/// <summary>
/// Initializes the simulation using a provided memory safety model.
/// </summary>
/// <param name="model">The memory safety model.</param>
public Simulation(MemorySafetyModel model)
{
this.Model = model;
this.CompleteGraph = new DirectedGraph();
this.Transitions = new List <Transition>();
}
public static Simulation GetAllTechniquesSimulation(MemorySafetyModel model)
{
List <ExploitationTechnique> techniques = new List <ExploitationTechnique>();
var parameters = new MemoryAccessParameter[]
{
MemoryAccessParameter.Base,
MemoryAccessParameter.Content,
MemoryAccessParameter.Displacement,
MemoryAccessParameter.Extent
};
var regions = Enum.GetValues(typeof(MemoryRegionType));
//
// Multi-region generic techniques.
//
foreach (MemoryRegionType region in regions)
{
//
// Skip regions that are not relevant.
//
if (!MemoryAddress.WritableRegionTypes.Contains(region))
{
continue;
}
//
// r->r, r->w, and w->r techniques.
//
foreach (MemoryAccessParameter parameter in parameters)
{
if (parameter != MemoryAccessParameter.Content)
{
techniques.Add(
new SimpleTechnique(
new ReadToReadPrimitive(parameter, parameter.GetMemoryAddress(MemoryAccessMethod.Read, region))
)
);
}
techniques.Add(
new SimpleTechnique(
new ReadToWritePrimitive(parameter, parameter.GetMemoryAddress(MemoryAccessMethod.Write, region))
)
);
techniques.Add(
new SimpleTechnique(
new WriteToReadPrimitive(parameter, parameter.GetMemoryAddress(MemoryAccessMethod.Read, region))
)
);
}
}
techniques.Add(new CorruptFunctionPointer());
techniques.Add(new CorruptCppObjectVirtualTablePointer());
//
// Stack-specific techniques.
//
techniques.Add(new CorruptStackReturnAddress());
techniques.Add(new CorruptStackFramePointer());
techniques.Add(new CorruptStackStructuredExceptionHandler());
//
// Heap-specific techniques.
//
//
// Content initialization techniques.
//
techniques.Add(new HeapSpray());
techniques.Add(new StackLocalVariableInitialization());
techniques.Add(new LoadNonASLRImage());
techniques.Add(new LoadNonASLRNonSafeSEHImage());
//
// Code execution techniques.
//
techniques.Add(new ExecuteControlledDataAsCode());
techniques.Add(new ExecuteJITCode());
techniques.Add(new ExecuteROPPayload.StageViaVirtualAllocOrProtect());
techniques.Add(new ExecuteROPPayload.StageViaExecutableHeap());
techniques.Add(new ExecuteROPPayload.StageViaDisableNX());
techniques.Add(new ExecuteROPPayload.PureROP());
techniques.Add(
new SimpleTechnique(
new WriteToExecutePrimitive()
)
);
//
// Add the transitions to the simulation.
//
Simulation simulation = new Simulation(model);
simulation.BeginAddTransition();
foreach (ExploitationTechnique technique in techniques)
{
technique.AddTransitionsToSimulation(simulation);
}
simulation.EndAddTransition();
return(simulation);
}