// Image-load callback: records the main executable's name and path with the
// MIAMI driver and, in debug builds, dumps the image's section table.
// `img` is the image being loaded; `v` is the opaque user pointer, unused here.
VOID ImageLoad (IMG img, VOID *v)
{
   uint32_t id = IMG_Id (img);
   std::string iname = IMG_Name(img);
   if (id==1)   // this is the first image, extract the path and the name of the executable
   {
      // ExtractNameAndPath splits iname into its directory (epath) and
      // file name (ename) out-parameters, which are then handed to the
      // program options.
      string ename, epath;
      MIAMIU::ExtractNameAndPath(iname, epath, ename);
      MIAMI::MiamiOptions *mo = MIAMI::mdriver.getProgramOptions();
      mo->addExecutableName(ename);
      mo->addExecutablePath(epath);
   }
   // print info about the sections in this image, for debugging
   // comment out in production runs
#if DEBUG_CFG_COUNTS
   // Whole diagnostic (header line plus one line per section) is wrapped in
   // DEBUG_CFG at verbosity level 4; the stream is switched to hex for the
   // addresses and back to dec afterwards.
   DEBUG_CFG(4,
      cerr << "Image: " << iname << ", id " << id << hex
           << " load offser=0x" << IMG_LoadOffset(img)
           << ", low addr=0x" << IMG_LowAddress(img)
           << ", high addr=0x" << IMG_HighAddress(img)
           << ", start addr=0x" << IMG_StartAddress(img)
           << ", mapped size=0x" << IMG_SizeMapped(img) << dec
           << ", has the following sections:" << endl;
      for (SEC sec= IMG_SecHead(img) ; SEC_Valid(sec) ; sec = SEC_Next(sec))
      {
         // SEC_Size is printed twice (hex, then dec) on purpose: "0x../.. bytes".
         cerr << "Section " << SEC_Name(sec) << " of type " << SEC_Type(sec)
              << " at address 0x" << hex << SEC_Address(sec)
              << " of size 0x" << SEC_Size(sec) << dec << "/" << SEC_Size(sec) << " bytes:"
              << " valid? " << SEC_Valid(sec)
              << ", mapped? " << SEC_Mapped(sec)
              << ", executable? " << SEC_IsExecutable(sec)
              << ", readable? " << SEC_IsReadable(sec)
              << ", writable? " << SEC_IsWriteable(sec) << endl;
      }
   )
   // NOTE(review): the listing ends here; the matching #endif and the
   // function's closing brace are not present in this excerpt.
// Instrument `tail` as an indirect call site: the destination is only known
// at run time, so Pin supplies it (and whether the branch is taken) as
// IARG_BRANCH_TARGET_ADDR / IARG_BRANCH_TAKEN; the caller's first argument
// is added when print_args is set.
static void InstrumentIndirectCallSite(INS tail, BOOL print_args)
{
    if (print_args) {
        INS_InsertCall(tail, IPOINT_BEFORE, AFUNPTR(do_call_args_indirect),
                       IARG_BRANCH_TARGET_ADDR, IARG_BRANCH_TAKEN,
                       IARG_G_ARG0_CALLER, IARG_END);
    } else {
        INS_InsertCall(tail, IPOINT_BEFORE, AFUNPTR(do_call_indirect),
                       IARG_BRANCH_TARGET_ADDR, IARG_BRANCH_TAKEN, IARG_END);
    }
}

// Instrument `tail` as a direct call site: the destination is fixed, so its
// printable name is resolved once at instrumentation time (Target2String)
// and passed to the analysis routine as a pointer argument.
static void InstrumentDirectCallSite(INS tail, BOOL print_args)
{
    const ADDRINT target = INS_DirectBranchOrCallTargetAddress(tail);
    if (print_args) {
        INS_InsertPredicatedCall(tail, IPOINT_BEFORE, AFUNPTR(do_call_args),
                                 IARG_PTR, Target2String(target),
                                 IARG_G_ARG0_CALLER, IARG_END);
    } else {
        INS_InsertPredicatedCall(tail, IPOINT_BEFORE, AFUNPTR(do_call),
                                 IARG_PTR, Target2String(target), IARG_END);
    }
}

// Trace-level instrumentation callback: for every basic block in the trace,
// looks at its last instruction and instruments it when it is a call
// (direct or indirect) or an indirect jump out of a .plt stub, i.e. a call
// into a shared library that is not expressed as a call instruction.
// `v` is the opaque user pointer and is unused.
VOID Trace(TRACE trace, VOID *v)
{
    const BOOL print_args = KnobPrintArgs.Value();

    for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) {
        INS tail = BBL_InsTail(bbl);

        if (INS_IsCall(tail)) {
            if (INS_IsDirectBranchOrCall(tail)) {
                InstrumentDirectCallSite(tail, print_args);
            } else {
                InstrumentIndirectCallSite(tail, print_args);
            }
            continue;
        }

        // Not a call: the code may not belong to an image, so the routine is
        // looked up through the trace rather than assumed.
        RTN rtn = TRACE_Rtn(trace);
        // also track stub jumps into shared libraries (indirect jumps from .plt)
        const bool plt_stub_jump = RTN_Valid(rtn)
                                   && !INS_IsDirectBranchOrCall(tail)
                                   && ".plt" == SEC_Name(RTN_Sec(rtn));
        if (plt_stub_jump) {
            InstrumentIndirectCallSite(tail, print_args);
        }
    }
}
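// Abort (exit(1)) if `addr` lies inside any address range already recorded
// for the current routine in rtnInternalRangeList. The caller has just
// printed the offending instruction, so the message refers to "above".
static void CheckNotAlreadySeen(ADDRINT addr)
{
    for (vector<RTN_INTERNAL_RANGE>::const_iterator ri = rtnInternalRangeList.begin();
         ri != rtnInternalRangeList.end(); ++ri) {
        if (addr >= ri->start && addr < ri->end) {
            std::cout << "***Error - above instruction already appeared in this RTN\n";
            std::cout << " in rtnInternalRangeList " << setw(8) << hex << ri->start
                      << " " << setw(8) << hex << ri->end << endl;
            exit(1);
        }
    }
}

// Print one routine (address, name, source location if known, and every
// instruction with its disassembly) and check that no instruction address
// is revisited within the routine.  A routine's instructions need not be
// contiguous, so it is tracked as a list of address ranges: a range grows
// while consecutive instructions abut, and is pushed to rtnInternalRangeList
// when a gap appears.  Exits the process via CheckNotAlreadySeen on a
// repeated address.  Leaves rtnInternalRangeList empty on return.
static void DumpRoutine(RTN rtn)
{
    std::cout << " Rtn: " << setw(8) << hex << RTN_Address(rtn) << " " << RTN_Name(rtn) << endl;

    string path;
    INT32 line;
    PIN_GetSourceLocation(RTN_Address(rtn), NULL, &line, &path);
    if (!path.empty()) {
        std::cout << "File " << path << " Line " << line << endl;
    }

    // Instructions are only available between RTN_Open and RTN_Close.
    RTN_Open(rtn);
    const INS head = RTN_InsHead(rtn);
    if (!INS_Valid(head)) {
        RTN_Close(rtn);
        return;
    }

    RTN_INTERNAL_RANGE range;
    range.start = INS_Address(head);
    range.end = INS_Address(head) + INS_Size(head);

    INS lastIns = INS_Invalid();
    for (INS ins = head; INS_Valid(ins); ins = INS_Next(ins)) {
        std::cout << " " << setw(8) << hex << INS_Address(ins) << " " << INS_Disassemble(ins) << endl;
        if (INS_Valid(lastIns)) {
            if (INS_Address(lastIns) + INS_Size(lastIns) == INS_Address(ins)) {
                // Contiguous with the previous instruction: extend the open range.
                range.end = INS_Address(ins) + INS_Size(ins);
            } else {
                // Gap: close the open range, make sure this instruction has
                // not already appeared in this routine, then start a new range.
                rtnInternalRangeList.push_back(range);
                std::cout << " rtnInternalRangeList.push_back " << setw(8) << hex << range.start
                          << " " << setw(8) << hex << range.end << endl;
                CheckNotAlreadySeen(INS_Address(ins));
                range.start = INS_Address(ins);
                range.end = INS_Address(ins) + INS_Size(ins);
            }
        }
        lastIns = ins;
    }
    RTN_Close(rtn);
    // Ranges are per routine; the final open range is not needed once the
    // routine has been fully checked.
    rtnInternalRangeList.clear();
}

// Static-analysis entry point: opens the image named by KnobInputFile and
// prints every section, routine and instruction, verifying per routine that
// no instruction address appears twice.  Returns Usage() when Pin's
// initialisation rejects the arguments, 1 when the image cannot be opened,
// 0 otherwise.  All addresses are printed in hex (the stream is switched
// once, up front).
int main(INT32 argc, CHAR **argv)
{
    PIN_InitSymbols();
    if (PIN_Init(argc, argv)) {
        return Usage();
    }

    IMG img = IMG_Open(KnobInputFile);
    if (!IMG_Valid(img)) {
        std::cout << "Could not open " << KnobInputFile.Value() << endl;
        return 1;
    }

    std::cout << hex;
    rtnInternalRangeList.clear();

    for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec)) {
        std::cout << "Section: " << setw(8) << SEC_Address(sec) << " " << SEC_Name(sec) << endl;
        for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn)) {
            DumpRoutine(rtn);
        }
    }

    IMG_Close(img);
    return 0;
}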
// Returns the section's name as a NUL-terminated C string.
// SEC_Name() yields a temporary std::string, so a heap copy (strdup) is
// handed out instead of its c_str().  Nothing in this function releases the
// copy: the caller owns it and is responsible for free()-ing it; every call
// allocates afresh.
static const char *SEC_Name_detour(SEC sec)
{
    const std::string name = SEC_Name(sec);
    const char *copy = strdup(name.c_str());
    return copy;
}
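// Record the main executable in `proc_info`: its address range, entry point,
// name, initial entropy, and its section table (one Section per SEC).
static void recordMainExecutable(IMG img, ProcInfo *proc_info)
{
    const ADDRINT startAddr = IMG_LowAddress(img);
    const ADDRINT endAddr = IMG_HighAddress(img);
    proc_info->setMainIMGAddress(startAddr, endAddr);
    // address of the first instruction
    proc_info->setFirstINSaddress(IMG_Entry(img));
    // program name
    proc_info->setProcName(IMG_Name(img));

    // initial entropy of the PE; the separator lines bracket GetEntropy's
    // own output in the log
    MYINFO("----------------------------------------------");
    float initial_entropy = proc_info->GetEntropy();
    proc_info->setInitialEntropy(initial_entropy);
    MYINFO("----------------------------------------------");

    // sections of the PE
    for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec)) {
        Section item;
        item.name = SEC_Name(sec);
        item.begin = SEC_Address(sec);
        item.end = item.begin + SEC_Size(sec);
        proc_info->insertSection(item);
    }
    // DEBUG
    proc_info->PrintSections();
}

// Record a loaded library: protect ntdll's .text, install the hooks, add the
// module to the library list and, when its name is in the filter array, to
// the filtered-library list.
// `name` is the full image path; the ntdll test is a substring match on it.
static void recordLibrary(IMG img, const std::string &name,
                          ProcInfo *proc_info, FilterHandler *filterHandler)
{
    const ADDRINT startAddr = IMG_LowAddress(img);
    const ADDRINT endAddr = IMG_HighAddress(img);

    if (name.find("ntdll") != std::string::npos) {
        for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec)) {
            if (SEC_Name(sec) == ".text") {
                proc_info->addProtectedSection(SEC_Address(sec),
                                               SEC_Address(sec) + SEC_Size(sec));
            }
        }
    }
    //*** If you need to protect other sections of other dll put them here ***

    hookFun.hookDispatcher(img);
    proc_info->addLibrary(name, startAddr, endAddr);

    if (filterHandler->IsNameInFilteredArray(name)) {
        filterHandler->addToFilteredLibrary(name, startAddr, endAddr);
        // MYINFO appears to be printf-style (the %s format); a std::string
        // must not be passed through varargs, so hand it the C string.
        MYINFO("Added to the filtered array the module %s\n", name.c_str());
    }
}

// Image-load callback:
// - for the main executable: get the initial entropy and the PE section data
// - for every other image: add it as a (possibly filtered) library
void imageLoadCallback(IMG img, void *)
{
    ProcInfo *proc_info = ProcInfo::getInstance();
    FilterHandler *filterHandler = FilterHandler::getInstance();

    // The entropy and section data are taken from the main executable only;
    // libraries are recorded separately and never contribute to them.
    if (IMG_IsMainExecutable(img)) {
        recordMainExecutable(img, proc_info);
    } else {
        recordLibrary(img, IMG_Name(img), proc_info, filterHandler);
    }
}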