VOID PrintUntouchedRanges(SEC sec)
{
// Make a bool vector big enough to describe the whole section, 1 bool per byte
vector<bool> touched(SEC_Size(sec));
// Put the rtn's that are touched in a set
set<RTN> rtnSet;
// Mark the ranges for bbls that have been executed
for (list<const BBLSTATS*>::const_iterator bi = statsList.begin(); bi != statsList.end(); bi++)
{
const BBLSTATS * stats = *bi;
// Is this bbl contained in the section?
if (stats->_start < SEC_Address(sec) || stats->_start >= SEC_Address(sec) + SEC_Size(sec))
continue;
// Is the bbl executed?
if (!stats->_executed)
continue;
RTN rtn = RTN_FindByAddress(stats->_start);
if (RTN_Valid(rtn))
rtnSet.insert(rtn);
// Mark all the bytes of the bbl as executed
for (ADDRINT i = stats->_start - SEC_Address(sec); i < stats->_start + stats->_size - SEC_Address(sec); i++)
{
ASSERTX(i < SEC_Size(sec));
touched[i] = true;
}
}
// Print the routines that are not touched
out << " Routines that are not executed" << endl;
for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
if (rtnSet.find(rtn) == rtnSet.end())
{
out << " " << RTN_Name(rtn) << endl;
}
}
// Print the ranges of untouched addresses
out << " Code ranges that are not executed" << endl;
string rtnName = "";
for (UINT32 i = 0; i < SEC_Size(sec);)
{
// Find the first not touched address
while(touched[i])
{
i++;
if (i == SEC_Size(sec))
return;
}
INT32 start = i;
// Find the first touched address
while(!touched[i] && i < SEC_Size(sec)) i++;
ADDRINT startAddress = SEC_Address(sec) + start;
// Print the rtn name, if it has changed
IMG img = IMG_FindByAddress(startAddress);
string imgName = (IMG_Valid(img) ? IMG_Name(img) : "InvalidImg");
RTN rtn = RTN_FindByAddress(startAddress);
string newName = (RTN_Valid(rtn) ? RTN_Name(rtn) : "InvalidRtn");
if (rtnName != newName)
{
out << " Image: " << imgName << " Rtn: " << newName << endl;
rtnName = newName;
}
out << " " << SEC_Address(sec) + start << ":" << SEC_Address(sec) + i - 1 << endl;
}
}
// - Get initial entropy
// - Get PE section data
// - Add filtered library
void imageLoadCallback(IMG img,void *){
/*for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
for( RTN rtn= SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn) ){
MYINFO("Inside %s -> %s",IMG_Name(img).c_str(),RTN_Name(rtn).c_str());
}
}*/
Section item;
static int va_hooked = 0;
ProcInfo *proc_info = ProcInfo::getInstance();
FilterHandler *filterHandler = FilterHandler::getInstance();
//get the initial entropy of the PE
//we have to consder only the main executable and avìvoid the libraries
if(IMG_IsMainExecutable(img)){
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
proc_info->setMainIMGAddress(startAddr, endAddr);
//get the address of the first instruction
proc_info->setFirstINSaddress(IMG_Entry(img));
//get the program name
proc_info->setProcName(IMG_Name(img));
//get the initial entropy
MYINFO("----------------------------------------------");
float initial_entropy = proc_info->GetEntropy();
proc_info->setInitialEntropy(initial_entropy);
MYINFO("----------------------------------------------");
//retrieve the section of the PE
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
item.name = SEC_Name(sec);
item.begin = SEC_Address(sec);
item.end = item.begin + SEC_Size(sec);
proc_info->insertSection(item);
}
//DEBUG
proc_info->PrintSections();
}
//build the filtered libtrary list
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
const string name = IMG_Name(img);
if(!IMG_IsMainExecutable(img)){
if(name.find("ntdll")!= std::string::npos){
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
if(strcmp(SEC_Name(sec).c_str(),".text")==0){
proc_info->addProtectedSection(SEC_Address(sec),SEC_Address(sec)+SEC_Size(sec));
}
}
}
//*** If you need to protect other sections of other dll put them here ***
hookFun.hookDispatcher(img);
proc_info->addLibrary(name,startAddr,endAddr);
if(filterHandler->IsNameInFilteredArray(name)){
filterHandler->addToFilteredLibrary(name,startAddr,endAddr);
MYINFO("Added to the filtered array the module %s\n" , name);
}
}
}
