예제 #1
0
static VOID
LogImageLoad(IMG img)
{
	const string name = IMG_Name(img);
	ADDRINT low 	= IMG_LowAddress(img);
	ADDRINT high	= IMG_HighAddress(img);

	EmitLibraryLoadEvent(PIN_ThreadId(), IMG_Name(img), 
				IMG_LowAddress(img), IMG_HighAddress(img));
}
예제 #2
0
파일: rop_vec.cpp 프로젝트: llubu/ROP
VOID ImageLoad(IMG img, VOID *v)
{
    if ( IMG_Name(img) == TARLIB ) {
//	cout << IMG_Name(img) << " " << hex << IMG_LowAddress(img) << " " << IMG_HighAddress(img) << " "
//	    << IMG_NumRegions(img) << endl;
	start = IMG_LowAddress(img);
	end = IMG_HighAddress(img);
	Stat << hex << start << ":" << end << endl;
	cout << hex << start << ":" << end <<" "<< (start + FFI_CALL_UNIX64) << " " << (start+FF64END) <<  endl;
    }
    Stat << hex << IMG_Name(img) << " " << IMG_LowAddress(img) << " " << IMG_HighAddress(img) << " " <<endl;// IMG_NumRegions(img) << endl;
}
예제 #3
0
// - Get initial entropy
// - Get PE section data 
// - Add filtered library
// - Add protected libraries 
void imageLoadCallback(IMG img,void *){
	Section item;
	static int va_hooked = 0;
	ProcInfo *proc_info = ProcInfo::getInstance();
	FilterHandler *filterHandler = FilterHandler::getInstance();
	//get the initial entropy of the PE
	//we have to consder only the main executable and avìvoid the libraries
	if(IMG_IsMainExecutable(img)){		
		ADDRINT startAddr = IMG_LowAddress(img);
		ADDRINT endAddr = IMG_HighAddress(img);
		proc_info->setMainIMGAddress(startAddr, endAddr);
		//get the  address of the first instruction
		proc_info->setFirstINSaddress(IMG_Entry(img));
		//get the program name
		proc_info->setProcName(IMG_Name(img));
		//get the initial entropy
		MYINFO("----------------------------------------------");
		float initial_entropy = proc_info->GetEntropy();
		proc_info->setInitialEntropy(initial_entropy);
		MYINFO("----------------------------------------------");	
		//create Report File
		Report::getInstance()->initializeReport(proc_info->getProcName(), startAddr, endAddr , initial_entropy);
		//retrieve the section of the PE
		for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
			item.name = SEC_Name(sec);
			item.begin = SEC_Address(sec);
			item.end = item.begin + SEC_Size(sec);
			proc_info->insertSection(item);
		}
		proc_info->PrintSections();
	}
	//build the filtered libtrary list
	ADDRINT startAddr = IMG_LowAddress(img);
	ADDRINT endAddr = IMG_HighAddress(img);
	const string name = IMG_Name(img); 
	if(!IMG_IsMainExecutable(img)){
		
		//*** If you need to protect other sections of other dll put them here ***
		// check if there are some fuction that has top be hooked in this DLL
		hookFun.hookDispatcher(img);
		// check if we have to filter this library during thwe instrumentation
		proc_info->addLibrary(name,startAddr,endAddr);
		if(filterHandler->IsNameInFilteredArray(name)){
			filterHandler->addToFilteredLibrary(name,startAddr,endAddr);
			MYINFO("Added to the filtered array the module %s\n" , name);
		}
	}
}
예제 #4
0
void img_load (IMG img, void *v)
{
	struct event_imload *imevent;
	char buffer[512];
	size_t length;

/*	fprintf(logfp, "load %s off=%08x low=%08x high=%08x start=%08x size=%08x\n",
			IMG_Name(img).c_str(),
			IMG_LoadOffset(img), IMG_LowAddress(img), IMG_HighAddress(img),
			IMG_StartAddress(img), IMG_SizeMapped(img));*/

	imevent = (struct event_imload *)buffer;
	length = IMG_Name(img).length();
	if (length > sizeof(buffer) - sizeof(struct event_imload))
		length = sizeof(buffer) - sizeof(struct event_imload);
	imevent->comm.type = ET_IMLOAD;
	imevent->comm.tid = PIN_ThreadId();
	imevent->struct_size = (int)((char *)imevent->name - (char *)imevent) + length + 1;
	imevent->addr = IMG_LowAddress(img);
	imevent->size = IMG_HighAddress(img) - IMG_LowAddress(img);
	imevent->entry = IMG_Entry(img);
	imevent->ismain = IMG_IsMainExecutable(img);
	memcpy(imevent->name, IMG_Name(img).c_str(), length);
	imevent->name[length] = '\0';
	tb_write((event_common *)imevent, (size_t)imevent->struct_size);

	osdep_iterate_symbols(img, process_symbol, (void *)&img);
	tb_flush(PIN_ThreadId());

	fprintf(logfp, "img+ %08x+%08x %s\n", IMG_StartAddress(img), IMG_SizeMapped(img), IMG_Name(img).c_str());
}
예제 #5
0
//return the entropy value of the entire program
float ProcInfo::GetEntropy(){
	IMG binary_image = APP_ImgHead();
	// trick in order to convert a ln in log2
	const double d1log2 = 1.4426950408889634073599246810023;
	double Entropy = 0.0;
	unsigned long Entries[256];
	unsigned char* Buffer;
	//calculate the entropy only on the main module address space
	ADDRINT start_address = IMG_LowAddress(binary_image);
	ADDRINT end_address = IMG_HighAddress(binary_image);
	UINT32 size = end_address - start_address;
	// copy the main module in a buffer in order to analyze it
	Buffer = (unsigned char *)malloc(size);
	PIN_SafeCopy(Buffer , (void const *)start_address , size);
	// set to all zero the matrix of the bytes occurrence
	memset(Entries, 0, sizeof(unsigned long) * 256);
	// increment the counter of the current read byte (Buffer[i])in the occurence matrix (Entries)
	for (unsigned long i = 0; i < size; i++)
		Entries[Buffer[i]]++;
	// do the shannon formula on the occurence matrix ( H = sum(P(i)*log2(P(i)) )
	for (unsigned long i = 0; i < 256; i++)
	{
		double Temp = (double) Entries[i] / (double) size;
		if (Temp > 0)
			Entropy += - Temp*(log(Temp)*d1log2); 
	}
	return Entropy;
}
예제 #6
0
VOID  Image(IMG img, VOID *v){
        char    szFilePath[260];
        unsigned long index;
        
        GetLock(&lock, 1);
        if (process_start != 0){
                ReleaseLock(&lock);
                return;
        }
        if (IMG_Valid(img)){
                memset(szFilePath, 0, sizeof(szFilePath));
                strncpy(szFilePath, IMG_Name(img).c_str(), sizeof(szFilePath)-1);
                index = 0;
                while (szFilePath[index] != 0){
                        szFilePath[index] = tolower(szFilePath[index]);
                        index++;
                }
                
                if (strstr(szFilePath, KnobProcessToTrace.Value().c_str())){
                        process_start = IMG_LowAddress(img);
                        process_end   = IMG_HighAddress(img);
                }
        }
        ReleaseLock(&lock);
        
}
예제 #7
0
static void process_symbol (void *priv, const char *name, ADDRINT addr)
{
	struct event_symbol *sbevent;
	char buffer[512];
	size_t length;
	IMG *img = (IMG *)priv;

	assert(addr >= IMG_LowAddress(*img) && addr < IMG_HighAddress(*img));

	sbevent = (struct event_symbol *)buffer;
	sbevent->comm.type = ET_SYMBOL;
	sbevent->comm.tid = PIN_ThreadId();

	length = strlen(name);
	assert(length > 0);
	if (length > sizeof(buffer) - sizeof(struct event_symbol))
		length = sizeof(buffer) - sizeof(struct event_symbol);
	sbevent->struct_size = (int)((char *)sbevent->name - (char *)sbevent) + length + 1;
	sbevent->addr = addr;
	memcpy(sbevent->name, name, length);
	//sbevent->name[length] = '\0'; // It gives error: array subscript is above array bounds 
	{ char *arr = sbevent->name; arr[length] = '\0'; }
	tb_write((event_common *)sbevent, (size_t)sbevent->struct_size);
	fprintf(logfp, "sym %08x %s\n", addr, name);
}
예제 #8
0
static void reportError(ADDRINT addr)
{
    fprintf (stderr, "BAD Fetch from 0x%08x\n", addr);
    for (IMG img= APP_ImgHead(); IMG_Valid(img); img = IMG_Next(img))
    {
        fprintf (stderr, "%-30s: 0x%08x:0x%08x\n", IMG_Name(img).c_str(),
                 IMG_LowAddress(img),IMG_HighAddress(img));
    }
    exit (-1);
}
예제 #9
0
void report_image_structure(IMG img, int depth){
  UINT32 I1 = IMG_Id(img);
  string I2 = IMG_Name(img);
  int I3 = IMG_IsMainExecutable( img );
  int I4 = IMG_IsStaticExecutable( img );
  ADDRINT I5 = IMG_LoadOffset(img);
  ADDRINT I6 = IMG_LowAddress(img);
  ADDRINT I7 = IMG_HighAddress(img);
  ADDRINT I8 = IMG_LoadOffset(img);
  ADDRINT I9 = IMG_StartAddress(img);
  ADDRINT I10 = IMG_Entry(img);
  USIZE   I11 = IMG_SizeMapped( img );
  IMG_TYPE I12 = IMG_Type(img);
  char I13[128];

  int k ; 
  for ( k = 0; k< depth ; k ++ )
    TraceFile << "\t" ; 
  TraceFile << "<IMAGE-LOAD>" << " I1:" << I1 << " I2:" << I2 << " I3:" << I3 << " I4:" << I4 << " I5:" << hex<< I5 << " I6:"<< I6 << " I7:" << I7 << " I8:" << I8 << " I9:"<< I9  << " I10:"<< I10  << " I11:" << I11 ;

  switch ( I12 ){
  case IMG_TYPE_STATIC:
    strcpy( I13 ,"static" ); break;
  case IMG_TYPE_SHARED:
    strcpy( I13 ,"shared" ); break;
  case IMG_TYPE_INVALID:
    strcpy( I13 ,"invalid" ); break;
  case IMG_TYPE_LAST:
    strcpy( I13 ,"last" ); break;
  case IMG_TYPE_SHAREDLIB:
    strcpy( I13 ,"shared-lib" ); break;
  case IMG_TYPE_RELOCATABLE:
    strcpy( I13 ,"relocatable" ); break;
  case IMG_TYPE_DYNAMIC_CODE:
    strcpy( I13 ,"dynamic-code" ); break;
  default:
    strcpy( I13 ,"UNKNOWN" ); break;      }

  TraceFile << " I12:" << I12 << " I13:" << I13 << endl;

  for( SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
    report_section_structure( sec, depth + 1   ); 
  }

  /* */

  for (SYM sym = IMG_RegsymHead(img); SYM_Valid(sym); sym = SYM_Next(sym)){
    report_sym_structure( sym, depth +1 );
  }
 
  for ( k = 0; k< depth ; k ++ )
    TraceFile << "\t" ; 
  TraceFile << "</IMAGE-LOAD>" << endl;
}
// - Get initial entropy
// - Get PE section data 
// - Add filtered library
void imageLoadCallback(IMG img,void *){

	Section item;
	static int va_hooked = 0;

	//get the initial entropy of the PE
	//we have to consder only the main executable and avìvoid the libraries
	if(IMG_IsMainExecutable(img)){
		
		ProcInfo *proc_info = ProcInfo::getInstance();
		//get the  address of the first instruction
		proc_info->setFirstINSaddress(IMG_Entry(img));
		//get the program name
		proc_info->setProcName(IMG_Name(img));
		//get the initial entropy
		MYINFO("----------------------------------------------");
		float initial_entropy = proc_info->GetEntropy();
		proc_info->setInitialEntropy(initial_entropy);
		MYINFO("----------------------------------------------");
		//retrieve the section of the PE
		for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
			item.name = SEC_Name(sec);
			item.begin = SEC_Address(sec);
			item.end = item.begin + SEC_Size(sec);
			proc_info->insertSection(item);
		}
		//DEBUG
		proc_info->PrintSections();
	}
	//build the filtered libtrary list
	FilterHandler *filterH = FilterHandler::getInstance();
	ADDRINT startAddr = IMG_LowAddress(img);
	ADDRINT endAddr = IMG_HighAddress(img);
	const string name = IMG_Name(img); 

	if(!IMG_IsMainExecutable(img) && filterH->isKnownLibrary(name)){	

		/* searching for VirtualAlloc */ 
		RTN rtn = RTN_FindByName( img, "VirtualAlloc");
		if(rtn != RTN_Invalid()){
			MYINFO("BECCATO LA VIRTUAL ALLOC\n");
			ADDRINT va_address = RTN_Address(rtn);
			MYINFO("Address of VirtualAlloc: %08x\n" , va_address);

			RTN_Open(rtn); 	
			RTN_InsertCall(rtn, IPOINT_AFTER, (AFUNPTR)VirtualAllocHook , IARG_G_ARG0_CALLEE , IARG_G_ARG1_CALLEE , IARG_G_RESULT0, IARG_END);
			RTN_Close(rtn);
		
		}

		filterH->addLibrary(name,startAddr,endAddr);

	}
}
예제 #11
0
파일: MyPinTool.cpp 프로젝트: imholulu/DTA
VOID rtnInst(IMG img, VOID *v)
{
//	for(IMG temp = img; IMG_Valid(temp); temp = IMG_Next(temp))

//	out <<IMG_Name(img)<<endl;
	
//	char * temp = "KVWebSvr.dll";
	string dllname = IMG_Name(img);
	RTN dispatchRtn;
	ADDRINT funaddr;
	if(dllname.find("KVWebSvr.dll")!=string::npos)
	{
		

		out <<dllname<<"start address 0x " <<IMG_LowAddress(img) <<endl;
		out <<dllname<<"end address 0x "<<IMG_HighAddress(img) <<endl;

		funaddr = IMG_LowAddress(img)+0x18060;

//		RTN_CreateAt(0x100183b0,"sub_100183b0");//022D8060

//		RTN_CreateAt(0x022D8060,"sub_invoke");

//		dispatchRtn = RTN_FindByName(img, "sub_invoke");

		RTN_CreateAt(funaddr,"sub_invoke");

//		RTN_CreateAt(0x10019210,"sub_10019210");

		dispatchRtn = RTN_FindByName(img, "sub_invoke");
//		dispatchRtn = RTN_FindByAddress(0x100183b0);

		if (RTN_Valid(dispatchRtn))
		{
			out << "find the taint source function" << endl;
			RTN_Open(dispatchRtn);
			RTN_InsertCall(dispatchRtn,IPOINT_BEFORE,(AFUNPTR)InvokeFunTaint,IARG_END);

//			RTN_InsertCall(dispatchRtn, IPOINT_BEFORE, (AFUNPTR)InputFunAddTaint,
//                       IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
//                       IARG_FUNCARG_ENTRYPOINT_VALUE, 1,
//					   IARG_FUNCARG_ENTRYPOINT_VALUE, 2,
//                       IARG_END);

			RTN_Close(dispatchRtn);
//			out << RTN_Address(dispatchRtn)<< endl;
		}
	}


	//function-level taint

	inst_func_summary(img);
}
예제 #12
0
// Print the list of images currently loaded, with some information about each.
static VOID PrintImageList()
{
    for (IMG img= APP_ImgHead(); IMG_Valid(img); img = IMG_Next(img))
    {
        int nSecs;
        int nRtns;

        CountImageSecsAndRtns (img, &nSecs, &nRtns);
        fprintf (trace, "   L  %-40s %2d [0x%lx:0x%lx] offset 0x%lx %2d SECs %4d RTNs\n", IMG_Name(img).c_str(), IMG_Id(img),
                 (unsigned long)IMG_LowAddress(img), (unsigned long)IMG_HighAddress(img), (unsigned long)IMG_LoadOffset(img), nSecs, nRtns);
    }    
}
void ImageLoad (IMG img, void *context)
{
    fprintf (stderr, "Notified of load of %s at [%p,%p]\n",
             IMG_Name(img).c_str(),
             (char *)IMG_LowAddress(img), (char *)IMG_HighAddress(img));
    
    // See if this is ntdll.dll
    
    char szName[_MAX_FNAME];
    char szExt[_MAX_EXT];
    
    _splitpath_s (IMG_Name(img).c_str(),
                  NULL, 0,
                  NULL, 0,
                  szName, _MAX_FNAME,
                  szExt, _MAX_EXT);
    strcat_s (szName, _MAX_FNAME, szExt);
    
    if (0 != _stricmp ("ntdll.dll", szName))
        return;
    
    RTN rtn = RTN_FindByName (img, "RtlAllocateHeap");	
    
    if (RTN_Invalid() == rtn)
    {
        fprintf (stderr, "Failed to find RtlAllocateHeap in %s\n",
                 IMG_Name(img).c_str());
        return;
    }
    fprintf(stderr,"Replacing\n");
    PROTO protoRtlAllocateHeap =
        PROTO_Allocate (PIN_PARG(void *), 
                        CALLINGSTD_STDCALL, 
                        "RtlAllocateHeap", 
                        PIN_PARG(WINDOWS::PVOID), // HeapHandle
                        PIN_PARG(WINDOWS::ULONG), // Flags
                        PIN_PARG(WINDOWS::SIZE_T), // Size
                        PIN_PARG_END());
    
    
    RTN_ReplaceSignature (rtn, (AFUNPTR)replacement_RtlAllocateHeap,
                          IARG_PROTOTYPE, protoRtlAllocateHeap,
                          IARG_ORIG_FUNCPTR,
                          IARG_FUNCARG_ENTRYPOINT_VALUE, 0,
                          IARG_FUNCARG_ENTRYPOINT_VALUE, 1,
                          IARG_FUNCARG_ENTRYPOINT_VALUE, 2,
                          IARG_CONTEXT,
                          IARG_END);
    
    
    PROTO_Free (protoRtlAllocateHeap);
}
예제 #14
0
VOID ImageLoad(IMG img, VOID *v){
	//printf("image name : %s\n", IMG_Name(img).c_str());
	if (process_start != 0) return;
        
        if (strstr(IMG_Name(img).c_str(), KnobProcessToTrace.Value().c_str())){
                process_start = IMG_LowAddress(img);
                process_end   = IMG_HighAddress(img);
        } 
	

        //printf("Loading %.08x-%.08x : %s\n", 	IMG_LowAddress(img),
        //					IMG_HighAddress(img),
        //					IMG_Name(img).c_str());
}
예제 #15
0
파일: main.cpp 프로젝트: ispras/Triton
    /*
     * Callback when an image is loaded.
     * This callback must be called even outside the range analysis.
     */
    static void callbackImageLoad(IMG img) {
      /* Mutex */
      PIN_LockClient();

      /* Collect image information */
      std::string imagePath     = IMG_Name(img);
      triton::__uint imageBase  = IMG_LowAddress(img);
      triton::__uint imageSize  = (IMG_HighAddress(img) + 1) - imageBase;

      /* Execute the Python callback */
      tracer::pintool::callbacks::imageLoad(imagePath, imageBase, imageSize);

      /* Mutex */
      PIN_UnlockClient();
    }
//--------------------------------------------------------------------------------------
VOID ImageLoad(IMG Image, VOID *v)
{
    // get image characteristics
    ADDRINT	AddrStart = IMG_LowAddress(Image);
    ADDRINT	AddrEnd = IMG_HighAddress(Image);
    const string &ImagePath = IMG_Name(Image);

    // save full image path for module 
    m_ModulePathList.push_back(ImagePath);

    // get image file name from full path
    string *ImageName = NameFromPath(ImagePath);

    // add image information into the list
    m_ModuleList[ImageName] = std::make_pair(AddrStart, AddrEnd);
}
예제 #17
0
// Instrumentation of the modules
VOID image_instrumentation(IMG img, VOID * v)
{
    ADDRINT module_low_limit = IMG_LowAddress(img), module_high_limit = IMG_HighAddress(img); 

    if(IMG_IsMainExecutable(img))
        return;

    const std::string image_path = IMG_Name(img);

    std::pair<std::string, std::pair<ADDRINT, ADDRINT> > module_info = std::make_pair(
        image_path,
        std::make_pair(
            module_low_limit,
            module_high_limit
        )
    );

    module_list.insert(module_info);

    if(is_module_should_be_blacklisted(image_path))
        modules_blacklisted.insert(module_info);
}
float ProcInfo::GetEntropy(){

	IMG binary_image = APP_ImgHead();

	const double d1log2 = 1.4426950408889634073599246810023;
	double Entropy = 0.0;
	unsigned long Entries[256];
	unsigned char* Buffer;

	ADDRINT start_address = IMG_LowAddress(binary_image);
	ADDRINT end_address = IMG_HighAddress(binary_image);
	UINT32 size = end_address - start_address;

	Buffer = (unsigned char *)malloc(size);

	MYLOG("size to dump is %d" , size);
	MYLOG("Start address is %08x" , start_address);
	MYLOG("Start address is %08x" , end_address);
	MYLOG("IMAGE NAME IS %s" , IMG_Name(binary_image));

	PIN_SafeCopy(Buffer , (void const *)start_address , size);

	memset(Entries, 0, sizeof(unsigned long) * 256);

	for (unsigned long i = 0; i < size; i++)
		Entries[Buffer[i]]++;
	for (unsigned long i = 0; i < 256; i++)
	{
		double Temp = (double) Entries[i] / (double) size;
		if (Temp > 0)
			Entropy += - Temp*(log(Temp)*d1log2); 
	}

	MYLOG("ENTROPY IS %f" , Entropy);

	return Entropy;
}
예제 #19
0
/* ===================================================================== */
VOID ImageLoad(IMG img, VOID *v)
{
	std::cerr << "Loading " << IMG_Name(img).c_str() << " Start " << hex << IMG_LowAddress(img) << " End " << IMG_HighAddress(img) << endl;
	// if no module passed, just use the main executable
	string module = KnobModuleToLog.Value();
	if (module.empty() && IMG_IsMainExecutable( img ) )
	{
		module = IMG_Name(img);
	}
	// keep in mind this is case sensitive...
	if (module.empty() || IMG_Name( img ).rfind( module.c_str() ) == string::npos) 
	{
		return;
	}
	moduleStart = IMG_LowAddress(img);
	moduleEnd = IMG_HighAddress(img);
	moduleSize = moduleEnd - moduleStart;
	if (gLogStart != -1)
	{
		gLogStart += moduleStart;
	}
	
	if (gLogStop != -1)
	{
		gLogStop += moduleStart;
	}

	std::cerr << "Module size is: " << moduleSize << endl;
	logBuffer = (WINDOWS::BYTE *)calloc(moduleSize,sizeof(WINDOWS::BYTE));
	if (logBuffer == NULL)
	{
		std::cerr << "Unable to allocate enough heapspace, how friggen big is this module?" << endl;
		return;
	}
	std::cerr << "Creating hit count for instructions in module: " << IMG_Name(img).c_str() << endl;

}
void imageLoadCallback(IMG img,void *){
	//get the initial entropy of the PE
	//we have to consder only the main executable and avìvoid the libraries
	if(IMG_IsMainExecutable(img)){
		
		ProcInfo *proc_info = ProcInfo::getInstance();

		proc_info->setFirstINSaddress(IMG_Entry(img));

		MYLOG("INIT : %08x", proc_info->getFirstINSaddress());

		MYLOG("----------------------------------------------");
		float initial_entropy = proc_info->GetEntropy();
		proc_info->setInitialEntropy(initial_entropy);
		MYLOG("----------------------------------------------");


		for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
			Section item;
			item.name = SEC_Name(sec);
			item.begin = SEC_Address(sec);
			item.end = item.begin + SEC_Size(sec);
			proc_info->insertSection(item);
		}

		proc_info->PrintSections();

	}
	FilterHandler *filterH = FilterHandler::getInstance();
	ADDRINT startAddr = IMG_LowAddress(img);
	ADDRINT endAddr = IMG_HighAddress(img);
	const string name = IMG_Name(img); 
	if(!IMG_IsMainExecutable(img) && filterH->isKnownLibrary(name)){		
		filterH->addLibrary(name,startAddr,endAddr);
	}
}
예제 #21
0
VOID ImageLoad (IMG img, VOID *v)
{
   uint32_t id = IMG_Id (img);
   std::string iname = IMG_Name(img);

   if (id==1)  // this is the first image, extract the path and the name of the executable
   {
      string ename, epath;
      MIAMIU::ExtractNameAndPath(iname, epath, ename);
      MIAMI::MiamiOptions *mo = MIAMI::mdriver.getProgramOptions();
      mo->addExecutableName(ename);
      mo->addExecutablePath(epath);
   }
   
   // print info about the sections in this image, for debugging
   // comment out in production runs
#if DEBUG_CFG_COUNTS
   DEBUG_CFG(4,
      cerr << "Image: " << iname << ", id " << id << hex
           << " load offser=0x" << IMG_LoadOffset(img)
           << ", low addr=0x" << IMG_LowAddress(img)
           << ", high addr=0x" << IMG_HighAddress(img)
           << ", start addr=0x" << IMG_StartAddress(img)
           << ", mapped size=0x" << IMG_SizeMapped(img) << dec
           << ", has the following sections:" << endl;
      for (SEC sec= IMG_SecHead(img) ; SEC_Valid(sec) ; sec = SEC_Next(sec))
      {
         cerr << "Section " << SEC_Name(sec) << " of type " << SEC_Type(sec)
              << " at address 0x" << hex << SEC_Address(sec) << " of size 0x" 
              << SEC_Size(sec) << dec << "/" << SEC_Size(sec) << " bytes:"
              << " valid? " << SEC_Valid(sec) << ", mapped? " << SEC_Mapped(sec)
              << ", executable? " << SEC_IsExecutable(sec) 
              << ", readable? " << SEC_IsReadable(sec)
              << ", writable? " << SEC_IsWriteable(sec) << endl;
      }
   )
예제 #22
0
VOID ImageLoad (IMG img, VOID *v)
{
    printf ("loaded image %s lowAddr %p highAddr %p loadOffset %p\n", IMG_Name(img).c_str(),
            (void *)IMG_LowAddress(img), (void *)IMG_HighAddress(img), (void *)IMG_LoadOffset(img));
}
예제 #23
0
파일: main.cpp 프로젝트: fa15073/Sulo
// This routine is executed for each image
VOID ImageLoad(IMG img, VOID *v)
{
	if (!FlashPlayerConfigBuilder::instance().isSupportedFlashPlayer(img))
	{
		return;
	}
	
	LOGF("Found supported Flash Player image: %s (0x%x - 0x%x)\n", IMG_Name(img).c_str(), IMG_LowAddress(img), IMG_HighAddress(img));
	config = FlashPlayerConfigBuilder::instance().getConfig();

	// config->setInterpRVA needs to be chosen in such way that 
	// the value of _invoker can be found from [ESI+config->invinvokerOffsetInMethodInfookerOffset]
	RTN setInterp = RTN_CreateAt(config->loadOffset + config->setInterpRVA, "setInterp");
			
	// config->setInterpRVA needs to be chosen in such way that
	// the value of _implGPR can be found from EAX
	RTN verifyOnCall = RTN_CreateAt(config->loadOffset + config->verifyOnCallRVA, "verifyOnCall");
			
	if (setInterp == RTN_Invalid() || verifyOnCall == RTN_Invalid())
	{
		LOGF("Instrumenting Flash Player failed. Check setInterp and verifyOnCall RVAs in config.\n");
		return;
	}

	RTN_Open(setInterp);
	RTN_InsertCall(setInterp, IPOINT_BEFORE, (AFUNPTR)InterpretedMethodVerified, IARG_REG_VALUE, REG_ESI, IARG_END);
	RTN_Close(setInterp);

	RTN_Open(verifyOnCall);
	if(config->m_flash_version == VER_15){
		RTN_InsertCall(verifyOnCall, IPOINT_AFTER, (AFUNPTR)JITedMethodVerified, IARG_REG_VALUE, REG_ECX, IARG_END);
	}
	else{
		RTN_InsertCall(verifyOnCall, IPOINT_AFTER, (AFUNPTR)JITedMethodVerified, IARG_REG_VALUE, REG_EAX, IARG_END);
	}
	RTN_Close(verifyOnCall);

	// Register TraceCalls to be called to instrument instructions
	INS_AddInstrumentFunction(TraceCalls, 0);
}
// - Get initial entropy
// - Get PE section data 
// - Add filtered library
void imageLoadCallback(IMG img,void *){

	/*for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
		for( RTN rtn= SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn) ){
			MYINFO("Inside %s -> %s",IMG_Name(img).c_str(),RTN_Name(rtn).c_str());
		}
	}*/

	Section item;
	static int va_hooked = 0;
	ProcInfo *proc_info = ProcInfo::getInstance();
	FilterHandler *filterHandler = FilterHandler::getInstance();

	//get the initial entropy of the PE
	//we have to consder only the main executable and avìvoid the libraries
	if(IMG_IsMainExecutable(img)){
		
		ADDRINT startAddr = IMG_LowAddress(img);
		ADDRINT endAddr = IMG_HighAddress(img);
		proc_info->setMainIMGAddress(startAddr, endAddr);
		//get the  address of the first instruction
		proc_info->setFirstINSaddress(IMG_Entry(img));
		//get the program name
		proc_info->setProcName(IMG_Name(img));
		//get the initial entropy
		MYINFO("----------------------------------------------");
		float initial_entropy = proc_info->GetEntropy();
		proc_info->setInitialEntropy(initial_entropy);
		MYINFO("----------------------------------------------");
		//retrieve the section of the PE
		for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){
			item.name = SEC_Name(sec);
			item.begin = SEC_Address(sec);
			item.end = item.begin + SEC_Size(sec);
			proc_info->insertSection(item);
		}
		//DEBUG
		proc_info->PrintSections();
	}
	//build the filtered libtrary list
	ADDRINT startAddr = IMG_LowAddress(img);
	ADDRINT endAddr = IMG_HighAddress(img);
	const string name = IMG_Name(img); 
	
	if(!IMG_IsMainExecutable(img)){	
		
		if(name.find("ntdll")!= std::string::npos){
		
		  for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){

			if(strcmp(SEC_Name(sec).c_str(),".text")==0){
				proc_info->addProtectedSection(SEC_Address(sec),SEC_Address(sec)+SEC_Size(sec));
			}
	      }
		}

		//*** If you need to protect other sections of other dll put them here ***

		hookFun.hookDispatcher(img);		
		
		proc_info->addLibrary(name,startAddr,endAddr);

		if(filterHandler->IsNameInFilteredArray(name)){
			filterHandler->addToFilteredLibrary(name,startAddr,endAddr);
			MYINFO("Added to the filtered array the module %s\n" , name);
		}
	}
	
}
예제 #25
0
파일: finalTool.cpp 프로젝트: llubu/ROP
VOID ImageLoad(IMG img, VOID *v)
{
    Stat << hex << IMG_Name(img) << " " << IMG_LowAddress(img) << " " << IMG_HighAddress(img) << " " <<endl;
}