/// <summary>
/// Describes a memory address by the kind of content it holds and the region it lives in.
/// </summary>
/// <param name="dataType">The kind of content stored at this address.</param>
/// <param name="region">
/// The region containing the address. When omitted, the address is treated as being in any region.
/// </param>
public MemoryAddress(MemoryContentDataType dataType, MemoryRegionType? region = null)
{
    this.DataType = dataType;

    // A caller that does not constrain the region gets the wildcard region.
    this.Region = region ?? MemoryRegionType.Any;
}
/// <summary>
/// Registers the root transitions contributed by this technique. For each content type that a
/// stack local variable could overlap, one transition initializes that content at a destination
/// (write) address and another initializes it at a source (read) address; both addresses are in
/// the stack region. Every transition is gated on the simulation context favoring the assumption
/// that content can be initialized through an overlapping stack local.
/// </summary>
/// <param name="simulation">The simulation receiving the transitions.</param>
public override void AddTransitionsToSimulation(Simulation simulation)
{
    MemoryContentDataType[] overlappableContent =
    {
        MemoryContentDataType.WriteBasePointer,
        MemoryContentDataType.WriteDisplacement,
        MemoryContentDataType.WriteContent,
        MemoryContentDataType.WriteExtent,
        MemoryContentDataType.ReadBasePointer,
        MemoryContentDataType.ReadContent,
        MemoryContentDataType.ReadDisplacement,
        MemoryContentDataType.ReadExtent,
        MemoryContentDataType.FunctionPointer,
        MemoryContentDataType.CppVirtualTablePointer,
    };

    foreach (MemoryContentDataType content in overlappableContent)
    {
        // Every address this technique can reach is a stack address holding the given content type.
        MemoryAddress stackAddress = new MemoryAddress(content, MemoryRegionType.Stack);

        simulation.AddRootTransition(
            this,
            new InitializeDestinationContentPrimitive(
                $"Initialize content at destination address ({stackAddress}) of write via stack local var initialization",
                destinationAddress: stackAddress,
                constraints: context =>
                    context.AttackerFavorsAssumeTrue(AssumptionName.CanInitializeContentViaStackOverlappingLocal) == true));

        simulation.AddRootTransition(
            this,
            new InitializeSourceContentPrimitive(
                $"Initialize content at source address ({stackAddress}) of read via stack local var initialization",
                sourceAddress: stackAddress,
                constraints: context =>
                    context.AttackerFavorsAssumeTrue(AssumptionName.CanInitializeContentViaStackOverlappingLocal) == true));
    }
}
/// <summary>
/// Registers the root transitions contributed by heap spraying. For every sprayable content type,
/// first in the heap region and then in the wildcard region, one transition initializes that
/// content at a destination (write) address and another at a source (read) address. Each is gated
/// on the context reporting that heap-spray initialization is possible and, on success, records
/// the heap-spray assumption together with the assumption that the address of attacker-controlled
/// data can be found. A final transition models spraying executable content, which is only
/// considered when attacker-controlled data is not already executable at its address.
/// </summary>
/// <param name="simulation">The simulation receiving the transitions.</param>
public override void AddTransitionsToSimulation(Simulation simulation)
{
    MemoryContentDataType[] sprayableContent =
    {
        MemoryContentDataType.AttackerControlledData,
        MemoryContentDataType.WriteBasePointer,
        MemoryContentDataType.WriteDisplacement,
        MemoryContentDataType.WriteContent,
        MemoryContentDataType.WriteExtent,
        MemoryContentDataType.ReadBasePointer,
        MemoryContentDataType.ReadContent,
        MemoryContentDataType.ReadDisplacement,
        MemoryContentDataType.ReadExtent,
        MemoryContentDataType.FunctionPointer,
        MemoryContentDataType.CppVirtualTablePointer,
        MemoryContentDataType.CppVirtualTable,
    };

    // Heap region first, wildcard region second; transitions are registered in this order.
    MemoryRegionType[] sprayableRegions = { MemoryRegionType.Heap, MemoryRegionType.Any };

    foreach (MemoryRegionType region in sprayableRegions)
    {
        foreach (MemoryContentDataType content in sprayableContent)
        {
            MemoryAddress sprayedAddress = new MemoryAddress(content, region);

            simulation.AddRootTransition(
                this,
                new InitializeDestinationContentPrimitive(
                    $"heap spray content to init dest {sprayedAddress}",
                    destinationAddress: sprayedAddress,
                    constraints: context => context.CanInitializeContentViaHeapSpray() == true,
                    onSuccess: (SimulationContext context, ref Violation v) =>
                    {
                        context.Assume(AssumptionName.CanInitializeContentViaHeapSpray);
                        context.Assume(new Assumption.CanFindAddress(MemoryAddress.AddressOfAttackerControlledData));
                    }));

            simulation.AddRootTransition(
                this,
                new InitializeSourceContentPrimitive(
                    $"heap spray content to init src {sprayedAddress}",
                    sourceAddress: sprayedAddress,
                    constraints: context => context.CanInitializeContentViaHeapSpray() == true,
                    onSuccess: (SimulationContext context, ref Violation v) =>
                    {
                        context.Assume(AssumptionName.CanInitializeContentViaHeapSpray);
                        context.Assume(new Assumption.CanFindAddress(MemoryAddress.AddressOfAttackerControlledData));
                    }));
        }
    }

    //
    // Heap spraying can also be used to spray code (on systems that don't support or enable
    // NX).
    //
    MemoryAddress sprayedCode = new MemoryAddress(MemoryContentDataType.AttackerControlledData);

    simulation.AddRootTransition(
        this,
        new InitializeExecutableContentPrimitive(
            "initialize content with code via heap spray",
            sprayedCode,
            constraints: context =>
                // no need for this technique if we can already accomplish this via spraying data.
                context.CanExecuteMemoryAtAddress(new MemoryAddress(MemoryContentDataType.AttackerControlledData, null)) == false
                && context.CanInitializeContentViaHeapSpray() == true,
            onSuccess: (SimulationContext context, ref Violation v) =>
            {
                context.Assume(AssumptionName.CanInitializeContentViaHeapSpray);
                context.Assume(new Assumption.CanFindAddress(MemoryAddress.AddressOfAttackerControlledData));
                context.Assume(new Assumption.CanFindAddress(MemoryAddress.AddressOfAttackerControlledCode));
            }));
}