-
Notifications
You must be signed in to change notification settings - Fork 3
Expand file tree
/
Copy pathPEInstrument.py
More file actions
831 lines (740 loc) · 36.4 KB
/
PEInstrument.py
File metadata and controls
831 lines (740 loc) · 36.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
#!/usr/bin/python
# -*- coding: utf-8 -*-
"""PEInstrument
support instrumentation feature for window executable binary format(PE).
"""
from PEManager import *
from keystone import *
from Disassembler import *
from CodeManager import *
import DataSegment
from Log import LoggerFactory
_INSTRUMENT_POS_PREV_ = 0x1000
_INSTRUMENT_POS_AFTER_ = 0x1001
_INSTRUMENT_POS_REPLACE_ = 0x1002
class PEInstrument(object):
def __init__(self, pe_manager):
"""
constructor of PEInstrument.
Args:
pe_manager(PEManager) : The manager of the file to instrument.
"""
if not isinstance(pe_manager, PEManager):
print("YOU MUST set up PE Manager")
exit()
self.pe_manager = pe_manager
self.pe_manager.set_instrument(self)
self.entryPointVA = self.pe_manager.get_entry_point_rva()
self.ks = Ks(KS_ARCH_X86, KS_MODE_32)
self.cs = Cs(CS_ARCH_X86, CS_MODE_32)
execute_section = self.pe_manager.get_text_section()
execute_section_data = \
self.pe_manager.get_section_raw_data(execute_section)
self.code_manager = CodeManager(execute_section_data,
execute_section.VirtualAddress)
self.disassembler = Disassembler(self.code_manager)
# save history of instrument for relocation
self.instrument_pos_dict = {}
self.current_instrument_pos_dict = {}
self.overflowed_instrument_dict = {}
self.log = None
# variable for handle overflow
self.overflowed = False
# function registry
self.pre_indirect_branch_functions = []
self.pre_relative_branch_functions = []
self.pre_return_functions = []
self.after_indirect_branch_functions = []
self.after_relative_branch_functions = []
self.after_return_functions = []
self.replace_indirect_branch_functions = []
self.replace_relative_branch_functions = []
self.replace_return_functions = []
@classmethod
def from_filename(cls, filename):
pe_manager = PEManager(filename)
return cls(pe_manager)
def get_pe_manager(self):
return self.pe_manager
def _is_instrument_overflow_occurred(self):
return self.overflowed
def _instrument_overflow_handled(self):
self.overflowed = False
def _instrument_overflow_occurred(self):
self.overflowed = True
def writefile(self, filename):
"""
write to file with PE format.
Args:
filename(str)
the name of the file to write.
"""
self.pe_manager.writefile(filename)
def get_instrumented_pos(self):
return self.instrument_pos_dict
def get_instructions(self):
"""
get disassembled instructions. Instructions excluding data that
exist in the text section.
Returns:
:obj:`list`: list containing :
:obj:`tuple`
- int : instruction address.
- :obj:`instruction` : instruction.
"""
relocation_dict = self.pe_manager.get_relocation()
sorted_relocation = sorted(relocation_dict.items(),
key=operator.itemgetter(0))
instructions = self.disassembler.get_disassemble_dict()
relocation_list = []
if len(self.instrument_pos_dict) > 0:
for index, (address, el) in enumerate(sorted_relocation):
increased_size = self.get_instrumented_vector_size(address
- 0x1000)
relocation_list.append(address - 0x1000 + increased_size)
else:
for index, (address, el) in enumerate(sorted_relocation):
relocation_list.append(address - 0x1000)
for address in relocation_list:
for size in range(4):
relocation_address_range = address + size
if relocation_address_range in instructions:
del instructions[relocation_address_range]
sorted_instructions = sorted(instructions.items(),
key=operator.itemgetter(0))
return sorted_instructions
def register_pre_indirect_branch(self, fn):
self.pre_indirect_branch_functions.append(fn)
def register_pre_relative_branch(self, fn):
self.pre_relative_branch_functions.append(fn)
def register_pre_return(self, fn):
self.pre_return_functions.append(fn)
def is_pre_indirect_branch_instrument_exist(self):
return len(self.pre_indirect_branch_functions) > 0
def is_pre_relative_branch_instrument_exist(self):
return len(self.pre_relative_branch_functions) > 0
def is_pre_return_instrument_exist(self):
return len(self.pre_return_functions) > 0
def register_after_indirect_branch(self, fn):
self.after_indirect_branch_functions.append(fn)
def register_after_relative_branch(self, fn):
self.after_relative_branch_functions.append(fn)
def register_after_return(self, fn):
self.after_return_functions.append(fn)
def is_after_indirect_branch_instrument_exist(self):
return len(self.after_indirect_branch_functions) > 0
def is_after_relative_branch_instrument_exist(self):
return len(self.after_relative_branch_functions) > 0
def is_after_return_instrument_exist(self):
return len(self.after_return_functions) > 0
def do_instrument(self):
"""
instrument instruction when reached instruction that has control flow as
redirect.
"""
self.log = LoggerFactory().get_new_logger("Instrument.log")
instrument_total = 0
instructions = self.get_instructions()
for address, inst in instructions:
try:
if self.disassembler.is_indirect_branch(inst):
if self.is_pre_indirect_branch_instrument_exist():
self.log.log('[0x{:x}]\t[0x{:x}]\t{:s}\t{:s}\n'
.format(inst.address + instrument_total,
inst.address, inst.mnemonic,
inst.op_str))
for fn in self.pre_indirect_branch_functions:
result = \
self.instrument(fn, inst, instrument_total)
instrument_total += result
if self.is_after_indirect_branch_instrument_exist():
self.log.log('[0x{:x}]\t[0x{:x}]\t{:s}\t{:s}\n'
.format(inst.address + instrument_total,
inst.address, inst.mnemonic,
inst.op_str))
for fn in self.after_indirect_branch_functions:
result = \
self.instrument(fn, inst, instrument_total,
position=_INSTRUMENT_POS_AFTER_)
instrument_total += result
elif self.disassembler.is_relative_branch(inst) \
and self.disassembler.is_call(inst):
if self.is_pre_relative_branch_instrument_exist():
for fn in self.pre_relative_branch_functions:
result = \
self.instrument(fn, inst, instrument_total)
instrument_total += result
if self.is_after_relative_branch_instrument_exist():
self.log.log('[0x{:x}]\t[0x{:x}]\t{:s}\t{:s}\n'
.format(inst.address + instrument_total,
inst.address, inst.mnemonic,
inst.op_str))
for fn in self.after_relative_branch_functions:
result = \
self.instrument(fn, inst, instrument_total,
position=_INSTRUMENT_POS_AFTER_)
instrument_total += result
elif self.disassembler.is_return(inst):
if self.is_pre_return_instrument_exist():
for fn in self.pre_return_functions:
result = self.instrument(fn, inst, instrument_total)
instrument_total += result
if self.is_after_return_instrument_exist():
self.log.log('[0x{:x}]\t[0x{:x}]\t{:s}\t{:s}\n'
.format(inst.address + instrument_total,
inst.address, inst.mnemonic,
inst.op_str))
for fn in self.after_return_functions:
result = \
self.instrument(fn, inst, instrument_total,
position=_INSTRUMENT_POS_AFTER_)
instrument_total += result
except Exception as e:
print("ERROR WHILE INSTRUMENT")
print(e)
exit()
self.adjust_instruction_layout()
def instrument(self, fn, instruction, total_count=0,
position=_INSTRUMENT_POS_PREV_):
"""
The instrument passes the instruction to the user function. When
the user function is finished and the instruction to be instrumented
is returned, the instruction is inserted at the position of the current
instruction. As a result, the position of the current instruction is
pushed backward by the size of the inserted instruction.
Args:
fn(function)
User function to return instruction to be instrumented
instruction(instruction)
Instruction to be passed to the user function.
total_count(int)
total count of instrumented.
position(int)
position where be instrumented.
Returns:
int : size of instrumented instructions.
"""
instrument_size = 0
instrument_inst, count = fn(instruction)
if count > 0:
if position == _INSTRUMENT_POS_PREV_:
instrument_size = len(instrument_inst)
offset = instruction.address + total_count
self.code_manager.instrument(offset, instrument_inst)
self.current_instrument_pos_dict[offset] = instrument_size
self.instrument_pos_dict[offset] = instrument_size
elif position == _INSTRUMENT_POS_AFTER_:
instrument_size = len(instrument_inst)
offset = instruction.address + total_count + instruction.size
self.code_manager.instrument(offset, instrument_inst)
self.current_instrument_pos_dict[offset] = instrument_size
self.instrument_pos_dict[offset] = instrument_size
elif position == _INSTRUMENT_POS_REPLACE_:
instrument_size = len(instrument_inst) - instruction.size
offset = instruction.address + total_count
self.code_manager.instrument_with_replace(offset,
instruction.size,
instrument_inst)
self.current_instrument_pos_dict[offset] = instrument_size
self.instrument_pos_dict[offset] = instrument_size
return instrument_size
def get_instrumented_size(self, instruction):
"""
Calculate the instrumented size from the current address to the branch
target. use this when instrumented thing is applied to disassembled one.
but if not applied instrumented thing, then use method the
get_instrumented_size_with_vector.
Args:
instruction(instruction):
branch instruction that has relatively operand value
Returns:
int : size of instrumented until instruction's address.
"""
instruction_address = instruction.address
instruction_destiny = instruction.operands[0].imm
instrument_size_till_destiny = 0
if instruction_address <= instruction_destiny:
sorted_instrument = sorted(self.current_instrument_pos_dict.items(),
key=operator.itemgetter(0))
for instrument_address, instrument_size in sorted_instrument:
if instrument_address > instruction_destiny:
break
if (instruction_address
< instrument_address <= instruction_destiny):
instrumented_size = instrument_size
instrument_size_till_destiny += instrumented_size
instruction_destiny += instrumented_size
else:
sorted_instrument = sorted(self.current_instrument_pos_dict.items(),
key=operator.itemgetter(0),
reverse=True)
for instrument_address, instrument_size in sorted_instrument:
# instruction_destiny can be instrumented instruction.
# cause subtract instrument_size from instruction_destiny
if (instruction_destiny - instrument_size
<= instrument_address < instruction_address):
if instrument_address \
< instruction_destiny - instrument_size:
break
instrumented_size = instrument_size
instrument_size_till_destiny += instrumented_size
instruction_destiny -= instrumented_size
return instrument_size_till_destiny
def get_instrumented_vector_size(self, rva, instrument_pos_dict=None):
"""
Calculate the instrumented size until virtual address that argumented.
if not applied instrumented thing, to disssembled one, use this.
Args:
rva(int): virtual address for calculate on.
instrument_pos_dict(dict) : dict contains instruments position.
Returns:
int :
instrumented size until argument virtual address with
increasing of instrumented size.
"""
if instrument_pos_dict is None:
instrument_pos_dict = self.instrument_pos_dict
sorted_instrument = sorted(instrument_pos_dict.items(),
key=operator.itemgetter(0))
instrumented_size = 0
for address, size in sorted_instrument:
if address <= rva:
instrumented_size += size
rva += size
else:
break
return instrumented_size
def get_instrumented_total_size(self):
"""
Total size of instrument.
Returns:
int : Total size of instrumentation.
"""
sorted_instrument = sorted(self.instrument_pos_dict.items(),
key=operator.itemgetter(0))
instrumented_size = 0
for address, size in sorted_instrument:
instrumented_size += size
return instrumented_size
def get_code(self):
"""
get codes that working on.
Returns:
:obj:`bytearray` : text section's data.
"""
return self.code_manager.get_code()
def adjust_instruction_layout(self):
"""
Adjusts the binary layout that has changed due to the address
and the relatively operand of the instruction being changed during
the instrumenting.
"""
# instructions = self.Disassembler.getDisassembleList()
instructions = self.get_instructions()
if not self.pe_manager.is_possible_relocation():
print("Not Support PE without relocation, yet.")
exit()
self._save_instruction_log()
self.log = LoggerFactory().get_new_logger("AdjustDirectBranches.log")
for instAddress, instruction in instructions:
if ((not self.disassembler.is_indirect_branch(instruction))
and (self.disassembler.is_branch(instruction)
or self.disassembler.is_relative_branch(instruction))):
self.adjust_direct_branches(instruction)
if instruction.mnemonic.startswith('prefetch'):
self.adjust_registers_instruction_operand(instruction)
self.log.fin()
if self._is_instrument_overflow_occurred():
overflowed_inst_handled = self.handle_overflowed_instrument()
if overflowed_inst_handled:
self.adjust_instruction_layout()
else:
print("ERROR WHILE HANDLE OVERFLOW")
exit()
def adjust_direct_branches(self, instruction):
"""
adjust instruction's operand value. Because the instructions calculate
the address to branch relatively from the current position, it is
necessary to apply the offset value changed by the instrument.
Args:
instruction(instruction):
branch instruction that has relatively operand value
"""
operand_value = 0
adjusted_operand_value = 0
instrumented_size_till = self.get_instrumented_size(instruction)
# adjust operand value
if instrumented_size_till > 0:
operand_size = instruction.operands[0].size
instruction_size = instruction.size
if instruction_size == 2:
operand_start = instruction.address + 1
operand_end = instruction.address + 2
elif instruction_size == 3:
operand_start = instruction.address + 2
operand_end = instruction.address + 3
elif instruction_size == 6:
operand_start = instruction.address + 2
operand_end = instruction.address + 6
elif instruction_size == 5:
operand_start = instruction.address + 1
operand_end = instruction.address + instruction_size
else:
instruction_length = \
self.disassembler.get_opcode_length(instruction)
self.log.log("[CACULATED][{:d}]\t".format(instruction_length))
operand_start = instruction.address + instruction_length
operand_end = instruction.address + instruction_size
self.log.log("[{:d}]\t".format(instruction_size))
try:
operand_value = \
self.code_manager.get_data_from_offset_with_format(
operand_start,
operand_end
)
except Exception as e:
print ("[except]============================================")
print (e)
print ("[0x{}]\t{} {}\t\tINSIZE:{}\tOPSIZE:{}\t"
"OP START:{}\tOP END:{}\tVALUE:{:x}"
.format(instruction.address,
instruction.mnemonic,
instruction.op_str,
instruction_size,
operand_size,
operand_start, operand_end,
instruction.operands[0].imm
)
)
exit()
if operand_value > 0:
adjusted_operand_value = operand_value + instrumented_size_till
else:
adjusted_operand_value = operand_value - instrumented_size_till
try:
self.code_manager.set_data_at_offset_with_format(
operand_start,
operand_end,
adjusted_operand_value
)
set_value = \
self.code_manager.get_data_from_offset_with_format(
operand_start,
operand_end
)
if adjusted_operand_value != set_value:
print("ERROR WHILE ADJUST DIRECT BRANCH")
exit()
self.log.log("[0x{:04x}]\t{:s}\t{:s}\t{:x}\t{:x}\n"
.format(instruction.address,
instruction.mnemonic,
instruction.op_str, operand_value,
adjusted_operand_value))
except Exception as e:
print(e)
self._instrument_overflow_occurred()
self.overflowed_instrument_dict[instruction.address] = \
(instruction,
(operand_value, adjusted_operand_value,
instrumented_size_till)
)
self.log.log(
"\t[OVERFLOWED] [0x{:04x}]\t{:s}\t{:s}\t{:x}\t{:x}\n"
.format(instruction.address, instruction.mnemonic,
instruction.op_str, operand_value,
adjusted_operand_value))
return adjusted_operand_value
def adjust_registers_instruction_operand(self, instruction):
"""
adjust instruction operand that register before.
Args:
instruction(instruction) : instruction to be adjusting.
Returns:
int : adjusted operand value.
"""
operand_value = 0
instrumented_size_till = self.get_instrumented_size(instruction)
# fixed instruction opcode size for prefetch
opcode_size = 3
instruction_size = instruction.size
operand_start = instruction.address + opcode_size
operand_end = instruction.address + instruction_size
self.log.log("[{:d}]\t".format(instruction_size))
try:
operand_value = \
self.code_manager.get_data_from_offset_with_format(
operand_start,
operand_end
)
except Exception as e:
print ("[except]============================================")
print (e)
print ("[0x%08x]\t%s 0x%x\t\tINS:%d\tOPS:%d\tOP START:%x\t"
"OP END:%x".format(instruction.address,
instruction.mnemonic,
instruction.operands[0].imm,
instruction_size,
operand_start, operand_end,
operand_value
)
)
exit()
image_base = self.pe_manager.get_image_base()
if operand_value > 0:
adjusted_operand_value = operand_value + instrumented_size_till
if adjusted_operand_value < image_base:
adjusted_operand_value += image_base
else:
adjusted_operand_value = operand_value - instrumented_size_till
if adjusted_operand_value < image_base:
adjusted_operand_value += image_base
try:
self.code_manager.set_data_at_offset_with_format(
operand_start,
operand_end,
adjusted_operand_value
)
set_value = \
self.code_manager.get_data_from_offset_with_format(
operand_start,
operand_end
)
if adjusted_operand_value != set_value:
print("ERROR WHILE ADJUST DIRECT BRANCH")
exit()
self.log.log("[0x{:04x}]\t{:s}\t{:s}\t{:x}\t{:x}\n"
.format(instruction.address,
instruction.mnemonic,
instruction.op_str, operand_value,
adjusted_operand_value))
except Exception as e:
print (e)
self._instrument_overflow_occurred()
self.overflowed_instrument_dict[instruction.address] = \
(instruction,
(operand_value, adjusted_operand_value,
instrumented_size_till)
)
self.log.log(
"\t[OVERFLOWED] [0x{:04x}]\t{:s}\t{:s}\t{:x}\t{:x}\n"
.format(instruction.address, instruction.mnemonic,
instruction.op_str, operand_value,
adjusted_operand_value))
return adjusted_operand_value
def handle_overflowed_instrument(self):
"""
extend the size of the operand if exceed the range of operand values
while instrument.
Note:
The formula for determining the operand value of a branch
instruction in x86:
[Destination.Address - Instruction.Address - Instruction.size]
in this case, the operand value overflowed while we adjust direct
branches operands. that mean, 1 byte of operand size is too small
for adjusted operand value. cause we expand operand size to 4byte.
instruction size increase to 5byte or 6byte. according in formula of
determining operand value, The keystone adjusts the operand value
when it compiled.
the keystone is based on the address at which the instruction ends,
like this,
ks.asm('jmp 140') = [233, 135, 0, 0, 0]
but since the value we pass is based on the start address of the
instruction, it corrects the value of operand in the case of a
positive branch.
In the case of a negative branch, the base address is the starting
address of the instruction, so do not change it.
Returns:
bool : True if occurred overflow while instrumentation, False otherwise.
"""
self.log = \
LoggerFactory().get_new_logger("HandleOverflowInstrument.log")
total_instrument_size = 0
# self.instrument_map.clear()
handled_overflowed_pos_dict = {}
sorted_instrument = sorted(self.overflowed_instrument_dict.items(),
key=operator.itemgetter(0))
for index, \
(instruction_address,
(instruction,
(operand_value, adjusted_operand_value, instrumented_size_till)
)
) in enumerate(sorted_instrument):
instruction_address += total_instrument_size
print ("[{}] overflowed instrument instruction : [0x{:x}] {:s} "
"{} ========[{}]==========> {}"
.format(index, instruction_address, instruction.mnemonic,
operand_value, instrumented_size_till,
adjusted_operand_value))
self.log.log("[0x{:x}] {:s} {}\t {} ========[{}]==========> {}\n"
.format(instruction.address, instruction.mnemonic,
instruction.op_str, operand_value,
instrumented_size_till,
adjusted_operand_value))
# adding 2 is to change the base of operand value to the
# start address of the instruction.
code = "{:s} {}".format(instruction.mnemonic,
adjusted_operand_value + 2)
hex_code = binascii.hexlify(code).decode('hex')
try:
encoding, count = self.ks.asm(hex_code)
for inst in self.cs.disasm(bytearray(encoding),
instruction_address):
self.log.log("\t" + code + "\t"
+ inst.mnemonic + " "
+ inst.op_str + "\n")
instrumented_size = len(encoding)
if instrumented_size == 5:
if adjusted_operand_value > 0:
encoding[1] += 3
else:
encoding[1] += 0
elif instrumented_size == 6:
if adjusted_operand_value > 0:
encoding[2] += 4
else:
encoding[2] += 0
else:
print("ERROR")
# patch
self.code_manager.set_instruction_at_offset(instruction_address,
instruction_address
+ instruction.size,
encoding)
# save increased opcode, operand size for adjust again
increased_size = instrumented_size - instruction.size
handled_overflowed_pos_dict[instruction_address] \
= increased_size
total_instrument_size += increased_size
self.log.log("\t\t{} : {:d}\n".format(encoding,
increased_size))
except KsError as ex:
print("ERROR : {}".format(ex))
exit()
self.save_instrument_history(self.instrument_pos_dict,
handled_overflowed_pos_dict)
self.current_instrument_pos_dict = handled_overflowed_pos_dict
self.overflowed_instrument_dict.clear()
self._instrument_overflow_handled()
self.log.fin()
return True
def merge_adjust_pos_with_prev(self, src_adjust_dict, dst_adjust_dict):
"""
Merging previous adjust map with later adjust map
Args:
src_adjust_dict(dict): previous adjust map.
dst_adjust_dict(dict): later adjust map.
Returns:
:obj:`dict` : adjusted instrumented map.
"""
self.log = LoggerFactory().get_new_logger("AdjustingMerge.log")
adjusted_dict = {}
sorted_src_adjust_dict = sorted(src_adjust_dict.items(),
key=operator.itemgetter(0))
sorted_dst_adjust_dict = sorted(dst_adjust_dict.items(),
key=operator.itemgetter(0))
# ready
dst_index = 0
instrumented_size_by_dst = 0
# initialize destiny
dst_instrumented_address, dst_instrumented_size = \
sorted_dst_adjust_dict[dst_index]
instrument_size_of_dst_address = dst_instrumented_size
src_total_instrument_size = 0
self.log.log("[instrument address]\t[instrument size]\t"
"[adjusted address]\t[total instrumented size]\n")
# source instrumented iterating
for src_instrumented_address, src_instrumented_size \
in sorted_src_adjust_dict:
adjust_instrument_address = src_instrumented_address
# increase source instrument address by destiny instrument size.
adjust_instrument_address += instrumented_size_by_dst
# this condition be true when reach next destiny instrument address.
# so, append current instrument point and load next.
while adjust_instrument_address > dst_instrumented_address \
and len(sorted_dst_adjust_dict) > dst_index:
# save current status for append.
current_adjust_address = dst_instrumented_address
current_instrument_size = instrument_size_of_dst_address
# get next element of destiny instrument info.
dst_index += 1
if len(sorted_dst_adjust_dict) > dst_index:
# load next instrument info.
dst_instrumented_address, dst_instrumented_size = \
sorted_dst_adjust_dict[dst_index]
# if same address is exist, then occurred bug.
if current_adjust_address in adjusted_dict:
self.log.log("[OVERLAPPING]\t")
# update current status.
# increase current source address, cause
adjust_instrument_address += dst_instrumented_size
instrumented_size_by_dst += current_instrument_size
instrument_size_of_dst_address = dst_instrumented_size
# this is last instrument
else:
current_adjust_address = dst_instrumented_address
current_instrument_size = instrument_size_of_dst_address
instrumented_size_by_dst += current_instrument_size
print("LAST INSTRUMENT")
# append current destiny instrument info to adjust dict.
adjusted_dict[current_adjust_address] = current_instrument_size
# logging
self.log.log("{:>20}\t{:>17}\t{:>18}\t{:>25}\t[OVERFLOW]\n"
.format(hex(current_adjust_address),
hex(current_instrument_size),
hex(current_instrument_size),
hex(instrumented_size_by_dst
+ src_total_instrument_size),
))
# logging
self.log.log("{:>20}\t{:>17}\t{:>18}\t{:>25}\n"
.format(hex(src_instrumented_address
- src_total_instrument_size),
hex(src_instrumented_size),
hex(adjust_instrument_address),
hex(src_total_instrument_size
+ instrumented_size_by_dst)
)
)
src_total_instrument_size += src_instrumented_size
adjusted_dict[adjust_instrument_address] = src_instrumented_size
return adjusted_dict
def save_instrument_history(self, instrumented_pos_dict,
handled_overflowed_pos_dict):
adjusted_dict = \
self.merge_adjust_pos_with_prev(instrumented_pos_dict,
handled_overflowed_pos_dict)
self.instrument_pos_dict = adjusted_dict
def append_code(self, code):
"""
append code to last of code section.
Args:
code(str) : assembly code that append to last of code section.
Returns:
int : relative address of code that appended
"""
_pad_size = 3
pad = ";nop;" * _pad_size
code = pad + code + pad
encoding, count = self.ks.asm(code)
code_offset = self.code_manager.instrument_at_last(encoding)
code_rva = self.code_manager.get_base_rva() + code_offset + _pad_size
return code_rva
def falloc(self, size):
"""
get allocated memory space from data segment.
Args:
size(int): size of space that allocate.
Returns:
:obj:`DataSegment`: DataSegment that represent for allocation.
"""
data_chunk = DataSegment.Chunk(self.pe_manager, size)
return data_chunk
def _save_instruction_log(self):
self.log = LoggerFactory().get_new_logger("final_instructions.log")
instructions = self.get_instructions()
for address, inst in instructions:
self.log.log("[0x{:04x}]\t{}\t{}\n"
.format(address
+ self.pe_manager.get_image_base()
+ 0x1000,
inst.mnemonic, inst.op_str))