VOID MemWrite(THREADID tid, ADDRINT ea, ADDRINT eip )
{
IMG imgR;
string retName = "ANON", rR = "unknown";
thread_data_t *tdata = get_tls(tid);
list<ADDRINT>::const_iterator sp_iter;
for (sp_iter = tdata->data_sp.begin(); sp_iter != tdata->data_sp.end(); sp_iter++) {
if ( *sp_iter == ea )
break;
}
if ( sp_iter != tdata->data_sp.end() ) {
PIN_LockClient();
imgR = IMG_FindByAddress((ADDRINT)eip);
PIN_UnlockClient();
if ( IMG_Valid(imgR) ) {
retName = IMG_Name(imgR);
}
rR = RTN_FindNameByAddress((ADDRINT)eip);
OutFile[tid] << tid << hex << "return address overwrite!!! " << ea << " "
<< eip << " " << retName << " " << rR << endl;
}
}
static void Instruction(INS ins, void *v)
{
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE,
(AFUNPTR)do_count,
IARG_END);
// Filters out non memory reference instructions.
if (!INS_IsMemoryRead(ins) && !INS_IsMemoryWrite(ins))
return;
// Filters out references to stack.
if (INS_IsStackRead(ins) || INS_IsStackWrite(ins))
return;
// Filters out instructions out of main executable.
IMG img = IMG_FindByAddress(INS_Address(ins));
if (!IMG_Valid(img) || !IMG_IsMainExecutable(img))
return;
unsigned i;
unsigned int mem_op = INS_MemoryOperandCount(ins);
for (i = 0; i < mem_op; i++) {
INS_InsertPredicatedCall(
ins, IPOINT_BEFORE,
(AFUNPTR)check_addr,
IARG_INST_PTR,
IARG_MEMORYOP_EA, i, IARG_END);
}
}
VOID WriteMem(UINT64 insAddr, std::string insDis, UINT32 opCount, REG reg_r, UINT64 memOp)
{
std::list<struct mallocArea>::iterator i;
UINT64 addr = memOp;
PIN_LockClient();
IMG img = IMG_FindByAddress(addr);
PIN_UnlockClient();
SEC sec;
if (opCount != 2){
return;
}
/* Check if the address is in a section */
for(sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec)){
if (addr >= SEC_Address(sec) && addr < (SEC_Address(sec) + SEC_Size(sec)))
return;
}
/* Check if the address is mapped */
for(i = mallocAreaList.begin(); i != mallocAreaList.end(); i++){
if (i->status == ALLOCATE && addr >= i->base && addr < (i->base + i->size))
return;
if (i->status == FREE && addr >= i->base && addr < (i->base + i->size)){
std::cout << std::hex << insAddr << ": " << insDis << " -- Use after free in " << addr << std::endl;
return;
}
}
/* check if the address is in a stack area */
if (addr > 0x700000000000)
return;
std::cout << std::hex << insAddr << ": " << insDis << " -- Heap overflow in " << addr << std::endl;
}
static void InstrumentRtn(RTN rtn, VOID *)
{
ADDRINT a = RTN_Address(rtn);
IMG img = IMG_FindByAddress(a);
if (IMG_Valid(img) &&
IMG_IsMainExecutable(img)) {
RTN_Open(rtn);
RTN_InsertCall(rtn, IPOINT_BEFORE, AFUNPTR(FunctionHook), IARG_ADDRINT, a, IARG_END);
RTN_Close(rtn);
}
}
static VOID Instruction(INS ins, VOID *v)
{
IMG img = IMG_FindByAddress(INS_Address(ins));
if (IMG_Valid(img))
{
numTimesImgFoundInInstrumentation++;
}
else
{
numTimesImgNotFoundInInstrumentation++;
}
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)AnalysisFindImg, IARG_INST_PTR, IARG_END);
}
static VOID AnalysisFindImg (ADDRINT ip)
{
PIN_LockClient();
IMG img = IMG_FindByAddress(ip);
PIN_UnlockClient();
if (IMG_Valid(img))
{
numTimesImgFoundInAnalysis++;
}
else
{
numTimesImgNotFoundInAnalysis++;
}
}
VOID instrumentTrace(TRACE trace, VOID *v)
{
IMG img = IMG_FindByAddress(TRACE_Address(trace));
if (!IMG_Valid(img) || !IMG_IsMainExecutable(img))
return;
const char* imageName = IMG_Name(img).c_str();
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl))
{
for (INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins))
{
processMemoryWriteInstruction(ins, imageName);
processMemoryReadInstruction(ins, imageName);
}
}
}
VOID PIN_FAST_ANALYSIS_CALL LogBBL(ADDRINT addr)
{
PIN_LockClient();
IMG img = IMG_FindByAddress(addr);
PIN_UnlockClient();
if (IMG_Valid(img)){
std::set<ADDRINT> *s = bbls[IMG_Name(img)];
if (s == NULL){
s = new std::set<ADDRINT> ();
bbls[IMG_Name(img)] = s;
}
s->insert(addr - IMG_LowAddress(img));
}
}
// Pin calls this function before a code sequence is executed for the first time
VOID TraceCalls(INS ins, VOID *v)
{
// If we don't have a proper config, we cannot instrument anything
if (config == NULL)
{
return;
}
ADDRINT addr = INS_Address(ins);
IMG img = IMG_FindByAddress(addr);
// We are interested only calls from the JITted code. That code is not part of any valid image
if (IMG_Valid(img) && img != config->img)
{
return;
}
// We don't know the origins of the calls (only the targets) so we need to instrument every call
if (INS_IsCall(ins))
{
bool ok = false;
if (INS_RegRContain(ins, REG_EAX) || INS_RegRContain(ins, REG_EDX))
{
ok = true;
}
else if (INS_IsDirectCall(ins))
{
ADDRINT target_addr = INS_DirectBranchOrCallTargetAddress(ins);
IMG target_img = IMG_FindByAddress(target_addr);
if (!IMG_Valid(img) || img == config->img)
{
ok = true;
}
}
if (ok)
{
// Select which call analysis function to use depending on whether we are in fast mode
AFUNPTR analysisFunc = (AFUNPTR)MethodCallAnalysis;
if (KnobFast.Value())
{
analysisFunc = (AFUNPTR)MethodCallAnalysisFast;
}
ADDRINT ret_addr = INS_NextAddress(ins);
INS_InsertIfCall(ins, IPOINT_BEFORE, (AFUNPTR)ShouldCallBeAnalyzed, IARG_FUNCARG_CALLSITE_REFERENCE, 0, IARG_ADDRINT, ret_addr, IARG_BRANCH_TARGET_ADDR, IARG_END);
INS_InsertThenCall(ins, IPOINT_BEFORE, analysisFunc, IARG_FUNCARG_CALLSITE_REFERENCE, 0, IARG_ADDRINT, ret_addr, IARG_BRANCH_TARGET_ADDR, IARG_END);
returnAddressToInstument[ret_addr] = true;
return;
}
}
if (returnAddressToInstument.find(addr) != returnAddressToInstument.end())
{
// Select which call analysis function to use depending on whether we are in fast mode
AFUNPTR analysisFuncIf = (AFUNPTR)ShouldReturnAddressBeAnalyzed;
AFUNPTR analysisFuncThen = (AFUNPTR)ReturnValueAnalysis;
if (KnobFast.Value())
{
analysisFuncIf = (AFUNPTR)ShouldReturnAddressBeAnalyzedFast;
analysisFuncThen = (AFUNPTR)ReturnValueAnalysisFast;
}
INS_InsertIfCall(ins, IPOINT_BEFORE, analysisFuncIf, IARG_ADDRINT, addr, IARG_END);
INS_InsertThenCall(ins, IPOINT_BEFORE, analysisFuncThen, IARG_ADDRINT, addr, IARG_REG_VALUE, REG_EAX, IARG_FUNCARG_CALLSITE_REFERENCE, 0, IARG_END);
return;
}
}
VOID PrintUntouchedRanges(SEC sec)
{
// Make a bool vector big enough to describe the whole section, 1 bool per byte
vector<bool> touched(SEC_Size(sec));
// Put the rtn's that are touched in a set
set<RTN> rtnSet;
// Mark the ranges for bbls that have been executed
for (list<const BBLSTATS*>::const_iterator bi = statsList.begin(); bi != statsList.end(); bi++)
{
const BBLSTATS * stats = *bi;
// Is this bbl contained in the section?
if (stats->_start < SEC_Address(sec) || stats->_start >= SEC_Address(sec) + SEC_Size(sec))
continue;
// Is the bbl executed?
if (!stats->_executed)
continue;
RTN rtn = RTN_FindByAddress(stats->_start);
if (RTN_Valid(rtn))
rtnSet.insert(rtn);
// Mark all the bytes of the bbl as executed
for (ADDRINT i = stats->_start - SEC_Address(sec); i < stats->_start + stats->_size - SEC_Address(sec); i++)
{
ASSERTX(i < SEC_Size(sec));
touched[i] = true;
}
}
// Print the routines that are not touched
out << " Routines that are not executed" << endl;
for (RTN rtn = SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn))
{
if (rtnSet.find(rtn) == rtnSet.end())
{
out << " " << RTN_Name(rtn) << endl;
}
}
// Print the ranges of untouched addresses
out << " Code ranges that are not executed" << endl;
string rtnName = "";
for (UINT32 i = 0; i < SEC_Size(sec);)
{
// Find the first not touched address
while(touched[i])
{
i++;
if (i == SEC_Size(sec))
return;
}
UINT32 start = i;
// Find the first touched address
while(!touched[i] && i < SEC_Size(sec)) i++;
ADDRINT startAddress = SEC_Address(sec) + start;
// Print the rtn name, if it has changed
IMG img = IMG_FindByAddress(startAddress);
string imgName = (IMG_Valid(img) ? IMG_Name(img) : "InvalidImg");
RTN rtn = RTN_FindByAddress(startAddress);
string newName = (RTN_Valid(rtn) ? RTN_Name(rtn) : "InvalidRtn");
if (rtnName != newName)
{
out << " Image: " << imgName << " Rtn: " << newName << endl;
rtnName = newName;
}
out << " " << SEC_Address(sec) + start << ":" << SEC_Address(sec) + i - 1 << endl;
}
}
VOID Ret(THREADID tid, ADDRINT sp, ADDRINT target, ADDRINT eip, UINT32 push )
{
PIN_GetLock(&lock, tid+1);
unsigned int dep = 0, i = 0;
IMG imgR, imgT;
string retName = "ANON", targetName = "ANON", rR = "unknown", tR = "unknown";
thread_data_t *tdata = get_tls(tid);
list<ADDRINT>::iterator sp_iter;// = (*tdata).find(sp);
list<ADDRINT>::iterator ret_iter;// = (*tdata).find(sp);
tulist::iterator tup_iter;// = (*tdata).find(sp);
/******************* Uncomment this code to check ONLY for landing pad violations. START HERE ************/
/*
i = 0;
for ( tup_iter = tdata->tuplist.begin(); tup_iter != tdata->tuplist.end(); tup_iter++ ) {
++i;
if ( target == (tup_iter->get<1>()) ) {
RetFile << tid << " Ret Addr Relocated " << hex << target << " " << tup_iter->get<0>()
<< " " << std::dec << i << endl;
++gotoCount; // Keeps track of no of times ret addr was relocated but landing pad are correct
tdata->tuplist.erase( tup_iter );
break;
}
}
if ( tup_iter != tdata->tuplist.end() ) {
PIN_ReleaseLock(&lock);
return;
}
else { // Landing Pad Violation
// Getting the names of Image and rtn will make this really SLOW.
Comment this before the File IO to make it faster
PIN_LockClient();
imgR = IMG_FindByAddress((ADDRINT)eip);
imgT = IMG_FindByAddress((ADDRINT)target);
PIN_UnlockClient();
if ( IMG_Valid(imgR) ) {
retName = IMG_Name(imgR);
}
if ( IMG_Valid(imgT) ) {
targetName = IMG_Name(imgT);
}
rR = RTN_FindNameByAddress((ADDRINT)eip);
tR = RTN_FindNameByAddress((ADDRINT)target);
// This checks if the LP violation source or target is in Linker.
// These are not Violation as Linker takes and passes control many times without
// a call or ret.
if ( LD_PATH == targetName || LD_PATH == retName )
goto overRide;
OutFile[tid] << tid << hex << "Landing Pad Violation -1 " << sp << " " << target << " "
<< eip << " "<<targetName << " " << retName << " " << tR << " " << rR << endl;
overRide:
PIN_ReleaseLock(&lock);
return;
}
*/
/********* TO CHECK ONLY FOR LANDING PAD VIOLATIONS - END HERE *********************************/
/**** No need to comment the below code when checking only for LP violation as this function
would return before reaching here *****/
/* Check if stack pointer value i.e. return address location is present */
for (sp_iter = tdata->data_sp.begin(); sp_iter != tdata->data_sp.end(); sp_iter++) {
++dep;
if ( *sp_iter == sp )
break;
}
--dep;
if (push) {
OutFile[tid] << std::dec << tid << "PUSH FOUND" << endl;
tdata->data_sp.erase(tdata->data_sp.begin());
PIN_ReleaseLock(&lock);
return;
}
if (sp_iter == tdata->data_sp.end()) {
/* This is the case where Ret Address is relocated to some other location on stack e.g
Libffi does this to make ffi call portable accross ABIs */
i = 0;
for ( tup_iter = tdata->tuplist.begin(); tup_iter != tdata->tuplist.end(); tup_iter++ ) {
++i;
if ( target == (tup_iter->get<1>() ) ) {
RetFile << tid << " Ret Addr Relocated " << hex << target << " " << tup_iter->get<0>()
<< ":" << (target - 2) << ":" << (target - tup_iter->get<0>() ) << " " << std::dec << i << endl;
++gotoCount;
tdata->tuplist.erase( tup_iter );
break;
}
}
if ( tup_iter != tdata->tuplist.end() ) {
PIN_ReleaseLock(&lock);
return;
}
PIN_LockClient();
imgR = IMG_FindByAddress((ADDRINT)eip);
imgT = IMG_FindByAddress((ADDRINT)target);
PIN_UnlockClient();
if ( IMG_Valid(imgR) ) {
retName = IMG_Name(imgR);
}
if ( IMG_Valid(imgT) ) {
targetName = IMG_Name(imgT);
}
rR = RTN_FindNameByAddress((ADDRINT)eip);
tR = RTN_FindNameByAddress((ADDRINT)target);
OutFile[tid] << tid << hex << "Landing Pad Violation -2 " << sp << " " << *(tdata->data_sp.begin())
<< " " << target << " " << tup_iter->get<0>() << " " << eip << " "<<targetName << " " << retName
<< " " << tR << " " << rR << endl;
PIN_ReleaseLock(&lock);
return;
}
if ( sp_iter != tdata->data_sp.begin() )
OutFile[tid] << tid << hex <<"ret address not in the beginning!! " << target <<" "<< eip
<< " " << sp << " " << *(tdata->data_sp.begin()) << " " << dec << dep<< endl;
depth -= dep;
tdata->data_sp.erase( tdata->data_sp.begin(), sp_iter);
tdata->data_sp.erase(sp_iter);
PIN_ReleaseLock(&lock);
}
instruction::instruction(const INS& ins)
{
this->address = INS_Address(ins);
this->next_address = INS_NextAddress(ins);
// this->opcode = INS_Mnemonic(ins);
this->opcode_size = static_cast<uint8_t>(INS_Size(ins));
this->opcode_buffer = std::shared_ptr<uint8_t>(new uint8_t[this->opcode_size], std::default_delete<uint8_t[]>());
PIN_SafeCopy(opcode_buffer.get(), reinterpret_cast<const VOID*>(this->address), this->opcode_size);
this->disassemble = INS_Disassemble(ins);
// including image, routine
auto img = IMG_FindByAddress(this->address);
this->including_image = IMG_Valid(img) ? IMG_Name(img) : "";
// this->including_routine = RTN_FindNameByAddress(this->address);
PIN_LockClient();
auto routine = RTN_FindByAddress(this->address);
PIN_UnlockClient();
if (RTN_Valid(routine)) {
auto routine_mangled_name = RTN_Name(routine);
this->including_routine_name = PIN_UndecorateSymbolName(routine_mangled_name, UNDECORATION_NAME_ONLY);
}
else this->including_routine_name = "";
// has fall through
this->has_fall_through = INS_HasFallThrough(ins);
// is call, ret or syscall
this->is_call = INS_IsCall(ins);
this->is_branch = INS_IsBranch(ins);
this->is_ret = INS_IsRet(ins);
this->is_syscall = INS_IsSyscall(ins);
this->category = static_cast<xed_category_enum_t>(INS_Category(ins));
this->iclass = static_cast<xed_iclass_enum_t>(INS_Opcode(ins));
// read registers
auto read_reg_number = INS_MaxNumRRegs(ins);
for (decltype(read_reg_number) reg_id = 0; reg_id < read_reg_number; ++reg_id) {
this->src_registers.push_back(INS_RegR(ins, reg_id));
}
// written registers
auto written_reg_number = INS_MaxNumWRegs(ins);
for (decltype(written_reg_number) reg_id = 0; reg_id < written_reg_number; ++reg_id) {
this->dst_registers.push_back(INS_RegW(ins, reg_id));
}
auto is_special_reg = [](const REG& reg) -> bool {
return (reg >= REG_MM_BASE);
};
this->is_special =
std::any_of(std::begin(this->src_registers), std::end(this->src_registers), is_special_reg) ||
std::any_of(std::begin(this->dst_registers), std::end(this->dst_registers), is_special_reg) ||
(this->category == XED_CATEGORY_X87_ALU) || (this->iclass == XED_ICLASS_XEND) || (this->category == XED_CATEGORY_LOGICAL_FP) ||
(this->iclass == XED_ICLASS_PUSHA) || (this->iclass == XED_ICLASS_PUSHAD) || (this->iclass == XED_ICLASS_PUSHF) ||
(this->iclass == XED_ICLASS_PUSHFD) || (this->iclass == XED_ICLASS_PUSHFQ);
// is memory read, write
this->is_memory_read = INS_IsMemoryRead(ins);
this->is_memory_write = INS_IsMemoryWrite(ins);
this->is_memory_read2 = INS_HasMemoryRead2(ins);
}
VOID Ret(THREADID tid, ADDRINT sp, ADDRINT target, ADDRINT eip, UINT32 push)
{
// cout << "RET " << tid << hex << " " << sp << " " << target << " " << eip << " " << push << endl;
// return;
unsigned int dep = 0;
IMG imgR, imgT;
string retName = "ANON", targetName = "ANON", rR = "unknown", tR = "unknown";
list<ADDRINT> *tdata = data_ar[tid];
list<ADDRINT>::iterator sp_iter;// = (*tdata).find(sp);
list<ADDRINT>::iterator dep_iter;// = (*tdata).find(sp);
for (sp_iter = (*tdata).begin(); sp_iter != (*tdata).end(); sp_iter++) {
++dep;
if ( *sp_iter == sp )
break;
}
--dep;
if (push) {
OutFile << "PUSH FOUND" << endl;
(*tdata).erase((*tdata).begin());
//cout << "RET FROM RET-1" << tid<<endl;
return;
}
if ( target >= (start+FFI_CALL_UNIX64) && target <= (start+FF64END) ) {
OutFile << tid << " RET-2-FF64 " << hex << eip << " " << target << " " << sp << endl;
}
if ( eip >= (start+FFI_CALL_UNIX64) && eip <= (start+FF64END) ) {
OutFile << tid << " RET-FRM-FF64 " << hex << eip << " " << target << " " << sp << endl;
}
/*
if ( eip >= (ANONST) && eip <= (ANONEND) ) {
OutFile << tid << " RET-I " << hex << eip << " " << target << " " << sp << endl;
}
if ( target >= (ANONST) && target <= (ANONEND) ) {
OutFile << tid << " RET-T " << hex << eip << " " << target << " " << sp << endl;
}
*/
if (sp_iter == (*tdata).end()) {
// cerr << hex << "ret address not found!! " << sp << " " << *(RetAddrLocs.begin())
PIN_LockClient();
imgR = IMG_FindByAddress((ADDRINT)eip);
imgT = IMG_FindByAddress((ADDRINT)target);
PIN_UnlockClient();
if ( IMG_Valid(imgR) ) {
retName = IMG_Name(imgR);
}
if ( IMG_Valid(imgT) ) {
targetName = IMG_Name(imgT);
}
rR = RTN_FindNameByAddress((ADDRINT)eip);
tR = RTN_FindNameByAddress((ADDRINT)target);
OutFile << tid << hex << "ret address not found!! " << sp << " " << *((*tdata).begin())
<< " " << target << " " << eip << " "<<targetName << " " << retName << " " << tR << " " << rR << endl;
//cout << "RET FROM RET-2" << tid <<endl;
return;
}
if (sp_iter != (*tdata).begin())
OutFile << hex <<"ret address not in the beginning!! " << target <<" "<< eip << " " << sp << " " << *((*tdata).begin()) << " " << dec << dep<< endl;
// depth -= distance((*tdata).begin(), sp_iter) + 1;
depth -= dep;
// OutFile << "Distance " << distance(RetAddrLocs.begin(), sp_iter) << endl;
// for (int i=0; i < depth; i++) cerr << " ";
// cerr << hex << tid << " ret " << sp << " " << target << endl;
// if ( sp_iter == RetAddrLocs.begin() ) {
// RetAddrLocs.erase(sp_iter);
// return;
// }
(*tdata).erase((*tdata).begin(), sp_iter);
(*tdata).erase(sp_iter);
//cout << "RET FROM RET-3" << tid<<endl;
}
VOID Ret(THREADID tid, ADDRINT sp, ADDRINT target, ADDRINT eip, UINT32 push )
{
PIN_GetLock(&lock, tid+1);
unsigned int dep = 0, i = 0;
IMG imgR, imgT;
string retName = "ANON", targetName = "ANON", rR = "unknown", tR = "unknown";
thread_data_t *tdata = get_tls(tid);
/*
list<ADDRINT> *tdata = data_ar[tid];
list<ADDRINT> *retId = ret_ad[tid];
*/
list<ADDRINT>::iterator sp_iter;// = (*tdata).find(sp);
list<ADDRINT>::iterator ret_iter;// = (*tdata).find(sp);
tulist::iterator tup_iter;// = (*tdata).find(sp);
for (sp_iter = tdata->data_sp.begin(); sp_iter != tdata->data_sp.end(); sp_iter++) {
++dep;
if ( *sp_iter == sp )
break;
}
--dep;
/* This is the case where Ret Address is relocated to some other location on stack */
i = 0;
for ( tup_iter = tdata->tuplist.begin(); tup_iter != tdata->tuplist.end(); tup_iter++ ) {
++i;
if ( target == (tup_iter->get<1>())
&& ( (tup_iter->get<0>() == (target - 0x5))
|| ( tup_iter->get<0>() == (target - 0x2)) ) ) {
RetFile << tid << " Ret Addr Relocated " << hex << target << " " << tup_iter->get<0>() << ":" << (target - 2) << ":" << (target - tup_iter->get<0>() ) << " " << std::dec << i << endl;
++gotoCount;
tdata->tuplist.erase( tup_iter );
break;
}
}
//cout << " CHECK1" << endl;
if ( tup_iter != tdata->tuplist.end() ) {
PIN_ReleaseLock(&lock);
return;
}
else {
PIN_LockClient();
imgR = IMG_FindByAddress((ADDRINT)eip);
imgT = IMG_FindByAddress((ADDRINT)target);
PIN_UnlockClient();
if ( IMG_Valid(imgR) ) {
retName = IMG_Name(imgR);
}
if ( IMG_Valid(imgT) ) {
targetName = IMG_Name(imgT);
}
rR = RTN_FindNameByAddress((ADDRINT)eip);
tR = RTN_FindNameByAddress((ADDRINT)target);
if ( LD_PATH == targetName || LD_PATH == retName )
goto overRide;
OutFile[tid] << tid << hex << "LP not found!! " << sp << " " << target << " " << eip << " "<<targetName << " " << retName << " " << tR << " " << rR << endl;
overRide:
PIN_ReleaseLock(&lock);
return;
}
if (push) {
OutFile[tid] << std::dec << tid << "PUSH FOUND" << endl;
tdata->data_sp.erase(tdata->data_sp.begin());
PIN_ReleaseLock(&lock);
return;
}
if (sp_iter == tdata->data_sp.end()) {
/* This is the case where Ret Address is relocated to some other location on stack */
i = 0;
for ( tup_iter = tdata->tuplist.begin(); tup_iter != tdata->tuplist.end(); tup_iter++ ) {
++i;
if ( target == (tup_iter->get<1>()) && ( (tup_iter->get<0>() == (target - 0x5)) || ( tup_iter->get<0>() == (target - 0x2)) ) ) {
RetFile << tid << " Ret Addr Relocated " << hex << target << " " << tup_iter->get<0>() << ":" << (target - 2) << ":" << (target - tup_iter->get<0>() ) << " " << std::dec << i << endl;
++gotoCount;
tdata->tuplist.erase( tup_iter );
break;
}
}
//cout << " CHECK1" << endl;
if ( tup_iter != tdata->tuplist.end() ) {
PIN_ReleaseLock(&lock);
return;
}
PIN_LockClient();
imgR = IMG_FindByAddress((ADDRINT)eip);
imgT = IMG_FindByAddress((ADDRINT)target);
PIN_UnlockClient();
if ( IMG_Valid(imgR) ) {
retName = IMG_Name(imgR);
}
if ( IMG_Valid(imgT) ) {
targetName = IMG_Name(imgT);
}
rR = RTN_FindNameByAddress((ADDRINT)eip);
tR = RTN_FindNameByAddress((ADDRINT)target);
//cout << hex << tup_iter->get<0>() << ":" << tup_iter->get<1>() << endl;
OutFile[tid] << tid << hex << "ret address not found!! " << sp << " " << *(tdata->data_sp.begin())
<< " " << target << " " << tup_iter->get<0>() << " " << eip << " "<<targetName << " " << retName << " " << tR << " " << rR << endl;
PIN_ReleaseLock(&lock);
return;
}
if ( sp_iter != tdata->data_sp.begin() )
OutFile[tid] << tid << hex <<"ret address not in the beginning!! " << target <<" "<< eip << " " << sp << " " << *(tdata->data_sp.begin()) << " " << dec << dep<< endl;
depth -= dep;
tdata->data_sp.erase( tdata->data_sp.begin(), sp_iter);
tdata->data_sp.erase(sp_iter);
PIN_ReleaseLock(&lock);
}
VOID Instruction(INS ins, VOID *v)
{
PIN_LockClient();
IMG img = IMG_FindByAddress(INS_Address(ins));
PIN_UnlockClient();
if (IMG_Valid(img) && IMG_IsMainExecutable(img)){
if (INS_IsCall(ins)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)PrologueAnalysis,
IARG_ADDRINT, INS_Address(ins),
IARG_ADDRINT, INS_NextAddress(ins),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_END);
}
else if (INS_IsRet(ins)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)EpilogueAnalysis,
IARG_ADDRINT, INS_Address(ins),
IARG_ADDRINT, INS_NextAddress(ins),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_END);
}
else if (INS_OperandCount(ins) > 1 && INS_MemoryOperandIsWritten(ins, 0)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)WriteMem,
IARG_ADDRINT, INS_Address(ins),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_UINT32, INS_OperandCount(ins),
IARG_UINT32, INS_OperandReg(ins, 1),
IARG_MEMORYOP_EA, 0,
IARG_END);
}
/* Value Set Analysis */
if (INS_Opcode(ins) == XED_ICLASS_MOV &&
INS_RegR(ins, 0) == REG_RBP &&
INS_RegR(ins, 1) == REG_INVALID() &&
INS_IsMemoryWrite(ins)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)ValueSetAnalysis,
IARG_ADDRINT, INS_Address(ins),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_REG_VALUE, REG_RSP,
IARG_REG_VALUE, REG_RBP,
IARG_MEMORYOP_EA, 0,
IARG_END);
}
/* Analyzes stack overflow */
if (INS_MemoryOperandIsWritten(ins, 0)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)WriteMemAnalysis,
IARG_ADDRINT, INS_Address(ins),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_MEMORYOP_EA, 0,
IARG_END);
}
/* Timer Handler - And instruction counter */
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)timerHandler,
IARG_ADDRINT, INS_Address(INS_Prev(ins)),
IARG_ADDRINT, INS_Address(ins),
IARG_ADDRINT, INS_Address(INS_Next(ins)),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_END);
}
}
