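def getLoopPaths(fgraph):
    '''
    Similar to getCodePaths(), however, getLoopPaths() will return path lists
    which loop.  The last element in the (node,edge) list will be the first
    "looped" block.

    Every hierarchical root is walked depth-first.  An edge whose target
    already appears once on the current path is pushed with loopcnt == 1 and
    yielded, without further expansion, when it is popped.  Edges that would
    make a node appear more than once are dropped, so no path grows beyond
    two visits per node and the walk terminates on any finite graph.

    :param fgraph: hierarchical graph exposing getHierRootNodes() and
                   getRefsFromByNid()
    :yields: one list per looping path, built with _nodeedge() from the path
             nodes between the root and the first repeated block
    '''
    for root in fgraph.getHierRootNodes():
        proot = vg_pathcore.newPathNode(nid=root[0], eid=None)
        todo = [(root[0], proot, 0)]
        while todo:
            node, cpath, loopcnt = todo.pop()
            count = 0
            if loopcnt == 1:
                # The popped path is the looping one.  The original yielded
                # getPathToNode(npath), i.e. the most recently *created* path
                # node, which can belong to a different, already-trimmed
                # branch whenever the previous expansion pushed nothing.
                yield [_nodeedge(n) for n in vg_pathcore.getPathToNode(cpath)]
            else:
                for eid, fromid, toid, einfo in fgraph.getRefsFromByNid(node):
                    loopcnt = vg_pathcore.getPathLoopCount(cpath, 'nid', toid)
                    if loopcnt > 1:
                        continue
                    count += 1
                    npath = vg_pathcore.newPathNode(parent=cpath, nid=toid, eid=eid)
                    todo.append((toid, npath, loopcnt))
            if not count:
                # Nothing was pushed below this node (leaf or looping node):
                # detach it from the path tree.
                vg_pathcore.trimPath(cpath)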
def _getCodePathsThru2(fgraph, tgtcbva, path, firstpath, loopcnt=0, pathcnt=0, maxpath=None):
    '''
    Forward half of getCodePathsThru(): from the target code block, enumerate
    every path down to a leaf node and yield it with the running path count.

    :param fgraph: graph exposing getNode() and getRefsFrom()
    :param tgtcbva: id of the node the forward walk starts from
    :param path: not used by this helper (kept for the caller's signature)
    :param firstpath: path node for tgtcbva, already chained to its root
    :param loopcnt: how many times a node may repeat on one path
    :param pathcnt: running path count supplied by the caller
    :param maxpath: stop once the running count reaches this value
    :yields: (path_nodes, pathcnt) where path_nodes is getPathToNode() of the
             leaf and pathcnt is the running count *before* this path is added
    '''
    stack = [(fgraph.getNode(tgtcbva), firstpath)]
    while stack:
        curnode, curpath = stack.pop()
        outrefs = fgraph.getRefsFrom(curnode)
        if not outrefs:
            # Leaf: report the complete path, then detach it from the tree.
            yield vg_pathcore.getPathToNode(curpath), pathcnt
            vg_pathcore.trimPath(curpath)
            pathcnt += 1
            if maxpath and pathcnt >= maxpath:
                return
        for eid, _fromid, toid, _einfo in outrefs:
            # Do not revisit a node more often than loopcnt allows.
            if vg_pathcore.getPathLoopCount(curpath, 'nid', toid) > loopcnt:
                continue
            child = vg_pathcore.newPathNode(parent=curpath, nid=toid, eid=eid)
            stack.append((fgraph.getNode(toid), child))
def getLoopPaths(fgraph):
    '''
    Similar to getCodePaths(), however, getLoopPaths() will return path lists
    which loop.  The last element in the (node,edge) list will be the first
    "looped" block.

    Each root from getRootNodes() is walked depth-first.  An edge whose
    target already appears once on the current path marks a loop: its path
    node is recorded instead of being expanded.  Edges that would repeat a
    node more than once are ignored.  Loops are collected during the walk and
    yielded only after every root has been processed.

    :param fgraph: graph exposing getRootNodes() and getRefsFrom()
    :yields: one list per looping path, built with _nodeedge() from the path
             nodes between the root and the first repeated block
    '''
    found = []
    for rootid in fgraph.getRootNodes():
        stack = [(rootid, vg_pathcore.newPathNode(nid=rootid, eid=None))]
        while stack:
            curid, curpath = stack.pop()
            for eid, _fromid, toid, _einfo in fgraph.getRefsFrom(curid):
                repeats = vg_pathcore.getPathLoopCount(curpath, 'nid', toid)
                if repeats > 1:
                    continue
                child = vg_pathcore.newPathNode(parent=curpath, nid=toid, eid=eid)
                if repeats == 1:
                    found.append(child)
                else:
                    stack.append((toid, child))
    for loopnode in found:
        yield [_nodeedge(n) for n in vg_pathcore.getPathToNode(loopnode)]
def getLoopPaths(fgraph):
    '''
    Similar to getCodePaths(), however, getLoopPaths() will return path lists
    which loop.  The last element in the (node,edge) list will be the first
    "looped" block.

    Each root from getRootNodes() is walked depth-first.  An edge whose
    target already appears once on the current path marks a loop: its path
    node is recorded instead of being expanded.  Edges that would repeat a
    node more than once are ignored.  Loops are collected during the walk and
    yielded only after every root has been processed.

    :param fgraph: graph exposing getRootNodes() and getRefsFrom()
    :yields: one list per looping path, built with _nodeedge() from the path
             nodes between the root and the first repeated block
    '''
    found = []
    for rootid in fgraph.getRootNodes():
        stack = [(rootid, vg_pathcore.newPathNode(nid=rootid, eid=None))]
        while stack:
            curid, curpath = stack.pop()
            for eid, _fromid, toid, _einfo in fgraph.getRefsFrom(curid):
                repeats = vg_pathcore.getPathLoopCount(curpath, 'nid', toid)
                if repeats > 1:
                    continue
                child = vg_pathcore.newPathNode(parent=curpath, nid=toid, eid=eid)
                if repeats == 1:
                    found.append(child)
                else:
                    stack.append((toid, child))
    for loopnode in found:
        yield [_nodeedge(n) for n in vg_pathcore.getPathToNode(loopnode)]
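def getLoopPaths(fgraph):
    '''
    Similar to getCodePaths(), however, getLoopPaths() will return path lists
    which loop.  The last element in the (node,edge) list will be the first
    "looped" block.

    Every hierarchical root is walked depth-first.  An edge whose target
    already appears once on the current path is pushed with loopcnt == 1 and
    yielded, without further expansion, when it is popped.  Edges that would
    make a node appear more than once are dropped, so no path grows beyond
    two visits per node and the walk terminates on any finite graph.

    :param fgraph: hierarchical graph exposing getHierRootNodes() and
                   getRefsFromByNid()
    :yields: one list per looping path, built with _nodeedge() from the path
             nodes between the root and the first repeated block
    '''
    for root in fgraph.getHierRootNodes():
        proot = vg_pathcore.newPathNode(nid=root[0], eid=None)
        todo = [(root[0], proot, 0)]
        while todo:
            node, cpath, loopcnt = todo.pop()
            count = 0
            if loopcnt == 1:
                # The popped path is the looping one.  The original yielded
                # getPathToNode(npath), i.e. the most recently *created* path
                # node, which can belong to a different, already-trimmed
                # branch whenever the previous expansion pushed nothing.
                yield [_nodeedge(n) for n in vg_pathcore.getPathToNode(cpath)]
            else:
                for eid, fromid, toid, einfo in fgraph.getRefsFromByNid(node):
                    loopcnt = vg_pathcore.getPathLoopCount(cpath, 'nid', toid)
                    if loopcnt > 1:
                        continue
                    count += 1
                    npath = vg_pathcore.newPathNode(parent=cpath, nid=toid, eid=eid)
                    todo.append((toid, npath, loopcnt))
            if not count:
                # Nothing was pushed below this node (leaf or looping node):
                # detach it from the path tree.
                vg_pathcore.trimPath(cpath)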
def walkCodePaths(fgraph, callback, loopcnt=0, maxpath=None):
    '''
    walkCodePaths is a path generator which uses a callback function to
    determine the viability of each particular path.  This approach allows
    the calling function (eg. walkSymbolikPaths) to do in-generator checks
    and trim paths which are simply not possible/desirable.

    The callback is invoked as callback(cpath, edge, npath) for every edge
    considered, with edge the (eid, fromid, toid, einfo) tuple and npath the
    freshly created path node; a false return trims npath and abandons that
    edge.  It is also called once per root as callback(None, None, proot).

    :param fgraph: graph exposing getHierRootNodes(), getRefsFrom(), getNode()
    :param callback: viability predicate described above
    :param loopcnt: how many times a node may repeat on one path
    :param maxpath: stop after this many leaf paths in total
    :yields: the leaf path node of each complete path (not a (node,edge) list)
    '''
    yielded = 0
    for root in fgraph.getHierRootNodes():
        proot = vg_pathcore.newPathNode(nid=root[0], eid=None)
        # Let the callback initialise the root path node.
        callback(None, None, proot)
        stack = [(root, proot)]
        while stack:
            curnode, curpath = stack.pop()
            outrefs = fgraph.getRefsFrom(curnode)
            if not outrefs:
                # Leaf: hand the path node to the consumer, then detach it.
                yield curpath
                vg_pathcore.trimPath(curpath)
                yielded += 1
                if maxpath and yielded >= maxpath:
                    return
            for eid, fromid, toid, einfo in outrefs:
                if vg_pathcore.getPathLoopCount(curpath, 'nid', toid) > loopcnt:
                    continue
                edge = (eid, fromid, toid, einfo)
                child = vg_pathcore.newPathNode(parent=curpath, nid=toid, eid=eid)
                if not callback(curpath, edge, child):
                    vg_pathcore.trimPath(child)
                    continue
                stack.append((fgraph.getNode(toid), child))
def walkCodePaths(fgraph, callback, loopcnt=0, maxpath=None):
    '''
    walkCodePaths is a path generator which uses a callback function to
    determine the viability of each particular path.  This approach allows
    the calling function (eg. walkSymbolikPaths) to do in-generator checks
    and trim paths which are simply not possible/desirable.

    The callback is invoked as callback(cpath, edge, npath) for every edge
    considered, with edge the (eid, fromid, toid, einfo) tuple and npath the
    freshly created path node; a false return trims npath and abandons that
    edge.  It is also called once per root as callback(None, None, proot).
    When the graph carries the 'Routed' meta flag, only edges whose einfo
    has 'follow' set are considered at all.

    :param fgraph: graph exposing getMeta(), getHierRootNodes(),
                   getRefsFrom() and getNode()
    :param callback: viability predicate described above
    :param loopcnt: how many times a node may repeat on one path
    :param maxpath: stop after this many leaf paths in total
    :yields: the leaf path node of each complete path (not a (node,edge) list)
    '''
    yielded = 0
    routed = fgraph.getMeta('Routed', False)
    for root in fgraph.getHierRootNodes():
        proot = vg_pathcore.newPathNode(nid=root[0], eid=None)
        # Let the callback initialise the root path node.
        callback(None, None, proot)
        stack = [(root, proot)]
        while stack:
            curnode, curpath = stack.pop()
            outrefs = fgraph.getRefsFrom(curnode)
            if not outrefs:
                # Leaf: hand the path node to the consumer, then detach it.
                yield curpath
                vg_pathcore.trimPath(curpath)
                yielded += 1
                if maxpath and yielded >= maxpath:
                    return
            for eid, fromid, toid, einfo in outrefs:
                # A routed graph restricts the walk to edges marked 'follow'.
                if routed and not einfo.get('follow', False):
                    continue
                if vg_pathcore.getPathLoopCount(curpath, 'nid', toid) > loopcnt:
                    continue
                edge = (eid, fromid, toid, einfo)
                child = vg_pathcore.newPathNode(parent=curpath, nid=toid, eid=eid)
                if not callback(curpath, edge, child):
                    vg_pathcore.trimPath(child)
                    continue
                stack.append((fgraph.getNode(toid), child))
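def getCodePathsThru(fgraph, tgtcbva, loopcnt=0, maxpath=None):
    '''
    Yields all the paths through the hierarchical graph which pass through
    the target codeblock "tgtcb".  Each "root" node is traced to the target,
    and all paths are traversed from there to the end.

    Specify a loopcnt to allow loop paths to be generated with the given
    "loop iteration count"

    Example:
        for path in getCodePathsThru(fgraph, tgtcb):
            for node,edge in path:
                ...etc...

    The walk runs backwards from tgtcbva to each root along getRefsTo(),
    rebuilds that prefix as a forward path and hands it to
    _getCodePathsThru2(), which enumerates the suffixes down to the leaves.

    :param fgraph: graph exposing getHierRootNodes(), getNode(), getRefsTo()
    :param tgtcbva: id of the node every yielded path must contain
    :param loopcnt: how many times a node may repeat on one path
    :param maxpath: stop after this many paths in total; the only bound on
                    the work done for heavily branching graphs
    :yields: one list per path, built with _nodeedge() from the path nodes
    '''
    # this starts with the "To" side, finding a path back from tgtcbva to root
    pathcnt = 0
    pnode = vg_pathcore.newPathNode(nid=tgtcbva, eid=None)
    rootnodes = fgraph.getHierRootNodes()
    tgtnode = fgraph.getNode(tgtcbva)
    todo = [(tgtnode, pnode)]
    while todo:
        node, cpath = todo.pop()
        refsto = fgraph.getRefsTo(node)
        # This is the root node!
        if node in rootnodes:
            path = vg_pathcore.getPathToNode(cpath)
            path.reverse()
            # build the path in the right direction: the backward walk stored
            # each edge on its *source* node, so while re-chaining root-first
            # every eid is shifted onto the node the edge leads into.
            newcpath = None
            lastnk = {'eid': None}
            for np, nc, nk in path:
                newcpath = vg_pathcore.newPathNode(parent=newcpath, nid=nk['nid'], eid=lastnk['eid'])
                lastnk = nk
            for fullpath, count in _getCodePathsThru2(fgraph, tgtcbva, path, newcpath,
                                                      loopcnt=loopcnt, pathcnt=pathcnt,
                                                      maxpath=maxpath):
                yield [_nodeedge(n) for n in fullpath]
                vg_pathcore.trimPath(cpath)
                # The helper is seeded with our pathcnt and yields its running
                # total *before* counting the path it just produced, so the new
                # total is count + 1.  Accumulating with "pathcnt += count"
                # summed the running totals and reached maxpath far too early.
                pathcnt = count + 1
                if maxpath and pathcnt >= maxpath:
                    return
        for eid, fromid, toid, einfo in refsto:
            # Skip loops if they are "deeper" than we are allowed
            loops = vg_pathcore.getPathLoopCount(cpath, 'nid', fromid)
            if loops > loopcnt:
                continue
            npath = vg_pathcore.newPathNode(parent=cpath, nid=fromid, eid=eid)
            fromnode = fgraph.getNode(fromid)
            todo.append((fromnode, npath))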
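def getCodePathsThru(fgraph, tgtcbva, loopcnt=0, maxpath=None):
    '''
    Yields all the paths through the hierarchical graph which pass through
    the target codeblock "tgtcb".  Each "root" node is traced to the target,
    and all paths are traversed from there to the end.

    Specify a loopcnt to allow loop paths to be generated with the given
    "loop iteration count"

    Example:
        for path in getCodePathsThru(fgraph, tgtcb):
            for node,edge in path:
                ...etc...

    The walk runs backwards from tgtcbva along getRefsTo() until a node whose
    properties carry 'rootnode', rebuilds that prefix as a forward path and
    hands it to _getCodePathsThru2(), which enumerates the suffixes down to
    the leaves.

    :param fgraph: graph exposing getNode() and getRefsTo()
    :param tgtcbva: id of the node every yielded path must contain
    :param loopcnt: how many times a node may repeat on one path
    :param maxpath: stop after this many paths in total; the only bound on
                    the work done for heavily branching graphs
    :yields: one list per path, built with _nodeedge() from the path nodes
    '''
    # this starts with the "To" side, finding a path back from tgtcbva to root
    pathcnt = 0
    pnode = vg_pathcore.newPathNode(nid=tgtcbva, eid=None)
    node = fgraph.getNode(tgtcbva)
    todo = [(node, pnode)]
    while todo:
        node, cpath = todo.pop()
        refsto = fgraph.getRefsTo(node)
        # This is the root node!
        if node[1].get('rootnode'):
            path = vg_pathcore.getPathToNode(cpath)
            path.reverse()
            # build the path in the right direction: the backward walk stored
            # each edge on its *source* node, so while re-chaining root-first
            # every eid is shifted onto the node the edge leads into.
            newcpath = None
            lastnk = {'eid': None}
            for np, nc, nk in path:
                newcpath = vg_pathcore.newPathNode(parent=newcpath, nid=nk['nid'], eid=lastnk['eid'])
                lastnk = nk
            for fullpath, count in _getCodePathsThru2(fgraph, tgtcbva, path, newcpath,
                                                      loopcnt=loopcnt, pathcnt=pathcnt,
                                                      maxpath=maxpath):
                yield [_nodeedge(n) for n in fullpath]
                vg_pathcore.trimPath(cpath)
                # The helper is seeded with our pathcnt and yields its running
                # total *before* counting the path it just produced, so the new
                # total is count + 1.  Accumulating with "pathcnt += count"
                # summed the running totals and reached maxpath far too early.
                pathcnt = count + 1
                if maxpath and pathcnt >= maxpath:
                    return
        for eid, fromid, toid, einfo in refsto:
            # Skip loops if they are "deeper" than we are allowed
            loops = vg_pathcore.getPathLoopCount(cpath, 'nid', fromid)
            if loops > loopcnt:
                continue
            npath = vg_pathcore.newPathNode(parent=cpath, nid=fromid, eid=eid)
            fromnode = fgraph.getNode(fromid)
            todo.append((fromnode, npath))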
def getCodePathsTo(fgraph, tocbva, loopcnt=0, maxpath=None):
    '''
    Yields all the paths through the hierarchical graph starting at the
    "root nodes" and ending at tocbva.

    Specify a loopcnt to allow loop paths to be generated with the given
    "loop iteration count"

    Example:
        for path in getCodePathsTo(fgraph, tocbva):
            for node,edge in path:
                ...etc...

    The walk runs backwards from tocbva along getRefsTo() until a node whose
    properties carry 'rootnode'; the collected chain is reversed before it
    is yielded.  The edge id is written onto the current path node as each
    predecessor is pushed, and the predecessor's node starts with eid=None.

    NOTE(review): the current path node is shared by every predecessor pushed
    from it and setNodeProp(..., 'eid', ...) is called once per predecessor,
    so a node with several predecessors carries whichever eid was written
    last when a path is finally yielded -- confirm against _nodeedge() before
    relying on the edge half of the (node,edge) pairs.

    :param fgraph: graph exposing getNode() and getRefsTo()
    :param tocbva: id of the node every yielded path ends at
    :param loopcnt: how many times a node may repeat on one path
    :param maxpath: stop after this many paths
    :yields: one list per path, built with _nodeedge() from the path nodes
    '''
    yielded = 0
    endpath = vg_pathcore.newPathNode(nid=tocbva, eid=None)
    stack = [(fgraph.getNode(tocbva), endpath)]
    while stack:
        curnode, curpath = stack.pop()
        inrefs = fgraph.getRefsTo(curnode)
        if curnode[1].get('rootnode'):
            # Reached a root: the backward chain is a complete path.
            nodes = vg_pathcore.getPathToNode(curpath)
            nodes.reverse()
            yield [_nodeedge(n) for n in nodes]
            vg_pathcore.trimPath(curpath)
            yielded += 1
            if maxpath and yielded >= maxpath:
                return
        for eid, predid, _succid, _einfo in inrefs:
            if vg_pathcore.getPathLoopCount(curpath, 'nid', predid) > loopcnt:
                continue
            vg_pathcore.setNodeProp(curpath, 'eid', eid)
            child = vg_pathcore.newPathNode(parent=curpath, nid=predid, eid=None)
            stack.append((fgraph.getNode(predid), child))
def getCodePathsTo(fgraph, tocbva, loopcnt=0, maxpath=None):
    '''
    Yields all the paths through the hierarchical graph starting at the
    "root nodes" and ending at tocbva.

    Specify a loopcnt to allow loop paths to be generated with the given
    "loop iteration count"

    Example:
        for path in getCodePathsTo(fgraph, tocbva):
            for node,edge in path:
                ...etc...

    The walk runs backwards from tocbva along getRefsTo() until a node whose
    properties carry 'rootnode'; the collected chain is reversed before it
    is yielded.  The edge id is written onto the current path node as each
    predecessor is pushed, and the predecessor's node starts with eid=None.

    NOTE(review): the current path node is shared by every predecessor pushed
    from it and setNodeProp(..., 'eid', ...) is called once per predecessor,
    so a node with several predecessors carries whichever eid was written
    last when a path is finally yielded -- confirm against _nodeedge() before
    relying on the edge half of the (node,edge) pairs.

    :param fgraph: graph exposing getNode() and getRefsTo()
    :param tocbva: id of the node every yielded path ends at
    :param loopcnt: how many times a node may repeat on one path
    :param maxpath: stop after this many paths
    :yields: one list per path, built with _nodeedge() from the path nodes
    '''
    yielded = 0
    endpath = vg_pathcore.newPathNode(nid=tocbva, eid=None)
    stack = [(fgraph.getNode(tocbva), endpath)]
    while stack:
        curnode, curpath = stack.pop()
        inrefs = fgraph.getRefsTo(curnode)
        if curnode[1].get('rootnode'):
            # Reached a root: the backward chain is a complete path.
            nodes = vg_pathcore.getPathToNode(curpath)
            nodes.reverse()
            yield [_nodeedge(n) for n in nodes]
            vg_pathcore.trimPath(curpath)
            yielded += 1
            if maxpath and yielded >= maxpath:
                return
        for eid, predid, _succid, _einfo in inrefs:
            if vg_pathcore.getPathLoopCount(curpath, 'nid', predid) > loopcnt:
                continue
            vg_pathcore.setNodeProp(curpath, 'eid', eid)
            child = vg_pathcore.newPathNode(parent=curpath, nid=predid, eid=None)
            stack.append((fgraph.getNode(predid), child))
def getCodePaths(fgraph, loopcnt=0, maxpath=None):
    '''
    Yields all the paths through the hierarchical graph.  Each "root" node
    is traced to all terminating points.

    Specify a loopcnt to allow loop paths to be generated with the given
    "loop iteration count"

    Example:
        for path in getCodePaths(fgraph):
            for node,edge in path:
                ...etc...

    Depth-first walk from every getHierRootNodes() entry along getRefsFrom();
    a path is yielded when a node with no outgoing refs is reached.  maxpath
    is a total across all roots and is the only bound on the number of paths
    enumerated, which grows quickly with branching.

    :param fgraph: graph exposing getHierRootNodes(), getRefsFrom(), getNode()
    :param loopcnt: how many times a node may repeat on one path
    :param maxpath: stop after this many paths in total
    :yields: one list per path, built with _nodeedge() from the path nodes
    '''
    yielded = 0
    for root in fgraph.getHierRootNodes():
        stack = [(root, vg_pathcore.newPathNode(nid=root[0], eid=None))]
        while stack:
            curnode, curpath = stack.pop()
            outrefs = fgraph.getRefsFrom(curnode)
            if not outrefs:
                # Leaf: emit the path root-first, then detach its node.
                yield [_nodeedge(n) for n in vg_pathcore.getPathToNode(curpath)]
                vg_pathcore.trimPath(curpath)
                yielded += 1
                if maxpath and yielded >= maxpath:
                    return
            for eid, _fromid, toid, _einfo in outrefs:
                if vg_pathcore.getPathLoopCount(curpath, 'nid', toid) > loopcnt:
                    continue
                child = vg_pathcore.newPathNode(parent=curpath, nid=toid, eid=eid)
                stack.append((fgraph.getNode(toid), child))
def getCodePathsFrom(fgraph, fromcbva, loopcnt=0, maxpath=None):
    '''
    Yields all the paths through the hierarchical graph beginning with
    "fromcbva", which is traced to all terminating points.

    Specify a loopcnt to allow loop paths to be generated with the given
    "loop iteration count"

    Example:
        for path in getCodePathsFrom(fgraph, fromcbva):
            for node,edge in path:
                ...etc...

    Same walk as getCodePaths() but rooted at a single node and driven by
    node ids (getRefsFromByNid) rather than node tuples.

    :param fgraph: graph exposing getNode() and getRefsFromByNid()
    :param fromcbva: id of the node every yielded path starts at
    :param loopcnt: how many times a node may repeat on one path
    :param maxpath: stop after this many paths
    :yields: one list per path, built with _nodeedge() from the path nodes
    '''
    yielded = 0
    rootpath = vg_pathcore.newPathNode(nid=fromcbva, eid=None)
    startid, _startprops = fgraph.getNode(fromcbva)
    stack = [(startid, rootpath)]
    while stack:
        curid, curpath = stack.pop()
        outrefs = fgraph.getRefsFromByNid(curid)
        if not outrefs:
            # Leaf: emit the path root-first, then detach its node.
            yield [_nodeedge(n) for n in vg_pathcore.getPathToNode(curpath)]
            vg_pathcore.trimPath(curpath)
            yielded += 1
            if maxpath and yielded >= maxpath:
                return
        for eid, _fromid, toid, _einfo in outrefs:
            if vg_pathcore.getPathLoopCount(curpath, 'nid', toid) > loopcnt:
                continue
            child = vg_pathcore.newPathNode(parent=curpath, nid=toid, eid=eid)
            stack.append((toid, child))
def getCodePathsFrom(fgraph, fromcbva, loopcnt=0, maxpath=None):
    '''
    Yields all the paths through the hierarchical graph beginning with
    "fromcbva", which is traced to all terminating points.

    Specify a loopcnt to allow loop paths to be generated with the given
    "loop iteration count"

    Example:
        for path in getCodePathsFrom(fgraph, fromcbva):
            for node,edge in path:
                ...etc...

    Same walk as getCodePaths() but rooted at a single node and driven by
    node ids (getRefsFromByNid) rather than node tuples.

    :param fgraph: graph exposing getNode() and getRefsFromByNid()
    :param fromcbva: id of the node every yielded path starts at
    :param loopcnt: how many times a node may repeat on one path
    :param maxpath: stop after this many paths
    :yields: one list per path, built with _nodeedge() from the path nodes
    '''
    yielded = 0
    rootpath = vg_pathcore.newPathNode(nid=fromcbva, eid=None)
    startid, _startprops = fgraph.getNode(fromcbva)
    stack = [(startid, rootpath)]
    while stack:
        curid, curpath = stack.pop()
        outrefs = fgraph.getRefsFromByNid(curid)
        if not outrefs:
            # Leaf: emit the path root-first, then detach its node.
            yield [_nodeedge(n) for n in vg_pathcore.getPathToNode(curpath)]
            vg_pathcore.trimPath(curpath)
            yielded += 1
            if maxpath and yielded >= maxpath:
                return
        for eid, _fromid, toid, _einfo in outrefs:
            if vg_pathcore.getPathLoopCount(curpath, 'nid', toid) > loopcnt:
                continue
            child = vg_pathcore.newPathNode(parent=curpath, nid=toid, eid=eid)
            stack.append((toid, child))
def getCodePaths(fgraph, loopcnt=0, maxpath=None):
    '''
    Yields all the paths through the hierarchical graph.  Each "root" node
    is traced to all terminating points.

    Specify a loopcnt to allow loop paths to be generated with the given
    "loop iteration count"

    Example:
        for path in getCodePaths(fgraph):
            for node,edge in path:
                ...etc...

    Depth-first walk from every getHierRootNodes() entry along getRefsFrom();
    a path is yielded when a node with no outgoing refs is reached.  maxpath
    is a total across all roots and is the only bound on the number of paths
    enumerated, which grows quickly with branching.

    :param fgraph: graph exposing getHierRootNodes(), getRefsFrom(), getNode()
    :param loopcnt: how many times a node may repeat on one path
    :param maxpath: stop after this many paths in total
    :yields: one list per path, built with _nodeedge() from the path nodes
    '''
    yielded = 0
    for root in fgraph.getHierRootNodes():
        stack = [(root, vg_pathcore.newPathNode(nid=root[0], eid=None))]
        while stack:
            curnode, curpath = stack.pop()
            outrefs = fgraph.getRefsFrom(curnode)
            if not outrefs:
                # Leaf: emit the path root-first, then detach its node.
                yield [_nodeedge(n) for n in vg_pathcore.getPathToNode(curpath)]
                vg_pathcore.trimPath(curpath)
                yielded += 1
                if maxpath and yielded >= maxpath:
                    return
            for eid, _fromid, toid, _einfo in outrefs:
                if vg_pathcore.getPathLoopCount(curpath, 'nid', toid) > loopcnt:
                    continue
                child = vg_pathcore.newPathNode(parent=curpath, nid=toid, eid=eid)
                stack.append((fgraph.getNode(toid), child))
def getFuncCbRoutedPaths(self, fromva, tova, loopcnt=0, maxpath=None, maxsec=None):
    '''
    Yields all the paths through the routed function graph that start at the
    code block containing fromva and end at the code block containing tova.

    The graph is first routed with preRouteGraph(fgraph, fromva, tova); only
    edges whose source node carries the 'down' property are followed.  Other
    code in this class can stop the walk by clearing self.__go__ (the next
    pop then raises PathForceQuitException); when maxsec is given,
    self.watchdog(maxsec) is armed before the walk starts.

    Specify a loopcnt to allow loop paths to be generated with the given
    "loop iteration count"

    Example:
        for path in getFuncCbRoutedPaths(fromva, tova):
            for node,edge in path:
                ...etc...

    :param fromva: virtual address inside the starting code block
    :param tova: virtual address inside the ending code block
    :param loopcnt: how many times a node may repeat on one path
    :param maxpath: stop after this many paths (rejected loop edges are
                    counted as paths too once at least one path was found)
    :param maxsec: optional time budget handed to self.watchdog()
    :raises PathForceQuitException: when self.__go__ has been cleared
    :yields: one list per path, built with _nodeedge() from the path nodes
    '''
    fgraph = self.graph
    self.__update = 0
    self.__go__ = True
    pathcnt = 0
    tocbva = getGraphNodeByVa(fgraph, tova)
    frcbva = getGraphNodeByVa(fgraph, fromva)
    preRouteGraph(fgraph, fromva, tova)
    pnode = vg_pathcore.newPathNode(nid=frcbva, eid=None)
    todo = [(frcbva, pnode), ]
    if maxsec:
        self.watchdog(maxsec)
    while todo:
        if not self.__go__:
            raise PathForceQuitException()
        nodeid, cpath = todo.pop()
        # getRefsFrom() is handed a (nid, props)-shaped tuple with no props.
        refsfrom = fgraph.getRefsFrom((nodeid, None))
        # Reached the destination block: the current chain is a full path.
        if nodeid == tocbva:
            path = vg_pathcore.getPathToNode(cpath)
            yield [_nodeedge(n) for n in path]
            vg_pathcore.trimPath(cpath)
            pathcnt += 1
            self.__update = 1  # progress flag; its reader is not visible here
            if maxpath and pathcnt >= maxpath:
                return
        for eid, fromid, toid, einfo in refsfrom:
            # Only nodes routed "down" toward tova are expanded.
            # NOTE(review): this check and the loop check below look at fromid,
            # which is the node being expanded (nodeid), not the edge target
            # toid as the module-level getCodePaths* generators do -- confirm
            # that is intended.
            if fgraph.getNodeProps(fromid).get('down') != True:
                # TODO: drop the bad edges from graph in preprocessing? instead of "if" here
                continue
            # Skip loops if they are "deeper" than we are allowed
            loops = vg_pathcore.getPathLoopCount(cpath, 'nid', fromid)
            if loops > loopcnt:
                vg_pathcore.trimPath(cpath)
                # as long as we have at least one path, we count loops as paths, lest we die.
                # (keeps maxpath an effective bound when the remaining branches all loop)
                if pathcnt:
                    pathcnt += 1
                continue
            npath = vg_pathcore.newPathNode(parent=cpath, nid=toid, eid=eid)
            todo.append((toid, npath))
        # NOTE(review): cpath is trimmed after its children were pushed with it
        # as their parent -- confirm trimPath() only unlinks cpath from its own
        # parent and leaves the parent link of the children intact.
        vg_pathcore.trimPath(cpath)
def getFuncCbRoutedPaths_genback(self, fromva, tova, loopcnt=0, maxpath=None, maxsec=None):
    '''
    Yields all the paths through the routed function graph that start at the
    code block containing fromva and end at the code block containing tova,
    walking *backwards* from the destination block along getRefsTo().

    The graph is first routed with preRouteGraph(fgraph, fromva, tova); only
    edges whose source node carries the 'up' property are followed.  Each
    collected chain is reversed before it is yielded.  Other code in this
    class can stop the walk by clearing self.__go__ (the next pop then raises
    PathForceQuitException); when maxsec is given, self.watchdog(maxsec) is
    armed before the walk starts.

    Specify a loopcnt to allow loop paths to be generated with the given
    "loop iteration count"

    Example:
        for path in getFuncCbRoutedPaths_genback(fromva, tova):
            for node,edge in path:
                ...etc...

    :param fromva: virtual address inside the starting code block
    :param tova: virtual address inside the ending code block
    :param loopcnt: how many times a node may repeat on one path
    :param maxpath: stop after this many paths
    :param maxsec: optional time budget handed to self.watchdog()
    :raises PathForceQuitException: when self.__go__ has been cleared
    :yields: one list per path, built with viv_graph._nodeedge() from the
             path nodes, fromva's block first
    '''
    fgraph = self.graph
    self.__update = 0
    self.__go__ = True
    pathcnt = 0
    tocbva = getGraphNodeByVa(fgraph, tova)
    frcbva = getGraphNodeByVa(fgraph, fromva)
    preRouteGraph(fgraph, fromva, tova)
    pnode = vg_pathcore.newPathNode(nid=tocbva, eid=None)
    todo = [(tocbva, pnode), ]
    if maxsec:
        self.watchdog(maxsec)
    while todo:
        if not self.__go__:
            raise PathForceQuitException()
        nodeid, cpath = todo.pop()
        # getRefsTo() is handed a (nid, props)-shaped tuple with no props.
        refsto = fgraph.getRefsTo((nodeid, None))
        # Reached the starting block: the backward chain is a full path.
        if nodeid == frcbva:
            path = vg_pathcore.getPathToNode(cpath)
            path.reverse()
            # NOTE(review): the lock is held across the yield.  A consumer that
            # stops iterating, raises, or close()s the generator between yield
            # and resume leaves self.__steplock acquired -- confirm every
            # consumer resumes the generator, or release in a try/finally.
            self.__steplock.acquire()
            yield [viv_graph._nodeedge(n) for n in path]
            vg_pathcore.trimPath(cpath)
            pathcnt += 1
            self.__update = 1  # progress flag; its reader is not visible here
            self.__steplock.release()
            if maxpath and pathcnt >= maxpath:
                return
        for eid, fromid, toid, einfo in refsto:
            # Only predecessors routed "up" toward fromva are expanded; the
            # current node is trimmed once for every rejected edge.
            if fgraph.getNodeProps(fromid).get('up') != True:
                # TODO: drop the bad edges from graph in preprocessing? instead of "if" here
                vg_pathcore.trimPath(cpath)
                continue
            # Skip loops if they are "deeper" than we are allowed
            loops = vg_pathcore.getPathLoopCount(cpath, 'nid', fromid)
            if loops > loopcnt:
                continue
            # The edge id is stored on the current node (shared by every
            # predecessor pushed below); the new node starts with eid=None.
            vg_pathcore.setNodeProp(cpath, 'eid', eid)
            npath = vg_pathcore.newPathNode(parent=cpath, nid=fromid, eid=None)
            todo.append((fromid, npath))
def _runFunction(self, funcva, stopva=None, maxhit=None, maxloop=None, maxrep=None, strictops=True, func_only=True):
    """
    Emulate from funcva, following every branch the emulator reports, until
    the work list is exhausted or stopva is reached.

    Each work item is (va, snapshot from getEmuSnap(), path node).  Branches
    reported by emu.checkBranches() are pushed with a fresh snapshot and the
    current branch is abandoned, so each path is emulated from its own state.
    Executed addresses are appended to the path node's 'valist' property and
    'cleanret' is set on the path node whenever a return instruction runs.
    Exceptions from execution are reported to the monitors' logAnomaly() and
    end the current branch; they are not re-raised.

    :param funcva: address to start emulating at
    :param stopva: return as soon as the program counter equals this address
    :param maxhit: per-address execution cap for non-REP instructions
                   (None = unlimited)
    :param maxloop: skip a work item whose va already repeats more than this
                    many times on its path, by the 'bva' property
                    (None = unlimited)
    :param maxrep: separate per-address execution cap for instructions that
                   carry a REP prefix (None = unlimited)
    :param strictops: should we bail on emulation if unsupported instruction encountered
    :param func_only: is this emulator meant to stay in one function scope?
                      (passed to handleCall as avoid_calls)
    """
    vg_path.setNodeProp(self.curpath, 'bva', funcva)
    hits = {}      # startpc -> times executed (non-REP instructions)
    rephits = {}   # startpc -> times executed (REP-prefixed instructions)
    todo = [(funcva, self.getEmuSnap(), self.path), ]
    emu = self._emu
    vw = self._emu.vw  # Save a dereference many many times
    depth = 0   # calls handleCall() stepped into, balanced again by IF_RET
    op = None
    while len(todo) > 0:
        va, esnap, self.curpath = todo.pop()
        self.setEmuSnap(esnap)
        emu.setProgramCounter(va)
        # Check if we are beyond our loop max...
        if maxloop != None:
            lcount = vg_path.getPathLoopCount(self.curpath, 'bva', va)
            if lcount > maxloop:
                continue
        while True:
            startpc = emu.getProgramCounter()
            if not vw.isValidPointer(startpc):
                break
            if startpc == stopva:
                return
            # If we ran out of path (branches that went
            # somewhere that we couldn't follow)?
            if self.curpath == None:
                break
            try:
                op = emu.parseOpcode(startpc)
                if op.prefixes & PREFIX_REP and maxrep != None:
                    # execute same instruction with `rep` prefix up to maxrep times
                    h = rephits.get(startpc, 0)
                    h += 1
                    if h > maxrep:
                        break
                    rephits[startpc] = h
                elif maxhit != None:
                    # Check straight hit count for all other instructions...
                    h = hits.get(startpc, 0)
                    h += 1
                    if h > maxhit:
                        break
                    hits[startpc] = h
                nextpc = startpc + len(op)  # computed but not read below
                self.op = op
                for mon in self._monitors:
                    mon.prehook(emu, op, startpc)
                iscall = bool(op.iflags & v_envi.IF_CALL)
                if iscall:
                    # handleCall() decides whether to step into the callee and
                    # reports True when it did, so the callee's return is not
                    # mistaken for the end of this function.
                    wentInto = self.handleCall(startpc, op, avoid_calls=func_only)
                    if wentInto:
                        depth += 1
                else:
                    emu.executeOpcode(op)
                vg_path.getNodeProp(self.curpath, 'valist').append(startpc)
                endpc = emu.getProgramCounter()
                for mon in self._monitors:
                    mon.posthook(emu, op, endpc)
                if not iscall:
                    # If it wasn't a call, check for branches, if so, add them to
                    # the todo list and go around again...
                    blist = emu.checkBranches(startpc, endpc, op)
                    if len(blist) > 0:
                        # pc in the snap will be wrong, but over-ridden at restore
                        esnap = self.getEmuSnap()
                        for bva, bpath in blist:
                            todo.append((bva, esnap, bpath))
                        break
                # If we encounter a procedure exit, it doesn't matter what PC
                # is, we're done here -- unless we are still inside a call
                # that handleCall() stepped into.
                if op.iflags & v_envi.IF_RET:
                    vg_path.setNodeProp(self.curpath, 'cleanret', True)
                    if depth == 0:
                        break
                    else:
                        depth -= 1
            except v_envi.UnsupportedInstruction as e:
                if strictops:
                    break
                else:
                    # Skip the instruction and resume at the next one.
                    self._logger.debug('runFunction continuing after unsupported instruction: 0x%08x %s', e.op.va, e.op.mnem)
                    emu.setProgramCounter(e.op.va + e.op.size)
            except Exception as e:
                # Record the failure with every monitor at the faulting
                # address and give up on this branch only.
                self._logger.warning("error during emulation of function: %s", e)  # , exc_info=True)
                for mon in self._monitors:
                    mon.logAnomaly(emu, startpc, str(e))
                break  # If we exc during execution, this branch is dead.
def _runFunction(self, funcva, stopva=None, maxhit=None, maxloop=None, maxrep=None, strictops=True, func_only=True):
    """
    Emulate from funcva, following every branch the emulator reports, until
    the work list is exhausted or stopva is reached.

    Each work item is (va, snapshot from getEmuSnap(), path node).  Branches
    reported by emu.checkBranches() are pushed with a fresh snapshot and the
    current branch is abandoned, so each path is emulated from its own state.
    Executed addresses are appended to the path node's 'valist' property and
    'cleanret' is set on the path node whenever a return instruction runs.
    Exceptions from execution are reported to the monitors' logAnomaly() and
    end the current branch; they are not re-raised.

    :param funcva: address to start emulating at
    :param stopva: return as soon as the program counter equals this address
    :param maxhit: per-address execution cap for non-REP instructions
                   (None = unlimited)
    :param maxloop: skip a work item whose va already repeats more than this
                    many times on its path, by the 'bva' property
                    (None = unlimited)
    :param maxrep: separate per-address execution cap for instructions that
                   carry a REP prefix (None = unlimited)
    :param strictops: should we bail on emulation if unsupported instruction encountered
    :param func_only: is this emulator meant to stay in one function scope?
                      (passed to handleCall as avoid_calls)
    """
    vg_path.setNodeProp(self.curpath, 'bva', funcva)
    hits = {}      # startpc -> times executed (non-REP instructions)
    rephits = {}   # startpc -> times executed (REP-prefixed instructions)
    todo = [(funcva, self.getEmuSnap(), self.path), ]
    emu = self._emu
    vw = self._emu.vw  # Save a dereference many many times
    depth = 0   # calls handleCall() stepped into, balanced again by IF_RET
    op = None
    while len(todo) > 0:
        va, esnap, self.curpath = todo.pop()
        self.setEmuSnap(esnap)
        emu.setProgramCounter(va)
        # Check if we are beyond our loop max...
        if maxloop != None:
            lcount = vg_path.getPathLoopCount(self.curpath, 'bva', va)
            if lcount > maxloop:
                continue
        while True:
            startpc = emu.getProgramCounter()
            if not vw.isValidPointer(startpc):
                break
            if startpc == stopva:
                return
            # If we ran out of path (branches that went
            # somewhere that we couldn't follow)?
            if self.curpath == None:
                break
            try:
                op = emu.parseOpcode(startpc)
                if op.prefixes & PREFIX_REP and maxrep != None:
                    # execute same instruction with `rep` prefix up to maxrep times
                    h = rephits.get(startpc, 0)
                    h += 1
                    if h > maxrep:
                        break
                    rephits[startpc] = h
                elif maxhit != None:
                    # Check straight hit count for all other instructions...
                    h = hits.get(startpc, 0)
                    h += 1
                    if h > maxhit:
                        break
                    hits[startpc] = h
                nextpc = startpc + len(op)  # computed but not read below
                self.op = op
                for mon in self._monitors:
                    mon.prehook(emu, op, startpc)
                iscall = bool(op.iflags & v_envi.IF_CALL)
                if iscall:
                    # handleCall() decides whether to step into the callee and
                    # reports True when it did, so the callee's return is not
                    # mistaken for the end of this function.
                    wentInto = self.handleCall(startpc, op, avoid_calls=func_only)
                    if wentInto:
                        depth += 1
                else:
                    emu.executeOpcode(op)
                vg_path.getNodeProp(self.curpath, 'valist').append(startpc)
                endpc = emu.getProgramCounter()
                for mon in self._monitors:
                    mon.posthook(emu, op, endpc)
                if not iscall:
                    # If it wasn't a call, check for branches, if so, add them to
                    # the todo list and go around again...
                    blist = emu.checkBranches(startpc, endpc, op)
                    if len(blist) > 0:
                        # pc in the snap will be wrong, but over-ridden at restore
                        esnap = self.getEmuSnap()
                        for bva, bpath in blist:
                            todo.append((bva, esnap, bpath))
                        break
                # If we encounter a procedure exit, it doesn't matter what PC
                # is, we're done here -- unless we are still inside a call
                # that handleCall() stepped into.
                if op.iflags & v_envi.IF_RET:
                    vg_path.setNodeProp(self.curpath, 'cleanret', True)
                    if depth == 0:
                        break
                    else:
                        depth -= 1
            except v_envi.UnsupportedInstruction as e:
                if strictops:
                    break
                else:
                    # Skip the instruction and resume at the next one.
                    self._logger.debug('runFunction continuing after unsupported instruction: 0x%08x %s', e.op.va, e.op.mnem)
                    emu.setProgramCounter(e.op.va + e.op.size)
            except Exception as e:
                # Record the failure with every monitor at the faulting
                # address and give up on this branch only.
                self._logger.warning("error during emulation of function: %s", e)  # , exc_info=True)
                for mon in self._monitors:
                    mon.logAnomaly(emu, startpc, str(e))
                break  # If we exc during execution, this branch is dead.
def runFunction(self, funcva, stopva=None, maxhit=None, maxloop=None, tmode=None):
    """
    This is a utility function specific to WorkspaceEmulation (and impemu) that
    will emulate, but only inside the given function.  You may specify a stopva
    to return once that location is hit.

    Work items are (va, snapshot from getEmuSnap(), path node); branches
    reported by checkBranches() are pushed with a fresh snapshot and the
    current branch is abandoned.  Executed addresses are appended to the path
    node's 'valist' property; 'cleanret' is set True on a return instruction
    and False when a no-return address (vw.isNoReturnVa) is executed.  The
    emulator's monitor (self.emumon) is given prehook/posthook calls around
    every instruction, and self.emustop ends the run immediately.  This
    variant also tracks the Thumb state flag (PSR_T_bit) per work item and
    restores it after a call that switched modes.

    :param funcva: address to start emulating at (normalised by self._prep)
    :param stopva: return as soon as the program counter equals this address
    :param maxhit: per-address execution cap (None = unlimited)
    :param maxloop: skip a work item whose va already repeats more than this
                    many times on its path, by the 'bva' property
    :param tmode: initial Thumb mode hint passed to self._prep()
    :raises envi.UnsupportedInstruction: re-raised when self.strictops is set
    """
    logger.debug('=== emu.runFunction(0x%x, stopva=%r, maxhit=%r, maxloop=%r, tmode=%r)', funcva, stopva, maxhit, maxloop, tmode)
    funcva = self._prep(funcva, tmode)
    # Let the current (should be base also) path know where we are starting
    vg_path.setNodeProp(self.curpath, 'bva', funcva)
    hits = {}   # starteip -> times executed
    todo = [(funcva, self.getEmuSnap(), self.path)]
    vw = self.vw  # Save a dereference many many times
    while len(todo):
        va, esnap, self.curpath = todo.pop()
        self.setEmuSnap(esnap)
        self.setProgramCounter(va)
        # Thumb state of this work item, taken from the restored snapshot.
        tmode = self.getFlag(PSR_T_bit)
        # Check if we are beyond our loop max...
        if maxloop is not None:
            lcount = vg_path.getPathLoopCount(self.curpath, 'bva', va)
            if lcount > maxloop:
                continue
        while True:
            starteip = self.getProgramCounter()
            if not vw.isValidPointer(starteip):
                break
            if starteip == stopva:
                return
            # Check straight hit count...
            if maxhit is not None:
                h = hits.get(starteip, 0)
                h += 1
                if h > maxhit:
                    break
                hits[starteip] = h
            # If we ran out of path (branches that went
            # somewhere that we couldn't follow)?
            if self.curpath is None:
                break
            try:
                # FIXME unify with stepi code...
                # The Thumb bit is OR'd into the address handed to the decoder
                # (presumably the low address bit selects the instruction set
                # -- confirm against parseOpcode).
                op = self.parseOpcode(starteip | tmode)
                self.op = op
                if self.emumon:
                    # Monitor failures must not stop emulation: bad opcode
                    # bytes end this branch, BadOutInstruction is ignored,
                    # anything else is logged at self._log_level.
                    try:
                        self.emumon.prehook(self, op, starteip)
                    except v_exc.BadOpBytes as e:
                        logger.debug(str(e))
                        break
                    except v_exc.BadOutInstruction:
                        pass
                    except Exception as e:
                        logger.log(self._log_level, "funcva: 0x%x opva: 0x%x: %r (%r) (in emumon prehook: %r)", funcva, starteip, op, e, self.emumon)
                if self.emustop:
                    return
                # Execute the opcode
                self.executeOpcode(op)
                vg_path.getNodeProp(self.curpath, 'valist').append(starteip)
                endeip = self.getProgramCounter()
                if self.emumon:
                    try:
                        self.emumon.posthook(self, op, endeip)
                    except v_exc.BadOpBytes as e:
                        logger.debug(str(e))
                        break
                    except v_exc.BadOutInstruction:
                        pass
                    except Exception as e:
                        logger.log(self._log_level, "funcva: 0x%x opva: 0x%x: %r (%r) (in emumon posthook: %r)", funcva, starteip, op, e, self.emumon)
                if self.emustop:
                    return
                iscall = self.checkCall(starteip, endeip, op)
                if self.emustop:
                    return
                # If it wasn't a call, check for branches, if so, add them to
                # the todo list and go around again...
                if not iscall:
                    blist = self.checkBranches(starteip, endeip, op)
                    if len(blist):
                        # pc in the snap will be wrong, but over-ridden at restore
                        esnap = self.getEmuSnap()
                        for bva, bpath in blist:
                            todo.append((bva, esnap, bpath))
                        break
                else:
                    # check if we've blx'd to a different thumb state.  if so,
                    # be sure to return to the original tmode before continuing emulation
                    pass
                    newtmode = self.getFlag(PSR_T_bit)
                    if newtmode != tmode:
                        self.setFlag(PSR_T_bit, tmode)
                # If we encounter a procedure exit, it doesn't
                # matter what EIP is, we're done here.
                if op.iflags & envi.IF_RET:
                    vg_path.setNodeProp(self.curpath, 'cleanret', True)
                    break
                # TODO: hook things like error(...) when they have a param that indicates to
                # exit.  Might be a bit hairy since we'll possibly have to fix up codeblocks
                # Make sure we can at least get past the first instruction in certain functions
                if self.vw.isNoReturnVa(op.va) and op.va != funcva:
                    vg_path.setNodeProp(self.curpath, 'cleanret', False)
                    break
            except envi.BadOpcode:
                break
            except envi.UnsupportedInstruction as e:
                if self.strictops:
                    logger.debug('runFunction breaking after unsupported instruction: 0x%08x %s', e.op.va, e.op.mnem)
                    raise e
                else:
                    # Skip the instruction and resume at the next one.
                    logger.debug('runFunction continuing after unsupported instruction: 0x%08x %s', e.op.va, e.op.mnem)
                    self.setProgramCounter(e.op.va + e.op.size)
            except v_exc.BadOutInstruction:
                break
            except Exception as e:
                # Breakpoint hits are expected control flow and not reported as
                # anomalies; everything else is handed to the monitor.
                if self.emumon is not None and not isinstance(e, e_exc.BreakpointHit):
                    self.emumon.logAnomaly(self, starteip, str(e))
                logger.debug('runFunction breaking after exception (fva: 0x%x): %s', funcva, e)
                break  # If we exc during execution, this branch is dead.
def runFunction(self, funcva, stopva=None, maxhit=None, maxloop=None):
    """
    This is a utility function specific to WorkspaceEmulation (and impemu) that
    will emulate, but only inside the given function.  You may specify a stopva
    to return once that location is hit.

    Work items are (va, snapshot from getEmuSnap(), path node); branches
    reported by checkBranches() are pushed with a fresh snapshot and the
    current branch is abandoned.  Executed addresses are appended to the path
    node's 'valist' property and 'cleanret' is set on a return instruction.
    The emulator's monitor (self.emumon) gets prehook/posthook calls around
    every instruction; self.emustop ends the run immediately.  Exceptions
    raised while executing are handed to the monitor's logAnomaly() and end
    the current branch only.

    :param funcva: address to start emulating at (also stored in self.funcva)
    :param stopva: return as soon as the program counter equals this address
    :param maxhit: per-address execution cap (None = unlimited)
    :param maxloop: skip a work item whose va already repeats more than this
                    many times on its path, by the 'bva' property
    """
    self.funcva = funcva
    # Let the current (should be base also) path know where we are starting
    vg_path.setNodeProp(self.curpath, 'bva', funcva)
    hits = {}   # starteip -> times executed
    todo = [(funcva,self.getEmuSnap(),self.path),]
    vw = self.vw  # Save a dereference many many times
    while len(todo):
        va,esnap,self.curpath = todo.pop()
        self.setEmuSnap(esnap)
        self.setProgramCounter(va)
        # Check if we are beyond our loop max...
        if maxloop != None:
            lcount = vg_path.getPathLoopCount(self.curpath, 'bva', va)
            if lcount > maxloop:
                continue
        while True:
            starteip = self.getProgramCounter()
            if not vw.isValidPointer(starteip):
                break
            if starteip == stopva:
                return
            # Check straight hit count...
            if maxhit != None:
                h = hits.get(starteip, 0)
                h += 1
                if h > maxhit:
                    break
                hits[starteip] = h
            # If we ran out of path (branches that went
            # somewhere that we couldn't follow)?
            if self.curpath == None:
                break
            try:
                # FIXME unify with stepi code...
                op = self.parseOpcode(starteip)
                self.op = op
                # NOTE(review): the monitor hooks are not wrapped here, so a
                # hook raising anything lands in the generic handler below and
                # ends the branch -- confirm that is acceptable for emumon.
                if self.emumon:
                    self.emumon.prehook(self, op, starteip)
                if self.emustop:
                    return
                # Execute the opcode
                self.executeOpcode(op)
                vg_path.getNodeProp(self.curpath, 'valist').append(starteip)
                endeip = self.getProgramCounter()
                if self.emumon:
                    self.emumon.posthook(self, op, endeip)
                if self.emustop:
                    return
                iscall = self.checkCall(starteip, endeip, op)
                if self.emustop:
                    return
                # If it wasn't a call, check for branches, if so, add them to
                # the todo list and go around again...
                if not iscall:
                    blist = self.checkBranches(starteip, endeip, op)
                    if len(blist):
                        # pc in the snap will be wrong, but over-ridden at restore
                        esnap = self.getEmuSnap()
                        for bva,bpath in blist:
                            todo.append((bva, esnap, bpath))
                        break
                # If we encounter a procedure exit, it doesn't
                # matter what EIP is, we're done here.
                if op.iflags & envi.IF_RET:
                    vg_path.setNodeProp(self.curpath, 'cleanret', True)
                    break
            except envi.UnsupportedInstruction, e:
                if self.strictops:
                    break
                else:
                    # Skip the instruction and resume at the next one.
                    print 'runFunction continuing after unsupported instruction: 0x%08x %s' % (e.op.va, e.op.mnem)
                    self.setProgramCounter(e.op.va+ e.op.size)
            except Exception, e:
                if self.emumon != None:
                    self.emumon.logAnomaly(self, starteip, str(e))
                break  # If we exc during execution, this branch is dead.
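def runFunction(self, funcva, stopva=None, maxhit=None, maxloop=None):
    """
    This is a utility function specific to WorkspaceEmulation (and impemu)
    that will emulate, but only inside the given function.

    Emulation starts at funcva.  Whenever checkBranches() reports branch
    targets for a non-call instruction, each target is pushed onto a todo
    list together with an emulator snapshot and its path node, the current
    branch stops, and emulation resumes from the next todo entry.

    :param funcva: address to start at; stored in self.funcva and as the
        'bva' property of the current path node
    :param stopva: return as soon as the program counter equals this
        address (checked before the instruction there is executed)
    :param maxhit: maximum number of times any single address may be
        executed during this call (the count is shared by all branches);
        exceeding it abandons the current branch
    :param maxloop: maximum 'bva' loop count (vg_path.getPathLoopCount)
        a path may have when it is popped; deeper paths are dropped
    :returns: None

    When maxhit and maxloop are both None nothing in this loop bounds the
    work spent on looping code: a branch only ends on an invalid pointer,
    a return, stopva, the emulation monitor setting self.emustop, or an
    exception.  Pass both when emulating code you do not trust.

    Exceptions raised by the monitor's prehook/posthook are logged (unless
    the 'silent' meta is set) and emulation continues.  Any other
    Exception raised while executing an instruction abandons the branch;
    it is reported to the monitor as an anomaly unless it is an
    e_exc.BreakpointHit.  envi.UnsupportedInstruction is treated
    separately: with self.strictops set the branch is abandoned, otherwise
    the instruction is skipped and emulation continues after it.
    """
    self.funcva = funcva

    # Let the current (should be base also) path know where we are starting
    vg_path.setNodeProp(self.curpath, 'bva', funcva)

    hits = {}
    todo = [(funcva, self.getEmuSnap(), self.path)]
    vw = self.vw  # Save a dereference many many times

    while todo:
        va, esnap, self.curpath = todo.pop()
        self.setEmuSnap(esnap)
        self.setProgramCounter(va)

        # Check if we are beyond our loop max...
        if maxloop is not None:
            lcount = vg_path.getPathLoopCount(self.curpath, 'bva', va)
            if lcount > maxloop:
                continue

        while True:
            starteip = self.getProgramCounter()
            if not vw.isValidPointer(starteip):
                break

            if starteip == stopva:
                return

            # Check straight hit count...
            if maxhit is not None:
                h = hits.get(starteip, 0)
                h += 1
                if h > maxhit:
                    break
                hits[starteip] = h

            # If we ran out of path (branches that went
            # somewhere that we couldn't follow)?
            if self.curpath is None:
                break

            try:
                # FIXME unify with stepi code...
                op = self.parseOpcode(starteip)
                self.op = op
                if self.emumon:
                    try:
                        self.emumon.prehook(self, op, starteip)
                    except Exception as e:
                        if not self.getMeta('silent'):
                            # logger.warning: logger.warn is a deprecated alias
                            logger.warning(
                                "funcva: 0x%x opva: 0x%x: %r (%r) (in emumon prehook)",
                                funcva, starteip, op, e)
                    if self.emustop:
                        return

                # Execute the opcode
                self.executeOpcode(op)
                vg_path.getNodeProp(self.curpath, 'valist').append(starteip)

                endeip = self.getProgramCounter()

                if self.emumon:
                    try:
                        self.emumon.posthook(self, op, endeip)
                    except Exception as e:
                        if not self.getMeta('silent'):
                            logger.warning(
                                "funcva: 0x%x opva: 0x%x: %r (%r) (in emumon posthook)",
                                funcva, starteip, op, e)
                    if self.emustop:
                        return

                iscall = self.checkCall(starteip, endeip, op)
                if self.emustop:
                    return

                # If it wasn't a call, check for branches, if so, add them to
                # the todo list and go around again...
                if not iscall:
                    blist = self.checkBranches(starteip, endeip, op)
                    if blist:
                        # pc in the snap will be wrong, but over-ridden at restore
                        esnap = self.getEmuSnap()
                        for bva, bpath in blist:
                            todo.append((bva, esnap, bpath))
                        break

                # If we encounter a procedure exit, it doesn't
                # matter what EIP is, we're done here.
                if op.iflags & envi.IF_RET:
                    vg_path.setNodeProp(self.curpath, 'cleanret', True)
                    break

            except envi.UnsupportedInstruction as e:
                if self.strictops:
                    logger.debug(
                        'runFunction failed: unsupported instruction: 0x%08x %s',
                        e.op.va, e.op.mnem)
                    break
                else:
                    logger.debug(
                        'runFunction continuing after unsupported instruction: 0x%08x %s',
                        e.op.va, e.op.mnem)
                    self.setProgramCounter(e.op.va + e.op.size)
            except Exception as e:
                # A BreakpointHit is an expected stop, not an anomaly worth reporting.
                if self.emumon is not None and not isinstance(e, e_exc.BreakpointHit):
                    self.emumon.logAnomaly(self, starteip, str(e))
                break  # If we exc during execution, this branch is dead.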
def getFuncCbRoutedPaths(self, fromva, tova, loopcnt=0, maxpath=None, timeout=None):
    '''
    Yield every path through self.graph from the code block containing
    fromva to the code block containing tova, walking forwards from the
    source block (fgraph.getRefsFrom) after preRouteGraph() has marked
    the graph for this source/destination pair.

    Each yielded path is a list with one _nodeedge(n) entry per path node
    (a (node, edge) pair, per the module-level path helpers).

    :param fromva: address inside the block the paths start from
    :param tova: address inside the block the paths end at
    :param loopcnt: an edge is skipped once vg_pathcore.getPathLoopCount()
        for the node is greater than this value
    :param maxpath: stop after this many paths have been yielded
        (loop-skipped edges are also counted once at least one real path
        has been produced); None means no limit
    :param timeout: wall-clock seconds (time.time()) after which the
        generator raises instead of continuing; None means no limit
    :raises PathForceQuitException: when timeout expires or when another
        party clears self.__go__ while the generator is running

    The number of paths can grow very quickly with the size of the graph;
    without maxpath or timeout only clearing self.__go__ stops a long
    enumeration.  self.__update is set to 1 after each yielded path
    (presumably polled by a UI; not visible here).
    '''
    fgraph = self.graph
    self.__update = 0
    self.__go__ = True
    pathcnt = 0
    tocbva = getGraphNodeByVa(fgraph, tova)
    frcbva = getGraphNodeByVa(fgraph, fromva)

    # NOTE(review): presumably this sets the 'down' node props consulted
    # below; preRouteGraph is not visible here -- confirm.
    preRouteGraph(fgraph, fromva, tova)

    pnode = vg_pathcore.newPathNode(nid=frcbva, eid=None)

    todo = [(frcbva, pnode), ]

    maxtime = None
    if timeout:
        maxtime = time.time() + timeout

    while todo:
        if maxtime and time.time() > maxtime:
            raise PathForceQuitException()

        # Cooperative abort: someone else cleared the flag.
        if not self.__go__:
            raise PathForceQuitException()

        nodeid, cpath = todo.pop()

        refsfrom = fgraph.getRefsFrom((nodeid, None))

        # Reached the destination block: the parent chain of cpath is a
        # complete path.
        if nodeid == tocbva:
            path = vg_pathcore.getPathToNode(cpath)
            yield [_nodeedge(n) for n in path]
            vg_pathcore.trimPath(cpath)

            pathcnt += 1
            self.__update = 1
            if maxpath and pathcnt >= maxpath:
                return

        for eid, fromid, toid, einfo in refsfrom:
            # Only follow edges preRouteGraph marked as leading 'down'
            # towards the destination.
            if fgraph.getNodeProps(fromid).get('down') != True:
                # TODO: drop the bad edges from graph in preprocessing? instead of "if" here
                continue

            # Skip loops if they are "deeper" than we are allowed
            # NOTE(review): the loop count is taken on fromid (the node
            # being left), while the backward variant and the module-level
            # path helpers count the node being entered -- confirm this is
            # intended, as fromid is also the current path node's nid.
            loops = vg_pathcore.getPathLoopCount(cpath, 'nid', fromid)
            if loops > loopcnt:
                vg_pathcore.trimPath(cpath)
                # as long as we have at least one path, we count loops as paths, lest we die.
                if pathcnt:
                    pathcnt += 1
                continue

            npath = vg_pathcore.newPathNode(parent=cpath, nid=toid, eid=eid)
            todo.append((toid, npath))

        vg_pathcore.trimPath(cpath)

    # Signals normal completion; an early return via maxpath leaves it True.
    self.__go__ = False
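def getFuncCbRoutedPaths_genback(self, fromva, tova, loopcnt=0, maxpath=None, timeout=None):
    '''
    Yield every path through self.graph from the code block containing
    fromva to the code block containing tova, walking *backwards* from the
    destination block (fgraph.getRefsTo) after preRouteGraph() has marked
    the graph for this source/destination pair.

    Each yielded path is reversed into source-to-destination order and is
    a list with one viv_graph._nodeedge(n) entry per path node (a
    (node, edge) pair, per the module-level path helpers).

    Example:
        for path in gen.getFuncCbRoutedPaths_genback(fromva, tova):
            for node, edge in path:
                ...etc...

    :param fromva: address inside the block the paths start from
    :param tova: address inside the block the paths end at
    :param loopcnt: an edge into a node is skipped once
        vg_pathcore.getPathLoopCount() for that node exceeds this value
    :param maxpath: stop after this many paths have been yielded; None
        means no limit
    :param timeout: wall-clock seconds (time.time()) after which the
        generator raises instead of continuing; None means no limit
    :raises PathForceQuitException: when timeout expires or when another
        party clears self.__go__ while the generator is running

    self.__steplock is held while a path is yielded and until the book
    keeping after the yield has run; it is released in a finally so a
    consumer that stops iterating (GeneratorExit at the yield) or throws
    into the generator cannot leave it held.  The number of paths can
    grow very quickly with the size of the graph; without maxpath or
    timeout only clearing self.__go__ stops a long enumeration.
    '''
    fgraph = self.graph
    self.__update = 0
    self.__go__ = True
    pathcnt = 0
    tocbva = getGraphNodeByVa(fgraph, tova)
    frcbva = getGraphNodeByVa(fgraph, fromva)

    # NOTE(review): presumably this sets the 'up' node props consulted
    # below; preRouteGraph is not visible here -- confirm.
    preRouteGraph(fgraph, fromva, tova)

    pnode = vg_pathcore.newPathNode(nid=tocbva, eid=None)

    todo = [(tocbva, pnode), ]

    maxtime = None
    if timeout:
        maxtime = time.time() + timeout

    while todo:
        if maxtime and time.time() > maxtime:
            raise PathForceQuitException()

        # Cooperative abort: someone else cleared the flag.
        if not self.__go__:
            raise PathForceQuitException()

        nodeid, cpath = todo.pop()

        refsto = fgraph.getRefsTo((nodeid, None))

        # Reached the source block: the reversed parent chain of cpath is
        # a complete path.
        if nodeid == frcbva:
            path = vg_pathcore.getPathToNode(cpath)
            path.reverse()
            self.__steplock.acquire()
            try:
                yield [viv_graph._nodeedge(n) for n in path]
                vg_pathcore.trimPath(cpath)
                pathcnt += 1
                self.__update = 1
            finally:
                # Without this a consumer that breaks out of its loop at
                # the yield would leave the lock held for good.
                self.__steplock.release()

            if maxpath and pathcnt >= maxpath:
                return

        for eid, fromid, toid, einfo in refsto:
            # Only follow edges preRouteGraph marked as leading 'up'
            # towards the source.
            if fgraph.getNodeProps(fromid).get('up') != True:
                # TODO: drop the bad edges from graph in preprocessing? instead of "if" here
                vg_pathcore.trimPath(cpath)
                continue

            # Skip loops if they are "deeper" than we are allowed
            loops = vg_pathcore.getPathLoopCount(cpath, 'nid', fromid)
            if loops > loopcnt:
                continue

            # NOTE(review): cpath's 'eid' is overwritten for every incoming
            # edge, but its children are popped later (LIFO todo); paths
            # through all but the last-pushed child may therefore report
            # the last edge here -- confirm against _nodeedge/getPathToNode.
            vg_pathcore.setNodeProp(cpath, 'eid', eid)
            npath = vg_pathcore.newPathNode(parent=cpath, nid=fromid, eid=None)
            todo.append((fromid, npath))

    # Signals normal completion; an early return via maxpath leaves it True.
    self.__go__ = False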