VOID ReadMem(UINT32 insAddr, std::string insDis, UINT32 opCount, REG reg_r, UINT32 memOp, UINT32 sp)
{
list<UINT32>::iterator i;
list<struct mallocArea>::iterator i2;
UINT32 addr = memOp;
if (opCount != 2)
return;
for(i2 = mallocAreaList.begin(); i2 != mallocAreaList.end(); i2++){
if (addr >= i2->base && addr < (i2->base + i2->size) && i2->status == FREE){
std::cout << std::hex << "[UAF in " << addr << "]\t" << insAddr << ": " << insDis << std::endl;
return;
}
}
for(i = addressTainted.begin(); i != addressTainted.end(); i++){
if (addr == *i){
std::cout << std::hex << "[READ in " << addr << "]\t" << insAddr << ": " << insDis << std::endl;
taintReg(reg_r);
if (sp > addr && addr > 0x700000000000)
std::cout << std::hex << "[UAF in " << addr << "]\t" << insAddr << ": " << insDis << std::endl;
return;
}
}
if (checkAlreadyRegTainted(reg_r)){
std::cout << std::hex << "[READ in " << addr << "]\t" << insAddr << ": " << insDis << std::endl;
removeRegTainted(reg_r);
}
}
VOID spreadRegTaint(UINT32 insAddr, std::string insDis, UINT32 opCount, REG reg_r, REG reg_w)
{
if (opCount != 2)
return;
if (REG_valid(reg_w)){
if (checkAlreadyRegTainted(reg_w) && (!REG_valid(reg_r) || !checkAlreadyRegTainted(reg_r))){
std::cout << "[SPREAD]\t\t" << insAddr << ": " << insDis << std::endl;
std::cout << "\t\t\toutput: "<< REG_StringShort(reg_w) << " | input: " << (REG_valid(reg_r) ? REG_StringShort(reg_r) : "constant") << std::endl;
removeRegTainted(reg_w);
}
else if (!checkAlreadyRegTainted(reg_w) && checkAlreadyRegTainted(reg_r)){
std::cout << "[SPREAD]\t\t" << insAddr << ": " << insDis << std::endl;
std::cout << "\t\t\toutput: " << REG_StringShort(reg_w) << " | input: "<< REG_StringShort(reg_r) << std::endl;
taintReg(reg_w);
}
}
}
VOID ReadMem(UINT64 insAddr, std::string insDis, UINT32 opCount, REG reg_r, UINT64 memOp)
{
list<UINT64>::iterator i;
UINT64 addr = memOp;
if (opCount != 2)
return;
for(i = addressTainted.begin(); i != addressTainted.end(); i++){
if (addr == *i){
std::cout << std::hex << "[READ in " << addr << "]\t" << insAddr << ": " << insDis << std::endl;
taintReg(reg_r);
return ;
}
}
/* if mem != tained and reg == taint => free the reg */
if (checkAlreadyRegTainted(reg_r)){
std::cout << std::hex << "[READ in " << addr << "]\t" << insAddr << ": " << insDis << std::endl;
removeRegTainted(reg_r);
}
}
VOID spreadRegTaint(INS ins)
{
REG reg_r, reg_w;
if (INS_OperandCount(ins) != 2)
return;
reg_r = INS_RegR(ins, 0);
reg_w = INS_RegW(ins, 0);
if (REG_valid(reg_w)){
if (checkAlreadyRegTainted(reg_w) && (!REG_valid(reg_r) || !checkAlreadyRegTainted(reg_r))){
std::cout << "[SPREAD]\t\t" << INS_Address(ins) << ": " << INS_Disassemble(ins) << std::endl;
std::cout << "\t\t\toutput: "<< REG_StringShort(reg_w) << " | input: " << (REG_valid(reg_r) ? REG_StringShort(reg_r) : "constant") << std::endl;
removeRegTainted(reg_w);
}
else if (!checkAlreadyRegTainted(reg_w) && checkAlreadyRegTainted(reg_r)){
std::cout << "[SPREAD]\t\t" << INS_Address(ins) << ": " << INS_Disassemble(ins) << std::endl;
std::cout << "\t\t\toutput: " << REG_StringShort(reg_w) << " | input: "<< REG_StringShort(reg_r) << std::endl;
taintReg(reg_w);
}
}
}
VOID ReadMem(INS ins, UINT64 memOp)
{
list<UINT64>::iterator i;
UINT64 addr = memOp;
REG reg_r;
if (INS_OperandCount(ins) != 2)
return;
reg_r = INS_OperandReg(ins, 0);
for(i = addressTainted.begin(); i != addressTainted.end(); i++){
if (addr == *i){
std::cout << std::hex << "[READ in " << addr << "]\t" << INS_Address(ins) << ": " << INS_Disassemble(ins) << std::endl;
taintReg(reg_r);
return ;
}
}
/* if mem != tained and reg == taint => free the reg */
if (checkAlreadyRegTainted(reg_r)){
std::cout << std::hex << "[READ in " << addr << "]\t" << INS_Address(ins) << ": " << INS_Disassemble(ins) << std::endl;
removeRegTainted(reg_r);
}
}
