bool DarunGrim::DiffDatabaseFiles(const char *src_storage_filename, DWORD source_address, const char *target_storage_filename, DWORD target_address, const char *output_storage_filename)
{
Logger.Log(10, "%s: (output storage: %s)\n", __FUNCTION__, output_storage_filename);
Logger.Log(10, " source_address: %x\n", source_address);
Logger.Log(10, " target_address: %x\n", target_address);
pDiffMachine->SetSource((char *)src_storage_filename, 1, source_address);
pDiffMachine->SetTarget((char *)target_storage_filename, 1, target_address);
pDiffMachine->SetLoadIDAController(true);
pDiffMachine->Load((char *)output_storage_filename);
pSourceController = pDiffMachine->GetSourceController();
pTargetController = pDiffMachine->GetTargetController();
Logger.Log(10, "Analyze\n");
pDiffMachine->Analyze();
if (pStorageDB)
delete pStorageDB;
Logger.Log(10, "Save\n");
pStorageDB = new DBWrapper((char *)output_storage_filename);
SetDatabase(pStorageDB);
pDiffMachine->Save(*pStorageDB);
return TRUE;
}
void DarunGrim::RunIDAToCreateDGF(const char *ida_filename, unsigned long StartAddress, unsigned long EndAddress)
{
char *idc_filename = WriteToTemporaryFile(RUN_DARUNGRIM_PLUGIN_STR,
EscapedLogFilename ? EscapedLogFilename : "",
EscapedOutputFilename ? EscapedOutputFilename : "",
StartAddress,
EndAddress);
if (idc_filename)
{
//Run IDA
Logger.Log(10, "Analyzing [%s]( %s )\n", ida_filename, idc_filename);
if (IDALogFilename[0])
{
Logger.Log(10, "Executing \"%s\" -A -L\"%s\" -S\"%s\" \"%s\"", IDAPath, IDALogFilename, idc_filename, ida_filename);
Execute(TRUE, "\"%s\" -A -L\"%s\" -S\"%s\" \"%s\"", IDAPath, IDALogFilename, idc_filename, ida_filename);
}
else
{
Logger.Log(10, "Executing \"%s\" -A -S\"%s\" \"%s\"", IDAPath, idc_filename, ida_filename);
Execute(TRUE, "\"%s\" -A -S\"%s\" \"%s\"", IDAPath, idc_filename, ida_filename);
}
free(idc_filename);
}
}
BOOL IDAController::LoadIDARawDataFromSocket(SOCKET socket)
{
Socket = socket;
ClientAnalysisInfo = NULL;
char shared_memory_name[1024];
_snprintf(shared_memory_name, 1024, TEXT("DG Shared Memory - %u - %u"),
GetCurrentProcessId(),
GetCurrentThreadId());
Logger.Log( 10, LOG_IDA_CONTROLLER, "%s: ID = %d InitDataSharer\n", __FUNCTION__);
#define SHARED_MEMORY_SIZE 100000
if(!InitDataSharer(&IDADataSharer,
shared_memory_name,
SHARED_MEMORY_SIZE,
TRUE))
{
Logger.Log(10, LOG_IDA_CONTROLLER, "%s: ID = %d InitDataSharer failed\n", __FUNCTION__);
return FALSE;
}
char data[1024+sizeof(DWORD)];
*(DWORD *)data = SHARED_MEMORY_SIZE;
memcpy(data+sizeof(DWORD), shared_memory_name, strlen(shared_memory_name)+1);
Logger.Log(10, LOG_IDA_CONTROLLER, "%s: ID = %d SendTLVData SEND_ANALYSIS_DATA\n", __FUNCTION__);
if(SendTLVData(SEND_ANALYSIS_DATA, (PBYTE)data, sizeof(DWORD)+strlen(shared_memory_name)+1))
{
Logger.Log(10, LOG_IDA_CONTROLLER, "%s: ID = %d LoadIDARawData\n", __FUNCTION__);
LoadIDARawData((PBYTE (*)(PVOID Context, BYTE *Type, DWORD *Length))GetData, (PVOID)&IDADataSharer);
return TRUE;
}
return FALSE;
}
void IDAController::DumpBlockInfo(DWORD block_address)
{
int addresses_number;
char *type_descriptions[] = {"Cref From", "Cref To", "Call", "Dref From", "Dref To"};
for(int i = 0;i<sizeof(types)/sizeof(int);i++)
{
DWORD *addresses = GetMappedAddresses(
block_address,
types[i],
&addresses_number);
if(addresses)
{
Logger.Log(10, LOG_IDA_CONTROLLER, "%s: ID = %d %s: ", __FUNCTION__, m_FileID, type_descriptions[i]);
for(int j = 0;j<addresses_number;j++)
{
Logger.Log(10, LOG_IDA_CONTROLLER, "%s: ID = %d %X ", __FUNCTION__, m_FileID, addresses[j]);
}
Logger.Log(10, LOG_IDA_CONTROLLER, "\n");
}
}
char *hex_str = GetFingerPrintStr(block_address);
if(hex_str)
{
Logger.Log(10, LOG_IDA_CONTROLLER, "%s: ID = %d fingerprint: %s\n", __FUNCTION__, m_FileID, hex_str);
free(hex_str);
}
}
BOOL DarunGrim::AcceptIDAClient(IDAController *pIDAController, bool RetrieveData)
{
SOCKET ClientSocket = accept(ListeningSocket, NULL, NULL);
Logger.Log(10, "%s: accepting=%d\n", __FUNCTION__, ClientSocket);
if (ClientSocket == INVALID_SOCKET)
{
int error = WSAGetLastError();
Logger.Log(10, "Socket error=%d\n", error);
return FALSE;
}
else
{
if (RetrieveData)
{
Logger.Log(10, "%s: Calling LoadIDARawDataFromSocket\n", __FUNCTION__);
pIDAController->LoadIDARawDataFromSocket(ClientSocket);
}
else
{
Logger.Log(10, "%s: SetSocket\n", __FUNCTION__);
pIDAController->SetSocket(ClientSocket);
}
return TRUE;
}
return FALSE;
}
void DarunGrim::SetLogParameters(int newLogOutputType, int newDebugLevel, const char *newLogFile)
{
printf("SetLogParameters: %d %d %s\n", newLogOutputType, newDebugLevel, newLogFile);
Logger.Log(10, "%s: entry\n", __FUNCTION__ );
Logger.SetOutputType(newLogOutputType);
if (newLogFile)
Logger.SetLogFilename(newLogFile);
Logger.SetDebugLevel(newDebugLevel);
}
int ReadFileInfo(void *arg, int argc, char **argv, char **names)
{
for(int i=0;i<argc;i++)
{
Logger.Log(0,"%s: %s\n",names[i],argv[i]);
}
Logger.Log(0, "\n");
return 0;
}
int LogWorker::svc()
{
while (1)
{
LogOperation* request;
if (m_queue.dequeue(request) == -1)
break;
request->call();
delete request;
}
return 0;
}
multimap <DWORD, DWORD> *IDAController::LoadAddressToFunctionMap()
{
int Count = 0;
Logger.Log(10, LOG_IDA_CONTROLLER, "%s: ID = %d GetFunctionAddresses\n", __FUNCTION__);
list <DWORD> *FunctionAddresses = GetFunctionAddresses();
if(FunctionAddresses)
{
Logger.Log(10, LOG_IDA_CONTROLLER, "%s: ID = %d Function %u entries\n", __FUNCTION__, m_FileID, FunctionAddresses->size());
multimap <DWORD, DWORD> *AddressToFunctionMap = new multimap <DWORD, DWORD>;
if(AddressToFunctionMap)
{
list <DWORD>::iterator FunctionAddressIter;
for(FunctionAddressIter = FunctionAddresses->begin();FunctionAddressIter != FunctionAddresses->end();FunctionAddressIter++)
{
list <BLOCK> FunctionMemberBlocks = GetFunctionMemberBlocks(*FunctionAddressIter);
list <BLOCK>::iterator FunctionMemberBlocksIter;
for(FunctionMemberBlocksIter = FunctionMemberBlocks.begin();
FunctionMemberBlocksIter != FunctionMemberBlocks.end();
FunctionMemberBlocksIter++
)
{
AddressToFunctionMap->insert(pair <DWORD, DWORD>((*FunctionMemberBlocksIter).Start, *FunctionAddressIter));
}
}
}
FunctionAddresses->clear();
delete FunctionAddresses;
Logger.Log(10, LOG_IDA_CONTROLLER, "%s: ID = %d AddressToFunctionMap %u entries\n", __FUNCTION__, m_FileID, AddressToFunctionMap->size());
return AddressToFunctionMap;
/*
hash_map <DWORD, DWORD>::iterator AddressToFunctionMapIter;
DWORD FunctionAddress = 0;
for(AddressToFunctionMapIter = AddressToFunctionMap->begin();AddressToFunctionMapIter != AddressToFunctionMap->end();AddressToFunctionMapIter++)
{
if(FunctionAddress != AddressToFunctionMapIter->first)
{
FunctionAddress = AddressToFunctionMapIter->first;
Logger.Log( 10, LOG_IDA_CONTROLLER, "%x\n", FunctionAddress);
}
Logger.Log( 10, LOG_IDA_CONTROLLER, "\t%x\n", AddressToFunctionMapIter->second);
}*/
}
return NULL;
}
bool DarunGrim::Analyze()
{
Logger.Log(10, "%s: entry\n", __FUNCTION__ );
int source_file_id=1;
int target_file_id=2;
if( pStorageDB )
{
pDiffMachine->SetRetrieveDataForAnalysis(TRUE);
pDiffMachine->SetSource(pStorageDB, source_file_id);
pDiffMachine->SetSource(pStorageDB, target_file_id);
pDiffMachine->Load(pStorageDB);
pSourceController = pDiffMachine->GetSourceController();
pTargetController = pDiffMachine->GetTargetController();
}
else if( pSourceController && pTargetController )
{
pDiffMachine->SetSource(pSourceController);
pDiffMachine->SetTarget(pTargetController);
}
if( pDiffMachine )
{
pDiffMachine->Analyze();
pDiffMachine->Save( *pStorageDB );
}
return TRUE;
}
int ReadOneLocationInfoCallback(void *arg, int argc, char **argv, char **names)
{
POneLocationInfo p_one_location_info = (POneLocationInfo)arg;
p_one_location_info->StartAddress = strtoul10(argv[0]);
p_one_location_info->EndAddress = strtoul10(argv[1]);
p_one_location_info->Flag = strtoul10(argv[2]);
p_one_location_info->FunctionAddress = strtoul10(argv[3]);
p_one_location_info->BlockType = strtoul10(argv[4]);
p_one_location_info->FingerprintLen = strlen(argv[5]);
Logger.Log(11, LOG_IDA_CONTROLLER | LOG_ONE_LOCATION_INFO, "%s: %x Block Type: %d\n", __FUNCTION__, p_one_location_info->StartAddress, p_one_location_info->BlockType);
if (p_one_location_info->BlockType == FUNCTION_BLOCK)
{
Logger.Log(11, LOG_IDA_CONTROLLER | LOG_ONE_LOCATION_INFO, "%s: Function Block: %x\n", __FUNCTION__, p_one_location_info->StartAddress);
}
return 0;
}
int ReadBasicBlockCallback(void *arg, int argc, char **argv, char **names)
{
PBasicBlock p_basic_block = (PBasicBlock)arg;
p_basic_block->StartAddress = strtoul10(argv[0]);
p_basic_block->EndAddress = strtoul10(argv[1]);
p_basic_block->Flag = strtoul10(argv[2]);
p_basic_block->FunctionAddress = strtoul10(argv[3]);
p_basic_block->BlockType = strtoul10(argv[4]);
p_basic_block->FingerprintLen = strlen(argv[5]);
Logger.Log(11, LOG_IDA_CONTROLLER | LOG_BASIC_BLOCK, "%s: %X Block Type: %d\n", __FUNCTION__, p_basic_block->StartAddress, p_basic_block->BlockType);
if (p_basic_block->BlockType == FUNCTION_BLOCK)
{
Logger.Log(11, LOG_IDA_CONTROLLER | LOG_BASIC_BLOCK, "%s: Function Block: %X\n", __FUNCTION__, p_basic_block->StartAddress);
}
return 0;
}
void IDAController::DumpAnalysisInfo()
{
if(ClientAnalysisInfo)
{
Logger.Log(10, LOG_IDA_CONTROLLER, "OriginalFilePath = %s\n", ClientAnalysisInfo->file_info.OriginalFilePath);
Logger.Log(10, LOG_IDA_CONTROLLER, "ComputerName = %s\n", ClientAnalysisInfo->file_info.ComputerName);
Logger.Log(10, LOG_IDA_CONTROLLER, "UserName = %s\n", ClientAnalysisInfo->file_info.UserName);
Logger.Log(10, LOG_IDA_CONTROLLER, "CompanyName = %s\n", ClientAnalysisInfo->file_info.CompanyName);
Logger.Log(10, LOG_IDA_CONTROLLER, "FileVersion = %s\n", ClientAnalysisInfo->file_info.FileVersion);
Logger.Log(10, LOG_IDA_CONTROLLER, "FileDescription = %s\n", ClientAnalysisInfo->file_info.FileDescription);
Logger.Log(10, LOG_IDA_CONTROLLER, "InternalName = %s\n", ClientAnalysisInfo->file_info.InternalName);
Logger.Log(10, LOG_IDA_CONTROLLER, "ProductName = %s\n", ClientAnalysisInfo->file_info.ProductName);
Logger.Log(10, LOG_IDA_CONTROLLER, "ModifiedTime = %s\n", ClientAnalysisInfo->file_info.ModifiedTime);
Logger.Log(10, LOG_IDA_CONTROLLER, "MD5Sum = %s\n", ClientAnalysisInfo->file_info.MD5Sum);
Logger.Log(10, LOG_IDA_CONTROLLER, "fingerprint_hash_map = %u\n", ClientAnalysisInfo->fingerprint_hash_map.size());
}
}
DarunGrim::DarunGrim():
pStorageDB(NULL),
pSourceController(NULL),
pTargetController(NULL),
pDiffMachine(NULL),
IsLoadedSourceFile( false ),
EscapedOutputFilename(NULL),
EscapedLogFilename(NULL),
ListeningSocket(INVALID_SOCKET),
IDACommandProcessorThreadId(-1)
{
LogOperation::InitLog();
Logger.SetCategory( "DarunGrim" );
Logger.Log(10, "%s: entry\n", __FUNCTION__ );
pDiffMachine = new DiffMachine();
IDAPath = _strdup(DEFAULT_IDA_PATH);
GenerateIDALogFilename();
}
BOOL IDAController::Load()
{
Logger.Log(10, LOG_IDA_CONTROLLER, "%s: %s\n", __FUNCTION__, m_StorageDB->GetDatabaseName());
m_StorageDB->ExecuteStatement(m_StorageDB->ReadRecordStringCallback, &m_OriginalFilePath, "SELECT OriginalFilePath FROM FileInfo WHERE id = %u", m_FileID);
LoadBasicBlock();
LoadMapInfo(&(ClientAnalysisInfo->map_info_hash_map), TargetFunctionAddress, true);
return TRUE;
}
void DarunGrim::ConnectToDarunGrim(const char *ida_filename)
{
char *idc_filename = WriteToTemporaryFile(CONNECT_TO_DARUNGRIM_STR, EscapedLogFilename ? EscapedLogFilename : "");
if (idc_filename)
{
//Run IDA
Logger.Log(10, "Analyzing [%s]( %s )\n", ida_filename, idc_filename);
Logger.Log(10, "\"%s\" -S\"%s\" \"%s\"", IDAPath, EscapedLogFilename, idc_filename, ida_filename);
if (IDALogFilename[0])
{
Execute(TRUE, "\"%s\" -L\"%s\" -S\"%s\" \"%s\"", IDAPath, IDALogFilename, idc_filename, ida_filename);
}
else
{
Execute(TRUE, "\"%s\" -S\"%s\" \"%s\"", IDAPath, idc_filename, ida_filename);
}
free(idc_filename);
}
}
bool DarunGrim::StartIDAListener(unsigned short port)
{
StopIDAListener();
ListeningPort = port;
if (ListeningPort>0)
{
ListeningSocket = CreateListener(NULL, port);
Logger.Log(10, "%s: ListeningSocket=%d\n", __FUNCTION__, ListeningSocket);
return TRUE;
}
return FALSE;
}
static int ReadAddressToFunctionMapResultsCallback(void *arg, int argc, char **argv, char **names)
{
hash_map <DWORD, DWORD> *AddressToFunctionMap = (hash_map <DWORD, DWORD> *)arg;
if(AddressToFunctionMap)
{
#if DEBUG_LEVEL > 1
Logger.Log( 10, "%s: ID = %d strtoul10(%s) = 0x%X, strtoul10(%s) = 0x%X\n", __FUNCTION__, m_FileID, argv[0], strtoul10(argv[0]), argv[1], strtoul10(argv[1]));
#endif
AddressToFunctionMap->insert(pair <DWORD, DWORD>(strtoul10(argv[0]), strtoul10(argv[1])));
}
return 0;
}
static int ReadFunctionAddressesCallback(void *arg, int argc, char **argv, char **names)
{
hash_set <DWORD> *FunctionAddressHash = (hash_set <DWORD> *)arg;
if (FunctionAddressHash)
{
#if DEBUG_LEVEL > 1
if (DebugLevel & 1) Logger.Log(10, LOG_IDA_CONTROLLER, "%s: ID = %d strtoul10(%s) = 0x%X\n", __FUNCTION__, m_FileID, argv[0], strtoul10(argv[0]));
#endif
FunctionAddressHash->insert(strtoul10(argv[0]));
}
return 0;
}
BOOL IDAController::FixFunctionAddresses()
{
BOOL IsFixed = FALSE;
Logger.Log(10, LOG_IDA_CONTROLLER, "%s", __FUNCTION__);
multimap <DWORD, DWORD> *AddressToFunctionMap = LoadAddressToFunctionMap();
multimap <DWORD, DWORD>::iterator AddressToFunctionMapIter;
if( m_StorageDB )
m_StorageDB->BeginTransaction();
for(AddressToFunctionMapIter = AddressToFunctionMap->begin();AddressToFunctionMapIter != AddressToFunctionMap->end();AddressToFunctionMapIter++)
{
//StartAddress: AddressToFunctionMapIter->first
//FunctionAddress: AddressToFunctionMapIter->second
//Update
Logger.Log(20, LOG_IDA_CONTROLLER, "Updating OneLocationInfoTable Address = %x Function = %x\r\n",
AddressToFunctionMapIter->second,
AddressToFunctionMapIter->first);
if( m_StorageDB )
m_StorageDB->ExecuteStatement(NULL, NULL, UPDATE_ONE_LOCATION_INFO_TABLE_FUNCTION_ADDRESS_STATEMENT,
AddressToFunctionMapIter->second,
AddressToFunctionMapIter->second == AddressToFunctionMapIter->first ? FUNCTION_BLOCK:UNKNOWN_BLOCK,
m_FileID,
AddressToFunctionMapIter->first);
IsFixed = TRUE;
}
Logger.Log(10, LOG_IDA_CONTROLLER, "\r\n");
if( m_StorageDB )
m_StorageDB->EndTransaction();
AddressToFunctionMap->clear();
delete AddressToFunctionMap;
return IsFixed;
}
char *IDAController::GetDisasmLines(unsigned long StartAddress, unsigned long EndAddress)
{
#ifdef USE_LEGACY_MAP
//Look for p_analysis_info->address_disassembly_hash_map first
multimap <DWORD, string>::iterator address_disassembly_hash_map_pIter;
address_disassembly_hash_map_pIter = ClientAnalysisInfo->address_disassembly_hash_map.find(StartAddress);
if(address_disassembly_hash_map_pIter != ClientAnalysisInfo->address_disassembly_hash_map.end())
{
return _strdup(address_disassembly_hash_map_pIter->second.c_str());
}
CodeBlock code_block;
code_block.StartAddress = StartAddress;
if(Socket == INVALID_SOCKET)
return strdup("");
multimap <DWORD, PBasicBlock>::iterator address_hash_map_pIter;
if(EndAddress == 0)
{
address_hash_map_pIter = ClientAnalysisInfo->address_hash_map.find(StartAddress);
if(address_hash_map_pIter != ClientAnalysisInfo->address_hash_map.end())
{
PBasicBlock pBasicBlock = (PBasicBlock)address_hash_map_pIter->second;
EndAddress = pBasicBlock->EndAddress;
}
}
code_block.EndAddress = EndAddress;
DisasmLine = NULL;
if(SendTLVData(GET_DISASM_LINES, (PBYTE)&code_block, sizeof(code_block)))
{
char type;
DWORD length;
PBYTE data = RecvTLVData(Socket, &type, &length);
if(data)
DisasmLine = (char *)data;
return (char *)data;
}
return strdup("");
#else
char *DisasmLines = NULL;
if( m_StorageDB )
m_StorageDB->ExecuteStatement(m_StorageDB->ReadRecordStringCallback, &DisasmLines, "SELECT DisasmLines FROM BasicBlock WHERE FileID = %u and StartAddress = %u", m_FileID, StartAddress);
if(DisasmLines)
{
Logger.Log(10, LOG_IDA_CONTROLLER, "DisasmLines = %s\n", DisasmLines);
return DisasmLines;
}
return _strdup("");
#endif
}
BOOL IDAController::FixFunctionAddresses()
{
BOOL is_fixed = FALSE;
Logger.Log(10, LOG_IDA_CONTROLLER, "%s", __FUNCTION__);
LoadBlockToFunction();
if( m_StorageDB )
m_StorageDB->BeginTransaction();
for (multimap <DWORD, DWORD>::iterator it = BlockToFunction.begin();
it != BlockToFunction.end();
it++
)
{
//StartAddress: it->first
//FunctionAddress: it->second
Logger.Log(10, LOG_IDA_CONTROLLER, "Updating BasicBlockTable Address = %X Function = %X\n",
it->second,
it->first);
if( m_StorageDB )
m_StorageDB->ExecuteStatement(NULL, NULL, UPDATE_BASIC_BLOCK_TABLE_FUNCTION_ADDRESS_STATEMENT,
it->second,
it->second == it->first ? FUNCTION_BLOCK : UNKNOWN_BLOCK,
m_FileID,
it->first);
is_fixed = TRUE;
}
if( m_StorageDB )
m_StorageDB->EndTransaction();
ClearBlockToFunction();
return is_fixed;
}
multimap <DWORD, DWORD> *IDAController::LoadFunctionMembersMap()
{
Logger.Log(10, LOG_IDA_CONTROLLER, "LoadFunctionMembersMap\n");
list <DWORD> *FunctionAddresses = GetFunctionAddresses();
if(FunctionAddresses)
{
Logger.Log(10, LOG_IDA_CONTROLLER, "Retrieved Functions Addresses(%u entries)\n", FunctionAddresses->size());
multimap <DWORD, DWORD> *FunctionMembers = new multimap <DWORD, DWORD>;
if(FunctionMembers)
{
list <DWORD>::iterator FunctionAddressIter;
for(FunctionAddressIter = FunctionAddresses->begin();FunctionAddressIter != FunctionAddresses->end();FunctionAddressIter++)
{
Logger.Log(10, LOG_IDA_CONTROLLER, "Function %x: ", *FunctionAddressIter);
list <BLOCK> FunctionMemberBlocks = GetFunctionMemberBlocks(*FunctionAddressIter);
list <BLOCK>::iterator FunctionMemberBlocksIter;
for(FunctionMemberBlocksIter = FunctionMemberBlocks.begin();
FunctionMemberBlocksIter != FunctionMemberBlocks.end();
FunctionMemberBlocksIter++
)
{
Logger.Log(10, LOG_IDA_CONTROLLER, "%x ", (*FunctionMemberBlocksIter).Start);
FunctionMembers->insert(pair <DWORD, DWORD>(*FunctionAddressIter, (*FunctionMemberBlocksIter).Start));
}
Logger.Log(10, LOG_IDA_CONTROLLER, "\n");
}
}
FunctionAddresses->clear();
delete FunctionAddresses;
return FunctionMembers;
}
return NULL;
}
static int ReadFunctionMemberAddressesCallback(void *arg, int argc, char **argv, char **names)
{
list <BLOCK> *p_address_list = (list <BLOCK> *)arg;
if (p_address_list)
{
#if DEBUG_LEVEL > 1
if (DebugLevel & 1) Logger.Log(10, LOG_IDA_CONTROLLER, "%s: ID = %d strtoul10(%s) = 0x%X\n", __FUNCTION__, m_FileID, argv[0], strtoul10(argv[0]));
#endif
BLOCK block;
block.Start = strtoul10(argv[0]);
block.End = strtoul10(argv[1]);
p_address_list->push_back(block);
}
return 0;
}
bool DarunGrim::OpenDatabase(char *storage_filename)
{
Logger.Log(10, "%s: entry\n", __FUNCTION__ );
if( pStorageDB )
delete pStorageDB;
pStorageDB = new DBWrapper(storage_filename);
pStorageDB->ExecuteStatement(NULL, NULL, CREATE_ONE_LOCATION_INFO_TABLE_STATEMENT);
pStorageDB->ExecuteStatement(NULL, NULL, CREATE_ONE_LOCATION_INFO_TABLE_FUNCTION_ADDRESS_INDEX_STATEMENT);
pStorageDB->ExecuteStatement(NULL, NULL, CREATE_ONE_LOCATION_INFO_TABLE_START_ADDRESS_INDEX_STATEMENT);
pStorageDB->ExecuteStatement(NULL, NULL, CREATE_ONE_LOCATION_INFO_TABLE_END_ADDRESS_INDEX_STATEMENT);
pStorageDB->ExecuteStatement(NULL, NULL, CREATE_MAP_INFO_TABLE_STATEMENT);
pStorageDB->ExecuteStatement(NULL, NULL, CREATE_MAP_INFO_TABLE_SRCBLOCK_INDEX_STATEMENT);
pStorageDB->ExecuteStatement(NULL, NULL, CREATE_FILE_INFO_TABLE_STATEMENT);
return TRUE;
}
bool DarunGrim::CreateDGF(
char *storage_filename,
char *log_filename,
char *ida_log_filename_for_source,
char *ida_log_filename_for_target,
unsigned long start_address_for_source, unsigned long end_address_for_source,
unsigned long start_address_for_target, unsigned long end_address_for_target )
{
Logger.Log(10, "%s: entry\n", __FUNCTION__ );
SetOutputFilename(storage_filename);
SetLogFilename( log_filename );
SetIDALogFilename( ida_log_filename_for_source );
RunIDAToCreateDGF( SourceFilename.c_str(), start_address_for_source, end_address_for_source );
SetIDALogFilename( ida_log_filename_for_target );
RunIDAToCreateDGF( TargetFilename.c_str(), start_address_for_target, end_address_for_target );
return OpenDatabase(storage_filename);
}
int ReadMapInfoCallback(void *arg, int argc, char **argv, char **names)
{
//Logger.Log( 10, "%s: %s %s %s %s\n", __FUNCTION__, m_FileID, argv[0], argv[1], argv[2], argv[3]);
multimap <DWORD, PMapInfo> *p_map_info_hash_map = (multimap <DWORD, PMapInfo> *)arg;
PMapInfo p_map_info = new MapInfo;
p_map_info->Type = strtoul10(argv[0]);
p_map_info->SrcBlock = strtoul10(argv[1]);
p_map_info->SrcBlockEnd = strtoul10(argv[2]);
p_map_info->Dst = strtoul10(argv[3]);
#if DEBUG_LEVEL > 1
Logger.Log( 10, "%s: ID = %d strtoul10(%s) = 0x%X, strtoul10(%s) = 0x%X, strtoul10(%s) = 0x%X, strtoul10(%s) = 0x%X\n", __FUNCTION__, m_FileID,
argv[0], strtoul10(argv[0]),
argv[1], strtoul10(argv[1]),
argv[2], strtoul10(argv[2]),
argv[3], strtoul10(argv[3])
);
#endif
p_map_info_hash_map->insert(AddrPMapInfo_Pair(p_map_info->SrcBlock, p_map_info));
return 0;
}
bool DarunGrim::AcceptIDAClientsFromSocket( const char *storage_filename )
{
Logger.Log(10, "%s: entry\n", __FUNCTION__ );
if( storage_filename )
{
if( pStorageDB )
delete pStorageDB;
pStorageDB = new DBWrapper( (char *) storage_filename );
}
if( pStorageDB )
{
SetDatabase( pStorageDB );
}
StartIDAListener(DARUNGRIM_PORT);
pSourceController=new IDAController( pStorageDB );
pTargetController=new IDAController( pStorageDB );
//Create a thread that will call ConnectToDarunGrim one by one
DWORD dwThreadId;
CreateThread( NULL, 0, ConnectToDarunGrimThread, ( PVOID )this, 0, &dwThreadId );
AcceptIDAClient( pSourceController, pDiffMachine? FALSE:pStorageDB?TRUE:FALSE );
SetLoadedSourceFile( TRUE );
CreateThread( NULL, 0, ConnectToDarunGrimThread, ( PVOID )this, 0, &dwThreadId );
AcceptIDAClient( pTargetController, pDiffMachine? FALSE:pStorageDB?TRUE:FALSE );
if( !pDiffMachine )
{
Analyze();
}
CreateIDACommandProcessorThread();
StopIDAListener();
return TRUE;
}
DarunGrim::~DarunGrim()
{
Logger.Log(10, "%s: entry\n", __FUNCTION__ );
if( pStorageDB )
{
pStorageDB->CloseDatabase();
delete pStorageDB;
}
if( pDiffMachine )
delete pDiffMachine;
StopIDAListener();
if (IDAPath)
free(IDAPath);
if (EscapedOutputFilename)
free(EscapedOutputFilename);
if (EscapedLogFilename)
free(EscapedLogFilename);
}
void IDAController::GenerateFingerprintHashMap()
{
multimap <DWORD, PBasicBlock>::iterator address_hash_map_pIter;
list <AddressPair> AddressPairs;
multimap <DWORD, PBasicBlock>::iterator iter;
for(iter = ClientAnalysisInfo->address_hash_map.begin();
iter != ClientAnalysisInfo->address_hash_map.end();
iter++)
{
DWORD address = iter->first;
multimap <DWORD, PMapInfo>::iterator map_info_hash_map_iter;
int matched_children_count = 0;
DWORD matched_child_addr = 0L;
for(map_info_hash_map_iter = ClientAnalysisInfo->map_info_hash_map.find(address);
map_info_hash_map_iter != ClientAnalysisInfo->map_info_hash_map.end();
map_info_hash_map_iter++
)
{
if(map_info_hash_map_iter->first != address)
break;
PMapInfo p_map_info = map_info_hash_map_iter->second;
if(p_map_info->Type == CREF_FROM)
{
matched_child_addr = map_info_hash_map_iter->second->Dst;
matched_children_count++;
}
}
Logger.Log(10, LOG_IDA_CONTROLLER, "%s: ID = %d 0x%X children count: %u\n", __FUNCTION__, m_FileID, address, matched_children_count);
if(matched_children_count == 1 && matched_child_addr != 0L)
{
int matched_parents_count = 0;
for(map_info_hash_map_iter = ClientAnalysisInfo->map_info_hash_map.find(matched_child_addr);
map_info_hash_map_iter != ClientAnalysisInfo->map_info_hash_map.end();
map_info_hash_map_iter++
)
{
if(map_info_hash_map_iter->first != matched_child_addr)
break;
PMapInfo p_map_info = map_info_hash_map_iter->second;
if(p_map_info->Type == CREF_TO || p_map_info->Type == CALLED)
matched_parents_count++;
}
Logger.Log(10, LOG_IDA_CONTROLLER, "%s: ID = %d 0x%X -> 0x%X parent count: %u\n", __FUNCTION__, m_FileID, address, matched_child_addr, matched_parents_count);
if(matched_parents_count == 1)
{
address_hash_map_pIter = ClientAnalysisInfo->address_hash_map.find(matched_child_addr);
if(address_hash_map_pIter != ClientAnalysisInfo->address_hash_map.end())
{
PBasicBlock pBasicBlock = (PBasicBlock)address_hash_map_pIter->second;
if(pBasicBlock->FunctionAddress != matched_child_addr)
{
AddressPair address_pair;
address_pair.address = address;
address_pair.child_address = matched_child_addr;
AddressPairs.push_back(address_pair);
}
}
}
}
}
list <AddressPair>::iterator AddressPairsIter;
for(AddressPairsIter = AddressPairs.begin();
AddressPairsIter != AddressPairs.end();
AddressPairsIter++)
{
DWORD address = (*AddressPairsIter).address;
DWORD child_address = (*AddressPairsIter).child_address;
Logger.Log(10, LOG_IDA_CONTROLLER, "%s: ID = %d Joining 0x%X-0x%X\n", __FUNCTION__, m_FileID, address, child_address);
DWORD matched_child_addr = 0L;
multimap <DWORD, PMapInfo>::iterator map_info_hash_map_iter;
for(map_info_hash_map_iter = ClientAnalysisInfo->map_info_hash_map.find(child_address);
map_info_hash_map_iter != ClientAnalysisInfo->map_info_hash_map.end();
map_info_hash_map_iter++
)
{
if(map_info_hash_map_iter->first != child_address)
break;
PMapInfo p_map_info = map_info_hash_map_iter->second;
PMapInfo p_new_map_info = (PMapInfo)malloc(sizeof(MapInfo));
p_new_map_info->SrcBlockEnd = address;
p_new_map_info->SrcBlock = address;
p_new_map_info->Dst = p_map_info->Dst;
p_new_map_info->Type = p_map_info->Type;
ClientAnalysisInfo->map_info_hash_map.insert(AddrPMapInfo_Pair(address, p_new_map_info));
}
for(map_info_hash_map_iter = ClientAnalysisInfo->map_info_hash_map.find(address);
map_info_hash_map_iter != ClientAnalysisInfo->map_info_hash_map.end();
map_info_hash_map_iter++
)
{
if(map_info_hash_map_iter->first != address)
break;
PMapInfo p_map_info = map_info_hash_map_iter->second;
if(p_map_info->Dst == child_address)
{
ClientAnalysisInfo->map_info_hash_map.erase(map_info_hash_map_iter);
break;
}
}
multimap <DWORD, string>::iterator child_address_disassembly_hash_map_iter;
child_address_disassembly_hash_map_iter = ClientAnalysisInfo->address_disassembly_hash_map.find(child_address);
if(child_address_disassembly_hash_map_iter != ClientAnalysisInfo->address_disassembly_hash_map.end())
{
multimap <DWORD, string>::iterator address_disassembly_hash_map_iter;
address_disassembly_hash_map_iter = ClientAnalysisInfo->address_disassembly_hash_map.find(address);
if(address_disassembly_hash_map_iter != ClientAnalysisInfo->address_disassembly_hash_map.end())
{
address_disassembly_hash_map_iter->second += child_address_disassembly_hash_map_iter->second;
}
}
multimap <DWORD, unsigned char *>::iterator child_address_fingerprint_hash_map_iter;
child_address_fingerprint_hash_map_iter = ClientAnalysisInfo->address_fingerprint_hash_map.find(child_address);
if(child_address_fingerprint_hash_map_iter != ClientAnalysisInfo->address_fingerprint_hash_map.end())
{
multimap <DWORD, unsigned char *>::iterator address_fingerprint_hash_map_iter;
address_fingerprint_hash_map_iter = ClientAnalysisInfo->address_fingerprint_hash_map.find(address);
if(address_fingerprint_hash_map_iter != ClientAnalysisInfo->address_fingerprint_hash_map.end())
{
//TODO: address_fingerprint_hash_map_iter->second += child_address_fingerprint_hash_map_iter->second;
}
}
ClientAnalysisInfo->address_hash_map.erase((*AddressPairsIter).child_address);
ClientAnalysisInfo->address_name_hash_map.erase((*AddressPairsIter).child_address);
ClientAnalysisInfo->map_info_hash_map.erase((*AddressPairsIter).child_address);
ClientAnalysisInfo->address_disassembly_hash_map.erase((*AddressPairsIter).child_address);
ClientAnalysisInfo->address_fingerprint_hash_map.erase((*AddressPairsIter).child_address);
}
AddressPairs.clear();
multimap <DWORD, unsigned char *>::iterator address_fingerprint_hash_map_Iter;
for(address_fingerprint_hash_map_Iter = ClientAnalysisInfo->address_fingerprint_hash_map.begin();
address_fingerprint_hash_map_Iter != ClientAnalysisInfo->address_fingerprint_hash_map.end();
address_fingerprint_hash_map_Iter++)
{
ClientAnalysisInfo->fingerprint_hash_map.insert(FingerPrintAddress_Pair(address_fingerprint_hash_map_Iter->second, address_fingerprint_hash_map_Iter->first));
}
GenerateTwoLevelFingerPrint();
}