int main(int argc, char * argv[]){ //If we want to debug the program manually setup the proper options in order to attach an external debugger if(Config::ATTACH_DEBUGGER){ initDebug(); } MYINFO("Strating prototype ins"); FilterHandler *filterH = FilterHandler::getInstance(); //set the filters for the libraries MYINFO("%s",Config::FILTER_WRITES_ENABLES.c_str()); filterH->setFilters(Config::FILTER_WRITES_ENABLES); //get the start time of the execution (benchmark) tStart = clock(); // Initialize pin PIN_InitSymbols(); if (PIN_Init(argc, argv)) return Usage(); INS_AddInstrumentFunction(Instruction,0); PIN_AddThreadStartFunction(OnThreadStart, 0); // Register ImageUnload to be called when an image is unloaded IMG_AddInstrumentFunction(imageLoadCallback, 0); // Register Fini to be called when the application exits PIN_AddFiniFunction(Fini, 0); // Start the program, never returns PIN_StartProgram(); return 0; }
// - retrive the stack base address static VOID OnThreadStart(THREADID, CONTEXT *ctxt, INT32, VOID *){ ADDRINT stackBase = PIN_GetContextReg(ctxt, REG_STACK_PTR); FilterHandler *filterH = FilterHandler::getInstance(); filterH->setStackBase(stackBase); }
// - Get initial entropy // - Get PE section data // - Add filtered library void imageLoadCallback(IMG img,void *){ Section item; static int va_hooked = 0; //get the initial entropy of the PE //we have to consder only the main executable and avìvoid the libraries if(IMG_IsMainExecutable(img)){ ProcInfo *proc_info = ProcInfo::getInstance(); //get the address of the first instruction proc_info->setFirstINSaddress(IMG_Entry(img)); //get the program name proc_info->setProcName(IMG_Name(img)); //get the initial entropy MYINFO("----------------------------------------------"); float initial_entropy = proc_info->GetEntropy(); proc_info->setInitialEntropy(initial_entropy); MYINFO("----------------------------------------------"); //retrieve the section of the PE for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){ item.name = SEC_Name(sec); item.begin = SEC_Address(sec); item.end = item.begin + SEC_Size(sec); proc_info->insertSection(item); } //DEBUG proc_info->PrintSections(); } //build the filtered libtrary list FilterHandler *filterH = FilterHandler::getInstance(); ADDRINT startAddr = IMG_LowAddress(img); ADDRINT endAddr = IMG_HighAddress(img); const string name = IMG_Name(img); if(!IMG_IsMainExecutable(img) && filterH->isKnownLibrary(name)){ /* searching for VirtualAlloc */ RTN rtn = RTN_FindByName( img, "VirtualAlloc"); if(rtn != RTN_Invalid()){ MYINFO("BECCATO LA VIRTUAL ALLOC\n"); ADDRINT va_address = RTN_Address(rtn); MYINFO("Address of VirtualAlloc: %08x\n" , va_address); RTN_Open(rtn); RTN_InsertCall(rtn, IPOINT_AFTER, (AFUNPTR)VirtualAllocHook , IARG_G_ARG0_CALLEE , IARG_G_ARG1_CALLEE , IARG_G_RESULT0, IARG_END); RTN_Close(rtn); } filterH->addLibrary(name,startAddr,endAddr); } }
// - Get initial entropy // - Get PE section data // - Add filtered library // - Add protected libraries void imageLoadCallback(IMG img,void *){ Section item; static int va_hooked = 0; ProcInfo *proc_info = ProcInfo::getInstance(); FilterHandler *filterHandler = FilterHandler::getInstance(); //get the initial entropy of the PE //we have to consder only the main executable and avìvoid the libraries if(IMG_IsMainExecutable(img)){ ADDRINT startAddr = IMG_LowAddress(img); ADDRINT endAddr = IMG_HighAddress(img); proc_info->setMainIMGAddress(startAddr, endAddr); //get the address of the first instruction proc_info->setFirstINSaddress(IMG_Entry(img)); //get the program name proc_info->setProcName(IMG_Name(img)); //get the initial entropy MYINFO("----------------------------------------------"); float initial_entropy = proc_info->GetEntropy(); proc_info->setInitialEntropy(initial_entropy); MYINFO("----------------------------------------------"); //create Report File Report::getInstance()->initializeReport(proc_info->getProcName(), startAddr, endAddr , initial_entropy); //retrieve the section of the PE for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){ item.name = SEC_Name(sec); item.begin = SEC_Address(sec); item.end = item.begin + SEC_Size(sec); proc_info->insertSection(item); } proc_info->PrintSections(); } //build the filtered libtrary list ADDRINT startAddr = IMG_LowAddress(img); ADDRINT endAddr = IMG_HighAddress(img); const string name = IMG_Name(img); if(!IMG_IsMainExecutable(img)){ //*** If you need to protect other sections of other dll put them here *** // check if there are some fuction that has top be hooked in this DLL hookFun.hookDispatcher(img); // check if we have to filter this library during thwe instrumentation proc_info->addLibrary(name,startAddr,endAddr); if(filterHandler->IsNameInFilteredArray(name)){ filterHandler->addToFilteredLibrary(name,startAddr,endAddr); MYINFO("Added to the filtered array the module %s\n" , name); } } }
int mainOLD(int argc, char** argv) { cout << "creating cloud..."; PointCloud<PointXYZ>::Ptr cloud = createCloud("bun.pcd"); cout << "DONE" << endl; cout << "filtering cloud..."; FilterHandler * filter = new FilterHandler(cloud, "bun_filtered.pcd"); cloud = filter->passThroughFilter("z", 0.0, 1); cout << "DONE" << endl; cout << "calculating normals..."; NormalCalculator * normals = new NormalCalculator(cloud); normals->getReady(20); normals->calculate(); cout << "DONE" << endl; cout << "merging normals with cloud..."; PointCloud<PointNormal>::Ptr cloud_w_normals = normals->mergeCloudWithNormals(); cout << "DONE" << endl; cout << "building the mesh..."; PolygonMesh mesh = buildMesh(cloud_w_normals, "bun.vtk", 0.025, 2.5, 100, M_PI/4, M_PI/18, 2*M_PI/3, false); cout << "DONE" << endl; showMesh(mesh); return 0; }
void imageLoadCallback(IMG img,void *){ //get the initial entropy of the PE //we have to consder only the main executable and avìvoid the libraries if(IMG_IsMainExecutable(img)){ ProcInfo *proc_info = ProcInfo::getInstance(); proc_info->setFirstINSaddress(IMG_Entry(img)); MYLOG("INIT : %08x", proc_info->getFirstINSaddress()); MYLOG("----------------------------------------------"); float initial_entropy = proc_info->GetEntropy(); proc_info->setInitialEntropy(initial_entropy); MYLOG("----------------------------------------------"); for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){ Section item; item.name = SEC_Name(sec); item.begin = SEC_Address(sec); item.end = item.begin + SEC_Size(sec); proc_info->insertSection(item); } proc_info->PrintSections(); } FilterHandler *filterH = FilterHandler::getInstance(); ADDRINT startAddr = IMG_LowAddress(img); ADDRINT endAddr = IMG_HighAddress(img); const string name = IMG_Name(img); if(!IMG_IsMainExecutable(img) && filterH->isKnownLibrary(name)){ filterH->addLibrary(name,startAddr,endAddr); } }
int main(int argc, char * argv[]) { MYLOG("Strating prototype ins\n"); FilterHandler *filterH = FilterHandler::getInstance(); filterH->setFilters("teb"); tStart = clock(); // Initialize pin PIN_InitSymbols(); if (PIN_Init(argc, argv)) return Usage(); // TRACE_AddInstrumentFunction(Trace,0); INS_AddInstrumentFunction(Instruction,0); PIN_AddThreadStartFunction(OnThreadStart, 0); // Register ImageLoad to be called when an image is loaded IMG_AddInstrumentFunction(imageLoadCallback, 0); // Register ImageUnload to be called when an image is unloaded IMG_AddUnloadFunction(ImageUnloadCallback, 0); //PIN_AddApplicationStartFunction(bootstrap, 0); // Register Fini to be called when the application exits PIN_AddFiniFunction(Fini, 0); // Start the program, never returns PIN_StartProgram(); return 0; }
void PINshield::avoidEvasion(INS ins){ ADDRINT curEip = INS_Address(ins); ProcInfo *pInfo = ProcInfo::getInstance(); Config *config = Config::getInstance(); FilterHandler *filterHandler = FilterHandler::getInstance(); //Filter instructions inside a known library (only graphic dll) if(filterHandler->isFilteredLibraryInstruction(curEip)){ return; } // Pattern matching in order to avoid the dead path of obsidium if(strcmp( (INS_Disassemble(ins).c_str() ),"xor eax, dword ptr [edx+ecx*8+0x4]") == 0){ MYTEST("Obsidium_evasion"); REGSET regsIn; REGSET_AddAll(regsIn); REGSET regsOut; REGSET_AddAll(regsOut); if(INS_HasFallThrough(ins)){ INS_InsertCall(ins,IPOINT_AFTER,(AFUNPTR)KillObsidiumDeadPath, IARG_PARTIAL_CONTEXT, ®sIn, ®sOut,IARG_END); } } // 1 - single instruction detection if(config->ANTIEVASION_MODE_INS_PATCHING && this->evasionPatcher.patchDispatcher(ins, curEip)){ return; } // 2 - memory read // Checking if there is a read at addresses that the application shouldn't be aware of if(config->ANTIEVASION_MODE_SREAD){ for (UINT32 op = 0; op<INS_MemoryOperandCount(ins); op++) { if (INS_MemoryOperandIsRead(ins,op)) { //if first read initialize the FakeReadHandler if(firstRead == 0){ fakeMemH.initFakeMemory(); firstRead=1; } REG scratchReg = GetScratchReg(op); INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(handleRead), IARG_INST_PTR, IARG_MEMORYOP_EA, op, IARG_PTR, &fakeMemH, IARG_RETURN_REGS, scratchReg, IARG_END); INS_RewriteMemoryOperand(ins, op, scratchReg); } } } //3. memory write filter if(config->ANTIEVASION_MODE_SWRITE){ for (UINT32 op = 0; op<INS_MemoryOperandCount(ins); op++) { if(INS_MemoryOperandIsWritten(ins,op) && INS_IsMov(ins)){ REG writeReg = GetScratchReg(op); INS_InsertCall(ins, IPOINT_BEFORE, AFUNPTR(handleWrite), IARG_INST_PTR, IARG_MEMORYOP_EA, op, IARG_PTR, &fakeWriteH, IARG_RETURN_REGS, writeReg, // this is an output param IARG_END); INS_RewriteMemoryOperand(ins, op, writeReg); } } } }
// - Get initial entropy // - Get PE section data // - Add filtered library void imageLoadCallback(IMG img,void *){ /*for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){ for( RTN rtn= SEC_RtnHead(sec); RTN_Valid(rtn); rtn = RTN_Next(rtn) ){ MYINFO("Inside %s -> %s",IMG_Name(img).c_str(),RTN_Name(rtn).c_str()); } }*/ Section item; static int va_hooked = 0; ProcInfo *proc_info = ProcInfo::getInstance(); FilterHandler *filterHandler = FilterHandler::getInstance(); //get the initial entropy of the PE //we have to consder only the main executable and avìvoid the libraries if(IMG_IsMainExecutable(img)){ ADDRINT startAddr = IMG_LowAddress(img); ADDRINT endAddr = IMG_HighAddress(img); proc_info->setMainIMGAddress(startAddr, endAddr); //get the address of the first instruction proc_info->setFirstINSaddress(IMG_Entry(img)); //get the program name proc_info->setProcName(IMG_Name(img)); //get the initial entropy MYINFO("----------------------------------------------"); float initial_entropy = proc_info->GetEntropy(); proc_info->setInitialEntropy(initial_entropy); MYINFO("----------------------------------------------"); //retrieve the section of the PE for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){ item.name = SEC_Name(sec); item.begin = SEC_Address(sec); item.end = item.begin + SEC_Size(sec); proc_info->insertSection(item); } //DEBUG proc_info->PrintSections(); } //build the filtered libtrary list ADDRINT startAddr = IMG_LowAddress(img); ADDRINT endAddr = IMG_HighAddress(img); const string name = IMG_Name(img); if(!IMG_IsMainExecutable(img)){ if(name.find("ntdll")!= std::string::npos){ for( SEC sec= IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec) ){ if(strcmp(SEC_Name(sec).c_str(),".text")==0){ proc_info->addProtectedSection(SEC_Address(sec),SEC_Address(sec)+SEC_Size(sec)); } } } //*** If you need to protect other sections of other dll put them here *** hookFun.hookDispatcher(img); proc_info->addLibrary(name,startAddr,endAddr); if(filterHandler->IsNameInFilteredArray(name)){ filterHandler->addToFilteredLibrary(name,startAddr,endAddr); MYINFO("Added to the filtered array the module %s\n" , name); } } }