def __initialize_analyzer(self):
self.__smt_solver = Z3Solver()
self.__smt_translator = SmtTranslator(self.__smt_solver, self.__arch.address_size)
self.__smt_translator.set_arch_alias_mapper(self.__arch.alias_mapper)
self.__smt_translator.set_arch_registers_size(self.__arch.registers_size)
self.__code_analyzer = CodeAnalyzer(self.__smt_solver, self.__smt_translator, self.__arch)
def setUp(self):
self._address_size = 32
self._parser = ReilParser()
self._solver = SmtSolver()
self._translator = SmtTranslator(self._solver, self._address_size)
self._arch_info = X86ArchitectureInformation(ARCH_X86_MODE_32)
self._translator.set_arch_alias_mapper(self._arch_info.alias_mapper)
self._translator.set_arch_registers_size(self._arch_info.registers_size)
def setUp(self):
self._arch_info = X86ArchitectureInformation(ARCH_X86_MODE_32)
self._operand_size = self._arch_info.operand_size
self._memory = MemoryMock()
self._smt_solver = SmtSolver()
self._smt_translator = SmtTranslator(self._smt_solver, self._operand_size)
self._smt_translator.set_arch_alias_mapper(self._arch_info.alias_mapper)
self._smt_translator.set_arch_registers_size(self._arch_info.registers_size)
self._disasm = X86Disassembler()
self._ir_translator = X86Translator()
self._bb_builder = BasicBlockBuilder(self._disasm, self._memory, self._ir_translator)
def setUp(self):
self._arch_info = ArmArchitectureInformation(ARCH_ARM_MODE_ARM)
self._smt_solver = SmtSolver()
self._smt_translator = SmtTranslator(self._smt_solver, self._arch_info.address_size)
self._ir_emulator = ReilEmulator(self._arch_info)
self._smt_translator.set_arch_alias_mapper(self._arch_info.alias_mapper)
self._smt_translator.set_arch_registers_size(self._arch_info.registers_size)
self._code_analyzer = CodeAnalyzer(self._smt_solver, self._smt_translator, self._arch_info)
self._g_classifier = GadgetClassifier(self._ir_emulator, self._arch_info)
self._g_verifier = GadgetVerifier(self._code_analyzer, self._arch_info)
def setUp(self):
self._arch_info = X86ArchitectureInformation(ARCH_X86_MODE_32)
self._smt_solver = SmtSolver()
self._smt_translator = SmtTranslator(self._smt_solver,
self._arch_info.address_size)
self._smt_translator.set_arch_alias_mapper(
self._arch_info.alias_mapper)
self._smt_translator.set_arch_registers_size(
self._arch_info.registers_size)
self._x86_parser = X86Parser(ARCH_X86_MODE_32)
self._x86_translator = X86Translator(ARCH_X86_MODE_32)
self._code_analyzer = CodeAnalyzer(self._smt_solver,
self._smt_translator,
self._arch_info)
def setUp(self):
self._address_size = 32
self._parser = ReilParser()
self._solver = SmtSolver()
self._translator = SmtTranslator(self._solver, self._address_size)
def barf_classify(gadget_map, printout=True):
arch_mode = ARCH_X86_MODE_32
arch_info = X86ArchitectureInformation(arch_mode)
translator = X86Translator(arch_mode)
instruction_parser = X86Parser(arch_mode)
ir_emulator = ReilEmulator(arch_info)
classifier = GadgetClassifier(ir_emulator, arch_info)
raw_gadgets = {}
typed_gadgets = []
for _, gadget in gadget_map.items():
# Translation cycle: from my emulator to BARF representation
classifiable = False
barf_instr_list = []
for _, instr in gadget.instructions.items():
# Parse a ROPInstruction into the BARF representation of an x86 instruction
barf_instr = instruction_parser.parse("{} {}".format(
instr.mnemonic, instr.op_str))
barf_instr.address = instr.address
try:
# Translate an x86 instruction into a list of REIL instructions
reil_transl_instrs = translator.translate(barf_instr)
barf_instr.ir_instrs = reil_transl_instrs
classifiable = True
except TranslationError:
classifiable = False
finally:
barf_instr_list.append(barf_instr)
# Classification of the gadgets
barf_g = RawGadget(barf_instr_list)
raw_gadgets[barf_g.address] = barf_g
if classifiable:
classified = classifier.classify(barf_g)
for tg in classified:
typed_gadgets.append(tg)
if printout:
print_gadgets_raw(list(raw_gadgets.values()), sys.stdout, 'addr', True,
'Raw Gadgets', False)
verified = []
unverified = []
solver = Z3Solver()
translator = SmtTranslator(solver, arch_info.address_size)
code_analyzer = CodeAnalyzer(solver, translator, arch_info)
verifier = GadgetVerifier(code_analyzer, arch_info)
for tg in typed_gadgets:
if verifier.verify(tg):
verified.append(tg)
else:
unverified.append(tg)
print_gadgets_typed(verified, sys.stdout, arch_info.address_size,
'Verified classification')
print_gadgets_typed(unverified, sys.stdout, arch_info.address_size,
'Unverified classification')
for tg in typed_gadgets:
if tg.address in raw_gadgets:
raw_gadgets.pop(tg.address)
print_gadgets_raw(list(raw_gadgets.values()), sys.stdout, 'addr',
False, 'Not classified', False)
return {tg.address: tg for tg in typed_gadgets}
