Ejemplo n.º 1
0
        public void AddTaintOnPointer()
        {
            buffer = new AbstractBuffer(AbstractValue.GetNewBuffer(1));
            var clean = new AbstractValue(buffer);

            clean.AddTaint();
        }
Ejemplo n.º 2
0
        private static RegisterCollection createRegistersForLinuxStart()
        {
            var linuxMainDefaultValues = new RegisterCollection();

            var arg0 = new AbstractValue(1).AddTaint();

            var argvBuffer         = new[] { arg0 };
            var argvPointer        = new AbstractValue(argvBuffer);
            var argvPointerBuffer  = new[] { argvPointer };
            var argvPointerPointer = new AbstractValue(argvPointerBuffer);
            var stackBuffer        = AbstractValue.GetNewBuffer(0x200);

            var buffer         = new AbstractBuffer(stackBuffer);
            var modifiedBuffer = buffer.DoOperation(OperatorEffect.Add, new AbstractValue(0x100));

            // linux ABI dictates
            modifiedBuffer[5] = argvPointerPointer;

            // gcc generates code that accesses this at some optimization levels
            modifiedBuffer[0xfc] = new AbstractValue(1);

            var stackPointer = new AbstractValue(modifiedBuffer);

            linuxMainDefaultValues[RegisterName.ESP] = stackPointer;

            return(linuxMainDefaultValues);
        }
Ejemplo n.º 3
0
        public AbstractBuffer DoOperation(OperatorEffect operatorEffect, AbstractValue rhs)
        {
            if (null == rhs)
            {
                throw new ArgumentNullException("rhs");
            }

            var lhs = this;

            // TODO: should have a guard for if rhs isn't a pointer
            switch (operatorEffect)
            {
            case OperatorEffect.Assignment:
            {
                var result = new AbstractBuffer(lhs);

                return(result);
            }

            case OperatorEffect.Add:
            {
                var result = new AbstractBuffer(lhs);
                result.BaseIndex += rhs.Value;

                return(result);
            }

            case OperatorEffect.Sub:
            {
                var result = new AbstractBuffer(lhs);

                if (result.BaseIndex <
                    rhs.Value)
                {
                    throw new ArgumentOutOfRangeException(
                              String.Format(
                                  "Attempting to set a negative baseindex, baseindex: {0:x4}, _subValue {1:x4}",
                                  result.BaseIndex,
                                  rhs.Value
                                  )
                              );
                }

                result.BaseIndex -= rhs.Value;
                return(result);
            }

            case OperatorEffect.And:
            {
                var result = new AbstractBuffer(lhs);

                result.BaseIndex &= rhs.Value;
                return(result);
            }

            default:
                throw new ArgumentException(
                          String.Format("Unsupported OperatorEffect: {0}", operatorEffect), "operatorEffect");
            }
        }
Ejemplo n.º 4
0
 public void Pointer()
 {
     buffer  = new AbstractBuffer(new[] { new AbstractValue(2) });
     pointer = new AbstractValue(buffer);
     Assert.AreEqual(2, pointer.PointsTo[0].Value);
     StringAssert.StartsWith("*0x00000002", pointer.ToString());
 }
Ejemplo n.º 5
0
 public void InvalidPointerAnd()
 {
     var one = new AbstractValue(0x1);
     var buffer = new AbstractBuffer(new[] {one});
     var modifiedBuffer = buffer.DoOperation(OperatorEffect.Sub, new AbstractValue(3));
     modifiedBuffer.DoOperation(OperatorEffect.And, new AbstractValue(0xf));
 }
Ejemplo n.º 6
0
        public void PointerAssignment()
        {
            var values         = AbstractValue.GetNewBuffer(4);
            var buffer         = new AbstractBuffer(values);
            var assignedBuffer = buffer.DoOperation(OperatorEffect.Assignment, AbstractValue.Zero);

            Assert.AreNotSame(buffer, assignedBuffer);
        }
Ejemplo n.º 7
0
        public void InvalidPointerAnd()
        {
            var one            = new AbstractValue(0x1);
            var buffer         = new AbstractBuffer(new[] { one });
            var modifiedBuffer = buffer.DoOperation(OperatorEffect.Sub, new AbstractValue(3));

            modifiedBuffer.DoOperation(OperatorEffect.And, new AbstractValue(0xf));
        }
Ejemplo n.º 8
0
        public AbstractValue(AbstractBuffer willPointTo)
        {
            if (willPointTo.Length == 0)
            {
                throw new ArgumentException("Empty buffer is not allowed", "willPointTo");
            }

            storage  = 0xdeadbeef;
            pointsTo = new AbstractBuffer(willPointTo);
        }
Ejemplo n.º 9
0
        public AbstractValue(AbstractBuffer willPointTo)
        {
            if (willPointTo.Length == 0)
            {
                throw new ArgumentException("Empty buffer is not allowed", "willPointTo");
            }

            storage = 0xdeadbeef;
            pointsTo = new AbstractBuffer(willPointTo);
        }
Ejemplo n.º 10
0
        public void SetUp()
        {
            state       = new MachineState(new RegisterCollection());
            reportItems = new ReportCollection();
            var buffer  = new AbstractBuffer(AbstractValue.GetNewBuffer(0x200));
            var pointer = new AbstractValue(buffer);

            state.Registers[RegisterName.ESP] = pointer;
            state = state.DoOperation(RegisterName.EBP, OperatorEffect.Assignment, RegisterName.ESP);
        }
Ejemplo n.º 11
0
        public void PointerOverflowByOne()
        {
            var buffer  = AbstractValue.GetNewBuffer(16);
            var pointer = new AbstractBuffer(buffer);

            var value = pointer[16];

            Assert.IsTrue(value.IsOutOfBounds);
            Assert.IsFalse(value.IsInitialized);
            Assert.AreEqual(AbstractValue.UNKNOWN, value.Value);
        }
Ejemplo n.º 12
0
        public AbstractBuffer(AbstractBuffer other)
        {
            if (null == other)
            {
                throw new ArgumentNullException("other");
            }

            BaseIndex = other.BaseIndex;
            Length = other.Length;
            storage = new AbstractValue[other.storage.Length];
            Array.Copy(other.storage, storage, other.storage.Length);
        }
Ejemplo n.º 13
0
        public AbstractBuffer(AbstractBuffer other)
        {
            if (null == other)
            {
                throw new ArgumentNullException("other");
            }

            BaseIndex = other.BaseIndex;
            Length    = other.Length;
            storage   = new AbstractValue[other.storage.Length];
            Array.Copy(other.storage, storage, other.storage.Length);
        }
Ejemplo n.º 14
0
        public void Copy()
        {
            var values = AbstractValue.GetNewBuffer(4);
            var buffer = new AbstractBuffer(values);
            var newBuffer = new AbstractBuffer(buffer);
            Assert.AreNotSame(newBuffer, buffer);

            for (var index = 0; index < newBuffer.Length; index++)
            {
                Assert.AreSame(newBuffer[index], buffer[index]);
            }
        }
Ejemplo n.º 15
0
        public void Copy()
        {
            var values    = AbstractValue.GetNewBuffer(4);
            var buffer    = new AbstractBuffer(values);
            var newBuffer = new AbstractBuffer(buffer);

            Assert.AreNotSame(newBuffer, buffer);

            for (var index = 0; index < newBuffer.Length; index++)
            {
                Assert.AreSame(newBuffer[index], buffer[index]);
            }
        }
Ejemplo n.º 16
0
        public AbstractValue(AbstractValue other)
        {
            if (other == null)
            {
                throw new ArgumentNullException("other");
            }

            storage       = other.Value;
            tainted       = other.IsTainted;
            IsOutOfBounds = other.IsOutOfBounds;

            if (other.PointsTo != null)
            {
                pointsTo = new AbstractBuffer(other.PointsTo);
            }
        }
Ejemplo n.º 17
0
        public void MovPtrEspEax()
        {
            // mov [esp]. eax
            code = new Byte[] { 0x89, 0x04, 0x24 };
            state.Registers[RegisterName.EAX] = new AbstractValue(0x10);
            var values = new[] { new AbstractValue(1) };
            var buffer = new AbstractBuffer(values);

            state.Registers[RegisterName.ESP] = new AbstractValue(buffer);

            state = X86Emulator.Run(reportItems, state, code);

            var espBuffer = state.Registers[RegisterName.ESP].PointsTo;

            Assert.AreEqual(0x10, espBuffer[0].Value);
        }
Ejemplo n.º 18
0
        public AbstractValue(AbstractValue other)
        {
            if (other == null)
            {
                throw new ArgumentNullException("other");
            }

            storage = other.Value;
            tainted = other.IsTainted;
            IsOutOfBounds = other.IsOutOfBounds;

            if (other.PointsTo != null)
            {
                pointsTo = new AbstractBuffer(other.PointsTo);
            }
        }
Ejemplo n.º 19
0
        public void LeaEaxFromEdxPlusEax()
        {
            // lea    eax,[edx+eax]
            code = new Byte[] { 0x8d, 0x04, 0x02 };

            var zero   = new AbstractValue(0);
            var two    = new AbstractValue(2);
            var values = new[] { zero, two };
            var buffer = new AbstractBuffer(values);

            state.Registers[RegisterName.EDX] = new AbstractValue(buffer);
            state.Registers[RegisterName.EAX] = new AbstractValue(1);

            state = X86Emulator.Run(reportItems, state, code);
            var eax = state.Registers[RegisterName.EAX];

            Assert.AreEqual(two.Value, eax.PointsTo[0].Value);
        }
Ejemplo n.º 20
0
        public void LeaEdxFromEaxPlus16()
        {
            // lea    edx,[eax+index]
            const byte INDEX = 0x1;

            code = new Byte[] { 0x8d, 0x50, INDEX };

            var zero   = new AbstractValue(0);
            var values = new[] { zero, one };
            var buffer = new AbstractBuffer(values);

            state.Registers[RegisterName.EAX] = new AbstractValue(buffer);

            state = X86Emulator.Run(reportItems, state, code);
            var edx = state.Registers[RegisterName.EDX];

            Assert.IsNotNull(edx);
            Assert.AreEqual(one, edx.PointsTo[0]);
        }
Ejemplo n.º 21
0
        public void OverflowDoesntLoseIncrement()
        {
            var buffer = AbstractValue.GetNewBuffer(16);
            var pointer = new AbstractBuffer(buffer);
            var value = new AbstractValue(0x41);
            value = value.AddTaint();

            pointer[0] = value;

            pointer = pointer.DoOperation(OperatorEffect.Add, new AbstractValue(1));

            pointer[16] = value;

            pointer = pointer.DoOperation(OperatorEffect.Sub, new AbstractValue(1));

            Assert.AreEqual(0x41, pointer[0].Value);
            Assert.IsTrue(value.IsTainted);
            Assert.AreEqual(0x41, pointer[17].Value);
            Assert.IsTrue(pointer[17].IsTainted);
        }
Ejemplo n.º 22
0
        public void PointerAdd()
        {
            var one    = new AbstractValue(0x1);
            var two    = new AbstractValue(0x2);
            var three  = new AbstractValue(0x3);
            var four   = new AbstractValue(0x4);
            var values = AbstractValue.GetNewBuffer(4);

            values[0] = one;
            values[1] = two;
            values[2] = three;
            values[3] = four;

            var buffer = new AbstractBuffer(values);

            Assert.AreEqual(one, buffer[0]);
            var modifiedBuffer = buffer.DoOperation(OperatorEffect.Add, new AbstractValue(2));

            Assert.AreEqual(three, modifiedBuffer[0]);
        }
Ejemplo n.º 23
0
        public void PointerOverflowTwiceStillRetainsOriginalValues()
        {
            var buffer  = AbstractValue.GetNewBuffer(16);
            var pointer = new AbstractBuffer(buffer);

            // Access beyond buffer bounds forcing buffer to expand
            Assert.IsTrue(pointer[17].IsOutOfBounds);
            Assert.IsFalse(pointer[17].IsInitialized);
            Assert.AreEqual(AbstractValue.UNKNOWN, pointer[17].Value);

            pointer[17] = new AbstractValue(0x41414141);

            // Access beyond previously expanded bounds to force 2nd expand
            Assert.IsTrue(pointer[64].IsOutOfBounds);
            Assert.IsFalse(pointer[64].IsInitialized);
            Assert.AreEqual(AbstractValue.UNKNOWN, pointer[64].Value);

            // check that value set outside of bounds is still the same as well
            Assert.IsTrue(pointer[17].IsOutOfBounds);
            Assert.AreEqual(0x41414141, pointer[17].Value);
        }
Ejemplo n.º 24
0
        public void OverflowDoesntLoseIncrement()
        {
            var buffer  = AbstractValue.GetNewBuffer(16);
            var pointer = new AbstractBuffer(buffer);
            var value   = new AbstractValue(0x41);

            value = value.AddTaint();

            pointer[0] = value;

            pointer = pointer.DoOperation(OperatorEffect.Add, new AbstractValue(1));

            pointer[16] = value;

            pointer = pointer.DoOperation(OperatorEffect.Sub, new AbstractValue(1));

            Assert.AreEqual(0x41, pointer[0].Value);
            Assert.IsTrue(value.IsTainted);
            Assert.AreEqual(0x41, pointer[17].Value);
            Assert.IsTrue(pointer[17].IsTainted);
        }
Ejemplo n.º 25
0
        public void PointerOverflowStillRetainsOldValues()
        {
            var test1  = new AbstractValue(0x41);
            var test2  = new AbstractValue(0x42);
            var buffer = AbstractValue.GetNewBuffer(2);

            buffer[0] = test1;
            buffer[1] = test2;

            var pointer = new AbstractBuffer(buffer);

            // Accessing pointer[2] will cause the AbstractBuffer to extend..
            Assert.IsTrue(pointer[2].IsOutOfBounds, " value is not out of bounds");
            Assert.IsFalse(pointer[2].IsInitialized);
            Assert.AreEqual(AbstractValue.UNKNOWN, pointer[2].Value);

            // And then we make sure the in bounds values stay the same
            Assert.IsFalse(pointer[0].IsOutOfBounds);
            Assert.IsFalse(pointer[1].IsOutOfBounds);

            Assert.AreEqual(0x41, pointer[0].Value);
            Assert.AreEqual(0x42, pointer[1].Value);
        }
Ejemplo n.º 26
0
 public void SetUp()
 {
     state = new MachineState(new RegisterCollection());
     reportItems = new ReportCollection();
     var buffer = new AbstractBuffer(AbstractValue.GetNewBuffer(0x200));
     var pointer = new AbstractValue(buffer);
     state.Registers[RegisterName.ESP] = pointer;
     state = state.DoOperation(RegisterName.EBP, OperatorEffect.Assignment, RegisterName.ESP);
 }
Ejemplo n.º 27
0
        public void MovPtrEspEax()
        {
            // mov [esp]. eax
            code = new Byte[] {0x89, 0x04, 0x24};
            state.Registers[RegisterName.EAX] = new AbstractValue(0x10);
            var values = new[] {new AbstractValue(1)};
            var buffer = new AbstractBuffer(values);
            state.Registers[RegisterName.ESP] = new AbstractValue(buffer);

            state = X86Emulator.Run(reportItems, state, code);

            var espBuffer = state.Registers[RegisterName.ESP].PointsTo;
            Assert.AreEqual(0x10, espBuffer[0].Value);
        }
Ejemplo n.º 28
0
        public void PointerSub()
        {
            var one = new AbstractValue(0x1);
            var two = new AbstractValue(0x2);
            var three = new AbstractValue(0x3);
            var four = new AbstractValue(0x4);
            var values = AbstractValue.GetNewBuffer(4);

            values[0] = one;
            values[1] = two;
            values[2] = three;
            values[3] = four;

            var buffer = new AbstractBuffer(values);
            Assert.AreEqual(one, buffer[0]);
            var modifiedBuffer = buffer.DoOperation(OperatorEffect.Add, new AbstractValue(2));
            Assert.AreEqual(three, modifiedBuffer[0]);

            var subbedBuffer = modifiedBuffer.DoOperation(OperatorEffect.Sub, new AbstractValue(2));
            Assert.AreEqual(one, subbedBuffer[0]);
        }
Ejemplo n.º 29
0
        public void PointerOverflowTwiceStillRetainsOriginalValues()
        {
            var buffer = AbstractValue.GetNewBuffer(16);
            var pointer = new AbstractBuffer(buffer);

            // Access beyond buffer bounds forcing buffer to expand
            Assert.IsTrue(pointer[17].IsOutOfBounds);
            Assert.IsFalse(pointer[17].IsInitialized);
            Assert.AreEqual(AbstractValue.UNKNOWN, pointer[17].Value);

            pointer[17] = new AbstractValue(0x41414141);

            // Access beyond previously expanded bounds to force 2nd expand
            Assert.IsTrue(pointer[64].IsOutOfBounds);
            Assert.IsFalse(pointer[64].IsInitialized);
            Assert.AreEqual(AbstractValue.UNKNOWN, pointer[64].Value);

            // check that value set outside of bounds is still the same as well
            Assert.IsTrue(pointer[17].IsOutOfBounds);
            Assert.AreEqual(0x41414141, pointer[17].Value);
        }
Ejemplo n.º 30
0
        public void PointerOverflowStillRetainsOldValues()
        {
            var test1 = new AbstractValue(0x41);
            var test2 = new AbstractValue(0x42);
            var buffer = AbstractValue.GetNewBuffer(2);

            buffer[0] = test1;
            buffer[1] = test2;

            var pointer = new AbstractBuffer(buffer);

            // Accessing pointer[2] will cause the AbstractBuffer to extend..
            Assert.IsTrue(pointer[2].IsOutOfBounds, " value is not out of bounds");
            Assert.IsFalse(pointer[2].IsInitialized);
            Assert.AreEqual(AbstractValue.UNKNOWN, pointer[2].Value);

            // And then we make sure the in bounds values stay the same
            Assert.IsFalse(pointer[0].IsOutOfBounds);
            Assert.IsFalse(pointer[1].IsOutOfBounds);

            Assert.AreEqual(0x41, pointer[0].Value);
            Assert.AreEqual(0x42, pointer[1].Value);
        }
Ejemplo n.º 31
0
        public void PointerOverflowByOne()
        {
            var buffer = AbstractValue.GetNewBuffer(16);
            var pointer = new AbstractBuffer(buffer);

            var value = pointer[16];
            Assert.IsTrue(value.IsOutOfBounds);
            Assert.IsFalse(value.IsInitialized);
            Assert.AreEqual(AbstractValue.UNKNOWN, value.Value);
        }
Ejemplo n.º 32
0
 public void PointerAssignment()
 {
     var values = AbstractValue.GetNewBuffer(4);
     var buffer = new AbstractBuffer(values);
     var assignedBuffer = buffer.DoOperation(OperatorEffect.Assignment, AbstractValue.Zero);
     Assert.AreNotSame(buffer, assignedBuffer);
 }
Ejemplo n.º 33
0
 public void OverflowZeroSizeBuffer()
 {
     var f = new AbstractBuffer(new AbstractValue[] {});
     Assert.IsFalse(f[0].IsInitialized);
 }
Ejemplo n.º 34
0
        public AbstractBuffer DoOperation(OperatorEffect operatorEffect, AbstractValue rhs)
        {
            if (null == rhs)
            {
                throw new ArgumentNullException("rhs");
            }

            var lhs = this;

            // TODO: should have a guard for if rhs isn't a pointer
            switch (operatorEffect)
            {
                case OperatorEffect.Assignment:
                {
                    var result = new AbstractBuffer(lhs);

                    return result;
                }

                case OperatorEffect.Add:
                {
                    var result = new AbstractBuffer(lhs);
                    result.BaseIndex += rhs.Value;

                    return result;
                }

                case OperatorEffect.Sub:
                {
                    var result = new AbstractBuffer(lhs);

                    if (result.BaseIndex <
                        rhs.Value)
                    {
                        throw new ArgumentOutOfRangeException(
                            String.Format(
                                "Attempting to set a negative baseindex, baseindex: {0:x4}, _subValue {1:x4}",
                                result.BaseIndex,
                                rhs.Value
                                )
                            );
                    }

                    result.BaseIndex -= rhs.Value;
                    return result;
                }

                case OperatorEffect.And:
                {
                    var result = new AbstractBuffer(lhs);

                    result.BaseIndex &= rhs.Value;
                    return result;
                }

                default:
                    throw new ArgumentException(
                        String.Format("Unsupported OperatorEffect: {0}", operatorEffect), "operatorEffect");
            }
        }
Ejemplo n.º 35
0
        public void PointerPointerPointer()
        {
            buffer = new AbstractBuffer(new[] {new AbstractValue(2)});
            pointer = new AbstractValue(buffer);
            var pointerPointer = new AbstractValue(new[] {pointer});
            var pointerPointerPointer = new AbstractValue(new[] {pointerPointer});
            Assert.AreEqual(2, pointerPointerPointer.PointsTo[0].PointsTo[0].PointsTo[0].Value);

            StringAssert.StartsWith("***0x00000002", pointerPointerPointer.ToString());
        }
Ejemplo n.º 36
0
        public void LeaEdxFromEaxPlus16()
        {
            // lea    edx,[eax+index]
            const byte INDEX = 0x1;
            code = new Byte[] {0x8d, 0x50, INDEX};

            var zero = new AbstractValue(0);
            var values = new[] {zero, one};
            var buffer = new AbstractBuffer(values);
            state.Registers[RegisterName.EAX] = new AbstractValue(buffer);

            state = X86Emulator.Run(reportItems, state, code);
            var edx = state.Registers[RegisterName.EDX];
            Assert.IsNotNull(edx);
            Assert.AreEqual(one, edx.PointsTo[0]);
        }
Ejemplo n.º 37
0
        public void PointerAnd()
        {
            var one = new AbstractValue(0x1);
            var two = new AbstractValue(0x2);
            var three = new AbstractValue(0x3);
            var four = new AbstractValue(0x4);
            var values = AbstractValue.GetNewBuffer(4);

            values[0] = one;
            values[1] = two;
            values[2] = three;
            values[3] = four;

            var buffer = new AbstractBuffer(values);
            Assert.AreEqual(one, buffer[0]);
            var modifiedBuffer = buffer.DoOperation(OperatorEffect.Add, new AbstractValue(3));
            Assert.AreEqual(four, modifiedBuffer[0]);
            var andedBuffer = modifiedBuffer.DoOperation(OperatorEffect.And, new AbstractValue(0xfffffff0));
            Assert.AreEqual(one, andedBuffer[0]);
        }
Ejemplo n.º 38
0
        public void OverflowZeroSizeBuffer()
        {
            var f = new AbstractBuffer(new AbstractValue[] {});

            Assert.IsFalse(f[0].IsInitialized);
        }
Ejemplo n.º 39
0
 public void AddTaintOnPointer()
 {
     buffer = new AbstractBuffer(AbstractValue.GetNewBuffer(1));
     var clean = new AbstractValue(buffer);
     clean.AddTaint();
 }
Ejemplo n.º 40
0
        public void LeaEaxFromEdxPlusEax()
        {
            // lea    eax,[edx+eax]
            code = new Byte[] {0x8d, 0x04, 0x02};

            var zero = new AbstractValue(0);
            var two = new AbstractValue(2);
            var values = new[] {zero, two};
            var buffer = new AbstractBuffer(values);
            state.Registers[RegisterName.EDX] = new AbstractValue(buffer);
            state.Registers[RegisterName.EAX] = new AbstractValue(1);

            state = X86Emulator.Run(reportItems, state, code);
            var eax = state.Registers[RegisterName.EAX];
            Assert.AreEqual(two.Value, eax.PointsTo[0].Value);
        }