Пример #1
0
 def findDep(self, item):
     arg = item.args[self.lastClickIndex]
     address = item.address + item.instr.l
     func = item.func
     if func.ircfg is None:
         func.ira = BinaryAnalysis.iraType(func.cfg.loc_db)
         func.ircfg = func.ira.new_ircfg_from_asmcfg(func.cfg)
         func.defUse = DiGraphDefUse(ReachingDefinitions(func.ircfg))
     indexReg = eval('BinaryAnalysis.machine.mn.regs.regs' + str(arg.size).zfill(2) + '_expr').index(arg)
     arg = eval('BinaryAnalysis.machine.mn.regs.regs' + str(BinaryAnalysis.disasmEngine.attrib).zfill(2) + '_expr')[
         indexReg]
     elements = set()
     elements.add(arg)
     depgraph = DependencyGraph(func.ircfg, implicit=False, apply_simp=True, follow_call=False, follow_mem=True)
     currentLockey = next(iter(func.ircfg.getby_offset(address)))
     assignblkIndex = 0
     currentBlock = func.ircfg.get_block(currentLockey)
     for assignblkIndex, assignblk in enumerate(currentBlock):
         if assignblk.instr.offset == address:
             break
     outputLog = ''
     for solNum, sol in enumerate(depgraph.get(currentBlock.loc_key, elements, assignblkIndex, set())):
         results = sol.emul(func.ira, ctx={})
         outputLog += 'Solution %d:\n' % solNum
         for k, v in viewitems(results):
             outputLog += str(k) + ' = ' + str(v) + '\n'
         path = ' -> '.join(BinaryAnalysis.locDB.pretty_str(h) for h in sol.history[::-1])
         outputLog += path + '\n\n'
     self.log.emit(outputLog)
Пример #2
0
 def taintAnalysis(self, item):
     func = item.func
     if func.ircfg is None:
         func.ira = BinaryAnalysis.iraType(func.cfg.loc_db)
         func.ircfg = func.ira.new_ircfg_from_asmcfg(func.cfg)
         func.defUse = DiGraphDefUse(ReachingDefinitions(func.ircfg))
     current_block = func.ircfg.get_block(item.block.loc_key)
     index = 0
     dstArg = None
     for index, assignblk in enumerate(current_block):
         if assignblk.instr.offset == item.address:
             for dst, src in assignblk.items():
                 dstArg = dst
             break
     queue = [AssignblkNode(item.block.loc_key, index, dstArg)]
     currentPoint = 0
     endPoint = 0
     while currentPoint <= endPoint:
         node = queue[currentPoint]
         currentPoint += 1
         assign = func.ircfg.blocks[node.label][node.index]
         self.focusAddress(assign.instr.offset, False)
         for node2 in func.defUse.successors(node):
             endPoint += 1
             queue.append(node2)
Пример #3
0
 def getNormalIRCFG(self):
     if self.normalIRCFG is not None:
         return self.normalIRCFG
     else:
         self.normalIRCFG = self.normalIRA.new_ircfg_from_asmcfg(self.cfg)
         simplifier = IRCFGSimplifierCommon(self.normalIRA)
         simplifier.simplify(self.normalIRCFG, self.head)
         self.normalDefUse = DiGraphDefUse(
             ReachingDefinitions(self.normalIRCFG))
         return self.normalIRCFG
Пример #4
0
    def __init__(self, ircfg, asmcfg):
        self.defuse_edges = {}
        self.reaching_defs = ReachingDefinitions(ircfg)
        defuse = DiGraphDefUse(self.reaching_defs, deref_mem=False, apply_simp=True)
        heads = asmcfg.heads()
        self.dominators = asmcfg.compute_dominators(heads[0])
        self.immediate_dominators = asmcfg.compute_immediate_dominators(heads[0])

        self.back_edges = []
        self.rev_back_edges = {}
        for node in asmcfg.walk_depth_first_forward(heads[0]):
            for successor in asmcfg.successors_iter(node):
                # check for a back edge to a dominator
                if successor in self.dominators[node]:
                    edge = (node, successor)
                    self.rev_back_edges.setdefault(successor, set()).add(node)
                    self.back_edges.append(edge)

        for src, dst in defuse.edges():
            self.defuse_edges.setdefault(src, []).append(dst)
Пример #5
0
 def getSSAIRCFG(self):
     if self.ssaIRCFG is not None:
         return self.ssaIRCFG
     else:
         self.ssaIRCFG = self.ssaIRA.new_ircfg_from_asmcfg(self.cfg)
         simplifier = IRCFGSimplifierCommon(self.ssaIRA)
         simplifier.simplify(self.ssaIRCFG, self.head)
         ssa = SSADiGraph(self.ssaIRCFG)
         ssa.transform(self.head)
         self.ssaDefUse = DiGraphDefUse(ReachingDefinitions(self.ssaIRCFG))
         return self.ssaIRCFG
Пример #6
0
 def __init__(self, address, cfg):
     self.rawIRA = BinaryAnalysis.iraType(cfg.loc_db)
     self.normalIRA = BinaryAnalysis.iraType(cfg.loc_db)
     self.ssaIRA = IRADelModCallStack(cfg.loc_db)
     self.maxIRA1 = IRADelModCallStack(cfg.loc_db)
     self.maxIRA2 = IRAOutRegs(cfg.loc_db)
     self.rawIRCFG = self.rawIRA.new_ircfg_from_asmcfg(cfg)
     self.normalIRCFG = None
     self.ssaIRCFG = None
     self.maxIRCFG = None
     self.rawDefUse = DiGraphDefUse(ReachingDefinitions(self.rawIRCFG))
     self.normalDefUse = None
     self.ssaDefUse = None
     self.maxDefUse = None
     self.head = cfg.loc_db.get_offset_location(address)
     self.address = address
     self.cfg = cfg
Пример #7
0
 def getMaxIRCFG(self):
     if self.maxIRCFG is not None:
         return self.maxIRCFG
     else:
         self.maxIRCFG = self.maxIRA1.new_ircfg_from_asmcfg(self.cfg)
         simplifier = IRCFGSimplifierCommon(self.maxIRA1)
         simplifier.simplify(self.maxIRCFG, self.head)
         for loc in self.maxIRCFG.leaves():
             irblock = self.maxIRCFG.blocks.get(loc)
             if irblock is None:
                 continue
             regs = {}
             for reg in self.maxIRA1.get_out_regs(irblock):
                 regs[reg] = reg
             assignblks = list(irblock)
             newAssignBlk = AssignBlock(regs, assignblks[-1].instr)
             assignblks.append(newAssignBlk)
             newIrBlock = IRBlock(irblock.loc_key, assignblks)
             self.maxIRCFG.blocks[loc] = newIrBlock
         simplifier = CustomIRCFGSimplifierSSA(self.maxIRA2)
         simplifier.simplify(self.maxIRCFG, self.head)
         self.maxDefUse = DiGraphDefUse(ReachingDefinitions(self.maxIRCFG))
         return self.maxIRCFG
Пример #8
0
    log.info("Gen Graph... %x" % ad)

    log.info("Print blocks (with analyse)")
    for label, block in viewitems(ir_arch_a.blocks):
        print(block)

    if args.simplify > 0:
        log.info("Simplify...")
        ircfg_simplifier = IRCFGSimplifierCommon(ir_arch_a)
        ircfg_simplifier.simplify(ircfg_a, head)
        log.info("ok...")

    if args.defuse:
        reachings = ReachingDefinitions(ircfg_a)
        open('graph_defuse.dot', 'w').write(DiGraphDefUse(reachings).dot())

    out = ircfg.dot()
    open('graph_irflow_raw.dot', 'w').write(out)
    out = ircfg_a.dot()
    open('graph_irflow.dot', 'w').write(out)

    if args.ssa and not args.propagexpr:
        if len(entry_points) != 1:
            raise RuntimeError("Your graph should have only one head")
        ssa = SSADiGraph(ircfg_a)
        ssa.transform(head)
        open("ssa.dot", "w").write(ircfg_a.dot())

if args.propagexpr:
Пример #9
0
                                (G5_IRA, G5_EXP_IRA), (G6_IRA, G6_EXP_IRA),
                                (G7_IRA, G7_EXP_IRA), (G8_IRA, G8_EXP_IRA),
                                (G9_IRA, G9_EXP_IRA), (G10_IRA, G10_EXP_IRA),
                                (G11_IRA, G11_EXP_IRA), (G12_IRA, G12_EXP_IRA),
                                (G13_IRA, G13_EXP_IRA), (G14_IRA, G14_EXP_IRA),
                                (G15_IRA, G15_EXP_IRA), (G16_IRA, G16_EXP_IRA),
                                (G17_IRA, G17_EXP_IRA)]):
    # Extract test elements
    g_ira, g_exp_ira = test

    print("[+] Test", test_nb + 1)

    # Print initial graph, for debug
    open("graph_%02d.dot" % (test_nb + 1), "w").write(g_ira.dot())

    reaching_defs = ReachingDefinitions(g_ira)
    defuse = DiGraphDefUse(reaching_defs, deref_mem=True)

    # # Simplify graph
    deadrm(g_ira)

    # # Print simplified graph, for debug
    open("simp_graph_%02d.dot" % (test_nb + 1), "w").write(g_ira.dot())

    # Same number of blocks
    assert len(g_ira.blocks) == len(g_exp_ira.blocks)
    # Check that each expr in the blocks are the same
    for lbl, irb in viewitems(g_ira.blocks):
        exp_irb = g_exp_ira.blocks[lbl]
        assert exp_irb.assignblks == irb.assignblks