// We have to instrument traces in order to instrument each BBL, the API doesn't have a BBL_AddInstrumentFunction VOID trace_instrumentation(TRACE trace, VOID *v) { // We don't want to instrument the BBL contained in the Windows API if(is_address_in_blacklisted_modules(TRACE_Address(trace))) return; for(BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { // What's going on under the hood // LOG("[INSTRU] BBL Address: " + hexstr(BBL_Address(bbl)) + ", " + hexstr(BBL_NumIns(bbl)) + "\n"); // Insert a call to handle_basic_block before every basic block, passing the number of instructions BBL_InsertCall( bbl, IPOINT_ANYWHERE, (AFUNPTR)handle_basic_block, IARG_FAST_ANALYSIS_CALL, // Use a faster linkage for calls to analysis functions. Add PIN_FAST_ANALYSIS_CALL to the declaration between the return type and the function name. You must also add IARG_FAST_ANALYSIS_CALL to the InsertCall. For example: IARG_UINT32, BBL_NumIns(bbl), IARG_ADDRINT, BBL_Address(bbl), IARG_END ); } }
// Trace-level instrumentation callback: arranges for checkBBL to run before
// every basic block of the trace, receiving that block's start address.
void Trace(TRACE trace, void *v)
{
    BBL current = TRACE_BblHead(trace);
    for (; BBL_Valid(current); current = BBL_Next(current)) {
        // IPOINT_BEFORE   - insert ahead of the block's first instruction
        // checkBBL        - analysis routine to call
        // IARG_PTR, addr  - single pointer-sized argument: the block address
        // IARG_END        - terminates the argument list
        BBL_InsertCall(current,
                       IPOINT_BEFORE,
                       (AFUNPTR)checkBBL,
                       IARG_PTR, BBL_Address(current),
                       IARG_END);
    }
}
// Trace-level instrumentation callback: gives every basic block of the trace its
// own BBLSTATS record with an execution counter and appends that record to
// statsList, from which the end-of-run summary is computed.
VOID Trace(TRACE trace, VOID *v)
{
    // With KnobNoSharedLibs set, traces attributed to a shared-library image are
    // not instrumented at all. The image is found by walking trace -> routine ->
    // section -> image, as Pin's sample tools do. NOTE(review): how this chain
    // behaves for a trace with no enclosing routine is not visible here — confirm.
    if (KnobNoSharedLibs.Value()) {
        if (IMG_Type(SEC_Img(RTN_Sec(TRACE_Rtn(trace)))) == IMG_TYPE_SHAREDLIB) {
            return;
        }
    }

    BBL block = TRACE_BblHead(trace);
    while (BBL_Valid(block)) {
        // One record per block. Ownership passes to statsList; this function
        // never frees the record.
        BBLSTATS *record = new BBLSTATS(BBL_Address(block), BBL_Size(block));

        // docount runs before the block's first instruction and receives a
        // pointer to the record's _executed field.
        INS_InsertCall(BBL_InsHead(block),
                       IPOINT_BEFORE,
                       AFUNPTR(docount),
                       IARG_PTR, &(record->_executed),
                       IARG_END);

        statsList.push_back(record);
        block = BBL_Next(block);
    }
}
// Trace-level instrumentation callback: makes LogBBL run once per basic block of
// the trace, passing that block's start address.
VOID Trace(TRACE trace, VOID *v)
{
    BBL block = TRACE_BblHead(trace);
    while (BBL_Valid(block)) {
        // IPOINT_ANYWHERE: Pin chooses the insertion point inside the block.
        // IARG_FAST_ANALYSIS_CALL: fast linkage; LogBBL's declaration (not visible
        // here) must carry the matching PIN_FAST_ANALYSIS_CALL.
        BBL_InsertCall(block,
                       IPOINT_ANYWHERE,
                       (AFUNPTR)LogBBL,
                       IARG_FAST_ANALYSIS_CALL,
                       IARG_ADDRINT, BBL_Address(block),
                       IARG_END);
        block = BBL_Next(block);
    }
}
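// Attaches the taint-propagation routine for one MOV-family instruction.
// Exactly one analysis call is inserted, chosen by operand kind:
//   immediate -> memory : ImmedCleanMem
//   immediate -> reg    : ImmedCleanReg
//   memory    -> reg    : MemTaintReg   (copies taint, per the original comments)
//   reg       -> memory : RegTaintMem   (copies taint)
//   reg       -> reg    : RegTaintReg   (copies taint)
// The "clean" meaning of the Immed* routines is inferred from their names; they
// are defined elsewhere — confirm against them.
static void InstrumentMovTaint(INS ins)
{
    if (INS_has_immed(ins)) {
        if (INS_IsMemoryWrite(ins)) {
            // immed -> mem: memory operand 0 is the destination.
            INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)ImmedCleanMem,
                           IARG_MEMORYOP_EA, 0,
                           IARG_END);
        } else {
            // immed -> reg
            REG dst = INS_get_write_reg(ins);
            INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)ImmedCleanReg,
                           IARG_ADDRINT, (ADDRINT)dst,
                           IARG_END);
        }
        return;
    }

    if (INS_IsMemoryRead(ins)) {
        // mem -> reg: pass the effective address together with the scale, base
        // and index registers that formed it, plus the opcode and the IP.
        REG dst = INS_get_write_reg(ins);
        REG base = INS_get_mem_basereg(ins);
        REG index = INS_get_mem_indexreg(ins);
        INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)MemTaintReg,
                       IARG_MEMORYOP_EA, 0,
                       IARG_UINT32, INS_MemoryScale(ins),
                       IARG_ADDRINT, (ADDRINT)base,
                       IARG_ADDRINT, (ADDRINT)index,
                       IARG_ADDRINT, (ADDRINT)dst,
                       IARG_UINT32, INS_Opcode(ins),
                       IARG_INST_PTR,
                       IARG_END);
    } else if (INS_IsMemoryWrite(ins)) {
        // reg -> mem: same shape as above, with the source register first.
        REG src = INS_get_read_reg(ins);
        REG base = INS_get_memwr_basereg(ins);
        REG index = INS_get_memwr_indexreg(ins);
        INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)RegTaintMem,
                       IARG_ADDRINT, (ADDRINT)src,
                       IARG_UINT32, INS_MemoryScale(ins),
                       IARG_ADDRINT, (ADDRINT)base,
                       IARG_ADDRINT, (ADDRINT)index,
                       IARG_MEMORYOP_EA, 0,
                       IARG_UINT32, INS_Opcode(ins),
                       IARG_INST_PTR,
                       IARG_END);
    } else if (INS_RegR(ins, 0) != REG_INVALID()) {
        // reg -> reg
        REG src = INS_get_read_reg(ins);
        REG dst = INS_get_write_reg(ins);
        INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)RegTaintReg,
                       IARG_ADDRINT, (ADDRINT)src,
                       IARG_ADDRINT, (ADDRINT)dst,
                       IARG_UINT32, INS_Opcode(ins),
                       IARG_INST_PTR,
                       IARG_END);
    } else {
        // A MOV-family instruction with no immediate, no memory operand and no
        // read register is not expected; report it rather than silently skip it.
        out << "serious error?!\n" << endl;
    }
}

// Reports a tainted basic block whose last instruction transfers control back
// into the block itself. Only a direct branch/call has a statically known
// target, and INS_DirectBranchOrCallTargetAddress is only valid for those, so
// any other tail (fall-through, ret, indirect jmp/call) is skipped instead of
// being queried. This currently only logs; no analysis call is inserted.
static void ReportTaintedBblLoop(BBL bbl, INS tail)
{
    if (!INS_IsDirectBranchOrCall(tail)) {
        return;
    }
    ADDRINT target = INS_DirectBranchOrCallTargetAddress(tail);
    // "Back into this block": target within [block start, tail address].
    if (target >= BBL_Address(bbl) && target <= INS_Address(tail)) {
        out << endl << "this tainted bbl is a loop" << endl;
    }
}

// Trace-level instrumentation callback for the taint tracker. Does nothing
// unless both TAINT_Analysis_On and TAINT_Instrumentation_On are set. For every
// instruction it inserts checkEIP (with the instruction pointer), adds the
// return-address check on calls, attaches the taint-propagation routine to
// MOV-family instructions and, when bbl_taintedmem is set, looks for a
// self-loop at the block tail.
VOID Trace(TRACE trace, VOID *v)
{
    if (!(TAINT_Analysis_On && TAINT_Instrumentation_On)) {
        return;
    }

    for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) {
        // bbl_taintedmem is read here at instrumentation time, so its value when
        // Pin compiles this trace decides whether bblBegin is attached.
        // NOTE(review): confirm this is the intended semantics.
        if (bbl_taintedmem) {
            BBL_InsertCall(bbl, IPOINT_BEFORE, (AFUNPTR)bblBegin, IARG_END);
        }

        for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins)) {
            INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)checkEIP, IARG_INST_PTR, IARG_END);

            if (INS_IsCall(ins)) {
                // Stack-overflow detection on the return-address slot: memory
                // operand 0 is assumed to be the pushed return address.
                // NOTE(review): for an indirect call through memory, operand 0 may
                // be the target load instead — confirm.
                INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)MemofRetAddr, IARG_MEMORYOP_EA, 0, IARG_END);
            }

            // MOV-family filter. This relies on the XED iclass enum placing the MOV
            // variants contiguously between XED_ICLASS_MOV and XED_ICLASS_MOVZX;
            // which opcodes fall in that range depends on the XED version in use.
            if (INS_Opcode(ins) >= XED_ICLASS_MOV && INS_Opcode(ins) <= XED_ICLASS_MOVZX) {
                InstrumentMovTaint(ins);
            }

            // Original test is "== 1" here but truthiness above; kept as written.
            if (bbl_taintedmem == 1 && ins == BBL_InsTail(bbl)) {
                ReportTaintedBblLoop(bbl, ins);
            }
        }
    }
}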