VOID Instruction(INS ins, void *v)
{
// The subcases of direct branch and indirect branch are
// broken into "call" or "not call". Call is for a subroutine
// These are left as subcases in case the programmer wants
// to extend the statistics to see how sub cases of branches behave
if( INS_IsRet(ins) )
{
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) br_predict,
IARG_INST_PTR, IARG_BRANCH_TAKEN, IARG_END);
}
else if( INS_IsSyscall(ins) )
{
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) br_predict,
IARG_INST_PTR, IARG_BRANCH_TAKEN, IARG_END);
}
else if (INS_IsDirectBranchOrCall(ins))
{
if( INS_IsCall(ins) ) {
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) br_predict,
IARG_INST_PTR, IARG_BRANCH_TAKEN, IARG_END);
}
else {
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) br_predict,
IARG_INST_PTR, IARG_BRANCH_TAKEN, IARG_END);
}
}
else if( INS_IsIndirectBranchOrCall(ins) )
{
if( INS_IsCall(ins) ) {
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) br_predict,
IARG_INST_PTR, IARG_BRANCH_TAKEN, IARG_END);
}
else {
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) br_predict,
IARG_INST_PTR, IARG_BRANCH_TAKEN, IARG_END);
}
}
}
VOID CallTrace(TRACE trace, INS ins)
{
if (!KnobTraceCalls)
return;
// RTN = TRACE_Rtn(trace);
// ADDRINT rtn_addr = RTN_Address(rtn);
if (INS_IsBranchOrCall(ins) && !INS_IsDirectBranchOrCall(ins)) {
// Indirect Call
INS_InsertCall(ins, IPOINT_BEFORE,
AFUNPTR(EmitIndirectCall),
IARG_THREAD_ID,
IARG_INST_PTR,
IARG_BRANCH_TARGET_ADDR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_END
);
} else if (INS_IsDirectBranchOrCall(ins)) {
// Direct call..
ADDRINT target = INS_DirectBranchOrCallTargetAddress(ins);
INS_InsertCall(ins, IPOINT_BEFORE,
AFUNPTR(EmitDirectCall),
IARG_THREAD_ID,
IARG_INST_PTR,
IARG_ADDRINT, target,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_END
);
} else if (INS_IsRet(ins)) {
INS_InsertCall(ins, IPOINT_BEFORE,
AFUNPTR(EmitReturn),
IARG_THREAD_ID,
IARG_INST_PTR,
IARG_FUNCRET_EXITPOINT_VALUE,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_END
);
}
}
VOID Ins( INS ins, VOID *v )
{
if (KnobDetach > 0 && scount > KnobDetach)
return;
if (KnobLog)
{
void *addr = Addrint2VoidStar(INS_Address(ins));
string disasm = INS_Disassemble(ins);
PrintIns(addr, disasm.c_str());
}
scount++;
// call and return need also stack manipulation (see emu_stack.cpp)
// conditional jumps need handling the condition (not supported yet)
if (INS_IsCall(ins) || INS_IsRet(ins) || INS_Category(ins) == XED_CATEGORY_COND_BR)
return;
if (INS_IsIndirectBranchOrCall(ins))
{
INS_InsertCall(ins, IPOINT_BEFORE,
AFUNPTR(EmuIndJmp),
IARG_BRANCH_TARGET_ADDR,
IARG_RETURN_REGS, scratchReg, IARG_END);
INS_InsertIndirectJump(ins, IPOINT_AFTER, scratchReg);
INS_Delete(ins);
}
else if (INS_IsDirectBranchOrCall(ins))
{
ADDRINT tgt = INS_DirectBranchOrCallTargetAddress(ins);
INS_InsertDirectJump(ins, IPOINT_AFTER, tgt);
INS_Delete(ins);
}
}
VOID Instruction(INS ins, VOID *v)
{
//if (RTN_Valid(INS_Rtn(ins)) && RTN_Name(INS_Rtn(ins)) == "__SEH_epilog4") {
// cerr << "image " << IMG_Name(SEC_Img(RTN_Sec(INS_Rtn(ins)))) << endl;
//}
if (INS_IsRet(ins)) {
INS prev = INS_Prev(ins);
//cout<< "CALL TO RET" << endl;
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(Ret),
IARG_THREAD_ID,
IARG_REG_VALUE, REG_ESP,
IARG_BRANCH_TARGET_ADDR,
IARG_INST_PTR,
IARG_UINT32, (INS_Valid(prev) && INS_Opcode(prev) == XED_CATEGORY_PUSH),
IARG_END);
}
else if (INS_IsCall(ins)) {
//cout << "CALL TO CALL" << endl;
INS_InsertCall(ins, IPOINT_TAKEN_BRANCH, AFUNPTR(Call),
IARG_THREAD_ID,
IARG_REG_VALUE, REG_ESP,
IARG_BRANCH_TARGET_ADDR,
IARG_INST_PTR,
IARG_END);
}
else if (INS_IsMemoryWrite(ins)) {
//cout<< "CALL TO MEWRITE" << endl;
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(MemWrite),
IARG_THREAD_ID,
IARG_MEMORYWRITE_EA,
IARG_END);
}
}
VOID Instruction(INS ins, VOID *v)
{
ADDRINT nextIns;
if (INS_IsRet(ins)) {
INS prev = INS_Prev(ins);
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(Ret),
IARG_THREAD_ID,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_BRANCH_TARGET_ADDR,
IARG_INST_PTR,
IARG_UINT32, (INS_Valid(prev) && INS_Opcode(prev) == XED_CATEGORY_PUSH),
IARG_END);
}
else if (INS_IsCall(ins)) {
nextIns = INS_NextAddress(ins);
INS_InsertCall(ins, IPOINT_TAKEN_BRANCH, AFUNPTR(Call),
IARG_THREAD_ID,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_BRANCH_TARGET_ADDR,
IARG_INST_PTR,
IARG_ADDRINT, nextIns,
IARG_END);
}
else if (INS_IsMemoryWrite(ins)) {
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(MemWrite),
IARG_THREAD_ID,
IARG_MEMORYWRITE_EA,
IARG_INST_PTR,
IARG_END);
}
}
/*
* Instruction
* Catches Syscall, Return, Store functions and calls appropriate handler
*/
VOID Instruction(INS ins, VOID *v)
{
if (INS_IsSyscall(ins) && INS_HasFallThrough(ins))
{
// Arguments and syscall number is only available before
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(SysBefore),
IARG_INST_PTR, IARG_SYSCALL_NUMBER,
IARG_SYSARG_VALUE, 0, IARG_SYSARG_VALUE, 1,
IARG_SYSARG_VALUE, 2, IARG_SYSARG_VALUE, 3,
IARG_SYSARG_VALUE, 4, IARG_SYSARG_VALUE, 5,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_END);
}
else if (INS_Valid(ins))
{
if(INS_IsRet(ins))
{
INS_InsertCall(ins, IPOINT_TAKEN_BRANCH, AFUNPTR(Return),
IARG_REG_VALUE, REG_STACK_PTR,
IARG_END);
}
else if(INS_IsStackWrite(ins))
{
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(StackWrite),
IARG_MEMORYWRITE_EA,
IARG_MEMORYWRITE_SIZE,
IARG_END);
}
else if(INS_IsMemoryWrite(ins) && !(INS_IsBranchOrCall(ins)))
{
INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(MemoryWrite),
IARG_MEMORYWRITE_EA,
IARG_MEMORYWRITE_SIZE,
IARG_END);
}
}
}
void log_ins(INS ins)
{
// dump the instruction
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) &execute_instruction,
IARG_INST_PTR, IARG_PTR, strdup(INS_Disassemble(ins).c_str()),
IARG_END);
// reads memory (1)
if(INS_IsMemoryRead(ins) != 0) {
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) &dump_read_memory,
IARG_MEMORYREAD_EA, IARG_MEMORYREAD_SIZE, IARG_END);
}
// reads memory (2)
if(INS_HasMemoryRead2(ins) != 0) {
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR) &dump_read_memory,
IARG_MEMORYREAD2_EA, IARG_MEMORYREAD_SIZE, IARG_END);
}
IPOINT after = IPOINT_AFTER;
if(INS_IsCall(ins) != 0) {
// TODO is this correct?
after = IPOINT_TAKEN_BRANCH;
}
else if(INS_IsSyscall(ins) != 0) {
// TODO support syscalls
return;
}
else if(INS_HasFallThrough(ins) == 0 && (INS_IsBranch(ins) != 0 ||
INS_IsRet(ins) != 0)) {
// TODO is this correct?
after = IPOINT_TAKEN_BRANCH;
}
// dump written memory
if(INS_IsMemoryWrite(ins) != 0) {
INS_InsertCall(ins, IPOINT_BEFORE,
(AFUNPTR) &dump_written_memory_before, IARG_MEMORYWRITE_EA,
IARG_MEMORYWRITE_SIZE, IARG_END);
INS_InsertCall(ins, after, (AFUNPTR) &dump_written_memory_after,
IARG_END);
}
// dump all affected registers
for (UINT32 i = 0; i < INS_OperandCount(ins); i++) {
if(INS_OperandIsMemory(ins, i) != 0) {
if(INS_OperandMemoryBaseReg(ins, i) != REG_INVALID()) {
REG base_reg = INS_OperandMemoryBaseReg(ins, i);
if(g_reg_index[base_reg] != 0) {
INS_InsertCall(ins, IPOINT_BEFORE,
(AFUNPTR) &dump_reg_before,
IARG_UINT32, g_reg_index[base_reg]-1,
IARG_REG_VALUE, INS_OperandMemoryBaseReg(ins, i),
IARG_END);
INS_InsertCall(ins, after,
(AFUNPTR) &dump_reg_r_after,
IARG_UINT32, g_reg_index[base_reg]-1, IARG_END);
}
}
if(INS_OperandMemoryIndexReg(ins, i) != REG_INVALID()) {
REG index_reg = INS_OperandMemoryIndexReg(ins, i);
if(g_reg_index[index_reg] != 0) {
INS_InsertCall(ins, IPOINT_BEFORE,
(AFUNPTR) &dump_reg_before,
IARG_UINT32, g_reg_index[index_reg]-1,
IARG_REG_VALUE, INS_OperandMemoryIndexReg(ins, i),
IARG_END);
INS_InsertCall(ins, after,
(AFUNPTR) &dump_reg_r_after,
IARG_UINT32, g_reg_index[index_reg]-1, IARG_END);
}
}
}
if(INS_OperandIsReg(ins, i) != 0) {
REG reg_index = REG_FullRegName(INS_OperandReg(ins, i));
if(INS_OperandReadAndWritten(ins, i) != 0) {
if(g_reg_index[reg_index] != 0) {
INS_InsertCall(ins, IPOINT_BEFORE,
(AFUNPTR) &dump_reg_before,
IARG_UINT32, g_reg_index[reg_index]-1,
IARG_REG_VALUE, reg_index, IARG_END);
INS_InsertCall(ins, after, (AFUNPTR) &dump_reg_rw_after,
IARG_UINT32, g_reg_index[reg_index]-1,
IARG_REG_VALUE, reg_index, IARG_END);
}
}
else if(INS_OperandRead(ins, i) != 0) {
if(g_reg_index[reg_index] != 0) {
INS_InsertCall(ins, IPOINT_BEFORE,
(AFUNPTR) &dump_reg_before,
IARG_UINT32, g_reg_index[reg_index]-1,
IARG_REG_VALUE, reg_index, IARG_END);
INS_InsertCall(ins, after, (AFUNPTR) &dump_reg_r_after,
IARG_UINT32, g_reg_index[reg_index]-1, IARG_END);
}
}
else if(INS_OperandWritten(ins, i) != 0) {
if(g_reg_index[reg_index] != 0) {
INS_InsertCall(ins, after, (AFUNPTR) &dump_reg_w_after,
IARG_UINT32, g_reg_index[reg_index]-1,
IARG_REG_VALUE, reg_index, IARG_END);
}
}
}
}
INS_InsertCall(ins, after, (AFUNPTR) &print_newline, IARG_END);
}
// -------------------------------------------------------------
// Trace instrumentation function
// -------------------------------------------------------------
void I_Trace(TRACE trace, void *v) {
BOOL isPLT = IsPLT(TRACE_Rtn(trace));
#if DEBUG_INS
printf("-- Instrumenting trace %X of function %s\n",
TRACE_Address(trace), RTN_Valid(TRACE_Rtn(trace)) ? RTN_Name(TRACE_Rtn(trace)).c_str() : "<unknown_routine>");
#endif
// scan BBLs within the current trace
for (BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) {
// instrument memory reads and writes
for(INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins))
Instruction(ins);
INS tail = BBL_InsTail(bbl);
// skip system calls
if ( INS_IsSyscall(tail) ) continue;
// instrument .plt stub calls
if ( isPLT ) {
#if DEBUG_INS
printf(" > .plt stub call\n");
#endif
if (gSetup.callingSite) {
if (gSetup.memBuf)
INS_InsertCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessIndirectCallCSBuf,
IARG_FAST_ANALYSIS_CALL,
IARG_INST_PTR,
IARG_BRANCH_TARGET_ADDR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_CONTEXT,
IARG_END);
else
INS_InsertCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessIndirectCallCS,
IARG_FAST_ANALYSIS_CALL,
IARG_INST_PTR,
IARG_BRANCH_TARGET_ADDR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_END);
}
else {
if (gSetup.memBuf)
INS_InsertCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessIndirectCallBuf,
IARG_FAST_ANALYSIS_CALL,
IARG_BRANCH_TARGET_ADDR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_CONTEXT,
IARG_END);
else
INS_InsertCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessIndirectCall,
IARG_FAST_ANALYSIS_CALL,
IARG_BRANCH_TARGET_ADDR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_END);
}
continue;
}
// instrument all calls and returns
if ( INS_IsCall(tail) ) {
// direct call
if( INS_IsDirectBranchOrCall(tail) ) {
// get target address
ADDRINT target = Target2FunAddr(INS_DirectBranchOrCallTargetAddress(tail));
#if DEBUG_INS
printf(" > Direct call to %s\n", Target2RtnName(target).c_str());
#endif
// instrument direct call: target address determined here
if (gSetup.callingSite) {
if (gSetup.memBuf)
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessDirectCallCSBuf,
IARG_FAST_ANALYSIS_CALL,
IARG_INST_PTR,
IARG_ADDRINT, target,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_CONTEXT,
IARG_END);
else
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessDirectCallCS,
IARG_FAST_ANALYSIS_CALL,
IARG_INST_PTR,
IARG_ADDRINT, target,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_END);
}
else {
if (gSetup.memBuf)
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessDirectCallBuf,
IARG_FAST_ANALYSIS_CALL,
IARG_ADDRINT, target,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_CONTEXT,
IARG_END);
else
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessDirectCall,
IARG_FAST_ANALYSIS_CALL,
IARG_ADDRINT, target,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_END);
}
}
// indirect call: target address determined at call time
else {
#if DEBUG_INS
printf(" > Indirect call\n");
#endif
// instrument indirect call
if (gSetup.callingSite) {
if (gSetup.memBuf)
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessIndirectCallCSBuf,
IARG_FAST_ANALYSIS_CALL,
IARG_INST_PTR,
IARG_BRANCH_TARGET_ADDR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_CONTEXT,
IARG_END);
else
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessIndirectCallCS,
IARG_FAST_ANALYSIS_CALL,
IARG_INST_PTR,
IARG_BRANCH_TARGET_ADDR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_END);
}
else {
if (gSetup.memBuf)
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessIndirectCallBuf,
IARG_FAST_ANALYSIS_CALL,
IARG_BRANCH_TARGET_ADDR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_CONTEXT,
IARG_END);
else
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessIndirectCall,
IARG_FAST_ANALYSIS_CALL,
IARG_BRANCH_TARGET_ADDR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_END);
}
}
continue;
}
if ( INS_IsRet(tail) ) {
#if DEBUG_INS
printf(" > return\n");
#endif
if (gSetup.memBuf)
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessReturnBuf,
IARG_FAST_ANALYSIS_CALL,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_CONTEXT,
IARG_END);
else
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessReturn,
IARG_FAST_ANALYSIS_CALL,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_THREAD_ID,
IARG_END);
}
}
}
static void I_Trace(TRACE trace, void *v)
{
//FIXME if (PIN_IsSignalHandler()) {Sequence_ProcessSignalHandler(head)};
for(BBL bbl = TRACE_BblHead(trace); BBL_Valid(bbl); bbl = BBL_Next(bbl)) {
INS tail = BBL_InsTail(bbl);
// All memory reads/writes
for( INS ins = BBL_InsHead(bbl); INS_Valid(ins); ins = INS_Next(ins) ) {
if( INS_IsMemoryRead(ins)
|| INS_HasMemoryRead2(ins)
|| INS_IsMemoryWrite(ins)
) {
INS_InsertCall(ins, IPOINT_BEFORE,
(AFUNPTR)A_DoMem,
IARG_BOOL, INS_IsMemoryWrite(ins),
(INS_IsMemoryWrite(ins) ? IARG_MEMORYWRITE_EA : (INS_IsMemoryRead(ins) ? IARG_MEMORYREAD_EA : IARG_MEMORYREAD2_EA)),
IARG_INST_PTR,
IARG_END);
}
#if defined(TARGET_IA32) && defined (TARGET_WINDOWS)
// on ia-32 windows need to identify
// push
// ret
// in order to process callstack correctly
if (ins != tail)
{
INS_InsertPredicatedCall(ins, IPOINT_BEFORE,
(AFUNPTR)ProcessInst,
IARG_INST_PTR,
IARG_END);
if (INS_Opcode(ins)==XED_ICLASS_PUSH)
{
RecordPush (ins);
}
}
#endif
}
// All calls and returns
if( INS_IsSyscall(tail) ) {
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessSyscall,
IARG_INST_PTR,
IARG_SYSCALL_NUMBER,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_SYSCALL_ARG0,
IARG_END);
} else {
if( INS_IsCall(tail) ) {
if( INS_IsDirectBranchOrCall(tail) ) {
ADDRINT target = INS_DirectBranchOrCallTargetAddress(tail);
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessDirectCall,
IARG_INST_PTR,
IARG_ADDRINT, target,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_END);
} else if( !IsPLT(trace) ) {
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessIndirectCall,
IARG_INST_PTR,
IARG_BRANCH_TARGET_ADDR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_END);
}
}
if( IsPLT(trace) ) {
INS_InsertCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessStub,
IARG_INST_PTR,
IARG_BRANCH_TARGET_ADDR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_END);
}
if( INS_IsRet(tail) ) {
INS_InsertPredicatedCall(tail, IPOINT_BEFORE,
(AFUNPTR)A_ProcessReturn,
IARG_INST_PTR,
IARG_REG_VALUE, REG_STACK_PTR,
IARG_END);
}
}
}
}
instruction::instruction(const INS& ins)
{
this->address = INS_Address(ins);
this->next_address = INS_NextAddress(ins);
// this->opcode = INS_Mnemonic(ins);
this->opcode_size = static_cast<uint8_t>(INS_Size(ins));
this->opcode_buffer = std::shared_ptr<uint8_t>(new uint8_t[this->opcode_size], std::default_delete<uint8_t[]>());
PIN_SafeCopy(opcode_buffer.get(), reinterpret_cast<const VOID*>(this->address), this->opcode_size);
this->disassemble = INS_Disassemble(ins);
// including image, routine
auto img = IMG_FindByAddress(this->address);
this->including_image = IMG_Valid(img) ? IMG_Name(img) : "";
// this->including_routine = RTN_FindNameByAddress(this->address);
PIN_LockClient();
auto routine = RTN_FindByAddress(this->address);
PIN_UnlockClient();
if (RTN_Valid(routine)) {
auto routine_mangled_name = RTN_Name(routine);
this->including_routine_name = PIN_UndecorateSymbolName(routine_mangled_name, UNDECORATION_NAME_ONLY);
}
else this->including_routine_name = "";
// has fall through
this->has_fall_through = INS_HasFallThrough(ins);
// is call, ret or syscall
this->is_call = INS_IsCall(ins);
this->is_branch = INS_IsBranch(ins);
this->is_ret = INS_IsRet(ins);
this->is_syscall = INS_IsSyscall(ins);
this->category = static_cast<xed_category_enum_t>(INS_Category(ins));
this->iclass = static_cast<xed_iclass_enum_t>(INS_Opcode(ins));
// read registers
auto read_reg_number = INS_MaxNumRRegs(ins);
for (decltype(read_reg_number) reg_id = 0; reg_id < read_reg_number; ++reg_id) {
this->src_registers.push_back(INS_RegR(ins, reg_id));
}
// written registers
auto written_reg_number = INS_MaxNumWRegs(ins);
for (decltype(written_reg_number) reg_id = 0; reg_id < written_reg_number; ++reg_id) {
this->dst_registers.push_back(INS_RegW(ins, reg_id));
}
auto is_special_reg = [](const REG& reg) -> bool {
return (reg >= REG_MM_BASE);
};
this->is_special =
std::any_of(std::begin(this->src_registers), std::end(this->src_registers), is_special_reg) ||
std::any_of(std::begin(this->dst_registers), std::end(this->dst_registers), is_special_reg) ||
(this->category == XED_CATEGORY_X87_ALU) || (this->iclass == XED_ICLASS_XEND) || (this->category == XED_CATEGORY_LOGICAL_FP) ||
(this->iclass == XED_ICLASS_PUSHA) || (this->iclass == XED_ICLASS_PUSHAD) || (this->iclass == XED_ICLASS_PUSHF) ||
(this->iclass == XED_ICLASS_PUSHFD) || (this->iclass == XED_ICLASS_PUSHFQ);
// is memory read, write
this->is_memory_read = INS_IsMemoryRead(ins);
this->is_memory_write = INS_IsMemoryWrite(ins);
this->is_memory_read2 = INS_HasMemoryRead2(ins);
}
VOID Ins( INS ins, VOID *v )
{
if (KnobDetach > 0 && scount > KnobDetach)
return;
if (KnobLog)
{
void *addr = Addrint2VoidStar(INS_Address(ins));
string disasm = INS_Disassemble(ins);
PrintIns(addr, disasm.c_str());
}
scount++;
if (INS_Opcode(ins) == XED_ICLASS_PUSH)
{
if (INS_OperandIsImmediate(ins, 0))
{
ADDRINT value = INS_OperandImmediate(ins, 0);
INS_InsertCall(ins, IPOINT_BEFORE,
AFUNPTR(EmuPushValue),
IARG_REG_VALUE, REG_STACK_PTR,
IARG_ADDRINT, value,
IARG_RETURN_REGS, REG_STACK_PTR, IARG_END);
INS_Delete(ins);
}
else if(INS_OperandIsReg(ins, 0))
{
REG reg = INS_OperandReg(ins, 0);
INS_InsertCall(ins, IPOINT_BEFORE,
AFUNPTR(EmuPushValue),
IARG_REG_VALUE, REG_STACK_PTR,
IARG_REG_VALUE, reg,
IARG_RETURN_REGS, REG_STACK_PTR, IARG_END);
INS_Delete(ins);
}
else if(INS_OperandIsMemory(ins, 0))
{
INS_InsertCall(ins, IPOINT_BEFORE,
AFUNPTR(EmuPushMem),
IARG_REG_VALUE, REG_STACK_PTR,
IARG_MEMORYREAD_EA,
IARG_RETURN_REGS, REG_STACK_PTR, IARG_END);
INS_Delete(ins);
}
else
{
fprintf(stderr, "EmuPush: unsupported operand type (%p:'%s')\n",
Addrint2VoidStar(INS_Address(ins)), INS_Disassemble(ins).c_str());
}
}
else if (INS_Opcode(ins) == XED_ICLASS_POP)
{
if(INS_OperandIsReg(ins, 0))
{
INS_InsertCall(ins, IPOINT_BEFORE,
AFUNPTR(EmuPopReg),
IARG_REG_VALUE, REG_STACK_PTR,
IARG_REG_REFERENCE, INS_OperandReg(ins, 0),
IARG_RETURN_REGS, REG_STACK_PTR, IARG_END);
INS_Delete(ins);
}
else if(INS_OperandIsMemory(ins, 0))
{
INS_InsertCall(ins, IPOINT_BEFORE,
AFUNPTR(EmuPopMem),
IARG_REG_VALUE, REG_STACK_PTR,
IARG_MEMORYWRITE_EA,
IARG_RETURN_REGS, REG_STACK_PTR, IARG_END);
INS_Delete(ins);
}
else
{
fprintf(stderr, "EmuPop: unsupported operand type (%p:'%s')\n",
Addrint2VoidStar(INS_Address(ins)), INS_Disassemble(ins).c_str());
}
}
else if (INS_Opcode(ins) == XED_ICLASS_LEAVE)
{
INS_InsertCall(ins, IPOINT_BEFORE,
AFUNPTR(EmuLeave),
IARG_REG_VALUE, REG_STACK_PTR,
IARG_REG_REFERENCE, REG_GBP,
IARG_RETURN_REGS, REG_STACK_PTR, IARG_END);
INS_Delete(ins);
}
else if (INS_IsCall(ins))
{
INS_InsertCall(ins, IPOINT_BEFORE,
AFUNPTR(EmuCall),
IARG_ADDRINT, INS_NextAddress(ins),
IARG_BRANCH_TARGET_ADDR,
IARG_REG_REFERENCE, REG_STACK_PTR,
IARG_RETURN_REGS, scratchReg, IARG_END);
INS_InsertIndirectJump(ins, IPOINT_AFTER, scratchReg);
INS_Delete(ins);
}
else if (INS_IsRet(ins))
{
UINT64 imm = 0;
if (INS_OperandCount(ins) > 0 && INS_OperandIsImmediate(ins, 0))
{
imm = INS_OperandImmediate(ins, 0);
}
INS_InsertCall(ins, IPOINT_BEFORE,
AFUNPTR(EmuRet),
IARG_CALL_ORDER, CALL_ORDER_FIRST,
IARG_REG_REFERENCE, REG_STACK_PTR,
IARG_ADDRINT, (ADDRINT)imm,
IARG_RETURN_REGS, scratchReg, IARG_END);
INS_InsertIndirectJump(ins, IPOINT_AFTER, scratchReg);
INS_Delete(ins);
}
else if (INS_IsIndirectBranchOrCall(ins))
{
// This is not a call (it was checked before) so this is indirect jump
INS_InsertCall(ins, IPOINT_BEFORE,
AFUNPTR(EmuIndJmp),
IARG_BRANCH_TARGET_ADDR,
IARG_RETURN_REGS, scratchReg, IARG_END);
INS_InsertIndirectJump(ins, IPOINT_AFTER, scratchReg);
INS_Delete(ins);
}
}
VOID Instruction(INS ins, VOID *v)
{
PIN_LockClient();
IMG img = IMG_FindByAddress(INS_Address(ins));
PIN_UnlockClient();
if (IMG_Valid(img) && IMG_IsMainExecutable(img)){
if (INS_IsCall(ins)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)PrologueAnalysis,
IARG_ADDRINT, INS_Address(ins),
IARG_ADDRINT, INS_NextAddress(ins),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_END);
}
else if (INS_IsRet(ins)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)EpilogueAnalysis,
IARG_ADDRINT, INS_Address(ins),
IARG_ADDRINT, INS_NextAddress(ins),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_END);
}
else if (INS_OperandCount(ins) > 1 && INS_MemoryOperandIsWritten(ins, 0)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)WriteMem,
IARG_ADDRINT, INS_Address(ins),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_UINT32, INS_OperandCount(ins),
IARG_UINT32, INS_OperandReg(ins, 1),
IARG_MEMORYOP_EA, 0,
IARG_END);
}
/* Value Set Analysis */
if (INS_Opcode(ins) == XED_ICLASS_MOV &&
INS_RegR(ins, 0) == REG_RBP &&
INS_RegR(ins, 1) == REG_INVALID() &&
INS_IsMemoryWrite(ins)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)ValueSetAnalysis,
IARG_ADDRINT, INS_Address(ins),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_REG_VALUE, REG_RSP,
IARG_REG_VALUE, REG_RBP,
IARG_MEMORYOP_EA, 0,
IARG_END);
}
/* Analyzes stack overflow */
if (INS_MemoryOperandIsWritten(ins, 0)){
INS_InsertCall(
ins, IPOINT_BEFORE, (AFUNPTR)WriteMemAnalysis,
IARG_ADDRINT, INS_Address(ins),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_MEMORYOP_EA, 0,
IARG_END);
}
/* Timer Handler - And instruction counter */
INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)timerHandler,
IARG_ADDRINT, INS_Address(INS_Prev(ins)),
IARG_ADDRINT, INS_Address(ins),
IARG_ADDRINT, INS_Address(INS_Next(ins)),
IARG_PTR, new string(INS_Disassemble(ins)),
IARG_END);
}
}
