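/*****************************************************************************
 Function     : traceBack
 Description  : Walk the chain of saved frame pointers starting at the current
                stack frame and hand every frame found to funcPackage(),
                outermost caller first. Runs only while g_backTraceFlg is set
                and clears the flag once the trace has been reported.
 Inputs       : ADDRINT funcCurSP   - stack pointer; the word it points at is
                                      taken as a return address
                ADDRINT funcUpperBP - frame pointer of the frame that saved
                                      that return address (0 = no frame)
 Outputs      : none (frames are reported through funcPackage())
 Return       : none
 History      : 1. 2012-05-16  @zhi   created
                2. review: the walk is bounded, stack words are read with
                   PIN_SafeCopy instead of raw dereferences, and an address
                   outside any routine no longer reaches RTN_Address()
*****************************************************************************/

// Upper bound on frames walked per back trace: a cyclic or corrupted frame
// chain must not spin an analysis routine forever.
static const unsigned int kMaxTraceFrames = 256;

// Read one stack word without faulting on an unmapped address. Returns false
// when the read fails so the caller can stop walking instead of taking the
// tool (and the application under it) down on a bogus frame pointer.
static bool readStackWord(ADDRINT addr, ADDRINT &out)
{
    return PIN_SafeCopy(&out, reinterpret_cast<const void *>(addr), sizeof(out)) == sizeof(out);
}

// Resolve a code address to the name and start address of the routine that
// contains it. Unnamed code yields "[unknown]"; an address outside any known
// routine yields start address 0 (the old code called RTN_Address() on an
// invalid RTN in that case).
static void resolveRoutine(ADDRINT codeAddr, string &name, ADDRINT &rtnStart)
{
    // Name lookup stays outside the client lock, routine lookup inside it, as
    // the original did (Pin's locking rules for these two calls differ).
    name = RTN_FindNameByAddress(codeAddr);
    if (name.empty())
        name = "[unknown]";

    PIN_LockClient();
    RTN rtn = RTN_FindByAddress(codeAddr);
    rtnStart = RTN_Valid(rtn) ? RTN_Address(rtn) : 0;
    PIN_UnlockClient();
}

VOID traceBack(ADDRINT funcCurSP, ADDRINT funcUpperBP)
{
    if (!g_backTraceFlg)
        return;

    std::stack<FuncItem> frames;
    string rtnName;
    ADDRINT rtnStart = 0;
    ADDRINT retAddr = 0;

    // The word at SP is the return address of the frame we start from.
    if (readStackWord(funcCurSP, retAddr)) {
        resolveRoutine(retAddr, rtnName, rtnStart);

        ADDRINT bp = funcUpperBP;
        unsigned int walked = 0;
        while (bp != 0 && walked < kMaxTraceFrames) {
            frames.push(FuncItem(rtnName, rtnStart, bp));
            ++walked;

            // Standard frame layout: [bp] = saved caller BP, [bp+word] = return
            // address into the caller. A read failure ends the walk.
            ADDRINT callerBp = 0;
            if (!readStackWord(bp + sizeof(ADDRINT), retAddr) || !readStackWord(bp, callerBp))
                break;
            resolveRoutine(retAddr, rtnName, rtnStart);

            // Assumes the caller's frame lies at a higher address than the
            // callee's (x86 downward-growing stack): a saved BP that does not
            // move up is a cycle or a clobbered frame, not a caller.
            if (callerBp != 0 && callerBp <= bp)
                break;
            bp = callerBp;
        }
    }

    // Pop outermost first. The third argument is the BP recorded for the
    // previously reported (outer) frame, 0 for the first one.
    ADDRINT outerBp = 0;
    while (!frames.empty()) {
        const FuncItem &frame = frames.top();
        funcPackage(frame.funcName.c_str(), frame.funcAddr, outerBp);
        outerBp = frame.upperFuncBP;
        frames.pop();
    }

    g_backTraceFlg = false;
}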
// Analysis routine for memory writes: if the effective address ea is one of
// the return-address slots recorded for this thread, log the writing
// instruction (eip), its image and its routine as a return-address overwrite.
VOID MemWrite(THREADID tid, ADDRINT ea, ADDRINT eip)
{
    thread_data_t *tdata = get_tls(tid);

    // Linear scan of the recorded slots; the list is per thread.
    list<ADDRINT>::const_iterator slot = tdata->data_sp.begin();
    while (slot != tdata->data_sp.end() && *slot != ea)
        ++slot;
    if (slot == tdata->data_sp.end())
        return;

    string imageName = "ANON";
    PIN_LockClient();
    IMG img = IMG_FindByAddress((ADDRINT)eip);
    PIN_UnlockClient();
    if (IMG_Valid(img))
        imageName = IMG_Name(img);

    // Name lookup is done outside the client lock, as in the original.
    const string rtnName = RTN_FindNameByAddress((ADDRINT)eip);

    OutFile[tid] << tid << hex << "return address overwrite!!! " << ea << " " << eip
                 << " " << imageName << " " << rtnName << endl;
}
/* Decide whether the analysis should be unlocked at this address.
 * Returns true (and binds the analysis to the current thread) when the
 * address matches the configured entry point: the start symbol if one is
 * set, otherwise one of the start addresses, otherwise one of the start
 * offsets. Does nothing once a target thread has already been chosen. */
static bool checkUnlockAnalysis(triton::__uint address) {
  namespace opt = tracer::pintool::options;

  /* Already unlocked on some thread */
  if (opt::targetThreadId != -1)
    return false;

  bool matched = false;
  if (opt::startAnalysisFromSymbol != nullptr) {
    /* A symbol was given: only the symbol test applies */
    matched = (RTN_FindNameByAddress(address) == opt::startAnalysisFromSymbol);
  }
  else if (opt::startAnalysisFromAddress.find(address) != opt::startAnalysisFromAddress.end()) {
    matched = true;
  }
  else if (opt::startAnalysisFromOffset.find(tracer::pintool::getInsOffset(address)) != opt::startAnalysisFromOffset.end()) {
    matched = true;
  }

  if (!matched)
    return false;

  opt::targetThreadId = PIN_ThreadId();
  tracer::pintool::toggleWrapper(true);
  return true;
}
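/* Build the IR-builder base state for the instruction at `address` with
 * disassembly `dis`. Section and image names are resolved through the
 * routine containing the address and default to "unknown"; baseAddress is
 * the image's low address (0 when unresolved) and offset is relative to it. */
BaseIRBuilder::BaseIRBuilder(__uint address, const std::string &dis) {
  RTN rtn;
  SEC sec;
  IMG img;

  this->address = address;
  this->branchTaken = false;
  this->branchTargetAddress = 0;
  this->disas = dis;
  this->needSetup = false;
  this->nextAddress = 0;
  this->imageName = "unknown";
  this->sectionName = "unknown";
  /* Give baseAddress a defined value before the lookups: when the address
   * belongs to no routine/section/image nothing below assigns it, and the
   * old code then derived `offset` from an uninitialised member. */
  this->baseAddress = 0;

  /* NOTE(review): RTN_FindByAddress / RTN_FindNameByAddress are only safe
   * without the client lock from instrumentation callbacks; confirm this
   * constructor is never reached from an analysis routine. */
  rtn = RTN_FindByAddress(address);
  if (RTN_Valid(rtn)) {
    sec = RTN_Sec(rtn);
    if (SEC_Valid(sec)) {
      this->sectionName = SEC_Name(sec);
      img = SEC_Img(sec);
      if (IMG_Valid(img)) {
        this->baseAddress = IMG_LowAddress(img);
        this->imageName = IMG_Name(img);
      }
    }
  }

  this->offset = this->address - this->baseAddress;
  this->routineName = RTN_FindNameByAddress(address);
  if (this->routineName.empty())
    this->routineName = "unknown";
}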
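/**
 * Converts a PIN instruction object into a disassembled string of the form
 * "0xADDRESS::module XX XX ..  mnemonic operands [-> callee]".
 *
 * @param ins  instruction being instrumented
 * @return     one-line textual dump (hex formatting is local to the stream)
 **/
std::string dumpInstruction(INS ins)
{
    std::stringstream ss;
    const ADDRINT address = INS_Address(ins);
    // Compare against an unsigned size; the old loops mixed int and INS_Size.
    const unsigned int size = static_cast<unsigned int>(INS_Size(ins));

    // Address and module information. setw(8) only pads: wider (64-bit)
    // addresses are printed in full.
    ss << "0x" << setfill('0') << setw(8) << uppercase << hex << address
       << "::" << getModule(address) << " ";

    // Instruction byte encoding, read from the application's own address
    // space. This is the instruction currently being instrumented, so its
    // bytes are mapped; elsewhere PIN_SafeCopy would be required.
    const unsigned char *code = reinterpret_cast<const unsigned char *>(address);
    for (unsigned int i = 0; i < size; ++i) {
        ss << setfill('0') << setw(2) << static_cast<unsigned int>(code[i]) << " ";
    }
    // Pad short encodings so the mnemonic column lines up.
    for (unsigned int i = size; i < 8; ++i) {
        ss << " ";
    }

    ss << INS_Disassemble(ins);

    // Direct calls get the callee's routine name appended.
    if (INS_IsCall(ins) && INS_IsDirectBranchOrCall(ins)) {
        ss << " -> " << RTN_FindNameByAddress(INS_DirectBranchOrCallTargetAddress(ins));
    }

    return ss.str();
}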
// This function is called before every block VOID PIN_FAST_ANALYSIS_CALL docount(UINT32 c, THREADID tid, ADDRINT iAddr) { icount[tid]._count += c; if ((icount[tid]._count - icount[tid]._prev_count) >= sampleRate) { // Arbitrary sample point icount[tid]._prev_count += sampleRate; // Get Pin client lock according to description of PIN_GetSourceLocation() PIN_LockClient(); INT32 lineNumber; string fileName; // Get line info PIN_GetSourceLocation(iAddr, NULL, &lineNumber, &fileName); PIN_UnlockClient(); // RTN_FindNameByAddress() may not be called under Pin client lock string rtnName = RTN_FindNameByAddress(iAddr); if (lineNumber != 0) { icount[tid]._line_number = lineNumber; icount[tid]._file_name = fileName; icount[tid]._rtn_name = rtnName; } } }
/* ===================================================================== */
// Resolve a branch target to a routine-name string. Unknown targets map to
// the shared `invalid` object; known names come back as a fresh heap copy
// that the caller cannot tell apart from &invalid, so it is never freed
// (one allocation per resolved call).
const string *Target2String(ADDRINT target)
{
    const string name = RTN_FindNameByAddress(target);
    if (name.empty())
        return &invalid;
    return new string(name);
}
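// Resolve a branch target to the name of the routine containing it, or the
// placeholder "[Unknown routine]" when it lies outside any known routine.
// The returned reference must not be freed by the caller.
const string& Target2RtnName(ADDRINT target)
{
    // One static placeholder: the old code heap-allocated a new copy of this
    // literal on every unresolved call and never released it.
    static const string unknownRoutine("[Unknown routine]");

    const string name = RTN_FindNameByAddress(target);
    if (name.empty())
        return unknownRoutine;

    // Resolved names are still heap-allocated because the signature hands back
    // a reference that must outlive this call; nothing frees them. Returning
    // by value would remove the leak but changes the interface.
    return *new string(name);
}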
// Memory-read rewriting hook: asks the fake-memory handler where the read at
// read_addr (issued by eip) should really go and returns that address.
// Reads outside the whitelist come back as 0 from the handler; a null operand
// is passed through so the application raises its own fault.
ADDRINT handleRead(ADDRINT eip, ADDRINT read_addr, void *fake_mem_h)
{
    // The handler is copied out of the opaque pointer on every call (as the
    // original did); any state getFakeMemory() updates lives in this copy only.
    FakeReadHandler handler = *(FakeReadHandler *)fake_mem_h;
    const ADDRINT redirected = handler.getFakeMemory(read_addr, eip);

    if (redirected == 0) {
        MYINFO("%08x in %s reading %08x", eip, RTN_FindNameByAddress(eip).c_str(), read_addr);
    }

    if (read_addr == 0) {
        return read_addr; // let the program trigger its exception if it wants
    }

    if (redirected == read_addr) {
        return redirected;
    }

    // Redirected reads of KUSER_SHARED_DATA are expected; any other redirected
    // read is counted as an evasion attempt. NOTE(review): the upper bound is
    // inclusive (base + size counts as inside) -- confirm whether SIZE is a
    // length, in which case the last comparison should be >=.
    const bool insideKuserSharedData =
        read_addr >= KUSER_SHARED_DATA_ADDRESS &&
        read_addr <= KUSER_SHARED_DATA_ADDRESS + KUSER_SHARED_DATA_SIZE;
    if (!insideKuserSharedData) {
        MYTEST("handleRead_evasion %08x read at %08x", eip, read_addr);
    }
    MYINFO("ip : %08x in %s reading %08x and it has been redirected to : %08x",
           eip, RTN_FindNameByAddress(eip).c_str(), read_addr, redirected);

    return redirected;
}
// Routine-entry hook: writes the routine name at addr to fout, one per line.
// PLT stubs are filtered out so the trace only lists real functions.
static void FunctionHook(ADDRINT addr)
{
    const std::string rtnName = RTN_FindNameByAddress(addr);
    // assert(!(disabled && fout.is_open()));
    // assert(disabled || fout.is_open());
    if (rtnName == ".plt")
        return;
    fout << rtnName << std::endl;
}
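// Memory-write rewriting hook: asks the fake-write handler where the write to
// write_addr (issued by eip) should really go and returns that address. A null
// operand is passed through so the application raises its own fault.
ADDRINT handleWrite(ADDRINT eip, ADDRINT write_addr, void *fakeWriteH)
{
    FakeWriteHandler fakeWrite = *(FakeWriteHandler *)fakeWriteH;
    // New address of the memory operand: unchanged if whitelisted, otherwise
    // the handler's replacement.
    const ADDRINT fakeAddr = fakeWrite.getFakeWriteAddress(write_addr);

    if (write_addr == 0) {
        return write_addr; // let the program trigger its exception if it wants
    }

    if (fakeAddr != write_addr) {
        MYTEST("handleWrite_evasion %08x", write_addr);
        // Resolve the routine of the *writing instruction* (eip). The old code
        // looked up write_addr, so the name never described the "from" address
        // in the message; handleRead already resolves eip the same way.
        MYINFO("suspicious write from %08x in %s in %08x redirected to %08x",
               eip, RTN_FindNameByAddress(eip).c_str(), write_addr, fakeAddr);
        // Presumably invoked before the write executes (it supplies the
        // effective address), so this shows what the redirected slot holds
        // now, not the value about to be written -- confirm against the
        // instrumentation point.
        MYINFO("Binary writes %08x\n", *(unsigned int *)(fakeAddr));
    }

    return fakeAddr;
}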
// Standalone (non-JIT) test driver: opens the image named by KnobInputFile,
// performs a name lookup for an address that belongs to no routine, takes
// and drops the client lock, then closes the image.
int main(INT32 argc, CHAR **argv)
{
    PIN_InitSymbols();
    if (PIN_Init(argc, argv)) {
        return 1;
    }

    IMG img = IMG_Open(KnobInputFile);
    if (!IMG_Valid(img)) {
        std::cout << "Could not open " << KnobInputFile.Value() << endl;
        return 1;
    }

    // Lookup of an unmapped address must not crash; result is ignored.
    RTN_FindNameByAddress(0x123);

    PIN_LockClient();
    PIN_UnlockClient();

    IMG_Close(img);
    return 0;
}
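// Analysis routine for returns. `sp` is the stack slot the return address was
// popped from, `target` the address being returned to, `eip` the returning
// instruction, `push` non-zero when the slot was created by a plain push.
// The slot is matched against the thread's recorded return-address slots
// (data_sp); a miss is checked against relocated return addresses (tuplist,
// e.g. libffi moving frames) before being logged as a landing-pad violation.
// All paths release `lock` before returning.
VOID Ret(THREADID tid, ADDRINT sp, ADDRINT target, ADDRINT eip, UINT32 push)
{
    PIN_GetLock(&lock, tid + 1);

    unsigned int dep = 0, i = 0;
    thread_data_t *tdata = get_tls(tid);
    list<ADDRINT>::iterator sp_iter;
    tulist::iterator tup_iter;

    /******************* Uncomment this code to check ONLY for landing pad violations. START HERE ************/
    /*
    i = 0;
    for ( tup_iter = tdata->tuplist.begin(); tup_iter != tdata->tuplist.end(); tup_iter++ ) {
        ++i;
        if ( target == (tup_iter->get<1>()) ) {
            RetFile << tid << " Ret Addr Relocated " << hex << target << " " << tup_iter->get<0>() << " " << std::dec << i << endl;
            ++gotoCount; // Keeps track of no of times ret addr was relocated but landing pad are correct
            tdata->tuplist.erase( tup_iter );
            break;
        }
    }
    if ( tup_iter != tdata->tuplist.end() ) {
        PIN_ReleaseLock(&lock);
        return;
    } else {
        // Landing Pad Violation
        // Getting the names of Image and rtn will make this really SLOW. Comment this before the File IO to make it faster
        PIN_LockClient();
        imgR = IMG_FindByAddress((ADDRINT)eip);
        imgT = IMG_FindByAddress((ADDRINT)target);
        PIN_UnlockClient();
        if ( IMG_Valid(imgR) ) { retName = IMG_Name(imgR); }
        if ( IMG_Valid(imgT) ) { targetName = IMG_Name(imgT); }
        rR = RTN_FindNameByAddress((ADDRINT)eip);
        tR = RTN_FindNameByAddress((ADDRINT)target);
        // This checks if the LP violation source or target is in Linker.
        // These are not Violation as Linker takes and passes control many times without
        // a call or ret.
        if ( LD_PATH == targetName || LD_PATH == retName ) goto overRide;
        OutFile[tid] << tid << hex << "Landing Pad Violation -1 " << sp << " " << target << " " << eip << " "<<targetName << " " << retName << " " << tR << " " << rR << endl;
    overRide:
        PIN_ReleaseLock(&lock);
        return;
    }
    */
    /********* TO CHECK ONLY FOR LANDING PAD VIOLATIONS - END HERE *********************************/
    /**** No need to comment the below code when checking only for LP violation as this function would return before reaching here *****/

    /* Locate the return-address slot; dep ends up as the number of recorded
     * slots sitting above it (only meaningful when the slot is found). */
    for (sp_iter = tdata->data_sp.begin(); sp_iter != tdata->data_sp.end(); sp_iter++) {
        ++dep;
        if (*sp_iter == sp)
            break;
    }
    --dep;

    if (push) {
        OutFile[tid] << std::dec << tid << "PUSH FOUND" << endl;
        // Guard the erase: the old code called erase(begin()) on a possibly
        // empty list, which is undefined behaviour.
        if (!tdata->data_sp.empty())
            tdata->data_sp.erase(tdata->data_sp.begin());
        PIN_ReleaseLock(&lock);
        return;
    }

    if (sp_iter == tdata->data_sp.end()) {
        /* This is the case where Ret Address is relocated to some other location
           on stack e.g Libffi does this to make ffi call portable accross ABIs */
        bool relocated = false;
        i = 0;
        for (tup_iter = tdata->tuplist.begin(); tup_iter != tdata->tuplist.end(); tup_iter++) {
            ++i;
            if (target == (tup_iter->get<1>())) {
                RetFile << tid << " Ret Addr Relocated " << hex << target << " " << tup_iter->get<0>()
                        << ":" << (target - 2) << ":" << (target - tup_iter->get<0>())
                        << " " << std::dec << i << endl;
                ++gotoCount;
                tdata->tuplist.erase(tup_iter);
                // Do not compare tup_iter afterwards: erase() invalidated it
                // (the old code compared the dead iterator with end()).
                relocated = true;
                break;
            }
        }
        if (relocated) {
            PIN_ReleaseLock(&lock);
            return;
        }

        // Getting the names of image and rtn is slow; they are only resolved
        // on the violation path.
        string retName = "ANON", targetName = "ANON", rR = "unknown", tR = "unknown";
        PIN_LockClient();
        IMG imgR = IMG_FindByAddress((ADDRINT)eip);
        IMG imgT = IMG_FindByAddress((ADDRINT)target);
        PIN_UnlockClient();
        if (IMG_Valid(imgR))
            retName = IMG_Name(imgR);
        if (IMG_Valid(imgT))
            targetName = IMG_Name(imgT);
        rR = RTN_FindNameByAddress((ADDRINT)eip);
        tR = RTN_FindNameByAddress((ADDRINT)target);

        // First recorded slot, 0 when there is none (the old code dereferenced
        // begin() of a possibly empty list here).
        const ADDRINT topSlot = tdata->data_sp.empty() ? 0 : tdata->data_sp.front();
        // The fourth column used to print tup_iter->get<0>() although tup_iter
        // is end() on this path (undefined behaviour); a 0 keeps the column
        // layout stable for whatever consumes the log.
        OutFile[tid] << tid << hex << "Landing Pad Violation -2 " << sp << " " << topSlot << " " << target
                     << " " << (ADDRINT)0 << " " << eip << " " << targetName << " " << retName
                     << " " << tR << " " << rR << endl;
        PIN_ReleaseLock(&lock);
        return;
    }

    // Slot found but not on top: frames above it were skipped.
    if (sp_iter != tdata->data_sp.begin())
        OutFile[tid] << tid << hex << "ret address not in the beginning!! " << target << " " << eip << " " << sp
                     << " " << *(tdata->data_sp.begin()) << " " << dec << dep << endl;

    depth -= dep;
    // Drop the skipped slots and the matched one.
    tdata->data_sp.erase(tdata->data_sp.begin(), sp_iter);
    tdata->data_sp.erase(sp_iter);
    PIN_ReleaseLock(&lock);
}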
// C-friendly wrapper around RTN_FindNameByAddress: returns a heap copy of the
// routine name (empty string when unknown). strdup() allocates with malloc,
// so ownership passes to the caller, which must free() the result.
static const char *RTN_FindNameByAddress_detour(ADDRINT addr)
{
    const std::string name = RTN_FindNameByAddress(addr);
    return strdup(name.c_str());
}
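// Analysis routine for returns (per-thread list variant). `sp` is the stack
// slot the return address was popped from, `target` the address returned to,
// `eip` the returning instruction, `push` non-zero when the slot was created
// by a plain push. The slot is matched against the thread's recorded
// return-address slots in data_ar[tid]; misses are logged with image and
// routine names, hits pop the slot (and any skipped slots above it).
VOID Ret(THREADID tid, ADDRINT sp, ADDRINT target, ADDRINT eip, UINT32 push)
{
    // cout << "RET " << tid << hex << " " << sp << " " << target << " " << eip << " " << push << endl;
    // return;
    unsigned int dep = 0;
    list<ADDRINT> *tdata = data_ar[tid];
    list<ADDRINT>::iterator sp_iter;

    /* Locate the slot; dep ends up as the number of slots above it
     * (only meaningful when the slot is found). */
    for (sp_iter = tdata->begin(); sp_iter != tdata->end(); sp_iter++) {
        ++dep;
        if (*sp_iter == sp)
            break;
    }
    --dep;

    if (push) {
        OutFile << "PUSH FOUND" << endl;
        // Guard the erase: the old code called erase(begin()) on a possibly
        // empty list, which is undefined behaviour.
        if (!tdata->empty())
            tdata->erase(tdata->begin());
        //cout << "RET FROM RET-1" << tid<<endl;
        return;
    }

    // Returns into / out of the libffi unix64 call trampoline are logged.
    if (target >= (start + FFI_CALL_UNIX64) && target <= (start + FF64END)) {
        OutFile << tid << " RET-2-FF64 " << hex << eip << " " << target << " " << sp << endl;
    }
    if (eip >= (start + FFI_CALL_UNIX64) && eip <= (start + FF64END)) {
        OutFile << tid << " RET-FRM-FF64 " << hex << eip << " " << target << " " << sp << endl;
    }

    /*
    if ( eip >= (ANONST) && eip <= (ANONEND) ) {
        OutFile << tid << " RET-I " << hex << eip << " " << target << " " << sp << endl;
    }
    if ( target >= (ANONST) && target <= (ANONEND) ) {
        OutFile << tid << " RET-T " << hex << eip << " " << target << " " << sp << endl;
    }
    */

    if (sp_iter == tdata->end()) {
        // cerr << hex << "ret address not found!! " << sp << " " << *(RetAddrLocs.begin())
        string retName = "ANON", targetName = "ANON", rR = "unknown", tR = "unknown";
        PIN_LockClient();
        IMG imgR = IMG_FindByAddress((ADDRINT)eip);
        IMG imgT = IMG_FindByAddress((ADDRINT)target);
        PIN_UnlockClient();
        if (IMG_Valid(imgR))
            retName = IMG_Name(imgR);
        if (IMG_Valid(imgT))
            targetName = IMG_Name(imgT);
        rR = RTN_FindNameByAddress((ADDRINT)eip);
        tR = RTN_FindNameByAddress((ADDRINT)target);

        // First recorded slot, 0 when there is none (the old code dereferenced
        // begin() of a possibly empty list here).
        const ADDRINT topSlot = tdata->empty() ? 0 : tdata->front();
        OutFile << tid << hex << "ret address not found!! " << sp << " " << topSlot << " " << target
                << " " << eip << " " << targetName << " " << retName << " " << tR << " " << rR << endl;
        //cout << "RET FROM RET-2" << tid <<endl;
        return;
    }

    // Slot found but not on top: frames above it were skipped.
    if (sp_iter != tdata->begin())
        OutFile << hex << "ret address not in the beginning!! " << target << " " << eip << " " << sp
                << " " << *(tdata->begin()) << " " << dec << dep << endl;

    // depth -= distance((*tdata).begin(), sp_iter) + 1;
    depth -= dep;

    // Drop the skipped slots and the matched one.
    tdata->erase(tdata->begin(), sp_iter);
    tdata->erase(sp_iter);
    //cout << "RET FROM RET-3" << tid<<endl;
}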
// Lua binding: rtn_find_name_by_address(addr) -> routine name (empty string
// when the address belongs to no known routine). Argument 1 arrives as a Lua
// number and is truncated to an address.
int rtn_find_name_by_address(lua_State *L)
{
    const ADDRINT addr = static_cast<ADDRINT>(lua_tonumber(L, 1));
    const string name = RTN_FindNameByAddress(addr);
    lua_pushstring(L, name.c_str());
    return 1; // one result on the Lua stack
}
// ------------------------------------------------------------- // STool_RoutineDemangledNameByAddr // ------------------------------------------------------------- // Same as STool_RoutineNameByAddr, but names are fully demangled. const char* STool_RoutineDemangledNameByAddr(ADDRINT rtnAddr, BOOL full) { const string& name = RTN_FindNameByAddress(rtnAddr); if (name == "") return "<unknown_routine>"; else return PIN_UndecorateSymbolName(name, full ? UNDECORATION_COMPLETE : UNDECORATION_NAME_ONLY).c_str(); }
// ------------------------------------------------------------- // STool_RoutineNameByAddr // ------------------------------------------------------------- // Return pointer to the name of the routine to which the instruction // at address rtnAddr belongs, or <unknown routine>, if rtnAddr does not belong to // any routine. // Note: the user should *not* deallocate the returned pointer const char* STool_RoutineNameByAddr(ADDRINT rtnAddr) { const string& name = RTN_FindNameByAddress(rtnAddr); if (name == "") return "<unknown_routine>"; else return name.c_str(); }
// Analysis routine for returns, landing-pad-only variant. `sp` is the stack
// slot the return address was popped from, `target` the address returned to,
// `eip` the returning instruction, `push` non-zero when the slot came from a
// plain push. The return is accepted when tuplist holds a relocated entry for
// `target` whose call site is 2 or 5 bytes before it; otherwise "LP not found"
// is logged unless either side lives in LD_PATH. Both branches of that first
// check release `lock` and return, so everything after it is unreachable in
// this variant (compare the other Ret(), which has this block commented out).
VOID Ret(THREADID tid, ADDRINT sp, ADDRINT target, ADDRINT eip, UINT32 push ) {
    PIN_GetLock(&lock, tid+1);
    unsigned int dep = 0, i = 0;
    IMG imgR, imgT;
    string retName = "ANON", targetName = "ANON", rR = "unknown", tR = "unknown";
    thread_data_t *tdata = get_tls(tid);
    /* list<ADDRINT> *tdata = data_ar[tid]; list<ADDRINT> *retId = ret_ad[tid]; */
    list<ADDRINT>::iterator sp_iter;// = (*tdata).find(sp);
    list<ADDRINT>::iterator ret_iter;// = (*tdata).find(sp);
    tulist::iterator tup_iter;// = (*tdata).find(sp);
    /* Locate the return-address slot; dep counts the recorded slots above it
       (only meaningful when the slot is found). */
    for (sp_iter = tdata->data_sp.begin(); sp_iter != tdata->data_sp.end(); sp_iter++) { ++dep; if ( *sp_iter == sp ) break; }
    --dep;
    /* This is the case where Ret Address is relocated to some other location on stack */
    i = 0;
    for ( tup_iter = tdata->tuplist.begin(); tup_iter != tdata->tuplist.end(); tup_iter++ ) {
        ++i;
        if ( target == (tup_iter->get<1>()) && ( (tup_iter->get<0>() == (target - 0x5)) || ( tup_iter->get<0>() == (target - 0x2)) ) ) {
            RetFile << tid << " Ret Addr Relocated " << hex << target << " " << tup_iter->get<0>() << ":" << (target - 2) << ":" << (target - tup_iter->get<0>() ) << " " << std::dec << i << endl;
            ++gotoCount;
            /* NOTE(review): erase() invalidates tup_iter, yet it is compared with end() right after the loop. */
            tdata->tuplist.erase( tup_iter );
            break;
        }
    }
    //cout << " CHECK1" << endl;
    if ( tup_iter != tdata->tuplist.end() ) {
        PIN_ReleaseLock(&lock);
        return;
    } else {
        /* Image and routine names are resolved only on the violation path (slow). */
        PIN_LockClient();
        imgR = IMG_FindByAddress((ADDRINT)eip);
        imgT = IMG_FindByAddress((ADDRINT)target);
        PIN_UnlockClient();
        if ( IMG_Valid(imgR) ) { retName = IMG_Name(imgR); }
        if ( IMG_Valid(imgT) ) { targetName = IMG_Name(imgT); }
        rR = RTN_FindNameByAddress((ADDRINT)eip);
        tR = RTN_FindNameByAddress((ADDRINT)target);
        /* Control transfers through the dynamic linker are not violations. */
        if ( LD_PATH == targetName || LD_PATH == retName ) goto overRide;
        OutFile[tid] << tid << hex << "LP not found!! 
" << sp << " " << target << " " << eip << " "<<targetName << " " << retName << " " << tR << " " << rR << endl;
        overRide:
        PIN_ReleaseLock(&lock);
        return;
    }
    /* ---- Everything below is unreachable: both branches above return. ---- */
    if (push) {
        OutFile[tid] << std::dec << tid << "PUSH FOUND" << endl;
        /* NOTE(review): erase(begin()) on an empty data_sp would be undefined behaviour. */
        tdata->data_sp.erase(tdata->data_sp.begin());
        PIN_ReleaseLock(&lock);
        return;
    }
    if (sp_iter == tdata->data_sp.end()) {
        /* This is the case where Ret Address is relocated to some other location on stack */
        i = 0;
        for ( tup_iter = tdata->tuplist.begin(); tup_iter != tdata->tuplist.end(); tup_iter++ ) {
            ++i;
            if ( target == (tup_iter->get<1>()) && ( (tup_iter->get<0>() == (target - 0x5)) || ( tup_iter->get<0>() == (target - 0x2)) ) ) {
                RetFile << tid << " Ret Addr Relocated " << hex << target << " " << tup_iter->get<0>() << ":" << (target - 2) << ":" << (target - tup_iter->get<0>() ) << " " << std::dec << i << endl;
                ++gotoCount;
                tdata->tuplist.erase( tup_iter );
                break;
            }
        }
        //cout << " CHECK1" << endl;
        if ( tup_iter != tdata->tuplist.end() ) {
            PIN_ReleaseLock(&lock);
            return;
        }
        PIN_LockClient();
        imgR = IMG_FindByAddress((ADDRINT)eip);
        imgT = IMG_FindByAddress((ADDRINT)target);
        PIN_UnlockClient();
        if ( IMG_Valid(imgR) ) { retName = IMG_Name(imgR); }
        if ( IMG_Valid(imgT) ) { targetName = IMG_Name(imgT); }
        rR = RTN_FindNameByAddress((ADDRINT)eip);
        tR = RTN_FindNameByAddress((ADDRINT)target);
        //cout << hex << tup_iter->get<0>() << ":" << tup_iter->get<1>() << endl;
        /* NOTE(review): tup_iter == end() here, so tup_iter->get<0>() below dereferences the end iterator; *(data_sp.begin()) is also read without an empty check. */
        OutFile[tid] << tid << hex << "ret address not found!! " << sp << " " << *(tdata->data_sp.begin()) << " " << target << " " << tup_iter->get<0>() << " " << eip << " "<<targetName << " " << retName << " " << tR << " " << rR << endl;
        PIN_ReleaseLock(&lock);
        return;
    }
    /* Slot found but not on top: frames above it were skipped. */
    if ( sp_iter != tdata->data_sp.begin() ) OutFile[tid] << tid << hex <<"ret address not in the beginning!! " << target <<" "<< eip << " " << sp << " " << *(tdata->data_sp.begin()) << " " << dec << dep<< endl;
    depth -= dep;
    /* Drop the skipped slots and the matched one. */
    tdata->data_sp.erase( tdata->data_sp.begin(), sp_iter);
    tdata->data_sp.erase(sp_iter);
    PIN_ReleaseLock(&lock);
}
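// Python binding: RTN_FindNameByAddress(address: int) -> str.
// Returns the routine name containing `address` (empty string if none), or
// NULL with a TypeError set when the argument cannot be parsed.
PyObject* Python_RTN_FindNameByAddress(PyObject* self, PyObject* args)
{
    // "L" stores a long long. The old code aimed it at a PyObject*, which only
    // happened to work on 64-bit targets (and would corrupt the stack on
    // 32-bit ones), and it never checked the parse result.
    long long address = 0;
    if (!PyArg_ParseTuple(args, "L", &address))
        return NULL; // exception already set by PyArg_ParseTuple

    const ADDRINT address_object = static_cast<ADDRINT>(address);
    return Py_BuildValue("s", RTN_FindNameByAddress(address_object).c_str());
}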