// We have to instrument traces in order to instrument each BBL, the API doesn't have a BBL_AddInstrumentFunction
VOID trace_instrumentation(TRACE trace, VOID *v)
{
// We don't want to instrument the BBL contained in the Windows API
if(is_address_in_blacklisted_modules(TRACE_Address(trace)))
return;
for(BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
// What's going on under the hood
// LOG("[INSTRU] BBL Address: " + hexstr(BBL_Address(bbl)) + ", " + hexstr(BBL_NumIns(bbl)) + "\n");
// Insert a call to handle_basic_block before every basic block, passing the number of instructions
BBL_InsertCall(
bbl,
IPOINT_ANYWHERE,
(AFUNPTR)handle_basic_block,
IARG_FAST_ANALYSIS_CALL, // Use a faster linkage for calls to analysis functions. Add PIN_FAST_ANALYSIS_CALL to the declaration between the return type and the function name. You must also add IARG_FAST_ANALYSIS_CALL to the InsertCall. For example:
IARG_UINT32,
BBL_NumIns(bbl),
IARG_ADDRINT,
BBL_Address(bbl),
IARG_END
);
}
}
void Trace(TRACE trace, void *v)
{
// for each bbl in the application trace...
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
// args: bbl=bbl, IPOINT_BEFORE=insert before bbl, checkBBL=ptr to function to insert,
// IARG_PTR=function argument type, BBL_Address(bbl)=function argument, IARG_END=end of arguement marker
BBL_InsertCall(bbl, IPOINT_BEFORE, (AFUNPTR)checkBBL, IARG_PTR, BBL_Address(bbl), IARG_END);
}
}
VOID Trace(TRACE trace, VOID *v)
{
if ( KnobNoSharedLibs.Value()
&& IMG_Type(SEC_Img(RTN_Sec(TRACE_Rtn(trace)))) == IMG_TYPE_SHAREDLIB)
return;
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
// Insert instrumentation to count the number of times the bbl is executed
BBLSTATS * bblstats = new BBLSTATS(BBL_Address(bbl), BBL_Size(bbl));
INS_InsertCall(BBL_InsHead(bbl), IPOINT_BEFORE, AFUNPTR(docount), IARG_PTR, &(bblstats->_executed), IARG_END);
// Remember the counter and stats so we can compute a summary at the end
statsList.push_back(bblstats);
}
}
VOID Trace(TRACE trace, VOID *v)
{
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
BBL_InsertCall(bbl, IPOINT_ANYWHERE, (AFUNPTR)LogBBL, IARG_FAST_ANALYSIS_CALL, IARG_ADDRINT, BBL_Address(bbl), IARG_END);
}
}
VOID Trace(TRACE trace, VOID *v)
{
if(TAINT_Analysis_On&&TAINT_Instrumentation_On)
{
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
if(bbl_taintedmem)
BBL_InsertCall(bbl,IPOINT_BEFORE,(AFUNPTR)bblBegin,IARG_END);
for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins))
{
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)checkEIP,IARG_INST_PTR,IARG_END);
if(INS_IsCall(ins))//detect overflow of stack
{
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)MemofRetAddr,
IARG_MEMORYOP_EA, 0,
IARG_END);
}
if ( INS_Opcode(ins) >= XED_ICLASS_MOV && INS_Opcode(ins) <= XED_ICLASS_MOVZX )//&& INS_Address(ins) == 0x7c80a2f0)//||INS_Address(ins)==0x7c80a2f3))//||( (INS_Opcode(ins) >= XED_ICLASS_POP) && (INS_Opcode(ins) <= XED_ICLASS_POPFQ))||((INS_Opcode(ins) >= XED_ICLASS_PUSH) && (INS_Opcode(ins) <= XED_ICLASS_PUSHFQ))||(INS_Opcode(ins) == XED_ICLASS_LEA))
{
if (INS_has_immed(ins))
{
if (INS_IsMemoryWrite(ins)) //immed -> mem
{
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)ImmedCleanMem,
IARG_MEMORYOP_EA, 0,
IARG_END);
}
else //immed -> reg
{
REG insreg1 = INS_get_write_reg(ins);
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)ImmedCleanReg,
IARG_ADDRINT, (ADDRINT)insreg1,
IARG_END);
}
}
else if (INS_IsMemoryRead(ins)) //mem -> reg
{
//in this case we call MemTaintReg to copy the taint if relevant
REG insreg2 = INS_get_write_reg(ins);
REG basereg2 = INS_get_mem_basereg(ins);
REG indexreg2 = INS_get_mem_indexreg(ins);
//ADDRINT insadd = INS_Address(ins);
//string insdis = INS_Disassemble(ins);
//out << "instruction 2 opcode " << INS_Opcode(ins)<<endl;
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)MemTaintReg,
IARG_MEMORYOP_EA, 0,
IARG_UINT32,INS_MemoryScale(ins),
IARG_ADDRINT, (ADDRINT)basereg2,
IARG_ADDRINT, (ADDRINT)indexreg2,
IARG_ADDRINT, (ADDRINT)insreg2,
IARG_UINT32, INS_Opcode(ins),
IARG_INST_PTR,
IARG_END);
}
else if (INS_IsMemoryWrite(ins)) //reg -> mem
{
//in this case we call RegTaintMem to copy the taint if relevant
REG insreg3 = INS_get_read_reg(ins);
REG basereg3 = INS_get_memwr_basereg(ins);
REG indexreg3 = INS_get_memwr_indexreg(ins);
//ADDRINT insadd = INS_Address(ins);
//IARG_INST_PTR
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)RegTaintMem,
IARG_ADDRINT,(ADDRINT)insreg3,
IARG_UINT32,INS_MemoryScale(ins),
IARG_ADDRINT, (ADDRINT)basereg3,
IARG_ADDRINT, (ADDRINT)indexreg3,
IARG_MEMORYOP_EA, 0,
IARG_UINT32, INS_Opcode(ins),
IARG_INST_PTR,
IARG_END);
}
else if (INS_RegR(ins, 0) != REG_INVALID()) //reg -> reg
{
//in this case we call RegTaintReg
REG Rreg = INS_get_read_reg(ins);
REG Wreg = INS_get_write_reg(ins);
//ADDRINT insadd = INS_Address(ins);
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)RegTaintReg,
IARG_ADDRINT, (ADDRINT)Rreg,
IARG_ADDRINT, (ADDRINT)Wreg,
IARG_UINT32, INS_Opcode(ins),
IARG_INST_PTR,
IARG_END);
}
else //should never happen
{
out << "serious error?!\n" << endl;
}
} // IF opcode is a MOV
/*
if(bbl_taintedmem == 1&&INS_IsBranch(ins))
{
out << BBL_Address(bbl) <<endl;
out << INS_Address(ins)<<endl;
out << INS_NextAddress(ins)<<endl;
out << INS_DirectBranchOrCallTargetAddress(ins)<<endl;
out << " taintBBL: "<<endl;
out << INS_Disassemble(ins) <<endl;
if(INS_NextAddress(ins)>=BBL_Address(bbl)&&INS_NextAddress(ins)<=INS_Address(ins))
{
out << "find bbl loop"<<endl;
//bblLoop = 1;
}
}
*/
if(bbl_taintedmem ==1 && ins==BBL_InsTail(bbl))
{
// out <<"find tainted bbl " <<endl;
// out <<"bbl start address: "<< BBL_Address(bbl) <<endl;
// out <<"bbl size: "<<BBL_Size(bbl) << endl;
// out <<"bbl head: "<< INS_Disassemble(BBL_InsHead(bbl))<<endl;
// out <<"bbl tail: "<< INS_Disassemble(ins) <<endl;
if(INS_DirectBranchOrCallTargetAddress(ins)>=BBL_Address(bbl)&&INS_DirectBranchOrCallTargetAddress(ins)<=INS_Address(ins))
{
out<<endl<<"this tainted bbl is a loop"<<endl;
//BBL_InsertCall(bbl,IPOINT_AFTER,(AFUNPTR)loopBblEnd,IARG_END);
}
}
}// For INS
} // For BBL
}//for enable DTA
} // VOID Trace
