Beispiel #1
0
 public MachineState(MachineState copyMe)
 {
     instructionPointer = copyMe.instructionPointer;
     registers = new RegisterCollection(copyMe.registers);
     dataSegment = new Dictionary<UInt32, AbstractValue>(copyMe.dataSegment);
     zeroFlag = copyMe.zeroFlag;
 }
        public override MachineState Execute(MachineState state)
        {
            var buffer = AbstractValue.GetNewBuffer(state.TopOfStack.Value);
            state.ReturnValue = new AbstractValue(buffer);

            return state;
        }
 public void SetUp()
 {
     var registers = new RegisterCollection();
     registers[RegisterName.ESP] = new AbstractValue(AbstractValue.GetNewBuffer(1));
     state = new MachineState(registers);
     contract = new GLibcStartMainContract();
 }
 public void Execute()
 {
     var address = new AbstractValue(0xdeadbabe);
     state = state.PushOntoStack(address);
     state = contract.Execute(state);
     Assert.AreEqual(address.Value, state.InstructionPointer);
 }
 public void BigComplicatedMuthafuqqa()
 {
     const byte VALUE = 0xcd;
     state = state.DoOperation(RegisterName.ESP, OperatorEffect.Add, new AbstractValue(0x40));
     state.InstructionPointer = 0x804839b;
     state = X86Emulator.Run(reportItems, state, new byte[] {0x55});
     state = X86Emulator.Run(reportItems, state, new byte[] {0x89, 0xe5});
     PrintStackAndBlock();
     state = X86Emulator.Run(reportItems, state, new byte[] {0x83, 0xec, 0x08});
     state = X86Emulator.Run(reportItems, state, new byte[] {0x83, 0xe4, 0xf0});
     state = X86Emulator.Run(reportItems, state, new byte[] {0xb8, 0x00, 0x00, 0x00, 0x00});
     state = X86Emulator.Run(reportItems, state, new byte[] {0x83, 0xc0, 0x0f});
     state = X86Emulator.Run(reportItems, state, new byte[] {0x83, 0xc0, 0x0f});
     state = X86Emulator.Run(reportItems, state, new byte[] {0xc1, 0xe8, 0x04});
     state = X86Emulator.Run(reportItems, state, new byte[] {0xc1, 0xe0, 0x04});
     state = X86Emulator.Run(reportItems, state, new byte[] {0x29, 0xc4});
     state = X86Emulator.Run(reportItems, state, new byte[] {0xc7, 0x04, 0x24, VALUE, 0, 0, 0});
     Assert.AreEqual(VALUE, state.TopOfStack.Value);
     state = X86Emulator.Run(reportItems, state, new byte[] {0xe8, 0x10, 0, 0, 0});
     PrintStackAndBlock();
     state = X86Emulator.Run(reportItems, state, new byte[] {0x55});
     PrintStackAndBlock();
     state = X86Emulator.Run(reportItems, state, new byte[] {0x89, 0xe5});
     PrintStackAndBlock();
     state = X86Emulator.Run(reportItems, state, new byte[] {0x83, 0xec, 0x18});
     PrintStackAndBlock();
     state = X86Emulator.Run(reportItems, state, new byte[] {0x8b, 0x45, 0x08});
     PrintStackAndBlock();
     Assert.AreEqual(VALUE, state.Registers[RegisterName.EAX].Value);
 }
        public override Boolean IsSatisfiedBy(MachineState state, Byte[] code)
        {
            var effectiveAddress = Opcode.GetEffectiveAddress(code, state.InstructionPointer);

            const UInt32 GLIBC_START_MAIN_IMPORT_FUNCTION_ADDR = 0x80482b8;

            return effectiveAddress == GLIBC_START_MAIN_IMPORT_FUNCTION_ADDR;
        }
 public void AddOneToEAX()
 {
     code = new Byte[] {0x05, 0x01, 0x00, 0x00, 0x00};
     state.Registers[RegisterName.EAX] = new AbstractValue(1);
     state = X86Emulator.Run(reportItems, state, code);
     Assert.AreEqual(code.Length, state.InstructionPointer);
     Assert.AreEqual(0x2, state.Registers[RegisterName.EAX].Value);
 }
Beispiel #8
0
        private static void PrintStackFor(MachineState state)
        {
            var esp = state.Registers[RegisterName.ESP];

            Console.WriteLine("Stack dump");
            Console.WriteLine("esp-8\t\t esp-4\t\t esp");
            Console.WriteLine("{0}\t\t {1}\t\t {2}", esp.PointsTo[-2], esp.PointsTo[-1], esp.PointsTo[0]);
        }
 public void AddImmediateNonPointerDeref()
 {
     // add    [eax], 0x00
     code = new Byte[] {0x83, 0x00, 0x00};
     state.Registers[RegisterName.EAX] = one;
     Assert.IsFalse(one.IsPointer);
     state = X86Emulator.Run(reportItems, state, code);
 }
        public void Add()
        {
            eax = one;
            ebx = two;
            state = state.DoOperation(RegisterName.EAX, OperatorEffect.Add, RegisterName.EBX);

            Assert.AreEqual(3, eax.Value);
            Assert.IsTrue(eax.IsTainted);
        }
        public void And()
        {
            eax = new AbstractValue(0x350).AddTaint();
            ebx = new AbstractValue(0xff);
            state = state.DoOperation(RegisterName.EAX, OperatorEffect.And, RegisterName.EBX);

            Assert.AreEqual(0x50, eax.Value);
            Assert.IsTrue(eax.IsTainted);
        }
        public void Assignment()
        {
            eax = one;
            ebx = two;
            state = state.DoOperation(RegisterName.EAX, OperatorEffect.Assignment, RegisterName.EBX);

            Assert.AreEqual(eax, ebx);
            Assert.AreNotSame(eax, ebx);
        }
        public void IsSatisified()
        {
            var code = new Byte[] {0xe8, 0xb7, 0xff, 0xff, 0xff};
            state = new MachineState {InstructionPointer = 0x80482fc};
            Assert.IsTrue(contract.IsSatisfiedBy(state, code));

            state.InstructionPointer = 0xdeadbeef;
            Assert.IsFalse(contract.IsSatisfiedBy(state, code));
        }
 public void AddImmediateToEAX()
 {
     // add    eax,0xf
     const byte IMMEDIATE = 0x0f;
     code = new Byte[] {0x83, 0xc0, IMMEDIATE};
     const uint VALUE = 1;
     state.Registers[RegisterName.EAX] = new AbstractValue(VALUE);
     state = X86Emulator.Run(reportItems, state, code);
     Assert.AreEqual(VALUE + IMMEDIATE, state.Registers[RegisterName.EAX].Value);
 }
Beispiel #15
0
        public static MachineState Run(Collection<ReportItem> reportItemCollector,
            MachineState machineState,
            Byte[] code)
        {
            if (code.Length == 0)
            {
                throw new ArgumentException("Empty array not allowed.", "code");
            }

            var afterState = EmulateOpcode(reportItemCollector, machineState, code);

            if (!BranchTaken(machineState, afterState))
            {
                afterState.InstructionPointer += opcode.GetInstructionLengthFor(code);
            }

            return afterState;
        }
Beispiel #16
0
 internal EmulationEventArgs(MachineState state, ReadOnlyCollection <Byte> code)
 {
     this.state = state;
     this.code  = code;
 }
        public void Sub()
        {
            eax = one;
            ebx = two;
            state = state.DoOperation(RegisterName.EBX, OperatorEffect.Sub, RegisterName.EAX);

            Assert.AreEqual(1, ebx.Value);
            Assert.IsTrue(ebx.IsTainted);
        }
Beispiel #18
0
 public void SetUp()
 {
     state = new MachineState(new RegisterCollection());
 }
 public void SetUp()
 {
     state = new MachineState(new RegisterCollection());
 }
        public void Shr()
        {
            eax = new AbstractValue(0x8).AddTaint();
            ebx = new AbstractValue(0x3);
            state = state.DoOperation(RegisterName.EAX, OperatorEffect.Shr, RegisterName.EBX);

            Assert.AreEqual(0x1, eax.Value);
            Assert.IsTrue(eax.IsTainted);
        }
 public void Copy()
 {
     state.Registers[RegisterName.ESP] = new AbstractValue(new AbstractBuffer(AbstractValue.GetNewBuffer(10)));
     var newState = new MachineState(state);
     Assert.AreNotSame(newState, state);
     Assert.AreNotSame(newState.Registers, state.Registers);
     Assert.AreNotSame(newState.DataSegment, state.DataSegment);
     Assert.AreNotSame(newState.ReturnValue, state.ReturnValue);
     Assert.AreSame(newState.TopOfStack, state.TopOfStack);
 }
        public void PushTwiceThenManuallyAdjustStackThenAssignToEbp()
        {
            var buffer = AbstractValue.GetNewBuffer(0x20);
            esp = new AbstractValue(buffer);
            state = state.PushOntoStack(one);
            state = state.PushOntoStack(two);

            state = state.DoOperation(RegisterName.ESP, OperatorEffect.Sub, new AbstractValue(0x4));
            Assert.AreEqual(one, state.TopOfStack);
        }
        public void PointerAnd()
        {
            var buffer = AbstractValue.GetNewBuffer(0x10);
            buffer[4] = one;

            eax = new AbstractValue(buffer);

            state = state.DoOperation(RegisterName.EAX, OperatorEffect.Add, new AbstractValue(0x4));
            Assert.AreEqual(one, eax.PointsTo[0]);

            var andValue = new AbstractValue(0xfffffff0);
            var newState = state.DoOperation(RegisterName.EAX, OperatorEffect.And, andValue);
            Assert.AreNotSame(newState, state);
            Assert.AreNotEqual(newState, state);

            state = newState;
            Assert.AreEqual(one, eax.PointsTo[4]);
        }
 public void PointerSub()
 {
     var buffer = AbstractValue.GetNewBuffer(0x10);
     buffer[0] = one;
     eax = new AbstractValue(buffer);
     ebx = new AbstractValue(0x4);
     state = state.DoOperation(RegisterName.EAX, OperatorEffect.Add, RegisterName.EBX);
     Assert.IsNotNull(eax.PointsTo);
     state = state.DoOperation(RegisterName.EAX, OperatorEffect.Sub, RegisterName.EBX);
     Assert.AreEqual(one, eax.PointsTo[0]);
 }
 public void NonAssignmentOfPointer()
 {
     eax = one;
     ebx = new AbstractValue(new[] {two});
     state = state.DoOperation(RegisterName.EAX, OperatorEffect.Add, RegisterName.EBX);
 }
        public void PointerAdd()
        {
            var buffer = AbstractValue.GetNewBuffer(0x10);
            buffer[4] = one;
            eax = new AbstractValue(buffer);

            state = state.DoOperation(RegisterName.EAX, OperatorEffect.Add, new AbstractValue(0x4));
            Assert.AreEqual(one, eax.PointsTo[0]);
        }
 public void JnzPointerOffset()
 {
     var pointer = new AbstractValue(AbstractValue.GetNewBuffer(1));
     state = state.DoOperation(OperatorEffect.Jnz, pointer);
 }
Beispiel #28
0
        public void JnzPointerOffset()
        {
            var pointer = new AbstractValue(AbstractValue.GetNewBuffer(1));

            state = state.DoOperation(OperatorEffect.Jnz, pointer);
        }
 public void InvalidOpcode()
 {
     // int3 -- not really invalid, but we probably won't see it in any program we care about
     code  = new Byte[] { 0xcc };
     state = X86Emulator.Run(reportItems, state, code);
 }
Beispiel #30
0
 protected virtual MachineState RunCode(MachineState _machineState, Byte[] code)
 {
     return(X86Emulator.Run(reportItems, _machineState, code));
 }
        public void PushPopThenAssignToTop()
        {
            var buffer = AbstractValue.GetNewBuffer(0x20);
            esp = new AbstractValue(buffer);
            state = state.PushOntoStack(one);

            // TODO(matt_hargett): extract into state.PopOffStack()
            state = state.DoOperation(RegisterName.ESP, OperatorEffect.Sub, new AbstractValue(0x4));
            state = state.DoOperation(RegisterName.ESP, 0, OperatorEffect.Assignment, two);
            Assert.AreEqual(two, state.TopOfStack);
        }
        public void AssignmentRetainsOOB()
        {
            var oob = new AbstractValue(1)
                      {
                          IsOutOfBounds = true
                      };

            state = state.DoOperation(RegisterName.EAX, OperatorEffect.Assignment, oob);
            Assert.IsTrue(eax.IsOutOfBounds);
        }
Beispiel #33
0
 public void NonAssignmentOfPointer()
 {
     eax   = one;
     ebx   = new AbstractValue(new[] { two });
     state = state.DoOperation(RegisterName.EAX, OperatorEffect.Add, RegisterName.EBX);
 }
 public void EmptyCodeArray()
 {
     code  = new Byte[] {};
     state = X86Emulator.Run(reportItems, state, code);
 }
        public void Equality()
        {
            var same = new MachineState(new RegisterCollection());
            same.DataSegment[0] = new AbstractValue(2);
            var same2 = new MachineState(new RegisterCollection());
            same2.DataSegment[0] = new AbstractValue(2);

            var registers = new RegisterCollection();
            registers[RegisterName.EAX] = new AbstractValue(1);
            var differentViaRegisters = new MachineState(registers);
            differentViaRegisters.DataSegment[0] = new AbstractValue(2);

            Assert.IsTrue(same.Equals(same2));
            Assert.IsFalse(differentViaRegisters.Equals(same));

            Assert.IsTrue(same == same2);
            Assert.IsTrue(same != differentViaRegisters);

            Assert.AreEqual(same.GetHashCode(), same2.GetHashCode());
            Assert.AreNotEqual(same.GetHashCode(), differentViaRegisters.GetHashCode());

            registers = new RegisterCollection();
            var differentViaDataSegmentKey = new MachineState(registers);
            differentViaDataSegmentKey.DataSegment[1] = new AbstractValue(2);

            Assert.IsFalse(same.Equals(differentViaDataSegmentKey));

            registers = new RegisterCollection();
            var differentViaDataSegmentValue = new MachineState(registers);
            differentViaDataSegmentValue.DataSegment[0] = new AbstractValue(1);

            Assert.IsFalse(same.Equals(differentViaDataSegmentValue));
        }
Beispiel #36
0
            protected override MachineState RunCode(MachineState machineState, Byte[] instructionBytes)
            {
                for (UInt32 i = 0; i < actualReportItemCount; i++)
                {
                    ReportItems.Add(new ReportItem(i, false));
                }

                machineState.InstructionPointer += (UInt32)instructionBytes.Length;

                return machineState;
            }
        public void Jnz()
        {
            const byte offset = 6;
            eax = two;
            ebx = one;
            state = state.DoOperation(RegisterName.EAX, OperatorEffect.Cmp, RegisterName.EAX);
            state = state.DoOperation(OperatorEffect.Jnz, new AbstractValue(offset));
            Assert.AreEqual(0, state.InstructionPointer);

            state = state.DoOperation(RegisterName.EAX, OperatorEffect.Cmp, RegisterName.EBX);
            state = state.DoOperation(OperatorEffect.Jnz, new AbstractValue(offset));
            Assert.AreEqual(offset, state.InstructionPointer);
        }