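def runStrings(vw, ea, uselocalagg=True):
    '''
    Emulate the function at ``ea`` once and collect the stack strings it builds.

    Returns a list of (write log entry, decoded strings) where the write log
    is the tuple (pc, va, bytes) for the instruction that wrote the first
    byte of the string.

    :param vw: vivisect workspace used to create the emulator
    :param ea: address of the function to emulate
    :param uselocalagg: when True, results are accumulated per path into a
        plain list by ``stack_track_visitor``; when False a shared
        ``StringAccumulator`` collects them and its values are returned
    :return: list of results (see above). The aggregator branch is
        materialized with ``list()`` so both branches return the same type
        instead of a dict view in one case and a list in the other.
    '''
    emu = vw.getEmulator(True, True)
    # Modify the stack base for the emulator - the default (smaller) mask
    # and frame size wasn't working for funcs with a large locals frame size.
    emu.stack_map_mask = e_bits.sign_extend(0xfff00000, 4, vw.psize)
    emu.stack_map_base = e_bits.sign_extend(0xbfb00000, 4, vw.psize)
    emu.stack_pointer = emu.stack_map_base + 16 * 4096
    # maxhit/maxloop bound the emulation so analysis of a looping or
    # deliberately pathological function still terminates.
    emu.runFunction(ea, maxhit=1, maxloop=1)
    logger = jayutils.getLogger('stack_graph')
    if uselocalagg:
        stringList = []
        jayutils.path_bfs(emu.path, stack_track_visitor, vw=vw, emu=emu,
                          logger=logger, res=stringList)
        return stringList
    agg = StringAccumulator()
    jayutils.path_bfs(emu.path, stack_track_visitor, vw=vw, emu=emu,
                      logger=logger, agg=agg)
    # list() so callers get a real list here too, not a dict view
    return list(agg.stringDict.values())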
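def getPushArgs(self, va, num, regs=None):
    '''
    Recover the arguments set up for the call instruction at ``va``.

    num -> first arg is 1, 2nd is 2, ...
    Returns a list of dicts whose key is the arg number (starting at 1, 2.. num)
    Each dict for a stack argument is a write log tuple (pc, va bytes)
    Each dict for a registry is a tuple (pc, value)

    :param va: address of the call instruction whose arguments are wanted
    :param num: number of arguments to recover
    :param regs: optional list of registers handed to ``RegMonitor``;
        treated as an empty list when omitted
    :return: whatever ``analyzeTracker`` returns, or [] when ``va`` has no
        write log entry (it must be an instruction that writes to the stack)
    '''
    if regs is None:
        regs = []
    # Function start comes from IDA only; the old cross-check against
    # vw.getFunction() that used to live here was disabled.
    funcStart = idc.get_func_attr(va, idc.FUNCATTR_START)
    # Map every va in the function to the emulator path node it was found in.
    # The write/read maps are cached per function, so we only re-emulate when
    # the caller moves to a different function than last time.
    if funcStart != self.lastFunc:
        emu = self.vw.getEmulator(True, True)
        self.logger.debug('Generating va_write_map for function 0x%08x', funcStart)
        # NOTE(review): the monitor is only rebuilt on a cache miss, so a
        # call with a different ``regs`` for the same function keeps the
        # previous monitor - confirm whether callers rely on that.
        self.regMon = RegMonitor(regs)
        emu.setEmulationMonitor(self.regMon)
        # maxhit/maxloop bound the emulation so analysis terminates even on
        # looping or deliberately pathological code.
        emu.runFunction(funcStart, maxhit=1, maxloop=1)
        self.va_write_map = {}
        self.va_read_map = {}
        self.lastFunc = funcStart
        jayutils.path_bfs(emu.path, build_emu_va_map, res=self.va_write_map,
                          emu=emu, logtype='writelog')
        jayutils.path_bfs(emu.path, build_emu_va_map, res=self.va_read_map,
                          emu=emu, logtype='readlog')
    else:
        self.logger.debug('Using cached va_write_map')
    baseEntry = self.va_write_map.get(va)
    if baseEntry is None:
        self.logger.error(
            'Node does not have write log. Requires a call instruction (which writes to the stack) for this to work: 0x%08x', va)
        return []
    # Per the write-log layout (pc, va, bytes), index 1 is the stack address
    # written by the call; it seeds the stack pointer for the argument walk.
    self.startSp = baseEntry[1]
    return self.analyzeTracker(baseEntry, va, num, regs)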
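def getPushArgs(self, va, num, regs=None):
    '''
    Recover the arguments set up for the call instruction at ``va``.

    num -> first arg is 1, 2nd is 2, ...
    Returns a list of dicts whose key is the arg number (starting at 1, 2.. num)
    Each dict for a stack argument is a write log tuple (pc, va bytes)
    Each dict for a registry is a tuple (pc, value)

    :param va: address of the call instruction whose arguments are wanted
    :param num: number of arguments to recover
    :param regs: optional list of registers handed to ``RegMonitor``;
        treated as an empty list when omitted
    :return: whatever ``analyzeTracker`` returns, or [] when ``va`` has no
        write log entry (it must be an instruction that writes to the stack)
    '''
    if regs is None:
        regs = []
    # Function start comes from IDA only (legacy idc name; newer IDA
    # versions expose it as get_func_attr). The old cross-check against
    # vw.getFunction() that used to live here was disabled.
    funcStart = idc.GetFunctionAttr(va, idc.FUNCATTR_START)
    # Map every va in the function to the emulator path node it was found in.
    # The write/read maps are cached per function, so we only re-emulate when
    # the caller moves to a different function than last time.
    if funcStart != self.lastFunc:
        emu = self.vw.getEmulator(True, True)
        self.logger.debug('Generating va_write_map for function 0x%08x', funcStart)
        # NOTE(review): the monitor is only rebuilt on a cache miss, so a
        # call with a different ``regs`` for the same function keeps the
        # previous monitor - confirm whether callers rely on that.
        self.regMon = RegMonitor(regs)
        emu.setEmulationMonitor(self.regMon)
        # maxhit/maxloop bound the emulation so analysis terminates even on
        # looping or deliberately pathological code.
        emu.runFunction(funcStart, maxhit=1, maxloop=1)
        self.va_write_map = {}
        self.va_read_map = {}
        self.lastFunc = funcStart
        jayutils.path_bfs(emu.path, build_emu_va_map, res=self.va_write_map,
                          emu=emu, logtype='writelog')
        jayutils.path_bfs(emu.path, build_emu_va_map, res=self.va_read_map,
                          emu=emu, logtype='readlog')
    else:
        self.logger.debug('Using cached va_write_map')
    baseEntry = self.va_write_map.get(va)
    if baseEntry is None:
        self.logger.error('Node does not have write log. Requires a call instruction (which writes to the stack) for this to work: 0x%08x', va)
        return []
    # Per the write-log layout (pc, va, bytes), index 1 is the stack address
    # written by the call; it seeds the stack pointer for the argument walk.
    self.startSp = baseEntry[1]
    return self.analyzeTracker(baseEntry, va, num, regs)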