def setUp(self): self._arch_info = X86ArchitectureInformation(ARCH_X86_MODE_32) self._emulator = ReilEmulator(self._arch_info) self._asm_parser = X86Parser(ARCH_X86_MODE_32) self._translator = X86Translator(ARCH_X86_MODE_32)
def __init__(self, binary): self.__binary = binary self.__arch_mode = self.__binary.architecture_mode self.__arch = X86ArchitectureInformation(self.__arch_mode) self.__disassembler = X86Disassembler(self.__arch_mode) self.__translator = X86Translator(self.__arch_mode) self.__bb_builder = CFGRecoverer( RecursiveDescent(self.__disassembler, self.__binary.text_section, self.__translator, self.__arch))
def setUp(self): self.arch_mode = ARCH_X86_MODE_64 self.arch_info = X86ArchitectureInformation(self.arch_mode) self.x86_parser = X86Parser(self.arch_mode) self.x86_translator = X86Translator(self.arch_mode) self.reil_emulator = ReilEmulator(self.arch_info) self.context_filename = "failing_context.data"
def __translate(self, asm_instr): reil_translator = X86Translator(self.arch_info.architecture_mode) # Create ReilContainer instr_container = ReilContainer() instr_seq = ReilSequence() for reil_instr in reil_translator.translate(asm_instr): instr_seq.append(reil_instr) instr_container.add(instr_seq) return instr_container
def test_emulate_x86_64(self): binary = BinaryFile(get_full_path("./samples/bin/loop-simple.x86_64")) arch_mode = ARCH_X86_MODE_64 arch_info = X86ArchitectureInformation(arch_mode) ir_emulator = ReilEmulator(arch_info) disassembler = X86Disassembler(ARCH_X86_MODE_64) ir_translator = X86Translator(ARCH_X86_MODE_64) emu = Emulator(arch_info, ir_emulator, ir_translator, disassembler) emu.load_binary(binary) emu.emulate(0x4004d6, 0x400507, {}, None, False)
def __init__(self, binary, symbols): self.__binary = binary self.__arch_mode = self.__binary.architecture_mode self.__arch = X86ArchitectureInformation(self.__arch_mode) self.__disassembler = X86Disassembler(self.__arch_mode) self.__translator = X86Translator(self.__arch_mode) self.__bb_builder = CFGRecoverer( RecursiveDescent(self.__disassembler, self.__binary.text_section, self.__translator, self.__arch)) self.__container = {} self.__symbols = symbols self.__symbols_by_addr = {} for name, start, end in symbols: self.__symbols_by_addr[start] = (name, end)
def setUp(self): self._arch_info = X86ArchitectureInformation(ARCH_X86_MODE_32) self._smt_solver = SmtSolver() self._smt_translator = SmtTranslator(self._smt_solver, self._arch_info.address_size) self._smt_translator.set_arch_alias_mapper( self._arch_info.alias_mapper) self._smt_translator.set_arch_registers_size( self._arch_info.registers_size) self._x86_parser = X86Parser(ARCH_X86_MODE_32) self._x86_translator = X86Translator(ARCH_X86_MODE_32) self._code_analyzer = CodeAnalyzer(self._smt_solver, self._smt_translator, self._arch_info)
def __init__(self, arch, trace, start_address, options): AsmTraceAnalyzer.__init__(self, arch, trace) self._options = options disassembler = X86Disassembler(arch.architecture_mode) ir_translator = X86Translator(arch.architecture_mode) self._emulator = Emulator(arch, ReilEmulator(arch), ir_translator, disassembler) self._undefined_flags = { "bsf": ["cf", "of", "sf", "af", "pf"], "bt": ["pf"], # TODO Check. "div": ["cf", "of", "sf", "zf", "af", "pf"], "imul": ["pf"], # TODO Check. "shl": ["of"], # TODO Check. "shr": ["of"], # TODO Check. } self._set_regs = True self._next_addr = start_address
def raw_to_IRBlock(raw, thumb=False): # Check for Architecture if (curr_arch_type() == ArchType.ARCH_X86): disassembler = X86Disassembler(architecture_mode=ARCH_X86_MODE_32) ir_translator = X86Translator(architecture_mode=ARCH_X86_MODE_32) alias_mapper = X86ArchitectureInformation( ARCH_X86_MODE_32).alias_mapper elif (curr_arch_type() == ArchType.ARCH_X64): disassembler = X86Disassembler(architecture_mode=ARCH_X86_MODE_64) ir_translator = X86Translator(architecture_mode=ARCH_X86_MODE_64) alias_mapper = X86ArchitectureInformation( ARCH_X86_MODE_64).alias_mapper elif (curr_arch_type() == ArchType.ARCH_ARM32 and not thumb): disassembler = ArmDisassembler(architecture_mode=ARCH_ARM_MODE_ARM) ir_translator = ArmTranslator(architecture_mode=ARCH_ARM_MODE_ARM) alias_mapper = ArmArchitectureInformation( ARCH_ARM_MODE_ARM).alias_mapper elif (curr_arch_type() == ArchType.ARCH_ARM32 and thumb): disassembler = ArmDisassembler(architecture_mode=ARCH_ARM_MODE_THUMB) ir_translator = ArmTranslator(architecture_mode=ARCH_ARM_MODE_THUMB) alias_mapper = ArmArchitectureInformation( ARCH_ARM_MODE_THUMB).alias_mapper else: raise Exception("ARCH TYPE NOT SUPPORTED") (irsb, string) = raw_to_REIL(raw, disassembler, ir_translator) if (irsb is None): return (None, string) asm_instr_string = '; '.join(str(i) for i in string) # Check if branch instructions in the middle of the gadget for ins in string[:-1]: if (str(ins)[0:2] == "bl"): return (None, "Branch in the middle of the gadget") res = IRBlock() # Translate instruction by instruction try: for instr in irsb: # print(instr) # DEBUG i = None if (instr.mnemonic == ReilMnemonic.NOP): pass elif (is_calculation_instr(instr.mnemonic)): i = IRInstruction( barf_operation_to_IR(instr.mnemonic), barf_operand_to_IR(instr.operands[0], alias_mapper), barf_operand_to_IR(instr.operands[1], alias_mapper), barf_operand_to_IR(instr.operands[2], alias_mapper)) elif (is_load_instr(instr.mnemonic)): i = IRInstruction( IROperation.LDM, barf_operand_to_IR(instr.operands[0], alias_mapper), ArgEmpty(), barf_operand_to_IR(instr.operands[2], alias_mapper)) elif (is_store_instr(instr.mnemonic)): i = IRInstruction( IROperation.STM, barf_operand_to_IR(instr.operands[0], alias_mapper), ArgEmpty(), barf_operand_to_IR(instr.operands[2], alias_mapper)) elif (is_put_instr(instr.mnemonic)): i = IRInstruction( IROperation.STR, barf_operand_to_IR(instr.operands[0], alias_mapper), ArgEmpty(), barf_operand_to_IR(instr.operands[2], alias_mapper)) elif (instr.mnemonic == ReilMnemonic.BISZ): i = IRInstruction( IROperation.UNKNOWN, ArgEmpty(), ArgEmpty(), barf_operand_to_IR(instr.operands[2], alias_mapper)) elif (instr.mnemonic == ReilMnemonic.JCC): if (isinstance(instr.operands[0], ReilImmediateOperand) and instr.operands[0]._immediate != 0): if (instr.operands[2].size > curr_arch_bits()): i = IRInstruction( IROperation.BSH, barf_operand_to_IR(instr.operands[2], alias_mapper), ArgCst(curr_arch_bits() - instr.operands[2].size, curr_arch_bits()), ArgReg(curr_arch_ip(), curr_arch_bits())) else: i = IRInstruction( IROperation.STR, barf_operand_to_IR(instr.operands[2], alias_mapper), ArgEmpty(), ArgReg(curr_arch_ip(), curr_arch_bits())) else: i = IRInstruction(IROperation.UNKNOWN, ArgEmpty(), ArgEmpty(), ArgReg(curr_arch_ip(), curr_arch_bits())) break elif (instr.mnemonic == ReilMnemonic.BISZ): raise REILOperationNotSupported( "REIL Operation 'BISZ' not supported") else: return (None, string) if (i): res.add_instr(i) # Possible exceptions except RegNotSupported as e: log("In " + asm_instr_string + " | " + str(e)) return (None, string) except CstTooBig as e: log("In " + asm_instr_string + " | " + str(e)) return (None, string) except REILOperationNotSupported as e: log("In " + asm_instr_string + " | " + str(e)) return (None, string) # Succesful return return (res, string)
def setUp(self): self._parser = X86Parser(ARCH_X86_MODE_32) self._translator = X86Translator(ARCH_X86_MODE_32)
def setUp(self): self._arch_mode = ARCH_X86_MODE_32 self._arch_info = X86ArchitectureInformation(self._arch_mode) self._disassembler = X86Disassembler(ARCH_X86_MODE_32) self._translator = X86Translator(ARCH_X86_MODE_32)
def barf_classify(gadget_map, printout=True): arch_mode = ARCH_X86_MODE_32 arch_info = X86ArchitectureInformation(arch_mode) translator = X86Translator(arch_mode) instruction_parser = X86Parser(arch_mode) ir_emulator = ReilEmulator(arch_info) classifier = GadgetClassifier(ir_emulator, arch_info) raw_gadgets = {} typed_gadgets = [] for _, gadget in gadget_map.items(): # Translation cycle: from my emulator to BARF representation classifiable = False barf_instr_list = [] for _, instr in gadget.instructions.items(): # Parse a ROPInstruction into the BARF representation of an x86 instruction barf_instr = instruction_parser.parse("{} {}".format( instr.mnemonic, instr.op_str)) barf_instr.address = instr.address try: # Translate an x86 instruction into a list of REIL instructions reil_transl_instrs = translator.translate(barf_instr) barf_instr.ir_instrs = reil_transl_instrs classifiable = True except TranslationError: classifiable = False finally: barf_instr_list.append(barf_instr) # Classification of the gadgets barf_g = RawGadget(barf_instr_list) raw_gadgets[barf_g.address] = barf_g if classifiable: classified = classifier.classify(barf_g) for tg in classified: typed_gadgets.append(tg) if printout: print_gadgets_raw(list(raw_gadgets.values()), sys.stdout, 'addr', True, 'Raw Gadgets', False) verified = [] unverified = [] solver = Z3Solver() translator = SmtTranslator(solver, arch_info.address_size) code_analyzer = CodeAnalyzer(solver, translator, arch_info) verifier = GadgetVerifier(code_analyzer, arch_info) for tg in typed_gadgets: if verifier.verify(tg): verified.append(tg) else: unverified.append(tg) print_gadgets_typed(verified, sys.stdout, arch_info.address_size, 'Verified classification') print_gadgets_typed(unverified, sys.stdout, arch_info.address_size, 'Unverified classification') for tg in typed_gadgets: if tg.address in raw_gadgets: raw_gadgets.pop(tg.address) print_gadgets_raw(list(raw_gadgets.values()), sys.stdout, 'addr', False, 'Not classified', False) return {tg.address: tg for tg in typed_gadgets}