def test_emulate_arm_thumb(self):
    """Run the Thumb-mode ``loop-simple`` sample through the emulator.

    There are no explicit assertions: the test passes when
    ``Emulator.emulate`` returns without raising.
    """
    mode = ARCH_ARM_MODE_THUMB
    sample = BinaryFile(get_full_path("./samples/bin/loop-simple.arm_thumb"))
    arch = ArmArchitectureInformation(mode)
    emu = Emulator(arch,
                   ReilEmulator(arch),
                   ArmTranslator(architecture_mode=mode),
                   ArmDisassembler(architecture_mode=mode))
    emu.load_binary(sample)
    # Positional arguments are presumably start/end addresses followed by
    # three Emulator.emulate-specific parameters — confirm against Emulator.
    emu.emulate(0x10401, 0x10432, {}, None, True)
def test_emulate_x86_64(self):
    """Run the 64-bit x86 ``loop-simple`` sample through the emulator.

    There are no explicit assertions: the test passes when
    ``Emulator.emulate`` returns without raising.
    """
    mode = ARCH_X86_MODE_64
    sample = BinaryFile(get_full_path("./samples/bin/loop-simple.x86_64"))
    arch = X86ArchitectureInformation(mode)
    emu = Emulator(arch,
                   ReilEmulator(arch),
                   X86Translator(mode),
                   X86Disassembler(mode))
    emu.load_binary(sample)
    # Positional arguments are presumably start/end addresses followed by
    # three Emulator.emulate-specific parameters — confirm against Emulator.
    emu.emulate(0x4004d6, 0x400507, {}, None, False)
def __init__(self, arch, trace, start_address, options):
    """Set up the replay analyzer.

    Args:
        arch: architecture description; its ``architecture_mode`` selects
            the x86 disassembler/translator variant.
        trace: recorded instruction trace handed to ``AsmTraceAnalyzer``.
        start_address: address of the first trace entry to replay.
        options: run options read elsewhere in this class (at least
            ``abort`` and ``verbose``).
    """
    AsmTraceAnalyzer.__init__(self, arch, trace)
    self._options = options
    mode = arch.architecture_mode
    self._emulator = Emulator(arch,
                              ReilEmulator(arch),
                              X86Translator(mode),
                              X86Disassembler(mode))
    # Flags this analyzer treats as undefined after each mnemonic; the
    # entries marked "unverified" were flagged TODO in the original.
    self._undefined_flags = {
        "bsf": ["cf", "of", "sf", "af", "pf"],
        "bt": ["pf"],                               # unverified
        "div": ["cf", "of", "sf", "zf", "af", "pf"],
        "imul": ["pf"],                             # unverified
        "shl": ["of"],                              # unverified
        "shr": ["of"],                              # unverified
    }
    # Registers are seeded from the trace before the first instruction.
    self._set_regs = True
    self._next_addr = start_address
def test_emulate_arm(self):
    """Run the ARM-mode ``loop-simple`` sample through the emulator.

    There are no explicit assertions: the test passes when
    ``Emulator.emulate`` returns without raising.
    """
    mode = ARCH_ARM_MODE_ARM
    sample = BinaryFile(get_full_path("./samples/bin/loop-simple.arm"))
    arch = ArmArchitectureInformation(mode)
    emu = Emulator(arch,
                   ReilEmulator(arch),
                   ArmTranslator(architecture_mode=mode),
                   ArmDisassembler(architecture_mode=mode))
    emu.load_binary(sample)
    # Positional arguments are presumably start/end addresses followed by
    # three Emulator.emulate-specific parameters — confirm against Emulator.
    emu.emulate(0x10400, 0x10460, {}, None, True)
def test_emulate_x86_64(self):
    """Run the 64-bit x86 ``loop-simple`` sample through the emulator.

    There are no explicit assertions: the test passes when
    ``Emulator.emulate`` returns without raising.
    """
    mode = ARCH_X86_MODE_64
    sample = BinaryFile(get_full_path("./samples/bin/loop-simple.x86_64"))
    arch = X86ArchitectureInformation(mode)
    emu = Emulator(arch,
                   ReilEmulator(arch),
                   X86Translator(architecture_mode=mode),
                   X86Disassembler(architecture_mode=mode))
    emu.load_binary(sample)
    # Positional arguments are presumably start/end addresses followed by
    # three Emulator.emulate-specific parameters — confirm against Emulator.
    emu.emulate(0x4004d6, 0x400507, {}, None, False)
class AsmReplayAnalyzer(AsmTraceAnalyzer):
    """Replay an x86 trace through the REIL emulator and diff register state.

    For every trace entry the hooks run ``before`` (seed emulator memory and,
    when needed, registers from the trace), ``analyze`` (emulate the
    instruction) and ``after`` (advance the trace and compare the emulated
    registers with the recorded ones).  A mismatch or an unimplemented
    instruction either ends the run (``options.abort``) or re-seeds the
    registers from the trace on the next cycle.  The hook-calling order is
    owned by ``AsmTraceAnalyzer`` (not shown here) — confirm there.
    """

    def __init__(self, arch, trace, start_address, options):
        """Set up the emulator and the replay bookkeeping.

        Args:
            arch: architecture description; its ``architecture_mode``
                selects the x86 disassembler/translator variant and its
                ``flags_register()`` names the flags register.
            trace: recorded trace handed to ``AsmTraceAnalyzer``.
            start_address: address of the first trace entry to replay.
            options: run options; ``abort`` and ``verbose`` are read here.
        """
        AsmTraceAnalyzer.__init__(self, arch, trace)
        self._options = options
        mode = arch.architecture_mode
        self._emulator = Emulator(arch,
                                  ReilEmulator(arch),
                                  X86Translator(mode),
                                  X86Disassembler(mode))
        # Flags treated as undefined after each mnemonic; they are taken
        # from the trace instead of being compared.  "unverified" entries
        # were marked TODO in the original.
        self._undefined_flags = {
            "bsf": ["cf", "of", "sf", "af", "pf"],
            "bt": ["pf"],                               # unverified
            "div": ["cf", "of", "sf", "zf", "af", "pf"],
            "imul": ["pf"],                             # unverified
            "shl": ["of"],                              # unverified
            "shr": ["of"],                              # unverified
        }
        # Seed registers from the trace before the first instruction.
        self._set_regs = True
        self._next_addr = start_address

    def initialize(self):
        """Position the trace on the first entry to replay."""
        self._trace.set_next_address(self._next_addr)

    def before(self):
        """Load the recorded memory reads (and registers, when flagged) into the emulator."""
        _, _, mem_reads, reg_state = self._trace.current()
        # Registers are re-seeded after a syscall or a failed emulation.
        if self._set_regs:
            print("[+] Setting registers...")
            self._emulator.set_registers(reg_state)
        self._emulator.set_memory(mem_reads)

    def analyze(self):
        """Emulate the current trace instruction and record where to go next."""
        instr, _, _, _ = self._trace.current()
        try:
            next_addr = self._emulator.execute(instr)
        except barf.arch.emulator.Syscall:
            # Syscall effects are not emulated: drop the next address and
            # let the trace supply registers on the following cycle.
            self._next_addr = None
            self._set_regs = True
            return
        except barf.arch.emulator.InstructionNotImplemented as err:
            print("[-] Instruction not implemented: {:#x} {}".format(
                instr.address, err.instruction))
            if self._options.abort:
                sys.exit(1)
            # Skip over the instruction and re-seed registers next cycle.
            self._next_addr = instr.address + instr.size
            self._set_regs = True
            return
        self._next_addr = next_addr
        self._set_regs = False

    def after(self):
        """Advance the trace and compare emulated registers with the recording."""
        state_curr = self._trace.current()
        self._trace.set_next_address(self._next_addr)
        state_next = self._trace.current()

        instr, _, _, regs_recorded = state_curr
        _, _, _, regs_expected = state_next

        if self._options.verbose:
            asm_text = format_asm_instruction(instr, self._options)
            print("{:#010x}:\t{}".format(instr.address, asm_text))

        # No register comparison after sysenter.
        if instr.mnemonic in ("sysenter",):
            return

        if instr.mnemonic in self._undefined_flags:
            self._patch_undefined_flags(instr.mnemonic, regs_expected)

        self._verify_registers(regs_recorded, regs_expected)

    def _patch_undefined_flags(self, mnemonic, regs_expected):
        """Overwrite the emulator's undefined flag bits for *mnemonic* from the trace."""
        print("Fixing undefined flags...")
        flags_reg = self._arch.flags_register()
        emu_regs = self._emulator.ir_emulator.registers
        emu_regs[flags_reg] = fix_flags(regs_expected[flags_reg],
                                        emu_regs[flags_reg],
                                        self._undefined_flags[mnemonic],
                                        self._arch)

    def _verify_registers(self, regs_recorded, regs_expected):
        """Report a context mismatch; abort or schedule a register re-seed per options."""
        emu_regs = self._emulator.ir_emulator.registers
        if compare_contexts(regs_recorded, regs_expected, emu_regs):
            return
        print("Contexts don't match!\n\n")
        print(print_contexts(regs_recorded, regs_expected, emu_regs,
                             skip=["eax_next", "rax_next"]))
        if self._options.abort:
            sys.exit(1)
        self._set_regs = True

    def finalize(self):
        """Release the trace."""
        self._trace.close()
class AsmReplayAnalyzer(AsmTraceAnalyzer):
    """Replay an x86 trace through the REIL emulator and diff register state.

    For every trace entry the hooks run ``before`` (seed emulator memory and,
    when needed, registers from the trace), ``analyze`` (emulate the
    instruction) and ``after`` (advance the trace and compare the emulated
    registers with the recorded ones).  A mismatch or an unimplemented
    instruction either ends the run (``options.abort``) or re-seeds the
    registers from the trace on the next cycle.  The hook-calling order is
    owned by ``AsmTraceAnalyzer`` (not shown here) — confirm there.
    """

    def __init__(self, arch, trace, start_address, options):
        """Set up the emulator and the replay bookkeeping.

        Args:
            arch: architecture description; its ``architecture_mode``
                selects the x86 disassembler/translator variant and its
                ``flags_register()`` names the flags register.
            trace: recorded trace handed to ``AsmTraceAnalyzer``.
            start_address: address of the first trace entry to replay.
            options: run options; ``abort`` and ``verbose`` are read here.
        """
        AsmTraceAnalyzer.__init__(self, arch, trace)
        self._options = options
        mode = arch.architecture_mode
        self._emulator = Emulator(arch,
                                  ReilEmulator(arch),
                                  X86Translator(mode),
                                  X86Disassembler(mode))
        # Flags treated as undefined after each mnemonic; they are taken
        # from the trace instead of being compared.  "unverified" entries
        # were marked TODO in the original.
        self._undefined_flags = {
            "bsf": ["cf", "of", "sf", "af", "pf"],
            "bt": ["pf"],                               # unverified
            "div": ["cf", "of", "sf", "zf", "af", "pf"],
            "imul": ["pf"],                             # unverified
            "shl": ["of"],                              # unverified
            "shr": ["of"],                              # unverified
        }
        # Seed registers from the trace before the first instruction.
        self._set_regs = True
        self._next_addr = start_address

    def initialize(self):
        """Position the trace on the first entry to replay."""
        self._trace.set_next_address(self._next_addr)

    def before(self):
        """Load the recorded memory reads (and registers, when flagged) into the emulator."""
        _, _, mem_reads, reg_state = self._trace.current()
        # Registers are re-seeded after a syscall or a failed emulation.
        if self._set_regs:
            print("[+] Setting registers...")
            self._emulator.set_registers(reg_state)
        self._emulator.set_memory(mem_reads)

    def analyze(self):
        """Emulate the current trace instruction and record where to go next."""
        instr, _, _, _ = self._trace.current()
        try:
            next_addr = self._emulator.execute(instr)
        except barf.arch.emulator.Syscall:
            # Syscall effects are not emulated: drop the next address and
            # let the trace supply registers on the following cycle.
            self._next_addr = None
            self._set_regs = True
            return
        except barf.arch.emulator.InstructionNotImplemented as err:
            print("[-] Instruction not implemented: {:#x} {}".format(
                instr.address, err.instruction))
            if self._options.abort:
                sys.exit(1)
            # Skip over the instruction and re-seed registers next cycle.
            self._next_addr = instr.address + instr.size
            self._set_regs = True
            return
        self._next_addr = next_addr
        self._set_regs = False

    def after(self):
        """Advance the trace and compare emulated registers with the recording."""
        state_curr = self._trace.current()
        self._trace.set_next_address(self._next_addr)
        state_next = self._trace.current()

        instr, _, _, regs_recorded = state_curr
        _, _, _, regs_expected = state_next

        if self._options.verbose:
            asm_text = format_asm_instruction(instr, self._options)
            print("{:#010x}:\t{}".format(instr.address, asm_text))

        # No register comparison after sysenter.
        if instr.mnemonic in ("sysenter",):
            return

        if instr.mnemonic in self._undefined_flags:
            self._patch_undefined_flags(instr.mnemonic, regs_expected)

        self._verify_registers(regs_recorded, regs_expected)

    def _patch_undefined_flags(self, mnemonic, regs_expected):
        """Overwrite the emulator's undefined flag bits for *mnemonic* from the trace."""
        print("Fixing undefined flags...")
        flags_reg = self._arch.flags_register()
        emu_regs = self._emulator.ir_emulator.registers
        emu_regs[flags_reg] = fix_flags(regs_expected[flags_reg],
                                        emu_regs[flags_reg],
                                        self._undefined_flags[mnemonic],
                                        self._arch)

    def _verify_registers(self, regs_recorded, regs_expected):
        """Report a context mismatch; abort or schedule a register re-seed per options."""
        emu_regs = self._emulator.ir_emulator.registers
        if compare_contexts(regs_recorded, regs_expected, emu_regs):
            return
        print("Contexts don't match!\n\n")
        print(print_contexts(regs_recorded, regs_expected, emu_regs,
                             skip=["eax_next", "rax_next"]))
        if self._options.abort:
            sys.exit(1)
        self._set_regs = True

    def finalize(self):
        """Release the trace."""
        self._trace.close()