Example #1
0
        private static RegisterCollection createRegistersForLinuxStart()
        {
            var linuxMainDefaultValues = new RegisterCollection();

            var arg0 = new AbstractValue(1).AddTaint();

            var argvBuffer         = new[] { arg0 };
            var argvPointer        = new AbstractValue(argvBuffer);
            var argvPointerBuffer  = new[] { argvPointer };
            var argvPointerPointer = new AbstractValue(argvPointerBuffer);
            var stackBuffer        = AbstractValue.GetNewBuffer(0x200);

            var buffer         = new AbstractBuffer(stackBuffer);
            var modifiedBuffer = buffer.DoOperation(OperatorEffect.Add, new AbstractValue(0x100));

            // linux ABI dictates
            modifiedBuffer[5] = argvPointerPointer;

            // gcc generates code that accesses this at some optimization levels
            modifiedBuffer[0xfc] = new AbstractValue(1);

            var stackPointer = new AbstractValue(modifiedBuffer);

            linuxMainDefaultValues[RegisterName.ESP] = stackPointer;

            return(linuxMainDefaultValues);
        }
        public void AddTaintOnPointer()
        {
            buffer = new AbstractBuffer(AbstractValue.GetNewBuffer(1));
            var clean = new AbstractValue(buffer);

            clean.AddTaint();
        }
        public void AssignmentAtEnd()
        {
            var values = AbstractValue.GetNewBuffer(16);

            pointer = new AbstractValue(values);
            pointer.PointsTo[15] = new AbstractValue(0x31337);
            Assert.AreEqual(0x31337, pointer.PointsTo[15].Value);
        }
        public void SetUp()
        {
            var registers = new RegisterCollection();

            registers[RegisterName.ESP] = new AbstractValue(AbstractValue.GetNewBuffer(1));
            state    = new MachineState(registers);
            contract = new GLibcStartMainContract();
        }
Example #5
0
        public override MachineState Execute(MachineState state)
        {
            var buffer = AbstractValue.GetNewBuffer(state.TopOfStack.Value);

            state.ReturnValue = new AbstractValue(buffer);

            return(state);
        }
        public void PointerAssignment()
        {
            var values         = AbstractValue.GetNewBuffer(4);
            var buffer         = new AbstractBuffer(values);
            var assignedBuffer = buffer.DoOperation(OperatorEffect.Assignment, AbstractValue.Zero);

            Assert.AreNotSame(buffer, assignedBuffer);
        }
Example #7
0
        public void GetNewBufferReturnsUnallocatedValues()
        {
            var buffer = AbstractValue.GetNewBuffer(16);

            for (var i = 0; i < 16; i++)
            {
                Assert.IsFalse(buffer[i].IsInitialized);
            }
        }
        public void AssignmentAtByteZero()
        {
            var values = AbstractValue.GetNewBuffer(16);

            pointer             = new AbstractValue(values);
            pointer.PointsTo[0] = new AbstractValue(0x31337);
            Assert.AreEqual(0x31337, pointer.PointsTo[0].Value);
            Assert.AreEqual("*0x00031337", pointer.ToString());
        }
Example #9
0
        public void PointerAdd()
        {
            var buffer = AbstractValue.GetNewBuffer(0x10);

            buffer[4] = one;
            eax       = new AbstractValue(buffer);

            state = state.DoOperation(RegisterName.EAX, OperatorEffect.Add, new AbstractValue(0x4));
            Assert.AreEqual(one, eax.PointsTo[0]);
        }
Example #10
0
        public void SetUp()
        {
            state       = new MachineState(new RegisterCollection());
            reportItems = new ReportCollection();
            var buffer  = new AbstractBuffer(AbstractValue.GetNewBuffer(0x200));
            var pointer = new AbstractValue(buffer);

            state.Registers[RegisterName.ESP] = pointer;
            state = state.DoOperation(RegisterName.EBP, OperatorEffect.Assignment, RegisterName.ESP);
        }
        public void PointerOverflowByOne()
        {
            var buffer  = AbstractValue.GetNewBuffer(16);
            var pointer = new AbstractBuffer(buffer);

            var value = pointer[16];

            Assert.IsTrue(value.IsOutOfBounds);
            Assert.IsFalse(value.IsInitialized);
            Assert.AreEqual(AbstractValue.UNKNOWN, value.Value);
        }
Example #12
0
        public void Copy()
        {
            state.Registers[RegisterName.ESP] = new AbstractValue(new AbstractBuffer(AbstractValue.GetNewBuffer(10)));
            var newState = new MachineState(state);

            Assert.AreNotSame(newState, state);
            Assert.AreNotSame(newState.Registers, state.Registers);
            Assert.AreNotSame(newState.DataSegment, state.DataSegment);
            Assert.AreNotSame(newState.ReturnValue, state.ReturnValue);
            Assert.AreSame(newState.TopOfStack, state.TopOfStack);
        }
Example #13
0
        public void PushTwiceThenManuallyAdjustStackThenAssignToEbp()
        {
            var buffer = AbstractValue.GetNewBuffer(0x20);

            esp   = new AbstractValue(buffer);
            state = state.PushOntoStack(one);
            state = state.PushOntoStack(two);

            state = state.DoOperation(RegisterName.ESP, OperatorEffect.Sub, new AbstractValue(0x4));
            Assert.AreEqual(one, state.TopOfStack);
        }
Example #14
0
        public void PushPopThenAssignToTop()
        {
            var buffer = AbstractValue.GetNewBuffer(0x20);

            esp   = new AbstractValue(buffer);
            state = state.PushOntoStack(one);

            // TODO(matt_hargett): extract into state.PopOffStack()
            state = state.DoOperation(RegisterName.ESP, OperatorEffect.Sub, new AbstractValue(0x4));
            state = state.DoOperation(RegisterName.ESP, 0, OperatorEffect.Assignment, two);
            Assert.AreEqual(two, state.TopOfStack);
        }
Example #15
0
        public void MovIntoAssignedEaxInBounds()
        {
            const Byte VALUE   = 0x01;
            const byte INDEX   = 0xf;
            var        buffer  = AbstractValue.GetNewBuffer(16);
            var        pointer = new AbstractValue(buffer);

            state.ReturnValue = pointer;
            code  = new Byte[] { 0xc6, 0x40, INDEX, VALUE };
            state = X86Emulator.Run(reportItems, state, code);
            Assert.AreEqual(VALUE, state.ReturnValue.PointsTo[INDEX].Value);
        }
Example #16
0
        public void MovEbpMinus8()
        {
            // mov    DWORD PTR [ebp-8],0xf
            const byte FIFTEEN = 0x0f;
            var        value   = AbstractValue.GetNewBuffer(0x100);

            state.Registers[RegisterName.EBP] = new AbstractValue(value);
            code  = new Byte[] { 0xc7, 0x45, 0xf8, FIFTEEN, 0x00, 0x00, 0x00 };
            state = X86Emulator.Run(reportItems, state, code);

            Assert.AreEqual(FIFTEEN, state.Registers[RegisterName.EBP].PointsTo[0xf8].Value);
        }
Example #17
0
        public void PointerSub()
        {
            var buffer = AbstractValue.GetNewBuffer(0x10);

            buffer[0] = one;
            eax       = new AbstractValue(buffer);
            ebx       = new AbstractValue(0x4);
            state     = state.DoOperation(RegisterName.EAX, OperatorEffect.Add, RegisterName.EBX);
            Assert.IsNotNull(eax.PointsTo);
            state = state.DoOperation(RegisterName.EAX, OperatorEffect.Sub, RegisterName.EBX);
            Assert.AreEqual(one, eax.PointsTo[0]);
        }
Example #18
0
        public void MovBytePtrEaxInBounds()
        {
            // mov    BYTE PTR [eax], value
            const byte VALUE   = 0x01;
            var        buffer  = AbstractValue.GetNewBuffer(16);
            var        pointer = new AbstractValue(buffer);

            state.ReturnValue = pointer;
            code  = new Byte[] { 0xc6, 0x00, VALUE };
            state = X86Emulator.Run(reportItems, state, code);
            Assert.AreEqual(VALUE, state.ReturnValue.PointsTo[0].Value);
        }
Example #19
0
        public void Copy()
        {
            registers[RegisterName.ESP] = new AbstractValue(new AbstractBuffer(AbstractValue.GetNewBuffer(10)));
            var newRegisters = new RegisterCollection(registers);

            for (UInt32 i = 0; i < 7; i++)
            {
                var register = (RegisterName)i;
                Assert.AreNotSame(newRegisters[register], registers[register]);
            }

            Assert.AreNotSame(newRegisters[RegisterName.ESP].PointsTo, registers[RegisterName.ESP].PointsTo);
        }
        public void Copy()
        {
            var values    = AbstractValue.GetNewBuffer(4);
            var buffer    = new AbstractBuffer(values);
            var newBuffer = new AbstractBuffer(buffer);

            Assert.AreNotSame(newBuffer, buffer);

            for (var index = 0; index < newBuffer.Length; index++)
            {
                Assert.AreSame(newBuffer[index], buffer[index]);
            }
        }
Example #21
0
        public void MovPtrEax16()
        {
            // mov    DWORD PTR [eax],0x10
            var value = AbstractValue.GetNewBuffer(1);

            state.Registers[RegisterName.EAX] = new AbstractValue(value);
            code  = new Byte[] { 0xc7, 0x00, 0x10, 0x00, 0x00, 0x00 };
            state = X86Emulator.Run(reportItems, state, code);

            var sixteen = state.Registers[RegisterName.EAX].PointsTo[0];

            Assert.AreEqual(0x10, sixteen.Value);
        }
Example #22
0
        public void MovEaxEbpPlusTwelve()
        {
            var buffer = AbstractValue.GetNewBuffer(16);

            buffer[12] = new AbstractValue(1);

            var pointer = new AbstractValue(buffer);

            state.Registers[RegisterName.EBP] = pointer;

            code  = new Byte[] { 0x8b, 0x45, 0xc };
            state = X86Emulator.Run(reportItems, state, code);

            Assert.AreEqual(0x3, state.InstructionPointer);
            Assert.AreEqual(1, state.ReturnValue.Value);
        }
Example #23
0
        public void MovDwordPtrEaxPlus16FromEbx()
        {
            // mov    BYTE PTR [eax+16],bl
            const byte OFFSET = 0x10;

            state.Registers[RegisterName.EBX] = new AbstractValue(0x1);
            var buffer  = AbstractValue.GetNewBuffer((uint)OFFSET + 1);
            var pointer = new AbstractValue(buffer);

            state.Registers[RegisterName.EAX] = pointer;

            code  = new Byte[] { 0x89, 0x58, OFFSET };
            state = X86Emulator.Run(reportItems, state, code);

            Assert.AreEqual(0x1, state.Registers[RegisterName.EAX].PointsTo[OFFSET].Value);
        }
Example #24
0
        public void MovIntoAssignedEaxOutOfBounds()
        {
            const byte VALUE   = 0x01;
            const byte INDEX   = 0x10;
            var        buffer  = AbstractValue.GetNewBuffer(INDEX);
            var        pointer = new AbstractValue(buffer);

            state.ReturnValue = pointer;
            var nopCode = new Byte[] { 0x90 };

            code  = new Byte[] { 0xc6, 0x40, INDEX, VALUE };
            state = X86Emulator.Run(reportItems, state, nopCode);
            state = X86Emulator.Run(reportItems, state, code);
            Assert.AreEqual(1, reportItems.Count);
            Assert.AreEqual(nopCode.Length, reportItems[0].InstructionPointer);
            Assert.IsFalse(reportItems[0].IsTainted);
        }
Example #25
0
        public void PointerAnd()
        {
            var buffer = AbstractValue.GetNewBuffer(0x10);

            buffer[4] = one;

            eax = new AbstractValue(buffer);

            state = state.DoOperation(RegisterName.EAX, OperatorEffect.Add, new AbstractValue(0x4));
            Assert.AreEqual(one, eax.PointsTo[0]);

            var andValue = new AbstractValue(0xfffffff0);
            var newState = state.DoOperation(RegisterName.EAX, OperatorEffect.And, andValue);

            Assert.AreNotSame(newState, state);
            Assert.AreNotEqual(newState, state);

            state = newState;
            Assert.AreEqual(one, eax.PointsTo[4]);
        }
Example #26
0
        public void CmpEbpPlusEight0()
        {
            // cmp    DWORD PTR [ebp+8],0x0
            code = new Byte[] { 0x83, 0x7d, 0x08, 0x0 };
            var buffer = AbstractValue.GetNewBuffer(16);

            var pointer = new AbstractValue(buffer);

            state.Registers[RegisterName.EBP]             = pointer;
            state.Registers[RegisterName.EBP].PointsTo[8] = new AbstractValue(1);

            state = X86Emulator.Run(reportItems, state, code);
            Assert.AreEqual(0x4, state.InstructionPointer);
            Assert.IsFalse(state.ZeroFlag);

            state.Registers[RegisterName.EBP].PointsTo[8] = new AbstractValue(0);
            state = X86Emulator.Run(reportItems, state, code);
            Assert.AreEqual(0x8, state.InstructionPointer);
            Assert.IsTrue(state.ZeroFlag);
        }
        public void PointerAdd()
        {
            var one    = new AbstractValue(0x1);
            var two    = new AbstractValue(0x2);
            var three  = new AbstractValue(0x3);
            var four   = new AbstractValue(0x4);
            var values = AbstractValue.GetNewBuffer(4);

            values[0] = one;
            values[1] = two;
            values[2] = three;
            values[3] = four;

            var buffer = new AbstractBuffer(values);

            Assert.AreEqual(one, buffer[0]);
            var modifiedBuffer = buffer.DoOperation(OperatorEffect.Add, new AbstractValue(2));

            Assert.AreEqual(three, modifiedBuffer[0]);
        }
        public void PointerOverflowTwiceStillRetainsOriginalValues()
        {
            var buffer  = AbstractValue.GetNewBuffer(16);
            var pointer = new AbstractBuffer(buffer);

            // Access beyond buffer bounds forcing buffer to expand
            Assert.IsTrue(pointer[17].IsOutOfBounds);
            Assert.IsFalse(pointer[17].IsInitialized);
            Assert.AreEqual(AbstractValue.UNKNOWN, pointer[17].Value);

            pointer[17] = new AbstractValue(0x41414141);

            // Access beyond previously expanded bounds to force 2nd expand
            Assert.IsTrue(pointer[64].IsOutOfBounds);
            Assert.IsFalse(pointer[64].IsInitialized);
            Assert.AreEqual(AbstractValue.UNKNOWN, pointer[64].Value);

            // check that value set outside of bounds is still the same as well
            Assert.IsTrue(pointer[17].IsOutOfBounds);
            Assert.AreEqual(0x41414141, pointer[17].Value);
        }
        public void OverflowDoesntLoseIncrement()
        {
            var buffer  = AbstractValue.GetNewBuffer(16);
            var pointer = new AbstractBuffer(buffer);
            var value   = new AbstractValue(0x41);

            value = value.AddTaint();

            pointer[0] = value;

            pointer = pointer.DoOperation(OperatorEffect.Add, new AbstractValue(1));

            pointer[16] = value;

            pointer = pointer.DoOperation(OperatorEffect.Sub, new AbstractValue(1));

            Assert.AreEqual(0x41, pointer[0].Value);
            Assert.IsTrue(value.IsTainted);
            Assert.AreEqual(0x41, pointer[17].Value);
            Assert.IsTrue(pointer[17].IsTainted);
        }
        public void PointerOverflowStillRetainsOldValues()
        {
            var test1  = new AbstractValue(0x41);
            var test2  = new AbstractValue(0x42);
            var buffer = AbstractValue.GetNewBuffer(2);

            buffer[0] = test1;
            buffer[1] = test2;

            var pointer = new AbstractBuffer(buffer);

            // Accessing pointer[2] will cause the AbstractBuffer to extend..
            Assert.IsTrue(pointer[2].IsOutOfBounds, " value is not out of bounds");
            Assert.IsFalse(pointer[2].IsInitialized);
            Assert.AreEqual(AbstractValue.UNKNOWN, pointer[2].Value);

            // And then we make sure the in bounds values stay the same
            Assert.IsFalse(pointer[0].IsOutOfBounds);
            Assert.IsFalse(pointer[1].IsOutOfBounds);

            Assert.AreEqual(0x41, pointer[0].Value);
            Assert.AreEqual(0x42, pointer[1].Value);
        }