InitRun.py
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
Created on Mon Dec 21 18:14:17 2020
@author: Sara Baradaran, Mahdi Heidari, Ali Kamali
"""
from analysis.MCSimulation import MCSimulation
from analysis.MallocExtractParam import mallocEx
from analysis.TypeUtils import *
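class InitRun:
    """Run the target with sampled concrete inputs until all malloc call sites are recorded.

    The constructor hooks ``malloc`` on the project and collects the malloc
    call sites that the CFG analysis reports as reachable from main.  ``run``
    then repeatedly draws one input sample, executes the binary with it and
    returns the ``globals`` dictionary of the first dead-ended state once it
    holds as many entries as there are collected call sites.

    NOTE(review): ``angr`` is used by name in ``run`` but is not imported in
    this file; presumably it arrives through the star import from
    ``analysis.TypeUtils`` -- confirm.
    """

    def __init__(self, project, mc_config, cfg_analyses, target_func=None):
        """Hook malloc and collect the malloc call sites reachable from main.

        Args:
            project: Object exposing ``hook_symbol``, ``factory`` and
                ``filename`` (presumably an angr Project -- confirm).
            mc_config: Configuration file handed to ``MCSimulation``.
            cfg_analyses: Object providing ``getAddressOfFunctionCall`` and
                ``isReachableFromMain``.
            target_func: Stored on the instance; not read anywhere in this class.
        """
        self.project = project
        # From here on every malloc in the analysed binary goes through mallocEx.
        self.project.hook_symbol('malloc', mallocEx(num_args=1))
        self.target_func = target_func
        self.cfg_analyses = cfg_analyses
        self.mc = MCSimulation(config_file=mc_config)
        # Keep only the call sites whose enclosing function can be reached from main.
        self.malloc_points = [
            (addr, func)
            for addr, func in self.cfg_analyses.getAddressOfFunctionCall('malloc')
            if self.cfg_analyses.isReachableFromMain(func.name)
        ]

    def run(self, args_index=None):
        """Execute the binary with sampled inputs until every malloc site is recorded.

        Args:
            args_index: 1-based positions of the sampled inputs that are passed
                as command-line arguments instead of through stdin.  ``None``
                or an empty sequence sends every input through stdin.

        Returns:
            A copy of ``globals`` from the first dead-ended state of the run
            whose entry count equals ``len(self.malloc_points)``.

        Raises:
            IndexError: If a run leaves no dead-ended state (for example when
                every path ends in another stash), because the first
                dead-ended state is read unconditionally.

        NOTE(review): the loop has no iteration limit.  If some collected
        malloc site is never reached by any sample, or ``globals`` carries
        keys other than malloc sites, this method does not return.
        """
        # A None default avoids sharing one list object between calls.
        arg_positions = list(args_index) if args_index else []
        while True:
            sample = self.mc.generate(count=1)[0]
            inputs = []
            for i, raw in enumerate(sample):
                tp = self.mc.getVarTypes(i)
                if 'int' in tp:
                    inputs.append(getIntConcreteBV(int(raw)))
                elif isinstance(tp, tuple) and 'char*' in tp[0]:
                    # Only the first 20 characters are used, so longer strings
                    # are never exercised for this kind of input.
                    inputs.append(getCharStringConcreteBV(raw[0:20]))
                else:
                    inputs.append(getCharStringConcreteBV(raw))

            entry_kwargs = {}
            if arg_positions:
                argv = [self.project.filename]
                # NOTE(review): each pop shifts the remaining inputs left, so
                # with more than one position the later ones index the
                # already-shortened list -- confirm callers account for this.
                for position in arg_positions:
                    argv.append(inputs.pop(position - 1))
                entry_kwargs['args'] = argv

            # The stream is built after the pops so stdin only carries the
            # inputs that were not moved to argv.
            state = self.project.factory.entry_state(
                stdin=angr.SimPacketsStream(name='stdin', content=inputs),
                add_options=angr.options.unicorn,
                **entry_kwargs,
            )
            state.libc.buf_symbolic_bytes = 100
            simgr = self.project.factory.simulation_manager(state)
            # The find callback never matches; it is used to record malloc
            # sites while exploration runs to completion.
            simgr.explore(find=self._explore_states)
            res = dict(simgr.deadended[0].globals)
            if len(self.malloc_points) == len(res):
                return res

    def _explore_states(self, state):
        """Record malloc call sites inside the state's current block; never match.

        For every collected malloc address that is among the instruction
        addresses of ``state.block()``, ``state.globals[addr]`` is set to
        ``None``.  Always returns ``False`` so exploration is not stopped.
        """
        if not self.malloc_points:
            return False
        # The block is the same for every call site, so look it up once.
        block_addrs = state.block().instruction_addrs
        for addr, _func in self.malloc_points:
            if addr in block_addrs:
                state.globals[addr] = None
        return False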