def prehook(self, emu, op, eip): if op.mnem == "out": #FIXME arch specific. see above idea. emu.stopEmu() raise Exception("Out instruction...") if op in self.badops: emu.stopEmu() raise v_exc.BadOpBytes(op.va) if op.iflags & envi.IF_RET: self.hasret = True emu.stopEmu() self.lastop = op # Make sure we didn't run into any other # defined locations... if self.vw.isFunction(eip): emu.stopEmu() # FIXME: this is a problem. many time legit code falls into other functions... "hydra" functions are more and more common. raise v_exc.BadOpBytes(op.va) loc = self.vw.getLocation(eip) if loc != None: va, size, ltype, linfo = loc if ltype != vivisect.LOC_OP: emu.stopEmu() raise Exception("HIT LOCTYPE %d AT %.8x" % (ltype, va)) cnt = self.mndist.get(op.mnem, 0) self.mndist[op.mnem] = cnt + 1 self.insn_count += 1
def prehook(self, emu, op, eip): if op.mnem == "out": # FIXME arch specific. see above idea. emu.stopEmu() raise v_exc.BadOutInstruction(op.va) if op in self.badops: emu.stopEmu() raise v_exc.BadOpBytes(op.va) if op.iflags & envi.IF_RET: self.hasret = True emu.stopEmu() self.lastop = op loc = self.vw.getLocation(eip) if loc is not None: va, size, ltype, linfo = loc if ltype != vivisect.LOC_OP: emu.stopEmu() raise Exception("HIT LOCTYPE %d AT 0x%.8x" % (ltype, va)) cnt = self.mndist.get(op.mnem, 0) self.mndist[op.mnem] = cnt + 1 self.insn_count += 1 if self.vw.isNoReturnVa(eip): self.hasret = True emu.stopEmu()
def prehook(self, emu, op, starteip): if op in self.badops: raise v_exc.BadOpBytes(op.va) viv_imp_monitor.AnalysisMonitor.prehook(self, emu, op, starteip) if op.opcode == e_i386const.INS_LEA: # x86 only i = 1 o = op.opers[i] discrete = o.isDiscrete() operva = o.getOperAddr(op, emu) # keep track of the max here, but save it for later too... stackoff = emu.getStackOffset(operva) if stackoff and stackoff >= 0: self.stackmax = max(self.stackmax, stackoff) self.stackargs[stackoff] = True self.operrefs.append( (starteip, i, operva, o.tsize, stackoff, discrete)) # Do return related stuff before we execute the opcode if op.isReturn(): self.endstack = emu.getStackCounter() if len(op.opers): self.retbytes = op.opers[0].imm
def prehook(self, emu, op, starteip): if op in self.badops: raise v_exc.BadOpBytes(op.va) viv_monitor.AnalysisMonitor.prehook(self, emu, op, starteip) if op.iflags & envi.IF_RET: if len(op.opers): self.retbytes = op.opers[0].imm
def prehook(self, emu, op, starteip): if op in self.badops: raise v_exc.BadOpBytes(op.va) viv_imp_monitor.AnalysisMonitor.prehook(self, emu, op, starteip) # Do return related stuff before we execute the opcode if op.isReturn(): self.endstack = emu.getStackCounter() if len(op.opers): self.retbytes = op.opers[0].imm
def prehook(self, emu, op, eip): if op in self.badops: emu.stopEmu() raise v_exc.BadOpBytes(op.va) if op.mnem in STOS: if self.arch == 'i386': reg = emu.getRegister(envi.archs.i386.REG_EDI) elif self.arch == 'amd64': reg = emu.getRegister(envi.archs.amd64.REG_RDI) if self.vw.isValidPointer(reg): self.vw.makePointer(reg, follow=True)
def prehook(self, emu, op, starteip): try: tmode = emu.getFlag(PSR_T_bit) self.last_tmode = tmode if op in self.badops: emu.stopEmu() raise v_exc.BadOpBytes(op.va) viv_monitor.AnalysisMonitor.prehook(self, emu, op, starteip) loctup = emu.vw.getLocation(starteip) if loctup is None: # logger.debug("emulation: prehook: new LOC_OP fva: 0x%x starteip: 0x%x flags: 0x%x", self.fva, starteip, op.iflags) arch = (envi.ARCH_ARMV7, envi.ARCH_THUMB)[(starteip & 1) | tmode] emu.vw.makeCode(starteip & -2, arch=arch) elif loctup[2] != LOC_OP: logger.info( "ARG! emulation found opcode in an existing NON-OPCODE location (0x%x): 0x%x: %s", loctup[0], op.va, op) emu.stopEmu() elif loctup[0] != starteip: logger.info( "ARG! emulation found opcode in a location at the wrong address (0x%x): 0x%x: %s", loctup[0], op.va, op) emu.stopEmu() if op.iflags & envi.IF_RET: self.returns = True if len(op.opers): if hasattr(op.opers, 'imm'): self.retbytes = op.opers[0].imm # ARM gives us nice switchcase handling instructions # FIXME: wrap TB-handling into getBranches(emu) which is called by checkBranches during emulation if op.opcode in (INS_TBH, INS_TBB): if emu.vw.getVaSetRow('SwitchCases', op.va) is None: base, tbl = analyzeTB(emu, op, starteip, self) if None not in (base, tbl): count = len(tbl) self.switchcases += 1 emu.vw.setVaSetRow('SwitchCases', (op.va, op.va, count)) elif op.opcode == INS_MOV: if len(op.opers) >= 2: oper0 = op.opers[0] oper1 = op.opers[1] if isinstance(oper0, e_arm.ArmRegOper) and oper0.reg == REG_LR: if isinstance( oper1, e_arm.ArmRegOper) and oper1.reg == REG_PC: self.last_lr_pc = starteip elif op.opcode == INS_BX: if starteip - self.last_lr_pc <= 4: # this is a call. the compiler updated lr logger.info("CALL by mov lr, pc; bx <foo> at 0x%x", starteip) tgtva = op.opers[-1].getOperValue(op) self.vw.makeFunction(tgtva) elif op.opcode == INS_ADD and op.opers[0].reg == REG_PC: # simple branch code if emu.vw.getVaSetRow('SwitchCases', op.va) is None: base, tbl = analyzeADDPC(emu, op, starteip, self) if None not in (base, tbl): count = len(tbl) self.switchcases += 1 emu.vw.setVaSetRow('SwitchCases', (op.va, op.va, count)) elif op.opcode == INS_SUB and isinstance( op.opers[0], e_arm.ArmRegOper) and op.opers[0].reg == REG_PC: # simple branch code if emu.vw.getVaSetRow('SwitchCases', op.va) is None: base, tbl = analyzeSUBPC(emu, op, starteip, self) if None not in (base, tbl): count = len(tbl) self.switchcases += 1 emu.vw.setVaSetRow('SwitchCases', (op.va, op.va, count)) if op.iflags & envi.IF_BRANCH: try: tgt = op.getOperValue(0, emu) if tgt == op.va: logger.info( "0x%x: +++++++++++++++ infinite loop +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++", op.va) if op.va not in self.infloops: self.infloops.append(op.va) if 'InfiniteLoops' not in vw.getVaSetNames(): vw.addVaSet( 'InfiniteLoops', (('va', vivisect.VASET_ADDRESS, 'function', vivisect.VASET_STRING))) self.vw.setVaSetRow('InfiniteLoops', (op.va, self.fva)) except Exception as e: self.logAnomaly(emu, self.fva, "0x%x: (%r) ERROR: %s" % (op.va, op, e)) logger.info("0x%x: (%r) ERROR: %s", op.va, op, e) except Exception as e: self.logAnomaly(emu, self.fva, "0x%x: (%r) ERROR: %s" % (op.va, op, e)) logger.warning("0x%x: (%r) ERROR: %s", op.va, op, e)