned off (default), only output the addresses of
* the BBL once
*/
if (!KnobNoCompress){
/* Instrument the head instruction right before it is called, but also
* before we instrument the instructions in the basic block
*/
string msg_pre = "\n@@BBL(" + decstr( branch_id ) + ") STAGE " + Target2String(stage_entry)->c_str() + "\n" ;
INS_InsertCall(head, IPOINT_BEFORE, AFUNPTR(string_report),
IARG_PTR, new string(msg_pre),
IARG_END);
}
/* Walk the list of instructions inside the BBL. Disassemble each, and add
* it to the codelet string. Also, instrument each instruction at the
* point before it is called with the do_count function.
*/
for ( cur = head; INS_Valid( cur ); cur = INS_Next(cur ) ){
cbs += sprintf( codelet_buffer + cbs , "\n\t@%llx\t%s", INS_Address( cur ), INS_Disassemble( cur ).c_str() );
INS_InsertCall(cur, IPOINT_BEFORE, (AFUNPTR)do_count, IARG_ADDRINT, INS_Address( cur ), IARG_END);
}
/* Finish off the codelet assembly string with an out message and
* address ranges of the BBL
*/
cbs += sprintf( codelet_buffer + cbs , "\n\t}BBL.OUT [%d] %llx - %llx\n", branch_id, INS_Address( head ), INS_Address( tail ));
/* If compression is turned on, output the codelet every single time we
* hit the same block.
*/
if(KnobNoCompress){
INS_InsertCall(tail, IPOINT_BEFORE, AFUNPTR(string_report),
IARG_PTR, new string(codelet_buffer),
IARG_END);
slp_count ++;
}
else{
/* add the mapped BBL to output */
TraceFile.write(codelet_buffer, cbs);
/* Instrument the tail instruction by inserting just before it is called
*/
string msg_post = "+@@BBL(" + decstr( branch_id ) + ") ACHIEVE : GOTO " + Target2String(target)->c_str();
INS_InsertCall(tail, IPOINT_BEFORE, AFUNPTR(string_report),
IARG_PTR, new string(msg_post),
IARG_END);
slp_count ++;
}
}
}
VOID Trace(TRACE trace, VOID *v)
{
if(TAINT_Analysis_On&&TAINT_Instrumentation_On)
{
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
if(bbl_taintedmem)
BBL_InsertCall(bbl,IPOINT_BEFORE,(AFUNPTR)bblBegin,IARG_END);
for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins))
{
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)checkEIP,IARG_INST_PTR,IARG_END);
if(INS_IsCall(ins))//detect overflow of stack
{
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)MemofRetAddr,
IARG_MEMORYOP_EA, 0,
IARG_END);
}
if ( INS_Opcode(ins) >= XED_ICLASS_MOV && INS_Opcode(ins) <= XED_ICLASS_MOVZX )//&& INS_Address(ins) == 0x7c80a2f0)//||INS_Address(ins)==0x7c80a2f3))//||( (INS_Opcode(ins) >= XED_ICLASS_POP) && (INS_Opcode(ins) <= XED_ICLASS_POPFQ))||((INS_Opcode(ins) >= XED_ICLASS_PUSH) && (INS_Opcode(ins) <= XED_ICLASS_PUSHFQ))||(INS_Opcode(ins) == XED_ICLASS_LEA))
{
if (INS_has_immed(ins))
{
if (INS_IsMemoryWrite(ins)) //immed -> mem
{
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)ImmedCleanMem,
IARG_MEMORYOP_EA, 0,
IARG_END);
}
else //immed -> reg
{
REG insreg1 = INS_get_write_reg(ins);
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)ImmedCleanReg,
IARG_ADDRINT, (ADDRINT)insreg1,
IARG_END);
}
}
else if (INS_IsMemoryRead(ins)) //mem -> reg
{
//in this case we call MemTaintReg to copy the taint if relevant
REG insreg2 = INS_get_write_reg(ins);
REG basereg2 = INS_get_mem_basereg(ins);
REG indexreg2 = INS_get_mem_indexreg(ins);
//ADDRINT insadd = INS_Address(ins);
//string insdis = INS_Disassemble(ins);
//out << "instruction 2 opcode " << INS_Opcode(ins)<<endl;
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)MemTaintReg,
IARG_MEMORYOP_EA, 0,
IARG_UINT32,INS_MemoryScale(ins),
IARG_ADDRINT, (ADDRINT)basereg2,
IARG_ADDRINT, (ADDRINT)indexreg2,
IARG_ADDRINT, (ADDRINT)insreg2,
IARG_UINT32, INS_Opcode(ins),
IARG_INST_PTR,
IARG_END);
}
else if (INS_IsMemoryWrite(ins)) //reg -> mem
{
//in this case we call RegTaintMem to copy the taint if relevant
REG insreg3 = INS_get_read_reg(ins);
REG basereg3 = INS_get_memwr_basereg(ins);
REG indexreg3 = INS_get_memwr_indexreg(ins);
//ADDRINT insadd = INS_Address(ins);
//IARG_INST_PTR
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)RegTaintMem,
IARG_ADDRINT,(ADDRINT)insreg3,
IARG_UINT32,INS_MemoryScale(ins),
IARG_ADDRINT, (ADDRINT)basereg3,
IARG_ADDRINT, (ADDRINT)indexreg3,
IARG_MEMORYOP_EA, 0,
IARG_UINT32, INS_Opcode(ins),
IARG_INST_PTR,
IARG_END);
}
else if (INS_RegR(ins, 0) != REG_INVALID()) //reg -> reg
{
//in this case we call RegTaintReg
REG Rreg = INS_get_read_reg(ins);
REG Wreg = INS_get_write_reg(ins);
//ADDRINT insadd = INS_Address(ins);
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)RegTaintReg,
IARG_ADDRINT, (ADDRINT)Rreg,
IARG_ADDRINT, (ADDRINT)Wreg,
IARG_UINT32, INS_Opcode(ins),
IARG_INST_PTR,
IARG_END);
}
else //should never happen
{
out << "serious error?!\n" << endl;
}
} // IF opcode is a MOV
/*
if(bbl_taintedmem == 1&&INS_IsBranch(ins))
{
out << BBL_Address(bbl) <<endl;
out << INS_Address(ins)<<endl;
out << INS_NextAddress(ins)<<endl;
out << INS_DirectBranchOrCallTargetAddress(ins)<<endl;
out << " taintBBL: "<<endl;
out << INS_Disassemble(ins) <<endl;
if(INS_NextAddress(ins)>=BBL_Address(bbl)&&INS_NextAddress(ins)<=INS_Address(ins))
{
out << "find bbl loop"<<endl;
//bblLoop = 1;
}
}
*/
if(bbl_taintedmem ==1 && ins==BBL_InsTail(bbl))
{
// out <<"find tainted bbl " <<endl;
// out <<"bbl start address: "<< BBL_Address(bbl) <<endl;
// out <<"bbl size: "<<BBL_Size(bbl) << endl;
// out <<"bbl head: "<< INS_Disassemble(BBL_InsHead(bbl))<<endl;
// out <<"bbl tail: "<< INS_Disassemble(ins) <<endl;
if(INS_DirectBranchOrCallTargetAddress(ins)>=BBL_Address(bbl)&&INS_DirectBranchOrCallTargetAddress(ins)<=INS_Address(ins))
{
out<<endl<<"this tainted bbl is a loop"<<endl;
//BBL_InsertCall(bbl,IPOINT_AFTER,(AFUNPTR)loopBblEnd,IARG_END);
}
}
}// For INS
} // For BBL
}//for enable DTA
} // VOID Trace
