public void AddTaintOnPointer() { buffer = new AbstractBuffer(AbstractValue.GetNewBuffer(1)); var clean = new AbstractValue(buffer); clean.AddTaint(); }
private static RegisterCollection createRegistersForLinuxStart() { var linuxMainDefaultValues = new RegisterCollection(); var arg0 = new AbstractValue(1).AddTaint(); var argvBuffer = new[] { arg0 }; var argvPointer = new AbstractValue(argvBuffer); var argvPointerBuffer = new[] { argvPointer }; var argvPointerPointer = new AbstractValue(argvPointerBuffer); var stackBuffer = AbstractValue.GetNewBuffer(0x200); var buffer = new AbstractBuffer(stackBuffer); var modifiedBuffer = buffer.DoOperation(OperatorEffect.Add, new AbstractValue(0x100)); // linux ABI dictates modifiedBuffer[5] = argvPointerPointer; // gcc generates code that accesses this at some optimization levels modifiedBuffer[0xfc] = new AbstractValue(1); var stackPointer = new AbstractValue(modifiedBuffer); linuxMainDefaultValues[RegisterName.ESP] = stackPointer; return(linuxMainDefaultValues); }
public AbstractBuffer DoOperation(OperatorEffect operatorEffect, AbstractValue rhs) { if (null == rhs) { throw new ArgumentNullException("rhs"); } var lhs = this; // TODO: should have a guard for if rhs isn't a pointer switch (operatorEffect) { case OperatorEffect.Assignment: { var result = new AbstractBuffer(lhs); return(result); } case OperatorEffect.Add: { var result = new AbstractBuffer(lhs); result.BaseIndex += rhs.Value; return(result); } case OperatorEffect.Sub: { var result = new AbstractBuffer(lhs); if (result.BaseIndex < rhs.Value) { throw new ArgumentOutOfRangeException( String.Format( "Attempting to set a negative baseindex, baseindex: {0:x4}, _subValue {1:x4}", result.BaseIndex, rhs.Value ) ); } result.BaseIndex -= rhs.Value; return(result); } case OperatorEffect.And: { var result = new AbstractBuffer(lhs); result.BaseIndex &= rhs.Value; return(result); } default: throw new ArgumentException( String.Format("Unsupported OperatorEffect: {0}", operatorEffect), "operatorEffect"); } }
public void Pointer() { buffer = new AbstractBuffer(new[] { new AbstractValue(2) }); pointer = new AbstractValue(buffer); Assert.AreEqual(2, pointer.PointsTo[0].Value); StringAssert.StartsWith("*0x00000002", pointer.ToString()); }
public void InvalidPointerAnd() { var one = new AbstractValue(0x1); var buffer = new AbstractBuffer(new[] {one}); var modifiedBuffer = buffer.DoOperation(OperatorEffect.Sub, new AbstractValue(3)); modifiedBuffer.DoOperation(OperatorEffect.And, new AbstractValue(0xf)); }
public void PointerAssignment() { var values = AbstractValue.GetNewBuffer(4); var buffer = new AbstractBuffer(values); var assignedBuffer = buffer.DoOperation(OperatorEffect.Assignment, AbstractValue.Zero); Assert.AreNotSame(buffer, assignedBuffer); }
public void InvalidPointerAnd() { var one = new AbstractValue(0x1); var buffer = new AbstractBuffer(new[] { one }); var modifiedBuffer = buffer.DoOperation(OperatorEffect.Sub, new AbstractValue(3)); modifiedBuffer.DoOperation(OperatorEffect.And, new AbstractValue(0xf)); }
public AbstractValue(AbstractBuffer willPointTo) { if (willPointTo.Length == 0) { throw new ArgumentException("Empty buffer is not allowed", "willPointTo"); } storage = 0xdeadbeef; pointsTo = new AbstractBuffer(willPointTo); }
public void SetUp() { state = new MachineState(new RegisterCollection()); reportItems = new ReportCollection(); var buffer = new AbstractBuffer(AbstractValue.GetNewBuffer(0x200)); var pointer = new AbstractValue(buffer); state.Registers[RegisterName.ESP] = pointer; state = state.DoOperation(RegisterName.EBP, OperatorEffect.Assignment, RegisterName.ESP); }
public void PointerOverflowByOne() { var buffer = AbstractValue.GetNewBuffer(16); var pointer = new AbstractBuffer(buffer); var value = pointer[16]; Assert.IsTrue(value.IsOutOfBounds); Assert.IsFalse(value.IsInitialized); Assert.AreEqual(AbstractValue.UNKNOWN, value.Value); }
public AbstractBuffer(AbstractBuffer other) { if (null == other) { throw new ArgumentNullException("other"); } BaseIndex = other.BaseIndex; Length = other.Length; storage = new AbstractValue[other.storage.Length]; Array.Copy(other.storage, storage, other.storage.Length); }
public void Copy() { var values = AbstractValue.GetNewBuffer(4); var buffer = new AbstractBuffer(values); var newBuffer = new AbstractBuffer(buffer); Assert.AreNotSame(newBuffer, buffer); for (var index = 0; index < newBuffer.Length; index++) { Assert.AreSame(newBuffer[index], buffer[index]); } }
public AbstractValue(AbstractValue other) { if (other == null) { throw new ArgumentNullException("other"); } storage = other.Value; tainted = other.IsTainted; IsOutOfBounds = other.IsOutOfBounds; if (other.PointsTo != null) { pointsTo = new AbstractBuffer(other.PointsTo); } }
public void MovPtrEspEax() { // mov [esp]. eax code = new Byte[] { 0x89, 0x04, 0x24 }; state.Registers[RegisterName.EAX] = new AbstractValue(0x10); var values = new[] { new AbstractValue(1) }; var buffer = new AbstractBuffer(values); state.Registers[RegisterName.ESP] = new AbstractValue(buffer); state = X86Emulator.Run(reportItems, state, code); var espBuffer = state.Registers[RegisterName.ESP].PointsTo; Assert.AreEqual(0x10, espBuffer[0].Value); }
public void LeaEaxFromEdxPlusEax() { // lea eax,[edx+eax] code = new Byte[] { 0x8d, 0x04, 0x02 }; var zero = new AbstractValue(0); var two = new AbstractValue(2); var values = new[] { zero, two }; var buffer = new AbstractBuffer(values); state.Registers[RegisterName.EDX] = new AbstractValue(buffer); state.Registers[RegisterName.EAX] = new AbstractValue(1); state = X86Emulator.Run(reportItems, state, code); var eax = state.Registers[RegisterName.EAX]; Assert.AreEqual(two.Value, eax.PointsTo[0].Value); }
public void LeaEdxFromEaxPlus16() { // lea edx,[eax+index] const byte INDEX = 0x1; code = new Byte[] { 0x8d, 0x50, INDEX }; var zero = new AbstractValue(0); var values = new[] { zero, one }; var buffer = new AbstractBuffer(values); state.Registers[RegisterName.EAX] = new AbstractValue(buffer); state = X86Emulator.Run(reportItems, state, code); var edx = state.Registers[RegisterName.EDX]; Assert.IsNotNull(edx); Assert.AreEqual(one, edx.PointsTo[0]); }
public void OverflowDoesntLoseIncrement() { var buffer = AbstractValue.GetNewBuffer(16); var pointer = new AbstractBuffer(buffer); var value = new AbstractValue(0x41); value = value.AddTaint(); pointer[0] = value; pointer = pointer.DoOperation(OperatorEffect.Add, new AbstractValue(1)); pointer[16] = value; pointer = pointer.DoOperation(OperatorEffect.Sub, new AbstractValue(1)); Assert.AreEqual(0x41, pointer[0].Value); Assert.IsTrue(value.IsTainted); Assert.AreEqual(0x41, pointer[17].Value); Assert.IsTrue(pointer[17].IsTainted); }
public void PointerAdd() { var one = new AbstractValue(0x1); var two = new AbstractValue(0x2); var three = new AbstractValue(0x3); var four = new AbstractValue(0x4); var values = AbstractValue.GetNewBuffer(4); values[0] = one; values[1] = two; values[2] = three; values[3] = four; var buffer = new AbstractBuffer(values); Assert.AreEqual(one, buffer[0]); var modifiedBuffer = buffer.DoOperation(OperatorEffect.Add, new AbstractValue(2)); Assert.AreEqual(three, modifiedBuffer[0]); }
public void PointerOverflowTwiceStillRetainsOriginalValues() { var buffer = AbstractValue.GetNewBuffer(16); var pointer = new AbstractBuffer(buffer); // Access beyond buffer bounds forcing buffer to expand Assert.IsTrue(pointer[17].IsOutOfBounds); Assert.IsFalse(pointer[17].IsInitialized); Assert.AreEqual(AbstractValue.UNKNOWN, pointer[17].Value); pointer[17] = new AbstractValue(0x41414141); // Access beyond previously expanded bounds to force 2nd expand Assert.IsTrue(pointer[64].IsOutOfBounds); Assert.IsFalse(pointer[64].IsInitialized); Assert.AreEqual(AbstractValue.UNKNOWN, pointer[64].Value); // check that value set outside of bounds is still the same as well Assert.IsTrue(pointer[17].IsOutOfBounds); Assert.AreEqual(0x41414141, pointer[17].Value); }
public void PointerOverflowStillRetainsOldValues() { var test1 = new AbstractValue(0x41); var test2 = new AbstractValue(0x42); var buffer = AbstractValue.GetNewBuffer(2); buffer[0] = test1; buffer[1] = test2; var pointer = new AbstractBuffer(buffer); // Accessing pointer[2] will cause the AbstractBuffer to extend.. Assert.IsTrue(pointer[2].IsOutOfBounds, " value is not out of bounds"); Assert.IsFalse(pointer[2].IsInitialized); Assert.AreEqual(AbstractValue.UNKNOWN, pointer[2].Value); // And then we make sure the in bounds values stay the same Assert.IsFalse(pointer[0].IsOutOfBounds); Assert.IsFalse(pointer[1].IsOutOfBounds); Assert.AreEqual(0x41, pointer[0].Value); Assert.AreEqual(0x42, pointer[1].Value); }
public void MovPtrEspEax() { // mov [esp]. eax code = new Byte[] {0x89, 0x04, 0x24}; state.Registers[RegisterName.EAX] = new AbstractValue(0x10); var values = new[] {new AbstractValue(1)}; var buffer = new AbstractBuffer(values); state.Registers[RegisterName.ESP] = new AbstractValue(buffer); state = X86Emulator.Run(reportItems, state, code); var espBuffer = state.Registers[RegisterName.ESP].PointsTo; Assert.AreEqual(0x10, espBuffer[0].Value); }
public void PointerSub() { var one = new AbstractValue(0x1); var two = new AbstractValue(0x2); var three = new AbstractValue(0x3); var four = new AbstractValue(0x4); var values = AbstractValue.GetNewBuffer(4); values[0] = one; values[1] = two; values[2] = three; values[3] = four; var buffer = new AbstractBuffer(values); Assert.AreEqual(one, buffer[0]); var modifiedBuffer = buffer.DoOperation(OperatorEffect.Add, new AbstractValue(2)); Assert.AreEqual(three, modifiedBuffer[0]); var subbedBuffer = modifiedBuffer.DoOperation(OperatorEffect.Sub, new AbstractValue(2)); Assert.AreEqual(one, subbedBuffer[0]); }
public void OverflowZeroSizeBuffer() { var f = new AbstractBuffer(new AbstractValue[] {}); Assert.IsFalse(f[0].IsInitialized); }
public AbstractBuffer DoOperation(OperatorEffect operatorEffect, AbstractValue rhs) { if (null == rhs) { throw new ArgumentNullException("rhs"); } var lhs = this; // TODO: should have a guard for if rhs isn't a pointer switch (operatorEffect) { case OperatorEffect.Assignment: { var result = new AbstractBuffer(lhs); return result; } case OperatorEffect.Add: { var result = new AbstractBuffer(lhs); result.BaseIndex += rhs.Value; return result; } case OperatorEffect.Sub: { var result = new AbstractBuffer(lhs); if (result.BaseIndex < rhs.Value) { throw new ArgumentOutOfRangeException( String.Format( "Attempting to set a negative baseindex, baseindex: {0:x4}, _subValue {1:x4}", result.BaseIndex, rhs.Value ) ); } result.BaseIndex -= rhs.Value; return result; } case OperatorEffect.And: { var result = new AbstractBuffer(lhs); result.BaseIndex &= rhs.Value; return result; } default: throw new ArgumentException( String.Format("Unsupported OperatorEffect: {0}", operatorEffect), "operatorEffect"); } }
public void PointerPointerPointer() { buffer = new AbstractBuffer(new[] {new AbstractValue(2)}); pointer = new AbstractValue(buffer); var pointerPointer = new AbstractValue(new[] {pointer}); var pointerPointerPointer = new AbstractValue(new[] {pointerPointer}); Assert.AreEqual(2, pointerPointerPointer.PointsTo[0].PointsTo[0].PointsTo[0].Value); StringAssert.StartsWith("***0x00000002", pointerPointerPointer.ToString()); }
public void LeaEdxFromEaxPlus16() { // lea edx,[eax+index] const byte INDEX = 0x1; code = new Byte[] {0x8d, 0x50, INDEX}; var zero = new AbstractValue(0); var values = new[] {zero, one}; var buffer = new AbstractBuffer(values); state.Registers[RegisterName.EAX] = new AbstractValue(buffer); state = X86Emulator.Run(reportItems, state, code); var edx = state.Registers[RegisterName.EDX]; Assert.IsNotNull(edx); Assert.AreEqual(one, edx.PointsTo[0]); }
public void PointerAnd() { var one = new AbstractValue(0x1); var two = new AbstractValue(0x2); var three = new AbstractValue(0x3); var four = new AbstractValue(0x4); var values = AbstractValue.GetNewBuffer(4); values[0] = one; values[1] = two; values[2] = three; values[3] = four; var buffer = new AbstractBuffer(values); Assert.AreEqual(one, buffer[0]); var modifiedBuffer = buffer.DoOperation(OperatorEffect.Add, new AbstractValue(3)); Assert.AreEqual(four, modifiedBuffer[0]); var andedBuffer = modifiedBuffer.DoOperation(OperatorEffect.And, new AbstractValue(0xfffffff0)); Assert.AreEqual(one, andedBuffer[0]); }
public void LeaEaxFromEdxPlusEax() { // lea eax,[edx+eax] code = new Byte[] {0x8d, 0x04, 0x02}; var zero = new AbstractValue(0); var two = new AbstractValue(2); var values = new[] {zero, two}; var buffer = new AbstractBuffer(values); state.Registers[RegisterName.EDX] = new AbstractValue(buffer); state.Registers[RegisterName.EAX] = new AbstractValue(1); state = X86Emulator.Run(reportItems, state, code); var eax = state.Registers[RegisterName.EAX]; Assert.AreEqual(two.Value, eax.PointsTo[0].Value); }