int
main(int argc, char *argv[], char *envp[])
{
std::ios::sync_with_stdio();
// Our instruction callback. We can't set its trigger address until after we load the specimen, but we want to register
// the callback with the simulator before we create the first thread.
Trigger clone_detection_trigger;
// All of this is standard boilerplate and documented in the first page of the simulator doxygen.
RSIM_Linux32 sim;
sim.install_callback(new RSIM_Tools::UnhandledInstruction); // needed by some versions of ld-linux.so
sim.install_callback(&clone_detection_trigger); // it mustn't be destroyed while the simulator's running
int n = sim.configure(argc, argv, envp);
sim.exec(argc-n, argv+n);
// Now that we've loaded the specimen into memory and created its first thread, figure out its original entry point (OEP)
// and arm the clone_detection_trigger so that it triggers clone detection when the OEP is reached. This will allow the
// specimen's dynamic linker to run.
rose_addr_t trigger_va = sim.get_process()->get_ep_orig_va();
clone_detection_trigger.arm(trigger_va);
// Allow the specimen to run until it reaches the clone detection trigger point, at which time a CloneDetector object is
// thrown for that thread that reaches it first.
try {
sim.main_loop();
} catch (CloneDetector *clone_detector) {
clone_detector->analyze();
}
return 0;
}
int
main(int argc, char *argv[], char *envp[])
{
RSIM_Linux32 sim;
int n = sim.configure(argc, argv, envp);
InsnStats insn_stats;
SyscallStats call_stats;
sim.install_callback(&insn_stats);
sim.install_callback(&call_stats);
sim.install_callback(new RSIM_Tools::UnhandledInstruction);
sim.exec(argc-n, argv+n);
sim.activate();
sim.main_loop();
sim.deactivate();
#if 0
std::cerr <<"Number of instructions executed: " <<insn_stats.total_insns() <<" (" <<insn_stats.unique_insns() <<" unique)\n";
std::cerr <<"Number of system calls: " <<call_stats.total_calls() <<" (" <<call_stats.unique_calls() <<" unique)\n";
#else
std::cerr <<insn_stats <<call_stats;
#endif
return 0;
}
int
main(int argc, char *argv[], char *envp[])
{
RSIM_Linux32 sim;
int n = sim.configure(argc, argv, envp);
sim.install_callback(new RSIM_Tools::UnhandledInstruction);
/**************************************************************************************************************************
* Debugging callbacks...
**************************************************************************************************************************/
#if 0
/* Parse the ELF container so we can get to the symbol table. */
char *rose_argv[4];
rose_argv[0] = argv[0];
rose_argv[1] = strdup("-rose:read_executable_file_format_only");
rose_argv[2] = argv[n];
rose_argv[3] = NULL;
SgProject *project = frontend(3, rose_argv);
/* Disassemble when we hit main() */
rose_addr_t disassemble_va = RSIM_Tools::FunctionFinder().address(project, "main");
assert(disassemble_va>0);
sim.install_callback(new RSIM_Tools::MemoryDisassembler(disassemble_va));
/* Print a stack trace and memory dump for every system call */
struct SyscallStackTrace: public RSIM_Callbacks::SyscallCallback {
virtual SyscallStackTrace *clone() {
return this;
}
virtual bool operator()(bool enabled, const Args &args) {
if (enabled) {
RTS_Message *trace = args.thread->tracing(TRACE_SYSCALL);
args.thread->report_stack_frames(trace, "Stack frames for following system call:");
args.thread->get_process()->mem_showmap(trace, "Memory map for following system call:", " ");
}
return enabled;
}
};
sim.get_callbacks().add_syscall_callback(RSIM_Callbacks::BEFORE, new SyscallStackTrace);
#endif
/***************************************************************************************************************************
* The main program...
***************************************************************************************************************************/
sim.exec(argc-n, argv+n);
sim.install_callback(new MemoryTransactionTester(sim.get_process()->get_ep_orig_va()), RSIM_Callbacks::BEFORE, true);
// sim.activate();
sim.main_loop();
// sim.deactivate();
sim.describe_termination(stderr);
sim.terminate_self(); // probably doesn't return
return 0;
}
// Main program is almost standard RSIM boilerplate. The only thing we add is the instantiation and installation of the
// SymbolicBombDetector callback.
int
main(int argc, char *argv[], char *envp[])
{
RSIM_Linux32 sim;
sim.install_callback(new RSIM_Tools::UnhandledInstruction);
int n = sim.configure(argc, argv, envp);
sim.exec(argc-n, argv+n);
sim.install_callback(new IntervalAnalysis(sim.get_process()->get_ep_start_va()), RSIM_Callbacks::BEFORE, true);
sim.main_loop();
sim.describe_termination(stderr);
sim.terminate_self();
return 0;
}
int
main(int argc, char *argv[], char *envp[])
{
std::ios::sync_with_stdio();
// Parse command-line switches understood by MultiWithConversion and leave the rest for the simulator.
rose_addr_t target_va = 0; // analysis address (i.e., the "arbitrary offset"). Zero implies the program's OEP
for (int i=1; i<argc; ++i) {
if (!strcmp(argv[i], "--help") || !strcmp(argv[i], "-h") || !strcmp(argv[i], "-?")) {
std::cout <<"usage: " <<argv[0] <<" [--target=ADDRESS] [SIMULATOR_SWITCHES] SPECIMEN [SPECIMEN_ARGS...]\n";
exit(0);
} else if (!strncmp(argv[i], "--target=", 9)) {
target_va = strtoull(argv[i]+9, NULL, 0);
memmove(argv+i, argv+i+1, (argc-- -i)*sizeof(*argv)); // argv has argc+1 elements
--i;
} else {
break;
}
}
// Our instruction callback. We can't set its trigger address until after we load the specimen, but we want to register
// the callback with the simulator before we create the first thread.
SemanticController semantic_controller;
// All of this (except the part where we register our SemanticController) is standard boilerplate and documented in
// the first page of doxygen.
RSIM_Linux32 sim;
sim.install_callback(new RSIM_Tools::UnhandledInstruction); // needed by some versions of ld-linux.so
sim.install_callback(&semantic_controller); // it mustn't be destroyed while the simulator's running
int n = sim.configure(argc, argv, envp);
sim.exec(argc-n, argv+n);
// Register our instruction callback and tell it to trigger at the specimen's original entry point (OEP). This will cause
// our analysis to run as soon as the dynamic linker is finished. We don't know the OEP until after the sim.exec() call
// that loads the specimen into memory, so by time we can register our callback, the RSIM_Process has copied
rose_addr_t trigger_va = sim.get_process()->get_ep_orig_va();
semantic_controller.arm(trigger_va, 0==target_va ? trigger_va : target_va);
//sim.activate();
sim.main_loop();
//sim.deactivate();
sim.describe_termination(stderr);
sim.terminate_self(); // probably doesn't return
return 0;
}
int main(int argc, char *argv[], char *envp[])
{
RSIM_Linux32 sim;
int n = sim.configure(argc, argv, envp);
// Parse the ELF container so we can get to the symbol table. This is normal ROSE static analysis.
char *rose_argv[4];
int rose_argc=0;
rose_argv[rose_argc++] = argv[0];
rose_argv[rose_argc++] = strdup("-rose:read_executable_file_format_only");
rose_argv[rose_argc++] = argv[n];
rose_argv[rose_argc] = NULL;
SgProject *project = frontend(rose_argc, rose_argv);
// Find the address of "main" and "updcrc" functions.
rose_addr_t main_va = RSIM_Tools::FunctionFinder().address(project, "main");
assert(main_va!=0);
rose_addr_t updcrc_va = RSIM_Tools::FunctionFinder().address(project, "updcrc");
assert(updcrc_va!=0);
// Register the analysis callback.
Analysis analysis(main_va, updcrc_va);
sim.install_callback(&analysis);
// The rest is normal boiler plate to run the simulator, except we'll catch the Analysis to terminate the simulation early
// if desired.
sim.install_callback(new RSIM_Tools::UnhandledInstruction);
sim.exec(argc-n, argv+n);
sim.activate();
try {
sim.main_loop();
} catch (Analysis*) {
}
sim.deactivate();
return 0;
}
int main(int argc, char *argv[], char *envp[])
{
/* Configure the simulator by parsing command-line switches. The return value is the index of the executable name in argv. */
RSIM_Linux32 sim;
int n = sim.configure(argc, argv, envp);
/* Parse the ELF container so we can get to the symbol table. */
char *rose_argv[4];
int rose_argc=0;
rose_argv[rose_argc++] = argv[0];
rose_argv[rose_argc++] = strdup("-rose:read_executable_file_format_only");
rose_argv[rose_argc++] = argv[n];
rose_argv[rose_argc] = NULL;
SgProject *project = frontend(rose_argc, rose_argv);
/* Find the address of "main" and "payload" functions. */
rose_addr_t main_addr = RSIM_Tools::FunctionFinder().address(project, "main");
assert(main_addr!=0);
rose_addr_t payload_addr = RSIM_Tools::FunctionFinder().address(project, "payload");
assert(payload_addr!=0);
/* Register the analysis callback. */
Analysis analysis(main_addr, payload_addr);
sim.install_callback(&analysis);
/* Create the initial process object by loading a program and initializing the stack. This also creates the main thread,
* but does not start executing it. */
sim.exec(argc-n, argv+n);
/* Get ready to execute by making the specified simulator active. This sets up signal handlers, etc. We probably don't
* really need it for this demo since the specimen doesn't do anything with signals. In fact, if we're using the Yices
* executable (rather than its library), ROSE will generate spurious SIGCHLD which the simulator will forward to the
* specimen. Of course, in that case, the analysis could temporarily deactivate the simulator. */
sim.activate();
/* Allow executor threads to run and return when the simulated process terminates. */
try {
sim.main_loop();
} catch (Analysis*) {
}
/* Not really necessary since we're not doing anything else. */
sim.deactivate();
return 0;
}
int
main(int argc, char *argv[], char *envp[])
{
rose_addr_t trigger_va = 0; // address at which disassembly is triggered
std::string trigger_func = "oep"; // name of function at which disassembly is triggered (oep=original entry point)
AsmUnparser::Organization org = AsmUnparser::ORGANIZED_BY_AST;
// Parse arguments that we need for ourself.
for (int i=1; i<argc; i++) {
if (!strncmp(argv[i], "--trigger=", 10)) {
// Address (or name of function) that will trigger the disassembly. When the EIP register contains this value then
// disassembly will run and the specimen will be terminated.
char *rest;
trigger_func = "";
trigger_va = strtoull(argv[i]+10, &rest, 0);
if (*rest) {
trigger_va = 0;
trigger_func = argv[i]+10;
}
memmove(argv+i, argv+i+1, (argc-- - i)*sizeof(*argv));
--i;
} else if (!strcmp(argv[i], "--linear")) {
org = AsmUnparser::ORGANIZED_BY_ADDRESS;
memmove(argv+i, argv+i+1, (argc-- - i)*sizeof(*argv));
--i;
}
}
// Initialize the simulator
RSIM_Linux32 sim;
int n = sim.configure(argc, argv, envp);
sim.install_callback(new RSIM_Tools::UnhandledInstruction);
sim.exec(argc-n, argv+n);
RSIM_Process *process = sim.get_process();
RSIM_Thread *main_thread = process->get_main_thread();
// Find the trigger address
if (0==trigger_va) {
if (trigger_func.empty() || !trigger_func.compare("oep")) {
trigger_va = process->get_ep_orig_va();
} else if (0==(trigger_va = RSIM_Tools::FunctionFinder().address(process->headers(), trigger_func))) {
std::cerr <<argv[0] <<": unable to locate address of function: " <<trigger_func <<"\n";
exit(1);
}
}
// Install our disassembler callback to the main thread. We don't use RSIM_Tools::MemoryDisassembler because we want to
// cancel the specimen once we disassemble.
main_thread->install_callback(new MyDisassembler(trigger_va, org));
// Allow the specimen to run until the disassembly is triggered
bool disassembled = false;
sim.activate();
try {
sim.main_loop();
} catch (MyDisassembler*) {
disassembled = true;
}
if (!disassembled) {
std::cerr <<argv[0] <<": specimen ran to completion without triggering a disassembly.\n";
exit(1);
}
return 0;
}
int main(int argc, char *argv[], char *envp[])
{
// Parse (and remove) switches intended for the analysis.
std::string trigger_func, analysis_func;
rose_addr_t trigger_va=0, analysis_va=0;
std::vector<bool> take_branch;
for (int i=1; i<argc; i++) {
if (!strncmp(argv[i], "--trigger=", 10)) {
// name or address of function triggering analysis
char *rest;
trigger_va = strtoull(argv[i]+10, &rest, 0);
if (*rest) {
trigger_va = 0;
trigger_func = argv[i]+10;
}
memmove(argv+i, argv+i+1, (argc-- - i)*sizeof(*argv));
--i;
} else if (!strncmp(argv[i], "--analysis-func=", 16)) {
// name or address of function to analyze
char *rest;
analysis_va = strtoull(argv[i]+16, &rest, 0);
if (*rest) {
analysis_va = 0;
analysis_func = argv[i]+16;
}
memmove(argv+i, argv+i+1, (argc-- - i)*sizeof(*argv));
--i;
} else if (!strncmp(argv[i], "--take-branch=", 14)) {
// --take-branch=STRING. The STRING is a series of boolean values (t/f or 1/0 or y/n) that say what to do when the
// analysis hits a conditional branch instruction and cannot decide whether the branch should be taken or not
// taken. Whatever choice the user specifies here causes the analysis to add a new constraint to the solver.
for (size_t j=14; argv[i][j]; j++)
take_branch.push_back(NULL!=strchr("t1y", argv[i][j]));
memmove(argv+i, argv+i+1, (argc-- -i)*sizeof(*argv));
--i;
}
}
if (trigger_func.empty() && 0==trigger_va) {
std::cerr <<argv[0] <<": --trigger-func=NAME_OR_ADDR is required\n";
return 1;
}
if (analysis_func.empty() && 0==analysis_va) {
std::cerr <<argv[0] <<": --analysis-func=NAME_OR_ADDR is required\n";
return 1;
}
// Parse switches intended for the simulator.
RSIM_Linux32 sim;
int n = sim.configure(argc, argv, envp);
// Parse the ELF container so we can get to the symbol table. This is normal ROSE static analysis.
char *rose_argv[4];
int rose_argc=0;
rose_argv[rose_argc++] = argv[0];
rose_argv[rose_argc++] = strdup("-rose:read_executable_file_format_only");
rose_argv[rose_argc++] = argv[n];
rose_argv[rose_argc] = NULL;
SgProject *project = frontend(rose_argc, rose_argv);
// Find the address of "main" and analysis functions.
if (!trigger_func.empty())
trigger_va = RSIM_Tools::FunctionFinder().address(project, trigger_func);
assert(trigger_va!=0);
if (!analysis_func.empty())
analysis_va = RSIM_Tools::FunctionFinder().address(project, analysis_func);
assert(analysis_va!=0);
// Register the analysis callback.
Analysis analysis(trigger_va, analysis_va, take_branch);
sim.install_callback(&analysis);
// The rest is normal boiler plate to run the simulator, except we'll catch the Analysis to terminate the simulation early
// if desired.
sim.install_callback(new RSIM_Tools::UnhandledInstruction);
sim.exec(argc-n, argv+n);
sim.activate();
try {
sim.main_loop();
} catch (Analysis*) {
}
sim.deactivate();
return 0;
}