diff --git a/analyzer/analyzer.py b/analyzer/analyzer.py index dd38060..8dccdf4 100644 --- a/analyzer/analyzer.py +++ b/analyzer/analyzer.py @@ -58,7 +58,6 @@ def load_config(config_file): 'r12', 'r13', 'r14', 'r15']} init_config(config) - return config def load_angr_project(binary_file: str, base_address, use_pickle) -> angr.Project: @@ -125,7 +124,7 @@ def append_to_csv(csv_filename, transmissions): writer.writerows(flatten_dicts) -def analyse_gadget(proj, gadget_address, name, config, csv_filename, tfp_csv_filename, asm_folder): +def analyse_gadget(proj, gadget_address, name, csv_filename, tfp_csv_filename, asm_folder): """ Run the scanner from a single entrypoint and analyze the potential transmissions found at symbolic-execution time. @@ -134,7 +133,7 @@ def analyse_gadget(proj, gadget_address, name, config, csv_filename, tfp_csv_fil # Step 1. Analyze the code snippet with angr. l.info(f"Analyzing gadget at address {hex(gadget_address)}...") s = Scanner() - s.run(proj, gadget_address, config) + s.run(proj, gadget_address) l.info(f"Found {len(s.transmissions)} potential transmissions.") l.info(f"Found {len(s.calls)} tainted function pointers.") @@ -230,7 +229,7 @@ def run(binary, config_file, base_address, gadgets, cache_project, csv_filename= # Simplify how symbols get printed. claripy.ast.base._unique_names = False - config = load_config(config_file) + load_config(config_file) if global_config["LogLevel"] == 0: disable_logging() @@ -253,4 +252,4 @@ def run(binary, config_file, base_address, gadgets, cache_project, csv_filename= # Run the Analyzer. # TODO: Parallelize. for g in gadgets: - analyse_gadget(proj, g[0], g[1], config, csv_filename, tfp_csv_filename, asm_folder) + analyse_gadget(proj, g[0], g[1], csv_filename, tfp_csv_filename, asm_folder) diff --git a/analyzer/scanner/scanner.py b/analyzer/scanner/scanner.py index c5ecab1..a48151b 100644 --- a/analyzer/scanner/scanner.py +++ b/analyzer/scanner/scanner.py 
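Review bot: With `return config` dropped, load_config now returns None and its only remaining effect is the `init_config(config)` call that installs the parsed dict as the module-level global_config, so any caller outside this diff that still uses the return value would silently get None. The function starts outside the hunk, so I cannot see whether it has a docstring; it should state the new contract, e.g. `"""Parse config_file and install it as the module-level global_config via init_config(). Returns None."""`. Annotating the signature `def load_config(config_file) -> None:` would also make the change visible to readers and type checkers.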
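Review bot: The docstring of analyse_gadget (it continues past the hunk) no longer mentions where the analysis configuration comes from now that the `config` parameter is gone, and the new precondition is easy to miss because nothing in the signature expresses it. I would add one sentence to the docstring: `Requires load_config() to have populated the module-level global_config; the Scanner reads controlled_registers / controlled_stack from it.` The argument removal itself is safe against stale callers, since a seven-argument call now raises TypeError rather than shifting values.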
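Review bot: The bare `load_config(config_file)` statement now carries an implicit ordering dependency: the `global_config["LogLevel"]` read immediately below, and the Scanner runs later in `run`, only work because this call mutated module state first. A comment on the line would keep that from being reordered or removed by a later cleanup, e.g. `# Populates the module-level global_config (no return value); everything below, including the Scanner, reads from it.` The enclosing `run` function continues outside the hunk.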
@@ -112,7 +112,7 @@ def __init__(self): self.cur_state = None - def initialize_regs_and_stack(self, state: angr.sim_state.SimState, config): + def initialize_regs_and_stack(self, state: angr.sim_state.SimState): """ Mark stack locations and registers as attacker-controlled. """ @@ -121,7 +121,7 @@ def initialize_regs_and_stack(self, state: angr.sim_state.SimState, config): state.regs.gs = claripy.BVS('gs', 64, annotations=(UncontrolledAnnotation('gs'),)) # Attacker-controlled registers. - for reg in config['controlled_registers']: + for reg in global_config['controlled_registers']: try: length = getattr(state.regs, reg).length except AttributeError: @@ -133,8 +133,8 @@ def initialize_regs_and_stack(self, state: angr.sim_state.SimState, config): # Attacker-controlled stack locations: save them as stores. # TODO: this is a hack. If STL forwarding is disabled, stack variables # will not be loaded. - if 'controlled_stack' in config: - for region in config['controlled_stack']: + if 'controlled_stack' in global_config: + for region in global_config['controlled_stack']: for offset in range(region['start'], region['end'], region['size']): size = region['size'] assert (size in [1, 2, 4, 8]) @@ -551,7 +551,7 @@ def exit_hook_before(self, state : angr.SimState): raise SplitException - def run(self, proj: angr.Project, start_address, config) -> list[TransmissionExpr]: + def run(self, proj: angr.Project, start_address) -> list[TransmissionExpr]: """ Run the symbolic execution engine for a given number of basic blocks. """ @@ -584,7 +584,7 @@ def run(self, proj: angr.Project, start_address, config) -> list[TransmissionExp state.inspect.b('address_concretization', when=angr.BP_AFTER, action=skip_concretization) state.inspect.b('expr', when=angr.BP_AFTER, action=self.expr_hook_after) - self.initialize_regs_and_stack(state, config) + self.initialize_regs_and_stack(state) self.thunk_list = get_x86_indirect_thunks(proj) # Run the symbolic execution engine.
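Review bot: The docstring "Mark stack locations and registers as attacker-controlled." should now name the configuration source, since the method no longer receives it as an argument and a reader of the signature cannot tell it depends on module state. I would extend it to: `Register names are taken from global_config['controlled_registers'] and stack regions from the optional global_config['controlled_stack']; load_config() must have run first.` The method body continues past the hunk.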
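Review bot: `global_config['controlled_registers']` introduces the name global_config into scanner.py, but this diff adds no import for it; if scanner.py does not already import it from the config module this is a NameError at first use, so please confirm. Independently, indexing the dict directly means calling Scanner.run before load_config (for example from a unit test) fails with a bare KeyError, whereas the removed parameter made the dependency explicit. A short guard at the top of initialize_regs_and_stack would give a clearer failure: `if 'controlled_registers' not in global_config:` / `    raise RuntimeError("global_config not initialised: call load_config() first")`.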
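Review bot: The `'controlled_stack' in global_config` membership test is inconsistent with the direct indexing used for controlled_registers two hunks above; `for region in global_config.get('controlled_stack', []):` folds the optional-key check into the loop and drops a level of nesting. Adjacent to the changed lines, `assert (size in [1, 2, 4, 8])` validates a value read from the user's config file, and asserts are stripped under `python -O`, so a malformed region size would then reach the store code unchecked; `if size not in (1, 2, 4, 8): raise ValueError(f"controlled_stack region size must be 1, 2, 4 or 8, got {size}")` keeps the check in every mode. The loop body continues outside the hunk.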
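Review bot: Scanner.run's docstring ("Run the symbolic execution engine for a given number of basic blocks.") does not mention that the initial state is now shaped by module-level global_config rather than by an argument, which is the only behavioural effect of this signature change a caller needs to know. I would add: `The attacker-controlled registers and stack regions are read from global_config, which load_config() must have populated before this is called.` The function body continues outside the hunk.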