Example #1
// Lists the RtlTest cases to register, in the order they are written here.
// MYTEST is defined outside this listing; presumably it wraps the named member
// function in a CppUnit test caller and adds it to `suite` - confirm against
// the macro definition.
//
// suite: the CppUnit suite handed in by the caller; it is not referenced
//        directly in this body, only (presumably) through MYTEST.
void RtlTest::registerTests(CppUnit::TestSuite* suite) {
	MYTEST(testAppend);
	MYTEST(testClone);
	MYTEST(testVisitor);
	MYTEST(testIsCompare);
	MYTEST(testSetConscripts);
}
// Lists the TypeTest cases to register, in the order they are written here.
// MYTEST is defined outside this listing; presumably it wraps the named member
// function in a CppUnit test caller and adds it to `suite` - confirm against
// the macro definition.
//
// suite: the CppUnit suite handed in by the caller; it is not referenced
//        directly in this body, only (presumably) through MYTEST.
void TypeTest::registerTests(CppUnit::TestSuite* suite) {

//	Note: there is nothing left to test in Util (for now)
	MYTEST(testTypeLong);
	MYTEST(testNotEqual);
	MYTEST(testCompound);
	MYTEST(testDataInterval);
	MYTEST(testDataIntervalOverlaps);
}
Example #3
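// Analysis routine for an instrumented memory write. PINshield::avoidEvasion
// inserts it before the instruction and rewrites the memory operand with the
// value returned here, so the return value is the address the write really hits.
//
// eip:        address of the writing instruction (used for logging only).
// write_addr: effective address the instruction wanted to write to.
// fakeWriteH: pointer to the FakeWriteHandler that decides on redirection.
//
// Returns write_addr unchanged when it is 0, otherwise whatever
// getFakeWriteAddress() answered (the same address when the write is allowed;
// per the original comment it may also be a NULL pointer).
ADDRINT handleWrite(ADDRINT eip, ADDRINT write_addr,void *fakeWriteH){
	// NOTE(review): the handler is copied by value on every call, so any state
	// getFakeWriteAddress() changes lives only in this copy - confirm that is intended.
	FakeWriteHandler fakeWrite = *(FakeWriteHandler *)fakeWriteH;
	// New address of the memory operand: identical to write_addr when the target
	// is inside the whitelist, something else (possibly NULL) when it is not.
	ADDRINT fakeAddr = fakeWrite.getFakeWriteAddress(write_addr);
	if(write_addr == 0){
		return write_addr; // let the program trigger its own exception if it wants to
	}
	if(fakeAddr != write_addr){
		MYTEST("handleWrite_evasion %08x",write_addr);
		MYINFO("suspicious write from %08x in %s in %08x redirected to %08x", eip, RTN_FindNameByAddress(write_addr).c_str(), write_addr, fakeAddr);
		// The log line below dereferences the redirected address inside the tool
		// itself. A NULL redirection would fault the analysis routine instead of
		// the instrumented program, so only read it when it is non-null.
		if(fakeAddr != 0){
			MYINFO("Binary writes %08x\n" , *(unsigned int *)(fakeAddr));
		}
	}
	return fakeAddr;
}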
Example #4
// Analysis routine for an instrumented memory read. PINshield::avoidEvasion
// inserts it before the instruction and rewrites the memory operand with the
// value returned here, so the return value is the address the read really uses.
//
// eip:        address of the reading instruction.
// read_addr:  effective address the instruction wanted to read from.
// fake_mem_h: pointer to the FakeReadHandler that decides on redirection.
//
// Returns read_addr unchanged when it is 0, otherwise the answer of
// getFakeMemory() (same address when the read is allowed, possibly 0 otherwise).
ADDRINT handleRead(ADDRINT eip, ADDRINT read_addr,void *fake_mem_h){
	// The handler is used through a by-value copy made on every call.
	FakeReadHandler handlerCopy = *static_cast<FakeReadHandler *>(fake_mem_h);
	const ADDRINT redirected = handlerCopy.getFakeMemory(read_addr, eip);

	// No replacement address available: record who tried to read what.
	if(redirected == 0){
		MYINFO("%08x in %s reading %08x",eip, RTN_FindNameByAddress(eip).c_str() , read_addr);
	}

	// A null read is handed back untouched so the program raises its own exception.
	if(read_addr == 0){
		return read_addr;
	}

	// Nothing was redirected, nothing to report.
	if(redirected == read_addr){
		return redirected;
	}

	// Redirections of KUSER_SHARED_DATA reads are not counted as evasion attempts.
	// NOTE(review): the upper bound is inclusive (base + size itself is treated
	// as inside the region) - confirm whether that boundary is intended.
	const bool insideKuserSharedData =
		read_addr >= KUSER_SHARED_DATA_ADDRESS &&
		read_addr <= KUSER_SHARED_DATA_ADDRESS + KUSER_SHARED_DATA_SIZE;
	if(!insideKuserSharedData){
		MYTEST("handleRead_evasion %08x read at %08x",eip,read_addr);
	}
	MYINFO("ip : %08x in %s reading %08x and it has been redirected to : %08x",eip, RTN_FindNameByAddress(eip).c_str() , read_addr, redirected);
	return redirected;
}
Example #5
// Instruments a single instruction with the anti-evasion hooks that are
// switched on in Config. Steps, in order:
//   - skip instructions that belong to a filtered (known) library;
//   - special-case one exact disassembly string tied to the Obsidium dead path;
//   - 1: let evasionPatcher handle the instruction (stops here if it did);
//   - 2: route every memory-read operand through handleRead;
//   - 3: route memory-write operands of mov instructions through handleWrite.
// For steps 2 and 3 the operand is rewritten to use the register that receives
// the handler's return value, so the instruction accesses the returned address.
//
// ins: the instruction being instrumented.
void PINshield::avoidEvasion(INS ins){
	const ADDRINT insAddr = INS_Address(ins);
	ProcInfo *pInfo = ProcInfo::getInstance();	// not read below; the call itself is kept
	Config *cfg = Config::getInstance();
	FilterHandler *libFilter = FilterHandler::getInstance();

	// Filter instructions inside a known library (only graphic dll).
	if(libFilter->isFilteredLibraryInstruction(insAddr)){
		return;
	}

	// Pattern matching on the disassembly text in order to avoid the dead path of obsidium.
	const bool isObsidiumPattern =
		strcmp(INS_Disassemble(ins).c_str(), "xor eax, dword ptr [edx+ecx*8+0x4]") == 0;
	if(isObsidiumPattern){
		MYTEST("Obsidium_evasion");
		// IPOINT_AFTER is only requested when the instruction has a fall-through.
		if(INS_HasFallThrough(ins)){
			REGSET regsIn;
			REGSET_AddAll(regsIn);
			REGSET regsOut;
			REGSET_AddAll(regsOut);
			INS_InsertCall(ins,IPOINT_AFTER,(AFUNPTR)KillObsidiumDeadPath, IARG_PARTIAL_CONTEXT, &regsIn, &regsOut,IARG_END);
		}
	}

	// 1 - single instruction detection
	if(cfg->ANTIEVASION_MODE_INS_PATCHING && this->evasionPatcher.patchDispatcher(ins, insAddr)){
		return;
	}

	// 2 - memory read
	// Checking if there is a read at addresses that the application shouldn't be aware of.
	if(cfg->ANTIEVASION_MODE_SREAD){
		for (UINT32 memOp = 0; memOp < INS_MemoryOperandCount(ins); memOp++) {
			if (!INS_MemoryOperandIsRead(ins, memOp)) {
				continue;
			}
			// The FakeReadHandler is initialised lazily, on the first read operand seen.
			if(firstRead == 0){
				fakeMemH.initFakeMemory();
				firstRead=1;
			}
			REG readReg = GetScratchReg(memOp);
			INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(handleRead),
				IARG_INST_PTR,
				IARG_MEMORYOP_EA, memOp,
				IARG_PTR, &fakeMemH,
				IARG_RETURN_REGS, readReg,	// receives handleRead's return value
				IARG_END);
			INS_RewriteMemoryOperand(ins, memOp, readReg);
		}
	}

	// 3 - memory write filter
	// Only mov instructions are hooked; writes done by other instructions are
	// not routed through handleWrite here.
	if(cfg->ANTIEVASION_MODE_SWRITE){
		for (UINT32 memOp = 0; memOp < INS_MemoryOperandCount(ins); memOp++) {
			if(!(INS_MemoryOperandIsWritten(ins, memOp) && INS_IsMov(ins))){
				continue;
			}
			REG writeReg = GetScratchReg(memOp);
			INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(handleWrite),
				IARG_INST_PTR,
				IARG_MEMORYOP_EA, memOp,
				IARG_PTR, &fakeWriteH,
				IARG_RETURN_REGS, writeReg,	// this is an output param
				IARG_END);
			INS_RewriteMemoryOperand(ins, memOp, writeReg);
		}
	}
}
// Lists the DfaTest cases to register, in the order they are written here.
// MYTEST is defined outside this listing; presumably it wraps the named member
// function in a CppUnit test caller and adds it to `suite` - confirm against
// the macro definition.
//
// suite: the CppUnit suite handed in by the caller; it is not referenced
//        directly in this body, only (presumably) through MYTEST.
void DfaTest::registerTests(CppUnit::TestSuite* suite) {
	MYTEST(testMeetInt);
	MYTEST(testMeetSize);
	MYTEST(testMeetPointer);
	MYTEST(testMeetUnion);
}
Example #7
// Lists the single ProcTest case to register.
// MYTEST is defined outside this listing; presumably it wraps the named member
// function in a CppUnit test caller and adds it to `suite` - confirm against
// the macro definition.
//
// suite: the CppUnit suite handed in by the caller; it is not referenced
//        directly in this body, only (presumably) through MYTEST.
void ProcTest::registerTests(CppUnit::TestSuite* suite) {

	MYTEST(testName);
}
Example #8
// Lists the single FrontendTest case to register.
// MYTEST is defined outside this listing; presumably it wraps the named member
// function in a CppUnit test caller and adds it to `suite` - confirm against
// the macro definition.
//
// suite: the CppUnit suite handed in by the caller; it is not referenced
//        directly in this body, only (presumably) through MYTEST.
void FrontendTest::registerTests(CppUnit::TestSuite* suite) {
	MYTEST(test1);
}