def get_dangerous_args(self, ea):
    """Collect the arguments pushed for a call to a dangerous function.

    Walks backwards from the call at ``ea`` and gathers the operands of the
    first N ``push`` instructions it meets, where N is the argument index
    recorded in ``self.dangerous_patterns`` for the callee name
    (e.g. ``"call strncpy"`` -> three pushes, the third of which should be
    the size argument).

    @param ea: address of the call instruction; its first operand is taken
               as the callee name and matched against the patterns
    @returns: list of push operand strings, nearest push first (may be
              empty; also empty when the walk runs off the beginning of
              the function before enough pushes were seen)
    @raises NotImplementedError: on 64-bit targets (x86 only for now)
    """
    # TODO: x86 only at the moment; x64 support is the minimum still missing
    # TODO: the algorithm as a whole is flaky -- which code paths are being
    # considered? Only ``push`` mnemonics are counted and the walk does not
    # stop at an intervening ``call``, so a nested call or non-push argument
    # setup can presumably throw the count off -- confirm on real samples.
    if misc.is_64bit():
        raise NotImplementedError

    callee = GetOpnd(ea, 0)
    # Substring match against every pattern; the last matching entry wins.
    matches = [idx for pat, idx in self.dangerous_patterns.iteritems()
               if pat in callee]
    remaining = matches[-1] if matches else 0

    collected = []
    cursor = ea
    while remaining > 0:
        insn = DecodePreviousInstruction(cursor)
        # DecodePreviousInstruction yields None once we step past the
        # beginning of the function.
        if not insn:
            return []
        if insn.get_canon_mnem() == 'push':
            collected.append(GetOpnd(insn.ea, 0))
            remaining -= 1
        cursor = insn.ea
    return collected
def get_dangerous_args(self, ea):
    """Collect the arguments handed to a call to a dangerous function.

    The callee name (first operand of the call at ``ea``) is matched against
    ``self.dangerous_patterns`` to find N, the index of the argument of
    interest (e.g. ``"call strncpy"`` -> 3, the size argument).

    On 32-bit targets the function walks backwards from the call and
    gathers the operands of the first N ``push`` instructions it meets.
    On 64-bit targets it instead returns the names of the first N argument
    registers of the Microsoft x64 convention.

    @param ea: address of the call instruction
    @returns: x86: list of push operand strings, nearest push first (empty
              if the walk runs off the beginning of the function first);
              x64: list of register *names* (not their contents), at most
              four entries. May be empty.
    """
    callee = GetOpnd(ea, 0)
    # arg_regs_x64 = ['rdi', 'rsi', 'rdx', 'rcx', 'r8', 'r9']  # System V AMD64 ABI (unused)
    arg_regs_x64 = ['rcx', 'rdx', 'r8', 'r9']  # Microsoft x64

    # TODO: the algorithm as a whole is flaky -- which code paths are being
    # considered? Only ``push`` mnemonics are counted and the walk does not
    # stop at an intervening ``call``, so a nested call or non-push argument
    # setup can presumably throw the count off -- confirm on real samples.

    # Substring match against every pattern; the last matching entry wins.
    matches = [idx for pat, idx in self.dangerous_patterns.iteritems()
               if pat in callee]
    remaining = matches[-1] if matches else 0

    if misc.is_64bit():
        # NOTE(review): this yields register names rather than the values
        # loaded into them, and the slice silently caps the result at four
        # -- arguments past the fourth (stack-passed under this convention)
        # are not recovered here.
        return arg_regs_x64[:remaining]

    collected = []
    cursor = ea
    while remaining > 0:
        insn = DecodePreviousInstruction(cursor)
        # DecodePreviousInstruction yields None once we step past the
        # beginning of the function.
        if not insn:
            return []
        if insn.get_canon_mnem() == 'push':
            collected.append(GetOpnd(insn.ea, 0))
            remaining -= 1
        cursor = insn.ea
    return collected