VOID PrintUntouchedRanges(SEC sec) { // Make a bool vector big enough to describe the whole section, 1 bool per byte vector<bool> touched(SEC_Size(sec)); // Put the rtn's that are touched in a set set<RTN> rtnSet; // Mark the ranges for bbls that have been executed for (list<const BBLSTATS*>::const_iterator bi = statsList.begin(); bi != statsList.end(); bi++) { const BBLSTATS * stats = *bi; // Is this bbl contained in the section? if (stats->_start < SEC_Address(sec) || stats->_start >= SEC_Address(sec) + SEC_Size(sec)) continue; // Is the bbl executed? if (!stats->_executed) continue; RTN rtn = RTN_FindByAddress(stats->_start); if (RTN_Valid(rtn)) rtnSet.insert(rtn); // Mark all the bytes of the bbl as executed for (ADDRINT i = stats->_start - SEC_Address(sec); i < stats->_start + stats->_size - SEC_Address(sec); i++) { ASSERTX(i < SEC_Size(sec)); touched[i] = true; } } // Print the routines that are not touched out << " Routines that are not executed" << endl; for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn)) { if (rtnSet.find(rtn) == rtnSet.end()) { out << " " << RTN_Name(rtn) << endl; } } // Print the ranges of untouched addresses out << " Code ranges that are not executed" << endl; string rtnName = ""; for (UINT32 i = 0; i < SEC_Size(sec);) { // Find the first not touched address while(touched[i]) { i++; if (i == SEC_Size(sec)) return; } INT32 start = i; // Find the first touched address while(!touched[i] && i < SEC_Size(sec)) i++; ADDRINT startAddress = SEC_Address(sec) + start; // Print the rtn name, if it has changed IMG img = IMG_FindByAddress(startAddress); string imgName = (IMG_Valid(img) ? IMG_Name(img) : "InvalidImg"); RTN rtn = RTN_FindByAddress(startAddress); string newName = (RTN_Valid(rtn) ? RTN_Name(rtn) : "InvalidRtn"); if (rtnName != newName) { out << " Image: " << imgName << " Rtn: " << newName << endl; rtnName = newName; } out << " " << SEC_Address(sec) + start << ":" << SEC_Address(sec) + i - 1 << endl; } }
// - Get initial entropy // - Get PE section data // - Add filtered library void imageLoadCallback(IMG img,void *){ /*for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){ for( RTN rtn= SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn) ){ MYINFO("Inside %s -> %s",IMG_Name(img).c_str(),RTN_Name(rtn).c_str()); } }*/ Section item; static int va_hooked = 0; ProcInfo *proc_info = ProcInfo::getInstance(); FilterHandler *filterHandler = FilterHandler::getInstance(); //get the initial entropy of the PE //we have to consder only the main executable and avìvoid the libraries if(IMG_IsMainExecutable(img)){ ADDRINT startAddr = IMG_LowAddress(img); ADDRINT endAddr = IMG_HighAddress(img); proc_info->setMainIMGAddress(startAddr, endAddr); //get the address of the first instruction proc_info->setFirstINSaddress(IMG_Entry(img)); //get the program name proc_info->setProcName(IMG_Name(img)); //get the initial entropy MYINFO("----------------------------------------------"); float initial_entropy = proc_info->GetEntropy(); proc_info->setInitialEntropy(initial_entropy); MYINFO("----------------------------------------------"); //retrieve the section of the PE for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){ item.name = SEC_Name(sec); item.begin = SEC_Address(sec); item.end = item.begin + SEC_Size(sec); proc_info->insertSection(item); } //DEBUG proc_info->PrintSections(); } //build the filtered libtrary list ADDRINT startAddr = IMG_LowAddress(img); ADDRINT endAddr = IMG_HighAddress(img); const string name = IMG_Name(img); if(!IMG_IsMainExecutable(img)){ if(name.find("ntdll")!= std::string::npos){ for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){ if(strcmp(SEC_Name(sec).c_str(),".text")==0){ proc_info->addProtectedSection(SEC_Address(sec),SEC_Address(sec)+SEC_Size(sec)); } } } //*** If you need to protect other sections of other dll put them here *** hookFun.hookDispatcher(img); proc_info->addLibrary(name,startAddr,endAddr); if(filterHandler->IsNameInFilteredArray(name)){ filterHandler->addToFilteredLibrary(name,startAddr,endAddr); MYINFO("Added to the filtered array the module %s\n" , name); } } }