Example #1
0
int
main(int argc, char *argv[], char *envp[])
{
    std::ios::sync_with_stdio();

    // Our instruction callback.  We can't set its trigger address until after we load the specimen, but we want to register
    // the callback with the simulator before we create the first thread.
    Trigger clone_detection_trigger;

    // All of this is standard boilerplate and documented in the first page of the simulator doxygen.
    RSIM_Linux32 sim;
    sim.install_callback(new RSIM_Tools::UnhandledInstruction); // needed by some versions of ld-linux.so
    sim.install_callback(&clone_detection_trigger);             // it mustn't be destroyed while the simulator's running
    int n = sim.configure(argc, argv, envp);
    sim.exec(argc-n, argv+n);

    // Now that we've loaded the specimen into memory and created its first thread, figure out its original entry point (OEP)
    // and arm the clone_detection_trigger so that it triggers clone detection when the OEP is reached.  This will allow the
    // specimen's dynamic linker to run.
    rose_addr_t trigger_va = sim.get_process()->get_ep_orig_va();
    clone_detection_trigger.arm(trigger_va);

    // Allow the specimen to run until it reaches the clone detection trigger point, at which time a CloneDetector object is
    // thrown for that thread that reaches it first.
    try {
        sim.main_loop();
    } catch (CloneDetector *clone_detector) {
        clone_detector->analyze();
    }

    return 0;
}
Example #2
0
int
main(int argc, char *argv[], char *envp[])
{
    RSIM_Linux32 sim;
    int n = sim.configure(argc, argv, envp);
    sim.install_callback(new RSIM_Tools::UnhandledInstruction);

    /**************************************************************************************************************************
     *                                  Debugging callbacks...
     **************************************************************************************************************************/


#if 0
    /* Parse the ELF container so we can get to the symbol table. */
    char *rose_argv[4];
    rose_argv[0] = argv[0];
    rose_argv[1] = strdup("-rose:read_executable_file_format_only");
    rose_argv[2] = argv[n];
    rose_argv[3] = NULL;
    SgProject *project = frontend(3, rose_argv);

    /* Disassemble when we hit main() */
    rose_addr_t disassemble_va = RSIM_Tools::FunctionFinder().address(project, "main");
    assert(disassemble_va>0);
    sim.install_callback(new RSIM_Tools::MemoryDisassembler(disassemble_va));

    /* Print a stack trace and memory dump for every system call */
    struct SyscallStackTrace: public RSIM_Callbacks::SyscallCallback {
        virtual SyscallStackTrace *clone() {
            return this;
        }
        virtual bool operator()(bool enabled, const Args &args) {
            if (enabled) {
                RTS_Message *trace = args.thread->tracing(TRACE_SYSCALL);
                args.thread->report_stack_frames(trace, "Stack frames for following system call:");
                args.thread->get_process()->mem_showmap(trace, "Memory map for following system call:", "    ");
            }
            return enabled;
        }
    };
    sim.get_callbacks().add_syscall_callback(RSIM_Callbacks::BEFORE, new SyscallStackTrace);
#endif

    /***************************************************************************************************************************
     *                                  The main program...
     ***************************************************************************************************************************/

    sim.exec(argc-n, argv+n);
    sim.install_callback(new MemoryTransactionTester(sim.get_process()->get_ep_orig_va()), RSIM_Callbacks::BEFORE, true);
//    sim.activate();
    sim.main_loop();
//     sim.deactivate();
    sim.describe_termination(stderr);
    sim.terminate_self(); // probably doesn't return
    return 0;
}
Example #3
0
// Main program is almost standard RSIM boilerplate.  The only thing we add is the instantiation and installation of the
// SymbolicBombDetector callback.
int
main(int argc, char *argv[], char *envp[])
{
    RSIM_Linux32 sim;
    sim.install_callback(new RSIM_Tools::UnhandledInstruction);
    int n = sim.configure(argc, argv, envp);
    sim.exec(argc-n, argv+n);
    sim.install_callback(new IntervalAnalysis(sim.get_process()->get_ep_start_va()), RSIM_Callbacks::BEFORE, true);
    sim.main_loop();
    sim.describe_termination(stderr);
    sim.terminate_self();
    return 0;
}
Example #4
0
int
main(int argc, char *argv[], char *envp[])
{
    std::ios::sync_with_stdio();

    // Parse command-line switches understood by MultiWithConversion and leave the rest for the simulator.
    rose_addr_t target_va = 0; // analysis address (i.e., the "arbitrary offset"). Zero implies the program's OEP
    for (int i=1; i<argc; ++i) {
        if (!strcmp(argv[i], "--help") || !strcmp(argv[i], "-h") || !strcmp(argv[i], "-?")) {
            std::cout <<"usage: " <<argv[0] <<" [--target=ADDRESS] [SIMULATOR_SWITCHES] SPECIMEN [SPECIMEN_ARGS...]\n";
            exit(0);
        } else if (!strncmp(argv[i], "--target=", 9)) {
            target_va = strtoull(argv[i]+9, NULL, 0);
            memmove(argv+i, argv+i+1, (argc-- -i)*sizeof(*argv)); // argv has argc+1 elements
            --i;
        } else {
            break;
        }
    }

    // Our instruction callback.  We can't set its trigger address until after we load the specimen, but we want to register
    // the callback with the simulator before we create the first thread.
    SemanticController semantic_controller;

    // All of this (except the part where we register our SemanticController) is standard boilerplate and documented in
    // the first page of doxygen.
    RSIM_Linux32 sim;
    sim.install_callback(new RSIM_Tools::UnhandledInstruction); // needed by some versions of ld-linux.so
    sim.install_callback(&semantic_controller);                 // it mustn't be destroyed while the simulator's running
    int n = sim.configure(argc, argv, envp);
    sim.exec(argc-n, argv+n);

    // Register our instruction callback and tell it to trigger at the specimen's original entry point (OEP).  This will cause
    // our analysis to run as soon as the dynamic linker is finished.  We don't know the OEP until after the sim.exec() call
    // that loads the specimen into memory, so by time we can register our callback, the RSIM_Process has copied 
    rose_addr_t trigger_va = sim.get_process()->get_ep_orig_va();
    semantic_controller.arm(trigger_va, 0==target_va ? trigger_va : target_va);

    //sim.activate();
    sim.main_loop();
    //sim.deactivate();
    sim.describe_termination(stderr);
    sim.terminate_self(); // probably doesn't return
    return 0;
}
Example #5
0
File: x86dis.C Project: KurSh/rose
int
main(int argc, char *argv[], char *envp[])
{
    rose_addr_t trigger_va = 0;         // address at which disassembly is triggered
    std::string trigger_func = "oep";   // name of function at which disassembly is triggered (oep=original entry point)
    AsmUnparser::Organization org = AsmUnparser::ORGANIZED_BY_AST;

    // Parse arguments that we need for ourself.
    for (int i=1; i<argc; i++) {
        if (!strncmp(argv[i], "--trigger=", 10)) {
            // Address (or name of function) that will trigger the disassembly.  When the EIP register contains this value then
            // disassembly will run and the specimen will be terminated.
            char *rest;
            trigger_func = "";
            trigger_va = strtoull(argv[i]+10, &rest, 0);
            if (*rest) {
                trigger_va = 0;
                trigger_func = argv[i]+10;
            }
            memmove(argv+i, argv+i+1, (argc-- - i)*sizeof(*argv));
            --i;
        } else if (!strcmp(argv[i], "--linear")) {
            org = AsmUnparser::ORGANIZED_BY_ADDRESS;
            memmove(argv+i, argv+i+1, (argc-- - i)*sizeof(*argv));
            --i;
        }
    }

    // Initialize the simulator
    RSIM_Linux32 sim;
    int n = sim.configure(argc, argv, envp);
    sim.install_callback(new RSIM_Tools::UnhandledInstruction);
    sim.exec(argc-n, argv+n);
    RSIM_Process *process = sim.get_process();
    RSIM_Thread *main_thread = process->get_main_thread();

    // Find the trigger address
    if (0==trigger_va) {
        if (trigger_func.empty() || !trigger_func.compare("oep")) {
            trigger_va = process->get_ep_orig_va();
        } else if (0==(trigger_va = RSIM_Tools::FunctionFinder().address(process->headers(), trigger_func))) {
            std::cerr <<argv[0] <<": unable to locate address of function: " <<trigger_func <<"\n";
            exit(1);
        }
    }
    
    // Install our disassembler callback to the main thread.  We don't use RSIM_Tools::MemoryDisassembler because we want to
    // cancel the specimen once we disassemble.
    main_thread->install_callback(new MyDisassembler(trigger_va, org));

    // Allow the specimen to run until the disassembly is triggered
    bool disassembled = false;
    sim.activate();
    try {
        sim.main_loop();
    } catch (MyDisassembler*) {
        disassembled = true;
    }
    if (!disassembled) {
        std::cerr <<argv[0] <<": specimen ran to completion without triggering a disassembly.\n";
        exit(1);
    }

    return 0;
}