diff --git a/.build_number b/.build_number index bf2f48558..021807516 100644 --- a/.build_number +++ b/.build_number @@ -1 +1 @@ -746 +747 diff --git a/examples/inject_model_with_snapshot.py b/examples/inject_model_with_snapshot.py index ba25fa136..fa7417224 100644 --- a/examples/inject_model_with_snapshot.py +++ b/examples/inject_model_with_snapshot.py @@ -74,7 +74,7 @@ def cbefore(instruction): if instruction.getAddress() == 0x40058b: rax = getRegValue(IDREF.REG.RAX) if rax in password: - setMemValue(rax, 1, password[rax]) + setMemValue(rax, 8, password[rax]) print '[+] Inject the character \'%c\' in memory' %(chr(password[rax])) # Epilogue of the function diff --git a/examples/inject_model_with_snapshot_32b.py b/examples/inject_model_with_snapshot_32b.py index 3a2c8b631..4d8d2095d 100644 --- a/examples/inject_model_with_snapshot_32b.py +++ b/examples/inject_model_with_snapshot_32b.py @@ -74,7 +74,7 @@ def cbefore(instruction): if instruction.getAddress() == 0x8048412: rax = getRegValue(IDREF.REG.EAX) if rax in password: - setMemValue(rax, 1, password[rax]) + setMemValue(rax, 8, password[rax]) print '[+] Inject the character \'%c\' in memory' %(chr(password[rax])) # Epilogue of the function diff --git a/src/bindings/python/modules/tritonCallbacks.cpp b/src/bindings/python/modules/tritonCallbacks.cpp index 91523c4d9..2980bfe55 100644 --- a/src/bindings/python/modules/tritonCallbacks.cpp +++ b/src/bindings/python/modules/tritonCallbacks.cpp 
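Review bot: The new second argument in both example hunks is the bare literal `8`, which under the old byte-sized API meant a QWORD write, so a reader of `setMemValue(rax, 8, password[rax])` cannot tell from the call that it now means one byte. Spell the unit out as `setMemValue(rax, IDREF.CPUSIZE.BYTE_BIT, password[rax])`, the constant the tools/code_coverage.py hunk of this same commit already uses for its `convertMemToSymVar` calls. In the 32-bit example the local is still named `rax` although it is loaded from `IDREF.REG.EAX`; `eax` would avoid confusion with the 64-bit sibling. Both `cbefore` callbacks continue outside the hunks.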
@@ -181,12 +181,19 @@ static PyObject *Triton_getMemValue(PyObject *self, PyObject *args) { ad = PyLong_AsUint(addr); rs = PyLong_AsUint(readSize); - if (rs != DQWORD_SIZE && rs != QWORD_SIZE && rs != DWORD_SIZE && rs != WORD_SIZE && rs != BYTE_SIZE) - return PyErr_Format(PyExc_TypeError, "getMemValue(): The readSize argument must be: DQWORD, QWORD, DWORD, WORD or BYTE"); + if (rs == 0) + return PyErr_Format(PyExc_TypeError, "getMemValue(): The readSize cannot be 0"); + + if (rs > DQWORD_SIZE_BIT) + return PyErr_Format(PyExc_TypeError, "getMemValue(): The readSize must be less than 128"); + + if (rs % BYTE_SIZE_BIT) + return PyErr_Format(PyExc_TypeError, "getMemValue(): The readSize must be a multiple of 8"); if (PIN_CheckReadAccess(reinterpret_cast(ad)) == false) return PyErr_Format(PyExc_TypeError, "getMemValue(): The targeted address memory can not be read"); + rs = rs / BYTE_SIZE_BIT; MemoryOperand mem(ad, rs); /* If this is a 128-bits read size, we must use uint128ToPyLongObject() */ 
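Review bot: The replacement checks in `Triton_getMemValue` accept any multiple of 8 up to 128 bits, so a caller can now request 3-, 5-, 6-, 7- or 9..15-byte reads that the removed whitelist rejected, and nothing in the hunk shows `MemoryOperand` or the 128-bit read path handling such widths; either keep the power-of-two restriction, `if (rs % BYTE_SIZE_BIT || (rs & (rs - 1)))`, or document that odd widths are supported. The `rs > DQWORD_SIZE_BIT` guard admits 128 while its message says "must be less than 128"; "must be at most 128" matches the test. `PIN_CheckReadAccess` is given only `ad`, not `ad + rs - 1`, so a read that starts in a readable page may still run past its end — presumably pre-existing, but worth a second check on the last byte now that the size argument is more permissive. The function's argument parsing starts before the hunk.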
@@ -365,13 +372,20 @@ static PyObject *Triton_setMemValue(PyObject *self, PyObject *args) { ad = PyLong_AsUint(addr); ws = PyLong_AsUint(writeSize); - if (ws != DQWORD_SIZE && ws != QWORD_SIZE && ws != DWORD_SIZE && ws != WORD_SIZE && ws != BYTE_SIZE) - return PyErr_Format(PyExc_TypeError, "setMemValue(): The writeSize argument must be: DQWORD, QWORD, DWORD, WORD or BYTE"); + if (ws == 0) + return PyErr_Format(PyExc_TypeError, "setMemValue(): The writeSize cannot be 0"); + + if (ws > DQWORD_SIZE_BIT) + return PyErr_Format(PyExc_TypeError, "setMemValue(): The writeSize must be less than 128"); + + if (ws % BYTE_SIZE_BIT) + return PyErr_Format(PyExc_TypeError, "setMemValue(): The writeSize must be a multiple of 8"); if (PIN_CheckWriteAccess(reinterpret_cast(ad)) == false) return PyErr_Format(PyExc_TypeError, "setMemValue(): Can not write into the targeted address memory"); va = PyLongObjectToUint128(value); + ws = ws / BYTE_SIZE_BIT; MemoryOperand mo(ad, ws); ap.setMemValue(mo, ws, va); @@ -600,6 +614,15 @@ static PyObject *Triton_convertExprToSymVar(PyObject *self, PyObject *args) { if (symVarSize == nullptr || (!PyLong_Check(symVarSize) && !PyInt_Check(symVarSize))) return PyErr_Format(PyExc_TypeError, "convertExprToSymVar(): expected an integer as second argument"); + if (PyLong_AsUint(symVarSize) == 0) + return PyErr_Format(PyExc_TypeError, "convertExprToSymVar(): The size must cannot be 0"); + + if (PyLong_AsUint(symVarSize) % BYTE_SIZE_BIT) + return PyErr_Format(PyExc_TypeError, "convertExprToSymVar(): The size must be a multiple of 8"); + + if (PyLong_AsUint(symVarSize) > DQWORD_SIZE_BIT) + return PyErr_Format(PyExc_TypeError, "convertExprToSymVar(): The size must be less than 128"); + if (!PyString_Check(varComment)) return PyErr_Format(PyExc_TypeError, "convertExprToSymVar(): expected a comment (string) as third argument"); 
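Review bot: In `Triton_setMemValue` the `ws > DQWORD_SIZE_BIT` test accepts 128 while the message reads "must be less than 128"; change it to "must be at most 128". As on the read side, the new rule admits non-power-of-two widths (24, 40, 48 ... bits) that the deleted whitelist refused, so unless `MemoryOperand` and `ap.setMemValue` are known to handle 3- or 5-byte stores, extend the modulo check with `|| (ws & (ws - 1))`. `va` is produced by `PyLongObjectToUint128(value)` but never compared against the `ws` bits actually written, so a value wider than the target is presumably truncated silently; a guard such as `if (ws < DQWORD_SIZE_BIT && (va >> ws) != 0) return PyErr_Format(PyExc_ValueError, "setMemValue(): value does not fit in writeSize bits");` placed before the division would make that an error. `PIN_CheckWriteAccess` likewise only covers the first byte of the range. The argument unpacking precedes the hunk.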
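Review bot: The first new message in `Triton_convertExprToSymVar` reads "The size must cannot be 0"; it should be "The size cannot be 0" (the convertMemToSymVar and convertRegToSymVar hunks carry the same typo). Unlike the convertMemToSymVar hunk, this one shows no bit-to-byte division of the size; if the rest of the function, outside the hunk, still forwards the raw value, the symbolic variable is now created 8x wider than intended — confirm the conversion is applied past the end of the hunk. `PyLong_AsUint(symVarSize)` is also evaluated three times where one local would do, and the check order (0, %8, >128) differs from getMemValue's (0, >128, %8); harmless, but worth aligning. The "must be less than 128" wording does not match the `> DQWORD_SIZE_BIT` test, which admits 128.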
@@ -631,10 +654,19 @@ static PyObject *Triton_convertMemToSymVar(PyObject *self, PyObject *args) { if (symVarSize == nullptr || (!PyLong_Check(symVarSize) && !PyInt_Check(symVarSize))) return PyErr_Format(PyExc_TypeError, "convertMemToSymVar(): expected a size as second argument"); + if (PyLong_AsUint(symVarSize) == 0) + return PyErr_Format(PyExc_TypeError, "convertMemToSymVar(): The size must cannot be 0"); + + if (PyLong_AsUint(symVarSize) % BYTE_SIZE_BIT) + return PyErr_Format(PyExc_TypeError, "convertMemToSymVar(): The size must be a multiple of 8"); + + if (PyLong_AsUint(symVarSize) > DQWORD_SIZE_BIT) + return PyErr_Format(PyExc_TypeError, "convertMemToSymVar(): The size must be less than 128"); + if (!PyString_Check(varComment)) return PyErr_Format(PyExc_TypeError, "convertMemToSymVar(): expected a comment (string) as third argument"); - vs = PyLong_AsUint(symVarSize); + vs = PyLong_AsUint(symVarSize) / BYTE_SIZE_BIT; vc = PyString_AsString(varComment); MemoryOperand mo(PyLong_AsUint(memAddr), vs); @@ -662,6 +694,15 @@ static PyObject *Triton_convertRegToSymVar(PyObject *self, PyObject *args) { if (symVarSize == nullptr || (!PyLong_Check(symVarSize) && !PyInt_Check(symVarSize))) return PyErr_Format(PyExc_TypeError, "convertRegToSymVar(): expected a size as second argument"); + if (PyLong_AsUint(symVarSize) == 0) + return PyErr_Format(PyExc_TypeError, "convertRegToSymVar(): The size must cannot be 0"); + + if (PyLong_AsUint(symVarSize) % BYTE_SIZE_BIT) + return PyErr_Format(PyExc_TypeError, "convertRegToSymVar(): The size must be a multiple of 8"); + + if (PyLong_AsUint(symVarSize) > DQWORD_SIZE_BIT) + return PyErr_Format(PyExc_TypeError, "convertRegToSymVar(): The size must be less than 128"); + if (!PyString_Check(varComment)) return PyErr_Format(PyExc_TypeError, "convertRegToSymVar(): expected a comment (string) as third argument"); diff --git a/tests/test_convertMemToSymVar.py b/tests/test_convertMemToSymVar.py index 2929a45bd..2fc824691 100644 
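Review bot: `PyLong_AsUint(symVarSize)` is evaluated four times in `Triton_convertMemToSymVar`; parse it once into `vs` before the checks, `vs = PyLong_AsUint(symVarSize); if (vs == 0) ...`, and finish with `vs /= BYTE_SIZE_BIT;`, which also makes the byte conversion impossible to forget. "The size must cannot be 0" has a stray word, and "must be less than 128" does not match the `> DQWORD_SIZE_BIT` test, which admits 128. The `MemoryOperand mo(PyLong_AsUint(memAddr), vs)` construction at the end of the hunk takes `memAddr` without the `PIN_CheckReadAccess` guard that getMemValue applies; whether that matters depends on what follows outside the hunk.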
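Review bot: The new checks in `Triton_convertRegToSymVar` validate a size in bits, but the hunk shows no `/ BYTE_SIZE_BIT` step, whereas the convertMemToSymVar hunk in this commit changes `vs = PyLong_AsUint(symVarSize) / BYTE_SIZE_BIT;`; confirm the register case converts to bytes after the hunk, otherwise a bit count is now handed on where a byte count was expected. A check that only tests `% 8` and `<= 128` also never verifies that the size matches the width of the register given as first argument, which is presumably the real constraint, so a mismatch is silently accepted. "The size must cannot be 0" needs the same wording fix as its siblings. The function continues outside the hunk.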
--- a/tests/test_convertMemToSymVar.py +++ b/tests/test_convertMemToSymVar.py @@ -21,7 +21,7 @@ def sbefore(instruction): if addr != 0: # Check valid address print instruction.getDisassembly(), "at", hex(addr) print "Operand mem size:", op.getMem().getSize() - s = convertMemToSymVar(addr, op.getMem().getSize(), "test") # convertMemToSymVar + s = convertMemToSymVar(addr, op.getMem().getBitSize(), "test") # convertMemToSymVar print "New symbolic variable:" print "[+] Comment:", s.getComment() print "[+] Size: %d" % (s.getSize()) diff --git a/tools/code_coverage.py b/tools/code_coverage.py index 48d56420a..fa6bd9d17 100644 --- a/tools/code_coverage.py +++ b/tools/code_coverage.py @@ -193,22 +193,22 @@ def mainAnalysis(threadId): rdi = getRegValue(IDREF.REG.RDI) # argc rsi = getRegValue(IDREF.REG.RSI) # argv - argv0_addr = getMemValue(rsi, IDREF.CPUSIZE.QWORD) # argv[0] pointer - argv1_addr = getMemValue(rsi + 8, IDREF.CPUSIZE.QWORD) # argv[1] pointer + argv0_addr = getMemValue(rsi, IDREF.CPUSIZE.QWORD_BIT) # argv[0] pointer + argv1_addr = getMemValue(rsi + 8, IDREF.CPUSIZE.QWORD_BIT) # argv[1] pointer print "[+] In main() we set :" od = OrderedDict(sorted(TritonExecution.input.dataAddr.items())) for k,v in od.iteritems(): print "\t[0x%x] = %x %c" % (k, v, v) - setMemValue(k, IDREF.CPUSIZE.BYTE, v) - convertMemToSymVar(k, IDREF.CPUSIZE.BYTE, "addr_%d" % k) + setMemValue(k, 8, v) + convertMemToSymVar(k, IDREF.CPUSIZE.BYTE_BIT, "addr_%d" % k) for idx, byte in enumerate(TritonExecution.input.data): if argv1_addr + idx not in TritonExecution.input.dataAddr: # Not overwrite the previous setting print "\t[0x%x] = %x %c" % (argv1_addr + idx, ord(byte), ord(byte)) - setMemValue(argv1_addr + idx, IDREF.CPUSIZE.BYTE, ord(byte)) - convertMemToSymVar(argv1_addr + idx, IDREF.CPUSIZE.BYTE, "addr_%d" % idx) + setMemValue(argv1_addr + idx, IDREF.CPUSIZE.BYTE_BIT, ord(byte)) + convertMemToSymVar(argv1_addr + idx, IDREF.CPUSIZE.BYTE_BIT, "addr_%d" % idx) @staticmethod 
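Review bot: The first loop in `mainAnalysis` writes with `setMemValue(k, 8, v)` but symbolizes the same byte with `IDREF.CPUSIZE.BYTE_BIT` on the very next line, while the second loop uses the constant for both calls; use `setMemValue(k, IDREF.CPUSIZE.BYTE_BIT, v)` so the bits-not-bytes unit is explicit everywhere. Both loops hand `v` / `ord(byte)` to a one-byte write without checking the value fits; if `dataAddr` entries come from a file or a previous run, a value above 255 is presumably truncated silently, and `if not 0 <= v <= 0xff: raise ValueError("byte out of range at %#x" % k)` would catch corrupted input early. `argv0_addr` is read but not used within the hunk. The method starts and ends outside the hunk.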
diff --git a/tools/format_string_bug_analysis.py b/tools/format_string_bug_analysis.py index 721831071..7e4dc90a7 100644 --- a/tools/format_string_bug_analysis.py +++ b/tools/format_string_bug_analysis.py @@ -53,7 +53,7 @@ def printfAnalysis(threadId): print '[+] Analyzing the printf prologue argument.' arg = getRegValue(IDREF.REG.RDI) index = 0 - while getMemValue(arg + index, 1) != 0x00: + while getMemValue(arg + index, 8) != 0x00: if isMemTainted(arg + index) == True: print '[+] Possible format string bug found. The first argument contains some tainted bytes.' global TRACE @@ -71,9 +71,9 @@ def mainAnalysis(threadId): rsi = getRegValue(IDREF.REG.RSI) # argv while rdi != 0: - argv = getMemValue(rsi + ((rdi-1) * 8), 8) + argv = getMemValue(rsi + ((rdi-1) * 8), 64) offset = 0 - while getMemValue(argv + offset, 1) != 0x00: + while getMemValue(argv + offset, 8) != 0x00: taintMem(argv + offset) offset += 1 print '[+] %03d bytes tainted from the argv[%d] (%#x) pointer' %(offset, rdi-1, argv) diff --git a/tools/generate_db.py b/tools/generate_db.py index 7ad3e0634..b95fc35d5 100644 --- a/tools/generate_db.py +++ b/tools/generate_db.py @@ -32,11 +32,11 @@ def accessMemoryDump(opType, instruction, operand): accessAddr = operand.getMem().getAddress() accessSize = operand.getMem().getSize() contentAsString = str() - contentAsInteger = getMemValue(accessAddr, accessSize) + contentAsInteger = getMemValue(accessAddr, accessSize * 8) # fills the contentAsString for i in range(accessSize): - contentAsString += '%02x ' %(getMemValue(accessAddr+i, 1)) + contentAsString += '%02x ' %(getMemValue(accessAddr+i, 8)) cursor.execute("INSERT INTO memoryAccess VALUES (%d, '%s', %d, %d, '%s', %d)" %(insAddr, accessType, accessSize, accessAddr, contentAsString[:-1], contentAsInteger)) diff --git a/tools/memory_tracer.py b/tools/memory_tracer.py index 26502519f..57ca8fc0e 100644 --- a/tools/memory_tracer.py +++ b/tools/memory_tracer.py 
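Review bot: The scan `while getMemValue(arg + index, 8) != 0x00` in `printfAnalysis` has no upper bound, and with this commit's tritonCallbacks change `getMemValue` raises TypeError as soon as `arg + index` reaches an unreadable address, so a non-NUL-terminated or garbage RDI — exactly what a format-string hunt is looking for — surfaces as an uncaught exception rather than a finding. Bound the walk, e.g. `while index < MAX_FMT_LEN and getMemValue(arg + index, 8) != 0x00:`, or catch TypeError and stop the scan. The size literal would read better as a named byte-size constant. The loop body continues past the hunk.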
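Review bot: `getMemValue(rsi + ((rdi-1) * 8), 64)` in `mainAnalysis` uses the bare literal `64` where the code_coverage.py hunk of this same commit writes `IDREF.CPUSIZE.QWORD_BIT`, and the byte reads use `8`; spell both out with the constants so the unit change from bytes to bits is unmistakable to anyone updating older scripts. The inner `while getMemValue(argv + offset, 8) != 0x00` walk is unbounded, and getMemValue now raises TypeError on an unreadable address, so an argv string without a terminator inside the mapped region is not handled. The function starts before the hunk.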
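Review bot: `accessMemoryDump` still builds its INSERT with `%` formatting; `contentAsString` and `contentAsInteger` are derived from the traced process's memory (hex-formatted, so inert today), but every field is interpolated and a parameterized statement costs nothing: `cursor.execute("INSERT INTO memoryAccess VALUES (?, ?, ?, ?, ?, ?)", (insAddr, accessType, accessSize, accessAddr, contentAsString[:-1], contentAsInteger))` (placeholder style depends on the DB-API driver, which is not visible here). With the new size rule `getMemValue(accessAddr, accessSize * 8)` raises TypeError for any operand wider than 16 bytes, such as a 32-byte AVX memory operand, so the callback should skip `accessSize > 16` (or catch TypeError) rather than abort the trace. A 128-bit `contentAsInteger` may also exceed the column's integer range, depending on the database. The function begins outside the hunk.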
@@ -54,9 +54,9 @@ def dump(opType, instruction, operand): if checkReadAccess(memoryAccess): a = '%c:0x%016x:' %(opAccess, memoryAccess) for i in range(memoryAccessSize): - a += ' %02x' %(getMemValue(memoryAccess+i, 1)) + a += ' %02x' %(getMemValue(memoryAccess+i, 8)) - print '%s%s%s (%#x)' %(d, ' '*(70-len(d)), a, getMemValue(memoryAccess, memoryAccessSize)) + print '%s%s%s (%#x)' %(d, ' '*(70-len(d)), a, getMemValue(memoryAccess, memoryAccessSize * 8)) return
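Review bot: `dump` checks `checkReadAccess(memoryAccess)` for the first byte only and then reads the whole operand in one `getMemValue(memoryAccess, memoryAccessSize * 8)` call inside the print, so an access that straddles into an unmapped page passes the guard and the read may still fail. With the size rule introduced in this commit the same call raises TypeError for operands wider than 16 bytes (32-byte AVX loads and stores), which, as before, would abort the trace rather than skip the entry; add `if memoryAccessSize > 16: return` before the dump or wrap the wide read in `try/except TypeError`. The per-byte loop already has each byte, so the wide read could also be assembled from those values instead of issuing a second call. The function starts before the hunk.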