VOID MemWrite(THREADID tid, ADDRINT ea, ADDRINT eip ) { IMG imgR; string retName = "ANON", rR = "unknown"; thread_data_t *tdata = get_tls(tid); list<ADDRINT>::const_iterator sp_iter; for (sp_iter = tdata->data_sp.begin(); sp_iter != tdata->data_sp.end(); sp_iter++) { if ( *sp_iter == ea ) break; } if ( sp_iter != tdata->data_sp.end() ) { PIN_LockClient(); imgR = IMG_FindByAddress((ADDRINT)eip); PIN_UnlockClient(); if ( IMG_Valid(imgR) ) { retName = IMG_Name(imgR); } rR = RTN_FindNameByAddress((ADDRINT)eip); OutFile[tid] << tid << hex << "return address overwrite!!! " << ea << " " << eip << " " << retName << " " << rR << endl; } }
static void Instruction(INS ins, void *v) { INS_InsertPredicatedCall( ins, IPOINT_BEFORE, (AFUNPTR)do_count, IARG_END); // Filters out non memory reference instructions. if (!INS_IsMemoryRead(ins) && !INS_IsMemoryWrite(ins)) return; // Filters out references to stack. if (INS_IsStackRead(ins) || INS_IsStackWrite(ins)) return; // Filters out instructions out of main executable. IMG img = IMG_FindByAddress(INS_Address(ins)); if (!IMG_Valid(img) || !IMG_IsMainExecutable(img)) return; unsigned i; unsigned int mem_op = INS_MemoryOperandCount(ins); for (i = 0; i < mem_op; i++) { INS_InsertPredicatedCall( ins, IPOINT_BEFORE, (AFUNPTR)check_addr, IARG_INST_PTR, IARG_MEMORYOP_EA, i, IARG_END); } }
VOID WriteMem(UINT64 insAddr, std::string insDis, UINT32 opCount, REG reg_r, UINT64 memOp) { std::list<struct mallocArea>::iterator i; UINT64 addr = memOp; PIN_LockClient(); IMG img = IMG_FindByAddress(addr); PIN_UnlockClient(); SEC sec; if (opCount != 2){ return; } /* Check if the address is in a section */ for(sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec)){ if (addr >= SEC_Address(sec) && addr < (SEC_Address(sec) + SEC_Size(sec))) return; } /* Check if the address is mapped */ for(i = mallocAreaList.begin(); i != mallocAreaList.end(); i++){ if (i->status == ALLOCATE && addr >= i->base && addr < (i->base + i->size)) return; if (i->status == FREE && addr >= i->base && addr < (i->base + i->size)){ std::cout << std::hex << insAddr << ": " << insDis << " -- Use after free in " << addr << std::endl; return; } } /* check if the address is in a stack area */ if (addr > 0x700000000000) return; std::cout << std::hex << insAddr << ": " << insDis << " -- Heap overflow in " << addr << std::endl; }
static void InstrumentRtn(RTN rtn, VOID *) { ADDRINT a = RTN_Address(rtn); IMG img = IMG_FindByAddress(a); if (IMG_Valid(img) && IMG_IsMainExecutable(img)) { RTN_Open(rtn); RTN_InsertCall(rtn, IPOINT_BEFORE, AFUNPTR(FunctionHook), IARG_ADDRINT, a, IARG_END); RTN_Close(rtn); } }
static VOID Instruction(INS ins, VOID *v) { IMG img = IMG_FindByAddress(INS_Address(ins)); if (IMG_Valid(img)) { numTimesImgFoundInInstrumentation++; } else { numTimesImgNotFoundInInstrumentation++; } INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)AnalysisFindImg, IARG_INST_PTR, IARG_END); }
static VOID AnalysisFindImg (ADDRINT ip) { PIN_LockClient(); IMG img = IMG_FindByAddress(ip); PIN_UnlockClient(); if (IMG_Valid(img)) { numTimesImgFoundInAnalysis++; } else { numTimesImgNotFoundInAnalysis++; } }
VOID instrumentTrace(TRACE trace, VOID *v) { IMG img = IMG_FindByAddress(TRACE_Address(trace)); if (!IMG_Valid(img) || !IMG_IsMainExecutable(img)) return; const char* imageName = IMG_Name(img).c_str(); for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) { for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins)) { processMemoryWriteInstruction(ins, imageName); processMemoryReadInstruction(ins, imageName); } } }
VOID PIN_FAST_ANALYSIS_CALL LogBBL(ADDRINT addr) { PIN_LockClient(); IMG img = IMG_FindByAddress(addr); PIN_UnlockClient(); if (IMG_Valid(img)){ std::set<ADDRINT> *s = bbls[IMG_Name(img)]; if (s == NULL){ s = new std::set<ADDRINT> (); bbls[IMG_Name(img)] = s; } s->insert(addr - IMG_LowAddress(img)); } }
// Pin calls this function before a code sequence is executed for the first time VOID TraceCalls(INS ins, VOID *v) { // If we don't have a proper config, we cannot instrument anything if (config == NULL) { return; } ADDRINT addr = INS_Address(ins); IMG img = IMG_FindByAddress(addr); // We are interested only calls from the JITted code. That code is not part of any valid image if (IMG_Valid(img) && img != config->img) { return; } // We don't know the origins of the calls (only the targets) so we need to instrument every call if (INS_IsCall(ins)) { bool ok = false; if (INS_RegRContain(ins, REG_EAX) || INS_RegRContain(ins, REG_EDX)) { ok = true; } else if (INS_IsDirectCall(ins)) { ADDRINT target_addr = INS_DirectBranchOrCallTargetAddress(ins); IMG target_img = IMG_FindByAddress(target_addr); if (!IMG_Valid(img) || img == config->img) { ok = true; } } if (ok) { // Select which call analysis function to use depending on whether we are in fast mode AFUNPTR analysisFunc = (AFUNPTR)MethodCallAnalysis; if (KnobFast.Value()) { analysisFunc = (AFUNPTR)MethodCallAnalysisFast; } ADDRINT ret_addr = INS_NextAddress(ins); INS_InsertIfCall(ins, IPOINT_BEFORE, (AFUNPTR)ShouldCallBeAnalyzed, IARG_FUNCARG_CALLSITE_REFERENCE, 0, IARG_ADDRINT, ret_addr, IARG_BRANCH_TARGET_ADDR, IARG_END); INS_InsertThenCall(ins, IPOINT_BEFORE, analysisFunc, IARG_FUNCARG_CALLSITE_REFERENCE, 0, IARG_ADDRINT, ret_addr, IARG_BRANCH_TARGET_ADDR, IARG_END); returnAddressToInstument[ret_addr] = true; return; } } if (returnAddressToInstument.find(addr) != returnAddressToInstument.end()) { // Select which call analysis function to use depending on whether we are in fast mode AFUNPTR analysisFuncIf = (AFUNPTR)ShouldReturnAddressBeAnalyzed; AFUNPTR analysisFuncThen = (AFUNPTR)ReturnValueAnalysis; if (KnobFast.Value()) { analysisFuncIf = (AFUNPTR)ShouldReturnAddressBeAnalyzedFast; analysisFuncThen = (AFUNPTR)ReturnValueAnalysisFast; } INS_InsertIfCall(ins, IPOINT_BEFORE, analysisFuncIf, IARG_ADDRINT, addr, IARG_END); INS_InsertThenCall(ins, IPOINT_BEFORE, analysisFuncThen, IARG_ADDRINT, addr, IARG_REG_VALUE, REG_EAX, IARG_FUNCARG_CALLSITE_REFERENCE, 0, IARG_END); return; } }
VOID PrintUntouchedRanges(SEC sec) { // Make a bool vector big enough to describe the whole section, 1 bool per byte vector<bool> touched(SEC_Size(sec)); // Put the rtn's that are touched in a set set<RTN> rtnSet; // Mark the ranges for bbls that have been executed for (list<const BBLSTATS*>::const_iterator bi = statsList.begin(); bi != statsList.end(); bi++) { const BBLSTATS * stats = *bi; // Is this bbl contained in the section? if (stats->_start < SEC_Address(sec) || stats->_start >= SEC_Address(sec) + SEC_Size(sec)) continue; // Is the bbl executed? if (!stats->_executed) continue; RTN rtn = RTN_FindByAddress(stats->_start); if (RTN_Valid(rtn)) rtnSet.insert(rtn); // Mark all the bytes of the bbl as executed for (ADDRINT i = stats->_start - SEC_Address(sec); i < stats->_start + stats->_size - SEC_Address(sec); i++) { ASSERTX(i < SEC_Size(sec)); touched[i] = true; } } // Print the routines that are not touched out << " Routines that are not executed" << endl; for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn)) { if (rtnSet.find(rtn) == rtnSet.end()) { out << " " << RTN_Name(rtn) << endl; } } // Print the ranges of untouched addresses out << " Code ranges that are not executed" << endl; string rtnName = ""; for (UINT32 i = 0; i < SEC_Size(sec);) { // Find the first not touched address while(touched[i]) { i++; if (i == SEC_Size(sec)) return; } UINT32 start = i; // Find the first touched address while(!touched[i] && i < SEC_Size(sec)) i++; ADDRINT startAddress = SEC_Address(sec) + start; // Print the rtn name, if it has changed IMG img = IMG_FindByAddress(startAddress); string imgName = (IMG_Valid(img) ? IMG_Name(img) : "InvalidImg"); RTN rtn = RTN_FindByAddress(startAddress); string newName = (RTN_Valid(rtn) ? RTN_Name(rtn) : "InvalidRtn"); if (rtnName != newName) { out << " Image: " << imgName << " Rtn: " << newName << endl; rtnName = newName; } out << " " << SEC_Address(sec) + start << ":" << SEC_Address(sec) + i - 1 << endl; } }
VOID Ret(THREADID tid, ADDRINT sp, ADDRINT target, ADDRINT eip, UINT32 push ) { PIN_GetLock(&lock, tid+1); unsigned int dep = 0, i = 0; IMG imgR, imgT; string retName = "ANON", targetName = "ANON", rR = "unknown", tR = "unknown"; thread_data_t *tdata = get_tls(tid); list<ADDRINT>::iterator sp_iter;// = (*tdata).find(sp); list<ADDRINT>::iterator ret_iter;// = (*tdata).find(sp); tulist::iterator tup_iter;// = (*tdata).find(sp); /******************* Uncomment this code to check ONLY for landing pad violations. START HERE ************/ /* i = 0; for ( tup_iter = tdata->tuplist.begin(); tup_iter != tdata->tuplist.end(); tup_iter++ ) { ++i; if ( target == (tup_iter->get<1>()) ) { RetFile << tid << " Ret Addr Relocated " << hex << target << " " << tup_iter->get<0>() << " " << std::dec << i << endl; ++gotoCount; // Keeps track of no of times ret addr was relocated but landing pad are correct tdata->tuplist.erase( tup_iter ); break; } } if ( tup_iter != tdata->tuplist.end() ) { PIN_ReleaseLock(&lock); return; } else { // Landing Pad Violation // Getting the names of Image and rtn will make this really SLOW. Comment this before the File IO to make it faster PIN_LockClient(); imgR = IMG_FindByAddress((ADDRINT)eip); imgT = IMG_FindByAddress((ADDRINT)target); PIN_UnlockClient(); if ( IMG_Valid(imgR) ) { retName = IMG_Name(imgR); } if ( IMG_Valid(imgT) ) { targetName = IMG_Name(imgT); } rR = RTN_FindNameByAddress((ADDRINT)eip); tR = RTN_FindNameByAddress((ADDRINT)target); // This checks if the LP violation source or target is in Linker. // These are not Violation as Linker takes and passes control many times without // a call or ret. if ( LD_PATH == targetName || LD_PATH == retName ) goto overRide; OutFile[tid] << tid << hex << "Landing Pad Violation -1 " << sp << " " << target << " " << eip << " "<<targetName << " " << retName << " " << tR << " " << rR << endl; overRide: PIN_ReleaseLock(&lock); return; } */ /********* TO CHECK ONLY FOR LANDING PAD VIOLATIONS - END HERE *********************************/ /**** No need to comment the below code when checking only for LP violation as this function would return before reaching here *****/ /* Check if stack pointer value i.e. return address location is present */ for (sp_iter = tdata->data_sp.begin(); sp_iter != tdata->data_sp.end(); sp_iter++) { ++dep; if ( *sp_iter == sp ) break; } --dep; if (push) { OutFile[tid] << std::dec << tid << "PUSH FOUND" << endl; tdata->data_sp.erase(tdata->data_sp.begin()); PIN_ReleaseLock(&lock); return; } if (sp_iter == tdata->data_sp.end()) { /* This is the case where Ret Address is relocated to some other location on stack e.g Libffi does this to make ffi call portable accross ABIs */ i = 0; for ( tup_iter = tdata->tuplist.begin(); tup_iter != tdata->tuplist.end(); tup_iter++ ) { ++i; if ( target == (tup_iter->get<1>() ) ) { RetFile << tid << " Ret Addr Relocated " << hex << target << " " << tup_iter->get<0>() << ":" << (target - 2) << ":" << (target - tup_iter->get<0>() ) << " " << std::dec << i << endl; ++gotoCount; tdata->tuplist.erase( tup_iter ); break; } } if ( tup_iter != tdata->tuplist.end() ) { PIN_ReleaseLock(&lock); return; } PIN_LockClient(); imgR = IMG_FindByAddress((ADDRINT)eip); imgT = IMG_FindByAddress((ADDRINT)target); PIN_UnlockClient(); if ( IMG_Valid(imgR) ) { retName = IMG_Name(imgR); } if ( IMG_Valid(imgT) ) { targetName = IMG_Name(imgT); } rR = RTN_FindNameByAddress((ADDRINT)eip); tR = RTN_FindNameByAddress((ADDRINT)target); OutFile[tid] << tid << hex << "Landing Pad Violation -2 " << sp << " " << *(tdata->data_sp.begin()) << " " << target << " " << tup_iter->get<0>() << " " << eip << " "<<targetName << " " << retName << " " << tR << " " << rR << endl; PIN_ReleaseLock(&lock); return; } if ( sp_iter != tdata->data_sp.begin() ) OutFile[tid] << tid << hex <<"ret address not in the beginning!! " << target <<" "<< eip << " " << sp << " " << *(tdata->data_sp.begin()) << " " << dec << dep<< endl; depth -= dep; tdata->data_sp.erase( tdata->data_sp.begin(), sp_iter); tdata->data_sp.erase(sp_iter); PIN_ReleaseLock(&lock); }
instruction::instruction(const INS& ins) { this->address = INS_Address(ins); this->next_address = INS_NextAddress(ins); // this->opcode = INS_Mnemonic(ins); this->opcode_size = static_cast<uint8_t>(INS_Size(ins)); this->opcode_buffer = std::shared_ptr<uint8_t>(new uint8_t[this->opcode_size], std::default_delete<uint8_t[]>()); PIN_SafeCopy(opcode_buffer.get(), reinterpret_cast<const VOID*>(this->address), this->opcode_size); this->disassemble = INS_Disassemble(ins); // including image, routine auto img = IMG_FindByAddress(this->address); this->including_image = IMG_Valid(img) ? IMG_Name(img) : ""; // this->including_routine = RTN_FindNameByAddress(this->address); PIN_LockClient(); auto routine = RTN_FindByAddress(this->address); PIN_UnlockClient(); if (RTN_Valid(routine)) { auto routine_mangled_name = RTN_Name(routine); this->including_routine_name = PIN_UndecorateSymbolName(routine_mangled_name, UNDECORATION_NAME_ONLY); } else this->including_routine_name = ""; // has fall through this->has_fall_through = INS_HasFallThrough(ins); // is call, ret or syscall this->is_call = INS_IsCall(ins); this->is_branch = INS_IsBranch(ins); this->is_ret = INS_IsRet(ins); this->is_syscall = INS_IsSyscall(ins); this->category = static_cast<xed_category_enum_t>(INS_Category(ins)); this->iclass = static_cast<xed_iclass_enum_t>(INS_Opcode(ins)); // read registers auto read_reg_number = INS_MaxNumRRegs(ins); for (decltype(read_reg_number) reg_id = 0; reg_id < read_reg_number; ++reg_id) { this->src_registers.push_back(INS_RegR(ins, reg_id)); } // written registers auto written_reg_number = INS_MaxNumWRegs(ins); for (decltype(written_reg_number) reg_id = 0; reg_id < written_reg_number; ++reg_id) { this->dst_registers.push_back(INS_RegW(ins, reg_id)); } auto is_special_reg = [](const REG& reg) -> bool { return (reg >= REG_MM_BASE); }; this->is_special = std::any_of(std::begin(this->src_registers), std::end(this->src_registers), is_special_reg) || std::any_of(std::begin(this->dst_registers), std::end(this->dst_registers), is_special_reg) || (this->category == XED_CATEGORY_X87_ALU) || (this->iclass == XED_ICLASS_XEND) || (this->category == XED_CATEGORY_LOGICAL_FP) || (this->iclass == XED_ICLASS_PUSHA) || (this->iclass == XED_ICLASS_PUSHAD) || (this->iclass == XED_ICLASS_PUSHF) || (this->iclass == XED_ICLASS_PUSHFD) || (this->iclass == XED_ICLASS_PUSHFQ); // is memory read, write this->is_memory_read = INS_IsMemoryRead(ins); this->is_memory_write = INS_IsMemoryWrite(ins); this->is_memory_read2 = INS_HasMemoryRead2(ins); }
VOID Ret(THREADID tid, ADDRINT sp, ADDRINT target, ADDRINT eip, UINT32 push) { // cout << "RET " << tid << hex << " " << sp << " " << target << " " << eip << " " << push << endl; // return; unsigned int dep = 0; IMG imgR, imgT; string retName = "ANON", targetName = "ANON", rR = "unknown", tR = "unknown"; list<ADDRINT> *tdata = data_ar[tid]; list<ADDRINT>::iterator sp_iter;// = (*tdata).find(sp); list<ADDRINT>::iterator dep_iter;// = (*tdata).find(sp); for (sp_iter = (*tdata).begin(); sp_iter != (*tdata).end(); sp_iter++) { ++dep; if ( *sp_iter == sp ) break; } --dep; if (push) { OutFile << "PUSH FOUND" << endl; (*tdata).erase((*tdata).begin()); //cout << "RET FROM RET-1" << tid<<endl; return; } if ( target >= (start+FFI_CALL_UNIX64) && target <= (start+FF64END) ) { OutFile << tid << " RET-2-FF64 " << hex << eip << " " << target << " " << sp << endl; } if ( eip >= (start+FFI_CALL_UNIX64) && eip <= (start+FF64END) ) { OutFile << tid << " RET-FRM-FF64 " << hex << eip << " " << target << " " << sp << endl; } /* if ( eip >= (ANONST) && eip <= (ANONEND) ) { OutFile << tid << " RET-I " << hex << eip << " " << target << " " << sp << endl; } if ( target >= (ANONST) && target <= (ANONEND) ) { OutFile << tid << " RET-T " << hex << eip << " " << target << " " << sp << endl; } */ if (sp_iter == (*tdata).end()) { // cerr << hex << "ret address not found!! " << sp << " " << *(RetAddrLocs.begin()) PIN_LockClient(); imgR = IMG_FindByAddress((ADDRINT)eip); imgT = IMG_FindByAddress((ADDRINT)target); PIN_UnlockClient(); if ( IMG_Valid(imgR) ) { retName = IMG_Name(imgR); } if ( IMG_Valid(imgT) ) { targetName = IMG_Name(imgT); } rR = RTN_FindNameByAddress((ADDRINT)eip); tR = RTN_FindNameByAddress((ADDRINT)target); OutFile << tid << hex << "ret address not found!! " << sp << " " << *((*tdata).begin()) << " " << target << " " << eip << " "<<targetName << " " << retName << " " << tR << " " << rR << endl; //cout << "RET FROM RET-2" << tid <<endl; return; } if (sp_iter != (*tdata).begin()) OutFile << hex <<"ret address not in the beginning!! " << target <<" "<< eip << " " << sp << " " << *((*tdata).begin()) << " " << dec << dep<< endl; // depth -= distance((*tdata).begin(), sp_iter) + 1; depth -= dep; // OutFile << "Distance " << distance(RetAddrLocs.begin(), sp_iter) << endl; // for (int i=0; i < depth; i++) cerr << " "; // cerr << hex << tid << " ret " << sp << " " << target << endl; // if ( sp_iter == RetAddrLocs.begin() ) { // RetAddrLocs.erase(sp_iter); // return; // } (*tdata).erase((*tdata).begin(), sp_iter); (*tdata).erase(sp_iter); //cout << "RET FROM RET-3" << tid<<endl; }
VOID Ret(THREADID tid, ADDRINT sp, ADDRINT target, ADDRINT eip, UINT32 push ) { PIN_GetLock(&lock, tid+1); unsigned int dep = 0, i = 0; IMG imgR, imgT; string retName = "ANON", targetName = "ANON", rR = "unknown", tR = "unknown"; thread_data_t *tdata = get_tls(tid); /* list<ADDRINT> *tdata = data_ar[tid]; list<ADDRINT> *retId = ret_ad[tid]; */ list<ADDRINT>::iterator sp_iter;// = (*tdata).find(sp); list<ADDRINT>::iterator ret_iter;// = (*tdata).find(sp); tulist::iterator tup_iter;// = (*tdata).find(sp); for (sp_iter = tdata->data_sp.begin(); sp_iter != tdata->data_sp.end(); sp_iter++) { ++dep; if ( *sp_iter == sp ) break; } --dep; /* This is the case where Ret Address is relocated to some other location on stack */ i = 0; for ( tup_iter = tdata->tuplist.begin(); tup_iter != tdata->tuplist.end(); tup_iter++ ) { ++i; if ( target == (tup_iter->get<1>()) && ( (tup_iter->get<0>() == (target - 0x5)) || ( tup_iter->get<0>() == (target - 0x2)) ) ) { RetFile << tid << " Ret Addr Relocated " << hex << target << " " << tup_iter->get<0>() << ":" << (target - 2) << ":" << (target - tup_iter->get<0>() ) << " " << std::dec << i << endl; ++gotoCount; tdata->tuplist.erase( tup_iter ); break; } } //cout << " CHECK1" << endl; if ( tup_iter != tdata->tuplist.end() ) { PIN_ReleaseLock(&lock); return; } else { PIN_LockClient(); imgR = IMG_FindByAddress((ADDRINT)eip); imgT = IMG_FindByAddress((ADDRINT)target); PIN_UnlockClient(); if ( IMG_Valid(imgR) ) { retName = IMG_Name(imgR); } if ( IMG_Valid(imgT) ) { targetName = IMG_Name(imgT); } rR = RTN_FindNameByAddress((ADDRINT)eip); tR = RTN_FindNameByAddress((ADDRINT)target); if ( LD_PATH == targetName || LD_PATH == retName ) goto overRide; OutFile[tid] << tid << hex << "LP not found!! " << sp << " " << target << " " << eip << " "<<targetName << " " << retName << " " << tR << " " << rR << endl; overRide: PIN_ReleaseLock(&lock); return; } if (push) { OutFile[tid] << std::dec << tid << "PUSH FOUND" << endl; tdata->data_sp.erase(tdata->data_sp.begin()); PIN_ReleaseLock(&lock); return; } if (sp_iter == tdata->data_sp.end()) { /* This is the case where Ret Address is relocated to some other location on stack */ i = 0; for ( tup_iter = tdata->tuplist.begin(); tup_iter != tdata->tuplist.end(); tup_iter++ ) { ++i; if ( target == (tup_iter->get<1>()) && ( (tup_iter->get<0>() == (target - 0x5)) || ( tup_iter->get<0>() == (target - 0x2)) ) ) { RetFile << tid << " Ret Addr Relocated " << hex << target << " " << tup_iter->get<0>() << ":" << (target - 2) << ":" << (target - tup_iter->get<0>() ) << " " << std::dec << i << endl; ++gotoCount; tdata->tuplist.erase( tup_iter ); break; } } //cout << " CHECK1" << endl; if ( tup_iter != tdata->tuplist.end() ) { PIN_ReleaseLock(&lock); return; } PIN_LockClient(); imgR = IMG_FindByAddress((ADDRINT)eip); imgT = IMG_FindByAddress((ADDRINT)target); PIN_UnlockClient(); if ( IMG_Valid(imgR) ) { retName = IMG_Name(imgR); } if ( IMG_Valid(imgT) ) { targetName = IMG_Name(imgT); } rR = RTN_FindNameByAddress((ADDRINT)eip); tR = RTN_FindNameByAddress((ADDRINT)target); //cout << hex << tup_iter->get<0>() << ":" << tup_iter->get<1>() << endl; OutFile[tid] << tid << hex << "ret address not found!! " << sp << " " << *(tdata->data_sp.begin()) << " " << target << " " << tup_iter->get<0>() << " " << eip << " "<<targetName << " " << retName << " " << tR << " " << rR << endl; PIN_ReleaseLock(&lock); return; } if ( sp_iter != tdata->data_sp.begin() ) OutFile[tid] << tid << hex <<"ret address not in the beginning!! " << target <<" "<< eip << " " << sp << " " << *(tdata->data_sp.begin()) << " " << dec << dep<< endl; depth -= dep; tdata->data_sp.erase( tdata->data_sp.begin(), sp_iter); tdata->data_sp.erase(sp_iter); PIN_ReleaseLock(&lock); }
VOID Instruction(INS ins, VOID *v) { PIN_LockClient(); IMG img = IMG_FindByAddress(INS_Address(ins)); PIN_UnlockClient(); if (IMG_Valid(img) && IMG_IsMainExecutable(img)){ if (INS_IsCall(ins)){ INS_InsertCall( ins, IPOINT_BEFORE, (AFUNPTR)PrologueAnalysis, IARG_ADDRINT, INS_Address(ins), IARG_ADDRINT, INS_NextAddress(ins), IARG_PTR, new string(INS_Disassemble(ins)), IARG_END); } else if (INS_IsRet(ins)){ INS_InsertCall( ins, IPOINT_BEFORE, (AFUNPTR)EpilogueAnalysis, IARG_ADDRINT, INS_Address(ins), IARG_ADDRINT, INS_NextAddress(ins), IARG_PTR, new string(INS_Disassemble(ins)), IARG_END); } else if (INS_OperandCount(ins) > 1 && INS_MemoryOperandIsWritten(ins, 0)){ INS_InsertCall( ins, IPOINT_BEFORE, (AFUNPTR)WriteMem, IARG_ADDRINT, INS_Address(ins), IARG_PTR, new string(INS_Disassemble(ins)), IARG_UINT32, INS_OperandCount(ins), IARG_UINT32, INS_OperandReg(ins, 1), IARG_MEMORYOP_EA, 0, IARG_END); } /* Value Set Analysis */ if (INS_Opcode(ins) == XED_ICLASS_MOV && INS_RegR(ins, 0) == REG_RBP && INS_RegR(ins, 1) == REG_INVALID() && INS_IsMemoryWrite(ins)){ INS_InsertCall( ins, IPOINT_BEFORE, (AFUNPTR)ValueSetAnalysis, IARG_ADDRINT, INS_Address(ins), IARG_PTR, new string(INS_Disassemble(ins)), IARG_REG_VALUE, REG_RSP, IARG_REG_VALUE, REG_RBP, IARG_MEMORYOP_EA, 0, IARG_END); } /* Analyzes stack overflow */ if (INS_MemoryOperandIsWritten(ins, 0)){ INS_InsertCall( ins, IPOINT_BEFORE, (AFUNPTR)WriteMemAnalysis, IARG_ADDRINT, INS_Address(ins), IARG_PTR, new string(INS_Disassemble(ins)), IARG_MEMORYOP_EA, 0, IARG_END); } /* Timer Handler - And instruction counter */ INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)timerHandler, IARG_ADDRINT, INS_Address(INS_Prev(ins)), IARG_ADDRINT, INS_Address(ins), IARG_ADDRINT, INS_Address(INS_Next(ins)), IARG_PTR, new string(INS_Disassemble(ins)), IARG_END); } }