/* ===================================================================== */
VOID Instruction(INS ins, VOID *v)
{
/*
if (INS_RegWContain(ins, REG_STACK_PTR)) {
if (INS_IsSub(ins))
{
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)StackRegSubBefore,
IARG_INST_PTR,
IARG_ADDRINT, ins.q(),
IARG_REG_VALUE, REG_STACK_PTR, IARG_END);
INS_InsertCall(ins, IPOINT_AFTER, (AFUNPTR)StackRegSubAfter,
IARG_REG_VALUE, REG_STACK_PTR, IARG_END);
}
if (INS_Opcode(ins) == XED_ICLASS_ADD) {
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)StackRegAddBefore,
IARG_INST_PTR,
IARG_ADDRINT, ins.q(),
IARG_REG_VALUE, REG_STACK_PTR, IARG_END);
INS_InsertCall(ins, IPOINT_AFTER, (AFUNPTR)StackRegAddAfter,
IARG_REG_VALUE, REG_STACK_PTR, IARG_END);
}
}
*/
UINT32 memOperands = INS_MemoryOperandCount(ins);
// Instrument each memory operand. If the operand is both read and written
// it will be processed twice.
// Iterating over memory operands ensures that instructions on IA-32 with
// two read operands (such as SCAS and CMPS) are correctly handled.
for (UINT32 memOp = 0; memOp < memOperands; memOp++)
{
const UINT32 size = INS_MemoryOperandSize(ins, memOp);
// const BOOL single = (size <= 4);
if (INS_MemoryOperandIsRead(ins, memOp))
{
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)MemReadBefore,
IARG_INST_PTR,
IARG_MEMORYOP_EA, memOp,
IARG_ADDRINT, size,
IARG_ADDRINT, ins.q(),
IARG_REG_VALUE, REG_STACK_PTR,
IARG_REG_VALUE, REG_GBP,
IARG_BOOL, INS_IsStackRead(ins), IARG_END);
}
if (INS_MemoryOperandIsWritten(ins, memOp))
{
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)MemWriteBefore,
IARG_INST_PTR,
IARG_MEMORYOP_EA, memOp,
IARG_ADDRINT, size,
IARG_ADDRINT, ins.q(),
IARG_REG_VALUE, REG_STACK_PTR,
IARG_REG_VALUE, REG_GBP,
IARG_BOOL, INS_IsStackWrite(ins), IARG_END);
}
}
}
VOID Instruction(INS ins, VOID * v) {
if(INS_IsMemoryWrite(ins)) {
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(CaptureWriteEa),
IARG_THREAD_ID, IARG_MEMORYWRITE_EA, IARG_END);
if(INS_HasFallThrough(ins)) {
INS_InsertPredicatedCall(ins, IPOINT_AFTER,
AFUNPTR(EmitWrite),
IARG_THREAD_ID,
IARG_MEMORYWRITE_SIZE,
IARG_END);
}
if(INS_IsBranchOrCall(ins)) {
INS_InsertPredicatedCall(ins, IPOINT_TAKEN_BRANCH,
AFUNPTR(EmitWrite),
IARG_THREAD_ID,
IARG_MEMORYWRITE_SIZE,
IARG_END);
}
}
UINT32 memOperands = INS_MemoryOperandCount(ins);
int write_operands = 0;
for(UINT32 memOp = 0; memOp < memOperands; memOp++) {
if(INS_MemoryOperandIsWritten(ins, memOp)) {
write_operands++;
}
}
assert(write_operands <= 1);
}
// Is called for every instruction and instruments reads and writes
VOID Instruction(INS ins, VOID *v)
{
// Instruments memory accesses using a predicated call, i.e.
// the instrumentation is called iff the instruction will actually be executed.
//
// On the IA-32 and Intel(R) 64 architectures conditional moves and REP
// prefixed instructions appear as predicated instructions in Pin.
UINT32 memOperands = INS_MemoryOperandCount(ins);
// Iterate over each memory operand of the instruction.
for (UINT32 memOp = 0; memOp < memOperands; memOp++)
{
if (INS_MemoryOperandIsRead(ins, memOp))
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)RecordMemRead,
IARG_INST_PTR,
IARG_MEMORYOP_EA, memOp,
IARG_END);
}
// Note that in some architectures a single memory operand can be
// both read and written (for instance incl (%eax) on IA-32)
// In that case we instrument it once for read and once for write.
if (INS_MemoryOperandIsWritten(ins, memOp))
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)RecordMemWrite,
IARG_INST_PTR,
IARG_MEMORYOP_EA, memOp,
IARG_END);
}
}
}
VOID PolymorphicCodeHandlerModule::inspectTrace(TRACE trace){
// set the range of address in which the current trace resides
this->trace_head = TRACE_Address(trace);
this->trace_tail = trace_head + TRACE_Size(trace);
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins))
{
// for ech instruction we have to check if it has been overwritten by a previous instruction of the current trace (polimiorfic code detection)
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(checkIfWrittenAddress),
IARG_INST_PTR,
IARG_CONTEXT,
IARG_UINT32, INS_Size(ins),
IARG_PTR, this,
IARG_END);
for (UINT32 op = 0; op<INS_MemoryOperandCount(ins); op++) {
if(INS_MemoryOperandIsWritten(ins,op)){
// for each write operation we have to check if the traget address is inside the current trace (attempt to write polimorfic code)
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(polimorficCodeHandler),
IARG_INST_PTR,
IARG_MEMORYOP_EA, op,
IARG_PTR, this,
IARG_END);
}
}
}
}
}
/* Instrumentation of each instruction
* that uses a memory operand
*/
VOID Instruction(INS ins, VOID *v) {
trace_enter();
if (!INS_IsStackRead(ins)) {
for (UINT32 memopIdx = 0; memopIdx < INS_MemoryOperandCount(ins); memopIdx++) {
if (INS_MemoryOperandIsWritten(ins, memopIdx)) {
INS_InsertCall(ins,
IPOINT_BEFORE,
(AFUNPTR) update_stack_heap_region,
IARG_CONST_CONTEXT,
IARG_MEMORYOP_EA, memopIdx,
IARG_END);
UINT32 opIdx = INS_MemoryOperandIndexToOperandIndex(ins, memopIdx);
REG base_reg = INS_OperandMemoryBaseReg(ins, opIdx);
if (base_reg != REG_INVALID()) {
INS_InsertCall(ins,
IPOINT_BEFORE,
(AFUNPTR) check_parameter_out,
IARG_REG_VALUE, base_reg,
IARG_END);
}
}
}
}
if (INS_IsCall(ins)) {
if (INS_IsDirectCall(ins)) {
ADDRINT addr = INS_DirectBranchOrCallTargetAddress(ins);
FID fid = fn_lookup_by_address(addr);
INS_InsertCall(ins,
IPOINT_BEFORE,
(AFUNPTR) fn_call,
IARG_CONST_CONTEXT,
IARG_UINT32, fid,
IARG_END);
}
else {
INS_InsertCall(ins,
IPOINT_BEFORE,
(AFUNPTR) fn_indirect_call,
IARG_CONST_CONTEXT,
IARG_BRANCH_TARGET_ADDR,
IARG_END);
}
}
if (INS_IsRet(ins)) {
INS_InsertCall(ins,
IPOINT_BEFORE,
(AFUNPTR) fn_ret,
IARG_CONST_CONTEXT,
IARG_END);
}
trace_leave();
}
VOID Instruction(INS ins, VOID *v)
{
UINT32 memOperands = INS_MemoryOperandCount(ins);
for (UINT32 memOp = 0; memOp < memOperands; memOp++)
{
if (INS_MemoryOperandIsWritten(ins, memOp))
{
INS_InsertPredicatedCall(ins, IPOINT_BEFORE, (AFUNPTR)RecordMemWrite, IARG_INST_PTR, IARG_MEMORYOP_EA, memOp, IARG_END);
}
}
}
//--------------------------------------------------------------------------
static VOID trace_cb(TRACE trace, VOID *v)
{
// Visit every basic block in the trace
for ( BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl) )
{
for( INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins=INS_Next(ins) )
{
ADDRINT ea = INS_Address(ins);
if ( !valid_ea(ea) )
continue;
if ( was_writen(ea) )
{
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)check_unpacked_cb,
IARG_INST_PTR,
IARG_CONST_CONTEXT,
IARG_THREAD_ID,
IARG_END);
}
// Instruments memory accesses using a predicated call, i.e.
// the instrumentation is called iff the instruction will actually be executed.
//
// The IA-64 architecture has explicitly predicated instructions.
// On the IA-32 and Intel(R) 64 architectures conditional moves and REP
// prefixed instructions appear as predicated instructions in Pin.
UINT32 mem_operands = INS_MemoryOperandCount(ins);
// Iterate over each memory operand of the instruction.
for ( UINT32 mem_op = 0; mem_op < mem_operands; mem_op++ )
{
// Note that in some architectures a single memory operand can be
// both read and written (for instance incl (%eax) on IA-32)
// In that case we instrument it once for read and once for write.
if ( INS_MemoryOperandIsWritten(ins, mem_op) )
{
INS_InsertIfPredicatedCall(ins, IPOINT_BEFORE, (AFUNPTR)valid_ea,
IARG_MEMORYOP_EA,
mem_op,
IARG_END);
INS_InsertThenPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)record_mem_write_cb,
IARG_INST_PTR,
IARG_MEMORYOP_EA, mem_op,
IARG_END);
}
}
}
}
}
void processMemoryWriteInstruction(INS ins, const char* imageName)
{
UINT32 memoryOperandCount = INS_MemoryOperandCount(ins);
for (UINT32 i = 0; i < memoryOperandCount; ++i)
{
if (INS_MemoryOperandIsWritten(ins, i) && INS_OperandIsMemory(ins, i))
{
INS_InsertPredicatedCall(ins, IPOINT_BEFORE, (AFUNPTR) Write,
IARG_THREAD_ID, IARG_MEMORYOP_EA, i, IARG_REG_VALUE,
REG_STACK_PTR, //pass current stack ptr
IARG_PTR, imageName, IARG_INST_PTR, IARG_MEMORYWRITE_SIZE,
IARG_CALL_ORDER, CALL_ORDER_FIRST + 30, IARG_END);
}
}
}
static VOID instrument_instruction(INS ins, VOID *v) {
UINT32 memops = INS_MemoryOperandCount(ins);
for (UINT32 memop = 0; memop < memops; memop++) {
if (INS_MemoryOperandIsRead(ins, memop)) {
INS_InsertPredicatedCall(ins, IPOINT_BEFORE, (AFUNPTR)rec_memread,
IARG_INST_PTR, IARG_MEMORYOP_EA, memop, IARG_END);
}
if (INS_MemoryOperandIsWritten(ins, memop)) {
INS_InsertPredicatedCall(ins, IPOINT_BEFORE,
(AFUNPTR)rec_memwrite, IARG_INST_PTR, IARG_MEMORYOP_EA, memop,
IARG_END);
}
}
}
VOID
insInstruction(INS ins, VOID *v)
{
UINT32 memOperands = INS_MemoryOperandCount(ins);
for (UINT32 i = 0; i < memOperands; i++) {
if (!INS_MemoryOperandIsWritten(ins, i))
continue;
INS_InsertFillBufferPredicated(
ins, IPOINT_BEFORE, buf,
IARG_INST_PTR, offsetof(struct record, pc),
IARG_MEMORYOP_EA, i, offsetof(struct record, ea),
IARG_END);
}
}
VOID Instruction(INS ins, VOID *v)
{
if (INS_OperandCount(ins) > 1 && INS_MemoryOperandIsRead(ins, 0) && INS_OperandIsReg(ins, 0)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)ReadMem,
IARG_ADDRINT, INS_Address(ins),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_UINT32, INS_OperandCount(ins),
IARG_UINT32, INS_OperandReg(ins, 0),
IARG_MEMORYOP_EA, 0,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_END);
}
else if (INS_OperandCount(ins) > 1 && INS_MemoryOperandIsWritten(ins, 0)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)WriteMem,
IARG_ADDRINT, INS_Address(ins),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_UINT32, INS_OperandCount(ins),
IARG_UINT32, INS_OperandReg(ins, 1),
IARG_MEMORYOP_EA, 0,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_END);
}
else if (INS_OperandCount(ins) > 1 && INS_OperandIsReg(ins, 0)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)spreadRegTaint,
IARG_ADDRINT, INS_Address(ins),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_UINT32, INS_OperandCount(ins),
IARG_UINT32, INS_RegR(ins, 0),
IARG_UINT32, INS_RegW(ins, 0),
IARG_END);
}
if (INS_OperandCount(ins) > 1 && INS_OperandIsReg(ins, 0)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)followData,
IARG_ADDRINT, INS_Address(ins),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_UINT32, INS_RegR(ins, 0),
IARG_END);
}
}
VOID Instruction(INS ins, VOID *v)
{
if (INS_MemoryOperandIsRead(ins, 0) && INS_OperandIsReg(ins, 0)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)ReadMem,
IARG_ADDRINT, INS_Address(ins),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_MEMORYOP_EA, 0,
IARG_END);
}
else if (INS_MemoryOperandIsWritten(ins, 0)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)WriteMem,
IARG_ADDRINT, INS_Address(ins),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_MEMORYOP_EA, 0,
IARG_END);
}
}
// Is called for every instruction and instruments reads and writes
VOID Instruction(INS ins, VOID *v)
{
// Instruments memory accesses using a predicated call, i.e.
// the instrumentation is called iff the instruction will actually be executed.
//
// On the IA-32 and Intel(R) 64 architectures conditional moves and REP
// prefixed instructions appear as predicated instructions in Pin.
UINT32 memOperands = INS_MemoryOperandCount(ins);
// Iterate over each memory operand of the instruction.
for (UINT32 memOp = 0; memOp < memOperands; memOp++)
{
/*if (INS_MemoryOperandIsRead(ins, memOp))
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)RecordMemRead,
IARG_INST_PTR,
IARG_MEMORYOP_EA, memOp,
IARG_END);
}*/
// Note that in some architectures a single memory operand can be
// both read and written (for instance incl (%eax) on IA-32)
// In that case we instrument it once for read and once for write.
if (INS_MemoryOperandIsWritten(ins, memOp))
{
xed_decoded_inst_t* xedd = INS_XedDec(ins);
xed_syntax_enum_t syntax = XED_SYNTAX_INTEL; // XED_SYNTAX_ATT, XED_SYNTAX_XED
const UINT32 BUFLEN = 100;
//char buffer[BUFLEN];
ADDRINT addr = INS_Address(ins);
BOOL ok = xed_format(syntax, xedd, writeInstruction, BUFLEN, static_cast<UINT64>(addr));
if (ok){
}
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)RecordMemWrite,
IARG_INST_PTR,
IARG_MEMORYOP_EA, memOp,
IARG_END);
}
}
}
VOID Routine(RTN rtn, VOID *v) {
std::string name = PIN_UndecorateSymbolName(RTN_Name(rtn).c_str(),
UNDECORATION_NAME_ONLY);
std::vector<std::string>::iterator it;
for (it = userFuncs.begin(); it != userFuncs.end(); ++it) {
std::string userFunc = *it;
if (name.find(userFunc) == std::string::npos) continue;
RTN_Open(rtn);
// For each instruction of the routine
for (INS ins = RTN_InsHead(rtn); INS_Valid(ins); ins = INS_Next(ins)) {
UINT32 memOperands = INS_MemoryOperandCount(ins);
// Iterate over each memory operand of the instruction.
for (UINT32 memOp = 0; memOp < memOperands; memOp++) {
if (INS_IsStackRead(ins) || INS_IsStackWrite(ins))
break;
if (INS_MemoryOperandIsRead(ins, memOp)) {
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)RecordMemRead,
IARG_INST_PTR,
IARG_MEMORYOP_EA, memOp, IARG_THREAD_ID,
IARG_END);
}
if (INS_MemoryOperandIsWritten(ins, memOp)) {
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)RecordMemWrite,
IARG_INST_PTR,
IARG_MEMORYOP_EA, memOp, IARG_THREAD_ID,
IARG_END);
}
}
}
RTN_Close(rtn);
}
}
VOID CheckMagicValue(INS ins, VOID *v) {
UINT32 memOperands = INS_MemoryOperandCount(ins);
for (UINT32 memOp = 0; memOp < memOperands; memOp++) {
if (INS_MemoryOperandIsRead(ins, memOp)) {
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)CheckMagicOnRead,
IARG_INST_PTR,
IARG_MEMORYOP_EA, memOp,
IARG_END
);
}
if (INS_MemoryOperandIsWritten(ins, memOp)) {
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)CheckMagicOnWrite,
IARG_INST_PTR,
IARG_MEMORYOP_EA, memOp,
IARG_END
);
}
}
}
VOID Instruction(INS ins, VOID *v)
{
if (INS_OperandCount(ins) > 1 && INS_MemoryOperandIsRead(ins, 0) && INS_OperandIsReg(ins, 0)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)ReadMem,
IARG_PTR, ins,
IARG_MEMORYOP_EA, 0,
IARG_END);
}
else if (INS_OperandCount(ins) > 1 && INS_MemoryOperandIsWritten(ins, 0)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)WriteMem,
IARG_PTR, ins,
IARG_MEMORYOP_EA, 0,
IARG_END);
}
else if (INS_OperandCount(ins) > 1 && INS_OperandIsReg(ins, 0)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)spreadRegTaint,
IARG_PTR, ins,
IARG_END);
}
}
VOID Instruction(INS ins, VOID *v)
{
PIN_LockClient();
IMG img = IMG_FindByAddress(INS_Address(ins));
PIN_UnlockClient();
if (IMG_Valid(img) && IMG_IsMainExecutable(img)){
if (INS_IsCall(ins)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)PrologueAnalysis,
IARG_ADDRINT, INS_Address(ins),
IARG_ADDRINT, INS_NextAddress(ins),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_END);
}
else if (INS_IsRet(ins)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)EpilogueAnalysis,
IARG_ADDRINT, INS_Address(ins),
IARG_ADDRINT, INS_NextAddress(ins),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_END);
}
else if (INS_OperandCount(ins) > 1 && INS_MemoryOperandIsWritten(ins, 0)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)WriteMem,
IARG_ADDRINT, INS_Address(ins),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_UINT32, INS_OperandCount(ins),
IARG_UINT32, INS_OperandReg(ins, 1),
IARG_MEMORYOP_EA, 0,
IARG_END);
}
/* Value Set Analysis */
if (INS_Opcode(ins) == XED_ICLASS_MOV &&
INS_RegR(ins, 0) == REG_RBP &&
INS_RegR(ins, 1) == REG_INVALID() &&
INS_IsMemoryWrite(ins)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)ValueSetAnalysis,
IARG_ADDRINT, INS_Address(ins),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_REG_VALUE, REG_RSP,
IARG_REG_VALUE, REG_RBP,
IARG_MEMORYOP_EA, 0,
IARG_END);
}
/* Analyzes stack overflow */
if (INS_MemoryOperandIsWritten(ins, 0)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)WriteMemAnalysis,
IARG_ADDRINT, INS_Address(ins),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_MEMORYOP_EA, 0,
IARG_END);
}
/* Timer Handler - And instruction counter */
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)timerHandler,
IARG_ADDRINT, INS_Address(INS_Prev(ins)),
IARG_ADDRINT, INS_Address(ins),
IARG_ADDRINT, INS_Address(INS_Next(ins)),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_END);
}
}
void PINshield::avoidEvasion(INS ins){
ADDRINT curEip = INS_Address(ins);
ProcInfo *pInfo = ProcInfo::getInstance();
Config *config = Config::getInstance();
FilterHandler *filterHandler = FilterHandler::getInstance();
//Filter instructions inside a known library (only graphic dll)
if(filterHandler->isFilteredLibraryInstruction(curEip)){
return;
}
// Pattern matching in order to avoid the dead path of obsidium
if(strcmp( (INS_Disassemble(ins).c_str() ),"xor eax, dword ptr [edx+ecx*8+0x4]") == 0){
MYTEST("Obsidium_evasion");
REGSET regsIn;
REGSET_AddAll(regsIn);
REGSET regsOut;
REGSET_AddAll(regsOut);
if(INS_HasFallThrough(ins)){
INS_InsertCall(ins,IPOINT_AFTER,(AFUNPTR)KillObsidiumDeadPath, IARG_PARTIAL_CONTEXT, ®sIn, ®sOut,IARG_END);
}
}
// 1 - single instruction detection
if(config->ANTIEVASION_MODE_INS_PATCHING && this->evasionPatcher.patchDispatcher(ins, curEip)){
return;
}
// 2 - memory read
// Checking if there is a read at addresses that the application shouldn't be aware of
if(config->ANTIEVASION_MODE_SREAD){
for (UINT32 op = 0; op<INS_MemoryOperandCount(ins); op++) {
if (INS_MemoryOperandIsRead(ins,op)) {
//if first read initialize the FakeReadHandler
if(firstRead == 0){
fakeMemH.initFakeMemory();
firstRead=1;
}
REG scratchReg = GetScratchReg(op);
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(handleRead),
IARG_INST_PTR,
IARG_MEMORYOP_EA, op,
IARG_PTR, &fakeMemH,
IARG_RETURN_REGS, scratchReg,
IARG_END);
INS_RewriteMemoryOperand(ins, op, scratchReg);
}
}
}
//3. memory write filter
if(config->ANTIEVASION_MODE_SWRITE){
for (UINT32 op = 0; op<INS_MemoryOperandCount(ins); op++) {
if(INS_MemoryOperandIsWritten(ins,op) && INS_IsMov(ins)){
REG writeReg = GetScratchReg(op);
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(handleWrite),
IARG_INST_PTR,
IARG_MEMORYOP_EA, op,
IARG_PTR, &fakeWriteH,
IARG_RETURN_REGS, writeReg, // this is an output param
IARG_END);
INS_RewriteMemoryOperand(ins, op, writeReg);
}
}
}
}
VOID Instruction(INS ins, void * v)
{
UINT32 memOperands = INS_MemoryOperandCount(ins);
// Instrument each memory operand. If the operand is both read and written
// it will be processed twice.
// Iterating over memory operands ensures that instructions on IA-32 with
// two read operands (such as SCAS and CMPS) are correctly handled.
for (UINT32 memOp = 0; memOp < memOperands; memOp++)
{
const UINT32 size = INS_MemoryOperandSize(ins, memOp);
const BOOL single = (size <= 4);
if (INS_MemoryOperandIsRead(ins, memOp))
{
if( KnobTrackLoads )
{
// map sparse INS addresses to dense IDs
const ADDRINT iaddr = INS_Address(ins);
const UINT32 instId = profile.Map(iaddr);
if( single )
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR) LoadSingle,
IARG_MEMORYOP_EA, memOp,
IARG_UINT32, instId,
IARG_END);
}
else
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR) LoadMulti,
IARG_MEMORYOP_EA, memOp,
IARG_UINT32, size,
IARG_UINT32, instId,
IARG_END);
}
}
else
{
if( single )
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR) LoadSingleFast,
IARG_MEMORYOP_EA, memOp,
IARG_END);
}
else
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR) LoadMultiFast,
IARG_MEMORYOP_EA, memOp,
IARG_UINT32, size,
IARG_END);
}
}
}
if (INS_MemoryOperandIsWritten(ins, memOp))
{
if( KnobTrackStores )
{
const ADDRINT iaddr = INS_Address(ins);
const UINT32 instId = profile.Map(iaddr);
if( single )
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR) StoreSingle,
IARG_MEMORYOP_EA, memOp,
IARG_UINT32, instId,
IARG_END);
}
else
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR) StoreMulti,
IARG_MEMORYOP_EA,memOp,
IARG_UINT32, size,
IARG_UINT32, instId,
IARG_END);
}
}
else
{
if( single )
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR) StoreSingleFast,
IARG_MEMORYOP_EA, memOp,
IARG_END);
}
else
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR) StoreMultiFast,
IARG_MEMORYOP_EA, memOp,
IARG_UINT32, size,
IARG_END);
}
}
}
}
}
// This function is called before every instruction is executed
VOID instrument_routine(RTN rtn, void *ip)
{
string name = RTN_Name(rtn);
if(name == "ivan")
{
RTN_Open(rtn);
for (INS ins = RTN_InsHead(rtn); INS_Valid(ins); ins = INS_Next(ins))
{
int opCount = INS_OperandCount(ins);
int opcode = INS_Opcode(ins);
if(INS_IsMemoryRead(ins))
{
for(int i = 0; i< opCount; i++)
{
if(INS_MemoryOperandIsRead(ins,i))
{
/*
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)RecordMemRead,IARG_PTR,ins,
IARG_INST_PTR,
IARG_MEMORYOP_EA, i,
IARG_END);
*/
cout<<"opcode:"<<INS_Opcode(ins)<<", mnemonic: "<<INS_Mnemonic(ins)<<endl;
if(INS_Opcode(ins)!= XED_ICLASS_RET_NEAR)
{
REG scratchReg = GetScratchReg(i);
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(GetMemAddress),
IARG_MEMORYOP_EA, i, IARG_RETURN_REGS, scratchReg, IARG_END);
INS_RewriteMemoryOperand(ins, i, scratchReg);
}
}
}
}
if(INS_IsMemoryWrite(ins))
{
for(int i = 0; i< opCount; i++)
{
/*
if(INS_OperandIsImmediate(ins,i))
{
cout<<"immediate "<<INS_OperandImmediate(ins,i)<<endl;
}
*/
if(INS_MemoryOperandIsWritten(ins,i) && INS_HasFallThrough(ins))
{
/*
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)RecordMemWrite,
IARG_INST_PTR,
IARG_MEMORYOP_EA, i,
IARG_END);
INS_InsertCall(
ins, IPOINT_AFTER, (AFUNPTR)RecordMemWrite,
IARG_INST_PTR,
IARG_MEMORYOP_EA, i,
IARG_END);
*/
if(opcode != XED_ICLASS_PUSH)
{
REG scratchReg = GetScratchReg(i);
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(GetMemAddress),
IARG_MEMORYOP_EA, i, IARG_RETURN_REGS, scratchReg, IARG_END);
INS_RewriteMemoryOperand(ins, i, scratchReg);
}
}
}
}
}
RTN_Close(rtn);
}
}
/* Trace instrumentation */
static void TRACE_Instrumentation(TRACE trace, VOID *v) {
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) {
for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins)) {
/* Check if the analysis me be unlocked */
tracer::pintool::checkUnlockAnalysis(INS_Address(ins));
if (!tracer::pintool::analysisTrigger.getState())
/* Analysis locked */
continue;
if (tracer::pintool::instructionBlacklisted(INS_Address(ins)) == true || tracer::pintool::instructionWhitelisted(INS_Address(ins)) == false)
/* Insruction blacklisted */
continue;
/* Prepare the Triton's instruction */
triton::arch::Instruction* tritonInst = new triton::arch::Instruction();
/* Save memory read1 informations */
if (INS_IsMemoryRead(ins)) {
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)saveMemoryAccess,
IARG_PTR, tritonInst,
IARG_MEMORYREAD_EA,
IARG_MEMORYREAD_SIZE,
IARG_END);
}
/* Save memory read2 informations */
if (INS_HasMemoryRead2(ins)) {
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)saveMemoryAccess,
IARG_PTR, tritonInst,
IARG_MEMORYREAD2_EA,
IARG_MEMORYREAD_SIZE,
IARG_END);
}
/* Callback before */
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)callbackBefore,
IARG_PTR, tritonInst,
IARG_INST_PTR,
IARG_UINT32, INS_Size(ins),
IARG_CONTEXT,
IARG_THREAD_ID,
IARG_END);
/* Callback after */
/* Syscall after context must be catcher with INSERT_POINT.SYSCALL_EXIT */
if (INS_IsSyscall(ins) == false) {
IPOINT where = IPOINT_AFTER;
if (INS_HasFallThrough(ins) == false)
where = IPOINT_TAKEN_BRANCH;
INS_InsertCall(ins, where, (AFUNPTR)callbackAfter, IARG_PTR, tritonInst, IARG_CONTEXT, IARG_THREAD_ID, IARG_END);
}
/* I/O memory monitoring for snapshot */
if (INS_OperandCount(ins) > 1 && INS_MemoryOperandIsWritten(ins, 0)) {
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)callbackSnapshot,
IARG_MEMORYOP_EA, 0,
IARG_UINT32, INS_MemoryWriteSize(ins),
IARG_END);
}
}
}
}
VOID Instruction(INS ins, VOID *v){
/**
* INS_InsertCall(INS ins, IPOINT action, AFUNPTR funptr, ...)
*
* insert a call to 'docount' relative to instruction 'ins'
*
* ins: instruction to instrument
* action: specifies before/after, etc. IPOINT_BEFORE is always valid for all instructions.
* funptr: insert a call to funptr.
* ...: list of arguments to pass funptr, terminated with IARG_END
*/
//INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)stat_ins, IARG_END);
InsCount ++;
//string ins_cat = CATEGORY_StringShort(INS_Category(ins));
int num_ops = INS_OperandCount(ins); //total #operands
int memOperands = INS_MemoryOperandCount(ins); //#mem_operands
string op_string = ""; //string to record all operands
stringstream sstm; //string stream
int num_mems = 0;
for(int ii=0; ii<num_ops; ii++){ //iterate each operand
if(INS_OperandIsImmediate(ins, ii)){ //immediate
auto value = INS_OperandImmediate(ins, ii);
sstm.str(""); //empty
sstm << "$" << value;
op_string += " " + sstm.str();
} else if(INS_OperandIsReg(ins, ii)){ //register
auto reg = REG_StringShort(INS_OperandReg(ins, ii));
sstm.str("");
sstm << "%" << reg;
op_string += " " + sstm.str();
} else if(INS_OperandIsMemory(ins, ii) && memOperands>0){ //memory
string mem_type = "memXX";
if(INS_MemoryOperandIsRead(ins, num_mems)) {
mem_type = "memR";
} else if(INS_MemoryOperandIsWritten(ins, num_mems)) {
mem_type = "memW";
}
if(INS_MemoryOperandIsRead(ins, num_mems) && INS_MemoryOperandIsWritten(ins, num_mems)) {
mem_type = "memRW";
}
++ num_mems;
op_string += " " + mem_type;
//true if this operand is a memory reference,
//Note: this does not include LEA operands.
} else if(INS_OperandIsMemory(ins, ii) && memOperands==0){ //NOP
assert(INS_IsNop(ins));
} else {
//TRUE if memory operand uses predefined base register and this register can not be changed
//Example: movs ds:(esi), es:(edi) There are two fixed operands
string other_type = "";
if(INS_OperandIsFixedMemop(ins, ii))
other_type = "FM";
//true if this operand is a displacement (e.g. branch offset)
else if(INS_OperandIsBranchDisplacement(ins, ii))
other_type = "BD";
//true if this operand is implied by the opcode (e.g. the stack write in a push instruction)
else if(INS_OperandIsImplicit(ins, ii))
other_type = "IM";
else {
assert(INS_IsLea(ins));
other_type = "lea";
}
op_string += " " + other_type;
}
}
assert(num_mems == memOperands);
assert(num_ops <= 6);
//record ins
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)record_ins,
IARG_THREAD_ID,
IARG_UINT32,
INS_Opcode(ins),
IARG_UINT32, num_ops,
IARG_PTR, new string(op_string),
IARG_END);
if (INS_IsXchg(ins) && INS_OperandReg(ins, 0)==REG_BX && INS_OperandReg(ins, 1)==REG_BX)
{
//INS_InsertPredictedCall() is used to call analysis functions.
//This API function prevents pollution of the memory analysis by calling an analysis function only if a particular
//instruction is actualy executed, i.e., only if the instruction is executed.
INS_InsertPredicatedCall(ins, IPOINT_BEFORE, (AFUNPTR)handleHook, IARG_THREAD_ID, IARG_REG_VALUE, REG_GAX,
#ifdef TARGET_IA32
IARG_REG_VALUE, REG_GDX,
#else
IARG_REG_VALUE, REG_GBX,
#endif
IARG_REG_VALUE, REG_GCX, IARG_END);
}
}
// -------------------------------------------------------------
// Instruction instrumentation function
// -------------------------------------------------------------
// Is called for every instruction and instruments reads and writes
VOID Instruction(INS ins) {
// Instruments memory accesses using a predicated call, i.e.
// the instrumentation is called iff the instruction will actually be executed.
//
// The IA-64 architecture has explicitly predicated instructions.
// On the IA-32 and Intel(R) 64 architectures conditional moves and REP
// prefixed instructions appear as predicated instructions in Pin.
UINT32 memOperands = INS_MemoryOperandCount(ins);
// Iterate over each memory operand of the instruction.
for (UINT32 memOp = 0; memOp < memOperands; memOp++) {
if (INS_MemoryOperandIsRead(ins, memOp)) {
#if DEBUG_INS
printf("-- Instrumenting read operation at instruction address %X\n", INS_Address(ins));
#endif
if (gSetup.memBuf) { // if using memory operations buffering, bypass user-defined callbacks
INS_InsertFillBufferPredicated(ins, IPOINT_BEFORE, buf_id,
IARG_MEMORYOP_EA, memOp, offsetof(STool_TMemRec, addr),
IARG_BOOL, FALSE, offsetof(STool_TMemRec, isWrite),
IARG_END);
}
else if (gSetup.memRead) {
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE,
(AFUNPTR)A_MemRead,
IARG_FAST_ANALYSIS_CALL,
IARG_THREAD_ID,
IARG_MEMORYOP_EA, memOp,
IARG_END);
}
}
// Note that in some architectures a single memory operand can be
// both read and written (for instance incl (%eax) on IA-32)
// In that case we instrument it once for read and once for write.
if (INS_MemoryOperandIsWritten(ins, memOp)) {
#if DEBUG_INS
printf("-- Instrumenting write operation at instruction address %X\n", INS_Address(ins));
#endif
if (gSetup.memBuf) { // if using memory operations buffering, bypass user-defined callbacks
INS_InsertFillBufferPredicated(ins, IPOINT_BEFORE, buf_id,
IARG_MEMORYOP_EA, memOp, offsetof(STool_TMemRec, addr),
IARG_BOOL, TRUE, offsetof(STool_TMemRec, isWrite),
IARG_END);
}
else if (gSetup.memWrite) {
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE,
(AFUNPTR)A_MemWrite,
IARG_FAST_ANALYSIS_CALL,
IARG_THREAD_ID,
IARG_MEMORYOP_EA, memOp,
IARG_END);
}
}
}
}
// Returns a pointer to an IRBuilder object.
// It is up to the user to delete it when times come.
IRBuilder *createIRBuilder(INS ins) {
uint64 address = INS_Address(ins);
std::string disas = INS_Disassemble(ins);
INT32 opcode = INS_Opcode(ins);
IRBuilder *ir = nullptr;
switch (opcode) {
case XED_ICLASS_ADC:
ir = new AdcIRBuilder(address, disas);
break;
case XED_ICLASS_ADD:
ir = new AddIRBuilder(address, disas);
break;
case XED_ICLASS_AND:
ir = new AndIRBuilder(address, disas);
break;
case XED_ICLASS_ANDNPD:
ir = new AndnpdIRBuilder(address, disas);
break;
case XED_ICLASS_ANDNPS:
ir = new AndnpsIRBuilder(address, disas);
break;
case XED_ICLASS_ANDPD:
ir = new AndpdIRBuilder(address, disas);
break;
case XED_ICLASS_ANDPS:
ir = new AndpsIRBuilder(address, disas);
break;
case XED_ICLASS_BSWAP:
ir = new BswapIRBuilder(address, disas);
break;
case XED_ICLASS_CALL_FAR:
case XED_ICLASS_CALL_NEAR:
ir = new CallIRBuilder(address, disas);
break;
case XED_ICLASS_CBW:
ir = new CbwIRBuilder(address, disas);
break;
case XED_ICLASS_CDQE:
ir = new CdqeIRBuilder(address, disas);
break;
case XED_ICLASS_CLC:
ir = new ClcIRBuilder(address, disas);
break;
case XED_ICLASS_CLD:
ir = new CldIRBuilder(address, disas);
break;
case XED_ICLASS_CMC:
ir = new CmcIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVB:
ir = new CmovbIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVBE:
ir = new CmovbeIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVL:
ir = new CmovlIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVLE:
ir = new CmovleIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVNB:
ir = new CmovnbIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVNBE:
ir = new CmovnbeIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVNL:
ir = new CmovnlIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVNLE:
ir = new CmovnleIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVNO:
ir = new CmovnoIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVNP:
ir = new CmovnpIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVNS:
ir = new CmovnsIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVNZ:
ir = new CmovnzIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVO:
ir = new CmovoIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVP:
ir = new CmovpIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVS:
ir = new CmovsIRBuilder(address, disas);
break;
case XED_ICLASS_CMOVZ:
ir = new CmovzIRBuilder(address, disas);
break;
case XED_ICLASS_CMP:
ir = new CmpIRBuilder(address, disas);
break;
case XED_ICLASS_CQO:
ir = new CqoIRBuilder(address, disas);
break;
case XED_ICLASS_CWDE:
ir = new CwdeIRBuilder(address, disas);
break;
case XED_ICLASS_DEC:
ir = new DecIRBuilder(address, disas);
break;
case XED_ICLASS_DIV:
ir = new DivIRBuilder(address, disas);
break;
case XED_ICLASS_IDIV:
ir = new IdivIRBuilder(address, disas);
break;
case XED_ICLASS_IMUL:
ir = new ImulIRBuilder(address, disas);
break;
case XED_ICLASS_INC:
ir = new IncIRBuilder(address, disas);
break;
case XED_ICLASS_JB:
ir = new JbIRBuilder(address, disas);
break;
case XED_ICLASS_JBE:
ir = new JbIRBuilder(address, disas);
break;
case XED_ICLASS_JL:
ir = new JlIRBuilder(address, disas);
break;
case XED_ICLASS_JLE:
ir = new JleIRBuilder(address, disas);
break;
case XED_ICLASS_JMP:
ir = new JmpIRBuilder(address, disas);
break;
case XED_ICLASS_JNB:
ir = new JnbIRBuilder(address, disas);
break;
case XED_ICLASS_JNBE:
ir = new JnbeIRBuilder(address, disas);
break;
case XED_ICLASS_JNL:
ir = new JnlIRBuilder(address, disas);
break;
case XED_ICLASS_JNLE:
ir = new JnleIRBuilder(address, disas);
break;
case XED_ICLASS_JNO:
ir = new JnoIRBuilder(address, disas);
break;
case XED_ICLASS_JNP:
ir = new JnpIRBuilder(address, disas);
break;
case XED_ICLASS_JNS:
ir = new JnsIRBuilder(address, disas);
break;
case XED_ICLASS_JNZ:
ir = new JnzIRBuilder(address, disas);
break;
case XED_ICLASS_JO:
ir = new JoIRBuilder(address, disas);
break;
case XED_ICLASS_JP:
ir = new JpIRBuilder(address, disas);
break;
case XED_ICLASS_JS:
ir = new JsIRBuilder(address, disas);
break;
case XED_ICLASS_JZ:
ir = new JzIRBuilder(address, disas);
break;
case XED_ICLASS_LEA:
ir = new LeaIRBuilder(address, disas);
break;
case XED_ICLASS_LEAVE:
ir = new LeaveIRBuilder(address, disas);
break;
case XED_ICLASS_MOV:
ir = new MovIRBuilder(address, disas);
break;
case XED_ICLASS_MOVAPD:
ir = new MovapdIRBuilder(address, disas);
break;
case XED_ICLASS_MOVAPS:
ir = new MovapsIRBuilder(address, disas);
break;
case XED_ICLASS_MOVDQA:
ir = new MovdqaIRBuilder(address, disas);
break;
case XED_ICLASS_MOVDQU:
ir = new MovdquIRBuilder(address, disas);
break;
case XED_ICLASS_MOVHLPS:
ir = new MovhlpsIRBuilder(address, disas);
break;
case XED_ICLASS_MOVHPD:
ir = new MovhpdIRBuilder(address, disas);
break;
case XED_ICLASS_MOVHPS:
ir = new MovhpsIRBuilder(address, disas);
break;
case XED_ICLASS_MOVLHPS:
ir = new MovlhpsIRBuilder(address, disas);
break;
case XED_ICLASS_MOVLPD:
ir = new MovlpdIRBuilder(address, disas);
break;
case XED_ICLASS_MOVLPS:
ir = new MovlpsIRBuilder(address, disas);
break;
case XED_ICLASS_MOVSX:
case XED_ICLASS_MOVSXD:
ir = new MovsxIRBuilder(address, disas);
break;
case XED_ICLASS_MOVZX:
ir = new MovzxIRBuilder(address, disas);
break;
case XED_ICLASS_MUL:
ir = new MulIRBuilder(address, disas);
break;
case XED_ICLASS_NEG:
ir = new NegIRBuilder(address, disas);
break;
case XED_ICLASS_NOT:
ir = new NotIRBuilder(address, disas);
break;
case XED_ICLASS_OR:
ir = new OrIRBuilder(address, disas);
break;
case XED_ICLASS_ORPD:
ir = new OrpdIRBuilder(address, disas);
break;
case XED_ICLASS_ORPS:
ir = new OrpsIRBuilder(address, disas);
break;
case XED_ICLASS_POP:
ir = new PopIRBuilder(address, disas);
break;
case XED_ICLASS_PUSH:
ir = new PushIRBuilder(address, disas);
break;
case XED_ICLASS_RET_FAR:
case XED_ICLASS_RET_NEAR:
ir = new RetIRBuilder(address, disas);
break;
case XED_ICLASS_ROL:
ir = new RolIRBuilder(address, disas);
break;
case XED_ICLASS_ROR:
ir = new RorIRBuilder(address, disas);
break;
case XED_ICLASS_SAR:
ir = new SarIRBuilder(address, disas);
break;
case XED_ICLASS_SBB:
ir = new SbbIRBuilder(address, disas);
break;
case XED_ICLASS_SETB:
ir = new SetbIRBuilder(address, disas);
break;
case XED_ICLASS_SETBE:
ir = new SetbeIRBuilder(address, disas);
break;
case XED_ICLASS_SETL:
ir = new SetlIRBuilder(address, disas);
break;
case XED_ICLASS_SETLE:
ir = new SetleIRBuilder(address, disas);
break;
case XED_ICLASS_SETNB:
ir = new SetnbIRBuilder(address, disas);
break;
case XED_ICLASS_SETNBE:
ir = new SetnbeIRBuilder(address, disas);
break;
case XED_ICLASS_SETNL:
ir = new SetnlIRBuilder(address, disas);
break;
case XED_ICLASS_SETNLE:
ir = new SetnleIRBuilder(address, disas);
break;
case XED_ICLASS_SETNO:
ir = new SetnoIRBuilder(address, disas);
break;
case XED_ICLASS_SETNP:
ir = new SetnpIRBuilder(address, disas);
break;
case XED_ICLASS_SETNS:
ir = new SetnsIRBuilder(address, disas);
break;
case XED_ICLASS_SETNZ:
ir = new SetnzIRBuilder(address, disas);
break;
case XED_ICLASS_SETO:
ir = new SetoIRBuilder(address, disas);
break;
case XED_ICLASS_SETP:
ir = new SetpIRBuilder(address, disas);
break;
case XED_ICLASS_SETS:
ir = new SetsIRBuilder(address, disas);
break;
case XED_ICLASS_SETZ:
ir = new SetzIRBuilder(address, disas);
break;
case XED_ICLASS_SHL:
// XED_ICLASS_SAL is also a SHL
ir = new ShlIRBuilder(address, disas);
break;
case XED_ICLASS_SHR:
ir = new ShrIRBuilder(address, disas);
break;
case XED_ICLASS_STC:
ir = new StcIRBuilder(address, disas);
break;
case XED_ICLASS_STD:
ir = new StdIRBuilder(address, disas);
break;
case XED_ICLASS_SUB:
ir = new SubIRBuilder(address, disas);
break;
case XED_ICLASS_TEST:
ir = new TestIRBuilder(address, disas);
break;
case XED_ICLASS_XADD:
ir = new XaddIRBuilder(address, disas);
break;
case XED_ICLASS_XCHG:
ir = new XchgIRBuilder(address, disas);
break;
case XED_ICLASS_XOR:
ir = new XorIRBuilder(address, disas);
break;
case XED_ICLASS_XORPD:
ir = new XorpdIRBuilder(address, disas);
break;
case XED_ICLASS_XORPS:
ir = new XorpsIRBuilder(address, disas);
break;
default:
ir = new NullIRBuilder(address, disas);
break;
}
// Populate the operands
const uint32 n = INS_OperandCount(ins);
for (uint32 i = 0; i < n; ++i) {
IRBuilderOperand::operand_t type;
uint32 size = 0;
uint64 val = 0;
//Effective address = Displacement + BaseReg + IndexReg * Scale
uint64 displacement = 0;
uint64 baseReg = ID_INVALID;
uint64 indexReg = ID_INVALID;
uint64 memoryScale = 0;
/* Special case */
if (INS_IsDirectBranchOrCall(ins)){
ir->addOperand(TritonOperand(IRBuilderOperand::IMM, INS_DirectBranchOrCallTargetAddress(ins), 0));
if (INS_MemoryOperandIsWritten(ins, 0))
ir->addOperand(TritonOperand(IRBuilderOperand::MEM_W, 0, INS_MemoryWriteSize(ins)));
break;
}
/* Immediate */
if (INS_OperandIsImmediate(ins, i)) {
type = IRBuilderOperand::IMM;
val = INS_OperandImmediate(ins, i);
}
/* Register */
else if (INS_OperandIsReg(ins, i)) {
type = IRBuilderOperand::REG;
REG reg = INS_OperandReg(ins, i);
val = PINConverter::convertDBIReg2TritonReg(reg); // store the register ID.
if (REG_valid(reg)) {
// check needed because instructions like "xgetbv 0" make
// REG_Size crash.
size = REG_Size(reg);
}
}
/* Memory */
else if (INS_MemoryOperandCount(ins) > 0) {
/* Memory read */
if (INS_MemoryOperandIsRead(ins, 0)) {
type = IRBuilderOperand::MEM_R;
size = INS_MemoryReadSize(ins);
}
/* Memory write */
else {
type = IRBuilderOperand::MEM_W;
size = INS_MemoryWriteSize(ins);
}
}
/* load effective address instruction */
else if (INS_OperandIsAddressGenerator(ins, i)) {
REG reg;
type = IRBuilderOperand::LEA;
displacement = INS_OperandMemoryDisplacement(ins, i);
memoryScale = INS_OperandMemoryScale(ins, i);
reg = INS_OperandMemoryBaseReg(ins, i);
if (REG_valid(reg))
baseReg = PINConverter::convertDBIReg2TritonReg(reg);
reg = INS_OperandMemoryIndexReg(ins, i);
if (REG_valid(reg))
indexReg = PINConverter::convertDBIReg2TritonReg(reg);
}
/* Undefined */
else {
// std::cout << "[DEBUG] Unknown kind of operand: " << INS_Disassemble(ins) << std::endl;
continue;
}
ir->addOperand(TritonOperand(type, val, size, displacement, baseReg, indexReg, memoryScale));
}
// Setup the opcode in the IRbuilder
ir->setOpcode(opcode);
ir->setOpcodeCategory(INS_Category(ins));
ir->setNextAddress(INS_NextAddress(ins));
return ir;
}
// Is called for every instruction and instruments reads and writes
VOID Instruction(INS ins, VOID *v)
{
if(fixed_pim_flag)
{
fixed_pim_count++;
return;
}
UINT32 memOperands = INS_MemoryOperandCount(ins);
if(gen_pim_flag)
{
if(memOperands != 0)
gen_pim_mem_ref++;
else
gen_pim_comp_ref++;
return;
}
if(memOperands != 0)
reg_mem_ref++;
else
reg_comp_ref++;
return;
#if 0
UINT32 memOperands = INS_MemoryOperandCount(ins);
RTN rtn = INS_Rtn(ins);
if ( RTN_Valid(rtn) && fixed_pim_flag)
{
FixPimCount();
//INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)FixPimCount, IARG_END);
// icount++;//++insNoRtnDiscoveredCount;
//INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)InsNativeCount, IARG_END);
}
else if ( RTN_IsDynamic(rtn) && gen_pim_flag)
{
for (UINT32 memOp = 0; memOp < memOperands; memOp++)
{
if ((INS_MemoryOperandIsRead(ins, memOp) || INS_MemoryOperandIsWritten(ins, memOp)) )
{
/* INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)GenPimMemCount,
IARG_INST_PTR,
IARG_MEMORYOP_EA, memOp,
IARG_END);*/
GenPimMemCount();
//INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)GenPimMemCount, IARG_END);
}
else {
GenPimCoRef();
//INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)GenPimCoRef, IARG_END);
}
}
}
else
{
for (UINT32 memOp = 0; memOp < memOperands; memOp++)
{
if (INS_MemoryOperandIsRead(ins, memOp) || INS_MemoryOperandIsWritten(ins, memOp))
{
/*INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)RegMemRef,
IARG_INST_PTR,
IARG_MEMORYOP_EA, memOp,
IARG_END);*/
RegMemRef();
//INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)RegMemRef, IARG_END);
}
else
{ RegCoRef();
// INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)RegCoRef, IARG_END);
}
}
}
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)docount, IARG_END);
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)FixPimCount, IARG_END);
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)GenPimMemCount, IARG_END);
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)GenPimCoRef, IARG_END);
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)RegMemRef, IARG_END);
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)RegCoRef, IARG_END);
#endif
}
// Pin calls this function every time a new instruction is encountered
VOID Instruction(INS ins, VOID *v)
{
string *disptr = new string(INS_Disassemble(ins));
// reads
if (INS_IsMemoryRead(ins)) {
INS_InsertCall(ins,
IPOINT_BEFORE,
(AFUNPTR)readMemoryFunc,
IARG_FAST_ANALYSIS_CALL,
IARG_MEMORYREAD_EA,
IARG_MEMORYREAD_PTR,
IARG_THREAD_ID,
IARG_PTR, disptr,
IARG_INST_PTR,
IARG_END);
}
// writes
if (INS_IsMemoryWrite(ins)) {
INS_InsertCall(ins,
IPOINT_BEFORE,
(AFUNPTR)writeMemoryFunc,
IARG_FAST_ANALYSIS_CALL,
IARG_THREAD_ID,
IARG_MEMORYWRITE_EA,
IARG_MEMORYWRITE_PTR ,
IARG_INST_PTR,
IARG_PTR, disptr,
IARG_END);
}
UINT32 memOperands = INS_MemoryOperandCount(ins);
if (!INS_IsVgather(ins) && memOperands)
{
// OPs
for (UINT32 memOp = 0; memOp < memOperands; memOp++)
{
if (INS_MemoryOperandIsRead(ins, memOp) ||
INS_MemoryOperandIsWritten(ins, memOp)) {
INS_InsertCall(ins,
IPOINT_BEFORE,
(AFUNPTR)opMemoryFunc,
IARG_FAST_ANALYSIS_CALL,
IARG_MEMORYOP_EA, memOp,
IARG_MEMORYOP_PTR, memOp,
IARG_INST_PTR ,
IARG_PTR, disptr,
IARG_END);
}
}
}
// READ2
if (INS_HasMemoryRead2(ins)) {
INS_InsertCall(ins,
IPOINT_BEFORE,
(AFUNPTR)read2MemoryFunc,
IARG_FAST_ANALYSIS_CALL,
IARG_MEMORYREAD_EA,
IARG_MEMORYREAD_PTR,
IARG_MEMORYREAD2_EA,
IARG_MEMORYREAD2_PTR,
IARG_THREAD_ID,
IARG_PTR, disptr,
IARG_CONTEXT,
IARG_INST_PTR,
IARG_END);
}
}