def exit_pre_analysis(state):
global test_fun_ret_addr
exit_sim_target = getattr(state.inspect, 'exit_target')
exit_jumpkind = getattr(state.inspect, 'exit_jumpkind')
# ************ changed by pjq ************
block_state = son_father_process.get_state()
last_block_addr = get_last_block_addr(block_state)
paa_trace = get_trace(block_state)
if exit_jumpkind == 'Ijk_Ret' and exit_sim_target != None:
exit_target = state.se.min_int(exit_sim_target)
if exit_target == test_fun_ret_addr:
print 'exit_target:', exit_target
ret_reg_name = simuvex.DefaultCC[proj.arch.name].RETURN_VAL
ret_reg_sim_val = ret_reg_name.get_value(state)
ret_reg_val = state.se.any_int(ret_reg_sim_val)
for heap_set in path_heap_set.path_regions:
if last_block_addr is not None and heap_set.simRunAddr == last_block_addr or\
last_block_addr is None and heap_set.simRunAddr == func_addr:
for he in heap_set.regions:
if he.heapStart == ret_reg_val:
print 'ret_reg_val:', ret_reg_val
heap_set.remove(ret_reg_val)
#memory leak check
for he in heap_set.regions:
if he.isRemoved == False:
print 'memory leak!!!!!!!!!!!!!!'
def mem_write_pre_analysis(state):
#print '\nstate:',state.ip
write_sim_addr = getattr(state.inspect, 'mem_write_address')
write_sim_length = getattr(state.inspect, 'mem_write_length')
write_sim_expr = getattr(state.inspect, 'mem_write_expr')
if state.se.satisfiable():
#write_addr = state.se.any_int(write_sim_addr)
write_addr = write_sim_addr
write_length = state.se.any_int(write_sim_expr.length) / 8
statement = getattr(state.inspect, 'statement')
instruction = getattr(state.inspect, 'instruction')
address = getattr(state.inspect, 'address')
function_name = getattr(state.inspect, 'function_name')
state1 = state.copy()
#if write_addr < stack_candy_addr and stack_candy_addr < write_addr + write_length \
#or write_addr >= stack_candy_addr and write_addr + write_length <= stack_candy_addr +0x1000:
if state1.se.satisfiable([write_addr < stack_candy_addr, stack_candy_addr < write_addr + write_length]) \
or state1.se.satisfiable([write_addr >= stack_candy_addr, write_addr + write_length <= stack_candy_addr +0x1000]):
print '-----------------------stack overflow-----------------------'
print 'write_addr:', write_addr
print 'write_length:%x' % write_length
print 'heap_location:%x' % state.libc.heap_location
print 'function_name:', function_name
print 'mem_write_analysis stack_candy_addr:%x' % stack_candy_addr
block_state = son_father_process.get_state()
print 'stack overflow trace:', get_trace(block_state)
print '------------------------------------------------------------'
def mem_write_pre_analysis(state):
#print 'memWrite<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<'
write_sim_addr = getattr(state.inspect, 'mem_write_address')
write_sim_expr = getattr(state.inspect, 'mem_write_expr')
# ************ changed by pjq ************
block_state = son_father_process.get_state()
last_block_addr = get_last_block_addr(block_state)
paa_trace = get_trace(block_state)
for heap_set in path_heap_set.path_regions:
if last_block_addr is not None and heap_set.simRunAddr == last_block_addr or\
last_block_addr is None and heap_set.simRunAddr == func_addr:
write_addr = state.se.any_int(write_sim_addr)
write_expr = state.se.any_int(write_sim_expr)
for he in heap_set.regions:
if he.heapStart == write_expr:
#wait to repaire
for arg in args_set:
if arg <= write_addr and write_addr <= arg + write_range:
#print 'argument:',hex(write_addr)
heap_set.remove(write_expr)
################
section = proj_main_bin.find_section_containing(write_addr)
if section != None:
if section.name == '.bss' or section.name == '.data':
#print 'global_addr:',write_expr
heap_set.remove(write_expr)
def call_pre_analysis(state):
#print 'pre_call>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>'
global malloc_region, free_region
fun_name = getattr(state.inspect, 'simprocedure_name')
fun_address = getattr(state.inspect, 'simprocedure_addr')
arg_reg_name = simuvex.DefaultCC[proj.arch.name].ARG_REGS[0]
arg_reg_sim_value = state.regs.get(arg_reg_name)
if fun_name == 'malloc':
if state.se.symbolic(arg_reg_sim_value):
arg_reg_value = state.se.max_int(arg_reg_sim_value)
#print 'malloc_size:',arg_reg_value
if arg_reg_value > state.libc.max_variable_size:
arg_reg_value = state.libc.max_variable_size
else:
arg_reg_value = state.se.any_int(arg_reg_sim_value) * 8
#print 'pre_malloc:{}'.format(hex(state.libc.heap_location))
state.libc.heap_location += red_length * 2
heap_location = state.libc.heap_location
heap_start = state.libc.heap_location
heap_length = arg_reg_value
# ************ changed by pjq ************
block_state = son_father_process.get_state()
last_block_addr = get_last_block_addr(block_state)
for heap_set in path_heap_set.path_regions:
if last_block_addr is not None and heap_set.simRunAddr == last_block_addr or \
last_block_addr is None and heap_set.simRunAddr == func_addr:
malloc_region = (heap_set.simRunAddr,
HeapRegion(heap_start, heap_length))
break
elif fun_name == 'free':
arg_reg_value = state.se.any_int(arg_reg_sim_value)
# ************ changed by pjq ************
block_state = son_father_process.get_state()
last_block_addr = get_last_block_addr(block_state)
for heap_set in path_heap_set.path_regions:
if last_block_addr is not None and heap_set.simRunAddr == last_block_addr or \
last_block_addr is None and heap_set.simRunAddr == func_addr:
free_region = (heap_set.simRunAddr, arg_reg_value)
break
def mem_write_pre_analysis(state):
#print '\nmemWrite<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<'
#write_sim_addr = getattr(state.inspect, 'mem_write_address')
# ************ changed by pjq ************
write_addr = getattr(state.inspect, 'mem_write_address')
s1 = state.copy()
block_state = son_father_process.get_state()
last_block_addr = get_last_block_addr(block_state)
paa_trace = get_trace(block_state)
for heap_set in path_heap_set.path_regions:
if last_block_addr is not None and heap_set.simRunAddr == last_block_addr or\
last_block_addr is None and heap_set.simRunAddr == func_addr:
if heap_set.is_use_after_free(write_addr, s1):
print 'use_after_free:', paa_trace
if heap_set.is_over_flow(write_addr, s1):
print 'over_flow:', paa_trace
except Exception, e:
print e
def call_pre_analysis(state):
#print 'pre_call>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>'
arch_length = simuvex.DefaultCC[proj.arch.name].ARCH.bits / 8
#pre_ebp = state.memory.load(,arch_length)
fun_name = getattr(state.inspect, 'simprocedure_name')
fun_address = getattr(state.inspect, 'simprocedure_addr')
try:
func_object = proj._sim_procedures[fun_address].procedure(
fun_address, proj.arch)
except Exception, e:
return
block_state = son_father_process.get_state()
paa_trace = get_trace(block_state)
if fun_name == 'printf':
arg0 = func_object.cc.arg(state, 0)
if if_comefrom_input(arg0):
print[hex(i) for i in paa_trace]
elif fun_name == 'sprintf':
arg1 = func_object.cc.arg(state, 1)
if if_comefrom_input(arg1):
print[hex(i) for i in paa_trace]
elif fun_name == 'fprintf':
arg1 = func_object.cc.arg(state, 1)
if if_comefrom_input(arg1):
print[hex(i) for i in paa_trace]
#print 'pre_call<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<'
def exit_pre_analysis(state):
exit_sim_target = getattr(state.inspect, 'exit_target')
block_state = son_father_process.get_state()
paa_trace = get_trace(block_state)
if if_comefrom_input(exit_sim_target):
print paa_trace