def reset(self):
triton.resetEngines()
triton.clearPathConstraints()
triton.setArchitecture(self.arch)
triton.enableMode(triton.MODE.ALIGNED_MEMORY, True)
triton.enableMode(triton.MODE.ONLY_ON_SYMBOLIZED, True)
triton.addCallback(self.memoryCaching,
triton.CALLBACK.GET_CONCRETE_MEMORY_VALUE)
triton.addCallback(self.constantFolding,
triton.CALLBACK.SYMBOLIC_SIMPLIFICATION)
for r in self.regs:
if r in self.triton_regs:
triton.setConcreteRegisterValue(
triton.Register(self.triton_regs[r], self.regs[r] & ((1 << self.triton_regs[r].getBitSize()) - 1))
)
for m in cache:
self.write_mem(m['start'], m["data"])
for address in self.inputs:
self.inputs[address] = triton.convertMemoryToSymbolicVariable(
triton.MemoryAccess(
address,
triton.CPUSIZE.BYTE
)
)
def test_taint_assignement_memory_register(self):
"""Check tainting assignment memory <- register."""
setArchitecture(ARCH.X86_64)
taintMemory(MemoryAccess(0x2000, 8))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 8)))
taintAssignmentMemoryRegister(MemoryAccess(0x2002, 2), REG.AX)
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2001, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2002, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2003, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2004, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2005, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2006, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2007, 1)))
taintMemory(MemoryAccess(0x2000, 8))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 8)))
taintAssignmentMemoryRegister(MemoryAccess(0x1fff, 8), REG.RAX)
self.assertFalse(isMemoryTainted(MemoryAccess(0x1fff, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2001, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2002, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2003, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2004, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2005, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2006, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2007, 1)))
def reset(self):
triton.resetEngines()
triton.clearPathConstraints()
triton.setArchitecture(self.arch)
triton.enableMode(triton.MODE.ALIGNED_MEMORY, True)
triton.enableMode(triton.MODE.ONLY_ON_SYMBOLIZED, True)
triton.addCallback(self.memoryCaching,
triton.CALLBACK.GET_CONCRETE_MEMORY_VALUE)
triton.addCallback(self.constantFolding,
triton.CALLBACK.SYMBOLIC_SIMPLIFICATION)
for r in self.regs:
if r in self.triton_regs:
triton.setConcreteRegisterValue(
triton.Register(
self.triton_regs[r], self.regs[r] &
((1 << self.triton_regs[r].getBitSize()) - 1)))
for m in cache:
self.write_mem(m['start'], m["data"])
for address in self.inputs:
self.inputs[address] = triton.convertMemoryToSymbolicVariable(
triton.MemoryAccess(address, triton.CPUSIZE.BYTE))
def __init__(self, context=None):
self.r2p = R2Plugin("pimp", self)
arch = self.r2p.arch
bits = self.r2p.bits
self.comments = {}
self.arch = tritonarch[arch][bits]
self.inputs = {}
self.regs = {}
triton.setArchitecture(self.arch)
triton.setAstRepresentationMode(triton.AST_REPRESENTATION.PYTHON)
# Hack in order to be able to get triton register ids by name
self.triton_regs = {}
for r in triton.getAllRegisters():
self.triton_regs[r.getName()] = r
if self.arch == triton.ARCH.X86:
self.pcreg = triton.REG.EIP
elif self.arch == triton.ARCH.X86_64:
self.pcreg = triton.REG.RIP
else:
raise (ValueError("Architecture not implemented"))
setattr(self.memoryCaching, "memsolver", self.r2p)
def test_taint_union_register_memory(self):
"""Check tainting union register U memory."""
setArchitecture(ARCH.X86_64)
self.assertFalse(isRegisterTainted(REG.RAX))
taintRegister(REG.RAX)
self.assertTrue(isRegisterTainted(REG.RAX))
taintUnionRegisterMemory(REG.RAX, MemoryAccess(0x2000, 4))
self.assertTrue(isRegisterTainted(REG.RAX))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))
untaintRegister(REG.RAX)
self.assertFalse(isRegisterTainted(REG.RAX))
taintUnionRegisterMemory(REG.RAX, MemoryAccess(0x2000, 4))
self.assertFalse(isRegisterTainted(REG.RAX))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))
# !T U T
untaintRegister(REG.RAX)
taintMemory(MemoryAccess(0x2000, 4))
taintUnionRegisterMemory(REG.RAX, MemoryAccess(0x2000, 4))
self.assertTrue(isRegisterTainted(REG.RAX))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
# T U T
taintRegister(REG.RAX)
taintMemory(MemoryAccess(0x2000, 4))
taintUnionRegisterMemory(REG.RAX, MemoryAccess(0x2000, 4))
self.assertTrue(isRegisterTainted(REG.RAX))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
def test_taint_union_register_register(self):
"""Check tainting union register U register."""
setArchitecture(ARCH.X86_64)
self.assertFalse(isRegisterTainted(REG.RAX))
taintRegister(REG.RAX)
self.assertTrue(isRegisterTainted(REG.RAX))
taintUnionRegisterRegister(REG.RAX, REG.RBX)
self.assertTrue(isRegisterTainted(REG.RAX))
self.assertFalse(isRegisterTainted(REG.RBX))
taintRegister(REG.RBX)
taintUnionRegisterRegister(REG.RAX, REG.RBX)
self.assertTrue(isRegisterTainted(REG.RAX))
self.assertTrue(isRegisterTainted(REG.RBX))
untaintRegister(REG.RAX)
taintRegister(REG.RBX)
taintUnionRegisterRegister(REG.RAX, REG.RBX)
self.assertTrue(isRegisterTainted(REG.RAX))
self.assertTrue(isRegisterTainted(REG.RBX))
untaintRegister(REG.RAX)
untaintRegister(REG.RBX)
taintUnionRegisterRegister(REG.RAX, REG.RBX)
self.assertFalse(isRegisterTainted(REG.RAX))
self.assertFalse(isRegisterTainted(REG.RBX))
def test_taint_assignement_memory_register(self):
"""Check tainting assignment memory <- register."""
setArchitecture(ARCH.X86_64)
taintMemory(MemoryAccess(0x2000, 8))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 8)))
taintAssignmentMemoryRegister(MemoryAccess(0x2002, 2), REG.AX)
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2001, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2002, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2003, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2004, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2005, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2006, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2007, 1)))
taintMemory(MemoryAccess(0x2000, 8))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 8)))
taintAssignmentMemoryRegister(MemoryAccess(0x1fff, 8), REG.RAX)
self.assertFalse(isMemoryTainted(MemoryAccess(0x1fff, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2001, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2002, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2003, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2004, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2005, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2006, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2007, 1)))
def test_taint_union_register_memory(self):
"""Check tainting union register U memory."""
setArchitecture(ARCH.X86_64)
self.assertFalse(isRegisterTainted(REG.RAX))
taintRegister(REG.RAX)
self.assertTrue(isRegisterTainted(REG.RAX))
taintUnionRegisterMemory(REG.RAX, MemoryAccess(0x2000, 4))
self.assertTrue(isRegisterTainted(REG.RAX))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))
untaintRegister(REG.RAX)
self.assertFalse(isRegisterTainted(REG.RAX))
taintUnionRegisterMemory(REG.RAX, MemoryAccess(0x2000, 4))
self.assertFalse(isRegisterTainted(REG.RAX))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))
# !T U T
untaintRegister(REG.RAX)
taintMemory(MemoryAccess(0x2000, 4))
taintUnionRegisterMemory(REG.RAX, MemoryAccess(0x2000, 4))
self.assertTrue(isRegisterTainted(REG.RAX))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
# T U T
taintRegister(REG.RAX)
taintMemory(MemoryAccess(0x2000, 4))
taintUnionRegisterMemory(REG.RAX, MemoryAccess(0x2000, 4))
self.assertTrue(isRegisterTainted(REG.RAX))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
def test_taint_union_register_register(self):
"""Check tainting union register U register."""
setArchitecture(ARCH.X86_64)
self.assertFalse(isRegisterTainted(REG.RAX))
taintRegister(REG.RAX)
self.assertTrue(isRegisterTainted(REG.RAX))
taintUnionRegisterRegister(REG.RAX, REG.RBX)
self.assertTrue(isRegisterTainted(REG.RAX))
self.assertFalse(isRegisterTainted(REG.RBX))
taintRegister(REG.RBX)
taintUnionRegisterRegister(REG.RAX, REG.RBX)
self.assertTrue(isRegisterTainted(REG.RAX))
self.assertTrue(isRegisterTainted(REG.RBX))
untaintRegister(REG.RAX)
taintRegister(REG.RBX)
taintUnionRegisterRegister(REG.RAX, REG.RBX)
self.assertTrue(isRegisterTainted(REG.RAX))
self.assertTrue(isRegisterTainted(REG.RBX))
untaintRegister(REG.RAX)
untaintRegister(REG.RBX)
taintUnionRegisterRegister(REG.RAX, REG.RBX)
self.assertFalse(isRegisterTainted(REG.RAX))
self.assertFalse(isRegisterTainted(REG.RBX))
def test_taint_union_memory_memory(self):
"""Check tainting union memory U memory."""
setArchitecture(ARCH.X86_64)
taintMemory(MemoryAccess(0x2000, 4))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
taintUnionMemoryMemory(MemoryAccess(0x2000, 4),
MemoryAccess(0x3000, 4))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x3000, 4)))
untaintMemory(MemoryAccess(0x2000, 4))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))
taintUnionMemoryMemory(MemoryAccess(0x2000, 4),
MemoryAccess(0x3000, 4))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x3000, 4)))
taintMemory(MemoryAccess(0x3000, 4))
taintUnionMemoryMemory(MemoryAccess(0x2000, 4),
MemoryAccess(0x3000, 4))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x3000, 4)))
def test_taint_assignement_memory_memory(self):
"""Check tainting assignment memory <- memory."""
setArchitecture(ARCH.X86_64)
taintMemory(MemoryAccess(0x2000, 1))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))
taintAssignmentMemoryMemory(MemoryAccess(0x1000, 1),
MemoryAccess(0x2000, 1))
self.assertTrue(isMemoryTainted(MemoryAccess(0x1000, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))
taintAssignmentMemoryMemory(MemoryAccess(0x1000, 1),
MemoryAccess(0x3000, 1))
taintAssignmentMemoryMemory(MemoryAccess(0x2000, 1),
MemoryAccess(0x3000, 1))
self.assertFalse(isMemoryTainted(MemoryAccess(0x1000, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 1)))
taintMemory(MemoryAccess(0x2000, 4))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
taintAssignmentMemoryMemory(MemoryAccess(0x2001, 2),
MemoryAccess(0x3000, 1))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2001, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2001, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))
def __init__(self, context=None):
self.r2p = None
self.comments = {}
self.arch = None
self.inputs = collections.OrderedDict()
self.regs = {}
self.triton_regs = {}
self.commands = {}
self.last_symjump = None
self.input_type = None
self.r2p = R2("pimp")
arch = self.r2p.arch
bits = self.r2p.bits
self.arch = tritonarch[arch][bits]
self.trace = collections.Counter()
triton.setArchitecture(self.arch)
triton.setAstRepresentationMode(triton.AST_REPRESENTATION.PYTHON)
# Hack in order to be able to get triton register ids by name
for r in triton.getAllRegisters():
self.triton_regs[r.getName()] = r
if self.arch == triton.ARCH.X86:
self.pcreg = triton.REG.EIP
elif self.arch == triton.ARCH.X86_64:
self.pcreg = triton.REG.RIP
else:
raise(ValueError("Architecture not implemented"))
setattr(self.memoryCaching, "memsolver", self.r2p)
def test_xmm_on_x86(self):
"""Check xmm on 32 bits arch."""
setArchitecture(ARCH.X86)
xmm = Register(REG.XMM1, 0x112233445566778899aabbccddeeff00)
self.assertEqual(xmm.getBitSize(), 128)
self.assertEqual(xmm.getConcreteValue(),
0x112233445566778899aabbccddeeff00)
def test_xmm_on_x86(self):
"""Check xmm on 32 bits arch."""
setArchitecture(ARCH.X86)
xmm = Register(REG.XMM1, 0x112233445566778899aabbccddeeff00)
self.assertEqual(xmm.getBitSize(), 128)
self.assertEqual(xmm.getConcreteValue(),
0x112233445566778899aabbccddeeff00)
def test_parent(self):
"""Check parent register on multiple arch."""
self.assertEqual(self.reg.getParent().getName(), "rax")
setArchitecture(ARCH.X86)
self.reg = REG.AH
self.assertEqual(self.reg.getParent().getName(), "eax")
self.assertEqual(self.reg.getParent().getBitSize(), 32)
def test_parent(self):
"""Check parent register on multiple arch."""
self.assertEqual(self.reg.getParent().getName(), "rax")
setArchitecture(ARCH.X86)
self.reg = REG.AH
self.assertEqual(self.reg.getParent().getName(), "eax")
self.assertEqual(self.reg.getParent().getBitSize(), 32)
def setUp(self):
"""Define and process the instruction to test."""
setArchitecture(ARCH.X86_64)
self.inst = Instruction()
self.inst.setOpcodes("\x48\x01\xd8") # add rax, rbx
self.inst.setAddress(0x400000)
self.inst.updateContext(Register(REG.RAX, 0x1122334455667788))
self.inst.updateContext(Register(REG.RBX, 0x8877665544332211))
processing(self.inst)
def test_taint_assignement_register_immediate(self):
"""Check tainting assignment register <- immediate."""
setArchitecture(ARCH.X86_64)
self.assertFalse(isRegisterTainted(REG.RAX))
taintRegister(REG.RAX)
self.assertTrue(isRegisterTainted(REG.RAX))
taintAssignmentRegisterImmediate(REG.RAX)
self.assertFalse(isRegisterTainted(REG.RAX))
def test_taint_assignement_register_immediate(self):
"""Check tainting assignment register <- immediate."""
setArchitecture(ARCH.X86_64)
self.assertFalse(isRegisterTainted(REG.RAX))
taintRegister(REG.RAX)
self.assertTrue(isRegisterTainted(REG.RAX))
taintAssignmentRegisterImmediate(REG.RAX)
self.assertFalse(isRegisterTainted(REG.RAX))
def test_load_ds(self):
"""Check load from ds segment."""
setArchitecture(ARCH.X86)
inst = Instruction()
# mov ax, ds:word_40213C
inst.setOpcodes("\x66\xA1\x3C\x21\x40\x00")
processing(inst)
self.assertEqual(inst.getOperands()[1].getAddress(), 0x40213C)
self.assertEqual(inst.getOperands()[1].getBitSize(), 16)
def test_taint_union_memory_immediate(self):
"""Check tainting union memory U immediate."""
setArchitecture(ARCH.X86_64)
taintMemory(MemoryAccess(0x2000, 4))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
taintUnionMemoryImmediate(MemoryAccess(0x2000, 4))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
untaintMemory(MemoryAccess(0x2000, 4))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))
def test_known_issues(self):
"""Check tainting result after processing."""
setArchitecture(ARCH.X86)
taintRegister(REG.EAX)
inst = Instruction()
# lea eax,[esi+eax*1]
inst.setOpcodes("\x8D\x04\x06")
processing(inst)
self.assertTrue(isRegisterTainted(REG.EAX))
self.assertFalse(isRegisterTainted(REG.EBX))
def test_known_issues(self):
"""Check tainting result after processing."""
setArchitecture(ARCH.X86)
taintRegister(REG.EAX)
inst = Instruction()
# lea eax,[esi+eax*1]
inst.setOpcodes("\x8D\x04\x06")
processing(inst)
self.assertTrue(isRegisterTainted(REG.EAX))
self.assertFalse(isRegisterTainted(REG.EBX))
def test_taint_union_register_immediate(self):
"""Check tainting union register U immediate."""
setArchitecture(ARCH.X86_64)
self.assertFalse(isRegisterTainted(REG.RAX))
taintRegister(REG.RAX)
self.assertTrue(isRegisterTainted(REG.RAX))
taintUnionRegisterImmediate(REG.RAX)
self.assertTrue(isRegisterTainted(REG.RAX))
untaintRegister(REG.RAX)
self.assertFalse(isRegisterTainted(REG.RAX))
taintUnionRegisterImmediate(REG.RAX)
self.assertFalse(isRegisterTainted(REG.RAX))
def test_taint_union_register_immediate(self):
"""Check tainting union register U immediate."""
setArchitecture(ARCH.X86_64)
self.assertFalse(isRegisterTainted(REG.RAX))
taintRegister(REG.RAX)
self.assertTrue(isRegisterTainted(REG.RAX))
taintUnionRegisterImmediate(REG.RAX)
self.assertTrue(isRegisterTainted(REG.RAX))
untaintRegister(REG.RAX)
self.assertFalse(isRegisterTainted(REG.RAX))
taintUnionRegisterImmediate(REG.RAX)
self.assertFalse(isRegisterTainted(REG.RAX))
def setUp(self):
# Initialize the engine
TT.setArchitecture(TT.ARCH.X86)
self.mba8 = MBA(8)
self.mba16 = MBA(16)
self.mba8.use_esf = True
self.mba16.use_esf = True
# Useful variables using duringtests
self.x8_t = TAst.variable(TT.newSymbolicVariable(8))
self.y8_t = TAst.variable(TT.newSymbolicVariable(8))
self.x16_t = TAst.variable(TT.newSymbolicVariable(16))
self.y16_t = TAst.variable(TT.newSymbolicVariable(16))
self.x8 = self.mba8.var(self.x8_t.getValue())
self.y8 = self.mba8.var(self.y8_t.getValue())
self.x16 = self.mba16.var(self.x16_t.getValue())
self.y16 = self.mba16.var(self.y16_t.getValue())
def test_load_immediate_fs(self):
"""Check load from fs segment with immediate."""
setArchitecture(ARCH.X86_64)
inst = Instruction()
# mov eax, DWORD PTR fs:0xffffffffffffdf98
inst.setOpcodes("\x64\x8B\x04\x25\x98\xDF\xFF\xFF")
inst.setAddress(0x400000)
setConcreteRegisterValue(Register(REG.FS, 0x7fffda8ab700))
processing(inst)
self.assertTrue(inst.getLoadAccess())
load, _ = inst.getLoadAccess()[0]
self.assertEqual(load.getAddress(), 0x7fffda8a9698)
self.assertEqual(load.getBitSize(), 32)
def test_taint_get_tainted_registers(self):
"""Get tainted registers"""
setArchitecture(ARCH.X86_64)
r = getTaintedRegisters()
self.assertTrue(len(r) == 0)
taintRegister(REG.EAX)
taintRegister(REG.AX)
taintRegister(REG.RBX)
taintRegister(REG.CL)
taintRegister(REG.DI)
r = getTaintedRegisters()
self.assertTrue(REG.RAX in r)
self.assertTrue(REG.RBX in r)
self.assertTrue(REG.RCX in r)
self.assertTrue(REG.RDI in r)
def test_taint_get_tainted_registers(self):
"""Get tainted registers"""
setArchitecture(ARCH.X86_64)
r = getTaintedRegisters()
self.assertTrue(len(r) == 0)
taintRegister(REG.EAX)
taintRegister(REG.AX)
taintRegister(REG.RBX)
taintRegister(REG.CL)
taintRegister(REG.DI)
r = getTaintedRegisters()
self.assertTrue(REG.RAX in r)
self.assertTrue(REG.RBX in r)
self.assertTrue(REG.RCX in r)
self.assertTrue(REG.RDI in r)
def test_pop_esp(self):
"""Check pop on esp processing."""
setArchitecture(ARCH.X86)
# mov esp, 0x19fe00
inst1 = Instruction('\xBC\x00\xFE\x19\x00')
# mov dword ptr [esp], 0x11111111
inst2 = Instruction('\xC7\x04\x24\x11\x11\x11\x11')
# pop dword ptr [esp]
inst3 = Instruction('\x8F\x04\x24')
processing(inst1)
processing(inst2)
processing(inst3)
self.assertEqual(inst3.getOperands()[0].getAddress(), 0x19fe04, "esp has been poped")
self.assertEqual(inst3.getOperands()[0].getConcreteValue(), 0x11111111, "new value is still 0x11111111")
self.assertEqual(inst3.getStoreAccess()[0][0].getAddress(), 0x19fe04, "inst3 set the value in 0x19fe04")
self.assertEqual(inst3.getStoreAccess()[0][1].evaluate(), 0x11111111, "And this value is 0x11111111")
def test_load_indirect_fs(self):
"""Check load from fs with indirect address."""
setArchitecture(ARCH.X86_64)
inst = Instruction()
# mov rax, QWORD PTR fs:[rax]
inst.setOpcodes("\x64\x48\x8B\x00")
inst.setAddress(0x400000)
setConcreteRegisterValue(Register(REG.FS, 0x7fffda8ab700))
setConcreteRegisterValue(Register(REG.RAX, 0xffffffffffffdf90))
processing(inst)
self.assertTrue(inst.getLoadAccess())
load, _ = inst.getLoadAccess()[0]
self.assertEqual(load.getAddress(), 0x7fffda8a9690)
self.assertEqual(load.getBitSize(), 64)
def test_taint_assignement_register_memory(self):
"""Check tainting assignment register <- memory."""
setArchitecture(ARCH.X86_64)
self.assertFalse(isRegisterTainted(REG.RAX))
taintRegister(REG.RAX)
self.assertTrue(isRegisterTainted(REG.RAX))
taintAssignmentRegisterMemory(REG.RAX, MemoryAccess(0x2000, 8))
self.assertFalse(isRegisterTainted(REG.RAX))
taintMemory(MemoryAccess(0x2000, 8))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 8)))
taintAssignmentRegisterMemory(REG.RAX, MemoryAccess(0x2000, 8))
self.assertTrue(isRegisterTainted(REG.RAX))
taintAssignmentRegisterMemory(REG.RAX, MemoryAccess(0x3000, 8))
self.assertFalse(isRegisterTainted(REG.RAX))
def test_taint_register(self):
"""Check over tainting register."""
setArchitecture(ARCH.X86_64)
self.assertFalse(isRegisterTainted(REG.RAX))
taintRegister(REG.RAX)
self.assertTrue(isRegisterTainted(REG.RAX))
untaintRegister(REG.RAX)
self.assertFalse(isRegisterTainted(REG.RAX))
taintRegister(REG.AH)
self.assertTrue(isRegisterTainted(REG.RAX))
self.assertTrue(isRegisterTainted(REG.EAX))
self.assertTrue(isRegisterTainted(REG.AX))
untaintRegister(REG.AH)
self.assertFalse(isRegisterTainted(REG.RAX))
self.assertFalse(isRegisterTainted(REG.EAX))
self.assertFalse(isRegisterTainted(REG.AX))
def test_taint_assignement_register_memory(self):
"""Check tainting assignment register <- memory."""
setArchitecture(ARCH.X86_64)
self.assertFalse(isRegisterTainted(REG.RAX))
taintRegister(REG.RAX)
self.assertTrue(isRegisterTainted(REG.RAX))
taintAssignmentRegisterMemory(REG.RAX, MemoryAccess(0x2000, 8))
self.assertFalse(isRegisterTainted(REG.RAX))
taintMemory(MemoryAccess(0x2000, 8))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 8)))
taintAssignmentRegisterMemory(REG.RAX, MemoryAccess(0x2000, 8))
self.assertTrue(isRegisterTainted(REG.RAX))
taintAssignmentRegisterMemory(REG.RAX, MemoryAccess(0x3000, 8))
self.assertFalse(isRegisterTainted(REG.RAX))
def test_taint_register(self):
"""Check over tainting register."""
setArchitecture(ARCH.X86_64)
self.assertFalse(isRegisterTainted(REG.RAX))
taintRegister(REG.RAX)
self.assertTrue(isRegisterTainted(REG.RAX))
untaintRegister(REG.RAX)
self.assertFalse(isRegisterTainted(REG.RAX))
taintRegister(REG.AH)
self.assertTrue(isRegisterTainted(REG.RAX))
self.assertTrue(isRegisterTainted(REG.EAX))
self.assertTrue(isRegisterTainted(REG.AX))
untaintRegister(REG.AH)
self.assertFalse(isRegisterTainted(REG.RAX))
self.assertFalse(isRegisterTainted(REG.EAX))
self.assertFalse(isRegisterTainted(REG.AX))
def test_mov_xmm_to_memory(self):
"""Check move and xmm register to memory do not crash."""
setArchitecture(ARCH.X86_64)
# movhpd QWORD PTR [rax], xmm1
processing(Instruction("\x66\x0F\x17\x08"))
# movhpd xmm1, QWORD PTR [rax]
processing(Instruction("\x66\x0F\x16\x08"))
# movhps QWORD PTR [rax], xmm1
processing(Instruction("\x0F\x17\x08"))
# movhps xmm1, QWORD PTR [rax]
processing(Instruction("\x0F\x16\x08"))
# movlpd QWORD PTR [rax], xmm1
processing(Instruction("\x66\x0F\x13\x08"))
# movlpd xmm1, QWORD PTR [rax]
processing(Instruction("\x66\x0F\x12\x08"))
# movlps QWORD PTR [rax], xmm1
processing(Instruction("\x0F\x13\x08"))
# movlps xmm1, QWORD PTR [rax]
processing(Instruction("\x0F\x12\x08"))
def test_urem(self):
code = [
"\xbf\xAB\x00\x00\x00", # mov edi, 0xAB
"\xf7\xff", # idiv edi
"\x83\xfa\x00" # cmp edx, 0x00
]
TT.setArchitecture(TT.ARCH.X86_64)
rax = TT.convertRegisterToSymbolicVariable(TT.REG.RAX)
rax = tritonast2arybo(TAst.variable(rax))
rdx = TT.convertRegisterToSymbolicVariable(TT.REG.RDX)
rdx = tritonast2arybo(TAst.variable(rdx))
for opcodes in code:
inst = TT.Instruction(opcodes)
TT.processing(inst)
exprs = TT.sliceExpressions(TT.getSymbolicRegisters()[TT.REG.RDX])
e = tritonexprs2arybo(exprs)
to_llvm_function(e, [rax.v, rdx.v])
def test_taint_get_tainted_memory(self):
"""Get tainted memory"""
setArchitecture(ARCH.X86_64)
m = getTaintedMemory()
self.assertTrue(len(m) == 0)
taintMemory(0x1000)
taintMemory(0x2000)
taintMemory(0x3000)
taintMemory(MemoryAccess(0x4000, 4))
m = getTaintedMemory()
self.assertTrue(0x1000 in m)
self.assertTrue(0x2000 in m)
self.assertTrue(0x3000 in m)
self.assertTrue(0x4000 in m)
self.assertTrue(0x4001 in m)
self.assertTrue(0x4002 in m)
self.assertTrue(0x4003 in m)
self.assertFalse(0x5000 in m)
def test_pop(self):
"""Check the pop instruction processing."""
setArchitecture(ARCH.X86)
# mov esp, 0x19fe00
inst1 = Instruction('\xBC\x00\xFE\x19\x00')
# mov edi, 0x19fe00
inst2 = Instruction('\xBF\x00\xFE\x19\x00')
# mov dword ptr [esp], 0x11111111
inst3 = Instruction('\xC7\x04\x24\x11\x11\x11\x11')
# pop dword ptr [edi]
inst4 = Instruction('\x8F\x07')
processing(inst1)
processing(inst2)
processing(inst3)
processing(inst4)
self.assertEqual(inst4.getOperands()[0].getAddress(), 0x19fe00, "poping edi doesn't change it")
self.assertEqual(inst4.getOperands()[0].getConcreteValue(), 0x11111111, "pointed value in edi is the previously pointed value by esp")
self.assertEqual(inst4.getStoreAccess()[0][0].getAddress(), 0x19fe00, "inst4 store the new value in 0x19fe00 (edi value)")
self.assertEqual(inst4.getStoreAccess()[0][1].evaluate(), 0x11111111, "The stored value is 0x11111111")
def test_taint_get_tainted_memory(self):
"""Get tainted memory"""
setArchitecture(ARCH.X86_64)
m = getTaintedMemory()
self.assertTrue(len(m) == 0)
taintMemory(0x1000)
taintMemory(0x2000)
taintMemory(0x3000)
taintMemory(MemoryAccess(0x4000, 4))
m = getTaintedMemory()
self.assertTrue(0x1000 in m)
self.assertTrue(0x2000 in m)
self.assertTrue(0x3000 in m)
self.assertTrue(0x4000 in m)
self.assertTrue(0x4001 in m)
self.assertTrue(0x4002 in m)
self.assertTrue(0x4003 in m)
self.assertFalse(0x5000 in m)
def test_taint_assignement_memory_immediate(self):
"""Check tainting assignment memory <- immediate."""
setArchitecture(ARCH.X86_64)
taintMemory(0x1000)
self.assertTrue(isMemoryTainted(0x1000))
taintAssignmentMemoryImmediate(MemoryAccess(0x1000, 1))
self.assertFalse(isMemoryTainted(0x1000))
taintMemory(0x1000)
self.assertTrue(isMemoryTainted(0x1000))
taintAssignmentMemoryImmediate(MemoryAccess(0x0fff, 2))
self.assertFalse(isMemoryTainted(0x1000))
taintMemory(0x1000)
self.assertTrue(isMemoryTainted(0x1000))
taintAssignmentMemoryImmediate(MemoryAccess(0x0ffe, 2))
self.assertTrue(isMemoryTainted(0x1000))
taintMemory(MemoryAccess(0x1000, 4))
self.assertTrue(isMemoryTainted(0x1000))
self.assertTrue(isMemoryTainted(0x1001))
self.assertTrue(isMemoryTainted(0x1002))
self.assertTrue(isMemoryTainted(0x1003))
self.assertFalse(isMemoryTainted(0x1004))
taintAssignmentMemoryImmediate(MemoryAccess(0x1001, 1))
self.assertTrue(isMemoryTainted(0x1000))
self.assertFalse(isMemoryTainted(0x1001))
self.assertTrue(isMemoryTainted(0x1002))
self.assertTrue(isMemoryTainted(0x1003))
taintAssignmentMemoryImmediate(MemoryAccess(0x1000, 4))
self.assertFalse(isMemoryTainted(0x1000))
self.assertFalse(isMemoryTainted(0x1001))
self.assertFalse(isMemoryTainted(0x1002))
self.assertFalse(isMemoryTainted(0x1003))
def test_taint_assignement_memory_immediate(self):
"""Check tainting assignment memory <- immediate."""
setArchitecture(ARCH.X86_64)
taintMemory(0x1000)
self.assertTrue(isMemoryTainted(0x1000))
taintAssignmentMemoryImmediate(MemoryAccess(0x1000, 1))
self.assertFalse(isMemoryTainted(0x1000))
taintMemory(0x1000)
self.assertTrue(isMemoryTainted(0x1000))
taintAssignmentMemoryImmediate(MemoryAccess(0x0fff, 2))
self.assertFalse(isMemoryTainted(0x1000))
taintMemory(0x1000)
self.assertTrue(isMemoryTainted(0x1000))
taintAssignmentMemoryImmediate(MemoryAccess(0x0ffe, 2))
self.assertTrue(isMemoryTainted(0x1000))
taintMemory(MemoryAccess(0x1000, 4))
self.assertTrue(isMemoryTainted(0x1000))
self.assertTrue(isMemoryTainted(0x1001))
self.assertTrue(isMemoryTainted(0x1002))
self.assertTrue(isMemoryTainted(0x1003))
self.assertFalse(isMemoryTainted(0x1004))
taintAssignmentMemoryImmediate(MemoryAccess(0x1001, 1))
self.assertTrue(isMemoryTainted(0x1000))
self.assertFalse(isMemoryTainted(0x1001))
self.assertTrue(isMemoryTainted(0x1002))
self.assertTrue(isMemoryTainted(0x1003))
taintAssignmentMemoryImmediate(MemoryAccess(0x1000, 4))
self.assertFalse(isMemoryTainted(0x1000))
self.assertFalse(isMemoryTainted(0x1001))
self.assertFalse(isMemoryTainted(0x1002))
self.assertFalse(isMemoryTainted(0x1003))
def test_taint_assignement_register_register(self):
"""Check tainting assignment register <- register."""
setArchitecture(ARCH.X86_64)
self.assertFalse(isRegisterTainted(REG.RAX))
taintRegister(REG.RAX)
self.assertTrue(isRegisterTainted(REG.RAX))
taintAssignmentRegisterRegister(REG.RAX, REG.RAX)
self.assertTrue(isRegisterTainted(REG.RAX))
untaintRegister(REG.RAX)
self.assertFalse(isRegisterTainted(REG.RAX))
taintAssignmentRegisterRegister(REG.RAX, REG.RAX)
self.assertFalse(isRegisterTainted(REG.RAX))
self.assertFalse(isRegisterTainted(REG.RBX))
taintRegister(REG.RBX)
self.assertTrue(isRegisterTainted(REG.RBX))
taintAssignmentRegisterRegister(REG.RAX, REG.RBX)
self.assertTrue(isRegisterTainted(REG.RAX))
def test_taint_assignement_register_register(self):
"""Check tainting assignment register <- register."""
setArchitecture(ARCH.X86_64)
self.assertFalse(isRegisterTainted(REG.RAX))
taintRegister(REG.RAX)
self.assertTrue(isRegisterTainted(REG.RAX))
taintAssignmentRegisterRegister(REG.RAX, REG.RAX)
self.assertTrue(isRegisterTainted(REG.RAX))
untaintRegister(REG.RAX)
self.assertFalse(isRegisterTainted(REG.RAX))
taintAssignmentRegisterRegister(REG.RAX, REG.RAX)
self.assertFalse(isRegisterTainted(REG.RAX))
self.assertFalse(isRegisterTainted(REG.RBX))
taintRegister(REG.RBX)
self.assertTrue(isRegisterTainted(REG.RBX))
taintAssignmentRegisterRegister(REG.RAX, REG.RBX)
self.assertTrue(isRegisterTainted(REG.RAX))
def test_taint_union_memory_register(self):
"""Check tainting union memory U register."""
setArchitecture(ARCH.X86_64)
taintMemory(MemoryAccess(0x2000, 4))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
taintUnionMemoryRegister(MemoryAccess(0x2000, 4), REG.RAX)
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
self.assertFalse(isRegisterTainted(REG.RAX))
untaintMemory(MemoryAccess(0x2000, 4))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))
self.assertFalse(isRegisterTainted(REG.RAX))
taintUnionMemoryRegister(MemoryAccess(0x2000, 4), REG.RAX)
self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))
self.assertFalse(isRegisterTainted(REG.RAX))
taintRegister(REG.RAX)
taintUnionMemoryRegister(MemoryAccess(0x2000, 4), REG.RAX)
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
self.assertTrue(isRegisterTainted(REG.RAX))
def test_taint_union_memory_register(self):
"""Check tainting union memory U register."""
setArchitecture(ARCH.X86_64)
taintMemory(MemoryAccess(0x2000, 4))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
taintUnionMemoryRegister(MemoryAccess(0x2000, 4), REG.RAX)
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
self.assertFalse(isRegisterTainted(REG.RAX))
untaintMemory(MemoryAccess(0x2000, 4))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))
self.assertFalse(isRegisterTainted(REG.RAX))
taintUnionMemoryRegister(MemoryAccess(0x2000, 4), REG.RAX)
self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))
self.assertFalse(isRegisterTainted(REG.RAX))
taintRegister(REG.RAX)
taintUnionMemoryRegister(MemoryAccess(0x2000, 4), REG.RAX)
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
self.assertTrue(isRegisterTainted(REG.RAX))
def test_taint_memory(self):
"""Check tainting memory."""
setArchitecture(ARCH.X86_64)
self.assertFalse(isMemoryTainted(0x1000))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))
taintMemory(0x1000)
taintMemory(MemoryAccess(0x2000, 4))
self.assertTrue(isMemoryTainted(0x1000))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 2)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2001, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2002, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2003, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2002, 2)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2003, 2)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x1fff, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2004, 1)))
self.assertFalse(isMemoryTainted(0x1001))
self.assertFalse(isMemoryTainted(0x0fff))
untaintMemory(0x1000)
untaintMemory(MemoryAccess(0x2000, 4))
self.assertFalse(isMemoryTainted(0x1000))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 2)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2001, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2002, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2003, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2002, 2)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2003, 2)))
def test_taint_memory(self):
"""Check tainting memory."""
setArchitecture(ARCH.X86_64)
self.assertFalse(isMemoryTainted(0x1000))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))
taintMemory(0x1000)
taintMemory(MemoryAccess(0x2000, 4))
self.assertTrue(isMemoryTainted(0x1000))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 2)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2001, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2002, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2003, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2002, 2)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2003, 2)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x1fff, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2004, 1)))
self.assertFalse(isMemoryTainted(0x1001))
self.assertFalse(isMemoryTainted(0x0fff))
untaintMemory(0x1000)
untaintMemory(MemoryAccess(0x2000, 4))
self.assertFalse(isMemoryTainted(0x1000))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 4)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 2)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2001, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2002, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2003, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2002, 2)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2003, 2)))
def test_taint_assignement_memory_memory(self):
"""Check tainting assignment memory <- memory."""
setArchitecture(ARCH.X86_64)
taintMemory(MemoryAccess(0x2000, 1))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))
taintAssignmentMemoryMemory(MemoryAccess(0x1000, 1), MemoryAccess(0x2000, 1))
self.assertTrue(isMemoryTainted(MemoryAccess(0x1000, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))
taintAssignmentMemoryMemory(MemoryAccess(0x1000, 1), MemoryAccess(0x3000, 1))
taintAssignmentMemoryMemory(MemoryAccess(0x2000, 1), MemoryAccess(0x3000, 1))
self.assertFalse(isMemoryTainted(MemoryAccess(0x1000, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2000, 1)))
taintMemory(MemoryAccess(0x2000, 4))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 4)))
taintAssignmentMemoryMemory(MemoryAccess(0x2001, 2), MemoryAccess(0x3000, 1))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2001, 1)))
self.assertFalse(isMemoryTainted(MemoryAccess(0x2001, 1)))
self.assertTrue(isMemoryTainted(MemoryAccess(0x2000, 1)))
def setUp(self):
"""Define the arch and modes."""
setArchitecture(ARCH.X86_64)
enableMode(MODE.ALIGNED_MEMORY, True)
enableMode(MODE.AST_DICTIONARIES, True)
super(TestSymboliqueEngineAlignedAst, self).setUp()
def setUp(self):
"""Define the arch and modes."""
setArchitecture(ARCH.X86_64)
enableMode(MODE.AST_DICTIONARIES, True)
super(TestSymboliqueEngineConcreteAst, self).setUp()
def setUp(self):
"""Define the architecture and memory access to check."""
setArchitecture(ARCH.X86_64)
self.mem = MemoryAccess(0x400f4d3, 8, 0x6162636465666768)
import triton as TT
from arybo.tools import triton2arybo
TT.setArchitecture(TT.ARCH.X86_64)
TT.convertRegisterToSymbolicVariable(TT.REG.RAX)
TT.convertRegisterToSymbolicVariable(TT.REG.RBX)
inst = TT.Instruction()
inst.setOpcodes("\x48\x31\xd8") # xor rax, rbx
TT.processing(inst)
rax_ast = TT.buildSymbolicRegister(TT.REG.RAX)
rax_ast = TT.getFullAst(rax_ast)
print(rax_ast)
e = triton2arybo(rax_ast)
print(e)