Ejemplo n.º 1
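        /// <summary>
        /// Runs forward data-flow analysis on the first call-graph node whose method signature
        /// matches <paramref name="entryPoint"/>, prints timing and statistics to the console and
        /// writes the pattern and statistics dumps under <paramref name="output"/>.
        /// </summary>
        /// <param name="indexDb">Index used to look up the assembly references of the matched node.</param>
        /// <param name="graph">Call graph whose nodes are searched for the entry point.</param>
        /// <param name="entryPoint">
        /// Method signature to analyze. A value that does not end with ")" gets "()" appended.
        /// The signature is also tried with the namespace of <c>Deserializers</c> prepended.
        /// </param>
        /// <param name="requiredArgumentTypes">Argument types passed through to the symbolic engine.</param>
        /// <param name="symbolicEngine">Engine that performs the forward execution.</param>
        /// <param name="output">Target passed to the result's dump methods.</param>
        private static void RunDataFlowAnalysis(IndexDb indexDb, CallGraph graph,
                                                string entryPoint, List<TypeDef> requiredArgumentTypes,
                                                SymbolicEngine symbolicEngine, string output)
        {
            try
            {
                // A name given without a parameter list is treated as a parameterless signature.
                if (!entryPoint.EndsWith(")", StringComparison.Ordinal))
                {
                    entryPoint += "()";
                }

                // Loop-invariant: the entry point qualified with the Deserializers namespace.
                var qualifiedEntryPoint = $"{typeof(Deserializers).Namespace}.{entryPoint}";

                var entryIndex = 0;
                var entryPointFound = false;

                // All nodes are searched (not only graph.EntryNodes), so any method can be an entry point.
                foreach (var entry in graph.Nodes.Values)
                {
                    var signature = entry.MethodSignature.ToString();
                    if (signature != entryPoint && signature != qualifiedEntryPoint)
                    {
                        continue;
                    }

                    entryPointFound = true;

                    Console.WriteLine($"{entry.MethodSignature} analyzing...");
                    var references = indexDb.AssemblyReferences[entry.AssemblyName];
                    Console.WriteLine($"    Assembly: {entry.AssemblyName}, References: {references.Count}");
                    var timer  = Stopwatch.StartNew();
                    var result = symbolicEngine.ExecuteForward(entry.MethodDef, requiredArgumentTypes);
                    if (result == null)
                    {
                        Console.WriteLine("FATAL ERROR: DFA result is empty.");
                        break;
                    }

                    timer.Stop();
                    Console.WriteLine($"{entry.MethodSignature}: {timer.ElapsedMilliseconds} ms");

                    // Empty in the original; kept so the HasPattern getter is still evaluated.
                    if (result.HasPattern)
                    {
                    }

                    Console.WriteLine($"DFA: {entry.MethodSignature} {result.ExternalCallCount} calls of {result.PatternCount} tainted object");
                    result.Stat.DumpConsole();
                    Console.WriteLine($"All method calls/instructions: {result.Summary.MethodCallCount} / {result.Summary.InstructionCount}");
                    Console.WriteLine("============");

                    // NOTE(review): MethodDef.Name comes from the analyzed assembly and is used verbatim
                    // in the dump file names. Confirm that Dump/DumpAllStat reject or replace path
                    // separators and other invalid file-name characters, so a crafted or
                    // compiler-generated name cannot redirect the write outside `output`.
                    var p = result.Dump(output, $"patterns_{entryIndex}_{entry.MethodDef.Name}");
                    result.DumpAllStat(output, $"dfa_stat_{entryIndex}_{entry.MethodDef.Name}.txt", p);
                    Console.WriteLine();
                    entryIndex++;

                    // Only the first matching node is analyzed.
                    break;
                }

                if (!entryPointFound)
                {
                    // Without this, a mistyped entry point is indistinguishable from a run that
                    // analyzed the method and found nothing.
                    Console.WriteLine($"WARNING: entry point '{entryPoint}' was not found in the call graph; nothing was analyzed.");
                }

                Console.WriteLine("Analysis is completed!");
            }
            catch (ThreadAbortException)
            {
                // The analysis thread was aborted by its owner; cancel the abort so the thread can unwind normally.
                Thread.ResetAbort();
            }
        }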
Ejemplo n.º 2
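        /// <summary>
        /// Creates a fresh <c>SymbolicEngine</c>, runs forward data-flow analysis on
        /// <paramref name="method"/>, dumps the summary and statistics, and returns the result.
        /// </summary>
        /// <param name="method">Method to analyze.</param>
        /// <param name="taintedSignature">Signature handed to the engine constructor; may be null.</param>
        /// <returns>
        /// The analysis result, or null when the engine produced none. The original mixed
        /// <c>result?.</c> with an unguarded <c>result.</c> and threw NullReferenceException in that case.
        /// </returns>
        protected DataFlowAnalysisResult Execute(MethodDef method,
                                                 MethodUniqueSignature taintedSignature = null)
        {
            // NOTE(review): the meaning of the literal arguments 20 and true is not visible here;
            // confirm against the SymbolicEngine constructor.
            engine = new SymbolicEngine(index, taintedSignature, 20, true, InputTaintedMode);

            var result = engine.ExecuteForward(method);
            if (result == null)
            {
                // Nothing to dump; let the caller decide how to treat a missing result.
                return null;
            }

            // NOTE(review): hard-coded developer-machine path; the dump target should come from
            // test configuration rather than a fixed absolute directory.
            result.Summary.Dump(@"C:\tmp\experiments\tests", method.Name);
            result.Stat.DumpConsole();
            Console.WriteLine($"All method calls/instructions: {result.Summary.MethodCallCount:N0} / {result.Summary.InstructionCount:N0}");
            return result;
        }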