REG INS_get_memwr_basereg(INS ins)
{
for (unsigned int i = 0; i < INS_OperandCount(ins); i++)
{
if (INS_OperandIsMemory(ins, i) && INS_OperandWritten(ins, i))
{
return REG_FullRegName(INS_OperandMemoryBaseReg(ins, i));
}
}
return REG_INVALID();
}
// returns the full name of the first register operand written
REG INS_get_write_reg(INS ins)
{
for (unsigned int i = 0; i < INS_OperandCount(ins); i++)
{
if (INS_OperandIsReg(ins, i) && INS_OperandWritten(ins, i))
{
return REG_FullRegName(INS_OperandReg(ins, i));
}
}
return REG_INVALID();
}
void taint_ins(INS ins, void *v)
{
uint32_t opcode = INS_Opcode(ins);
uint32_t opcount = INS_OperandCount(ins);
// the generic stuff only supports up to 5 operands
if(opcount < 6 && taint_handler_count[opcode] != 0) {
// first we have to build up the flags, which is kind of expensive.
uint32_t flags = 0;
for (uint32_t i = 0; i < opcount; i++) {
uint32_t op_flag = 0;
if(INS_OperandIsMemory(ins, i) != 0) {
op_flag |= T_MEM;
}
if(INS_OperandIsAddressGenerator(ins, i) != 0) {
op_flag |= T_ADR;
}
if(INS_OperandIsReg(ins, i) != 0) {
op_flag |= T_REG;
}
if(INS_OperandIsImmediate(ins, i) != 0) {
op_flag |= T_IMM;
}
if(INS_OperandRead(ins, i) != 0) {
op_flag |= T_RD;
}
if(INS_OperandWritten(ins, i) != 0) {
op_flag |= T_WR;
}
flags |= op_flag << (6 * i);
}
for (uint32_t i = 0; i < taint_handler_count[opcode]; i++) {
if(taint_handler_flag[opcode][i] == flags) {
taint_prop_handle(ins, taint_handler_fn[opcode][i],
taint_handler_args[opcode][i]);
return;
}
}
}
}
void log_ins(INS ins)
{
// dump the instruction
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) &execute_instruction,
IARG_INST_PTR, IARG_PTR, strdup(INS_Disassemble(ins).c_str()),
IARG_END);
// reads memory (1)
if(INS_IsMemoryRead(ins) != 0) {
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) &dump_read_memory,
IARG_MEMORYREAD_EA, IARG_MEMORYREAD_SIZE, IARG_END);
}
// reads memory (2)
if(INS_HasMemoryRead2(ins) != 0) {
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) &dump_read_memory,
IARG_MEMORYREAD2_EA, IARG_MEMORYREAD_SIZE, IARG_END);
}
IPOINT after = IPOINT_AFTER;
if(INS_IsCall(ins) != 0) {
// TODO is this correct?
after = IPOINT_TAKEN_BRANCH;
}
else if(INS_IsSyscall(ins) != 0) {
// TODO support syscalls
return;
}
else if(INS_HasFallThrough(ins) == 0 && (INS_IsBranch(ins) != 0 ||
INS_IsRet(ins) != 0)) {
// TODO is this correct?
after = IPOINT_TAKEN_BRANCH;
}
// dump written memory
if(INS_IsMemoryWrite(ins) != 0) {
INS_InsertCall(ins, IPOINT_BEFORE,
(AFUNPTR) &dump_written_memory_before, IARG_MEMORYWRITE_EA,
IARG_MEMORYWRITE_SIZE, IARG_END);
INS_InsertCall(ins, after, (AFUNPTR) &dump_written_memory_after,
IARG_END);
}
// dump all affected registers
for (UINT32 i = 0; i < INS_OperandCount(ins); i++) {
if(INS_OperandIsMemory(ins, i) != 0) {
if(INS_OperandMemoryBaseReg(ins, i) != REG_INVALID()) {
REG base_reg = INS_OperandMemoryBaseReg(ins, i);
if(g_reg_index[base_reg] != 0) {
INS_InsertCall(ins, IPOINT_BEFORE,
(AFUNPTR) &dump_reg_before,
IARG_UINT32, g_reg_index[base_reg]-1,
IARG_REG_VALUE, INS_OperandMemoryBaseReg(ins, i),
IARG_END);
INS_InsertCall(ins, after,
(AFUNPTR) &dump_reg_r_after,
IARG_UINT32, g_reg_index[base_reg]-1, IARG_END);
}
}
if(INS_OperandMemoryIndexReg(ins, i) != REG_INVALID()) {
REG index_reg = INS_OperandMemoryIndexReg(ins, i);
if(g_reg_index[index_reg] != 0) {
INS_InsertCall(ins, IPOINT_BEFORE,
(AFUNPTR) &dump_reg_before,
IARG_UINT32, g_reg_index[index_reg]-1,
IARG_REG_VALUE, INS_OperandMemoryIndexReg(ins, i),
IARG_END);
INS_InsertCall(ins, after,
(AFUNPTR) &dump_reg_r_after,
IARG_UINT32, g_reg_index[index_reg]-1, IARG_END);
}
}
}
if(INS_OperandIsReg(ins, i) != 0) {
REG reg_index = REG_FullRegName(INS_OperandReg(ins, i));
if(INS_OperandReadAndWritten(ins, i) != 0) {
if(g_reg_index[reg_index] != 0) {
INS_InsertCall(ins, IPOINT_BEFORE,
(AFUNPTR) &dump_reg_before,
IARG_UINT32, g_reg_index[reg_index]-1,
IARG_REG_VALUE, reg_index, IARG_END);
INS_InsertCall(ins, after, (AFUNPTR) &dump_reg_rw_after,
IARG_UINT32, g_reg_index[reg_index]-1,
IARG_REG_VALUE, reg_index, IARG_END);
}
}
else if(INS_OperandRead(ins, i) != 0) {
if(g_reg_index[reg_index] != 0) {
INS_InsertCall(ins, IPOINT_BEFORE,
(AFUNPTR) &dump_reg_before,
IARG_UINT32, g_reg_index[reg_index]-1,
IARG_REG_VALUE, reg_index, IARG_END);
INS_InsertCall(ins, after, (AFUNPTR) &dump_reg_r_after,
IARG_UINT32, g_reg_index[reg_index]-1, IARG_END);
}
}
else if(INS_OperandWritten(ins, i) != 0) {
if(g_reg_index[reg_index] != 0) {
INS_InsertCall(ins, after, (AFUNPTR) &dump_reg_w_after,
IARG_UINT32, g_reg_index[reg_index]-1,
IARG_REG_VALUE, reg_index, IARG_END);
}
}
}
}
INS_InsertCall(ins, after, (AFUNPTR) &print_newline, IARG_END);
}
VOID HandleAccess (INS ins, BOOL isRead, BOOL *hasSegmentedMemAccess)
{
UINT32 operandCount = INS_OperandCount (ins);
UINT32 i, displacement, scale;
REG baseReg = REG_INVALID(), indexReg = REG_INVALID();
*hasSegmentedMemAccess = FALSE;
for (i=0; i<operandCount; i++)
{
if (INS_OperandIsMemory (ins, i) &&
(INS_OperandMemorySegmentReg (ins, i) == TESTED_SEG_REG ) &&
((isRead && INS_OperandRead (ins, i)) || (!isRead && INS_OperandWritten (ins, i)))
)
{
displacement = INS_OperandMemoryDisplacement (ins, i);
baseReg = INS_OperandMemoryBaseReg (ins, i);
indexReg = INS_OperandMemoryIndexReg (ins, i);
scale = INS_OperandMemoryScale (ins, i);
*hasSegmentedMemAccess = TRUE;
break;
}
}
/*fprintf(trace, " SegMemAccess-%s (hasSegmentedMemAccess %d) (operand %d) %p %s\n",
isRead?"READ":"WRITE", *hasSegmentedMemAccess, i, INS_Address(ins), INS_Disassemble(ins).c_str());*/
if (baseReg != REG_INVALID())
{
if (indexReg != REG_INVALID())
{
if (isRead)
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeSegmentedMemAccessBaseIndexDispl,
IARG_INST_PTR,
IARG_MEMORYREAD_EA,
IARG_UINT32, BASE_INDEX_DISPLACEMENT_ADDRESSING_READ_TYPE,
IARG_REG_VALUE, baseReg,
IARG_REG_VALUE, indexReg,
IARG_UINT32, scale,
IARG_UINT32, displacement,
IARG_THREAD_ID,
IARG_END);
}
else
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeSegmentedMemAccessBaseIndexDispl,
IARG_INST_PTR,
IARG_MEMORYWRITE_EA,
IARG_UINT32, BASE_INDEX_DISPLACEMENT_ADDRESSING_WRITE_TYPE,
IARG_REG_VALUE, baseReg,
IARG_REG_VALUE, indexReg,
IARG_UINT32, scale,
IARG_UINT32, displacement,
IARG_THREAD_ID,
IARG_END);
}
}
else
{
if (isRead)
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeSegmentedMemAccessBaseDispl,
IARG_INST_PTR,
IARG_MEMORYREAD_EA,
IARG_UINT32, BASE_DISPLACEMENT_ADDRESSING_READ_TYPE,
IARG_REG_VALUE, baseReg,
IARG_UINT32, displacement,
IARG_THREAD_ID,
IARG_END);
}
else
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeSegmentedMemAccessBaseDispl,
IARG_INST_PTR,
IARG_MEMORYWRITE_EA,
IARG_UINT32, BASE_DISPLACEMENT_ADDRESSING_WRITE_TYPE,
IARG_REG_VALUE, baseReg,
IARG_UINT32, displacement,
IARG_THREAD_ID,
IARG_END);
}
}
}
else if (indexReg != REG_INVALID())
{
if (isRead)
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeSegmentedMemAccessIndexDispl,
IARG_INST_PTR,
IARG_MEMORYREAD_EA,
IARG_UINT32, INDEX_DISPLACEMENT_ADDRESSING_READ_TYPE,
IARG_REG_VALUE, indexReg,
IARG_UINT32, scale,
IARG_UINT32, displacement,
IARG_THREAD_ID,
IARG_END);
}
else
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeSegmentedMemAccessIndexDispl,
IARG_INST_PTR,
IARG_MEMORYWRITE_EA,
IARG_UINT32, INDEX_DISPLACEMENT_ADDRESSING_WRITE_TYPE,
IARG_REG_VALUE, indexReg,
IARG_UINT32, scale,
IARG_UINT32, displacement,
IARG_THREAD_ID,
IARG_END);
}
}
else if (*hasSegmentedMemAccess)
{
if (isRead)
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeSegmentedMemAccessDispl,
IARG_INST_PTR,
IARG_MEMORYREAD_EA,
IARG_UINT32, DISPLACEMENT_ONLY_ADDRESSING_READ_TYPE,
IARG_UINT32, displacement,
IARG_THREAD_ID,
IARG_END);
}
else
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeSegmentedMemAccessDispl,
IARG_INST_PTR,
IARG_MEMORYWRITE_EA,
IARG_UINT32, DISPLACEMENT_ONLY_ADDRESSING_WRITE_TYPE,
IARG_UINT32, displacement,
IARG_THREAD_ID,
IARG_END);
}
}
}
// Is called for every instruction and instruments reads and writes
VOID Instruction(INS ins, VOID *v)
{
BOOL readsMemory, writesMemory, hasReadSegmentedMemAccess, hasWriteSegmentedMemAccess;
if (INS_EffectiveAddressWidth(ins)==16)
{
if (INS_SegmentRegPrefix(ins) == TESTED_SEG_REG)
{
readsMemory = INS_SegPrefixIsMemoryRead(ins);
writesMemory = INS_SegPrefixIsMemoryWrite(ins);
if(readsMemory)
{
if (INS_IsMemoryRead(ins))
{
HandleSegmentedAccess (ins, TRUE /* isRead*/, &hasReadSegmentedMemAccess) ;
}
}
if (writesMemory)
{
if (INS_IsMemoryWrite(ins))
{
HandleSegmentedAccess (ins, FALSE /* isRead*/, &hasWriteSegmentedMemAccess);
}
}
if (!hasReadSegmentedMemAccess && !hasWriteSegmentedMemAccess)
{
fprintf(trace, "**ERROR SegMemAccess-Lies %p %s\n", INS_Address(ins), INS_Disassemble(ins).c_str());
hadError = TRUE;
}
else
{
fprintf (trace, "Instrumented ins: %x %s\n",
INS_Address(ins), INS_Disassemble(ins).c_str());
}
fflush(trace);
}
else if (INS_IsMemoryRead(ins) || INS_IsMemoryWrite(ins))
{
fprintf (trace, "Instrumented ins: %x %s\n",
INS_Address(ins), INS_Disassemble(ins).c_str());
fflush (trace);
HandleAccess (ins, INS_IsMemoryRead(ins)) ;
}
}
#ifndef TARGET_LINUX
UINT32 operandCount = INS_OperandCount (ins);
UINT32 i;
for (i=0; i<operandCount; i++)
{
if (INS_OperandIsReg (ins, i) && REG_is_seg(INS_OperandReg (ins, i)) && INS_OperandWritten(ins, i))
{
fprintf(trace, "**ERROR SegOperand-WRITE, not supported %p %s\n", INS_Address(ins), INS_Disassemble(ins).c_str());
fflush(trace);
hadError = TRUE;
}
}
#endif
/*fprintf(trace, "%p %s\n", INS_Address(ins), INS_Disassemble(ins).c_str());
fflush (trace);*/
}
VOID HandleAccess (INS ins, BOOL isRead)
{
UINT32 operandCount = INS_OperandCount (ins);
UINT32 i, displacement=0, scale=0;
REG baseReg = REG_INVALID(), indexReg = REG_INVALID();
BOOL instrumented = FALSE;
for (i=0; i<operandCount; i++)
{
if (
((INS_OperandIsMemory (ins, i) && isRead && INS_OperandRead (ins, i)) ||
(INS_OperandIsMemory (ins, i) && !isRead && INS_OperandWritten (ins, i)))
)
{
displacement = INS_OperandMemoryDisplacement (ins, i);
baseReg = INS_OperandMemoryBaseReg (ins, i);
indexReg = INS_OperandMemoryIndexReg (ins, i);
scale = INS_OperandMemoryScale (ins, i);
break;
}
}
if (baseReg != REG_INVALID())
{
if (indexReg != REG_INVALID())
{
if (isRead)
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeMemAccessBaseIndexDispl,
IARG_INST_PTR,
IARG_MEMORYREAD_EA,
IARG_UINT32, BASE_INDEX_DISPLACEMENT_ADDRESSING_READ_TYPE,
IARG_REG_VALUE, baseReg,
IARG_REG_VALUE, indexReg,
IARG_UINT32, scale,
IARG_UINT32, displacement,
IARG_THREAD_ID,
IARG_END);
}
else
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeMemAccessBaseIndexDispl,
IARG_INST_PTR,
IARG_MEMORYWRITE_EA,
IARG_UINT32, BASE_INDEX_DISPLACEMENT_ADDRESSING_WRITE_TYPE,
IARG_REG_VALUE, baseReg,
IARG_REG_VALUE, indexReg,
IARG_UINT32, scale,
IARG_UINT32, displacement,
IARG_THREAD_ID,
IARG_END);
}
instrumented = TRUE;
}
else
{
if (isRead)
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeMemAccessBaseDispl,
IARG_INST_PTR,
IARG_MEMORYREAD_EA,
IARG_UINT32, BASE_DISPLACEMENT_ADDRESSING_READ_TYPE,
IARG_REG_VALUE, baseReg,
IARG_UINT32, displacement,
IARG_THREAD_ID,
IARG_END);
}
else
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeMemAccessBaseDispl,
IARG_INST_PTR,
IARG_MEMORYWRITE_EA,
IARG_UINT32, BASE_DISPLACEMENT_ADDRESSING_WRITE_TYPE,
IARG_REG_VALUE, baseReg,
IARG_UINT32, displacement,
IARG_THREAD_ID,
IARG_END);
}
instrumented = TRUE;
}
}
else
{
if (isRead)
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeMemAccessDispl,
IARG_INST_PTR,
IARG_MEMORYREAD_EA,
IARG_UINT32, DISPLACEMENT_ONLY_ADDRESSING_READ_TYPE,
IARG_UINT32, displacement,
IARG_THREAD_ID,
IARG_END);
}
else
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE, (AFUNPTR)AnalyzeMemAccessDispl,
IARG_INST_PTR,
IARG_MEMORYWRITE_EA,
IARG_UINT32, DISPLACEMENT_ONLY_ADDRESSING_WRITE_TYPE,
IARG_UINT32, displacement,
IARG_THREAD_ID,
IARG_END);
}
instrumented = TRUE;
}
ASSERTX (instrumented);
// must delete this INS - since it's memory address is 16bit, cannot be sure
// it accesses valid memory - so we are only testing the IARG_MEMORY(READ/WRITE)_EA
// on these instructions
INS_Delete(ins);
}
