REG INS_get_memwr_basereg(INS ins) { for (unsigned int i = 0; i < INS_OperandCount(ins); i++) { if (INS_OperandIsMemory(ins, i) && INS_OperandWritten(ins, i)) { return REG_FullRegName(INS_OperandMemoryBaseReg(ins, i)); } } return REG_INVALID(); }
REG INS_get_mem_indexreg(INS ins) { for (unsigned int i = 0; i < INS_OperandCount(ins); i++) { if (INS_OperandIsMemory(ins, i) && INS_OperandRead(ins, i)) { return REG_FullRegName(INS_OperandMemoryIndexReg(ins, i)); } } return REG_INVALID(); }
void convert_load_addr(INS ins, void* v) { if (INS_Opcode(ins) == XED_ICLASS_MOV && INS_IsMemoryRead(ins) && INS_OperandIsReg(ins, 0) && INS_OperandIsMemory(ins, 1)) { // op0 <- *op1 INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(convert), IARG_MEMORYREAD_EA, IARG_END); } }
void SEMAPHORE::cXADD(INS &ins) { // pointeur vers fonction à appeler void (*callback)() = nullptr; // XADD : opérande 0 est soit mémoire, soit registre, opérande 1 tjs registre REG regSrc = INS_OperandReg(ins, 1); UINT32 regSrcSize = getRegSize(regSrc); if (!regSrcSize) return; // registre non géré en marquage else if (INS_OperandIsMemory(ins, 0)) // XADD_M (opérande 0 = mémoire) { switch (regSrcSize) { case 1: callback = (AFUNPTR) sXADD_M<8>; break; case 2: callback = (AFUNPTR) sXADD_M<16>; break; case 4: callback = (AFUNPTR) sXADD_M<32>; break; #if TARGET_IA32E case 8: callback = (AFUNPTR) sXADD_M<64>; break; #endif } INS_InsertCall (ins, IPOINT_BEFORE, callback, IARG_THREAD_ID, IARG_UINT32, regSrc, IARG_REG_VALUE, regSrc, IARG_MEMORYWRITE_EA, IARG_INST_PTR, IARG_END); } else // XADD_R (opérande 0 = registre) { REG regDest = INS_OperandReg(ins, 0); switch (getRegSize(regDest)) { case 1: callback = (AFUNPTR) sXADD_R<8>; break; case 2: callback = (AFUNPTR) sXADD_R<16>; break; case 4: callback = (AFUNPTR) sXADD_R<32>; break; #if TARGET_IA32E case 8: callback = (AFUNPTR) sXADD_R<64>; break; #endif } INS_InsertCall (ins, IPOINT_BEFORE, callback, IARG_THREAD_ID, IARG_UINT32, regSrc, IARG_REG_VALUE, regSrc, IARG_UINT32, regDest, IARG_REG_VALUE, regDest, IARG_INST_PTR, IARG_END); } } // cXADD
void processMemoryWriteInstruction(INS ins, const char* imageName) { UINT32 memoryOperandCount = INS_MemoryOperandCount(ins); for (UINT32 i = 0; i < memoryOperandCount; ++i) { if (INS_MemoryOperandIsWritten(ins, i) && INS_OperandIsMemory(ins, i)) { INS_InsertPredicatedCall(ins, IPOINT_BEFORE, (AFUNPTR) Write, IARG_THREAD_ID, IARG_MEMORYOP_EA, i, IARG_REG_VALUE, REG_STACK_PTR, //pass current stack ptr IARG_PTR, imageName, IARG_INST_PTR, IARG_MEMORYWRITE_SIZE, IARG_CALL_ORDER, CALL_ORDER_FIRST + 30, IARG_END); } } }
void taint_ins(INS ins, void *v) { uint32_t opcode = INS_Opcode(ins); uint32_t opcount = INS_OperandCount(ins); // the generic stuff only supports up to 5 operands if(opcount < 6 && taint_handler_count[opcode] != 0) { // first we have to build up the flags, which is kind of expensive. uint32_t flags = 0; for (uint32_t i = 0; i < opcount; i++) { uint32_t op_flag = 0; if(INS_OperandIsMemory(ins, i) != 0) { op_flag |= T_MEM; } if(INS_OperandIsAddressGenerator(ins, i) != 0) { op_flag |= T_ADR; } if(INS_OperandIsReg(ins, i) != 0) { op_flag |= T_REG; } if(INS_OperandIsImmediate(ins, i) != 0) { op_flag |= T_IMM; } if(INS_OperandRead(ins, i) != 0) { op_flag |= T_RD; } if(INS_OperandWritten(ins, i) != 0) { op_flag |= T_WR; } flags |= op_flag << (6 * i); } for (uint32_t i = 0; i < taint_handler_count[opcode]; i++) { if(taint_handler_flag[opcode][i] == flags) { taint_prop_handle(ins, taint_handler_fn[opcode][i], taint_handler_args[opcode][i]); return; } } } }
VOID EmulateLoad(INS ins, VOID* v) { if (INS_Opcode(ins) == XED_ICLASS_MOV && INS_IsMemoryRead(ins) && INS_OperandIsReg(ins, 0) && INS_OperandIsMemory(ins, 1)) { // op0 <- *op1 INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(DoLoad), IARG_UINT32, REG(INS_OperandReg(ins, 0)), IARG_MEMORYREAD_EA, IARG_RETURN_REGS, INS_OperandReg(ins, 0), IARG_END); INS_Delete(ins); } }
VOID RewriteBases(INS ins, BOOL * live) { for (UINT32 i = 0; i < INS_OperandCount(ins); i++) { if (!INS_OperandIsMemory(ins, i)) continue; if (INS_OperandMemoryIndexReg(ins, i) != REG_INVALID()) { CheckEffectiveAddress(ins); return; } REG baseReg = INS_OperandMemoryBaseReg(ins, i); // If no basereg is used, then it must be an absolute address if (baseReg == REG_INVALID()) continue; // No need to rewrite stack references if (baseReg == REG_ESP) continue; // If we reach this point, we have an instruction that // must be rewritten, but if the memory operand is // implicit, we can't rewrite the base register if (INS_OperandIsImplicit(ins, i)) { CheckEffectiveAddress(ins); return; } REG shadowReg = ShadowReg(baseReg); INS_OperandMemorySetBaseReg(ins, i, shadowReg); // Remember to write the shadow register live[RegIndex(baseReg)] = true; } }
VOID Instruction(INS ins, VOID *v) { INT32 count = INS_OperandCount(ins); for (INT32 i = 0; i < 5; i++) { if (i >= count) { dis << " "; continue; } else if (INS_OperandIsAddressGenerator(ins, i)) dis << "AGN"; else if (INS_OperandIsMemory(ins, i)) { dis << "MEM"; dis << " " << REG_StringShort(INS_OperandMemoryBaseReg(ins, i)); } else if (INS_OperandIsReg(ins, i)) dis << "REG"; else if (INS_OperandIsImmediate(ins, i)) dis << "IMM"; else if (INS_OperandIsDisplacement(ins, i)) dis << "DSP"; else dis << "XXX"; if (INS_OperandIsImplicit(ins, i)) dis << ":IMP "; else dis << " "; } dis << INS_Disassemble(ins) << endl; }
VOID EmulateLoad(INS ins, VOID* v) { // Find the instructions that move a value from memory to a register if (INS_Opcode(ins) == XED_ICLASS_MOV && INS_IsMemoryRead(ins) && INS_OperandIsReg(ins, 0) && INS_OperandIsMemory(ins, 1)) { // op0 <- *op1 INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(DoLoad), IARG_UINT32, REG(INS_OperandReg(ins, 0)), IARG_MEMORYREAD_EA, IARG_RETURN_REGS, INS_OperandReg(ins, 0), IARG_END); // Delete the instruction INS_Delete(ins); } }
VOID HandleAccess (INS ins, BOOL isRead, BOOL *hasSegmentedMemAccess) { UINT32 operandCount = INS_OperandCount (ins); UINT32 i, displacement, scale; REG baseReg = REG_INVALID(), indexReg = REG_INVALID(); *hasSegmentedMemAccess = FALSE; for (i=0; i<operandCount; i++) { if (INS_OperandIsMemory (ins, i) && (INS_OperandMemorySegmentReg (ins, i) == TESTED_SEG_REG ) && ((isRead && INS_OperandRead (ins, i)) || (!isRead && INS_OperandWritten (ins, i))) ) { displacement = INS_OperandMemoryDisplacement (ins, i); baseReg = INS_OperandMemoryBaseReg (ins, i); indexReg = INS_OperandMemoryIndexReg (ins, i); scale = INS_OperandMemoryScale (ins, i); *hasSegmentedMemAccess = TRUE; break; } } /*fprintf(trace, " SegMemAccess-%s (hasSegmentedMemAccess %d) (operand %d) %p %s\n", isRead?"READ":"WRITE", *hasSegmentedMemAccess, i, INS_Address(ins), INS_Disassemble(ins).c_str());*/ if (baseReg != REG_INVALID()) { if (indexReg != REG_INVALID()) { if (isRead) { INS_InsertPredicatedCall( ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeSegmentedMemAccessBaseIndexDispl, IARG_INST_PTR, IARG_MEMORYREAD_EA, IARG_UINT32, BASE_INDEX_DISPLACEMENT_ADDRESSING_READ_TYPE, IARG_REG_VALUE, baseReg, IARG_REG_VALUE, indexReg, IARG_UINT32, scale, IARG_UINT32, displacement, IARG_THREAD_ID, IARG_END); } else { INS_InsertPredicatedCall( ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeSegmentedMemAccessBaseIndexDispl, IARG_INST_PTR, IARG_MEMORYWRITE_EA, IARG_UINT32, BASE_INDEX_DISPLACEMENT_ADDRESSING_WRITE_TYPE, IARG_REG_VALUE, baseReg, IARG_REG_VALUE, indexReg, IARG_UINT32, scale, IARG_UINT32, displacement, IARG_THREAD_ID, IARG_END); } } else { if (isRead) { INS_InsertPredicatedCall( ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeSegmentedMemAccessBaseDispl, IARG_INST_PTR, IARG_MEMORYREAD_EA, IARG_UINT32, BASE_DISPLACEMENT_ADDRESSING_READ_TYPE, IARG_REG_VALUE, baseReg, IARG_UINT32, displacement, IARG_THREAD_ID, IARG_END); } else { INS_InsertPredicatedCall( ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeSegmentedMemAccessBaseDispl, IARG_INST_PTR, IARG_MEMORYWRITE_EA, IARG_UINT32, BASE_DISPLACEMENT_ADDRESSING_WRITE_TYPE, IARG_REG_VALUE, baseReg, IARG_UINT32, displacement, IARG_THREAD_ID, IARG_END); } } } else if (indexReg != REG_INVALID()) { if (isRead) { INS_InsertPredicatedCall( ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeSegmentedMemAccessIndexDispl, IARG_INST_PTR, IARG_MEMORYREAD_EA, IARG_UINT32, INDEX_DISPLACEMENT_ADDRESSING_READ_TYPE, IARG_REG_VALUE, indexReg, IARG_UINT32, scale, IARG_UINT32, displacement, IARG_THREAD_ID, IARG_END); } else { INS_InsertPredicatedCall( ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeSegmentedMemAccessIndexDispl, IARG_INST_PTR, IARG_MEMORYWRITE_EA, IARG_UINT32, INDEX_DISPLACEMENT_ADDRESSING_WRITE_TYPE, IARG_REG_VALUE, indexReg, IARG_UINT32, scale, IARG_UINT32, displacement, IARG_THREAD_ID, IARG_END); } } else if (*hasSegmentedMemAccess) { if (isRead) { INS_InsertPredicatedCall( ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeSegmentedMemAccessDispl, IARG_INST_PTR, IARG_MEMORYREAD_EA, IARG_UINT32, DISPLACEMENT_ONLY_ADDRESSING_READ_TYPE, IARG_UINT32, displacement, IARG_THREAD_ID, IARG_END); } else { INS_InsertPredicatedCall( ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeSegmentedMemAccessDispl, IARG_INST_PTR, IARG_MEMORYWRITE_EA, IARG_UINT32, DISPLACEMENT_ONLY_ADDRESSING_WRITE_TYPE, IARG_UINT32, displacement, IARG_THREAD_ID, IARG_END); } } }
VOID HandleAccess (INS ins, BOOL isRead) { UINT32 operandCount = INS_OperandCount (ins); UINT32 i, displacement=0, scale=0; REG baseReg = REG_INVALID(), indexReg = REG_INVALID(); BOOL instrumented = FALSE; for (i=0; i<operandCount; i++) { if ( ((INS_OperandIsMemory (ins, i) && isRead && INS_OperandRead (ins, i)) || (INS_OperandIsMemory (ins, i) && !isRead && INS_OperandWritten (ins, i))) ) { displacement = INS_OperandMemoryDisplacement (ins, i); baseReg = INS_OperandMemoryBaseReg (ins, i); indexReg = INS_OperandMemoryIndexReg (ins, i); scale = INS_OperandMemoryScale (ins, i); break; } } if (baseReg != REG_INVALID()) { if (indexReg != REG_INVALID()) { if (isRead) { INS_InsertPredicatedCall( ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeMemAccessBaseIndexDispl, IARG_INST_PTR, IARG_MEMORYREAD_EA, IARG_UINT32, BASE_INDEX_DISPLACEMENT_ADDRESSING_READ_TYPE, IARG_REG_VALUE, baseReg, IARG_REG_VALUE, indexReg, IARG_UINT32, scale, IARG_UINT32, displacement, IARG_THREAD_ID, IARG_END); } else { INS_InsertPredicatedCall( ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeMemAccessBaseIndexDispl, IARG_INST_PTR, IARG_MEMORYWRITE_EA, IARG_UINT32, BASE_INDEX_DISPLACEMENT_ADDRESSING_WRITE_TYPE, IARG_REG_VALUE, baseReg, IARG_REG_VALUE, indexReg, IARG_UINT32, scale, IARG_UINT32, displacement, IARG_THREAD_ID, IARG_END); } instrumented = TRUE; } else { if (isRead) { INS_InsertPredicatedCall( ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeMemAccessBaseDispl, IARG_INST_PTR, IARG_MEMORYREAD_EA, IARG_UINT32, BASE_DISPLACEMENT_ADDRESSING_READ_TYPE, IARG_REG_VALUE, baseReg, IARG_UINT32, displacement, IARG_THREAD_ID, IARG_END); } else { INS_InsertPredicatedCall( ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeMemAccessBaseDispl, IARG_INST_PTR, IARG_MEMORYWRITE_EA, IARG_UINT32, BASE_DISPLACEMENT_ADDRESSING_WRITE_TYPE, IARG_REG_VALUE, baseReg, IARG_UINT32, displacement, IARG_THREAD_ID, IARG_END); } instrumented = TRUE; } } else { if (isRead) { INS_InsertPredicatedCall( ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeMemAccessDispl, IARG_INST_PTR, IARG_MEMORYREAD_EA, IARG_UINT32, DISPLACEMENT_ONLY_ADDRESSING_READ_TYPE, IARG_UINT32, displacement, IARG_THREAD_ID, IARG_END); } else { INS_InsertPredicatedCall( ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeMemAccessDispl, IARG_INST_PTR, IARG_MEMORYWRITE_EA, IARG_UINT32, DISPLACEMENT_ONLY_ADDRESSING_WRITE_TYPE, IARG_UINT32, displacement, IARG_THREAD_ID, IARG_END); } instrumented = TRUE; } ASSERTX (instrumented); // must delete this INS - since it's memory address is 16bit, cannot be sure // it accesses valid memory - so we are only testing the IARG_MEMORY(READ/WRITE)_EA // on these instructions INS_Delete(ins); }
VOID Emulate2Address(OPCODE opcode, INS ins, ADDRINT (*OpRM)(ADDRINT,ADDRINT*), ADDRINT (*OpRV)(ADDRINT,ADDRINT), VOID (*OpMV)(ADDRINT*,ADDRINT)) { if (INS_Opcode(ins) != opcode) return; if (INS_OperandIsMemory(ins, 0) // This will filter out segment overrides && INS_IsMemoryWrite(ins)) { if (INS_OperandIsReg(ins, 1) && REG_is_gr(INS_OperandReg(ins, 1))) { // Source register, dst memory INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(OpMV), IARG_MEMORYWRITE_EA, IARG_REG_VALUE, INS_OperandReg(ins, 1), IARG_END); INS_Delete(ins); } else { ASSERTX(!INS_OperandIsMemory(ins, 1)); } } else if (INS_OperandIsReg(ins, 0)) { REG dst = INS_OperandReg(ins, 0); if ((dst == REG_SEG_GS) || (dst == REG_SEG_FS)) return; if (INS_OperandIsReg(ins, 1)) { // Source register, dst register INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(OpRV), IARG_REG_VALUE, INS_OperandReg(ins, 0), IARG_REG_VALUE, INS_OperandReg(ins, 1), IARG_RETURN_REGS, INS_OperandReg(ins, 0), IARG_END); INS_Delete(ins); } else if (INS_OperandIsMemory(ins, 1) // This will filter out segment overrides && INS_IsMemoryRead(ins)) { // Source register, dst register INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(OpRM), IARG_REG_VALUE, INS_OperandReg(ins, 0), IARG_MEMORYREAD_EA, IARG_RETURN_REGS, INS_OperandReg(ins, 0), IARG_END); INS_Delete(ins); } } #if 0 if (KnobCount == icount) fprintf(stderr,"Last one %s\n",INS_Disassemble(ins).c_str()); else if (icount > KnobCount) return; icount++; #endif }
VOID Instruction(INS ins, VOID *v) { if (INS_IsMemoryRead(ins) && !instrumentedReadFromIpWithNoOffset) { BOOL readsFromIpWithNoOffset = FALSE; for (UINT32 i = 0; i < INS_OperandCount(ins); i++) { if (!INS_OperandIsMemory(ins, i)) continue; if (INS_OperandMemoryBaseReg(ins, i) == REG_INST_PTR && INS_OperandMemoryDisplacement(ins, i)==0) { readsFromIpWithNoOffset = TRUE; break; } } if (!readsFromIpWithNoOffset) { return; } instrumentedReadFromIpWithNoOffset = TRUE; // only instrument one of these printf ("Instrumenting [ip] read %p %s\n", INS_Address(ins), INS_Disassemble(ins).c_str()); globalIpOfReadRecordedAtInstrumentationTime = INS_Address(ins); globalReadInsSize = INS_Size(ins); fflush (stdout); INS_InsertCall(ins,IPOINT_BEFORE, (AFUNPTR)IpReadBefore, IARG_INST_PTR, IARG_MEMORYREAD_EA, IARG_REG_VALUE, REG_INST_PTR, IARG_END); INS_InsertCall(ins,IPOINT_AFTER, (AFUNPTR)IpReadAfter, IARG_REG_VALUE, REG_INST_PTR, IARG_END); } else if (INS_IsMemoryWrite(ins) && !instrumentedWriteFromIpWithNoOffset) { /* const xed_decoded_inst_t* xedd = INS_XedDec(ins); xed_reg_enum_t breg1 = xed_decoded_inst_get_base_reg(xedd,0); if (breg1== XED_REG_RIP) { readsFromIpWithNoOffset = TRUE; } */ BOOL writesFromIpWithNoOffset = FALSE; for (UINT32 i = 0; i < INS_OperandCount(ins); i++) { if (!INS_OperandIsMemory(ins, i)) continue; if (INS_OperandMemoryBaseReg(ins, i) == REG_INST_PTR && INS_OperandMemoryDisplacement(ins, i)==0) { writesFromIpWithNoOffset = TRUE; break; } } if (!writesFromIpWithNoOffset) { return; } instrumentedReadFromIpWithNoOffset = TRUE; // only instrument one of these printf ("Instrumenting [ip] write %p %s\n", INS_Address(ins), INS_Disassemble(ins).c_str()); globalIpOfWriteRecordedAtInstrumentationTime = INS_Address(ins); globalWriteInsSize = INS_Size(ins); fflush (stdout); INS_InsertCall(ins,IPOINT_BEFORE, (AFUNPTR)IpWriteBefore, IARG_INST_PTR, IARG_MEMORYWRITE_EA, IARG_REG_VALUE, REG_INST_PTR, IARG_END); INS_InsertCall(ins,IPOINT_AFTER, (AFUNPTR)IpWriteAfter, IARG_REG_VALUE, REG_INST_PTR, IARG_END); } }
VOID Instruction(INS ins, VOID *v){ /** * INS_InsertCall(INS ins, IPOINT action, AFUNPTR funptr, ...) * * insert a call to 'docount' relative to instruction 'ins' * * ins: instruction to instrument * action: specifies before/after, etc. IPOINT_BEFORE is always valid for all instructions. * funptr: insert a call to funptr. * ...: list of arguments to pass funptr, terminated with IARG_END */ //INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)stat_ins, IARG_END); InsCount ++; //string ins_cat = CATEGORY_StringShort(INS_Category(ins)); int num_ops = INS_OperandCount(ins); //total #operands int memOperands = INS_MemoryOperandCount(ins); //#mem_operands string op_string = ""; //string to record all operands stringstream sstm; //string stream int num_mems = 0; for(int ii=0; ii<num_ops; ii++){ //iterate each operand if(INS_OperandIsImmediate(ins, ii)){ //immediate auto value = INS_OperandImmediate(ins, ii); sstm.str(""); //empty sstm << "$" << value; op_string += " " + sstm.str(); } else if(INS_OperandIsReg(ins, ii)){ //register auto reg = REG_StringShort(INS_OperandReg(ins, ii)); sstm.str(""); sstm << "%" << reg; op_string += " " + sstm.str(); } else if(INS_OperandIsMemory(ins, ii) && memOperands>0){ //memory string mem_type = "memXX"; if(INS_MemoryOperandIsRead(ins, num_mems)) { mem_type = "memR"; } else if(INS_MemoryOperandIsWritten(ins, num_mems)) { mem_type = "memW"; } if(INS_MemoryOperandIsRead(ins, num_mems) && INS_MemoryOperandIsWritten(ins, num_mems)) { mem_type = "memRW"; } ++ num_mems; op_string += " " + mem_type; //true if this operand is a memory reference, //Note: this does not include LEA operands. } else if(INS_OperandIsMemory(ins, ii) && memOperands==0){ //NOP assert(INS_IsNop(ins)); } else { //TRUE if memory operand uses predefined base register and this register can not be changed //Example: movs ds:(esi), es:(edi) There are two fixed operands string other_type = ""; if(INS_OperandIsFixedMemop(ins, ii)) other_type = "FM"; //true if this operand is a displacement (e.g. branch offset) else if(INS_OperandIsBranchDisplacement(ins, ii)) other_type = "BD"; //true if this operand is implied by the opcode (e.g. the stack write in a push instruction) else if(INS_OperandIsImplicit(ins, ii)) other_type = "IM"; else { assert(INS_IsLea(ins)); other_type = "lea"; } op_string += " " + other_type; } } assert(num_mems == memOperands); assert(num_ops <= 6); //record ins INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)record_ins, IARG_THREAD_ID, IARG_UINT32, INS_Opcode(ins), IARG_UINT32, num_ops, IARG_PTR, new string(op_string), IARG_END); if (INS_IsXchg(ins) && INS_OperandReg(ins, 0)==REG_BX && INS_OperandReg(ins, 1)==REG_BX) { //INS_InsertPredictedCall() is used to call analysis functions. //This API function prevents pollution of the memory analysis by calling an analysis function only if a particular //instruction is actualy executed, i.e., only if the instruction is executed. INS_InsertPredicatedCall(ins, IPOINT_BEFORE, (AFUNPTR)handleHook, IARG_THREAD_ID, IARG_REG_VALUE, REG_GAX, #ifdef TARGET_IA32 IARG_REG_VALUE, REG_GDX, #else IARG_REG_VALUE, REG_GBX, #endif IARG_REG_VALUE, REG_GCX, IARG_END); } }
VOID instruction(INS ins, void *v) { UINT32 numOperands = INS_OperandCount(ins); int numOpMems = 0; for (unsigned int i = 0; i < numOperands; i++) { //check number of reads and writes if (INS_OperandIsMemory(ins, i)) numOpMems++; } if (numOpMems > 2) { std::cout << "number of operands = " << numOpMems << std::endl; } const ADDRINT iaddr = INS_Address(ins); UINT32 idx; struct PC item; item.refs = 0; item.miss = 0; item.pc = iaddr; iCachePC.push_back(item); idx = iCachePC.size() - 1; INS_InsertPredicatedCall( ins, IPOINT_BEFORE, (AFUNPTR) iCacheCount, IARG_ADDRINT, iaddr, IARG_UINT32, idx, IARG_END); if (INS_IsMemoryRead(ins)) { struct PC readItem; readItem.refs = 0; readItem.miss = 0; readItem.pc = iaddr; readItem.isLoad = 1; dCachePC.push_back(readItem); UINT32 idx2 = dCachePC.size()-1; INS_InsertPredicatedCall( ins, IPOINT_BEFORE, (AFUNPTR) dCacheCount, IARG_ADDRINT, iaddr, IARG_MEMORYREAD_EA, IARG_MEMORYREAD_SIZE, IARG_UINT32, idx2, IARG_UINT32, 1, IARG_UINT32, 0, IARG_END); if (INS_HasMemoryRead2(ins)) { INS_InsertPredicatedCall( ins, IPOINT_BEFORE, (AFUNPTR) dCacheCount, IARG_ADDRINT, iaddr, IARG_MEMORYREAD2_EA, IARG_MEMORYREAD_SIZE, IARG_UINT32, idx2, IARG_UINT32, 1, IARG_UINT32, 1, IARG_END); } } if (INS_IsMemoryWrite(ins)) { struct PC writeItem; writeItem.refs = 0; writeItem.miss = 0; writeItem.pc = iaddr; writeItem.isLoad = 0; dCachePC.push_back(writeItem); UINT32 idx2 = dCachePC.size()-1; INS_InsertPredicatedCall( ins, IPOINT_BEFORE, (AFUNPTR) dCacheCount, IARG_ADDRINT, iaddr, IARG_MEMORYWRITE_EA, IARG_MEMORYWRITE_SIZE, IARG_UINT32, idx2, IARG_UINT32, 0, IARG_UINT32, 0, IARG_END); } }
void log_ins(INS ins) { // dump the instruction INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) &execute_instruction, IARG_INST_PTR, IARG_PTR, strdup(INS_Disassemble(ins).c_str()), IARG_END); // reads memory (1) if(INS_IsMemoryRead(ins) != 0) { INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) &dump_read_memory, IARG_MEMORYREAD_EA, IARG_MEMORYREAD_SIZE, IARG_END); } // reads memory (2) if(INS_HasMemoryRead2(ins) != 0) { INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) &dump_read_memory, IARG_MEMORYREAD2_EA, IARG_MEMORYREAD_SIZE, IARG_END); } IPOINT after = IPOINT_AFTER; if(INS_IsCall(ins) != 0) { // TODO is this correct? after = IPOINT_TAKEN_BRANCH; } else if(INS_IsSyscall(ins) != 0) { // TODO support syscalls return; } else if(INS_HasFallThrough(ins) == 0 && (INS_IsBranch(ins) != 0 || INS_IsRet(ins) != 0)) { // TODO is this correct? after = IPOINT_TAKEN_BRANCH; } // dump written memory if(INS_IsMemoryWrite(ins) != 0) { INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) &dump_written_memory_before, IARG_MEMORYWRITE_EA, IARG_MEMORYWRITE_SIZE, IARG_END); INS_InsertCall(ins, after, (AFUNPTR) &dump_written_memory_after, IARG_END); } // dump all affected registers for (UINT32 i = 0; i < INS_OperandCount(ins); i++) { if(INS_OperandIsMemory(ins, i) != 0) { if(INS_OperandMemoryBaseReg(ins, i) != REG_INVALID()) { REG base_reg = INS_OperandMemoryBaseReg(ins, i); if(g_reg_index[base_reg] != 0) { INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) &dump_reg_before, IARG_UINT32, g_reg_index[base_reg]-1, IARG_REG_VALUE, INS_OperandMemoryBaseReg(ins, i), IARG_END); INS_InsertCall(ins, after, (AFUNPTR) &dump_reg_r_after, IARG_UINT32, g_reg_index[base_reg]-1, IARG_END); } } if(INS_OperandMemoryIndexReg(ins, i) != REG_INVALID()) { REG index_reg = INS_OperandMemoryIndexReg(ins, i); if(g_reg_index[index_reg] != 0) { INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) &dump_reg_before, IARG_UINT32, g_reg_index[index_reg]-1, IARG_REG_VALUE, INS_OperandMemoryIndexReg(ins, i), IARG_END); INS_InsertCall(ins, after, (AFUNPTR) &dump_reg_r_after, IARG_UINT32, g_reg_index[index_reg]-1, IARG_END); } } } if(INS_OperandIsReg(ins, i) != 0) { REG reg_index = REG_FullRegName(INS_OperandReg(ins, i)); if(INS_OperandReadAndWritten(ins, i) != 0) { if(g_reg_index[reg_index] != 0) { INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) &dump_reg_before, IARG_UINT32, g_reg_index[reg_index]-1, IARG_REG_VALUE, reg_index, IARG_END); INS_InsertCall(ins, after, (AFUNPTR) &dump_reg_rw_after, IARG_UINT32, g_reg_index[reg_index]-1, IARG_REG_VALUE, reg_index, IARG_END); } } else if(INS_OperandRead(ins, i) != 0) { if(g_reg_index[reg_index] != 0) { INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) &dump_reg_before, IARG_UINT32, g_reg_index[reg_index]-1, IARG_REG_VALUE, reg_index, IARG_END); INS_InsertCall(ins, after, (AFUNPTR) &dump_reg_r_after, IARG_UINT32, g_reg_index[reg_index]-1, IARG_END); } } else if(INS_OperandWritten(ins, i) != 0) { if(g_reg_index[reg_index] != 0) { INS_InsertCall(ins, after, (AFUNPTR) &dump_reg_w_after, IARG_UINT32, g_reg_index[reg_index]-1, IARG_REG_VALUE, reg_index, IARG_END); } } } } INS_InsertCall(ins, after, (AFUNPTR) &print_newline, IARG_END); }
VOID Ins( INS ins, VOID *v ) { if (KnobDetach > 0 && scount > KnobDetach) return; if (KnobLog) { void *addr = Addrint2VoidStar(INS_Address(ins)); string disasm = INS_Disassemble(ins); PrintIns(addr, disasm.c_str()); } scount++; if (INS_Opcode(ins) == XED_ICLASS_PUSH) { if (INS_OperandIsImmediate(ins, 0)) { ADDRINT value = INS_OperandImmediate(ins, 0); INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(EmuPushValue), IARG_REG_VALUE, REG_STACK_PTR, IARG_ADDRINT, value, IARG_RETURN_REGS, REG_STACK_PTR, IARG_END); INS_Delete(ins); } else if(INS_OperandIsReg(ins, 0)) { REG reg = INS_OperandReg(ins, 0); INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(EmuPushValue), IARG_REG_VALUE, REG_STACK_PTR, IARG_REG_VALUE, reg, IARG_RETURN_REGS, REG_STACK_PTR, IARG_END); INS_Delete(ins); } else if(INS_OperandIsMemory(ins, 0)) { INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(EmuPushMem), IARG_REG_VALUE, REG_STACK_PTR, IARG_MEMORYREAD_EA, IARG_RETURN_REGS, REG_STACK_PTR, IARG_END); INS_Delete(ins); } else { fprintf(stderr, "EmuPush: unsupported operand type (%p:'%s')\n", Addrint2VoidStar(INS_Address(ins)), INS_Disassemble(ins).c_str()); } } else if (INS_Opcode(ins) == XED_ICLASS_POP) { if(INS_OperandIsReg(ins, 0)) { INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(EmuPopReg), IARG_REG_VALUE, REG_STACK_PTR, IARG_REG_REFERENCE, INS_OperandReg(ins, 0), IARG_RETURN_REGS, REG_STACK_PTR, IARG_END); INS_Delete(ins); } else if(INS_OperandIsMemory(ins, 0)) { INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(EmuPopMem), IARG_REG_VALUE, REG_STACK_PTR, IARG_MEMORYWRITE_EA, IARG_RETURN_REGS, REG_STACK_PTR, IARG_END); INS_Delete(ins); } else { fprintf(stderr, "EmuPop: unsupported operand type (%p:'%s')\n", Addrint2VoidStar(INS_Address(ins)), INS_Disassemble(ins).c_str()); } } else if (INS_Opcode(ins) == XED_ICLASS_LEAVE) { INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(EmuLeave), IARG_REG_VALUE, REG_STACK_PTR, IARG_REG_REFERENCE, REG_GBP, IARG_RETURN_REGS, REG_STACK_PTR, IARG_END); INS_Delete(ins); } else if (INS_IsCall(ins)) { INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(EmuCall), IARG_ADDRINT, INS_NextAddress(ins), IARG_BRANCH_TARGET_ADDR, IARG_REG_REFERENCE, REG_STACK_PTR, IARG_RETURN_REGS, scratchReg, IARG_END); INS_InsertIndirectJump(ins, IPOINT_AFTER, scratchReg); INS_Delete(ins); } else if (INS_IsRet(ins)) { UINT64 imm = 0; if (INS_OperandCount(ins) > 0 && INS_OperandIsImmediate(ins, 0)) { imm = INS_OperandImmediate(ins, 0); } INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(EmuRet), IARG_CALL_ORDER, CALL_ORDER_FIRST, IARG_REG_REFERENCE, REG_STACK_PTR, IARG_ADDRINT, (ADDRINT)imm, IARG_RETURN_REGS, scratchReg, IARG_END); INS_InsertIndirectJump(ins, IPOINT_AFTER, scratchReg); INS_Delete(ins); } else if (INS_IsIndirectBranchOrCall(ins)) { // This is not a call (it was checked before) so this is indirect jump INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(EmuIndJmp), IARG_BRANCH_TARGET_ADDR, IARG_RETURN_REGS, scratchReg, IARG_END); INS_InsertIndirectJump(ins, IPOINT_AFTER, scratchReg); INS_Delete(ins); } }