Skip to content

Commit

Permalink
Merge branch 'indirect_syscalls'
Browse files Browse the repository at this point in the history
  • Loading branch information
hasherezade committed Nov 19, 2024
2 parents 9231980 + df50ad3 commit 2520252
Show file tree
Hide file tree
Showing 5 changed files with 56 additions and 17 deletions.
13 changes: 4 additions & 9 deletions ModuleInfo.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ const s_module* get_by_addr(ADDRINT Address, std::map<ADDRINT, s_module> &module
return nullptr;
}

std::string get_func_at(ADDRINT callAddr)
std::string get_func_at(ADDRINT callAddr, ADDRINT& diff)
{
IMG pImg = IMG_FindByAddress(callAddr);
if (!IMG_Valid(pImg)) {
Expand All @@ -43,16 +43,11 @@ std::string get_func_at(ADDRINT callAddr)
sstr << "[ + " << (callAddr - base) << "]*";
return sstr.str();
}

std::string name = get_unmangled_name(rtn);
ADDRINT rtnAddr = RTN_Address(rtn);
if (rtnAddr == callAddr) {
return name;
}
// it doesn't start at the beginning of the routine
const ADDRINT diff = callAddr - rtnAddr;
std::ostringstream sstr;
sstr << "[" << name << "+" << std::hex << diff << "]*";
return sstr.str();
diff = callAddr - rtnAddr;
return name;
}

ADDRINT get_mod_base(ADDRINT Address)
Expand Down
2 changes: 1 addition & 1 deletion ModuleInfo.h
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ bool init_section(s_module &section, const ADDRINT &ImageBase, const SEC &sec);

const s_module* get_by_addr(ADDRINT Address, std::map<ADDRINT, s_module> &modules);

std::string get_func_at(ADDRINT callAddr);
std::string get_func_at(ADDRINT callAddr, ADDRINT&diff);

ADDRINT get_mod_base(ADDRINT Address);

Expand Down
22 changes: 21 additions & 1 deletion Settings.h
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,27 @@ t_shellc_options ConvertShcOption(int value);

class SyscallsTable {
public:

static bool isSyscallFuncName(const std::string &name)
{
if (name.length() < 2) return false;
if ((name[0] == 'Z' && name[1] == 'w') ||
(name[0] == 'N' && name[1] == 't' && name[2] >= 'A' && name[2] <= 'Z'))
{
return true;
}
return false;
}

static bool isSyscallDll(const std::string& dllName)
{
if (util::iequals("ntdll", dllName)
|| util::iequals("win32u", dllName))
{
return true;
}
return false;
}

static std::string convertNameToNt(std::string funcName)
{
std::string prefix1("Nt");
Expand Down
34 changes: 28 additions & 6 deletions TinyTracer.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -181,9 +181,33 @@ VOID SaveHeavensGateTransitions(const ADDRINT addrFrom, const ADDRINT addrTo, AD

traceLog.logInstruction(pageFrom, RvaFrom, ss.str());
PIN_WriteErrorMessage("ERROR: Cannot trace after the far transition", 1000, PIN_ERR_SEVERITY_TYPE::PIN_ERR_FATAL, 0);
}

std::string resolve_func_name(const ADDRINT addrTo, const std::string& dll_name, const CONTEXT* ctx)
{
ADDRINT diff = 0;
const std::string name = get_func_at(addrTo, diff);
// it doesn't start at the beginning of the routine
if (!diff) {
return name;
}
std::ostringstream sstr;
sstr << "[" << name << "+" << std::hex << diff << "]*";

if (ctx && m_Settings.syscallsTable.count()
&& SyscallsTable::isSyscallFuncName(name) && SyscallsTable::isSyscallDll(util::getDllName(dll_name)))
{
//possibly a proxy to the indirect syscall
const ADDRINT eax = (ADDRINT)PIN_GetContextReg(ctx, REG_GAX);
const std::string realName = m_Settings.syscallsTable.getName(eax);
if (realName.length() && SyscallsTable::convertNameToNt(name) != realName) {
sstr << " -> " << realName;
}
}
return sstr.str();
}


VOID _SaveTransitions(const ADDRINT addrFrom, const ADDRINT addrTo, BOOL isIndirect, const CONTEXT* ctx = NULL)
{
const WatchedType fromWType = isWatchedAddress(addrFrom); // is the call from the traced area?
Expand All @@ -205,8 +229,8 @@ VOID _SaveTransitions(const ADDRINT addrFrom, const ADDRINT addrTo, BOOL isIndir
{
ADDRINT RvaFrom = addr_to_rva(addrFrom);
if (isTargetPeModule) {
const std::string func = get_func_at(addrTo);
const std::string dll_name = IMG_Name(targetModule);
const std::string func = resolve_func_name(addrTo, dll_name, ctx);
if (m_Settings.excludedFuncs.contains(dll_name, func)) {
return;
}
Expand All @@ -229,8 +253,8 @@ VOID _SaveTransitions(const ADDRINT addrFrom, const ADDRINT addrTo, BOOL isIndir
const ADDRINT pageTo = query_region_base(addrTo);

if (isTargetPeModule) { // it is a call to a module
const std::string func = get_func_at(addrTo);
const std::string dll_name = IMG_Name(targetModule);
const std::string func = resolve_func_name(addrTo, dll_name, ctx);
if (m_Settings.excludedFuncs.contains(dll_name, func)) {
return;
}
Expand Down Expand Up @@ -266,8 +290,8 @@ VOID _SaveTransitions(const ADDRINT addrFrom, const ADDRINT addrTo, BOOL isIndir
const ADDRINT returnAddr = getReturnFromTheStack(ctx);
const WatchedType toWType = isWatchedAddress(returnAddr); // does it return into the traced area?
if (toWType != WatchedType::NOT_WATCHED) {
const std::string func = get_func_at(addrTo);
const std::string dll_name = IMG_Name(targetModule);
const std::string func = resolve_func_name(addrTo, dll_name, ctx);
if (m_Settings.excludedFuncs.contains(dll_name, func)) {
return;
}
Expand Down Expand Up @@ -609,9 +633,7 @@ VOID SyscallCalled(THREADID tid, CONTEXT* ctxt, SYSCALL_STANDARD std, VOID* v)
// check if it is watched by the function name:
std::string syscallFuncName = SyscallsTable::convertNameToNt(m_Settings.syscallsTable.getName(syscallNum));
for (size_t i = 0; i < m_Settings.funcWatch.funcs.size(); i++) {
if (util::iequals("ntdll", m_Settings.funcWatch.funcs[i].dllName)
|| util::iequals("win32u", m_Settings.funcWatch.funcs[i].dllName))
{
if (SyscallsTable::isSyscallDll(m_Settings.funcWatch.funcs[i].dllName)) {
std::string funcName = SyscallsTable::convertNameToNt(m_Settings.funcWatch.funcs[i].funcName);
if (syscallFuncName == funcName) {
LogSyscallsArgs(funcName.c_str(), ctxt, std, address, m_Settings.funcWatch.funcs[i].paramCount);
Expand Down
2 changes: 2 additions & 0 deletions Util.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,8 @@ size_t util::getAsciiLenW(const wchar_t *inp, size_t maxInp)
std::string util::getDllName(const std::string& str)
{
std::size_t len = str.length();
if (!len) return str;

std::size_t found = str.find_last_of("/\\");
std::size_t ext = str.find_last_of(".");
if (ext > len) ext = len;
Expand Down

0 comments on commit 2520252

Please sign in to comment.