VOID ImageLoad (IMG img, VOID *v)
{
uint32_t id = IMG_Id (img);
std::string iname = IMG_Name(img);
if (id==1) // this is the first image, extract the path and the name of the executable
{
string ename, epath;
MIAMIU::ExtractNameAndPath(iname, epath, ename);
MIAMI::MiamiOptions *mo = MIAMI::mdriver.getProgramOptions();
mo->addExecutableName(ename);
mo->addExecutablePath(epath);
}
// print info about the sections in this image, for debugging
// comment out in production runs
#if DEBUG_CFG_COUNTS
DEBUG_CFG(4,
cerr << "Image: " << iname << ", id " << id << hex
<< " load offser=0x" << IMG_LoadOffset(img)
<< ", low addr=0x" << IMG_LowAddress(img)
<< ", high addr=0x" << IMG_HighAddress(img)
<< ", start addr=0x" << IMG_StartAddress(img)
<< ", mapped size=0x" << IMG_SizeMapped(img) << dec
<< ", has the following sections:" << endl;
for (SEC sec= IMG_SecHead(img) ; SEC_Valid(sec) ; sec = SEC_Next(sec))
{
cerr << "Section " << SEC_Name(sec) << " of type " << SEC_Type(sec)
<< " at address 0x" << hex << SEC_Address(sec) << " of size 0x"
<< SEC_Size(sec) << dec << "/" << SEC_Size(sec) << " bytes:"
<< " valid? " << SEC_Valid(sec) << ", mapped? " << SEC_Mapped(sec)
<< ", executable? " << SEC_IsExecutable(sec)
<< ", readable? " << SEC_IsReadable(sec)
<< ", writable? " << SEC_IsWriteable(sec) << endl;
}
)
VOID Trace(TRACE trace, VOID *v)
{
const BOOL print_args = KnobPrintArgs.Value();
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
INS tail = BBL_InsTail(bbl);
if( INS_IsCall(tail) )
{
if( INS_IsDirectBranchOrCall(tail) )
{
const ADDRINT target = INS_DirectBranchOrCallTargetAddress(tail);
if( print_args )
{
INS_InsertPredicatedCall(tail, IPOINT_BEFORE, AFUNPTR(do_call_args),
IARG_PTR, Target2String(target), IARG_G_ARG0_CALLER, IARG_END);
}
else
{
INS_InsertPredicatedCall(tail, IPOINT_BEFORE, AFUNPTR(do_call),
IARG_PTR, Target2String(target), IARG_END);
}
}
else
{
if( print_args )
{
INS_InsertCall(tail, IPOINT_BEFORE, AFUNPTR(do_call_args_indirect),
IARG_BRANCH_TARGET_ADDR, IARG_BRANCH_TAKEN, IARG_G_ARG0_CALLER, IARG_END);
}
else
{
INS_InsertCall(tail, IPOINT_BEFORE, AFUNPTR(do_call_indirect),
IARG_BRANCH_TARGET_ADDR, IARG_BRANCH_TAKEN, IARG_END);
}
}
}
else
{
// sometimes code is not in an image
RTN rtn = TRACE_Rtn(trace);
// also track stup jumps into share libraries
if( RTN_Valid(rtn) && !INS_IsDirectBranchOrCall(tail) && ".plt" == SEC_Name( RTN_Sec( rtn ) ))
{
if( print_args )
{
INS_InsertCall(tail, IPOINT_BEFORE, AFUNPTR(do_call_args_indirect),
IARG_BRANCH_TARGET_ADDR, IARG_BRANCH_TAKEN, IARG_G_ARG0_CALLER, IARG_END);
}
else
{
INS_InsertCall(tail, IPOINT_BEFORE, AFUNPTR(do_call_indirect),
IARG_BRANCH_TARGET_ADDR, IARG_BRANCH_TAKEN, IARG_END);
}
}
}
}
}
int main(INT32 argc, CHAR **argv)
{
PIN_InitSymbols();
if( PIN_Init(argc,argv) )
{
return Usage();
}
IMG img = IMG_Open(KnobInputFile);
if (!IMG_Valid(img))
{
std::cout << "Could not open " << KnobInputFile.Value() << endl;
exit(1);
}
std::cout << hex;
rtnInternalRangeList.clear();
for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
{
std::cout << "Section: " << setw(8) << SEC_Address(sec) << " " << SEC_Name(sec) << endl;
for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
std::cout << " Rtn: " << setw(8) << hex << RTN_Address(rtn) << " " << RTN_Name(rtn) << endl;
string path;
INT32 line;
PIN_GetSourceLocation(RTN_Address(rtn), NULL, &line, &path);
if (path != "")
{
std::cout << "File " << path << " Line " << line << endl;
}
RTN_Open(rtn);
if (!INS_Valid(RTN_InsHead(rtn)))
{
RTN_Close(rtn);
continue;
}
RTN_INTERNAL_RANGE rtnInternalRange;
rtnInternalRange.start = INS_Address(RTN_InsHead(rtn));
rtnInternalRange.end
= INS_Address(RTN_InsHead(rtn)) + INS_Size(RTN_InsHead(rtn));
INS lastIns = INS_Invalid();
for (INS ins = RTN_InsHead(rtn); INS_Valid(ins); ins = INS_Next(ins))
{
std::cout << " " << setw(8) << hex << INS_Address(ins) << " " << INS_Disassemble(ins) << endl;
if (INS_Valid(lastIns))
{
if ((INS_Address(lastIns) + INS_Size(lastIns)) == INS_Address(ins))
{
rtnInternalRange.end = INS_Address(ins)+INS_Size(ins);
}
else
{
rtnInternalRangeList.push_back(rtnInternalRange);
std::cout << " rtnInternalRangeList.push_back " << setw(8) << hex << rtnInternalRange.start << " " << setw(8) << hex << rtnInternalRange.end << endl;
// make sure this ins has not already appeared in this RTN
for (vector<RTN_INTERNAL_RANGE>::iterator ri = rtnInternalRangeList.begin(); ri != rtnInternalRangeList.end(); ri++)
{
if ((INS_Address(ins) >= ri->start) && (INS_Address(ins)<ri->end))
{
std::cout << "***Error - above instruction already appeared in this RTN\n";
std::cout << " in rtnInternalRangeList " << setw(8) << hex << ri->start << " " << setw(8) << hex << ri->end << endl;
exit (1);
}
}
rtnInternalRange.start = INS_Address(ins);
rtnInternalRange.end = INS_Address(ins) + INS_Size(ins);
}
}
lastIns = ins;
}
RTN_Close(rtn);
rtnInternalRangeList.clear();
}
}
IMG_Close(img);
}
static const char *SEC_Name_detour(SEC sec)
{
return strdup(SEC_Name(sec).c_str());
}
// - Get initial entropy
// - Get PE section data
// - Add filtered library
void imageLoadCallback(IMG img,void *){
/*for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
for( RTN rtn= SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn) ){
MYINFO("Inside %s -> %s",IMG_Name(img).c_str(),RTN_Name(rtn).c_str());
}
}*/
Section item;
static int va_hooked = 0;
ProcInfo *proc_info = ProcInfo::getInstance();
FilterHandler *filterHandler = FilterHandler::getInstance();
//get the initial entropy of the PE
//we have to consder only the main executable and avìvoid the libraries
if(IMG_IsMainExecutable(img)){
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
proc_info->setMainIMGAddress(startAddr, endAddr);
//get the address of the first instruction
proc_info->setFirstINSaddress(IMG_Entry(img));
//get the program name
proc_info->setProcName(IMG_Name(img));
//get the initial entropy
MYINFO("----------------------------------------------");
float initial_entropy = proc_info->GetEntropy();
proc_info->setInitialEntropy(initial_entropy);
MYINFO("----------------------------------------------");
//retrieve the section of the PE
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
item.name = SEC_Name(sec);
item.begin = SEC_Address(sec);
item.end = item.begin + SEC_Size(sec);
proc_info->insertSection(item);
}
//DEBUG
proc_info->PrintSections();
}
//build the filtered libtrary list
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
const string name = IMG_Name(img);
if(!IMG_IsMainExecutable(img)){
if(name.find("ntdll")!= std::string::npos){
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
if(strcmp(SEC_Name(sec).c_str(),".text")==0){
proc_info->addProtectedSection(SEC_Address(sec),SEC_Address(sec)+SEC_Size(sec));
}
}
}
//*** If you need to protect other sections of other dll put them here ***
hookFun.hookDispatcher(img);
proc_info->addLibrary(name,startAddr,endAddr);
if(filterHandler->IsNameInFilteredArray(name)){
filterHandler->addToFilteredLibrary(name,startAddr,endAddr);
MYINFO("Added to the filtered array the module %s\n" , name);
}
}
}
