static VOID
LogImageLoad(IMG img)
{
const string name = IMG_Name(img);
ADDRINT low = IMG_LowAddress(img);
ADDRINT high = IMG_HighAddress(img);
EmitLibraryLoadEvent(PIN_ThreadId(), IMG_Name(img),
IMG_LowAddress(img), IMG_HighAddress(img));
}
VOID ImageLoad(IMG img, VOID *v)
{
if ( IMG_Name(img) == TARLIB ) {
// cout << IMG_Name(img) << " " << hex << IMG_LowAddress(img) << " " << IMG_HighAddress(img) << " "
// << IMG_NumRegions(img) << endl;
start = IMG_LowAddress(img);
end = IMG_HighAddress(img);
Stat << hex << start << ":" << end << endl;
cout << hex << start << ":" << end <<" "<< (start + FFI_CALL_UNIX64) << " " << (start+FF64END) << endl;
}
Stat << hex << IMG_Name(img) << " " << IMG_LowAddress(img) << " " << IMG_HighAddress(img) << " " <<endl;// IMG_NumRegions(img) << endl;
}
// - Get initial entropy
// - Get PE section data
// - Add filtered library
// - Add protected libraries
void imageLoadCallback(IMG img,void *){
Section item;
static int va_hooked = 0;
ProcInfo *proc_info = ProcInfo::getInstance();
FilterHandler *filterHandler = FilterHandler::getInstance();
//get the initial entropy of the PE
//we have to consder only the main executable and avìvoid the libraries
if(IMG_IsMainExecutable(img)){
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
proc_info->setMainIMGAddress(startAddr, endAddr);
//get the address of the first instruction
proc_info->setFirstINSaddress(IMG_Entry(img));
//get the program name
proc_info->setProcName(IMG_Name(img));
//get the initial entropy
MYINFO("----------------------------------------------");
float initial_entropy = proc_info->GetEntropy();
proc_info->setInitialEntropy(initial_entropy);
MYINFO("----------------------------------------------");
//create Report File
Report::getInstance()->initializeReport(proc_info->getProcName(), startAddr, endAddr , initial_entropy);
//retrieve the section of the PE
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
item.name = SEC_Name(sec);
item.begin = SEC_Address(sec);
item.end = item.begin + SEC_Size(sec);
proc_info->insertSection(item);
}
proc_info->PrintSections();
}
//build the filtered libtrary list
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
const string name = IMG_Name(img);
if(!IMG_IsMainExecutable(img)){
//*** If you need to protect other sections of other dll put them here ***
// check if there are some fuction that has top be hooked in this DLL
hookFun.hookDispatcher(img);
// check if we have to filter this library during thwe instrumentation
proc_info->addLibrary(name,startAddr,endAddr);
if(filterHandler->IsNameInFilteredArray(name)){
filterHandler->addToFilteredLibrary(name,startAddr,endAddr);
MYINFO("Added to the filtered array the module %s\n" , name);
}
}
}
void img_load (IMG img, void *v)
{
struct event_imload *imevent;
char buffer[512];
size_t length;
/* fprintf(logfp, "load %s off=%08x low=%08x high=%08x start=%08x size=%08x\n",
IMG_Name(img).c_str(),
IMG_LoadOffset(img), IMG_LowAddress(img), IMG_HighAddress(img),
IMG_StartAddress(img), IMG_SizeMapped(img));*/
imevent = (struct event_imload *)buffer;
length = IMG_Name(img).length();
if (length > sizeof(buffer) - sizeof(struct event_imload))
length = sizeof(buffer) - sizeof(struct event_imload);
imevent->comm.type = ET_IMLOAD;
imevent->comm.tid = PIN_ThreadId();
imevent->struct_size = (int)((char *)imevent->name - (char *)imevent) + length + 1;
imevent->addr = IMG_LowAddress(img);
imevent->size = IMG_HighAddress(img) - IMG_LowAddress(img);
imevent->entry = IMG_Entry(img);
imevent->ismain = IMG_IsMainExecutable(img);
memcpy(imevent->name, IMG_Name(img).c_str(), length);
imevent->name[length] = '\0';
tb_write((event_common *)imevent, (size_t)imevent->struct_size);
osdep_iterate_symbols(img, process_symbol, (void *)&img);
tb_flush(PIN_ThreadId());
fprintf(logfp, "img+ %08x+%08x %s\n", IMG_StartAddress(img), IMG_SizeMapped(img), IMG_Name(img).c_str());
}
//return the entropy value of the entire program
float ProcInfo::GetEntropy(){
IMG binary_image = APP_ImgHead();
// trick in order to convert a ln in log2
const double d1log2 = 1.4426950408889634073599246810023;
double Entropy = 0.0;
unsigned long Entries[256];
unsigned char* Buffer;
//calculate the entropy only on the main module address space
ADDRINT start_address = IMG_LowAddress(binary_image);
ADDRINT end_address = IMG_HighAddress(binary_image);
UINT32 size = end_address - start_address;
// copy the main module in a buffer in order to analyze it
Buffer = (unsigned char *)malloc(size);
PIN_SafeCopy(Buffer , (void const *)start_address , size);
// set to all zero the matrix of the bytes occurrence
memset(Entries, 0, sizeof(unsigned long) * 256);
// increment the counter of the current read byte (Buffer[i])in the occurence matrix (Entries)
for (unsigned long i = 0; i < size; i++)
Entries[Buffer[i]]++;
// do the shannon formula on the occurence matrix ( H = sum(P(i)*log2(P(i)) )
for (unsigned long i = 0; i < 256; i++)
{
double Temp = (double) Entries[i] / (double) size;
if (Temp > 0)
Entropy += - Temp*(log(Temp)*d1log2);
}
return Entropy;
}
VOID Image(IMG img, VOID *v){
char szFilePath[260];
unsigned long index;
GetLock(&lock, 1);
if (process_start != 0){
ReleaseLock(&lock);
return;
}
if (IMG_Valid(img)){
memset(szFilePath, 0, sizeof(szFilePath));
strncpy(szFilePath, IMG_Name(img).c_str(), sizeof(szFilePath)-1);
index = 0;
while (szFilePath[index] != 0){
szFilePath[index] = tolower(szFilePath[index]);
index++;
}
if (strstr(szFilePath, KnobProcessToTrace.Value().c_str())){
process_start = IMG_LowAddress(img);
process_end = IMG_HighAddress(img);
}
}
ReleaseLock(&lock);
}
static void process_symbol (void *priv, const char *name, ADDRINT addr)
{
struct event_symbol *sbevent;
char buffer[512];
size_t length;
IMG *img = (IMG *)priv;
assert(addr >= IMG_LowAddress(*img) && addr < IMG_HighAddress(*img));
sbevent = (struct event_symbol *)buffer;
sbevent->comm.type = ET_SYMBOL;
sbevent->comm.tid = PIN_ThreadId();
length = strlen(name);
assert(length > 0);
if (length > sizeof(buffer) - sizeof(struct event_symbol))
length = sizeof(buffer) - sizeof(struct event_symbol);
sbevent->struct_size = (int)((char *)sbevent->name - (char *)sbevent) + length + 1;
sbevent->addr = addr;
memcpy(sbevent->name, name, length);
//sbevent->name[length] = '\0'; // It gives error: array subscript is above array bounds
{ char *arr = sbevent->name; arr[length] = '\0'; }
tb_write((event_common *)sbevent, (size_t)sbevent->struct_size);
fprintf(logfp, "sym %08x %s\n", addr, name);
}
static void reportError(ADDRINT addr)
{
fprintf (stderr, "BAD Fetch from 0x%08x\n", addr);
for (IMG img= APP_ImgHead(); IMG_Valid(img); img = IMG_Next(img))
{
fprintf (stderr, "%-30s: 0x%08x:0x%08x\n", IMG_Name(img).c_str(),
IMG_LowAddress(img),IMG_HighAddress(img));
}
exit (-1);
}
void report_image_structure(IMG img, int depth){
UINT32 I1 = IMG_Id(img);
string I2 = IMG_Name(img);
int I3 = IMG_IsMainExecutable( img );
int I4 = IMG_IsStaticExecutable( img );
ADDRINT I5 = IMG_LoadOffset(img);
ADDRINT I6 = IMG_LowAddress(img);
ADDRINT I7 = IMG_HighAddress(img);
ADDRINT I8 = IMG_LoadOffset(img);
ADDRINT I9 = IMG_StartAddress(img);
ADDRINT I10 = IMG_Entry(img);
USIZE I11 = IMG_SizeMapped( img );
IMG_TYPE I12 = IMG_Type(img);
char I13[128];
int k ;
for ( k = 0; k< depth ; k ++ )
TraceFile << "\t" ;
TraceFile << "<IMAGE-LOAD>" << " I1:" << I1 << " I2:" << I2 << " I3:" << I3 << " I4:" << I4 << " I5:" << hex<< I5 << " I6:"<< I6 << " I7:" << I7 << " I8:" << I8 << " I9:"<< I9 << " I10:"<< I10 << " I11:" << I11 ;
switch ( I12 ){
case IMG_TYPE_STATIC:
strcpy( I13 ,"static" ); break;
case IMG_TYPE_SHARED:
strcpy( I13 ,"shared" ); break;
case IMG_TYPE_INVALID:
strcpy( I13 ,"invalid" ); break;
case IMG_TYPE_LAST:
strcpy( I13 ,"last" ); break;
case IMG_TYPE_SHAREDLIB:
strcpy( I13 ,"shared-lib" ); break;
case IMG_TYPE_RELOCATABLE:
strcpy( I13 ,"relocatable" ); break;
case IMG_TYPE_DYNAMIC_CODE:
strcpy( I13 ,"dynamic-code" ); break;
default:
strcpy( I13 ,"UNKNOWN" ); break; }
TraceFile << " I12:" << I12 << " I13:" << I13 << endl;
for( SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
report_section_structure( sec, depth + 1 );
}
/* */
for (SYM sym = IMG_RegsymHead(img); SYM_Valid(sym); sym = SYM_Next(sym)){
report_sym_structure( sym, depth +1 );
}
for ( k = 0; k< depth ; k ++ )
TraceFile << "\t" ;
TraceFile << "</IMAGE-LOAD>" << endl;
}
// - Get initial entropy
// - Get PE section data
// - Add filtered library
void imageLoadCallback(IMG img,void *){
Section item;
static int va_hooked = 0;
//get the initial entropy of the PE
//we have to consder only the main executable and avìvoid the libraries
if(IMG_IsMainExecutable(img)){
ProcInfo *proc_info = ProcInfo::getInstance();
//get the address of the first instruction
proc_info->setFirstINSaddress(IMG_Entry(img));
//get the program name
proc_info->setProcName(IMG_Name(img));
//get the initial entropy
MYINFO("----------------------------------------------");
float initial_entropy = proc_info->GetEntropy();
proc_info->setInitialEntropy(initial_entropy);
MYINFO("----------------------------------------------");
//retrieve the section of the PE
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
item.name = SEC_Name(sec);
item.begin = SEC_Address(sec);
item.end = item.begin + SEC_Size(sec);
proc_info->insertSection(item);
}
//DEBUG
proc_info->PrintSections();
}
//build the filtered libtrary list
FilterHandler *filterH = FilterHandler::getInstance();
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
const string name = IMG_Name(img);
if(!IMG_IsMainExecutable(img) && filterH->isKnownLibrary(name)){
/* searching for VirtualAlloc */
RTN rtn = RTN_FindByName( img, "VirtualAlloc");
if(rtn != RTN_Invalid()){
MYINFO("BECCATO LA VIRTUAL ALLOC\n");
ADDRINT va_address = RTN_Address(rtn);
MYINFO("Address of VirtualAlloc: %08x\n" , va_address);
RTN_Open(rtn);
RTN_InsertCall(rtn, IPOINT_AFTER, (AFUNPTR)VirtualAllocHook , IARG_G_ARG0_CALLEE , IARG_G_ARG1_CALLEE , IARG_G_RESULT0, IARG_END);
RTN_Close(rtn);
}
filterH->addLibrary(name,startAddr,endAddr);
}
}
VOID rtnInst(IMG img, VOID *v)
{
// for(IMG temp = img; IMG_Valid(temp); temp = IMG_Next(temp))
// out <<IMG_Name(img)<<endl;
// char * temp = "KVWebSvr.dll";
string dllname = IMG_Name(img);
RTN dispatchRtn;
ADDRINT funaddr;
if(dllname.find("KVWebSvr.dll")!=string::npos)
{
out <<dllname<<"start address 0x " <<IMG_LowAddress(img) <<endl;
out <<dllname<<"end address 0x "<<IMG_HighAddress(img) <<endl;
funaddr = IMG_LowAddress(img)+0x18060;
// RTN_CreateAt(0x100183b0,"sub_100183b0");//022D8060
// RTN_CreateAt(0x022D8060,"sub_invoke");
// dispatchRtn = RTN_FindByName(img, "sub_invoke");
RTN_CreateAt(funaddr,"sub_invoke");
// RTN_CreateAt(0x10019210,"sub_10019210");
dispatchRtn = RTN_FindByName(img, "sub_invoke");
// dispatchRtn = RTN_FindByAddress(0x100183b0);
if (RTN_Valid(dispatchRtn))
{
out << "find the taint source function" << endl;
RTN_Open(dispatchRtn);
RTN_InsertCall(dispatchRtn,IPOINT_BEFORE,(AFUNPTR)InvokeFunTaint,IARG_END);
// RTN_InsertCall(dispatchRtn, IPOINT_BEFORE, (AFUNPTR)InputFunAddTaint,
// IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
// IARG_FUNCARG_ENTRYPOINT_VALUE, 1,
// IARG_FUNCARG_ENTRYPOINT_VALUE, 2,
// IARG_END);
RTN_Close(dispatchRtn);
// out << RTN_Address(dispatchRtn)<< endl;
}
}
//function-level taint
inst_func_summary(img);
}
// Print the list of images currently loaded, with some information about each.
static VOID PrintImageList()
{
for (IMG img= APP_ImgHead(); IMG_Valid(img); img = IMG_Next(img))
{
int nSecs;
int nRtns;
CountImageSecsAndRtns (img, &nSecs, &nRtns);
fprintf (trace, " L %-40s %2d [0x%lx:0x%lx] offset 0x%lx %2d SECs %4d RTNs\n", IMG_Name(img).c_str(), IMG_Id(img),
(unsigned long)IMG_LowAddress(img), (unsigned long)IMG_HighAddress(img), (unsigned long)IMG_LoadOffset(img), nSecs, nRtns);
}
}
void ImageLoad (IMG img, void *context)
{
fprintf (stderr, "Notified of load of %s at [%p,%p]\n",
IMG_Name(img).c_str(),
(char *)IMG_LowAddress(img), (char *)IMG_HighAddress(img));
// See if this is ntdll.dll
char szName[_MAX_FNAME];
char szExt[_MAX_EXT];
_splitpath_s (IMG_Name(img).c_str(),
NULL, 0,
NULL, 0,
szName, _MAX_FNAME,
szExt, _MAX_EXT);
strcat_s (szName, _MAX_FNAME, szExt);
if (0 != _stricmp ("ntdll.dll", szName))
return;
RTN rtn = RTN_FindByName (img, "RtlAllocateHeap");
if (RTN_Invalid() == rtn)
{
fprintf (stderr, "Failed to find RtlAllocateHeap in %s\n",
IMG_Name(img).c_str());
return;
}
fprintf(stderr,"Replacing\n");
PROTO protoRtlAllocateHeap =
PROTO_Allocate (PIN_PARG(void *),
CALLINGSTD_STDCALL,
"RtlAllocateHeap",
PIN_PARG(WINDOWS::PVOID), // HeapHandle
PIN_PARG(WINDOWS::ULONG), // Flags
PIN_PARG(WINDOWS::SIZE_T), // Size
PIN_PARG_END());
RTN_ReplaceSignature (rtn, (AFUNPTR)replacement_RtlAllocateHeap,
IARG_PROTOTYPE, protoRtlAllocateHeap,
IARG_ORIG_FUNCPTR,
IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
IARG_FUNCARG_ENTRYPOINT_VALUE, 1,
IARG_FUNCARG_ENTRYPOINT_VALUE, 2,
IARG_CONTEXT,
IARG_END);
PROTO_Free (protoRtlAllocateHeap);
}
VOID ImageLoad(IMG img, VOID *v){
//printf("image name : %s\n", IMG_Name(img).c_str());
if (process_start != 0) return;
if (strstr(IMG_Name(img).c_str(), KnobProcessToTrace.Value().c_str())){
process_start = IMG_LowAddress(img);
process_end = IMG_HighAddress(img);
}
//printf("Loading %.08x-%.08x : %s\n", IMG_LowAddress(img),
// IMG_HighAddress(img),
// IMG_Name(img).c_str());
}
/*
* Callback when an image is loaded.
* This callback must be called even outside the range analysis.
*/
static void callbackImageLoad(IMG img) {
/* Mutex */
PIN_LockClient();
/* Collect image information */
std::string imagePath = IMG_Name(img);
triton::__uint imageBase = IMG_LowAddress(img);
triton::__uint imageSize = (IMG_HighAddress(img) + 1) - imageBase;
/* Execute the Python callback */
tracer::pintool::callbacks::imageLoad(imagePath, imageBase, imageSize);
/* Mutex */
PIN_UnlockClient();
}
//--------------------------------------------------------------------------------------
VOID ImageLoad(IMG Image, VOID *v)
{
// get image characteristics
ADDRINT AddrStart = IMG_LowAddress(Image);
ADDRINT AddrEnd = IMG_HighAddress(Image);
const string &ImagePath = IMG_Name(Image);
// save full image path for module
m_ModulePathList.push_back(ImagePath);
// get image file name from full path
string *ImageName = NameFromPath(ImagePath);
// add image information into the list
m_ModuleList[ImageName] = std::make_pair(AddrStart, AddrEnd);
}
// Instrumentation of the modules
VOID image_instrumentation(IMG img, VOID * v)
{
ADDRINT module_low_limit = IMG_LowAddress(img), module_high_limit = IMG_HighAddress(img);
if(IMG_IsMainExecutable(img))
return;
const std::string image_path = IMG_Name(img);
std::pair<std::string, std::pair<ADDRINT, ADDRINT> > module_info = std::make_pair(
image_path,
std::make_pair(
module_low_limit,
module_high_limit
)
);
module_list.insert(module_info);
if(is_module_should_be_blacklisted(image_path))
modules_blacklisted.insert(module_info);
}
float ProcInfo::GetEntropy(){
IMG binary_image = APP_ImgHead();
const double d1log2 = 1.4426950408889634073599246810023;
double Entropy = 0.0;
unsigned long Entries[256];
unsigned char* Buffer;
ADDRINT start_address = IMG_LowAddress(binary_image);
ADDRINT end_address = IMG_HighAddress(binary_image);
UINT32 size = end_address - start_address;
Buffer = (unsigned char *)malloc(size);
MYLOG("size to dump is %d" , size);
MYLOG("Start address is %08x" , start_address);
MYLOG("Start address is %08x" , end_address);
MYLOG("IMAGE NAME IS %s" , IMG_Name(binary_image));
PIN_SafeCopy(Buffer , (void const *)start_address , size);
memset(Entries, 0, sizeof(unsigned long) * 256);
for (unsigned long i = 0; i < size; i++)
Entries[Buffer[i]]++;
for (unsigned long i = 0; i < 256; i++)
{
double Temp = (double) Entries[i] / (double) size;
if (Temp > 0)
Entropy += - Temp*(log(Temp)*d1log2);
}
MYLOG("ENTROPY IS %f" , Entropy);
return Entropy;
}
/* ===================================================================== */
VOID ImageLoad(IMG img, VOID *v)
{
std::cerr << "Loading " << IMG_Name(img).c_str() << " Start " << hex << IMG_LowAddress(img) << " End " << IMG_HighAddress(img) << endl;
// if no module passed, just use the main executable
string module = KnobModuleToLog.Value();
if (module.empty() && IMG_IsMainExecutable( img ) )
{
module = IMG_Name(img);
}
// keep in mind this is case sensitive...
if (module.empty() || IMG_Name( img ).rfind( module.c_str() ) == string::npos)
{
return;
}
moduleStart = IMG_LowAddress(img);
moduleEnd = IMG_HighAddress(img);
moduleSize = moduleEnd - moduleStart;
if (gLogStart != -1)
{
gLogStart += moduleStart;
}
if (gLogStop != -1)
{
gLogStop += moduleStart;
}
std::cerr << "Module size is: " << moduleSize << endl;
logBuffer = (WINDOWS::BYTE *)calloc(moduleSize,sizeof(WINDOWS::BYTE));
if (logBuffer == NULL)
{
std::cerr << "Unable to allocate enough heapspace, how friggen big is this module?" << endl;
return;
}
std::cerr << "Creating hit count for instructions in module: " << IMG_Name(img).c_str() << endl;
}
void imageLoadCallback(IMG img,void *){
//get the initial entropy of the PE
//we have to consder only the main executable and avìvoid the libraries
if(IMG_IsMainExecutable(img)){
ProcInfo *proc_info = ProcInfo::getInstance();
proc_info->setFirstINSaddress(IMG_Entry(img));
MYLOG("INIT : %08x", proc_info->getFirstINSaddress());
MYLOG("----------------------------------------------");
float initial_entropy = proc_info->GetEntropy();
proc_info->setInitialEntropy(initial_entropy);
MYLOG("----------------------------------------------");
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
Section item;
item.name = SEC_Name(sec);
item.begin = SEC_Address(sec);
item.end = item.begin + SEC_Size(sec);
proc_info->insertSection(item);
}
proc_info->PrintSections();
}
FilterHandler *filterH = FilterHandler::getInstance();
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
const string name = IMG_Name(img);
if(!IMG_IsMainExecutable(img) && filterH->isKnownLibrary(name)){
filterH->addLibrary(name,startAddr,endAddr);
}
}
VOID ImageLoad (IMG img, VOID *v)
{
uint32_t id = IMG_Id (img);
std::string iname = IMG_Name(img);
if (id==1) // this is the first image, extract the path and the name of the executable
{
string ename, epath;
MIAMIU::ExtractNameAndPath(iname, epath, ename);
MIAMI::MiamiOptions *mo = MIAMI::mdriver.getProgramOptions();
mo->addExecutableName(ename);
mo->addExecutablePath(epath);
}
// print info about the sections in this image, for debugging
// comment out in production runs
#if DEBUG_CFG_COUNTS
DEBUG_CFG(4,
cerr << "Image: " << iname << ", id " << id << hex
<< " load offser=0x" << IMG_LoadOffset(img)
<< ", low addr=0x" << IMG_LowAddress(img)
<< ", high addr=0x" << IMG_HighAddress(img)
<< ", start addr=0x" << IMG_StartAddress(img)
<< ", mapped size=0x" << IMG_SizeMapped(img) << dec
<< ", has the following sections:" << endl;
for (SEC sec= IMG_SecHead(img) ; SEC_Valid(sec) ; sec = SEC_Next(sec))
{
cerr << "Section " << SEC_Name(sec) << " of type " << SEC_Type(sec)
<< " at address 0x" << hex << SEC_Address(sec) << " of size 0x"
<< SEC_Size(sec) << dec << "/" << SEC_Size(sec) << " bytes:"
<< " valid? " << SEC_Valid(sec) << ", mapped? " << SEC_Mapped(sec)
<< ", executable? " << SEC_IsExecutable(sec)
<< ", readable? " << SEC_IsReadable(sec)
<< ", writable? " << SEC_IsWriteable(sec) << endl;
}
)
VOID ImageLoad (IMG img, VOID *v)
{
printf ("loaded image %s lowAddr %p highAddr %p loadOffset %p\n", IMG_Name(img).c_str(),
(void *)IMG_LowAddress(img), (void *)IMG_HighAddress(img), (void *)IMG_LoadOffset(img));
}
// This routine is executed for each image
VOID ImageLoad(IMG img, VOID *v)
{
if (!FlashPlayerConfigBuilder::instance().isSupportedFlashPlayer(img))
{
return;
}
LOGF("Found supported Flash Player image: %s (0x%x - 0x%x)\n", IMG_Name(img).c_str(), IMG_LowAddress(img), IMG_HighAddress(img));
config = FlashPlayerConfigBuilder::instance().getConfig();
// config->setInterpRVA needs to be chosen in such way that
// the value of _invoker can be found from [ESI+config->invinvokerOffsetInMethodInfookerOffset]
RTN setInterp = RTN_CreateAt(config->loadOffset + config->setInterpRVA, "setInterp");
// config->setInterpRVA needs to be chosen in such way that
// the value of _implGPR can be found from EAX
RTN verifyOnCall = RTN_CreateAt(config->loadOffset + config->verifyOnCallRVA, "verifyOnCall");
if (setInterp == RTN_Invalid() || verifyOnCall == RTN_Invalid())
{
LOGF("Instrumenting Flash Player failed. Check setInterp and verifyOnCall RVAs in config.\n");
return;
}
RTN_Open(setInterp);
RTN_InsertCall(setInterp, IPOINT_BEFORE, (AFUNPTR)InterpretedMethodVerified, IARG_REG_VALUE, REG_ESI, IARG_END);
RTN_Close(setInterp);
RTN_Open(verifyOnCall);
if(config->m_flash_version == VER_15){
RTN_InsertCall(verifyOnCall, IPOINT_AFTER, (AFUNPTR)JITedMethodVerified, IARG_REG_VALUE, REG_ECX, IARG_END);
}
else{
RTN_InsertCall(verifyOnCall, IPOINT_AFTER, (AFUNPTR)JITedMethodVerified, IARG_REG_VALUE, REG_EAX, IARG_END);
}
RTN_Close(verifyOnCall);
// Register TraceCalls to be called to instrument instructions
INS_AddInstrumentFunction(TraceCalls, 0);
}
// - Get initial entropy
// - Get PE section data
// - Add filtered library
void imageLoadCallback(IMG img,void *){
/*for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
for( RTN rtn= SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn) ){
MYINFO("Inside %s -> %s",IMG_Name(img).c_str(),RTN_Name(rtn).c_str());
}
}*/
Section item;
static int va_hooked = 0;
ProcInfo *proc_info = ProcInfo::getInstance();
FilterHandler *filterHandler = FilterHandler::getInstance();
//get the initial entropy of the PE
//we have to consder only the main executable and avìvoid the libraries
if(IMG_IsMainExecutable(img)){
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
proc_info->setMainIMGAddress(startAddr, endAddr);
//get the address of the first instruction
proc_info->setFirstINSaddress(IMG_Entry(img));
//get the program name
proc_info->setProcName(IMG_Name(img));
//get the initial entropy
MYINFO("----------------------------------------------");
float initial_entropy = proc_info->GetEntropy();
proc_info->setInitialEntropy(initial_entropy);
MYINFO("----------------------------------------------");
//retrieve the section of the PE
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
item.name = SEC_Name(sec);
item.begin = SEC_Address(sec);
item.end = item.begin + SEC_Size(sec);
proc_info->insertSection(item);
}
//DEBUG
proc_info->PrintSections();
}
//build the filtered libtrary list
ADDRINT startAddr = IMG_LowAddress(img);
ADDRINT endAddr = IMG_HighAddress(img);
const string name = IMG_Name(img);
if(!IMG_IsMainExecutable(img)){
if(name.find("ntdll")!= std::string::npos){
for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
if(strcmp(SEC_Name(sec).c_str(),".text")==0){
proc_info->addProtectedSection(SEC_Address(sec),SEC_Address(sec)+SEC_Size(sec));
}
}
}
//*** If you need to protect other sections of other dll put them here ***
hookFun.hookDispatcher(img);
proc_info->addLibrary(name,startAddr,endAddr);
if(filterHandler->IsNameInFilteredArray(name)){
filterHandler->addToFilteredLibrary(name,startAddr,endAddr);
MYINFO("Added to the filtered array the module %s\n" , name);
}
}
}
VOID ImageLoad(IMG img, VOID *v)
{
Stat << hex << IMG_Name(img) << " " << IMG_LowAddress(img) << " " << IMG_HighAddress(img) << " " <<endl;
}