/**
 * Pin instrumentation callback, invoked once for every instruction Pin
 * translates.
 *
 * Instructions whose address is not covered by any loaded module are
 * treated as potential shellcode: an analysis call to dump_shellcode is
 * inserted before them, carrying the disassembly text, so the trace file
 * is written only when the instruction actually executes. Instructions in
 * known modules are merely remembered in a bounded ring
 * (legitInstructions) so the control-flow lead-up to the first shellcode
 * instruction can be dumped afterwards.
 *
 * @param ins  The instruction being instrumented.
 * @param      Unused Pin callback value.
 *
 * Note: the std::string handed to INS_InsertCall is heap-allocated and
 * never freed here; Pin runs the analysis routine long after this
 * instrumentation call returns, so the argument must outlive this frame.
 */
void traceInst(INS ins, VOID*)
{
    const ADDRINT insAddr = INS_Address(ins);

    if (!isUnknownAddress(insAddr)) {
        // Known module: keep the instruction text for the "how did we get
        // here" log, capped at MAX_LEGIT_INSTRUCTION_LOG_SIZE entries (or the
        // whole program if it is shorter than that).
        legitInstructions.push_back(dumpInstruction(ins));
        if (legitInstructions.size() > MAX_LEGIT_INSTRUCTION_LOG_SIZE) {
            legitInstructions.pop_front();
        }
        return;
    }

    // Unknown address: candidate shellcode. Dump it at execution time, not at
    // instrumentation time, so only code that really runs ends up in the trace.
    std::string* disasm = new std::string(dumpInstruction(ins));
    INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(dump_shellcode),
                   IARG_PTR, disasm,
                   IARG_END);
}
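/**
 * Pin instrumentation callback, invoked once for every instruction Pin
 * translates.
 *
 * Instructions whose address is not covered by any loaded module are
 * treated as potential shellcode: an analysis call to dump_shellcode is
 * inserted before them with the disassembly text, the list of registers the
 * instruction references and the CPU context (IARG_CONTEXT), so register
 * values can be printed when the instruction actually executes.
 * Instructions in known modules are remembered in a bounded ring
 * (legitInstructions) so the control-flow lead-up to the first shellcode
 * instruction can be dumped afterwards; when modlist is non-empty only
 * modules named in it are logged.
 *
 * @param ins  The instruction being instrumented.
 * @param      Unused Pin callback value.
 *
 * Fix: the register list was previously a stack local whose address was
 * passed via IARG_PTR. Pin invokes the analysis routine after this
 * instrumentation call has returned, so dump_shellcode read a dangling
 * pointer. The list is now heap-allocated, like the disassembly string, and
 * intentionally never freed here: both arguments must live as long as the
 * instrumented instruction stays in Pin's code cache.
 */
void traceInst(INS ins, VOID*)
{
    const ADDRINT insAddr = INS_Address(ins);

    if (isUnknownAddress(insAddr)) {
        // Collect the registers named by the instruction's operands. Done only
        // on this path: legit instructions never need it.
        RegList* regs = new RegList();
        const UINT32 opCount = INS_OperandCount(ins);
        for (UINT32 i = 0; i < opCount; ++i) {
            if (!INS_OperandIsReg(ins, i))
                continue;
            const REG r = INS_OperandReg(ins, i);
            if (r != REG_INVALID())
                regs->push_back(r);
        }

        // Dump at execution time, not instrumentation time, so only code that
        // really runs ends up in the trace.
        INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(dump_shellcode),
                       IARG_PTR, new std::string(dumpInstruction(ins)),
                       IARG_PTR, regs,
                       IARG_CONTEXT,
                       IARG_END);
        return;
    }

    // Known module. Honour the optional module filter: an empty modlist means
    // "log everything", otherwise skip modules we were not asked to watch.
    const std::string modName = getModule(insAddr);
    if (!modlist.empty() && modlist.find(modName) == modlist.end())
        return;

    // Keep the instruction text for the "how did we get here" log, capped at
    // KnobMaxLegitInsLogSize entries (or the whole program if shorter).
    legitInstructions.push_back(dumpInstruction(ins));
    if (legitInstructions.size() > KnobMaxLegitInsLogSize.Value()) {
        legitInstructions.pop_front();
    }
}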