public void Execute()
 {
     var address = new AbstractValue(0xdeadbabe);
     state = state.PushOntoStack(address);
     state = contract.Execute(state);
     Assert.AreEqual(address.Value, state.InstructionPointer);
 }
Ejemplo n.º 2
0
        public void Initialized()
        {
            var uninit = new AbstractValue(0xabcdef);

            Assert.IsTrue(uninit.IsInitialized);
            Assert.AreEqual(0xabcdef, uninit.Value);
        }
Ejemplo n.º 3
0
        private void Extend(UInt32 newLength)
        {
            // Account for element [0] of the array
            newLength = newLength + 1;
            if (newLength >= Length)
            {
                var extendedCopy = new AbstractValue[newLength];

                Int32 i;
                for (i = 0; i < storage.Length; i++)
                {
                    extendedCopy[i] = storage[i];
                }

                for (; i < newLength; i++)
                {
                    extendedCopy[i] = new AbstractValue(AbstractValue.UNKNOWN)
                    {
                        IsOutOfBounds = true
                    };
                }

                storage = extendedCopy;
            }

            return;
        }
Ejemplo n.º 4
0
        public void AddTaintOnPointer()
        {
            buffer = new AbstractBuffer(AbstractValue.GetNewBuffer(1));
            var clean = new AbstractValue(buffer);

            clean.AddTaint();
        }
Ejemplo n.º 5
0
        public void TruncateValue()
        {
            var dwordValue = new AbstractValue(0xdeadbeef);
            var byteValue  = dwordValue.TruncateValueToByte();

            Assert.AreEqual(0xef, byteValue.Value);
        }
Ejemplo n.º 6
0
        public void PointerHashcodes()
        {
            pointer = new AbstractValue(new[] { new AbstractValue(1) });
            var pointer2 = new AbstractValue(new[] { new AbstractValue(2) });

            Assert.AreNotEqual(pointer.GetHashCode(), pointer2.GetHashCode());
        }
Ejemplo n.º 7
0
 public void Pointer()
 {
     buffer  = new AbstractBuffer(new[] { new AbstractValue(2) });
     pointer = new AbstractValue(buffer);
     Assert.AreEqual(2, pointer.PointsTo[0].Value);
     StringAssert.StartsWith("*0x00000002", pointer.ToString());
 }
Ejemplo n.º 8
0
        public AbstractBuffer DoOperation(OperatorEffect operatorEffect, AbstractValue rhs)
        {
            if (null == rhs)
            {
                throw new ArgumentNullException("rhs");
            }

            var lhs = this;

            // TODO: should have a guard for if rhs isn't a pointer
            switch (operatorEffect)
            {
            case OperatorEffect.Assignment:
            {
                var result = new AbstractBuffer(lhs);

                return(result);
            }

            case OperatorEffect.Add:
            {
                var result = new AbstractBuffer(lhs);
                result.BaseIndex += rhs.Value;

                return(result);
            }

            case OperatorEffect.Sub:
            {
                var result = new AbstractBuffer(lhs);

                if (result.BaseIndex <
                    rhs.Value)
                {
                    throw new ArgumentOutOfRangeException(
                              String.Format(
                                  "Attempting to set a negative baseindex, baseindex: {0:x4}, _subValue {1:x4}",
                                  result.BaseIndex,
                                  rhs.Value
                                  )
                              );
                }

                result.BaseIndex -= rhs.Value;
                return(result);
            }

            case OperatorEffect.And:
            {
                var result = new AbstractBuffer(lhs);

                result.BaseIndex &= rhs.Value;
                return(result);
            }

            default:
                throw new ArgumentException(
                          String.Format("Unsupported OperatorEffect: {0}", operatorEffect), "operatorEffect");
            }
        }
Ejemplo n.º 9
0
        private static RegisterCollection createRegistersForLinuxStart()
        {
            var linuxMainDefaultValues = new RegisterCollection();

            var arg0 = new AbstractValue(1).AddTaint();

            var argvBuffer         = new[] { arg0 };
            var argvPointer        = new AbstractValue(argvBuffer);
            var argvPointerBuffer  = new[] { argvPointer };
            var argvPointerPointer = new AbstractValue(argvPointerBuffer);
            var stackBuffer        = AbstractValue.GetNewBuffer(0x200);

            var buffer         = new AbstractBuffer(stackBuffer);
            var modifiedBuffer = buffer.DoOperation(OperatorEffect.Add, new AbstractValue(0x100));

            // linux ABI dictates
            modifiedBuffer[5] = argvPointerPointer;

            // gcc generates code that accesses this at some optimization levels
            modifiedBuffer[0xfc] = new AbstractValue(1);

            var stackPointer = new AbstractValue(modifiedBuffer);

            linuxMainDefaultValues[RegisterName.ESP] = stackPointer;

            return(linuxMainDefaultValues);
        }
Ejemplo n.º 10
0
 public void AssignmentAtEnd()
 {
     var values = AbstractValue.GetNewBuffer(16);
     pointer = new AbstractValue(values);
     pointer.PointsTo[15] = new AbstractValue(0x31337);
     Assert.AreEqual(0x31337, pointer.PointsTo[15].Value);
 }
Ejemplo n.º 11
0
        public MachineState DoOperation(OperatorEffect operatorEffect, AbstractValue offset)
        {
            if (offset.IsPointer)
            {
                throw new ArgumentException("_offset pointer not supported.");
            }

            var newState = new MachineState(this);

            switch (operatorEffect)
            {
            case OperatorEffect.Jnz:
            {
                if (!newState.zeroFlag)
                {
                    newState.instructionPointer += offset.Value;
                }

                break;
            }

            default:
            {
                throw new ArgumentException(
                          String.Format("Unsupported OperatorEffect: {0}", operatorEffect), "operatorEffect");
            }
            }

            return(newState);
        }
Ejemplo n.º 12
0
        public MachineState PushOntoStack(AbstractValue value)
        {
            var newState = DoOperation(RegisterName.ESP, OperatorEffect.Add, new AbstractValue(0x4));

            newState.TopOfStack = new AbstractValue(value);
            return(newState);
        }
Ejemplo n.º 13
0
        public void ReturnValueIsAliasedToEax()
        {
            var value = new AbstractValue(0x31337);

            state.ReturnValue = value;
            Assert.AreEqual(value, state.Registers[RegisterName.EAX]);
        }
Ejemplo n.º 14
0
 public void InvalidPointerAnd()
 {
     var one = new AbstractValue(0x1);
     var buffer = new AbstractBuffer(new[] {one});
     var modifiedBuffer = buffer.DoOperation(OperatorEffect.Sub, new AbstractValue(3));
     modifiedBuffer.DoOperation(OperatorEffect.And, new AbstractValue(0xf));
 }
Ejemplo n.º 15
0
 public RegisterCollection()
 {
     registers = new AbstractValue[8];
     for (UInt32 i = 0; i < registers.Length; ++i)
     {
         registers[i] = new AbstractValue();
     }
 }
Ejemplo n.º 16
0
        public void InvalidPointerAnd()
        {
            var one            = new AbstractValue(0x1);
            var buffer         = new AbstractBuffer(new[] { one });
            var modifiedBuffer = buffer.DoOperation(OperatorEffect.Sub, new AbstractValue(3));

            modifiedBuffer.DoOperation(OperatorEffect.And, new AbstractValue(0xf));
        }
Ejemplo n.º 17
0
        public void PointerAssignment()
        {
            var values         = AbstractValue.GetNewBuffer(4);
            var buffer         = new AbstractBuffer(values);
            var assignedBuffer = buffer.DoOperation(OperatorEffect.Assignment, AbstractValue.Zero);

            Assert.AreNotSame(buffer, assignedBuffer);
        }
        public void Execute()
        {
            var address = new AbstractValue(0xdeadbabe);

            state = state.PushOntoStack(address);
            state = contract.Execute(state);
            Assert.AreEqual(address.Value, state.InstructionPointer);
        }
Ejemplo n.º 19
0
        public void NotInitialized()
        {
            var uninitializedValue = new AbstractValue();

            Assert.IsFalse(uninitializedValue.IsInitialized);
            Assert.AreEqual(AbstractValue.UNKNOWN, uninitializedValue.Value);
            Assert.AreEqual("?", uninitializedValue.ToString());
        }
Ejemplo n.º 20
0
 public RegisterCollection(RegisterCollection _copyMe)
 {
     registers = new AbstractValue[8];
     for (UInt32 i = 0; i < registers.Length; ++i)
     {
         registers[i] = new AbstractValue(_copyMe.registers[i]);
     }
 }
Ejemplo n.º 21
0
        public void AssignmentAtEnd()
        {
            var values = AbstractValue.GetNewBuffer(16);

            pointer = new AbstractValue(values);
            pointer.PointsTo[15] = new AbstractValue(0x31337);
            Assert.AreEqual(0x31337, pointer.PointsTo[15].Value);
        }
Ejemplo n.º 22
0
 public void AddTaint()
 {
     var clean = new AbstractValue(0x31337);
     Assert.IsFalse(clean.IsTainted);
     var tainted = clean.AddTaint();
     Assert.IsTrue(tainted.IsTainted);
     Assert.AreNotSame(clean, tainted);
 }
Ejemplo n.º 23
0
        public void NoPointer()
        {
            var value = new AbstractValue(2).AddTaint();

            Assert.IsNull(value.PointsTo);
            StringAssert.Contains("0x00000002", value.ToString());
            StringAssert.Contains("t", value.ToString());
        }
        public void SetUp()
        {
            var registers = new RegisterCollection();

            registers[RegisterName.ESP] = new AbstractValue(AbstractValue.GetNewBuffer(1));
            state    = new MachineState(registers);
            contract = new GLibcStartMainContract();
        }
Ejemplo n.º 25
0
 public RegisterCollection(RegisterCollection _copyMe)
 {
     registers = new AbstractValue[8];
     for (UInt32 i = 0; i < registers.Length; ++i)
     {
         registers[i] = new AbstractValue(_copyMe.registers[i]);
     }
 }
Ejemplo n.º 26
0
 public void AssignmentAtByteZero()
 {
     var values = AbstractValue.GetNewBuffer(16);
     pointer = new AbstractValue(values);
     pointer.PointsTo[0] = new AbstractValue(0x31337);
     Assert.AreEqual(0x31337, pointer.PointsTo[0].Value);
     Assert.AreEqual("*0x00031337", pointer.ToString());
 }
Ejemplo n.º 27
0
        public override MachineState Execute(MachineState state)
        {
            var buffer = AbstractValue.GetNewBuffer(state.TopOfStack.Value);

            state.ReturnValue = new AbstractValue(buffer);

            return(state);
        }
Ejemplo n.º 28
0
 public RegisterCollection()
 {
     registers = new AbstractValue[8];
     for (UInt32 i = 0; i < registers.Length; ++i)
     {
         registers[i] = new AbstractValue();
     }
 }
Ejemplo n.º 29
0
        public void AssignmentAtByteZero()
        {
            var values = AbstractValue.GetNewBuffer(16);

            pointer             = new AbstractValue(values);
            pointer.PointsTo[0] = new AbstractValue(0x31337);
            Assert.AreEqual(0x31337, pointer.PointsTo[0].Value);
            Assert.AreEqual("*0x00031337", pointer.ToString());
        }
Ejemplo n.º 30
0
        public void Shr()
        {
            eax   = new AbstractValue(0x8).AddTaint();
            ebx   = new AbstractValue(0x3);
            state = state.DoOperation(RegisterName.EAX, OperatorEffect.Shr, RegisterName.EBX);

            Assert.AreEqual(0x1, eax.Value);
            Assert.IsTrue(eax.IsTainted);
        }
Ejemplo n.º 31
0
        public void And()
        {
            eax   = new AbstractValue(0x350).AddTaint();
            ebx   = new AbstractValue(0xff);
            state = state.DoOperation(RegisterName.EAX, OperatorEffect.And, RegisterName.EBX);

            Assert.AreEqual(0x50, eax.Value);
            Assert.IsTrue(eax.IsTainted);
        }
Ejemplo n.º 32
0
        public void GetNewBufferReturnsUnallocatedValues()
        {
            var buffer = AbstractValue.GetNewBuffer(16);

            for (var i = 0; i < 16; i++)
            {
                Assert.IsFalse(buffer[i].IsInitialized);
            }
        }
Ejemplo n.º 33
0
        public void And()
        {
            eax = new AbstractValue(0x350).AddTaint();
            ebx = new AbstractValue(0xff);
            state = state.DoOperation(RegisterName.EAX, OperatorEffect.And, RegisterName.EBX);

            Assert.AreEqual(0x50, eax.Value);
            Assert.IsTrue(eax.IsTainted);
        }
Ejemplo n.º 34
0
        public AbstractValue TruncateValueToByte()
        {
            var byteValue      = Value & 0xff;
            var truncatedValue = new AbstractValue(byteValue);

            truncatedValue.IsTainted = IsTainted;

            return(truncatedValue);
        }
Ejemplo n.º 35
0
        public void PointerAdd()
        {
            var buffer = AbstractValue.GetNewBuffer(0x10);

            buffer[4] = one;
            eax       = new AbstractValue(buffer);

            state = state.DoOperation(RegisterName.EAX, OperatorEffect.Add, new AbstractValue(0x4));
            Assert.AreEqual(one, eax.PointsTo[0]);
        }
Ejemplo n.º 36
0
        public void MovFromGlobalIntoEax()
        {
            code = new Byte[] { 0xa1, 0xe4, 0x84, 0x04, 0x08 };
            var value = new AbstractValue(31337);

            state.DataSegment[0x080484e4] = value;
            state = X86Emulator.Run(reportItems, state, code);

            Assert.AreEqual(value, state.Registers[RegisterName.EAX]);
        }
Ejemplo n.º 37
0
        public AbstractValue(AbstractValue[] willPointTo)
        {
            if (willPointTo.Length == 0)
            {
                throw new ArgumentException("Empty buffer is not allowed", "willPointTo");
            }

            storage = 0xdeadbeef;
            pointsTo = new AbstractBuffer(willPointTo);
        }
Ejemplo n.º 38
0
        public AbstractBuffer(AbstractValue[] values)
        {
            if (null == values)
            {
                throw new ArgumentNullException("values");
            }

            storage = values;
            Length = storage.Length;
        }
Ejemplo n.º 39
0
        public void AssignmentRetainsOOB()
        {
            var oob = new AbstractValue(1)
            {
                IsOutOfBounds = true
            };

            state = state.DoOperation(RegisterName.EAX, OperatorEffect.Assignment, oob);
            Assert.IsTrue(eax.IsOutOfBounds);
        }
Ejemplo n.º 40
0
        public void SetUp()
        {
            state       = new MachineState(new RegisterCollection());
            reportItems = new ReportCollection();
            var buffer  = new AbstractBuffer(AbstractValue.GetNewBuffer(0x200));
            var pointer = new AbstractValue(buffer);

            state.Registers[RegisterName.ESP] = pointer;
            state = state.DoOperation(RegisterName.EBP, OperatorEffect.Assignment, RegisterName.ESP);
        }
Ejemplo n.º 41
0
        public AbstractValue(AbstractValue other)
        {
            if (other == null)
            {
                throw new ArgumentNullException("other");
            }

            storage = other.Value;
            tainted = other.IsTainted;
            IsOutOfBounds = other.IsOutOfBounds;

            if (other.PointsTo != null)
            {
                pointsTo = new AbstractBuffer(other.PointsTo);
            }
        }
Ejemplo n.º 42
0
        public void PointerAdd()
        {
            var one = new AbstractValue(0x1);
            var two = new AbstractValue(0x2);
            var three = new AbstractValue(0x3);
            var four = new AbstractValue(0x4);
            var values = AbstractValue.GetNewBuffer(4);

            values[0] = one;
            values[1] = two;
            values[2] = three;
            values[3] = four;

            var buffer = new AbstractBuffer(values);
            Assert.AreEqual(one, buffer[0]);
            var modifiedBuffer = buffer.DoOperation(OperatorEffect.Add, new AbstractValue(2));
            Assert.AreEqual(three, modifiedBuffer[0]);
        }
Ejemplo n.º 43
0
        public void OverflowDoesntLoseIncrement()
        {
            var buffer = AbstractValue.GetNewBuffer(16);
            var pointer = new AbstractBuffer(buffer);
            var value = new AbstractValue(0x41);
            value = value.AddTaint();

            pointer[0] = value;

            pointer = pointer.DoOperation(OperatorEffect.Add, new AbstractValue(1));

            pointer[16] = value;

            pointer = pointer.DoOperation(OperatorEffect.Sub, new AbstractValue(1));

            Assert.AreEqual(0x41, pointer[0].Value);
            Assert.IsTrue(value.IsTainted);
            Assert.AreEqual(0x41, pointer[17].Value);
            Assert.IsTrue(pointer[17].IsTainted);
        }
Ejemplo n.º 44
0
 public void ZeroSizeBuffer()
 {
     pointer = new AbstractValue(new AbstractValue[] {});
 }
Ejemplo n.º 45
0
 public void TruncateValue()
 {
     var dwordValue = new AbstractValue(0xdeadbeef);
     var byteValue = dwordValue.TruncateValueToByte();
     Assert.AreEqual(0xef, byteValue.Value);
 }
Ejemplo n.º 46
0
        public void PointerPointerPointer()
        {
            buffer = new AbstractBuffer(new[] {new AbstractValue(2)});
            pointer = new AbstractValue(buffer);
            var pointerPointer = new AbstractValue(new[] {pointer});
            var pointerPointerPointer = new AbstractValue(new[] {pointerPointer});
            Assert.AreEqual(2, pointerPointerPointer.PointsTo[0].PointsTo[0].PointsTo[0].Value);

            StringAssert.StartsWith("***0x00000002", pointerPointerPointer.ToString());
        }
Ejemplo n.º 47
0
        public void PointerHashcodes()
        {
            pointer = new AbstractValue(new[] {new AbstractValue(1)});
            var pointer2 = new AbstractValue(new[] {new AbstractValue(2)});

            Assert.AreNotEqual(pointer.GetHashCode(), pointer2.GetHashCode());
        }
Ejemplo n.º 48
0
        public void OutOfBoundsPropertySurvivesCopy()
        {
            var src = new AbstractValue(0x31337)
                      {
                          IsOutOfBounds = true
                      };
            var dest = new AbstractValue(src);

            Assert.IsTrue(dest.IsOutOfBounds);
        }
Ejemplo n.º 49
0
 public void NullCopyCtor()
 {
     pointer = new AbstractValue((AbstractValue)null);
 }
Ejemplo n.º 50
0
        public AbstractValue AddTaint()
        {
            if (PointsTo != null)
            {
                throw new InvalidOperationException("Cannot AddTaint to a pointer");
            }

            var taintedValue = new AbstractValue(this)
                               {
                                   IsTainted = true
                               };
            return taintedValue;
        }
Ejemplo n.º 51
0
        public AbstractValue TruncateValueToByte()
        {
            var byteValue = Value & 0xff;
            var truncatedValue = new AbstractValue(byteValue);
            truncatedValue.IsTainted = IsTainted;

            return truncatedValue;
        }
Ejemplo n.º 52
0
        private void Extend(UInt32 newLength)
        {
            // Account for element [0] of the array
            newLength = newLength + 1;
            if (newLength >= Length)
            {
                var extendedCopy = new AbstractValue[newLength];

                Int32 i;
                for (i = 0; i < storage.Length; i++)
                {
                    extendedCopy[i] = storage[i];
                }

                for (; i < newLength; i++)
                {
                    extendedCopy[i] = new AbstractValue(AbstractValue.UNKNOWN)
                                      {
                                          IsOutOfBounds = true
                                      };
                }

                storage = extendedCopy;
            }

            return;
        }
Ejemplo n.º 53
0
        public void PointerOverflowStillRetainsOldValues()
        {
            var test1 = new AbstractValue(0x41);
            var test2 = new AbstractValue(0x42);
            var buffer = AbstractValue.GetNewBuffer(2);

            buffer[0] = test1;
            buffer[1] = test2;

            var pointer = new AbstractBuffer(buffer);

            // Accessing pointer[2] will cause the AbstractBuffer to extend..
            Assert.IsTrue(pointer[2].IsOutOfBounds, " value is not out of bounds");
            Assert.IsFalse(pointer[2].IsInitialized);
            Assert.AreEqual(AbstractValue.UNKNOWN, pointer[2].Value);

            // And then we make sure the in bounds values stay the same
            Assert.IsFalse(pointer[0].IsOutOfBounds);
            Assert.IsFalse(pointer[1].IsOutOfBounds);

            Assert.AreEqual(0x41, pointer[0].Value);
            Assert.AreEqual(0x42, pointer[1].Value);
        }
Ejemplo n.º 54
0
        public void PointerOverflowTwiceStillRetainsOriginalValues()
        {
            var buffer = AbstractValue.GetNewBuffer(16);
            var pointer = new AbstractBuffer(buffer);

            // Access beyond buffer bounds forcing buffer to expand
            Assert.IsTrue(pointer[17].IsOutOfBounds);
            Assert.IsFalse(pointer[17].IsInitialized);
            Assert.AreEqual(AbstractValue.UNKNOWN, pointer[17].Value);

            pointer[17] = new AbstractValue(0x41414141);

            // Access beyond previously expanded bounds to force 2nd expand
            Assert.IsTrue(pointer[64].IsOutOfBounds);
            Assert.IsFalse(pointer[64].IsInitialized);
            Assert.AreEqual(AbstractValue.UNKNOWN, pointer[64].Value);

            // check that value set outside of bounds is still the same as well
            Assert.IsTrue(pointer[17].IsOutOfBounds);
            Assert.AreEqual(0x41414141, pointer[17].Value);
        }
Ejemplo n.º 55
0
 public void AddTaintOnPointer()
 {
     buffer = new AbstractBuffer(AbstractValue.GetNewBuffer(1));
     var clean = new AbstractValue(buffer);
     clean.AddTaint();
 }
Ejemplo n.º 56
0
 public void EmptyBuffer()
 {
     pointer = new AbstractValue(new AbstractBuffer(new AbstractValue[] {}));
 }
Ejemplo n.º 57
0
        public void NoPointer()
        {
            var value = new AbstractValue(2).AddTaint();

            Assert.IsNull(value.PointsTo);
            StringAssert.Contains("0x00000002", value.ToString());
            StringAssert.Contains("t", value.ToString());
        }
Ejemplo n.º 58
0
        public static AbstractValue[] GetNewBuffer(UInt32 size)
        {
            if (size > MAX_BUFFER_SIZE)
            {
                throw new ArgumentOutOfRangeException(
                    "size", "Size specified larger than maximum allowed: " + MAX_BUFFER_SIZE);
            }

            var buffer = new AbstractValue[size];
            for (UInt32 i = 0; i < size; i++)
            {
                buffer[i] = new AbstractValue();
            }

            return buffer;
        }
Ejemplo n.º 59
0
 public void Initialized()
 {
     var uninit = new AbstractValue(0xabcdef);
     Assert.IsTrue(uninit.IsInitialized);
     Assert.AreEqual(0xabcdef, uninit.Value);
 }
Ejemplo n.º 60
0
 public void NotInitialized()
 {
     var uninitializedValue = new AbstractValue();
     Assert.IsFalse(uninitializedValue.IsInitialized);
     Assert.AreEqual(AbstractValue.UNKNOWN, uninitializedValue.Value);
     Assert.AreEqual("?", uninitializedValue.ToString());
 }