def has_tainted_operands(operands, taint_id): # type: (list[manticore.core.cpu.abstractcpu.Operand], object) -> bool for operand in operands: op = operand.read() if issymbolic(op) and taint_id in op.taint: return True return False
def did_write_memory_callback(self, state, where, value, size): if not self.active: return write = self.get_next("mem_write") if not issymbolic(value): return assert write["where"] == where and write["size"] == size state.constrain(value == write["value"])
def did_write_memory_callback(self, state, where, value, size): if not self.active: return write = self.get_next('mem_write') if not issymbolic(value): return assert write['where'] == where and write['size'] == size state.constrain(value == write['value'])
def did_execute_instruction_callback(self, state, last_pc, pc, insn): if not self.active: return event = self.get_next('regs') self.last_instruction = event['values'] if issymbolic(pc): state.constrain(state.cpu.RIP == self.last_instruction['RIP']) else: for start, stop in self.symbolic_ranges: if start <= pc <= stop: self.active = False
def has_tainted_flags(state, cc): if cc == cs.arm.ARM_CC_AL: ret = [] elif cc == cs.arm.ARM_CC_EQ: ret = ['Z'] elif cc == cs.arm.ARM_CC_NE: ret = ['Z'] elif cc == cs.arm.ARM_CC_HS: ret = ['C'] elif cc == cs.arm.ARM_CC_LO: ret = ['C'] elif cc == cs.arm.ARM_CC_MI: ret = ['N'] elif cc == cs.arm.ARM_CC_PL: ret = ['N'] elif cc == cs.arm.ARM_CC_VS: ret = ['V'] elif cc == cs.arm.ARM_CC_VC: ret = ['V'] elif cc == cs.arm.ARM_CC_HI: ret = ['C', 'Z'] elif cc == cs.arm.ARM_CC_LS: ret = ['C', 'Z'] elif cc == cs.arm.ARM_CC_GE: ret = ['N', 'V'] elif cc == cs.arm.ARM_CC_LT: ret = ['N', 'V'] elif cc == cs.arm.ARM_CC_GT: ret = ['Z', 'N', 'V'] elif cc == cs.arm.ARM_CC_LE: ret = ['Z', 'N', 'V'] for flag in ret: flag_name = 'APSR_{}'.format(flag) flag_val = state.cpu.regfile.read(flag_name) if issymbolic(flag_val) and taint_id in flag_val.taint: return True return False
def is_symbolic(self, val): return manticore.issymbolic(val)
def concrete_checker(state): """ initial checker hook for SANDSHREW_sym that checks for the presence of symbolic input. If so, an unconstrained hook is attached to the memory location to restore symbolic state after concretization """ cpu = state.cpu with m.locked_context() as context: logging.debug( f"Entering target function SANDSHREW_{sym} at {hex(state.cpu.PC)}" ) # check if RSI, the assumed input arg, is symbolic data = cpu.read_int(cpu.RSI) if issymbolic(data): logging.debug( f"Symbolic input parameter to function {sym}() detected" ) # store instruction after `call SANDSHREW_*` return_pc = context["trace"][-1] + 5 # attach a hook to the return_pc, as this is where we will perform concolic execution @m.hook(return_pc) def unconstrain_hook(state): """ unconstrain_hook writes unconstrained symbolic data to the memory location of the output. """ with m.locked_context() as context: # output param is RDI, symbolicate RAX context["return_addr"] = cpu.RAX logging.debug( f"Writing unconstrained buffer to output memory location" ) # initialize unconstrained symbolic input return_buf = state.new_symbolic_buffer(BUFFER_SIZE) # apply charset constraints based on user input for i in range(BUFFER_SIZE): if args.constraint == "alpha": state.constrain( operators.OR( operators.AND( ord("A") <= return_buf[i], return_buf[i] <= ord("Z")), operators.AND( ord("a") <= return_buf[i], return_buf[i] <= ord("z")), )) elif args.constraint == "num": state.constrain( operators.AND( ord("0") <= return_buf[i], return_buf[i] <= ord("9"))) elif args.constraint == "alphanum": raise NotImplementedError( "alphanum constraint set not yet implemented" ) elif args.constraint == "ascii": state.constrain( operators.AND( ord(" ") <= return_buf[i], return_buf[i] <= ord("}"))) # write to address state.cpu.write_bytes(context["return_addr"], return_buf)
def test_issymbolic_neg(self): v = 1 self.assertFalse(issymbolic(v))
def test_issymbolic(self): v = BitVecVariable(32, 'sym') self.assertTrue(issymbolic(v))
def has_tainted_operands(operands): for operand in operands: op = operand.read() if issymbolic(op) and taint_id in op.taint: return True return False
def test_issymbolic(self): v = BitVecVariable(size=32, name="sym") self.assertTrue(issymbolic(v))