예제 #1
0
def hook(insn):
    global a
    if insn.getAddress() == 0x400740:
        for op in insn.getOperands():

            if op.getType() == triton.OPERAND.REG:

                addr = pintool.getCurrentRegisterValue(op)
                print(hex(addr))
                a = addr
                print("a:" + str(hex(a)))
                for i in range(4):
                    c = pintool.getCurrentMemoryValue(a + i)
                    print(str(i) + " : " + str(hex(c)))
    if insn.getAddress() == 0x40074a:
        print(hex(a))
        for i in range(4):
            c = pintool.getCurrentMemoryValue(a + i)
            print(str(i) + " : " + str(hex(c)))

    if insn.getAddress() == 0x40074a:
        for op in insn.getOperands():

            if op.getType() == triton.OPERAND.MEM:

                addr = op.getAddress()
                print(hex(addr))

                c = pintool.getCurrentMemoryValue(addr)
                print(str(hex(c)))
예제 #2
0
def read_hook(tid):
    global a
    print("read_hook")
    print(hex(a))
    for i in range(4):
        c = pintool.getCurrentMemoryValue(a + i)
        print(str(i) + " : " + str(hex(c)))
예제 #3
0
def symbolize_inputs(tid):
    rsi = pintool.getCurrentRegisterValue(Triton.registers.rsi)  # argv
    addr = pintool.getCurrentMemoryValue(rsi + (triton.CPUSIZE.QWORD),
                                         triton.CPUSIZE.QWORD)  # argv[1]

    # symbolize each character in argv[1], i.e the serial (including the terminating NULL)
    c = None
    s = ''
    while c != 0:
        c = pintool.getCurrentMemoryValue(addr)
        s += chr(c)
        Triton.setConcreteMemoryValue(addr, c)
        Triton.convertMemoryToSymbolicVariable(
            triton.MemoryAccess(addr, triton.CPUSIZE.BYTE)).setComment(
                'argv[1][%d]' % (len(s) - 1))
        addr += 1
    print 'Symbolized argv[1]: %s' % (s)
예제 #4
0
def symbolize_inputs(tid):
    rdi = pintool.getCurrentRegisterValue(Triton.registers.rdi) # argc
    rsi = pintool.getCurrentRegisterValue(Triton.registers.rsi) # argv

    # for each string in argv
    while rdi > 1:
        addr = pintool.getCurrentMemoryValue(rsi + ((rdi-1)*triton.CPUSIZE.QWORD), triton.CPUSIZE.QWORD)
        # symbolize the current argument string (including the terminating NULL)
        c = None
        s = ''
        while c != 0:
            c = pintool.getCurrentMemoryValue(addr)
            s += chr(c)
            Triton.setConcreteMemoryValue(addr, c)
            Triton.convertMemoryToSymbolicVariable(triton.MemoryAccess(addr, triton.CPUSIZE.BYTE)).setComment('argv[%d][%d]' % (rdi-1, len(s)-1))
            addr += 1
        rdi -= 1
        print 'Symbolized argument %d: %s' % (rdi, s)
예제 #5
0
def symbolize_inputs(threadId):
    rdi = pintool.getCurrentRegisterValue(Triton.registers.rdi) # argc
    rsi = pintool.getCurrentRegisterValue(Triton.registers.rsi) # argv

    while rdi > 1:
        addr = pintool.getCurrentMemoryValue(
            rsi + ((rdi-1) * triton.CPUSIZE.QWORD),
            triton.CPUSIZE.QWORD)

        c = None
        s = ""
        while c != 0:
            c = pintool.getCurrentMemoryValue(addr)
            s += chr(c)
            Triton.setConcreteMemoryValue(addr, c)
            Triton.convertMemoryToSymbolicVariable(
                triton.MemoryAccess(addr, triton.CPUSIZE.BYTE)
                ).setComment(f"argv[{rdi-1}][{len(s)-1}]")
            addr += 1
        rdi -= 1
        print(f"Symbolized argument {rdi}: {s}")
예제 #6
0
def read_hook(tid):
    global symvar_addr
    data_len = pintool.getCurrentRegisterValue(Triton.registers.eax)
    print("Taint src length : " + str(data_len))
    for i in range(data_len):
        c = pintool.getCurrentMemoryValue(symvar_addr + i)

        Triton.setConcreteMemoryValue(symvar_addr + i, c)
        Triton.convertMemoryToSymbolicVariable(
            triton.MemoryAccess(
                symvar_addr + i,
                triton.CPUSIZE.BYTE)).setComment('taintedByte ' +
                                                 str(hex(symvar_addr + i)) +
                                                 ' : ' + str(c))

    print('Symbolized taintedByte ' + str(hex(symvar_addr)) + ' ~ ' +
          str(hex(symvar_addr + i)))
예제 #7
0
def hook(insn):
    global symvar_addr
    if insn.getAddress() == 0x400740:

        addr = pintool.getCurrentRegisterValue(Triton.registers.rcx)
        print(hex(addr))
        symvar_addr = addr
        print("hook")
        for i in range(4):
            c = pintool.getCurrentMemoryValue(symvar_addr + i)
            print(str(i) + " : " + str(hex(c)))

    if insn.getAddress() == taintedIns:
        for op in insn.getOperands():
            if op.getType() == triton.OPERAND.REG:
                print 'Found Target Ins \'%s\'' % (insn)
                exploit_mmap(insn, op)
                return
예제 #8
0
def read_hook(tid):
    global symvar_addr
    print("read_hook")

    for i in range(4):
        c = pintool.getCurrentMemoryValue(symvar_addr + i)
        #print(str(i)+" : "+str(hex(c)))

        Triton.setConcreteMemoryValue(symvar_addr + i, c)
        Triton.convertMemoryToSymbolicVariable(
            triton.MemoryAccess(
                symvar_addr + i,
                triton.CPUSIZE.BYTE)).setComment('taintedByte ' +
                                                 str(hex(symvar_addr + i)) +
                                                 ' : ' + str(c))

        print('Symbolized taintedByte ' + str(hex(symvar_addr + i)) + ' : ' +
              str(c))
예제 #9
0
def needMem(ctx, mem):
    ctx.setConcreteMemoryValue(mem, Pintool.getCurrentMemoryValue(mem))
    return
예제 #10
0
def needMem(ctx, mem):
    ctx.setConcreteMemoryValue(mem, Pintool.getCurrentMemoryValue(mem))
    return