int main(int argc, char * argv[]){
//If we want to debug the program manually setup the proper options in order to attach an external debugger
if(Config::ATTACH_DEBUGGER){
initDebug();
}
MYINFO("Strating prototype ins");
FilterHandler *filterH = FilterHandler::getInstance();
//set the filters for the libraries
MYINFO("%s",Config::FILTER_WRITES_ENABLES.c_str());
filterH->setFilters(Config::FILTER_WRITES_ENABLES);
//get the start time of the execution (benchmark)
tStart = clock();
// Initialize pin
PIN_InitSymbols();
if (PIN_Init(argc, argv)) return Usage();
INS_AddInstrumentFunction(Instruction,0);
PIN_AddThreadStartFunction(OnThreadStart, 0);
// Register ImageUnload to be called when an image is unloaded
IMG_AddInstrumentFunction(imageLoadCallback, 0);
// Register Fini to be called when the application exits
PIN_AddFiniFunction(Fini, 0);
// Start the program, never returns
PIN_StartProgram();
return 0;
}
// - retrive the stack base address
static VOID OnThreadStart(THREADID, CONTEXT *ctxt, INT32, VOID *){
ADDRINT stackBase = PIN_GetContextReg(ctxt, REG_STACK_PTR);
FilterHandler *filterH = FilterHandler::getInstance();
filterH->setStackBase(stackBase);
}
// - Get initial entropy
// - Get PE section data
// - Add filtered library
void imageLoadCallback(IMG img,void *){
Section item;
static int va_hooked = 0;
//get the initial entropy of the PE
//we have to consder only the main executable and avìvoid the libraries
if(IMG_IsMainExecutable(img)){
ProcInfo *proc_info = ProcInfo::getInstance();
//get the address of the first instruction
proc_info->setFirstINSaddress(IMG_Entry(img));
//get the program name
proc_info->setProcName(IMG_Name(img));
//get the initial entropy
MYINFO("----------------------------------------------");
float initial_entropy = proc_info->GetEntropy();
proc_info->setInitialEntropy(initial_entropy);
MYINFO("----------------------------------------------");
//retrieve the section of the PE
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
item.name = SEC_Name(sec);
item.begin = SEC_Address(sec);
item.end = item.begin + SEC_Size(sec);
proc_info->insertSection(item);
}
//DEBUG
proc_info->PrintSections();
}
//build the filtered libtrary list
FilterHandler *filterH = FilterHandler::getInstance();
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
const string name = IMG_Name(img);
if(!IMG_IsMainExecutable(img) && filterH->isKnownLibrary(name)){
/* searching for VirtualAlloc */
RTN rtn = RTN_FindByName( img, "VirtualAlloc");
if(rtn != RTN_Invalid()){
MYINFO("BECCATO LA VIRTUAL ALLOC\n");
ADDRINT va_address = RTN_Address(rtn);
MYINFO("Address of VirtualAlloc: %08x\n" , va_address);
RTN_Open(rtn);
RTN_InsertCall(rtn, IPOINT_AFTER, (AFUNPTR)VirtualAllocHook , IARG_G_ARG0_CALLEE , IARG_G_ARG1_CALLEE , IARG_G_RESULT0, IARG_END);
RTN_Close(rtn);
}
filterH->addLibrary(name,startAddr,endAddr);
}
}
// - Get initial entropy
// - Get PE section data
// - Add filtered library
// - Add protected libraries
void imageLoadCallback(IMG img,void *){
Section item;
static int va_hooked = 0;
ProcInfo *proc_info = ProcInfo::getInstance();
FilterHandler *filterHandler = FilterHandler::getInstance();
//get the initial entropy of the PE
//we have to consder only the main executable and avìvoid the libraries
if(IMG_IsMainExecutable(img)){
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
proc_info->setMainIMGAddress(startAddr, endAddr);
//get the address of the first instruction
proc_info->setFirstINSaddress(IMG_Entry(img));
//get the program name
proc_info->setProcName(IMG_Name(img));
//get the initial entropy
MYINFO("----------------------------------------------");
float initial_entropy = proc_info->GetEntropy();
proc_info->setInitialEntropy(initial_entropy);
MYINFO("----------------------------------------------");
//create Report File
Report::getInstance()->initializeReport(proc_info->getProcName(), startAddr, endAddr , initial_entropy);
//retrieve the section of the PE
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
item.name = SEC_Name(sec);
item.begin = SEC_Address(sec);
item.end = item.begin + SEC_Size(sec);
proc_info->insertSection(item);
}
proc_info->PrintSections();
}
//build the filtered libtrary list
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
const string name = IMG_Name(img);
if(!IMG_IsMainExecutable(img)){
//*** If you need to protect other sections of other dll put them here ***
// check if there are some fuction that has top be hooked in this DLL
hookFun.hookDispatcher(img);
// check if we have to filter this library during thwe instrumentation
proc_info->addLibrary(name,startAddr,endAddr);
if(filterHandler->IsNameInFilteredArray(name)){
filterHandler->addToFilteredLibrary(name,startAddr,endAddr);
MYINFO("Added to the filtered array the module %s\n" , name);
}
}
}
int mainOLD(int argc, char** argv)
{
cout << "creating cloud...";
PointCloud<PointXYZ>::Ptr cloud = createCloud("bun.pcd");
cout << "DONE" << endl;
cout << "filtering cloud...";
FilterHandler * filter = new FilterHandler(cloud, "bun_filtered.pcd");
cloud = filter->passThroughFilter("z", 0.0, 1);
cout << "DONE" << endl;
cout << "calculating normals...";
NormalCalculator * normals = new NormalCalculator(cloud);
normals->getReady(20);
normals->calculate();
cout << "DONE" << endl;
cout << "merging normals with cloud...";
PointCloud<PointNormal>::Ptr cloud_w_normals = normals->mergeCloudWithNormals();
cout << "DONE" << endl;
cout << "building the mesh...";
PolygonMesh mesh = buildMesh(cloud_w_normals, "bun.vtk", 0.025, 2.5, 100, M_PI/4, M_PI/18, 2*M_PI/3, false);
cout << "DONE" << endl;
showMesh(mesh);
return 0;
}
void imageLoadCallback(IMG img,void *){
//get the initial entropy of the PE
//we have to consder only the main executable and avìvoid the libraries
if(IMG_IsMainExecutable(img)){
ProcInfo *proc_info = ProcInfo::getInstance();
proc_info->setFirstINSaddress(IMG_Entry(img));
MYLOG("INIT : %08x", proc_info->getFirstINSaddress());
MYLOG("----------------------------------------------");
float initial_entropy = proc_info->GetEntropy();
proc_info->setInitialEntropy(initial_entropy);
MYLOG("----------------------------------------------");
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
Section item;
item.name = SEC_Name(sec);
item.begin = SEC_Address(sec);
item.end = item.begin + SEC_Size(sec);
proc_info->insertSection(item);
}
proc_info->PrintSections();
}
FilterHandler *filterH = FilterHandler::getInstance();
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
const string name = IMG_Name(img);
if(!IMG_IsMainExecutable(img) && filterH->isKnownLibrary(name)){
filterH->addLibrary(name,startAddr,endAddr);
}
}
int main(int argc, char * argv[])
{
MYLOG("Strating prototype ins\n");
FilterHandler *filterH = FilterHandler::getInstance();
filterH->setFilters("teb");
tStart = clock();
// Initialize pin
PIN_InitSymbols();
if (PIN_Init(argc, argv)) return Usage();
// TRACE_AddInstrumentFunction(Trace,0);
INS_AddInstrumentFunction(Instruction,0);
PIN_AddThreadStartFunction(OnThreadStart, 0);
// Register ImageLoad to be called when an image is loaded
IMG_AddInstrumentFunction(imageLoadCallback, 0);
// Register ImageUnload to be called when an image is unloaded
IMG_AddUnloadFunction(ImageUnloadCallback, 0);
//PIN_AddApplicationStartFunction(bootstrap, 0);
// Register Fini to be called when the application exits
PIN_AddFiniFunction(Fini, 0);
// Start the program, never returns
PIN_StartProgram();
return 0;
}
void PINshield::avoidEvasion(INS ins){
ADDRINT curEip = INS_Address(ins);
ProcInfo *pInfo = ProcInfo::getInstance();
Config *config = Config::getInstance();
FilterHandler *filterHandler = FilterHandler::getInstance();
//Filter instructions inside a known library (only graphic dll)
if(filterHandler->isFilteredLibraryInstruction(curEip)){
return;
}
// Pattern matching in order to avoid the dead path of obsidium
if(strcmp( (INS_Disassemble(ins).c_str() ),"xor eax, dword ptr [edx+ecx*8+0x4]") == 0){
MYTEST("Obsidium_evasion");
REGSET regsIn;
REGSET_AddAll(regsIn);
REGSET regsOut;
REGSET_AddAll(regsOut);
if(INS_HasFallThrough(ins)){
INS_InsertCall(ins,IPOINT_AFTER,(AFUNPTR)KillObsidiumDeadPath, IARG_PARTIAL_CONTEXT, ®sIn, ®sOut,IARG_END);
}
}
// 1 - single instruction detection
if(config->ANTIEVASION_MODE_INS_PATCHING && this->evasionPatcher.patchDispatcher(ins, curEip)){
return;
}
// 2 - memory read
// Checking if there is a read at addresses that the application shouldn't be aware of
if(config->ANTIEVASION_MODE_SREAD){
for (UINT32 op = 0; op<INS_MemoryOperandCount(ins); op++) {
if (INS_MemoryOperandIsRead(ins,op)) {
//if first read initialize the FakeReadHandler
if(firstRead == 0){
fakeMemH.initFakeMemory();
firstRead=1;
}
REG scratchReg = GetScratchReg(op);
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(handleRead),
IARG_INST_PTR,
IARG_MEMORYOP_EA, op,
IARG_PTR, &fakeMemH,
IARG_RETURN_REGS, scratchReg,
IARG_END);
INS_RewriteMemoryOperand(ins, op, scratchReg);
}
}
}
//3. memory write filter
if(config->ANTIEVASION_MODE_SWRITE){
for (UINT32 op = 0; op<INS_MemoryOperandCount(ins); op++) {
if(INS_MemoryOperandIsWritten(ins,op) && INS_IsMov(ins)){
REG writeReg = GetScratchReg(op);
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(handleWrite),
IARG_INST_PTR,
IARG_MEMORYOP_EA, op,
IARG_PTR, &fakeWriteH,
IARG_RETURN_REGS, writeReg, // this is an output param
IARG_END);
INS_RewriteMemoryOperand(ins, op, writeReg);
}
}
}
}
// - Get initial entropy
// - Get PE section data
// - Add filtered library
void imageLoadCallback(IMG img,void *){
/*for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
for( RTN rtn= SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn) ){
MYINFO("Inside %s -> %s",IMG_Name(img).c_str(),RTN_Name(rtn).c_str());
}
}*/
Section item;
static int va_hooked = 0;
ProcInfo *proc_info = ProcInfo::getInstance();
FilterHandler *filterHandler = FilterHandler::getInstance();
//get the initial entropy of the PE
//we have to consder only the main executable and avìvoid the libraries
if(IMG_IsMainExecutable(img)){
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
proc_info->setMainIMGAddress(startAddr, endAddr);
//get the address of the first instruction
proc_info->setFirstINSaddress(IMG_Entry(img));
//get the program name
proc_info->setProcName(IMG_Name(img));
//get the initial entropy
MYINFO("----------------------------------------------");
float initial_entropy = proc_info->GetEntropy();
proc_info->setInitialEntropy(initial_entropy);
MYINFO("----------------------------------------------");
//retrieve the section of the PE
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
item.name = SEC_Name(sec);
item.begin = SEC_Address(sec);
item.end = item.begin + SEC_Size(sec);
proc_info->insertSection(item);
}
//DEBUG
proc_info->PrintSections();
}
//build the filtered libtrary list
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
const string name = IMG_Name(img);
if(!IMG_IsMainExecutable(img)){
if(name.find("ntdll")!= std::string::npos){
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
if(strcmp(SEC_Name(sec).c_str(),".text")==0){
proc_info->addProtectedSection(SEC_Address(sec),SEC_Address(sec)+SEC_Size(sec));
}
}
}
//*** If you need to protect other sections of other dll put them here ***
hookFun.hookDispatcher(img);
proc_info->addLibrary(name,startAddr,endAddr);
if(filterHandler->IsNameInFilteredArray(name)){
filterHandler->addToFilteredLibrary(name,startAddr,endAddr);
MYINFO("Added to the filtered array the module %s\n" , name);
}
}
}