1
0
mirror of https://github.com/bitdefender/bddisasm.git synced 2024-12-22 22:18:09 +00:00

Merge pull request #19 from bitdefender/stackstr_fps

Improved stack string detection heuristic: only consider registers wh…
This commit is contained in:
Anichitei Ionel-Cristinel 2020-08-11 12:11:37 +03:00 committed by GitHub
commit 3d109f22d3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 94 additions and 12 deletions

View File

@ -655,13 +655,15 @@ ShemuSetGprValue(
bool High8
)
{
uint32_t bit;
switch (Size)
{
case 1:
if (High8)
{
// AH, CH, DH or BH accessed.
*((uint8_t *)(&Context->Registers.RegRax + Reg - 4) + 1) = Value & 0xFF;
*((uint8_t *)(&Context->Registers.RegRax + Reg - 4) + 1) = Value & 0xff;
}
else
{
@ -682,6 +684,55 @@ ShemuSetGprValue(
*(&Context->Registers.RegRax + Reg) = Value;
break;
}
if (High8)
{
bit = Reg - 4;
}
else
{
bit = Reg;
}
// Mark the GPR as being dirty/written.
Context->DirtyGprBitmap |= (1 << bit);
}
//
// ShemuCmpGprValue
//
static bool
ShemuCmpGprValue(
SHEMU_CONTEXT *Context,
uint32_t Reg,
uint32_t Size,
uint64_t Value,
bool High8
)
{
switch (Size)
{
case 1:
if (High8)
{
// AH, CH, DH or BH.
return *((uint8_t *)(&Context->Registers.RegRax + Reg - 4) + 1) == (Value & 0xff);
}
else
{
return *((uint8_t *)(&Context->Registers.RegRax + Reg)) == (Value & 0xff);
}
case 2:
return *((uint16_t *)(&Context->Registers.RegRax + Reg)) == (Value & 0xffff);
case 4:
return *((uint32_t *)(&Context->Registers.RegRax + Reg)) == (Value & 0xffffffff);
default:
return *(&Context->Registers.RegRax + Reg) == Value;
}
}
@ -1299,6 +1350,8 @@ ShemuSetOperandValue(
// Handle RIP save on the stack.
if (ShemuIsStackPtr(Context, gla, MAX(op->Size, Context->Instruction.WordLength)))
{
uint8_t stckstrlen = 0;
// Note: only Context->Instruction.WordLength bits are flagged as RIP, as that is the RIP size.
if (Context->Instruction.Instruction == ND_INS_CALLNR ||
Context->Instruction.Instruction == ND_INS_CALLNI)
@ -1327,6 +1380,9 @@ ShemuSetOperandValue(
// ...
// PUSH strn
// Other variants may exist, but all we care about are stores on the stack, and all are checked.
// Note that we will ignore registers which have not been modified during emulation; those are considered
// input values for the emulated code, and may be pointers or other data. We are interested only in
// stack values built within the emulate code.
for (uint32_t i = 0; i < Value->Size; i++)
{
unsigned char c = Value->Value.Bytes[i];
@ -1334,19 +1390,41 @@ ShemuSetOperandValue(
if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') ||
c == '\\' || c == '/' || c == ':' || c == ' ')
{
Context->StrLength++;
if (Context->StrLength >= Context->StrThreshold)
{
Context->Flags |= SHEMU_FLAG_STACK_STR;
break;
}
stckstrlen++;
}
else
{
Context->StrLength = 0;
break;
}
}
if (stckstrlen == Value->Size)
{
// Make sure the value is not present inside a non-dirty GPR.
for (uint32_t i = 0; i < 16; i++)
{
if (ShemuCmpGprValue(Context, i, Value->Size, Value->Value.Qwords[0], false) &&
(0 == (Context->DirtyGprBitmap & (1 << i))))
{
// A register is saved on the stack, but that register wasn't written during the emulation.
stckstrlen = 0;
break;
}
}
}
Context->StrLength += stckstrlen;
if (Context->StrLength >= Context->StrThreshold)
{
Context->Flags |= SHEMU_FLAG_STACK_STR;
}
if (stckstrlen != Value->Size)
{
// Not a full string stored on the stack, reset the counter.
Context->StrLength = 0;
}
}
// Set the value.

View File

@ -130,7 +130,11 @@ typedef struct _SHEMU_CONTEXT
uint64_t MmxRegisters[ND_MAX_MMX_REGS];
// SSE registers state. 32 x 64 bytes = 2048 bytes for the SSE registers. Can be provided on input, if needed.
uint8_t SseRegisters[ND_MAX_SSE_REGS * ND_MAX_REGISTER_SIZE];
uint8_t SseRegisters[ND_MAX_SSE_REGS * ND_MAX_REGISTER_SIZE];
// General purpose registers write bitmap. After the first write, a register will be marked dirty in here.
// Should be 0 on input.
uint16_t DirtyGprBitmap;
// Operating mode (ND_CODE_16, ND_CODE_32 or ND_CODE_64). Must be provided as input.
uint8_t Mode;

View File

@ -7,6 +7,6 @@
#define DISASM_VERSION_MAJOR 1
#define DISASM_VERSION_MINOR 28
#define DISASM_VERSION_REVISION 0
#define DISASM_VERSION_REVISION 1
#endif // DISASM_VER_H

View File

@ -12,7 +12,7 @@ from setuptools import find_packages, setup, Command, Extension, Distribution
from codecs import open
VERSION = (0, 1, 2)
LIBRARY_VERSION = (1, 28, 0)
LIBRARY_VERSION = (1, 28, 1)
LIBRARY_INSTRUX_SIZE = 856
packages = ['pybddisasm']