void emu_track_and_source_free(struct emu_track_and_source *et)
{
if (et->static_instr_table != NULL)
emu_hashtable_free(et->static_instr_table);
if (et->static_instr_graph != NULL)
emu_graph_free(et->static_instr_graph);
if (et->run_instr_table != NULL)
emu_hashtable_free(et->run_instr_table);
if (et->run_instr_graph != NULL)
emu_graph_free(et->run_instr_graph);
free(et);
}
void emu_env_linux_free(struct emu_env_linux *eel)
{
emu_hashtable_free(eel->syscall_hooks_by_name);
free(eel->syscall_hookx);
free(eel->hooks);
// emu_profile_free(eel->profile);
free(eel);
}
int graph_draw(struct emu_graph *graph)
{
struct emu_vertex *ev;
struct instr_vertex *iv;
FILE *f = fopen(opts.graphfile,"w+");
struct emu_graph *sgraph = emu_graph_new();
struct emu_hashtable *ht = emu_hashtable_new(2047, emu_hashtable_ptr_hash, emu_hashtable_ptr_cmp);
struct emu_vertex *nev;
struct instr_vertex *niv=NULL;
printf("copying vertexes\n");
for ( ev = emu_vertexes_first(graph->vertexes); !emu_vertexes_attail(ev); ev = emu_vertexes_next(ev) )
{
iv = (struct instr_vertex *)ev->data;
nev = emu_vertex_new();
emu_graph_vertex_add(sgraph, nev);
niv = instr_vertex_copy(iv);
nev->data = niv;
emu_hashtable_insert(ht, (void *)iv, nev);
ev->color = white;
}
printf("optimizing graph\n");
for ( ev = emu_vertexes_first(graph->vertexes); !emu_vertexes_attail(ev); ev = emu_vertexes_next(ev) )
{
// ignore known
if ( ev->color == black )
continue;
printf("vertex %p\n", (void *)ev);
// find the first in a chain
iv = (struct instr_vertex *)ev->data;
while ( emu_edges_length(ev->backedges) == 1 && emu_edges_length(ev->edges) <= 1 && ev->color == white && iv->dll == NULL && iv->syscall == NULL )
{
ev->color = grey;
struct emu_vertex *xev = emu_edges_first(ev->backedges)->destination;
iv = (struct instr_vertex *)xev->data;
if ( emu_edges_length(xev->backedges) > 1 || emu_edges_length(xev->edges) > 1 || iv->dll != NULL || iv->syscall != NULL )
break;
ev = xev;
printf(" -> vertex %p\n",(void *)ev);
}
iv = (struct instr_vertex *)ev->data;
// create the new vertex
nev = (struct emu_vertex *)emu_hashtable_search(ht, (void *)iv)->value;
niv = (struct instr_vertex *)nev->data;
iv = (struct instr_vertex *)ev->data;
printf("going forwards from %p\n", (void *)ev);
while ( emu_edges_length(ev->edges) == 1 && emu_edges_length(ev->backedges) <= 1 && ev->color != black && iv->dll == NULL && iv->syscall == NULL )
{
ev->color = black;
struct emu_vertex *xev = emu_edges_first(ev->edges)->destination;
iv = (struct instr_vertex *)xev->data;
if ( emu_edges_length(xev->backedges) > 1 || emu_edges_length(xev->edges) > 1 ||
iv->dll != NULL || iv->syscall != NULL )
break;
ev = xev;
iv = (struct instr_vertex *)ev->data;
emu_string_append_char(niv->instr_string, emu_string_char(iv->instr_string));
printf(" -> vertex %p\n",(void *)ev);
}
ev->color = black;
printf("copying edges for %p\n",(void *)ev);
struct emu_edge *ee;
for ( ee = emu_edges_first(ev->edges); !emu_edges_attail(ee); ee = emu_edges_next(ee) )
{
struct instr_vertex *ivto = emu_vertex_data_get(ee->destination);
struct emu_hashtable_item *ehi = emu_hashtable_search(ht, (void *)ivto);
struct emu_vertex *to = (struct emu_vertex *)ehi->value;
if ( 1 )// nev != to )//&& to->color != black )
{
struct emu_edge *nee = emu_vertex_edge_add(nev, to);
nee->count = ee->count;
nee->data = ee->data;
printf(" -> %p\n", (void *)to);
}
}
}
graph->vertex_destructor = instr_vertex_destructor;
// emu_graph_free(graph);
graph = sgraph;
emu_hashtable_free(ht);
fprintf(f, "digraph G {\n\t//rankdir=LR\n\tnode [fontname=Courier, labeljust=r];\n");
#if 0
int numdlls=0;
while ( env->loaded_dlls[numdlls] != NULL )
{
int has_dll = 0;
struct emu_string *fs = emu_string_new();
emu_string_append_format(fs, "\t subgraph cluster%i {\n\t\t node [shape=box, style=filled, color=\".7 .3 1.0\"];\n\t\tstyle=filled;\n\t\tcolor=lightgrey;\n\t\tlabel=\"%s\"\n\t\t", numdlls, env->loaded_dlls[numdlls]->dllname);
for ( ev = emu_vertexes_first(graph->vertexes); !emu_vertexes_attail(ev); ev = emu_vertexes_next(ev) )
{
struct instr_vertex *iv = emu_vertex_data_get(ev);
if ( iv->dll == env->loaded_dlls[numdlls] )
{
emu_string_append_format(fs, "\t\%i [label = \"%s\"];\n", iv->eip, emu_string_char(iv->instr_string));
has_dll = 1;
}
}
emu_string_append_char(fs, "\t}\n");
fprintf(f, "%s", emu_string_char(fs));
numdlls++;
}
int32_t emu_shellcode_test(struct emu *e, uint8_t *data, uint16_t size)
{
logPF(e);
/*
bool found_good_candidate_after_getpc = false;
uint32_t best_eip=0;
*/
// This check avoids a floating point exception further down the line
if(size < 2)
{
return -1;
}
uint32_t offset;
struct emu_list_root *el;
el = emu_list_create();
for ( offset=0; offset<size ; offset++ )
{
if ( emu_getpc_check(e, (uint8_t *)data, size, offset) != 0 )
{
logDebug(e, "possible getpc at offset %i (%08x)\n", offset, offset);
struct emu_list_item *eli = emu_list_item_create();
eli->uint32 = offset;
emu_list_insert_last(el, eli);
}
}
if ( emu_list_length(el) == 0 )
{
emu_list_destroy(el);
return -1;
}
{
struct emu_cpu *cpu = emu_cpu_get(e);
struct emu_memory *mem = emu_memory_get(e);
/* write the code to the offset */
emu_memory_write_block(mem, STATIC_OFFSET, data, size);
/* set the registers to the initial values */
int reg;
for ( reg=0;reg<8;reg++ )
emu_cpu_reg32_set(cpu,reg ,0x0);
emu_cpu_reg32_set(cpu, esp, 0x00120000);
emu_cpu_eip_set(cpu, 0);
/* set the flags */
emu_cpu_eflags_set(cpu,0x0);
}
struct emu_track_and_source *etas = emu_track_and_source_new();
logDebug(e, "creating static callgraph\n");
/* create the static analysis graph
set memory read only so instructions can't change it*/
emu_memory_mode_ro(emu_memory_get(e));
emu_source_instruction_graph_create(e, etas, STATIC_OFFSET, size);
emu_memory_mode_rw(emu_memory_get(e));
struct emu_hashtable *eh = emu_hashtable_new(size+4/4, emu_hashtable_ptr_hash, emu_hashtable_ptr_cmp);
struct emu_list_item *eli;
// struct emu_env_w32 *env = emu_env_w32_new(e);
struct emu_list_root *results = emu_list_create();
for ( eli = emu_list_first(el); !emu_list_attail(eli); eli = emu_list_next(eli) )
{
logDebug(e, "testing offset %i %08x\n", eli->uint32, eli->uint32);
emu_shellcode_run_and_track(e, data, size, eli->uint32, 256, etas, eh,
results, false);
}
/* for all positions we got, take the best, maybe take memory access into account later */
emu_list_qsort(results, tested_positions_cmp);
if ( ((struct emu_stats *)emu_list_first(results)->data)->cpu.steps != 256 )
{
emu_hashtable_free(eh);
eh = emu_hashtable_new(size+4/4, emu_hashtable_ptr_hash, emu_hashtable_ptr_cmp);
logDebug(e, "brute force!\n");
struct emu_list_root *new_results = emu_list_create();
for ( eli = emu_list_first(results); !emu_list_attail(eli); eli = emu_list_next(eli) )
{
struct emu_stats *es = (struct emu_stats *)eli->data;
logDebug(e, "brute at offset 0x%08x \n",es->eip - STATIC_OFFSET);
emu_shellcode_run_and_track(e, data, size, es->eip - STATIC_OFFSET, 256, etas, eh,
new_results, true);
}
emu_list_concat(results, new_results);
emu_list_destroy(new_results);
emu_list_qsort(results, tested_positions_cmp);
/* uniq */
for ( eli = emu_list_first(results); !emu_list_attail(eli); eli = emu_list_next(eli) )
{
struct emu_list_item *next = emu_list_next(eli);
if (!emu_list_attail(next) &&
((struct emu_stats *)eli->data)->eip == ((struct emu_stats *)next->data)->eip )
{
emu_stats_free(next->data);
emu_list_remove(next);
free(next);
}
}
}
emu_hashtable_free(eh);
emu_list_destroy(el);
// emu_env_w32_free(env);
emu_track_and_source_free(etas);
{
struct emu_list_item *eli;
for ( eli = emu_list_first(results); !emu_list_attail(eli); eli = emu_list_next(eli) )
{
struct emu_stats *es = (struct emu_stats *)eli->data;
logDebug(e, "b offset 0x%08x steps %i\n",es->eip, es->cpu.steps);
}
}
eli = emu_list_first(results);
struct emu_stats *es = (struct emu_stats *)eli->data;
if ( es->cpu.steps > 100 )
{
offset = es->eip;
}
else
{
offset = -1;
}
for (eli = emu_list_first(results); !emu_list_attail(eli); eli = emu_list_next(eli))
{
emu_stats_free((struct emu_stats *)eli->data);
}
emu_list_destroy(results);
return offset - STATIC_OFFSET;
}
