From 62ea3df536faae7e1706bbbc2c19cf43c4dae213 Mon Sep 17 00:00:00 2001 From: Cyrille Bagard Date: Sat, 25 Apr 2015 09:21:32 +0000 Subject: Included a new plugin to mark calls to exit() functions as return points. git-svn-id: svn://svn.gna.org/svn/chrysalide/trunk@517 abbe820e-26c8-41b2-8c08-b7b2b41f8b0a --- ChangeLog | 19 ++++++ configure.ac | 1 + plugins/Makefile.am | 2 +- plugins/libcsem/Makefile.am | 13 ++++ plugins/libcsem/exit.c | 122 +++++++++++++++++++++++++++++++++++++ plugins/libcsem/exit.h | 37 +++++++++++ plugins/libcsem/semantic.c | 62 +++++++++++++++++++ plugins/libcsem/semantic.h | 39 ++++++++++++ src/analysis/disass/disassembler.c | 33 ++++++++++ src/plugins/plugin-def.h | 34 +++++++++-- 10 files changed, 357 insertions(+), 5 deletions(-) create mode 100644 plugins/libcsem/Makefile.am create mode 100644 plugins/libcsem/exit.c create mode 100644 plugins/libcsem/exit.h create mode 100644 plugins/libcsem/semantic.c create mode 100644 plugins/libcsem/semantic.h diff --git a/ChangeLog b/ChangeLog index b9f23cc..1e95e36 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,22 @@ +15-04-25 Cyrille Bagard + + * configure.ac: + Add the new Makefile from the 'plugins/libcsem directory. + + * plugins/libcsem/exit.c: + * plugins/libcsem/exit.h: + * plugins/libcsem/Makefile.am: + * plugins/libcsem/semantic.c: + * plugins/libcsem/semantic.h: + New entries: include a new plugin to mark calls to exit() functions as return points. + + * plugins/Makefile.am: + Add libcsem to SUBDIRS. + + * src/analysis/disass/disassembler.c: + * src/plugins/plugin-def.h: + Define new kinds of plugin hooks. + 15-04-24 Cyrille Bagard * src/gtkext/graph/nodes/flow.c: diff --git a/configure.ac b/configure.ac index f4f7483..42f802a 100644 --- a/configure.ac +++ b/configure.ac 
@@ -261,6 +261,7 @@ AC_CONFIG_FILES([Makefile plugins/androhelpers/Makefile plugins/devdbg/Makefile plugins/govm/Makefile + plugins/libcsem/Makefile plugins/mobicore/Makefile plugins/pychrysa/Makefile plugins/pychrysa/analysis/Makefile diff --git a/plugins/Makefile.am b/plugins/Makefile.am index de8fa29..2fdd3ad 100644 --- a/plugins/Makefile.am +++ b/plugins/Makefile.am @@ -1,2 +1,2 @@ -SUBDIRS = androhelpers devdbg mobicore pychrysa python readelf stackvars +SUBDIRS = androhelpers devdbg libcsem mobicore pychrysa python readelf stackvars diff --git a/plugins/libcsem/Makefile.am b/plugins/libcsem/Makefile.am new file mode 100644 index 0000000..1c8ad9c --- /dev/null +++ b/plugins/libcsem/Makefile.am @@ -0,0 +1,13 @@ + +lib_LTLIBRARIES = liblibcsem.la + +liblibcsem_la_SOURCES = \ + exit.h exit.c \ + semantic.h semantic.c + +liblibcsem_la_CFLAGS = $(AM_CFLAGS) + + +AM_CPPFLAGS = $(LIBGTK_CFLAGS) $(LIBXML_CFLAGS) -I../../src + +AM_CFLAGS = $(DEBUG_CFLAGS) $(WARNING_FLAGS) $(COMPLIANCE_FLAGS) diff --git a/plugins/libcsem/exit.c b/plugins/libcsem/exit.c new file mode 100644 index 0000000..fbe0923 --- /dev/null +++ b/plugins/libcsem/exit.c 
@@ -0,0 +1,122 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * exit.c - définition des sorties comme points de non retour + * + * Copyright (C) 2015 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * OpenIDA is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * OpenIDA is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Foobar. If not, see . + */ + + +#include "exit.h" + + + +/* Modifie toutes les instructions appelant exit(). */ +static void mark_one_kind_of_exit_as_return(const GLoadedBinary *, const char *); + + + +/****************************************************************************** +* * +* Paramètres : binary = binaire dont le contenu est en cours de traitement. * +* * +* Description : Modifie toutes les instructions appelant exit(). 
* +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +static void mark_one_kind_of_exit_as_return(const GLoadedBinary *binary, const char *fname) +{ + GBinFormat *format; /* Format du fichier binaire */ + GBinSymbol *symbol; /* Symbole de fonction trouvé */ + const mrange_t *range; /* Emplacement du symbole */ + GArchProcessor *proc; /* Architecture du binaire */ + GArchInstruction *instr; /* Instruction de sortie */ + GArchInstruction **sources; /* Instructions diverses liées */ + InstructionLinkType *types; /* Types de lien existants */ + size_t count; /* Nbre de sources affichées */ + size_t i; /* Boucle de parcours */ + + format = G_BIN_FORMAT(g_loaded_binary_get_format(binary)); + + if (!g_binary_format_find_symbol_by_label(format, fname, &symbol)) + goto mokoear_exit; + + if (g_binary_symbol_get_target_type(symbol) != STP_ROUTINE) + goto mokoear_done_with_sym; + + range = g_binary_symbol_get_range(symbol); + + proc = g_loaded_binary_get_processor(binary); + + instr = g_arch_processor_find_instr_by_address(proc, get_mrange_addr(range)); + + count = g_arch_instruction_get_sources(instr, &sources, &types); + + for (i = 0; i < count; i++) + { + if (types[i] != ILT_CALL) continue; + + g_arch_instruction_define_as_return(sources[i], true); + + } + + g_object_unref(G_OBJECT(proc)); + + mokoear_done_with_sym: + + g_object_unref(G_OBJECT(symbol)); + + mokoear_exit: + + //g_object_unref(G_OBJECT(format)); + + ; + +} + + +/****************************************************************************** +* * +* Paramètres : binary = binaire dont le contenu est en cours de traitement. * +* * +* Description : Modifie toutes les instructions appelant exit(). 
* +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +void mark_exit_calls_as_return_instructions(const GLoadedBinary *binary) +{ + const char **iter; /* Boucle de parcours */ + + static const char *exit_functions[] = { + "exit", + "_exit", + "_Exit", + NULL + }; + + for (iter = exit_functions; *iter != NULL; iter++) + mark_one_kind_of_exit_as_return(binary, *iter); + +} diff --git a/plugins/libcsem/exit.h b/plugins/libcsem/exit.h new file mode 100644 index 0000000..f580036 --- /dev/null +++ b/plugins/libcsem/exit.h @@ -0,0 +1,37 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * exit.h - prototypes pour la définition des sorties comme points de non retour + * + * Copyright (C) 2015 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * OpenIDA is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * OpenIDA is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Foobar. If not, see . + */ + + +#ifndef _PLUGINS_LIBCSEM_EXIT_H +#define _PLUGINS_LIBCSEM_EXIT_H + + +#include + + + +/* Modifie toutes les instructions appelant exit(). */ +void mark_exit_calls_as_return_instructions(const GLoadedBinary *); + + + +#endif /* _PLUGINS_LIBCSEM_EXIT_H */ diff --git a/plugins/libcsem/semantic.c b/plugins/libcsem/semantic.c new file mode 100644 index 0000000..2da2ea6 --- /dev/null +++ b/plugins/libcsem/semantic.c 
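Review bot: In `mark_one_kind_of_exit_as_return`, the result of `g_arch_processor_find_instr_by_address()` is passed straight to `g_arch_instruction_get_sources(instr, ...)` with no NULL check, so a symbol labelled `exit` whose address carries no disassembled instruction (an import stub, or a symbol table the analyzed binary supplies with an address outside the disassembled ranges) dereferences NULL inside the plugin. A guard of the form `if (instr == NULL) goto mokoear_done_with_proc;`, with a label that still releases `proc` before falling through to `mokoear_done_with_sym:`, keeps the function's existing goto cleanup shape. The commented-out `g_object_unref(G_OBJECT(format))` behind `mokoear_exit:` leaves the ownership of `format` undocumented; either the unref belongs back, or a comment should state that `g_loaded_binary_get_format()` returns a borrowed reference, which this hunk does not let me confirm. The parameter box above the function lists only `binary`; adding `fname = label of the exit routine to look up.` keeps it in step with the signature. Since the lookup is by label from the analyzed binary's own symbol table, any routine that binary exports under one of the `exit_functions` names will have its callers marked as non-returning, which is inherent to the heuristic but worth a one-line comment on the table so a reader knows the truncation is label-driven rather than behavior-driven.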
@@ -0,0 +1,62 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * semantic.c - prise en charge personnalisée de la bibliothèque C + * + * Copyright (C) 2015 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * OpenIDA is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * OpenIDA is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Foobar. If not, see . + */ + + +#include "semantic.h" + + +#include + + +#include "exit.h" + + + +DEFINE_CHRYSALIDE_ACTIVE_PLUGIN("LibC semantics", "Register semantic information relative to the libc", "0.1.0", + PGA_DISASSEMBLY_HOOKED_POST); + + + +/****************************************************************************** +* * +* Paramètres : plugin = greffon à manipuler. * +* action = type d'action attendue. * +* binary = binaire dont le contenu est en cours de traitement. * +* * +* Description : Exécute une action pendant un désassemblage de binaire. * +* * +* Retour : - * +* * +* Remarques : - * +* * +******************************************************************************/ + +G_MODULE_EXPORT void process_binary_disassembly(const GPluginModule *plugin, PluginAction action, GLoadedBinary *binary) +{ + if (action == PGA_DISASSEMBLY_HOOKED_POST) + { + /* Traitement de appels à exit() ou fonctions similaires */ + mark_exit_calls_as_return_instructions(binary); + + } + +} diff --git a/plugins/libcsem/semantic.h b/plugins/libcsem/semantic.h new file mode 100644 index 0000000..72ce0ce --- /dev/null +++ b/plugins/libcsem/semantic.h 
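Review bot: Nothing in `semantic.c` states why `PGA_DISASSEMBLY_HOOKED_POST` is the stage this plugin registers for: `mark_exit_calls_as_return_instructions()` consults `ILT_CALL` sources, so it presumably only does useful work once call links between instructions exist, which would not hold at `PGA_DISASSEMBLY_RAW`. A comment on the `DEFINE_CHRYSALIDE_ACTIVE_PLUGIN(...)` registration such as `/* runs after the 'link' hooks so that ILT_CALL sources of exit() are already populated */` would keep a later reordering of the disassembly stages from silently turning the plugin into a no-op. The `action == PGA_DISASSEMBLY_HOOKED_POST` test in `process_binary_disassembly` is the only guard, so if the plugin is ever registered for additional stages the dispatch should become a `switch` with a `default` rather than a single `if`.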
@@ -0,0 +1,39 @@ + +/* Chrysalide - Outil d'analyse de fichiers binaires + * semantic.h - prototypes pour la prise en charge personnalisée de la bibliothèque C + * + * Copyright (C) 2015 Cyrille Bagard + * + * This file is part of Chrysalide. + * + * OpenIDA is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * OpenIDA is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Foobar. If not, see . + */ + + +#ifndef _PLUGINS_LIBCSEM_SEMANTIC_H +#define _PLUGINS_LIBCSEM_SEMANTIC_H + + +#include +#include +#include + + + +/* Exécute une action pendant un désassemblage de binaire. */ +G_MODULE_EXPORT void process_binary_disassembly(const GPluginModule *, PluginAction, GLoadedBinary *); + + + +#endif /* _PLUGINS_LIBCSEM_SEMANTIC_H */ diff --git a/src/analysis/disass/disassembler.c b/src/analysis/disass/disassembler.c index 1227e84..7b6c63e 100644 --- a/src/analysis/disass/disassembler.c +++ b/src/analysis/disass/disassembler.c @@ -227,6 +227,11 @@ static void g_delayed_disassembly_process(GDelayedDisassembly *disass, GtkExtSta g_arch_processor_set_disassembled_instructions(proc, *disass->instrs); + // plugins ////////////////////////// + process_disassembly_event(PGA_DISASSEMBLY_RAW, disass->binary); + + + /* *disass->instrs = disassemble_binary_parts(disass->binary, disass->parts, disass->count, statusbar, id); 
@@ -262,6 +267,10 @@ static void g_delayed_disassembly_process(GDelayedDisassembly *disass, GtkExtSta + // plugins ////////////////////////// + process_disassembly_event(PGA_DISASSEMBLY_HOOKED_LINK, disass->binary); + + //gtk_extended_status_bar_remove(statusbar, id); @@ -296,6 +305,10 @@ static void g_delayed_disassembly_process(GDelayedDisassembly *disass, GtkExtSta + // plugins ////////////////////////// + process_disassembly_event(PGA_DISASSEMBLY_HOOKED_POST, disass->binary); + + /** * TODO : établir les couvertures de fonctions, @@ -323,6 +336,12 @@ static void g_delayed_disassembly_process(GDelayedDisassembly *disass, GtkExtSta + // plugins ////////////////////////// + process_disassembly_event(PGA_DISASSEMBLY_LIMITED, disass->binary); + + + + /* Troisième étape */ id = gtk_extended_status_bar_push(statusbar, _("Detecting loops..."), true); @@ -333,6 +352,10 @@ static void g_delayed_disassembly_process(GDelayedDisassembly *disass, GtkExtSta /// + // plugins ////////////////////////// + process_disassembly_event(PGA_DISASSEMBLY_LOOPS, disass->binary); + + /* Quatrième étape */ @@ -358,6 +381,11 @@ G_BIN_FORMAT(g_loaded_binary_get_format(disass->binary) + // plugins ////////////////////////// + process_disassembly_event(PGA_DISASSEMBLY_LINKED, disass->binary); + + + @@ -376,6 +404,9 @@ G_BIN_FORMAT(g_loaded_binary_get_format(disass->binary) //run_plugins_on_binary(disass->binary, PGA_BINARY_GROUPED, true); + process_disassembly_event(PGA_DISASSEMBLY_GROUPED, disass->binary); + + @@ -392,6 +423,8 @@ G_BIN_FORMAT(g_loaded_binary_get_format(disass->binary) //run_plugins_on_binary(disass->binary, PGA_BINARY_GROUPED, true); + process_disassembly_event(PGA_DISASSEMBLY_RANKED, disass->binary); + /* Septième étape */ diff --git a/src/plugins/plugin-def.h b/src/plugins/plugin-def.h index d7a37e4..68f9942 100644 --- a/src/plugins/plugin-def.h +++ b/src/plugins/plugin-def.h 
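Review bot: The two last hook sites (hunks `@@ -376` and `@@ -392`) drop the `// plugins //////` banner that the six earlier insertions carry and are placed directly under a stale `//run_plugins_on_binary(disass->binary, PGA_BINARY_GROUPED, true);` line, so the old and the new dispatch mechanism now sit side by side; deleting the commented-out calls and using the same banner at all eight sites keeps `g_delayed_disassembly_process` uniform. The return value of `process_disassembly_event()` is discarded at every site; if it can report a plugin failure, nothing in this function would notice, but its prototype is outside the diff so I cannot tell whether it returns anything. `g_delayed_disassembly_process` begins before the first hunk and continues past the last one.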
@@ -117,7 +117,7 @@ typedef enum _PluginAction */ /* Détection et chargement */ - PGA_FORMAT_MATCHER = DPC_BINARY_PROCESSING | DPS_FORMAT | DEFINE_PLUGIN_ACTION(0), + PGA_FORMAT_MATCHER = DPC_BINARY_PROCESSING | DPS_FORMAT | DEFINE_PLUGIN_ACTION(0), /* Accompagnement du chargement (fin) */ PGA_FORMAT_LOADER_LAST = DPC_BINARY_PROCESSING | DPS_FORMAT | DEFINE_PLUGIN_ACTION(1), 
@@ -127,10 +127,36 @@ typedef enum _PluginAction */ /* Désassemblage démarré */ - PGA_DISASSEMBLY_STARTED = DPC_BINARY_PROCESSING | DPS_DISASSEMBLY | DEFINE_PLUGIN_ACTION(0), + PGA_DISASSEMBLY_STARTED = DPC_BINARY_PROCESSING | DPS_DISASSEMBLY | DEFINE_PLUGIN_ACTION(0), + + /* Instructions toutes jutes désassemblées */ + PGA_DISASSEMBLY_RAW = DPC_BINARY_PROCESSING | DPS_DISASSEMBLY | DEFINE_PLUGIN_ACTION(1), + + /* Crochets de type 'link' exécutés */ + PGA_DISASSEMBLY_HOOKED_LINK = DPC_BINARY_PROCESSING | DPS_DISASSEMBLY | DEFINE_PLUGIN_ACTION(2), + + /* Crochets de type 'post' exécutés */ + PGA_DISASSEMBLY_HOOKED_POST = DPC_BINARY_PROCESSING | DPS_DISASSEMBLY | DEFINE_PLUGIN_ACTION(3), + + /* Limites de routines définies */ + PGA_DISASSEMBLY_LIMITED = DPC_BINARY_PROCESSING | DPS_DISASSEMBLY | DEFINE_PLUGIN_ACTION(4), + + /* Détection d'éventuelles boucles effectuée */ + PGA_DISASSEMBLY_LOOPS = DPC_BINARY_PROCESSING | DPS_DISASSEMBLY | DEFINE_PLUGIN_ACTION(5), + + /* Liaisons entre instructions mises en place */ + PGA_DISASSEMBLY_LINKED = DPC_BINARY_PROCESSING | DPS_DISASSEMBLY | DEFINE_PLUGIN_ACTION(6), + + /* Instructions regroupées en blocs basiques */ + PGA_DISASSEMBLY_GROUPED = DPC_BINARY_PROCESSING | DPS_DISASSEMBLY | DEFINE_PLUGIN_ACTION(7), + + /* Définitions de profondeurs d'exécution */ + PGA_DISASSEMBLY_RANKED = DPC_BINARY_PROCESSING | DPS_DISASSEMBLY | DEFINE_PLUGIN_ACTION(8), /* Désassemblage fini */ - PGA_DISASSEMBLY_ENDED = DPC_BINARY_PROCESSING | DPS_DISASSEMBLY | DEFINE_PLUGIN_ACTION(1), + PGA_DISASSEMBLY_ENDED = DPC_BINARY_PROCESSING | DPS_DISASSEMBLY | DEFINE_PLUGIN_ACTION(9), + + @@ -161,7 +187,7 @@ typedef enum _PluginAction /* MAJ !! */ -#define PGA_COUNT 6 +#define PGA_COUNT 16 -- cgit v0.11.2-87-g4458
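Review bot: `PGA_COUNT` moves from 6 to 16 in hunk `@@ -161` while hunk `@@ -127` adds eight `PGA_DISASSEMBLY_*` actions, so the count grows by ten for eight new values; either the old count was already out of step or the new one over-counts, and whichever table `PGA_COUNT` sizes should be checked against the real number of actions. The `/* MAJ !! */` reminder shows the number is kept by hand; if the build accepts C11, a `_Static_assert` next to the enum, or a `PGA_COUNT` derived from the last action's `DEFINE_PLUGIN_ACTION` index, would catch the mismatch at compile time instead of at runtime. Renumbering `PGA_DISASSEMBLY_ENDED` from `DEFINE_PLUGIN_ACTION(1)` to `DEFINE_PLUGIN_ACTION(9)` changes an existing value, so any plugin compiled against the previous header keeps the old numbering; a line in the ChangeLog noting that plugins must be rebuilt would make that visible. Whether `DEFINE_PLUGIN_ACTION` has room for index 9 depends on the macro's bit layout, which is not in this hunk.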