private static RegisterCollection createRegistersForLinuxStart()
{
var linuxMainDefaultValues = new RegisterCollection();
var arg0 = new AbstractValue(1).AddTaint();
var argvBuffer = new[] { arg0 };
var argvPointer = new AbstractValue(argvBuffer);
var argvPointerBuffer = new[] { argvPointer };
var argvPointerPointer = new AbstractValue(argvPointerBuffer);
var stackBuffer = AbstractValue.GetNewBuffer(0x200);
var buffer = new AbstractBuffer(stackBuffer);
var modifiedBuffer = buffer.DoOperation(OperatorEffect.Add, new AbstractValue(0x100));
// linux ABI dictates
modifiedBuffer[5] = argvPointerPointer;
// gcc generates code that accesses this at some optimization levels
modifiedBuffer[0xfc] = new AbstractValue(1);
var stackPointer = new AbstractValue(modifiedBuffer);
linuxMainDefaultValues[RegisterName.ESP] = stackPointer;
return(linuxMainDefaultValues);
}
public void AddTaintOnPointer()
{
buffer = new AbstractBuffer(AbstractValue.GetNewBuffer(1));
var clean = new AbstractValue(buffer);
clean.AddTaint();
}
public void AssignmentAtEnd()
{
var values = AbstractValue.GetNewBuffer(16);
pointer = new AbstractValue(values);
pointer.PointsTo[15] = new AbstractValue(0x31337);
Assert.AreEqual(0x31337, pointer.PointsTo[15].Value);
}
public void SetUp()
{
var registers = new RegisterCollection();
registers[RegisterName.ESP] = new AbstractValue(AbstractValue.GetNewBuffer(1));
state = new MachineState(registers);
contract = new GLibcStartMainContract();
}
public override MachineState Execute(MachineState state)
{
var buffer = AbstractValue.GetNewBuffer(state.TopOfStack.Value);
state.ReturnValue = new AbstractValue(buffer);
return(state);
}
public void PointerAssignment()
{
var values = AbstractValue.GetNewBuffer(4);
var buffer = new AbstractBuffer(values);
var assignedBuffer = buffer.DoOperation(OperatorEffect.Assignment, AbstractValue.Zero);
Assert.AreNotSame(buffer, assignedBuffer);
}
public void GetNewBufferReturnsUnallocatedValues()
{
var buffer = AbstractValue.GetNewBuffer(16);
for (var i = 0; i < 16; i++)
{
Assert.IsFalse(buffer[i].IsInitialized);
}
}
public void AssignmentAtByteZero()
{
var values = AbstractValue.GetNewBuffer(16);
pointer = new AbstractValue(values);
pointer.PointsTo[0] = new AbstractValue(0x31337);
Assert.AreEqual(0x31337, pointer.PointsTo[0].Value);
Assert.AreEqual("*0x00031337", pointer.ToString());
}
public void PointerAdd()
{
var buffer = AbstractValue.GetNewBuffer(0x10);
buffer[4] = one;
eax = new AbstractValue(buffer);
state = state.DoOperation(RegisterName.EAX, OperatorEffect.Add, new AbstractValue(0x4));
Assert.AreEqual(one, eax.PointsTo[0]);
}
public void SetUp()
{
state = new MachineState(new RegisterCollection());
reportItems = new ReportCollection();
var buffer = new AbstractBuffer(AbstractValue.GetNewBuffer(0x200));
var pointer = new AbstractValue(buffer);
state.Registers[RegisterName.ESP] = pointer;
state = state.DoOperation(RegisterName.EBP, OperatorEffect.Assignment, RegisterName.ESP);
}
public void PointerOverflowByOne()
{
var buffer = AbstractValue.GetNewBuffer(16);
var pointer = new AbstractBuffer(buffer);
var value = pointer[16];
Assert.IsTrue(value.IsOutOfBounds);
Assert.IsFalse(value.IsInitialized);
Assert.AreEqual(AbstractValue.UNKNOWN, value.Value);
}
public void Copy()
{
state.Registers[RegisterName.ESP] = new AbstractValue(new AbstractBuffer(AbstractValue.GetNewBuffer(10)));
var newState = new MachineState(state);
Assert.AreNotSame(newState, state);
Assert.AreNotSame(newState.Registers, state.Registers);
Assert.AreNotSame(newState.DataSegment, state.DataSegment);
Assert.AreNotSame(newState.ReturnValue, state.ReturnValue);
Assert.AreSame(newState.TopOfStack, state.TopOfStack);
}
public void PushTwiceThenManuallyAdjustStackThenAssignToEbp()
{
var buffer = AbstractValue.GetNewBuffer(0x20);
esp = new AbstractValue(buffer);
state = state.PushOntoStack(one);
state = state.PushOntoStack(two);
state = state.DoOperation(RegisterName.ESP, OperatorEffect.Sub, new AbstractValue(0x4));
Assert.AreEqual(one, state.TopOfStack);
}
public void PushPopThenAssignToTop()
{
var buffer = AbstractValue.GetNewBuffer(0x20);
esp = new AbstractValue(buffer);
state = state.PushOntoStack(one);
// TODO(matt_hargett): extract into state.PopOffStack()
state = state.DoOperation(RegisterName.ESP, OperatorEffect.Sub, new AbstractValue(0x4));
state = state.DoOperation(RegisterName.ESP, 0, OperatorEffect.Assignment, two);
Assert.AreEqual(two, state.TopOfStack);
}
public void MovIntoAssignedEaxInBounds()
{
const Byte VALUE = 0x01;
const byte INDEX = 0xf;
var buffer = AbstractValue.GetNewBuffer(16);
var pointer = new AbstractValue(buffer);
state.ReturnValue = pointer;
code = new Byte[] { 0xc6, 0x40, INDEX, VALUE };
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(VALUE, state.ReturnValue.PointsTo[INDEX].Value);
}
public void MovEbpMinus8()
{
// mov DWORD PTR [ebp-8],0xf
const byte FIFTEEN = 0x0f;
var value = AbstractValue.GetNewBuffer(0x100);
state.Registers[RegisterName.EBP] = new AbstractValue(value);
code = new Byte[] { 0xc7, 0x45, 0xf8, FIFTEEN, 0x00, 0x00, 0x00 };
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(FIFTEEN, state.Registers[RegisterName.EBP].PointsTo[0xf8].Value);
}
public void PointerSub()
{
var buffer = AbstractValue.GetNewBuffer(0x10);
buffer[0] = one;
eax = new AbstractValue(buffer);
ebx = new AbstractValue(0x4);
state = state.DoOperation(RegisterName.EAX, OperatorEffect.Add, RegisterName.EBX);
Assert.IsNotNull(eax.PointsTo);
state = state.DoOperation(RegisterName.EAX, OperatorEffect.Sub, RegisterName.EBX);
Assert.AreEqual(one, eax.PointsTo[0]);
}
public void MovBytePtrEaxInBounds()
{
// mov BYTE PTR [eax], value
const byte VALUE = 0x01;
var buffer = AbstractValue.GetNewBuffer(16);
var pointer = new AbstractValue(buffer);
state.ReturnValue = pointer;
code = new Byte[] { 0xc6, 0x00, VALUE };
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(VALUE, state.ReturnValue.PointsTo[0].Value);
}
public void Copy()
{
registers[RegisterName.ESP] = new AbstractValue(new AbstractBuffer(AbstractValue.GetNewBuffer(10)));
var newRegisters = new RegisterCollection(registers);
for (UInt32 i = 0; i < 7; i++)
{
var register = (RegisterName)i;
Assert.AreNotSame(newRegisters[register], registers[register]);
}
Assert.AreNotSame(newRegisters[RegisterName.ESP].PointsTo, registers[RegisterName.ESP].PointsTo);
}
public void Copy()
{
var values = AbstractValue.GetNewBuffer(4);
var buffer = new AbstractBuffer(values);
var newBuffer = new AbstractBuffer(buffer);
Assert.AreNotSame(newBuffer, buffer);
for (var index = 0; index < newBuffer.Length; index++)
{
Assert.AreSame(newBuffer[index], buffer[index]);
}
}
public void MovPtrEax16()
{
// mov DWORD PTR [eax],0x10
var value = AbstractValue.GetNewBuffer(1);
state.Registers[RegisterName.EAX] = new AbstractValue(value);
code = new Byte[] { 0xc7, 0x00, 0x10, 0x00, 0x00, 0x00 };
state = X86Emulator.Run(reportItems, state, code);
var sixteen = state.Registers[RegisterName.EAX].PointsTo[0];
Assert.AreEqual(0x10, sixteen.Value);
}
public void MovEaxEbpPlusTwelve()
{
var buffer = AbstractValue.GetNewBuffer(16);
buffer[12] = new AbstractValue(1);
var pointer = new AbstractValue(buffer);
state.Registers[RegisterName.EBP] = pointer;
code = new Byte[] { 0x8b, 0x45, 0xc };
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(0x3, state.InstructionPointer);
Assert.AreEqual(1, state.ReturnValue.Value);
}
public void MovDwordPtrEaxPlus16FromEbx()
{
// mov BYTE PTR [eax+16],bl
const byte OFFSET = 0x10;
state.Registers[RegisterName.EBX] = new AbstractValue(0x1);
var buffer = AbstractValue.GetNewBuffer((uint)OFFSET + 1);
var pointer = new AbstractValue(buffer);
state.Registers[RegisterName.EAX] = pointer;
code = new Byte[] { 0x89, 0x58, OFFSET };
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(0x1, state.Registers[RegisterName.EAX].PointsTo[OFFSET].Value);
}
public void MovIntoAssignedEaxOutOfBounds()
{
const byte VALUE = 0x01;
const byte INDEX = 0x10;
var buffer = AbstractValue.GetNewBuffer(INDEX);
var pointer = new AbstractValue(buffer);
state.ReturnValue = pointer;
var nopCode = new Byte[] { 0x90 };
code = new Byte[] { 0xc6, 0x40, INDEX, VALUE };
state = X86Emulator.Run(reportItems, state, nopCode);
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(1, reportItems.Count);
Assert.AreEqual(nopCode.Length, reportItems[0].InstructionPointer);
Assert.IsFalse(reportItems[0].IsTainted);
}
public void PointerAnd()
{
var buffer = AbstractValue.GetNewBuffer(0x10);
buffer[4] = one;
eax = new AbstractValue(buffer);
state = state.DoOperation(RegisterName.EAX, OperatorEffect.Add, new AbstractValue(0x4));
Assert.AreEqual(one, eax.PointsTo[0]);
var andValue = new AbstractValue(0xfffffff0);
var newState = state.DoOperation(RegisterName.EAX, OperatorEffect.And, andValue);
Assert.AreNotSame(newState, state);
Assert.AreNotEqual(newState, state);
state = newState;
Assert.AreEqual(one, eax.PointsTo[4]);
}
public void CmpEbpPlusEight0()
{
// cmp DWORD PTR [ebp+8],0x0
code = new Byte[] { 0x83, 0x7d, 0x08, 0x0 };
var buffer = AbstractValue.GetNewBuffer(16);
var pointer = new AbstractValue(buffer);
state.Registers[RegisterName.EBP] = pointer;
state.Registers[RegisterName.EBP].PointsTo[8] = new AbstractValue(1);
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(0x4, state.InstructionPointer);
Assert.IsFalse(state.ZeroFlag);
state.Registers[RegisterName.EBP].PointsTo[8] = new AbstractValue(0);
state = X86Emulator.Run(reportItems, state, code);
Assert.AreEqual(0x8, state.InstructionPointer);
Assert.IsTrue(state.ZeroFlag);
}
public void PointerAdd()
{
var one = new AbstractValue(0x1);
var two = new AbstractValue(0x2);
var three = new AbstractValue(0x3);
var four = new AbstractValue(0x4);
var values = AbstractValue.GetNewBuffer(4);
values[0] = one;
values[1] = two;
values[2] = three;
values[3] = four;
var buffer = new AbstractBuffer(values);
Assert.AreEqual(one, buffer[0]);
var modifiedBuffer = buffer.DoOperation(OperatorEffect.Add, new AbstractValue(2));
Assert.AreEqual(three, modifiedBuffer[0]);
}
public void PointerOverflowTwiceStillRetainsOriginalValues()
{
var buffer = AbstractValue.GetNewBuffer(16);
var pointer = new AbstractBuffer(buffer);
// Access beyond buffer bounds forcing buffer to expand
Assert.IsTrue(pointer[17].IsOutOfBounds);
Assert.IsFalse(pointer[17].IsInitialized);
Assert.AreEqual(AbstractValue.UNKNOWN, pointer[17].Value);
pointer[17] = new AbstractValue(0x41414141);
// Access beyond previously expanded bounds to force 2nd expand
Assert.IsTrue(pointer[64].IsOutOfBounds);
Assert.IsFalse(pointer[64].IsInitialized);
Assert.AreEqual(AbstractValue.UNKNOWN, pointer[64].Value);
// check that value set outside of bounds is still the same as well
Assert.IsTrue(pointer[17].IsOutOfBounds);
Assert.AreEqual(0x41414141, pointer[17].Value);
}
public void OverflowDoesntLoseIncrement()
{
var buffer = AbstractValue.GetNewBuffer(16);
var pointer = new AbstractBuffer(buffer);
var value = new AbstractValue(0x41);
value = value.AddTaint();
pointer[0] = value;
pointer = pointer.DoOperation(OperatorEffect.Add, new AbstractValue(1));
pointer[16] = value;
pointer = pointer.DoOperation(OperatorEffect.Sub, new AbstractValue(1));
Assert.AreEqual(0x41, pointer[0].Value);
Assert.IsTrue(value.IsTainted);
Assert.AreEqual(0x41, pointer[17].Value);
Assert.IsTrue(pointer[17].IsTainted);
}
public void PointerOverflowStillRetainsOldValues()
{
var test1 = new AbstractValue(0x41);
var test2 = new AbstractValue(0x42);
var buffer = AbstractValue.GetNewBuffer(2);
buffer[0] = test1;
buffer[1] = test2;
var pointer = new AbstractBuffer(buffer);
// Accessing pointer[2] will cause the AbstractBuffer to extend..
Assert.IsTrue(pointer[2].IsOutOfBounds, " value is not out of bounds");
Assert.IsFalse(pointer[2].IsInitialized);
Assert.AreEqual(AbstractValue.UNKNOWN, pointer[2].Value);
// And then we make sure the in bounds values stay the same
Assert.IsFalse(pointer[0].IsOutOfBounds);
Assert.IsFalse(pointer[1].IsOutOfBounds);
Assert.AreEqual(0x41, pointer[0].Value);
Assert.AreEqual(0x42, pointer[1].Value);
}