Merge pull request #12 from 0xPhoeniX/coda_data_mix_fix

Coda data mix fix
0xPhoeniX · Aug 17, 2017 · 541c908 · 541c908
2 parents af58592 + 7a4c6f6
commit 541c908
Show file tree

Hide file tree

Showing 10 changed files with 374 additions and 284 deletions.
diff --git a/MazeTracer/src/log.cpp b/MazeTracer/src/log.cpp
@@ -142,6 +142,7 @@ bool save_calls(JSON_Object *root_object, map<ADDRINT, CALL_INFO> &calls)
 		json_object_set_string(call, "name", citer->second.name);
 		json_object_set_number(call, "target", citer->first);
 		json_object_set_number(call, "is_reg", citer->second.isRegBased);
+		json_object_set_number(call, "suspect", citer->second.isSuspect);
 
 		json_array_append_value(calls_ar, call_val);
 	}
@@ -184,6 +185,26 @@ void save_api_log(JSON_Object *root_object, ADDRINT tid)
 	json_object_set_value(root_object, "api_parameters", api_params_val);
 }
 
+void detect_push_as_call(map<ADDRINT, BASIC_BLOCK_INFO> &bbls, map<ADDRINT, CALL_INFO> &calls)
+{
+	map<ADDRINT, CALL_INFO>::iterator citer;
+	map<ADDRINT, CALL_ITEM>::iterator callee;
+
+	for (citer = calls.begin(); citer != calls.end(); citer++)
+	{
+		for (callee = citer->second.callees.begin(); 
+			 callee != citer->second.callees.end(); 
+			 callee++)
+		{
+			if (bbls.find(callee->first + 5) != bbls.end())
+			{
+				citer->second.isSuspect = 0;
+				break;
+			}
+		}
+	}
+}
+
 /* ===================================================================== */
 // Analysis routines
 /* ===================================================================== */
@@ -219,6 +240,7 @@ Maze output format:
 						"target":	1234,
 						"is_reg":	1,
 						"execs":	4,
+						"suspect":  1,
 						"callees":	[ {"ref": 0x123456, "execs": 1} ],
 						"bbl_ids":	[]
 					}
@@ -264,6 +286,9 @@ void save_maze_log()
 				JSON_Value *thread_value = json_value_init_object();
 				JSON_Object *thread_object = json_value_get_object(thread_value);
 
+				// apply post processing 
+				detect_push_as_call(tid_basic_blocks[i], tid_calls[i]);
+
 				// save basic data before the memory area
 				save_thread_aux(thread_object, i);
 				save_bbls(thread_object, tid_basic_blocks[i]);

diff --git a/MazeTracer/src/mazewarker.cpp b/MazeTracer/src/mazewarker.cpp
@@ -24,7 +24,6 @@ map<ADDRINT, TRACK_MEM_INFO> mem_info;
 map<ADDRINT, ADDRINT> tfuncs;
 ADDRINT mem_reg_id = 0;
 struct {ADDRINT base; ADDRINT limit;} stack_bases[THREAD_LIMIT];
-PIN_LOCK lock;
 
 KNOB<string> KnobConfigFile(KNOB_MODE_WRITEONCE,  "pintool",
     "cfg", "", "specify configuration file path");
@@ -41,16 +40,16 @@ INT32 Usage()
 
 VOID ImageLoad(IMG img, VOID *v)
 {
-	const std::string image_path = IMG_Name(img);
-	ADDRINT image_base = IMG_StartAddress(img);
+    const std::string image_path = IMG_Name(img);
+    ADDRINT image_base = IMG_StartAddress(img);
 
     LOG("[" + string(__FUNCTION__) + "]\n\tImage: " + image_path + 
         "\n\tStart Address: " + hexstr(image_base) +
         "\n\tID: " + decstr(IMG_Id(img)) + "\n");
 
-	pe_watch_module((void*)image_base, image_path.c_str());
+    pe_watch_module((void*)image_base, image_path.c_str());
 #ifdef OS32
-	apply_api_filters(img);
+    apply_api_filters(img);
 #endif
 }
 
@@ -60,118 +59,119 @@ VOID ImageLoad(IMG img, VOID *v)
 
 VOID Fini(INT32 code, VOID *v)
 {
-	save_maze_log();
+    save_maze_log();
 #ifdef OS32
-	unload_python();
+    unload_python();
 #endif
 }
 
 VOID ThreadStart(THREADID threadid, CONTEXT *ctxt, INT32 flags, VOID *v)
 {
-	W::MEMORY_BASIC_INFORMATION mbi;
-	ADDRINT stack_ptr = PIN_GetContextReg(ctxt, REG_STACK_PTR);
-	ADDRINT thread_func = PIN_GetContextReg(ctxt, REG_EAX);
-
-	if (stack_ptr > 0x1000)
-	{
-		W::VirtualQuery((W::PVOID)stack_ptr, &mbi, sizeof(mbi));
-		stack_bases[(int)threadid].limit = (ADDRINT)mbi.AllocationBase;
-		stack_bases[(int)threadid].base = mbi.RegionSize + ((ADDRINT)mbi.BaseAddress - (ADDRINT)mbi.AllocationBase) + stack_bases[(int)threadid].limit;
-	}
-
-	if (thread_func > 0x1000)
-	{
-		ADDRINT base, size;
-
-		if (DoTrace(thread_func) && get_address_info(thread_func, base, size, NULL))
-		{
-			map<ADDRINT, TRACK_MEM_INFO>::iterator iter;
-			list<PCODE_BLOCK>::iterator diter;
-
-			memory_monitor(thread_func, 32);
-			tfuncs[threadid] = thread_func;
-
-			iter = mem_info.find(base);
-			if (iter != mem_info.end())
-			{
-				ADDRINT offset = thread_func - iter->second.base;
-				for (diter = iter->second.code.begin(); diter != iter->second.code.end(); diter++)
-				{
-					if (offset <= (*diter)->size && thread_func >= iter->second.base)
-					{
-						if (memcmp((void*)(base + offset), (*diter)->code + offset, 32) == 0)
-						{
-							(*diter)->tids->push_back(threadid);
-							break;
-						}
-					}
-				}
-			}
-
-			thread_num++;
-		}
-	}
+    W::MEMORY_BASIC_INFORMATION mbi;
+    ADDRINT stack_ptr = PIN_GetContextReg(ctxt, REG_STACK_PTR);
+    ADDRINT thread_func = PIN_GetContextReg(ctxt, REG_EAX);
+
+    if (stack_ptr > 0x1000)
+    {
+        W::VirtualQuery((W::PVOID)stack_ptr, &mbi, sizeof(mbi));
+        stack_bases[(int)threadid].limit = (ADDRINT)mbi.AllocationBase;
+        stack_bases[(int)threadid].base = mbi.RegionSize + 
+										  ((ADDRINT)mbi.BaseAddress - (ADDRINT)mbi.AllocationBase) + 
+										  stack_bases[(int)threadid].limit;
+    }
+
+    if (thread_func > 0x1000)
+    {
+        ADDRINT base, size;
+
+        if (DoTrace(thread_func) && get_address_info(thread_func, base, size, NULL))
+        {
+            map<ADDRINT, TRACK_MEM_INFO>::iterator iter;
+            list<PCODE_BLOCK>::iterator diter;
+
+            memory_monitor(thread_func, 32);
+            tfuncs[threadid] = thread_func;
+
+            iter = mem_info.find(base);
+            if (iter != mem_info.end())
+            {
+                ADDRINT offset = thread_func - iter->second.base;
+                for (diter = iter->second.code.begin(); diter != iter->second.code.end(); diter++)
+                {
+                    if (offset <= (*diter)->size && thread_func >= iter->second.base)
+                    {
+                        if (memcmp((void*)(base + offset), (*diter)->code + offset, 32) == 0)
+                        {
+                            (*diter)->tids->push_back(threadid);
+                            break;
+                        }
+                    }
+                }
+            }
+
+            thread_num++;
+        }
+    }
 }
 
 VOID InternalTimerThread(void *args)
 {
-	PIN_Sleep(1000);
-	for (int i = 0; i < 300; i++)
-	{
-		if (PIN_IsProcessExiting())
-			PIN_ExitThread(0);
-		PIN_Sleep(1000);
-	}
-	PIN_Detach();
+    PIN_Sleep(1000);
+    for (int i = 0; i < 300; i++)
+    {
+        if (PIN_IsProcessExiting())
+            PIN_ExitThread(0);
+        PIN_Sleep(1000);
+    }
+    PIN_Detach();
 }
 
 VOID DetachFunction(VOID *v)
 {
-	save_maze_log();
+    save_maze_log();
 #ifdef OS32
-	unload_python();
+    unload_python();
 #endif
 }
 
 int main(int argc, char *argv[])
 {
-	PIN_InitLock(&lock);
-	PIN_InitSymbols();
-	if (PIN_Init(argc,argv))
-		return Usage();
+    PIN_InitSymbols();
+    if (PIN_Init(argc,argv))
+        return Usage();
 
-	if (load_cfg(KnobConfigFile.Value().c_str())) {
-		cfg.output_dir = KnobOutputDir.Value();
+    if (load_cfg(KnobConfigFile.Value().c_str())) {
+        cfg.output_dir = KnobOutputDir.Value();
 
 #ifdef OS32
-		load_python(cfg.script_path.c_str());
+        load_python(cfg.script_path.c_str());
 #endif
-		pe_init_subsystem();
+        pe_init_subsystem();
 
-		// Register ImageLoad to be called when an image is loaded
-		IMG_AddInstrumentFunction(ImageLoad, 0);
+        // Register ImageLoad to be called when an image is loaded
+        IMG_AddInstrumentFunction(ImageLoad, 0);
 
-		// Register function to be called to instrument traces
-		TRACE_AddInstrumentFunction(Trace, 0);
+        // Register function to be called to instrument traces
+        TRACE_AddInstrumentFunction(Trace, 0);
 
-		// Register function to be called when the application exits
-		PIN_AddFiniFunction(Fini, 0);
+        // Register function to be called when the application exits
+        PIN_AddFiniFunction(Fini, 0);
 
-		PIN_AddContextChangeFunction(ContextCallback, 0);
+        PIN_AddContextChangeFunction(ContextCallback, 0);
 
-		// Catch global internal exceptions
-		PIN_AddInternalExceptionHandler(ExceptionHandler, 0);
+        // Catch global internal exceptions
+        PIN_AddInternalExceptionHandler(ExceptionHandler, 0);
 
-		PIN_AddThreadStartFunction(ThreadStart, 0);
+        PIN_AddThreadStartFunction(ThreadStart, 0);
 
-		PIN_SpawnInternalThread(InternalTimerThread, 0, 0, 0);
-		PIN_AddDetachFunction(DetachFunction, 0);
+        PIN_SpawnInternalThread(InternalTimerThread, 0, 0, 0);
+        PIN_AddDetachFunction(DetachFunction, 0);
 
-		// Start the program, never returns
-		PIN_StartProgram();
-	}
+        // Start the program, never returns
+        PIN_StartProgram();
+    }
 
-	LOG("[!!!] Please check configuration.");
+    LOG("[!!!] Please check configuration.");
 
     return 0;
 }

diff --git a/MazeTracer/src/mazewarker.h b/MazeTracer/src/mazewarker.h
@@ -34,6 +34,7 @@ typedef struct _CALL_INFO
 	ADDRINT execs;
 	ADDRINT base;
 	short isRegBased;
+	char isSuspect;
 	list<ADDRINT> rets;
 	list<ADDRINT> bbl_id;
 	map<ADDRINT, CALL_ITEM> callees;

diff --git a/MazeTracer/src/src.vcxproj b/MazeTracer/src/src.vcxproj
@@ -74,6 +74,7 @@
     <GenerateManifest>false</GenerateManifest>
     <OutDir>$(SolutionDir)$(Configuration)\$(Platform)\</OutDir>
     <IntDir>$(SolutionDir)$(Configuration)\$(Platform)\obj\</IntDir>
+    <TargetName>$(SolutionName)</TargetName>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
     <LinkIncremental>false</LinkIncremental>