PyObject* Python_RTN_CreateAt(PyObject* self, PyObject* args) {
PyObject* address;
PyObject* name;
PyArg_ParseTuple(args, "L|s", &address, &name);
ADDRINT address_object = (ADDRINT) address;
char* name_object = PyString_AsString(name);
RTN* rtn_return = (RTN*) malloc(sizeof(RTN));
*rtn_return = RTN_CreateAt(address_object, name_object);
return Py_BuildValue("L", rtn_return);
}
VOID rtnInst(IMG img, VOID *v)
{
// for(IMG temp = img; IMG_Valid(temp); temp = IMG_Next(temp))
// out <<IMG_Name(img)<<endl;
// char * temp = "KVWebSvr.dll";
string dllname = IMG_Name(img);
RTN dispatchRtn;
ADDRINT funaddr;
if(dllname.find("KVWebSvr.dll")!=string::npos)
{
out <<dllname<<"start address 0x " <<IMG_LowAddress(img) <<endl;
out <<dllname<<"end address 0x "<<IMG_HighAddress(img) <<endl;
funaddr = IMG_LowAddress(img)+0x18060;
// RTN_CreateAt(0x100183b0,"sub_100183b0");//022D8060
// RTN_CreateAt(0x022D8060,"sub_invoke");
// dispatchRtn = RTN_FindByName(img, "sub_invoke");
RTN_CreateAt(funaddr,"sub_invoke");
// RTN_CreateAt(0x10019210,"sub_10019210");
dispatchRtn = RTN_FindByName(img, "sub_invoke");
// dispatchRtn = RTN_FindByAddress(0x100183b0);
if (RTN_Valid(dispatchRtn))
{
out << "find the taint source function" << endl;
RTN_Open(dispatchRtn);
RTN_InsertCall(dispatchRtn,IPOINT_BEFORE,(AFUNPTR)InvokeFunTaint,IARG_END);
// RTN_InsertCall(dispatchRtn, IPOINT_BEFORE, (AFUNPTR)InputFunAddTaint,
// IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
// IARG_FUNCARG_ENTRYPOINT_VALUE, 1,
// IARG_FUNCARG_ENTRYPOINT_VALUE, 2,
// IARG_END);
RTN_Close(dispatchRtn);
// out << RTN_Address(dispatchRtn)<< endl;
}
}
//function-level taint
inst_func_summary(img);
}
// This routine is executed for each image
VOID ImageLoad(IMG img, VOID *v)
{
if (!FlashPlayerConfigBuilder::instance().isSupportedFlashPlayer(img))
{
return;
}
LOGF("Found supported Flash Player image: %s (0x%x - 0x%x)\n", IMG_Name(img).c_str(), IMG_LowAddress(img), IMG_HighAddress(img));
config = FlashPlayerConfigBuilder::instance().getConfig();
// config->setInterpRVA needs to be chosen in such way that
// the value of _invoker can be found from [ESI+config->invinvokerOffsetInMethodInfookerOffset]
RTN setInterp = RTN_CreateAt(config->loadOffset + config->setInterpRVA, "setInterp");
// config->setInterpRVA needs to be chosen in such way that
// the value of _implGPR can be found from EAX
RTN verifyOnCall = RTN_CreateAt(config->loadOffset + config->verifyOnCallRVA, "verifyOnCall");
if (setInterp == RTN_Invalid() || verifyOnCall == RTN_Invalid())
{
LOGF("Instrumenting Flash Player failed. Check setInterp and verifyOnCall RVAs in config.\n");
return;
}
RTN_Open(setInterp);
RTN_InsertCall(setInterp, IPOINT_BEFORE, (AFUNPTR)InterpretedMethodVerified, IARG_REG_VALUE, REG_ESI, IARG_END);
RTN_Close(setInterp);
RTN_Open(verifyOnCall);
if(config->m_flash_version == VER_15){
RTN_InsertCall(verifyOnCall, IPOINT_AFTER, (AFUNPTR)JITedMethodVerified, IARG_REG_VALUE, REG_ECX, IARG_END);
}
else{
RTN_InsertCall(verifyOnCall, IPOINT_AFTER, (AFUNPTR)JITedMethodVerified, IARG_REG_VALUE, REG_EAX, IARG_END);
}
RTN_Close(verifyOnCall);
// Register TraceCalls to be called to instrument instructions
INS_AddInstrumentFunction(TraceCalls, 0);
}
int rtn_create_at (lua_State *L) {
ADDRINT v1 = lua_tonumber(L,1);
string v2 = lua_tostring(L,2);
RTN_to_lua(L, RTN_CreateAt(v1,v2));
return 1;
}
// Replay the image log.
// We run this before the each instruction of the code as an analysis routine.
// So we eat up the image loads one instruction at a time!
// We can also call it before PIN_StartProgram, to check that queuing
// the replay calls up works.
//
static void ReplayImageEntry()
{
if (feof(imgLog))
return;
char tag = fgetc(imgLog);
switch (tag)
{
case 'L':
{
string imageName;
ADDRINT startAddr;
ADDRINT offset;
USIZE size;
BOOL mainExe;
vector<RTN_INFO> rtns;
ParseImageLoadLine(imageName, &startAddr, &size, &offset, &mainExe, &rtns);
if (KnobVerbose)
fprintf (stderr, "Replaying load for %s, address: %llx offset: %llx, size: %lx\n", imageName.c_str(), (unsigned long long)startAddr, (unsigned long long)offset, (long)size);
// Create a temporary IMG object
IMG img = IMG_CreateAt(imageName.c_str(), startAddr, size, offset, mainExe);
ASSERT(IMG_Valid(img), "IMG_CreateAt for " + imageName + " is invalid");
// Populate the IMG object with recorded RTNs
PIN_LockClient();
for (vector<RTN_INFO>::iterator it = rtns.begin(); it < rtns.end(); it++)
{
RTN rtn = RTN_CreateAt(it->startAddr, it->name);
ASSERT(RTN_Valid(rtn), "Failed to create RTN " + it->name + " at address " + hexstr(it->startAddr));
}
// And, finally, inform Pin that it is all there, which will invoke
// image load callbacks.
IMG_ReplayImageLoad(img);
PIN_UnlockClient();
break;
}
case 'U':
{
string imageName;
ParseImageUnloadLine(imageName);
IMG img = FindNamedImg(imageName);
if (KnobVerbose)
fprintf (stderr, "Replaying unload for %s\n", imageName.c_str());
// And, finally, inform Pin that it has gone, which will invoke
// image unload callbacks.
PIN_LockClient();
PIN_ReplayImageUnload(img);
PIN_UnlockClient();
break;
}
default:
fprintf (trace, "Unexpected line in log file starting with '%c'\n", tag);
exit(1);
}
}
static RTN RTN_CreateAt_detour(ADDRINT addr, const char *name)
{
// RTN_CreateAt takes a std::string as parameter,
// hence the detour function
return RTN_CreateAt(addr, name);
}