PyObject* Python_RTN_CreateAt(PyObject* self, PyObject* args) { PyObject* address; PyObject* name; PyArg_ParseTuple(args, "L|s", &address, &name); ADDRINT address_object = (ADDRINT) address; char* name_object = PyString_AsString(name); RTN* rtn_return = (RTN*) malloc(sizeof(RTN)); *rtn_return = RTN_CreateAt(address_object, name_object); return Py_BuildValue("L", rtn_return); }
VOID rtnInst(IMG img, VOID *v) { // for(IMG temp = img; IMG_Valid(temp); temp = IMG_Next(temp)) // out <<IMG_Name(img)<<endl; // char * temp = "KVWebSvr.dll"; string dllname = IMG_Name(img); RTN dispatchRtn; ADDRINT funaddr; if(dllname.find("KVWebSvr.dll")!=string::npos) { out <<dllname<<"start address 0x " <<IMG_LowAddress(img) <<endl; out <<dllname<<"end address 0x "<<IMG_HighAddress(img) <<endl; funaddr = IMG_LowAddress(img)+0x18060; // RTN_CreateAt(0x100183b0,"sub_100183b0");//022D8060 // RTN_CreateAt(0x022D8060,"sub_invoke"); // dispatchRtn = RTN_FindByName(img, "sub_invoke"); RTN_CreateAt(funaddr,"sub_invoke"); // RTN_CreateAt(0x10019210,"sub_10019210"); dispatchRtn = RTN_FindByName(img, "sub_invoke"); // dispatchRtn = RTN_FindByAddress(0x100183b0); if (RTN_Valid(dispatchRtn)) { out << "find the taint source function" << endl; RTN_Open(dispatchRtn); RTN_InsertCall(dispatchRtn,IPOINT_BEFORE,(AFUNPTR)InvokeFunTaint,IARG_END); // RTN_InsertCall(dispatchRtn, IPOINT_BEFORE, (AFUNPTR)InputFunAddTaint, // IARG_FUNCARG_ENTRYPOINT_VALUE, 0, // IARG_FUNCARG_ENTRYPOINT_VALUE, 1, // IARG_FUNCARG_ENTRYPOINT_VALUE, 2, // IARG_END); RTN_Close(dispatchRtn); // out << RTN_Address(dispatchRtn)<< endl; } } //function-level taint inst_func_summary(img); }
// This routine is executed for each image VOID ImageLoad(IMG img, VOID *v) { if (!FlashPlayerConfigBuilder::instance().isSupportedFlashPlayer(img)) { return; } LOGF("Found supported Flash Player image: %s (0x%x - 0x%x)\n", IMG_Name(img).c_str(), IMG_LowAddress(img), IMG_HighAddress(img)); config = FlashPlayerConfigBuilder::instance().getConfig(); // config->setInterpRVA needs to be chosen in such way that // the value of _invoker can be found from [ESI+config->invinvokerOffsetInMethodInfookerOffset] RTN setInterp = RTN_CreateAt(config->loadOffset + config->setInterpRVA, "setInterp"); // config->setInterpRVA needs to be chosen in such way that // the value of _implGPR can be found from EAX RTN verifyOnCall = RTN_CreateAt(config->loadOffset + config->verifyOnCallRVA, "verifyOnCall"); if (setInterp == RTN_Invalid() || verifyOnCall == RTN_Invalid()) { LOGF("Instrumenting Flash Player failed. Check setInterp and verifyOnCall RVAs in config.\n"); return; } RTN_Open(setInterp); RTN_InsertCall(setInterp, IPOINT_BEFORE, (AFUNPTR)InterpretedMethodVerified, IARG_REG_VALUE, REG_ESI, IARG_END); RTN_Close(setInterp); RTN_Open(verifyOnCall); if(config->m_flash_version == VER_15){ RTN_InsertCall(verifyOnCall, IPOINT_AFTER, (AFUNPTR)JITedMethodVerified, IARG_REG_VALUE, REG_ECX, IARG_END); } else{ RTN_InsertCall(verifyOnCall, IPOINT_AFTER, (AFUNPTR)JITedMethodVerified, IARG_REG_VALUE, REG_EAX, IARG_END); } RTN_Close(verifyOnCall); // Register TraceCalls to be called to instrument instructions INS_AddInstrumentFunction(TraceCalls, 0); }
int rtn_create_at (lua_State *L) { ADDRINT v1 = lua_tonumber(L,1); string v2 = lua_tostring(L,2); RTN_to_lua(L, RTN_CreateAt(v1,v2)); return 1; }
// Replay the image log. // We run this before the each instruction of the code as an analysis routine. // So we eat up the image loads one instruction at a time! // We can also call it before PIN_StartProgram, to check that queuing // the replay calls up works. // static void ReplayImageEntry() { if (feof(imgLog)) return; char tag = fgetc(imgLog); switch (tag) { case 'L': { string imageName; ADDRINT startAddr; ADDRINT offset; USIZE size; BOOL mainExe; vector<RTN_INFO> rtns; ParseImageLoadLine(imageName, &startAddr, &size, &offset, &mainExe, &rtns); if (KnobVerbose) fprintf (stderr, "Replaying load for %s, address: %llx offset: %llx, size: %lx\n", imageName.c_str(), (unsigned long long)startAddr, (unsigned long long)offset, (long)size); // Create a temporary IMG object IMG img = IMG_CreateAt(imageName.c_str(), startAddr, size, offset, mainExe); ASSERT(IMG_Valid(img), "IMG_CreateAt for " + imageName + " is invalid"); // Populate the IMG object with recorded RTNs PIN_LockClient(); for (vector<RTN_INFO>::iterator it = rtns.begin(); it < rtns.end(); it++) { RTN rtn = RTN_CreateAt(it->startAddr, it->name); ASSERT(RTN_Valid(rtn), "Failed to create RTN " + it->name + " at address " + hexstr(it->startAddr)); } // And, finally, inform Pin that it is all there, which will invoke // image load callbacks. IMG_ReplayImageLoad(img); PIN_UnlockClient(); break; } case 'U': { string imageName; ParseImageUnloadLine(imageName); IMG img = FindNamedImg(imageName); if (KnobVerbose) fprintf (stderr, "Replaying unload for %s\n", imageName.c_str()); // And, finally, inform Pin that it has gone, which will invoke // image unload callbacks. PIN_LockClient(); PIN_ReplayImageUnload(img); PIN_UnlockClient(); break; } default: fprintf (trace, "Unexpected line in log file starting with '%c'\n", tag); exit(1); } }
static RTN RTN_CreateAt_detour(ADDRINT addr, const char *name) { // RTN_CreateAt takes a std::string as parameter, // hence the detour function return RTN_CreateAt(addr, name); }