コード例 #1
ファイル: simplecfi.py プロジェクト: jinhojun/elf-mlsploit
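    def function_to_ret_locations(self, ff):
        """Return the location and operand of every ``ret`` that ends *ff*.

        Each entry of ``ff.ret_sites`` is lifted to a block and its last
        instruction is inspected. The function is accepted only when
        ``cfg_utils.is_sane_function`` approves it, it has at least one
        return site, and every return site ends in an instruction whose
        mnemonic is exactly ``ret``.

        Returns:
            A set of ``(address, offset)`` integer pairs, where ``offset`` is
            the ``ret`` operand parsed as hexadecimal (0 for a bare ``ret``),
            or an empty list when the function is rejected.

        NOTE(review): a rejected function yields no locations and the only
        trace is a debug-level log line, so it presumably stays without
        return-site instrumentation. Confirm how callers treat the empty
        result and consider reporting skipped functions at a visible level.
        """
        if cfg_utils.is_sane_function(ff):
            ends = set()
            for ret_site in ff.ret_sites:
                bb = self.patcher.project.factory.block(ret_site.addr)
                last_instruction = bb.capstone.insns[-1]
                # Only the exact mnemonic "ret" is accepted; any other
                # spelling of a return rejects the whole function.
                if last_instruction.mnemonic != u"ret":
                    l.debug(
                        "bb at %s does not terminate with a ret in function %s"
                        % (hex(int(bb.addr)), ff.name))
                    break
                # A bare `ret` has an empty operand string; otherwise the
                # operand text is parsed as a base-16 number.
                operand = last_instruction.op_str
                offset = 0 if operand == "" else int(operand, 16)
                # int() normalises the address type (avoids "long" problems).
                ends.add((int(last_instruction.address), offset))
            else:
                # Reached only when no return site broke out of the loop.
                if ends:
                    return ends
                l.debug("cannot find any ret in function %s" % ff.name)

        l.debug("function %s has problems and cannot be patched" % ff.name)
        return []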
コード例 #2
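    def function_to_patch_locations(self, ff):
        """Return the entry address and ``ret`` addresses of *ff* for patching.

        A function is eligible only when it passes
        ``cfg_utils.is_sane_function``, is not detected as a syscall wrapper
        or a floating-point function, and its address is not in
        ``self.safe_functions``. Eligible functions recognised as ``longjmp``
        or ``setjmp`` are not patched; their address is recorded in
        ``self.found_longjmp`` / ``self.found_setjmp`` instead.

        Returns:
            ``(start_address, ret_addresses)`` with an ``int`` and a list of
            ``int`` when every return site ends in ``ret``; otherwise
            ``(None, None)``.

        NOTE(review): every rejection path ends in ``(None, None)`` with only
        a debug-level log line, so the function presumably keeps running
        without the patch. Confirm the caller's handling and consider
        reporting skipped functions at a visible level, since each one is a
        gap in the protection's coverage.
        """
        # TODO tail-call is handled lazily just by considering jumping out functions as not sane
        eligible = (
            cfg_utils.is_sane_function(ff)
            and cfg_utils.detect_syscall_wrapper(self.patcher, ff) is None
            and not cfg_utils.is_floatingpoint_function(self.patcher, ff)
            and ff.addr not in self.safe_functions
        )
        if eligible:
            if cfg_utils.is_longjmp(self.patcher, ff):
                self.found_longjmp = ff.addr
            elif cfg_utils.is_setjmp(self.patcher, ff):
                self.found_setjmp = ff.addr
            else:
                start = ff.startpoint
                ends = set()
                for ret_site in ff.ret_sites:
                    bb = self.patcher.project.factory.fresh_block(
                        ret_site.addr, ret_site.size)
                    last_instruction = bb.capstone.insns[-1]
                    # Only the exact mnemonic "ret" is accepted; any other
                    # spelling of a return rejects the whole function.
                    if last_instruction.mnemonic != u"ret":
                        msg = "bb at %s does not terminate with a ret in function %s"
                        l.debug(msg % (hex(int(bb.addr)), ff.name))
                        break
                    ends.add(last_instruction.address)
                else:
                    # Reached only when no return site broke out of the loop.
                    if ends:
                        # int() avoids "long" problems. A real list is built
                        # because under Python 3 `map` would hand back a
                        # one-shot iterator that has no length and is
                        # exhausted after a single pass.
                        return int(start.addr), [int(end) for end in ends]
                    l.debug("cannot find any ret in function %s" % ff.name)

        l.debug("function %s has problems and cannot be patched" % ff.name)
        return None, None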
コード例 #3
ファイル: shadowstack.py プロジェクト: jinhojun/elf-mlsploit
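 def function_to_canary_locations(self,ff):
     """Return the entry address and return-instruction addresses of *ff*.

     The function is accepted only when ``cfg_utils.is_sane_function``
     approves it, it has at least one return site, and every return site
     ends in an instruction whose mnemonic is ``ret`` or ``retl``.

     Returns:
         ``(start_address, ret_addresses)`` with an ``int`` and a list of
         ``int`` on success; otherwise ``(None, None)``.

     NOTE(review): a rejected function yields ``(None, None)`` with only a
     debug-level log line, so it presumably runs without the
     instrumentation placed at these locations. Confirm the caller's
     handling and consider reporting skipped functions at a visible level.
     """
     if cfg_utils.is_sane_function(ff):
         start = ff.startpoint
         ends = set()
         for ret_site in ff.ret_sites:
             bb = self.patcher.project.factory.block(ret_site.addr)
             last_instruction = bb.capstone.insns[-1]
             # Any terminator other than these two mnemonics rejects the
             # whole function, not just this return site.
             if last_instruction.mnemonic not in ("ret", "retl"):
                 l.debug("bb at %s does not terminate with a ret in function %s" % (hex(int(bb.addr)),ff.name))
                 break
             ends.add(last_instruction.address)
         else:
             # Reached only when no return site broke out of the loop.
             if ends:
                 # int() avoids "long" problems. A real list is built because
                 # under Python 3 `map` would hand back a one-shot iterator
                 # that has no length and is exhausted after a single pass.
                 return int(start.addr), [int(end) for end in ends]
             l.debug("cannot find any ret in function %s" %ff.name)

     l.debug("function %s has problems and cannot be patched" % ff.name)
     return None, None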