[FEATURE] Resolve indirect syscalls

hasherezade · Nov 19, 2024 · f593984 · f593984
1 parent 9231980
commit f593984
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 14 deletions.
diff --git a/ModuleInfo.cpp b/ModuleInfo.cpp
@@ -28,7 +28,7 @@ const s_module* get_by_addr(ADDRINT Address, std::map<ADDRINT, s_module> &module
     return nullptr;
 }
 
-std::string get_func_at(ADDRINT callAddr)
+std::string get_func_at(ADDRINT callAddr, ADDRINT& diff)
 {
     IMG pImg = IMG_FindByAddress(callAddr);
     if (!IMG_Valid(pImg)) {
@@ -43,16 +43,11 @@ std::string get_func_at(ADDRINT callAddr)
         sstr << "[ + " << (callAddr - base) << "]*";
         return sstr.str();
     }
+
     std::string name = get_unmangled_name(rtn);
     ADDRINT rtnAddr = RTN_Address(rtn);
-    if (rtnAddr == callAddr) {
-        return name;
-    }
-    // it doesn't start at the beginning of the routine
-    const ADDRINT diff = callAddr - rtnAddr;
-    std::ostringstream sstr;
-    sstr << "[" << name << "+" << std::hex << diff << "]*";
-    return sstr.str();
+    diff = callAddr - rtnAddr;
+    return name;
 }
 
 ADDRINT get_mod_base(ADDRINT Address)

diff --git a/ModuleInfo.h b/ModuleInfo.h
@@ -17,7 +17,7 @@ bool init_section(s_module &section, const ADDRINT &ImageBase, const SEC &sec);
 
 const s_module* get_by_addr(ADDRINT Address, std::map<ADDRINT, s_module> &modules);
 
-std::string get_func_at(ADDRINT callAddr);
+std::string get_func_at(ADDRINT callAddr, ADDRINT&diff);
 
 ADDRINT get_mod_base(ADDRINT Address);
 

diff --git a/Settings.h b/Settings.h
@@ -22,7 +22,17 @@ t_shellc_options ConvertShcOption(int value);
 
 class SyscallsTable {
 public:
-
+    static bool isSyscallFuncName(const std::string name)
+    {
+        if (name.length() < 2) return false;
+        if ((name[0] == 'Z' && name[1] == 'w') ||
+            (name[0] == 'N' && name[1] == 't' && name[2] >= 'A' && name[2] <= 'Z'))
+        {
+            return true;
+        }
+        return false;
+    }
+
     static std::string convertNameToNt(std::string funcName)
     {
         std::string prefix1("Nt");

diff --git a/TinyTracer.cpp b/TinyTracer.cpp
@@ -181,9 +181,30 @@ VOID SaveHeavensGateTransitions(const ADDRINT addrFrom, const ADDRINT addrTo, AD
 
     traceLog.logInstruction(pageFrom, RvaFrom, ss.str());
     PIN_WriteErrorMessage("ERROR: Cannot trace after the far transition", 1000, PIN_ERR_SEVERITY_TYPE::PIN_ERR_FATAL, 0);
+}
 
+std::string resolve_func_name(const ADDRINT addrTo, const CONTEXT* ctx)
+{
+    ADDRINT diff = 0;
+    const std::string name = get_func_at(addrTo, diff);
+    // it doesn't start at the beginning of the routine
+    if (!diff) {
+        return name;
+    }
+    std::ostringstream sstr;
+    sstr << "[" << name << "+" << std::hex << diff << "]*";
+
+    if (ctx && m_Settings.syscallsTable.count() && SyscallsTable::isSyscallFuncName(name)) { //possibly a proxy to the invalid syscall
+        const ADDRINT eax = (ADDRINT)PIN_GetContextReg(ctx, REG_GAX);
+        const std::string realName = m_Settings.syscallsTable.getName(eax);
+        if (realName.length() && SyscallsTable::convertNameToNt(name) != realName) {
+            sstr << " -> " << realName;
+        }
+    }
+    return sstr.str();
 }
 
+
 VOID _SaveTransitions(const ADDRINT addrFrom, const ADDRINT addrTo, BOOL isIndirect, const CONTEXT* ctx = NULL)
 {
     const WatchedType fromWType = isWatchedAddress(addrFrom); // is the call from the traced area?
@@ -205,7 +226,7 @@ VOID _SaveTransitions(const ADDRINT addrFrom, const ADDRINT addrTo, BOOL isIndir
     {
         ADDRINT RvaFrom = addr_to_rva(addrFrom);
         if (isTargetPeModule) {
-            const std::string func = get_func_at(addrTo);
+            const std::string func = resolve_func_name(addrTo, ctx);
             const std::string dll_name = IMG_Name(targetModule);
             if (m_Settings.excludedFuncs.contains(dll_name, func)) {
                 return;
@@ -229,7 +250,7 @@ VOID _SaveTransitions(const ADDRINT addrFrom, const ADDRINT addrTo, BOOL isIndir
         const ADDRINT pageTo = query_region_base(addrTo);
 
         if (isTargetPeModule) { // it is a call to a module
-            const std::string func = get_func_at(addrTo);
+            const std::string func = resolve_func_name(addrTo, ctx);
             const std::string dll_name = IMG_Name(targetModule);
             if (m_Settings.excludedFuncs.contains(dll_name, func)) {
                 return;
@@ -266,7 +287,7 @@ VOID _SaveTransitions(const ADDRINT addrFrom, const ADDRINT addrTo, BOOL isIndir
         const ADDRINT returnAddr = getReturnFromTheStack(ctx);
         const WatchedType toWType = isWatchedAddress(returnAddr); // does it return into the traced area?
         if (toWType != WatchedType::NOT_WATCHED) {
-            const std::string func = get_func_at(addrTo);
+            const std::string func = resolve_func_name(addrTo, ctx);
             const std::string dll_name = IMG_Name(targetModule);
             if (m_Settings.excludedFuncs.contains(dll_name, func)) {
                 return;