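def hook(insn):
    """Instruction callback: remember the buffer address seen at 0x400740 and dump it at 0x40074a.

    Args:
        insn: instruction object handed over by the pintool instruction
            callback; only its address and operands are read.

    Side effects:
        At 0x400740 the value of the instruction's register operand is
        stored in the module-global ``a`` and its first four bytes are
        printed.  At 0x40074a the same four bytes are printed again,
        followed by the address and first byte of every memory operand.
    """
    global a
    address = insn.getAddress()

    # NOTE: both addresses are absolute, so this hook only matches the exact
    # (non-PIE) build of the target it was written for.
    if address == 0x400740:
        for op in insn.getOperands():
            if op.getType() == triton.OPERAND.REG:
                addr = pintool.getCurrentRegisterValue(op)
                print(hex(addr))
                a = addr
                print("a:" + str(hex(a)))
                _dump_bytes(a, 4)

    # Single check for the second address: the dump of ``a`` and the memory
    # operand listing happen in this order.
    if address == 0x40074a:
        # NameError if ``a`` was never assigned (0x400740 not reached yet and
        # no module-level default).
        print(hex(a))
        _dump_bytes(a, 4)
        for op in insn.getOperands():
            if op.getType() == triton.OPERAND.MEM:
                addr = op.getAddress()
                print(hex(addr))
                c = pintool.getCurrentMemoryValue(addr)
                print(str(hex(c)))


def _dump_bytes(base, count):
    """Print ``count`` consecutive bytes starting at ``base`` as ``i : 0xNN`` lines.

    Args:
        base: start address in the instrumented process.
        count: number of bytes to read and print.
    """
    for i in range(count):
        c = pintool.getCurrentMemoryValue(base + i)
        print(str(i) + " : " + str(hex(c)))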
def read_hook(tid):
    """Print the four bytes at the address held in the module-global ``a``.

    Args:
        tid: thread id supplied by the pintool callback; unused.

    ``a`` must already have been assigned by another hook, otherwise the
    lookup raises NameError.
    """
    global a
    print("read_hook")
    print(hex(a))
    for offset in range(4):
        byte = pintool.getCurrentMemoryValue(a + offset)
        print("%d : %s" % (offset, hex(byte)))
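def symbolize_inputs(tid):
    """Symbolize every byte of argv[1], including its terminating NUL.

    Reads argv from rsi, follows the pointer to argv[1] and, byte by byte,
    copies the concrete value into the Triton context before turning that
    byte into a symbolic variable named ``argv[1][i]``.

    Args:
        tid: thread id supplied by the pintool callback; unused.
    """
    rsi = pintool.getCurrentRegisterValue(Triton.registers.rsi)  # argv
    addr = pintool.getCurrentMemoryValue(rsi + (triton.CPUSIZE.QWORD),
                                         triton.CPUSIZE.QWORD)  # argv[1]

    # Walk the string up to and including its NUL terminator.  The walk
    # relies on argv[1] being NUL-terminated, which the loader guarantees
    # for process arguments; it would not be safe on an arbitrary buffer.
    s = ''
    while True:
        c = pintool.getCurrentMemoryValue(addr)
        s += chr(c)
        # Make the concrete byte known to Triton before symbolizing it, so
        # the symbolic variable starts from the real input value.
        Triton.setConcreteMemoryValue(addr, c)
        Triton.convertMemoryToSymbolicVariable(
            triton.MemoryAccess(addr, triton.CPUSIZE.BYTE)).setComment(
                'argv[1][%d]' % (len(s) - 1))
        addr += 1
        if c == 0:
            break
    # Parenthesised so the same source runs under Python 2 and 3.
    print('Symbolized argv[1]: %s' % (s))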
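def symbolize_inputs(tid):
    """Symbolize every byte of argv[1..argc-1], including each NUL terminator.

    argc is read from rdi and argv from rsi (see the inline comments).
    Arguments are processed from the last one down to argv[1]; argv[0] is
    left concrete.  Every byte is copied concretely into the Triton context
    before it becomes a symbolic variable tagged ``argv[i][j]``.

    Args:
        tid: thread id supplied by the pintool callback; unused.
    """
    rdi = pintool.getCurrentRegisterValue(Triton.registers.rdi) # argc
    rsi = pintool.getCurrentRegisterValue(Triton.registers.rsi) # argv

    # for each string in argv, last to first
    while rdi > 1:
        addr = pintool.getCurrentMemoryValue(rsi + ((rdi-1)*triton.CPUSIZE.QWORD), triton.CPUSIZE.QWORD)
        # symbolize the current argument string (including the terminating NULL);
        # the walk trusts the NUL terminator the loader places after every argv entry
        c = None
        s = ''
        while c != 0:
            c = pintool.getCurrentMemoryValue(addr)
            s += chr(c)
            Triton.setConcreteMemoryValue(addr, c)
            Triton.convertMemoryToSymbolicVariable(triton.MemoryAccess(addr, triton.CPUSIZE.BYTE)).setComment('argv[%d][%d]' % (rdi-1, len(s)-1))
            addr += 1
        rdi -= 1
        # parenthesised so the same source runs under Python 2 and 3
        print('Symbolized argument %d: %s' % (rdi, s))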
def symbolize_inputs(threadId):
    """Symbolize every byte of argv[1..argc-1] (NUL terminators included).

    Reads argc from rdi and argv from rsi, then walks the arguments from the
    last one down to argv[1]; each byte is first written concretely into the
    Triton context and then turned into a symbolic variable tagged
    ``argv[i][j]``.

    Args:
        threadId: thread id supplied by the pintool callback; unused.
    """
    argc = pintool.getCurrentRegisterValue(Triton.registers.rdi)
    argv = pintool.getCurrentRegisterValue(Triton.registers.rsi)

    # argv[0] (the program name) is intentionally left concrete.
    for index in range(argc - 1, 0, -1):
        cursor = pintool.getCurrentMemoryValue(
            argv + (index * triton.CPUSIZE.QWORD),
            triton.CPUSIZE.QWORD)

        text = ""
        byte = None
        # Stops only after the terminating NUL has itself been symbolized;
        # this assumes the argument is NUL-terminated, as the loader guarantees.
        while byte != 0:
            byte = pintool.getCurrentMemoryValue(cursor)
            text += chr(byte)
            Triton.setConcreteMemoryValue(cursor, byte)
            Triton.convertMemoryToSymbolicVariable(
                triton.MemoryAccess(cursor, triton.CPUSIZE.BYTE)
                ).setComment(f"argv[{index}][{len(text)-1}]")
            cursor += 1
        print(f"Symbolized argument {index}: {text}")
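def read_hook(tid):
    """Symbolize the bytes that landed in the buffer at the module-global ``symvar_addr``.

    By its name this is meant to run right after a read(); eax is taken as
    the number of bytes to symbolize.  Each byte is copied concretely into
    the Triton context and then converted into a symbolic variable whose
    comment records its address and value.

    Args:
        tid: thread id supplied by the pintool callback; unused.
    """
    global symvar_addr
    data_len = pintool.getCurrentRegisterValue(Triton.registers.eax)
    print("Taint src length : " + str(data_len))

    # NOTE(review): eax is read as an unsigned value; if read() failed and
    # returned -1 it would appear as 0xffffffff and this loop would walk far
    # past the buffer.  Confirm the callback only fires on successful reads,
    # or bound data_len by the size that was requested.
    if data_len <= 0:
        # Nothing was read (EOF or error): nothing to symbolize and no last
        # address to report, so avoid the unbound loop variable below.
        return

    for i in range(data_len):
        c = pintool.getCurrentMemoryValue(symvar_addr + i)
        Triton.setConcreteMemoryValue(symvar_addr + i, c)
        Triton.convertMemoryToSymbolicVariable(
            triton.MemoryAccess(
                symvar_addr + i,
                triton.CPUSIZE.BYTE)).setComment('taintedByte ' +
                                                 str(hex(symvar_addr + i)) +
                                                 ' : ' + str(c))

    # Last symbolized address is symvar_addr + data_len - 1.
    print('Symbolized taintedByte ' + str(hex(symvar_addr)) + ' ~ ' +
          str(hex(symvar_addr + data_len - 1)))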
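def hook(insn):
    """Instruction callback: capture the taint buffer address, then hand the target instruction to ``exploit_mmap``.

    At 0x400740 the value of rcx is stored in the module-global
    ``symvar_addr`` and its first four bytes are printed.  When the
    instruction at ``taintedIns`` (a module-level name defined elsewhere)
    is reached, its first register operand is passed to ``exploit_mmap``
    and the callback returns.

    Args:
        insn: instruction object from the pintool instruction callback.
    """
    global symvar_addr
    address = insn.getAddress()

    # Absolute address: only valid for the specific non-PIE build of the
    # analysed target.
    if address == 0x400740:
        addr = pintool.getCurrentRegisterValue(Triton.registers.rcx)
        print(hex(addr))
        symvar_addr = addr
        print("hook")
        for i in range(4):
            c = pintool.getCurrentMemoryValue(symvar_addr + i)
            print(str(i) + " : " + str(hex(c)))

    if address == taintedIns:
        for op in insn.getOperands():
            if op.getType() == triton.OPERAND.REG:
                # Parenthesised so the same source runs under Python 2 and 3.
                print('Found Target Ins \'%s\'' % (insn))
                exploit_mmap(insn, op)
                return  # only the first register operand is handled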
def read_hook(tid):
    """Symbolize the four bytes at the module-global ``symvar_addr``.

    Each byte is first written concretely into the Triton context, then
    converted into a symbolic variable tagged with its address and value.

    Args:
        tid: thread id supplied by the pintool callback; unused.
    """
    global symvar_addr
    print("read_hook")

    for offset in range(4):
        byte_addr = symvar_addr + offset
        value = pintool.getCurrentMemoryValue(byte_addr)
        Triton.setConcreteMemoryValue(byte_addr, value)
        label = 'taintedByte ' + str(hex(byte_addr)) + ' : ' + str(value)
        Triton.convertMemoryToSymbolicVariable(
            triton.MemoryAccess(byte_addr, triton.CPUSIZE.BYTE)).setComment(label)
        print('Symbolized ' + label)
def needMem(ctx, mem):
    """Refresh one memory cell in the Triton context from the running process.

    Args:
        ctx: Triton context receiving the concrete value.
        mem: memory access (address and size) to read and copy.
    """
    concrete = Pintool.getCurrentMemoryValue(mem)
    ctx.setConcreteMemoryValue(mem, concrete)
def needMem(ctx, mem):
    """Copy the current concrete value of ``mem`` from the process into ``ctx``.

    Args:
        ctx: Triton context receiving the concrete value.
        mem: memory access (address and size) to read and copy.
    """
    ctx.setConcreteMemoryValue(
        mem,
        Pintool.getCurrentMemoryValue(mem),
    )