public void Execute()
{
var address = new AbstractValue(0xdeadbabe);
state = state.PushOntoStack(address);
state = contract.Execute(state);
Assert.AreEqual(address.Value, state.InstructionPointer);
}
public void Initialized()
{
var uninit = new AbstractValue(0xabcdef);
Assert.IsTrue(uninit.IsInitialized);
Assert.AreEqual(0xabcdef, uninit.Value);
}
private void Extend(UInt32 newLength)
{
// Account for element [0] of the array
newLength = newLength + 1;
if (newLength >= Length)
{
var extendedCopy = new AbstractValue[newLength];
Int32 i;
for (i = 0; i < storage.Length; i++)
{
extendedCopy[i] = storage[i];
}
for (; i < newLength; i++)
{
extendedCopy[i] = new AbstractValue(AbstractValue.UNKNOWN)
{
IsOutOfBounds = true
};
}
storage = extendedCopy;
}
return;
}
public void AddTaintOnPointer()
{
buffer = new AbstractBuffer(AbstractValue.GetNewBuffer(1));
var clean = new AbstractValue(buffer);
clean.AddTaint();
}
public void TruncateValue()
{
var dwordValue = new AbstractValue(0xdeadbeef);
var byteValue = dwordValue.TruncateValueToByte();
Assert.AreEqual(0xef, byteValue.Value);
}
public void PointerHashcodes()
{
pointer = new AbstractValue(new[] { new AbstractValue(1) });
var pointer2 = new AbstractValue(new[] { new AbstractValue(2) });
Assert.AreNotEqual(pointer.GetHashCode(), pointer2.GetHashCode());
}
public void Pointer()
{
buffer = new AbstractBuffer(new[] { new AbstractValue(2) });
pointer = new AbstractValue(buffer);
Assert.AreEqual(2, pointer.PointsTo[0].Value);
StringAssert.StartsWith("*0x00000002", pointer.ToString());
}
public AbstractBuffer DoOperation(OperatorEffect operatorEffect, AbstractValue rhs)
{
if (null == rhs)
{
throw new ArgumentNullException("rhs");
}
var lhs = this;
// TODO: should have a guard for if rhs isn't a pointer
switch (operatorEffect)
{
case OperatorEffect.Assignment:
{
var result = new AbstractBuffer(lhs);
return(result);
}
case OperatorEffect.Add:
{
var result = new AbstractBuffer(lhs);
result.BaseIndex += rhs.Value;
return(result);
}
case OperatorEffect.Sub:
{
var result = new AbstractBuffer(lhs);
if (result.BaseIndex <
rhs.Value)
{
throw new ArgumentOutOfRangeException(
String.Format(
"Attempting to set a negative baseindex, baseindex: {0:x4}, _subValue {1:x4}",
result.BaseIndex,
rhs.Value
)
);
}
result.BaseIndex -= rhs.Value;
return(result);
}
case OperatorEffect.And:
{
var result = new AbstractBuffer(lhs);
result.BaseIndex &= rhs.Value;
return(result);
}
default:
throw new ArgumentException(
String.Format("Unsupported OperatorEffect: {0}", operatorEffect), "operatorEffect");
}
}
private static RegisterCollection createRegistersForLinuxStart()
{
var linuxMainDefaultValues = new RegisterCollection();
var arg0 = new AbstractValue(1).AddTaint();
var argvBuffer = new[] { arg0 };
var argvPointer = new AbstractValue(argvBuffer);
var argvPointerBuffer = new[] { argvPointer };
var argvPointerPointer = new AbstractValue(argvPointerBuffer);
var stackBuffer = AbstractValue.GetNewBuffer(0x200);
var buffer = new AbstractBuffer(stackBuffer);
var modifiedBuffer = buffer.DoOperation(OperatorEffect.Add, new AbstractValue(0x100));
// linux ABI dictates
modifiedBuffer[5] = argvPointerPointer;
// gcc generates code that accesses this at some optimization levels
modifiedBuffer[0xfc] = new AbstractValue(1);
var stackPointer = new AbstractValue(modifiedBuffer);
linuxMainDefaultValues[RegisterName.ESP] = stackPointer;
return(linuxMainDefaultValues);
}
public void AssignmentAtEnd()
{
var values = AbstractValue.GetNewBuffer(16);
pointer = new AbstractValue(values);
pointer.PointsTo[15] = new AbstractValue(0x31337);
Assert.AreEqual(0x31337, pointer.PointsTo[15].Value);
}
public MachineState DoOperation(OperatorEffect operatorEffect, AbstractValue offset)
{
if (offset.IsPointer)
{
throw new ArgumentException("_offset pointer not supported.");
}
var newState = new MachineState(this);
switch (operatorEffect)
{
case OperatorEffect.Jnz:
{
if (!newState.zeroFlag)
{
newState.instructionPointer += offset.Value;
}
break;
}
default:
{
throw new ArgumentException(
String.Format("Unsupported OperatorEffect: {0}", operatorEffect), "operatorEffect");
}
}
return(newState);
}
public MachineState PushOntoStack(AbstractValue value)
{
var newState = DoOperation(RegisterName.ESP, OperatorEffect.Add, new AbstractValue(0x4));
newState.TopOfStack = new AbstractValue(value);
return(newState);
}
public void ReturnValueIsAliasedToEax()
{
var value = new AbstractValue(0x31337);
state.ReturnValue = value;
Assert.AreEqual(value, state.Registers[RegisterName.EAX]);
}
public void InvalidPointerAnd()
{
var one = new AbstractValue(0x1);
var buffer = new AbstractBuffer(new[] {one});
var modifiedBuffer = buffer.DoOperation(OperatorEffect.Sub, new AbstractValue(3));
modifiedBuffer.DoOperation(OperatorEffect.And, new AbstractValue(0xf));
}
public RegisterCollection()
{
registers = new AbstractValue[8];
for (UInt32 i = 0; i < registers.Length; ++i)
{
registers[i] = new AbstractValue();
}
}
public void InvalidPointerAnd()
{
var one = new AbstractValue(0x1);
var buffer = new AbstractBuffer(new[] { one });
var modifiedBuffer = buffer.DoOperation(OperatorEffect.Sub, new AbstractValue(3));
modifiedBuffer.DoOperation(OperatorEffect.And, new AbstractValue(0xf));
}
public void PointerAssignment()
{
var values = AbstractValue.GetNewBuffer(4);
var buffer = new AbstractBuffer(values);
var assignedBuffer = buffer.DoOperation(OperatorEffect.Assignment, AbstractValue.Zero);
Assert.AreNotSame(buffer, assignedBuffer);
}
public void Execute()
{
var address = new AbstractValue(0xdeadbabe);
state = state.PushOntoStack(address);
state = contract.Execute(state);
Assert.AreEqual(address.Value, state.InstructionPointer);
}
public void NotInitialized()
{
var uninitializedValue = new AbstractValue();
Assert.IsFalse(uninitializedValue.IsInitialized);
Assert.AreEqual(AbstractValue.UNKNOWN, uninitializedValue.Value);
Assert.AreEqual("?", uninitializedValue.ToString());
}
public RegisterCollection(RegisterCollection _copyMe)
{
registers = new AbstractValue[8];
for (UInt32 i = 0; i < registers.Length; ++i)
{
registers[i] = new AbstractValue(_copyMe.registers[i]);
}
}
public void AssignmentAtEnd()
{
var values = AbstractValue.GetNewBuffer(16);
pointer = new AbstractValue(values);
pointer.PointsTo[15] = new AbstractValue(0x31337);
Assert.AreEqual(0x31337, pointer.PointsTo[15].Value);
}
public void AddTaint()
{
var clean = new AbstractValue(0x31337);
Assert.IsFalse(clean.IsTainted);
var tainted = clean.AddTaint();
Assert.IsTrue(tainted.IsTainted);
Assert.AreNotSame(clean, tainted);
}
public void NoPointer()
{
var value = new AbstractValue(2).AddTaint();
Assert.IsNull(value.PointsTo);
StringAssert.Contains("0x00000002", value.ToString());
StringAssert.Contains("t", value.ToString());
}
public void SetUp()
{
var registers = new RegisterCollection();
registers[RegisterName.ESP] = new AbstractValue(AbstractValue.GetNewBuffer(1));
state = new MachineState(registers);
contract = new GLibcStartMainContract();
}
public RegisterCollection(RegisterCollection _copyMe)
{
registers = new AbstractValue[8];
for (UInt32 i = 0; i < registers.Length; ++i)
{
registers[i] = new AbstractValue(_copyMe.registers[i]);
}
}
public void AssignmentAtByteZero()
{
var values = AbstractValue.GetNewBuffer(16);
pointer = new AbstractValue(values);
pointer.PointsTo[0] = new AbstractValue(0x31337);
Assert.AreEqual(0x31337, pointer.PointsTo[0].Value);
Assert.AreEqual("*0x00031337", pointer.ToString());
}
public override MachineState Execute(MachineState state)
{
var buffer = AbstractValue.GetNewBuffer(state.TopOfStack.Value);
state.ReturnValue = new AbstractValue(buffer);
return(state);
}
public RegisterCollection()
{
registers = new AbstractValue[8];
for (UInt32 i = 0; i < registers.Length; ++i)
{
registers[i] = new AbstractValue();
}
}
public void AssignmentAtByteZero()
{
var values = AbstractValue.GetNewBuffer(16);
pointer = new AbstractValue(values);
pointer.PointsTo[0] = new AbstractValue(0x31337);
Assert.AreEqual(0x31337, pointer.PointsTo[0].Value);
Assert.AreEqual("*0x00031337", pointer.ToString());
}
public void Shr()
{
eax = new AbstractValue(0x8).AddTaint();
ebx = new AbstractValue(0x3);
state = state.DoOperation(RegisterName.EAX, OperatorEffect.Shr, RegisterName.EBX);
Assert.AreEqual(0x1, eax.Value);
Assert.IsTrue(eax.IsTainted);
}
public void And()
{
eax = new AbstractValue(0x350).AddTaint();
ebx = new AbstractValue(0xff);
state = state.DoOperation(RegisterName.EAX, OperatorEffect.And, RegisterName.EBX);
Assert.AreEqual(0x50, eax.Value);
Assert.IsTrue(eax.IsTainted);
}
public void GetNewBufferReturnsUnallocatedValues()
{
var buffer = AbstractValue.GetNewBuffer(16);
for (var i = 0; i < 16; i++)
{
Assert.IsFalse(buffer[i].IsInitialized);
}
}
public void And()
{
eax = new AbstractValue(0x350).AddTaint();
ebx = new AbstractValue(0xff);
state = state.DoOperation(RegisterName.EAX, OperatorEffect.And, RegisterName.EBX);
Assert.AreEqual(0x50, eax.Value);
Assert.IsTrue(eax.IsTainted);
}
public AbstractValue TruncateValueToByte()
{
var byteValue = Value & 0xff;
var truncatedValue = new AbstractValue(byteValue);
truncatedValue.IsTainted = IsTainted;
return(truncatedValue);
}
public void PointerAdd()
{
var buffer = AbstractValue.GetNewBuffer(0x10);
buffer[4] = one;
eax = new AbstractValue(buffer);
state = state.DoOperation(RegisterName.EAX, OperatorEffect.Add, new AbstractValue(0x4));
Assert.AreEqual(one, eax.PointsTo[0]);
}
public void MovFromGlobalIntoEax()
{
code = new Byte[] { 0xa1, 0xe4, 0x84, 0x04, 0x08 };
var value = new AbstractValue(31337);
state.DataSegment[0x080484e4] = value;
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(value, state.Registers[RegisterName.EAX]);
}
public AbstractValue(AbstractValue[] willPointTo)
{
if (willPointTo.Length == 0)
{
throw new ArgumentException("Empty buffer is not allowed", "willPointTo");
}
storage = 0xdeadbeef;
pointsTo = new AbstractBuffer(willPointTo);
}
public AbstractBuffer(AbstractValue[] values)
{
if (null == values)
{
throw new ArgumentNullException("values");
}
storage = values;
Length = storage.Length;
}
public void AssignmentRetainsOOB()
{
var oob = new AbstractValue(1)
{
IsOutOfBounds = true
};
state = state.DoOperation(RegisterName.EAX, OperatorEffect.Assignment, oob);
Assert.IsTrue(eax.IsOutOfBounds);
}
public void SetUp()
{
state = new MachineState(new RegisterCollection());
reportItems = new ReportCollection();
var buffer = new AbstractBuffer(AbstractValue.GetNewBuffer(0x200));
var pointer = new AbstractValue(buffer);
state.Registers[RegisterName.ESP] = pointer;
state = state.DoOperation(RegisterName.EBP, OperatorEffect.Assignment, RegisterName.ESP);
}
public AbstractValue(AbstractValue other)
{
if (other == null)
{
throw new ArgumentNullException("other");
}
storage = other.Value;
tainted = other.IsTainted;
IsOutOfBounds = other.IsOutOfBounds;
if (other.PointsTo != null)
{
pointsTo = new AbstractBuffer(other.PointsTo);
}
}
public void PointerAdd()
{
var one = new AbstractValue(0x1);
var two = new AbstractValue(0x2);
var three = new AbstractValue(0x3);
var four = new AbstractValue(0x4);
var values = AbstractValue.GetNewBuffer(4);
values[0] = one;
values[1] = two;
values[2] = three;
values[3] = four;
var buffer = new AbstractBuffer(values);
Assert.AreEqual(one, buffer[0]);
var modifiedBuffer = buffer.DoOperation(OperatorEffect.Add, new AbstractValue(2));
Assert.AreEqual(three, modifiedBuffer[0]);
}
public void OverflowDoesntLoseIncrement()
{
var buffer = AbstractValue.GetNewBuffer(16);
var pointer = new AbstractBuffer(buffer);
var value = new AbstractValue(0x41);
value = value.AddTaint();
pointer[0] = value;
pointer = pointer.DoOperation(OperatorEffect.Add, new AbstractValue(1));
pointer[16] = value;
pointer = pointer.DoOperation(OperatorEffect.Sub, new AbstractValue(1));
Assert.AreEqual(0x41, pointer[0].Value);
Assert.IsTrue(value.IsTainted);
Assert.AreEqual(0x41, pointer[17].Value);
Assert.IsTrue(pointer[17].IsTainted);
}
public void ZeroSizeBuffer()
{
pointer = new AbstractValue(new AbstractValue[] {});
}
public void TruncateValue()
{
var dwordValue = new AbstractValue(0xdeadbeef);
var byteValue = dwordValue.TruncateValueToByte();
Assert.AreEqual(0xef, byteValue.Value);
}
public void PointerPointerPointer()
{
buffer = new AbstractBuffer(new[] {new AbstractValue(2)});
pointer = new AbstractValue(buffer);
var pointerPointer = new AbstractValue(new[] {pointer});
var pointerPointerPointer = new AbstractValue(new[] {pointerPointer});
Assert.AreEqual(2, pointerPointerPointer.PointsTo[0].PointsTo[0].PointsTo[0].Value);
StringAssert.StartsWith("***0x00000002", pointerPointerPointer.ToString());
}
public void PointerHashcodes()
{
pointer = new AbstractValue(new[] {new AbstractValue(1)});
var pointer2 = new AbstractValue(new[] {new AbstractValue(2)});
Assert.AreNotEqual(pointer.GetHashCode(), pointer2.GetHashCode());
}
public void OutOfBoundsPropertySurvivesCopy()
{
var src = new AbstractValue(0x31337)
{
IsOutOfBounds = true
};
var dest = new AbstractValue(src);
Assert.IsTrue(dest.IsOutOfBounds);
}
public void NullCopyCtor()
{
pointer = new AbstractValue((AbstractValue)null);
}
public AbstractValue AddTaint()
{
if (PointsTo != null)
{
throw new InvalidOperationException("Cannot AddTaint to a pointer");
}
var taintedValue = new AbstractValue(this)
{
IsTainted = true
};
return taintedValue;
}
public AbstractValue TruncateValueToByte()
{
var byteValue = Value & 0xff;
var truncatedValue = new AbstractValue(byteValue);
truncatedValue.IsTainted = IsTainted;
return truncatedValue;
}
private void Extend(UInt32 newLength)
{
// Account for element [0] of the array
newLength = newLength + 1;
if (newLength >= Length)
{
var extendedCopy = new AbstractValue[newLength];
Int32 i;
for (i = 0; i < storage.Length; i++)
{
extendedCopy[i] = storage[i];
}
for (; i < newLength; i++)
{
extendedCopy[i] = new AbstractValue(AbstractValue.UNKNOWN)
{
IsOutOfBounds = true
};
}
storage = extendedCopy;
}
return;
}
public void PointerOverflowStillRetainsOldValues()
{
var test1 = new AbstractValue(0x41);
var test2 = new AbstractValue(0x42);
var buffer = AbstractValue.GetNewBuffer(2);
buffer[0] = test1;
buffer[1] = test2;
var pointer = new AbstractBuffer(buffer);
// Accessing pointer[2] will cause the AbstractBuffer to extend..
Assert.IsTrue(pointer[2].IsOutOfBounds, " value is not out of bounds");
Assert.IsFalse(pointer[2].IsInitialized);
Assert.AreEqual(AbstractValue.UNKNOWN, pointer[2].Value);
// And then we make sure the in bounds values stay the same
Assert.IsFalse(pointer[0].IsOutOfBounds);
Assert.IsFalse(pointer[1].IsOutOfBounds);
Assert.AreEqual(0x41, pointer[0].Value);
Assert.AreEqual(0x42, pointer[1].Value);
}
public void PointerOverflowTwiceStillRetainsOriginalValues()
{
var buffer = AbstractValue.GetNewBuffer(16);
var pointer = new AbstractBuffer(buffer);
// Access beyond buffer bounds forcing buffer to expand
Assert.IsTrue(pointer[17].IsOutOfBounds);
Assert.IsFalse(pointer[17].IsInitialized);
Assert.AreEqual(AbstractValue.UNKNOWN, pointer[17].Value);
pointer[17] = new AbstractValue(0x41414141);
// Access beyond previously expanded bounds to force 2nd expand
Assert.IsTrue(pointer[64].IsOutOfBounds);
Assert.IsFalse(pointer[64].IsInitialized);
Assert.AreEqual(AbstractValue.UNKNOWN, pointer[64].Value);
// check that value set outside of bounds is still the same as well
Assert.IsTrue(pointer[17].IsOutOfBounds);
Assert.AreEqual(0x41414141, pointer[17].Value);
}
public void AddTaintOnPointer()
{
buffer = new AbstractBuffer(AbstractValue.GetNewBuffer(1));
var clean = new AbstractValue(buffer);
clean.AddTaint();
}
public void EmptyBuffer()
{
pointer = new AbstractValue(new AbstractBuffer(new AbstractValue[] {}));
}
public void NoPointer()
{
var value = new AbstractValue(2).AddTaint();
Assert.IsNull(value.PointsTo);
StringAssert.Contains("0x00000002", value.ToString());
StringAssert.Contains("t", value.ToString());
}
public static AbstractValue[] GetNewBuffer(UInt32 size)
{
if (size > MAX_BUFFER_SIZE)
{
throw new ArgumentOutOfRangeException(
"size", "Size specified larger than maximum allowed: " + MAX_BUFFER_SIZE);
}
var buffer = new AbstractValue[size];
for (UInt32 i = 0; i < size; i++)
{
buffer[i] = new AbstractValue();
}
return buffer;
}
public void Initialized()
{
var uninit = new AbstractValue(0xabcdef);
Assert.IsTrue(uninit.IsInitialized);
Assert.AreEqual(0xabcdef, uninit.Value);
}
public void NotInitialized()
{
var uninitializedValue = new AbstractValue();
Assert.IsFalse(uninitializedValue.IsInitialized);
Assert.AreEqual(AbstractValue.UNKNOWN, uninitializedValue.Value);
Assert.AreEqual("?", uninitializedValue.ToString());
}