def DIFT_store_address_dependency(self, data, calcAddress, opp, r2):
r = self.get_len(opp)
calc_tm = taint_mark()
data_tm = taint_mark()
print(
"DIFT_store_address_dependancy.219. data={}, calcAddress={}, opp={}"
.format(data, calcAddress, opp))
#calcAddress can either be a reg or taint mark
if type(calcAddress) == taint_mark:
calc_tm = calcAddress
print("DIFT_store_address_dependency.256 if calc_tm : {}".format(
calcAddress))
elif is_reg(calcAddress):
calc_tm.set_vals(calcAddress, True)
print("DIFT_store_address_dependency.258 elif calc_tm : {}".format(
calc_tm))
else:
print("DIFT_store_address_dependency.262 else: {} {} ".format(
type(calcAddress), calcAddress))
calc_tm.set_vals(calcAddress, False)
# calcAddress is a memory address..., but nothing is happening here.
#data is either constant, reg, or tm
if type(data) == taint_mark:
data_tm = data
print(
"DIFT_store_address_dependency.267. elif\n\tstore_address_dep: {} {}"
.format(data, calcAddress))
elif is_reg(data):
data_tm.set_vals(data, True)
print(
"DIFT_store_address_dependency.270. elif\n\tstore_address_dep: {} {}"
.format(data, calcAddress))
elif is_a_constant(data):
print(
"DIFT_store_address_dependency.272. elif\n\t data==const: data={}, "
"calcAddress={}, type(calcAddress)={}".format(
data, calcAddress, type(calcAddress)))
return calc_tm
else:
print("DIFT_store_address_dependency.275. data={}".format(data))
for i in range(r):
to = self.taint.get(data_tm.get_taint_rep(i))
frm = self.taint.get(calc_tm.get_taint_rep(i))
self.taint["vdtmp", i] = self.combine_taint(to, frm)
rt = taint_mark()
# What is tmp here and up there for?!?!
rt.set_vals("vdtmp", True)
rt.len = r
return rt
def DIFT_store_address_dependency(self, data, calcAddress, opp, r2):
r = self.get_arg_length(opp)
calc_tm = taint_mark()
data_tm = taint_mark()
skip = 0
#as long as get_len() works correctly the following should be good
"""
if r >= self.min_size_cutoff:
#skip the rest cause we are 32 or 64 bit and don't care
self.taint["SADtmp", 3] = 0
rt = taint_mark()
rt.set_taint("SADtmp", True)
rt.len = 1
return rt
"""
#calcAddress can either be a reg or taint mark
if is_reg(calcAddress):
calc_tm.set_taint(calcAddress, True)
elif type(calcAddress) == taint_mark:
calc_tm = calcAddress
else:
print("Error.250")
#data is either constant, reg, or taint mark
if type(data) == taint_mark:
data_tm = data
elif is_reg(data):
data_tm.set_taint(data, True)
#minos cares about the size of a constant
#so we will need to adjust this
elif is_a_constant(data):
if r < 4:
self.taint["SADtmp", 3] = 1
skip = 1
else:
self.taint["SADtmp", 3] = 0
skip = 1
else:
print("Error.268")
if not skip:
#Always do the lower 32 bits ex (eax and less)
to = data_tm.get_taint_rep(0)
frm = calc_tm.get_taint_rep(0)
self.taint["SADtmp", 3] = self.combine_taint(to, frm)
rt = taint_mark()
rt.set_taint("SADtmp", True)
rt.len = r
return rt
def DIFT_load_address_dependency(self, address, calcAddress, opp, r2):
address_tm = taint_mark()
address_tm.set_vals(int(address, 16), False)
calc_tm = taint_mark()
r = self.get_len(opp)
taint_rep = calcAddress.get_taint_rep(0) if type(
calcAddress) == taint_mark else calcAddress
print(
"DIFT_load_address_dependancy.219. address={}, calcAddress={}, opp={}, r={}"
.format(address, taint_rep, opp, r))
if type(calcAddress) == taint_mark:
calc_tm = calcAddress
elif is_reg(calcAddress):
calc_tm.set_vals(calcAddress, True)
elif is_a_constant(calcAddress):
#if we don't use anything to calculate address return
return address_tm
else:
print("DIFT_load_address_dependency.227")
for i in range(r):
to = self.taint.get(address_tm.get_taint_rep(i))
frm = self.taint.get(calc_tm.get_taint_rep(i))
self.taint["vdtmp1", i] = self.combine_taint(to, frm)
print(
"DIFT_load_address_dependancy.233. i={}, to={}, frm={}, taint={}"
.format(i, to, frm, self.taint["vdtmp1", i]))
rt = taint_mark()
rt.set_vals("vdtmp1", True)
rt.len = r
return rt
def DIFT_computation_dependency(self, dst, src, r2):
""" DIFT_computation_dependency
: dst = arg1 :
: arg1 :
"""
#always return a taint_mark
#unless you throw an error and die
dst_tm = taint_mark()
src_tm = taint_mark()
#arg1 must always be a reg
if is_reg(dst):
dst_tm.set_vals(dst, True)
else:
print("DIFT_computation_dependency.193. dst={}, src={}".format(
dst, src))
exit() # I commented this out, evidentally...
if is_a_constant(src):
#if arg2 is a constant we just return dst_tm
dst_tm.len = self.get_len(dst)
return dst_tm
elif type(src) == taint_mark:
src_tm = src
elif is_reg(src):
src_tm.set_vals(src, True)
else:
print("Arg2: {}, Arg2 type: {}".format(src, type(src)))
exit()
r = get_arg_length(dst)
for i in range(r):
to = dst_tm.get_taint_rep(i)
frm = src_tm.get_taint_rep(i)
self.taint["vdtmp2", i] = self.combine_taint(to, frm)
rt = taint_mark()
rt.set_vals("vdtmp2", True)
rt.len = r
return rt
def DIFT_computation_dependency(self, arg1, arg2, r2):
#always return a taint_mark
#unless you throw an error and die
dst_tm = taint_mark()
src_tm = taint_mark()
#arg1 seems to always be a reg
if is_reg(arg1):
dst_tm.set_taint(arg1, True)
else:
print("Error in DIFT_computation_dependency line 145")
exit()
if is_a_constant(arg2):
#if arg2 is a constant we just return src_tm
dst_tm.len = self.get_arg_length(arg1)
return dst_tm
elif type(arg2) == taint_mark:
src_tm = arg2
elif is_reg(arg2):
src_tm.set_taint(arg2, True)
else:
print("Error in DIFT_computation_dependency line 157")
exit()
r = self.get_arg_length(arg1)
for i in range(self.size):
to = dst_tm.get_taint_rep(i)
frm = src_tm.get_taint_rep(i)
try:
self.taint["tmp1", i] = self.combine_taint(to, frm)
except KeyError:
break
rt = taint_mark()
rt.set_taint("tmp1", True)
rt.len = r
return rt
def DIFT_load_address_dependency(self, address, calcAddress, opp, r2):
"""
8 and 16 bit immediate values taint their destinations
"""
address_tm = taint_mark()
address_tm.set_taint(int(address, 16), False)
calc_tm = taint_mark()
r = self.get_arg_length(opp)
skip = 0
#print("len opp was {}".format(r))
"""
if r >= self.min_size_cutoff:
#skip the rest cause we are 32 or 64 bit and don't care
self.taint["LADtmp", 3] = 0
rt = taint_mark()
rt.set_taint("LADtmp", True)
rt.len = 1
return rt
"""
if type(calcAddress) == taint_mark:
calc_tm = calcAddress
elif is_reg(calcAddress):
calc_tm.set_taint(calcAddress, True)
elif is_a_constant(calcAddress):
if r < 4:
self.taint["LADtmp", 3] = 1
skip = 1
else:
self.taint["LADtmp", 3] = 0
skip = 1
else:
print("Error.211")
if not skip:
#Always do the lower 32 bits ex (eax)
to = address_tm.get_taint_rep(0)
frm = calc_tm.get_taint_rep(0)
self.taint["LADtmp", 3] = self.combine_taint(to, frm)
rt = taint_mark()
rt.set_taint("LADtmp", True)
rt.len = r
return rt
def DIFT_copy_dependency(self, toLocation, fromData, to_len, r2):
"""
For MINOS if copy to memory is not 32 bit alligned it is tainted
8 and 16 bit pieces of data taint all 32 bits of data
"""
r = 0
to_taint_mark = taint_mark()
from_taint_mark = taint_mark()
#fromData can be a reg, a mem location or a taint_mark from a previous
#calculation
if type(fromData) == taint_mark:
from_taint_mark = fromData
r = fromData.len
elif is_reg(fromData):
from_taint_mark.set_taint(fromData, True)
elif is_a_constant(fromData):
#I might need to fix this so that if it is a immediate < 32 bits
#we taint it
self.clear_taint(to_taint_mark)
return
else:
print("Error.88")
exit()
if r == 0:
r = self.get_reg_length(toLocation)
#make sure taint mark exists first
#return otherwise
if (not from_taint_mark.is_init) or (type(
self.taint.get(from_taint_mark.get_taint_rep(0))) != int):
return
#toLocation can only be a register or a mem location I think
if is_reg(toLocation):
to_taint_mark.set_taint(toLocation, True)
#the following is the integrety check for functions that change (R|E)IP
#need a check here to make sure the register is not rip/eip
#if so we need need to throw an allert to warn of
#"integrety check failed"
reg_name, dc = to_taint_mark.get_taint_rep(0)
if reg_name == "rip":
#instruction is a ret nothing else should set rip
#check from location
fmt = from_taint_mark.get_taint_rep(0)
tm = self.taint.get(fmt)
if tm == 1:
print("Integrety Check Failed exiting!")
print(from_taint_mark.get_taint_rep(0))
return
elif is_a_constant(toLocation):
to_taint_mark.set_taint(int(toLocation, 16), False)
r = to_len
elif type(toLocation) == taint_mark:
r = toLocation.len
else:
print("Make sure toLocation is not a taint_mark?")
exit()
#Do the actual taint copying
for i in range(self.size):
to = to_taint_mark.get_taint_rep(i)
frm = from_taint_mark.get_taint_rep(i)
try:
self.taint[to] = self.taint[frm]
except KeyError:
break
def DIFT_copy_dependency(self,
toLocation,
fromData,
to_len,
r2,
debug=False,
space=''):
# Ignore xmm registers.
r = 0
to_taint_mark = taint_mark()
from_taint_mark = taint_mark()
space += ' '
# toLocation=w2
# fromData=vdtmp1 // The taint we want to propogate from the add ldrb w2, w1, w0
print(
space +
"DIFT_copy_dependancy:83. toLocation={}, type()={}, fromData={}, type={}, to_len={}"
.format(toLocation, type(toLocation), fromData, type(fromData),
to_len))
#fromData can be a reg, a mem location or a taint_mark from a previous
#calculation
# toLocation=tmp, fromData=sp (offset of 44)
if type(fromData) == taint_mark:
from_taint_mark = fromData
r = fromData.len
elif is_reg(fromData):
if True:
print("fromData is register: {}".format(fromData))
from_taint_mark.set_vals(fromData, True)
elif is_a_constant(fromData):
self.clear_taint(to_taint_mark)
return None
else:
print(space +
"DIFT_copy_dependency:100. toLocation={}, fromData={}".
format(toLocation, fromData))
exit()
if self.debug_help:
print("TO LOCATION")
print(toLocation)
print("FROM DATA")
print(fromData)
if type(fromData) == taint_mark:
print(fromData.get_taint_rep(0))
if self.taint.get(fromData.get_taint_rep(0)) != self.arrtype:
print(self.taint.get(from_taint_mark.get_taint_rep(0)))
#make sure taint mark exists first
#return otherwise
if (not from_taint_mark.is_init) or\
(type(self.taint.get(from_taint_mark.get_taint_rep(0))) != self.arrtype):
if self.debug_help or debug:
pstr = {k: len(l) for k, l in self.taint.items() if l != None}
print("DEBUG - self.taint: {}".format(pstr))
print("DEBUG - self.taint.get(FTM) = {}".format(
self.taint.get(from_taint_mark.get_taint_rep(0))))
print("DEBUG - from_taint_mark.get_taint_rep(0) = {}".format(
from_taint_mark.get_taint_rep(0)))
print("\n\t{}\n\t{}".format(
type(self.taint.get(from_taint_mark.get_taint_rep(0))),
self.arrtype))
print(space + 'DIFT_copy_dependancy.130. return nothing {}'.format(
from_taint_mark.is_init))
return
#toLocation can only be a register or a mem location I think
if is_reg(toLocation):
to_taint_mark.set_vals(toLocation, True)
elif is_a_constant(toLocation):
to_taint_mark.set_vals(int(toLocation, 16), False)
r = to_len
elif type(toLocation) == taint_mark:
r = toLocation.len
else:
print(
space +
"DIFT_copy_dependancy.140: type(toLocation)={}, toLocation={}, is_a_constant(toLocation)={}"
.format(type(toLocation), toLocation, is_a_constant(
toLocation)))
exit()
if r == 0:
r = get_reg_length(toLocation)
print(space + 'DIFT_copy_dependancy.146. r={}'.format(r))
#Do the actual taint copying
for i in range(r):
to = to_taint_mark.get_taint_rep(i)
frm = from_taint_mark.get_taint_rep(i)
print(space +
'DIFT_copy_dependancy.152. to={}, from={}'.format(to, frm))
try:
self.taint[to] = self.taint[frm]
print(
space +
'DIFT_copy_dependancy.155. taint[to]=taint=[frm], taint[to]={}, taint[frm]={}'
.format(self.taint[to], self.taint[frm]))
#print(self.taint[to])
except KeyError:
print(space + 'DIFT_copy_dependancy.158. KeyError')
#continue
break