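def runStrings(vw, ea, uselocalagg=True):
    '''
    Emulate the function at ``ea`` and collect the strings built on its stack.

    Returns a list of (write log entry, decoded strings)
    where the write log is the tuple (pc, va, bytes)
    for the instruction that wrote the first byte of the string

    vw: vivisect workspace the emulator is created from
    ea: address of the function to emulate
    uselocalagg: True collects results into a per-call list handed to the
        visitor as ``res``; False routes them through a StringAccumulator
        and returns the values of its ``stringDict``
    '''
    emu = vw.getEmulator(True, True)

    # modify the stack base for the emulator - smaller mask & frame size
    # wasn't working for funcs with large locals frame size
    emu.stack_map_mask = e_bits.sign_extend(0xfff00000, 4, vw.psize)
    emu.stack_map_base = e_bits.sign_extend(0xbfb00000, 4, vw.psize)
    emu.stack_pointer = emu.stack_map_base + 16*4096

    # maxhit/maxloop presumably bound how often the emulator revisits code,
    # so a single call cannot spin on a loop in the analysed binary
    emu.runFunction(ea, maxhit=1, maxloop=1)
    logger = jayutils.getLogger('stack_graph')

    if uselocalagg:
        stringList = []
        jayutils.path_bfs(emu.path, stack_track_visitor, vw=vw, emu=emu, logger=logger, res=stringList)
        return stringList

    agg = StringAccumulator()
    jayutils.path_bfs(emu.path, stack_track_visitor, vw=vw, emu=emu, logger=logger, agg=agg)
    # materialise the view so both branches return a real list, as the
    # docstring promises (under Python 3 ``dict.values()`` is a non-indexable view)
    return list(agg.stringDict.values())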
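    def getPushArgs(self, va, num, regs=None):
        '''
        Locate the write-log / register entries for the first ``num`` arguments
        pushed before the instruction at ``va``.

        num -> first arg is 1, 2nd is 2, ...

        Returns a list of dicts whose key is the arg number (starting at 1, 2.. num)
        Each dict for a stack argument is a write log tuple (pc, va, bytes)
        Each dict for a register argument is a tuple (pc, value)
        Returns an empty list when ``va`` has no write-log entry.

        regs: optional list of registers handed to the RegMonitor; defaults to
            no registers.
        '''
        if regs is None:
            regs = []

        funcStart = idc.get_func_attr(va, idc.FUNCATTR_START)
        # The emulation result is cached per function: the va maps are only
        # rebuilt when ``va`` lies in a different function than the last call.
        # NOTE(review): the cache is keyed on funcStart alone, so a later call
        # for the same function with a different ``regs`` list keeps the
        # previous RegMonitor -- confirm callers never vary regs per function.
        if funcStart != self.lastFunc:
            emu = self.vw.getEmulator(True, True)
            self.logger.debug('Generating va_write_map for function 0x%08x',
                              funcStart)
            self.regMon = RegMonitor(regs)
            emu.setEmulationMonitor(self.regMon)
            # maxhit/maxloop presumably bound how often the emulator revisits
            # code, keeping a single analysis pass finite
            emu.runFunction(funcStart, maxhit=1, maxloop=1)
            self.va_write_map = {}
            self.va_read_map = {}
            jayutils.path_bfs(emu.path,
                              build_emu_va_map,
                              res=self.va_write_map,
                              emu=emu,
                              logtype='writelog')
            jayutils.path_bfs(emu.path,
                              build_emu_va_map,
                              res=self.va_read_map,
                              emu=emu,
                              logtype='readlog')
            # mark the cache valid only once both maps were built, so a
            # failure part-way through does not leave empty maps cached
            self.lastFunc = funcStart
        else:
            self.logger.debug('Using cached va_write_map')

        baseEntry = self.va_write_map.get(va)
        if baseEntry is None:
            self.logger.error(
                'Node does not have write log. Requires a call instruction (which writes to the stack) for this to work: 0x%08x',
                va)
            return []
        # baseEntry[1] is the va written by the instruction at ``va``;
        # presumably the stack slot the argument walk starts from
        self.startSp = baseEntry[1]
        return self.analyzeTracker(baseEntry, va, num, regs)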
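    def getPushArgs(self, va, num, regs=None):
        '''
        Locate the write-log / register entries for the first ``num`` arguments
        pushed before the instruction at ``va``.

        num -> first arg is 1, 2nd is 2, ...

        Returns a list of dicts whose key is the arg number (starting at 1, 2.. num)
        Each dict for a stack argument is a write log tuple (pc, va, bytes)
        Each dict for a register argument is a tuple (pc, value)
        Returns an empty list when ``va`` has no write-log entry.

        regs: optional list of registers handed to the RegMonitor; defaults to
            no registers.
        '''
        if regs is None:
            regs = []

        funcStart = idc.GetFunctionAttr(va, idc.FUNCATTR_START)
        # Per-function cache: the va maps are rebuilt only when ``va`` belongs
        # to a different function than the previous call.
        # NOTE(review): the cache key is funcStart alone; a later call for the
        # same function with a different ``regs`` list reuses the old
        # RegMonitor -- confirm callers never vary regs per function.
        if funcStart != self.lastFunc:
            emu = self.vw.getEmulator(True, True)
            self.logger.debug('Generating va_write_map for function 0x%08x', funcStart)
            self.regMon = RegMonitor(regs)
            emu.setEmulationMonitor(self.regMon)
            # maxhit/maxloop presumably bound how often the emulator revisits
            # code, keeping one analysis pass finite
            emu.runFunction(funcStart, maxhit=1, maxloop=1)
            self.va_write_map = {}
            self.va_read_map = {}
            jayutils.path_bfs(emu.path, build_emu_va_map, res=self.va_write_map, emu=emu, logtype='writelog')
            jayutils.path_bfs(emu.path, build_emu_va_map, res=self.va_read_map, emu=emu, logtype='readlog')
            # only mark the cache valid after both maps exist, so an exception
            # part-way through does not leave empty maps cached
            self.lastFunc = funcStart
        else:
            self.logger.debug('Using cached va_write_map')

        baseEntry = self.va_write_map.get(va)
        if baseEntry is None:
            self.logger.error('Node does not have write log. Requires a call instruction (which writes to the stack) for this to work: 0x%08x', va)
            return []
        # baseEntry[1] is the va written by the instruction at ``va``;
        # presumably the stack slot the argument walk starts from
        self.startSp = baseEntry[1]
        return self.analyzeTracker(baseEntry, va, num, regs)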