def has_tainted_operands(operands, taint_id):
# type: (list[manticore.core.cpu.abstractcpu.Operand], object) -> bool
for operand in operands:
op = operand.read()
if issymbolic(op) and taint_id in op.taint:
return True
return False
def did_write_memory_callback(self, state, where, value, size):
if not self.active:
return
write = self.get_next("mem_write")
if not issymbolic(value):
return
assert write["where"] == where and write["size"] == size
state.constrain(value == write["value"])
def did_write_memory_callback(self, state, where, value, size):
if not self.active:
return
write = self.get_next('mem_write')
if not issymbolic(value):
return
assert write['where'] == where and write['size'] == size
state.constrain(value == write['value'])
def did_execute_instruction_callback(self, state, last_pc, pc, insn):
if not self.active:
return
event = self.get_next('regs')
self.last_instruction = event['values']
if issymbolic(pc):
state.constrain(state.cpu.RIP == self.last_instruction['RIP'])
else:
for start, stop in self.symbolic_ranges:
if start <= pc <= stop:
self.active = False
def has_tainted_flags(state, cc):
if cc == cs.arm.ARM_CC_AL:
ret = []
elif cc == cs.arm.ARM_CC_EQ:
ret = ['Z']
elif cc == cs.arm.ARM_CC_NE:
ret = ['Z']
elif cc == cs.arm.ARM_CC_HS:
ret = ['C']
elif cc == cs.arm.ARM_CC_LO:
ret = ['C']
elif cc == cs.arm.ARM_CC_MI:
ret = ['N']
elif cc == cs.arm.ARM_CC_PL:
ret = ['N']
elif cc == cs.arm.ARM_CC_VS:
ret = ['V']
elif cc == cs.arm.ARM_CC_VC:
ret = ['V']
elif cc == cs.arm.ARM_CC_HI:
ret = ['C', 'Z']
elif cc == cs.arm.ARM_CC_LS:
ret = ['C', 'Z']
elif cc == cs.arm.ARM_CC_GE:
ret = ['N', 'V']
elif cc == cs.arm.ARM_CC_LT:
ret = ['N', 'V']
elif cc == cs.arm.ARM_CC_GT:
ret = ['Z', 'N', 'V']
elif cc == cs.arm.ARM_CC_LE:
ret = ['Z', 'N', 'V']
for flag in ret:
flag_name = 'APSR_{}'.format(flag)
flag_val = state.cpu.regfile.read(flag_name)
if issymbolic(flag_val) and taint_id in flag_val.taint:
return True
return False
def is_symbolic(self, val): return manticore.issymbolic(val)
def concrete_checker(state):
"""
initial checker hook for SANDSHREW_sym that checks for the presence of symbolic input.
If so, an unconstrained hook is attached to the memory location to restore symbolic state after concretization
"""
cpu = state.cpu
with m.locked_context() as context:
logging.debug(
f"Entering target function SANDSHREW_{sym} at {hex(state.cpu.PC)}"
)
# check if RSI, the assumed input arg, is symbolic
data = cpu.read_int(cpu.RSI)
if issymbolic(data):
logging.debug(
f"Symbolic input parameter to function {sym}() detected"
)
# store instruction after `call SANDSHREW_*`
return_pc = context["trace"][-1] + 5
# attach a hook to the return_pc, as this is where we will perform concolic execution
@m.hook(return_pc)
def unconstrain_hook(state):
"""
unconstrain_hook writes unconstrained symbolic data to the memory location of the output.
"""
with m.locked_context() as context:
# output param is RDI, symbolicate RAX
context["return_addr"] = cpu.RAX
logging.debug(
f"Writing unconstrained buffer to output memory location"
)
# initialize unconstrained symbolic input
return_buf = state.new_symbolic_buffer(BUFFER_SIZE)
# apply charset constraints based on user input
for i in range(BUFFER_SIZE):
if args.constraint == "alpha":
state.constrain(
operators.OR(
operators.AND(
ord("A") <= return_buf[i],
return_buf[i] <= ord("Z")),
operators.AND(
ord("a") <= return_buf[i],
return_buf[i] <= ord("z")),
))
elif args.constraint == "num":
state.constrain(
operators.AND(
ord("0") <= return_buf[i],
return_buf[i] <= ord("9")))
elif args.constraint == "alphanum":
raise NotImplementedError(
"alphanum constraint set not yet implemented"
)
elif args.constraint == "ascii":
state.constrain(
operators.AND(
ord(" ") <= return_buf[i],
return_buf[i] <= ord("}")))
# write to address
state.cpu.write_bytes(context["return_addr"],
return_buf)
def test_issymbolic_neg(self):
v = 1
self.assertFalse(issymbolic(v))
def test_issymbolic(self):
v = BitVecVariable(32, 'sym')
self.assertTrue(issymbolic(v))
def has_tainted_operands(operands):
for operand in operands:
op = operand.read()
if issymbolic(op) and taint_id in op.taint:
return True
return False
def test_issymbolic_neg(self):
v = 1
self.assertFalse(issymbolic(v))
def test_issymbolic(self):
v = BitVecVariable(32, 'sym')
self.assertTrue(issymbolic(v))
def test_issymbolic(self):
v = BitVecVariable(size=32, name="sym")
self.assertTrue(issymbolic(v))
