Merge remote-tracking branch 'origin/GP-2489_Dan_taintTraceXOR--SQUASHED'
This commit is contained in:
commit
a5fdeba51a
3 changed files with 68 additions and 5 deletions
@ -62,7 +62,7 @@ public class TaintSpace {
|
||||||
* Retrieve the taint sets for the variable at the given offset
|
* Retrieve the taint sets for the variable at the given offset
|
||||||
*
|
*
|
||||||
* <p>
|
* <p>
|
||||||
* This retrieve as many taint sets as there are elements in the given buffer vector. This first
|
* This retrieves as many taint sets as there are elements in the given buffer vector. This first
|
||||||
* element becomes the taint set at the given offset, then each subsequent element becomes the
|
* element becomes the taint set at the given offset, then each subsequent element becomes the
|
||||||
* taint set at each subsequent offset until the vector is filled. This is analogous to the
|
* taint set at each subsequent offset until the vector is filled. This is analogous to the
|
||||||
* manner in which bytes would be "read" from concrete state, starting at a given ofset, into a
|
* manner in which bytes would be "read" from concrete state, starting at a given ofset, into a
|
||||||
|
|
|
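Review bot: The same Javadoc sentence still misspells "offset" on the new side (`starting at a given ofset, into a`), two lines below the line this hunk corrects; while this comment is being touched, change it to `* manner in which bytes would be "read" from concrete state, starting at a given offset, into a`. The Javadoc block and the method it documents continue outside the hunk.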
@ -449,9 +449,9 @@ public class TaintVec {
|
||||||
throw new IllegalArgumentException();
|
throw new IllegalArgumentException();
|
||||||
}
|
}
|
||||||
TaintVec vec = new TaintVec(length);
|
TaintVec vec = new TaintVec(length);
|
||||||
int diff = isBigEndian ? this.length - length : 0;
|
int shift = isBigEndian ? this.length - length : 0;
|
||||||
for (int i = 0; i < length; i++) {
|
for (int i = 0; i < length; i++) {
|
||||||
vec.sets[i] = vec.sets[i + diff];
|
vec.sets[i] = vec.sets[i + shift];
|
||||||
}
|
}
|
||||||
return vec;
|
return vec;
|
||||||
}
|
}
|
||||||
|
@ -489,9 +489,10 @@ public class TaintVec {
|
||||||
return truncated(length, isBigEndian);
|
return truncated(length, isBigEndian);
|
||||||
}
|
}
|
||||||
TaintVec vec = new TaintVec(length);
|
TaintVec vec = new TaintVec(length);
|
||||||
int diff = isBigEndian ? length - this.length : 0;
|
int diff = length - this.length;
|
||||||
|
int shift = isBigEndian ? diff : 0;
|
||||||
for (int i = 0; i < this.length; i++) {
|
for (int i = 0; i < this.length; i++) {
|
||||||
vec.sets[i + diff] = vec.sets[i];
|
vec.sets[i + shift] = this.sets[i];
|
||||||
}
|
}
|
||||||
TaintSet ext = isSigned ? isBigEndian ? sets[0] : sets[this.length - 1] : TaintSet.EMPTY;
|
TaintSet ext = isSigned ? isBigEndian ? sets[0] : sets[this.length - 1] : TaintSet.EMPTY;
|
||||||
int start = isBigEndian ? 0 : this.length;
|
int start = isBigEndian ? 0 : this.length;
|
||||||
|
|
|
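Review bot: In the first hunk (`@ -449,9`), the loop on the new side still copies from the freshly allocated result, `vec.sets[i] = vec.sets[i + shift];`, so the source vector's taint sets never reach the truncated copy; the second hunk makes the corresponding correction (`this.sets[i]`) for extension, but this one was only renamed from `diff` to `shift`. With a non-zero `shift` (the big-endian case) `i + shift` can run past the new array, which is presumably sized to `length`, and with `shift == 0` the line is a self-assignment, so taint is silently dropped on truncation — an under-tainting hole for the analysis. The right-hand side should read `vec.sets[i] = this.sets[i + shift];`. Both enclosing methods begin outside their hunks; the second is presumably the extension counterpart, since it falls back to `truncated(length, isBigEndian)`.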
@ -210,4 +210,66 @@ public class TaintTracePcodeEmulatorTest extends AbstractTracePcodeEmulatorTest
|
||||||
Range.singleton(1L), tb.range(0x00600000, 0x00600007))));
|
Range.singleton(1L), tb.range(0x00600000, 0x00600007))));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testZeroByXor() throws Throwable {
|
||||||
|
try (ToyDBTraceBuilder tb = new ToyDBTraceBuilder("Test", "x86:LE:64:default")) {
|
||||||
|
TraceThread thread = initTrace(tb,
|
||||||
|
List.of(
|
||||||
|
"RIP = 0x00400000;"),
|
||||||
|
List.of(
|
||||||
|
"XOR RAX, RAX"));
|
||||||
|
|
||||||
|
TaintTracePcodeEmulator emu = new TaintTracePcodeEmulator(tb.trace, 0);
|
||||||
|
PcodeThread<Pair<byte[], TaintVec>> emuThread = emu.newThread(thread.getPath());
|
||||||
|
emuThread.getState()
|
||||||
|
.setVar(tb.reg("RAX"), Pair.of(
|
||||||
|
tb.arr(1, 2, 3, 4, 5, 6, 7, 8),
|
||||||
|
TaintVec.copies(TaintSet.parse("test_0"), 8)));
|
||||||
|
|
||||||
|
emuThread.stepInstruction();
|
||||||
|
try (UndoableTransaction tid = tb.startTransaction()) {
|
||||||
|
emu.writeDown(tb.trace, 1, 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
TracePropertyMap<String> taintMap =
|
||||||
|
tb.trace.getAddressPropertyManager().getPropertyMap("Taint", String.class);
|
||||||
|
TracePropertyMapRegisterSpace<String> mapSpace =
|
||||||
|
taintMap.getPropertyMapRegisterSpace(thread, 0, false);
|
||||||
|
|
||||||
|
assertEquals(Set.of(),
|
||||||
|
Set.copyOf(mapSpace.getEntries(Range.singleton(1L), tb.reg("RAX"))));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testZeroByXorVia32() throws Throwable {
|
||||||
|
try (ToyDBTraceBuilder tb = new ToyDBTraceBuilder("Test", "x86:LE:64:default")) {
|
||||||
|
TraceThread thread = initTrace(tb,
|
||||||
|
List.of(
|
||||||
|
"RIP = 0x00400000;"),
|
||||||
|
List.of(
|
||||||
|
"XOR EAX, EAX"));
|
||||||
|
|
||||||
|
TaintTracePcodeEmulator emu = new TaintTracePcodeEmulator(tb.trace, 0);
|
||||||
|
PcodeThread<Pair<byte[], TaintVec>> emuThread = emu.newThread(thread.getPath());
|
||||||
|
emuThread.getState()
|
||||||
|
.setVar(tb.reg("RAX"), Pair.of(
|
||||||
|
tb.arr(1, 2, 3, 4, 5, 6, 7, 8),
|
||||||
|
TaintVec.copies(TaintSet.parse("test_0"), 8)));
|
||||||
|
|
||||||
|
emuThread.stepInstruction();
|
||||||
|
try (UndoableTransaction tid = tb.startTransaction()) {
|
||||||
|
emu.writeDown(tb.trace, 1, 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
TracePropertyMap<String> taintMap =
|
||||||
|
tb.trace.getAddressPropertyManager().getPropertyMap("Taint", String.class);
|
||||||
|
TracePropertyMapRegisterSpace<String> mapSpace =
|
||||||
|
taintMap.getPropertyMapRegisterSpace(thread, 0, false);
|
||||||
|
|
||||||
|
assertEquals(Set.of(),
|
||||||
|
Set.copyOf(mapSpace.getEntries(Range.singleton(1L), tb.reg("RAX"))));
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
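Review bot: `testZeroByXorVia32` deserves a Javadoc explaining why a 32-bit XOR is checked against the full 64-bit `RAX`: on x86-64 a write to `EAX` zero-extends into the upper half, so the assertion on `tb.reg("RAX")` exercises the taint vector's extension path rather than a plain same-width overwrite; something like `/** XOR EAX,EAX zero-extends into RAX, so taint must be cleared from all 8 bytes, not just the low 4. */`. The two tests are otherwise identical apart from the instruction string; a private helper taking the instruction text (e.g. `checkXorClearsTaint(String insn)`) would keep the assertion in one place and make adding further width variants cheap. Both methods are complete within the section.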