static void Instrument_LEAVE(const xed_inst_t* xi)
{
uint32_t esp = PEMU_get_reg(XED_REG_ESP);
uint32_t ebp = PEMU_get_reg(XED_REG_EBP);
d_set_mem_taint_bysize(esp, 0, ebp - esp + 4); //clear stack memory tag
}
static void Instrument_ADD(const xed_inst_t* xi)
{
xed_reg_enum_t reg_id_0, reg_id_1;
unsigned int imm = 0;
unsigned int mem_addr, taint_s = 0, taint_d = 0;
const xed_operand_t *op_0 = xed_inst_operand(xi, 0);
const xed_operand_t *op_1 = xed_inst_operand(xi, 1);
xed_operand_enum_t op_name_0 = xed_operand_name(op_0);
xed_operand_enum_t op_name_1 = xed_operand_name(op_1);
if(operand_is_mem4(op_name_0, &mem_addr, 0)){
if(operand_is_imm(op_name_1, &imm))
return;
taint_d = t_get_mem_taint(mem_addr);
//yang
int a, b;
PEMU_read_mem(mem_addr, 4, &a);
if (operand_is_reg(op_name_1, ®_id_1)){
taint_s = t_get_reg_taint(reg_id_1);
b = PEMU_get_reg(reg_id_1);
}
if(b<a)
// if((int)get_pc_imm(taint_s) < (int)get_pc_imm(taint_d))
taint_s = taint_d;
t_set_mem_taint_bysize(mem_addr, taint_s,
xed_decoded_inst_operand_length(&xedd_g, 0));
}else if(operand_is_reg(op_name_0, ®_id_0)){
if(operand_is_imm(op_name_1, &imm))
return;
//yang
int a, b;
a = PEMU_get_reg(reg_id_0);
taint_d = t_get_reg_taint(reg_id_0);
if(operand_is_mem4(op_name_1, &mem_addr, 1)){
taint_s = t_get_mem_taint(mem_addr);
PEMU_read_mem(mem_addr, 4, &b);
}else if(operand_is_reg(op_name_1, ®_id_1)){
taint_s = t_get_reg_taint(reg_id_1);
b = PEMU_get_reg(reg_id_1);
}
// if((int)get_pc_imm(taint_s) < (int)get_pc_imm(taint_d))
if(b<a)
taint_s = taint_d;
t_set_reg_taint(reg_id_0, taint_s);
}
}
unsigned int disas_get_target(unsigned int start_pc, struct PEMU_INST *inst)
{
PEMU_read_mem(start_pc, 15, inst->PEMU_inst_buf);
xed_decoded_inst_zero_set_mode(&inst->PEMU_xedd_g, &inst->PEMU_dstate);
xed_error_enum_t xed_error = xed_decode(&inst->PEMU_xedd_g,
XED_STATIC_CAST(const xed_uint8_t *, inst->PEMU_inst_buf), 15);
if (xed_error != XED_ERROR_NONE) {
fprintf(stderr, "error in disas_get_target\n");
exit(0);
}
const xed_inst_t *xi = xed_decoded_inst_inst(&inst->PEMU_xedd_g);
if(xed_decoded_inst_get_iclass(&inst->PEMU_xedd_g) != XED_ICLASS_CALL_NEAR) {
return 0;
}
const xed_operand_t *op = xed_inst_operand(xi, 0);
xed_reg_enum_t reg_id;
xed_operand_enum_t op_name = xed_operand_name(op);
unsigned int dest, tmp;
if(operand_is_relbr(op_name, &dest)){
dest += (start_pc + xed_decoded_inst_get_length(&inst->PEMU_xedd_g));
}else if(operand_is_reg(op_name, ®_id)){
dest = PEMU_get_reg(reg_id);
}else if(operand_is_mem4(op_name, &dest,0)){
PEMU_read_mem(dest, 4, &tmp);
dest = tmp;
}
return dest;
}
static target_ulong Instrument_CALL_NEAR(target_ulong pc)
{
uint32_t mem_addr;
xed_reg_enum_t reg_id;
target_ulong target;
PEMU_read_mem(pc, 15, pemu_inst.PEMU_inst_buf);
xed_decoded_inst_zero_set_mode(&pemu_inst.PEMU_xedd_g, &pemu_inst.PEMU_dstate);
xed_error_enum_t xed_error = xed_decode(&pemu_inst.PEMU_xedd_g,
XED_STATIC_CAST(const xed_uint8_t *, pemu_inst.PEMU_inst_buf), 15);
const xed_inst_t * ins = xed_decoded_inst_inst(&pemu_inst.PEMU_xedd_g);
const xed_operand_t *op = xed_inst_operand(ins, 0);
xed_operand_enum_t op_name = xed_operand_name(op);
if (operand_is_mem(op_name, &mem_addr, 0)) {
PEMU_read_mem(mem_addr,sizeof(target) , &target);
}
else if (operand_is_reg(op_name, ®_id)){
target = PEMU_get_reg(reg_id);
}
else{
int len = xed_decoded_inst_get_length(&pemu_inst.PEMU_xedd_g);
target = xed_decoded_inst_get_branch_displacement(&pemu_inst.PEMU_xedd_g) + pc + len;
}
return target;
}
static void Instrument_LEA(const xed_inst_t* xi)
{
xed_reg_enum_t reg_id;
unsigned int mem_addr, imm;
const xed_operand_t *op_0 = xed_inst_operand(xi, 0);
const xed_operand_t *op_1 = xed_inst_operand(xi, 1);
xed_operand_enum_t op_name_0 = xed_operand_name(op_0);
xed_operand_enum_t op_name_1 = xed_operand_name(op_1);
if(operand_is_mem4(op_name_1, &mem_addr, 1)){
if (operand_is_reg(op_name_0, ®_id)){
int mem_idx = 0;
if (op_name_1 == XED_OPERAND_MEM1)
mem_idx = 1;
xed_reg_enum_t base_regid =
xed_decoded_inst_get_base_reg(&xedd_g, mem_idx);
xed_reg_enum_t index_regid =
xed_decoded_inst_get_index_reg(&xedd_g, mem_idx);
//if(index_regid == XED_REG_INVALID && mem_taint == 0)
// t_set_reg_taint(reg_id, t_get_reg_taint(base_regid));
if(index_regid == XED_REG_INVALID) {
if(find_min_dist(mem_addr, g_base, g_index, g_disp) != 3) {
t_set_reg_taint(reg_id, t_get_reg_taint(base_regid));
}
}
else {
unsigned int a=0, b=0;
if(base_regid != XED_REG_INVALID)
a = PEMU_get_reg(base_regid);
b = PEMU_get_reg(index_regid);
if( a < b)
t_set_reg_taint(reg_id, t_get_reg_taint(index_regid));
else
t_set_reg_taint(reg_id, t_get_reg_taint(base_regid));
}
}else{
fprintf(stderr, "error in Instrument_LEA\n");
exit(0);
}
}else{
fprintf(stderr, "error in Instrument_LEA\n");
exit(0);
}
}
//yang.new
static void Instrument_POPAD(const xed_inst_t *xi)
{
xed_reg_enum_t regs[]={XED_REG_EDI, XED_REG_ESI, XED_REG_EBP,XED_REG_ESP,XED_REG_EBX,XED_REG_EDX, XED_REG_ECX, XED_REG_EAX};
unsigned int mem_addr;
mem_addr = PEMU_get_reg(XED_REG_ESP);
unsigned int i=0;
for(i=0;i<8;i++,mem_addr=mem_addr+4){
d_set_reg_taint(regs[i], d_get_mem_taint(mem_addr));
d_set_mem_taint(mem_addr, 0);
}
}
//yang.new
static void Instrument_PUSHAD(const xed_inst_t *xi)
{
xed_reg_enum_t regs[]={XED_REG_EAX, XED_REG_ECX, XED_REG_EDX,XED_REG_EBX,XED_REG_ESP,XED_REG_EBP, XED_REG_ESI, XED_REG_EDI};
unsigned int mem_addr;
mem_addr = PEMU_get_reg(XED_REG_ESP)-4;
unsigned int i=0;
for(i=0;i<8;i++,mem_addr=mem_addr-4){
t_set_mem_taint(mem_addr, t_get_reg_taint(regs[i]));
}
}
static void Instrument_PUSH(const xed_inst_t* xi)
{
const xed_operand_t *op = xed_inst_operand(xi, 0);
xed_operand_enum_t op_name = xed_operand_name(op);
xed_reg_enum_t reg_id;
unsigned int taint = 0, mem_addr;
if(operand_is_mem4(op_name, &mem_addr, 0)){
taint = d_get_mem_taint(mem_addr);
}else if(operand_is_reg(op_name, ®_id)){
taint = d_get_reg_taint(reg_id);
}
unsigned int esp = PEMU_get_reg(XED_REG_ESP) - 4;
d_set_mem_taint_bysize(esp, taint, 4);
}
void PEMU_print_all_reg(void)
{
fprintf(stdout, "EAX:%x\nEBX:%x\nECX:%x\nEDX:%x\nESI:%x\nEDI:%x\n",
PEMU_get_reg(XED_REG_EAX),
PEMU_get_reg(XED_REG_EBX),
PEMU_get_reg(XED_REG_ECX),
PEMU_get_reg(XED_REG_EDX),
PEMU_get_reg(XED_REG_ESI),
PEMU_get_reg(XED_REG_EDI));
}
static void Instrument_POP(const xed_inst_t* xi)
{
uint32_t mem_addr;
xed_reg_enum_t reg_id;
const xed_operand_t *op = xed_inst_operand(xi, 0);
xed_operand_enum_t op_name = xed_operand_name(op);
uint32_t esp = PEMU_get_reg(XED_REG_ESP);
uint32_t taint = d_get_mem_taint(esp);
if(operand_is_mem4(op_name, &mem_addr, 0)){
d_set_mem_taint_bysize(mem_addr, taint, 4);
}else if(operand_is_reg(op_name, ®_id)){
d_set_reg_taint(reg_id, taint);
}
d_set_mem_taint_bysize(esp, 0, 4);
}
static target_ulong Instrument_CALL_NEAR( const xed_inst_t * ins, target_ulong pc)
{
uint32_t mem_addr;
xed_reg_enum_t reg_id;
target_ulong target;
const xed_operand_t *op = xed_inst_operand(ins, 0);
xed_operand_enum_t op_name = xed_operand_name(op);
if (operand_is_mem(op_name, &mem_addr, 0)) {
PEMU_read_mem(mem_addr,sizeof(target) , &target);
}
else if (operand_is_reg(op_name, ®_id)){
target = PEMU_get_reg(reg_id);
}
else{
int len = xed_decoded_inst_get_length(&xedd_g);
target = xed_decoded_inst_get_branch_displacement(&xedd_g) + pc + len;
}
return target;
}
static target_ulong Instrument_RET(const xed_inst_t * ins) {
target_ulong esp = PEMU_get_reg(XED_REG_ESP);
target_ulong target;
PEMU_read_mem(esp, sizeof(target), &target);
return target;
}
static void Instrument_CALL(const xed_inst_t* xi)
{
#ifdef DEBUG
fprintf(stdout, "txt:instrument_call\n");
#endif
xed_reg_enum_t reg_id;
unsigned int dest = 0, taint = 0;
uint32_t buf;
char *fname;
const xed_operand_t *op = xed_inst_operand(xi, 0);
xed_operand_enum_t op_name = xed_operand_name(op);
API_TYPE type;
INST *inst;
if(operand_is_mem4(op_name, &dest, 0)){
int mem_idx = op_name == XED_OPERAND_MEM1 ? 1 : 0;
xed_reg_enum_t base_regid =
xed_decoded_inst_get_base_reg(&xedd_g, mem_idx);
PEMU_read_mem(dest, 4, &buf);
dest = buf;
if(taint = t_get_reg_taint(base_regid)){
#ifdef DEBUG
fprintf(stdout, "txt: indirect call1\n");
#endif
if(type = is_api_call(dest, &fname)){
goto API_CALL;
}else{
insert_pc_addr(taint, 2);
}
}else if(taint = t_get_mem_taint(dest)){
#ifdef DEBUG
fprintf(stdout, "txt: indirect call2\n");
#endif
if(type = is_api_call(dest, &fname)){
goto API_CALL;
}else{
insert_pc_addr(taint, 2);
}
}
return;
}else if(operand_is_reg(op_name, ®_id)){
#ifdef DEBUG
fprintf(stdout, "txt: indirect call3\n");
#endif
if(taint = t_get_reg_taint(reg_id)){
insert_pc_addr(taint, 2);
dest = PEMU_get_reg(reg_id);
if(type = is_api_call(dest, &fname)){
goto API_CALL;
}else{
insert_pc_addr(taint, 2);
}
}
return;
}else if(operand_is_relbr(op_name, &dest)){
dest += (g_pc + xed_decoded_inst_get_length(&xedd_g));
if(type = is_api_call(dest, &fname)){
#ifdef DEBUG
fprintf(stdout, "is_api_call\t%x\t%x\n", dest, type);
#endif
goto REST;
}
return;
}
API_CALL:
inst = get_inst(taint);
// api_copy(&inst->api_call, get_api_call(dest));
REST:
#ifdef DEBUG
fprintf(stdout, "taint:\t%x\t%x\n", taint, dest);
#endif
t_set_reg_taint(XED_REG_EAX, 0);
handle_api_issues(get_api_call(dest), 0);
}
/*****************interface functions********************/
void handle_data_rewrite(const xed_inst_t* xi) {
unsigned int value = 0, mem_addr = 0, begin = 0, end = 0;
xed_reg_enum_t reg_id_0;
if(data_func[0] == 0){
setup_data_taint();
}
xed_iclass_enum_t opcode = xed_decoded_inst_get_iclass(&xedd_g);
const xed_operand_t *op1 = xed_inst_operand(xi, 1);
xed_operand_enum_t op_name1 = xed_operand_name(op1);
const xed_operand_t *op0 = xed_inst_operand(xi, 0);
xed_operand_enum_t op_name0 = xed_operand_name(op0);
//dependence data store data addresses
unsigned int taint = 0;
int mem_idx;
if(opcode != XED_ICLASS_LEA){
if(operand_is_mem4(op_name0, &mem_addr, 0)){
mem_idx = op_name0 == XED_OPERAND_MEM1 ? 1 : 0;
xed_reg_enum_t base_regid =
xed_decoded_inst_get_base_reg(&xedd_g, mem_idx);
if((base_regid != XED_REG_INVALID)){
if(taint = d_get_reg_taint(base_regid)){
update_mem_val_type(taint, 1, API_NONE, 0);
value = get_mem_val(taint)->val;
insert_dependence_data(mem_addr,xed_decoded_inst_operand_length(&xedd_g, 0));
/*
if(value < mem_addr)//value is root
insert_dependence_data(value,
mem_addr + xed_decoded_inst_operand_length(&xedd_g, 0) - value);
else{
insert_dependence_data(mem_addr,
value > mem_addr + xed_decoded_inst_operand_length(&xedd_g, 0) ?
value : mem_addr + xed_decoded_inst_operand_length(&xedd_g, 0) - mem_addr);
}*/
}
}
}else if(operand_is_mem4(op_name1, &mem_addr, 1)){
mem_idx = op_name1 == XED_OPERAND_MEM1 ? 1 : 0;
xed_reg_enum_t base_regid =
xed_decoded_inst_get_base_reg(&xedd_g, mem_idx);
xed_reg_enum_t index_regid =
xed_decoded_inst_get_index_reg(&xedd_g, mem_idx);
if((base_regid != XED_REG_INVALID)){
int a = 0,b = 0;
a = PEMU_get_reg(base_regid);
b = PEMU_get_reg(index_regid);
if(index_regid!=XED_REG_INVALID && b>a){
if((taint = d_get_reg_taint(index_regid))&&mem_taint==0)
{
update_mem_val_type(taint, 1, API_NONE, 0);
value = get_mem_val(taint)->val;
insert_dependence_data(mem_addr,xed_decoded_inst_operand_length(&xedd_g, 0));
}
}else if((taint = d_get_reg_taint(base_regid))&&mem_taint==0){
update_mem_val_type(taint, 1, API_NONE, 0);
value = get_mem_val(taint)->val;
insert_dependence_data(mem_addr,xed_decoded_inst_operand_length(&xedd_g, 0));
}
}
}
}
//taint source:
if(opcode == XED_ICLASS_PUSH ){
if(operand_is_mem4(op_name0, &mem_addr, 0)){
if(is_dependence_addr(mem_addr) && !is_d_written(mem_addr)){
unsigned int esp = PEMU_get_reg(XED_REG_ESP) - 4;
#ifdef DEBUG
fprintf(stdout, "taint source:\t%x\n", mem_addr);
#endif
d_set_mem_taint_bysize(esp, mem_addr, 4);
PEMU_read_mem(mem_addr, 4, &value);
insert_mem_val(mem_addr, value);
}
}
}else
if(opcode == XED_ICLASS_JMP || opcode == XED_ICLASS_CALL_NEAR) {
if(operand_is_mem4(op_name0, &mem_addr, 0)){
if(is_dependence_addr(mem_addr) && !is_d_written(mem_addr)){
#ifdef DEBUG
fprintf(stdout, "taint source:\t%x\n", mem_addr);
#endif
d_set_mem_taint_bysize(mem_addr, mem_addr, 4);
PEMU_read_mem(mem_addr, 4, &value);
insert_mem_val(mem_addr, value);
}
}
}else{
if(opcode != XED_ICLASS_LEA && operand_is_mem4(op_name1, &mem_addr, 1)){
if(is_dependence_addr(mem_addr) && !is_d_written(mem_addr)){
if(operand_is_reg(op_name0, ®_id_0)){
#ifdef DEBUG
fprintf(stdout, "taint source:\t%x\n", mem_addr);
#endif
d_set_reg_taint(reg_id_0, mem_addr);
PEMU_read_mem(mem_addr, 4, &value);
insert_mem_val(mem_addr, value);
}else{
fprintf(stderr, "error in handle_data_rewrite\n");
exit(0);
}
return;
}
}
}
//propagation
data_func[opcode](xi);
}
/*****************interface functions********************/
void handle_txt_rewrite(const xed_inst_t* xi) {
uint32_t value = 0, taint = 0;
int i = 0;
const xed_operand_t *op;
xed_operand_enum_t op_name;
unsigned int mem_addr;
if(txt_func[0] == 0){
setup_txt_taint();
}
int noperands = xed_inst_noperands(xi);
xed_iclass_enum_t opcode = xed_decoded_inst_get_iclass(&xedd_g);
noperands = noperands > 2 ? 2 : noperands;
for( i = 0; i < noperands ; i++){
/* Immediate */
op = xed_inst_operand(xi, i);
op_name = xed_operand_name(op);
if(opcode == XED_ICLASS_LEA)//hardcode
continue;
if(operand_is_imm(op_name, &value))
insert_pc_imm(g_pc, value);
if(operand_is_mem4(op_name, &mem_addr, i)){
unsigned int taint;
unsigned int displacement = 0;
int mem_idx = op_name == XED_OPERAND_MEM1 ? 1 : 0;
if(xed_operand_written(op))
insert_d_written(mem_addr);
xed_reg_enum_t base_regid =
xed_decoded_inst_get_base_reg(&xedd_g, mem_idx);
xed_reg_enum_t index_regid =
xed_decoded_inst_get_index_reg(&xedd_g, mem_idx);
displacement =
(unsigned int)
xed_decoded_inst_get_memory_displacement(&xedd_g,
mem_idx);
#if 0
if((base_regid != XED_REG_INVALID)) {//indirect mem access
if((taint = t_get_reg_taint(base_regid)) && (mem_taint == 0)) {//base reg
unsigned int imm = get_pc_imm(taint);
//yang
insert_pc_addr(taint, 1);
insert_dependence_data(mem_addr, xed_decoded_inst_operand_length(&xedd_g, i));
} else if(mem_taint != 0) { //displacement
insert_pc_addr(g_pc, 3);
insert_dependence_data(mem_addr, xed_decoded_inst_operand_length(&xedd_g, i));
}
} else if(index_regid != XED_REG_INVALID) {
if((taint = t_get_reg_taint(index_regid)) && (mem_taint ==0)) {
insert_pc_addr(taint, 1);
insert_dependence_data(mem_addr, xed_decoded_inst_operand_length(&xedd_g, i));
} else if(mem_taint != 0) {
insert_pc_addr(g_pc, 3);
insert_dependence_data(mem_addr, xed_decoded_inst_operand_length(&xedd_g, i));
}
} else if(displacement > 0) {//displacement
insert_dependence_data(displacement,
mem_addr + xed_decoded_inst_operand_length(&xedd_g, i) - displacement);
insert_pc_addr(g_pc, 3);
}
#endif
switch(find_min_dist(mem_addr, g_base, g_index, g_disp)) {
case 1:
if(taint = t_get_reg_taint(base_regid)) {
insert_pc_addr(taint, 1);
insert_dependence_data(mem_addr, xed_decoded_inst_operand_length(&xedd_g, i));
}
break;
case 2:
if(taint = t_get_reg_taint(index_regid)) {
insert_pc_addr(taint, 1);
insert_dependence_data(mem_addr, xed_decoded_inst_operand_length(&xedd_g, i));
}
break;
case 3:
insert_dependence_data(displacement,
mem_addr + xed_decoded_inst_operand_length(&xedd_g, i) - displacement);
insert_pc_addr(g_pc, 3);
break;
default:
break;
}
}
}
unsigned int esp;
xed_reg_enum_t dest_r;
op_name = xed_operand_name(xed_inst_operand(xi, 0));
if(value != 0){//taint source
switch(opcode){
case XED_ICLASS_PUSH:
esp = PEMU_get_reg(XED_REG_ESP) - 4;
t_set_mem_taint_bysize(esp, g_pc, 4);
break;
case XED_ICLASS_MOV:
if(operand_is_mem4(op_name, &mem_addr, 0)){
t_set_mem_taint_bysize(mem_addr, g_pc,
xed_decoded_inst_operand_length(&xedd_g, 0));
}else if(operand_is_reg(op_name, &dest_r)){
t_set_reg_taint(dest_r, g_pc);
}
break;
defalut:
break;
}
return;
}
//propagation
txt_func[opcode](xi);
}
static int operand_is_mem(const xed_operand_enum_t op_name, uint32_t* mem_addr,
int operand_i)
{
// xed_reg_enum_t basereg;
switch (op_name) {
/* Memory */
case XED_OPERAND_AGEN:
case XED_OPERAND_MEM0:
case XED_OPERAND_MEM1:{
unsigned long base = 0;
unsigned long index = 0;
unsigned long scale = 1;
unsigned long segbase = 0;
unsigned short segsel = 0;
unsigned long displacement = 0;
// size_t remaining = 0;
/* Set memory index */
int mem_idx = 0;
if (op_name == XED_OPERAND_MEM1)
mem_idx = 1;
// unsigned int memlen =
// xed_decoded_inst_operand_length(&PEMU_xedd_g, operand_i);
/* Initialization */
base = 0;
index = 0;
scale = 0;
segbase = 0;
segsel = 0;
displacement = 0;
xed_reg_enum_t seg_regid =
xed_decoded_inst_get_seg_reg(&xedd_g, mem_idx);
if (seg_regid != XED_REG_INVALID)
segbase =PEMU_get_seg(seg_regid);
// Get Base register
xed_reg_enum_t base_regid =
xed_decoded_inst_get_base_reg(&xedd_g, mem_idx);
if (base_regid != XED_REG_INVALID) {
base = PEMU_get_reg(base_regid);
}
// Get Index register and Scale
xed_reg_enum_t index_regid =
xed_decoded_inst_get_index_reg(&xedd_g, mem_idx);
if (mem_idx == 0 && index_regid != XED_REG_INVALID) {
index = PEMU_get_reg(index_regid);
if (xed_decoded_inst_get_scale
(&xedd_g, operand_i) != 0) {
scale =
(unsigned long)
xed_decoded_inst_get_scale(&xedd_g,
mem_idx);
}
}
displacement =
(unsigned long)
xed_decoded_inst_get_memory_displacement(&xedd_g,
mem_idx);
*mem_addr =
segbase + base + index * scale + displacement;
return 1;
}
default:
return 0;
}
}
static void Instrument_CALL(const xed_inst_t* xi)
{
#ifdef DEBUG
fprintf(stdout, "data:instrument_call\n");
#endif
xed_reg_enum_t reg_id;
uint32_t buf;
unsigned int value = 0, dest = 0;
const xed_operand_t *op = xed_inst_operand(xi, 0);
xed_operand_enum_t op_name = xed_operand_name(op);
char *fname = 0;
unsigned int taint = 0;
API_TYPE type;
//TODO: value may be plt call
if(operand_is_mem4(op_name, &dest, 0)){
int mem_idx = op_name == XED_OPERAND_MEM1 ? 1 : 0;
xed_reg_enum_t base_regid =
xed_decoded_inst_get_base_reg(&xedd_g, mem_idx);
PEMU_read_mem(dest, 4, &buf);
dest = buf;
if(taint = d_get_reg_taint(base_regid)){
if(type = is_api_call(dest, &fname)){
// update_mem_val_type(taint, 2, type, fname);
goto API_CALL;
}else{
update_mem_val_type(taint, 2, API_NONE, 0);
}
}else if(taint = d_get_mem_taint(dest)){
if(type = is_api_call(dest, &fname)){
// update_mem_val_type(taint, 2, type, fname);
goto API_CALL;
}else{
update_mem_val_type(taint, 2, API_NONE, 0);
}
}
/*
else if(taint = t_get_reg_taint(base_regid))
{
uint32_t mem_addr=dest;
PEMU_read_mem(dest, 4, buf);
dest = *(unsigned int*)buf;
insert_mem_val(mem_addr, dest);
if(type = is_api_call(dest, &fname)){
update_mem_val_type(mem_addr, 2, type, fname);
}else{
update_mem_val_type(mem_addr, 2, API_NONE, 0);
}
}else if(base_regid==XED_REG_INVALID)
{
uint32_t mem_addr=dest;
PEMU_read_mem(dest, 4, buf);
dest = *(unsigned int*)buf;
insert_mem_val(mem_addr, dest);
if(type = is_api_call(dest, &fname)){
update_mem_val_type(mem_addr, 2, type, fname);
}else{
update_mem_val_type(mem_addr, 2, API_NONE, 0);
}
}*/
return;
}else if(operand_is_reg(op_name, ®_id)){
if(taint = d_get_reg_taint(reg_id)){
dest = PEMU_get_reg(reg_id);
if(type = is_api_call(dest, &fname)){
// update_mem_val_type(taint, 2, type, fname);
goto API_CALL;
}else{
update_mem_val_type(taint, 2, API_NONE, 0);
}
}
return;
}else if(operand_is_relbr(op_name, &dest)){
dest += (g_pc + xed_decoded_inst_get_length(&xedd_g));
if(type = is_api_call(dest, &fname)){
#ifdef DEBUG
fprintf(stdout, "is_api_call\t%x\t%x\n", dest, type);
#endif
goto REST;
}
return;
}
API_CALL:
update_mem_val_type(taint, 2, type, fname);
//api_copy(&inst->api_call, get_api_call(dest));
REST:
handle_api_issues(get_api_call(dest), 1);
}