def setUp(self):
self._arch_info = X86ArchitectureInformation(ARCH_X86_MODE_32)
self._emulator = ReilEmulator(self._arch_info)
self._asm_parser = X86Parser(ARCH_X86_MODE_32)
self._translator = X86Translator(ARCH_X86_MODE_32)
def __init__(self, binary):
self.__binary = binary
self.__arch_mode = self.__binary.architecture_mode
self.__arch = X86ArchitectureInformation(self.__arch_mode)
self.__disassembler = X86Disassembler(self.__arch_mode)
self.__translator = X86Translator(self.__arch_mode)
self.__bb_builder = CFGRecoverer(
RecursiveDescent(self.__disassembler, self.__binary.text_section,
self.__translator, self.__arch))
def setUp(self):
self.arch_mode = ARCH_X86_MODE_64
self.arch_info = X86ArchitectureInformation(self.arch_mode)
self.x86_parser = X86Parser(self.arch_mode)
self.x86_translator = X86Translator(self.arch_mode)
self.reil_emulator = ReilEmulator(self.arch_info)
self.context_filename = "failing_context.data"
def __translate(self, asm_instr):
reil_translator = X86Translator(self.arch_info.architecture_mode)
# Create ReilContainer
instr_container = ReilContainer()
instr_seq = ReilSequence()
for reil_instr in reil_translator.translate(asm_instr):
instr_seq.append(reil_instr)
instr_container.add(instr_seq)
return instr_container
def test_emulate_x86_64(self):
binary = BinaryFile(get_full_path("./samples/bin/loop-simple.x86_64"))
arch_mode = ARCH_X86_MODE_64
arch_info = X86ArchitectureInformation(arch_mode)
ir_emulator = ReilEmulator(arch_info)
disassembler = X86Disassembler(ARCH_X86_MODE_64)
ir_translator = X86Translator(ARCH_X86_MODE_64)
emu = Emulator(arch_info, ir_emulator, ir_translator, disassembler)
emu.load_binary(binary)
emu.emulate(0x4004d6, 0x400507, {}, None, False)
def __init__(self, binary, symbols):
self.__binary = binary
self.__arch_mode = self.__binary.architecture_mode
self.__arch = X86ArchitectureInformation(self.__arch_mode)
self.__disassembler = X86Disassembler(self.__arch_mode)
self.__translator = X86Translator(self.__arch_mode)
self.__bb_builder = CFGRecoverer(
RecursiveDescent(self.__disassembler, self.__binary.text_section,
self.__translator, self.__arch))
self.__container = {}
self.__symbols = symbols
self.__symbols_by_addr = {}
for name, start, end in symbols:
self.__symbols_by_addr[start] = (name, end)
def setUp(self):
self._arch_info = X86ArchitectureInformation(ARCH_X86_MODE_32)
self._smt_solver = SmtSolver()
self._smt_translator = SmtTranslator(self._smt_solver,
self._arch_info.address_size)
self._smt_translator.set_arch_alias_mapper(
self._arch_info.alias_mapper)
self._smt_translator.set_arch_registers_size(
self._arch_info.registers_size)
self._x86_parser = X86Parser(ARCH_X86_MODE_32)
self._x86_translator = X86Translator(ARCH_X86_MODE_32)
self._code_analyzer = CodeAnalyzer(self._smt_solver,
self._smt_translator,
self._arch_info)
def __init__(self, arch, trace, start_address, options):
AsmTraceAnalyzer.__init__(self, arch, trace)
self._options = options
disassembler = X86Disassembler(arch.architecture_mode)
ir_translator = X86Translator(arch.architecture_mode)
self._emulator = Emulator(arch, ReilEmulator(arch), ir_translator,
disassembler)
self._undefined_flags = {
"bsf": ["cf", "of", "sf", "af", "pf"],
"bt": ["pf"], # TODO Check.
"div": ["cf", "of", "sf", "zf", "af", "pf"],
"imul": ["pf"], # TODO Check.
"shl": ["of"], # TODO Check.
"shr": ["of"], # TODO Check.
}
self._set_regs = True
self._next_addr = start_address
def raw_to_IRBlock(raw, thumb=False):
# Check for Architecture
if (curr_arch_type() == ArchType.ARCH_X86):
disassembler = X86Disassembler(architecture_mode=ARCH_X86_MODE_32)
ir_translator = X86Translator(architecture_mode=ARCH_X86_MODE_32)
alias_mapper = X86ArchitectureInformation(
ARCH_X86_MODE_32).alias_mapper
elif (curr_arch_type() == ArchType.ARCH_X64):
disassembler = X86Disassembler(architecture_mode=ARCH_X86_MODE_64)
ir_translator = X86Translator(architecture_mode=ARCH_X86_MODE_64)
alias_mapper = X86ArchitectureInformation(
ARCH_X86_MODE_64).alias_mapper
elif (curr_arch_type() == ArchType.ARCH_ARM32 and not thumb):
disassembler = ArmDisassembler(architecture_mode=ARCH_ARM_MODE_ARM)
ir_translator = ArmTranslator(architecture_mode=ARCH_ARM_MODE_ARM)
alias_mapper = ArmArchitectureInformation(
ARCH_ARM_MODE_ARM).alias_mapper
elif (curr_arch_type() == ArchType.ARCH_ARM32 and thumb):
disassembler = ArmDisassembler(architecture_mode=ARCH_ARM_MODE_THUMB)
ir_translator = ArmTranslator(architecture_mode=ARCH_ARM_MODE_THUMB)
alias_mapper = ArmArchitectureInformation(
ARCH_ARM_MODE_THUMB).alias_mapper
else:
raise Exception("ARCH TYPE NOT SUPPORTED")
(irsb, string) = raw_to_REIL(raw, disassembler, ir_translator)
if (irsb is None):
return (None, string)
asm_instr_string = '; '.join(str(i) for i in string)
# Check if branch instructions in the middle of the gadget
for ins in string[:-1]:
if (str(ins)[0:2] == "bl"):
return (None, "Branch in the middle of the gadget")
res = IRBlock()
# Translate instruction by instruction
try:
for instr in irsb:
# print(instr) # DEBUG
i = None
if (instr.mnemonic == ReilMnemonic.NOP):
pass
elif (is_calculation_instr(instr.mnemonic)):
i = IRInstruction(
barf_operation_to_IR(instr.mnemonic),
barf_operand_to_IR(instr.operands[0], alias_mapper),
barf_operand_to_IR(instr.operands[1], alias_mapper),
barf_operand_to_IR(instr.operands[2], alias_mapper))
elif (is_load_instr(instr.mnemonic)):
i = IRInstruction(
IROperation.LDM,
barf_operand_to_IR(instr.operands[0], alias_mapper),
ArgEmpty(),
barf_operand_to_IR(instr.operands[2], alias_mapper))
elif (is_store_instr(instr.mnemonic)):
i = IRInstruction(
IROperation.STM,
barf_operand_to_IR(instr.operands[0], alias_mapper),
ArgEmpty(),
barf_operand_to_IR(instr.operands[2], alias_mapper))
elif (is_put_instr(instr.mnemonic)):
i = IRInstruction(
IROperation.STR,
barf_operand_to_IR(instr.operands[0], alias_mapper),
ArgEmpty(),
barf_operand_to_IR(instr.operands[2], alias_mapper))
elif (instr.mnemonic == ReilMnemonic.BISZ):
i = IRInstruction(
IROperation.UNKNOWN, ArgEmpty(), ArgEmpty(),
barf_operand_to_IR(instr.operands[2], alias_mapper))
elif (instr.mnemonic == ReilMnemonic.JCC):
if (isinstance(instr.operands[0], ReilImmediateOperand)
and instr.operands[0]._immediate != 0):
if (instr.operands[2].size > curr_arch_bits()):
i = IRInstruction(
IROperation.BSH,
barf_operand_to_IR(instr.operands[2],
alias_mapper),
ArgCst(curr_arch_bits() - instr.operands[2].size,
curr_arch_bits()),
ArgReg(curr_arch_ip(), curr_arch_bits()))
else:
i = IRInstruction(
IROperation.STR,
barf_operand_to_IR(instr.operands[2],
alias_mapper), ArgEmpty(),
ArgReg(curr_arch_ip(), curr_arch_bits()))
else:
i = IRInstruction(IROperation.UNKNOWN, ArgEmpty(),
ArgEmpty(),
ArgReg(curr_arch_ip(), curr_arch_bits()))
break
elif (instr.mnemonic == ReilMnemonic.BISZ):
raise REILOperationNotSupported(
"REIL Operation 'BISZ' not supported")
else:
return (None, string)
if (i):
res.add_instr(i)
# Possible exceptions
except RegNotSupported as e:
log("In " + asm_instr_string + " | " + str(e))
return (None, string)
except CstTooBig as e:
log("In " + asm_instr_string + " | " + str(e))
return (None, string)
except REILOperationNotSupported as e:
log("In " + asm_instr_string + " | " + str(e))
return (None, string)
# Succesful return
return (res, string)
def setUp(self):
self._parser = X86Parser(ARCH_X86_MODE_32)
self._translator = X86Translator(ARCH_X86_MODE_32)
def setUp(self):
self._arch_mode = ARCH_X86_MODE_32
self._arch_info = X86ArchitectureInformation(self._arch_mode)
self._disassembler = X86Disassembler(ARCH_X86_MODE_32)
self._translator = X86Translator(ARCH_X86_MODE_32)
def barf_classify(gadget_map, printout=True):
arch_mode = ARCH_X86_MODE_32
arch_info = X86ArchitectureInformation(arch_mode)
translator = X86Translator(arch_mode)
instruction_parser = X86Parser(arch_mode)
ir_emulator = ReilEmulator(arch_info)
classifier = GadgetClassifier(ir_emulator, arch_info)
raw_gadgets = {}
typed_gadgets = []
for _, gadget in gadget_map.items():
# Translation cycle: from my emulator to BARF representation
classifiable = False
barf_instr_list = []
for _, instr in gadget.instructions.items():
# Parse a ROPInstruction into the BARF representation of an x86 instruction
barf_instr = instruction_parser.parse("{} {}".format(
instr.mnemonic, instr.op_str))
barf_instr.address = instr.address
try:
# Translate an x86 instruction into a list of REIL instructions
reil_transl_instrs = translator.translate(barf_instr)
barf_instr.ir_instrs = reil_transl_instrs
classifiable = True
except TranslationError:
classifiable = False
finally:
barf_instr_list.append(barf_instr)
# Classification of the gadgets
barf_g = RawGadget(barf_instr_list)
raw_gadgets[barf_g.address] = barf_g
if classifiable:
classified = classifier.classify(barf_g)
for tg in classified:
typed_gadgets.append(tg)
if printout:
print_gadgets_raw(list(raw_gadgets.values()), sys.stdout, 'addr', True,
'Raw Gadgets', False)
verified = []
unverified = []
solver = Z3Solver()
translator = SmtTranslator(solver, arch_info.address_size)
code_analyzer = CodeAnalyzer(solver, translator, arch_info)
verifier = GadgetVerifier(code_analyzer, arch_info)
for tg in typed_gadgets:
if verifier.verify(tg):
verified.append(tg)
else:
unverified.append(tg)
print_gadgets_typed(verified, sys.stdout, arch_info.address_size,
'Verified classification')
print_gadgets_typed(unverified, sys.stdout, arch_info.address_size,
'Unverified classification')
for tg in typed_gadgets:
if tg.address in raw_gadgets:
raw_gadgets.pop(tg.address)
print_gadgets_raw(list(raw_gadgets.values()), sys.stdout, 'addr',
False, 'Not classified', False)
return {tg.address: tg for tg in typed_gadgets}
